VPNs Problems with Cisco and 2.3.2-RELEASE


  • Hi everyone, this is my first post on the pfSense forum. I am having a very serious problem with site-to-site VPNs between Cisco routers and pfSense.

    The short story is that I made the update from version 2.1.x to 2.3.2. On the 2.1.x version all VPNs (more than 50) used to work fine; last week, when I made the update to the 2.3.2 release, a great part of my VPNs went down, and I can't figure out why.

    I made a debug and the error seems to be the hash at the level of phase 1; nevertheless, all the phase 1 parameters on both sides are the same.

    Here is the debug…

    pfSense side:

    Jan 26 11:44:06    charon        11[CFG] <168179> looking for an ike config for 192.3.5.254…200.41.51.189
    Jan 26 11:44:06    charon        11[CFG] <168179> candidate: %any…%any, prio 24
    Jan 26 11:44:06    charon        11[CFG] <168179> found matching ike config: %any…%any with prio 24
    Jan 26 11:44:06    charon        11[IKE] <168179> received NAT-T (RFC 3947) vendor ID
    Jan 26 11:44:06    charon        11[IKE] <168179> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
    Jan 26 11:44:06    charon        11[IKE] <168179> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Jan 26 11:44:06    charon        11[IKE] <168179> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Jan 26 11:44:06    charon        11[IKE] <168179> 200.41.51.189 is initiating a Main Mode IKE_SA
    Jan 26 11:44:06    charon        11[IKE] <168179> IKE_SA (unnamed)[168179] state change: CREATED => CONNECTING
    Jan 26 11:44:06    charon        11[CFG] <168179> selecting proposal:
    Jan 26 11:44:06    charon        11[CFG] <168179> no acceptable ENCRYPTION_ALGORITHM found
    Jan 26 11:44:06    charon        11[CFG] <168179> selecting proposal:

    Cisco router side:

    *Jan 26 15:51:17.659: ISAKMP:(0): SA request profile is (NULL)
    *Jan 26 15:51:17.659: ISAKMP: Created a peer struct for 192.3.5.254, peer port 500
    *Jan 26 15:51:17.659: ISAKMP: New peer created peer = 0x86A8DE6C peer_handle = 0x80000002
    *Jan 26 15:51:17.659: ISAKMP: Locking peer struct 0x86A8DE6C, refcount 1 for isakmp_initiator
    *Jan 26 15:51:17.659: ISAKMP: local port 500, remote port 500
    *Jan 26 15:51:17.659: ISAKMP: set new node 0 to QM_IDLE     
    *Jan 26 15:51:17.659: ISAKMP:(0):insert sa successfully sa = 865C1488
    *Jan 26 15:51:17.659: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
    *Jan 26 15:51:17.659: ISAKMP:(0):found peer pre-shared key matching 192.3.5.254
    *Jan 26 15:51:17.659: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
    *Jan 26 15:51:17.659: ISAKMP:(0): constructed NAT-T vendor-07 ID
    *Jan 26 15:51:17.659: ISAKMP:(0): constructed NAT-T vendor-03 ID
    *Jan 26 15:51:17.659: ISAKMP:(0): constructed NAT-T vendor-02 ID
    *Jan 26 15:51:17.659: ISAKMP:(0):
    INFRATEST#Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    *Jan 26 15:51:17.659: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

    *Jan 26 15:51:17.659: ISAKMP:(0): beginning Main Mode exchange
    *Jan 26 15:51:17.659: ISAKMP:(0): sending packet to 192.3.5.254 my_port 500 peer_port 500 (I) MM_NO_STATE
    *Jan 26 15:51:17.659: ISAKMP:(0):Sending an IKE IPv4 Packet.
    *Jan 26 15:51:17.779: ISAKMP (0): received packet from 192.3.5.254 dport 500 sport 500 Global (I) MM_NO_STATE
    *Jan 26 15:51:17.783: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Jan 26 15:51:17.783: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

    *Jan 26 15:51:17.783: ISAKMP:(0): processing SA payload. message ID = 0
    *Jan 26 15:51:17.787: ISAKMP:(0): processing vendor id payload
    *Jan 26 15:51:17.787: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
    *Jan 26 15:51:17.787: ISAKMP:(0): vendor ID is XAUTH
    *Jan 26 15:51:17.787: ISAKMP:(0): processing vendor id payload
    *Jan 26 15:51:17.787: ISAKMP:(0): vendor ID is DPD
    *Jan 26 15:51:17.787: ISAKMP:(0): processing vendor id payload
    *Jan 26 15:51:17.787: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    *Jan 26 15:51:17.787: ISAKMP (0): vendor ID is NAT-T RFC 3947
    *Jan 26 15:51:17.787: ISAKMP:(0):found peer pre-shared key matching 192.3.5.254
    *Jan 26 15:51:17.787: ISAKMP:(0): local preshared key found
    *Jan 26 15:51:17.787: ISAKMP : Scanning profiles for xauth …
    *Jan 26 15:51:17.787: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
    *Jan 26 15:51:17.787: ISAKMP:      encryption AES-CBC
    *Jan 26 15:51:17.787: ISAKMP:      keylength of 256
    *Jan 26 15:51:17.787: ISAKMP:      hash SHA
    *Jan 26 15:51:17.787: ISAKMP:      default group 2
    *Jan 26 15:51:17.787: ISAKMP:      auth pre-share
    *Jan 26 15:51:17.787: ISAKMP:      life type in seconds
    *Jan 26 15:51:17.787: ISAKMP:      life duration (basic) of 1300
    *Jan 26 15:51:17.787: ISAKMP:(0):atts are acceptable. Next payload is 0
    *Jan 26 15:51:17.787: ISAKMP:(0):Acceptable atts:actual life: 0
    *Jan 26 15:51:17.787: ISAKMP:(0):Acceptable atts:life: 0
    *Jan 26 15:51:17.787: ISAKMP:(0):Basic life_in_seconds:1300
    *Jan 26 15:51:17.787: ISAKMP:(0):Returning Actual lifetime: 1300
    *Jan 26 15:51:17.787: ISAKMP:(0)::Started lifetime timer: 1300.

    *Jan 26 15:51:17.787: ISAKMP:(0): processing vendor id payload
    *Jan 26 15:51:17.787: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
    *Jan 26 15:51:17.787: ISAKMP:(0): vendor ID is XAUTH
    *Jan 26 15:51:17.787: ISAKMP:(0): processing vendor id payload
    *Jan 26 15:51:17.787: ISAKMP:(0): vendor ID is DPD
    *Jan 26 15:51:17.787: ISAKMP:(0): processing vendor id payload
    *Jan 26 15:51:17.787: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    *Jan 26 15:51:17.787: ISAKMP (0): vendor ID is NAT-T RFC 3947
    *Jan 26 15:51:17.787: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Jan 26 15:51:17.787: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

    *Jan 26 15:51:17.787: ISAKMP:(0): sending packet to 192.3.5.254 my_port 500 peer_port 500 (I) MM_SA_SETUP
    *Jan 26 15:51:17.787: ISAKMP:(0):Sending an IKE IPv4 Packet.
    *Jan 26 15:51:17.787: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Jan 26 15:51:17.787: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

    *Jan 26 15:51:17.859: ISAKMP (0): received packet from 192.3.5.254 dport 500 sport 500 Global (I) MM_SA_SETUP
    *Jan 26 15:51:17.859: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Jan 26 15:51:17.859: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

    *Jan 26 15:51:17.859: ISAKMP:(0): processing KE payload. message ID = 0
    *Jan 26 15:51:17.891: ISAKMP:(0): processing NONCE payload. message ID = 0
    *Jan 26 15:51:17.891: ISAKMP:(0):found peer pre-shared key matching 192.3.5.254
    *Jan 26 15:51:17.891: ISAKMP:received payload type 20
    *Jan 26 15:51:17.891: ISAKMP (2001): His hash no match - this node outside NAT
    *Jan 26 15:51:17.891: ISAKMP:received payload type 20
    *Jan 26 15:51:17.891: ISAKMP (2001): No NAT Found for self or peer
    *Jan 26 15:51:17.891: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Jan 26 15:51:17.891: ISAKMP:(2001):Old State = IKE_I_MM4  New State = IKE_I_MM4

    *Jan 26 15:51:17.891: ISAKMP:(2001):Send initial contact
    *Jan 26 15:51:17.891: ISAKMP:(2001):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
    *Jan 26 15:51:17.891: ISAKMP (2001): ID payload
            next-payload : 8
            type        : 1
            address      : 200.41.51.189
            protocol    : 17
            port        : 500
            length      : 12
    *Jan 26 15:51:17.891: ISAKMP:(2001):Total payload length: 12
    *Jan 26 15:51:17.891: ISAKMP:(2001): sending packet to 192.3.5.254 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    *Jan 26 15:51:17.891: ISAKMP:(2001):Sending an IKE IPv4 Packet.
    *Jan 26 15:51:17.891: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Jan 26 15:51:17.891: ISAKMP:(2001):Old State = IKE_I_MM4  New State = IKE_I_MM5

    *Jan 26 15:51:17.995: ISAKMP (2001): received packet from 192.3.5.254 dport 500 sport 500 Global (I) MM_KEY_EXCH
    *Jan 26 15:51:17.995: ISAKMP: set new node -1111398064 to QM_IDLE     
    *Jan 26 15:51:17.995: ISAKMP (2001): received packet from 192.3.5.254 dport 500 sport 500 Global (I) MM_KEY_EXCH
    *Jan 26 15:51:17.995: ISAKMP (2001): received packet from 192.3.5.254 dport 500 sport 500 Global (I) MM_KEY_EXCH
    *Jan 26 15:51:17.995: ISAKMP (2001): received packet from 192.3.5.254 dport 500 sport 500 Global (I) MM_KEY_EXCH
    *Jan 26 15:51:17.999: ISAKMP (2001): received packet from 192.3.5.254 dport 500 sport 500 Global (I) MM_KEY_EXCH
    *Jan 26 15:51:17.999: ISAKMP: Info Notify message requeue retry counter exceeded sa request from 192.3.5.254 to 200.41.51.189.
    *Jan 26 15:51:27.891: ISAKMP:(2001): retransmitting phase 1 MM_KEY_EXCH…
    *Jan 26 15:51:27.891: ISAKMP (2001): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

    I will appreciate the help.
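    A small triage script, added here as an editor's example (not from the original post or from pfSense/strongSwan), that reads both debug outputs in the shape quoted above: it pulls the phase 1 transform the Cisco side lists (encryption, key length, hash, DH group, auth, lifetime) and the attribute type strongSwan reports as unmatched during proposal selection, and prints a one-line verdict. The sample log lines are constructed from the post and abridged.

```python
import re

# Constructed sample lines, shaped like the two debug outputs quoted in the
# post above (abridged). The Cisco "His hash no match" line is NAT-D detection
# (payload type 20, RFC 3947), not a proposal attribute, so the parser skips it.
PFSENSE_LOG = """\
Jan 26 11:44:06 charon 11[CFG] <168179> selecting proposal:
Jan 26 11:44:06 charon 11[CFG] <168179> no acceptable ENCRYPTION_ALGORITHM found
"""
CISCO_LOG = """\
*Jan 26 15:51:17.787: ISAKMP:      encryption AES-CBC
*Jan 26 15:51:17.787: ISAKMP:      keylength of 256
*Jan 26 15:51:17.787: ISAKMP:      hash SHA
*Jan 26 15:51:17.787: ISAKMP:      default group 2
*Jan 26 15:51:17.787: ISAKMP:      auth pre-share
*Jan 26 15:51:17.787: ISAKMP:      life duration (basic) of 1300
*Jan 26 15:51:17.891: ISAKMP (2001): His hash no match - this node outside NAT
"""

# Cisco prints one phase 1 attribute per line after "ISAKMP:" and whitespace.
CISCO_ATTR = re.compile(
    r"ISAKMP:\s+(encryption|keylength of|hash|default group|auth|"
    r"life duration \(basic\) of)\s+(\S+)")
ATTR_NAMES = {"encryption": "enc", "keylength of": "keylen", "hash": "hash",
              "default group": "dh_group", "auth": "auth",
              "life duration (basic) of": "lifetime"}
# strongSwan names the attribute type it could not match in any configured proposal.
SWAN_REJECT = re.compile(r"no acceptable (\w+) found")

def cisco_transform(log):
    """Phase 1 attributes the Cisco side lists for its transform, as a dict."""
    attrs = {}
    for line in log.splitlines():
        m = CISCO_ATTR.search(line)
        if m:
            attrs[ATTR_NAMES[m.group(1)]] = m.group(2)
    return attrs

def strongswan_rejections(log):
    """Attribute types strongSwan reported as unmatched during proposal selection."""
    return [m.group(1) for line in log.splitlines() if (m := SWAN_REJECT.search(line))]

def diagnose(pfsense_log, cisco_log):
    """Triage verdict as (code, explanation) from both sides' logs."""
    offered, rejected = cisco_transform(cisco_log), strongswan_rejections(pfsense_log)
    if rejected:
        desc = "{enc}-{keylen} / {hash} / DH group {dh_group} / {auth}".format_map(
            {k: offered.get(k, "?") for k in ATTR_NAMES.values()})
        return "phase1_proposal_mismatch", f"responder rejected {', '.join(rejected)}; peer sent {desc}"
    return "phase1_proposal_ok", "no proposal rejection logged; look later in the exchange"
```

    Run `diagnose(PFSENSE_LOG, CISCO_LOG)` to get the verdict; the named attributes tell you exactly which phase 1 setting to compare against the responder's configured proposal.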


  • I may be facing these same errors. Does the connection work if you attempt to connect from the Cisco firewall?