IPSEC behind NAT won't connect - "no shared key" error



  • I have just switched to a fiber connection.  The local side pfSense gets a fixed IP from the ISP but the public-facing IP changes every time the modem restarts (as seen through whatsmyip.org).  Remote side pfSense has a fixed IP.

    Both sides have pfSense 2.3.2-RELEASE-p1

    If I set up an IPSEC connection from the remote to the public-facing IP address it connects correctly and everything works as it should.  However, if I set the remote side to connect to the fixed IP instead it will not connect, with invalid key errors.

    I have tried it with NAT traversal both set to "auto" and "fixed" and it makes no difference.

    Settings are identical for both sides

    IKE v1
    Mutual PSK
    Main
    My identifier - fixed IP address (peer identifier set to this on remote)
    Peer identifier - Peer IP address (set to "My IP address" on remote)
    PSK = same on both
    AES 256bit
    SHA256
    DH group 2
    86400 seconds
    Disable rekey unchecked
    Responder only unchecked
    NAT Traversal auto
    DPD enabled
    Delay 20
    Max failures 5

    Logs for both sides are below:

    xxx.xxx.xxx.xxx = Fiber modem IP address (pfSense local WAN address behind NAT)
    yyy.yyy.yyy.yyy = ISP public IP address (changes whenever modem resets)
    zzz.zzz.zzz.zzz = Remote IP address (Remote pfSense WAN, no NAT)
    
    Local side
    
    Feb 6 17:51:02	charon		13[IKE] <con1000|191> initiating Main Mode IKE_SA con1000[191] to zzz.zzz.zzz.zzz
    Feb 6 17:51:02	charon		13[ENC] <con1000|191> generating ID_PROT request 0 [ SA V V V V V ]
    Feb 6 17:51:02	charon		13[NET] <con1000|191> sending packet: from xxx.xxx.xxx.xxx[500] to zzz.zzz.zzz.zzz[500] (184 bytes)
    Feb 6 17:51:02	charon		11[NET] <con1000|191> received packet: from zzz.zzz.zzz.zzz[500] to xxx.xxx.xxx.xxx[500] (140 bytes)
    Feb 6 17:51:02	charon		11[ENC] <con1000|191> parsed ID_PROT response 0 [ SA V V V ]
    Feb 6 17:51:02	charon		11[IKE] <con1000|191> received XAuth vendor ID
    Feb 6 17:51:02	charon		11[IKE] <con1000|191> received DPD vendor ID
    Feb 6 17:51:02	charon		11[IKE] <con1000|191> received NAT-T (RFC 3947) vendor ID
    Feb 6 17:51:02	charon		11[ENC] <con1000|191> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
    Feb 6 17:51:02	charon		11[NET] <con1000|191> sending packet: from xxx.xxx.xxx.xxx[500] to zzz.zzz.zzz.zzz[500] (268 bytes)
    Feb 6 17:51:02	charon		10[NET] <con1000|191> received packet: from zzz.zzz.zzz.zzz[500] to xxx.xxx.xxx.xxx[500] (56 bytes)
    Feb 6 17:51:02	charon		10[ENC] <con1000|191> parsed INFORMATIONAL_V1 request 3587200257 [ N(INVAL_KE) ]
    Feb 6 17:51:02	charon		10[IKE] <con1000|191> received INVALID_KE_PAYLOAD error notify
    Feb 6 17:51:03	charon		10[KNL] creating acquire job for policy xxx.xxx.xxx.xxx/32|/0 === zzz.zzz.zzz.zzz/32|/0 with reqid {1}
    
    Remote side
    
    Feb 6 12:06:56	charon		12[IKE] <8777> yyy.yyy.yyy.yyy is initiating a Main Mode IKE_SA
    Feb 6 12:06:56	charon		12[ENC] <8777> generating ID_PROT response 0 [ SA V V V ]
    Feb 6 12:06:56	charon		12[NET] <8777> sending packet: from zzz.zzz.zzz.zzz[500] to yyy.yyy.yyy.yyy[46880] (140 bytes)
    Feb 6 12:06:57	charon		08[NET] <8777> received packet: from yyy.yyy.yyy.yyy[46880] to zzz.zzz.zzz.zzz[500] (268 bytes)
    Feb 6 12:06:57	charon		08[ENC] <8777> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
    Feb 6 12:06:57	charon		08[IKE] <8777> remote host is behind NAT
    Feb 6 12:06:57	charon		08[IKE] <8777> no shared key found for zzz.zzz.zzz.zzz - yyy.yyy.yyy.yyy
    Feb 6 12:06:57	charon		08[ENC] <8777> generating INFORMATIONAL_V1 request 1497720683 [ N(INVAL_KE) ]
    Feb 6 12:06:57	charon		08[NET] <8777> sending packet: from zzz.zzz.zzz.zzz[500] to yyy.yyy.yyy.yyy[46880] (56 bytes)
    Feb 6 12:06:57	charon		16[NET] <8778> received packet: from yyy.yyy.yyy.yyy[46880] to zzz.zzz.zzz.zzz[500] (184 bytes)
    Feb 6 12:06:57	charon		16[ENC] <8778> parsed ID_PROT request 0 [ SA V V V V V ]
    Feb 6 12:06:57	charon		16[IKE] <8778> received XAuth vendor ID
    Feb 6 12:06:57	charon		16[IKE] <8778> received DPD vendor ID
    Feb 6 12:06:57	charon		16[IKE] <8778> received FRAGMENTATION vendor ID
    Feb 6 12:06:57	charon		16[IKE] <8778> received NAT-T (RFC 3947) vendor ID
    Feb 6 12:06:57	charon		16[IKE] <8778> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    

  • Rebel Alliance Developer Netgate

    If your "fixed" address is public then the ISP should not be changing that address. When you are behind NAT, as you appear to be, the far side has to build the tunnel to the public address it sees (especially in Main mode).

    If your "fixed" address is private or in CGN space then it's useless as far as being "fixed" goes.
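An added example, not code from this thread or from pfSense/strongSwan, that models the failure both posts above describe. In IKEv1 Main Mode with a pre-shared key the peer's ID payload only arrives in message 5, already encrypted with keys derived from the PSK, so the responder has to pick the PSK by the source address of the packet it actually received. When that packet comes from the ISP's NAT address (yyy) but the secret is configured against the "fixed" address (xxx), the lookup fails and charon logs `no shared key found for zzz - yyy`. The addresses below are constructed stand-ins from the RFC 5737 documentation ranges for the redacted xxx/yyy/zzz, the log excerpt is constructed to match the shape of the remote-side log, and `PskEntry`, `select_main_mode_psk` and `diagnose` are this example's own names, not strongSwan's.

```python
"""Model of IKEv1 Main Mode PSK selection and a checker for the
'no shared key found' symptom in a charon log. Constructed example."""
import re
from dataclasses import dataclass

# Constructed stand-ins for the redacted addresses in the thread.
FIXED_LAN_WAN = "203.0.113.10"   # xxx: the "fixed" address on the local pfSense WAN
ISP_PUBLIC = "198.51.100.77"     # yyy: the NAT address the remote peer actually sees
REMOTE_WAN = "192.0.2.5"         # zzz: remote pfSense WAN, no NAT

# Constructed excerpt with the same shape as the remote-side charon log.
REMOTE_LOG = f"""\
Feb 6 12:06:56 charon 12[IKE] <8777> {ISP_PUBLIC} is initiating a Main Mode IKE_SA
Feb 6 12:06:57 charon 08[IKE] <8777> remote host is behind NAT
Feb 6 12:06:57 charon 08[IKE] <8777> no shared key found for {REMOTE_WAN} - {ISP_PUBLIC}
Feb 6 12:06:57 charon 08[ENC] <8777> generating INFORMATIONAL_V1 request 1497720683 [ N(INVAL_KE) ]
"""


@dataclass(frozen=True)
class PskEntry:
    """One PSK selector: which local and peer address the secret is bound to."""
    local: str
    peer: str
    secret: bytes


# The remote side's secrets as the thread describes them (peer = "fixed" xxx)
# and as they would have to be for the tunnel to come up (peer = observed yyy).
SECRETS_AS_CONFIGURED = [PskEntry(REMOTE_WAN, FIXED_LAN_WAN, b"constructed-psk")]
SECRETS_CORRECTED = [PskEntry(REMOTE_WAN, ISP_PUBLIC, b"constructed-psk")]


def select_main_mode_psk(secrets, local_addr, observed_peer_addr):
    """Main Mode responder view: the peer identity is not readable yet, so the
    only selector available is the source address of the received packet."""
    for entry in secrets:
        if entry.local == local_addr and entry.peer == observed_peer_addr:
            return entry.secret
    return None


NO_KEY_RE = re.compile(r"no shared key found for (\S+) - (\S+)")
NAT_RE = re.compile(r"remote host is behind NAT")


def diagnose(log_text, secrets):
    """Scan a charon log for failed PSK lookups and report, per failure, the
    address the responder keyed on, the peer addresses actually configured for
    that local address, and whether NAT was detected on the initiator."""
    behind_nat = False
    findings = []
    for line in log_text.splitlines():
        if NAT_RE.search(line):
            behind_nat = True
        match = NO_KEY_RE.search(line)
        if not match:
            continue
        local, peer = match.groups()
        configured = sorted(e.peer for e in secrets if e.local == local)
        mismatch = bool(configured) and peer not in configured
        findings.append({
            "lookup_local": local,
            "lookup_peer": peer,
            "configured_peers": configured,
            "peer_behind_nat": behind_nat,
            "address_mismatch": mismatch,
            "hint": (f"PSK is bound to {', '.join(configured)} but packets arrive "
                     f"from {peer}; the remote must key on the address it sees")
                    if mismatch else None,
        })
    return findings


if __name__ == "__main__":
    for finding in diagnose(REMOTE_LOG, SECRETS_AS_CONFIGURED):
        print(finding)
    print("as configured:", select_main_mode_psk(SECRETS_AS_CONFIGURED, REMOTE_WAN, ISP_PUBLIC))
    print("corrected:    ", select_main_mode_psk(SECRETS_CORRECTED, REMOTE_WAN, ISP_PUBLIC))
```

Running it shows the lookup returning nothing for the configured table and the secret for the corrected one; the `INVAL_KE` notify that follows in the real log is just charon's generic way of aborting the exchange once no key could be selected, which is why the local side reports an invalid key rather than an address problem.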



  • Yeah, unfortunately my ISP here in Nepal doesn't seem to understand what they have.  I tell them I need a fixed public IP and they keep telling me "You have a static IP!" but I know it is NATed to the outside world.  I have actually gotten IPSEC working decently well to the external IP by using dynamic DNS, but I still have other issues.  For instance my kids' Xbox still has "Strict" NAT despite the fact that I have all the correct ports forwarded on my end, so they can't play Minecraft online.  I'll just have to keep talking to the ISP until I find someone that understands the problem.

    Thanks,
    -Matt