IPSec fails with "no shared key found for '%any'"



  • My IPSec connection is failing with "no shared key found for '%any' - '{Remote Peer ID}'" but I've ensured the PSK and all other settings match.  The only search results I can find about this error refer to old pfSense bugs and misconfiguration of the ipsec.secrets file on non-pfSense platforms.

    Can anyone suggest how to troubleshoot this?  The logs certainly suggest a misconfiguration, but I'm not seeing it.

    Settings and logs are as follows:

    Local pfSense IPsec settings

    
    IKE: v2
    IP: v4
    Interface: 2xx.xx.xx.163
    Remote: remote.xxx.com (dynamic DNS that resolves to 1x.xx.xx.34)
    Description: IPSec for Remote Site
    Auth Method: Mutual PSK
    My ID: IP Address, 2xx.xx.xx.163
    Peer ID: KeyID, "Remote"
    Preshared Key: "Temp123"
    P1 Encryption: AES 256
    P1 Hash: SHA1
    P1 DH Group: 2
    P1 Lifetime: 28800
    P1 Responder Only
    P1 MOBIKE: Disabled
    P1 Dead Peer Detection
    P1 Delay: 10
    P1 Max failures: 5
    P2 Mode: Tunnel v4
    P2 Local: Network, 10.x.2.0/24
    P2 NAT translation: None
    P2 Remote: Network, 10.x.11.0/24
    P2 Description: Remote LAN
    P2 Protocol: ESP
    P2 Encryption: AES 256
    P2 Hash: SHA1
    P2 PFS: Off
    P2 Lifetime: 28800
    
    

    Remote IPSec settings (Sonicwall)

    
    Policy Type: Site-to-Site
    Auth Method: IKE using Preshared Secret
    Name: Company
    IPsec Primary Gateway: 2xx.xx.xx.163
    IPsec Secondary Gateway: 0.0.0.0
    Shared Secret: "Temp123"
    Local IKE ID: Key Identifier, "Remote"
    Peer IKE ID: IP Address, 2xx.xx.xx.163
    Local Network: 10.x.11.0/24
    Remote Network: 10.x.2.0/24
    P1 Exchange: IKEv2 Mode
    P1 DH Group: 2
    P1 Encryption: AES-256
    P1 Auth: SHA1
    P1 Lifetime: 28800
    P2 Protocol: ESP
    P2 Encryption: AES-256
    P2 Auth: SHA1
    P2 PFS: Off
    P2 Lifetime: 28800
    Enable Keep Alive
    
    

    pfSense logs

    
    Mar 15 13:55:10 	charon 		08[NET] <2> received packet: from 1x.xx.xx.34[42933] to 2xx.xx.xx.163[500] (316 bytes)
    Mar 15 13:55:10 	charon 		08[ENC] <2> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V ]
    Mar 15 13:55:10 	charon 		08[CFG] <2> looking for an ike config for 2xx.xx.xx.163...1x.xx.xx.34
    Mar 15 13:55:10 	charon 		08[CFG] <2> candidate: %any...%any, prio 24
    Mar 15 13:55:10 	charon 		08[CFG] <2> candidate: 2xx.xx.xx.163...remote.xxx.com, prio 3100
    Mar 15 13:55:10 	charon 		08[CFG] <2> found matching ike config: 2xx.xx.xx.163...remote.xxx.com with prio 3100
    Mar 15 13:55:10 	charon 		08[ENC] <2> received unknown vendor ID: 2a:67:75:d0:ad:2a:a7:88:7c:33:fe:1d:68:ba:f3:08:96:6f:00:01
    Mar 15 13:55:10 	charon 		08[IKE] <2> 1x.xx.xx.34 is initiating an IKE_SA
    Mar 15 13:55:10 	charon 		08[IKE] <2> IKE_SA (unnamed)[2] state change: CREATED => CONNECTING
    Mar 15 13:55:10 	charon 		08[CFG] <2> selecting proposal:
    Mar 15 13:55:10 	charon 		08[CFG] <2> proposal matches
    Mar 15 13:55:10 	charon 		08[CFG] <2> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Mar 15 13:55:10 	charon 		08[CFG] <2> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Mar 15 13:55:10 	charon 		08[CFG] <2> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Mar 15 13:55:10 	charon 		08[IKE] <2> remote host is behind NAT
    Mar 15 13:55:10 	charon 		08[ENC] <2> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
    Mar 15 13:55:10 	charon 		08[NET] <2> sending packet: from 2xx.xx.xx.163[500] to 1x.xx.xx.34[42933] (312 bytes)
    Mar 15 13:55:10 	charon 		08[NET] <2> received packet: from 1x.xx.xx.34[42450] to 2xx.xx.xx.163[4500] (220 bytes)
    Mar 15 13:55:10 	charon 		08[ENC] <2> parsed IKE_AUTH request 1 [ IDi CERTREQ AUTH SA TSi TSr N(INIT_CONTACT) ]
    Mar 15 13:55:10 	charon 		08[CFG] <2> looking for peer configs matching 2xx.xx.xx.163[%any]...1x.xx.xx.34[Remote]
    Mar 15 13:55:10 	charon 		08[CFG] <2> candidate "bypasslan", match: 1/1/24 (me/other/ike)
    Mar 15 13:55:10 	charon 		08[CFG] <bypasslan|2>selected peer config 'bypasslan'
    Mar 15 13:55:10 	charon 		08[IKE] <bypasslan|2>no shared key found for '%any' - 'Remote'
    Mar 15 13:55:10 	charon 		08[ENC] <bypasslan|2>generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    Mar 15 13:55:10 	charon 		08[NET] <bypasslan|2>sending packet: from 2xx.xx.xx.163[4500] to 1x.xx.xx.34[42450] (76 bytes)
    Mar 15 13:55:10 	charon 		08[IKE] <bypasslan|2>IKE_SA bypasslan[2] state change: CONNECTING => DESTROYING
    

    I tried changing the pfSense P1 Peer ID to Any but receive the same error.

    Any suggestions are appreciated.
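The charon lines above tell the story in three stages: an IKE config is matched by address, then a peer config is searched by identity, then a PSK is looked up for the pair of identities the selected config ended up with. The following is an added example (not from the post, pfSense or strongSwan) that parses those three stages out of the quoted log lines and reports which stage failed. The sample log is the post's own redacted lines with the syslog prefix stripped; the match-score interpretation (a score of 1 on the "other" identity meaning a wildcard-only match) is an assumption taken from strongSwan's identity-match scale, and the config name "bypasslan" is simply what the post's log shows.

```python
import re

# Constructed sample: the charon lines quoted in the post above, with the
# syslog timestamp/program prefix stripped. Addresses are the post's own
# redacted values.
SAMPLE_LOG = """\
08[CFG] <2> looking for an ike config for 2xx.xx.xx.163...1x.xx.xx.34
08[CFG] <2> candidate: %any...%any, prio 24
08[CFG] <2> candidate: 2xx.xx.xx.163...remote.xxx.com, prio 3100
08[CFG] <2> found matching ike config: 2xx.xx.xx.163...remote.xxx.com with prio 3100
08[CFG] <2> looking for peer configs matching 2xx.xx.xx.163[%any]...1x.xx.xx.34[Remote]
08[CFG] <2> candidate "bypasslan", match: 1/1/24 (me/other/ike)
08[CFG] <bypasslan|2>selected peer config 'bypasslan'
08[IKE] <bypasslan|2>no shared key found for '%any' - 'Remote'
08[ENC] <bypasslan|2>generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

RE_IKE_CFG = re.compile(r"found matching ike config: (\S+)\.\.\.(\S+) with prio (\d+)")
RE_PEER_LOOKUP = re.compile(r"looking for peer configs matching (\S+)\[([^\]]*)\]\.\.\.(\S+)\[([^\]]*)\]")
RE_PEER_CAND = re.compile(r'candidate "([^"]+)", match: (\d+)/(\d+)/(\d+) \(me/other/ike\)')
RE_SELECTED = re.compile(r"selected peer config '([^']+)'")
RE_NO_PSK = re.compile(r"no shared key found for '([^']+)' - '([^']+)'")

# Assumption: strongSwan's identity match scale, where 0 is no match,
# 1 is a match against a %any wildcard only, and 20 is an exact match.
ID_MATCH_ANY = 1


def parse_charon(text):
    """Collect the config-selection facts charon logs for one IKE_SA."""
    info = {"ike_config": None, "local_id": None, "remote_id": None,
            "peer_candidates": [], "selected": None, "no_psk": None}
    for line in text.splitlines():
        if m := RE_IKE_CFG.search(line):
            # stage 1: IKE config chosen by local/remote address
            info["ike_config"] = (m.group(1), m.group(2), int(m.group(3)))
        elif m := RE_PEER_LOOKUP.search(line):
            # stage 2: identities carried in IKE_AUTH (IDi from the peer)
            info["local_id"], info["remote_id"] = m.group(2), m.group(4)
        elif m := RE_PEER_CAND.search(line):
            # each peer config candidate with its me/other/ike match scores
            info["peer_candidates"].append(
                (m.group(1), int(m.group(2)), int(m.group(3)), int(m.group(4))))
        elif m := RE_SELECTED.search(line):
            info["selected"] = m.group(1)
        elif m := RE_NO_PSK.search(line):
            # stage 3: PSK lookup for the (local, remote) identity pair
            info["no_psk"] = (m.group(1), m.group(2))
    return info


def diagnose(info):
    """Return a short verdict naming the stage that failed and what to check."""
    if info["no_psk"] is None:
        return "ok: no PSK lookup failure in this log"
    if info["ike_config"] is None:
        return "ike: no IKE config matched the peer addresses (check Interface/Remote gateway)"
    # A peer config that really carries the remote identity scores above the
    # wildcard value on the "other" field; wildcard-only matches do not.
    exact = [c for c in info["peer_candidates"] if c[2] > ID_MATCH_ANY]
    if not exact:
        names = ", ".join(c[0] for c in info["peer_candidates"]) or "none"
        return (f"peer-id: IKE config {info['ike_config'][0]}...{info['ike_config'][1]} matched, "
                f"but no peer config carries remote identity '{info['remote_id']}' "
                f"(wildcard-only candidates: {names}); fix the Phase 1 Peer ID type/value")
    return (f"psk: config '{info['selected']}' matched the identities "
            f"but has no PSK for {info['no_psk']}")


if __name__ == "__main__":
    print(diagnose(parse_charon(SAMPLE_LOG)))
```

Run against the quoted log, the verdict lands on the peer-identity stage: the address-based IKE config matched with priority 3100, but the only peer config that accepted the identity pair did so by wildcard, which is why a PSK is then looked up for '%any' rather than for the tunnel's configured peer. Comparing the PSK values, as the post did, cannot reveal this; the identity type sent by the peer has to line up with the Peer ID configured in Phase 1.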



  • I fixed this by switching the remote Peer ID to something other than Key ID; I used Distinguished Name and set it to the dynamic DNS hostname for the remote site.

