Netgate Discussion Forum
    IPSec fails with "no shared key found for '%any'"

    jhuntitg wrote:

      My IPSec connection is failing with "no shared key found for '%any' - '{Remote Peer ID}'" but I've ensured the PSK and all other settings match.  The only search results I can find about this error refer to old pfSense bugs and misconfiguration of the ipsec.secrets file on non-pfSense platforms.

      Can anyone suggest how to troubleshoot this?  The logs certainly suggest a misconfiguration, but I'm not seeing it.

      Settings and logs are as follows:

      Local pfSense IPsec settings

      IKE: v2
      IP: v4
      Interface: 2xx.xx.xx.163
      Remote: remote.xxx.com (dynamic DNS that resolves to 1x.xx.xx.34)
      Description: IPSec for Remote Site
      Auth Method: Mutual PSK
      My ID: IP Address, 2xx.xx.xx.163
      Peer ID: KeyID, "Remote"
      Preshared Key: "Temp123"
      P1 Encryption: AES 256
      P1 Hash: SHA1
      P1 DH Group: 2
      P1 Lifetime: 28800
      P1 Responder Only
      P1 MOBIKE: Disabled
      P1 Dead Peer Detection
      P1 Delay: 10
      P1 Max failures: 5
      P2 Mode: Tunnel v4
      P2 Local: Network, 10.x.2.0/24
      P2 NAT translation: None
      P2 Remote: Network, 10.x.11.0/24
      P2 Description: Remote LAN
      P2 Protocol: ESP
      P2 Encryption: AES 256
      P2 Hash: SHA1
      P2 PFS: Off
      P2 Lifetime: 28800

      Remote IPSec settings (Sonicwall)

      Policy Type: Site-to-Site
      Auth Method: IKE using Preshared Secret
      Name: Company
      IPsec Primary Gateway: 2xx.xx.xx.163
      IPsec Secondary Gateway: 0.0.0.0
      Shared Secret: "Temp123"
      Local IKE ID: Key Identifier, "Remote"
      Peer IKE ID: IP Address, 2xx.xx.xx.163
      Local Network: 10.x.11.0/24
      Remote Network: 10.x.2.0/24
      P1 Exchange: IKEv2 Mode
      P1 DH Group: 2
      P1 Encryption: AES-256
      P1 Auth: SHA1
      P1 Lifetime: 28800
      P2 Protocol: ESP
      P2 Encryption: AES-256
      P2 Auth: SHA1
      P2 PFS: Off
      P2 Lifetime: 28800
      Enable Keep Alive

      pfSense logs

      Mar 15 13:55:10 	charon 		08[NET] <2> received packet: from 1x.xx.xx.34[42933] to 2xx.xx.xx.163[500] (316 bytes)
      Mar 15 13:55:10 	charon 		08[ENC] <2> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V ]
      Mar 15 13:55:10 	charon 		08[CFG] <2> looking for an ike config for 2xx.xx.xx.163...1x.xx.xx.34
      Mar 15 13:55:10 	charon 		08[CFG] <2> candidate: %any...%any, prio 24
      Mar 15 13:55:10 	charon 		08[CFG] <2> candidate: 2xx.xx.xx.163...remote.xxx.com, prio 3100
      Mar 15 13:55:10 	charon 		08[CFG] <2> found matching ike config: 2xx.xx.xx.163...remote.xxx.com with prio 3100
      Mar 15 13:55:10 	charon 		08[ENC] <2> received unknown vendor ID: 2a:67:75:d0:ad:2a:a7:88:7c:33:fe:1d:68:ba:f3:08:96:6f:00:01
      Mar 15 13:55:10 	charon 		08[IKE] <2> 1x.xx.xx.34 is initiating an IKE_SA
      Mar 15 13:55:10 	charon 		08[IKE] <2> IKE_SA (unnamed)[2] state change: CREATED => CONNECTING
      Mar 15 13:55:10 	charon 		08[CFG] <2> selecting proposal:
      Mar 15 13:55:10 	charon 		08[CFG] <2> proposal matches
      Mar 15 13:55:10 	charon 		08[CFG] <2> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      Mar 15 13:55:10 	charon 		08[CFG] <2> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      Mar 15 13:55:10 	charon 		08[CFG] <2> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      Mar 15 13:55:10 	charon 		08[IKE] <2> remote host is behind NAT
      Mar 15 13:55:10 	charon 		08[ENC] <2> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
      Mar 15 13:55:10 	charon 		08[NET] <2> sending packet: from 2xx.xx.xx.163[500] to 1x.xx.xx.34[42933] (312 bytes)
      Mar 15 13:55:10 	charon 		08[NET] <2> received packet: from 1x.xx.xx.34[42450] to 2xx.xx.xx.163[4500] (220 bytes)
      Mar 15 13:55:10 	charon 		08[ENC] <2> parsed IKE_AUTH request 1 [ IDi CERTREQ AUTH SA TSi TSr N(INIT_CONTACT) ]
      Mar 15 13:55:10 	charon 		08[CFG] <2> looking for peer configs matching 2xx.xx.xx.163[%any]...1x.xx.xx.34[Remote]
      Mar 15 13:55:10 	charon 		08[CFG] <2> candidate "bypasslan", match: 1/1/24 (me/other/ike)
      Mar 15 13:55:10 	charon 		08[CFG] <bypasslan|2> selected peer config 'bypasslan'
      Mar 15 13:55:10 	charon 		08[IKE] <bypasslan|2> no shared key found for '%any' - 'Remote'
      Mar 15 13:55:10 	charon 		08[ENC] <bypasslan|2> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
      Mar 15 13:55:10 	charon 		08[NET] <bypasslan|2> sending packet: from 2xx.xx.xx.163[4500] to 1x.xx.xx.34[42450] (76 bytes)
      Mar 15 13:55:10 	charon 		08[IKE] <bypasslan|2> IKE_SA bypasslan[2] state change: CONNECTING => DESTROYING

      I tried changing the pfSense P1 Peer ID to Any but receive the same error.

      Any suggestions are appreciated.

      jhuntitg wrote:
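The log above shows the diagnostic pattern behind this error: the IKE_AUTH identity lookup matched only the catch-all `bypasslan` peer config (match scores 1/1, i.e. wildcard matches), so charon looked up the PSK under that config's `%any` local identity instead of the tunnel's own IDs. The following added example (not from the post or from pfSense/strongSwan) parses a constructed charon excerpt of that shape and reports the mismatch; the regexes and the `id_match_t` score interpretation (1 = wildcard, 20 = exact) are the author's assumptions about charon's log format.

```python
import re

# Constructed sample (not the post's full log): the IKE_AUTH lines from a
# strongSwan charon log, shaped like the pfSense log in the thread.
SAMPLE_LOG = """\
08[CFG] <2> looking for peer configs matching 2xx.xx.xx.163[%any]...1x.xx.xx.34[Remote]
08[CFG] <2> candidate "bypasslan", match: 1/1/24 (me/other/ike)
08[CFG] <bypasslan|2> selected peer config 'bypasslan'
08[IKE] <bypasslan|2> no shared key found for '%any' - 'Remote'
08[ENC] <bypasslan|2> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

# Assumed meaning of the me/other scores: charon's id_match_t, where
# 0 = no match, 1 = matched a wildcard (%any), 20 = exact identity match.
RE_LOOKUP = re.compile(r"matching \S*?\[([^\]]*)\]\.\.\.\S*?\[([^\]]*)\]")
RE_CAND = re.compile(r'candidate "([^"]+)", match: (\d+)/(\d+)/(\d+)')
RE_SEL = re.compile(r"selected peer config '([^']+)'")
RE_NOKEY = re.compile(r"no shared key found for '([^']+)' - '([^']+)'")

def parse_ike_auth(log_text):
    """Extract peer-config selection and PSK-lookup facts from one IKE_AUTH."""
    info = {"ids": None, "candidates": {}, "selected": None, "no_key": None}
    for line in log_text.splitlines():
        if m := RE_LOOKUP.search(line):
            info["ids"] = (m.group(1), m.group(2))   # (my ID, peer ID) as charon saw them
        elif m := RE_CAND.search(line):
            info["candidates"][m.group(1)] = tuple(int(x) for x in m.groups()[1:])
        elif m := RE_SEL.search(line):
            info["selected"] = m.group(1)
        elif m := RE_NOKEY.search(line):
            info["no_key"] = (m.group(1), m.group(2))
    return info

def diagnose(info):
    """Return findings explaining why the PSK lookup failed, or [] if it looks fine."""
    findings = []
    cands = info["candidates"]
    # Every candidate matched both identities only via wildcards: the tunnel's own
    # peer config (with its specific My ID / Peer ID) never became a candidate.
    if cands and all(me <= 1 and other <= 1 for me, other, _ in cands.values()):
        findings.append(f"only wildcard peer configs {sorted(cands)} matched the IDs "
                        f"{info['ids']}; check the My ID / Peer ID type and value on both sides")
    # charon keys its secret lookup on the selected config's identities, so a
    # '%any' local identity means the tunnel's PSK entry is never consulted.
    if info["no_key"] and info["no_key"][0] == "%any":
        findings.append(f"PSK lookup ran under config '{info['selected']}' with local identity "
                        f"'%any' for peer '{info['no_key'][1]}', not under the tunnel's IDs")
    return findings

if __name__ == "__main__":
    for finding in diagnose(parse_ike_auth(SAMPLE_LOG)):
        print("-", finding)
```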

        I fixed this by switching the remote Peer ID to something other than Key ID; I used Distinguished Name and set it to the dynamic DNS hostname for the remote site.
