4. IPSec fails with "no shared key found for '%any'"

IPSec fails with "no shared key found for '%any'"

  • J

    My IPSec connection is failing with "no shared key found for '%any' - '{Remote Peer ID}'" but I've ensured the PSK and all other settings match.  The only search results I can find about this error refer to old pfSense bugs and misconfiguration of the ipsec.secrets file on non-pfSense platforms.

    Can anyone suggest how to troubleshoot this?  The logs certainly suggest a misconfiguration, but I'm not seeing it.

    Settings and logs are as follows:

    Local pfSense IPsec settings

    
IKE: v2
IP: v4
Interface: 2xx.xx.xx.163
Remote: remote.xxx.com (dynamic DNS that resolves to 1x.xx.xx.34)
Description: IPSec for Remote Site
Auth Method: Mutual PSK
My ID: IP Address, 2xx.xx.xx.163
Peer ID: KeyID, "Remote"
Preshared Key: "Temp123"
P1 Encryption: AES 256
P1 Hash: SHA1
P1 DH Group: 2
P1 Lifetime: 28800
P1 Responder Only
P1 MOBIKE: Disabled
P1 Dead Peer Detection
P1 Delay: 10
P1 Max failures: 5
P2 Mode: Tunnel v4
P2 Local: Network, 10.x.2.0/24
P2 NAT translation: None
P2 Remote: Network, 10.x.11.0/24
P2 Description: Remote LAN
P2 Protocol: ESP
P2 Encryption: AES 256
P2 Hash: SHA1
P2 PFS: Off
P2 Lifetime: 28800

    Remote IPSec settings (Sonicwall)

    
Policy Type: Site-to-Site
Auth Method: IKE using Preshared Secret
Name: Company
IPsec Primary Gateway: 2xx.xx.xx.163
IPsec Secondary Gateway: 0.0.0.0
Shared Secret: "Temp123"
Local IKE ID: Key Identifier, "Remote"
Peer IKE ID: IP Address, 2xx.xx.xx.163
Local Network: 10.x.11.0/24
Remote Network: 10.x.2.0/24
P1 Exchange: IKEv2 Mode
P1 DH Group: 2
P1 Encryption: AES-256
P1 Auth: SHA1
P1 Lifetime: 28800
P2 Protocol: ESP
P2 Encryption: AES-256
P2 Auth: SHA1
P2 PFS: Off
P2 Lifetime: 28800
Enable Keep Alive

    pfSense logs

    
Mar 15 13:55:10 	charon 		08[NET] <2> received packet: from 1x.xx.xx.34[42933] to 2xx.xx.xx.163[500] (316 bytes)
Mar 15 13:55:10 	charon 		08[ENC] <2> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V ]
Mar 15 13:55:10 	charon 		08[CFG] <2> looking for an ike config for 2xx.xx.xx.163...1x.xx.xx.34
Mar 15 13:55:10 	charon 		08[CFG] <2> candidate: %any...%any, prio 24
Mar 15 13:55:10 	charon 		08[CFG] <2> candidate: 2xx.xx.xx.163...remote.xxx.com, prio 3100
Mar 15 13:55:10 	charon 		08[CFG] <2> found matching ike config: 2xx.xx.xx.163...remote.xxx.com with prio 3100
Mar 15 13:55:10 	charon 		08[ENC] <2> received unknown vendor ID: 2a:67:75:d0:ad:2a:a7:88:7c:33:fe:1d:68:ba:f3:08:96:6f:00:01
Mar 15 13:55:10 	charon 		08[IKE] <2> 1x.xx.xx.34 is initiating an IKE_SA
Mar 15 13:55:10 	charon 		08[IKE] <2> IKE_SA (unnamed)[2] state change: CREATED => CONNECTING
Mar 15 13:55:10 	charon 		08[CFG] <2> selecting proposal:
Mar 15 13:55:10 	charon 		08[CFG] <2> proposal matches
Mar 15 13:55:10 	charon 		08[CFG] <2> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Mar 15 13:55:10 	charon 		08[CFG] <2> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Mar 15 13:55:10 	charon 		08[CFG] <2> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Mar 15 13:55:10 	charon 		08[IKE] <2> remote host is behind NAT
Mar 15 13:55:10 	charon 		08[ENC] <2> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Mar 15 13:55:10 	charon 		08[NET] <2> sending packet: from 2xx.xx.xx.163[500] to 1x.xx.xx.34[42933] (312 bytes)
Mar 15 13:55:10 	charon 		08[NET] <2> received packet: from 1x.xx.xx.34[42450] to 2xx.xx.xx.163[4500] (220 bytes)
Mar 15 13:55:10 	charon 		08[ENC] <2> parsed IKE_AUTH request 1 [ IDi CERTREQ AUTH SA TSi TSr N(INIT_CONTACT) ]
Mar 15 13:55:10 	charon 		08[CFG] <2> looking for peer configs matching 2xx.xx.xx.163[%any]...1x.xx.xx.34[Remote]
Mar 15 13:55:10 	charon 		08[CFG] <2> candidate "bypasslan", match: 1/1/24 (me/other/ike)
Mar 15 13:55:10 	charon 		08[CFG] <bypasslan|2>selected peer config 'bypasslan'
Mar 15 13:55:10 	charon 		08[IKE] <bypasslan|2>no shared key found for '%any' - 'Remote'
Mar 15 13:55:10 	charon 		08[ENC] <bypasslan|2>generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Mar 15 13:55:10 	charon 		08[NET] <bypasslan|2>sending packet: from 2xx.xx.xx.163[4500] to 1x.xx.xx.34[42450] (76 bytes)
Mar 15 13:55:10 	charon 		08[IKE] <bypasslan|2>IKE_SA bypasslan[2] state change: CONNECTING => DESTROYING</bypasslan|2></bypasslan|2></bypasslan|2></bypasslan|2></bypasslan|2>

    I tried changing the pfSense P1 Peer ID to Any but receive the same error.

    Any suggestions are appreciated.

    0
  • J

    I fixed this by switching the remote Peer ID to something other than Key ID; I used Distinguished Name and set it to the dynamic DNS hostname for the remote site

    1
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy