Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    IPSec fails with "no shared key found for '%any'"

    Scheduled Pinned Locked Moved IPsec
    2 Posts 1 Posters 11.9k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      jhuntitg
      last edited by

      My IPSec connection is failing with "no shared key found for '%any' - '{Remote Peer ID}'" but I've ensured the PSK and all other settings match.  The only search results I can find about this error refer to old pfSense bugs and misconfiguration of the ipsec.secrets file on non-pfSense platforms.

      Can anyone suggest how to troubleshoot this?  The logs certainly suggest a misconfiguration, but I'm not seeing it.

      Settings and logs are as follows:

      Local pfSense IPsec settings

      
IKE: v2
IP: v4
Interface: 2xx.xx.xx.163
Remote: remote.xxx.com (dynamic DNS that resolves to 1x.xx.xx.34)
Description: IPSec for Remote Site
Auth Method: Mutual PSK
My ID: IP Address, 2xx.xx.xx.163
Peer ID: KeyID, "Remote"
Preshared Key: "Temp123"
P1 Encryption: AES 256
P1 Hash: SHA1
P1 DH Group: 2
P1 Lifetime: 28800
P1 Responder Only
P1 MOBIKE: Disabled
P1 Dead Peer Detection
P1 Delay: 10
P1 Max failures: 5
P2 Mode: Tunnel v4
P2 Local: Network, 10.x.2.0/24
P2 NAT translation: None
P2 Remote: Network, 10.x.11.0/24
P2 Description: Remote LAN
P2 Protocol: ESP
P2 Encryption: AES 256
P2 Hash: SHA1
P2 PFS: Off
P2 Lifetime: 28800

      Remote IPSec settings (Sonicwall)

      
Policy Type: Site-to-Site
Auth Method: IKE using Preshared Secret
Name: Company
IPsec Primary Gateway: 2xx.xx.xx.163
IPsec Secondary Gateway: 0.0.0.0
Shared Secret: "Temp123"
Local IKE ID: Key Identifier, "Remote"
Peer IKE ID: IP Address, 2xx.xx.xx.163
Local Network: 10.x.11.0/24
Remote Network: 10.x.2.0/24
P1 Exchange: IKEv2 Mode
P1 DH Group: 2
P1 Encryption: AES-256
P1 Auth: SHA1
P1 Lifetime: 28800
P2 Protocol: ESP
P2 Encryption: AES-256
P2 Auth: SHA1
P2 PFS: Off
P2 Lifetime: 28800
Enable Keep Alive

      pfSense logs

      
Mar 15 13:55:10 	charon 		08[NET] <2> received packet: from 1x.xx.xx.34[42933] to 2xx.xx.xx.163[500] (316 bytes)
Mar 15 13:55:10 	charon 		08[ENC] <2> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V ]
Mar 15 13:55:10 	charon 		08[CFG] <2> looking for an ike config for 2xx.xx.xx.163...1x.xx.xx.34
Mar 15 13:55:10 	charon 		08[CFG] <2> candidate: %any...%any, prio 24
Mar 15 13:55:10 	charon 		08[CFG] <2> candidate: 2xx.xx.xx.163...remote.xxx.com, prio 3100
Mar 15 13:55:10 	charon 		08[CFG] <2> found matching ike config: 2xx.xx.xx.163...remote.xxx.com with prio 3100
Mar 15 13:55:10 	charon 		08[ENC] <2> received unknown vendor ID: 2a:67:75:d0:ad:2a:a7:88:7c:33:fe:1d:68:ba:f3:08:96:6f:00:01
Mar 15 13:55:10 	charon 		08[IKE] <2> 1x.xx.xx.34 is initiating an IKE_SA
Mar 15 13:55:10 	charon 		08[IKE] <2> IKE_SA (unnamed)[2] state change: CREATED => CONNECTING
Mar 15 13:55:10 	charon 		08[CFG] <2> selecting proposal:
Mar 15 13:55:10 	charon 		08[CFG] <2> proposal matches
Mar 15 13:55:10 	charon 		08[CFG] <2> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Mar 15 13:55:10 	charon 		08[CFG] <2> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Mar 15 13:55:10 	charon 		08[CFG] <2> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Mar 15 13:55:10 	charon 		08[IKE] <2> remote host is behind NAT
Mar 15 13:55:10 	charon 		08[ENC] <2> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Mar 15 13:55:10 	charon 		08[NET] <2> sending packet: from 2xx.xx.xx.163[500] to 1x.xx.xx.34[42933] (312 bytes)
Mar 15 13:55:10 	charon 		08[NET] <2> received packet: from 1x.xx.xx.34[42450] to 2xx.xx.xx.163[4500] (220 bytes)
Mar 15 13:55:10 	charon 		08[ENC] <2> parsed IKE_AUTH request 1 [ IDi CERTREQ AUTH SA TSi TSr N(INIT_CONTACT) ]
Mar 15 13:55:10 	charon 		08[CFG] <2> looking for peer configs matching 2xx.xx.xx.163[%any]...1x.xx.xx.34[Remote]
Mar 15 13:55:10 	charon 		08[CFG] <2> candidate "bypasslan", match: 1/1/24 (me/other/ike)
Mar 15 13:55:10 	charon 		08[CFG] <bypasslan|2>selected peer config 'bypasslan'
Mar 15 13:55:10 	charon 		08[IKE] <bypasslan|2>no shared key found for '%any' - 'Remote'
Mar 15 13:55:10 	charon 		08[ENC] <bypasslan|2>generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Mar 15 13:55:10 	charon 		08[NET] <bypasslan|2>sending packet: from 2xx.xx.xx.163[4500] to 1x.xx.xx.34[42450] (76 bytes)
Mar 15 13:55:10 	charon 		08[IKE] <bypasslan|2>IKE_SA bypasslan[2] state change: CONNECTING => DESTROYING</bypasslan|2></bypasslan|2></bypasslan|2></bypasslan|2></bypasslan|2>

      I tried changing the pfSense P1 Peer ID to Any but receive the same error.

      Any suggestions are appreciated.

      1 Reply Last reply Reply Quote 0
      • J
        jhuntitg
        last edited by

        I fixed this by switching the remote Peer ID to something other than Key ID; I used Distinguished Name and set it to the dynamic DNS hostname for the remote site

        1 Reply Last reply Reply Quote 1
        • First post
          Last post
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.