Diffie Hellman group error phase 1



  • I have 4 IPsec tunnels connecting to my pfSense; only 1 of them is having issues connecting, as if pfSense is just blocking the one, when they are all set up the same. We recently had an outage with AT&T at that site but it came up just fine for days before this. I have updated firmware, rebooted, etc.; nothing works and all the settings look correct. The only thing I can find out of the norm is modp 1024 configured and 1536 received. DH group in phase 1 is set for 5; I have the screenshot for phase 2 attached.

    Aug 24 08:40:22 charon 06[NET] <10788> sending packet: from xx.xx.xxx.xx[500] to xx.xx.xx.xx[500] (56 bytes)
    Aug 24 08:40:22 charon 06[ENC] <10788> generating INFORMATIONAL_V1 request 3610246692 [ N(NO_PROP) ]
    Aug 24 08:40:22 charon 06[IKE] <10788> activating INFORMATIONAL task
    Aug 24 08:40:22 charon 06[IKE] <10788> activating new tasks
    Aug 24 08:40:22 charon 06[IKE] <10788> queueing INFORMATIONAL task
    Aug 24 08:40:22 charon 06[IKE] <10788> no proposal found
    Aug 24 08:40:22 charon 06[CFG] <10788> configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Aug 24 08:40:22 charon 06[CFG] <10788> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
    Aug 24 08:40:22 charon 06[CFG] <10788> no acceptable DIFFIE_HELLMAN_GROUP found
    Aug 24 08:40:22 charon 06[CFG] <10788> selecting proposal:
    Aug 24 08:40:22 charon 06[IKE] <10788> IKE_SA (unnamed)[10788] state change: CREATED => CONNECTING
    Aug 24 08:40:22 charon 06[IKE] <10788> remote ip is initiating a Main Mode IKE_SA
    Aug 24 08:40:22 charon 06[ENC] <10788> received unknown vendor ID: xx:xx:xx:xx:xx:xx:xx:xx:xx
    Aug 24 08:40:22 charon 06[IKE] <10788> received DPD vendor ID
    Aug 24 08:40:22 charon 06[IKE] <10788> received NAT-T (RFC 3947) vendor ID
    Aug 24 08:40:22 charon 06[IKE] <10788> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Aug 24 08:40:22 charon 06[IKE] <10788> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Aug 24 08:40:22 charon 06[IKE] <10788> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Aug 24 08:40:22 charon 06[ENC] <10788> received unknown vendor ID: xx:xx:xx:Xx:xx:xx:xx:xx:Xx:xx:xx:xx:xx:xx:Xx
    Aug 24 08:40:22 charon 06[ENC] <10788> received unknown vendor ID: xx:xx:xx:Xx:xx:xx:xx:xx:Xx:xx:xx:xx:xx:xx:Xx
    Aug 24 08:40:22 charon 06[CFG] <10788> found matching ike config: xx.xx.xxx.xx…%any with prio 1052
    Aug 24 08:40:22 charon 06[CFG] <10788> candidate: xx.xx.xxx.xx…%any, prio 1052
    Aug 24 08:40:22 charon 06[CFG] <10788> looking for an ike config for xx.xx.xxx.xx…xx.xx.xxx.xx
    Aug 24 08:40:22 charon 06[ENC] <10788> parsed ID_PROT request 0 [ SA V V V V V V V V ]
    Aug 24 08:40:22 charon 06[NET] <10788> received packet: from xx.xx.xxx.xx[500] to 71.95.197.22[500] (240 bytes)
    Aug 24 08:40:15 charon 06[IKE] <con3|9099> nothing to initiate
    Aug 24 08:40:15 charon 06[IKE] <con3|9099> activating new tasks
    Aug 24 08:40:15 charon 06[ENC] <con3|9099> parsed INFORMATIONAL_V1 request 368268754 [ HASH N(DPD_ACK) ]

    ![phase 2 barstow.JPG](/public/imported_attachments/1/phase 2 barstow.JPG)



  • It is as if pfSense is setting it for DH2 in the second phase even though I have it set for none. So I changed the setting in the PFS key on both sides to none, then 2 and 5; it fails every time.


  • Netgate

    That looks to me like your Phase 1 is configured for group 2 and the other side is expecting group 5.



  • Yeah, that is the weird thing, the logs are showing that but the settings are set for 5 on both sides. See attached. Any ideas? Should I reboot pfSense after hours tonight?

    ![pfsense phase1.JPG](/public/imported_attachments/1/pfsense phase1.JPG)
    ![zyxel phase1.JPG](/public/imported_attachments/1/zyxel phase1.JPG)


  • Netgate

    No need to reboot. If anything stop and start the ipsec service. Don't restart, stop and start.



  • It's so strange, as pfSense has been so reliable and I have 3 other sites that are connecting with the exact same config and connecting fine.

    I am remoted into the remote router; it's a Zyxel and it seems to be running fine, with the exception of getting timed out each time I try to connect.

    I even set it up for aggressive on both sides and changed to DH2 just to see if it did anything, but it gave the exact same error.


  • Netgate

    Yeah, stop stabbing around at checkboxes that make no difference.

    Is this 2.3.4_1?



  • Restarted the IPsec service, no dice. I am running 2.3.2-RELEASE.


  • Netgate

    I don't know of anything that would affect that but maybe you should get current.

    PM your /var/etc/ipsec/ipsec.conf and the output from ipsec statusall.

    If the logs have changed it might be helpful to see fresh ones, too.



  • Will PM you now. I even set up a completely new connection on pfSense and the remote router. pfSense is still stuck on wanting DH2 in phase 1 for some reason, so I matched on the remote site and got a pseudo random function error. See below.

    Aug 24 13:46:26 charon 06[IKE] <11758> IKE_SA (unnamed)[11758] state change: CONNECTING => DESTROYING
    Aug 24 13:46:26 charon 06[NET] <11758> sending packet: from xxxxxxx[500] to xxxxxx[500] (56 bytes)
    Aug 24 13:46:26 charon 06[ENC] <11758> generating INFORMATIONAL_V1 request 1417244930 [ N(NO_PROP) ]
    Aug 24 13:46:26 charon 06[IKE] <11758> activating INFORMATIONAL task
    Aug 24 13:46:26 charon 06[IKE] <11758> activating new tasks
    Aug 24 13:46:26 charon 06[IKE] <11758> queueing INFORMATIONAL task
    Aug 24 13:46:26 charon 06[IKE] <11758> no proposal found
    Aug 24 13:46:26 charon 06[CFG] <11758> configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Aug 24 13:46:26 charon 06[CFG] <11758> received proposals: IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
    Aug 24 13:46:26 charon 06[CFG] <11758> no acceptable PSEUDO_RANDOM_FUNCTION found
    Aug 24 13:46:26 charon 06[CFG] <11758> selecting proposal:
    Aug 24 13:46:26 charon 06[IKE] <11758> IKE_SA (unnamed)[11758] state change: CREATED => CONNECTING
    Aug 24 13:46:26 charon 06[IKE] <11758> xxxxxxx is initiating a Main Mode IKE_SA
    Aug 24 13:46:26 charon 06[ENC] <11758> received unknown vendor ID:
    Aug 24 13:46:26 charon 06[IKE] <11758> received DPD vendor ID
    Aug 24 13:46:26 charon 06[IKE] <11758> received NAT-T (RFC 3947) vendor ID
    Aug 24 13:46:26 charon 06[IKE] <11758> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Aug 24 13:46:26 charon 06[IKE] <11758> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Aug 24 13:46:26 charon 06[IKE] <11758> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Aug 24 13:46:26 charon 06[ENC] <11758> received unknown vendor ID:
    Aug 24 13:46:26 charon 06[ENC] <11758> received unknown vendor ID:
    Aug 24 13:46:26 charon 06[CFG] <11758> found matching ike config: xxxxxxxxx…%any with prio 1052
    Aug 24 13:46:26 charon 06[CFG] <11758> candidate: xxxxxxxx…%any, prio 1052
    Aug 24 13:46:26 charon 06[CFG] <11758> looking for an ike config for xxxxxxx…xxxxxxxx
    Aug 24 13:46:26 charon 06[ENC] <11758> parsed ID_PROT request 0 [ SA V V V V V V V V ]
    Aug 24 13:46:26 charon 06[NET] <11758> received packet: from xxxx[500] to xxxxx[500] (240 bytes)


  • Netgate

    That is set to MD5 on one side and SHA1 on the other.

    These do not match:

    IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024

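To pick out this kind of mismatch without comparing the proposal strings by eye, here is an added example (not from the thread, pfSense or strongSwan) that parses charon's "configured proposals" / "received proposals" lines per IKE_SA and reports which field prevents a match; the sample lines are constructed from the ones posted in this thread, and the DH_GROUPS table maps charon's MODP names to the DH group numbers the pfSense and Zyxel GUIs show.

```python
import re

# Field order in which charon prints an IKEv1 proposal: ENCR/INTEG/PRF/DH.
FIELDS = ("ENCRYPTION_ALGORITHM", "INTEGRITY_ALGORITHM",
          "PSEUDO_RANDOM_FUNCTION", "DIFFIE_HELLMAN_GROUP")

# charon DH group names -> the IKE group numbers the pfSense and Zyxel GUIs
# show (MODP_1024 is "DH2", MODP_1536 is "DH5").
DH_GROUPS = {"MODP_768": 1, "MODP_1024": 2, "MODP_1536": 5, "MODP_2048": 14,
             "MODP_3072": 15, "MODP_4096": 16, "ECP_256": 19, "ECP_384": 20}

PROPOSAL_RE = re.compile(
    r"\[CFG\] <(?P<sa>[^>]+)> (?P<kind>configured|received) proposals: (?P<props>.+)$")

# Constructed sample, modelled on the charon lines posted in this thread.
SAMPLE_LOG = """\
Aug 24 16:36:02 charon 13[CFG] <12233> configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Aug 24 16:36:02 charon 13[CFG] <12233> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
Aug 24 13:46:26 charon 06[CFG] <11758> configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Aug 24 13:46:26 charon 06[CFG] <11758> received proposals: IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Aug 24 15:41:41 charon 04[CFG] <12046> configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Aug 24 15:41:41 charon 04[CFG] <12046> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
"""

def dh_group(name):
    """Translate a charon DH name to the group number shown in the GUI."""
    return DH_GROUPS.get(name, name)

def parse_proposal(text):
    """'IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024' -> {field: alg}."""
    return dict(zip(FIELDS, text.split(":", 1)[1].split("/")))

def mismatches(configured, received):
    """Fields on which the peer's first proposal differs from our first one;
    [] when any received proposal equals a configured one ('proposal matches')."""
    if any(r == c for r in received for c in configured):
        return []
    c, r = configured[0], received[0]
    return [(f, c[f], r[f]) for f in FIELDS if c[f] != r[f]]

def diagnose(log):
    """Per IKE_SA id: list of (field, ours, theirs) that prevent a match."""
    seen = {}
    for line in log.splitlines():
        m = PROPOSAL_RE.search(line)
        if m:  # several proposals on one line are separated by ", "
            props = [parse_proposal(p) for p in m.group("props").split(", ")]
            seen.setdefault(m.group("sa"), {})[m.group("kind")] = props
    return {sa: mismatches(s["configured"], s["received"])
            for sa, s in seen.items() if "configured" in s and "received" in s}
```

For the sample, `diagnose(SAMPLE_LOG)` reports only the DH field for SA 12233 (MODP_1024 vs MODP_1536, i.e. `dh_group()` gives DH2 configured against DH5 offered), both the integrity and PRF fields for SA 11758, and nothing for SA 12046, which is the case where charon logs "proposal matches".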

  • I set them both to match but it's like pfSense is sticking. I am going to have them all set to SHA1, but the log is saying it doesn't support a preshared key. Stand by, I have to drive home, then will try and repost logs. Feels like I am closer at least.


  • Netgate

    There are settings that do not take effect until rekey/reauth or the tunnel is torn down and brought back up. IPsec is generally set it and forget it so it likes to keep the tunnels up.



  • Yeah, for all my other sites it has been set it and forget it, so I set up another tunnel to see if that fixed it but it just seemed to have other issues. The most I have had to do up till now is reset the unit; usually I just need to reconnect the VPN.

    Here are the most recent logs as I went back to that tunnel. I changed the designation to be pfsense and remote; also, both are set for DH5 for phase 1 and none for phase 2.

    Aug 24 15:35:52 charon 06[IKE] <12010> IKE_SA (unnamed)[12010] state change: CONNECTING => DESTROYING
    Aug 24 15:35:52 charon 06[NET] <12010> sending packet: from pfsense[500] to remote[500] (56 bytes)
    Aug 24 15:35:52 charon 06[ENC] <12010> generating INFORMATIONAL_V1 request 1130904949 [ N(NO_PROP) ]
    Aug 24 15:35:52 charon 06[IKE] <12010> activating INFORMATIONAL task
    Aug 24 15:35:52 charon 06[IKE] <12010> activating new tasks
    Aug 24 15:35:52 charon 06[IKE] <12010> queueing INFORMATIONAL task
    Aug 24 15:35:52 charon 06[IKE] <12010> no proposal found
    Aug 24 15:35:52 charon 06[CFG] <12010> configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Aug 24 15:35:52 charon 06[CFG] <12010> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
    Aug 24 15:35:52 charon 06[CFG] <12010> no acceptable DIFFIE_HELLMAN_GROUP found
    Aug 24 15:35:52 charon 06[CFG] <12010> selecting proposal:
    Aug 24 15:35:52 charon 06[IKE] <12010> IKE_SA (unnamed)[12010] state change: CREATED => CONNECTING
    Aug 24 15:35:52 charon 06[IKE] <12010> remote is initiating a Main Mode IKE_SA
    Aug 24 15:35:52 charon 06[ENC] <12010> received unknown vendor ID: af:ca:d7:13:68:a1:f1:c9:6b:86:96:fc:77:57
    Aug 24 15:35:52 charon 06[IKE] <12010> received DPD vendor ID
    Aug 24 15:35:52 charon 06[IKE] <12010> received NAT-T (RFC 3947) vendor ID
    Aug 24 15:35:52 charon 06[IKE] <12010> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Aug 24 15:35:52 charon 06[IKE] <12010> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Aug 24 15:35:52 charon 06[IKE] <12010> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Aug 24 15:35:52 charon 06[ENC] <12010> received unknown vendor ID:
    Aug 24 15:35:52 charon 06[ENC] <12010> received unknown vendor ID:
    Aug 24 15:35:52 charon 06[CFG] <12010> found matching ike config: pfsense…%any with prio 1052
    Aug 24 15:35:52 charon 06[CFG] <12010> candidate: pfsense…%any, prio 1052
    Aug 24 15:35:52 charon 06[CFG] <12010> looking for an ike config for pfsense…remote
    Aug 24 15:35:52 charon 06[ENC] <12010> parsed ID_PROT request 0 [ SA V V V V V V V V ]
    Aug 24 15:35:52 charon 06[NET] <12010> received packet: from remote[500] to pfsense[500] (240 bytes)



  • Now that I changed the remote to DH2 I get this:

    Aug 24 15:41:42 charon 10[IKE] <12046> IKE_SA (unnamed)[12046] state change: CONNECTING => DESTROYING
    Aug 24 15:41:42 charon 10[NET] <12046> sending packet: from pfsense[4500] to remote[4500] (84 bytes)
    Aug 24 15:41:42 charon 10[ENC] <12046> generating INFORMATIONAL_V1 request 295856288 [ HASH N(AUTH_FAILED) ]
    Aug 24 15:41:42 charon 10[IKE] <12046> activating INFORMATIONAL task
    Aug 24 15:41:42 charon 10[IKE] <12046> activating new tasks
    Aug 24 15:41:42 charon 10[IKE] <12046> queueing INFORMATIONAL task
    Aug 24 15:41:42 charon 10[IKE] <12046> found 1 matching config, but none allows pre-shared key authentication using Main Mode
    Aug 24 15:41:42 charon 10[CFG] <12046> candidate "con5", match: 1/1/1052 (me/other/ike)
    Aug 24 15:41:42 charon 10[CFG] <12046> looking for pre-shared key peer configs matching pfsense…remote[remote]
    Aug 24 15:41:42 charon 10[ENC] <12046> parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
    Aug 24 15:41:42 charon 10[NET] <12046> received packet: from remote[4500] to pfsense[4500] (92 bytes)
    Aug 24 15:41:42 charon 04[NET] <12046> sending packet: from pfsense[500] to remote[500] (244 bytes)
    Aug 24 15:41:42 charon 04[ENC] <12046> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
    Aug 24 15:41:42 charon 04[IKE] <12046> faking NAT situation to enforce UDP encapsulation
    Aug 24 15:41:42 charon 04[ENC] <12046> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
    Aug 24 15:41:42 charon 04[NET] <12046> received packet: from remote[500] to pfsense[500] (228 bytes)
    Aug 24 15:41:41 charon 04[NET] <12046> sending packet: from pfsense[500] to remote[500] (136 bytes)
    Aug 24 15:41:41 charon 04[ENC] <12046> generating ID_PROT response 0 [ SA V V V ]
    Aug 24 15:41:41 charon 04[IKE] <12046> sending NAT-T (RFC 3947) vendor ID
    Aug 24 15:41:41 charon 04[IKE] <12046> sending DPD vendor ID
    Aug 24 15:41:41 charon 04[IKE] <12046> sending XAuth vendor ID
    Aug 24 15:41:41 charon 04[CFG] <12046> selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Aug 24 15:41:41 charon 04[CFG] <12046> configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Aug 24 15:41:41 charon 04[CFG] <12046> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Aug 24 15:41:41 charon 04[CFG] <12046> proposal matches
    Aug 24 15:41:41 charon 04[CFG] <12046> selecting proposal:
    Aug 24 15:41:41 charon 04[IKE] <12046> IKE_SA (unnamed)[12046] state change: CREATED => CONNECTING
    Aug 24 15:41:41 charon 04[IKE] <12046> remote is initiating a Main Mode IKE_SA
    Aug 24 15:41:41 charon 04[ENC] <12046> received unknown vendor ID:
    Aug 24 15:41:41 charon 04[IKE] <12046> received DPD vendor ID
    Aug 24 15:41:41 charon 04[IKE] <12046> received NAT-T (RFC 3947) vendor ID
    Aug 24 15:41:41 charon 04[IKE] <12046> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Aug 24 15:41:41 charon 04[IKE] <12046> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Aug 24 15:41:41 charon 04[IKE] <12046> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Aug 24 15:41:41 charon 04[ENC] <12046> received unknown vendor ID:
    Aug 24 15:41:41 charon 04[ENC] <12046> received unknown vendor ID:
    Aug 24 15:41:41 charon 04[CFG] <12046> found matching ike config: pfsense…%any with prio 1052
    Aug 24 15:41:41 charon 04[CFG] <12046> candidate: pfsense…%any, prio 1052
    Aug 24 15:41:41 charon 04[CFG] <12046> looking for an ike config for pfsense…remote
    Aug 24 15:41:41 charon 04[ENC] <12046> parsed ID_PROT request 0 [ SA V V V V V V V V ]
    Aug 24 15:41:41 charon 04[NET] <12046> received packet: from remote[500] to pfsense[500] (240 bytes)


  • Netgate

    Is it still set for aggressive mode? Set it to Main.

    I won't know what con5 is until I get those config files and output in the PM.



  • I copied settings from other working tunnels but it is saying it is DH2 on phase 1 when I have DH5 selected. They are all set for Main.

    Can I give you those outputs via the GUI? I don't have shell enabled and don't know the commands.

    If I have to, I can restart the pfSense router tonight.

    Aug 24 16:36:02 charon 13[IKE] <12233> IKE_SA (unnamed)[12233] state change: CONNECTING => DESTROYING
    Aug 24 16:36:02 charon 13[NET] <12233> sending packet: from pfsense[500] to remote[500] (56 bytes)
    Aug 24 16:36:02 charon 13[ENC] <12233> generating INFORMATIONAL_V1 request 2927385480 [ N(NO_PROP) ]
    Aug 24 16:36:02 charon 13[IKE] <12233> activating INFORMATIONAL task
    Aug 24 16:36:02 charon 13[IKE] <12233> activating new tasks
    Aug 24 16:36:02 charon 13[IKE] <12233> queueing INFORMATIONAL task
    Aug 24 16:36:02 charon 13[IKE] <12233> no proposal found
    Aug 24 16:36:02 charon 13[CFG] <12233> configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Aug 24 16:36:02 charon 13[CFG] <12233> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
    Aug 24 16:36:02 charon 13[CFG] <12233> no acceptable DIFFIE_HELLMAN_GROUP found
    Aug 24 16:36:02 charon 13[CFG] <12233> selecting proposal:
    Aug 24 16:36:02 charon 13[IKE] <12233> IKE_SA (unnamed)[12233] state change: CREATED => CONNECTING
    Aug 24 16:36:02 charon 13[IKE] <12233> remote is initiating a Main Mode IKE_SA
    Aug 24 16:36:02 charon 13[ENC] <12233> received unknown vendor ID:
    Aug 24 16:36:02 charon 13[IKE] <12233> received DPD vendor ID
    Aug 24 16:36:02 charon 13[IKE] <12233> received NAT-T (RFC 3947) vendor ID
    Aug 24 16:36:02 charon 13[IKE] <12233> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Aug 24 16:36:02 charon 13[IKE] <12233> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Aug 24 16:36:02 charon 13[IKE] <12233> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Aug 24 16:36:02 charon 13[ENC] <12233> received unknown vendor ID:
    Aug 24 16:36:02 charon 13[ENC] <12233> received unknown vendor ID:
    Aug 24 16:36:02 charon 13[CFG] <12233> found matching ike config: pfsense…%any with prio 1052
    Aug 24 16:36:02 charon 13[CFG] <12233> candidate: pfsense…%any, prio 1052
    Aug 24 16:36:02 charon 13[CFG] <12233> looking for an ike config for pfsense…remote
    Aug 24 16:36:02 charon 13[ENC] <12233> parsed ID_PROT request 0 [ SA V V V V V V V V ]
    Aug 24 16:36:02 charon 13[NET] <12233> received packet: from remote[500] to pfsense[500] (240 bytes)


  • Netgate

    It looks like those connections are matching your Mobile IPsec somehow. Is the other side set to be aggressive mode?

    I see it says Main mode up there, but that's what's happening…

    Aug 24 16:36:02  charon      13[NET] <12233> received packet: from remote[500] to pfsense[500] (240 bytes)

    Are you sure about that remote source IP address?



  • Turns out, as strange as it was, pfSense was somehow stuck on DH2 for phase 1. I had to reboot pfSense and it fixed the problem, even though no configs had changed and 3 other sites were connected in exactly the same way; the unit had been up for almost 300 days without a reboot, though. Can't figure out how to mark as solved; maybe that's left for moderators?



  • LOL, pfSense does funny things.