Tunnel with PFS and a WatchGuard Firebox XTM 850
-
Hey guys,
I fail to configure an IPsec tunnel between a virtualized pfSense and a WatchGuard hardware appliance in Phase 2.
It doesn't seem to matter what the opposite side and I configure in phase 1 or phase 2. Whenever Perfect Forward Secrecy is enabled, the connection fails with the error message below. I have tried all other variants of DH groups and hash algorithms. If PFS is active, the connection fails. We are able to transfer data with the same config but without PFS.
Does anyone have an idea? I am very grateful for all ideas and hints.
Nov 30 11:31:50 charon 10[IKE] <con1|2> initiating IKE_SA con1[2] to 2.2.2.2
Nov 30 11:31:50 charon 10[ENC] <con1|2> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Nov 30 11:31:50 charon 10[NET] <con1|2> sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (466 bytes)
Nov 30 11:31:50 charon 10[NET] <con1|2> received packet: from 2.2.2.2[500] to 1.1.1.1[500] (452 bytes)
Nov 30 11:31:50 charon 10[ENC] <con1|2> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V ]
Nov 30 11:31:50 charon 10[ENC] <con1|2> received unknown vendor ID: -snip-
Nov 30 11:31:50 charon 10[IKE] <con1|2> local host is behind NAT, sending keep alives
Nov 30 11:31:50 charon 10[IKE] <con1|2> authentication of '1.1.1.1' (myself) with pre-shared key
Nov 30 11:31:50 charon 10[IKE] <con1|2> establishing CHILD_SA con1{3}
Nov 30 11:31:50 charon 10[ENC] <con1|2> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Nov 30 11:31:50 charon 10[NET] <con1|2> sending packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (304 bytes)
Nov 30 11:31:50 charon 10[NET] <con1|2> received packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (80 bytes)
Nov 30 11:31:50 charon 10[ENC] <con1|2> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Nov 30 11:31:50 charon 10[IKE] <con1|2> received AUTHENTICATION_FAILED notify error
Current configuration:
P1
IKEv2
IPv4
Remote Gateway 2.2.2.2
Mutual PSK
My identifier 1.1.1.1
Peer identifier 2.2.2.2
Pre-Shared Key -snip-
Encryption Algorithm AES / 256 bits
Hash Algorithm SHA256
DH Group 14
Lifetime (Seconds) 28800
Margintime (Seconds) 3600
Dead Peer Detection Enabled
P2
Mode Tunnel IPv4
Local Network 10.10.10.0/24
Remote Network 11.11.11.0/24
Protocol ESP
Encryption Algorithms AES 256 bits
Hash Algorithms SHA256
PFS key group 14
Lifetime 3600 Seconds
-
Update, this is what the Firebox says:
[Related Logs]
<158>Dec 1 09:12:43 iked[8304]: (2.2.2.2<->1.1.1.1)******** RECV an IKE packet at 2.2.2.2:500(socket=13 ifIndex=10) from Peer 1.1.1.1:500 ********
<158>Dec 1 09:12:43 iked[8304]: (2.2.2.2<->1.1.1.1)Received IKEv2 "IKE_SA_INIT response" message with message-ID:0 length:440 SPI[i]
<158>Dec 1 09:12:43 iked[8304]: (2.2.2.2<->1.1.1.1)"IKE_SA_INIT response" message has 6 payloads [ SA(sz=48) KE(sz=264) NONCE(sz=36) N(sz=28) N(sz=28) N(sz=8)]
<158>Dec 1 09:12:43 iked[8304]: (2.2.2.2<->1.1.1.1)Got IKE policy 'gateway.something' from ikeSA(0x3bbc5b8)
<158>Dec 1 09:12:43 iked[8304]: (2.2.2.2<->1.1.1.1)dispatch the received IKE_SA_INIT response message - IkeSA(0x3bbc5b8)'s state=SA_INIT_I
<158>Dec 1 09:12:43 iked[8304]: (2.2.2.2<->1.1.1.1)The peer is behind NAT
<158>Dec 1 09:12:43 iked[8304]: (2.2.2.2<->1.1.1.1)The local is NOT behind NAT
<158>Dec 1 09:12:43 iked[8304]: (2.2.2.2<->1.1.1.1)non-supported notify type: 16404(N(MULTIPLE_AUTH_SUPPORTED)), ignore it
<158>Dec 1 09:12:43 iked[8304]: (2.2.2.2<->1.1.1.1)ENCR: found the matched ENCR algo - ENCR_AES_CBC_256
<158>Dec 1 09:12:43 iked[8304]: (2.2.2.2<->1.1.1.1)IKE proposal[#1] is matched - ENCR_AES_CBC/AUTH_HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/DH_GROUP14
<158>Dec 1 09:12:43 iked[8304]: (2.2.2.2<->1.1.1.1)stop the retry object(0x3bb9778) for the previous request message(name=IKE_SA_INIT request, msgId=0)
<158>Dec 1 09:12:43 iked[8304]: (2.2.2.2<->1.1.1.1)NATT: as the initiator, we need to float UDP port (myPort: 500 -> 4500, peerPort: 500 -> 4500), local 0 remote 1
<158>Dec 1 09:12:43 iked[8304]: (2.2.2.2<->1.1.1.1)Starting IKE_AUTH exchange. IKE policy:gateway.something opCode:4
<158>Dec 1 09:12:43 iked[8304]: (2.2.2.2<->1.1.1.1)peer does NOT support childless, do ikeConnectP1
<158>Dec 1 09:12:43 iked[8304]: (2.2.2.2<->1.1.1.1)'IKE_AUTH request' message created successfully. length:240
<158>Dec 1 09:12:43 iked[8304]: (2.2.2.2<->1.1.1.1)Sent out IKE_AUTH request message (msgId=1) from 2.2.2.2:4500 to 1.1.1.1:4500 for 'gateway.something' gateway endpoint successfully.
<158>Dec 1 09:12:43 iked[8304]: (2.2.2.2<->1.1.1.1)ikeSA(0x3bbc5b8) state change: SA_INIT_I ==> IKE_AUTH_I, reason: "IKE_AUTH request is Out"
<158>Dec 1 09:12:43 iked[8304]: (2.2.2.2<->1.1.1.1)ikeSA(0x3bbc5b8)'s msgIdSend is updated: 1 -> 2
<158>Dec 1 09:12:43 iked[8304]: (2.2.2.2<->1.1.1.1)******** RECV an IKE packet at 2.2.2.2:4500(socket=14 ifIndex=10) from Peer 1.1.1.1:4500 ********
<158>Dec 1 09:12:43 iked[8304]: (2.2.2.2<->1.1.1.1)Received IKEv2 "IKE_AUTH response" message with message-ID:1 length:144 SPI[i]
<158>Dec 1 09:12:43 iked[8304]: (2.2.2.2<->1.1.1.1)"IKE_AUTH response" message has 1 payloads [ ENCR(sz=116)]
<158>Dec 1 09:12:43 iked[8304]: (2.2.2.2<->1.1.1.1)Got IKE policy 'gateway.something' from ikeSA(0x3bbc5b8)
<158>Dec 1 09:12:43 iked[8304]: (2.2.2.2<->1.1.1.1)IKEv2 "IKE_AUTH response"'s decrypted message contains 4 payloads [ IDr(sz=12) AUTH(sz=40) N(sz=12) N(sz=8)]
<158>Dec 1 09:12:43 iked[8304]: (2.2.2.2<->1.1.1.1)dispatch the received IKE_AUTH response message - IkeSA(0x3bbc5b8)'s state=IKE_AUTH_I
<158>Dec 1 09:12:43 iked[8304]: (2.2.2.2<->1.1.1.1)non-supported notify type: 16403(N(AUTH_LIFETIME)), ignore it
<158>Dec 1 09:12:43 iked[8304]: (2.2.2.2<->1.1.1.1)remote gatway(1.1.1.1:4500)'s proposed ID matches the configured ID in the local ikePcy(gateway.something)
<158>Dec 1 09:12:43 iked[8304]: (2.2.2.2<->1.1.1.1)ikeSA(0x3bbc5b8) state change: IKE_AUTH_I ==> MATURE, reason: "Validated peer's ID in IKE_AUTH_RESPONSE successfully"
<158>Dec 1 09:12:43 iked[8304]: msg_id="021A-0017" (2.2.2.2<->1.1.1.1)IKEv2 IKE SA established successfully as initiator for 'gateway.something' gateway endpoint. local-gw:2.2.2.2:4500 remote-gw:1.1.1.1:4500 SA ID:0x6c505829.
<158>Dec 1 09:12:43 iked[8304]: (2.2.2.2<->1.1.1.1)IKESA(0x3bbc5b8) life-time timer started. original-life-time:28800 adjusted-life-time:28795 negotiation-role:initiator
<158>Dec 1 09:12:43 iked[8304]: (2.2.2.2<->1.1.1.1)ike2_P1StatusChange: notify ikePcy(gateway.something ver#2)'s status becomes "UP" (ikeSA=0x3bbc5b8)
<158>Dec 1 09:12:43 iked[8304]: (2.2.2.2<->1.1.1.1)stop the retry object(0x3a361c8) for the previous request message(name=IKE_AUTH request, msgId=1)
<158>Dec 1 09:12:44 iked[8304]: ikeDoDdpAction: received INIT_DPD message for SA dir:OUT
<158>Dec 1 09:12:52 iked[8304]: ikeDoDdpAction: received INIT_DPD message for SA dir:OUT
<158>Dec 1 09:12:55 iked[8304]: ikeDoDdpAction: received INIT_DPD message for SA dir:OUT
<158>Dec 1 09:12:57 iked[8304]: ikeDoDdpAction: received INIT_DPD message for SA dir:OUT
<158>Dec 1 09:12:58 iked[8304]: ikeDoDdpAction: received INIT_DPD message for SA dir:OUT
<158>Dec 1 09:12:59 iked[8304]: Trace file (/tmp/debug/ikemsg.log) exceeds limit (51269>51200).
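A small triage script for charon output like the log quoted above, added here as an example; it is not part of the original post and not pfSense or strongSwan code. It parses lines in the layout the post's log uses, reconstructs the IKEv2 exchange sequence (IKE_SA_INIT, IKE_AUTH), records the NAT-T port float from UDP 500 to 4500, and reports which reply carried the error notify and whether that reply contained any CHILD_SA payloads. The sample lines are constructed to mirror the post's log with its placeholder addresses and connection name; the regexes assume charon's default log line format and nothing else.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the charon lines quoted in the post, using its placeholder
# addresses (1.1.1.1 local, 2.2.2.2 remote) and connection name con1.
SAMPLE_LOG = """\
Nov 30 11:31:50 charon 10[IKE] <con1|2> initiating IKE_SA con1[2] to 2.2.2.2
Nov 30 11:31:50 charon 10[ENC] <con1|2> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Nov 30 11:31:50 charon 10[NET] <con1|2> sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (466 bytes)
Nov 30 11:31:50 charon 10[NET] <con1|2> received packet: from 2.2.2.2[500] to 1.1.1.1[500] (452 bytes)
Nov 30 11:31:50 charon 10[ENC] <con1|2> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V ]
Nov 30 11:31:50 charon 10[ENC] <con1|2> received unknown vendor ID: -snip-
Nov 30 11:31:50 charon 10[IKE] <con1|2> local host is behind NAT, sending keep alives
Nov 30 11:31:50 charon 10[IKE] <con1|2> authentication of '1.1.1.1' (myself) with pre-shared key
Nov 30 11:31:50 charon 10[IKE] <con1|2> establishing CHILD_SA con1{3}
Nov 30 11:31:50 charon 10[ENC] <con1|2> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Nov 30 11:31:50 charon 10[NET] <con1|2> sending packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (304 bytes)
Nov 30 11:31:50 charon 10[NET] <con1|2> received packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (80 bytes)
Nov 30 11:31:50 charon 10[ENC] <con1|2> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Nov 30 11:31:50 charon 10[IKE] <con1|2> received AUTHENTICATION_FAILED notify error
"""

# "<timestamp> charon <thread>[<subsystem>] <conn|ike_id> <message>"; the space after
# the "<conn|id>" tag is optional because web pastes often lose it.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) charon \d+\[(?P<sub>[A-Z]+)\] "
    r"<(?P<conn>[^|>]+)\|(?P<ike_id>\d+)>\s*(?P<msg>.*)$"
)
EXCHANGE_RE = re.compile(
    r"^(?P<dir>generating|parsed) (?P<name>[A-Z_]+) (?P<kind>request|response) "
    r"(?P<msg_id>\d+) \[ ?(?P<payloads>.*?) ?\]$"
)
PACKET_RE = re.compile(
    r"^(?P<dir>sending|received) packet: from \S+\[(?P<sport>\d+)\] "
    r"to \S+\[(?P<dport>\d+)\] \((?P<size>\d+) bytes\)$"
)
ERROR_RE = re.compile(r"^received (?P<notify>[A-Z_]+) notify error$")
CHILD_RE = re.compile(r"^establishing CHILD_SA (?P<child>\S+)$")


@dataclass
class Exchange:
    direction: str   # "generating" = sent by this host, "parsed" = received from the peer
    name: str        # IKE_SA_INIT, IKE_AUTH, CREATE_CHILD_SA, INFORMATIONAL
    kind: str        # request or response
    msg_id: int
    payloads: list   # payload tokens exactly as charon prints them, e.g. "N(AUTH_FAILED)"


@dataclass
class IkeSummary:
    conn: str = ""
    ike_id: int = 0
    exchanges: list = field(default_factory=list)
    ports_used: list = field(default_factory=list)   # local UDP source ports, in order of first use
    behind_nat: bool = False
    child_sa: Optional[str] = None                   # CHILD_SA name charon tried to set up
    error_notify: Optional[str] = None               # e.g. AUTHENTICATION_FAILED
    failed_exchange: Optional[Exchange] = None       # the received message that carried the error


def parse_line(line: str) -> Optional[dict]:
    """Split one charon log line into its fields; None for lines in another format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(log_text: str) -> IkeSummary:
    """Walk the log once and collect the negotiation state for the (single) IKE SA in it."""
    s = IkeSummary()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        s.conn, s.ike_id = rec["conn"], int(rec["ike_id"])
        msg = rec["msg"]
        if (m := EXCHANGE_RE.match(msg)):
            s.exchanges.append(Exchange(m["dir"], m["name"], m["kind"],
                                        int(m["msg_id"]), m["payloads"].split()))
        elif (m := PACKET_RE.match(msg)):
            # a switch from source port 500 to 4500 is the NAT-T port float
            if m["dir"] == "sending" and (port := int(m["sport"])) not in s.ports_used:
                s.ports_used.append(port)
        elif msg.startswith("local host is behind NAT"):
            s.behind_nat = True
        elif (m := CHILD_RE.match(msg)):
            s.child_sa = m["child"]
        elif (m := ERROR_RE.match(msg)):
            s.error_notify = m["notify"]
            # the error belongs to the most recently parsed (received) message
            s.failed_exchange = next((ex for ex in reversed(s.exchanges)
                                      if ex.direction == "parsed"), None)
    return s


def diagnose(s: IkeSummary) -> list:
    """Reduce the summary to the facts a tunnel-debugging thread usually needs."""
    facts = [f"{s.conn}[{s.ike_id}]: {len(s.exchanges)} IKEv2 messages seen"]
    if s.behind_nat or 4500 in s.ports_used:
        facts.append("NAT-T active: local source ports " + " -> ".join(map(str, s.ports_used)))
    if s.error_notify is None or s.failed_exchange is None:
        facts.append("no error notify received")
        return facts
    ex = s.failed_exchange
    facts.append(f"peer answered {ex.name} {ex.kind} {ex.msg_id} with {s.error_notify}")
    # A reply that carries only a notify means the peer rejected the whole exchange:
    # neither the IKE SA nor the CHILD_SA piggy-backed on IKE_AUTH came up, so this
    # notify alone does not tell you whether the PSK, the IDs or the CHILD_SA proposal
    # (for instance its PFS/DH transform) was the problem. The peer's own log does.
    if s.child_sa and not any(p in ("SA", "TSi", "TSr") for p in ex.payloads):
        facts.append(f"CHILD_SA {s.child_sa} was requested inside IKE_AUTH but the reply "
                     "has no SA/TSi/TSr payloads; the rejection covers the whole exchange")
    return facts


if __name__ == "__main__":
    for fact in diagnose(summarize(SAMPLE_LOG)):
        print(fact)
```

Run as-is it prints the facts for the constructed sample; pass a real charon log to summarize() to get the same summary. The point of splitting the exchange list from the error is that the Firebox log in the same post shows the other half of the picture, a Phase 1 that reaches MATURE with no CHILD_SA following, so lining up both sides' exchange sequences by message ID is what localises the problem to the child SA proposal rather than to the PSK or identities.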
-
No one really has an idea?
-
It turned out that the firmware on the Firebox is older and can be updated. With firmware > 12 it works immediately.