IPSec just won't connect, pulling my hair



  • Hey,

    I'm kind of used to working with IPSec, and normally it's not a problem. I've set up a lot of them during the years, and at the moment have at least 15+ working on different pfsense routers that I manage. But I have a tunnel going from work to my home, used for backups, that stopped working some weeks ago, and no matter what I try it simply won't go up. I've looked over it what feels like a million times so I can't have missed anything. This is the phase1 config on router 1:

        <phase1>
            <ikeid>1</ikeid>
            <iketype>ikev1</iketype>
            <mode>main</mode>
            <interface>wan</interface>
            <remote-gateway>sannahed.1337.cx</remote-gateway>
            <protocol>inet</protocol>
            <myid_type>fqdn</myid_type>
            <myid_data>ipsec.leetcom.se</myid_data>
            <peerid_type>any</peerid_type>
            <peerid_data>sannahed.1337.cx</peerid_data>
            <encryption-algorithm>
                <name>aes</name>
                <keylen>256</keylen>
            </encryption-algorithm>
            <hash-algorithm>sha1</hash-algorithm>
            <dhgroup>2</dhgroup>
            <lifetime>28800</lifetime>
            <pre-shared-key>mysharedkey</pre-shared-key>
            <private-key></private-key>
            <caref></caref>
            <authentication_method>pre_shared_key</authentication_method>
            <nat_traversal>on</nat_traversal>
            <mobike>off</mobike>
            <rekey_enable></rekey_enable>
            <dpd_delay>10</dpd_delay>
            <dpd_maxfail>5</dpd_maxfail>
        </phase1>
    

    And this is the phase1 config on router 2:

        <phase1>
            <ikeid>1</ikeid>
            <iketype>ikev1</iketype>
            <mode>main</mode>
            <interface>wan</interface>
            <remote-gateway>ipsec.leetcom.se</remote-gateway>
            <protocol>inet</protocol>
            <myid_type>fqdn</myid_type>
            <myid_data>sannahed.1337.cx</myid_data>
            <peerid_type>any</peerid_type>
            <peerid_data>ipsec.leetcom.se</peerid_data>
            <encryption-algorithm>
                <name>aes</name>
                <keylen>256</keylen>
            </encryption-algorithm>
            <hash-algorithm>sha1</hash-algorithm>
            <dhgroup>2</dhgroup>
            <lifetime>28800</lifetime>
            <pre-shared-key>mysharedkey</pre-shared-key>
            <private-key></private-key>
            <caref></caref>
            <authentication_method>pre_shared_key</authentication_method>
            <nat_traversal>on</nat_traversal>
            <mobike>off</mobike>
            <rekey_enable></rekey_enable>
            <dpd_delay>10</dpd_delay>
            <dpd_maxfail>5</dpd_maxfail>
        </phase1>
    

    And the log…

    Mar 13 21:39:01 ipsec_starter 40391 'bypasslan' shunt PASS policy installed
    Mar 13 21:39:01 charon 12[CFG] received stroke: route 'bypasslan'
    Mar 13 21:39:01 charon 09[CFG] added configuration 'bypasslan'
    Mar 13 21:39:01 charon 09[CFG] received stroke: add connection 'bypasslan'
    Mar 13 21:39:01 charon 12[CFG] deleted connection 'bypasslan'
    Mar 13 21:39:01 charon 12[CFG] received stroke: delete connection 'bypasslan'
    Mar 13 21:39:01 ipsec_starter 40391 shunt policy 'bypasslan' uninstalled
    Mar 13 21:39:01 charon 12[CFG] received stroke: unroute 'bypasslan'
    Mar 13 21:39:01 charon 10[CFG] rereading crls from '/usr/local/etc/ipsec.d/crls'
    Mar 13 21:39:01 charon 10[CFG] rereading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
    Mar 13 21:39:01 charon 10[CFG] rereading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
    Mar 13 21:39:01 charon 10[CFG] rereading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
    Mar 13 21:39:01 charon 10[CFG] rereading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
    Mar 13 21:39:01 charon 10[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
    Mar 13 21:39:01 charon 10[CFG] rereading secrets
    Mar 13 21:38:14 ipsec_starter 40391 'bypasslan' shunt PASS policy installed
    Mar 13 21:38:14 charon 15[CFG] received stroke: route 'bypasslan'
    Mar 13 21:38:14 charon 13[CFG] added configuration 'bypasslan'
    Mar 13 21:38:14 charon 13[CFG] received stroke: add connection 'bypasslan'
    Mar 13 21:38:14 charon 15[CFG] deleted connection 'bypasslan'
    Mar 13 21:38:14 charon 15[CFG] received stroke: delete connection 'bypasslan'
    Mar 13 21:38:14 ipsec_starter 40391 shunt policy 'bypasslan' uninstalled
    Mar 13 21:38:14 charon 15[CFG] received stroke: unroute 'bypasslan'
    Mar 13 21:38:14 charon 14[CFG] rereading crls from '/usr/local/etc/ipsec.d/crls'
    Mar 13 21:38:14 charon 14[CFG] rereading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
    Mar 13 21:38:14 charon 14[CFG] rereading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
    Mar 13 21:38:14 charon 14[CFG] rereading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
    Mar 13 21:38:14 charon 14[CFG] rereading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
    Mar 13 21:38:14 charon 14[CFG] loaded IKE secret for %any @ipsec.leetcom.se
    Mar 13 21:38:14 charon 14[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
    Mar 13 21:38:14 charon 14[CFG] rereading secrets
    Mar 13 21:37:58 ipsec_starter 40391 'bypasslan' shunt PASS policy installed
    Mar 13 21:37:58 charon 01[CFG] received stroke: route 'bypasslan'
    Mar 13 21:37:58 charon 01[CFG] added configuration 'bypasslan'
    Mar 13 21:37:58 charon 01[CFG] received stroke: add connection 'bypasslan'
    Mar 13 21:37:58 ipsec_starter 40391 charon (40404) started after 140 ms
    Mar 13 21:37:58 charon 00[JOB] spawning 16 worker threads
    Mar 13 21:37:58 charon 00[LIB] loaded plugins: charon unbound aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf curve25519 xcbc cmac hmac curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-sim eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap whitelist addrblock
    Mar 13 21:37:58 charon 00[CFG] loaded 0 RADIUS server configurations
    Mar 13 21:37:58 charon 00[CFG] opening triplet file /usr/local/etc/ipsec.d/triplets.dat failed: No such file or directory
    Mar 13 21:37:58 charon 00[CFG] loaded IKE secret for %any @ipsec.leetcom.se
    Mar 13 21:37:58 charon 00[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
    Mar 13 21:37:58 charon 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
    Mar 13 21:37:58 charon 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
    Mar 13 21:37:58 charon 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
    Mar 13 21:37:58 charon 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
    Mar 13 21:37:58 charon 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
    Mar 13 21:37:58 charon 00[CFG] ipseckey plugin is disabled
    Mar 13 21:37:58 charon 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
    Mar 13 21:37:58 charon 00[KNL] unable to set UDP_ENCAP: Invalid argument

    Since I didn't get it to work I have:
    Installed a new router 2
    Upgraded both routers so they're running on 2.4.2-RELEASE-p1
    Reset router 2 and rebuilt the config
    Verified I can ping the FQDN and WAN IP on both
    Remember router 1 has at least 3 or 4 running tunnels with basically the same settings

    Am I still missing something?



  • Not sure why you are using 'any' instead of 'fqdn' for the peer identifiers, but other than that nothing jumps out at me
    You verified the p2 is matching traffic and trying to initiate?



  • @dotdash:

    Not sure why you are using 'any' instead of 'fqdn' for the peer identifiers, but other than that nothing jumps out at me

    Because I tested so much I forgot I put it on any… I usually have fqdn there too.

    @dotdash:

    You verified the p2 is matching traffic and trying to initiate?

    At this point I didn't even configure p2 as I can't even get p1 up and running.

    Also I sent a mail to my ISP asking if they're blocking me in some way.


  • Netgate

    I don't think there is any reason for the P1 to even attempt a connection without a P2. There is no interesting traffic in that case.

    There are no connection attempts in the logs you posted.

    I would config a P2 and try again.
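
Both diagnoses in this thread can be checked mechanically: dotdash's point about `peerid_type` being `any`, and the Netgate reply's observation that the posted log contains no connection attempts at all. The script below is an added example, not code from the thread, from pfSense or from strongSwan. It re-parses the two `<phase1>` blocks as posted (abridged to the tags it reads), checks that the settings both peers must agree on are identical and that each side's expected peer ID is the other side's own identity, and flags `any`. It then triages the log: lines are grouped by charon subsystem tag, and only `[IKE]`/`[ENC]` lines, or `[NET]` lines about packets being sent or received, count as a negotiation attempt. The posted slice has only `[CFG]`, startup `[NET]` and `[KNL]` lines, so it reports zero attempts, which is exactly what you expect when nothing (no P2, no interesting traffic) has asked charon to initiate. The contrast lines showing what a real main-mode attempt looks like are constructed in strongSwan's usual wording; the connection name and the addresses in them are illustrative.

```python
"""Added example for this thread (not pfSense's or strongSwan's own code):
compare two pfSense <phase1> blocks for mirror consistency, then triage a charon
log for signs that an IKE negotiation was ever attempted. Standard library only."""
import collections
import re
import xml.etree.ElementTree as ET

# Router 1's <phase1> as posted (abridged to the tags these checks read).
ROUTER1_PHASE1 = """<phase1><ikeid>1</ikeid><iketype>ikev1</iketype><mode>main</mode>
<interface>wan</interface><remote-gateway>sannahed.1337.cx</remote-gateway><protocol>inet</protocol>
<myid_type>fqdn</myid_type><myid_data>ipsec.leetcom.se</myid_data>
<peerid_type>any</peerid_type><peerid_data>sannahed.1337.cx</peerid_data>
<encryption-algorithm><name>aes</name><keylen>256</keylen></encryption-algorithm>
<hash-algorithm>sha1</hash-algorithm><dhgroup>2</dhgroup><lifetime>28800</lifetime>
<pre-shared-key>mysharedkey</pre-shared-key><authentication_method>pre_shared_key</authentication_method>
<nat_traversal>on</nat_traversal><mobike>off</mobike><dpd_delay>10</dpd_delay><dpd_maxfail>5</dpd_maxfail>
</phase1>"""
# Router 2's block is router 1's with the two hostnames swapped, exactly as posted.
ROUTER2_PHASE1 = (ROUTER1_PHASE1.replace("sannahed.1337.cx", "@@")
                  .replace("ipsec.leetcom.se", "sannahed.1337.cx").replace("@@", "ipsec.leetcom.se"))

# Settings both peers must agree on for an IKEv1 main-mode proposal to match.
MUST_MATCH = ["iketype", "mode", "encryption", "hash-algorithm", "dhgroup",
              "lifetime", "authentication_method", "pre-shared-key", "nat_traversal"]


def parse_phase1(xml_text):
    """Flatten a <phase1> element into {tag: text}; encryption becomes e.g. 'aes256'."""
    root = ET.fromstring(xml_text)
    cfg = {child.tag: (child.text or "").strip() for child in root}
    enc = root.find("encryption-algorithm")
    cfg["encryption"] = enc.findtext("name") + enc.findtext("keylen")
    return cfg


def compare_phase1(a, b):
    """Return human-readable problems; an empty list means the two P1s mirror cleanly."""
    problems = [f"{k}: {a.get(k)!r} vs {b.get(k)!r}" for k in MUST_MATCH if a.get(k) != b.get(k)]
    for me, peer, label in ((a, b, "router1"), (b, a, "router2")):
        # The ID I expect from the peer must be the ID the peer actually sends.
        if me["peerid_data"] != peer["myid_data"]:
            problems.append(f"{label}: peerid_data {me['peerid_data']!r} != peer myid_data "
                            f"{peer['myid_data']!r}")
        if me["peerid_type"] == "any":
            problems.append(f"{label}: peerid_type 'any' does not pin the peer identity; "
                            f"'fqdn' would accept only {peer['myid_data']!r}")
    return problems


# "Mar 13 21:39:01 charon 12[CFG] msg"  or  "Mar 13 21:39:01 ipsec_starter 40391 msg"
LOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<proc>\S+) "
                    r"(?:(?P<thread>\d+)\[(?P<sub>[A-Z]+)\]|(?P<pid>\d+)) (?P<msg>.*)$")
PACKET_RE = re.compile(r"\b(sending|received) packet\b")


def triage_log(lines):
    """Count lines per charon subsystem and collect the ones that show an IKE
    exchange actually happening: IKE/ENC subsystem lines, or NET packet I/O."""
    per_subsystem = collections.Counter()
    attempts = []
    for raw in lines:
        m = LOG_RE.match(raw.strip())
        if not m:
            continue  # blank or foreign line; not an IKE event either way
        sub = m.group("sub") or m.group("proc")
        per_subsystem[sub] += 1
        if sub in ("IKE", "ENC") or (sub == "NET" and PACKET_RE.search(m.group("msg"))):
            attempts.append(m.group("msg"))
    return {"per_subsystem": dict(per_subsystem), "attempts": attempts}


# A slice of the log posted in the thread: startup and config reloads only.
POSTED_LOG = """\
Mar 13 21:39:01 ipsec_starter 40391 'bypasslan' shunt PASS policy installed
Mar 13 21:39:01 charon 12[CFG] received stroke: route 'bypasslan'
Mar 13 21:39:01 charon 10[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
Mar 13 21:37:58 charon 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
Mar 13 21:37:58 charon 00[KNL] unable to set UDP_ENCAP: Invalid argument""".splitlines()
# Constructed contrast lines in strongSwan's usual wording (not from the thread; the
# connection name is illustrative and the addresses are RFC 5737 documentation ranges).
CONSTRUCTED_ATTEMPT = POSTED_LOG + [
    "Mar 13 21:40:02 charon 05[IKE] initiating Main Mode IKE_SA con1000[1] to 203.0.113.10",
    "Mar 13 21:40:02 charon 05[NET] sending packet: from 198.51.100.2[500] to 203.0.113.10[500] (180 bytes)",
    "Mar 13 21:40:06 charon 07[IKE] retransmit 1 of request with message ID 0",
]


def main():
    for p in compare_phase1(parse_phase1(ROUTER1_PHASE1), parse_phase1(ROUTER2_PHASE1)):
        print("P1:", p)
    for name, log in (("posted log", POSTED_LOG), ("constructed log", CONSTRUCTED_ATTEMPT)):
        r = triage_log(log)
        print(f"{name}: {r['per_subsystem']} -> {len(r['attempts'])} negotiation line(s)")


if __name__ == "__main__":
    main()
```

Run it directly for a summary, or import it and hand `triage_log` the full IPsec log export. If `attempts` is still empty after a P2 exists and traffic has been generated, the tunnel was never asked to initiate (policy, interesting traffic, or a firewall rule), whereas `[IKE]` lines followed only by retransmits point at the path between the two gateways, which is the ISP question raised earlier in the thread.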