HELP : ERROR: none message must be encrypted
I am currently trying to set up a VPN tunnel to a client that is internationally based. Thus, we have no access to the host box, but we have a settings page that they have confirmed is accurate.
When trying to ping / telnet / putty / anything to the IP addresses given (within the remote subnet range), we get the following in the LOGS:
Feb 2 09:17:41 racoon: [Myvpn]: ERROR: 141.194.yyy.zzz [i](Client Gateway IP)[/i] give up to get IPsec-SA due to time up to wait. Feb 2 09:17:32 last message repeated 2 times Feb 2 09:17:12 racoon: ERROR: none message must be encrypted Feb 2 09:17:11 racoon: [Myvpn]: INFO: initiate new phase 2 negotiation: xx.xx.xx.xx [i](Our PF sense WAN IP address)[/i] <=>141.194.xx.xx [i](Client Gateway IP)[/i] 
Our settings are as follows on the IPSec side:
Mode Tunnel Interface WAN Local Subent LAN subnet Remote subnet 141.194.www.xxx/24 Remote Gateway 141.194.yyy.zzz Description My VPN Phase 1: Negotiation Mode : Main My Identifier My IP Address Encryption Algorithm 3DES Hash algorithm SHA1 DH key group 2 Lifetime 28800 seconds Authentication Pre-shared key Pre-shared Key ************ Phase 2: Protocol ESP Encryption algorithms 3DES Hash Algorithms SHA1 PFS key group 2 Lifetime 28800 seconds Keep Alive: Automatically ping host __________ IP address
From the pfsense web configurator we can ping to any outside website, but not from a client PC if we use the pfSense box as a gateway.
Please help, what does the 'none message must be encrypted' thing mean?
The client has confirmed that they have seen the tunnel as up from their side, yet we can do no transacting between the two networks.
This is quite an urgent thing to get up…
Thanks in advance!
Forgot to state that in the firewall rules side I have set ALL traffic for LAN, WAN and IPSEC to be allowed… Thus it is all just one great big range of *'s.
Firewall in System log doesn't seem to block anything, thus the rules appear to work... Will narrow down security once the tunnel is working...
After not touching this system the whole day, just trying to do a telnet to one of the servers again today, I get this:
Feb 2 16:42:08 racoon: ERROR: fatal INVALID-ID-INFORMATION notify messsage, phase1 should be deleted.
Feb 2 16:42:08 racoon: [Michelin vpn]: INFO: initiate new phase 2 negotiation: ### (Our PFSense IP)<=>### (Client Public Gateway)
Feb 2 16:42:08 racoon: [Michelin vpn]: INFO: ISAKMP-SA established ### (Our PFSense IP)-### (Client Public Gateway) spi:0ff6c06a390cbad2:cb0cf2c20c189609
Feb 2 16:42:06 racoon: INFO: received Vendor ID: DPD
Feb 2 16:42:06 racoon: INFO: begin Identity Protection mode.
Feb 2 16:42:06 racoon: [Michelin vpn]: INFO: initiate new phase 1 negotiation: ### (Our PFSense IP)<=>### (Client Public Gateway)
Feb 2 16:42:06 racoon: [Michelin vpn]: INFO: IPsec-SA request for ### (Client Public Gateway) queued due to no phase1 found.
PLEASE help… We changed nothing and now this has come up on the system...
Doesn't anyone have any answers?
Please help, this is really really urgent for us. We need to support the client and can not get access…
The error is back to the first one 'none message must be encrypted' though.
ANYONE? PLEASE? :-[ :-\ :'(
Is there device a PIX or cisco device. What do the remote endpoint settings look like? Also are you saying that from behind the pfsense you are not able to get out to the internet? Have you modified any of the rules for the firewall? LAN/WAN/IPSEC interfaces?
Is there any device acting as a firewall in fron of your device or the other device? If so….pfSense does not support NAT-T in the current stable version.
Their device as far as we know it is a Cisco device yes.
Remote endpoint settings match ours according to them, minus the obvious reversal of local and remote networks etc. From behind pf sense I can't get out, yes. Can ping from pfsense itself, not from behind it using it as a gateway on my box. LAN / WAN / IPSEC rules on the firewall page are set with all * to allow any and all traffic through to first get this working. Will worry about refining that once we get the tunnel working.
No other device - My PC –> pfSense box --> ADSL router --> Internet and on their side we have no idea. They say we need to NAT our IP's and they have other clients connecting to the same VPN router on their side, so NATting must work it seems.
Any other options maybe?
What internal subnets are you both using?
we are running on 192.168.2.0/24, NATted to x.x.191/24 and they are on x.x.249.0/24 for the external IP's we ping to. Internal IP's on their side is in the 10.x.x.x range. Also /24 as far as we know…