HELP : ERROR: none message must be encrypted

  • Hi.

    I am currently trying to set up a VPN tunnel to a client that is internationally based. Thus, we have no access to the host box, but we have a settings page that they have confirmed is accurate.

    When trying to ping / telnet / putty / anything to the IP addresses given (within the remote subnet range), we get the following in the LOGS:

    Feb 2 09:17:41	racoon: [Myvpn]: ERROR: 141.194.yyy.zzz (Client Gateway IP) give up to get IPsec-SA due to time up to wait.
    Feb 2 09:17:32	last message repeated 2 times
    Feb 2 09:17:12	racoon: ERROR: none message must be encrypted
    Feb 2 09:17:11	racoon: [Myvpn]: INFO: initiate new phase 2 negotiation: xx.xx.xx.xx (Our pfSense WAN IP address) [0]<=>141.194.xx.xx (Client Gateway IP) [0]

    Our settings are as follows on the IPSec side:

    Mode                    Tunnel
    Interface               WAN
    Local Subnet            LAN subnet
    Remote subnet
    Remote Gateway          141.194.yyy.zzz
    Description             My VPN
    Phase 1:
    Negotiation Mode        Main
    My Identifier           My IP Address
    Encryption Algorithm    3DES
    Hash algorithm          SHA1
    DH key group            2
    Lifetime                28800 seconds
    Authentication          Pre-shared key
    Pre-shared Key          ************
    Phase 2:
    Protocol                ESP
    Encryption algorithms   3DES
    Hash Algorithms         SHA1
    PFS key group           2
    Lifetime                28800 seconds
    Keep Alive:
    Automatically ping host __________ IP address

    From the pfSense web configurator we can ping any outside website, but not from a client PC if we use the pfSense box as a gateway.

    Please help, what does the 'none message must be encrypted' thing mean?

    The client has confirmed that they have seen the tunnel as up from their side, yet we can do no transacting between the two networks.
    This is quite an urgent thing to get up…

    Thanks in advance!

  • Forgot to state that in the firewall rules side I have set ALL traffic for LAN, WAN and IPSEC to be allowed… Thus it is all just one great big range of *'s.

    Firewall in System log doesn't seem to block anything, thus the rules appear to work... Will narrow down security once the tunnel is working...

  • After not touching this system the whole day, just trying to do a telnet to one of the servers again today, I get this:

    Feb 2 16:42:08 racoon: ERROR: fatal INVALID-ID-INFORMATION notify messsage, phase1 should be deleted.
    Feb 2 16:42:08 racoon: [Michelin vpn]: INFO: initiate new phase 2 negotiation: ### (Our PFSense IP)[500]<=>### (Client Public Gateway)[500]
    Feb 2 16:42:08 racoon: [Michelin vpn]: INFO: ISAKMP-SA established ### (Our PFSense IP)-### (Client Public Gateway)[500] spi:0ff6c06a390cbad2:cb0cf2c20c189609
    Feb 2 16:42:06 racoon: INFO: received Vendor ID: DPD
    Feb 2 16:42:06 racoon: INFO: begin Identity Protection mode.
    Feb 2 16:42:06 racoon: [Michelin vpn]: INFO: initiate new phase 1 negotiation: ### (Our PFSense IP)<=>### (Client Public Gateway)[500]
    Feb 2 16:42:06 racoon: [Michelin vpn]: INFO: IPsec-SA request for ### (Client Public Gateway) queued due to no phase1 found.

    PLEASE help… We changed nothing and now this has come up on the system...
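The two log excerpts in this thread are the only evidence the poster has, so it helps to read them by IKE phase: an "ISAKMP-SA established" line means Phase 1 completed, and the errors that follow it belong to Phase 2 (quick mode). The triage below is an added example, not from the thread or pfSense; the sample lines are constructed from the ones quoted above with documentation addresses, and the per-message hints are this example's reading of racoon behaviour, not something the thread states.

```python
import re

# Constructed sample modelled on the racoon lines quoted in this thread
# (documentation addresses, not the poster's real log).
SAMPLE_LOG = """\
Feb 2 09:17:11 racoon: [Myvpn]: INFO: initiate new phase 2 negotiation: 203.0.113.10[0]<=>198.51.100.1[0]
Feb 2 09:17:12 racoon: ERROR: none message must be encrypted
Feb 2 09:17:32 last message repeated 2 times
Feb 2 09:17:41 racoon: [Myvpn]: ERROR: 198.51.100.1 give up to get IPsec-SA due to time up to wait.
Feb 2 16:42:08 racoon: [Myvpn]: INFO: ISAKMP-SA established 203.0.113.10-198.51.100.1[500]
Feb 2 16:42:08 racoon: ERROR: fatal INVALID-ID-INFORMATION notify messsage, phase1 should be deleted.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) racoon: "
    r"(?:\[(?P<tunnel>[^\]]+)\]: )?(?P<level>INFO|ERROR): (?P<msg>.*)$"
)

# fragment -> (phase, outcome, hint); the hints are this example's assumption
SIGNATURES = [
    ("ISAKMP-SA established", "phase1", "ok", "PSK, identifiers and Phase 1 proposal agreed"),
    ("none message must be encrypted", "phase2", "fail", "cleartext reply where an encrypted one was expected; peer may hold no Phase 1 SA"),
    ("give up to get IPsec-SA", "phase2", "fail", "no IPsec-SA before timeout; compare ESP proposal, PFS group and subnets"),
    ("INVALID-ID-INFORMATION", "phase2", "fail", "peer rejected the offered identities; subnets must mirror its config"),
]


def parse_line(line):
    """Split one racoon syslog line into fields; None for non-racoon lines."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text):
    """Tag known racoon messages and report which IKE phase is failing."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for fragment, phase, outcome, hint in SIGNATURES:
            if fragment in rec["msg"]:
                findings.append({"ts": rec["ts"], "phase": phase,
                                 "outcome": outcome, "hint": hint})
    phase1_ok = any(f["phase"] == "phase1" and f["outcome"] == "ok" for f in findings)
    phase2_fail = [f for f in findings if f["phase"] == "phase2" and f["outcome"] == "fail"]
    # no ISAKMP-SA at all points at Phase 1; an ISAKMP-SA plus quick-mode errors points at Phase 2
    verdict = "phase1" if not phase1_ok else ("phase2" if phase2_fail else "ok")
    return {"phase1_ok": phase1_ok, "phase2_failures": phase2_fail, "verdict": verdict}
```

Run against the thread's second excerpt the verdict is Phase 2, which is where the local and remote subnet definitions on both peers come into play rather than the pre-shared key.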

  • Doesn't anyone have any answers?

    Please help, this is really really urgent for us. We need to support the client and can not get access…

    The error is back to the first one 'none message must be encrypted' though.

    ANYONE? PLEASE?  :-[ :-\ :'(

  • Is their device a PIX or Cisco device?  What do the remote endpoint settings look like?  Also, are you saying that from behind the pfSense you are not able to get out to the internet?  Have you modified any of the rules for the firewall?  LAN/WAN/IPSEC interfaces?

  • Is there any device acting as a firewall in front of your device or the other device?  If so... pfSense does not support NAT-T in the current stable version.

  • Their device, as far as we know, is a Cisco device, yes.

    Remote endpoint settings match ours according to them, minus the obvious reversal of local and remote networks etc. From behind pfSense I can't get out, yes. I can ping from pfSense itself, not from behind it using it as a gateway on my box. LAN / WAN / IPSEC rules on the firewall page are set with all * to allow any and all traffic through to first get this working. Will worry about refining that once we get the tunnel working.

    No other device - My PC --> pfSense box --> ADSL router --> Internet, and on their side we have no idea. They say we need to NAT our IPs, and they have other clients connecting to the same VPN router on their side, so NATting must work, it seems.

    Any other options maybe?

  • What internal subnets are you both using?

  • We are running on, NATted to, x.x.191/24 and they are on x.x.249.0/24 for the external IPs we ping to. Internal IPs on their side are in the 10.x.x.x range. Also /24 as far as we know…
