Site to Site IPSec VPN over AT&T Wireless



  • I have added an AT&T Wireless Internet device to an existing pfSense running on an SG-1000. All internet connectivity over the new interface works well, but I can't seem to get an IPSec VPN created for a site-to-site VPN. Both ends are running 2.4.3-RELEASE-p1.

    Site A (Primary)

    • WAN2 - PPPOE DHCP Used for VPN but a very static DHCP
    • VPN Settings
    • IKEv1
    • IPv4
    • Remote Gateway: lte.siteB.com
    • Mutual PSK
    • Negotiation: Main
    • My ID: sitea.sitea-to-siteb
    • Peer ID: siteb.sitea-to-siteb
    • PSK: matching via copy/paste
    • P1 Encryption: AES256, SHA256, DH Group 14
    • Lifetime: 28800
    • Disable Rekey: enabled
    • Responder Only: enabled
    • NAT-T: Auto
    • DPD: Enabled
    • Delay: 10
    • Max Fail: 5

    Site B (Secondary)

    • WAN2 - Static Private IP behind AT&T internet gateway
    • VPN Settings
    • IKEv1
    • IPv4
    • Remote Gateway: wan2.sitea.com
    • Mutual PSK
    • Negotiation: Main
    • My ID: siteb.sitea-to-siteb
    • Peer ID: sitea.sitea-to-siteb
    • PSK: matching via copy/paste
    • P1 Encryption: AES256, SHA256, DH Group 14
    • Lifetime: 28800
    • Disable Rekey: enabled
    • Responder Only: disabled
    • NAT-T: Auto
    • DPD: Enabled
    • Delay: 10
    • Max Fail: 5

    Now I stop at the P1 details because I see this error message in the logs

    Aug 14 19:39:07	charon		13[IKE] <con1000|2> ignore malformed INFORMATIONAL request
    Aug 14 19:39:07	charon		13[IKE] <con1000|2> message parsing failed
    Aug 14 19:39:07	charon		13[ENC] <con1000|2> could not decrypt payloads
    Aug 14 19:39:07	charon		13[ENC] <con1000|2> invalid HASH_V1 payload length, decryption failed?
    

    According to https://www.netgate.com/docs/pfsense/vpn/ipsec/ipsec-troubleshooting.html it means I have a PSK mismatch but I have verified, changed, re-verified, tried other PSKs to no avail.

    I have also enabled MSS clamping on VPN traffic and set it down to 1300 on both ends. I am at somewhat of a loss as to what I may be missing.


  • Netgate

    Things like MSS clamping will not prevent the tunnel from connecting.

    I would uncheck disable re-key on both sides. Probably won't fix this but it should be unchecked.

    You might want to post more of the logs. From that it looks like the PSKs don't match, as you have already found.

    Also double-check the types of the identifiers. What are you setting there? Distinguished name?



  • I have removed the check for Disable rekey. Should I be setting a margintime?

    I am using distinguished name for the identifiers, as that is what I have commonly used in similar setups. While the error continues to point to a PSK mismatch, the keys match; I have copied the key from one configuration page to the other.

    Here are some more logs following the changes

    Aug 16 08:56:31	charon		12[IKE] <con1000|2> INFORMATIONAL_V1 request with message ID 3744141107 processing failed
    Aug 16 08:56:31	charon		12[IKE] <con1000|2> ignore malformed INFORMATIONAL request
    Aug 16 08:56:31	charon		12[IKE] <con1000|2> message parsing failed
    Aug 16 08:56:31	charon		12[ENC] <con1000|2> could not decrypt payloads
    Aug 16 08:56:31	charon		12[ENC] <con1000|2> invalid HASH_V1 payload length, decryption failed?
    Aug 16 08:56:31	charon		12[NET] <con1000|2> received packet: from 50.X.X.149[500] to 10.X.6.2[500] (92 bytes)
    Aug 16 08:56:30	charon		12[NET] <con1000|2> sending packet: from 10.X.6.2[4500] to 50.X.X.149[4500] (124 bytes)
    Aug 16 08:56:30	charon		12[IKE] <con1000|2> sending retransmit 2 of request message ID 0, seq 3
    Aug 16 08:56:23	charon		12[IKE] <con1000|2> INFORMATIONAL_V1 request with message ID 468255107 processing failed
    Aug 16 08:56:23	charon		12[IKE] <con1000|2> ignore malformed INFORMATIONAL request
    Aug 16 08:56:23	charon		12[IKE] <con1000|2> message parsing failed
    Aug 16 08:56:23	charon		12[ENC] <con1000|2> could not decrypt payloads
    Aug 16 08:56:23	charon		12[ENC] <con1000|2> invalid HASH_V1 payload length, decryption failed?
    Aug 16 08:56:23	charon		12[NET] <con1000|2> received packet: from 50.X.X.149[500] to 10.X.6.2[500] (92 bytes)
    Aug 16 08:56:23	charon		12[NET] <con1000|2> sending packet: from 10.X.6.2[4500] to 50.X.X.149[4500] (124 bytes)
    Aug 16 08:56:23	charon		12[IKE] <con1000|2> sending retransmit 1 of request message ID 0, seq 3
    Aug 16 08:56:19	charon		10[IKE] <con1000|2> INFORMATIONAL_V1 request with message ID 2140660544 processing failed
    Aug 16 08:56:19	charon		10[IKE] <con1000|2> ignore malformed INFORMATIONAL request
    Aug 16 08:56:19	charon		10[IKE] <con1000|2> message parsing failed
    Aug 16 08:56:19	charon		10[ENC] <con1000|2> could not decrypt payloads
    Aug 16 08:56:19	charon		10[ENC] <con1000|2> invalid HASH_V1 payload length, decryption failed?
    Aug 16 08:56:19	charon		10[NET] <con1000|2> received packet: from 50.X.X.149[500] to 10.X.6.2[500] (92 bytes)
    Aug 16 08:56:19	charon		10[NET] <con1000|2> sending packet: from 10.X.6.2[4500] to 50.X.X.149[4500] (124 bytes)
    Aug 16 08:56:19	charon		10[ENC] <con1000|2> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
    Aug 16 08:56:19	charon		10[IKE] <con1000|2> local host is behind NAT, sending keep alives
    Aug 16 08:56:19	charon		10[ENC] <con1000|2> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
    Aug 16 08:56:19	charon		10[NET] <con1000|2> received packet: from 50.X.X.149[500] to 10.X.6.2[500] (396 bytes)
    Aug 16 08:56:19	charon		10[NET] <con1000|2> sending packet: from 10.X.6.2[500] to 50.X.X.149[500] (396 bytes)
    Aug 16 08:56:19	charon		10[ENC] <con1000|2> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
    Aug 16 08:56:19	charon		10[IKE] <con1000|2> received NAT-T (RFC 3947) vendor ID
    Aug 16 08:56:19	charon		10[IKE] <con1000|2> received FRAGMENTATION vendor ID
    Aug 16 08:56:19	charon		10[IKE] <con1000|2> received DPD vendor ID
    Aug 16 08:56:19	charon		10[IKE] <con1000|2> received XAuth vendor ID
    Aug 16 08:56:19	charon		10[ENC] <con1000|2> parsed ID_PROT response 0 [ SA V V V V ]
    Aug 16 08:56:19	charon		10[NET] <con1000|2> received packet: from 50.X.X.149[500] to 10.X.6.2[500] (160 bytes)
    Aug 16 08:56:18	charon		10[NET] <con1000|2> sending packet: from 10.X.6.2[500] to 50.X.X.149[500] (180 bytes)
    Aug 16 08:56:18	charon		10[ENC] <con1000|2> generating ID_PROT request 0 [ SA V V V V V ]
    Aug 16 08:56:18	charon		10[IKE] <con1000|2> initiating Main Mode IKE_SA con1000[2] to 50.X.X.149
    Aug 16 08:56:18	charon		12[KNL] creating acquire job for policy 10.X.6.2/32|/0 === 50.X.X.149/32|/0 with reqid {4}
    Aug 16 08:52:53	charon		12[IKE] <con1000|1> establishing IKE_SA failed, peer not responding
    Aug 16 08:52:53	charon		12[IKE] <con1000|1> giving up after 5 retransmits
    Aug 16 08:52:06	charon		07[CFG] ignoring acquire, connection attempt pending
    Aug 16 08:52:06	charon		05[KNL] creating acquire job for policy 10.X.6.2/32|/0 === 50.X.X.149/32|/0 with reqid {4}
    Aug 16 08:51:41	charon		16[KNL] creating acquire job for policy 10.X.6.2/32|/0 === 50.X.X.149/32|/0 with reqid {4}
    Aug 16 08:51:40	ipsec_starter	62014	'con1000' routed
    Aug 16 08:51:40	charon		14[CFG] received stroke: route 'con1000'
    Aug 16 08:51:40	charon		16[CFG] added configuration 'con1000'
    Aug 16 08:51:40	charon		16[CFG] received stroke: add connection 'con1000'
    Aug 16 08:51:40	ipsec_starter	62014	'bypasslan' shunt PASS policy installed
    Aug 16 08:51:40	charon		13[CFG] received stroke: route 'bypasslan'
    Aug 16 08:51:40	charon		14[CFG] added configuration 'bypasslan'
    Aug 16 08:51:40	charon		14[CFG] received stroke: add connection 'bypasslan'
    Aug 16 08:51:40	charon		15[CFG] deleted connection 'con1000'
    Aug 16 08:51:40	charon		15[CFG] received stroke: delete connection 'con1000'
    Aug 16 08:51:40	ipsec_starter	62014	configuration 'con1000' unrouted
    Aug 16 08:51:40	charon		13[CFG] received stroke: unroute 'con1000'
    Aug 16 08:51:40	charon		14[CFG] deleted connection 'bypasslan'
    Aug 16 08:51:40	charon		14[CFG] received stroke: delete connection 'bypasslan'
    Aug 16 08:51:40	ipsec_starter	62014	shunt policy 'bypasslan' uninstalled
    Aug 16 08:51:40	charon		15[CFG] received stroke: unroute 'bypasslan'
    Aug 16 08:51:40	charon		13[CFG] rereading crls from '/usr/local/etc/ipsec.d/crls'
    Aug 16 08:51:40	charon		13[CFG] rereading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
    Aug 16 08:51:40	charon		13[CFG] rereading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
    Aug 16 08:51:40	charon		13[CFG] rereading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
    Aug 16 08:51:40	charon		13[CFG] rereading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
    Aug 16 08:51:40	charon		13[CFG] loaded IKE secret for %any @sitea.sitea-to-siteb
    Aug 16 08:51:40	charon		13[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
    Aug 16 08:51:40	charon		13[CFG] rereading secrets
    Aug 16 08:51:37	charon		08[NET] <con1000|1> sending packet: from 10.X.6.2[4500] to 50.X.X.149[4500] (124 bytes)
    Aug 16 08:51:37	charon		08[IKE] <con1000|1> sending retransmit 5 of request message ID 0, seq 3
    Aug 16 08:50:55	charon		08[NET] <con1000|1> sending packet: from 10.X.6.2[4500] to 50.X.X.149[4500] (124 bytes)
    Aug 16 08:50:55	charon		08[IKE] <con1000|1> sending retransmit 4 of request message ID 0, seq 3
    Aug 16 08:50:32	charon		08[IKE] <con1000|1> INFORMATIONAL_V1 request with message ID 2027756021 processing failed
    Aug 16 08:50:32	charon		08[IKE] <con1000|1> ignore malformed INFORMATIONAL request
    Aug 16 08:50:32	charon		08[IKE] <con1000|1> message parsing failed
    Aug 16 08:50:32	charon		08[ENC] <con1000|1> could not decrypt payloads
    Aug 16 08:50:32	charon		08[ENC] <con1000|1> invalid HASH_V1 payload length, decryption failed?
    Aug 16 08:50:32	charon		08[NET] <con1000|1> received packet: from 50.X.X.149[500] to 10.X.6.2[500] (92 bytes)
    Aug 16 08:50:32	charon		08[NET] <con1000|1> sending packet: from 10.X.6.2[4500] to 50.X.X.149[4500] (124 bytes)
    Aug 16 08:50:32	charon		08[IKE] <con1000|1> sending retransmit 3 of request message ID 0, seq 3
    Aug 16 08:50:19	charon		08[IKE] <con1000|1> INFORMATIONAL_V1 request with message ID 2405277567 processing failed
    Aug 16 08:50:19	charon		08[IKE] <con1000|1> ignore malformed INFORMATIONAL request
    Aug 16 08:50:19	charon		08[IKE] <con1000|1> message parsing failed
    Aug 16 08:50:19	charon		08[ENC] <con1000|1> could not decrypt payloads
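
An added triage helper, not code from the thread or from Netgate: it parses charon log lines in the format quoted above, reconstructs per IKE_SA how far IKEv1 Main Mode got (SA proposal, KE/NAT-D, then the encrypted ID/HASH message), counts HASH_V1 decryption failures, and notes when requests sent to UDP 4500 after NAT detection were only ever answered from UDP 500, as in the posted log. The sample lines are constructed in the thread's log format with RFC 5737 documentation addresses; the verdict strings follow the troubleshooting doc and the reply above.

```python
import re
# Constructed sample in the thread's charon log format (newest line first, as
# pfSense displays it); addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Aug 16 08:56:19\tcharon\t\t10[ENC] <con1000|2> invalid HASH_V1 payload length, decryption failed?
Aug 16 08:56:19\tcharon\t\t10[NET] <con1000|2> received packet: from 203.0.113.149[500] to 192.0.2.2[500] (92 bytes)
Aug 16 08:56:19\tcharon\t\t10[NET] <con1000|2> sending packet: from 192.0.2.2[4500] to 203.0.113.149[4500] (124 bytes)
Aug 16 08:56:19\tcharon\t\t10[ENC] <con1000|2> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Aug 16 08:56:19\tcharon\t\t10[IKE] <con1000|2> local host is behind NAT, sending keep alives
Aug 16 08:56:19\tcharon\t\t10[ENC] <con1000|2> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Aug 16 08:56:19\tcharon\t\t10[ENC] <con1000|2> parsed ID_PROT response 0 [ SA V V V V ]
Aug 16 08:56:18\tcharon\t\t10[IKE] <con1000|2> initiating Main Mode IKE_SA con1000[2] to 203.0.113.149
"""
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+)\t(?P<proc>\S+)\t+(?P<thread>\d+)"
                     r"\[(?P<sub>\w+)\](?: <(?P<sa>[^>]+)>)? (?P<msg>.*)$")
PKT_RE = re.compile(r"(sending|received) packet: from \S+\[(\d+)\] to \S+\[(\d+)\]")

def analyze(log_text):
    # Per IKE_SA tag (e.g. con1000|2), record how far IKEv1 Main Mode got.
    sas = {}
    for line in reversed(log_text.splitlines()):  # walk oldest event first
        m = LINE_RE.match(line)
        if not m or not m.group("sa"):
            continue
        st = sas.setdefault(m.group("sa"), dict(initiated=False, sa_exchange=False, ke_exchange=False,
                            behind_nat=False, id_sent=False, decrypt_failures=0, sent_to=set(), reply_from=set()))
        msg = m.group("msg")
        if msg.startswith("initiating Main Mode"):
            st["initiated"] = True
        elif "parsed ID_PROT response" in msg:  # responder answers SA first, then KE/nonce/NAT-D
            st["sa_exchange" if "[ SA " in msg else "ke_exchange"] = True
        elif msg.startswith("local host is behind NAT"):
            st["behind_nat"] = True
        elif "generating ID_PROT request" in msg and "[ ID HASH" in msg:
            st["id_sent"] = True  # 5th Main Mode message: identity + hash, first encrypted payload
        elif msg.startswith("invalid HASH_V1 payload length"):
            st["decrypt_failures"] += 1
        pkt = PKT_RE.search(msg)
        if pkt:  # peer's port is the 'to' port when sending, the 'from' port when receiving
            sending = pkt.group(1) == "sending"
            st["sent_to" if sending else "reply_from"].add(int(pkt.group(3 if sending else 2)))
    return sas

def verdict(st):
    # Name the Main Mode step at which this IKE_SA stalled.
    if not st["sa_exchange"]:
        return "no SA exchange completed (peer not responding or proposal rejected)"
    if st["id_sent"] and st["decrypt_failures"]:
        unanswered = sorted(st["sent_to"] - st["reply_from"])
        return ("phase 1 failed after the encrypted ID/HASH message: PSK or identifier mismatch"
                + (" (no reply ever came from UDP %s)" % unanswered if unanswered else ""))
    return "phase 1 progressing"
```

Feed it the full log from the IPsec status page (newest first, as exported) and print `verdict(st)` for each entry of `analyze(...)` to see at which message each attempt died.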
    


© Copyright 2002 - 2018 Rubicon Communications, LLC