Site to Site IPSec VPN over AT&T Wireless
-
I have added an AT&T Wireless Internet device to an existing pfSense running on an SG-1000. All internet connectivity over the new interface works well, but I can't seem to get an IPsec VPN created for a site-to-site VPN. Both ends are running 2.4.3-RELEASE-p1.
Site A (Primary)
- WAN2 - PPPoE DHCP, used for VPN but a very static DHCP
- VPN Settings
- IKEv1
- IPv4
- Remote Gateway: lte.siteB.com
- Mutual PSK
- Negotiation: Main
- My ID: sitea.sitea-to-siteb
- Peer ID: siteb.sitea-to-siteb
- PSK: matching via copy/paste
- P1 Encryption: AES256, SHA256, DH Group 14
- Lifetime: 28800
- Disable Rekey: enabled
- Responder Only: enabled
- NAT-T: Auto
- DPD: Enabled
- Delay: 10
- Max Fail: 5
Site B (Secondary)
- WAN2 - Static Private IP behind AT&T internet gateway
- VPN Settings
- IKEv1
- IPv4
- Remote Gateway: wan2.sitea.com
- Mutual PSK
- Negotiation: Main
- My ID: siteb.sitea-to-siteb
- Peer ID: sitea.sitea-to-siteb
- PSK: matching via copy/paste
- P1 Encryption: AES256, SHA256, DH Group 14
- Lifetime: 28800
- Disable Rekey: enabled
- Responder Only: disabled
- NAT-T: Auto
- DPD: Enabled
- Delay: 10
- Max Fail: 5
Now I stop at the P1 details because I see this error message in the logs:
Aug 14 19:39:07 charon 13[IKE] <con1000|2> ignore malformed INFORMATIONAL request
Aug 14 19:39:07 charon 13[IKE] <con1000|2> message parsing failed
Aug 14 19:39:07 charon 13[ENC] <con1000|2> could not decrypt payloads
Aug 14 19:39:07 charon 13[ENC] <con1000|2> invalid HASH_V1 payload length, decryption failed?
According to https://www.netgate.com/docs/pfsense/vpn/ipsec/ipsec-troubleshooting.html it means I have a PSK mismatch, but I have verified, changed, re-verified, and tried other PSKs to no avail.
I have also enabled MSS clamping on VPN traffic and set it down to 1300 on both ends. I am at somewhat of a loss as to what I may be missing.
-
Things like MSS clamping will not prevent the tunnel from connecting.
I would uncheck disable re-key on both sides. Probably won't fix this but it should be unchecked.
You might want to post more of the logs. From that it looks like the PSKs don't match, as you have already found.
Also double-check the types of the identifiers. What are you setting there? Distinguished name?
-
I have removed the check for Disable rekey. Should I be setting a margintime? I am using distinguished name for the identifiers as that is what I have commonly used in similar setups. While the error continues to point to a PSK mismatch, the keys match; I have copied the key from one configuration page to the other. Here are some more logs following the changes:
Aug 16 08:56:31 charon 12[IKE] <con1000|2> INFORMATIONAL_V1 request with message ID 3744141107 processing failed
Aug 16 08:56:31 charon 12[IKE] <con1000|2> ignore malformed INFORMATIONAL request
Aug 16 08:56:31 charon 12[IKE] <con1000|2> message parsing failed
Aug 16 08:56:31 charon 12[ENC] <con1000|2> could not decrypt payloads
Aug 16 08:56:31 charon 12[ENC] <con1000|2> invalid HASH_V1 payload length, decryption failed?
Aug 16 08:56:31 charon 12[NET] <con1000|2> received packet: from 50.X.X.149[500] to 10.X.6.2[500] (92 bytes)
Aug 16 08:56:30 charon 12[NET] <con1000|2> sending packet: from 10.X.6.2[4500] to 50.X.X.149[4500] (124 bytes)
Aug 16 08:56:30 charon 12[IKE] <con1000|2> sending retransmit 2 of request message ID 0, seq 3
Aug 16 08:56:23 charon 12[IKE] <con1000|2> INFORMATIONAL_V1 request with message ID 468255107 processing failed
Aug 16 08:56:23 charon 12[IKE] <con1000|2> ignore malformed INFORMATIONAL request
Aug 16 08:56:23 charon 12[IKE] <con1000|2> message parsing failed
Aug 16 08:56:23 charon 12[ENC] <con1000|2> could not decrypt payloads
Aug 16 08:56:23 charon 12[ENC] <con1000|2> invalid HASH_V1 payload length, decryption failed?
Aug 16 08:56:23 charon 12[NET] <con1000|2> received packet: from 50.X.X.149[500] to 10.X.6.2[500] (92 bytes)
Aug 16 08:56:23 charon 12[NET] <con1000|2> sending packet: from 10.X.6.2[4500] to 50.X.X.149[4500] (124 bytes)
Aug 16 08:56:23 charon 12[IKE] <con1000|2> sending retransmit 1 of request message ID 0, seq 3
Aug 16 08:56:19 charon 10[IKE] <con1000|2> INFORMATIONAL_V1 request with message ID 2140660544 processing failed
Aug 16 08:56:19 charon 10[IKE] <con1000|2> ignore malformed INFORMATIONAL request
Aug 16 08:56:19 charon 10[IKE] <con1000|2> message parsing failed
Aug 16 08:56:19 charon 10[ENC] <con1000|2> could not decrypt payloads
Aug 16 08:56:19 charon 10[ENC] <con1000|2> invalid HASH_V1 payload length, decryption failed?
Aug 16 08:56:19 charon 10[NET] <con1000|2> received packet: from 50.X.X.149[500] to 10.X.6.2[500] (92 bytes)
Aug 16 08:56:19 charon 10[NET] <con1000|2> sending packet: from 10.X.6.2[4500] to 50.X.X.149[4500] (124 bytes)
Aug 16 08:56:19 charon 10[ENC] <con1000|2> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Aug 16 08:56:19 charon 10[IKE] <con1000|2> local host is behind NAT, sending keep alives
Aug 16 08:56:19 charon 10[ENC] <con1000|2> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Aug 16 08:56:19 charon 10[NET] <con1000|2> received packet: from 50.X.X.149[500] to 10.X.6.2[500] (396 bytes)
Aug 16 08:56:19 charon 10[NET] <con1000|2> sending packet: from 10.X.6.2[500] to 50.X.X.149[500] (396 bytes)
Aug 16 08:56:19 charon 10[ENC] <con1000|2> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Aug 16 08:56:19 charon 10[IKE] <con1000|2> received NAT-T (RFC 3947) vendor ID
Aug 16 08:56:19 charon 10[IKE] <con1000|2> received FRAGMENTATION vendor ID
Aug 16 08:56:19 charon 10[IKE] <con1000|2> received DPD vendor ID
Aug 16 08:56:19 charon 10[IKE] <con1000|2> received XAuth vendor ID
Aug 16 08:56:19 charon 10[ENC] <con1000|2> parsed ID_PROT response 0 [ SA V V V V ]
Aug 16 08:56:19 charon 10[NET] <con1000|2> received packet: from 50.X.X.149[500] to 10.X.6.2[500] (160 bytes)
Aug 16 08:56:18 charon 10[NET] <con1000|2> sending packet: from 10.X.6.2[500] to 50.X.X.149[500] (180 bytes)
Aug 16 08:56:18 charon 10[ENC] <con1000|2> generating ID_PROT request 0 [ SA V V V V V ]
Aug 16 08:56:18 charon 10[IKE] <con1000|2> initiating Main Mode IKE_SA con1000[2] to 50.X.X.149
Aug 16 08:56:18 charon 12[KNL] creating acquire job for policy 10.X.6.2/32|/0 === 50.X.X.149/32|/0 with reqid {4}
Aug 16 08:52:53 charon 12[IKE] <con1000|1> establishing IKE_SA failed, peer not responding
Aug 16 08:52:53 charon 12[IKE] <con1000|1> giving up after 5 retransmits
Aug 16 08:52:06 charon 07[CFG] ignoring acquire, connection attempt pending
Aug 16 08:52:06 charon 05[KNL] creating acquire job for policy 10.X.6.2/32|/0 === 50.X.X.149/32|/0 with reqid {4}
Aug 16 08:51:41 charon 16[KNL] creating acquire job for policy 10.X.6.2/32|/0 === 50.X.X.149/32|/0 with reqid {4}
Aug 16 08:51:40 ipsec_starter 62014 'con1000' routed
Aug 16 08:51:40 charon 14[CFG] received stroke: route 'con1000'
Aug 16 08:51:40 charon 16[CFG] added configuration 'con1000'
Aug 16 08:51:40 charon 16[CFG] received stroke: add connection 'con1000'
Aug 16 08:51:40 ipsec_starter 62014 'bypasslan' shunt PASS policy installed
Aug 16 08:51:40 charon 13[CFG] received stroke: route 'bypasslan'
Aug 16 08:51:40 charon 14[CFG] added configuration 'bypasslan'
Aug 16 08:51:40 charon 14[CFG] received stroke: add connection 'bypasslan'
Aug 16 08:51:40 charon 15[CFG] deleted connection 'con1000'
Aug 16 08:51:40 charon 15[CFG] received stroke: delete connection 'con1000'
Aug 16 08:51:40 ipsec_starter 62014 configuration 'con1000' unrouted
Aug 16 08:51:40 charon 13[CFG] received stroke: unroute 'con1000'
Aug 16 08:51:40 charon 14[CFG] deleted connection 'bypasslan'
Aug 16 08:51:40 charon 14[CFG] received stroke: delete connection 'bypasslan'
Aug 16 08:51:40 ipsec_starter 62014 shunt policy 'bypasslan' uninstalled
Aug 16 08:51:40 charon 15[CFG] received stroke: unroute 'bypasslan'
Aug 16 08:51:40 charon 13[CFG] rereading crls from '/usr/local/etc/ipsec.d/crls'
Aug 16 08:51:40 charon 13[CFG] rereading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Aug 16 08:51:40 charon 13[CFG] rereading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Aug 16 08:51:40 charon 13[CFG] rereading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Aug 16 08:51:40 charon 13[CFG] rereading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Aug 16 08:51:40 charon 13[CFG] loaded IKE secret for %any @sitea.sitea-to-siteb
Aug 16 08:51:40 charon 13[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
Aug 16 08:51:40 charon 13[CFG] rereading secrets
Aug 16 08:51:37 charon 08[NET] <con1000|1> sending packet: from 10.X.6.2[4500] to 50.X.X.149[4500] (124 bytes)
Aug 16 08:51:37 charon 08[IKE] <con1000|1> sending retransmit 5 of request message ID 0, seq 3
Aug 16 08:50:55 charon 08[NET] <con1000|1> sending packet: from 10.X.6.2[4500] to 50.X.X.149[4500] (124 bytes)
Aug 16 08:50:55 charon 08[IKE] <con1000|1> sending retransmit 4 of request message ID 0, seq 3
Aug 16 08:50:32 charon 08[IKE] <con1000|1> INFORMATIONAL_V1 request with message ID 2027756021 processing failed
Aug 16 08:50:32 charon 08[IKE] <con1000|1> ignore malformed INFORMATIONAL request
Aug 16 08:50:32 charon 08[IKE] <con1000|1> message parsing failed
Aug 16 08:50:32 charon 08[ENC] <con1000|1> could not decrypt payloads
Aug 16 08:50:32 charon 08[ENC] <con1000|1> invalid HASH_V1 payload length, decryption failed?
Aug 16 08:50:32 charon 08[NET] <con1000|1> received packet: from 50.X.X.149[500] to 10.X.6.2[500] (92 bytes)
Aug 16 08:50:32 charon 08[NET] <con1000|1> sending packet: from 10.X.6.2[4500] to 50.X.X.149[4500] (124 bytes)
Aug 16 08:50:32 charon 08[IKE] <con1000|1> sending retransmit 3 of request message ID 0, seq 3
Aug 16 08:50:19 charon 08[IKE] <con1000|1> INFORMATIONAL_V1 request with message ID 2405277567 processing failed
Aug 16 08:50:19 charon 08[IKE] <con1000|1> ignore malformed INFORMATIONAL request
Aug 16 08:50:19 charon 08[IKE] <con1000|1> message parsing failed
Aug 16 08:50:19 charon 08[ENC] <con1000|1> could not decrypt payloads
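Added example, not part of the thread: a small Python script that groups charon log lines by IKE_SA and reports which Main Mode message each attempt reached. The point it makes visible is the one the reply above relies on. In IKEv1 Main Mode (RFC 2409), messages 1 to 4 (SA proposal, then KE/nonce with NAT-D) are cleartext and succeed regardless of the pre-shared key; message 5 is the first one encrypted under SKEYID_e, which is derived from the PSK, so a key that differs on the two sides (or a responder that matched a different secret entry, since in Main Mode it must pick the PSK before it can read the encrypted identities) first shows up as a reply that cannot be decrypted, exactly the "could not decrypt payloads" / "invalid HASH_V1 payload length" pair in the logs. The sample lines are the <con1000|2> attempt excerpted from the post above, reordered oldest first; the regexes assume the line layout pfSense shows there. The final port check only restates what the visible lines show: this side floated to UDP 4500 after NAT detection, while the undecryptable reply arrived from UDP 500.

```python
import re
from collections import defaultdict

# Line layout as pfSense prints charon (assumed from the post above), e.g.
#   Aug 16 08:56:19 charon 10[ENC] <con1000|2> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) charon \d+\[(?P<grp>\w+)\]"
                     r"(?: <(?P<sa>[^>]+)>)? (?P<msg>.*)$")
EXCH_RE = re.compile(r"^(?P<verb>generating|parsed) ID_PROT (?:request|response) \d+ \[ (?P<payloads>[^\]]*)\]")
PKT_RE = re.compile(r"^(?P<verb>sending|received) packet: from \S+\[(?P<src>\d+)\] to \S+\[\d+\]")
ESTABLISHED_RE = re.compile(r"IKE_SA \S+ established")

# Constructed sample: the <con1000|2> attempt from the post above, reordered oldest first.
SAMPLE_LINES = """\
Aug 16 08:56:18 charon 10[IKE] <con1000|2> initiating Main Mode IKE_SA con1000[2] to 50.X.X.149
Aug 16 08:56:18 charon 10[ENC] <con1000|2> generating ID_PROT request 0 [ SA V V V V V ]
Aug 16 08:56:18 charon 10[NET] <con1000|2> sending packet: from 10.X.6.2[500] to 50.X.X.149[500] (180 bytes)
Aug 16 08:56:19 charon 10[NET] <con1000|2> received packet: from 50.X.X.149[500] to 10.X.6.2[500] (160 bytes)
Aug 16 08:56:19 charon 10[ENC] <con1000|2> parsed ID_PROT response 0 [ SA V V V V ]
Aug 16 08:56:19 charon 10[ENC] <con1000|2> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Aug 16 08:56:19 charon 10[NET] <con1000|2> sending packet: from 10.X.6.2[500] to 50.X.X.149[500] (396 bytes)
Aug 16 08:56:19 charon 10[NET] <con1000|2> received packet: from 50.X.X.149[500] to 10.X.6.2[500] (396 bytes)
Aug 16 08:56:19 charon 10[ENC] <con1000|2> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Aug 16 08:56:19 charon 10[IKE] <con1000|2> local host is behind NAT, sending keep alives
Aug 16 08:56:19 charon 10[ENC] <con1000|2> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Aug 16 08:56:19 charon 10[NET] <con1000|2> sending packet: from 10.X.6.2[4500] to 50.X.X.149[4500] (124 bytes)
Aug 16 08:56:19 charon 10[NET] <con1000|2> received packet: from 50.X.X.149[500] to 10.X.6.2[500] (92 bytes)
Aug 16 08:56:19 charon 10[ENC] <con1000|2> invalid HASH_V1 payload length, decryption failed?
Aug 16 08:56:19 charon 10[ENC] <con1000|2> could not decrypt payloads
Aug 16 08:56:23 charon 12[IKE] <con1000|2> sending retransmit 1 of request message ID 0, seq 3
""".splitlines()

def main_mode_stage(payloads):
    """Classify an IKEv1 Main Mode (ID_PROT) message by its payloads (RFC 2409 order)."""
    p = payloads.split()
    if "SA" in p:
        return "SA"   # messages 1/2: proposal, cleartext
    if "KE" in p:
        return "KE"   # messages 3/4: DH value + nonce (+ NAT-D), cleartext
    if "ID" in p and "HASH" in p:
        return "ID"   # messages 5/6: identities, encrypted with SKEYID_e derived from the PSK
    return "other"

def analyze(lines):
    """Group charon lines per IKE_SA and record how far Main Mode got."""
    sas = defaultdict(lambda: {"stages": [], "decrypt_failures": 0, "retransmits": 0,
                               "gave_up": False, "established": False,
                               "local_send_port": None, "peer_reply_port": None})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or not m.group("sa"):
            continue                      # CFG/KNL lines carry no SA tag
        st, msg = sas[m.group("sa")], m.group("msg")
        e, p = EXCH_RE.match(msg), PKT_RE.match(msg)
        if e:
            st["stages"].append((main_mode_stage(e.group("payloads")),
                                 "out" if e.group("verb") == "generating" else "in"))
        elif p and p.group("verb") == "sending":
            st["local_send_port"] = int(p.group("src"))
        elif p:
            st["peer_reply_port"] = int(p.group("src"))
        elif "could not decrypt payloads" in msg:
            st["decrypt_failures"] += 1
        elif msg.startswith("sending retransmit"):
            st["retransmits"] += 1
        elif msg.startswith("giving up after"):
            st["gave_up"] = True
        elif ESTABLISHED_RE.search(msg):
            st["established"] = True
    return dict(sas)

def verdict(st):
    """Explain where one SA's negotiation stopped, based only on what the log shows."""
    if st["established"]:
        return "established"
    seen, notes = [s for s, _ in st["stages"]], []
    if "SA" in seen and "KE" in seen and ("ID", "out") in st["stages"]:
        notes.append("Main Mode messages 1-4 completed in cleartext and message 5 (first encrypted) was sent")
        if st["decrypt_failures"]:
            notes.append("the peer's encrypted reply could not be decrypted, so the two sides are not "
                         "using the same PSK for this SA (different strings, or the responder matched "
                         "a different secret entry)")
    elif "KE" in seen:
        notes.append("stalled after the KE/nonce exchange (messages 3/4)")
    elif "SA" in seen:
        notes.append("stalled at the proposal exchange (messages 1/2)")
    if st["local_send_port"] == 4500 and st["peer_reply_port"] == 500:
        notes.append("this side floated to UDP 4500 after NAT detection but the peer's last reply came from UDP 500")
    if st["gave_up"]:
        notes.append("gave up after %d retransmits" % st["retransmits"])
    return "; ".join(notes) or "no Main Mode messages seen"

def diagnose(lines):
    """Map each IKE_SA tag seen in the log to its verdict."""
    return {sa: verdict(st) for sa, st in analyze(lines).items()}

if __name__ == "__main__":
    for sa, text in diagnose(SAMPLE_LINES).items():
        print(sa, "->", text)
```

Feed it the full log from Status > System Logs > IPsec (newest-first order is fine; only the last sent and received ports are order-sensitive, so reverse the lines first for those). Once the script reports the stall at message 5, the remaining work is on the secrets side: the PSK string, and which secret entry the responder actually matched for this peer.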