• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Site-to-Site Authentication Fails

Scheduled Pinned Locked Moved IPsec
4 Posts 2 Posters 2.0k Views 2 Watching
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • E Offline
    Elegant
    last edited by Elegant Jan 14, 2020, 5:30 PM Jan 14, 2020, 5:29 PM

    Good morning,

    We recently setup a Site-to-Site IPSec between two pfSense routers but they do not seem to agree on authenticating per the logs. Site A currently uses CARP for HA behind my ISP's router (DMZ enabled on CARP IP) which is working with failover when setup with OpenVPN. Site B is connects to the ISP directly.

    We have ensured that Site B's Remote ID is set to the internal address of Site A (192.168.2.5) to ensure that it matches up with the Local ID on Site A. Despite this, we are still encountering issues but are unsure if the issue is NAT related or somewhere else below are the configs of site as well as their logs.

    Any assistance would be much appreciated. Thanks!

    Site A config:

    Main.png

    Site B config:

    Remote.png

    Site A logs:

    05[IKE] initiating IKE_SA con1000[138] to 62.*.*.*
    05[IKE] <con1000|138> IKE_SA con1000[138] state change: CREATED => CONNECTING
    05[CFG] <con1000|138> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
    05[CFG] <con1000|138> sending supported signature hash algorithms: sha256 sha384 sha512 identity
    05[ENC] <con1000|138> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    05[NET] sending packet: from 192.168.2.5[500] to 62.*.*.*[500] (464 bytes)
    14[NET] received packet: from 62.*.*.*[500] to 192.168.2.5[500] (464 bytes)
    14[ENC] <con1000|138> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
    14[IKE] <con1000|138> received FRAGMENTATION_SUPPORTED notify
    14[IKE] <con1000|138> received SIGNATURE_HASH_ALGORITHMS notify
    14[CFG] <con1000|138> selecting proposal:
    14[CFG] <con1000|138> proposal matches
    14[CFG] <con1000|138> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
    14[CFG] <con1000|138> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
    14[CFG] <con1000|138> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
    14[CFG] <con1000|138> received supported signature hash algorithms: sha256 sha384 sha512 identity
    14[IKE] <con1000|138> local host is behind NAT, sending keep alives
    14[IKE] <con1000|138> reinitiating already active tasks
    14[IKE] <con1000|138> IKE_CERT_PRE task
    14[IKE] <con1000|138> IKE_AUTH task
    14[IKE] authentication of '192.168.2.5' (myself) with pre-shared key
    14[IKE] <con1000|138> successfully created shared key MAC
    14[CFG] <con1000|138> proposing traffic selectors for us:
    14[CFG] 10.0.0.0/15|/0
    14[CFG] <con1000|138> proposing traffic selectors for other:
    14[CFG] 10.2.0.0/16|/0
    14[CFG] <con1000|138> configured proposals: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_GCM_16_128/NO_EXT_SEQ
    14[IKE] <con1000|138> establishing CHILD_SA con1000{41} reqid 7
    14[ENC] <con1000|138> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
    14[NET] sending packet: from 192.168.2.5[4500] to 62.*.*.*[4500] (304 bytes)
    14[NET] received packet: from 62.*.*.*[4500] to 192.168.2.5[4500] (80 bytes)
    14[ENC] <con1000|138> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    14[IKE] <con1000|138> received AUTHENTICATION_FAILED notify error
    14[CHD] <con1000|138> CHILD_SA con1000{41} state change: CREATED => DESTROYING
    14[IKE] <con1000|138> IKE_SA con1000[138] state change: CONNECTING => DESTROYING
    Jan 12 07:03:36	charon		00[DMN] signal of type SIGINT received. Shutting down
    Jan 12 07:03:36	charon		00[CHD] CHILD_SA con1000{40} state change: ROUTED => DESTROYING
    

    Site B logs:

    06[CFG] <134> sending supported signature hash algorithms: sha256 sha384 sha512 identity
    06[ENC] <134> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
    06[NET] <134> sending packet: from 62.*.*.*[500] to 94.*.*.*[500] (464 bytes)
    06[NET] <135> received packet: from 94.*.*.*[500] to 62.*.*.*[500] (464 bytes)
    06[ENC] <135> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    06[CFG] <135> looking for an IKEv2 config for 62.*.*.*...94.*.*.*
    06[CFG] <135> candidate: %any...%any, prio 24
    06[CFG] <135> candidate: 62.*.*.*...test-project.com, prio 3100
    06[CFG] <135> found matching ike config: 62.*.*.*...test-project.com with prio 3100
    06[IKE] <135> 94.*.*.* is initiating an IKE_SA
    06[IKE] <135> IKE_SA (unnamed)[135] state change: CREATED => CONNECTING
    06[CFG] <135> selecting proposal:
    06[CFG] <135> no acceptable ENCRYPTION_ALGORITHM found
    06[CFG] <135> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
    06[CFG] <135> configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
    06[CFG] <135> looking for IKEv2 configs for 62.*.*.*...94.*.*.*
    06[CFG] <135> candidate: %any...%any, prio 24
    06[CFG] <135> candidate: 62.*.*.*...test-project.com, prio 3100
    06[IKE] <135> no matching proposal found, trying alternative config
    06[CFG] <135> selecting proposal:
    06[CFG] <135> proposal matches
    06[CFG] <135> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
    06[CFG] <135> configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
    06[CFG] <135> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
    06[CFG] <135> received supported signature hash algorithms: sha256 sha384 sha512 identity
    06[IKE] <135> remote host is behind NAT
    06[CFG] <135> sending supported signature hash algorithms: sha256 sha384 sha512 identity
    06[ENC] <135> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
    06[NET] <135> sending packet: from 62.*.*.*[500] to 94.*.*.*[500] (464 bytes)
    06[NET] <135> received packet: from 94.*.*.*[4500] to 62.*.*.*[4500] (304 bytes)
    06[ENC] <135> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
    06[CFG] <135> looking for peer configs matching 62.*.*.*[62.*.*.*]...94.*.*.*[192.168.2.5]
    06[CFG] <135> candidate "bypasslan", match: 1/1/24 (me/other/ike)
    06[CFG] <135> candidate "con1000", match: 20/20/3100 (me/other/ike)
    06[CFG] <135> ignore candidate 'con1000' without matching IKE proposal
    06[CFG] <bypasslan|135> selected peer config 'bypasslan'
    06[IKE] authentication of '192.168.2.5' with pre-shared key successful
    06[CFG] <bypasslan|135> constraint requires public key authentication, but pre-shared key was used
    06[CFG] <bypasslan|135> selected peer config 'bypasslan' unacceptable: non-matching authentication done
    06[CFG] <bypasslan|135> no alternative config found
    06[IKE] <bypasslan|135> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
    06[ENC] <bypasslan|135> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    06[NET] sending packet: from 62.*.*.*[4500] to 94.*.*.*[4500] (80 bytes)
    06[IKE] <bypasslan|135> IKE_SA bypasslan[135] state change: CONNECTING => DESTROYING
    06[JOB] <134> deleting half open IKE_SA with 94.*.*.* after timeout
    06[IKE] <134> IKE_SA (unnamed)[134] state change: CONNECTING => DESTROYING
    00[DMN] signal of type SIGINT received. Shutting down
    00[CHD] CHILD_SA con1000{99} state change: ROUTED => DESTROYING
    
    1 Reply Last reply Reply Quote 0
    • J Offline
      jimp Rebel Alliance Developer Netgate
      last edited by Jan 14, 2020, 7:19 PM

      The logs are telling you that what is incoming does not match any configured tunnel.

      In the site B logs:

      06[CFG] <135> candidate: 62.*.*.*...test-project.com, prio 3100
      06[IKE] <135> no matching proposal found, trying alternative config
      
      06[CFG] <135> looking for peer configs matching 62.*.*.*[62.*.*.*]...94.*.*.*[192.168.2.5]
      
      06[CFG] <135> ignore candidate 'con1000' without matching IKE proposal
      

      Hard to say for sure with so much redacted, but it's at least not matching the local<->remote peer addresses even before it checks the IDs.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      1 Reply Last reply Reply Quote 0
      • E Offline
        Elegant
        last edited by Elegant Jan 15, 2020, 4:27 AM Jan 15, 2020, 2:06 AM

        Site A:
        Remote Gateway: remote.test-project.com
        Local Identifier: 192.168.2.5 (CARP address of interface)
        Remote Identifier: My peer address (remote.test-project.com)

        Site A updates the dynamic DNS of test-project.com with that of its external IP (since WAN IP is internal).

        Site B:
        Remote Gateway: test-project.com
        Local Identifier: WAN IP
        Remote Identifier: 192.168.2.5 (set manually)

        Site B updates the dynamic DNS of remote.test-project.com with that of its WAN IP.

        Identifiers aside, the local address of Site A would not match the peer address of Site B outright due to Site A's IP being internal and Site B using a dynamic DNS to an external. Would this cause the issue?

        1 Reply Last reply Reply Quote 0
        • J Offline
          jimp Rebel Alliance Developer Netgate
          last edited by Jan 15, 2020, 1:25 PM

          NAT will make that trickier but usually you can get around that by setting appropriate identifiers. I wouldn't use hostnames in those fields for identifiers, though. It isn't handled there like it is in the remote gateway field. Try setting the identifiers explicitly to a value on both sides and see what happens.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

          1 Reply Last reply Reply Quote 0
          4 out of 4
          • First post
            4/4
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
            This community forum collects and processes your personal information.
            consent.not_received