Netgate Discussion Forum

    pfSense 2.4.4->2.4.5 IPsec peer-to-peer broken

    brma

      Since the upgrade of pfSense from 2.4.4 to 2.4.5 my IPsec peer-to-peer configuration is broken (please find the log at the end of this post - IP addresses are all replaced by xxx.xxx.xxx.xxx).

      The issue seems to be

      received unsupported IKE version 0.4 from xxx.xxx.xxx.xxx, sending INVALID_MAJOR_VERSION
      

      where the "version" provided is changing at every attempt - so it's probably not showing the IKE-version used.
      In the change-log of v.2.4.5 I saw various changes to IPsec but none that should influence this peer-to-peer configuration.
      Does anybody have an idea how to get around this issue?

      Mar 26 20:20:49 	charon 		10[IKE] <con1000|2> retransmit 2 of request with message ID 1 
      Mar 26 20:20:42 	charon 		10[NET] <con1000|2> sending packet: from xxx.xxx.xxx.xxx[4500] to xxx.xxx.xxx.xxx[4500] (320 bytes) 
      Mar 26 20:20:42 	charon 		10[IKE] <con1000|2> retransmit 1 of request with message ID 1 
      Mar 26 20:20:38 	charon 		03[NET] received unsupported IKE version 0.4 from xxx.xxx.xxx.xxx, sending INVALID_MAJOR_VERSION 
      Mar 26 20:20:38 	charon 		03[ENC] no message rules specified for this message type 
      Mar 26 20:20:38 	charon 		10[NET] <con1000|2> sending packet: from xxx.xxx.xxx.xxx[4500] to xxx.xxx.xxx.xxx[4500] (320 bytes) 
      Mar 26 20:20:38 	charon 		10[ENC] <con1000|2> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] 
      Mar 26 20:20:38 	charon 		10[IKE] <con1000|2> establishing CHILD_SA con1000{7} 
      Mar 26 20:20:38 	charon 		10[CFG] <con1000|2> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_512_256/NO_EXT_SEQ 
      Mar 26 20:20:38 	charon 		10[CFG] <con1000|2> xxx.xxx.xxx.xxx/24|/0 
      Mar 26 20:20:38 	charon 		10[CFG] <con1000|2> proposing traffic selectors for other: 
      Mar 26 20:20:38 	charon 		10[CFG] <con1000|2> xxx.xxx.xxx.xxx/24|/0 
      Mar 26 20:20:38 	charon 		10[CFG] <con1000|2> proposing traffic selectors for us: 
      Mar 26 20:20:38 	charon 		10[IKE] <con1000|2> successfully created shared key MAC 
      Mar 26 20:20:38 	charon 		10[IKE] <con1000|2> authentication of 'brma.loc' (myself) with pre-shared key 
      Mar 26 20:20:38 	charon 		10[IKE] <con1000|2> IKE_AUTH task 
      Mar 26 20:20:38 	charon 		10[IKE] <con1000|2> IKE_CERT_PRE task 
      Mar 26 20:20:38 	charon 		10[IKE] <con1000|2> reinitiating already active tasks
      
      viktor_g (Netgate)

        What device is on the remote side?

        brma

          The issue is meanwhile resolved.
          Just in case others might have the same issue, I'd like to share the solution with you.

          The device on the remote site is a Sonicwall NSA-4600 with Sonic OS Enhanced 6.5.4.4-44N.
          The cause of the issue was a wrong configuration on the remote(!) site that didn't seem to be an issue before the upgrade of pfSense to 2.4.5.

          The connection is established using a KeyID-Tag in phase 1 both for the local and the remote site. On the remote site it was not configured as KeyID-Tag but as Domain-Name. However, up to now this worked fine.
          With the upgrade to pfSense 2.4.5 the wrong configuration on the remote(!) site turned into an issue but could be corrected easily changing the configuration on the SonicWall to using the KeyID-Tag as well.

          jimp (Rebel Alliance Developer, Netgate)
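The mismatch brma describes (the same identity string carried as a Domain Name by one peer while the other is configured for a KeyID tag) comes down to the ID Type field of the IKEv2 Identification payload. The encoder/decoder below is an added example, not code from this thread, pfSense or strongSwan; the peer identity it uses is a constructed placeholder.

```python
"""Encode/decode IKEv2 Identification payloads (RFC 7296 section 3.5) and flag the
identity-type mismatch from the thread: same identity string, sent as ID_FQDN by one
peer while the other is configured to accept an ID_KEY_ID. Values are constructed."""
import struct

# IKEv2 ID types, RFC 7296 section 3.5
ID_TYPES = {
    1: "ID_IPV4_ADDR",
    2: "ID_FQDN",
    3: "ID_RFC822_ADDR",
    5: "ID_IPV6_ADDR",
    9: "ID_DER_ASN1_DN",
    10: "ID_DER_ASN1_GN",
    11: "ID_KEY_ID",
}
ID_FQDN, ID_KEY_ID = 2, 11

def build_id_payload(id_type: int, data: bytes, next_payload: int = 0) -> bytes:
    """Generic payload header (next, flags, length) + ID type + 3 reserved bytes + data."""
    return struct.pack("!BBHB3x", next_payload, 0, 8 + len(data), id_type) + data

def parse_id_payload(payload: bytes) -> tuple:
    """Return (ID type name, identification data) for an IDi/IDr payload."""
    if len(payload) < 8:
        raise ValueError("truncated identification payload")
    _next, _flags, length, id_type = struct.unpack("!BBHB3x", payload[:8])
    if length != len(payload):
        raise ValueError(f"length field {length} != {len(payload)} bytes present")
    return ID_TYPES.get(id_type, f"UNKNOWN({id_type})"), payload[8:]

def check_peer_identity(payload: bytes, expected_type: int, expected_value: bytes) -> str:
    """Compare a received identity with the locally configured one. The bytes can be
    identical while the type differs, which is the configuration the thread describes."""
    name, data = parse_id_payload(payload)
    expected_name = ID_TYPES[expected_type]
    if name == expected_name and data == expected_value:
        return "match"
    if data == expected_value:
        return f"type mismatch: peer sent {name}, local config expects {expected_name}"
    return f"value mismatch: peer sent {name} {data!r}"

# Constructed placeholder identity (not the thread's real peer identifier).
PEER_ID = b"remote-peer.example"
peer_as_domain_name = build_id_payload(ID_FQDN, PEER_ID)   # the misconfigured remote
peer_as_keyid = build_id_payload(ID_KEY_ID, PEER_ID)       # after the fix

if __name__ == "__main__":
    print(check_peer_identity(peer_as_domain_name, ID_KEY_ID, PEER_ID))
    print(check_peer_identity(peer_as_keyid, ID_KEY_ID, PEER_ID))
```

In a live exchange these payloads travel inside the encrypted IKE_AUTH message, so the comparison happens in the IKE daemon's log rather than on the wire; the check here mirrors what a strict identity match rejects.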

            Probably because we fixed this: https://redmine.pfsense.org/issues/9243

            It worked before because, technically, both sides were misconfigured :-)

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.