pfSense 2.4.4->2.4.5 IPsec peer-to-peer broken
  • Since the upgrade of pfSense from 2.4.4 to 2.4.5 my IPsec peer-to-peer configuration is broken (please find the log at the end of this post; IP addresses are all replaced by xxx.xxx.xxx.xxx).

    The issue seems to be

    received unsupported IKE version 0.4 from xxx.xxx.xxx.xxx, sending INVALID_MAJOR_VERSION
    

    where the "version" provided is changing at every attempt, so it's probably not showing the IKE version actually used.
    In the changelog of v2.4.5 I saw various changes to IPsec but none that should influence this peer-to-peer configuration.
    Does anybody have an idea how to get around this issue?

    Mar 26 20:20:49  charon  10[IKE] <con1000|2> retransmit 2 of request with message ID 1
    Mar 26 20:20:42  charon  10[NET] <con1000|2> sending packet: from xxx.xxx.xxx.xxx[4500] to xxx.xxx.xxx.xxx[4500] (320 bytes)
    Mar 26 20:20:42  charon  10[IKE] <con1000|2> retransmit 1 of request with message ID 1
    Mar 26 20:20:38  charon  03[NET] received unsupported IKE version 0.4 from xxx.xxx.xxx.xxx, sending INVALID_MAJOR_VERSION
    Mar 26 20:20:38  charon  03[ENC] no message rules specified for this message type
    Mar 26 20:20:38  charon  10[NET] <con1000|2> sending packet: from xxx.xxx.xxx.xxx[4500] to xxx.xxx.xxx.xxx[4500] (320 bytes)
    Mar 26 20:20:38  charon  10[ENC] <con1000|2> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
    Mar 26 20:20:38  charon  10[IKE] <con1000|2> establishing CHILD_SA con1000{7}
    Mar 26 20:20:38  charon  10[CFG] <con1000|2> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_512_256/NO_EXT_SEQ
    Mar 26 20:20:38  charon  10[CFG] <con1000|2> xxx.xxx.xxx.xxx/24|/0
    Mar 26 20:20:38  charon  10[CFG] <con1000|2> proposing traffic selectors for other:
    Mar 26 20:20:38  charon  10[CFG] <con1000|2> xxx.xxx.xxx.xxx/24|/0
    Mar 26 20:20:38  charon  10[CFG] <con1000|2> proposing traffic selectors for us:
    Mar 26 20:20:38  charon  10[IKE] <con1000|2> successfully created shared key MAC
    Mar 26 20:20:38  charon  10[IKE] <con1000|2> authentication of 'brma.loc' (myself) with pre-shared key
    Mar 26 20:20:38  charon  10[IKE] <con1000|2> IKE_AUTH task
    Mar 26 20:20:38  charon  10[IKE] <con1000|2> IKE_CERT_PRE task
    Mar 26 20:20:38  charon  10[IKE] <con1000|2> reinitiating already active tasks
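
The "IKE version X.Y" in charon's message is read from a single byte of the IKE fixed header (byte 17, major version in the high nibble and minor in the low nibble, RFC 7296 section 3.1); on UDP/4500 that header is preceded by a four-byte non-ESP marker (RFC 3948), and a datagram on 4500 that does not start with the marker is UDP-encapsulated ESP. The parser below is an added example, not code from the post, pfSense or strongSwan. It shows how a datagram that carries the marker but is not a real IKE message decodes to an arbitrary "version" such as 0.4, which is consistent with the poster's observation that the reported value changes every attempt; what the remote peer actually sent is not visible in the thread. All datagrams, SPIs and function names are constructed for the example.

```python
import struct

# Constructed example, not code from the forum post, pfSense or strongSwan.
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: IKE inside UDP/4500 starts with 4 zero bytes
IKE_HEADER_LEN = 28                   # RFC 7296 section 3.1: fixed IKE header
EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH",
                  36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20   # bits 3 and 5 of the Flags octet


def parse_ike_header(datagram: bytes, dst_port: int = 4500) -> dict:
    """Parse the IKE fixed header of one UDP payload received on port 500 or 4500."""
    body = datagram
    if dst_port == 4500:
        if len(body) < 4:
            raise ValueError("too short for the non-ESP marker")
        if body[:4] != NON_ESP_MARKER:
            # Anything else on UDP/4500 is UDP-encapsulated ESP; bytes 0-3 are the ESP SPI.
            return {"kind": "esp", "spi": body[:4].hex()}
        body = body[4:]
    if len(body) < IKE_HEADER_LEN:
        raise ValueError("too short for an IKE header")
    (spi_i, spi_r, next_payload, version, exchange,
     flags, msg_id, length) = struct.unpack("!8s8sBBBBII", body[:IKE_HEADER_LEN])
    return {
        "kind": "ike",
        "spi_i": spi_i.hex(), "spi_r": spi_r.hex(),
        "next_payload": next_payload,
        "major": version >> 4, "minor": version & 0x0F,   # one octet, two nibbles
        "exchange": EXCHANGE_TYPES.get(exchange, f"unknown({exchange})"),
        "initiator": bool(flags & FLAG_INITIATOR),
        "response": bool(flags & FLAG_RESPONSE),
        "msg_id": msg_id,
        "length": length,   # as claimed by the header; not validated here
    }


def describe(datagram: bytes, dst_port: int = 4500) -> str:
    """One-line classification in the spirit of charon's [NET] log lines."""
    h = parse_ike_header(datagram, dst_port)
    if h["kind"] == "esp":
        return f"UDP-encapsulated ESP, SPI {h['spi']}"
    if h["major"] not in (1, 2):
        # Same condition behind charon's "received unsupported IKE version X.Y",
        # which it answers with an INVALID_MAJOR_VERSION notification.
        return f"unsupported IKE version {h['major']}.{h['minor']}"
    kind = "response" if h["response"] else "request"
    return f"IKEv{h['major']} {h['exchange']} {kind}, message ID {h['msg_id']}"


def build_ike_header(spi_i, spi_r, exchange, flags, msg_id, length,
                     version=0x20, next_payload=46):
    """NAT-T framed IKE header; version 0x20 = IKEv2, next payload 46 = SK (encrypted)."""
    return NON_ESP_MARKER + struct.pack("!8s8sBBBBII", spi_i, spi_r, next_payload,
                                        version, exchange, flags, msg_id, length)


# Constructed datagrams (not captures from the thread):
# 1. a well-formed IKE_AUTH request with message ID 1, like the one charon keeps retransmitting
IKE_AUTH_REQUEST = build_ike_header(b"\x11" * 8, b"\x22" * 8, 35, FLAG_INITIATOR, 1, 320)
# 2. non-ESP marker followed by 28 bytes that are not an IKE message: the byte at header
#    offset 17 is 0x04, so the "version" decodes as 0.4, as in the poster's log line
NOT_REALLY_IKE = NON_ESP_MARKER + bytes(16) + b"\x2e\x04" + bytes(10)
# 3. UDP-encapsulated ESP: the first four bytes are a non-zero SPI, not the marker
ESP_DATAGRAM = b"\xc0\xff\xee\x01" + bytes(24)

if __name__ == "__main__":
    for name, d in [("IKE_AUTH", IKE_AUTH_REQUEST), ("garbage", NOT_REALLY_IKE),
                    ("ESP", ESP_DATAGRAM)]:
        print(f"{name:9s} -> {describe(d)}")
```

The practical check this suggests: capture UDP/4500 on the pfSense WAN while the tunnel is negotiating and look at what the peer returns for the IKE_AUTH request; a real IKEv2 reply has the zero marker, the same SPIs as the request, version byte 0x20 and the Response flag set.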
    

  • Global Moderator

    What device is on the remote side?



  • The issue has meanwhile been resolved.
    Just in case others might have the same issue, I'd like to share the solution with you.

    The device on the remote site is a SonicWall NSA-4600 with SonicOS Enhanced 6.5.4.4-44N.
    The cause of the issue was a wrong configuration on the remote(!) site that didn't seem to be an issue before the upgrade of pfSense to 2.4.5.

    The connection is established using a KeyID tag in phase 1, both for the local and the remote site. On the remote site it was not configured as a KeyID tag but as a Domain Name. However, up to now this worked fine.
    With the upgrade to pfSense 2.4.5 the wrong configuration on the remote(!) site turned into an issue, but it could easily be corrected by changing the configuration on the SonicWall to use a KeyID tag as well.
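
In IKEv2 the identity a peer sends in IDi/IDr carries an explicit ID Type (RFC 7296 section 3.5): a domain name is ID_FQDN (2), a KeyID tag is ID_KEY_ID (11). The same string under the two types produces payloads that differ in exactly one byte, and a responder that compares type and data against its configured peer identity will reject the one it was not told to expect. The encoder and match check below are an added example, not code from the post, pfSense, strongSwan or SonicOS; the identity "brma.loc" is taken from the poster's log, while the function names, the strict type-plus-data comparison and the payload bytes are the example's own assumptions (whether the SonicWall matched identities this way before the upgrade is not shown in the thread).

```python
import struct

# Constructed example, not code from the forum post, pfSense, strongSwan or SonicOS.
# IKEv2 Identification payload (IDi / IDr), RFC 7296 section 3.5.
ID_IPV4_ADDR, ID_FQDN, ID_RFC822_ADDR, ID_IPV6_ADDR = 1, 2, 3, 5
ID_DER_ASN1_DN, ID_DER_ASN1_GN, ID_KEY_ID = 9, 10, 11
ID_TYPE_NAMES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_RFC822_ADDR", 5: "ID_IPV6_ADDR",
                 9: "ID_DER_ASN1_DN", 10: "ID_DER_ASN1_GN", 11: "ID_KEY_ID"}


def encode_id_payload(id_type: int, data: bytes, next_payload: int = 0) -> bytes:
    """Generic payload header (Next Payload, C/RESERVED, Length), then ID Type,
    three RESERVED bytes and the Identification Data."""
    length = 4 + 4 + len(data)
    return (struct.pack("!BBH", next_payload, 0, length)
            + struct.pack("!B3x", id_type)
            + data)


def decode_id_payload(payload: bytes) -> tuple:
    """Return (id_type, identification_data); reject truncated or mis-sized payloads."""
    if len(payload) < 8:
        raise ValueError("ID payload shorter than its fixed part")
    _next, _flags, length = struct.unpack("!BBH", payload[:4])
    if length != len(payload):
        raise ValueError(f"length field says {length}, got {len(payload)} bytes")
    return payload[4], payload[8:]


def id_to_str(id_type: int, data: bytes) -> str:
    name = ID_TYPE_NAMES.get(id_type, f"type {id_type}")
    shown = data.decode("ascii") if data.isascii() else data.hex()
    return f"{name} '{shown}'"


def ids_match(expected_type: int, expected_data: bytes, received: bytes) -> bool:
    """Responder-side check: the peer's IDi is accepted only when both the ID type
    and the identification data equal the identity configured for that peer."""
    got_type, got_data = decode_id_payload(received)
    return got_type == expected_type and got_data == expected_data


def explain(expected_type: int, expected_data: bytes, received: bytes) -> str:
    got_type, got_data = decode_id_payload(received)
    verdict = "matches" if ids_match(expected_type, expected_data, received) else "does NOT match"
    return (f"peer sent {id_to_str(got_type, got_data)}, configured "
            f"{id_to_str(expected_type, expected_data)}: {verdict}")


def differing_offsets(a: bytes, b: bytes) -> list:
    """Byte offsets at which two equal-length payloads differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y] + list(range(min(len(a), len(b)), max(len(a), len(b))))


# Constructed payloads: the identity string from the log, once per ID type.
AS_FQDN = encode_id_payload(ID_FQDN, b"brma.loc")      # "Domain Name" on the SonicWall side
AS_KEYID = encode_id_payload(ID_KEY_ID, b"brma.loc")   # "KeyID tag" on the pfSense side

if __name__ == "__main__":
    print("FQDN :", AS_FQDN.hex())
    print("KEYID:", AS_KEYID.hex())
    print("differ at byte offsets", differing_offsets(AS_FQDN, AS_KEYID))
    print(explain(ID_KEY_ID, b"brma.loc", AS_FQDN))
    print(explain(ID_KEY_ID, b"brma.loc", AS_KEYID))
```

Byte offset 4 is the ID Type field; everything else, including the length, is identical, which is why such a mismatch only shows up as a failed authentication or an unanswered IKE_AUTH rather than as a malformed packet.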