Netgate Discussion Forum

    IPSec on Watchguard Firebox

    1.2.3-PRERELEASE-TESTING snapshots - RETIRED
      Phil

      Hi All,

      IPSec on Watchguard Firebox devices has been broken since 1.2.1. The tunnel establishes ok but no traffic will pass over it. If any of the devs have time to work through debugging this with me to hopefully fix it in the next snapshot, that'd be great.

      Cheers

      Phil

        Phil

        As a note, the firebox has a Crypto card in it. I know that 1.2->1.2.1 was a full BSD upgrade so I wonder if it is trying to use this. When a packet is sent it leaves one side and hits the other but it isn't sent onto the network.

        Here are the debug logs of trying to send a packet from the pfSense side to the remote side. Nothing is logged when the remote side sends to the pfSense side, but the packet is received on the interface, as tcpdump shows.

        2009-05-12 14:26:49: INFO: caught signal 2
        2009-05-12 14:26:49: DEBUG: pk_recv: retry[0] recv()
        2009-05-12 14:26:49: DEBUG: get pfkey FLUSH message
        2009-05-12 14:26:49: DEBUG: compute IV for phase2
        2009-05-12 14:26:49: DEBUG: phase1 last IV:
        2009-05-12 14:26:49: DEBUG:
        19799a3d ce660799 e8cfe13c
        2009-05-12 14:26:49: DEBUG: hash(sha1)
        2009-05-12 14:26:49: DEBUG: encryption(3des)
        2009-05-12 14:26:49: DEBUG: phase2 IV computed:
        2009-05-12 14:26:49: DEBUG:
        5e5c5d3c 52b7dd10
        2009-05-12 14:26:49: DEBUG: HASH with:
        2009-05-12 14:26:49: DEBUG:
        e8cfe13c 00000010 00000001 03040001 0a4a81a5
        2009-05-12 14:26:49: DEBUG: hmac(hmac_sha1)
        2009-05-12 14:26:49: DEBUG: HASH computed:
        2009-05-12 14:26:49: DEBUG:
        e211d5b8 a2805460 0e8bb371 7d2e47a9 b7fe5b47
        2009-05-12 14:26:49: DEBUG: begin encryption.
        2009-05-12 14:26:49: DEBUG: encryption(3des)
        2009-05-12 14:26:49: DEBUG: pad length = 8
        2009-05-12 14:26:49: DEBUG:
        0c000018 e211d5b8 a2805460 0e8bb371 7d2e47a9 b7fe5b47 00000010 00000001
        03040001 0a4a81a5 d492999b a385c607
        2009-05-12 14:26:49: DEBUG: encryption(3des)
        2009-05-12 14:26:49: DEBUG: with key:
        2009-05-12 14:26:49: DEBUG:
        a6d04f6b aa92aaf7 0ff760f8 a0db1bb3 0acddd2c 893f168c
        2009-05-12 14:26:49: DEBUG: encrypted payload by IV:
        2009-05-12 14:26:49: DEBUG:
        5e5c5d3c 52b7dd10
        2009-05-12 14:26:49: DEBUG: save IV for next:
        2009-05-12 14:26:49: DEBUG:
        cfdc92ab b6d80105
        2009-05-12 14:26:49: DEBUG: encrypted.
        2009-05-12 14:26:49: DEBUG: 76 bytes from (SRC IP)[500] to (DEST IP)[500]
        2009-05-12 14:26:49: DEBUG: sockname (SRC IP)[500]
        2009-05-12 14:26:49: DEBUG: send packet from 8(SRC IP)[500]
        2009-05-12 14:26:49: DEBUG: send packet to (DEST IP)[500]
        2009-05-12 14:26:49: DEBUG: 1 times of 76 bytes message will be sent to (DEST IP)[500]
        2009-05-12 14:26:49: DEBUG:
        60ffb008 19d4e1e6 bb4bf3a4 763e0cf8 08100501 e8cfe13c 0000004c 5d8c4a9d
        7500fd7e 814ab3cd 127a14bf 9d2bca17 fddc985a 1b9f6537 ebd4d0b6 38b9297a
        635b77fa cfdc92ab b6d80105
        2009-05-12 14:26:49: DEBUG: sendto Information delete.
        2009-05-12 14:26:49: DEBUG: IV freed
        2009-05-12 14:26:49: DEBUG: an undead schedule has been deleted.
        2009-05-12 14:26:49: DEBUG: IV freed
        2009-05-12 14:26:50: DEBUG: call pfkey_send_dump
        2009-05-12 14:26:50: DEBUG: pk_recv: retry[0] recv()
        2009-05-12 14:26:50: DEBUG: compute IV for phase2
        2009-05-12 14:26:50: DEBUG: phase1 last IV:
        2009-05-12 14:26:50: DEBUG:
        19799a3d ce660799 f4a6800c
        2009-05-12 14:26:50: DEBUG: hash(sha1)
        2009-05-12 14:26:50: DEBUG: encryption(3des)
        2009-05-12 14:26:50: DEBUG: phase2 IV computed:
        2009-05-12 14:26:50: DEBUG:
        abc1874e 6bf344fb
        2009-05-12 14:26:50: DEBUG: HASH with:
        2009-05-12 14:26:50: DEBUG:
        f4a6800c 0000001c 00000001 01100001 60ffb008 19d4e1e6 bb4bf3a4 763e0cf8
        2009-05-12 14:26:50: DEBUG: hmac(hmac_sha1)
        2009-05-12 14:26:50: DEBUG: HASH computed:
        2009-05-12 14:26:50: DEBUG:
        e0e6d2a2 d0d36b7c 858b2ae2 35caf366 ba68a100
        2009-05-12 14:26:50: DEBUG: begin encryption.
        2009-05-12 14:26:50: DEBUG: encryption(3des)
        2009-05-12 14:26:50: DEBUG: pad length = 4
        2009-05-12 14:26:50: DEBUG:
        0c000018 e0e6d2a2 d0d36b7c 858b2ae2 35caf366 ba68a100 0000001c 00000001
        01100001 60ffb008 19d4e1e6 bb4bf3a4 763e0cf8 8680f303
        2009-05-12 14:26:50: DEBUG: encryption(3des)
        2009-05-12 14:26:50: DEBUG: with key:
        2009-05-12 14:26:50: DEBUG:
        a6d04f6b aa92aaf7 0ff760f8 a0db1bb3 0acddd2c 893f168c
        2009-05-12 14:26:50: DEBUG: encrypted payload by IV:
        2009-05-12 14:26:50: DEBUG:
        abc1874e 6bf344fb
        2009-05-12 14:26:50: DEBUG: save IV for next:
        2009-05-12 14:26:50: DEBUG:
        bd19e907 d624825f
        2009-05-12 14:26:50: DEBUG: encrypted.
        2009-05-12 14:26:50: DEBUG: 84 bytes from (SRC IP)[500] to (DEST IP)[500]
        2009-05-12 14:26:50: DEBUG: sockname (SRC IP)[500]
        2009-05-12 14:26:50: DEBUG: send packet from (SRC IP)[500]
        2009-05-12 14:26:50: DEBUG: send packet to (DEST IP)[500]
        2009-05-12 14:26:50: DEBUG: 1 times of 84 bytes message will be sent to (DEST IP)[500]
        2009-05-12 14:26:50: DEBUG:
        60ffb008 19d4e1e6 bb4bf3a4 763e0cf8 08100501 f4a6800c 00000054 a63a70b5
        5794630a fecf339b b37eca7b 1e5ef7ab f579db7a 3822782e cd21b9bc d4b21c67
        cef8b76a 20bed411 c63c3cf1 bd19e907 d624825f
        2009-05-12 14:26:50: DEBUG: sendto Information delete.
        2009-05-12 14:26:50: DEBUG: IV freed
        2009-05-12 14:26:50: DEBUG: an undead schedule has been deleted.
        2009-05-12 14:26:50: DEBUG: IV freed
        2009-05-12 14:26:50: INFO: racoon shutdown

          madas
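To make the racoon dump above readable, here is a small decoder for the two messages it logs. It is an added example, not code from the thread or from racoon; the hex dumps are transcribed from the log (the 28-byte ISAKMP header of each message as sent, and the plaintext payload chain printed before "begin encryption."), and it shows that both are encrypted Informational exchanges carrying a HASH plus a DELETE payload: the first deletes the ESP SA with SPI 0a4a81a5, the second deletes the ISAKMP SA itself (the SPI is the cookie pair), which is the normal teardown racoon sends on SIGINT ("caught signal 2") rather than anything to do with the missing traffic.

```python
import struct

# Transcribed from the racoon log in the post above: wire header of each message and
# the plaintext payload chain racoon dumps before encrypting (trailing words are 3DES padding).
WIRE_HDR_1 = "60ffb008 19d4e1e6 bb4bf3a4 763e0cf8 08100501 e8cfe13c 0000004c"
PLAIN_1 = ("0c000018 e211d5b8 a2805460 0e8bb371 7d2e47a9 b7fe5b47 00000010 00000001 "
           "03040001 0a4a81a5 d492999b a385c607")
WIRE_HDR_2 = "60ffb008 19d4e1e6 bb4bf3a4 763e0cf8 08100501 f4a6800c 00000054"
PLAIN_2 = ("0c000018 e0e6d2a2 d0d36b7c 858b2ae2 35caf366 ba68a100 0000001c 00000001 "
           "01100001 60ffb008 19d4e1e6 bb4bf3a4 763e0cf8 8680f303")

EXCHANGE = {2: "Identity Protection", 4: "Aggressive", 5: "Informational", 32: "Quick Mode"}
PAYLOAD = {0: "NONE", 8: "HASH", 12: "DELETE"}
PROTO = {1: "ISAKMP", 2: "AH", 3: "ESP"}

def hexbytes(dump: str) -> bytes:
    """Convert racoon's space-separated 32-bit-word hex dump into bytes."""
    return bytes.fromhex("".join(dump.split()))

def parse_header(raw: bytes) -> dict:
    """Decode the fixed 28-byte ISAKMP header (RFC 2408, section 3.1)."""
    ic, rc, nxt, ver, xchg, flags, msgid, length = struct.unpack("!8s8sBBBBII", raw[:28])
    return {"icookie": ic.hex(), "rcookie": rc.hex(), "next_payload": nxt,
            "version": f"{ver >> 4}.{ver & 0xF}", "exchange": EXCHANGE.get(xchg, xchg),
            "encrypted": bool(flags & 0x01), "msgid": f"{msgid:08x}", "length": length}

def parse_payloads(first: int, data: bytes) -> list:
    """Walk the generic payload chain, decoding HASH and DELETE bodies (RFC 2408, 3.11 / 3.16)."""
    out, off, ptype = [], 0, first
    while ptype != 0 and off + 4 <= len(data):
        nxt, _reserved, plen = struct.unpack("!BBH", data[off:off + 4])
        body = data[off + 4:off + plen]
        entry = {"type": PAYLOAD.get(ptype, ptype), "length": plen}
        if ptype == 8:                      # HASH: raw HMAC output (20 bytes for SHA-1)
            entry["hash"] = body.hex()
        elif ptype == 12:                   # DELETE: DOI, protocol, SPI size, SPI count, SPIs
            _doi, proto, spi_size, nspi = struct.unpack("!IBBH", body[:8])
            entry["protocol"] = PROTO.get(proto, proto)
            entry["spis"] = [body[8 + i * spi_size:8 + (i + 1) * spi_size].hex()
                             for i in range(nspi)]
        out.append(entry)
        off, ptype = off + plen, nxt
    return out

def decode(hdr_dump: str, plain_dump: str) -> dict:
    """Tie a wire header to its plaintext: the length field must equal 28 + the padded body."""
    hdr, plain = parse_header(hexbytes(hdr_dump)), hexbytes(plain_dump)
    return {"header": hdr, "payloads": parse_payloads(hdr["next_payload"], plain),
            "length_consistent": hdr["length"] == 28 + len(plain)}

if __name__ == "__main__":
    for h, p in ((WIRE_HDR_1, PLAIN_1), (WIRE_HDR_2, PLAIN_2)):
        print(decode(h, p))
```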

          Did you try removing the mini-PCI card?

            cmb

            Likely a FreeBSD issue we can't do anything about. What kind of crypto card does it have?

              Phil

              I'll try removing it tomorrow.

              Phil

                Phil

                Finally got around to testing this - it works fine with the Crypto card removed.

                Phil
