PfSense <–> Windows RRAS via IPsec
Hello all. I've searched the best I could but came up with nothing (a few topics but seemingly no resolutions).
My network has three sites, 2 using pfsense (SiteA, SiteB) and one using RRAS on a windows 2003 server (SiteC, and I know… but I can't avoid it). I have the two pfsense boxes talking via an IPsec tunnel and it works fantastically, and for the purposes of simplicity I will ignore SiteB from further diagrams/logs.
I'm trying to set up a tunnel from SiteA to SiteC (see below). I used the Microsoft KB article found here - http://support.microsoft.com/kb/816514 - for a step-by-step on creating an IPsec policy. As far as I can tell everything is set up identically, but I receive the errors below...

10.0.1.0 (SiteA) 76.x.x.x <---------INTERNET-------> 64.x.x.x (SiteC) 10.0.3.0
pfSense Logs (most recent on top):
Jun 22 19:13:08 racoon: [Vegas Tunnel]: ERROR: 64.x.x.x give up to get IPsec-SA due to time up to wait.
Jun 22 19:12:38 racoon: ERROR: fatal INVALID-ID-INFORMATION notify messsage, phase1 should be deleted.
Jun 22 19:12:38 racoon: [Vegas Tunnel]: INFO: initiate new phase 2 negotiation: 76.x.x.x[500]<=>64.x.x.x[500]
Jun 22 19:12:37 racoon: [Vegas Tunnel]: INFO: ISAKMP-SA established 76.x.x.x[500]-64.x.x.x[500] spi:8d12....
Jun 22 19:12:37 racoon: WARNING: No ID match.
Jun 22 19:12:37 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Jun 22 19:12:37 racoon: INFO: received Vendor ID: FRAGMENTATION
Jun 22 19:12:37 racoon: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
Jun 22 19:12:37 racoon: INFO: begin Identity Protection mode.
Jun 22 19:12:37 racoon: [Vegas Tunnel]: INFO: initiate new phase 1 negotiation: 76.x.x.x[500]<=>64.x.x.x[500]
Jun 22 19:12:37 racoon: [Vegas Tunnel]: INFO: IPsec-SA request for 64.x.x.x queued due to no phase1 found.
Jun 22 19:12:35 racoon: [Self]: INFO: 10.0.1.1[500] used as isakmp port (fd=15)
Jun 22 19:12:35 racoon: [Self]: INFO: 76.x.x.x[500] used as isakmp port (fd=14)
Jun 22 19:12:35 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=13)
Jun 22 19:12:35 racoon: INFO: unsupported PF_KEY message REGISTER
RRAS, oakley.log (most recent on bottom):
6-22: 19:18:40:434:bc8 Finding Responder Policy for SRC=10.0.1.0.0000 DST=10.0.3.0.0000, SRCMask=255.255.255.0, DSTMask=255.255.255.0, Prot=0 InTunnelEndpt 103a8c0 OutTunnelEndpt 1d6c762
6-22: 19:18:40:434:bc8 Failed to get TunnelPolicy 13015
6-22: 19:18:40:434:bc8 Responder failed to match filter(Phase II) 13015
6-22: 19:18:40:434:bc8 Data Protection Mode (Quick Mode)
6-22: 19:18:40:434:bc8 Source IP Address 10.0.3.0 Source IP Address Mask 255.255.255.0 Destination IP Address 10.0.1.0 Destination IP Address Mask 255.255.255.0 Protocol 0 Source Port 0 Destination Port 0 IKE Local Addr 10.0.3.1 IKE Peer Addr 76.x.x.x IKE Source Port 500 IKE Destination Port 500 Peer Private Addr
6-22: 19:18:40:434:bc8 Preshared key ID. Peer IP Address: 76.x.x.x
6-22: 19:18:40:434:bc8 Me
6-22: 19:18:40:434:bc8 No policy configured
6-22: 19:18:40:434:bc8 Processed third (ID) payload Responder. Delta Time 0 0x0 0x0
6-22: 19:18:40:434:bc8 isadb_set_status sa:000000000017ADD0 centry:0000000002F43350 status 3601
6-22: 19:18:40:434:bc8 ProcessFailure: sa:000000000017ADD0 centry:0000000002F43350 status:3601
Phase1/Main Mode appear to complete (both sides show phase 1 established), but phase 2 is failing. I can't imagine this problem is with pfsense as I have other ipsec tunnels working on this same box. I have opened isakmp and ipsec-nat-t on both ends (not required for the SiteA-SiteB tunnel…)
Any ideas? Experience? Design flaws or limitations I'm overlooking? I can post more if necessary: setups, screenshots, etc. Just ask. (IPs obviously masked)
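A small script for lining the two logs up against each other (an added Python example, not part of the original post and not pfSense or RRAS code): it classifies the racoon messages by phase, pulls the quick-mode selector that RRAS logged in oakley.log, and compares it with the filter list you believe RRAS has. The sample lines are constructed copies of the excerpts above; the filter list, its "mirrored" flag and the exact-subnet-match rule are assumptions.

```python
import ipaddress
import re
RACOON_LOG = [  # constructed, mirrors the racoon excerpt in the post (peer IPs masked as there)
    "Jun 22 19:12:37 racoon: [Vegas Tunnel]: INFO: ISAKMP-SA established 76.x.x.x[500]-64.x.x.x[500] spi:8d12....",
    "Jun 22 19:12:38 racoon: [Vegas Tunnel]: INFO: initiate new phase 2 negotiation: 76.x.x.x[500]<=>64.x.x.x[500]",
    "Jun 22 19:12:38 racoon: ERROR: fatal INVALID-ID-INFORMATION notify messsage, phase1 should be deleted.",
    "Jun 22 19:13:08 racoon: [Vegas Tunnel]: ERROR: 64.x.x.x give up to get IPsec-SA due to time up to wait.",
]
OAKLEY_LOG = [  # constructed, mirrors the oakley.log excerpt in the post
    "6-22: 19:18:40:434:bc8 Finding Responder Policy for SRC=10.0.1.0.0000 DST=10.0.3.0.0000, "
    "SRCMask=255.255.255.0, DSTMask=255.255.255.0, Prot=0 InTunnelEndpt 103a8c0 OutTunnelEndpt 1d6c762",
    "6-22: 19:18:40:434:bc8 Failed to get TunnelPolicy 13015",
    "6-22: 19:18:40:434:bc8 Responder failed to match filter(Phase II) 13015",
]

def racoon_phase_status(lines):
    """Summarise the pfSense (racoon) side: did phase 1 complete, and how did phase 2 end?"""
    status = {"phase1": False, "phase2": "not attempted"}
    for line in lines:
        if "ISAKMP-SA established" in line:
            status["phase1"] = True
        elif "initiate new phase 2 negotiation" in line:
            status["phase2"] = "in progress"
        elif "INVALID-ID-INFORMATION" in line:  # peer rejected the phase 2 identities (selectors)
            status["phase2"] = "rejected by peer"
        elif "give up to get IPsec-SA" in line and status["phase2"] == "in progress":
            status["phase2"] = "timed out"  # no reply at all, as opposed to an explicit reject
    return status

_SELECTOR_RE = re.compile(r"Finding Responder Policy for SRC=(\d+\.\d+\.\d+\.\d+)\.\d+ "
                          r"DST=(\d+\.\d+\.\d+\.\d+)\.\d+, SRCMask=([\d.]+), DSTMask=([\d.]+)")

def oakley_requested_selector(lines):
    """Return the (src, dst) subnets RRAS logged for the quick-mode proposal, or None."""
    for line in lines:
        m = _SELECTOR_RE.search(line)
        if m:
            src, dst, smask, dmask = m.groups()
            return ipaddress.ip_network(f"{src}/{smask}"), ipaddress.ip_network(f"{dst}/{dmask}")
    return None

def find_matching_filter(requested, filters):
    """filters: (src_net, dst_net, mirrored) tuples you believe RRAS has; a mirrored filter also
    covers the reverse direction. Assumes exact subnet equality is needed (a subset is no match)."""
    src, dst = requested
    for fsrc, fdst, mirrored in filters:
        if (fsrc, fdst) == (src, dst) or (mirrored and (fdst, fsrc) == (src, dst)):
            return fsrc, fdst
    return None
```

Feed it the real logs and the filters from the RRAS policy; if `find_matching_filter` returns None for the selector RRAS itself logged, the "Failed to get TunnelPolicy" line is explained by the filter definition rather than by anything on the pfSense side.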