IPSEC VPN problems to Snapgear Firewall



  • I'm having some VPN problems creating an IPsec VPN between my pfSense 1.2.3 and a SnapGear firewall. I just removed my old SnapGear, which was working fine with the VPN.

    Both ends say the VPN is up, but no IP traffic flows. I added rules that allow everything through the IPsec interface. I see some errors on the pfSense side. The initial "no phase1 found" was just before I enabled the tunnel.

    Jul 10 17:16:52 fw-us1 racoon: ERROR: failed to get sainfo.
    Jul 10 17:17:00 fw-us1 last message repeated 2 times
    Jul 10 17:17:03 fw-us1 racoon: ERROR: couldn't find configuration.
    Jul 10 17:17:03 fw-us1 racoon: INFO: unsupported PF_KEY message REGISTER
    Jul 10 17:17:04 fw-us1 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=14)
    Jul 10 17:17:04 fw-us1 racoon: INFO: 127.0.0.1[500] used for NAT-T
    Jul 10 17:17:04 fw-us1 racoon: INFO: 10.2.1.1[500] used as isakmp port (fd=15)
    Jul 10 17:17:04 fw-us1 racoon: INFO: 10.2.1.1[500] used for NAT-T
    Jul 10 17:17:04 fw-us1 racoon: INFO: MYIP[500] used as isakmp port (fd=16)
    Jul 10 17:17:04 fw-us1 racoon: INFO: MYIP[500] used for NAT-T
    Jul 10 17:17:07 fw-us1 racoon: INFO: IPsec-SA request for THEIRIP queued due to no phase1 found.
    Jul 10 17:17:07 fw-us1 racoon: INFO: initiate new phase 1 negotiation: MYIP[500]<=>THEIRIP[500]
    Jul 10 17:17:07 fw-us1 racoon: INFO: begin Identity Protection mode.
    Jul 10 17:17:07 fw-us1 racoon: phase1(ident I msg1): 0.000535
    Jul 10 17:17:07 fw-us1 racoon: INFO: received Vendor ID: DPD
    Jul 10 17:17:07 fw-us1 racoon: oakley_dh_generate(MODP1024): 0.018665
    Jul 10 17:17:07 fw-us1 racoon: phase1(ident I msg2): 0.019175
    Jul 10 17:17:07 fw-us1 racoon: oakley_dh_compute(MODP1024): 0.018220
    Jul 10 17:17:07 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=32): 0.000077
    Jul 10 17:17:07 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=145): 0.000017
    Jul 10 17:17:07 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=165): 0.000016
    Jul 10 17:17:07 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=165): 0.000016
    Jul 10 17:17:07 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=1): 0.000014
    Jul 10 17:17:07 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=20): 0.000015
    Jul 10 17:17:07 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=340): 0.000019
    Jul 10 17:17:07 fw-us1 racoon: alg_oakley_encdef_encrypt(3des klen=192 size=56): 0.000058
    Jul 10 17:17:07 fw-us1 racoon: phase1(ident I msg3): 0.019792
    Jul 10 17:17:07 fw-us1 racoon: alg_oakley_encdef_decrypt(3des klen=192 size=40): 0.000064
    Jul 10 17:17:07 fw-us1 racoon: WARNING: No ID match.
    Jul 10 17:17:07 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=328): 0.000075
    Jul 10 17:17:07 fw-us1 racoon: oakley_validate_auth(pre-shared key): 0.000118
    Jul 10 17:17:07 fw-us1 racoon: phase1(ident R msg3): 0.000333
    Jul 10 17:17:07 fw-us1 racoon: phase1(Identity Protection): 0.720964
    Jul 10 17:17:07 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=32): 0.000015
    Jul 10 17:17:07 fw-us1 racoon: alg_oakley_encdef_encrypt(3des klen=192 size=56): 0.000027
    Jul 10 17:17:07 fw-us1 racoon: INFO: ISAKMP-SA established MYIP[500]-THEIRIP[500] spi:3eafad222046990e:79628bacf89f7cb8
    Jul 10 17:17:08 fw-us1 racoon: INFO: initiate new phase 2 negotiation: MYIP[500]<=>THEIRIP[500]
    Jul 10 17:17:08 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=104): 0.000037
    Jul 10 17:17:08 fw-us1 racoon: alg_oakley_encdef_encrypt(3des klen=192 size=128): 0.000073
    Jul 10 17:17:08 fw-us1 racoon: phase2(quick I msg1): 0.000950
    Jul 10 17:17:09 fw-us1 racoon: alg_oakley_encdef_decrypt(3des klen=192 size=128): 0.000083
    Jul 10 17:17:09 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=120): 0.000072
    Jul 10 17:17:09 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=37): 0.000016
    Jul 10 17:17:09 fw-us1 racoon: alg_oakley_encdef_encrypt(3des klen=192 size=32): 0.000026
    Jul 10 17:17:09 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=37): 0.000053
    Jul 10 17:17:09 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=57): 0.000016
    Jul 10 17:17:09 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=57): 0.000016
    Jul 10 17:17:09 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=57): 0.000015
    Jul 10 17:17:09 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=37): 0.000015
    Jul 10 17:17:09 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=57): 0.000015
    Jul 10 17:17:09 fw-us1 last message repeated 2 times
    Jul 10 17:17:09 fw-us1 racoon: phase2(quick I msg2): 0.001640
    Jul 10 17:17:09 fw-us1 racoon: INFO: IPsec-SA established: ESP THEIRIP[0]->MYIP[0] spi=134999550(0x80bedfe)
    Jul 10 17:17:09 fw-us1 racoon: phase2(quick): 0.100193
    Jul 10 17:17:09 fw-us1 racoon: INFO: IPsec-SA established: ESP MYIP[500]->THEIRIP[500] spi=1064879293(0x3f78c4bd)
    Jul 10 17:17:18 fw-us1 racoon: alg_oakley_encdef_decrypt(3des klen=192 size=56): 0.000075
    Jul 10 17:17:18 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=36): 0.000053
    Jul 10 17:17:18 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=36): 0.000014
    Jul 10 17:17:18 fw-us1 racoon: alg_oakley_encdef_encrypt(3des klen=192 size=64): 0.000037
    Jul 10 17:17:20 fw-us1 racoon: ERROR: failed to get sainfo.
    Jul 10 17:17:25 fw-us1 racoon: ERROR: failed to get sainfo.
    Jul 10 17:17:27 fw-us1 racoon: alg_oakley_encdef_decrypt(3des klen=192 size=56): 0.000076
    Jul 10 17:17:27 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=36): 0.000055
    Jul 10 17:17:27 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=36): 0.000013
    Jul 10 17:17:27 fw-us1 racoon: alg_oakley_encdef_encrypt(3des klen=192 size=64): 0.000050
    Jul 10 17:17:36 fw-us1 racoon: alg_oakley_encdef_decrypt(3des klen=192 size=56): 0.000080
    Jul 10 17:17:36 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=36): 0.000056
    Jul 10 17:17:36 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=36): 0.000014
    Jul 10 17:17:36 fw-us1 racoon: alg_oakley_encdef_encrypt(3des klen=192 size=64): 0.000026
    Jul 10 17:17:37 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=36): 0.000047
    Jul 10 17:17:37 fw-us1 racoon: alg_oakley_encdef_encrypt(3des klen=192 size=64): 0.000065
    Jul 10 17:17:37 fw-us1 racoon: alg_oakley_encdef_decrypt(3des klen=192 size=56): 0.000054
    Jul 10 17:17:37 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=36): 0.000044
    Jul 10 17:17:43 fw-us1 racoon: ERROR: couldn't find configuration.
    Jul 10 17:17:46 fw-us1 racoon: alg_oakley_encdef_decrypt(3des klen=192 size=56): 0.000077
    Jul 10 17:17:46 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=36): 0.000055
    Jul 10 17:17:46 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=36): 0.000014
    Jul 10 17:17:46 fw-us1 racoon: alg_oakley_encdef_encrypt(3des klen=192 size=64): 0.000025
    Jul 10 17:17:48 fw-us1 racoon: ERROR: failed to get sainfo.
    Jul 10 17:17:53 fw-us1 racoon: ERROR: couldn't find configuration.
    Jul 10 17:17:55 fw-us1 racoon: alg_oakley_encdef_decrypt(3des klen=192 size=56): 0.000077
    Jul 10 17:17:55 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=36): 0.000055
    Jul 10 17:17:55 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=36): 0.000015
    Jul 10 17:17:55 fw-us1 racoon: alg_oakley_encdef_encrypt(3des klen=192 size=64): 0.000025
    Jul 10 17:18:04 fw-us1 racoon: alg_oakley_encdef_decrypt(3des klen=192 size=56): 0.000078
    Jul 10 17:18:04 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=36): 0.000054
    Jul 10 17:18:04 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=36): 0.000014
    Jul 10 17:18:04 fw-us1 racoon: alg_oakley_encdef_encrypt(3des klen=192 size=64): 0.000026

    racoon.conf is pretty simple:

    cat racoon.conf

    # This file is automatically generated. Do not edit

    listen {
            adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
    }
    path pre_shared_key "/var/etc/psk.txt";
    path certificate  "/var/etc";

    remote THEIRIP {
            exchange_mode main;
            my_identifier fqdn "xxx.gotdns.com";
            peers_identifier address THEIRIP;
            initial_contact on;
            dpd_delay 30;
            ike_frag on;
            support_proxy on;
            proposal_check obey;
            proposal {
                    encryption_algorithm 3des;
                    hash_algorithm sha1;
                    authentication_method pre_shared_key;
                    dh_group 2;
                    lifetime time 7200 secs;
            }
            lifetime time 7200 secs;
    }

    sainfo address 10.2.1.0/24 any address 10.4.1.0/24 any {
            encryption_algorithm 3des;
            authentication_algorithm hmac_sha1;
            compression_algorithm deflate;
            lifetime time 7200 secs;
    }

    Any thoughts?

    Thanks

    M
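    The racoon messages in the post above (ERROR "failed to get sainfo", ERROR "couldn't find configuration", WARNING "No ID match") each point at a specific configuration element, so a small triage script can read the log and say what to check. The following is an added example for this thread, not code from pfSense, SnapGear or racoon. SAMPLE_LOG is constructed from the excerpt above (MYIP and THEIRIP kept as the poster's placeholders), and the hint text states racoon's meaning for each message from the defender's side: which setting on the two ends to compare.

```python
"""Triage a racoon (IKEv1) log: track phase 1 / phase 2 state and explain the errors.

Added example for this thread; it is not pfSense, SnapGear or racoon code.
SAMPLE_LOG is constructed from the excerpt in the post above, with MYIP and
THEIRIP kept as the poster's placeholders.
"""
import re
from collections import Counter

# What each racoon message seen in the post means, and what to check for it.
HINTS = {
    "failed to get sainfo": "phase 2 request matched no sainfo block: compare the "
                            "local/remote subnets configured on both ends",
    "couldn't find configuration": "no remote block matched the peer: check the peer "
                                   "address and the identifiers on both ends",
    "No ID match": "the peer's ID payload differs from peers_identifier: compare "
                   "my_identifier/peers_identifier with the remote's endpoint IDs",
}

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) racoon: (?P<msg>.*)$")
LEVEL_RE = re.compile(r"^(?P<level>ERROR|WARNING|INFO): (?P<text>.*?)\.?$")
REPEAT_RE = re.compile(r"last message repeated (?P<n>\d+) times")
PHASE2_RE = re.compile(r"IPsec-SA established: ESP (?P<src>\S+)->(?P<dst>\S+) spi=(?P<spi>\d+)")

# Constructed from the post's log excerpt.
SAMPLE_LOG = """
Jul 10 17:16:52 fw-us1 racoon: ERROR: failed to get sainfo.
Jul 10 17:17:00 fw-us1 last message repeated 2 times
Jul 10 17:17:03 fw-us1 racoon: ERROR: couldn't find configuration.
Jul 10 17:17:07 fw-us1 racoon: INFO: IPsec-SA request for THEIRIP queued due to no phase1 found.
Jul 10 17:17:07 fw-us1 racoon: INFO: initiate new phase 1 negotiation: MYIP[500]<=>THEIRIP[500]
Jul 10 17:17:07 fw-us1 racoon: phase1(ident I msg1): 0.000535
Jul 10 17:17:07 fw-us1 racoon: WARNING: No ID match.
Jul 10 17:17:07 fw-us1 racoon: INFO: ISAKMP-SA established MYIP[500]-THEIRIP[500] spi:3eafad222046990e:79628bacf89f7cb8
Jul 10 17:17:09 fw-us1 racoon: INFO: IPsec-SA established: ESP THEIRIP[0]->MYIP[0] spi=134999550(0x80bedfe)
Jul 10 17:17:09 fw-us1 racoon: INFO: IPsec-SA established: ESP MYIP[500]->THEIRIP[500] spi=1064879293(0x3f78c4bd)
Jul 10 17:17:20 fw-us1 racoon: ERROR: failed to get sainfo.
""".strip().splitlines()


def triage(lines):
    """Walk the log once; return negotiation state, error/warning counts and hints."""
    state = {"phase1_up": False, "phase2_sas": [], "events": Counter(), "hints": []}
    last_key = None  # key of the previous counted message, for "repeated N times"
    for line in lines:
        rep = REPEAT_RE.search(line)
        if rep:
            if last_key is not None:
                state["events"][last_key] += int(rep.group("n"))
            continue
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        lvl = LEVEL_RE.match(m.group("msg"))
        if not lvl:            # timing lines such as "phase1(ident I msg1): 0.000535"
            last_key = None
            continue
        level, text = lvl.group("level"), lvl.group("text")
        if level == "INFO":
            last_key = None
            if text.startswith("ISAKMP-SA established"):
                state["phase1_up"] = True
            p2 = PHASE2_RE.search(text)
            if p2:
                state["phase2_sas"].append((p2.group("src"), p2.group("dst"), int(p2.group("spi"))))
            continue
        state["events"][text] += 1          # ERROR and WARNING lines are counted
        last_key = text
        if text in HINTS and HINTS[text] not in state["hints"]:
            state["hints"].append(HINTS[text])
    return state


def verdict(state):
    """One-line reading of the state, aimed at the 'up but no traffic' symptom."""
    if state["phase1_up"] and state["phase2_sas"] and state["events"]["failed to get sainfo"]:
        return ("SAs were established, yet later phase 2 requests matched no sainfo block: "
                "compare the protected subnets configured on the two ends")
    if not state["phase1_up"]:
        return "phase 1 never completed: check identifiers, pre-shared key and proposal"
    return "no selector errors seen"


if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    print("phase1 up:", s["phase1_up"], "| phase2 SAs:", len(s["phase2_sas"]))
    for text, n in s["events"].most_common():
        print(f"{n:3d}x {text}")
    for h in s["hints"]:
        print(" ->", h)
    print(verdict(s))
```

    Run it against a full `/var/log/ipsec.log` by replacing SAMPLE_LOG with the file's lines; the "repeated N times" handling matters because syslog collapses the repeated "failed to get sainfo" lines and the count is what shows the mismatch is persistent rather than a one-off during tunnel setup.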



  • I have the same issue with a VPN to a friend's site. It works like a champ when it's up, but when it's down it's a pain. He can ping my site from his site and it stays up, no issue.

    It may stay up a week or it may stay up two hours; it's just weird.

    We can't put a finger on why it happens.
    RC



  • I just set up 1.2.3RC1 with 3 IPsec tunnels to 3 SG300s running 3.2.2 firmware. Tunnels are running great; I did specify what subnet to route over what tunnel via the Rules section.

    Do you want me to post my settings for both pfSense and the SGs?



  • That would be great.
    rc



  • On the SG's:

    Click on Advanced for the IPsec Tunnel:

    Page 1:

    Keying: Main
    Local Address: Static IP Address
    Remote Address: dns hostname address
    Authentication: Pre-Shared Secret
    Uncheck Require Xauth Authentication

    Page 2:
    Check Initiate Tunnel Negotiation
    Optional Endpoint ID: Blank
    IP Payload Compression: Uncheck
    Dead Peer Detection: Checked
    Delay: 9
    Timeout: 30
    Initiate Phase 1 & 2 rekeying: Checked

    Page 3:
    Remote party DNS hostname: DNS address of remote pfSense box (okay to use dynamic DNS)
    Required Endpoint ID: email address

    Page 4:
    Key lifetime (sec) 3600
    Rekey margin (sec) 600
    Rekey fuzz (%) 100
    Preshared Secret: Your call on this
    Phase 1 Proposal: 3DES-SHA-DH Group 2 (1024)

    Page 5:
    Add your local and remote networks
    Key lifetime (sec) 3600
    Phase 2 Proposal: 3DES-SHA
    Perfect Forward Secrecy: Unchecked

    Click Finished.
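    The checklist above fixes the SnapGear side of the proposal (3DES-SHA-DH Group 2, no PFS, 3600 s lifetimes), and the first post's racoon.conf fixes the pfSense side, so the two can be compared mechanically. The following is an added example for this thread, not pfSense, SnapGear or racoon code: RACOON_CONF is a constructed copy of the remote/sainfo blocks posted earlier (THEIRIP kept as that poster's placeholder), SG_SETTINGS transcribes pages 4 and 5 above, and since the SnapGear local/remote networks were not posted, the two peer selector pairs tried at the end are constructed, one that matches the sainfo block and one that would make racoon log "failed to get sainfo".

```python
"""Check that both ends of the IKEv1 tunnel in this thread agree on proposals and selectors.

Added example, not pfSense, SnapGear or racoon code. RACOON_CONF is a constructed
copy of the posted racoon.conf's remote/sainfo blocks; SG_SETTINGS transcribes the
SnapGear checklist; the peer subnets tried in main are constructed.
"""
import ipaddress
import re

RACOON_CONF = """
remote THEIRIP {
        exchange_mode main;
        proposal_check obey;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
                lifetime time 7200 secs;
        }
        lifetime time 7200 secs;
}
sainfo address 10.2.1.0/24 any address 10.4.1.0/24 any {
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
        lifetime time 7200 secs;
}
"""

# SnapGear values as listed on pages 4 and 5 of the checklist above.
SG_SETTINGS = {
    "phase1_proposal": "3DES-SHA-DH Group 2 (1024)",
    "phase1_lifetime": 3600,
    "phase2_proposal": "3DES-SHA",
    "phase2_lifetime": 3600,
    "pfs": False,
}

ALG = {"3DES": "3des", "AES": "aes", "SHA": "sha1", "MD5": "md5"}  # SnapGear name -> racoon keyword
KV_RE = re.compile(r"(\w+)\s+([^;{}]+);")                            # "key value;" inside a block


def parse_racoon(text):
    """Pull the phase 1 proposal and every sainfo block (with its selectors) out of racoon.conf."""
    cfg = {"phase1": {}, "sainfo": []}
    prop = re.search(r"proposal\s*\{(.*?)\}", text, re.S)
    cfg["phase1"] = {k: v.strip() for k, v in KV_RE.findall(prop.group(1))}
    for local, remote, body in re.findall(
            r"sainfo address (\S+) \S+ address (\S+) \S+ \{(.*?)\}", text, re.S):
        block = {k: v.strip() for k, v in KV_RE.findall(body)}
        block["local"] = ipaddress.ip_network(local)
        block["remote"] = ipaddress.ip_network(remote)
        cfg["sainfo"].append(block)
    return cfg


def sainfo_for_peer(cfg, peer_local, peer_remote):
    """The sainfo block matching a peer that proposes these selectors, or None.
    The peer's local network is our remote and vice versa."""
    want_local, want_remote = ipaddress.ip_network(peer_remote), ipaddress.ip_network(peer_local)
    for block in cfg["sainfo"]:
        if block["local"] == want_local and block["remote"] == want_remote:
            return block
    return None


def seconds(lifetime):
    """'time 7200 secs' -> 7200."""
    return int(re.search(r"\d+", lifetime).group())


def compare(cfg, sg):
    """MISMATCH findings stop negotiation; NOTE findings are differences worth aligning."""
    out, p1 = [], cfg["phase1"]
    enc, hsh, dh = re.match(r"(\w+)-(\w+)-DH Group (\d+)", sg["phase1_proposal"]).groups()
    checks = [("phase 1 encryption", p1["encryption_algorithm"], ALG[enc]),
              ("phase 1 hash", p1["hash_algorithm"], ALG[hsh]),
              ("phase 1 DH group", p1["dh_group"], dh)]
    enc2, auth2 = sg["phase2_proposal"].split("-")
    for block in cfg["sainfo"]:
        tag = f"sainfo {block['local']}<->{block['remote']}"
        checks += [(f"{tag} encryption", block["encryption_algorithm"], ALG[enc2]),
                   (f"{tag} authentication", block["authentication_algorithm"], "hmac_" + ALG[auth2]),
                   (f"{tag} PFS", "pfs_group" in block, sg["pfs"])]
        if seconds(block["lifetime"]) != sg["phase2_lifetime"]:
            out.append(f"NOTE {tag} lifetime: racoon={seconds(block['lifetime'])}s snapgear={sg['phase2_lifetime']}s")
    out += [f"MISMATCH {name}: racoon={ours} snapgear={theirs}" for name, ours, theirs in checks if ours != theirs]
    if seconds(p1["lifetime"]) != sg["phase1_lifetime"]:
        # proposal_check obey (set in the posted config) makes racoon accept the
        # initiator's lifetime when it responds, so this is a note rather than a failure.
        out.append(f"NOTE phase 1 lifetime: racoon={seconds(p1['lifetime'])}s snapgear={sg['phase1_lifetime']}s")
    return out


if __name__ == "__main__":
    cfg = parse_racoon(RACOON_CONF)
    print("\n".join(compare(cfg, SG_SETTINGS)) or "no findings")
    for peer_local, peer_remote in (("10.4.1.0/24", "10.2.1.0/24"), ("10.4.0.0/16", "10.2.1.0/24")):
        hit = sainfo_for_peer(cfg, peer_local, peer_remote)
        print(f"peer {peer_local} -> {peer_remote}:", "matches sainfo" if hit else "no sainfo (racoon: failed to get sainfo)")
```

    Against the thread's own values the only findings are the two lifetime notes; the second constructed peer pair shows the kind of selector disagreement (a /16 on one end against a /24 on the other) that leaves phase 1 and phase 2 "up" while later phase 2 requests fail to find a sainfo block.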

