Netgate Discussion Forum
    IPSEC VPN problems to Snapgear Firewall

      madas

      I'm having some VPN problems creating an IPsec VPN between my pfSense 1.2.3 and a Snapgear firewall. I just removed my old Snapgear, which was working fine with the VPN.

      Both ends say the VPN is up, but no IP traffic flows. I added rules that allow everything through the IPsec interface. I see some errors on the pfSense side. The initial "no phase1 found" was just before I enabled the tunnel.

      Jul 10 17:16:52 fw-us1 racoon: ERROR: failed to get sainfo.
      Jul 10 17:17:00 fw-us1 last message repeated 2 times
      Jul 10 17:17:03 fw-us1 racoon: ERROR: couldn't find configuration.
      Jul 10 17:17:03 fw-us1 racoon: INFO: unsupported PF_KEY message REGISTER
      Jul 10 17:17:04 fw-us1 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=14)
      Jul 10 17:17:04 fw-us1 racoon: INFO: 127.0.0.1[500] used for NAT-T
      Jul 10 17:17:04 fw-us1 racoon: INFO: 10.2.1.1[500] used as isakmp port (fd=15)
      Jul 10 17:17:04 fw-us1 racoon: INFO: 10.2.1.1[500] used for NAT-T
      Jul 10 17:17:04 fw-us1 racoon: INFO: MYIP[500] used as isakmp port (fd=16)
      Jul 10 17:17:04 fw-us1 racoon: INFO: MYIP[500] used for NAT-T
      Jul 10 17:17:07 fw-us1 racoon: INFO: IPsec-SA request for THEIRIP queued due to no phase1 found.
      Jul 10 17:17:07 fw-us1 racoon: INFO: initiate new phase 1 negotiation: MYIP[500]<=>THEIRIP[500]
      Jul 10 17:17:07 fw-us1 racoon: INFO: begin Identity Protection mode.
      Jul 10 17:17:07 fw-us1 racoon: phase1(ident I msg1): 0.000535
      Jul 10 17:17:07 fw-us1 racoon: INFO: received Vendor ID: DPD
      Jul 10 17:17:07 fw-us1 racoon: oakley_dh_generate(MODP1024): 0.018665
      Jul 10 17:17:07 fw-us1 racoon: phase1(ident I msg2): 0.019175
      Jul 10 17:17:07 fw-us1 racoon: oakley_dh_compute(MODP1024): 0.018220
      Jul 10 17:17:07 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=32): 0.000077
      Jul 10 17:17:07 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=145): 0.000017
      Jul 10 17:17:07 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=165): 0.000016
      Jul 10 17:17:07 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=165): 0.000016
      Jul 10 17:17:07 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=1): 0.000014
      Jul 10 17:17:07 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=20): 0.000015
      Jul 10 17:17:07 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=340): 0.000019
      Jul 10 17:17:07 fw-us1 racoon: alg_oakley_encdef_encrypt(3des klen=192 size=56): 0.000058
      Jul 10 17:17:07 fw-us1 racoon: phase1(ident I msg3): 0.019792
      Jul 10 17:17:07 fw-us1 racoon: alg_oakley_encdef_decrypt(3des klen=192 size=40): 0.000064
      Jul 10 17:17:07 fw-us1 racoon: WARNING: No ID match.
      Jul 10 17:17:07 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=328): 0.000075
      Jul 10 17:17:07 fw-us1 racoon: oakley_validate_auth(pre-shared key): 0.000118
      Jul 10 17:17:07 fw-us1 racoon: phase1(ident R msg3): 0.000333
      Jul 10 17:17:07 fw-us1 racoon: phase1(Identity Protection): 0.720964
      Jul 10 17:17:07 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=32): 0.000015
      Jul 10 17:17:07 fw-us1 racoon: alg_oakley_encdef_encrypt(3des klen=192 size=56): 0.000027
      Jul 10 17:17:07 fw-us1 racoon: INFO: ISAKMP-SA established MYIP[500]-THEIRIP[500] spi:3eafad222046990e:79628bacf89f7cb8
      Jul 10 17:17:08 fw-us1 racoon: INFO: initiate new phase 2 negotiation: MYIP[500]<=>THEIRIP[500]
      Jul 10 17:17:08 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=104): 0.000037
      Jul 10 17:17:08 fw-us1 racoon: alg_oakley_encdef_encrypt(3des klen=192 size=128): 0.000073
      Jul 10 17:17:08 fw-us1 racoon: phase2(quick I msg1): 0.000950
      Jul 10 17:17:09 fw-us1 racoon: alg_oakley_encdef_decrypt(3des klen=192 size=128): 0.000083
      Jul 10 17:17:09 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=120): 0.000072
      Jul 10 17:17:09 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=37): 0.000016
      Jul 10 17:17:09 fw-us1 racoon: alg_oakley_encdef_encrypt(3des klen=192 size=32): 0.000026
      Jul 10 17:17:09 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=37): 0.000053
      Jul 10 17:17:09 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=57): 0.000016
      Jul 10 17:17:09 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=57): 0.000016
      Jul 10 17:17:09 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=57): 0.000015
      Jul 10 17:17:09 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=37): 0.000015
      Jul 10 17:17:09 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=57): 0.000015
      Jul 10 17:17:09 fw-us1 last message repeated 2 times
      Jul 10 17:17:09 fw-us1 racoon: phase2(quick I msg2): 0.001640
      Jul 10 17:17:09 fw-us1 racoon: INFO: IPsec-SA established: ESP THEIRIP[0]->MYIP[0] spi=134999550(0x80bedfe)
      Jul 10 17:17:09 fw-us1 racoon: phase2(quick): 0.100193
      Jul 10 17:17:09 fw-us1 racoon: INFO: IPsec-SA established: ESP MYIP[500]->THEIRIP[500] spi=1064879293(0x3f78c4bd)
      Jul 10 17:17:18 fw-us1 racoon: alg_oakley_encdef_decrypt(3des klen=192 size=56): 0.000075
      Jul 10 17:17:18 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=36): 0.000053
      Jul 10 17:17:18 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=36): 0.000014
      Jul 10 17:17:18 fw-us1 racoon: alg_oakley_encdef_encrypt(3des klen=192 size=64): 0.000037
      Jul 10 17:17:20 fw-us1 racoon: ERROR: failed to get sainfo.
      Jul 10 17:17:25 fw-us1 racoon: ERROR: failed to get sainfo.
      Jul 10 17:17:27 fw-us1 racoon: alg_oakley_encdef_decrypt(3des klen=192 size=56): 0.000076
      Jul 10 17:17:27 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=36): 0.000055
      Jul 10 17:17:27 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=36): 0.000013
      Jul 10 17:17:27 fw-us1 racoon: alg_oakley_encdef_encrypt(3des klen=192 size=64): 0.000050
      Jul 10 17:17:36 fw-us1 racoon: alg_oakley_encdef_decrypt(3des klen=192 size=56): 0.000080
      Jul 10 17:17:36 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=36): 0.000056
      Jul 10 17:17:36 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=36): 0.000014
      Jul 10 17:17:36 fw-us1 racoon: alg_oakley_encdef_encrypt(3des klen=192 size=64): 0.000026
      Jul 10 17:17:37 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=36): 0.000047
      Jul 10 17:17:37 fw-us1 racoon: alg_oakley_encdef_encrypt(3des klen=192 size=64): 0.000065
      Jul 10 17:17:37 fw-us1 racoon: alg_oakley_encdef_decrypt(3des klen=192 size=56): 0.000054
      Jul 10 17:17:37 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=36): 0.000044
      Jul 10 17:17:43 fw-us1 racoon: ERROR: couldn't find configuration.
      Jul 10 17:17:46 fw-us1 racoon: alg_oakley_encdef_decrypt(3des klen=192 size=56): 0.000077
      Jul 10 17:17:46 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=36): 0.000055
      Jul 10 17:17:46 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=36): 0.000014
      Jul 10 17:17:46 fw-us1 racoon: alg_oakley_encdef_encrypt(3des klen=192 size=64): 0.000025
      Jul 10 17:17:48 fw-us1 racoon: ERROR: failed to get sainfo.
      Jul 10 17:17:53 fw-us1 racoon: ERROR: couldn't find configuration.
      Jul 10 17:17:55 fw-us1 racoon: alg_oakley_encdef_decrypt(3des klen=192 size=56): 0.000077
      Jul 10 17:17:55 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=36): 0.000055
      Jul 10 17:17:55 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=36): 0.000015
      Jul 10 17:17:55 fw-us1 racoon: alg_oakley_encdef_encrypt(3des klen=192 size=64): 0.000025
      Jul 10 17:18:04 fw-us1 racoon: alg_oakley_encdef_decrypt(3des klen=192 size=56): 0.000078
      Jul 10 17:18:04 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=36): 0.000054
      Jul 10 17:18:04 fw-us1 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=36): 0.000014
      Jul 10 17:18:04 fw-us1 racoon: alg_oakley_encdef_encrypt(3des klen=192 size=64): 0.000026

      racoon.conf is pretty simple:

      cat racoon.conf

      # This file is automatically generated. Do not edit

      listen {
             adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
      }
      path pre_shared_key "/var/etc/psk.txt";
      path certificate  "/var/etc";

      remote THEIRIP {
             exchange_mode main;
             my_identifier fqdn "xxx.gotdns.com";
             peers_identifier address THEIRIP;
             initial_contact on;
             dpd_delay 30;
             ike_frag on;
             support_proxy on;
             proposal_check obey;
             proposal {
                     encryption_algorithm 3des;
                     hash_algorithm sha1;
                     authentication_method pre_shared_key;
                     dh_group 2;
                     lifetime time 7200 secs;
             }
             lifetime time 7200 secs;
      }

      sainfo address 10.2.1.0/24 any address 10.4.1.0/24 any {
             encryption_algorithm 3des;
             authentication_algorithm hmac_sha1;
             compression_algorithm deflate;
             lifetime time 7200 secs;
      }

      Any thoughts?

      Thanks

      M

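      A small triage script for racoon logs like the one above, added here as an example and not taken from the thread or from pfSense. The sample lines are constructed from the quoted log, and the meaning attached to each error is my reading of the lookup racoon performs before logging it, not something the post establishes.

```python
import re
from collections import Counter

# Constructed sample modelled on the racoon lines quoted in the post above.
SAMPLE_LOG = """\
Jul 10 17:16:52 fw-us1 racoon: ERROR: failed to get sainfo.
Jul 10 17:17:00 fw-us1 last message repeated 2 times
Jul 10 17:17:07 fw-us1 racoon: WARNING: No ID match.
Jul 10 17:17:07 fw-us1 racoon: INFO: ISAKMP-SA established MYIP[500]-THEIRIP[500] spi:3eafad222046990e:79628bacf89f7cb8
Jul 10 17:17:09 fw-us1 racoon: INFO: IPsec-SA established: ESP THEIRIP[0]->MYIP[0] spi=134999550(0x80bedfe)
Jul 10 17:17:43 fw-us1 racoon: ERROR: couldn't find configuration.
"""
LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ racoon: (?P<msg>.*)$")
ESP_RE = re.compile(r"ESP (?P<src>\S+)->(?P<dst>\S+) spi=(?P<spi>\d+)")
REPEAT_RE = re.compile(r" last message repeated (?P<n>\d+) times$")
HINTS = {  # my reading of the lookup racoon does just before each message
    "failed to get sainfo.": "peer's phase 2 selectors match no sainfo block",
    "couldn't find configuration.": "an inbound phase 1 request matched no remote block",
    "No ID match.": "peer's phase 1 ID differs from peers_identifier",
}

def triage(log_text):
    # Count phase 1/2 outcomes and ERROR/WARNING lines, expanding syslog's "repeated N times".
    s = {"phase1_up": False, "esp_sas": [], "problems": Counter()}
    last = None
    for line in log_text.splitlines():
        if (rep := REPEAT_RE.search(line)) and last:
            s["problems"][last] += int(rep["n"])
            continue
        if not (m := LINE_RE.match(line)):
            continue
        msg, last = m["msg"], None
        if msg.startswith("INFO: ISAKMP-SA established"):
            s["phase1_up"] = True
        elif "IPsec-SA established: ESP" in msg:
            e = ESP_RE.search(msg)
            s["esp_sas"].append((e["src"], e["dst"], int(e["spi"])))
        elif msg.startswith(("ERROR: ", "WARNING: ")):
            last = msg.split(": ", 1)[1]
            s["problems"][last] += 1
    return s

def verdict(s):
    if not s["phase1_up"]:
        return "phase 1 never completed: check PSK, phase 1 proposal and identifiers"
    hints = [HINTS.get(k, k) for k in s["problems"]]
    if not hints:
        return "IKE negotiated cleanly: look at firewall rules and routing instead"
    return "SAs established but requests were rejected: " + "; ".join(hints)
```

      Run over the quoted log, it separates the one-off startup errors from the ones that keep recurring after both SAs are up, which is where the answer to "up but no traffic" usually lies.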
        fastcon68

        I have the same issue with a VPN to a friend's site. It works like a champ when it's up, but when it's down it's a pain. He can ping my site from his site and it stays up, no issue.

        It may stay up a week or it may stay up two hours; it's just weird.

        We can't put a finger on why it happens.
        RC

          rugby

          I just set up 1.2.3RC1 with 3 IPsec tunnels to 3 SG300s running 3.2.2 firmware. Tunnels are running great; I did specify what subnet to route over what tunnel via the Rules section.

          Do you want me to post my settings for both PFSense and the SG's?

            fastcon68

            that would be great
            rc

              rugby

              On the SG's:

              Click on Advanced for the IPSec Tunnel:

              Page 1:

              Keying: Main
              Local Address: Static IP Address
              Remote Address: dns hostname address
              Authentication: Pre-Shared Secret
              Uncheck Require Xauth Authentication

              Page 2:
              Check Initiate Tunnel Negotiation
              Optional Endpoint ID: Blank
              IP Payload Compression: Uncheck
              Dead Peer Detection: Checked
              Delay: 9
              Timeout: 30
              Initiate Phase 1 & 2 rekeying: Checked

              Page 3:
              Remote party DNS hostname: DNS address of remote PFSense box (okay to use dynamic DNS)
              Required Endpoint ID: email address

              Page 4:
              Key lifetime (sec) 3600
              Rekey margin (sec) 600
              Rekey fuzz (%) 100
              Preshared Secret: Your call on this
              Phase 1 Proposal: 3DES-SHA-DH Group 2 (1024)

              Page 5:
              Add your local and remote networks
              Key lifetime (sec) 3600
              Phase 2 Proposal: 3DES-SHA
              Perfect Forward Secrecy: Unchecked

              Click Finished.

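              To reconcile rugby's SG settings with the racoon.conf from the first post, here is an added example (not from the thread or from either vendor) that parses the relevant racoon.conf blocks and lists every setting that differs. Mapping the SG labels onto racoon keys, including reading an e-mail style endpoint ID as racoon's user_fqdn type, is my assumption.

```python
import re
# Condensed from the racoon.conf in the first post (values unchanged; THEIRIP is the poster's placeholder).
RACOON_CONF = """\
remote THEIRIP {
  exchange_mode main; my_identifier fqdn "xxx.gotdns.com";
  proposal {
    encryption_algorithm 3des; hash_algorithm sha1; dh_group 2;
    lifetime time 7200 secs;
  }
}
sainfo address 10.2.1.0/24 any address 10.4.1.0/24 any {
  encryption_algorithm 3des; authentication_algorithm hmac_sha1;
  compression_algorithm deflate; lifetime time 7200 secs;
}
"""
# rugby's SG walkthrough, mapped by me onto racoon.conf keys (e-mail style ID = user_fqdn).
SG_SETTINGS = {
    "remote": {"my_identifier": "user_fqdn"},
    "remote/proposal": {"encryption_algorithm": "3des", "hash_algorithm": "sha1",
                        "dh_group": "2", "lifetime": "3600"},
    "sainfo": {"encryption_algorithm": "3des", "authentication_algorithm": "hmac_sha1",
               "compression_algorithm": "off", "pfs_group": "off", "lifetime": "3600"},
}

def parse_racoon(text):
    # Minimal reader: {"remote": {...}, "remote/proposal": {...}, "sainfo": {...}}.
    blocks, stack, buf = {}, [], ""
    for tok in re.findall(r"[;{}]|[^;{}]+", text):
        if tok == "{":                      # block header, keyed by its first word
            stack.append(buf.split()[0])
            blocks["/".join(stack)] = {}
        elif tok == ";" and buf:
            key, *val = buf.split()
            blocks["/".join(stack)][key] = val[1] if key == "lifetime" else " ".join(val)
        elif tok == "}":
            stack.pop()
        else:
            buf = tok.strip()
    return blocks

def compare(conf_text, expected=SG_SETTINGS):
    # (block, key, racoon value, SG value) for each difference; absent pfs/compression == "off".
    conf = parse_racoon(conf_text)
    diffs = []
    for path, wanted in expected.items():
        for key, sg_val in wanted.items():
            have = conf.get(path, {}).get(key, "off").split()[0]
            if have != sg_val:
                diffs.append((path, key, have, sg_val))
    return diffs
```

              The differences it reports (ID type, lifetimes, IPComp) are things to reconcile between the two ends, not proof of which one is breaking the tunnel.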
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.