Netgate Discussion Forum
Site-to-Site IPsec Configuration: Authentication with External IP Setup with Errors

IPsec
3 Posts 3 Posters 408 Views
  • Bot
    last edited by Oct 14, 2023, 6:18 PM

    I'm trying to set up a site-to-site connection using IPsec, but I'm facing authentication issues. The first time I did it, I created a test lab as follows:

    Site A:
    WAN: 192.168.15.5
    LAN: 192.168.1.0/24

    Site B:
    WAN: 192.168.15.6
    LAN: 192.168.2.0/24

    The connection was established successfully in this setup, with a LAN-to-LAN site-to-site configuration for testing. However, in practice, I want to create a connection that uses an external IP address provided by the ISP. When I configure it this way, it results in an error, and I'm not sure what might be causing it. If anyone can help me, here is the log.

    In case there are any questions, the pre-shared key is correct, and the IPsec rule is set up. I've opened and redirected ports 500 and 4500 to the firewall, but it still doesn't connect.

    Oct 14 14:49:46 charon 61102 12[IKE] <con1|1> IKE_SA con1[1] state change: CREATED => CONNECTING
    Oct 14 14:49:46 charon 61102 12[CFG] <con1|1> configured proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/MODP_2048
    Oct 14 14:49:46 charon 61102 12[CFG] <con1|1> sending supported signature hash algorithms: sha256 sha384 sha512 identity
    Oct 14 14:49:46 charon 61102 12[ENC] <con1|1> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    Oct 14 14:49:46 charon 61102 12[NET] <con1|1> sending packet: from 192.168.15.2[500] to xxx.xx.xx.236[500] (456 bytes)
    Oct 14 14:49:46 charon 61102 12[NET] <con1|1> received packet: from xxx.xx.xx.236[500] to 192.168.15.2[500] (464 bytes)
    Oct 14 14:49:46 charon 61102 12[ENC] <con1|1> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
    Oct 14 14:49:46 charon 61102 12[IKE] <con1|1> received FRAGMENTATION_SUPPORTED notify
    Oct 14 14:49:46 charon 61102 12[IKE] <con1|1> received SIGNATURE_HASH_ALGORITHMS notify
    Oct 14 14:49:46 charon 61102 12[IKE] <con1|1> received CHILDLESS_IKEV2_SUPPORTED notify
    Oct 14 14:49:46 charon 61102 12[CFG] <con1|1> selecting proposal:
    Oct 14 14:49:46 charon 61102 12[CFG] <con1|1> proposal matches
    Oct 14 14:49:46 charon 61102 12[CFG] <con1|1> received proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/MODP_2048
    Oct 14 14:49:46 charon 61102 12[CFG] <con1|1> configured proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/MODP_2048
    Oct 14 14:49:46 charon 61102 12[CFG] <con1|1> selected proposal: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/MODP_2048
    Oct 14 14:49:46 charon 61102 12[CFG] <con1|1> received supported signature hash algorithms: sha256 sha384 sha512 identity
    Oct 14 14:49:46 charon 61102 12[IKE] <con1|1> local host is behind NAT, sending keep alives
    Oct 14 14:49:46 charon 61102 12[IKE] <con1|1> remote host is behind NAT
    Oct 14 14:49:46 charon 61102 12[IKE] <con1|1> reinitiating already active tasks
    Oct 14 14:49:46 charon 61102 12[IKE] <con1|1> IKE_CERT_PRE task
    Oct 14 14:49:46 charon 61102 12[IKE] <con1|1> IKE_AUTH task
    Oct 14 14:49:46 charon 61102 12[IKE] <con1|1> authentication of '192.168.15.2' (myself) with pre-shared key
    Oct 14 14:49:46 charon 61102 12[IKE] <con1|1> successfully created shared key MAC
    Oct 14 14:49:46 charon 61102 12[ENC] <con1|1> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
    Oct 14 14:49:46 charon 61102 12[NET] <con1|1> sending packet: from 192.168.15.2[4500] to xxx.xx.xx.236[4500] (153 bytes)
    Oct 14 14:49:46 charon 61102 12[NET] <con1|1> received packet: from xxx.xxx.xxx.236[4500] to 192.168.15.2[4500] (65 bytes)
    Oct 14 14:49:46 charon 61102 12[ENC] <con1|1> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    Oct 14 14:49:46 charon 61102 12[IKE] <con1|1> received AUTHENTICATION_FAILED notify error
    Oct 14 14:49:46 charon 61102 12[IKE] <con1|1> IKE_SA con1[1] state change: CONNECTING => DESTROYING
    Oct 14 14:49:46 charon 61102 09[CFG] vici client 6 disconnected
    Oct 14 14:49:50 charon 61102 12[CFG] vici client 7 connected
    Oct 14 14:49:50 charon 61102 09[CFG] vici client 7 registered for: list-sa
    Oct 14 14:49:50 charon 61102 09[CFG] vici client 7 requests: list-sas
    Oct 14 14:49:50 charon 61102 13[CFG] vici client 7 disconnected
    Oct 14 14:49:55 charon 61102 13[CFG] vici client 8 connected
    Oct 14 14:49:55 charon 61102 05[CFG] vici client 8 registered for: list-sa
    Oct 14 14:49:55 charon 61102 13[CFG] vici client 8 requests: list-sas
    Oct 14 14:49:55 charon 61102 05[CFG] vici client 8 disconnected

    If anyone has any ideas, I've been trying to resolve this for several days now. I'm a beginner in pfSense, so I may be making some basic mistakes.

    • viragomann @Bot
      last edited by Oct 14, 2023, 6:42 PM

      @Bot
      According to this log, the remote site refuses the authentication. So maybe you get better information on what's wrong from the other site's log.

      • planedrop
        last edited by Oct 16, 2023, 2:18 AM

        Are both devices here pfSense?

        I've had a similar issue before where I was using the peer identifier as its IP address on an IPsec VPN, and for some reason it would just not authenticate. Manually specifying the same IP that was being used automatically ended up fixing the issue. It was a very odd bug (I would assume; I'm quite experienced with IPsec) from a while back. I ended up rebuilding the VPN recently but went back to using the peer IP and it authed totally fine.

        Are you on the latest pfSense?

        Here is my original post about this from a while ago. It may not be the exact thing you are facing, but it sounded similar. I never did get any replies to it (though I haven't encountered it again yet, so I'm not too worried about it unless yours ends up being the same issue).

        https://forum.netgate.com/topic/176502/had-to-manually-specify-identifier-ip-address-no-nat-involved-bug
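Worked example, added here and not written by any of the posters: a small Python parser that reads charon lines in the format quoted in the first post and reports how far the IKEv2 exchange got and why it stopped, combining the two hints above (the responder is the side that rejected IKE_AUTH, and the local identity an initiator behind NAT presents is its private WAN address). The excerpt it runs on is a constructed subset of the posted log, with the peer's public address masked exactly as in the post.

```python
import re

# Constructed sample: a subset of the charon lines quoted in the first post.
SAMPLE_LOG = """\
Oct 14 14:49:46 charon 61102 12[IKE] <con1|1> IKE_SA con1[1] state change: CREATED => CONNECTING
Oct 14 14:49:46 charon 61102 12[NET] <con1|1> received packet: from xxx.xx.xx.236[500] to 192.168.15.2[500] (464 bytes)
Oct 14 14:49:46 charon 61102 12[ENC] <con1|1> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Oct 14 14:49:46 charon 61102 12[IKE] <con1|1> local host is behind NAT, sending keep alives
Oct 14 14:49:46 charon 61102 12[IKE] <con1|1> remote host is behind NAT
Oct 14 14:49:46 charon 61102 12[IKE] <con1|1> authentication of '192.168.15.2' (myself) with pre-shared key
Oct 14 14:49:46 charon 61102 12[ENC] <con1|1> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Oct 14 14:49:46 charon 61102 12[IKE] <con1|1> received AUTHENTICATION_FAILED notify error
Oct 14 14:49:46 charon 61102 12[IKE] <con1|1> IKE_SA con1[1] state change: CONNECTING => DESTROYING
"""

# RFC 1918 ranges; used to spot an initiator identifying itself by a NATed address.
PRIVATE = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")


def analyse_ike(log: str) -> dict:
    """Summarise an IKEv2 initiator's charon log: phase reached and likely cause of failure."""
    f = {"init_ok": False, "local_nat": False, "remote_nat": False,
         "local_id": None, "auth_method": None, "auth_failed": False, "diagnosis": []}
    for line in log.splitlines():
        if "parsed IKE_SA_INIT response" in line:
            f["init_ok"] = True          # proposal/DH phase completed, UDP 500 reachable
        elif "local host is behind NAT" in line:
            f["local_nat"] = True
        elif "remote host is behind NAT" in line:
            f["remote_nat"] = True
        elif (m := re.search(r"authentication of '([^']+)' \(myself\) with (.+)$", line)):
            f["local_id"], f["auth_method"] = m.group(1), m.group(2)
        elif "AUTHENTICATION_FAILED" in line or "N(AUTH_FAILED)" in line:
            f["auth_failed"] = True      # the responder, not this side, rejected IKE_AUTH
    d = f["diagnosis"]                   # heuristics, not strongSwan's own verdict
    if f["init_ok"] and f["auth_failed"]:
        d.append("IKE_SA_INIT succeeded and an IKE_AUTH reply arrived on 4500, so proposals and "
                 "ports are fine; the responder rejected IKE_AUTH and its own log says why")
        if f["local_id"] and f["local_nat"] and PRIVATE.match(f["local_id"]):
            d.append(f"local IKE identity {f['local_id']} is a private address behind NAT; the "
                     "responder's peer identifier must match this exact value, or set it explicitly")
        if f["auth_method"] == "pre-shared key":
            d.append("PSK auth: a PSK mismatch produces the same AUTH_FAILED, so confirm the key "
                     "is bound to the right identifiers on both ends")
    return f
```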

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.