Netgate Discussion Forum

ipsec not finding peer config

4 Posts 2 Posters 416 Views
  • E
    enegineirie
    last edited by Dec 1, 2024, 6:34 PM

    Hi Guys,
    I have two pfSenses in distant locations and I want to establish an IPsec site-to-site VPN connection. I followed this documentation: https://docs.netgate.com/pfsense/en/latest/recipes/ipsec-s2s-psk.html

    PFSense A :
    WAN IP : 46.4.42.59
    LAN IP : 192.168.17.254 (network 192.168.17.248/29)

    PFSense B :
    WAN IP : 81.248.56.192
    LAN IP : 192.168.1.254 (network 192.168.1.0/24)

    Regarding IPsec, here is the config:
    PFSense A :
    Phase 1 :
    Remote Gateway : 81.248.56.192
    Phase 2 :
    Local Network : LAN Subnet
    Remote Network : 192.168.1.0/24

    PFSense B :
    Phase 1 :
    Remote Gateway : 46.4.42.59
    Phase 2 :
    Local Network : LAN Subnet
    Remote Network : 192.168.17.248/29

    Each time I try to connect Site A to Site B, the Site B logs say:

    Dec 1 14:09:19 iya charon[6193]: 07[NET] <11> received packet: from 46.4.42.59[500] to 192.168.1.254[500] (464 bytes)
    Dec 1 14:09:19 iya charon[6193]: 07[ENC] <11> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    Dec 1 14:09:19 iya charon[6193]: 07[CFG] <11> looking for an IKEv2 config for 192.168.1.254...46.4.42.59
    Dec 1 14:09:19 iya charon[6193]: 07[CFG] <11> candidate: 192.168.1.254...0.0.0.0/0, ::/0, prio 1048
    Dec 1 14:09:19 iya charon[6193]: 07[CFG] <11> candidate: 192.168.1.254...46.4.42.59, prio 3100
    Dec 1 14:09:19 iya charon[6193]: 07[CFG] <11> found matching ike config: 192.168.1.254...46.4.42.59 with prio 3100
    Dec 1 14:09:19 iya charon[6193]: 07[IKE] <11> local endpoint changed from 0.0.0.0[500] to 192.168.1.254[500]
    Dec 1 14:09:19 iya charon[6193]: 07[IKE] <11> remote endpoint changed from 0.0.0.0 to 46.4.42.59[500]
    Dec 1 14:09:19 iya charon[6193]: 07[IKE] <11> 46.4.42.59 is initiating an IKE_SA
    Dec 1 14:09:19 iya charon[6193]: 07[IKE] <11> IKE_SA (unnamed)[11] state change: CREATED => CONNECTING
    Dec 1 14:09:19 iya charon[6193]: 07[CFG] <11> selecting proposal:
    Dec 1 14:09:19 iya charon[6193]: 07[CFG] <11> proposal matches
    Dec 1 14:09:19 iya charon[6193]: 07[CFG] <11> received proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
    Dec 1 14:09:19 iya charon[6193]: 07[CFG] <11> configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
    Dec 1 14:09:19 iya charon[6193]: 07[CFG] <11> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
    Dec 1 14:09:19 iya charon[6193]: 07[CFG] <11> received supported signature hash algorithms: sha256 sha384 sha512 identity
    Dec 1 14:09:19 iya charon[6193]: 07[IKE] <11> local host is behind NAT, sending keep alives
    Dec 1 14:09:19 iya charon[6193]: 07[IKE] <11> remote host is behind NAT
    Dec 1 14:09:19 iya charon[6193]: 07[CFG] <11> sending supported signature hash algorithms: sha256 sha384 sha512 identity
    Dec 1 14:09:19 iya charon[6193]: 07[IKE] <11> sending cert request for "CN=GermanEngineCA, C=GF, ST=Guyane, L=Cayenne, O=EngineIrie, OU=Germany"
    Dec 1 14:09:19 iya charon[6193]: 07[ENC] <11> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
    Dec 1 14:09:19 iya charon[6193]: 07[NET] <11> sending packet: from 192.168.1.254[500] to 46.4.42.59[500] (497 bytes)
    Dec 1 14:09:19 iya charon[6193]: 07[NET] <11> received packet: from 46.4.42.59[4500] to 192.168.1.254[4500] (1236 bytes)
    Dec 1 14:09:19 iya charon[6193]: 07[ENC] <11> parsed IKE_AUTH request 1 [ EF(1/2) ]
    Dec 1 14:09:19 iya charon[6193]: 07[IKE] <11> local endpoint changed from 192.168.1.254[500] to 192.168.1.254[4500]
    Dec 1 14:09:19 iya charon[6193]: 07[IKE] <11> remote endpoint changed from 46.4.42.59[500] to 46.4.42.59[4500]
    Dec 1 14:09:19 iya charon[6193]: 07[ENC] <11> received fragment #1 of 2, waiting for complete IKE message
    Dec 1 14:09:19 iya charon[6193]: 06[NET] <11> received packet: from 46.4.42.59[4500] to 192.168.1.254[4500] (740 bytes)
    Dec 1 14:09:19 iya charon[6193]: 06[ENC] <11> parsed IKE_AUTH request 1 [ EF(2/2) ]
    Dec 1 14:09:19 iya charon[6193]: 06[ENC] <11> received fragment #2 of 2, reassembled fragmented IKE message (1904 bytes)
    Dec 1 14:09:19 iya charon[6193]: 06[ENC] <11> parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
    Dec 1 14:09:19 iya charon[6193]: 06[IKE] <11> received cert request for "CN=GermanEngineCA, C=GF, ST=Guyane, L=Cayenne, O=EngineIrie, OU=Germany"
    Dec 1 14:09:19 iya charon[6193]: 06[IKE] <11> received end entity cert "CN=engineirie.com, C=GF, ST=Guyane, L=Cayenne, O=EngineIrie, OU=Germany"
    Dec 1 14:09:19 iya charon[6193]: 06[CFG] <11> looking for peer configs matching 192.168.1.254[81.248.56.192]...46.4.42.59[46.4.42.59]
    Dec 1 14:09:19 iya charon[6193]: 06[CFG] <11> no matching peer config found
    Dec 1 14:09:19 iya charon[6193]: 06[IKE] <11> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
    Dec 1 14:09:19 iya charon[6193]: 06[ENC] <11> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    Dec 1 14:09:19 iya charon[6193]: 06[NET] <11> sending packet: from 192.168.1.254[4500] to 46.4.42.59[4500] (80 bytes)
    Dec 1 14:09:19 iya charon[6193]: 06[IKE] <11> IKE_SA (unnamed)[11] state change: CONNECTING => DESTROYING
    

    Could anybody explain/help me understand why no peer config is found, please?

      viragomann @enegineirie
      last edited by Dec 1, 2024, 10:20 PM

      @enegineirie
      State the respective local public IP as "My identifier" in phase 1 on either site.

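The failure in the question is visible in a single charon line: "looking for peer configs matching 192.168.1.254[81.248.56.192]...46.4.42.59[46.4.42.59]". The first bracket is the IDr the initiator addressed the responder as (the public IP), while the responder's own configured identity, when "My identifier" is left at "My IP Address", is the interface address the packet arrived on (192.168.1.254, as the log shows). The script below is an added example, not code from the thread or from pfSense/strongSwan: it parses that lookup line from constructed sample log lines modelled on the ones quoted above and checks the received IDr/IDi against a small model of the responder's identity settings. The `PeerConfig` class, the assumption that "My IP Address" resolves to 192.168.1.254 here, and the rule that a configured id of `%any` matches anything are the example's own.

```python
"""Triage a charon 'no matching peer config found' failure at IKE_AUTH.

Added example (not from the forum thread). It reads the
'looking for peer configs matching LOCAL[IDr]...REMOTE[IDi]' line and
compares the identities the initiator sent with the identities the
responder is configured with.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log, modelled on the charon lines quoted in the question.
SAMPLE_LOG = """\
Dec 1 14:09:19 iya charon[6193]: 06[CFG] <11> looking for peer configs matching 192.168.1.254[81.248.56.192]...46.4.42.59[46.4.42.59]
Dec 1 14:09:19 iya charon[6193]: 06[CFG] <11> no matching peer config found
Dec 1 14:09:19 iya charon[6193]: 06[ENC] <11> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

# LOCAL_ADDR[IDr]...REMOTE_ADDR[IDi] as printed by charon's CFG subsystem.
PEER_LOOKUP_RE = re.compile(
    r"looking for peer configs matching "
    r"(?P<local_addr>[^\[\s]+)\[(?P<idr>[^\]]+)\]\.\.\."
    r"(?P<remote_addr>[^\[\s]+)\[(?P<idi>[^\]]+)\]"
)


@dataclass
class PeerConfig:
    """Hypothetical model of one responder-side tunnel's identity settings."""
    name: str
    local_id: str   # what this side claims to be; "%any" accepts any IDr
    remote_id: str  # what the peer must claim to be; "%any" accepts any IDi


def parse_peer_lookup(log: str) -> Optional[Dict[str, str]]:
    """Return the addresses and identities from the peer-config lookup line."""
    for line in log.splitlines():
        m = PEER_LOOKUP_RE.search(line)
        if m:
            return m.groupdict()
    return None


def id_matches(configured: str, received: str) -> bool:
    """Assumed matching rule: exact string match, or the wildcard %any."""
    return configured == "%any" or configured == received


def diagnose(log: str, configs: List[PeerConfig]) -> Dict[str, object]:
    """Explain which identity prevents each config from matching the lookup."""
    lookup = parse_peer_lookup(log)
    if lookup is None:
        return {"status": "no-lookup"}
    problems = []
    for cfg in configs:
        local_ok = id_matches(cfg.local_id, lookup["idr"])
        remote_ok = id_matches(cfg.remote_id, lookup["idi"])
        if local_ok and remote_ok:
            return {"status": "match", "config": cfg.name, "lookup": lookup}
        if not local_ok:
            problems.append(
                f"{cfg.name}: configured local id {cfg.local_id!r} differs from "
                f"IDr {lookup['idr']!r} the peer addressed us as (check 'My identifier')"
            )
        if not remote_ok:
            problems.append(
                f"{cfg.name}: configured remote id {cfg.remote_id!r} differs from "
                f"IDi {lookup['idi']!r} the peer presented (check 'Peer identifier')"
            )
    return {"status": "no-match", "problems": problems, "lookup": lookup}


# Site B as first configured: "My identifier" = "My IP Address", which is
# assumed here to resolve to the interface address 192.168.1.254.
AS_CONFIGURED = [PeerConfig("siteA", local_id="192.168.1.254", remote_id="46.4.42.59")]
# Site B after the fix from the reply: local identifier stated explicitly.
AFTER_FIX = [PeerConfig("siteA", local_id="81.248.56.192", remote_id="46.4.42.59")]

if __name__ == "__main__":
    for label, cfgs in (("as configured", AS_CONFIGURED), ("after fix", AFTER_FIX)):
        print(label, "->", diagnose(SAMPLE_LOG, cfgs))
```

Run it against a copy of the IPsec log (Status > System Logs > IPsec) by replacing `SAMPLE_LOG`; the `problems` list tells you whether it is the local or the peer identifier that does not line up, which is the same question the reply above answers for this thread.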
        enegineirie @viragomann
        last edited by Dec 2, 2024, 12:43 PM

        @viragomann said in ipsec not finding peer config:

        State the respective local public IP as "My identifier" in phase 1 on either site.

        You are right, it fixed it.
        It was set to "My IP Address" and not explicitly as an IP Address.
        Thank you for this advice.

          enegineirie @viragomann
          last edited by Dec 2, 2024, 12:55 PM

          @viragomann thank you very much, it now works.

          It was set as "My IP Address", but it seems that it doesn't work when it is not explicitly set.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.