Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    My Identifier being ignored by Racoon - IPSec fails Phase 1

    IPsec
    3
    3
    9.8k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • B
      BenKenobe
      last edited by

      I have a block of 8 IP addresses, I have one specific 'public IP' over which I am trying to link via IPSec to a remote site (not mine).

      The vendor at the other site has configured this specific public IP address 1.2.3.4 as his remote endpoint.

      for example

      My Settings
      Local IP : 1.2.3.4 (well it isn't but just for example)
      Remote IP : 2.3.4.5

      Remote Site Settings
      Local IP : 2.3.4.5
      Remote IP : 1.2.3.4

      Does that make sense?

      I have configured the 'My Identifier' section of the IPSec phase 1 configuration to be IP Address (NOT My IP Address) and entered 1.2.3.4 in the box to its right.

      My DSL modem connects to the ISP and uses the public facing address of 5.6.7.8

      The problem - my IPSec is failing Phase 1 with the error

      INFO: IPsec-SA request for 2.3.4.5 queued due to no phase1 found.

      but the log shows that it is using 5.6.7.8 as my identifier as shown by the error

      racoon: [Self]: INFO: 5.6.7.8[500] used as isakmp port (fd=14)

      this is wrong, this is NOT what I need - does the My Identifier IP address option work?

      am I going nuts or should I be seeing racoon: [Self]: INFO: 1.2.3.4[500] used as isakmp port (fd=14) as part of the phase 1 negotiation and in accordance with the My Identifier setting.

      Can anyone point me in the right direction please.

      Addendum

      I can now confirm that this IS a problem in pFsense. I spent 4 hours playing (I had a Cisco man monitoring the foreign system) we confirmed 100% that pFsense never presents the correct identifier during phase 1 negotiation. There seems to be no way to get pFsense to present the IP address specified in the phase 1 setup 'My identifier' section - it ALWAYS presents 'My IP Address' (in my case the IP used by my DSL modem / WAN) the racoon.conf file is correct and points so my feeling is that this piece of code is broken.

      The proof that this setting is the problem - When we configured the foreign system to expect my 'DSL Modem/WAN' IP the IPSEC works fine and the tunnel was up straight away.

      1 Reply Last reply Reply Quote 0
      • B
        bwlang
        last edited by

        I don't think this is a problem with the identifier setting…
        I think it's a problem of racoon using the first IP address, and there being no way to switch that to a virtual IP address.

        I think you never get to the "identifier" bit, because the remote side is using the source address to decide which tunnel to work with - the identifier bit comes in later.

        1 Reply Last reply Reply Quote 0
        • C
          crazyfinx
          last edited by

          I have a similar problem, but in my case I have two wan connections each with its own WAN IP going back to the same remote site, configured with two different tunnels. I setup FQDN's as the identifiers but with no results. I can establish the the first Tunnel without a problem, but the second tunnel always fails phase 2 because phase 1 is incorrect. Oddly enough if I enable the second tunnel first then start the first tunnel and everything is great until the timetolive expires then I have the same problem.

          For Example

          Tunnel 1
          Local IP : 1.1.1.1
          Remote IP : 2.3.4.5

          Tunnel 2
          Local IP : 2.2.2.2
          Remote IP : 2.3.4.5

          Remote Site Settings
          Local IP : 2.3.4.5
          Remote IP 1: 1.1.1.1
          Remote IP 2: 2.2.2.2

          I get this for tunnel 1 and it works

          racoon: [Tunnel 1]: INFO: initiate new phase 1 negotiation: 1.1.1.1[500]<=>2.3.4.5[500]

          then tunnel 2 initiates and I get this, which never establishes unless I enabled it first.

          racoon: [Tunnel 1]: INFO: initiate new phase 1 negotiation: 2.2.2.2[500]<=>2.3.4.5[500]
          racoon: [Tunnel 1]: INFO: IPsec-SA request for 2.3.4.5 queued due to no phase1 found.
          racoon: ERROR: none message must be encrypted
          racoon: ERROR: phase1 negotiation failed due to time up. 750d4b65cf70f0f1:07e5cb35030fb0fd
          racoon: INFO: delete phase 2 handler.
          racoon: [Tunnel 1]: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 2.3.4.5[0]->2.2.2.2[0]
          racoon: ERROR: ignore information because ISAKMP-SAhas not been established yet.
          racoon: [Tunnel 1]: NOTIFY: the packet is retransmitted by 2.3.4.5[500] (1).
          racoon: [Tunnel 1]: WARNING: the packet retransmitted in a short time from 2.3.4.5[500]
          racoon: [Tunnel 1]: NOTIFY: the packet is retransmitted by 2.3.4.5[500] (1).
          racoon: [Tunnel 1]: WARNING: the packet retransmitted in a short time from 2.3.4.5[500]
          racoon: [Tunnel 1]: NOTIFY: the packet is retransmitted by 2.3.4.5[500] (1).

          Shouldn't I receive this?

          racoon: [Tunnel 2]: INFO: initiate new phase 1 negotiation: 2.2.2.2[500]<=>2.3.4.5[500]

          Have you been able to find a fix for this, or I am doing something wrong here?

          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.