Help with IPSEC VPN tunnel issue!



  • I am in urgent need of advice on why my pfSense IPSEC VPN tunnel is not working.  The remote end is an IPCop firewall, the other end is a pfSense 2 BETA snapshot dated 10 June.  I tested this before on another pfSense box to the same IPCop server, using exactly the same settings, and it worked just fine.  However, on this pfSense box the only difference is that I am not using DHCP for my WAN interface but a static configuration for DSL, with a static GW. This is my log:

    
    Jun 15 11:28:33	racoon: [Saskatoon VPN Tunnel]: INFO: ISAKMP-SA expired <localip>[500]-<remoteip>[500] spi:87430816108d2467:04b5777e921a8d59
    Jun 15 11:28:34	racoon: [Saskatoon VPN Tunnel]: INFO: respond new phase 1 negotiation: <localip>[500]<=><remoteip>[500]
    Jun 15 11:28:34	racoon: INFO: begin Identity Protection mode.
    Jun 15 11:28:34	racoon: INFO: received Vendor ID: RFC 3947
    Jun 15 11:28:34	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Jun 15 11:28:34	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Jun 15 11:28:34	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
    Jun 15 11:28:34	racoon: INFO: received Vendor ID: DPD
    Jun 15 11:28:34	racoon: INFO: Selected NAT-T version: RFC 3947
    Jun 15 11:28:34	racoon: INFO: Hashing <localip>[500] with algo #1
    Jun 15 11:28:34	racoon: INFO: NAT-D payload #0 verified
    Jun 15 11:28:34	racoon: [Saskatoon VPN Tunnel]: INFO: Hashing <remoteip>[500] with algo #1
    Jun 15 11:28:34	racoon: INFO: NAT-D payload #1 verified
    Jun 15 11:28:34	racoon: INFO: NAT not detected
    Jun 15 11:28:34	racoon: [Saskatoon VPN Tunnel]: INFO: Hashing <remoteip>[500] with algo #1
    Jun 15 11:28:34	racoon: INFO: Hashing <localip>[500] with algo #1
    Jun 15 11:28:34	racoon: INFO: Adding remote and local NAT-D payloads.
    Jun 15 11:28:34	racoon: [Saskatoon VPN Tunnel]: INFO: ISAKMP-SA established <localip>[500]-<remoteip>[500] spi:952fd72dd9ae4008:583c1e8444dfe45b
    Jun 15 11:28:34	racoon: [Saskatoon VPN Tunnel]: INFO: respond new phase 2 negotiation: <localip>[500]<=><remoteip>[500]
    Jun 15 11:28:34	racoon: ERROR: not matched
    Jun 15 11:28:34	racoon: ERROR: no suitable policy found.
    Jun 15 11:28:34	racoon: ERROR: failed to pre-process packet.
    Jun 15 11:28:35	racoon: [Saskatoon VPN Tunnel]: INFO: ISAKMP-SA deleted <localip>[500]-<remoteip>[500] spi:87490816508e2467:04b5727e921a8f59
    Jun 15 11:28:44	racoon: [Saskatoon VPN Tunnel]: INFO: respond new phase 2 negotiation: <localip>[500]<=><remoteip>[500]
    Jun 15 11:28:44	racoon: ERROR: not matched
    Jun 15 11:28:44	racoon: ERROR: no suitable policy found.
    Jun 15 11:28:44	racoon: ERROR: failed to pre-process packet.
    

  • Rebel Alliance Developer Netgate

    Jun 15 11:28:44	racoon: ERROR: no suitable policy found.
    

    That means that the settings did not match. Check them all again, particularly the phase 2 encryption settings.



  • Yep I figured as much.  All settings matched.  The one that broke it was "Negotiate compression" on the IPCop.  When I disabled that it worked.
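    As an added illustration (not code from the thread or from pfSense/IPCop), the script below runs the triage the developer describes over racoon log lines: it confirms that phase 1 (the ISAKMP SA) completed and that the failure sits in phase 2, where "no suitable policy found" means the peers' IPsec SA proposals or traffic selectors did not match. The sample log is a constructed excerpt modelled on the one posted above (same placeholders and SPIs); the "no suitable proposal found" pattern is assumed from racoon's usual phase 1 wording and does not appear in this thread. The phase 2 hint lists compression alongside the other parameters because that is what turned out to differ here.

```python
import re
from collections import Counter

# Constructed sample modelled on the racoon log posted in the thread.
# <localip>/<remoteip> are the poster's own placeholders.
SAMPLE_LOG = """\
Jun 15 11:28:34\tracoon: [Saskatoon VPN Tunnel]: INFO: respond new phase 1 negotiation: <localip>[500]<=><remoteip>[500]
Jun 15 11:28:34\tracoon: INFO: begin Identity Protection mode.
Jun 15 11:28:34\tracoon: INFO: NAT not detected
Jun 15 11:28:34\tracoon: [Saskatoon VPN Tunnel]: INFO: ISAKMP-SA established <localip>[500]-<remoteip>[500] spi:952fd72dd9ae4008:583c1e8444dfe45b
Jun 15 11:28:34\tracoon: [Saskatoon VPN Tunnel]: INFO: respond new phase 2 negotiation: <localip>[500]<=><remoteip>[500]
Jun 15 11:28:34\tracoon: ERROR: not matched
Jun 15 11:28:34\tracoon: ERROR: no suitable policy found.
Jun 15 11:28:34\tracoon: ERROR: failed to pre-process packet.
Jun 15 11:28:35\tracoon: [Saskatoon VPN Tunnel]: INFO: ISAKMP-SA deleted <localip>[500]-<remoteip>[500] spi:87490816508e2467:04b5727e921a8f59
Jun 15 11:28:44\tracoon: [Saskatoon VPN Tunnel]: INFO: respond new phase 2 negotiation: <localip>[500]<=><remoteip>[500]
Jun 15 11:28:44\tracoon: ERROR: not matched
Jun 15 11:28:44\tracoon: ERROR: no suitable policy found.
Jun 15 11:28:44\tracoon: ERROR: failed to pre-process packet.
"""

# One racoon syslog line: timestamp, optional "[tunnel name]:", level, message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d)\s+racoon:\s*"
    r"(?:\[(?P<tunnel>[^\]]+)\]:\s*)?"
    r"(?P<level>INFO|ERROR|WARNING|NOTIFY|DEBUG):\s*(?P<msg>.*)$"
)

# Message fragments mapped to event names. The first four are verbatim from the
# thread's log; "no suitable proposal found" is racoon's phase 1 counterpart
# (assumed from racoon's usual wording, not shown in the thread).
EVENT_PATTERNS = [
    ("ISAKMP-SA established", "phase1_established"),
    ("ISAKMP-SA deleted", "phase1_deleted"),
    ("phase 2 negotiation", "phase2_started"),
    ("no suitable policy found", "phase2_policy_mismatch"),
    ("no suitable proposal found", "phase1_proposal_mismatch"),
]

HINTS = {
    "phase1_mismatch": "Phase 1 (ISAKMP) proposals rejected: compare encryption, hash, "
                       "DH group, lifetime and authentication method on both ends.",
    "phase2_mismatch": "Phase 1 completed but phase 2 (IPsec SA) was rejected: compare "
                       "local/remote networks, encryption and hash, PFS group, lifetime "
                       "and compression (IPComp) on both ends.",
    "ok": "Phase 1 established and no phase 2 rejection seen.",
    "no_phase1": "No ISAKMP SA established in this excerpt: check reachability of UDP/500 "
                 "(and UDP/4500 with NAT-T) and the phase 1 identifiers.",
}


def parse_line(line):
    """Return (timestamp, tunnel, level, message), or None if not a racoon entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("tunnel"), m.group("level"), m.group("msg")


def classify(message):
    """Map a racoon message to a tracked event name, or None."""
    for needle, event in EVENT_PATTERNS:
        if needle in message:
            return event
    return None


def summarize(log_text):
    """Count tracked events and name which IKE phase is failing."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        event = classify(parsed[3])
        if event:
            counts[event] += 1

    if counts["phase1_proposal_mismatch"]:
        diagnosis = "phase1_mismatch"
    elif counts["phase1_established"] and counts["phase2_policy_mismatch"]:
        diagnosis = "phase2_mismatch"
    elif counts["phase1_established"]:
        diagnosis = "ok"
    else:
        diagnosis = "no_phase1"
    return dict(counts), diagnosis


if __name__ == "__main__":
    counts, diagnosis = summarize(SAMPLE_LOG)
    print(counts)
    print(HINTS[diagnosis])
```

Feed it the IPsec log from Status > System Logs on the pfSense box; if it reports `phase2_mismatch`, the ISAKMP SA is fine and only the phase 2 parameters (including compression, as in this thread) need to be compared side by side.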

