Phase 2 problem between pfSense and Centos (ipsec tunnel)

Chimpen · Nov 29, 2010, 1:24 PM

I cannot get phase 2 of this ipsec connection to pass. Running this between two Centos works as it should.

Let's start with the network.

pfSense 1.2.3
–------
external ip: 1.1.1.1
internal ip: 172.20.1.20
internal network: 172.20.1.0/24

Centos 5.5

external ip: 2.2.2.2
internal ip: 172.20.2.1
internal network: 172.20.2.0/24

pfSense config from a reset.

Firewall rule to allow all ipsec communication (all protocols).

pfSense ipsec config

Mode: Tunnel
Interface: WAN (I'm not sure this should be WAN, but changing it to LAN makes no difference)
Local subnet: 172.20.1.0/24
Remote subnet: 172.20.2.0/24
Remote gateway: 2.2.2.2

Phase 1
Negotiation mode: agressive
My identifier: My IP adress
Encryption algorithm: 3DES
Hash algorithm: SHA1
DH key group: 2
Authentication method: Pre-shared key
Pre-Shared Key: secret

Phase 2
Protocol: ESP
Encryption algorithms: Rijndael (AES)
Hash algorithms: SHA1
PFS key group: 2

Centos ipsec config

/etc/sysconfig/network-scripts/ifcfg-ipsec0

TYPE=IPSEC
ONBOOT=yes
IKE_METHOD=PSK
SRCGW=172.20.2.1
DSTGW=172.20.1.20
SRCNET=172.20.2.0/24
DSTNET=172.20.1.0/24
DST=1.1.1.1

/etc/sysconfig/network-scripts/keys-ipsec0
IKE_PSK=secret

/etc/racoon/racoon.conf
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
sainfo anonymous
{
pfs_group 2;
lifetime time 1 hour ;
encryption_algorithm rijndael ;
authentication_algorithm hmac_sha1 ;
compression_algorithm deflate ;
}
include "/etc/racoon/1.1.1.1.conf";

/etc/racoon/1.1.1.1.conf
remote 1.1.1.1
{
exchange_mode aggressive, main;
my_identifier address;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}

Ipsec log of pfSense

Nov 28 19:38:11 racoon: INFO: @(#)ipsec-tools 0.7.2 (http://ipsec-tools.sourceforge.net)
Nov 28 19:38:11 racoon: INFO: @(#)This product linked OpenSSL 0.9.8e 23 Feb 2007 (http://www.openssl.org/)
Nov 28 19:38:11 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
Nov 28 19:38:11 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=14)
Nov 28 19:38:11 racoon: [Self]: INFO: 1.1.1.1[500] used as isakmp port (fd=15)
Nov 28 19:38:11 racoon: [Self]: INFO: 172.20.1.20[500] used as isakmp port (fd=16)
Nov 28 19:38:11 racoon: INFO: unsupported PF_KEY message REGISTER
Nov 28 19:38:11 racoon: ERROR: such policy already exists. anyway replace it: 172.20.1.0/24[0] 172.20.2.0/24[0] proto=any dir=out
Nov 28 19:38:11 racoon: ERROR: such policy already exists. anyway replace it: 172.20.2.0/24[0] 172.20.1.0/24[0] proto=any dir=in
Nov 28 19:38:11 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=14)
Nov 28 19:38:11 racoon: [Self]: INFO: 1.1.1.1[500] used as isakmp port (fd=15)
Nov 28 19:38:11 racoon: [Self]: INFO: 172.20.1.20[500] used as isakmp port (fd=16)
Nov 28 19:41:11 racoon: [IPsec tunnel]: INFO: respond new phase 1 negotiation: 1.1.1.1[500]<=>2.2.2.2[500]
Nov 28 19:41:11 racoon: INFO: begin Aggressive mode.
Nov 28 19:41:11 racoon: INFO: received Vendor ID: DPD
Nov 28 19:41:11 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Nov 28 19:41:11 racoon: [IPsec tunnel]: INFO: ISAKMP-SA established 1.1.1.1[500]-2.2.2.2[500] spi:36580e589a8cb1e8:f3cef1de14e3ec5e
Nov 28 19:41:12 racoon: [IPsec tunnel]: INFO: respond new phase 2 negotiation: 1.1.1.1[0]<=>2.2.2.2[0]
Nov 28 19:41:12 racoon: ERROR: not matched
Nov 28 19:41:12 racoon: ERROR: no suitable policy found.
Nov 28 19:41:12 racoon: ERROR: failed to pre-process packet.
Nov 28 19:41:22 racoon: [IPsec tunnel]: INFO: respond new phase 2 negotiation: 1.1.1.1[0]<=>2.2.2.2[0]
Nov 28 19:41:22 racoon: ERROR: not matched
Nov 28 19:41:22 racoon: ERROR: no suitable policy found.
Nov 28 19:41:22 racoon: ERROR: failed to pre-process packet.
Nov 28 19:41:32 racoon: [IPsec tunnel]: INFO: respond new phase 2 negotiation: 1.1.1.1[0]<=>2.2.2.2[0]
Nov 28 19:41:32 racoon: ERROR: not matched
Nov 28 19:41:32 racoon: ERROR: no suitable policy found.
Nov 28 19:41:32 racoon: ERROR: failed to pre-process packet.

/var/log/messages of Centos
–--------------------------
Nov 28 19:40:34 racoon: INFO: unsupported PF_KEY message REGISTER
Nov 28 19:40:34 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=37)
Nov 28 19:40:34 racoon: INFO: 127.0.0.1[500] used for NAT-T
Nov 28 19:40:34 racoon: INFO: 2.2.2.2[500] used as isakmp port (fd=38)
Nov 28 19:40:34 racoon: INFO: 2.2.2.2[500] used for NAT-T
Nov 28 19:40:34 racoon: INFO: 172.20.2.1[500] used as isakmp port (fd=39)
Nov 28 19:40:34 racoon: INFO: 172.20.2.1[500] used for NAT-T
Nov 28 19:40:34 racoon: INFO: ::1[500] used as isakmp port (fd=40)
Nov 28 19:40:34 racoon: INFO: fe80::216:1aff:fed9:1fc5%eth0[500] used as isakmp port (fd=41)
Nov 28 19:40:44 racoon: INFO: unsupported PF_KEY message REGISTER
Nov 28 19:40:44 last message repeated 4 times
Nov 28 19:40:44 racoon: ERROR: such policy already exists. anyway replace it: 172.20.2.0/24[0] 172.20.1.0/24[0] proto=any dir=out
Nov 28 19:40:44 racoon: ERROR: such policy already exists. anyway replace it: 172.20.1.0/24[0] 172.20.2.0/24[0] proto=any dir=in
Nov 28 19:40:44 racoon: ERROR: such policy already exists. anyway replace it: 172.20.1.0/24[0] 172.20.2.0/24[0] proto=any dir=fwd
Nov 28 19:40:44 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=38)
Nov 28 19:40:44 racoon: INFO: 127.0.0.1[500] used for NAT-T
Nov 28 19:40:44 racoon: INFO: 2.2.2.2[500] used as isakmp port (fd=39)
Nov 28 19:40:44 racoon: INFO: 2.2.2.2[500] used for NAT-T
Nov 28 19:40:44 racoon: INFO: 172.20.2.1[500] used as isakmp port (fd=40)
Nov 28 19:40:44 racoon: INFO: 172.20.2.1[500] used for NAT-T
Nov 28 19:40:44 racoon: INFO: ::1[500] used as isakmp port (fd=41)
Nov 28 19:40:44 racoon: INFO: fe80::216:1aff:fed9:1fc5%eth0[500] used as isakmp port (fd=42)
Nov 28 19:41:09 racoon: INFO: IPsec-SA request for 1.1.1.1 queued due to no phase1 found.
Nov 28 19:41:09 racoon: INFO: initiate new phase 1 negotiation: 2.2.2.2[500]<=>1.1.1.1[500]
Nov 28 19:41:09 racoon: INFO: begin Aggressive mode.
Nov 28 19:41:09 racoon: INFO: received Vendor ID: DPD
Nov 28 19:41:09 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Nov 28 19:41:09 racoon: INFO: ISAKMP-SA established 2.2.2.2[500]-1.1.1.1[500] spi:36580e589a8cb1e8:f3cef1de14e3ec5e
Nov 28 19:41:10 racoon: INFO: initiate new phase 2 negotiation: 2.2.2.2[500]<=>1.1.1.1[500]
Nov 28 19:41:10 racoon: ERROR: unknown notify message, no phase2 handle found.
Nov 28 19:41:30 last message repeated 2 times
Nov 28 19:41:40 racoon: INFO: IPsec-SA expired: AH/Tunnel 1.1.1.1[0]->2.2.2.2[0] spi=206806147(0xc539c83)
Nov 28 19:41:40 racoon: WARNING: the expire message is received but the handler has not been established.
Nov 28 19:41:40 racoon: ERROR: 1.1.1.1 give up to get IPsec-SA due to time up to wait.
Nov 28 19:41:40 racoon: INFO: IPsec-SA expired: ESP/Tunnel 1.1.1.1[0]->2.2.2.2[0] spi=72570967(0x4535857)

I have tried to change settings for phase 2 on both ends but nothing appears to make any difference (whether they match or not).

Does anyone have any hint on what I'm doing wrong?

This guide was followed for Centos settings: http://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-vpn.html

Chimpen · Dec 1, 2010, 9:16 PM

I was able to solve the problem from this post: http://efwsupport.com/index.php?topic=497.0

@daytron:

Following the RH/Centos doc for establishing a networ-to-network tunnel between two RH/Centos boxes is dead easy. However what is not documented is that by default both AH and ESP encryption are used in stage 2. By default, Endian/openswan only uses ESP encryption.

This also appears to be true for pfSense.

I changed the config of the Centos computer and now the tunnel works.

Centos ipsec config
–-----------------
/etc/sysconfig/network-scripts/ifcfg-ipsec0

TYPE=IPSEC
ONBOOT=yes
IKE_METHOD=PSK
AH_PROTO=none
SRCGW=172.20.2.1
DSTGW=172.20.1.20
SRCNET=172.20.2.0/24
DSTNET=172.20.1.0/24
DST=1.1.1.1