Phase 2 problem between pfSense and Centos (ipsec tunnel)



  • I cannot get phase 2 of this ipsec connection to pass. Running this between two Centos works as it should.

    Let's start with the network.

    pfSense 1.2.3
    ---------
    external ip: 1.1.1.1
    internal ip: 172.20.1.20
    internal network: 172.20.1.0/24

    Centos 5.5

    external ip: 2.2.2.2
    internal ip: 172.20.2.1
    internal network: 172.20.2.0/24

    pfSense config from a reset.

    Firewall rule to allow all ipsec communication (all protocols).

    pfSense ipsec config

    Mode: Tunnel
    Interface: WAN (I'm not sure this should be WAN, but changing it to LAN makes no difference)
    Local subnet: 172.20.1.0/24
    Remote subnet: 172.20.2.0/24
    Remote gateway: 2.2.2.2

    Phase 1
    Negotiation mode: aggressive
    My identifier: My IP address
    Encryption algorithm: 3DES
    Hash algorithm: SHA1
    DH key group: 2
    Authentication method: Pre-shared key
    Pre-Shared Key: secret

    Phase 2
    Protocol: ESP
    Encryption algorithms: Rijndael (AES)
    Hash algorithms: SHA1
    PFS key group: 2

    Centos ipsec config

    /etc/sysconfig/network-scripts/ifcfg-ipsec0

    TYPE=IPSEC
    ONBOOT=yes
    IKE_METHOD=PSK
    SRCGW=172.20.2.1
    DSTGW=172.20.1.20
    SRCNET=172.20.2.0/24
    DSTNET=172.20.1.0/24
    DST=1.1.1.1

    /etc/sysconfig/network-scripts/keys-ipsec0
    IKE_PSK=secret

    /etc/racoon/racoon.conf
    path include "/etc/racoon";
    path pre_shared_key "/etc/racoon/psk.txt";
    path certificate "/etc/racoon/certs";
    sainfo anonymous
    {
           pfs_group 2;
           lifetime time 1 hour ;
           encryption_algorithm rijndael ;
           authentication_algorithm hmac_sha1 ;
           compression_algorithm deflate ;
    }
    include "/etc/racoon/1.1.1.1.conf";

    /etc/racoon/1.1.1.1.conf
    remote 1.1.1.1
    {
           exchange_mode aggressive, main;
           my_identifier address;
           proposal {
                   encryption_algorithm 3des;
                   hash_algorithm sha1;
                   authentication_method pre_shared_key;
                   dh_group 2;
           }
    }

    Ipsec log of pfSense

    Nov 28 19:38:11 racoon: INFO: @(#)ipsec-tools 0.7.2 (http://ipsec-tools.sourceforge.net)
    Nov 28 19:38:11 racoon: INFO: @(#)This product linked OpenSSL 0.9.8e 23 Feb 2007 (http://www.openssl.org/)
    Nov 28 19:38:11 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
    Nov 28 19:38:11 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=14)
    Nov 28 19:38:11 racoon: [Self]: INFO: 1.1.1.1[500] used as isakmp port (fd=15)
    Nov 28 19:38:11 racoon: [Self]: INFO: 172.20.1.20[500] used as isakmp port (fd=16)
    Nov 28 19:38:11 racoon: INFO: unsupported PF_KEY message REGISTER
    Nov 28 19:38:11 racoon: ERROR: such policy already exists. anyway replace it: 172.20.1.0/24[0] 172.20.2.0/24[0] proto=any dir=out
    Nov 28 19:38:11 racoon: ERROR: such policy already exists. anyway replace it: 172.20.2.0/24[0] 172.20.1.0/24[0] proto=any dir=in
    Nov 28 19:38:11 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=14)
    Nov 28 19:38:11 racoon: [Self]: INFO: 1.1.1.1[500] used as isakmp port (fd=15)
    Nov 28 19:38:11 racoon: [Self]: INFO: 172.20.1.20[500] used as isakmp port (fd=16)
    Nov 28 19:41:11 racoon: [IPsec tunnel]: INFO: respond new phase 1 negotiation: 1.1.1.1[500]<=>2.2.2.2[500]
    Nov 28 19:41:11 racoon: INFO: begin Aggressive mode.
    Nov 28 19:41:11 racoon: INFO: received Vendor ID: DPD
    Nov 28 19:41:11 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
    Nov 28 19:41:11 racoon: [IPsec tunnel]: INFO: ISAKMP-SA established 1.1.1.1[500]-2.2.2.2[500] spi:36580e589a8cb1e8:f3cef1de14e3ec5e
    Nov 28 19:41:12 racoon: [IPsec tunnel]: INFO: respond new phase 2 negotiation: 1.1.1.1[0]<=>2.2.2.2[0]
    Nov 28 19:41:12 racoon: ERROR: not matched
    Nov 28 19:41:12 racoon: ERROR: no suitable policy found.
    Nov 28 19:41:12 racoon: ERROR: failed to pre-process packet.
    Nov 28 19:41:22 racoon: [IPsec tunnel]: INFO: respond new phase 2 negotiation: 1.1.1.1[0]<=>2.2.2.2[0]
    Nov 28 19:41:22 racoon: ERROR: not matched
    Nov 28 19:41:22 racoon: ERROR: no suitable policy found.
    Nov 28 19:41:22 racoon: ERROR: failed to pre-process packet.
    Nov 28 19:41:32 racoon: [IPsec tunnel]: INFO: respond new phase 2 negotiation: 1.1.1.1[0]<=>2.2.2.2[0]
    Nov 28 19:41:32 racoon: ERROR: not matched
    Nov 28 19:41:32 racoon: ERROR: no suitable policy found.
    Nov 28 19:41:32 racoon: ERROR: failed to pre-process packet.

    /var/log/messages of Centos
    ---------------------------
    Nov 28 19:40:34 racoon: INFO: unsupported PF_KEY message REGISTER
    Nov 28 19:40:34 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=37)
    Nov 28 19:40:34 racoon: INFO: 127.0.0.1[500] used for NAT-T
    Nov 28 19:40:34 racoon: INFO: 2.2.2.2[500] used as isakmp port (fd=38)
    Nov 28 19:40:34 racoon: INFO: 2.2.2.2[500] used for NAT-T
    Nov 28 19:40:34 racoon: INFO: 172.20.2.1[500] used as isakmp port (fd=39)
    Nov 28 19:40:34 racoon: INFO: 172.20.2.1[500] used for NAT-T
    Nov 28 19:40:34 racoon: INFO: ::1[500] used as isakmp port (fd=40)
    Nov 28 19:40:34 racoon: INFO: fe80::216:1aff:fed9:1fc5%eth0[500] used as isakmp port (fd=41)
    Nov 28 19:40:44 racoon: INFO: unsupported PF_KEY message REGISTER
    Nov 28 19:40:44 last message repeated 4 times
    Nov 28 19:40:44 racoon: ERROR: such policy already exists. anyway replace it: 172.20.2.0/24[0] 172.20.1.0/24[0] proto=any dir=out
    Nov 28 19:40:44 racoon: ERROR: such policy already exists. anyway replace it: 172.20.1.0/24[0] 172.20.2.0/24[0] proto=any dir=in
    Nov 28 19:40:44 racoon: ERROR: such policy already exists. anyway replace it: 172.20.1.0/24[0] 172.20.2.0/24[0] proto=any dir=fwd
    Nov 28 19:40:44 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=38)
    Nov 28 19:40:44 racoon: INFO: 127.0.0.1[500] used for NAT-T
    Nov 28 19:40:44 racoon: INFO: 2.2.2.2[500] used as isakmp port (fd=39)
    Nov 28 19:40:44 racoon: INFO: 2.2.2.2[500] used for NAT-T
    Nov 28 19:40:44 racoon: INFO: 172.20.2.1[500] used as isakmp port (fd=40)
    Nov 28 19:40:44 racoon: INFO: 172.20.2.1[500] used for NAT-T
    Nov 28 19:40:44 racoon: INFO: ::1[500] used as isakmp port (fd=41)
    Nov 28 19:40:44 racoon: INFO: fe80::216:1aff:fed9:1fc5%eth0[500] used as isakmp port (fd=42)
    Nov 28 19:41:09 racoon: INFO: IPsec-SA request for 1.1.1.1 queued due to no phase1 found.
    Nov 28 19:41:09 racoon: INFO: initiate new phase 1 negotiation: 2.2.2.2[500]<=>1.1.1.1[500]
    Nov 28 19:41:09 racoon: INFO: begin Aggressive mode.
    Nov 28 19:41:09 racoon: INFO: received Vendor ID: DPD
    Nov 28 19:41:09 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
    Nov 28 19:41:09 racoon: INFO: ISAKMP-SA established 2.2.2.2[500]-1.1.1.1[500] spi:36580e589a8cb1e8:f3cef1de14e3ec5e
    Nov 28 19:41:10 racoon: INFO: initiate new phase 2 negotiation: 2.2.2.2[500]<=>1.1.1.1[500]
    Nov 28 19:41:10 racoon: ERROR: unknown notify message, no phase2 handle found.
    Nov 28 19:41:30 last message repeated 2 times
    Nov 28 19:41:40 racoon: INFO: IPsec-SA expired: AH/Tunnel 1.1.1.1[0]->2.2.2.2[0] spi=206806147(0xc539c83)
    Nov 28 19:41:40 racoon: WARNING: the expire message is received but the handler has not been established.
    Nov 28 19:41:40 racoon: ERROR: 1.1.1.1 give up to get IPsec-SA due to time up to wait.
    Nov 28 19:41:40 racoon: INFO: IPsec-SA expired: ESP/Tunnel 1.1.1.1[0]->2.2.2.2[0] spi=72570967(0x4535857)

    I have tried to change settings for phase 2 on both ends but nothing appears to make any difference (whether they match or not).

    Does anyone have any hint on what I'm doing wrong?

    This guide was followed for Centos settings: http://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-vpn.html
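
    As an added example that is not part of the original post, the following Python script correlates the two racoon logs quoted above (embedded here as constructed sample input, trimmed to the relevant lines) and names the layer at which the negotiation fails. It confirms that phase 1 succeeded by matching the ISAKMP SPI cookie pair on both peers, treats the responder's `no suitable policy found` / `not matched` as a phase 2 policy rejection, and reports which protocols (AH, ESP) the initiator's kernel was waiting on from its `IPsec-SA expired` lines. The mapping of log strings to failure causes is the editor's own triage heuristic, not racoon's documented semantics.

```python
import re

# Constructed sample input: the racoon lines quoted in the post, trimmed to the ones that matter.
PFSENSE_LOG = """\
Nov 28 19:41:11 racoon: [IPsec tunnel]: INFO: respond new phase 1 negotiation: 1.1.1.1[500]<=>2.2.2.2[500]
Nov 28 19:41:11 racoon: [IPsec tunnel]: INFO: ISAKMP-SA established 1.1.1.1[500]-2.2.2.2[500] spi:36580e589a8cb1e8:f3cef1de14e3ec5e
Nov 28 19:41:12 racoon: [IPsec tunnel]: INFO: respond new phase 2 negotiation: 1.1.1.1[0]<=>2.2.2.2[0]
Nov 28 19:41:12 racoon: ERROR: not matched
Nov 28 19:41:12 racoon: ERROR: no suitable policy found.
Nov 28 19:41:12 racoon: ERROR: failed to pre-process packet.
"""

CENTOS_LOG = """\
Nov 28 19:41:09 racoon: INFO: initiate new phase 1 negotiation: 2.2.2.2[500]<=>1.1.1.1[500]
Nov 28 19:41:09 racoon: INFO: ISAKMP-SA established 2.2.2.2[500]-1.1.1.1[500] spi:36580e589a8cb1e8:f3cef1de14e3ec5e
Nov 28 19:41:10 racoon: INFO: initiate new phase 2 negotiation: 2.2.2.2[500]<=>1.1.1.1[500]
Nov 28 19:41:10 racoon: ERROR: unknown notify message, no phase2 handle found.
Nov 28 19:41:40 racoon: INFO: IPsec-SA expired: AH/Tunnel 1.1.1.1[0]->2.2.2.2[0] spi=206806147(0xc539c83)
Nov 28 19:41:40 racoon: ERROR: 1.1.1.1 give up to get IPsec-SA due to time up to wait.
Nov 28 19:41:40 racoon: INFO: IPsec-SA expired: ESP/Tunnel 1.1.1.1[0]->2.2.2.2[0] spi=72570967(0x4535857)
"""

# The ISAKMP SPI pair (initiator cookie:responder cookie) is identical on both peers
# once phase 1 has completed, so it is the key for correlating the two logs.
ISAKMP_RE = re.compile(r"ISAKMP-SA established .* spi:([0-9a-f]+:[0-9a-f]+)")
# Kernel SA expire messages name the protocol the local SPD was waiting on.
SA_PROTO_RE = re.compile(r"IPsec-SA (?:expired|established): (AH|ESP)/Tunnel")
# Responder-side strings taken to mean "phase 2 proposal matched no SPD entry"
# (editor's heuristic mapping, not racoon's documented semantics).
PHASE2_POLICY_ERRORS = ("no suitable policy found", "not matched")


def parse_racoon(log):
    """Summarise what one peer's racoon log says about the exchange."""
    info = {"isakmp_spi": None, "phase2_policy_reject": False,
            "phase2_protocols": set(), "gave_up": False}
    for line in log.splitlines():
        m = ISAKMP_RE.search(line)
        if m:
            info["isakmp_spi"] = m.group(1)
        if any(err in line for err in PHASE2_POLICY_ERRORS):
            info["phase2_policy_reject"] = True
        m = SA_PROTO_RE.search(line)
        if m:
            info["phase2_protocols"].add(m.group(1))
        if "give up to get IPsec-SA" in line:
            info["gave_up"] = True
    return info


def triage(initiator_log, responder_log):
    """Correlate both logs and return (failing_phase, explanation)."""
    ini, rsp = parse_racoon(initiator_log), parse_racoon(responder_log)
    if ini["isakmp_spi"] is None or ini["isakmp_spi"] != rsp["isakmp_spi"]:
        return ("phase1", "ISAKMP SA not established with the same SPI on both peers: "
                          "check PSK, identifiers and phase 1 proposals")
    if rsp["phase2_policy_reject"]:
        protos = "+".join(sorted(ini["phase2_protocols"])) or "unknown"
        return ("phase2", "responder found no SPD entry matching the phase 2 proposal; "
                          f"initiator expected {protos}, so the protocol bundle or selectors differ")
    if ini["gave_up"]:
        return ("phase2", "initiator timed out waiting for the IPsec SA")
    return ("ok", "no failure pattern recognised")


if __name__ == "__main__":
    phase, why = triage(CENTOS_LOG, PFSENSE_LOG)
    print(f"{phase}: {why}")
```

    Run against the two logs from the post, the script reports a phase 2 failure and notes that the CentOS kernel was waiting on both an AH and an ESP SA, which is the mismatch a responder offering ESP alone will reject.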



  • I was able to solve the problem from this post: http://efwsupport.com/index.php?topic=497.0

    @daytron:

    Following the RH/Centos doc for establishing a network-to-network tunnel between two RH/Centos boxes is dead easy. However what is not documented is that by default both AH and ESP encryption are used in stage 2. By default, Endian/openswan only uses ESP encryption.

    This also appears to be true for pfSense.

    I changed the config of the Centos computer and now the tunnel works.

    Centos ipsec config
    ------------------
    /etc/sysconfig/network-scripts/ifcfg-ipsec0

    TYPE=IPSEC
    ONBOOT=yes
    IKE_METHOD=PSK
    AH_PROTO=none
    SRCGW=172.20.2.1
    DSTGW=172.20.1.20
    SRCNET=172.20.2.0/24
    DSTNET=172.20.1.0/24
    DST=1.1.1.1
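
    To make the fix concrete, here is an added Python example (not from the original thread, pfSense or the CentOS initscripts) that parses an ifcfg-ipsec0 file and renders the setkey(8) SPD entries a net-to-net tunnel needs, once with the defaults and once with `AH_PROTO=none`, then checks the resulting protocol bundle against the ESP-only phase 2 that pfSense offers. The rule that ESP is always required and AH is added unless `AH_PROTO=none` is the editor's model of what the Red Hat ifup-ipsec script does, inferred from the one-line fix above rather than from the script's source; the local WAN address `2.2.2.2` is passed in explicitly because the real script derives it at runtime.

```python
# Constructed sample input: the ifcfg-ipsec0 from the question, and the one-line fix from the answer.
IFCFG_BEFORE = """\
TYPE=IPSEC
ONBOOT=yes
IKE_METHOD=PSK
SRCGW=172.20.2.1
DSTGW=172.20.1.20
SRCNET=172.20.2.0/24
DSTNET=172.20.1.0/24
DST=1.1.1.1
"""
IFCFG_AFTER = IFCFG_BEFORE.replace("IKE_METHOD=PSK\n", "IKE_METHOD=PSK\nAH_PROTO=none\n")

# pfSense 1.2.3 phase 2 as configured in the thread: protocol ESP only.
PFSENSE_PHASE2 = ("esp",)


def parse_ifcfg(text):
    """Parse a KEY=VALUE ifcfg file into a dict (comments and blank lines skipped)."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip().strip('"')
    return cfg


def phase2_protocols(cfg):
    """Protocol bundle the generated policy will require.

    Assumption (editor's model of the Red Hat ifup-ipsec behaviour, based on the fix
    in the thread, not on the script's source): ESP is always on and AH is added
    unless AH_PROTO=none.
    """
    protos = ["esp"]
    if cfg.get("AH_PROTO", "").lower() != "none":
        protos.append("ah")
    return tuple(protos)


def spd_lines(cfg, local_ip):
    """Render setkey(8) spdadd entries for a net-to-net tunnel.

    local_ip is the local WAN address (2.2.2.2 here); the real script derives it
    at runtime, so this example takes it as a parameter.
    """
    src, dst, peer = cfg["SRCNET"], cfg["DSTNET"], cfg["DST"]

    def bundle(a, b):
        return " ".join(f"{p}/tunnel/{a}-{b}/require" for p in phase2_protocols(cfg))

    return [
        f"spdadd {src} {dst} any -P out ipsec {bundle(local_ip, peer)};",
        f"spdadd {dst} {src} any -P in ipsec {bundle(peer, local_ip)};",
    ]


def phase2_compatible(local_protos, peer_protos):
    """Phase 2 only completes when both ends require the same protocol bundle."""
    return set(local_protos) == set(peer_protos)


if __name__ == "__main__":
    for label, text in (("before", IFCFG_BEFORE), ("after", IFCFG_AFTER)):
        cfg = parse_ifcfg(text)
        ok = phase2_compatible(phase2_protocols(cfg), PFSENSE_PHASE2)
        print(f"{label}: {'+'.join(phase2_protocols(cfg))} -> matches pfSense ESP-only: {ok}")
        for line in spd_lines(cfg, "2.2.2.2"):
            print("  " + line)
```

    The "before" configuration produces an `esp ... ah ...` bundle in every SPD entry, which is what the pfSense side has no matching policy for; with `AH_PROTO=none` the entries carry ESP alone and the two ends agree. On a live box, `setkey -DP` shows the policies actually loaded, which is the quickest way to confirm which bundle the kernel is asking racoon to negotiate.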

