Netgate Discussion Forum

    Phase 2 problem between pfSense and Centos (ipsec tunnel)

    Chimpen

      I cannot get phase 2 of this ipsec connection to pass. Running this between two Centos works as it should.

      Let's start with the network.

      pfSense 1.2.3
      --------
      external ip: 1.1.1.1
      internal ip: 172.20.1.20
      internal network: 172.20.1.0/24

      Centos 5.5

      external ip: 2.2.2.2
      internal ip: 172.20.2.1
      internal network: 172.20.2.0/24

      pfSense config from a reset.

      Firewall rule to allow all ipsec communication (all protocols).

      pfSense ipsec config

      Mode: Tunnel
      Interface: WAN (I'm not sure this should be WAN, but changing it to LAN makes no difference)
      Local subnet: 172.20.1.0/24
      Remote subnet: 172.20.2.0/24
      Remote gateway: 2.2.2.2

      Phase 1
      Negotiation mode: aggressive
      My identifier: My IP address
      Encryption algorithm: 3DES
      Hash algorithm: SHA1
      DH key group: 2
      Authentication method: Pre-shared key
      Pre-Shared Key: secret

      Phase 2
      Protocol: ESP
      Encryption algorithms: Rijndael (AES)
      Hash algorithms: SHA1
      PFS key group: 2

      Centos ipsec config

      /etc/sysconfig/network-scripts/ifcfg-ipsec0

      TYPE=IPSEC
      ONBOOT=yes
      IKE_METHOD=PSK
      SRCGW=172.20.2.1
      DSTGW=172.20.1.20
      SRCNET=172.20.2.0/24
      DSTNET=172.20.1.0/24
      DST=1.1.1.1

      /etc/sysconfig/network-scripts/keys-ipsec0
      IKE_PSK=secret

      /etc/racoon/racoon.conf
      path include "/etc/racoon";
      path pre_shared_key "/etc/racoon/psk.txt";
      path certificate "/etc/racoon/certs";
      sainfo anonymous
      {
             pfs_group 2;
             lifetime time 1 hour ;
             encryption_algorithm rijndael ;
             authentication_algorithm hmac_sha1 ;
             compression_algorithm deflate ;
      }
      include "/etc/racoon/1.1.1.1.conf";

      /etc/racoon/1.1.1.1.conf
      remote 1.1.1.1
      {
             exchange_mode aggressive, main;
             my_identifier address;
             proposal {
                     encryption_algorithm 3des;
                     hash_algorithm sha1;
                     authentication_method pre_shared_key;
                     dh_group 2;
             }
      }

      Ipsec log of pfSense

      Nov 28 19:38:11 racoon: INFO: @(#)ipsec-tools 0.7.2 (http://ipsec-tools.sourceforge.net)
      Nov 28 19:38:11 racoon: INFO: @(#)This product linked OpenSSL 0.9.8e 23 Feb 2007 (http://www.openssl.org/)
      Nov 28 19:38:11 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
      Nov 28 19:38:11 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=14)
      Nov 28 19:38:11 racoon: [Self]: INFO: 1.1.1.1[500] used as isakmp port (fd=15)
      Nov 28 19:38:11 racoon: [Self]: INFO: 172.20.1.20[500] used as isakmp port (fd=16)
      Nov 28 19:38:11 racoon: INFO: unsupported PF_KEY message REGISTER
      Nov 28 19:38:11 racoon: ERROR: such policy already exists. anyway replace it: 172.20.1.0/24[0] 172.20.2.0/24[0] proto=any dir=out
      Nov 28 19:38:11 racoon: ERROR: such policy already exists. anyway replace it: 172.20.2.0/24[0] 172.20.1.0/24[0] proto=any dir=in
      Nov 28 19:38:11 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=14)
      Nov 28 19:38:11 racoon: [Self]: INFO: 1.1.1.1[500] used as isakmp port (fd=15)
      Nov 28 19:38:11 racoon: [Self]: INFO: 172.20.1.20[500] used as isakmp port (fd=16)
      Nov 28 19:41:11 racoon: [IPsec tunnel]: INFO: respond new phase 1 negotiation: 1.1.1.1[500]<=>2.2.2.2[500]
      Nov 28 19:41:11 racoon: INFO: begin Aggressive mode.
      Nov 28 19:41:11 racoon: INFO: received Vendor ID: DPD
      Nov 28 19:41:11 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
      Nov 28 19:41:11 racoon: [IPsec tunnel]: INFO: ISAKMP-SA established 1.1.1.1[500]-2.2.2.2[500] spi:36580e589a8cb1e8:f3cef1de14e3ec5e
      Nov 28 19:41:12 racoon: [IPsec tunnel]: INFO: respond new phase 2 negotiation: 1.1.1.1[0]<=>2.2.2.2[0]
      Nov 28 19:41:12 racoon: ERROR: not matched
      Nov 28 19:41:12 racoon: ERROR: no suitable policy found.
      Nov 28 19:41:12 racoon: ERROR: failed to pre-process packet.
      Nov 28 19:41:22 racoon: [IPsec tunnel]: INFO: respond new phase 2 negotiation: 1.1.1.1[0]<=>2.2.2.2[0]
      Nov 28 19:41:22 racoon: ERROR: not matched
      Nov 28 19:41:22 racoon: ERROR: no suitable policy found.
      Nov 28 19:41:22 racoon: ERROR: failed to pre-process packet.
      Nov 28 19:41:32 racoon: [IPsec tunnel]: INFO: respond new phase 2 negotiation: 1.1.1.1[0]<=>2.2.2.2[0]
      Nov 28 19:41:32 racoon: ERROR: not matched
      Nov 28 19:41:32 racoon: ERROR: no suitable policy found.
      Nov 28 19:41:32 racoon: ERROR: failed to pre-process packet.

      /var/log/messages of Centos
      ---------------------------
      Nov 28 19:40:34 racoon: INFO: unsupported PF_KEY message REGISTER
      Nov 28 19:40:34 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=37)
      Nov 28 19:40:34 racoon: INFO: 127.0.0.1[500] used for NAT-T
      Nov 28 19:40:34 racoon: INFO: 2.2.2.2[500] used as isakmp port (fd=38)
      Nov 28 19:40:34 racoon: INFO: 2.2.2.2[500] used for NAT-T
      Nov 28 19:40:34 racoon: INFO: 172.20.2.1[500] used as isakmp port (fd=39)
      Nov 28 19:40:34 racoon: INFO: 172.20.2.1[500] used for NAT-T
      Nov 28 19:40:34 racoon: INFO: ::1[500] used as isakmp port (fd=40)
      Nov 28 19:40:34 racoon: INFO: fe80::216:1aff:fed9:1fc5%eth0[500] used as isakmp port (fd=41)
      Nov 28 19:40:44 racoon: INFO: unsupported PF_KEY message REGISTER
      Nov 28 19:40:44 last message repeated 4 times
      Nov 28 19:40:44 racoon: ERROR: such policy already exists. anyway replace it: 172.20.2.0/24[0] 172.20.1.0/24[0] proto=any dir=out
      Nov 28 19:40:44 racoon: ERROR: such policy already exists. anyway replace it: 172.20.1.0/24[0] 172.20.2.0/24[0] proto=any dir=in
      Nov 28 19:40:44 racoon: ERROR: such policy already exists. anyway replace it: 172.20.1.0/24[0] 172.20.2.0/24[0] proto=any dir=fwd
      Nov 28 19:40:44 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=38)
      Nov 28 19:40:44 racoon: INFO: 127.0.0.1[500] used for NAT-T
      Nov 28 19:40:44 racoon: INFO: 2.2.2.2[500] used as isakmp port (fd=39)
      Nov 28 19:40:44 racoon: INFO: 2.2.2.2[500] used for NAT-T
      Nov 28 19:40:44 racoon: INFO: 172.20.2.1[500] used as isakmp port (fd=40)
      Nov 28 19:40:44 racoon: INFO: 172.20.2.1[500] used for NAT-T
      Nov 28 19:40:44 racoon: INFO: ::1[500] used as isakmp port (fd=41)
      Nov 28 19:40:44 racoon: INFO: fe80::216:1aff:fed9:1fc5%eth0[500] used as isakmp port (fd=42)
      Nov 28 19:41:09 racoon: INFO: IPsec-SA request for 1.1.1.1 queued due to no phase1 found.
      Nov 28 19:41:09 racoon: INFO: initiate new phase 1 negotiation: 2.2.2.2[500]<=>1.1.1.1[500]
      Nov 28 19:41:09 racoon: INFO: begin Aggressive mode.
      Nov 28 19:41:09 racoon: INFO: received Vendor ID: DPD
      Nov 28 19:41:09 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
      Nov 28 19:41:09 racoon: INFO: ISAKMP-SA established 2.2.2.2[500]-1.1.1.1[500] spi:36580e589a8cb1e8:f3cef1de14e3ec5e
      Nov 28 19:41:10 racoon: INFO: initiate new phase 2 negotiation: 2.2.2.2[500]<=>1.1.1.1[500]
      Nov 28 19:41:10 racoon: ERROR: unknown notify message, no phase2 handle found.
      Nov 28 19:41:30 last message repeated 2 times
      Nov 28 19:41:40 racoon: INFO: IPsec-SA expired: AH/Tunnel 1.1.1.1[0]->2.2.2.2[0] spi=206806147(0xc539c83)
      Nov 28 19:41:40 racoon: WARNING: the expire message is received but the handler has not been established.
      Nov 28 19:41:40 racoon: ERROR: 1.1.1.1 give up to get IPsec-SA due to time up to wait.
      Nov 28 19:41:40 racoon: INFO: IPsec-SA expired: ESP/Tunnel 1.1.1.1[0]->2.2.2.2[0] spi=72570967(0x4535857)

      I have tried to change settings for phase 2 on both ends but nothing appears to make any difference (whether they match or not).

      Does anyone have any hint on what I'm doing wrong?

      This guide was followed for Centos settings: http://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-vpn.html

    Chimpen

        I was able to solve the problem from this post: http://efwsupport.com/index.php?topic=497.0

        @daytron:

        Following the RH/Centos doc for establishing a network-to-network tunnel between two RH/Centos boxes is dead easy. However what is not documented is that by default both AH and ESP encryption are used in stage 2. By default, Endian/openswan only uses ESP encryption.

        This also appears to be true for pfSense.

        I changed the config of the Centos computer and now the tunnel works.

        Centos ipsec config
        ------------------
        /etc/sysconfig/network-scripts/ifcfg-ipsec0

        TYPE=IPSEC
        ONBOOT=yes
        IKE_METHOD=PSK
        AH_PROTO=none
        SRCGW=172.20.2.1
        DSTGW=172.20.1.20
        SRCNET=172.20.2.0/24
        DSTNET=172.20.1.0/24
        DST=1.1.1.1
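        An added example (not code from the thread or from pfSense/CentOS) that turns the two findings above into a check: it parses an ifcfg-ipsecN file and reports which phase 2 protocols the CentOS side will propose, using the thread's statement that the ifcfg default is AH plus ESP unless AH_PROTO=none is set, and it scans racoon log lines for the signature seen in the first post, phase 1 established but every phase 2 attempt rejected with "no suitable policy found". The ifcfg and log samples are constructed to mirror the thread's own values.

```python
import re

# Constructed sample mirroring the thread's original (failing) ifcfg-ipsec0.
IFCFG_BEFORE = """TYPE=IPSEC
ONBOOT=yes
IKE_METHOD=PSK
SRCGW=172.20.2.1
DSTGW=172.20.1.20
SRCNET=172.20.2.0/24
DSTNET=172.20.1.0/24
DST=1.1.1.1
"""
# The same file with the AH_PROTO=none fix from the thread's second post.
IFCFG_AFTER = IFCFG_BEFORE.replace("IKE_METHOD=PSK\n", "IKE_METHOD=PSK\nAH_PROTO=none\n")

# Constructed racoon excerpt showing the thread's symptom: phase 1 completes,
# then every phase 2 attempt is rejected with "no suitable policy found".
RACOON_LOG = """Nov 28 19:41:11 racoon: [IPsec tunnel]: INFO: ISAKMP-SA established 1.1.1.1[500]-2.2.2.2[500]
Nov 28 19:41:12 racoon: [IPsec tunnel]: INFO: respond new phase 2 negotiation: 1.1.1.1[0]<=>2.2.2.2[0]
Nov 28 19:41:12 racoon: ERROR: no suitable policy found.
""".splitlines()

def parse_ifcfg(text):
    """Parse KEY=VALUE lines of an ifcfg file into a dict (comments, blanks skipped)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip().strip('"')
    return conf

def phase2_protocols(conf):
    """Phase 2 protocols the CentOS side proposes. Per the thread the ifcfg default
    is AH plus ESP; AH_PROTO=none leaves ESP only, which matches pfSense's entry."""
    protos = ["ESP"]
    if conf.get("AH_PROTO", "").lower() != "none":
        protos.insert(0, "AH")
    return protos

PHASE1_OK = re.compile(r"ISAKMP-SA established")
PHASE2_FAIL = re.compile(r"no suitable policy found|no phase2 handle found")

def diagnose(lines):
    """Phase 1 up but phase 2 rejected: the proposals/policies disagree, not the PSK."""
    p1_ok = any(PHASE1_OK.search(l) for l in lines)
    p2_fail = any(PHASE2_FAIL.search(l) for l in lines)
    if p1_ok and p2_fail:
        return "phase2-mismatch"
    return "ok" if p1_ok else "phase1-failed"
```

Running parse_ifcfg on the two samples gives AH+ESP before the fix and ESP only after it, and diagnose on the log excerpt returns "phase2-mismatch", which is the state the first post's pfSense log shows.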

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.