IPSEC Between 2 pfSense, Comcast SMC in between. SA established then lost.



  • Hi Everyone,

    I am trying to set up IPSEC between our offices and our datacenter.

    Currently our configuration is like this

    Office (Tunnel IP 10.1.1.5)
Comcast SMC8014 (set to allow all traffic through, confirmed by Comcast to be the closest thing to bridged possible) -> pfSense (1.2-RELEASE)

    Data Center (Tunnel IP 10.1.1.6)
Uplink -> pfSense (1.2.3-RELEASE)

    What is Known:

UDP 4500 for NAT-T is open on both ends and confirmed via probe
    UDP 500 is open on both ends and confirmed via probe
    ANY traffic is allowed through both ends of the tunnel.
    TCP 51 is open on both ends.

    x.x.x.x = Office WAN IP
    y.y.y.y = DataCenter WAN IP

    DataCenter racoon.conf

    
    $ cat /var/etc/racoon.conf
    # This file is automatically generated. Do not edit
    listen {
    	adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
    }
    path pre_shared_key "/var/etc/psk.txt";
    
    path certificate  "/var/etc";
    
    remote x.x.x.x {
    	exchange_mode main;
    	my_identifier address "y.y.y.y";
    
    	peers_identifier address x.x.x.x;
    	initial_contact on;
    
    	ike_frag on;
    	support_proxy on;
    	proposal_check obey;
    
    	proposal {
    		encryption_algorithm 3des;
    		hash_algorithm sha1;
    		authentication_method pre_shared_key;
    		dh_group 2;
    		lifetime time 28800 secs;
    	}
    	lifetime time 28800 secs;
    }
    
    sainfo address 172.26.0.0/24 any address 10.1.1.5/30 any {
    	encryption_algorithm 3des;
    	authentication_algorithm hmac_sha1;
    	compression_algorithm deflate;
    	pfs_group 2;
    	lifetime time 3600 secs;
    }
    
    

    Office racoon.conf

    
    $ cat /var/etc/racoon.conf
    path pre_shared_key "/var/etc/psk.txt";
    
    path certificate  "/var/etc";
    
    remote y.y.y.y {
    	exchange_mode main;
    	my_identifier address "x.x.x.x";
    
    	peers_identifier address y.y.y.y;
    	initial_contact on;
    	support_proxy on;
    	proposal_check obey;
    
    	proposal {
    		encryption_algorithm 3des;
    		hash_algorithm sha1;
    		authentication_method pre_shared_key;
    		dh_group 2;
    		lifetime time 28800 secs;
    	}
    	lifetime time 28800 secs;
    }
    
    sainfo address 192.168.168.0/24 any address 10.1.1.6/30 any {
    	encryption_algorithm 3des;
    	authentication_algorithm hmac_sha1;
    	compression_algorithm deflate;
    	pfs_group 2;
    	lifetime time 3600 secs;
    }
    
    

    Ping from DataCenter LAN to 10.1.1.5 (Office tunnel IP)

    
    2011-01-05 11:27:21: DEBUG: 292 bytes message received from y.y.y.y[500] to x.x.x.x[500]
    2011-01-05 11:27:21: DEBUG:
    ****HASH****
    2011-01-05 11:27:21: DEBUG: compute IV for phase2
    2011-01-05 11:27:21: DEBUG: phase1 last IV:
    2011-01-05 11:27:21: DEBUG:
    ****HASH****
    2011-01-05 11:27:21: DEBUG: hash(sha1)
    2011-01-05 11:27:21: DEBUG: encryption(3des)
    2011-01-05 11:27:21: DEBUG: phase2 IV computed:
    2011-01-05 11:27:21: DEBUG:
    ****HASH****
    2011-01-05 11:27:21: DEBUG: ===
    2011-01-05 11:27:21: INFO: respond new phase 2 negotiation: x.x.x.x[0]<=>y.y.y.y[0]
    2011-01-05 11:27:21: DEBUG: begin decryption.
    2011-01-05 11:27:21: DEBUG: encryption(3des)
    2011-01-05 11:27:21: DEBUG: IV was saved for next processing:
    2011-01-05 11:27:21: DEBUG:
    ****HASH****
    2011-01-05 11:27:21: DEBUG: encryption(3des)
    2011-01-05 11:27:21: DEBUG: with key:
    2011-01-05 11:27:21: DEBUG:
    ****HASH****
    2011-01-05 11:27:21: DEBUG: decrypted payload by IV:
    2011-01-05 11:27:21: DEBUG:
    ****HASH****
    2011-01-05 11:27:21: DEBUG: decrypted payload, but not trimed.
    2011-01-05 11:27:21: DEBUG:
    ****HASH****
    2011-01-05 11:27:21: DEBUG: padding len=4
    2011-01-05 11:27:21: DEBUG: skip to trim padding.
    2011-01-05 11:27:21: DEBUG: decrypted.
    2011-01-05 11:27:21: DEBUG:
    ****HASH****
    2011-01-05 11:27:21: DEBUG: begin.
    2011-01-05 11:27:21: DEBUG: seen nptype=8(hash)
    2011-01-05 11:27:21: DEBUG: seen nptype=1(sa)
    2011-01-05 11:27:21: DEBUG: seen nptype=10(nonce)
    2011-01-05 11:27:21: DEBUG: seen nptype=4(ke)
    2011-01-05 11:27:21: DEBUG: seen nptype=5(id)
    2011-01-05 11:27:21: DEBUG: seen nptype=5(id)
    2011-01-05 11:27:21: DEBUG: succeed.
    2011-01-05 11:27:21: DEBUG: received IDci2:2011-01-05 11:27:21: DEBUG:
    ****HASH****
    2011-01-05 11:27:21: DEBUG: received IDcr2:2011-01-05 11:27:21: DEBUG:
    ****HASH****
    2011-01-05 11:27:21: DEBUG: HASH(1) validate:2011-01-05 11:27:21: DEBUG:
    ****HASH****
    2011-01-05 11:27:21: DEBUG: HASH with:
    2011-01-05 11:27:21: DEBUG:
    ****HASH****
    2011-01-05 11:27:21: DEBUG: hmac(hmac_sha1)
    2011-01-05 11:27:21: DEBUG: HASH computed:
    2011-01-05 11:27:21: DEBUG:
    ****HASH****
    2011-01-05 11:27:21: DEBUG: configuration found for y.y.y.y.
    2011-01-05 11:27:21: DEBUG: getsainfo params: loc='10.1.1.5/30' rmt='172.26.0.0/24' peer='y.y.y.y' client='y.y.y.y' id=0
    2011-01-05 11:27:21: DEBUG: evaluating sainfo: loc='192.168.168.0/24', rmt='10.1.1.6/30', peer='ANY', id=0
    2011-01-05 11:27:21: DEBUG: check and compare ids : value mismatch (IPv4_subnet)
    2011-01-05 11:27:21: DEBUG: cmpid target: '10.1.1.5/30'
    2011-01-05 11:27:21: DEBUG: cmpid source: '192.168.168.0/24'
    2011-01-05 11:27:21: ERROR: failed to get sainfo.
    2011-01-05 11:27:21: ERROR: failed to get sainfo.
    2011-01-05 11:27:21: ERROR: failed to pre-process packet.
    2011-01-05 11:27:21: DEBUG: IV freed
    
    

    Ping from Office LAN to DC Tunnel (10.1.1.6)

    Jan 5 11:30:03	racoon: ERROR: failed to pre-process packet.
    Jan 5 11:30:03	racoon: ERROR: failed to get sainfo.
    Jan 5 11:30:03	racoon: ERROR: failed to get sainfo.
    Jan 5 11:30:03	racoon: [tunnel to gig harbor]: INFO: respond new phase 2 negotiation: y.y.y.y[0]<=>x.x.x.x[0]
    Jan 5 11:30:03	racoon: INFO: received Vendor ID: DPD
    Jan 5 11:30:03	racoon: INFO: begin Identity Protection mode.
    Jan 5 11:30:03	racoon: [tunnel to gig harbor]: INFO: respond new phase 1 negotiation: y.y.y.y[500]<=>x.x.x.x[500]
    

The above would be as verbose as the other, but for reasons unknown to me, racoon -F -dd -f /var/etc/racoon.conf stops running after spitting out this at the data center.

    
    #: racoon -F -dd -f /var/etc/racoon.conf
    Foreground mode.
    2011-01-05 11:03:29: INFO: @(#)ipsec-tools 0.7.2 (http://ipsec-tools.sourceforge.net)
    2011-01-05 11:03:29: INFO: @(#)This product linked OpenSSL 0.9.8e 23 Feb 2007 (http://www.openssl.org/)
    2011-01-05 11:03:29: INFO: Reading configuration from "/var/etc/racoon.conf"
    2011-01-05 11:03:29: DEBUG: call pfkey_send_register for AH
    2011-01-05 11:03:29: DEBUG: call pfkey_send_register for ESP
    2011-01-05 11:03:29: DEBUG: call pfkey_send_register for IPCOMP
    2011-01-05 11:03:29: DEBUG: reading config file /var/etc/racoon.conf
    2011-01-05 11:03:29: DEBUG2: lifetime = 28800
    2011-01-05 11:03:29: DEBUG2: lifebyte = 0
    2011-01-05 11:03:29: DEBUG2: encklen=0
    2011-01-05 11:03:29: DEBUG2: p:1 t:1
    2011-01-05 11:03:29: DEBUG2: 3DES-CBC(5)
    2011-01-05 11:03:29: DEBUG2: SHA(2)
    2011-01-05 11:03:29: DEBUG2: 1024-bit MODP group(2)
    2011-01-05 11:03:29: DEBUG2: pre-shared key(1)
    2011-01-05 11:03:29: DEBUG2:
    2011-01-05 11:03:29: DEBUG: compression algorithm can not be checked because sadb message doesn't support it.
    2011-01-05 11:03:29: DEBUG: getsainfo params: loc='172.26.0.0/24', rmt='10.1.1.5/30', peer='NULL', id=0
    2011-01-05 11:03:29: DEBUG: getsainfo pass #2
    2011-01-05 11:03:29: DEBUG2: parse successed.
    2011-01-05 11:03:29: DEBUG: open /var/db/racoon/racoon.sock as racoon management.
    2011-01-05 11:03:29: DEBUG: my interface: y.y.y.y (vr0)
    2011-01-05 11:03:29: DEBUG: my interface: 172.26.0.254 (vr1)
    2011-01-05 11:03:29: DEBUG: my interface: 127.0.0.1 (lo0)
    2011-01-05 11:03:29: DEBUG: configuring default isakmp port.
    2011-01-05 11:03:29: DEBUG: 3 addrs are configured successfully
    2011-01-05 11:03:29: ERROR: failed to bind to address 127.0.0.1[500] (Address already in use).
    2011-01-05 11:03:29: ERROR: failed to bind to address 172.26.0.254[500] (Address already in use).
    2011-01-05 11:03:29: ERROR: failed to bind to address y.y.y.y[500] (Address already in use).
    2011-01-05 11:03:29: ERROR: no address could be bound.
    
    

Any help is much appreciated. I've been working on this for almost two weeks now trying to nail down all the possible problems.



• I turned on packet logging for those as well, and ISAKMP[500] packets are successfully getting a PASS when pinging from office to datacenter as well as datacenter to office.



  • Kruzen,

    I just thought I would post this "how to" on IPsec VPN setup in case you have never seen this in the "how to's" on the pfSense docs. I followed this to the tee and had two VPNs working the first time I connected each of the three pfSense boxes at each building. It may help you see something you possibly overlooked.

    http://doc.pfsense.org/index.php/VPN_Capability_IPsec

    Also, a question: is the one pfSense in fact pfSense-1.2-RELEASE as you have listed in your original post (and not pfSense-1.2.3-RELEASE)? I wonder if there may be a discrepancy between the two versions if in fact you are using two different versions of pfSense. It would seem they should play together, but just a thought?

    Barry



• There is a discrepancy between the two versions of pfSense; however, I did not consider it to be a substantial issue considering IPsec should work cross-platform, let alone between different firmware versions.

    Hopefully I'm right, but I am running out of options and may be headed down that path now.



  • Really wish I could find some answers on this :(


  • You got that last racoon error (address already in use) most likely because racoon was already running and needed to be killed first.

    However this may be the real issue:

    2011-01-05 11:27:21: DEBUG: getsainfo params: loc='10.1.1.5/30' rmt='172.26.0.0/24' peer='y.y.y.y' client='y.y.y.y' id=0
    2011-01-05 11:27:21: DEBUG: evaluating sainfo: loc='192.168.168.0/24', rmt='10.1.1.6/30', peer='ANY', id=0
    2011-01-05 11:27:21: DEBUG: check and compare ids : value mismatch (IPv4_subnet)
    2011-01-05 11:27:21: DEBUG: cmpid target: '10.1.1.5/30'
    2011-01-05 11:27:21: DEBUG: cmpid source: '192.168.168.0/24'
    

    The phase 2 subnets do not match between the peers.

    Normally the phase 2 subnets are mirrors of each other, such as:

    Site A:

    sainfo address 192.168.254.0/24 any address 192.168.10.0/24 any {
            encryption_algorithm 3des;
            authentication_algorithm hmac_sha1;
            compression_algorithm deflate;
            lifetime time 3600 secs;
    }
    

    Site B:

    sainfo address 192.168.10.0/24 any address 192.168.254.0/24 any {
            encryption_algorithm 3des;
            authentication_algorithm hmac_sha1;
            compression_algorithm deflate;
            lifetime time 3600 secs;
    }
    

    IPsec tunnels have no address themselves.

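    As an added illustration (not code from this thread or from pfSense), a small Python check that parses the sainfo headers from two racoon.conf files and reports any selector that is not mirrored on the other side; the sample configurations are constructed, with SITE_B_BAD reproducing the tunnel-/30 mistake from the original post.

```python
import re

# Constructed sample configs (not from the thread), modelled on the sainfo
# blocks above. Each sainfo names (local subnet, remote subnet); the peer's
# block must name the same two subnets in the opposite order.
SITE_A_CONF = """
sainfo address 192.168.254.0/24 any address 192.168.10.0/24 any {
        encryption_algorithm 3des;
}
"""
SITE_B_GOOD = """
sainfo address 192.168.10.0/24 any address 192.168.254.0/24 any {
        encryption_algorithm 3des;
}
"""
# The failure mode in the thread: the remote side of the selector is a
# tunnel /30 instead of the peer's LAN, so racoon can never match a sainfo
# and logs "failed to get sainfo".
SITE_B_BAD = """
sainfo address 192.168.10.0/24 any address 10.1.1.6/30 any {
        encryption_algorithm 3des;
}
"""

# Matches the header line of a sainfo block: "sainfo address L any address R any {"
SAINFO_RE = re.compile(
    r"^\s*sainfo\s+address\s+(\S+)\s+any\s+address\s+(\S+)\s+any", re.MULTILINE)


def sainfo_pairs(conf):
    """Return the set of (local_subnet, remote_subnet) selectors declared in conf."""
    return set(SAINFO_RE.findall(conf))


def mirror_mismatches(conf_a, conf_b):
    """Selectors on each side with no mirrored (remote, local) counterpart on the
    other side. Both sets empty means the phase 2 IDs will line up."""
    a, b = sainfo_pairs(conf_a), sainfo_pairs(conf_b)
    unmatched_a = {(loc, rmt) for loc, rmt in a if (rmt, loc) not in b}
    unmatched_b = {(loc, rmt) for loc, rmt in b if (rmt, loc) not in a}
    return unmatched_a, unmatched_b


if __name__ == "__main__":
    for name, conf_b in (("good", SITE_B_GOOD), ("bad", SITE_B_BAD)):
        ua, ub = mirror_mismatches(SITE_A_CONF, conf_b)
        print(f"{name}: unmatched on A={sorted(ua)} unmatched on B={sorted(ub)}")
```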


  • @jimp:

    You got that last racoon error (address already in use) most likely because racoon was already running and needed to be killed first.

    However this may be the real issue:

    2011-01-05 11:27:21: DEBUG: getsainfo params: loc='10.1.1.5/30' rmt='172.26.0.0/24' peer='y.y.y.y' client='y.y.y.y' id=0
    2011-01-05 11:27:21: DEBUG: evaluating sainfo: loc='192.168.168.0/24', rmt='10.1.1.6/30', peer='ANY', id=0
    2011-01-05 11:27:21: DEBUG: check and compare ids : value mismatch (IPv4_subnet)
    2011-01-05 11:27:21: DEBUG: cmpid target: '10.1.1.5/30'
    2011-01-05 11:27:21: DEBUG: cmpid source: '192.168.168.0/24'
    

    The phase 2 subnets do not match between the peers.

    Normally the phase 2 subnets are mirrors of each other, such as:

    Site A:

    sainfo address 192.168.254.0/24 any address 192.168.10.0/24 any {
            encryption_algorithm 3des;
            authentication_algorithm hmac_sha1;
            compression_algorithm deflate;
            lifetime time 3600 secs;
    }
    

    Site B:

    sainfo address 192.168.10.0/24 any address 192.168.254.0/24 any {
            encryption_algorithm 3des;
            authentication_algorithm hmac_sha1;
            compression_algorithm deflate;
            lifetime time 3600 secs;
    }
    

    IPsec tunnels have no address themselves.

    Wow! This fixed it for me. Outstanding, my friend. I was working under the understanding that IPsec tunnels had a 'gateway IP'. Everything is working now :)

