    Only the Best –>>> PIX Static IP ---- pfSense Dynamic IP (Site to Site)

    IPsec
      maynarja:

      Cannot connect remote site to PIX. Remote device is pfSense and it is using dynamic IP and initiates the connection.

      PIX has a static IP.

      Debug

      SENDING PACKET to XXX.XXX.XXX.XXX
      ISAKMP Header
        Initiator COOKIE: d9 24 1c 9b 7c df f7 55
        Responder COOKIE: a7 84 d6 76 d7 38 03 b1
        Next Payload: Security Association
        Version: 1.0
        Exchange Type: Identity Protection (Main Mode)
        Flags: (none)
        MessageID: 00000000
        Length: 108
        Payload Security Association
          Next Payload: Vendor ID
          Reserved: 00
          Payload Length: 56
          DOI: IPsec
          Situation:(SIT_IDENTITY_ONLY)
          Payload Proposal
            Next Payload: None
            Reserved: 00
            Payload Length: 44
            Proposal #: 1
            Protocol-Id: PROTO_ISAKMP
            SPI Size: 0
            # of transforms: 1
            Payload Transform
              Next Payload: None
              Reserved: 00
              Payload Length: 36
              Transform #: 1
              Transform-Id: KEY_IKE
              Reserved2: 0000
              Encryption Algorithm: 3DES-CBC
              Hash Algorithm: SHA1
              Group Description: Group 2
              Authentication Method: Preshared key
              Life Type: seconds
              Life Duration (Hex): 00 01 51 80
        Payload Vendor ID
          Next Payload: None
          Reserved: 00
          Payload Length: 24
          Data (In Hex):
            40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
            c0 00 00 00

      IKE Recv RAW packet dump

      RECV PACKET from XXX.XXX.XXX.XXX
      ISAKMP Header
        Initiator COOKIE: d9 24 1c 9b 7c df f7 55
        Responder COOKIE: a7 84 d6 76 d7 38 03 b1
        Next Payload: Key Exchange
        Version: 1.0
        Exchange Type: Identity Protection (Main Mode)
        Flags: (none)
        MessageID: 00000000
        Length: 180
        Payload Key Exchange
          Next Payload: Nonce
          Reserved: 00
          Payload Length: 132
          Data:
            80 e8 95 6e 06 c1 4b 38 f0 30 74 11 63 73 af 24
            42 4a 21 fe 6d 0b 50 44 6e 42 b5 d3 3b 8a f8 62
            c1 e3 c0 19 f1 75 7b 2e 3a e2 43 e0 4a 86 7e cb
            a4 95 08 83 e5 0c 3f 1f 77 35 27 fb ec bb c1 4d
            28 79 0a 7b d9 3c d9 57 61 f3 ce be 7d 30 95 d0
            fa cc 9c b7 ad 39 cc ea 8a 5e 11 5f f6 9b ae 93
            60 5f 1f 85 2a 41 c4 89 43 5e b9 68 3d b3 e4 c8
            02 c6 75 73 6e a6 fd 72 0e 48 80 9b 26 3c ed 25
        Payload Nonce
          Next Payload: None
          Reserved: 00
          Payload Length: 20
          Data:
            85 29 50 e8 2b 00 d1 47 85 70 18 13 fd 49 cc ef
      Jan 25 06:58:11 [IKEv1]: IP = XXX.XXX.XXX.XXX, IKE DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 180
      Jan 25 06:58:11 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.XXX, processing ke payload
      Jan 25 06:58:11 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.XXX, processing ISA_KE
      Jan 25 06:58:11 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.XXX, processing nonce payload
      Jan 25 06:58:11 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.XXX, constructing ke payload
      Jan 25 06:58:11 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.XXX, constructing nonce payload
      Jan 25 06:58:11 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.XXX, constructing Cisco Unity VID payload
      Jan 25 06:58:11 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.XXX, constructing xauth V6 VID payload
      Jan 25 06:58:11 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.XXX, Send IOS VID
      Jan 25 06:58:11 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.XXX, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
      Jan 25 06:58:11 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.XXX, constructing VID payload
      Jan 25 06:58:11 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.XXX, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
      Jan 25 06:58:11 [IKEv1]: IP = XXX.XXX.XXX.XXX, Connection landed on tunnel_group DefaultRAGroup
      Jan 25 06:58:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = XXX.XXX.XXX.XXX, Generating keys for Responder...
      Jan 25 06:58:11 [IKEv1]: IP = XXX.XXX.XXX.XXX, IKE DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256

      SENDING PACKET to XXX.XXX.XXX.XXX
      ISAKMP Header
        Initiator COOKIE: d9 24 1c 9b 7c df f7 55
        Responder COOKIE: a7 84 d6 76 d7 38 03 b1
        Next Payload: Key Exchange
        Version: 1.0
        Exchange Type: Identity Protection (Main Mode)
        Flags: (none)
        MessageID: 00000000
        Length: 256
        Payload Key Exchange
          Next Payload: Nonce
          Reserved: 00
          Payload Length: 132
          Data:
            1c 96 72 24 2c 1b fa d3 32 47 82 96 a7 65 e0 39
            a8 2a 1e b1 71 16 92 33 12 aa a3 4a 41 90 02 ac
            0c a6 5d 5c d5 2d 05 d6 83 c1 ae a3 a6 2b e8 e5
            b0 50 fb b6 8b cd b4 50 6d 8f fc 32 6b c3 07 92
            2e 61 43 5a 7e 86 14 b9 ae bf ea a7 bf 3f d4 c8
            d2 76 e5 3b 80 35 19 6e f2 bc 9b ff be e1 1e 7a
            83 c2 d1 87 e1 0e a6 89 0c 25 4c a6 f9 99 73 ab
            3d 3c b3 a2 44 2f e5 3b 98 f9 61 81 b4 97 14 c0
        Payload Nonce
          Next Payload: Vendor ID
          Reserved: 00
          Payload Length: 24
          Data:
            5f b2 63 b9 08 b7 c1 7c 0a fa e1 02 20 bc b8 c7
            e8 3d ac ea
        Payload Vendor ID
          Next Payload: Vendor ID
          Reserved: 00
          Payload Length: 20
          Data (In Hex):
            12 f5 f2 8c 45 71 68 a9 70 2d 9f e2 74 cc 01 00
        Payload Vendor ID
          Next Payload: Vendor ID
          Reserved: 00
          Payload Length: 12
          Data (In Hex): 09 00 26 89 df d6 b7 12
        Payload Vendor ID
          Next Payload: Vendor ID
          Reserved: 00
          Payload Length: 20
          Data (In Hex):
            52 43 71 6b d7 39 03 b1 44 10 04 f9 45 a5 5b bc
        Payload Vendor ID
          Next Payload: None
          Reserved: 00
          Payload Length: 20
          Data (In Hex):
            1f 07 f7 0e aa 65 14 d3 b0 fa 96 54 2a 50 01 00

      IKE Recv RAW packet dump
      d9 24 1c 9b 7c df f7 55 a7 84 d6 76 d7 38 03 b1    |  .$..|..U…v.8..
      05 10 02 01 00 00 00 00 00 00 00 44 22 86 54 ea    |  ...........D".T.
      47 7d 1c e9 7f e2 9a 67 7e 8b 47 a3 63 f5 48 68    |  G}..⌂..g~.G.c.Hh
      bd d7 0c ff 08 f5 4a 97 fe de 33 5c 4c a7 2e af    |  ......J...3\L...
      93 17 85 19                                        |  ....

      RECV PACKET from XXX.XXX.XXX.XXX
      ISAKMP Header
        Initiator COOKIE: d9 24 1c 9b 7c df f7 55
        Responder COOKIE: a7 84 d6 76 d7 38 03 b1
        Next Payload: Identification
        Version: 1.0
        Exchange Type: Identity Protection (Main Mode)
        Flags: (Encryption)
        MessageID: 00000000
        Length: 68

      AFTER DECRYPTION
      ISAKMP Header
        Initiator COOKIE: d9 24 1c 9b 7c df f7 55
        Responder COOKIE: a7 84 d6 76 d7 38 03 b1
        Next Payload: Identification
        Version: 1.0
        Exchange Type: Identity Protection (Main Mode)
        Flags: (Encryption)
        MessageID: 00000000
        Length: 68
        Payload Identification
          Next Payload: Hash
          Reserved: 00
          Payload Length: 15
          ID Type: FQDN (2)
          Protocol ID (UDP/TCP, etc...): 0
          Port: 0
          ID Data: urb.lan
        Payload Hash
          Next Payload: None
          Reserved: 00
          Payload Length: 24
          Data:
            b5 16 23 1b 1f 83 4e 11 a2 df 3e 99 62 51 cb da
            cd 93 f6 22
      Jan 25 06:58:12 [IKEv1]: IP = XXX.XXX.XXX.XXX, IKE DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 67
      Jan 25 06:58:12 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = XXX.XXX.XXX.XXX, Processing ID
      Jan 25 06:58:12 [IKEv1 DECODE]: ID_FQDN ID received, len 7
      0000: 7572622E 6C616E                        urb.lan

      Jan 25 06:58:12 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = XXX.XXX.XXX.XXX, processing hash
      Jan 25 06:58:12 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = XXX.XXX.XXX.XXX, computing hash
      Jan 25 06:58:12 [IKEv1]: IP = XXX.XXX.XXX.XXX, Connection landed on tunnel_group DefaultRAGroup
      Jan 25 06:58:12 [IKEv1]: Group = DefaultRAGroup, IP = XXX.XXX.XXX.XXX, Client is using an unsupported Transaction Mode v2 version.Tunnel terminated.
      Jan 25 06:58:12 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = XXX.XXX.XXX.XXX, IKE MM Responder FSM error history (struct &0x252f370)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_BLD_MSG6, EV_BLOCK_V2-->MM_BLD_MSG6, EV_CHECK_NAT_T-->MM_BLD_MSG6, EV_GROUP_LOOKUP
      Jan 25 06:58:12 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = XXX.XXX.XXX.XXX, IKE SA MM:76d684a7 terminating:  flags 0x01000002, refcnt 0, tuncnt 0
      Jan 25 06:58:12 [IKEv1 DEBUG]: sending delete/delete with reason message
      Jan 25 06:58:12 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = XXX.XXX.XXX.XXX, constructing blank hash
      Jan 25 06:58:12 [IKEv1 DEBUG]: constructing IKE delete payload
      Jan 25 06:58:12 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = XXX.XXX.XXX.XXX, constructing qm hash
      Jan 25 06:58:12 [IKEv1]: IP = XXX.XXX.XXX.XXX, IKE DECODE SENDING Message (msgid=88ddcf55) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80

      BEFORE ENCRYPTION
      RAW PACKET DUMP on SEND
      d9 24 1c 9b 7c df f7 55 a7 84 d6 76 d7 38 03 b1    |  .$..|..U...v.8..
      08 10 05 00 55 cf dd 88 1c 00 00 00 0c 00 00 18    |  ....U...........
      5e f5 76 46 08 41 f8 38 14 ed 80 aa 42 08 fe 44    |  ^.vF.A.8....B..D
      7d f0 08 45 00 00 00 1c 00 00 00 01 01 10 00 01    |  }..E............
      d9 24 1c 9b 7c df f7 55 a7 84 d6 76 d7 38 03 b1    |  .$..|..U...v.8..

      ISAKMP Header
        Initiator COOKIE: d9 24 1c 9b 7c df f7 55
        Responder COOKIE: a7 84 d6 76 d7 38 03 b1
        Next Payload: Hash
        Version: 1.0
        Exchange Type: Informational
        Flags: (none)
        MessageID: 55CFDD88
        Length: 469762048
        Payload Hash
          Next Payload: Delete
          Reserved: 00
          Payload Length: 24
          Data:
            5e f5 76 46 08 41 f8 38 14 ed 80 aa 42 08 fe 44
            7d f0 08 45
        Payload Delete
          Next Payload: None
          Reserved: 00
          Payload Length: 28
          DOI: IPsec
          Protocol-ID: PROTO_ISAKMP
          Spi Size: 16
          # of SPIs: 1
          SPI (Hex dump):
            d9 24 1c 9b 7c df f7 55 a7 84 d6 76 d7 38 03 b1

      ISAKMP Header
        Initiator COOKIE: d9 24 1c 9b 7c df f7 55
        Responder COOKIE: a7 84 d6 76 d7 38 03 b1
        Next Payload: Hash
        Version: 1.0
        Exchange Type: Informational
        Flags: (Encryption)
        MessageID: 88DDCF55
        Length: 84
      Jan 25 06:58:12 [IKEv1]: Group = DefaultRAGroup, IP = XXX.XXX.XXX.XXX, Removing peer from peer table failed, no match!
      Jan 25 06:58:12 [IKEv1]: Group = DefaultRAGroup, IP = XXX.XXX.XXX.XXX, Error: Unable to remove PeerTblEntry

        hoba:

        Can you add the pfSense config and the pfSense ipsec logs too? Just use placeholders for secrets/public IPs and so on for posting here.

          maynarja:

          Update - I noticed that in the PIX, when using the "isakmp key ***** address 0.0.0.0 netmask 0.0.0.0", it used the DefaultRAGroup --> I removed the pre-shared key from that group and added it to the DefaultL2LGroup, and on the PIX it looks like phase 1 is getting further....

          But this is the config and log from pfSense, which still indicates phase 1 is failing.

          <remote-subnet>192.168.0.0/16</remote-subnet>
          <remote-gateway>XXX.XXX.XXX.XXX</remote-gateway>
          <mode>main</mode>
          <myident><fqdn>xxx.xxx.xxx.xxX</fqdn></myident> (Tried Domain Name as well)
          <encryption-algorithm>3des</encryption-algorithm>
          <hash-algorithm>sha1</hash-algorithm>
          <dhgroup>2</dhgroup><lifetime>86400</lifetime>
          <pre-shared-key>***********</pre-shared-key>
          <private-key></private-key>
          <cert></cert>
          <peercert></peercert>
          <authentication_method>pre_shared_key</authentication_method>
          <protocol>esp</protocol>
          <encryption-algorithm-option>3des</encryption-algorithm-option>
          <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
          <pfsgroup>0</pfsgroup>
          <lifetime>43200</lifetime>
          <descr>cORP LAN</descr>
          <pinghost>192.168.5.2</pinghost>

          Logs

          racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
          Jan 25 04:39:59 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
          Jan 25 04:40:00 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP Corp_lan[500]->remote_lan[500]
          Jan 25 04:40:00 racoon: INFO: delete phase 2 handler.
          Jan 25 04:40:02 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
          Jan 25 04:40:09 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP Corp_lan[500]->remote_lan[500]
          Jan 25 04:40:09 racoon: INFO: delete phase 2 handler.
          Jan 25 04:40:09 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
          Jan 25 04:40:16 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP Corp_lan[500]->remote_lan[500]
          Jan 25 04:40:16 racoon: INFO: delete phase 2 handler.
          Jan 25 04:40:21 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
          Jan 25 04:40:29 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP Corp_lan[500]->remote_lan[500]
          Jan 25 04:40:29 racoon: INFO: delete phase 2 handler.
          Jan 25 04:40:29 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
          Jan 25 04:40:30 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP Corp_lan[500]->remote_lan[500]
          Jan 25 04:40:30 racoon: INFO: delete phase 2 handler.
          Jan 25 04:40:33 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP Corp_lan[500]->remote_lan[500]
          Jan 25 04:40:33 racoon: INFO: delete phase 2 handler.
          Jan 25 04:40:38 racoon: ERROR: phase1 negotiation failed due to time up. 0b0e11a47a759cc2:41e11b2ae20b8eb4
          Jan 25 04:40:40 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP Corp_lan[500]->remote_lan[500]
          Jan 25 04:40:40 racoon: INFO: delete phase 2 handler.
          Jan 25 04:40:42 racoon: INFO: IPsec-SA request for Corp_lan queued due to no phase1 found.
          Jan 25 04:40:42 racoon: INFO: initiate new phase 1 negotiation: remote_lan[500]<=>Corp_lan[500]
          Jan 25 04:40:42 racoon: INFO: begin Identity Protection mode.
          Jan 25 04:40:43 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
          Jan 25 04:40:43 racoon: INFO: received Vendor ID: CISCO-UNITY
          Jan 25 04:40:43 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
          Jan 25 04:40:43 racoon: INFO: received Vendor ID: DPD
          Jan 25 04:40:43 racoon: ERROR: Expecting IP address type in main mode, but FQDN.
          Jan 25 04:40:43 racoon: ERROR: invalid ID payload.
          Jan 25 04:40:49 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
          Jan 25 04:40:52 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
          Jan 25 04:40:52 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP Corp_lan[500]->remote_lan[500]
          Jan 25 04:40:52 racoon: INFO: delete phase 2 handler.
          Jan 25 04:40:53 racoon: INFO: received Vendor ID: DPD
          Jan 25 04:40:53 racoon: ERROR: Expecting IP address type in main mode, but FQDN.
          Jan 25 04:40:53 racoon: ERROR: invalid ID payload.
          Jan 25 04:40:58 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
          Jan 25 04:41:00 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP Corp_lan[500]->remote_lan[500]
          Jan 25 04:41:00 racoon: INFO: delete phase 2 handler.
          Jan 25 04:41:01 racoon: ERROR: ignore information because ISAKMP-SA has not been established yet.
          Jan 25 04:41:03 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
          Jan 25 04:41:03 racoon: INFO: received Vendor ID: DPD
          Jan 25 04:41:03 racoon: ERROR: Expecting IP address type in main mode, but FQDN.
          Jan 25 04:41:03 racoon: ERROR: invalid ID payload.
          Jan 25 04:41:03 racoon: ERROR: ignore information because ISAKMP-SA has not been established yet.
          Jan 25 04:41:07 last message repeated 2 times
          Jan 25 04:41:12 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
          Jan 25 04:41:13 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP Corp_lan[500]->remote_lan[500]
          Jan 25 04:41:13 racoon: INFO: delete phase 2 handler.

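An added example, not code from the thread, pfSense or Cisco: a small ISAKMP parser that walks the payload chain the way the PIX "IKE DECODE" lines above do, decodes the ID payload, and flags the condition racoon reported ("Expecting IP address type in main mode, but FQDN"). Only the cookies, payload types and lengths come from the debug output; the DH value, nonce, hash bytes and the decrypted contents of message 5 are constructed stand-ins.

```python
import struct
from dataclasses import dataclass

# ISAKMP payload numbers (RFC 2408) as printed in the PIX "IKE DECODE" lines; IPsec DOI ID types (RFC 2407).
PAYLOAD_NAMES = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 12: "DELETE", 13: "VENDOR"}
ID_TYPES = {1: "IPV4_ADDR", 2: "FQDN", 3: "USER_FQDN", 5: "IPV6_ADDR", 11: "KEY_ID"}
MAIN_MODE, FLAG_ENCRYPTION = 2, 0x01
COOKIES = (bytes.fromhex("d9241c9b7cdff755"), bytes.fromhex("a784d676d73803b1"))  # from the thread's debug

@dataclass
class Message:
    exchange: int
    flags: int
    length: int      # Length field of the ISAKMP header
    payloads: list   # [(payload type, body bytes), ...] in chain order

    def decode_line(self) -> str:
        """Render the payload chain the way the PIX 'IKE DECODE' log line does."""
        parts = ["HDR"] + [f"{PAYLOAD_NAMES.get(t, '?')} ({t})" for t, _ in self.payloads]
        return " + ".join(parts + ["NONE (0)"])

    def payload_total(self) -> int:  # 28-byte header plus every payload; less than .length once padded
        return 28 + sum(4 + len(body) for _, body in self.payloads)

def parse_isakmp(pkt: bytes) -> Message:
    """Walk the generic payload headers (next, reserved, length) until Next Payload is NONE (0)."""
    _ic, _rc, nxt, _ver, exch, flags, _msgid, length = struct.unpack("!8s8sBBBBII", pkt[:28])
    msg, off = Message(exch, flags, length, []), 28
    while nxt != 0:
        if off + 4 > len(pkt):
            raise ValueError("payload chain runs past end of packet")
        following, _res, plen = struct.unpack("!BBH", pkt[off:off + 4])
        if plen < 4 or off + plen > len(pkt):
            raise ValueError(f"bad payload length {plen} at offset {off}")
        msg.payloads.append((nxt, pkt[off + 4:off + plen]))
        off, nxt = off + plen, following
    return msg

def parse_id_payload(body: bytes):
    """Return (ID type name, protocol, port, identity) from an ID payload body."""
    idtype, proto, port = struct.unpack("!BBH", body[:4])
    data = body[4:]
    ident = ".".join(map(str, data)) if idtype == 1 and len(data) == 4 else data.decode("ascii", "replace")
    return ID_TYPES.get(idtype, str(idtype)), proto, port, ident

def main_mode_psk_id_ok(msg: Message) -> bool:
    """Main mode derives keys from the PSK before the ID arrives, so the PSK is picked by peer address
    and a responder like racoon insists on an address-type ID; an FQDN ID is the failure in the thread."""
    return msg.exchange != MAIN_MODE or all(body[0] in (1, 5) for t, body in msg.payloads if t == 5)

def build(exch: int, flags: int, payloads, length=None, pad=b"") -> bytes:
    """Assemble a test message (constructed helper); `length` lets a padded ciphertext size be forced."""
    chain = [(payloads[i + 1][0] if i + 1 < len(payloads) else 0, d) for i, (_, d) in enumerate(payloads)]
    body = b"".join(struct.pack("!BBH", n, 0, 4 + len(d)) + d for n, d in chain) + pad
    return struct.pack("!8s8sBBBBII", COOKIES[0], COOKIES[1], payloads[0][0], 0x10, exch, flags, 0,
                       length or 28 + len(body)) + body

# Constructed stand-ins (not the real values) for message 3 (DH value + nonce) and the decrypted
# message 5 (ID_FQDN "urb.lan" + 20-byte hash; header Length 68 from cipher padding, chain sum 67).
MSG3 = build(MAIN_MODE, 0, [(4, bytes(range(128))), (10, b"\x11" * 16)])
MSG5_PLAIN = build(MAIN_MODE, FLAG_ENCRYPTION, [(5, bytes([2, 0, 0, 0]) + b"urb.lan"), (8, b"\xaa" * 20)],
                   length=68, pad=b"\x00")
```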
            maynarja:

            Got it!

            On the PIX side I needed "isakmp identity auto"

              hoba:

              Cool  :D
