Only the Best –>>> PIX Static IP ---- pfSense Dynamic IP (Site to Site)



  • Cannot connect remote site to PIX. Remote device is pfSense and it is using a dynamic IP and initiates the connection.

    PIX has a static IP.

    Debug

    SENDING PACKET to XXX.XXX.XXX.XXX
    ISAKMP Header
      Initiator COOKIE: d9 24 1c 9b 7c df f7 55
      Responder COOKIE: a7 84 d6 76 d7 38 03 b1
      Next Payload: Security Association
      Version: 1.0
      Exchange Type: Identity Protection (Main Mode)
      Flags: (none)
      MessageID: 00000000
      Length: 108
      Payload Security Association
        Next Payload: Vendor ID
        Reserved: 00
        Payload Length: 56
        DOI: IPsec
        Situation:(SIT_IDENTITY_ONLY)
        Payload Proposal
          Next Payload: None
          Reserved: 00
          Payload Length: 44
          Proposal #: 1
          Protocol-Id: PROTO_ISAKMP
          SPI Size: 0
          # of transforms: 1
          Payload Transform
            Next Payload: None
            Reserved: 00
            Payload Length: 36
            Transform #: 1
            Transform-Id: KEY_IKE
            Reserved2: 0000
            Encryption Algorithm: 3DES-CBC
            Hash Algorithm: SHA1
            Group Description: Group 2
            Authentication Method: Preshared key
            Life Type: seconds
            Life Duration (Hex): 00 01 51 80
      Payload Vendor ID
        Next Payload: None
        Reserved: 00
        Payload Length: 24
        Data (In Hex):
          40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
          c0 00 00 00

    IKE Recv RAW packet dump
    d9 24 1c 9b 7c df f7 55 a7 84 d6 76 d7 38 03 b1    |  .$..|..U...v.8..
    04 10 02 00 00 00 00 00 00 00 00 b4 0a 00 00 84    |  ................
    80 e8 95 6e 06 c1 4b 38 f0 30 74 11 63 73 af 24    |  ...n..K8.0t.cs.$
    42 4a 21 fe 6d 0b 50 44 6e 42 b5 d3 3b 8a f8 62    |  BJ!.m.PDnB..;..b
    c1 e3 c0 19 f1 75 7b 2e 3a e2 43 e0 4a 86 7e cb    |  .....u{.:.C.J.~.
    a4 95 08 83 e5 0c 3f 1f 77 35 27 fb ec bb c1 4d    |  ......?.w5'....M
    28 79 0a 7b d9 3c d9 57 61 f3 ce be 7d 30 95 d0    |  (y.{.<.Wa...}0..
    fa cc 9c b7 ad 39 cc ea 8a 5e 11 5f f6 9b ae 93    |  .....9...^._....
    60 5f 1f 85 2a 41 c4 89 43 5e b9 68 3d b3 e4 c8    |  `_..*A..C^.h=...
    02 c6 75 73 6e a6 fd 72 0e 48 80 9b 26 3c ed 25    |  ..usn..r.H..&<.%
    00 00 00 14 85 29 50 e8 2b 00 d1 47 85 70 18 13    |  .....)P.+..G.p..
    fd 49 cc ef                                        |  .I..

    RECV PACKET from XXX.XXX.XXX.XXX
    ISAKMP Header
      Initiator COOKIE: d9 24 1c 9b 7c df f7 55
      Responder COOKIE: a7 84 d6 76 d7 38 03 b1
      Next Payload: Key Exchange
      Version: 1.0
      Exchange Type: Identity Protection (Main Mode)
      Flags: (none)
      MessageID: 00000000
      Length: 180
      Payload Key Exchange
        Next Payload: Nonce
        Reserved: 00
        Payload Length: 132
        Data:
          80 e8 95 6e 06 c1 4b 38 f0 30 74 11 63 73 af 24
          42 4a 21 fe 6d 0b 50 44 6e 42 b5 d3 3b 8a f8 62
          c1 e3 c0 19 f1 75 7b 2e 3a e2 43 e0 4a 86 7e cb
          a4 95 08 83 e5 0c 3f 1f 77 35 27 fb ec bb c1 4d
          28 79 0a 7b d9 3c d9 57 61 f3 ce be 7d 30 95 d0
          fa cc 9c b7 ad 39 cc ea 8a 5e 11 5f f6 9b ae 93
          60 5f 1f 85 2a 41 c4 89 43 5e b9 68 3d b3 e4 c8
          02 c6 75 73 6e a6 fd 72 0e 48 80 9b 26 3c ed 25
      Payload Nonce
        Next Payload: None
        Reserved: 00
        Payload Length: 20
        Data:
          85 29 50 e8 2b 00 d1 47 85 70 18 13 fd 49 cc ef
    Jan 25 06:58:11 [IKEv1]: IP = XXX.XXX.XXX.XXX, IKE DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 180
    Jan 25 06:58:11 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.XXX, processing ke payload
    Jan 25 06:58:11 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.XXX, processing ISA_KE
    Jan 25 06:58:11 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.XXX, processing nonce payload
    Jan 25 06:58:11 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.XXX, constructing ke payload
    Jan 25 06:58:11 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.XXX, constructing nonce payload
    Jan 25 06:58:11 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.XXX, constructing Cisco Unity VID payload
    Jan 25 06:58:11 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.XXX, constructing xauth V6 VID payload
    Jan 25 06:58:11 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.XXX, Send IOS VID
    Jan 25 06:58:11 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.XXX, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
    Jan 25 06:58:11 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.XXX, constructing VID payload
    Jan 25 06:58:11 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.XXX, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
    Jan 25 06:58:11 [IKEv1]: IP = XXX.XXX.XXX.XXX, Connection landed on tunnel_group DefaultRAGroup
    Jan 25 06:58:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = XXX.XXX.XXX.XXX, Generating keys for Responder...
    Jan 25 06:58:11 [IKEv1]: IP = XXX.XXX.XXX.XXX, IKE DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256

    SENDING PACKET to XXX.XXX.XXX.XXX
    ISAKMP Header
      Initiator COOKIE: d9 24 1c 9b 7c df f7 55
      Responder COOKIE: a7 84 d6 76 d7 38 03 b1
      Next Payload: Key Exchange
      Version: 1.0
      Exchange Type: Identity Protection (Main Mode)
      Flags: (none)
      MessageID: 00000000
      Length: 256
      Payload Key Exchange
        Next Payload: Nonce
        Reserved: 00
        Payload Length: 132
        Data:
          1c 96 72 24 2c 1b fa d3 32 47 82 96 a7 65 e0 39
          a8 2a 1e b1 71 16 92 33 12 aa a3 4a 41 90 02 ac
          0c a6 5d 5c d5 2d 05 d6 83 c1 ae a3 a6 2b e8 e5
          b0 50 fb b6 8b cd b4 50 6d 8f fc 32 6b c3 07 92
          2e 61 43 5a 7e 86 14 b9 ae bf ea a7 bf 3f d4 c8
          d2 76 e5 3b 80 35 19 6e f2 bc 9b ff be e1 1e 7a
          83 c2 d1 87 e1 0e a6 89 0c 25 4c a6 f9 99 73 ab
          3d 3c b3 a2 44 2f e5 3b 98 f9 61 81 b4 97 14 c0
      Payload Nonce
        Next Payload: Vendor ID
        Reserved: 00
        Payload Length: 24
        Data:
          5f b2 63 b9 08 b7 c1 7c 0a fa e1 02 20 bc b8 c7
          e8 3d ac ea
      Payload Vendor ID
        Next Payload: Vendor ID
        Reserved: 00
        Payload Length: 20
        Data (In Hex):
          12 f5 f2 8c 45 71 68 a9 70 2d 9f e2 74 cc 01 00
      Payload Vendor ID
        Next Payload: Vendor ID
        Reserved: 00
        Payload Length: 12
        Data (In Hex): 09 00 26 89 df d6 b7 12
      Payload Vendor ID
        Next Payload: Vendor ID
        Reserved: 00
        Payload Length: 20
        Data (In Hex):
          52 43 71 6b d7 39 03 b1 44 10 04 f9 45 a5 5b bc
      Payload Vendor ID
        Next Payload: None
        Reserved: 00
        Payload Length: 20
        Data (In Hex):
          1f 07 f7 0e aa 65 14 d3 b0 fa 96 54 2a 50 01 00

    IKE Recv RAW packet dump
    d9 24 1c 9b 7c df f7 55 a7 84 d6 76 d7 38 03 b1    |  .$..|..U...v.8..
    05 10 02 01 00 00 00 00 00 00 00 44 22 86 54 ea    |  ...........D".T.
    47 7d 1c e9 7f e2 9a 67 7e 8b 47 a3 63 f5 48 68    |  G}..⌂..g~.G.c.Hh
    bd d7 0c ff 08 f5 4a 97 fe de 33 5c 4c a7 2e af    |  ......J...3\L...
    93 17 85 19                                        |  ....

    RECV PACKET from XXX.XXX.XXX.XXX
    ISAKMP Header
      Initiator COOKIE: d9 24 1c 9b 7c df f7 55
      Responder COOKIE: a7 84 d6 76 d7 38 03 b1
      Next Payload: Identification
      Version: 1.0
      Exchange Type: Identity Protection (Main Mode)
      Flags: (Encryption)
      MessageID: 00000000
      Length: 68

    AFTER DECRYPTION
    ISAKMP Header
      Initiator COOKIE: d9 24 1c 9b 7c df f7 55
      Responder COOKIE: a7 84 d6 76 d7 38 03 b1
      Next Payload: Identification
      Version: 1.0
      Exchange Type: Identity Protection (Main Mode)
      Flags: (Encryption)
      MessageID: 00000000
      Length: 68
      Payload Identification
        Next Payload: Hash
        Reserved: 00
        Payload Length: 15
        ID Type: FQDN (2)
        Protocol ID (UDP/TCP, etc...): 0
        Port: 0
        ID Data: urb.lan
      Payload Hash
        Next Payload: None
        Reserved: 00
        Payload Length: 24
        Data:
          b5 16 23 1b 1f 83 4e 11 a2 df 3e 99 62 51 cb da
          cd 93 f6 22
    Jan 25 06:58:12 [IKEv1]: IP = XXX.XXX.XXX.XXX, IKE DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 67
    Jan 25 06:58:12 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = XXX.XXX.XXX.XXX, Processing ID
    Jan 25 06:58:12 [IKEv1 DECODE]: ID_FQDN ID received, len 7
    0000: 7572622E 6C616E                        urb.lan

    Jan 25 06:58:12 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = XXX.XXX.XXX.XXX, processing hash
    Jan 25 06:58:12 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = XXX.XXX.XXX.XXX, computing hash
    Jan 25 06:58:12 [IKEv1]: IP = XXX.XXX.XXX.XXX, Connection landed on tunnel_group DefaultRAGroup
    Jan 25 06:58:12 [IKEv1]: Group = DefaultRAGroup, IP = XXX.XXX.XXX.XXX, Client is using an unsupported Transaction Mode v2 version.Tunnel terminated.
    Jan 25 06:58:12 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = XXX.XXX.XXX.XXX, IKE MM Responder FSM error history (struct &0x252f370)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_BLD_MSG6, EV_BLOCK_V2-->MM_BLD_MSG6, EV_CHECK_NAT_T-->MM_BLD_MSG6, EV_GROUP_LOOKUP
    Jan 25 06:58:12 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = XXX.XXX.XXX.XXX, IKE SA MM:76d684a7 terminating:  flags 0x01000002, refcnt 0, tuncnt 0
    Jan 25 06:58:12 [IKEv1 DEBUG]: sending delete/delete with reason message
    Jan 25 06:58:12 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = XXX.XXX.XXX.XXX, constructing blank hash
    Jan 25 06:58:12 [IKEv1 DEBUG]: constructing IKE delete payload
    Jan 25 06:58:12 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = XXX.XXX.XXX.XXX, constructing qm hash
    Jan 25 06:58:12 [IKEv1]: IP = XXX.XXX.XXX.XXX, IKE DECODE SENDING Message (msgid=88ddcf55) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80

    BEFORE ENCRYPTION
    RAW PACKET DUMP on SEND
    d9 24 1c 9b 7c df f7 55 a7 84 d6 76 d7 38 03 b1    |  .$..|..U...v.8..
    08 10 05 00 55 cf dd 88 1c 00 00 00 0c 00 00 18    |  ....U...........
    5e f5 76 46 08 41 f8 38 14 ed 80 aa 42 08 fe 44    |  ^.vF.A.8....B..D
    7d f0 08 45 00 00 00 1c 00 00 00 01 01 10 00 01    |  }..E............
    d9 24 1c 9b 7c df f7 55 a7 84 d6 76 d7 38 03 b1    |  .$..|..U...v.8..

    ISAKMP Header
      Initiator COOKIE: d9 24 1c 9b 7c df f7 55
      Responder COOKIE: a7 84 d6 76 d7 38 03 b1
      Next Payload: Hash
      Version: 1.0
      Exchange Type: Informational
      Flags: (none)
      MessageID: 55CFDD88
      Length: 469762048
      Payload Hash
        Next Payload: Delete
        Reserved: 00
        Payload Length: 24
        Data:
          5e f5 76 46 08 41 f8 38 14 ed 80 aa 42 08 fe 44
          7d f0 08 45
      Payload Delete
        Next Payload: None
        Reserved: 00
        Payload Length: 28
        DOI: IPsec
        Protocol-ID: PROTO_ISAKMP
        Spi Size: 16
        # of SPIs: 1
        SPI (Hex dump):
          d9 24 1c 9b 7c df f7 55 a7 84 d6 76 d7 38 03 b1

    ISAKMP Header
      Initiator COOKIE: d9 24 1c 9b 7c df f7 55
      Responder COOKIE: a7 84 d6 76 d7 38 03 b1
      Next Payload: Hash
      Version: 1.0
      Exchange Type: Informational
      Flags: (Encryption)
      MessageID: 88DDCF55
      Length: 84
    Jan 25 06:58:12 [IKEv1]: Group = DefaultRAGroup, IP = XXX.XXX.XXX.XXX, Removing peer from peer table failed, no match!
    Jan 25 06:58:12 [IKEv1]: Group = DefaultRAGroup, IP = XXX.XXX.XXX.XXX, Error: Unable to remove PeerTblEntry
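To make the dumps in this post easier to read, here is an added example (my own code, not from the thread, pfSense or Cisco) that decodes the ISAKMP header and walks the payload chain of the raw main-mode message 4 quoted above, checking every length field against the bytes actually received. Message 5 arrived encrypted, so the block rebuilds it from the fields the PIX printed after decryption; that message is constructed, and carries the encryption flag clear only so the chain can be walked. The identity check at the end models the rule a strict main-mode responder applies to the peer's ID payload, which is the rule behind the racoon error "Expecting IP address type in main mode, but FQDN" that appears later in this thread.

```python
# Added example (not from the thread, pfSense or Cisco): a minimal RFC 2408 ISAKMP decoder.
# RAW_MSG4 is the PIX dump of message 4 quoted above; build_msg5() is CONSTRUCTED from the decoded message 5 fields.
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ID_TYPES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN", 5: "ID_IPV6_ADDR", 11: "ID_KEY_ID"}
FLAG_ENCRYPTION = 0x01
HEADER_LEN = 28
ID_PAYLOAD = 5

RAW_MSG4 = """
d9 24 1c 9b 7c df f7 55 a7 84 d6 76 d7 38 03 b1    |  .$..|..U...v.8..
04 10 02 00 00 00 00 00 00 00 00 b4 0a 00 00 84    |  ................
80 e8 95 6e 06 c1 4b 38 f0 30 74 11 63 73 af 24    |  ...n..K8.0t.cs.$
42 4a 21 fe 6d 0b 50 44 6e 42 b5 d3 3b 8a f8 62    |  BJ!.m.PDnB..;..b
c1 e3 c0 19 f1 75 7b 2e 3a e2 43 e0 4a 86 7e cb    |  .....u{.:.C.J.~.
a4 95 08 83 e5 0c 3f 1f 77 35 27 fb ec bb c1 4d    |  ......?.w5'....M
28 79 0a 7b d9 3c d9 57 61 f3 ce be 7d 30 95 d0    |  (y.{.<.Wa...}0..
fa cc 9c b7 ad 39 cc ea 8a 5e 11 5f f6 9b ae 93    |  .....9...^._....
60 5f 1f 85 2a 41 c4 89 43 5e b9 68 3d b3 e4 c8    |  `_..*A..C^.h=...
02 c6 75 73 6e a6 fd 72 0e 48 80 9b 26 3c ed 25    |  ..usn..r.H..&<.%
00 00 00 14 85 29 50 e8 2b 00 d1 47 85 70 18 13    |  .....)P.+..G.p..
fd 49 cc ef                                        |  .I..
"""

@dataclass
class Payload:
    ptype: int
    length: int
    body: bytes
    id_type: Optional[int] = None  # set only for Identification payloads
    id_data: bytes = b""

@dataclass
class IsakmpMessage:
    icookie: bytes
    rcookie: bytes
    exchange_type: int
    flags: int
    message_id: int
    length: int
    payloads: List[Payload] = field(default_factory=list)

def from_dump(text: str) -> bytes:
    # PIX-style dump: hex bytes, '|', ASCII column; only the part before the first '|' is data
    return bytes(int(tok, 16) for line in text.strip().splitlines() for tok in line.split("|", 1)[0].split())

def parse_isakmp(raw: bytes) -> IsakmpMessage:
    """Parse the 28-byte header, then walk the Next Payload chain with bounds checks."""
    if len(raw) < HEADER_LEN:
        raise ValueError("packet shorter than the ISAKMP header")
    icookie, rcookie, nxt, version, exch, flags, msgid, length = struct.unpack("!8s8sBBBBII", raw[:HEADER_LEN])
    if length != len(raw):
        raise ValueError(f"header length {length} != bytes received {len(raw)}")
    msg = IsakmpMessage(icookie, rcookie, exch, flags, msgid, length)
    if flags & FLAG_ENCRYPTION:
        return msg  # body is ciphertext: only the header is decodable
    off = HEADER_LEN
    while nxt != 0:
        if off + 4 > len(raw):
            raise ValueError("truncated generic payload header")
        following, _reserved, plen = struct.unpack("!BBH", raw[off:off + 4])
        if plen < 4 or off + plen > len(raw):
            raise ValueError(f"payload type {nxt} at offset {off} has bad length {plen}")
        body = raw[off + 4:off + plen]
        p = Payload(nxt, plen, body)
        if nxt == ID_PAYLOAD and len(body) >= 4:  # ID type, protocol id, port(2), then data
            p.id_type, p.id_data = body[0], body[4:]
        msg.payloads.append(p)
        off += plen
        nxt = following
    if off != len(raw):
        raise ValueError(f"{len(raw) - off} trailing bytes after the last payload")
    return msg

def build_msg5(id_type: int, id_data: bytes) -> bytes:
    """CONSTRUCTED message 5 (ID + HASH) with the cookies and hash the PIX printed; flags=0 so it parses."""
    icookie, rcookie = bytes.fromhex("d9241c9b7cdff755"), bytes.fromhex("a784d676d73803b1")
    hash_data = bytes.fromhex("b516231b1f834e11a2df3e996251cbdacd93f622")
    id_payload = struct.pack("!BBHBBH", 8, 0, 8 + len(id_data), id_type, 0, 0) + id_data
    hash_payload = struct.pack("!BBH", 0, 0, 4 + len(hash_data)) + hash_data
    body = id_payload + hash_payload
    header = struct.pack("!8s8sBBBBII", icookie, rcookie, ID_PAYLOAD, 0x10, 2, 0, 0, HEADER_LEN + len(body))
    return header + body

def check_main_mode_identity(msg: IsakmpMessage, accepted=(1, 5)) -> Tuple[bool, str]:
    """Model a strict PSK main-mode responder (racoon's rule): only address identities are accepted."""
    ids = [p for p in msg.payloads if p.ptype == ID_PAYLOAD]
    if not ids:
        return False, "no Identification payload"
    t = ids[0].id_type
    if t in accepted:
        return True, f"peer identity {ID_TYPES.get(t, t)} accepted"
    return False, f"Expecting IP address type in main mode, but {ID_TYPES.get(t, t)} {ids[0].id_data!r}"

if __name__ == "__main__":
    print([(p.ptype, p.length) for p in parse_isakmp(from_dump(RAW_MSG4)).payloads])
    print(check_main_mode_identity(parse_isakmp(build_msg5(2, b"urb.lan"))))
```

The decoded lengths agree with what the PIX printed: 180 bytes for message 4 with KE (132) and NONCE (20) payloads, and 67 bytes for the rebuilt ID + HASH message, the same "total length : 67" the PIX logged even though the encrypted packet on the wire was padded to 68. Corrupting a payload length field in the dump makes the parser refuse the packet instead of reading past the buffer.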



  • Can you add the pfSense config and the pfSense ipsec logs too? Just use placeholders for secrets/public IPs and so on for posting here.



  • Update - I noticed that in the PIX, when using "isakmp key ***** address 0.0.0.0 netmask 0.0.0.0", it used the DefaultRAGroup --> I removed the pre-shared key from that group and added it to the DefaultL2LGroup, and on the PIX it looks like phase 1 is getting further....

    But this is the config and log from pfSense, which still indicates phase 1 is failing.

    <remote-subnet>192.168.0.0/16</remote-subnet>
    <remote-gateway>XXX.XXX.XXX.XXX</remote-gateway>
    <mode>main</mode>
    <myident><fqdn>xxx.xxx.xxx.xxX</fqdn> (Tried Domain Name as well)</myident>
    <encryption-algorithm>3des</encryption-algorithm>
    <hash-algorithm>sha1</hash-algorithm>
    <dhgroup>2</dhgroup><lifetime>86400</lifetime>
    <pre-shared-key>***********</pre-shared-key>
    <private-key/><cert/><peercert/><authentication_method>pre_shared_key</authentication_method>

    <protocol>esp</protocol>
    <encryption-algorithm-option>3des</encryption-algorithm-option>

    <hash-algorithm-option>hmac_sha1</hash-algorithm-option>

    <pfsgroup>0</pfsgroup>

    <lifetime>43200</lifetime>

    <descr>cORP LAN</descr>
    <pinghost>192.168.5.2</pinghost>

    Logs

    racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
    Jan 25 04:39:59 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
    Jan 25 04:40:00 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP Corp_lan[500]->remote_lan[500]
    Jan 25 04:40:00 racoon: INFO: delete phase 2 handler.
    Jan 25 04:40:02 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
    Jan 25 04:40:09 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP Corp_lan[500]->remote_lan[500]
    Jan 25 04:40:09 racoon: INFO: delete phase 2 handler.
    Jan 25 04:40:09 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
    Jan 25 04:40:16 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP Corp_lan[500]->remote_lan[500]
    Jan 25 04:40:16 racoon: INFO: delete phase 2 handler.
    Jan 25 04:40:21 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
    Jan 25 04:40:29 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP Corp_lan[500]->remote_lan[500]
    Jan 25 04:40:29 racoon: INFO: delete phase 2 handler.
    Jan 25 04:40:29 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
    Jan 25 04:40:30 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP Corp_lan[500]->remote_lan[500]
    Jan 25 04:40:30 racoon: INFO: delete phase 2 handler.
    Jan 25 04:40:33 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP Corp_lan[500]->remote_lan[500]
    Jan 25 04:40:33 racoon: INFO: delete phase 2 handler.
    Jan 25 04:40:38 racoon: ERROR: phase1 negotiation failed due to time up. 0b0e11a47a759cc2:41e11b2ae20b8eb4
    Jan 25 04:40:40 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP Corp_lan[500]->remote_lan[500]
    Jan 25 04:40:40 racoon: INFO: delete phase 2 handler.
    Jan 25 04:40:42 racoon: INFO: IPsec-SA request for Corp_lan queued due to no phase1 found.
    Jan 25 04:40:42 racoon: INFO: initiate new phase 1 negotiation: remote_lan[500]<=>Corp_lan[500]
    Jan 25 04:40:42 racoon: INFO: begin Identity Protection mode.
    Jan 25 04:40:43 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Jan 25 04:40:43 racoon: INFO: received Vendor ID: CISCO-UNITY
    Jan 25 04:40:43 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Jan 25 04:40:43 racoon: INFO: received Vendor ID: DPD
    Jan 25 04:40:43 racoon: ERROR: Expecting IP address type in main mode, but FQDN.
    Jan 25 04:40:43 racoon: ERROR: invalid ID payload.
    Jan 25 04:40:49 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
    Jan 25 04:40:52 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
    Jan 25 04:40:52 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP Corp_lan[500]->remote_lan[500]
    Jan 25 04:40:52 racoon: INFO: delete phase 2 handler.
    Jan 25 04:40:53 racoon: INFO: received Vendor ID: DPD
    Jan 25 04:40:53 racoon: ERROR: Expecting IP address type in main mode, but FQDN.
    Jan 25 04:40:53 racoon: ERROR: invalid ID payload.
    Jan 25 04:40:58 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
    Jan 25 04:41:00 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP Corp_lan[500]->remote_lan[500]
    Jan 25 04:41:00 racoon: INFO: delete phase 2 handler.
    Jan 25 04:41:01 racoon: ERROR: ignore information because ISAKMP-SA has not been established yet.
    Jan 25 04:41:03 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
    Jan 25 04:41:03 racoon: INFO: received Vendor ID: DPD
    Jan 25 04:41:03 racoon: ERROR: Expecting IP address type in main mode, but FQDN.
    Jan 25 04:41:03 racoon: ERROR: invalid ID payload.
    Jan 25 04:41:03 racoon: ERROR: ignore information because ISAKMP-SA has not been established yet.
    Jan 25 04:41:07 last message repeated 2 times
    Jan 25 04:41:12 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
    Jan 25 04:41:13 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP Corp_lan[500]->remote_lan[500]
    Jan 25 04:41:13 racoon: INFO: delete phase 2 handler.
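Most of the racoon log above is follow-on noise: phase 2 requests are queued and time out because there is no phase 1 yet. The two lines that matter are "Expecting IP address type in main mode, but FQDN" and "invalid ID payload". Here is an added example (my own code, not pfSense's or racoon's) that classifies such lines and reports the root cause ahead of the symptoms; the sample lines are copied from the post, while the rule set, the category names and the advice strings are the example's own.

```python
# Added example, not pfSense or racoon code. SAMPLE_LOG lines are copied from the post above;
# the categories, rule order and advice strings are this example's own.
import re
from collections import Counter
from typing import Dict, Iterable, Tuple

# (pattern, category, root_cause) in priority order; a root cause outranks the symptoms below it.
RULES = [
    (re.compile(r"Expecting .* type in main mode, but \w+"), "peer-id-type-mismatch", True),
    (re.compile(r"phase1 negotiation failed due to time up"), "phase1-timeout", True),
    (re.compile(r"invalid ID payload"), "invalid-id-payload", False),
    (re.compile(r"phase2 negotiation failed due to time up waiting for phase1"), "phase2-waiting-on-phase1", False),
    (re.compile(r"queued due to no phase1 found"), "phase2-queued", False),
    (re.compile(r"ISAKMP-SA has not been established yet"), "info-before-sa", False),
    (re.compile(r"received Vendor ID: "), "vendor-id", False),
]
ADVICE = {
    "peer-id-type-mismatch": "the peer identifies itself with a non-address ID in main mode; change the identity "
                             "type the peer sends (on a PIX the isakmp identity setting), not the phase 2 settings",
    "phase1-timeout": "no usable phase 1 reply: check that the proposal (3des/sha1/DH group 2) and the PSK match",
}

# Constructed sample: a subset of the racoon lines from the post, in their original order.
SAMPLE_LOG = """
Jan 25 04:40:29 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP Corp_lan[500]->remote_lan[500]
Jan 25 04:40:38 racoon: ERROR: phase1 negotiation failed due to time up. 0b0e11a47a759cc2:41e11b2ae20b8eb4
Jan 25 04:40:42 racoon: INFO: initiate new phase 1 negotiation: remote_lan[500]<=>Corp_lan[500]
Jan 25 04:40:43 racoon: INFO: received Vendor ID: CISCO-UNITY
Jan 25 04:40:43 racoon: ERROR: Expecting IP address type in main mode, but FQDN.
Jan 25 04:40:43 racoon: ERROR: invalid ID payload.
Jan 25 04:40:49 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Jan 25 04:40:53 racoon: ERROR: Expecting IP address type in main mode, but FQDN.
Jan 25 04:40:53 racoon: ERROR: invalid ID payload.
Jan 25 04:41:01 racoon: ERROR: ignore information because ISAKMP-SA has not been established yet.
"""

def classify(line: str) -> Tuple[str, bool]:
    """Return (category, is_root_cause) for one racoon line; unmatched lines are 'other'."""
    for pat, cat, root in RULES:
        if pat.search(line):
            return cat, root
    return "other", False

def triage(lines: Iterable[str]) -> Dict:
    """Count lines per category and list root causes in rule priority, each with its first occurrence."""
    counts: Counter = Counter()
    first_seen: Dict[str, str] = {}
    for line in lines:
        cat, root = classify(line)
        counts[cat] += 1
        if root:
            first_seen.setdefault(cat, line.strip())
    root_causes = [(cat, first_seen[cat]) for _, cat, root in RULES if root and cat in first_seen]
    return {"counts": dict(counts), "root_causes": root_causes, "advice": [ADVICE[c] for c, _ in root_causes]}

if __name__ == "__main__":
    report = triage(SAMPLE_LOG.strip().splitlines())
    for cat, line in report["root_causes"]:
        print(f"{cat}: {line}")
    for hint in report["advice"]:
        print("  ->", hint)
```

Run on the sample, the identity-type mismatch is listed first because it outranks the earlier phase 1 timeout in the rule order; the phase 2 timeouts and queued requests are counted but never reported as causes, which matches the thread's outcome that the fix was a phase 1 identity setting on the PIX, not anything in the phase 2 configuration.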



  • Got it!

    On the PIX side I needed "isakmp identity auto"



  • Cool  :D

