Only the Best –>>> PIX Static IP ---- pfSense Dynamic IP (Site to Site)

maynarja

Cannot connect remote site to PIX. Remote device is pfsense and it is using dynamic IP and intiates the connection.

PIX has a static IP.

Debug

SENDING PACKET to XXX.XXX.XXX.XXX
ISAKMP Header
  Initiator COOKIE: d9 24 1c 9b 7c df f7 55
  Responder COOKIE: a7 84 d6 76 d7 38 03 b1
  Next Payload: Security Association
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (none)
  MessageID: 00000000
  Length: 108
  Payload Security Association
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 56
    DOI: IPsec
    Situation:(SIT_IDENTITY_ONLY)
    Payload Proposal
      Next Payload: None
      Reserved: 00
      Payload Length: 44
      Proposal #: 1
      Protocol-Id: PROTO_ISAKMP
      SPI Size: 0
      # of transforms: 1
      Payload Transform
        Next Payload: None
        Reserved: 00
        Payload Length: 36
        Transform #: 1
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: 3DES-CBC
        Hash Algorithm: SHA1
        Group Description: Group 2
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 01 51 80
  Payload Vendor ID
    Next Payload: None
    Reserved: 00
    Payload Length: 24
    Data (In Hex):
      40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
      c0 00 00 00

IKE Recv RAW packet dump
d9 24 1c 9b 7c df f7 55 a7 84 d6 76 d7 38 03 b1    |  .$..|..U…v.8..
04 10 02 00 00 00 00 00 00 00 00 b4 0a 00 00 84    |  ................
80 e8 95 6e 06 c1 4b 38 f0 30 74 11 63 73 af 24    |  ...n..K8.0t.cs.$
42 4a 21 fe 6d 0b 50 44 6e 42 b5 d3 3b 8a f8 62    |  BJ!.m.PDnB..;..b
c1 e3 c0 19 f1 75 7b 2e 3a e2 43 e0 4a 86 7e cb    |  .....u{.:.C.J.~.
a4 95 08 83 e5 0c 3f 1f 77 35 27 fb ec bb c1 4d    |  ......?.w5'....M
28 79 0a 7b d9 3c d9 57 61 f3 ce be 7d 30 95 d0    |  (y.{.<.Wa...}0..
fa cc 9c b7 ad 39 cc ea 8a 5e 11 5f f6 9b ae 93    |  .....9...^.....
60 5f 1f 85 2a 41 c4 89 43 5e b9 68 3d b3 e4 c8    |  `..*A..C^.h=...
02 c6 75 73 6e a6 fd 72 0e 48 80 9b 26 3c ed 25    |  ..usn..r.H..&<.%
00 00 00 14 85 29 50 e8 2b 00 d1 47 85 70 18 13    |  .....)P.+..G.p..
fd 49 cc ef                                        |  .I..

RECV PACKET from XXX.XXX.XXX.XXX
ISAKMP Header
  Initiator COOKIE: d9 24 1c 9b 7c df f7 55
  Responder COOKIE: a7 84 d6 76 d7 38 03 b1
  Next Payload: Key Exchange
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (none)
  MessageID: 00000000
  Length: 180
  Payload Key Exchange
    Next Payload: Nonce
    Reserved: 00
    Payload Length: 132
    Data:
      80 e8 95 6e 06 c1 4b 38 f0 30 74 11 63 73 af 24
      42 4a 21 fe 6d 0b 50 44 6e 42 b5 d3 3b 8a f8 62
      c1 e3 c0 19 f1 75 7b 2e 3a e2 43 e0 4a 86 7e cb
      a4 95 08 83 e5 0c 3f 1f 77 35 27 fb ec bb c1 4d
      28 79 0a 7b d9 3c d9 57 61 f3 ce be 7d 30 95 d0
      fa cc 9c b7 ad 39 cc ea 8a 5e 11 5f f6 9b ae 93
      60 5f 1f 85 2a 41 c4 89 43 5e b9 68 3d b3 e4 c8
      02 c6 75 73 6e a6 fd 72 0e 48 80 9b 26 3c ed 25
  Payload Nonce
    Next Payload: None
    Reserved: 00
    Payload Length: 20
    Data:
      85 29 50 e8 2b 00 d1 47 85 70 18 13 fd 49 cc ef
Jan 25 06:58:11 [IKEv1]: IP = XXX.XXX.XXX.XXX, IKE DECODE RECEIVED Message (msgid=
0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 180
Jan 25 06:58:11 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.XXX, processing ke payload
Jan 25 06:58:11 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.XXX, processing ISA_KE
Jan 25 06:58:11 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.XXX, processing nonce payload
Jan 25 06:58:11 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.XXX, constructing ke payload
Jan 25 06:58:11 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.XXX, constructing nonce payload
Jan 25 06:58:11 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.XXX, constructing Cisco Unity VID
payload
Jan 25 06:58:11 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.XXX, constructing xauth V6 VID pay
load
Jan 25 06:58:11 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.XXX, Send IOS VID
Jan 25 06:58:11 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.XXX, Constructing ASA spoofing IOS
Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jan 25 06:58:11 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.XXX, constructing VID payload
Jan 25 06:58:11 [IKEv1 DEBUG]: IP = XXX.XXX.XXX.XXX, Send Altiga/Cisco VPN3000/Cis
co ASA GW VID
Jan 25 06:58:11 [IKEv1]: IP = XXX.XXX.XXX.XXX, Connection landed on tunnel_group D
efaultRAGroup
Jan 25 06:58:11 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = XXX.XXX.XXX.XXX, Gener
ating keys for Responder…
Jan 25 06:58:11 [IKEv1]: IP = XXX.XXX.XXX.XXX, IKE DECODE SENDING Message (msgid=0
) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR
(13) + VENDOR (13) + NONE (0) total length : 256

SENDING PACKET to XXX.XXX.XXX.XXX
ISAKMP Header
  Initiator COOKIE: d9 24 1c 9b 7c df f7 55
  Responder COOKIE: a7 84 d6 76 d7 38 03 b1
  Next Payload: Key Exchange
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (none)
  MessageID: 00000000
  Length: 256
  Payload Key Exchange
    Next Payload: Nonce
    Reserved: 00
    Payload Length: 132
    Data:
      1c 96 72 24 2c 1b fa d3 32 47 82 96 a7 65 e0 39
      a8 2a 1e b1 71 16 92 33 12 aa a3 4a 41 90 02 ac
      0c a6 5d 5c d5 2d 05 d6 83 c1 ae a3 a6 2b e8 e5
      b0 50 fb b6 8b cd b4 50 6d 8f fc 32 6b c3 07 92
      2e 61 43 5a 7e 86 14 b9 ae bf ea a7 bf 3f d4 c8
      d2 76 e5 3b 80 35 19 6e f2 bc 9b ff be e1 1e 7a
      83 c2 d1 87 e1 0e a6 89 0c 25 4c a6 f9 99 73 ab
      3d 3c b3 a2 44 2f e5 3b 98 f9 61 81 b4 97 14 c0
  Payload Nonce
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 24
    Data:
      5f b2 63 b9 08 b7 c1 7c 0a fa e1 02 20 bc b8 c7
      e8 3d ac ea
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      12 f5 f2 8c 45 71 68 a9 70 2d 9f e2 74 cc 01 00
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 12
    Data (In Hex): 09 00 26 89 df d6 b7 12
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      52 43 71 6b d7 39 03 b1 44 10 04 f9 45 a5 5b bc
  Payload Vendor ID
    Next Payload: None
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      1f 07 f7 0e aa 65 14 d3 b0 fa 96 54 2a 50 01 00

IKE Recv RAW packet dump
d9 24 1c 9b 7c df f7 55 a7 84 d6 76 d7 38 03 b1    |  .$..|..U…v.8..
05 10 02 01 00 00 00 00 00 00 00 44 22 86 54 ea    |  ...........D".T.
47 7d 1c e9 7f e2 9a 67 7e 8b 47 a3 63 f5 48 68    |  G}..⌂..g~.G.c.Hh
bd d7 0c ff 08 f5 4a 97 fe de 33 5c 4c a7 2e af    |  ......J...3\L...
93 17 85 19                                        |  ....

RECV PACKET from XXX.XXX.XXX.XXX
ISAKMP Header
  Initiator COOKIE: d9 24 1c 9b 7c df f7 55
  Responder COOKIE: a7 84 d6 76 d7 38 03 b1
  Next Payload: Identification
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (Encryption)
  MessageID: 00000000
  Length: 68

AFTER DECRYPTION
ISAKMP Header
  Initiator COOKIE: d9 24 1c 9b 7c df f7 55
  Responder COOKIE: a7 84 d6 76 d7 38 03 b1
  Next Payload: Identification
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (Encryption)
  MessageID: 00000000
  Length: 68
  Payload Identification
    Next Payload: Hash
    Reserved: 00
    Payload Length: 15
    ID Type: FQDN (2)
    Protocol ID (UDP/TCP, etc...): 0
    Port: 0
    ID Data: urb.lan
  Payload Hash
    Next Payload: None
    Reserved: 00
    Payload Length: 24
    Data:
      b5 16 23 1b 1f 83 4e 11 a2 df 3e 99 62 51 cb da
      cd 93 f6 22
Jan 25 06:58:12 [IKEv1]: IP = XXX.XXX.XXX.XXX, IKE DECODE RECEIVED Message (msgid=
0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 67
Jan 25 06:58:12 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = XXX.XXX.XXX.XXX, Proce
ssing ID
Jan 25 06:58:12 [IKEv1 DECODE]: ID_FQDN ID received, len 7
0000: 7572622E 6C616E                        urb.lan

Jan 25 06:58:12 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = XXX.XXX.XXX.XXX, proce
ssing hash
Jan 25 06:58:12 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = XXX.XXX.XXX.XXX, compu
ting hash
Jan 25 06:58:12 [IKEv1]: IP = XXX.XXX.XXX.XXX, Connection landed on tunnel_group D
efaultRAGroup
Jan 25 06:58:12 [IKEv1]: Group = DefaultRAGroup, IP = XXX.XXX.XXX.XXX, Client is u
sing an unsupported Transaction Mode v2 version.Tunnel terminated.
Jan 25 06:58:12 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = XXX.XXX.XXX.XXX, IKE M
M Responder FSM error history (struct &0x252f370)  <state>, <event>:  MM_DONE, E
V_ERROR–>MM_BLD_MSG6, EV_BLOCK_V2-->MM_BLD_MSG6, EV_CHECK_NAT_T-->MM_BLD_MSG6,
EV_GROUP_LOOKUP
Jan 25 06:58:12 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = XXX.XXX.XXX.XXX, IKE S
A MM:76d684a7 terminating:  flags 0x01000002, refcnt 0, tuncnt 0
Jan 25 06:58:12 [IKEv1 DEBUG]: sending delete/delete with reason message
Jan 25 06:58:12 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = XXX.XXX.XXX.XXX, const
ructing blank hash
Jan 25 06:58:12 [IKEv1 DEBUG]: constructing IKE delete payload
Jan 25 06:58:12 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = XXX.XXX.XXX.XXX, const
ructing qm hash
Jan 25 06:58:12 [IKEv1]: IP = XXX.XXX.XXX.XXX, IKE DECODE SENDING Message (msgid=8
8ddcf55) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length :
80

BEFORE ENCRYPTION
RAW PACKET DUMP on SEND
d9 24 1c 9b 7c df f7 55 a7 84 d6 76 d7 38 03 b1    |  .$..|..U…v.8..
08 10 05 00 55 cf dd 88 1c 00 00 00 0c 00 00 18    |  ....U...........
5e f5 76 46 08 41 f8 38 14 ed 80 aa 42 08 fe 44    |  ^.vF.A.8....B..D
7d f0 08 45 00 00 00 1c 00 00 00 01 01 10 00 01    |  }..E............
d9 24 1c 9b 7c df f7 55 a7 84 d6 76 d7 38 03 b1    |  .$..|..U...v.8..

ISAKMP Header
  Initiator COOKIE: d9 24 1c 9b 7c df f7 55
  Responder COOKIE: a7 84 d6 76 d7 38 03 b1
  Next Payload: Hash
  Version: 1.0
  Exchange Type: Informational
  Flags: (none)
  MessageID: 55CFDD88
  Length: 469762048
  Payload Hash
    Next Payload: Delete
    Reserved: 00
    Payload Length: 24
    Data:
      5e f5 76 46 08 41 f8 38 14 ed 80 aa 42 08 fe 44
      7d f0 08 45
  Payload Delete
    Next Payload: None
    Reserved: 00
    Payload Length: 28
    DOI: IPsec
    Protocol-ID: PROTO_ISAKMP
    Spi Size: 16
    # of SPIs: 1
    SPI (Hex dump):
      d9 24 1c 9b 7c df f7 55 a7 84 d6 76 d7 38 03 b1

ISAKMP Header
  Initiator COOKIE: d9 24 1c 9b 7c df f7 55
  Responder COOKIE: a7 84 d6 76 d7 38 03 b1
  Next Payload: Hash
  Version: 1.0
  Exchange Type: Informational
  Flags: (Encryption)
  MessageID: 88DDCF55
  Length: 84
Jan 25 06:58:12 [IKEv1]: Group = DefaultRAGroup, IP = XXX.XXX.XXX.XXX, Removing pe
er from peer table failed, no match!
Jan 25 06:58:12 [IKEv1]: Group = DefaultRAGroup, IP = XXX.XXX.XXX.XXX, Error: Unab
le to remove PeerTblEntry</event></state>

hoba

Can you add the pfSense config and the pfSense ipsec logs too? Just use placeholders for secrets/public IPs and so on for posting here.

maynarja

Update - I noticed that in the PIX when using the "isakmp key ***** address 0.0.0.0 netmask 0.0.0.0" it used the defaultRAGroup–-> I removed the pre shared key from that group and added it to the dafaultl2lGroup and on the PIX is looks like phase 1 is getting further....

but this is the config and log from pfsense which still indicates phase1 is failing.

<remote-subnet>192.168.0.0/16</remote-subnet>
<remote-gateway>XXX.XXX.XXX.XXX</remote-gateway>
<mode>main</mode>
<myident><fqdn>xxx.xxx.xxx.xxX</fqdn> (Tried Domain Name as well)</myident>
<encryption-algorithm>3des</encryption-algorithm>
<hash-algorithm>sha1</hash-algorithm>
<dhgroup>2</dhgroup><lifetime>86400</lifetime>
<pre-shared-key>***********</pre-shared-key>
<private-key><cert><peercert><authentication_method>pre_shared_key</authentication_method>

<protocol>esp</protocol>
<encryption-algorithm-option>3des</encryption-algorithm-option>

<hash-algorithm-option>hmac_sha1</hash-algorithm-option>

<pfsgroup>0</pfsgroup>

<lifetime>43200</lifetime>

<descr>cORP LAN</descr>
<pinghost>192.168.5.2</pinghost>

lOGS

racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Jan 25 04:39:59 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Jan 25 04:40:00 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP Corp_lan[500]->remote_lan[500]
Jan 25 04:40:00 racoon: INFO: delete phase 2 handler.
Jan 25 04:40:02 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Jan 25 04:40:09 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP Corp_lan[500]->remote_lan[500]
Jan 25 04:40:09 racoon: INFO: delete phase 2 handler.
Jan 25 04:40:09 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Jan 25 04:40:16 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP Corp_lan[500]->remote_lan[500]
Jan 25 04:40:16 racoon: INFO: delete phase 2 handler.
Jan 25 04:40:21 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Jan 25 04:40:29 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP Corp_lan[500]->remote_lan[500]
Jan 25 04:40:29 racoon: INFO: delete phase 2 handler.
Jan 25 04:40:29 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Jan 25 04:40:30 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP Corp_lan[500]->remote_lan[500]
Jan 25 04:40:30 racoon: INFO: delete phase 2 handler.
Jan 25 04:40:33 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP Corp_lan[500]->remote_lan[500]
Jan 25 04:40:33 racoon: INFO: delete phase 2 handler.
Jan 25 04:40:38 racoon: ERROR: phase1 negotiation failed due to time up. 0b0e11a47a759cc2:41e11b2ae20b8eb4
Jan 25 04:40:40 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP Corp_lan[500]->remote_lan[500]
Jan 25 04:40:40 racoon: INFO: delete phase 2 handler.
Jan 25 04:40:42 racoon: INFO: IPsec-SA request for Corp_lan queued due to no phase1 found.
Jan 25 04:40:42 racoon: INFO: initiate new phase 1 negotiation: remote_lan[500]<=>Corp_lan[500]
Jan 25 04:40:42 racoon: INFO: begin Identity Protection mode.
Jan 25 04:40:43 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Jan 25 04:40:43 racoon: INFO: received Vendor ID: CISCO-UNITY
Jan 25 04:40:43 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Jan 25 04:40:43 racoon: INFO: received Vendor ID: DPD
Jan 25 04:40:43 racoon: ERROR: Expecting IP address type in main mode, but FQDN.
Jan 25 04:40:43 racoon: ERROR: invalid ID payload.
Jan 25 04:40:49 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Jan 25 04:40:52 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Jan 25 04:40:52 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP Corp_lan[500]->remote_lan[500]
Jan 25 04:40:52 racoon: INFO: delete phase 2 handler.
Jan 25 04:40:53 racoon: INFO: received Vendor ID: DPD
Jan 25 04:40:53 racoon: ERROR: Expecting IP address type in main mode, but FQDN.
Jan 25 04:40:53 racoon: ERROR: invalid ID payload.
Jan 25 04:40:58 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Jan 25 04:41:00 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP Corp_lan[500]->remote_lan[500]
Jan 25 04:41:00 racoon: INFO: delete phase 2 handler.
Jan 25 04:41:01 racoon: ERROR: ignore information because ISAKMP-SA has not been established yet.
Jan 25 04:41:03 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Jan 25 04:41:03 racoon: INFO: received Vendor ID: DPD
Jan 25 04:41:03 racoon: ERROR: Expecting IP address type in main mode, but FQDN.
Jan 25 04:41:03 racoon: ERROR: invalid ID payload.
Jan 25 04:41:03 racoon: ERROR: ignore information because ISAKMP-SA has not been established yet.
Jan 25 04:41:07 last message repeated 2 times
Jan 25 04:41:12 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Jan 25 04:41:13 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP Corp_lan[500]->remote_lan[500]
Jan 25 04:41:13 racoon: INFO: delete phase 2 handler.</peercert></cert></private-key>

maynarja

Got it !

On the PIX side I needed "isakmp identity auto"

hoba

Cool  :D