Netgate Discussion Forum
    PfSense and Openswan issues

    2.0-RC Snapshot Feedback and Problems

    leap wrote:

      Hi,

      I would like to get some advice on how to solve the issue below.

      Jun 27 10:39:17 wyeuweb300 pluto[13301]: "PP-GG" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
      Jun 27 10:39:17 wyeuweb300 pluto[13301]: "PP-GG" #2: starting keying attempt 2 of an unlimited number
      Jun 27 10:39:17 wyeuweb300 pluto[13301]: "PP-GG" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW to replace #2 {using isakmp#1 msgid:61a345c5 proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}

      Configurations

      1. Pfsense

      Remote gateway : xxx.xxx.xxx.xx
      Authentication method: Mutual PSK
      Negotiation mode: Main
      My identifier : xxx.xxx.xxx.xxx (PFSense WAN)
      Peer identifier : xxx.xxx.xxx.xxx (Openswan WAN)
      Pre-Shared Key: xxxx
      Proposal Checking: Default
      Encryption algorithm: 3DES
      Hash algorithm: SHA1
      DH key group: 2
      Lifetime: 288800
      NAT Traversal: Enable

      Errors on pfSense

      Jun 27 15:45:18 racoon: []: INFO: respond new phase 2 negotiation: 111.92.240.242[500]<=>92.243.23.96[500]
      Jun 27 15:45:07 racoon: ERROR: failed to pre-process packet.
      Jun 27 15:45:07 racoon: ERROR: failed to get sainfo.
      Jun 27 15:45:07 racoon: ERROR: failed to get sainfo.
      Jun 27 15:45:07 racoon: []: INFO: respond new phase 2 negotiation: 111.92.240.242[500]<=>92.243.23.96[500]
      Jun 27 15:44:29 racoon: INFO: unsupported PF_KEY message REGISTER
      Jun 27 15:44:29 racoon: INFO: 192.168.1.1[4500] used for NAT-T
      Jun 27 15:44:29 racoon: [Self]: INFO: 192.168.1.1[4500] used as isakmp port (fd=25)
      Jun 27 15:44:29 racoon: INFO: 192.168.1.1[500] used for NAT-T
      Jun 27 15:44:27 racoon: []: INFO: respond new phase 2 negotiation: 111.92.240.242[500]<=>92.243.23.96[500]

      2. Openswan

      config setup
              nat_traversal=yes
              virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
              oe=off
              protostack=auto
              interfaces=%defaultroute

      conn myipsec
              authby=secret
              type=tunnel
              left=xxx.xxx.xxx.xxx (Openswan WAN)
              leftsubnet=xxx.xxx.xxx.xxx (Openswan subnet)/22
              leftnexthop=xxx.xxx.xxx.xxx (Openswan gw)
              right=(PFsense WAN)
              rightsubnet=192.168.1.0/24
              rightnexthop=xxx.xxx.xxx.xxx (PFsense gw)
              auto=start
              auth=esp
              esp=3des-sha1;modp1024
              ike=3des-sha1;modp1024
              keyexchange=ike
              pfs=yes
              salifetime=12h
              ikelifetime=4h

      Errors on openswan site

      Jun 27 10:45:07 wyeuweb300 pluto[13301]: "PP-GG" #7: starting keying attempt 7 of an unlimited number
      Jun 27 10:45:07 wyeuweb300 pluto[13301]: "PP-GG" #8: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW to replace #7 {using isakmp#1 msgid:9b64967a proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
      Jun 27 10:46:17 wyeuweb300 pluto[13301]: "PP-GG" #8: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
      Jun 27 10:46:17 wyeuweb300 pluto[13301]: "PP-GG" #8: starting keying attempt 8 of an unlimited number
      Jun 27 10:46:17 wyeuweb300 pluto[13301]: "PP-GG" #9: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW to replace #8 {using isakmp#1 msgid:a51fef21 proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
      Jun 27 10:47:27 wyeuweb300 pluto[13301]: "PP-GG" #9: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
      Jun 27 10:47:27 wyeuweb300 pluto[13301]: "PP-GG" #9: starting keying attempt 9 of an unlimited number
      Jun 27 10:47:27 wyeuweb300 pluto[13301]: "PP-GG" #10: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW to replace #9 {using isakmp#1 msgid:d2009332 proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
      Jun 27 10:48:37 wyeuweb300 pluto[13301]: "PP-GG" #10: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
      Jun 27 10:48:37 wyeuweb300 pluto[13301]: "PP-GG" #10: starting keying attempt 10 of an unlimited number
      Jun 27 10:48:37 wyeuweb300 pluto[13301]: "PP-GG" #11: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW to replace #10 {using isakmp#1 msgid:240cfffd proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
      Jun 27 10:49:47 wyeuweb300 pluto[13301]: "PP-GG" #11: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
      Jun 27 10:49:47 wyeuweb300 pluto[13301]: "PP-GG" #11: starting keying attempt 11 of an unlimited number
      Jun 27 10:49:47 wyeuweb300 pluto[13301]: "PP-GG" #12: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW to replace #11 {using isakmp#1 msgid:66413aea proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
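      The two log excerpts above tell a consistent story: pluto reports phase 1 (isakmp#1) as established and only the Quick Mode (phase 2) message goes unanswered, while racoon's "failed to get sainfo" means the responder found no phase 2 entry matching the IDs and proposal it received. The script below is an added example, not code from the thread or from pfSense/Openswan: it extracts the Quick Mode proposal from the pluto line, compares it with the Openswan esp= line, and reduces both logs to findings that point at which settings to check. The sample lines are constructed from the ones posted above.

```python
import re

# Constructed samples shaped like the lines in the post above.
PLUTO_LOG = """\
Jun 27 10:46:17 wyeuweb300 pluto[13301]: "PP-GG" #8: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Jun 27 10:46:17 wyeuweb300 pluto[13301]: "PP-GG" #9: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW to replace #8 {using isakmp#1 msgid:a51fef21 proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
"""
RACOON_LOG = """\
Jun 27 15:45:07 racoon: ERROR: failed to get sainfo.
Jun 27 15:45:07 racoon: ERROR: failed to pre-process packet.
"""
# The relevant Openswan conn lines as posted.
OPENSWAN_CONN = "ike=3des-sha1;modp1024\nesp=3des-sha1;modp1024\npfs=yes\n"

# pluto prints the offered phase 2 proposal as ENC(n)_bits-HASH(n)_bits pfsgroup=OAKLEY_GROUP_<dh>
PROPOSAL_RE = re.compile(r"proposal=(\w+)\(\d+\)_\d+-(\w+)\(\d+\)_\d+ pfsgroup=OAKLEY_GROUP_(\w+)")

def pluto_quick_mode_proposal(log):
    """Return (enc, hash, dhgroup) pluto offered in Quick Mode, lowercased, or None."""
    for line in log.splitlines():
        m = PROPOSAL_RE.search(line)
        if m and "Quick Mode" in line:
            return tuple(s.lower() for s in m.groups())
    return None

def openswan_phase2_proposal(conf):
    """Parse esp=<enc>-<hash>;<dhgroup> from a conn block into the same tuple form."""
    kv = dict(l.strip().split("=", 1) for l in conf.splitlines() if "=" in l)
    algs, _, group = kv["esp"].partition(";")
    enc, hsh = algs.split("-")
    return (enc.lower(), hsh.lower(), group.lower())

def diagnose(pluto_log, racoon_log, conf):
    """Reduce both sides' logs to a list of findings about where the mismatch lies."""
    offered = pluto_quick_mode_proposal(pluto_log)
    configured = openswan_phase2_proposal(conf)
    findings = []
    if offered != configured:
        findings.append("offered_proposal_differs_from_esp_line")
    # Retransmit timeout in STATE_QUICK_I1 with an isakmp SA in use: phase 1 is up, phase 2 is not.
    if any("STATE_QUICK_I1" in l and "max number of retransmissions" in l for l in pluto_log.splitlines()):
        findings.append("quick_mode_unanswered")
    # racoon could not select a sainfo (phase 2) entry for the peer's IDs/proposal.
    if any("failed to get sainfo" in l for l in racoon_log.splitlines()):
        findings.append("responder_no_matching_sainfo")
    return offered, configured, findings

if __name__ == "__main__":
    print(diagnose(PLUTO_LOG, RACOON_LOG, OPENSWAN_CONN))
```

      When the offered proposal and the esp= line agree but "responder_no_matching_sainfo" is reported, the pfSense phase 2 entry (local/remote networks and its own proposal, not shown in the post) is the setting to compare against leftsubnet/rightsubnet.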

        leap wrote:

        Hi,

        Can anyone help me on this?

        Regards,
        Leap

          cmb wrote:

          Probably not many people here all that familiar with Openswan. You can get more detailed debug logs by checking the debug option under System>Advanced, Misc. If the Openswan side is initiating the connection that will provide more details on why the attempt fails. Not sure on Openswan how to increase the logging.

            leap wrote:

            I can't find any debug mode enable on System: Advanced: Miscellaneous. I am using 2.0 version.

            Thanks

              jimp (Rebel Alliance Developer, Netgate) wrote:

              @leap:

              I can't find any debug mode enable on System: Advanced: Miscellaneous. I am using 2.0 version.

              What snapshot are you on? If you are on a current snapshot (Or at least RC3) it should be there. It's under "Security Associations" and above "Maximum MSS"
