PfSense and Openswan issues



  • Hi,

    I would like to get some advice on how to solve the issue below.

    Jun 27 10:39:17 wyeuweb300 pluto[13301]: "PP-GG" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
    Jun 27 10:39:17 wyeuweb300 pluto[13301]: "PP-GG" #2: starting keying attempt 2 of an unlimited number
    Jun 27 10:39:17 wyeuweb300 pluto[13301]: "PP-GG" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW to replace #2 {using isakmp#1 msgid:61a345c5 proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}

    Configurations

    1. Pfsense

    Remote gateway : xxx.xxx.xxx.xx
    Authentication method: Mutual PSK
    Negotiation mode: Main
    My identifier : xxx.xxx.xxx.xxx (PFSense WAN)
    Peer identifier : xxx.xxx.xxx.xxx (Openswan WAN)
    Pre-Shared Key: xxxx
    Proposal Checking: Default
    Encryption algorithm: 3DES
    Hash algorithm: SHA1
    DH key group: 2
    Lifetime: 288800
    NAT Traversal: Enable

    Error on pfSense

    Jun 27 15:45:18 racoon: []: INFO: respond new phase 2 negotiation: 111.92.240.242[500]<=>92.243.23.96[500]
    Jun 27 15:45:07 racoon: ERROR: failed to pre-process packet.
    Jun 27 15:45:07 racoon: ERROR: failed to get sainfo.
    Jun 27 15:45:07 racoon: ERROR: failed to get sainfo.
    Jun 27 15:45:07 racoon: []: INFO: respond new phase 2 negotiation: 111.92.240.242[500]<=>92.243.23.96[500]
    Jun 27 15:44:29 racoon: INFO: unsupported PF_KEY message REGISTER
    Jun 27 15:44:29 racoon: INFO: 192.168.1.1[4500] used for NAT-T
    Jun 27 15:44:29 racoon: [Self]: INFO: 192.168.1.1[4500] used as isakmp port (fd=25)
    Jun 27 15:44:29 racoon: INFO: 192.168.1.1[500] used for NAT-T
    Jun 27 15:44:27 racoon: []: INFO: respond new phase 2 negotiation: 111.92.240.242[500]<=>92.243.23.96[500]

    2. Openswan

    config setup
            nat_traversal=yes
            virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
            oe=off
            protostack=auto
            interfaces=%defaultroute

    conn myipsec
            authby=secret
            type=tunnel
            left=xxx.xxx.xxx.xxx (Openswan WAN)
            leftsubnet=xxx.xxx.xxx.xxx (Openswan subnet)/22
            leftnexthop=xxx.xxx.xxx.xxx (Openswan gw)
            right=(PFsense WAN)
            rightsubnet=192.168.1.0/24
            rightnexthop=xxx.xxx.xxx.xxx (PFsense gw)
            auto=start
            auth=esp
            esp=3des-sha1;modp1024
            ike=3des-sha1;modp1024
            keyexchange=ike
            pfs=yes
            salifetime=12h
            ikelifetime=4h

    Errors on the Openswan side

    Jun 27 10:45:07 wyeuweb300 pluto[13301]: "PP-GG" #7: starting keying attempt 7 of an unlimited number
    Jun 27 10:45:07 wyeuweb300 pluto[13301]: "PP-GG" #8: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW to replace #7 {using isakmp#1 msgid:9b64967a proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
    Jun 27 10:46:17 wyeuweb300 pluto[13301]: "PP-GG" #8: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
    Jun 27 10:46:17 wyeuweb300 pluto[13301]: "PP-GG" #8: starting keying attempt 8 of an unlimited number
    Jun 27 10:46:17 wyeuweb300 pluto[13301]: "PP-GG" #9: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW to replace #8 {using isakmp#1 msgid:a51fef21 proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
    Jun 27 10:47:27 wyeuweb300 pluto[13301]: "PP-GG" #9: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
    Jun 27 10:47:27 wyeuweb300 pluto[13301]: "PP-GG" #9: starting keying attempt 9 of an unlimited number
    Jun 27 10:47:27 wyeuweb300 pluto[13301]: "PP-GG" #10: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW to replace #9 {using isakmp#1 msgid:d2009332 proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
    Jun 27 10:48:37 wyeuweb300 pluto[13301]: "PP-GG" #10: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
    Jun 27 10:48:37 wyeuweb300 pluto[13301]: "PP-GG" #10: starting keying attempt 10 of an unlimited number
    Jun 27 10:48:37 wyeuweb300 pluto[13301]: "PP-GG" #11: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW to replace #10 {using isakmp#1 msgid:240cfffd proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
    Jun 27 10:49:47 wyeuweb300 pluto[13301]: "PP-GG" #11: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
    Jun 27 10:49:47 wyeuweb300 pluto[13301]: "PP-GG" #11: starting keying attempt 11 of an unlimited number
    Jun 27 10:49:47 wyeuweb300 pluto[13301]: "PP-GG" #12: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW to replace #11 {using isakmp#1 msgid:66413aea proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
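
A small log-triage script, added here as an illustration and not part of the original post or of either project: it reads Openswan (pluto) and pfSense (racoon) lines in the format shown above and separates "Phase 1 never came up" from "Phase 1 is up but the responder rejects every Quick Mode request". The sample lines below are constructed to match the excerpts in the post; the addresses, host name and message ids are placeholders. The verdict `phase2_mismatch` rests on one assumption stated in the code: racoon logs "failed to get sainfo" when no configured Phase 2 entry matches the identities or proposal the peer sent, which is the usual reason a Quick Mode request is dropped without a reply.

```python
import re

# Constructed sample lines modelled on the thread's excerpts (placeholder host,
# RFC 5737 documentation addresses and made-up message ids).
PLUTO_LOG = """\
Jun 27 10:45:07 host pluto[13301]: "PP-GG" #7: starting keying attempt 7 of an unlimited number
Jun 27 10:45:07 host pluto[13301]: "PP-GG" #8: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW to replace #7 {using isakmp#1 msgid:0000000a proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
Jun 27 10:46:17 host pluto[13301]: "PP-GG" #8: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Jun 27 10:46:17 host pluto[13301]: "PP-GG" #8: starting keying attempt 8 of an unlimited number
Jun 27 10:46:17 host pluto[13301]: "PP-GG" #9: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW to replace #8 {using isakmp#1 msgid:0000000b proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
Jun 27 10:47:27 host pluto[13301]: "PP-GG" #9: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"""

RACOON_LOG = """\
Jun 27 15:45:07 racoon: []: INFO: respond new phase 2 negotiation: 192.0.2.1[500]<=>198.51.100.2[500]
Jun 27 15:45:07 racoon: ERROR: failed to get sainfo.
Jun 27 15:45:07 racoon: ERROR: failed to get sainfo.
Jun 27 15:45:07 racoon: ERROR: failed to pre-process packet.
Jun 27 15:44:29 racoon: INFO: unsupported PF_KEY message REGISTER
"""

PLUTO_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
QM_INIT_RE = re.compile(
    r'initiating Quick Mode .*\{using isakmp#(?P<isakmp>\d+) .*'
    r'proposal=(?P<proposal>\S+) pfsgroup=(?P<pfs>\S+)\}')
RACOON_RE = re.compile(r'racoon: (?:\[[^\]]*\]: )?(?P<level>[A-Z]+): (?P<msg>.*)$')


def parse_pluto(text):
    """Per-connection Quick Mode statistics from Openswan pluto lines."""
    stats = {}
    for line in text.splitlines():
        m = PLUTO_RE.search(line)
        if not m:
            continue
        conn = stats.setdefault(m.group('conn'), {
            'isakmp_sas': set(), 'proposals': set(),
            'qm_initiated': 0, 'qm_timeouts': 0})
        msg = m.group('msg')
        qm = QM_INIT_RE.search(msg)
        if qm:
            # A Quick Mode that references an ISAKMP SA means Phase 1 completed.
            conn['qm_initiated'] += 1
            conn['isakmp_sas'].add(int(qm.group('isakmp')))
            conn['proposals'].add((qm.group('proposal'), qm.group('pfs')))
        elif 'max number of retransmissions' in msg and 'STATE_QUICK_I1' in msg:
            # Responder never answered our first Quick Mode message.
            conn['qm_timeouts'] += 1
    return stats


def parse_racoon(text):
    """Count the responder-side racoon messages that matter for Phase 2 triage."""
    counts = {'phase2_responded': 0, 'sainfo_failures': 0, 'preprocess_failures': 0}
    for line in text.splitlines():
        m = RACOON_RE.search(line)
        if not m:
            continue
        msg = m.group('msg')
        if msg.startswith('respond new phase 2 negotiation'):
            counts['phase2_responded'] += 1
        elif msg.startswith('failed to get sainfo'):
            # Assumption: no configured Phase 2 entry matched the peer's IDs/proposal.
            counts['sainfo_failures'] += 1
        elif msg.startswith('failed to pre-process packet'):
            counts['preprocess_failures'] += 1
    return counts


def diagnose(pluto_text, racoon_text, conn_name):
    """Combine both sides into one verdict for the named Openswan connection."""
    pluto = parse_pluto(pluto_text).get(conn_name)
    racoon = parse_racoon(racoon_text)
    if pluto is None:
        return {'verdict': 'no_pluto_data', 'racoon': racoon}
    phase1_up = bool(pluto['isakmp_sas']) and pluto['qm_initiated'] > 0
    if not phase1_up:
        verdict = 'phase1_not_established'
    elif pluto['qm_timeouts'] > 0 and racoon['sainfo_failures'] > 0:
        verdict = 'phase2_mismatch'       # responder found no matching Phase 2 entry
    elif pluto['qm_timeouts'] > 0:
        verdict = 'phase2_no_response'    # timeouts, but no responder log to explain them
    else:
        verdict = 'no_quick_mode_failure_seen'
    return {'verdict': verdict, 'phase1_up': phase1_up,
            'proposals': sorted(pluto['proposals']),
            'qm_timeouts': pluto['qm_timeouts'], 'racoon': racoon}


if __name__ == '__main__':
    for key, value in diagnose(PLUTO_LOG, RACOON_LOG, 'PP-GG').items():
        print(f'{key}: {value}')
```

With the sample above the verdict is `phase2_mismatch`: pluto keeps reusing `isakmp#1` (so Phase 1 is fine) while racoon answers each Phase 2 request with "failed to get sainfo", which points at the Phase 2 side of the configuration (local/remote subnets and the ESP proposal) rather than at the PSK or Phase 1 settings. Proposal strings are collected so a future change on the Openswan side shows up as a second entry.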



  • Hi,

    Can anyone help me on this?

    Regards,
    Leap



  • Probably not many people here are all that familiar with Openswan. You can get more detailed debug logs by checking the debug option under System > Advanced, Misc. If the Openswan side is initiating the connection, that will provide more details on why the attempt fails. Not sure how to increase the logging on Openswan.



  • I can't find any debug mode to enable on System: Advanced: Miscellaneous. I am using version 2.0.

    Thanks


  • @leap:

    I can't find any debug mode to enable on System: Advanced: Miscellaneous. I am using version 2.0.

    What snapshot are you on? If you are on a current snapshot (or at least RC3) it should be there. It's under "Security Associations" and above "Maximum MSS".

