Migrating from 1.2.3 to 2.0rc3 problem



  • Hi all,

    I've read about as much as I can read on my problems but feel like I'm not getting anywhere.

    I have an IPsec tunnel between two subnets, 192.168.192.0/24 (pfSense) and 192.168.5.0/24 (Fortinet), which has been up and running quite well for a few years on pfSense 1.2.3.

    An opportunity to upgrade hardware arose and I figure moving to 2.0rc3 would be ideal.  Everything works except for the VPN.  No matter how closely I pay attention to the config from my old setup, I'm not able to establish my tunnel.  The Fortinet device consistently logs the error "status=negotiate_error error_reason=peer SA proposal not match local policy".

    A hint in the right direction would be very much appreciated.



  • I've had to go back to 1.2.3, sadly.  I was unable to tweak 2.0rc3 to work with the Fortinet device at the remote end.

    For what it's worth, my config for the tunnel is (sensitive stuff hidden):

    <tunnel>
      <interface>carp10</interface>
      <local-subnet><network>lan</network></local-subnet>
      <remote-subnet>192.168.5.0/24</remote-subnet>
      <remote-gateway>...</remote-gateway>
      <dpddelay>15</dpddelay>
      <p1>
        <mode>main</mode>
        <myident><myaddress></myaddress></myident>
        <encryption-algorithm>3des</encryption-algorithm>
        <hash-algorithm>sha1</hash-algorithm>
        <dhgroup>5</dhgroup>
        <lifetime>28800</lifetime>
        <pre-shared-key>*************</pre-shared-key>
        <private-key><cert><peercert><authentication_method>pre_shared_key</authentication_method></peercert></cert></private-key>
      </p1>
      <p2>
        <protocol>esp</protocol>
        <encryption-algorithm-option>3des</encryption-algorithm-option>
        <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
        <pfsgroup>5</pfsgroup>
        <lifetime>3600</lifetime>
      </p2>
      <descr><pinghost>192.168.5.200</pinghost></descr>
    </tunnel>


  • Rebel Alliance Developer Netgate

    If you try 2.0 again, under System > Advanced, on the misc tab I believe, is a checkbox to put racoon in debug mode. It will be very verbose about what it's doing, and what errors it encounters.



  • I did switch on debug and found that I had phase 1 policy mismatch errors.  Despite setting up the pfsense side of the tunnel exactly as needed, things didn't work.  I suspect that the 2.0 version of the web pages that deal with IPsec and maybe even racoon itself are a bit more bolted down.  This would explain why I'd get a mismatch.

    After much fiddling with IDs, I managed to get p1 working and had an SA, or so I thought.  Nothing, but nothing I did with the very simple p2 config worked, every time failing with an error.




  • Rebel Alliance Developer Netgate

    What exactly did it say mismatched? What errors prevented a working phase 2? We need as many specifics as possible, log entries, etc. Unfortunately in a case like this, without details it tells us nothing, and speculation is practically worthless.



  • Hello Jimp,

    I understand and appreciate your position.  Unfortunately I've had to go back to 1.2.3 and will not be in a position to try 2.0 for a couple of weeks (in October).  I'm keen to work this problem out though so I'll let you and others know when I next get a chance to see what is happening.



  • Hi guys!

    I tried to migrate from pf 1.2.3 to 2.0rc3 using configuration backup / restore, but I received a nasty message:

    "The following input errors were detected:

    The configuration could not be restored.

    "

    I tried changes in the Restore area but nothing happened (after reboot too).
    What can I do?
    Do I have to set up the rules and configs one by one? :O  ???

    best wishes



  • Hi Jimp and All.  I'm back and have a few quiet days of being able to work through this issue.  The VPN between my two data centres will not be needed so I'm keen to dig in and figure this out.

    I've just installed the 2.0 release and have been working on this to see if it'd work but alas, no.  My tunnel target is a Fortigate 200B and the settings there have not changed.  The current error I'm seeing is "ERROR: notification NO-PROPOSAL-CHOSEN".  There are a few more ph1 options in 2.0 so I'm not sure what needs to be matched up for things to line up.  I'll keep reading, playing but assistance and guidance would be appreciated.

    Thanks



  • I think I've found a bug in the web config for phase 2.  If selecting PFS key group 5, what ends up in /var/etc/racoon.conf is 2, not 5.  I now have a VPN working :)


  • Rebel Alliance Developer Netgate

    I just tried this out and that is most definitely not the case. I select 2, save/apply, and 2 is in the config. I select 5, save/apply, and 5 is in the config.

    So if you are changing to 5, then save/apply, and it's still set to 2, there is something else going on, perhaps it's not actually rewriting the config. But it's most certainly not writing the incorrect thing.



  • I've played a bit more with the link.  I can change the PFS group setting in my browser (Firefox 7.0.1 Linux) and it will remember the setting for the PFS key group, whether it's off, 1, 2 or 5.  However, there's nothing in the /var/etc/racoon.conf file which deviates from pfs_group 2.  I can change any other setting in phase 2 and it will be reflected in racoon.conf.  Only the pfs_group setting remains unchanged, weird.  At the tunnel target end, I now simply keep the PFS group to 2, just works.  It'd be good to know what's going on though.  Is there anything I can do to help understand what's going on?
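    To make the mismatch described above something you can check rather than eyeball, here is an added Python example (not from the thread, and not pfSense's own code). It reads the expected phase 1 and phase 2 values from the `<tunnel>` block posted earlier in the thread and compares them against the `remote` and `sainfo` sections of a racoon.conf. The racoon.conf text is constructed for the example (with 203.0.113.1 as a placeholder peer address) to reproduce the symptom: every value matches except `pfs_group`, which stayed at 2. The mapping from pfSense XML tags to racoon keywords is an assumption about how the IPsec page writes the file.

    ```python
    import re
    import xml.etree.ElementTree as ET

    # The <tunnel> block as posted in the thread (PSK and peer address masked there).
    TUNNEL_XML = """<tunnel><interface>carp10</interface>
    <local-subnet><network>lan</network></local-subnet>
    <remote-subnet>192.168.5.0/24</remote-subnet>
    <remote-gateway>...</remote-gateway>
    <dpddelay>15</dpddelay>
    <p1><mode>main</mode>
    <myident><myaddress></myaddress></myident>
    <encryption-algorithm>3des</encryption-algorithm>
    <hash-algorithm>sha1</hash-algorithm>
    <dhgroup>5</dhgroup>
    <lifetime>28800</lifetime>
    <pre-shared-key>*************</pre-shared-key>
    <private-key><cert><peercert><authentication_method>pre_shared_key</authentication_method></peercert></cert></private-key></p1>
    <p2><protocol>esp</protocol>
    <encryption-algorithm-option>3des</encryption-algorithm-option>
    <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
    <pfsgroup>5</pfsgroup>
    <lifetime>3600</lifetime></p2>
    <descr><pinghost>192.168.5.200</pinghost></descr></tunnel>"""

    # CONSTRUCTED racoon.conf fragment (racoon syntax) reproducing the reported symptom:
    # everything matches the tunnel block except pfs_group, which is still 2.
    # 203.0.113.1 is a placeholder peer address, not a value from the thread.
    RACOON_CONF = """remote 203.0.113.1 {
        exchange_mode main;
        my_identifier address;
        proposal {
            encryption_algorithm 3des;
            hash_algorithm sha1;
            authentication_method pre_shared_key;
            dh_group 5;
            lifetime time 28800 sec;
        }
    }
    sainfo address 192.168.192.0/24 any address 192.168.5.0/24 any {
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        pfs_group 2;
        lifetime time 3600 sec;
        compression_algorithm deflate;
    }
    """

    # Assumed mapping of pfSense XML tags to racoon.conf keywords.
    P1_MAP = {"mode": "exchange_mode", "encryption-algorithm": "encryption_algorithm",
              "hash-algorithm": "hash_algorithm", "dhgroup": "dh_group"}
    P2_MAP = {"encryption-algorithm-option": "encryption_algorithm",
              "hash-algorithm-option": "authentication_algorithm", "pfsgroup": "pfs_group"}


    def expected_from_tunnel(xml_text):
        """Derive the racoon.conf values the GUI settings should produce."""
        root = ET.fromstring(xml_text)
        p1 = {kw: root.findtext("p1/" + tag) for tag, kw in P1_MAP.items()}
        p1["authentication_method"] = next(root.find("p1").iter("authentication_method")).text
        p1["lifetime"] = "time %s sec" % root.findtext("p1/lifetime")
        p2 = {kw: root.findtext("p2/" + tag) for tag, kw in P2_MAP.items()}
        p2["lifetime"] = "time %s sec" % root.findtext("p2/lifetime")
        return {"remote": p1, "sainfo": p2}


    def parse_racoon_conf(text):
        """Collect 'keyword value;' pairs under each top-level remote/sainfo section.
        Nested blocks (proposal { ... }) are folded into their enclosing section.
        Simplification: one remote and one sainfo section, as for a single tunnel."""
        sections, stack = {}, []
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
            if not line:
                continue
            if line.endswith("{"):
                stack.append(line[:-1].split()[0])
                if len(stack) == 1:
                    sections.setdefault(stack[0], {})
                continue
            if line == "}":
                stack.pop()
                continue
            m = re.match(r"(\w+)\s+(.*?);$", line)
            if m and stack:
                sections[stack[0]][m.group(1)] = m.group(2)
        return sections


    def find_mismatches(expected, sections):
        """Return (section, keyword, expected, actual) for every value that differs."""
        out = []
        for section, wanted in expected.items():
            actual = sections.get(section, {})
            for key, val in wanted.items():
                if actual.get(key) != val:
                    out.append((section, key, val, actual.get(key)))
        return out


    if __name__ == "__main__":
        for section, key, want, got in find_mismatches(
                expected_from_tunnel(TUNNEL_XML), parse_racoon_conf(RACOON_CONF)):
            print("%s: %s expected %r, racoon.conf has %r" % (section, key, want, got))
    ```

    On a real box you would replace `RACOON_CONF` with the contents of /var/etc/racoon.conf and the tunnel block with the one exported from your config; a clean run prints nothing, and the constructed input above reports exactly the `pfs_group` 5-versus-2 discrepancy from the post.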


  • Rebel Alliance Developer Netgate

    Go to Diagnostics > Commands, in the PHP exec box and put in:

    var_dump($config['ipsec']['client']);
    

    Is there a pfs setting in there?



  • The following comes up:

    array(3) {
      ["enable"]=>
      string(0) ""
      ["user_source"]=>
      string(6) "system"
      ["group_source"]=>
      string(6) "system"
    }
    

  • Rebel Alliance Developer Netgate

    OK, the only place I saw that could have possibly overridden the chosen pfs_group setting would have been in there. I don't see any other way that what you choose isn't ending up in the racoon.conf.

