IPSEC Site-to-Site VPN Broken after Snapshot Update
-
Hi guys,
I updated my pfSense box to a newer snapshot yesterday (pfSense-Full-Update-2.1-DEVELOPMENT-i386-20120622-1613.tgz) and I just noticed that my Site-to-Site VPN stopped working. The pfSense box is my home firewall, so it's not a huge deal, but I'd like to get it fixed. The device on the other end of the VPN is a Cisco ASA 5510 at our colo provider. Here are the errors I'm seeing in the IPSEC log:
Jun 25 00:13:33 racoon: [VPNDevice]: INFO: ISAKMP-SA deleted 71.XXX.XXX.XXX[500]-65.XXX.XXX.XXX[500] spi:03a1bb627606e599:5dca9fbccaadae02
Jun 25 00:13:33 racoon: INFO: purged ISAKMP-SA spi=03a1bb627606e599:5dca9fbccaadae02.
Jun 25 00:13:33 racoon: INFO: purging ISAKMP-SA spi=03a1bb627606e599:5dca9fbccaadae02.
Jun 25 00:13:32 racoon: ERROR: failed to get sainfo.
Jun 25 00:13:25 racoon: [VPNDevice]: [65.XXX.XXX.XXX] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
Jun 25 00:13:25 racoon: ERROR: failed to get sainfo.
Jun 25 00:13:25 racoon: ERROR: failed to get sainfo.
Jun 25 00:13:25 racoon: [VPNDevice]: [65.XXX.XXX.XXX] INFO: received INITIAL-CONTACT
Jun 25 00:13:25 racoon: [VPNDevice]: INFO: respond new phase 2 negotiation: 71.XXX.XXX.XXX[500]<=>65.XXX.XXX.XXX[500]
Jun 25 00:13:17 racoon: [VPNDevice]: [65.XXX.XXX.XXX] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
Jun 25 00:13:17 racoon: ERROR: failed to get sainfo.
Jun 25 00:13:17 racoon: ERROR: failed to get sainfo.
Jun 25 00:13:17 racoon: [VPNDevice]: [65.XXX.XXX.XXX] INFO: received INITIAL-CONTACT
Jun 25 00:13:17 racoon: [VPNDevice]: INFO: respond new phase 2 negotiation: 71.XXX.XXX.XXX[500]<=>65.XXX.XXX.XXX[500]
Jun 25 00:13:09 racoon: [VPNDevice]: [65.XXX.XXX.XXX] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
Jun 25 00:13:09 racoon: ERROR: failed to get sainfo.
Jun 25 00:13:09 racoon: ERROR: failed to get sainfo.
Jun 25 00:13:09 racoon: [VPNDevice]: [65.XXX.XXX.XXX] INFO: received INITIAL-CONTACT
Jun 25 00:13:09 racoon: [VPNDevice]: INFO: respond new phase 2 negotiation: 71.XXX.XXX.XXX[500]<=>65.XXX.XXX.XXX[500]
Jun 25 00:13:01 racoon: [VPNDevice]: [65.XXX.XXX.XXX] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
Jun 25 00:13:01 racoon: ERROR: failed to get sainfo.
Jun 25 00:13:01 racoon: ERROR: failed to get sainfo.
Jun 25 00:13:01 racoon: [VPNDevice]: [65.XXX.XXX.XXX] INFO: received INITIAL-CONTACT
Jun 25 00:13:01 racoon: [VPNDevice]: INFO: respond new phase 2 negotiation: 71.XXX.XXX.XXX[500]<=>65.XXX.XXX.XXX[500]
Jun 25 00:13:01 racoon: [VPNDevice]: INFO: ISAKMP-SA established 71.XXX.XXX.XXX[500]-65.XXX.XXX.XXX[500] spi:03a1bb627606e599:5dca9fbccaadae02
Jun 25 00:13:01 racoon: WARNING: port 500 expected, but 0
Jun 25 00:13:01 racoon: INFO: received Vendor ID: DPD
Jun 25 00:13:01 racoon: INFO: Adding remote and local NAT-D payloads.
Jun 25 00:13:01 racoon: [Self]: [71.XXX.XXX.XXX] INFO: Hashing 71.XXX.XXX.XXX[500] with algo #2
Jun 25 00:13:01 racoon: [VPNDevice]: [65.XXX.XXX.XXX] INFO: Hashing 65.XXX.XXX.XXX[500] with algo #2
Jun 25 00:13:00 racoon: INFO: NAT not detected
Jun 25 00:13:00 racoon: INFO: NAT-D payload #1 verified
Jun 25 00:13:00 racoon: [VPNDevice]: [65.XXX.XXX.XXX] INFO: Hashing 65.XXX.XXX.XXX[500] with algo #2
Jun 25 00:13:00 racoon: INFO: NAT-D payload #0 verified
Jun 25 00:13:00 racoon: [Self]: [71.XXX.XXX.XXX] INFO: Hashing 71.XXX.XXX.XXX[500] with algo #2
Jun 25 00:13:00 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Jun 25 00:13:00 racoon: INFO: received Vendor ID: CISCO-UNITY
Jun 25 00:13:00 racoon: [VPNDevice]: [65.XXX.XXX.XXX] INFO: Selected NAT-T version: RFC 3947
Jun 25 00:13:00 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Jun 25 00:13:00 racoon: INFO: received Vendor ID: RFC 3947
Jun 25 00:13:00 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Jun 25 00:13:00 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Jun 25 00:13:00 racoon: INFO: begin Identity Protection mode.
Jun 25 00:13:00 racoon: [VPNDevice]: INFO: respond new phase 1 negotiation: 71.XXX.XXX.XXX[500]<=>65.XXX.XXX.XXX[500]
When I try to establish a connection from my end, I don't see any phase 1 or phase 2 logs on the Cisco ASA. It almost seems like racoon can't reach the ASA or isn't even trying to establish a connection.
Any ideas? AFAIK the only thing that changed was the snapshot update I applied. I tried recreating the VPN with the same settings to see if it would resolve the issue and it hasn't.
Thanks,
Derek -
Unlikely that has any relation to the upgrade, as IPsec hasn't changed in quite some time, and that's indicative of a config mismatch. Not hard to configure an ASA with different initiator vs. responder settings, so my guess is it's probably negotiating in a direction it hasn't previously that you've noticed at least (or potentially something else changed on the ASA as it's not hard to break one connection when setting up/changing another). Enable debug logging under System>Advanced, Misc, and you should see more specifically why p2 doesn't match.
-
Hi cmb,
Thanks for your response. I enabled debug mode like you suggested and here is what I see in the log:
Jun 25 03:47:51 racoon: ERROR: failed to get sainfo.
Jun 25 03:47:51 racoon: DEBUG: remoteid mismatch: 2 != 1
Jun 25 03:47:51 racoon: DEBUG: evaluating sainfo: loc='10.0.0.0/24', rmt='ANONYMOUS', peer='ANY', id=2
Jun 25 03:47:51 racoon: DEBUG: getsainfo params: loc='10.0.0.3' rmt='10.61.15.0/24' peer='NULL' client='NULL' id=1
Jun 25 03:47:51 racoon: [VPNDevice]: [65.XXX.XXX.XXX] DEBUG: configuration "65.XXX.XXX.XXX[500]" selected.
Jun 25 03:47:51 racoon: DEBUG: new acquire 10.0.0.3/32[0] 10.61.15.0/24[0] proto=any dir=out
Jun 25 03:47:51 racoon: DEBUG: suitable inbound SP found: 10.61.15.0/24[0] 10.0.0.3/32[0] proto=any dir=in.
Any idea what could be causing that? I double checked my config and nothing has changed recently.
Thanks,
Derek -
Where your end expects 10.0.0.0/24 (which is sane for a site-to-site connection), the remote is sending "ANONYMOUS", which is generally for mobile IPsec clients. Did your WAN IP change so it no longer matches the site-to-site you have on the ASA? Somehow it's not using the ACL you have (or had, at least when it worked) defined for the P2.
-
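To make the debug lines above easier to read, here is a small added helper (not from the thread or from pfSense) that pulls the "getsainfo params" request and each "evaluating sainfo" candidate out of a racoon debug log and reports why a candidate cannot match: local or remote selector not covering what the kernel asked for, a remoteid mismatch, or an anonymous entry being tried for a site-to-site P2. The sample log is constructed from the lines quoted above; the `diagnose`, `covers` and `parse_fields` names are mine.

```python
import re
import ipaddress

# Constructed sample, modelled on the debug lines quoted in the thread.
SAMPLE_LOG = """\
Jun 25 03:47:51 racoon: DEBUG: getsainfo params: loc='10.0.0.3' rmt='10.61.15.0/24' peer='NULL' client='NULL' id=1
Jun 25 03:47:51 racoon: DEBUG: evaluating sainfo: loc='10.0.0.0/24', rmt='ANONYMOUS', peer='ANY', id=2
Jun 25 03:47:51 racoon: DEBUG: remoteid mismatch: 2 != 1
Jun 25 03:47:51 racoon: ERROR: failed to get sainfo.
"""

# key='quoted value' or key=number, as racoon prints them
FIELD_RE = re.compile(r"(\w+)=('([^']*)'|\d+)")


def parse_fields(line):
    """Turn "loc='10.0.0.3' rmt='...' id=1" into a dict of plain strings."""
    return {key: (inner or raw) for key, raw, inner in FIELD_RE.findall(line)}


def covers(selector, requested):
    """Does a configured selector (network or wildcard) cover the requested address/prefix?
    A bare address such as '10.0.0.3' is treated as the /32 network, which is why
    'Address 10.0.0.3' and 'Network 10.0.0.3/32' describe the same selector."""
    if selector in ("ANONYMOUS", "ANY"):
        return True  # wildcard entry: any address is accepted
    want = ipaddress.ip_network(requested, strict=False)
    have = ipaddress.ip_network(selector, strict=False)
    return want.subnet_of(have)


def diagnose(log_text):
    """Return one finding per sainfo candidate racoon evaluated, with the reasons it cannot match."""
    requested, findings = None, []
    for line in log_text.splitlines():
        if "getsainfo params:" in line:
            requested = parse_fields(line)
        elif "evaluating sainfo:" in line and requested:
            cand = parse_fields(line)
            reasons = []
            if not covers(cand["loc"], requested["loc"]):
                reasons.append(f"local {requested['loc']} not inside {cand['loc']}")
            if not covers(cand["rmt"], requested["rmt"]):
                reasons.append(f"remote {requested['rmt']} not inside {cand['rmt']}")
            if cand["id"] != requested["id"]:
                reasons.append(f"remoteid mismatch {cand['id']} != {requested['id']}")
            if cand["rmt"] == "ANONYMOUS":
                reasons.append("candidate has an ANONYMOUS remote (mobile-client style entry, per the reply above)")
            findings.append({"candidate": cand, "reasons": reasons})
    return findings
```

Running `diagnose(SAMPLE_LOG)` on the quoted lines reports the id mismatch (2 != 1) and the anonymous remote, while confirming that the local address 10.0.0.3 itself does sit inside 10.0.0.0/24.
-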
Nope, my external IP has not changed. My end is actually only configured to allow two IPs to use the VPN… 10.0.0.3 and 10.0.0.4. The ASA is set up to expect that. I set up the VPN to allow access to a few ranges on the ASA side: 10.61.8.0/24, 10.61.11.0/24, 10.61.12.0/24, 10.61.13.0/24, 10.61.14.0/24, 10.61.15.0/24, and 10.61.16.0/24.
Thanks,
Derek -
I just fixed it! For some reason it did not like that I set the local network to "Address." I changed it to "Network" and selected /32 as the prefix and it started working. Maybe a bug in the web interface?
-
What are the exact phase 2 local and remote definitions you have now and had previously?
-
Attached screenshots. It doesn't work when I select Address and type 10.0.0.3 for local. If I change it to Network with a mask of /32 it works fine.
I gitsynced against git://github.com/bsdperimeter/pfsense.git too… maybe the bug was introduced there.
![Screen Shot 2012-06-25 at 6.12.56 PM.png](/public/imported_attachments/1/Screen Shot 2012-06-25 at 6.12.56 PM.png)
![Screen Shot 2012-06-25 at 6.13.15 PM 1.png](/public/imported_attachments/1/Screen Shot 2012-06-25 at 6.13.15 PM 1.png)
-
I am having a similar problem. I was running 2.0 on one site, and 2.0-RC2 on the other. Upgraded the first side to 2.1 (8/15 snapshot) and boom, there goes the Phase 1 SA!
Message in the logs is:
racoon: []: [xxx] ERROR: couldn't find the pskey for xxx.xxx.xxx.xxx.
racoon: []: [xxx] ERROR: failed to process ph1 packet (side: 1, status: 4).
racoon: []: [xxx] ERROR: phase1 negotiation failed.
Pretty clearly a new problem with the keying. I have gone back and checked the settings on both sides and they are identical. But now I am having a keying problem. Something clearly changed in the 2.1 Development series. Anyone have any ideas?
–tkr
-
Only changes were to the GUI to add some additional options for hashes and such, nothing that would have hurt/helped an existing config.
What does your /var/etc/racoon.conf look like on both sides? And also /var/etc/spd.conf?