RV042 to pfsense tunnel help- pfsense to pfsense works



  • Hi,
    I'm trying to set up a tunnel between a RV042 and pfsense v2.0.1. I've searched the forum and found a few old threads, but nothing that really helped, and most were from before pfsense v2. Here is the log I get when trying to start the tunnel.

    Thanks for any help.

    Jul 16 15:09:05 racoon: []: [68.118..] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
    Jul 16 15:09:05 racoon: []: INFO: respond new phase 2 negotiation: 68.116..[500]<=>68.118..[500]
    Jul 16 15:08:55 racoon: []: [68.118..] ERROR: phase2 negotiation failed.
    Jul 16 15:08:55 racoon: []: [68.118..] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 0, status 5).
    Jul 16 15:08:55 racoon: ERROR: mismatched IDci was returned.
    Jul 16 15:08:55 racoon: []: INFO: initiate new phase 2 negotiation: 68.116..[500]<=>68.118..*[500]

    Phase 1:

    Phase 2:

    The RV042 side:



  • Update:

    I changed the option Proposal Checking on pfsense to Obey instead of Default and the tunnel came right up. What does default do that's different than say obey?

    Thanks,
    Matt



  • OK, spoke too soon.
    I can get a tunnel only if I initiate it from the RV042. I can't get a tunnel initiating from the pfsense side. I enabled debug mode and these are the last few lines where it fails. Yet the phase 2 settings look the same between the two. Again, the tunnel works if started from the RV042 side.

    Any thoughts?

    Jul 16 19:33:59 racoon: DEBUG: IV freed
    Jul 16 19:33:59 racoon: []: [68.186.***.***] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
    Jul 16 19:33:59 racoon: DEBUG: invalid length of payload
    Jul 16 19:33:59 racoon: DEBUG: seen nptype=8(hash)
    Jul 16 19:33:59 racoon: DEBUG: begin.
    Jul 16 19:33:59 racoon: DEBUG: d79e6d02 cf9a005c 4a37c525 56497fcf 08102001 814a4aea 0000009c 9aa1768f f7f830cd d1f93e04 471ffc70 1c48b864 c8bc2c4e 0a000034 00000001 00000001 00000028 01030401 4a718b7a 0000001c 01030000 80010001 80020e10 80040003 80050001 80030002 04000014 87fa5484 2fe32c6c fba7078f 1b018ced 05000010 04000000 c0a80000 ffffff00 00000010 04000000 c0a80100 ffffff00
    Jul 16 19:33:59 racoon: DEBUG: decrypted.
    Jul 16 19:33:59 racoon: DEBUG: skip to trim padding.
    Jul 16 19:33:59 racoon: DEBUG: padding len=1
    Jul 16 19:33:59 racoon: DEBUG: 9aa1768f f7f830cd d1f93e04 471ffc70 1c48b864 c8bc2c4e 0a000034 00000001 00000001 00000028 01030401 4a718b7a 0000001c 01030000 80010001 80020e10 80040003 80050001 80030002 04000014 87fa5484 2fe32c6c fba7078f 1b018ced 05000010 04000000 c0a80000 ffffff00 00000010 04000000 c0a80100 ffffff00
    Jul 16 19:33:59 racoon: DEBUG: decrypted payload, but not trimed.
    Jul 16 19:33:59 racoon: DEBUG: 47524e22 03c79bc7
    Jul 16 19:33:59 racoon: DEBUG: decrypted payload by IV:
    Jul 16 19:33:59 racoon: DEBUG: d6fa5098 1442f243 b739d858 34ff36e8 81e1b71c d04b8a6f
    Jul 16 19:33:59 racoon: DEBUG: with key:
    Jul 16 19:33:59 racoon: DEBUG: encryption(3des)
    Jul 16 19:33:59 racoon: DEBUG: acd93131 c862c79c
    Jul 16 19:33:59 racoon: DEBUG: IV was saved for next processing:
    Jul 16 19:33:59 racoon: DEBUG: encryption(3des)
    Jul 16 19:33:59 racoon: DEBUG: begin decryption.
    Jul 16 19:33:59 racoon: []: INFO: respond new phase 2 negotiation: 68.116.***.***[4500]<=>68.186.***.***[4500]
    Jul 16 19:33:59 racoon: DEBUG: ===

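The hex line racoon printed just before "invalid length of payload" is the complete decrypted Quick Mode message, and walking its payload chain shows concretely what "Check Phase 2 settings, networks" is about. The decoder below is an added example (the editor's code, not racoon's, pfSense's or the poster's), fed the hex words copied from the debug line above; the payload layouts follow RFC 2408 and RFC 2407, and the one guess it makes, resuming after the HASH payload, is labelled as a heuristic in the code. The reason it needs that heuristic is visible in the dump itself: the first 8 bytes after the ISAKMP header decode to nonsense while everything after them parses cleanly, which under 3DES-CBC is the signature of a wrong IV (a wrong key would garble the whole message), and those 8 bytes are exactly where the HASH(1) payload header lives.

```python
"""Decode the decrypted Quick Mode packet racoon dumped above.  Editor's added example, not
racoon's, pfSense's or the poster's code; layout per RFC 2408 (ISAKMP) and RFC 2407 (IPsec DOI)."""
import struct
from ipaddress import IPv4Address

# Constructed input: the hex words copied from the "DEBUG: d79e6d02 ..." line of the log.
RACOON_DUMP = (
    "d79e6d02 cf9a005c 4a37c525 56497fcf 08102001 814a4aea 0000009c "
    "9aa1768f f7f830cd d1f93e04 471ffc70 1c48b864 c8bc2c4e 0a000034 00000001 "
    "00000001 00000028 01030401 4a718b7a 0000001c 01030000 80010001 80020e10 "
    "80040003 80050001 80030002 04000014 87fa5484 2fe32c6c fba7078f 1b018ced "
    "05000010 04000000 c0a80000 ffffff00 00000010 04000000 c0a80100 ffffff00")
HDR = 28                                  # fixed ISAKMP header size
PAYLOAD = {0: "NONE", 1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 11: "N", 12: "D", 13: "VID"}
EXCHANGE = {2: "Main Mode", 4: "Aggressive", 32: "Quick Mode"}
ATTR = {1: "SA Life Type", 2: "SA Life Duration", 3: "Group Description",
        4: "Encapsulation Mode", 5: "Authentication Algorithm", 6: "Key Length"}
ATTR_VALUE = {1: {1: "seconds", 2: "kilobytes"}, 5: {1: "HMAC-MD5", 2: "HMAC-SHA1"},
              3: {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048"},
              4: {1: "Tunnel", 2: "Transport", 3: "UDP-Encapsulated-Tunnel", 4: "UDP-Encapsulated-Transport"}}

def parse_header(buf):
    _, _, npt, _, xchg, flags, msgid, length = struct.unpack(">8s8sBBBBII", buf[:HDR])
    return {"next_type": npt, "exchange": EXCHANGE.get(xchg, xchg), "encrypted": bool(flags & 1),
            "msgid": f"{msgid:08x}", "length": length}

def parse_attrs(body):
    """Transform attributes: TV (high bit set, 16-bit value inline) or TLV (value follows)."""
    out, i = [], 0
    while i + 4 <= len(body):
        kind, val = struct.unpack(">HH", body[i:i + 4])
        i += 4
        if not kind & 0x8000:                 # TLV: val is the length of the value
            val, i = int.from_bytes(body[i:i + val], "big"), i + val
        kind &= 0x7FFF
        out.append((ATTR.get(kind, kind), ATTR_VALUE.get(kind, {}).get(val, val)))
    return out

def parse_sa(body):
    """SA body: DOI, situation, then proposals, each carrying transforms with attributes."""
    proposals, i = [], 8
    while i + 8 <= len(body):
        _, _, plen, pnum, proto, spi_size, ntrans = struct.unpack(">BBHBBBB", body[i:i + 8])
        spi, j, transforms = body[i + 8:i + 8 + spi_size].hex(), i + 8 + spi_size, []
        for _ in range(ntrans):
            _, _, tlen, _, tid = struct.unpack(">BBHBB", body[j:j + 6])
            name = {2: "ESP_DES", 3: "ESP_3DES", 12: "ESP_AES"}.get(tid, tid) if proto == 3 else tid
            transforms.append({"id": name, "attrs": parse_attrs(body[j + 8:j + tlen])})
            j += tlen
        proposals.append({"num": pnum, "proto": {2: "AH", 3: "ESP"}.get(proto, proto), "spi": spi, "transforms": transforms})
        i += plen
    return {"doi": int.from_bytes(body[:4], "big"), "proposals": proposals}

def parse_id(body):
    """ID body: type, protocol, port, then the address (address + mask for subnet IDs)."""
    id_type, proto, port = struct.unpack(">BBH", body[:4])
    data = body[4:]
    text = f"{IPv4Address(data[:4])}/{IPv4Address(data[4:])}" if id_type == 4 and len(data) == 8 else data.hex()
    return {"type": {1: "IPV4_ADDR", 4: "IPV4_ADDR_SUBNET"}.get(id_type, id_type), "proto": proto, "port": port, "id": text}

def walk_payloads(buf, offset, ptype):
    """Follow the next-payload chain; a length that does not fit stops the walk with an error
    entry, which is what racoon's 'invalid length of payload' reports."""
    chain = []
    while ptype != 0 and offset + 4 <= len(buf):
        nxt, _, plen = struct.unpack(">BBH", buf[offset:offset + 4])
        entry = {"type": PAYLOAD.get(ptype, ptype), "offset": offset, "len": plen}
        chain.append(entry)
        if plen < 4 or offset + plen > len(buf):
            entry["error"] = f"invalid length of payload ({plen})"
            break
        body = buf[offset + 4:offset + plen]
        if ptype == 1:
            entry["sa"] = parse_sa(body)
        elif ptype == 5:
            entry["id"] = parse_id(body)
        elif ptype == 4 and len(body) < 96:   # modp768, the smallest group, needs 96 bytes
            entry["error"] = f"KE body is {len(body)} bytes, too short for any DH public value"
            if len(body) == 12 and body[0] in (1, 4):   # heuristic: shaped like an ID body
                entry["looks_like_id"] = parse_id(body)
        offset, ptype = offset + plen, nxt
    return chain

def resync_after_hash(buf):
    """Heuristic (editor's assumption): a wrong IV garbles only the first 8-byte 3DES-CBC block,
    i.e. the HASH(1) header; Quick Mode puts SA right after HASH(1) (RFC 2409), so try MD5/SHA1
    hash sizes and keep the offset whose payload header has a known type and a length that fits."""
    for hlen in (16, 20):
        off = HDR + 4 + hlen
        if off + 4 <= len(buf):
            nxt, _, plen = struct.unpack(">BBH", buf[off:off + 4])
            if nxt in PAYLOAD and 4 <= plen <= len(buf) - off:
                return off, hlen
    return None, None

def decode_dump(hexwords):
    buf = bytes.fromhex(hexwords.replace(" ", ""))
    hdr = parse_header(buf)
    report = {"header": hdr, "chain": walk_payloads(buf, HDR, hdr["next_type"])}
    if hdr["next_type"] == 8 and len(report["chain"]) == 1 and "error" in report["chain"][0]:
        off, hlen = resync_after_hash(buf)
        if off is not None:
            report["resync"] = {"garbled_hash_len": hlen, "resumed_at": off}
            report["chain"] += walk_payloads(buf, off, 1)
    return report
```

Calling `decode_dump(RACOON_DUMP)` reports the HASH payload with an impossible length (racoon's error), then, after resuming past a 20-byte hash, one ESP proposal: 3DES, HMAC-MD5, 3600 s lifetime, UDP-encapsulated tunnel mode and a Group Description of modp1024, which in a phase 2 proposal is the PFS group the Netgate reply points at; then a 16-byte nonce and the IDs 192.168.0.0/255.255.255.0 and 192.168.1.0/255.255.255.0. The chain labels after the nonce do not match the payload shapes: the nonce's next-payload field says KE, but the 12 bytes that follow are far too short for a DH public value and are shaped like an ID payload body, so the decoder flags both rather than trusting either. One caveat the thread's Obey/Default discussion needs: per racoon.conf(5), proposal_check (pfSense's Proposal Checking) only changes how racoon as responder treats the peer's lifetime, key length and PFS choices; it does nothing for a message whose first block does not decrypt.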

  • Rebel Alliance Developer Netgate

    If it works with Obey and only when they initiate, then you have a settings mismatch. Most likely in Phase 1.

    With Obey, it is more lenient and will accept the Phase 1 settings proposed by the initiator, rather than strictly using exactly what you set.



  • Thanks for the reply. I've checked everything in phase 1 and I can't see anything different. I tried changing Identifiers to the actual IPs instead of My IP and Peer IP, which didn't seem to help. I switched Obey back to Default and I see this in the log: "ERROR: none message must be encrypted". I have no idea what that means.


  • Rebel Alliance Developer Netgate

    You have PFS enabled on the P2 on the pfSense end and it's not enabled on the other side. (Not sure how, but I didn't see the screenshots when I replied before…)



  • Thank you for your help, Jimp. I rechecked PFS on the RV042 but it still didn't work. After changing and changing back a few other settings, I ended up setting both sides to Main instead of Aggressive. I was able to initiate a tunnel from the pfsense side this time and it seems to be working well now.

    Again Thanks

