Netgate Discussion Forum
    RV042 to pfsense tunnel help- pfsense to pfsense works

    IPsec
    7 Posts 2 Posters 6.8k Views
    justsomeguy6575

      Hi,
      I'm trying to set up a tunnel between an RV042 and pfsense v2.0.1. I've searched the forum and found a few old threads, but nothing that really helped, and most were from before pfsense v2. Here is the log I get when trying to start the tunnel.

      Thanks for any help.

      Jul 16 15:09:05 racoon: []: [68.118..] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
      Jul 16 15:09:05 racoon: []: INFO: respond new phase 2 negotiation: 68.116..[500]<=>68.118..[500]
      Jul 16 15:08:55 racoon: []: [68.118..] ERROR: phase2 negotiation failed.
      Jul 16 15:08:55 racoon: []: [68.118..] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 0, status 5).
      Jul 16 15:08:55 racoon: ERROR: mismatched IDci was returned.
      Jul 16 15:08:55 racoon: []: INFO: initiate new phase 2 negotiation: 68.116..[500]<=>68.118.*.[500]

      Phase 1:

      Phase 2:

      The RV042 side:

      justsomeguy6575

        Update:

        I changed the option Proposal Checking on pfsense to Obey instead of Default and the tunnel came right up. What does default do that's different than say obey?

        Thanks,
        Matt

        justsomeguy6575

          OK, spoke too soon.
          I can get a tunnel only if I initiate it from the RV042. I can't get a tunnel initiating from the pfsense side. I enabled debug mode and these are the last few lines where it fails. Yet the phase 2 settings look the same between the two. Again, the tunnel works if started from the RV042 side.

          Any thoughts?

          Jul 16 19:33:59 racoon: DEBUG: IV freed
          Jul 16 19:33:59 racoon: []: [68.186..] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
          Jul 16 19:33:59 racoon: DEBUG: invalid length of payload
          Jul 16 19:33:59 racoon: DEBUG: seen nptype=8(hash)
          Jul 16 19:33:59 racoon: DEBUG: begin.
          Jul 16 19:33:59 racoon: DEBUG: d79e6d02 cf9a005c 4a37c525 56497fcf 08102001 814a4aea 0000009c 9aa1768f f7f830cd d1f93e04 471ffc70 1c48b864 c8bc2c4e 0a000034 00000001 00000001 00000028 01030401 4a718b7a 0000001c 01030000 80010001 80020e10 80040003 80050001 80030002 04000014 87fa5484 2fe32c6c fba7078f 1b018ced 05000010 04000000 c0a80000 ffffff00 00000010 04000000 c0a80100 ffffff00
          Jul 16 19:33:59 racoon: DEBUG: decrypted.
          Jul 16 19:33:59 racoon: DEBUG: skip to trim padding.
          Jul 16 19:33:59 racoon: DEBUG: padding len=1
          Jul 16 19:33:59 racoon: DEBUG: 9aa1768f f7f830cd d1f93e04 471ffc70 1c48b864 c8bc2c4e 0a000034 00000001 00000001 00000028 01030401 4a718b7a 0000001c 01030000 80010001 80020e10 80040003 80050001 80030002 04000014 87fa5484 2fe32c6c fba7078f 1b018ced 05000010 04000000 c0a80000 ffffff00 00000010 04000000 c0a80100 ffffff00
          Jul 16 19:33:59 racoon: DEBUG: decrypted payload, but not trimed.
          Jul 16 19:33:59 racoon: DEBUG: 47524e22 03c79bc7
          Jul 16 19:33:59 racoon: DEBUG: decrypted payload by IV:
          Jul 16 19:33:59 racoon: DEBUG: d6fa5098 1442f243 b739d858 34ff36e8 81e1b71c d04b8a6f
          Jul 16 19:33:59 racoon: DEBUG: with key:
          Jul 16 19:33:59 racoon: DEBUG: encryption(3des)
          Jul 16 19:33:59 racoon: DEBUG: acd93131 c862c79c
          Jul 16 19:33:59 racoon: DEBUG: IV was saved for next processing:
          Jul 16 19:33:59 racoon: DEBUG: encryption(3des)
          Jul 16 19:33:59 racoon: DEBUG: begin decryption.
          Jul 16 19:33:59 racoon: []: INFO: respond new phase 2 negotiation: 68.116..[4500]<=>68.186..[4500]
          Jul 16 19:33:59 racoon: DEBUG: ===

          jimp (Rebel Alliance Developer, Netgate)

            If it works with Obey and only when they initiate, then you have a settings mismatch. Most likely in Phase 1.

            With Obey, it is more lenient and will accept the Phase 1 settings proposed by the initiator, rather than strictly using exactly what you set.

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

            justsomeguy6575

              Thanks for the reply. I've checked everything in phase 1 and I can't see anything different. I tried changing Identifiers to the actual IPs instead of My IP and Peer IP; that didn't seem to help. I switched Obey back to Default and I see this in the log: "ERROR: none message must be encrypted". I have no idea what that means.

              jimp (Rebel Alliance Developer, Netgate)

                You have PFS enabled on the P2 on the pfSense end and it's not enabled on the other side. (Not sure how, but I didn't see the screenshots when I replied before…)


                justsomeguy6575

                  Thank you for your help, Jimp. I rechecked PFS on the RV042 but it still didn't work. After changing and changing back a few other settings, I ended up setting both sides to Main instead of Aggressive. I was able to initiate a tunnel from the pfsense side this time and it seems to be working well now.

                  Again Thanks

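Worked example, added here and not part of the thread: a small Python decoder for the racoon debug dump in the third post (the 28-byte ISAKMP header from the first hex line plus the "decrypted payload, but not trimed" bytes). It reproduces racoon's "invalid length of payload" on the HASH(1) payload, then resumes at the SA payload and pulls out the transform attributes and the phase 2 identities, which is where the PFS and network settings the thread argues about actually appear on the wire. It assumes the hex in the log is complete and that HASH(1) is 24 bytes, because the SA header is visible at offset 24.

```python
import struct
from ipaddress import IPv4Address

# Constructed from the thread's racoon dump: the 28-byte ISAKMP header and the 128 decrypted body bytes.
HEADER = bytes.fromhex("d79e6d02 cf9a005c 4a37c525 56497fcf 08102001 814a4aea 0000009c")
BODY = bytes.fromhex(
    "9aa1768f f7f830cd d1f93e04 471ffc70 1c48b864 c8bc2c4e"                # HASH(1); header garbled
    "0a000034 00000001 00000001 00000028 01030401 4a718b7a"                # SA: DOI, SIT, ESP proposal
    "0000001c 01030000 80010001 80020e10 80040003 80050001 80030002"       # 3DES transform + attributes
    "04000014 87fa5484 2fe32c6c fba7078f 1b018ced"                         # Nonce; next-payload byte says KE
    "05000010 04000000 c0a80000 ffffff00 00000010 04000000 c0a80100 ffffff00")  # two IPv4-subnet IDs
PAYLOAD = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE"}
ATTR = {1: "life_type", 2: "life_seconds", 3: "group_desc", 4: "encap_mode", 5: "auth_alg"}

def parse_header(hdr):
    """ISAKMP header: exchange type 32 = quick mode, flags bit 0 = encrypted, length of the whole message."""
    _, _, nxt, _, xchg, flags, _, length = struct.unpack("!8s8sBBBBII", hdr)
    return {"next": nxt, "exchange": xchg, "encrypted": bool(flags & 1), "length": length}
def walk_payloads(body, first_type, offset=0):
    """Follow the next-payload chain; like racoon, stop at the first impossible payload length."""
    found, ptype = [], first_type
    while ptype != 0:
        nxt, _, plen = struct.unpack("!BBH", body[offset:offset + 4])
        if plen < 4 or offset + plen > len(body):
            return found, f"invalid length of payload ({PAYLOAD.get(ptype, ptype)} len={plen})"
        found.append((ptype, body[offset + 4:offset + plen]))
        ptype, offset = nxt, offset + plen
    return found, None
def transform_attrs(sa):
    """Transform ID and basic (TV) attributes of the first transform in a phase-2 SA payload."""
    tbase = 16 + sa[14]                                   # DOI(4) SIT(4) proposal hdr(8) SPI(spi_size)
    end, pos = tbase + struct.unpack("!H", sa[tbase + 2:tbase + 4])[0], tbase + 8
    attrs = {"transform_id": sa[tbase + 5]}
    while pos < end:
        atype, value = struct.unpack("!HH", sa[pos:pos + 4])
        if atype & 0x8000:                                # TV form: the value is the attribute itself
            attrs[ATTR.get(atype & 0x7FFF, atype & 0x7FFF)] = value
        pos += 4 if atype & 0x8000 else 4 + value         # TLV form: value is a length, data follows
    return attrs
def decode_id(data):
    assert data[0] == 4, f"unhandled ID type {data[0]}"  # 4 = ID_IPV4_ADDR_SUBNET: address then mask
    return f"{IPv4Address(data[4:8])}/{IPv4Address(data[8:12])}"
def analyse():
    hdr = parse_header(HEADER)
    _, hash_err = walk_payloads(BODY, hdr["next"])        # reproduces racoon's error on HASH(1)
    # SA header (next=10, len 0x34) sits at offset 24, so HASH(1) = 4 + 20 bytes (SHA-1); resume there.
    found = dict(rest := walk_payloads(BODY, 1, offset=24)[0])
    return {**hdr, "hash_error": hash_err, "chain": [PAYLOAD[t] for t, _ in rest],
            "attrs": transform_attrs(found[1]),           # group_desc=2: this peer proposes PFS (DH group 2)
            "idci": decode_id(found[4]), "idcr": decode_id(found[5])}  # found[4] is labelled KE but is IDci
```

In this dump, group_desc=2 means the peer that sent the message proposes PFS with DH group 2 (encap_mode 3 is UDP-encapsulated tunnel, matching the [4500] ports in the log; auth_alg 1 is HMAC-MD5), so comparing it against the PFS setting on the pfSense P2 is the check jimp's answer calls for. The garbled first 8-byte block followed by clean data is what 3DES-CBC decryption with a wrong IV produces, and the nonce's next-payload byte announcing KE while only a 12-byte subnet ID follows is a second inconsistency in the same message.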
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.