Can't connect two pfSense site-to-site IPSec vpn's



  • Greetings,

    I'm having a terrible time trying to get two pfSense boxes to connect via IPSec. I'm hoping someone can shed some light on what I'm doing wrong. Here's my setup:

    
    SiteA-1 (CARP Primary) \                  / SiteB-1 (CARP Primary)
                                     |-> IPSec <-|
    SiteA-2 (CARP Backup) /                  \ SiteB-2 (CARP Backup)
    
    

    Before we got SiteB-2 set up, SiteB-1 was configured and connected successfully to SiteA. We set up SiteB-2, enabled CARP, and created some virtual IPs to take over the VPN. After reconfiguring the VPN to use the virtual IPs, the VPN will no longer connect. I've deleted the settings on both SiteA and SiteB, recreated them, tried different encryption settings, and nothing seems to work.

    Here's debug output from SiteB-1:

    
    Aug 21 21:07:41	racoon: INFO: unsupported PF_KEY message REGISTER
    Aug 21 21:07:41	racoon: DEBUG: got pfkey REGISTER message
    Aug 21 21:07:41	racoon: DEBUG: pk_recv: retry[0] recv()
    Aug 21 21:07:41	racoon: DEBUG: getsainfo params: loc='172.17.0.0/16' rmt='172.16.0.0/16' peer='NULL' client='NULL' id=1
    Aug 21 21:07:41	racoon: DEBUG: no check of compression algorithm; not supported in sadb message.
    Aug 21 21:07:41	racoon: DEBUG: reading config file /var/etc/racoon.conf
    Aug 21 21:07:41	racoon: DEBUG: pk_recv: retry[2] recv()
    Aug 21 21:07:41	racoon: DEBUG: pk_recv: retry[1] recv()
    Aug 21 21:07:41	racoon: DEBUG: pk_recv: retry[0] recv()
    Aug 21 21:07:41	racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x80163a910: 172.17.1.149/32[0] 172.17.1.0/24[0] proto=any dir=out
    Aug 21 21:07:41	racoon: DEBUG: sub:0x7fffffffe580: 172.17.0.0/16[0] 172.16.0.0/16[0] proto=any dir=out
    Aug 21 21:07:41	racoon: DEBUG: db :0x80163a790: 172.16.0.0/16[0] 172.17.0.0/16[0] proto=any dir=in
    Aug 21 21:07:41	racoon: DEBUG: sub:0x7fffffffe580: 172.17.0.0/16[0] 172.16.0.0/16[0] proto=any dir=out
    Aug 21 21:07:41	racoon: DEBUG: sub:0x7fffffffe580: 172.17.0.0/16[0] 172.16.0.0/16[0] proto=any dir=out
    Aug 21 21:07:41	racoon: DEBUG: got pfkey X_SPDDUMP message
    Aug 21 21:07:41	racoon: DEBUG: pk_recv: retry[0] recv()
    Aug 21 21:07:41	racoon: DEBUG: db :0x80163a790: 172.16.0.0/16[0] 172.17.0.0/16[0] proto=any dir=in
    Aug 21 21:07:41	racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0x7fffffffe580: 172.17.1.149/32[0] 172.17.1.0/24[0] proto=any dir=out
    Aug 21 21:07:41	racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0x7fffffffe580: 172.17.1.149/32[0] 172.17.1.0/24[0] proto=any dir=out
    Aug 21 21:07:41	racoon: DEBUG: got pfkey X_SPDDUMP message
    Aug 21 21:07:41	racoon: DEBUG: pk_recv: retry[0] recv()
    Aug 21 21:07:41	racoon: DEBUG: sub:0x7fffffffe580: 172.16.0.0/16[0] 172.17.0.0/16[0] proto=any dir=in
    Aug 21 21:07:41	racoon: DEBUG: got pfkey X_SPDDUMP message
    Aug 21 21:07:41	racoon: DEBUG: pk_recv: retry[0] recv()
    Aug 21 21:07:41	racoon: DEBUG: got pfkey X_SPDDUMP message
    Aug 21 21:07:41	racoon: DEBUG: pk_recv: retry[0] recv()
    Aug 21 21:07:41	racoon: INFO: unsupported PF_KEY message REGISTER
    Aug 21 21:07:41	racoon: DEBUG: got pfkey REGISTER message
    Aug 21 21:07:41	racoon: DEBUG: pk_recv: retry[0] recv()
    Aug 21 21:07:39	racoon: DEBUG: db :0x80163a910: 172.17.0.0/16[0] 172.16.0.0/16[0] proto=any dir=out
    Aug 21 21:07:39	racoon: DEBUG: sub:0x7fffffffe590: 172.16.0.0/16[0] 172.17.0.0/16[0] proto=any dir=in
    Aug 21 21:07:39	racoon: DEBUG: sub:0x7fffffffe590: 172.16.0.0/16[0] 172.17.0.0/16[0] proto=any dir=in
    Aug 21 21:07:39	racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x80163a610: 172.17.1.149/32[0] 172.17.1.0/24[0] proto=any dir=out
    Aug 21 21:07:39	racoon: DEBUG: sub:0x7fffffffe590: 172.16.0.0/16[0] 172.17.0.0/16[0] proto=any dir=in
    Aug 21 21:07:39	racoon: DEBUG: got pfkey X_SPDADD message
    Aug 21 21:07:39	racoon: DEBUG: pk_recv: retry[0] recv()
    Aug 21 21:07:39	racoon: DEBUG: sub:0x7fffffffe590: 172.17.0.0/16[0] 172.16.0.0/16[0] proto=any dir=out
    Aug 21 21:07:39	racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x80163a610: 172.17.1.149/32[0] 172.17.1.0/24[0] proto=any dir=out
    Aug 21 21:07:39	racoon: DEBUG: sub:0x7fffffffe590: 172.17.0.0/16[0] 172.16.0.0/16[0] proto=any dir=out
    Aug 21 21:07:39	racoon: DEBUG: got pfkey X_SPDADD message
    Aug 21 21:07:39	racoon: DEBUG: pk_recv: retry[0] recv()
    Aug 21 21:07:39	racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x80163a610: 172.17.1.149/32[0] 172.17.1.0/24[0] proto=any dir=out
    Aug 21 21:07:39	racoon: DEBUG: sub:0x7fffffffe590: 172.17.1.0/24[0] 172.17.1.149/32[0] proto=any dir=in
    Aug 21 21:07:39	racoon: DEBUG: got pfkey X_SPDADD message
    Aug 21 21:07:39	racoon: DEBUG: pk_recv: retry[0] recv()
    Aug 21 21:07:39	racoon: DEBUG: got pfkey X_SPDADD message
    Aug 21 21:07:39	racoon: DEBUG: pk_recv: retry[0] recv()
    Aug 21 21:07:39	racoon: INFO: unsupported PF_KEY message REGISTER
    Aug 21 21:07:39	racoon: DEBUG: got pfkey REGISTER message
    Aug 21 21:07:39	racoon: DEBUG: pk_recv: retry[0] recv()
    Aug 21 21:07:39	racoon: DEBUG: pfkey X_SPDDUMP failed: No such file or directory
    Aug 21 21:07:39	racoon: DEBUG: got pfkey X_SPDDUMP message
    Aug 21 21:07:39	racoon: DEBUG: pk_recv: retry[0] recv()
    Aug 21 21:07:39	racoon: [Self]: INFO: 192.168.1.74[500] used as isakmp port (fd=15)
    Aug 21 21:07:39	racoon: [Self]: INFO: 192.168.1.74[500] used for NAT-T
    Aug 21 21:07:39	racoon: [Self]: INFO: 192.168.1.74[4500] used as isakmp port (fd=14)
    Aug 21 21:07:39	racoon: [Self]: INFO: 192.168.1.74[4500] used for NAT-T
    Aug 21 21:07:39	racoon: DEBUG: open /var/db/racoon/racoon.sock as racoon management.
    Aug 21 21:07:39	racoon: DEBUG: getsainfo params: loc='172.17.0.0/16' rmt='172.16.0.0/16' peer='NULL' client='NULL' id=1
    Aug 21 21:07:39	racoon: DEBUG: no check of compression algorithm; not supported in sadb message.
    Aug 21 21:07:39	racoon: DEBUG: reading config file /var/etc/racoon.conf
    Aug 21 21:07:39	racoon: DEBUG: call pfkey_send_register for IPCOMP
    Aug 21 21:07:39	racoon: DEBUG: call pfkey_send_register for ESP
    Aug 21 21:07:39	racoon: DEBUG: call pfkey_send_register for AH
    Aug 21 21:07:39	racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
    Aug 21 21:07:39	racoon: INFO: @(#)This product linked OpenSSL 0.9.8n 24 Mar 2010 (http://www.openssl.org/)
    Aug 21 21:07:39	racoon: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
    
    

    SiteA-1 does not have debug turned on (I don't want to kill our active VPNs yet), but all it has during the above time frame is:

    
    racoon: INFO: unsupported PF_KEY message REGISTER
    
    

    At first I thought it was a side effect of setting up CARP and moving to a virtual IP. I turned off CARP, removed the vip and flipped it all back to the originally working config. It still would never connect. Any ideas what might be causing this?
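To make the SPD dump above easier to read, here is an added triage script (not from the original thread or from pfSense) that pulls the "db :" policy entries out of a racoon debug log and flags any that do not match the configured tunnel pair, or that racoon labelled "[Unknown Gateway/Dynamic]". The sample lines are constructed in the shape of the SiteB-1 output, and the local/remote subnets are the ones from the thread.

```python
import re
from ipaddress import ip_network

# Constructed sample in the shape of the thread's SiteB-1 debug output
# (timestamps dropped); not a real capture.
SAMPLE_LOG = """\
racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x80163a910: 172.17.1.149/32[0] 172.17.1.0/24[0] proto=any dir=out
racoon: DEBUG: db :0x80163a790: 172.16.0.0/16[0] 172.17.0.0/16[0] proto=any dir=in
racoon: DEBUG: db :0x80163a610: 172.17.0.0/16[0] 172.16.0.0/16[0] proto=any dir=out
racoon: DEBUG: got pfkey X_SPDDUMP message
"""

# "db :" lines are kernel SPD entries; the optional "[...]:" prefix is the
# peer label racoon attached to the message ("[Self]", a gateway, or
# "[Unknown Gateway/Dynamic]" when it could not tie the entry to a peer).
SPD_RE = re.compile(
    r"racoon: (?:\[(?P<tag>[^\]]+)\]: )?DEBUG: db :0x[0-9a-f]+: "
    r"(?P<src>\S+?)\[\d+\] (?P<dst>\S+?)\[\d+\] proto=(?P<proto>\S+) dir=(?P<dir>in|out)"
)

def parse_spd_entries(log):
    """Return one dict (tag, src, dst, proto, dir) per SPD entry in the log."""
    entries = []
    for line in log.splitlines():
        m = SPD_RE.search(line)
        if m:
            d = m.groupdict()
            d["tag"] = d["tag"] or ""
            entries.append(d)
    return entries

def unexpected_policies(entries, local_net, remote_net):
    """Flag entries that are not the expected local<->remote pair.

    dir=out should be (local, remote); dir=in should be (remote, local).
    Anything tagged 'Unknown Gateway/Dynamic' is reported regardless.
    """
    local, remote = ip_network(local_net), ip_network(remote_net)
    flagged = []
    for e in entries:
        src, dst = ip_network(e["src"]), ip_network(e["dst"])
        want = (local, remote) if e["dir"] == "out" else (remote, local)
        if (src, dst) != want or e["tag"] == "Unknown Gateway/Dynamic":
            flagged.append((e["tag"], e["src"], e["dst"], e["dir"]))
    return flagged

if __name__ == "__main__":
    entries = parse_spd_entries(SAMPLE_LOG)
    for item in unexpected_policies(entries, "172.17.0.0/16", "172.16.0.0/16"):
        print("unexpected SPD entry:", item)
```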



  • Here's the racoon.conf files for the above systems. Please note I've changed the first three octets of the IPs, but other than that they should be the same.

    The IPs involved will be:
    WAN:
    SiteA vip: 192.168.1.66
    SiteA-1: 192.168.1.76
    SiteA-2: 192.168.1.77

    SiteB vip: 192.168.1.74
    SiteB-1: 192.168.73
    SiteB-2: 192.168.72

    LAN:
    SiteA network: 172.16.0.0/16
    SiteB network: 172.17.0.0/16

    SiteA-1-racoon.conf.txt
    SiteA-2-racoon.conf.txt
    SiteB-1-racoon.conf.txt
    SiteB-2-racoon.conf.txt



  • "Unknown Gateway/Dynamic" indicates you set up the wrong "remote" endpoint IP on that side.



  • It's not though, at least not in the config or the web ui. We're going to reformat them since they aren't doing anything important. See if that makes a difference.



  • It's not Windows. :) Unless you've been mucking with source code, the format and reinstall routine isn't going to change anything.

    Without seeing non-anonymized configs, I can't offer further suggestions.



  • Aye, I'm getting too used to Windows here..

    Anyways, I think we figured it out. We had the two systems on the same network segment. And.. I used the same vhid and CARP passwords for both. Once we moved them behind another router on another network, it's been working fine. This also solved our seemingly random flip-flopping of our main pfsense boxes. I guess that's why you shouldn't have multiple VIPs in the same CARP group on the same network.
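The root cause in this last post is a configuration check that can be automated. The following is an added example (not from the thread or from pfSense) that takes a list of CARP VIP definitions and reports VHIDs reused by different clusters within the same broadcast domain, which is the condition that makes two unrelated clusters see each other's advertisements and fight over master state. The VIP list, segment names and VHID values are constructed placeholders modelled on the thread's setup before the fix.

```python
from collections import defaultdict

# Constructed sample modelled on the thread's pre-fix layout: both clusters'
# WAN VIPs sit on one segment and reuse VHID 1. Segment names and VHIDs are
# placeholders, not values from the original configs.
VIPS = [
    {"cluster": "SiteA", "segment": "shared-wan-192.168.1.0/24", "vhid": 1, "address": "192.168.1.66"},
    {"cluster": "SiteB", "segment": "shared-wan-192.168.1.0/24", "vhid": 1, "address": "192.168.1.74"},
    {"cluster": "SiteA", "segment": "lan-172.16.0.0/16", "vhid": 2, "address": "172.16.0.1"},
    {"cluster": "SiteB", "segment": "lan-172.17.0.0/16", "vhid": 2, "address": "172.17.0.1"},
]

def vhid_conflicts(vips):
    """Return [(segment, vhid, [clusters])] for VHIDs shared across clusters.

    CARP groups are identified by VHID within a broadcast domain, so the
    same VHID on two different segments (the LAN entries above) is fine;
    the same VHID on one segment used by two clusters is the problem.
    """
    groups = defaultdict(set)
    for v in vips:
        groups[(v["segment"], v["vhid"])].add(v["cluster"])
    return sorted(
        (seg, vhid, sorted(clusters))
        for (seg, vhid), clusters in groups.items()
        if len(clusters) > 1
    )

def next_free_vhid(vips, segment):
    """Smallest VHID (1..255) not yet used on the given segment, or None."""
    used = {v["vhid"] for v in vips if v["segment"] == segment}
    return next((n for n in range(1, 256) if n not in used), None)

if __name__ == "__main__":
    for seg, vhid, clusters in vhid_conflicts(VIPS):
        print(f"VHID {vhid} on {seg} is shared by {clusters}; "
              f"one cluster could move to VHID {next_free_vhid(VIPS, seg)}")
```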

