Netgate Discussion Forum
    IPSEC with multiple subnets - why value mismatch (IPv4_subnet)

    6 Posts 2 Posters 8.1k Views
    • M
      mbayer
      last edited by

      Hello,

      I have a problem that I do not understand and am trying to find an answer here.
      I have a Site 2 Site VPN between a pfSense 2.0 on our side and some 3rd party (Checkpoint) on the other side of the tunnel.

      The remote subnet is 10.10.255.0/24
      Locally we have two subnets
      10.10.253.0/24
      10.10.254.0/24
      that are configured as two separate tunnels in phase 2

      The outgoing direction is working from both subnets.
      The problem is that a connection from the other side cannot be established.

      Phase 2 is not working because of a "value mismatch (IPv4_subnet)" when comparing the target IP (10.10.253.11) on our side.

      racoon debug log shows the following entries.

      Jul 3 12:20:56  racoon: [Gateway EXT]: [a.b.c.d] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
      Jul 3 12:20:56 racoon: ERROR: failed to get sainfo.
      Jul 3 12:20:56 racoon: ERROR: failed to get sainfo.
      Jul 3 12:20:56 racoon: DEBUG: cmpid source: '10.10.254.0/24'
      Jul 3 12:20:56 racoon: DEBUG: cmpid target: '10.10.253.11'
      Jul 3 12:20:56 racoon: DEBUG: check and compare ids : value mismatch (IPv4_subnet)
      Jul 3 12:20:56 racoon: DEBUG: evaluating sainfo: loc='10.10.254.0/24', rmt='10.10.255.0/24', peer='ANY', id=2
      Jul 3 12:20:56 racoon: DEBUG: cmpid source: '10.10.253.0/24'
      Jul 3 12:20:56 racoon: DEBUG: cmpid target: '10.10.253.11'
      Jul 3 12:20:56 racoon: DEBUG: check and compare ids : value mismatch (IPv4_subnet)
      Jul 3 12:20:56 racoon: DEBUG: evaluating sainfo: loc='10.10.253.0/24', rmt='10.10.255.0/24', peer='ANY', id=2
      Jul 3 12:20:56 racoon: DEBUG: getsainfo params: loc='10.10.253.11' rmt='10.10.255.75' peer='a.b.c.d' client='a.b.c.d' id=2

      In my understanding this should match, which it obviously doesn't.

      racoon: DEBUG: cmpid source: '10.10.253.0/24'
      racoon: DEBUG: cmpid target: '10.10.253.11'

      I guess, the second comparison with the other subnet is done because the first one didn't match.

      Local and remote subnet settings/encryption domains have been triple checked in the settings on both sides.
      Here is the relevant content of /var/etc/spd.conf

      spdadd 10.10.253.0/24 10.10.255.0/24 any -P out ipsec esp/tunnel/e.f.g.h-a.b.c.d/unique;
      spdadd 10.10.255.0/24 10.10.253.0/24 any -P in ipsec esp/tunnel/a.b.c.d-e.f.g.h/unique;
      spdadd 10.10.254.0/24 10.10.255.0/24 any -P out ipsec esp/tunnel/e.f.g.h-a.b.c.d/unique;
      spdadd 10.10.255.0/24 10.10.254.0/24 any -P in ipsec esp/tunnel/a.b.c.d-e.f.g.h/unique;

      And the content of /var/etc/racoon.conf

      # This file is automatically generated. Do not edit

      path pre_shared_key "/var/etc/psk.txt";

      path certificate  "/var/etc";

      listen
      {
              adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
              isakmp e.f.g.h [500];
              isakmp_natt e.f.g.h [4500];
      }

      remote a.b.c.d
      {
              ph1id 2;
              exchange_mode main;
              my_identifier address e.f.g.h;
              peers_identifier address a.b.c.d;
              ike_frag on;
              generate_policy = off;
              initial_contact = on;
              nat_traversal = off;

              dpd_delay = 10;
              dpd_maxfail = 5;
              support_proxy on;
              proposal_check claim;

              proposal
              {
                      authentication_method pre_shared_key;
                      encryption_algorithm 3des;
                      hash_algorithm md5;
                      dh_group 2;
                      lifetime time 86400 secs;
              }
      }

      sainfo subnet 10.10.253.0/24 any subnet 10.10.255.0/24 any
      {
              remoteid 2;
              encryption_algorithm 3des;
              authentication_algorithm hmac_md5;
              pfs_group 2;
              lifetime time 3600 secs;
              compression_algorithm deflate;
      }

      sainfo subnet 10.10.254.0/24 any subnet 10.10.255.0/24 any
      {
              remoteid 2;
              encryption_algorithm 3des;
              authentication_algorithm hmac_md5;
              pfs_group 2;
              lifetime time 3600 secs;
              compression_algorithm deflate;
      }

      Does anyone have a hint, or an idea why the IP does not match the subnet?
      Is there maybe a configuration option that I am not aware of?
      Thanks for any help.

      Best regards,
      Marko

      • C
        cmb
        last edited by

        The traffic you're sending matches your phase 2 on the side that log came from; the problem is that P2 doesn't match what the Checkpoint has configured in its P2.

        • M
          mbayer
          last edited by

          That's what I was thinking.
          But which information is the one I receive from the other side?

          The "cmpid source" or "cmpid target" information?

          Is the information that is configured on the Checkpoint outlined in the log on my side?

          • M
            mbayer
            last edited by

            Seems to be caused by pfs_group setting.
            It should be off.
            When setting it in the GUI to "off" or anything else it always stays at "2" in racoon.conf.
            Is this a known bug? I can't find it anywhere in redmine or the release notes.

            Is it possible to manually change that setting?

            Thanks for any help with that.

            Regards,
            Marko

            • M
              mbayer
              last edited by

              So now, PFS group is off, but that was a misunderstanding on my part.
              Sorry for that.

              I manually added racoon.conf and removed the pfs_group settings and changed the remote subnet to anonymous in the sainfo:

              sainfo subnet 10.10.253.0/24 any anonymous
              {
                      remoteid 2;
                      encryption_algorithm 3des;
                      authentication_algorithm hmac_md5;
                      lifetime time 3600 secs;
                      compression_algorithm deflate;
              }

              That way it works.
              As there does not seem to be an option in the GUI, is there a way to persist it?
              And am I opening a security hole? "anonymous" is always a little bit like "everyone".

              Can't I configure my side to allow client IP addresses from that configured subnet?

              In the example 10.10.255.75 should match my configured 10.10.255.0/24.

              Thanks in advance for any help.

              Regards,
              Marko

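              As an added example (not code from this thread, from pfSense or from racoon), the following Python models the ID comparison visible in the debug log of the first post and the effect of the `anonymous` remote selector in the hand-edited sainfo block above. It assumes what the "check and compare ids : value mismatch (IPv4_subnet)" lines suggest: the configured ID ("cmpid source") and the proposed ID ("cmpid target") are compared for equality of address and prefix length, so the single host 10.10.253.11 (treated as a /32) does not equal 10.10.253.0/24 even though it lies inside that network. A containment comparison is included only to show the difference. The sainfo labels are made up, the 192.0.2.0/24 remote selector is constructed, and the model does not try to explain why the edited configuration started working.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional

# Model of racoon's sainfo selection, written for this thread as an
# illustration; it is NOT racoon's source. Assumption (taken from the log):
# an ID matches by equality of address and prefix length, and a bare host
# address behaves like a /32 network.

IPv4Selector = Optional[ipaddress.IPv4Network]
ANONYMOUS: IPv4Selector = None  # the "anonymous" keyword: wildcard ID


def parse_selector(text: str) -> ipaddress.IPv4Network:
    """Parse a phase-2 ID ('10.10.253.0/24' or '10.10.253.11') as a network."""
    return ipaddress.ip_network(text, strict=False)


@dataclass(frozen=True)
class Sainfo:
    name: str                # hypothetical label; racoon has none
    local: IPv4Selector      # first ID of the sainfo line, None == anonymous
    remote: IPv4Selector     # second ID of the sainfo line, None == anonymous


def ids_match_exact(configured: IPv4Selector, proposed: ipaddress.IPv4Network) -> bool:
    """Equality of address and mask; anonymous accepts anything."""
    return configured is None or configured == proposed


def ids_match_contained(configured: IPv4Selector, proposed: ipaddress.IPv4Network) -> bool:
    """Containment: the proposed selector lies inside the configured network."""
    return configured is None or proposed.subnet_of(configured)


def select_sainfo(sainfos: List[Sainfo], proposed_local: str, proposed_remote: str,
                  compare: Callable[[IPv4Selector, ipaddress.IPv4Network], bool] = ids_match_exact,
                  trace: Optional[List[str]] = None) -> Optional[str]:
    """Return the name of the first sainfo accepting both proposed IDs, else None.

    'cmpid source' is the configured ID and 'cmpid target' the proposed one,
    following the wording of the debug log quoted in the thread.
    """
    loc = parse_selector(proposed_local)
    rmt = parse_selector(proposed_remote)
    for s in sainfos:
        for configured, proposed in ((s.local, loc), (s.remote, rmt)):
            ok = compare(configured, proposed)
            if trace is not None:
                src = "ANONYMOUS" if configured is None else str(configured)
                trace.append(f"cmpid source: '{src}' target: '{proposed}' -> "
                             f"{'match' if ok else 'value mismatch'}")
            if not ok:
                break
        else:
            return s.name
    return None


# Constructed from the two sainfo blocks in the generated racoon.conf above.
PFSENSE_SAINFOS = [
    Sainfo("253-to-255", parse_selector("10.10.253.0/24"), parse_selector("10.10.255.0/24")),
    Sainfo("254-to-255", parse_selector("10.10.254.0/24"), parse_selector("10.10.255.0/24")),
]

# Constructed from the hand-edited block with the remote side set to anonymous.
ANON_SAINFOS = [
    Sainfo("253-to-anonymous", parse_selector("10.10.253.0/24"), ANONYMOUS),
]


def demo() -> dict:
    results = {}
    # Host IDs as in the 'getsainfo params' log line: no entry is equal to them.
    results["host_ids_exact"] = select_sainfo(PFSENSE_SAINFOS, "10.10.253.11", "10.10.255.75")
    # Subnet IDs equal to what pfSense configured: the first entry matches.
    results["subnet_ids_exact"] = select_sainfo(PFSENSE_SAINFOS, "10.10.253.0/24", "10.10.255.0/24")
    # Containment would accept the host IDs; exact matching, per the log, does not.
    results["host_ids_contained"] = select_sainfo(PFSENSE_SAINFOS, "10.10.253.11", "10.10.255.75",
                                                  ids_match_contained)
    # With the remote side anonymous, the expected peer network is accepted ...
    results["anon_expected_remote"] = select_sainfo(ANON_SAINFOS, "10.10.253.0/24", "10.10.255.0/24")
    # ... and so is any other remote selector the peer proposes (constructed value).
    results["anon_other_remote"] = select_sainfo(ANON_SAINFOS, "10.10.253.0/24", "192.0.2.0/24")
    return results


if __name__ == "__main__":
    trace: List[str] = []
    select_sainfo(PFSENSE_SAINFOS, "10.10.253.11", "10.10.255.75", trace=trace)
    print("\n".join(trace))
    for key, value in demo().items():
        print(f"{key}: {value}")
```

              Run stand-alone, the trace reproduces the shape of the log: each configured subnet is compared against the proposed host and reported as a value mismatch, so no sainfo is selected. The last two results are the answer to the "everyone" question: an anonymous remote ID accepts whatever the peer proposes for its side, which is why the pinned `subnet 10.10.255.0/24` form is the tighter policy.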
              • M
                mbayer
                last edited by

                It is definitely a pfSense issue.
                The Checkpoint side sends subnets, but my pfSense side has it mixed and checks its local side using a subnet, but the remote side using a single IP address.

                Can anyone help with this?

                Thanks in advance.

                Kind regards
                Marko
