IPSEC with multiple subnets - why value mismatch (IPv4_subnet)



  • Hello,

I have a problem that I do not understand, and am trying to find an answer here.
    I have a Site 2 Site VPN between a pfSense 2.0 on our side and some 3rd party (Checkpoint) on the other side of the tunnel.

    The remote subnet is 10.10.255.0/24
    Locally we have two subnets
    10.10.253.0/24
    10.10.254.0/24
    that are configured as two separate tunnels in phase 2

    The outgoing direction is working from both subnets.
    The problem is that a connection from the other side cannot be established.

Phase 2 is not working, because of a "value mismatch (IPv4_subnet)" when comparing the target IP (10.10.253.11) on our side.

    racoon debug log shows the following entries.

    Jul 3 12:20:56  racoon: [Gateway EXT]: [a.b.c.d] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
    Jul 3 12:20:56 racoon: ERROR: failed to get sainfo.
    Jul 3 12:20:56 racoon: ERROR: failed to get sainfo.
    Jul 3 12:20:56 racoon: DEBUG: cmpid source: '10.10.254.0/24'
    Jul 3 12:20:56 racoon: DEBUG: cmpid target: '10.10.253.11'
    Jul 3 12:20:56 racoon: DEBUG: check and compare ids : value mismatch (IPv4_subnet)
    Jul 3 12:20:56 racoon: DEBUG: evaluating sainfo: loc='10.10.254.0/24', rmt='10.10.255.0/24', peer='ANY', id=2
    Jul 3 12:20:56 racoon: DEBUG: cmpid source: '10.10.253.0/24'
    Jul 3 12:20:56 racoon: DEBUG: cmpid target: '10.10.253.11'
    Jul 3 12:20:56 racoon: DEBUG: check and compare ids : value mismatch (IPv4_subnet)
    Jul 3 12:20:56 racoon: DEBUG: evaluating sainfo: loc='10.10.253.0/24', rmt='10.10.255.0/24', peer='ANY', id=2
    Jul 3 12:20:56 racoon: DEBUG: getsainfo params: loc='10.10.253.11' rmt='10.10.255.75' peer='a.b.c.d' client='a.b.c.d' id=2

    In my understanding this should match, which it obviously doesn't.

    racoon: DEBUG: cmpid source: '10.10.253.0/24'
    racoon: DEBUG: cmpid target: '10.10.253.11'

    I guess, the second comparison with the other subnet is done because the first one didn't match.

Local and remote subnet settings/encryption domains have been triple checked in the settings on both sides.
    Here is the relevant content of /var/etc/spd.conf

    spdadd 10.10.253.0/24 10.10.255.0/24 any -P out ipsec esp/tunnel/e.f.g.h-a.b.c.d/unique;
    spdadd 10.10.255.0/24 10.10.253.0/24 any -P in ipsec esp/tunnel/a.b.c.d-e.f.g.h/unique;
    spdadd 10.10.254.0/24 10.10.255.0/24 any -P out ipsec esp/tunnel/e.f.g.h-a.b.c.d/unique;
    spdadd 10.10.255.0/24 10.10.254.0/24 any -P in ipsec esp/tunnel/a.b.c.d-e.f.g.h/unique;

    And the content of /var/etc/racoon.conf

    # This file is automatically generated. Do not edit

    path pre_shared_key "/var/etc/psk.txt";

    path certificate  "/var/etc";

    listen
    {
            adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
            isakmp e.f.g.h [500];
            isakmp_natt e.f.g.h [4500];
    }

    remote a.b.c.d
    {
            ph1id 2;
            exchange_mode main;
            my_identifier address e.f.g.h;
            peers_identifier address a.b.c.d;
            ike_frag on;
            generate_policy = off;
            initial_contact = on;
            nat_traversal = off;

            dpd_delay = 10;
            dpd_maxfail = 5;
            support_proxy on;
            proposal_check claim;

            proposal
            {
                    authentication_method pre_shared_key;
                    encryption_algorithm 3des;
                    hash_algorithm md5;
                    dh_group 2;
                    lifetime time 86400 secs;
            }
    }

    sainfo subnet 10.10.253.0/24 any subnet 10.10.255.0/24 any
    {
            remoteid 2;
            encryption_algorithm 3des;
            authentication_algorithm hmac_md5;
            pfs_group 2;
            lifetime time 3600 secs;
            compression_algorithm deflate;
    }

    sainfo subnet 10.10.254.0/24 any subnet 10.10.255.0/24 any
    {
            remoteid 2;
            encryption_algorithm 3des;
            authentication_algorithm hmac_md5;
            pfs_group 2;
            lifetime time 3600 secs;
            compression_algorithm deflate;
    }

Does anyone have a hint, or an idea why the IP does not match the subnet?
    Is there maybe a configuration option that I am not aware of?
    Thanks for any help.

    Best regards,
    Marko



  • The traffic you're sending matches your phase 2 on the side that log came from, the problem is that P2 doesn't match what the Checkpoint has configured in its P2.



  • That's what I was thinking.
    But which information is the one I receive from the other side?

    The "cmpid source" or "cmpid target" information?

    Is the information that is configured on the checkpoint outlined in the log on my side?



  • Seems to be caused by pfs_group setting.
    It should be off.
    When setting it in the GUI to "off" or anything else it always stays at "2" in racoon.conf.
    Is this a known bug? I can't find it anywhere in redmine or the release notes.

    Is it possible to manually change that setting?

    Thanks for any help with that.

    Regards,
    Marko



So now pfs_group is off, but that was a misunderstanding on my part.
    Sorry for that.

I manually added racoon.conf, removed the pfs_group settings and changed the remote subnet to anonymous in the sainfo:

    sainfo subnet 10.10.253.0/24 any anonymous
    {
            remoteid 2;
            encryption_algorithm 3des;
            authentication_algorithm hmac_md5;
            lifetime time 3600 secs;
            compression_algorithm deflate;
    }

    That way it works.
    As there does not seem to be an option in GUI, is there a way to persist it?
    And am I opening a security hole? "anonymous" is always a little bit like "everyone".

Can't I configure on my side to allow client IP addresses from that configured subnet?

    In the example 10.10.255.75 should match my configured 10.10.255.0/24.

    Thanks in advance for any help.

    Regards,
    Marko
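The following script is an added example, not code from the thread, pfSense or racoon. It takes the "cmpid source"/"cmpid target" pairs from the debug log quoted in the first post and replays the sainfo selection under two simplified matching rules (strict ID equality, and subnet containment) plus the "anonymous" wildcard from the later post. The rules are a teaching model of the comparison the log describes, not racoon's real implementation; the log text is constructed from the lines in the thread, and the remote ID 192.0.2.9 is an invented outsider address used to show what "anonymous" gives up.

```python
import ipaddress
import re

# Constructed from the racoon debug lines quoted in the thread (a.b.c.d is the
# poster's placeholder for the Checkpoint's public address).
RACOON_LOG = """\
Jul 3 12:20:56 racoon: DEBUG: cmpid source: '10.10.254.0/24'
Jul 3 12:20:56 racoon: DEBUG: cmpid target: '10.10.253.11'
Jul 3 12:20:56 racoon: DEBUG: check and compare ids : value mismatch (IPv4_subnet)
Jul 3 12:20:56 racoon: DEBUG: cmpid source: '10.10.253.0/24'
Jul 3 12:20:56 racoon: DEBUG: cmpid target: '10.10.253.11'
Jul 3 12:20:56 racoon: DEBUG: check and compare ids : value mismatch (IPv4_subnet)
Jul 3 12:20:56 racoon: DEBUG: getsainfo params: loc='10.10.253.11' rmt='10.10.255.75' peer='a.b.c.d' client='a.b.c.d' id=2
"""

# (local ID, remote ID) of each sainfo block, as in the poster's racoon.conf.
THREAD_SAINFOS = [("10.10.253.0/24", "10.10.255.0/24"),
                  ("10.10.254.0/24", "10.10.255.0/24")]
# The later workaround: remote side replaced by the "anonymous" wildcard.
ANON_SAINFOS = [("10.10.253.0/24", "anonymous")]

CMPID_RE = re.compile(r"cmpid (source|target): '([^']+)'")


def parse_cmpid_pairs(log_text):
    """Return the (source, target) ID pairs in the order racoon logged them."""
    pairs, source = [], None
    for line in log_text.splitlines():
        m = CMPID_RE.search(line)
        if not m:
            continue
        role, value = m.groups()
        if role == "source":
            source = value
        elif source is not None:
            pairs.append((source, value))
            source = None
    return pairs


def to_network(id_str):
    """'anonymous' -> None (wildcard); a host or CIDR string -> ip_network."""
    if id_str == "anonymous":
        return None
    return ipaddress.ip_network(id_str, strict=False)  # host becomes /32


def ids_match_exact(configured, proposed):
    """Strict rule: a /24 and a single host are different IDs, so this is
    exactly the comparison that ends in 'value mismatch (IPv4_subnet)'."""
    cfg, prop = to_network(configured), to_network(proposed)
    if cfg is None:          # wildcard accepts anything
        return True
    return cfg == prop


def id_contains(configured, proposed):
    """Containment rule: the proposed host/subnet lies inside the configured one."""
    cfg, prop = to_network(configured), to_network(proposed)
    if cfg is None:
        return True
    if prop is None:         # peer proposed a wildcard; only a wildcard accepts it
        return False
    return prop.subnet_of(cfg)


def select_sainfo(sainfos, loc, rmt, matcher):
    """Index of the first sainfo whose local and remote IDs both satisfy
    `matcher`, or None (racoon's 'failed to get sainfo')."""
    for i, (local_id, remote_id) in enumerate(sainfos):
        if matcher(local_id, loc) and matcher(remote_id, rmt):
            return i
    return None


if __name__ == "__main__":
    for src, tgt in parse_cmpid_pairs(RACOON_LOG):
        print(f"{src:16} vs {tgt:14} exact={ids_match_exact(src, tgt)} "
              f"contains={id_contains(src, tgt)}")
    for name, rule in (("exact", ids_match_exact), ("contains", id_contains)):
        print(name, "->", select_sainfo(THREAD_SAINFOS, "10.10.253.11", "10.10.255.75", rule))
    # What 'anonymous' costs: an invented remote ID outside 10.10.255.0/24 is accepted.
    print("anonymous accepts 192.0.2.9:",
          select_sainfo(ANON_SAINFOS, "10.10.253.11", "192.0.2.9", id_contains))
    print("configured subnet accepts 192.0.2.9:",
          select_sainfo(THREAD_SAINFOS, "10.10.253.11", "192.0.2.9", id_contains))
```

The last two lines answer the "security hole" question in the narrow sense the thread raises: with "anonymous" on the remote side, the sainfo no longer pins which remote encryption domain the peer may negotiate, so a phase 2 proposal for any remote network would be accepted by this selector, whereas the configured 10.10.255.0/24 rejects it. Whether that matters in practice depends on what the SPD (the spdadd lines) still restricts on the wire, which this model does not cover.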



It is definitely a pfsense issue.
    The Checkpoint side sends subnets, but my pfsense side has it mixed and checks its local side using subnet, but the remote side using single ip address.

    Can anyone help with this?

    Thanks in advance.

    Kind regards
    Marko