Netgate Discussion Forum
    IPSEC Transport mode to OpenSWAN

    Posted by Entropy

      Here's what I'm trying to do:
      Encrypt all traffic from pfsense's public IP to the public IP of a machine directly connected to the Internet.  This is using "transport" mode, not "tunnel" mode.  I have no
      desire to expose my internal IP addresses or use a tunnel.  Eventually this will include a few different machines.

      Here is what is going on:
      After various config incarnations phase-1 seems to set up correctly, but pfsense seems to not like any proposals for phase-2. At least that's my guess from the somewhat cryptic messages given by racoon.  I'd like advice on whether this seems to be the correct diagnosis and, if so, how to figure out what is being proposed vs. what is desired. Any help would be very welcome! :)

      pfsense configuration:
      Remote Gateway: 74.112.32.58
      Authentication: Mutual RSA
      Negotiation: main
      My identifier: My IP Address. (Using ASN.1 fails!)
      Peer identifier: Peer IP Address. (Using ASN.1 fails!  It passes @my.ip.address not my.ip.address)
      Encryption AES, 128
      Hash MD5
      DH key group: 5
      Nat Traversal: Disabled.
      DPD: Disabled.

      Phase2:
      Transport
      ESP
      AES-128
      MD5
      PFS: 5

      OpenSwan configuration:

      #everything in here added for racoon
              ike=aes128-md5-modp1536
              phase2alg=aes128-md5;modp1536
              leftsendcert=always
              rightid="71.251.98.122"
      #-- end racoon compat section

              left=74.112.32.58
              leftcert=74-112-32-58.crt
              leftid="74.112.32.58"
              right=71.251.98.122
      #       rightid="CN=71.251.98.122"
              auto=start
              failureshunt=passthrough
              type=transport

      pfSense IPSEC Log:
      --pfsense side, log entries--
      Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: compute IV for phase2
      Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: phase1 last IV:
      ..
      Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: INFO: respond new phase 2 negotiation: 71.251.98.122[500]<=>74.112.32.58[500]
      ..snip..
      Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: getsainfo params: loc='71.251.98.122' rmt='74.112.32.58' peer='74.112.32.58' client='74.112.32.58' id=2
      Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: evaluating sainfo: loc='71.251.98.122', rmt='74.112.32.58', peer='ANY', id=2
      Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: check and compare ids : values matched (IPv4_address)
      Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: cmpid target: '71.251.98.122'
      Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: cmpid source: '71.251.98.122'
      Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: check and compare ids : values matched (IPv4_address)
      Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: cmpid target: '74.112.32.58'
      Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: cmpid source: '74.112.32.58'
      Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: selected sainfo: loc='71.251.98.122', rmt='74.112.32.58', peer='ANY', id=2
      Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: get a destination address of SP index from phase1 address due to no ID payloads found OR because ID type is not address.
      Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: get a source address of SP index from Phase 1addresses due to no ID payloads foundOR because ID type is not address.
      Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: get src address from ID payload 74.112.32.58[500] prefixlen=32 ul_proto=0
      Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: get dst address from ID payload 71.251.98.122[500] prefixlen=32 ul_proto=0
      Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: sub:0xbfbfe390: 74.112.32.58/32[500] 71.251.98.122/32[500] proto=any dir=in
      Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: db :0x28549148: 192.168.142.0/24[0] 192.168.142.1/32[0] proto=any dir=in
      Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: sub:0xbfbfe390: 74.112.32.58/32[500] 71.251.98.122/32[500] proto=any dir=in
      Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: db: 0x28549148: 192.168.142.0/24[0] 192.168.142.1/32[0] proto=any dir=in
      Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: 0xbfbfe390 masked with /24: 74.112.32.0[500]
      Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: 0x28549148 masked with /24: 192.168.142.0[0]
      Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: sub:0xbfbfe390: 74.112.32.58/32[500] 71.251.98.122/32[500] proto=any dir=in
      Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: db :0x28549288: 192.168.142.1/32[0] 192.168.142.0/24[0] proto=any dir=out
      Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: sub:0xbfbfe390: 74.112.32.58/32[500] 71.251.98.122/32[500] proto=any dir=in
      Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: db: 0x28549288: 192.168.142.1/32[0] 192.168.142.0/24[0] proto=any dir=out
      Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: ERROR: no policy found: 74.112.32.58/32[500] 71.251.98.122/32[500] proto=any dir=in
      Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: ERROR: failed to get proposal for responder.
      Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: [74.112.32.58] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
      Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: IV freed
      *** Note: 74.112.32.58/32 <-> 71.251.98.122/32 is what is supposed to be encrypted.  It says it can't find a "policy", does this mean it's
      *** not matching the IPs, or encryption algs?  Or potentially both?

      --openswan side, log entries--
      Aug  7 16:43:35 eclipse ipsec__plutorun: 002 added connection description "eclipse-sthome"
      Aug  7 16:43:35 eclipse ipsec__plutorun: 104 "eclipse-sthome" #2: STATE_MAIN_I1: initiate
      Aug  7 16:43:35 eclipse pluto[14738]: added connection description "eclipse-sthome"
      Aug  7 16:43:35 eclipse pluto[14738]: "eclipse-sthome" #2: initiating Main Mode
      Aug  7 16:43:35 eclipse pluto[14738]: "eclipse-sthome" #2: received Vendor ID payload [Dead Peer Detection]
      Aug  7 16:43:35 eclipse pluto[14738]: "eclipse-sthome" #2: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
      Aug  7 16:43:35 eclipse pluto[14738]: "eclipse-sthome" #2: STATE_MAIN_I2: sent MI2, expecting MR2
      Aug  7 16:43:35 eclipse pluto[14738]: "eclipse-sthome" #2: I am sending my cert
      Aug  7 16:43:35 eclipse pluto[14738]: "eclipse-sthome" #2: I am sending a certificate request
      Aug  7 16:43:35 eclipse pluto[14738]: "eclipse-sthome" #2: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
      Aug  7 16:43:35 eclipse pluto[14738]: "eclipse-sthome" #2: STATE_MAIN_I3: sent MI3, expecting MR3
      Aug  7 16:43:36 eclipse pluto[14738]: "eclipse-sthome" #2: Main mode peer ID is ID_IPV4_ADDR: '71.251.98.122'
      Aug  7 16:43:36 eclipse pluto[14738]: "eclipse-sthome" #2: no crl from issuer "" found (strict=no)
      Aug  7 16:43:36 eclipse pluto[14738]: "eclipse-sthome" #2: Warning: gntoid() failed to initaddr(): (null)
      Aug  7 16:43:36 eclipse pluto[14738]: "eclipse-sthome" #2: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
      Aug  7 16:43:36 eclipse pluto[14738]: "eclipse-sthome" #2: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_md5 group=modp1536}
      Aug  7 16:43:36 eclipse pluto[14738]: "eclipse-sthome" #4: initiating Quick Mode RSASIG+ENCRYPT+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#2 msgid:e2544149 proposal=AES(12)_128-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1536}
      Aug  7 16:44:46 eclipse pluto[14738]: "eclipse-sthome" #4: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
      (This repeats over and over and over again.  It seems like racoon/pfsense isn't
      responding to the phase-2 proposal.)

      --If I remove the phase2alg statement from openswan, I start getting in pfsense:
      Aug 7 20:48:21 racoon: [Unknown Gateway/Dynamic]: DEBUG: get src address from ID payload 74.112.32.58[500] prefixlen=32 ul_proto=0
      Aug 7 20:48:21 racoon: [Unknown Gateway/Dynamic]: DEBUG: get dst address from ID payload 71.251.98.122[500] prefixlen=32 ul_proto=0
      Aug 7 20:48:21 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe390: 74.112.32.58/32[500] 71.251.98.122/32[500] proto=any dir=in
      Aug 7 20:48:21 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28548148: 192.168.142.0/24[0] 192.168.142.1/32[0] proto=any dir=in
      Aug 7 20:48:21 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe390: 74.112.32.58/32[500] 71.251.98.122/32[500] proto=any dir=in
      Aug 7 20:48:21 racoon: [Unknown Gateway/Dynamic]: DEBUG: db: 0x28548148: 192.168.142.0/24[0] 192.168.142.1/32[0] proto=any dir=in
      Aug 7 20:48:21 racoon: DEBUG: 0xbfbfe390 masked with /24: 74.112.32.0[500]
      Aug 7 20:48:21 racoon: DEBUG: 0x28548148 masked with /24: 192.168.142.0[0]
      Aug 7 20:48:21 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe390: 74.112.32.58/32[500] 71.251.98.122/32[500] proto=any dir=in
      Aug 7 20:48:21 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28548288: 192.168.142.1/32[0] 192.168.142.0/24[0] proto=any dir=out
      Aug 7 20:48:21 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe390: 74.112.32.58/32[500] 71.251.98.122/32[500] proto=any dir=in
      Aug 7 20:48:21 racoon: [Unknown Gateway/Dynamic]: DEBUG: db: 0x28548288: 192.168.142.1/32[0] 192.168.142.0/24[0] proto=any dir=out
      Aug 7 20:48:21 racoon: [Unknown Gateway/Dynamic]: ERROR: no policy found: 74.112.32.58/32[500] 71.251.98.122/32[500] proto=any dir=in
      Aug 7 20:48:21 racoon: ERROR: failed to get proposal for responder.
      Aug 7 20:48:21 racoon: [STHOME <-> eclipse.L93.com]: [74.112.32.58] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).

      *** This is pretty similar stuff, however why is it "Unknown gateway/dynamic"?!  It's a static IP, there's only 1 IP configured EVER and it's always the same in the log files.
      Nothing is changing.  Is this some sort of bug?

      Any advice appreciated.
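The racoon trace above answers the poster's question on its own if you read the "sub:" and "db:" lines as a selector lookup: "sub:" is the traffic selector racoon derived from the peer's phase-2 proposal (74.112.32.58/32 <-> 71.251.98.122/32), and each "db:" line is one entry of the local Security Policy Database it is compared against. Both SPD entries only cover 192.168.142.0/24, so "no policy found" is a network/selector mismatch, and the cipher proposal is never even compared. The script below is an added example (not from the original post, pfSense or racoon) that parses those lines with a small regex and reports whether any SPD entry covers the requested selector; the sample log is a condensed copy of the lines quoted above, and the second sample with a host-to-host "db:" entry is a constructed, hypothetical illustration of what a covering transport-mode policy would look like.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample input: a condensed copy of the racoon DEBUG lines quoted in the post.
SAMPLE_LOG = """\
Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: sub:0xbfbfe390: 74.112.32.58/32[500] 71.251.98.122/32[500] proto=any dir=in
Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: db :0x28549148: 192.168.142.0/24[0] 192.168.142.1/32[0] proto=any dir=in
Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: sub:0xbfbfe390: 74.112.32.58/32[500] 71.251.98.122/32[500] proto=any dir=in
Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: db: 0x28549288: 192.168.142.1/32[0] 192.168.142.0/24[0] proto=any dir=out
Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: ERROR: no policy found: 74.112.32.58/32[500] 71.251.98.122/32[500] proto=any dir=in
"""

# Constructed, hypothetical: the same trace plus one SPD entry for the two public
# hosts, i.e. what a transport-mode policy covering the host pair would look like.
SAMPLE_LOG_WITH_HOST_POLICY = SAMPLE_LOG + (
    "Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: db :0x28549999: "
    "74.112.32.58/32[0] 71.251.98.122/32[0] proto=any dir=in\n"
)

# "sub:" = selector racoon derived from the peer's phase-2 proposal,
# "db :" / "db:" (racoon prints both spellings) = one SPD entry compared against it.
SELECTOR_RE = re.compile(
    r"(?P<kind>sub|db)\s*:\s*0x[0-9a-f]+:\s+"
    r"(?P<src>\S+)\[(?P<sport>\d+)\]\s+(?P<dst>\S+)\[(?P<dport>\d+)\]\s+"
    r"proto=(?P<proto>\S+)\s+dir=(?P<dir>\w+)"
)


@dataclass(frozen=True)
class Selector:
    src: ipaddress.IPv4Network
    sport: int
    dst: ipaddress.IPv4Network
    dport: int
    proto: str
    direction: str

    def covers(self, wanted: "Selector") -> bool:
        """True if this SPD entry would accept the requested selector.
        Port 0 and proto 'any' in an SPD entry act as wildcards."""
        return (
            self.direction == wanted.direction
            and wanted.src.subnet_of(self.src)
            and wanted.dst.subnet_of(self.dst)
            and self.sport in (0, wanted.sport)
            and self.dport in (0, wanted.dport)
            and self.proto in ("any", wanted.proto)
        )

    def __str__(self) -> str:
        return (f"{self.src}[{self.sport}] {self.dst}[{self.dport}] "
                f"proto={self.proto} dir={self.direction}")


def parse_selectors(log_text: str):
    """Return (requested, spd) as de-duplicated, order-preserving lists."""
    requested, spd = {}, {}
    for line in log_text.splitlines():
        m = SELECTOR_RE.search(line)
        if not m:
            continue
        sel = Selector(
            ipaddress.ip_network(m["src"]), int(m["sport"]),
            ipaddress.ip_network(m["dst"]), int(m["dport"]),
            m["proto"], m["dir"],
        )
        (requested if m["kind"] == "sub" else spd)[sel] = None
    return list(requested), list(spd)


def diagnose(log_text: str) -> dict:
    """Explain a 'no policy found' error: which SPD entries cover each requested selector?"""
    requested, spd = parse_selectors(log_text)
    report = {
        "requested": [str(s) for s in requested],
        "spd": [str(s) for s in spd],
        "covered": {str(w): [str(e) for e in spd if e.covers(w)] for w in requested},
    }
    report["all_covered"] = bool(requested) and all(report["covered"].values())
    return report


if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_LOG),
                        ("with host policy", SAMPLE_LOG_WITH_HOST_POLICY)):
        r = diagnose(text)
        print(f"== {label}: all requested selectors covered? {r['all_covered']}")
        for want, hits in r["covered"].items():
            print(f"  {want}\n    -> {hits or 'no SPD entry covers this; algorithms never compared'}")
```

Run against a real pfSense IPsec log, the report tells you in one line whether to look at the Phase 2 network definitions (no covering entry) or at the Phase 2 algorithm settings (covering entry exists but negotiation still fails). In the trace from the post the only entries are the 192.168.142.0/24 tunnel-mode policies, which is why removing phase2alg on the OpenSwan side changes nothing.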
