IPSEC Transport mode to OpenSWAN



  • Here's what I'm trying to do:
    Encrypt all traffic from pfSense's public IP to the public IP of a machine directly connected to the Internet.  This is using "transport" mode, not "tunnel" mode.  I have no desire to expose my internal IP addresses or use a tunnel.  Eventually this will include a few different machines.

    Here is what is going on:
    After various config incarnations phase-1 seems to set up correctly, but pfSense seems to not like any proposals for phase-2. At least that's my guess from the somewhat cryptic messages given by racoon.  I'd welcome advice on whether this seems to be the correct diagnosis and, if so, how to figure out what is being proposed vs. what is desired! :)

    pfsense configuration:
    Remote Gateway: 74.112.32.58
    Authentication: Mutual RSA
    Negotiation: main
    My identifier: My IP Address. (Using ASN.1 fails!)
    Peer identifier: Peer IP Address. (Using ASN.1 fails!  It passes @my.ip.address not my.ip.address)
    Encryption AES, 128
    Hash MD5
    DH key group: 5
    Nat Traversal: Disabled.
    DPD: Disabled.

    Phase2:
    Transport
    ESP
    AES-128
    MD5
    PFS: 5

    OpenSwan configuration:

    # everything in here added for racoon
    ike=aes128-md5-modp1536
    phase2alg=aes128-md5;modp1536
    leftsendcert=always
    rightid="71.251.98.122"

    # -- end racoon compat section

    left=74.112.32.58
    leftcert=74-112-32-58.crt
    leftid="74.112.32.58"
    right=71.251.98.122
    #      rightid="CN=71.251.98.122"
    auto=start
    failureshunt=passthrough
    type=transport

    pfSense IPSEC Log:
    --- pfSense side, log entries ---
    Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: compute IV for phase2
    Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: phase1 last IV:
    ..
    Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: INFO: respond new phase 2 negotiation: 71.251.98.122[500]<=>74.112.32.58[500]
    ..snip..
    Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: getsainfo params: loc='71.251.98.122' rmt='74.112.32.58' peer='74.112.32.58' client='74.112.32.58' id=2
    Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: evaluating sainfo: loc='71.251.98.122', rmt='74.112.32.58', peer='ANY', id=2
    Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: check and compare ids : values matched (IPv4_address)
    Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: cmpid target: '71.251.98.122'
    Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: cmpid source: '71.251.98.122'
    Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: check and compare ids : values matched (IPv4_address)
    Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: cmpid target: '74.112.32.58'
    Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: cmpid source: '74.112.32.58'
    Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: selected sainfo: loc='71.251.98.122', rmt='74.112.32.58', peer='ANY', id=2
    Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: get a destination address of SP index from phase1 address due to no ID payloads found OR because ID type is not address.
    Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: get a source address of SP index from Phase 1addresses due to no ID payloads foundOR because ID type is not address.
    Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: get src address from ID payload 74.112.32.58[500] prefixlen=32 ul_proto=0
    Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: get dst address from ID payload 71.251.98.122[500] prefixlen=32 ul_proto=0
    Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: sub:0xbfbfe390: 74.112.32.58/32[500] 71.251.98.122/32[500] proto=any dir=in
    Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: db :0x28549148: 192.168.142.0/24[0] 192.168.142.1/32[0] proto=any dir=in
    Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: sub:0xbfbfe390: 74.112.32.58/32[500] 71.251.98.122/32[500] proto=any dir=in
    Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: db: 0x28549148: 192.168.142.0/24[0] 192.168.142.1/32[0] proto=any dir=in
    Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: 0xbfbfe390 masked with /24: 74.112.32.0[500]
    Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: 0x28549148 masked with /24: 192.168.142.0[0]
    Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: sub:0xbfbfe390: 74.112.32.58/32[500] 71.251.98.122/32[500] proto=any dir=in
    Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: db :0x28549288: 192.168.142.1/32[0] 192.168.142.0/24[0] proto=any dir=out
    Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: sub:0xbfbfe390: 74.112.32.58/32[500] 71.251.98.122/32[500] proto=any dir=in
    Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: db: 0x28549288: 192.168.142.1/32[0] 192.168.142.0/24[0] proto=any dir=out
    Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: ERROR: no policy found: 74.112.32.58/32[500] 71.251.98.122/32[500] proto=any dir=in
    Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: ERROR: failed to get proposal for responder.
    Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: [74.112.32.58] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
    Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: IV freed
    *** Note: 74.112.32.58/32 <-> 71.251.98.122/32 is what is supposed to be encrypted.  It says it can't find a "policy"; does this mean it's not matching the IPs, or the encryption algs?  Or potentially both?

    --- Openswan side, log entries ---
    Aug  7 16:43:35 eclipse ipsec__plutorun: 002 added connection description "eclipse-sthome"
    Aug  7 16:43:35 eclipse ipsec__plutorun: 104 "eclipse-sthome" #2: STATE_MAIN_I1: initiate
    Aug  7 16:43:35 eclipse pluto[14738]: added connection description "eclipse-sthome"
    Aug  7 16:43:35 eclipse pluto[14738]: "eclipse-sthome" #2: initiating Main Mode
    Aug  7 16:43:35 eclipse pluto[14738]: "eclipse-sthome" #2: received Vendor ID payload [Dead Peer Detection]
    Aug  7 16:43:35 eclipse pluto[14738]: "eclipse-sthome" #2: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
    Aug  7 16:43:35 eclipse pluto[14738]: "eclipse-sthome" #2: STATE_MAIN_I2: sent MI2, expecting MR2
    Aug  7 16:43:35 eclipse pluto[14738]: "eclipse-sthome" #2: I am sending my cert
    Aug  7 16:43:35 eclipse pluto[14738]: "eclipse-sthome" #2: I am sending a certificate request
    Aug  7 16:43:35 eclipse pluto[14738]: "eclipse-sthome" #2: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
    Aug  7 16:43:35 eclipse pluto[14738]: "eclipse-sthome" #2: STATE_MAIN_I3: sent MI3, expecting MR3
    Aug  7 16:43:36 eclipse pluto[14738]: "eclipse-sthome" #2: Main mode peer ID is ID_IPV4_ADDR: '71.251.98.122'
    Aug  7 16:43:36 eclipse pluto[14738]: "eclipse-sthome" #2: no crl from issuer "" found (strict=no)
    Aug  7 16:43:36 eclipse pluto[14738]: "eclipse-sthome" #2: Warning: gntoid() failed to initaddr(): (null)
    Aug  7 16:43:36 eclipse pluto[14738]: "eclipse-sthome" #2: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
    Aug  7 16:43:36 eclipse pluto[14738]: "eclipse-sthome" #2: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_md5 group=modp1536}
    Aug  7 16:43:36 eclipse pluto[14738]: "eclipse-sthome" #4: initiating Quick Mode RSASIG+ENCRYPT+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#2 msgid:e2544149 proposal=AES(12)_128-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1536}
    Aug  7 16:44:46 eclipse pluto[14738]: "eclipse-sthome" #4: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
    (This repeats over and over and over again.  It seems like racoon/pfSense isn't responding to the phase-2 proposal.)

    --- If I remove the phase2alg statement from Openswan, I start getting this in pfSense: ---
    Aug 7 20:48:21 racoon: [Unknown Gateway/Dynamic]: DEBUG: get src address from ID payload 74.112.32.58[500] prefixlen=32 ul_proto=0
    Aug 7 20:48:21 racoon: [Unknown Gateway/Dynamic]: DEBUG: get dst address from ID payload 71.251.98.122[500] prefixlen=32 ul_proto=0
    Aug 7 20:48:21 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe390: 74.112.32.58/32[500] 71.251.98.122/32[500] proto=any dir=in
    Aug 7 20:48:21 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28548148: 192.168.142.0/24[0] 192.168.142.1/32[0] proto=any dir=in
    Aug 7 20:48:21 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe390: 74.112.32.58/32[500] 71.251.98.122/32[500] proto=any dir=in
    Aug 7 20:48:21 racoon: [Unknown Gateway/Dynamic]: DEBUG: db: 0x28548148: 192.168.142.0/24[0] 192.168.142.1/32[0] proto=any dir=in
    Aug 7 20:48:21 racoon: DEBUG: 0xbfbfe390 masked with /24: 74.112.32.0[500]
    Aug 7 20:48:21 racoon: DEBUG: 0x28548148 masked with /24: 192.168.142.0[0]
    Aug 7 20:48:21 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe390: 74.112.32.58/32[500] 71.251.98.122/32[500] proto=any dir=in
    Aug 7 20:48:21 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28548288: 192.168.142.1/32[0] 192.168.142.0/24[0] proto=any dir=out
    Aug 7 20:48:21 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe390: 74.112.32.58/32[500] 71.251.98.122/32[500] proto=any dir=in
    Aug 7 20:48:21 racoon: [Unknown Gateway/Dynamic]: DEBUG: db: 0x28548288: 192.168.142.1/32[0] 192.168.142.0/24[0] proto=any dir=out
    Aug 7 20:48:21 racoon: [Unknown Gateway/Dynamic]: ERROR: no policy found: 74.112.32.58/32[500] 71.251.98.122/32[500] proto=any dir=in
    Aug 7 20:48:21 racoon: ERROR: failed to get proposal for responder.
    Aug 7 20:48:21 racoon: [STHOME <-> eclipse.L93.com]: [74.112.32.58] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).

    *** This is pretty similar stuff; however, why is it "Unknown Gateway/Dynamic"?!  It's a static IP, there's only one IP configured EVER and it's always the same in the log files.  Nothing is changing.  Is this some sort of bug?

    Any advice appreciated.
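Added example, not part of the post above and not code from pfSense, racoon or Openswan: the "sub:" and "db:" debug lines racoon prints just before "no policy found" are its SPD lookup, with "sub:" being the selector it built from the peer's Quick Mode ID payloads and each "db:" line an SPD entry it compared against. The script below parses lines of that shape and reports, per SPD entry, on which field (direction, source, destination, protocol, port) the entry fails to cover the proposed selector, which is the check a practitioner would want before worrying about phase-2 algorithms. The embedded log lines are constructed in the shape of the ones quoted above; the `spdadd` string it emits is a setkey(8) rendering of the selector, shown only to illustrate what a covering entry would look like in `setkey -DP` output, not a verified pfSense fix.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample, in the shape of the racoon debug lines quoted in the post:
#   sub: = selector racoon built from the peer's Quick Mode ID payloads
#   db:  = an SPD entry racoon compared it against
SAMPLE_LOG = """\
Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: sub:0xbfbfe390: 74.112.32.58/32[500] 71.251.98.122/32[500] proto=any dir=in
Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: db :0x28549148: 192.168.142.0/24[0] 192.168.142.1/32[0] proto=any dir=in
Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: db: 0x28549288: 192.168.142.1/32[0] 192.168.142.0/24[0] proto=any dir=out
Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: ERROR: no policy found: 74.112.32.58/32[500] 71.251.98.122/32[500] proto=any dir=in
"""

# racoon writes both "db :0x..." and "db: 0x...", so the separator is lenient.
SELECTOR_RE = re.compile(
    r"\b(?P<kind>sub|db) ?: ?0x[0-9a-f]+: "
    r"(?P<src>\d+\.\d+\.\d+\.\d+/\d+)\[(?P<sport>\d+)\] "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+/\d+)\[(?P<dport>\d+)\] "
    r"proto=(?P<proto>\w+) dir=(?P<dir>\w+)"
)


@dataclass(frozen=True)
class Selector:
    kind: str                   # "sub" (proposed) or "db" (SPD entry)
    src: ipaddress.IPv4Network
    sport: int                  # 0 in an SPD entry means any port
    dst: ipaddress.IPv4Network
    dport: int
    proto: str                  # "any" or an upper-layer protocol name
    direction: str              # "in" or "out"


def parse_selectors(log_text: str) -> List[Selector]:
    """Pull every sub:/db: selector out of racoon debug output, in log order."""
    found = []
    for line in log_text.splitlines():
        m = SELECTOR_RE.search(line)
        if not m:
            continue
        found.append(Selector(
            kind=m["kind"],
            src=ipaddress.ip_network(m["src"], strict=False),
            sport=int(m["sport"]),
            dst=ipaddress.ip_network(m["dst"], strict=False),
            dport=int(m["dport"]),
            proto=m["proto"],
            direction=m["dir"],
        ))
    return found


def mismatches(policy: Selector, proposed: Selector) -> List[str]:
    """Fields on which an SPD entry fails to cover the proposed selector (empty list = covers)."""
    reasons = []
    if policy.direction != proposed.direction:
        reasons.append(f"dir {policy.direction} != {proposed.direction}")
    if not proposed.src.subnet_of(policy.src):
        reasons.append(f"src {proposed.src} not in {policy.src}")
    if not proposed.dst.subnet_of(policy.dst):
        reasons.append(f"dst {proposed.dst} not in {policy.dst}")
    if policy.proto not in ("any", proposed.proto):
        reasons.append(f"proto {policy.proto} != {proposed.proto}")
    if policy.sport not in (0, proposed.sport):
        reasons.append(f"sport {policy.sport} != {proposed.sport}")
    if policy.dport not in (0, proposed.dport):
        reasons.append(f"dport {policy.dport} != {proposed.dport}")
    return reasons


def diagnose(log_text: str) -> Dict[str, object]:
    """Explain a 'no policy found' by comparing the sub: selector against every db: entry."""
    selectors = parse_selectors(log_text)
    proposed = next((s for s in selectors if s.kind == "sub"), None)
    # racoon logs each db: entry once per comparison pass; keep one copy, in order.
    policies = list(dict.fromkeys(s for s in selectors if s.kind == "db"))
    report = [] if proposed is None else [mismatches(p, proposed) for p in policies]
    covering = next((p for p, r in zip(policies, report) if not r), None)
    return {"proposed": proposed, "policies": policies, "report": report, "covering": covering}


def suggested_spd_entry(proposed: Selector) -> str:
    """setkey(8) spdadd line for a transport-mode policy that would cover the selector.
    Illustration only (assumption): pfSense builds its own SPD, so this is the shape a
    covering entry would have to take in `setkey -DP`, not a command to paste blindly."""
    return (f"spdadd {proposed.src} {proposed.dst} {proposed.proto} "
            f"-P {proposed.direction} ipsec esp/transport//require;")


if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG)
    for policy, reasons in zip(result["policies"], result["report"]):
        print(f"SPD {policy.src} -> {policy.dst} dir={policy.direction}: "
              + (", ".join(reasons) if reasons else "covers"))
    if result["covering"] is None and result["proposed"] is not None:
        print("no covering SPD entry; one would look like:")
        print("  " + suggested_spd_entry(result["proposed"]))
```

On the sample lines the script reports that both SPD entries are tunnel-style policies for 192.168.142.0/24 and that neither direction, source nor destination covers the host-to-host 74.112.32.58/32 <-> 71.251.98.122/32 selector; the same parser can be pointed at a full racoon debug log to see which entries were actually consulted.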

