IPSEC Transport mode to OpenSWAN
-
Here's what I'm trying to do:
Encrypt all traffic from pfSense's public IP to the public IP of a machine directly connected to the Internet. This is using "transport" mode, not "tunnel" mode. I have no desire to expose my internal IP addresses or use a tunnel. Eventually this will include a few different machines.

Here is what is going on:
After various config incarnations phase 1 seems to set up correctly, but pfSense seems not to like any proposals for phase 2. At least that's my guess from the somewhat cryptic messages given by racoon. I'd like advice on whether this seems to be the correct diagnosis, and if so, any help figuring out what is being proposed vs. what is desired would be very welcome! :)

pfSense configuration:
Remote Gateway: 74.112.32.58
Authentication: Mutual RSA
Negotiation: main
My identifier: My IP Address. (Using ASN.1 fails!)
Peer identifier: Peer IP Address. (Using ASN.1 fails! It passes @my.ip.address not my.ip.address)
Encryption AES, 128
Hash MD5
DH key group: 5
Nat Traversal: Disabled.
DPD: Disabled.

Phase 2:
Transport
ESP
AES-128
MD5
PFS: 5

OpenSwan configuration:
#everything in here added for racoon
ike=aes128-md5-modp1536
phase2alg=aes128-md5;modp1536
leftsendcert=always
rightid="71.251.98.122"
# -- end racoon compat section
left=74.112.32.58
leftcert=74-112-32-58.crt
leftid="74.112.32.58"
right=71.251.98.122
# rightid="CN=71.251.98.122"
auto=start
failureshunt=passthrough
type=transport

pfSense IPSEC Log:
---pfsense side, log entries--
Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: compute IV for phase2
Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: phase1 last IV:
..
Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: INFO: respond new phase 2 negotiation: 71.251.98.122[500]<=>74.112.32.58[500]
..snip..
Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: getsainfo params: loc='71.251.98.122' rmt='74.112.32.58' peer='74.112.32.58' client='74.112.32.58' id=2
Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: evaluating sainfo: loc='71.251.98.122', rmt='74.112.32.58', peer='ANY', id=2
Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: check and compare ids : values matched (IPv4_address)
Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: cmpid target: '71.251.98.122'
Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: cmpid source: '71.251.98.122'
Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: check and compare ids : values matched (IPv4_address)
Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: cmpid target: '74.112.32.58'
Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: cmpid source: '74.112.32.58'
Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: selected sainfo: loc='71.251.98.122', rmt='74.112.32.58', peer='ANY', id=2
Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: get a destination address of SP index from phase1 address due to no ID payloads found OR because ID type is not address.
Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: get a source address of SP index from Phase 1addresses due to no ID payloads foundOR because ID type is not address.
Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: get src address from ID payload 74.112.32.58[500] prefixlen=32 ul_proto=0
Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: get dst address from ID payload 71.251.98.122[500] prefixlen=32 ul_proto=0
Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: sub:0xbfbfe390: 74.112.32.58/32[500] 71.251.98.122/32[500] proto=any dir=in
Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: db :0x28549148: 192.168.142.0/24[0] 192.168.142.1/32[0] proto=any dir=in
Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: sub:0xbfbfe390: 74.112.32.58/32[500] 71.251.98.122/32[500] proto=any dir=in
Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: db: 0x28549148: 192.168.142.0/24[0] 192.168.142.1/32[0] proto=any dir=in
Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: 0xbfbfe390 masked with /24: 74.112.32.0[500]
Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: 0x28549148 masked with /24: 192.168.142.0[0]
Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: sub:0xbfbfe390: 74.112.32.58/32[500] 71.251.98.122/32[500] proto=any dir=in
Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: db :0x28549288: 192.168.142.1/32[0] 192.168.142.0/24[0] proto=any dir=out
Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: sub:0xbfbfe390: 74.112.32.58/32[500] 71.251.98.122/32[500] proto=any dir=in
Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: db: 0x28549288: 192.168.142.1/32[0] 192.168.142.0/24[0] proto=any dir=out
Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: ERROR: no policy found: 74.112.32.58/32[500] 71.251.98.122/32[500] proto=any dir=in
Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: ERROR: failed to get proposal for responder.
Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: [74.112.32.58] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
Aug 7 20:49:41 racoon: 2013-08-07 20:49:41: DEBUG: IV freed
*** Note: 74.112.32.58/32 <-> 71.251.98.122/32 is what is supposed to be encrypted. It says it can't find a "policy"; does this mean it's
*** not matching the IPs, or the encryption algs? Or potentially both?

--openswan side, log entries--
Aug 7 16:43:35 eclipse ipsec__plutorun: 002 added connection description "eclipse-sthome"
Aug 7 16:43:35 eclipse ipsec__plutorun: 104 "eclipse-sthome" #2: STATE_MAIN_I1: initiate
Aug 7 16:43:35 eclipse pluto[14738]: added connection description "eclipse-sthome"
Aug 7 16:43:35 eclipse pluto[14738]: "eclipse-sthome" #2: initiating Main Mode
Aug 7 16:43:35 eclipse pluto[14738]: "eclipse-sthome" #2: received Vendor ID payload [Dead Peer Detection]
Aug 7 16:43:35 eclipse pluto[14738]: "eclipse-sthome" #2: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Aug 7 16:43:35 eclipse pluto[14738]: "eclipse-sthome" #2: STATE_MAIN_I2: sent MI2, expecting MR2
Aug 7 16:43:35 eclipse pluto[14738]: "eclipse-sthome" #2: I am sending my cert
Aug 7 16:43:35 eclipse pluto[14738]: "eclipse-sthome" #2: I am sending a certificate request
Aug 7 16:43:35 eclipse pluto[14738]: "eclipse-sthome" #2: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Aug 7 16:43:35 eclipse pluto[14738]: "eclipse-sthome" #2: STATE_MAIN_I3: sent MI3, expecting MR3
Aug 7 16:43:36 eclipse pluto[14738]: "eclipse-sthome" #2: Main mode peer ID is ID_IPV4_ADDR: '71.251.98.122'
Aug 7 16:43:36 eclipse pluto[14738]: "eclipse-sthome" #2: no crl from issuer "" found (strict=no)
Aug 7 16:43:36 eclipse pluto[14738]: "eclipse-sthome" #2: Warning: gntoid() failed to initaddr(): (null)
Aug 7 16:43:36 eclipse pluto[14738]: "eclipse-sthome" #2: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Aug 7 16:43:36 eclipse pluto[14738]: "eclipse-sthome" #2: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_md5 group=modp1536}
Aug 7 16:43:36 eclipse pluto[14738]: "eclipse-sthome" #4: initiating Quick Mode RSASIG+ENCRYPT+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#2 msgid:e2544149 proposal=AES(12)_128-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1536}
Aug 7 16:44:46 eclipse pluto[14738]: "eclipse-sthome" #4: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
(This repeats over and over and over again. It seems like racoon/pfSense isn't responding to the phase-2 proposal.)

If I remove the phase2alg statement from openswan, I start getting in pfSense:
Aug 7 20:48:21 racoon: [Unknown Gateway/Dynamic]: DEBUG: get src address from ID payload 74.112.32.58[500] prefixlen=32 ul_proto=0
Aug 7 20:48:21 racoon: [Unknown Gateway/Dynamic]: DEBUG: get dst address from ID payload 71.251.98.122[500] prefixlen=32 ul_proto=0
Aug 7 20:48:21 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe390: 74.112.32.58/32[500] 71.251.98.122/32[500] proto=any dir=in
Aug 7 20:48:21 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28548148: 192.168.142.0/24[0] 192.168.142.1/32[0] proto=any dir=in
Aug 7 20:48:21 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe390: 74.112.32.58/32[500] 71.251.98.122/32[500] proto=any dir=in
Aug 7 20:48:21 racoon: [Unknown Gateway/Dynamic]: DEBUG: db: 0x28548148: 192.168.142.0/24[0] 192.168.142.1/32[0] proto=any dir=in
Aug 7 20:48:21 racoon: DEBUG: 0xbfbfe390 masked with /24: 74.112.32.0[500]
Aug 7 20:48:21 racoon: DEBUG: 0x28548148 masked with /24: 192.168.142.0[0]
Aug 7 20:48:21 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe390: 74.112.32.58/32[500] 71.251.98.122/32[500] proto=any dir=in
Aug 7 20:48:21 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28548288: 192.168.142.1/32[0] 192.168.142.0/24[0] proto=any dir=out
Aug 7 20:48:21 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe390: 74.112.32.58/32[500] 71.251.98.122/32[500] proto=any dir=in
Aug 7 20:48:21 racoon: [Unknown Gateway/Dynamic]: DEBUG: db: 0x28548288: 192.168.142.1/32[0] 192.168.142.0/24[0] proto=any dir=out
Aug 7 20:48:21 racoon: [Unknown Gateway/Dynamic]: ERROR: no policy found: 74.112.32.58/32[500] 71.251.98.122/32[500] proto=any dir=in
Aug 7 20:48:21 racoon: ERROR: failed to get proposal for responder.
Aug 7 20:48:21 racoon: [STHOME <-> eclipse.L93.com]: [74.112.32.58] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).

*** This is pretty similar stuff, however why is it "Unknown gateway/dynamic"?! It's a static IP, there's only 1 IP configured EVER and it's always the same in the log files. Nothing is changing. Is this some sort of bug?

Any advice appreciated.
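The SPD search racoon performs in the pfSense log above, reconstructed as an added example; this is not part of the original post and not racoon's own code. The matching rule (mask the requested selector with each policy's prefix length, then compare source, destination, protocol and direction) is an assumption inferred from the "masked with /24" lines, and the sample input is the log's own "sub:" and "db:" lines.

```python
import ipaddress
import re

# Constructed sample: the unique 'sub:' (request) and 'db:' (SPD entry) lines from the log above.
RACOON_LOG = """\
sub:0xbfbfe390: 74.112.32.58/32[500] 71.251.98.122/32[500] proto=any dir=in
db :0x28549148: 192.168.142.0/24[0] 192.168.142.1/32[0] proto=any dir=in
db :0x28549288: 192.168.142.1/32[0] 192.168.142.0/24[0] proto=any dir=out
"""

LINE_RE = re.compile(r"^(sub|db)\s*:\s*0x[0-9a-f]+:\s+(\S+)\[\d+\]\s+(\S+)\[\d+\]"
                     r"\s+proto=(\S+)\s+dir=(\S+)$")

def parse_selectors(text):
    """Split the log into the requested selector ('sub') and the SPD entries ('db')."""
    requested, policies = None, []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        kind, src, dst, proto, direction = m.groups()
        entry = {"src": ipaddress.ip_network(src), "dst": ipaddress.ip_network(dst),
                 "proto": proto, "dir": direction}
        if kind == "sub":
            requested = entry
        else:
            policies.append(entry)
    return requested, policies

def masked_equal(req_net, pol_net):
    """Assumed racoon 'masked with /N' step: mask the requested address with the
    policy's prefix length and compare the resulting network addresses."""
    masked = ipaddress.ip_network(f"{req_net.network_address}/{pol_net.prefixlen}",
                                  strict=False)
    return masked.network_address == pol_net.network_address

def mismatches(req, pol):
    """Selector fields on which an SPD entry fails to match the request (empty = match)."""
    bad = [f for f in ("src", "dst") if not masked_equal(req[f], pol[f])]
    if pol["proto"] != "any" and pol["proto"] != req["proto"]:
        bad.append("proto")
    if pol["dir"] != req["dir"]:
        bad.append("dir")
    return bad

def check_policies(text):
    """Per SPD entry: (src, dst, dir, mismatched fields); an empty list means it matches."""
    req, pols = parse_selectors(text)
    return [(str(p["src"]), str(p["dst"]), p["dir"], mismatches(req, p)) for p in pols]
```

Run on the log's own lines, both SPD entries fail on the source and destination selectors (they are the 192.168.142.0/24 policies), which is what "no policy found" reports: the lookup is on addresses, and the proposal's algorithms are not compared until a matching policy exists.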