Netgate Discussion Forum
    Site to site (pfsense-openbsd) fail after 2.1 upgrade
    capitangiaco

      Hi all

      I had many IPsec tunnels from a pfSense box (at the master site) versus Cisco routers and OpenBSD boxes.
      After the 2.1 upgrade the tunnels to Cisco routers continue to work, but tunnels to OpenBSD boxes (isakmpd) died.

      OpenBSD logs:
      102822.444871 Default transport_send_messages: giving up on exchange peer-192.168.240.251-local-192.168.240.2, no response from peer 192.168.240.251:500
      110526.978639 Default ike_phase_1_initiator_send_SA: differing group descriptions in a proposal
      110526.978666 Default exchange_run: doi->initiator (0x819ac300) failed

      pfSense logs:
      Oct 21 10:38:25 racoon: [PM wifi]: [192.168.240.2] ERROR: failed to get valid proposal.
      Oct 21 10:38:25 racoon: [PM wifi]: [192.168.240.2] ERROR: failed to pre-process ph1 packet [Check Phase 1 settings, lifetime, algorithm] (side: 1, status 1).
      Oct 21 10:38:25 racoon: [PM wifi]: [192.168.240.2] ERROR: phase1 negotiation failed.
      Oct 21 10:38:34 racoon: [PM wifi]: INFO: respond new phase 1 negotiation: 192.168.240.251[500]<=>192.168.240.2[500]
      Oct 21 10:38:34 racoon: INFO: begin Aggressive mode.
      Oct 21 10:38:34 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
      Oct 21 10:38:34 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
      Oct 21 10:38:34 racoon: INFO: received Vendor ID: RFC 3947
      Oct 21 10:38:34 racoon: INFO: received Vendor ID: DPD
      Oct 21 10:38:34 racoon: ERROR: no suitable proposal found.

      Need help on this :)
      Thanks

      Giacomo

      capitangiaco

        Same problem with OpenBSD 5.3.

        Giacomo

        nothing

          I guess my crystal ball is broken and I'm unable to see your configuration :)
          Screenshots and config samples please :)

          capitangiaco

            @nothing:

            I guess my crystal ball is broken and I'm unable to see your configuration :)
            Screenshots and config samples please :)

            Hi, do you have working IPsec tunnels between pfSense 2.1 and OpenBSD?
            As already said, the same tunnels to OpenBSD boxes worked fine with pfSense 2.0, while IPsec tunnels to Cisco routers continue to work.

            OpenBSD sample:
            ike active esp from $local_network to $remote_network local $local_peer_wifi peer $remote_peer_wifi main auth hmac-sha1 enc blowfish group modp1024 quick auth hmac-sha1 enc blowfish group modp1024 psk $key
            (Also tried to add life(time) for the two phases.)

            The pfSense side is simpler: just putting the right data in the fields, using IPs as identifiers.

            Giacomo

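The two log excerpts and the ipsec.conf rule posted in this thread describe a phase-1 (IKEv1) proposal mismatch between isakmpd and racoon. The script below is an added example, not code from the thread, from pfSense or from OpenBSD: it parses the posted `ike` rule into its phase-1 and phase-2 transforms, pulls the exchange mode, peer and error lines out of the racoon log, maps the isakmpd messages to the parameter they name, and lists the discrepancies an operator should check on both ends. The pfSense-side settings dictionary (`PFSENSE_PHASE1_SAMPLE`) is hypothetical, since the thread never shows those fields; it is given a different DH group on purpose so the comparison path is exercised. The exchange mode is taken from racoon's `begin ... mode` line, which is what racoon saw on the wire, so a discrepancy there is something to verify in both configurations rather than a diagnosis. The default of main mode when the rule carries no mode keyword follows ipsec.conf(5).

```python
"""Triage helper for an IKEv1 phase-1 failure between pfSense (racoon) and
OpenBSD (isakmpd). Added example for this thread, not project code."""
import re

# Constructed sample inputs, copied from the posts in this thread.
OPENBSD_RULE = ("ike active esp from $local_network to $remote_network "
                "local $local_peer_wifi peer $remote_peer_wifi "
                "main auth hmac-sha1 enc blowfish group modp1024 "
                "quick auth hmac-sha1 enc blowfish group modp1024 psk $key")

RACOON_LOG = """\
Oct 21 10:38:25 racoon: [PM wifi]: [192.168.240.2] ERROR: failed to get valid proposal.
Oct 21 10:38:25 racoon: [PM wifi]: [192.168.240.2] ERROR: failed to pre-process ph1 packet [Check Phase 1 settings, lifetime, algorithm] (side: 1, status 1).
Oct 21 10:38:25 racoon: [PM wifi]: [192.168.240.2] ERROR: phase1 negotiation failed.
Oct 21 10:38:34 racoon: [PM wifi]: INFO: respond new phase 1 negotiation: 192.168.240.251[500]<=>192.168.240.2[500]
Oct 21 10:38:34 racoon: INFO: begin Aggressive mode.
Oct 21 10:38:34 racoon: ERROR: no suitable proposal found.
"""

ISAKMPD_LOG = """\
102822.444871 Default transport_send_messages: giving up on exchange peer-192.168.240.251-local-192.168.240.2, no response from peer 192.168.240.251:500
110526.978639 Default ike_phase_1_initiator_send_SA: differing group descriptions in a proposal
110526.978666 Default exchange_run: doi->initiator (0x819ac300) failed
"""

# Hypothetical pfSense phase-1 fields; the thread does not show them. The DH
# group is deliberately different so the comparison below reports something.
PFSENSE_PHASE1_SAMPLE = {"auth": "hmac-sha1", "enc": "blowfish", "group": "modp1536"}

PHASE1_MODES = ("main", "aggressive")
TRANSFORM_KEYS = ("auth", "enc", "group", "lifetime")


def parse_ike_rule(rule):
    """Split an ipsec.conf 'ike' rule into phase-1 and phase-2 transform dicts.

    Tokens up to 'quick' belong to phase 1 ('main'/'aggressive' sets the mode,
    main being the ipsec.conf default); tokens after 'quick' belong to phase 2.
    Non-transform keywords (from/to/local/peer/psk) and their arguments are skipped.
    """
    tokens = rule.split()
    phases = {"phase1": {"mode": "main"}, "phase2": {}}
    current = "phase1"
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in PHASE1_MODES:
            current = "phase1"
            phases["phase1"]["mode"] = tok
        elif tok == "quick":
            current = "phase2"
        elif tok in TRANSFORM_KEYS and i + 1 < len(tokens):
            phases[current][tok] = tokens[i + 1]
            i += 1  # consume the keyword's argument
        i += 1
    return phases


def racoon_phase1_summary(log_text):
    """Extract the exchange mode racoon saw, the remote peer and every ERROR line."""
    summary = {"mode": None, "peer": None, "errors": []}
    for line in log_text.splitlines():
        m = re.search(r"begin (Main|Aggressive) mode", line)
        if m:
            summary["mode"] = m.group(1).lower()
        m = re.search(r"negotiation: ([\d.]+)\[\d+\]<=>([\d.]+)\[\d+\]", line)
        if m:
            summary["peer"] = m.group(2)  # right-hand address is the remote side
        m = re.search(r"ERROR: (.+)$", line)
        if m:
            summary["errors"].append(m.group(1))
    return summary


def isakmpd_hints(log_text):
    """Map isakmpd messages to the phase-1 parameter or condition they name."""
    hints = set()
    for line in log_text.splitlines():
        if "differing group descriptions" in line:
            hints.add("group")          # the message names the DH group description
        if "no response from peer" in line:
            hints.add("no_response")    # peer never answered; check mode/ids first
    return hints


def compare_phase1(openbsd_phase1, pfsense_phase1):
    """Return {param: (openbsd_value, pfsense_value)} for transforms that differ."""
    return {k: (openbsd_phase1.get(k), pfsense_phase1.get(k))
            for k in ("auth", "enc", "group")
            if openbsd_phase1.get(k) != pfsense_phase1.get(k)}


def triage(rule, racoon_log, isakmpd_log, pfsense_phase1):
    """Combine the parsed rule, both logs and the pfSense fields into one finding list."""
    openbsd = parse_ike_rule(rule)["phase1"]
    racoon = racoon_phase1_summary(racoon_log)
    findings = []
    if racoon["mode"] and racoon["mode"] != openbsd["mode"]:
        findings.append("exchange mode: isakmpd rule says %s, racoon log shows %s"
                        % (openbsd["mode"], racoon["mode"]))
    for key, (ob, pf) in sorted(compare_phase1(openbsd, pfsense_phase1).items()):
        findings.append("%s: openbsd=%s pfsense=%s" % (key, ob, pf))
    for hint in sorted(isakmpd_hints(isakmpd_log)):
        findings.append("isakmpd hint: %s" % hint)
    return findings


if __name__ == "__main__":
    for finding in triage(OPENBSD_RULE, RACOON_LOG, ISAKMPD_LOG, PFSENSE_PHASE1_SAMPLE):
        print(finding)
```

Run it as-is to see the findings for the thread's own inputs; to use it on a real tunnel, paste the `ike` rule from ipsec.conf and the racoon/isakmpd log lines, and fill the pfSense dictionary from the Phase 1 page of the tunnel. Every reported line is a discrepancy to verify, not a root cause: isakmpd and racoon each log only what they saw in the other side's proposal.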