Site to site (pfsense-openbsd) fail after 2.1 upgrade
-
Hi all
I had many IPsec tunnels from a pfSense box (at the master site) to Cisco routers and OpenBSD boxes.
After the 2.1 upgrade the tunnels to Cisco routers continue to work, but tunnels to OpenBSD boxes (isakmpd) died.
OpenBSD logs:
102822.444871 Default transport_send_messages: giving up on exchange peer-192.168.240.251-local-192.168.240.2, no response from peer 192.168.240.251:500
110526.978639 Default ike_phase_1_initiator_send_SA: differing group descriptions in a proposal
110526.978666 Default exchange_run: doi->initiator (0x819ac300) failed
pfSense logs:
Oct 21 10:38:25 racoon: [PM wifi]: [192.168.240.2] ERROR: failed to get valid proposal.
Oct 21 10:38:25 racoon: [PM wifi]: [192.168.240.2] ERROR: failed to pre-process ph1 packet [Check Phase 1 settings, lifetime, algorithm] (side: 1, status 1).
Oct 21 10:38:25 racoon: [PM wifi]: [192.168.240.2] ERROR: phase1 negotiation failed.
Oct 21 10:38:34 racoon: [PM wifi]: INFO: respond new phase 1 negotiation: 192.168.240.251[500]<=>192.168.240.2[500]
Oct 21 10:38:34 racoon: INFO: begin Aggressive mode.
Oct 21 10:38:34 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Oct 21 10:38:34 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Oct 21 10:38:34 racoon: INFO: received Vendor ID: RFC 3947
Oct 21 10:38:34 racoon: INFO: received Vendor ID: DPD
Oct 21 10:38:34 racoon: ERROR: no suitable proposal found.
Need help on this :)
Thanks
Giacomo
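As an added example (not from the thread and not pfSense or OpenBSD code), here is a small Python script that classifies the isakmpd and racoon phase 1 messages quoted above per peer, so the two sides' verdicts (proposal mismatch, DH group mismatch, negotiation mode) can be lined up against each other. The sample log lines are the ones posted in the thread; the only assumption is that racoon's "phase 1 negotiation: A[500]<=>B[500]" line lists the local address first and the remote peer second, which matches the addresses in the post.

```python
import re
from collections import defaultdict

# Log lines copied from the thread (isakmpd on OpenBSD, racoon on pfSense 2.1).
ISAKMPD_LOG = """\
102822.444871 Default transport_send_messages: giving up on exchange peer-192.168.240.251-local-192.168.240.2, no response from peer 192.168.240.251:500
110526.978639 Default ike_phase_1_initiator_send_SA: differing group descriptions in a proposal
110526.978666 Default exchange_run: doi->initiator (0x819ac300) failed
"""

RACOON_LOG = """\
Oct 21 10:38:25 racoon: [PM wifi]: [192.168.240.2] ERROR: failed to get valid proposal.
Oct 21 10:38:25 racoon: [PM wifi]: [192.168.240.2] ERROR: failed to pre-process ph1 packet [Check Phase 1 settings, lifetime, algorithm] (side: 1, status 1).
Oct 21 10:38:25 racoon: [PM wifi]: [192.168.240.2] ERROR: phase1 negotiation failed.
Oct 21 10:38:34 racoon: [PM wifi]: INFO: respond new phase 1 negotiation: 192.168.240.251[500]<=>192.168.240.2[500]
Oct 21 10:38:34 racoon: INFO: begin Aggressive mode.
Oct 21 10:38:34 racoon: INFO: received Vendor ID: RFC 3947
Oct 21 10:38:34 racoon: INFO: received Vendor ID: DPD
Oct 21 10:38:34 racoon: ERROR: no suitable proposal found.
"""

# Message fragments mapped to short tags. These are the messages seen in the thread,
# not an exhaustive list of what either daemon can emit.
RACOON_PATTERNS = {
    "failed to get valid proposal": "proposal_mismatch",
    "no suitable proposal found": "proposal_mismatch",
    "failed to pre-process ph1 packet": "ph1_preprocess",
    "phase1 negotiation failed": "ph1_failed",
}
ISAKMPD_PATTERNS = {
    "differing group descriptions": "dh_group_mismatch",
    "no response from peer": "peer_silent",
}

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
RACOON_PEER_RE = re.compile(r"\[" + IPV4 + r"\] (?:ERROR|INFO):")
# Assumption: racoon prints local[port]<=>remote[port] on the negotiation line.
RACOON_NEG_RE = re.compile(r"phase 1 negotiation: " + IPV4 + r"\[\d+\]<=>" + IPV4 + r"\[\d+\]")
RACOON_MODE_RE = re.compile(r"begin (Main|Aggressive) mode")
ISAKMPD_PEER_RE = re.compile(r"peer " + IPV4)


def classify_racoon(log_text):
    """Return {peer_ip: {"tags": set, "mode": str or None}}.

    racoon logs the mode line and the final 'no suitable proposal' verdict without
    repeating the peer address, so such lines are attributed to the peer named in
    the most recent bracketed or negotiation line."""
    findings = defaultdict(lambda: {"tags": set(), "mode": None})
    current_peer = None
    for line in log_text.splitlines():
        neg = RACOON_NEG_RE.search(line)
        if neg:
            current_peer = neg.group(2)
        bracketed = RACOON_PEER_RE.search(line)
        if bracketed:
            current_peer = bracketed.group(1)
        if current_peer is None:
            continue
        mode = RACOON_MODE_RE.search(line)
        if mode:
            findings[current_peer]["mode"] = mode.group(1)
        for needle, tag in RACOON_PATTERNS.items():
            if needle in line:
                findings[current_peer]["tags"].add(tag)
    return dict(findings)


def classify_isakmpd(log_text):
    """Return {peer_ip: set_of_tags}; lines with no 'peer A.B.C.D' token are
    attributed to the peer named in the most recent line that had one."""
    findings = defaultdict(set)
    current_peer = None
    for line in log_text.splitlines():
        m = ISAKMPD_PEER_RE.search(line)
        if m:
            current_peer = m.group(1)
        if current_peer is None:
            continue
        for needle, tag in ISAKMPD_PATTERNS.items():
            if needle in line:
                findings[current_peer].add(tag)
    return dict(findings)


def phase1_mismatch_peers(racoon_text):
    """Sorted list of peers whose phase 1 failed on a proposal mismatch."""
    found = classify_racoon(racoon_text)
    return sorted(p for p, f in found.items() if "proposal_mismatch" in f["tags"])


if __name__ == "__main__":
    for peer, f in classify_racoon(RACOON_LOG).items():
        print(f"racoon  peer {peer}: mode={f['mode']} tags={sorted(f['tags'])}")
    for peer, tags in classify_isakmpd(ISAKMPD_LOG).items():
        print(f"isakmpd peer {peer}: tags={sorted(tags)}")
```

The mode the parser reports for the racoon side (Aggressive in the posted log) is worth comparing with the mode declared in the OpenBSD ipsec.conf, and the isakmpd "differing group descriptions" tag points at the DH group in the phase 1 proposal; racoon's own hint in the second error line ("Check Phase 1 settings, lifetime, algorithm") covers the rest of the phase 1 parameters to compare between the two sides.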
-
Same problem with OpenBSD 5.3.
Giacomo
-
I guess my crystal ball is broken and I'm unable to see your configuration :)
Screenshots and config samples please :)
-
I guess my crystal ball is broken and I'm unable to see your configuration :)
Screenshots and config samples please :)
Hi, do you have working IPsec tunnels between pfSense 2.1 and OpenBSD?
As already said, the same tunnels to OpenBSD boxes worked fine with pfSense 2.0, while IPsec tunnels to Cisco routers continue to work.
OpenBSD sample:
ike active esp from $local_network to $remote_network local $local_peer_wifi peer $remote_peer_wifi main auth hmac-sha1 enc blowfish group modp1024 quick auth hmac-sha1 enc blowfish group modp1024 psk $key
(also tried to add life(time) for the two phases)
The pfSense side is simpler, just putting the right data in the fields, using IPs as identifiers.
Giacomo