Site to site (pfsense-openbsd) fail after 2.1 upgrade



  • Hi all

    I had many IPsec tunnels from a pfSense box (at the master site) to Cisco routers and OpenBSD boxes.
    After the 2.1 upgrade the tunnels to the Cisco routers continue to work, but the tunnels to the OpenBSD boxes (isakmpd) died.

    OpenBSD logs:
    102822.444871 Default transport_send_messages: giving up on exchange peer-192.168.240.251-local-192.168.240.2, no response from peer 192.168.240.251:500
    110526.978639 Default ike_phase_1_initiator_send_SA: differing group descriptions in a proposal
    110526.978666 Default exchange_run: doi->initiator (0x819ac300) failed

    pfSense logs:
    Oct 21 10:38:25 racoon: [PM wifi]: [192.168.240.2] ERROR: failed to get valid proposal.
    Oct 21 10:38:25 racoon: [PM wifi]: [192.168.240.2] ERROR: failed to pre-process ph1 packet [Check Phase 1 settings, lifetime, algorithm] (side: 1, status 1).
    Oct 21 10:38:25 racoon: [PM wifi]: [192.168.240.2] ERROR: phase1 negotiation failed.
    Oct 21 10:38:34 racoon: [PM wifi]: INFO: respond new phase 1 negotiation: 192.168.240.251[500]<=>192.168.240.2[500]
    Oct 21 10:38:34 racoon: INFO: begin Aggressive mode.
    Oct 21 10:38:34 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Oct 21 10:38:34 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Oct 21 10:38:34 racoon: INFO: received Vendor ID: RFC 3947
    Oct 21 10:38:34 racoon: INFO: received Vendor ID: DPD
    Oct 21 10:38:34 racoon: ERROR: no suitable proposal found.

    Need help on this :)
    Thanks

    Giacomo



  • Same problem with OpenBSD 5.3.

    Giacomo



  • I guess my crystal ball is broken and I'm unable to see your configuration :)
    Screenshots and config samples please :)



  • @nothing:

    I guess my crystal ball is broken and I'm unable to see your configuration :)
    Screenshots and config samples please :)

    Hi, do you have working IPsec tunnels between pfSense 2.1 and OpenBSD?
    As already said, the same tunnels to the OpenBSD boxes worked fine with pfSense 2.0, while the IPsec tunnels to the Cisco routers continue to work.

    OpenBSD sample:
    ike active esp from $local_network to $remote_network local $local_peer_wifi peer $remote_peer_wifi main auth hmac-sha1 enc blowfish group modp1024 quick auth hmac-sha1 enc blowfish group modp1024 psk $key
    (I also tried adding life(time) for the two phases.)

    The pfSense side is simpler: just put the right data in the fields, using IPs as identifiers.

    Giacomo
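Both daemons' messages in this thread point at the same stage of the negotiation, so a small triage script that reads the two log formats side by side helps pin the failure to phase 1 before anyone starts changing settings. The script below is an added example, not code from the thread, pfSense or OpenBSD; the only message strings it knows are the racoon and isakmpd lines quoted in the posts above, the sample logs are constructed from those lines, and the regular expressions for the two log layouts are assumptions based on them. It also records the exchange mode racoon reports (Aggressive here), which is worth comparing against the `main` keyword on the OpenBSD `ike` line.

```python
"""Triage IKEv1 phase 1 failures from racoon (pfSense) and isakmpd (OpenBSD) logs.
Hypothetical helper written for this thread; SIGNATURES only contains the
message strings quoted in the posts above."""
import re
from collections import defaultdict

# (substring of the daemon's message, failure category)
SIGNATURES = {
    "racoon": [
        ("no suitable proposal found", "phase1_proposal_mismatch"),
        ("failed to get valid proposal", "phase1_proposal_mismatch"),
        ("failed to pre-process ph1 packet", "phase1_proposal_mismatch"),
        ("phase1 negotiation failed", "phase1_failed"),
        ("begin Aggressive mode", "exchange_mode_aggressive"),
    ],
    "isakmpd": [
        ("differing group descriptions in a proposal", "phase1_proposal_mismatch"),
        ("no response from peer", "peer_no_response"),
        ("doi->initiator", "phase1_failed"),
    ],
}

# racoon: "<syslog ts> racoon: [<ph1 name>]: [<peer>] <LEVEL>: <msg>" (both
# bracketed fields optional); isakmpd: "<secs.usecs> <class> <function>: <msg>".
# Both layouts are assumed from the lines quoted in the thread.
RACOON_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) racoon: "
    r"(?:\[(?P<tag>[^\]]*)\]: )?"
    r"(?:\[(?P<peer>\d{1,3}(?:\.\d{1,3}){3})\] )?"
    r"(?P<level>[A-Z]+): (?P<msg>.*)$"
)
ISAKMPD_RE = re.compile(r"^(?P<ts>\d+\.\d+) (?P<cls>\S+) (?P<func>\w+): (?P<msg>.*)$")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_racoon(text):
    events = []
    for line in text.splitlines():
        m = RACOON_RE.match(line.strip())
        if not m:
            continue
        peer = m.group("peer")
        if peer is None and "<=>" in m.group("msg"):
            # "respond new phase 1 negotiation: local[500]<=>remote[500]"
            peer = IPV4_RE.findall(m.group("msg"))[-1]
        events.append({"side": "racoon", "peer": peer, "msg": m.group("msg")})
    return events


def parse_isakmpd(text):
    events = []
    for line in text.splitlines():
        m = ISAKMPD_RE.match(line.strip())
        if not m:
            continue
        pm = re.search(r"peer[- ](\d{1,3}(?:\.\d{1,3}){3})", m.group("msg"))
        events.append({"side": "isakmpd", "peer": pm.group(1) if pm else None,
                       "msg": m.group("msg")})
    return events


def classify(side, msg):
    return [cat for needle, cat in SIGNATURES[side] if needle in msg]


def triage(events):
    """Map each failure category to the sides that reported it and give a verdict."""
    reported = defaultdict(set)
    peers = set()
    for ev in events:
        if ev["peer"]:
            peers.add(ev["peer"])
        for cat in classify(ev["side"], ev["msg"]):
            reported[cat].add(ev["side"])
    sides = reported.get("phase1_proposal_mismatch", set())
    if sides == {"racoon", "isakmpd"}:
        diagnosis = ("Phase 1 proposal mismatch confirmed by both peers: compare "
                     "exchange mode, DH group, encryption, hash and lifetime.")
    elif sides:
        diagnosis = "Phase 1 proposal rejected by %s only." % ", ".join(sorted(sides))
    elif "peer_no_response" in reported:
        diagnosis = "No reply from peer: check reachability of UDP/500 first."
    else:
        diagnosis = "No phase 1 failure signatures found."
    return {"categories": {c: sorted(s) for c, s in sorted(reported.items())},
            "peers": sorted(peers), "diagnosis": diagnosis}


# Constructed samples: the lines quoted in the thread, verbatim.
RACOON_SAMPLE = """\
Oct 21 10:38:25 racoon: [PM wifi]: [192.168.240.2] ERROR: failed to get valid proposal.
Oct 21 10:38:25 racoon: [PM wifi]: [192.168.240.2] ERROR: failed to pre-process ph1 packet [Check Phase 1 settings, lifetime, algorithm] (side: 1, status 1).
Oct 21 10:38:25 racoon: [PM wifi]: [192.168.240.2] ERROR: phase1 negotiation failed.
Oct 21 10:38:34 racoon: [PM wifi]: INFO: respond new phase 1 negotiation: 192.168.240.251[500]<=>192.168.240.2[500]
Oct 21 10:38:34 racoon: INFO: begin Aggressive mode.
Oct 21 10:38:34 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Oct 21 10:38:34 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Oct 21 10:38:34 racoon: INFO: received Vendor ID: RFC 3947
Oct 21 10:38:34 racoon: INFO: received Vendor ID: DPD
Oct 21 10:38:34 racoon: ERROR: no suitable proposal found.
"""
ISAKMPD_SAMPLE = """\
102822.444871 Default transport_send_messages: giving up on exchange peer-192.168.240.251-local-192.168.240.2, no response from peer 192.168.240.251:500
110526.978639 Default ike_phase_1_initiator_send_SA: differing group descriptions in a proposal
110526.978666 Default exchange_run: doi->initiator (0x819ac300) failed
"""

if __name__ == "__main__":
    print(triage(parse_racoon(RACOON_SAMPLE) + parse_isakmpd(ISAKMPD_SAMPLE)))
```

Run it against the two logs as pasted and it reports the proposal mismatch from both sides, the aggressive exchange mode seen by racoon, and the earlier "no response" from isakmpd, which is the order in which to check things: reachability of UDP/500, then exchange mode, then the phase 1 algorithm set on each peer.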

