IPSec UI Bug

  • Good Afternoon,

    I am currently having an issue with the creation of a VPN, which is failing during phase 2.

    In the UI, the PFS key group is set to 2.  However, in the racoon.conf file it is 'pfs_group 5;'

    For example:
    sainfo address LOCAL IP ADDRESS any address REMOTE IP ADDRESS any
            remoteid 3;
            encryption_algorithm aes 128;
            authentication_algorithm hmac_sha1;
            pfs_group 5;
            lifetime time 3600 secs;
            compression_algorithm deflate;

    In the logs I get the following errors with debug mode turned on:

    [VPN NAME]: [Remote IP Address] ERROR: error message: 'H '.
    [VPN NAME]: [Remote IP Address] ERROR: notification NO-PROPOSAL-CHOSEN received in informational exchange.
    [VPN NAME]: [Remote IP Address] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
    [VPN NAME]: [Remote IP Address] ERROR: no proposal chosen [Check Phase 2 settings, algorithm].
    Nov 14 13:36:10 racoon: ERROR: no suitable policy found.
    Nov 14 13:36:10 racoon: ERROR: not matched
    Nov 14 13:36:10 racoon: ERROR: pfs group mismatched: my:5 peer:2

    If I stop the racoon service and manually edit the racoon.conf file to be 'pfs_group 2;' and start the service from the command line the VPN connects.  If I start the service via the UI it overwrites the file with '5' and won't connect.  No matter what value I choose, including 'off', for 'PFS key group' under phase 2 it always has 'pfs_group 5;' in the config file.

    Forgot to add: I'm currently running:
    2.1-RELEASE (amd64)
    built on Mon Sep 16 18:13:41 PDT 2013
    FreeBSD pfsense-th.th.local 8.3-RELEASE-p11 FreeBSD 8.3-RELEASE-p11 #0: Mon Sep 16 18:10:22 PDT 2013 root@sentinel.hacom.net:/usr/obj.pfSense/usr/pfSensesrc/src/sys/pfSense_SMP.8 amd64

  • I detected a similar problem. While trying to configure an IPSec VPN to a Cisco RV110W router, the log shows "racoon: ERROR: pfs group mismatched: my:2 peer:0" (even when the Cisco was configured with pfs 2). Connection seems to work, even with this error constantly being logged. So, I configure both the cisco and the pfsense (2.1) to use no pfs, but the error is still there, so I read the /var/etc/ipsec/racoon.conf, and find the following:

    sainfo subnet xxxxxxxx any subnet yyyyyyyy any
    remoteid 4;
    encryption_algorithm aes 256, aes 192, aes 128, blowfish 256, blowfish 248, blowfish 240, blowfish 232, blowfish 224, blowfish 216, blowfish 208, blowfish 200, blowfish 192, blowfish 184, blowfish 176, blowfish 168, blowfish 160, blowfish 152, blowfish 144, blowfish 136, blowfish 128, 3des, cast128;
    authentication_algorithm hmac_md5,hmac_sha1,hmac_sha256,hmac_sha384,hmac_sha512;
    pfs_group 2;
    lifetime time 28800 secs;
    compression_algorithm deflate;

    I use pfs group 2 in other IPSec connections, maybe there's a bug that uses this value from another connection instead of its own?

    I'm using:

    Version 2.1-RELEASE (i386)
    built on Wed Sep 11 18:16:22 EDT 2013
    FreeBSD 8.3-RELEASE-p11

    You are on the latest version.
    Platform nanobsd (2g)

  • Rebel Alliance Developer Netgate

    Check your settings on the Mobile IPsec tab - do you have PFS enabled on there? If so, is it set to the value you're finding on the other P2's unexpectedly?

  • Unchecking that does change the output.  Unfortunately, it now appears to be defaulting to the 1st VPN for all subsequent entries.
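  A quick way to confirm the symptom described in the first post (the GUI value for PFS never reaching racoon.conf) and in the last one (every Phase 2 entry ending up with the same pfs_group) is to parse the generated sainfo stanzas and compare them against what the GUI was set to, and to pull the "pfs group mismatched: my:X peer:Y" pairs out of the racoon log. The script below is an added example, not part of this thread or of pfSense itself; the racoon.conf fragment, the log lines, the addresses and the expected-values map keyed by remoteid are all constructed for illustration, and it assumes that a sainfo stanza with no pfs_group line means PFS is off.

```python
import re

# Constructed racoon.conf fragment with two Phase 2 (sainfo) stanzas, modelled on
# the ones quoted in the thread. Addresses are documentation placeholders.
SAMPLE_RACOON_CONF = """\
sainfo address 192.0.2.10 any address 198.51.100.20 any
        remoteid 3;
        encryption_algorithm aes 128;
        authentication_algorithm hmac_sha1;
        pfs_group 5;
        lifetime time 3600 secs;
        compression_algorithm deflate;

sainfo subnet 10.0.1.0/24 any subnet 10.0.2.0/24 any
        remoteid 4;
        encryption_algorithm aes 256, aes 128, 3des;
        authentication_algorithm hmac_sha1,hmac_sha256;
        pfs_group 5;
        lifetime time 28800 secs;
        compression_algorithm deflate;
"""

# Constructed: the PFS key group each Phase 2 entry was set to in the GUI,
# keyed by remoteid. None stands for "PFS off".
EXPECTED_PFS_BY_REMOTEID = {3: 2, 4: None}

# Constructed log lines in the format quoted in the thread.
SAMPLE_LOG = """\
Nov 14 13:36:10 racoon: ERROR: no suitable policy found.
Nov 14 13:36:10 racoon: ERROR: not matched
Nov 14 13:36:10 racoon: ERROR: pfs group mismatched: my:5 peer:2
"""

SAINFO_RE = re.compile(r"^sainfo\s+(.*)$")
KV_RE = re.compile(r"^\s*(\w+)\s+(.*?);\s*$")
MISMATCH_RE = re.compile(r"pfs group mismatched: my:(\d+) peer:(\d+)")


def parse_sainfo_blocks(conf_text):
    """Return one dict per sainfo stanza: its selector plus each 'key value;' line."""
    blocks = []
    current = None
    for line in conf_text.splitlines():
        m = SAINFO_RE.match(line)
        if m:
            current = {"selector": m.group(1).strip()}
            blocks.append(current)
            continue
        if current is None or not line.strip():
            continue
        kv = KV_RE.match(line)
        if kv:
            current[kv.group(1)] = kv.group(2).strip()
    return blocks


def pfs_group_of(block):
    """pfs_group as an int, or None when the stanza has none (assumed: PFS off)."""
    val = block.get("pfs_group")
    return int(val) if val is not None else None


def audit_pfs(conf_text, expected_by_remoteid):
    """Compare each stanza's pfs_group with the GUI value and flag shared groups."""
    blocks = parse_sainfo_blocks(conf_text)
    mismatches = []
    for b in blocks:
        rid = int(b.get("remoteid", -1))
        actual = pfs_group_of(b)
        expected = expected_by_remoteid.get(rid)
        if actual != expected:
            mismatches.append({"remoteid": rid, "expected": expected, "actual": actual})
    # Symptom from the last post: all P2 entries carry one group regardless of the GUI.
    groups = [pfs_group_of(b) for b in blocks]
    all_same = len(blocks) > 1 and len(set(groups)) == 1
    return {"mismatches": mismatches, "all_p2_same_group": all_same, "groups": groups}


def parse_mismatch_log(log_text):
    """Extract (my, peer) group pairs from racoon 'pfs group mismatched' lines."""
    return [(int(a), int(b)) for a, b in MISMATCH_RE.findall(log_text)]


if __name__ == "__main__":
    report = audit_pfs(SAMPLE_RACOON_CONF, EXPECTED_PFS_BY_REMOTEID)
    for f in report["mismatches"]:
        print(f"remoteid {f['remoteid']}: GUI={f['expected']} racoon.conf={f['actual']}")
    if report["all_p2_same_group"]:
        print("every Phase 2 entry shares pfs_group", report["groups"][0])
    for my, peer in parse_mismatch_log(SAMPLE_LOG):
        print(f"log: local side offers group {my}, peer offers group {peer}")
```

Run it against /var/etc/ipsec/racoon.conf and the IPsec log after each GUI save: a non-empty mismatch list shows the GUI value is not what racoon loads, and all_p2_same_group being true across entries with different GUI settings is the "defaulting to the 1st VPN" symptom from the last post.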
