Netgate Discussion Forum
    IPSec UI Bug

    joshmarquis

      Good Afternoon,

      I am currently having an issue with the creation of a VPN, which is failing during phase 2.

      In the UI, the PFS key group is set to 2.  However, in the racoon.conf file it is 'pfs_group 5;'

      For example:
      ---
      sainfo address LOCAL IP ADDRESS any address REMOTE IP ADDRESS any
      {
              remoteid 3;
              encryption_algorithm aes 128;
              authentication_algorithm hmac_sha1;
              pfs_group 5;
              lifetime time 3600 secs;
              compression_algorithm deflate;
      }

      In the logs I get the following errors with debug mode turned on:

      [VPN NAME]: [Remote IP Address] ERROR: error message: 'H '.
      [VPN NAME]: [Remote IP Address] ERROR: notification NO-PROPOSAL-CHOSEN received in informational exchange.
      [VPN NAME]: [Remote IP Address] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
      [VPN NAME]: [Remote IP Address] ERROR: no proposal chosen [Check Phase 2 settings, algorithm].
      Nov 14 13:36:10 racoon: ERROR: no suitable policy found.
      Nov 14 13:36:10 racoon: ERROR: not matched
      Nov 14 13:36:10 racoon: ERROR: pfs group mismatched: my:5 peer:2

      If I stop the racoon service and manually edit the racoon.conf file to be 'pfs_group 2;' and start the service from the command line the VPN connects.  If I start the service via the UI it overwrites the file with '5' and won't connect.  No matter what value I choose, including 'off', for 'PFS key group' under phase 2 it always has 'pfs_group 5;' in the config file.

      Forgot to add: I'm currently running:
      ---
      2.1-RELEASE (amd64)
      built on Mon Sep 16 18:13:41 PDT 2013
      FreeBSD pfsense-th.th.local 8.3-RELEASE-p11 FreeBSD 8.3-RELEASE-p11 #0: Mon Sep 16 18:10:22 PDT 2013 root@sentinel.hacom.net:/usr/obj.pfSense/usr/pfSensesrc/src/sys/pfSense_SMP.8 amd64

      fsr

        I detected a similar problem. While trying to configure an IPSec VPN to a Cisco RV110W router, the log shows "racoon: ERROR: pfs group mismatched: my:2 peer:0" (even when the Cisco was configured with pfs 2). The connection seems to work, even with this error constantly being logged. So, I configured both the Cisco and the pfSense (2.1) to use no pfs, but the error is still there, so I read the /var/etc/ipsec/racoon.conf and found the following:

        sainfo subnet xxxxxxxx any subnet yyyyyyyy any
        {
        remoteid 4;
        encryption_algorithm aes 256, aes 192, aes 128, blowfish 256, blowfish 248, blowfish 240, blowfish 232, blowfish 224, blowfish 216, blowfish 208, blowfish 200, blowfish 192, blowfish 184, blowfish 176, blowfish 168, blowfish 160, blowfish 152, blowfish 144, blowfish 136, blowfish 128, 3des, cast128;
        authentication_algorithm hmac_md5,hmac_sha1,hmac_sha256,hmac_sha384,hmac_sha512;
        pfs_group 2;
        lifetime time 28800 secs;
        compression_algorithm deflate;
        }

        I use pfs group 2 in other IPSec connections; maybe there's a bug that uses this value from another connection instead of its own?

        I'm using:

        Version 2.1-RELEASE (i386)
        built on Wed Sep 11 18:16:22 EDT 2013
        FreeBSD 8.3-RELEASE-p11

        You are on the latest version.
        Platform nanobsd (2g)

        jimp (Rebel Alliance Developer, Netgate)

          Check your settings on the Mobile IPsec tab - do you have PFS enabled on there? If so, is it set to the value you're finding on the other P2's unexpectedly?

          joshmarquis

            Unchecking that does change the output.  Unfortunately, it now appears to be defaulting to the 1st VPN for all subsequent entries.

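One way to confirm what racoon will actually negotiate for each phase 2 before bringing a tunnel up is to read the generated sainfo blocks back and compare them with the values set in the UI. The following is an added Python example, not code from the thread or from pfSense; the sample racoon.conf, the selectors and the "expected" values are constructed to reproduce the symptom described above (every sainfo carrying the same pfs_group).

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of /var/etc/ipsec/racoon.conf with two phase 2 entries.
# Both carry pfs_group 5 even though one tunnel was configured for group 2.
SAMPLE_RACOON_CONF = """
sainfo address 203.0.113.10 any address 198.51.100.20 any
{
        remoteid 3;
        encryption_algorithm aes 128;
        authentication_algorithm hmac_sha1;
        pfs_group 5;
        lifetime time 3600 secs;
        compression_algorithm deflate;
}
sainfo subnet 10.0.1.0/24 any subnet 10.0.2.0/24 any
{
        remoteid 4;
        encryption_algorithm aes 256, 3des;
        authentication_algorithm hmac_sha1;
        pfs_group 5;
        lifetime time 28800 secs;
        compression_algorithm deflate;
}
"""

# One sainfo block: the selector line, then a brace-delimited body.
SAINFO_RE = re.compile(r"sainfo\s+([^\n{]+?)\s*\{(.*?)\}", re.S)
PFS_RE = re.compile(r"^\s*pfs_group\s+(\d+)\s*;", re.M)
# The racoon log line quoted in the thread, e.g. "pfs group mismatched: my:5 peer:2".
LOG_RE = re.compile(r"pfs group mismatched: my:(\d+) peer:(\d+)")

def parse_sainfo(conf: str) -> Dict[str, Optional[int]]:
    """Map each sainfo selector to its pfs_group; None means no pfs_group line (PFS off)."""
    result: Dict[str, Optional[int]] = {}
    for m in SAINFO_RE.finditer(conf):
        selector = " ".join(m.group(1).split())   # normalise whitespace in the selector
        pm = PFS_RE.search(m.group(2))
        result[selector] = int(pm.group(1)) if pm else None
    return result

def find_pfs_mismatches(conf: str, expected: Dict[str, Optional[int]]) -> List[Tuple[str, Optional[int], Optional[int]]]:
    """Return (selector, expected, actual) for every P2 whose written pfs_group differs from the intended one."""
    actual = parse_sainfo(conf)
    return [(sel, want, actual.get(sel)) for sel, want in expected.items() if actual.get(sel) != want]

def parse_mismatch_log(line: str) -> Optional[Tuple[int, int]]:
    """Extract (my, peer) DH groups from racoon's 'pfs group mismatched' error line."""
    m = LOG_RE.search(line)
    return (int(m.group(1)), int(m.group(2))) if m else None
```

Running find_pfs_mismatches against the real file after each UI save shows immediately whether the per-P2 value or a shared one (such as the Mobile IPsec setting) ended up in racoon.conf.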