IPSEC tunnel wont run

ett_tingest

Hello everyone!
have been spending most of this day on google trying to find a sollution to my IPSEC problem.

I have 2 pfsenses with version:

2.1-RELEASE (i386)
built on Wed Sep 11 18:16:44 EDT 2013
FreeBSD pfsense.localdomain 8.3-RELEASE-p11 FreeBSD 8.3-RELEASE-p11 #0: Wed Sep 11 19:13:36 EDT 2013 root@snapshots-8_3-i386.builders.pfsense.org:/usr/obj.pfSense/usr/pfSensesrc/src/sys/pfSense_wrap.8.i386 i386

and is trying to get a IPSEC tunnel with PSK up and running between to sites.

This is my setup:

Site 1:

WAN IP: someoffice.dyndns.org
LAN IP: 192.168.15.2 /24

Phase 1 config:
Internet Protocol: IPv4
Interface: WAN
remote gateway: somestorage.dyndns.org

Authentication Method: Mutual PSK
Negotiation mode: main
My identifier: Distinguished name: someoffice.dyndns.org
Peer identifier: somestorage.dyndns.org
Pre-shared Key: sameonbothsides (set with 8 chars, 4small letter and 4 numbers in a mix)
Policy Generation: Default
Proposal Checking: Default

Encryption algorithm: 3DES (same set on both sides)
Hash algorithm: SHA1 (same set on both sides)

DH key group: 2(1024 bit)
Lifetime: 28800 seconds

NAT Traversal: Disable (same on both sides)
Dead peer Detection: Enabled
10 sec
5 retries

Phase2 config:
Mode: Tunnel IPv4
Local Network: LAN Subnet
Remote Network: Network - 192.168.30.0 /24

Protocol: ESP
Encryption algorithm: AES 128 bits
Hash algorithm: SHA1
PFS key group: 2 (1024 bit)
Lifetime: 3600 seconds

Site 2:
WAN IP: somestorage.dyndns.org
LAN IP: 192.168.30.1 /24

Phase 1 config:
Internet Protocol: IPv4
Interface: WAN
remote gateway: someoffice.dyndns.org

Authentication Method: Mutual PSK
Negotiation mode: main
My identifier: Distinguished name: somestorage.dyndns.org
Peer identifier: someoffice.dyndns.org
Pre-shared Key: sameonbothsides (set with 8 chars, 4small letter and 4 numbers in a mix)
Policy Generation: Default
Proposal Checking: Default

Encryption algorithm: 3DES (same set on both sides)
Hash algorithm: SHA1 (same set on both sides)

DH key group: 2(1024 bit)
Lifetime: 28800 seconds

NAT Traversal: Disable (same on both sides)
Dead peer Detection: Enabled
10 sec
5 retries

Phase2 config:
Mode: Tunnel IPv4
Local Network: LAN Subnet
Remote Network: Network - 192.168.15.0 /24

Protocol: ESP
Encryption algorithm: AES 128 bits
Hash algorithm: SHA1
PFS key group: 2 (1024 bit)
Lifetime: 3600 seconds

So up there is the configuration I´ve done and now to my problem:

I get this error from site 1(someoffice.dyndns.org):

racoon: [someoffice]: [external IP] ERROR: couldn´t find the pskey for "external IP"
racoon: [someoffice]: [external IP] ERROR: failed to process ph1 packet (side: 0,status 6).
racoon: [someoffice]: [external IP] ERROR: phase1 negotiation failed.

I get this error from site2(somestorage.dyndns.org):
racoon: [somestorage]: [external IP]: ERROR: couldn´t find the pskey for "external IP"
racoon: [somestorage]: [external IP]: ERROR: failed to process ph1 packet (side: 1, status 4).
racoon: [somestorage]: [external IP]: ERROR: phase1 negotiation failed.

Have I missed something in my config?

Firewall rules I´ve setup allows any source on any port to WAN address on destination port 500 and ESP is allowed from any source to any destination on any port.

Those rules I´ve setup on both sites.

I am very new to IPSEC and would therefore appreciate help and info which helps me understand what I have done wrong.

Best regards/
Peter Carlstedt

ett_tingest

Update I saw another post about 2.1 having a broken IPSEC so I went and updated both pfsense to 2.1.3 but that didnt help, still getting the same errors.

I would need to get this VPN up and running asap, it there still problems with IPSEC in the latest stable release? Should I then instead set up the VPN through site to site OpenVPN?

dotdash

IPSec is not broken on any of the stable releases. I would try the latest release (currently 2.1.3). I have not tried your configuration with both sides dynamic, but have run with one dynamic side as far back as 2.0.1.
It looks correct, use DN as the identifier and put in the DNS name. You may want to test using the current IP's instead of the dyndns name to see if that works. It looks like it's not matching the dns name to the IP. Have you ping'd the name to verify it matches the IP?
You also might want to try aggressive instead of main and try matching the p1 and p2- i.e. use aes 128 for both.

ett_tingest

@dotdash:

IPSec is not broken on any of the stable releases. I would try the latest release (currently 2.1.3). I have not tried your configuration with both sides dynamic, but have run with one dynamic side as far back as 2.0.1.
It looks correct, use DN as the identifier and put in the DNS name. You may want to test using the current IP's instead of the dyndns name to see if that works. It looks like it's not matching the dns name to the IP. Have you ping'd the name to verify it matches the IP?
You also might want to try aggressive instead of main and try matching the p1 and p2- i.e. use aes 128 for both.

Hello and thanks for the answer it helped ALOT!
But I need to understand why this works.

If I let the P1 remain as 3DES and change into aggressive mode on both sides, it still wont work. But if i change P1 into AES 128 bits and have aggressive mode it does work. But If i change P1 into AES 128 and run in main mode it wont work. Could someone please make me understand why? Is there any releation between aggressive mode and AES 128 bits P1 Encryption Algorithm?

dotdash

RE: Main vs aggressive, it should work either way, as long as both sides are set the same. You will see errors on the negotiation if there is a mismatch. As far as setting a different encryption for phase 1 and 2, it should work, again, as long as both sides are the same, but I've never had to set up a tunnel that way. I don't actually see why you'd want to.

Guest

On my (retired, now openVPN) IPsec tunnels I had:

My identifier: My IP address
Peer identifier: Peer IP address

…and some higher encryption as the main difference to your setup for phase 1, on first glance