IPSEC tunnel wont run



  • Hello everyone!
    I have been spending most of this day on Google trying to find a solution to my IPSEC problem.

    I have 2 pfsenses with version:

    2.1-RELEASE (i386)
    built on Wed Sep 11 18:16:44 EDT 2013
    FreeBSD pfsense.localdomain 8.3-RELEASE-p11 FreeBSD 8.3-RELEASE-p11 #0: Wed Sep 11 19:13:36 EDT 2013 root@snapshots-8_3-i386.builders.pfsense.org:/usr/obj.pfSense/usr/pfSensesrc/src/sys/pfSense_wrap.8.i386 i386

    and am trying to get an IPSEC tunnel with PSK up and running between two sites.

    This is my setup:

    Site 1:

    WAN IP: someoffice.dyndns.org
    LAN IP: 192.168.15.2 /24

    Phase 1 config:
    Internet Protocol: IPv4
    Interface: WAN
    remote gateway: somestorage.dyndns.org

    Authentication Method: Mutual PSK
    Negotiation mode: main
    My identifier: Distinguished name: someoffice.dyndns.org
    Peer identifier: somestorage.dyndns.org
    Pre-shared Key: sameonbothsides (set with 8 chars, 4 small letters and 4 numbers in a mix)
    Policy Generation: Default
    Proposal Checking: Default

    Encryption algorithm: 3DES (same set on both sides)
    Hash algorithm: SHA1 (same set on both sides)

    DH key group: 2(1024 bit)
    Lifetime: 28800 seconds

    NAT Traversal: Disable (same on both sides)
    Dead peer Detection: Enabled
    10 sec
    5 retries

    Phase2 config:
    Mode: Tunnel IPv4
    Local Network: LAN Subnet
    Remote Network: Network - 192.168.30.0 /24

    Protocol: ESP
    Encryption algorithm: AES 128 bits
    Hash algorithm: SHA1
    PFS key group: 2 (1024 bit)
    Lifetime: 3600 seconds

    Site 2:
    WAN IP: somestorage.dyndns.org
    LAN IP: 192.168.30.1 /24

    Phase 1 config:
    Internet Protocol: IPv4
    Interface: WAN
    remote gateway: someoffice.dyndns.org

    Authentication Method: Mutual PSK
    Negotiation mode: main
    My identifier: Distinguished name: somestorage.dyndns.org
    Peer identifier: someoffice.dyndns.org
    Pre-shared Key: sameonbothsides (set with 8 chars, 4 small letters and 4 numbers in a mix)
    Policy Generation: Default
    Proposal Checking: Default

    Encryption algorithm: 3DES (same set on both sides)
    Hash algorithm: SHA1 (same set on both sides)

    DH key group: 2(1024 bit)
    Lifetime: 28800 seconds

    NAT Traversal: Disable (same on both sides)
    Dead peer Detection: Enabled
    10 sec
    5 retries

    Phase2 config:
    Mode: Tunnel IPv4
    Local Network: LAN Subnet
    Remote Network: Network - 192.168.15.0 /24

    Protocol: ESP
    Encryption algorithm: AES 128 bits
    Hash algorithm: SHA1
    PFS key group: 2 (1024 bit)
    Lifetime: 3600 seconds

    So up there is the configuration I've done, and now to my problem:

    I get this error from site 1(someoffice.dyndns.org):

    racoon: [someoffice]: [external IP] ERROR: couldn´t find the pskey for "external IP"
    racoon: [someoffice]: [external IP] ERROR: failed to process ph1 packet (side: 0,status 6).
    racoon: [someoffice]: [external IP] ERROR: phase1 negotiation failed.

    I get this error from site2(somestorage.dyndns.org):
    racoon: [somestorage]: [external IP]: ERROR: couldn´t find the pskey for "external IP"
    racoon: [somestorage]: [external IP]: ERROR: failed to process ph1 packet (side: 1, status 4).
    racoon: [somestorage]: [external IP]: ERROR: phase1 negotiation failed.

    Have I missed something in my config?

    The firewall rules I've set up allow any source on any port to the WAN address on destination port 500, and ESP is allowed from any source to any destination on any port.

    Those rules I've set up on both sites.

    I am very new to IPSEC and would therefore appreciate help and info which helps me understand what I have done wrong.

    Best regards/
    Peter Carlstedt



  • Update: I saw another post about 2.1 having a broken IPSEC, so I went and updated both pfSenses to 2.1.3, but that didn't help; I'm still getting the same errors.

    I would need to get this VPN up and running asap. Are there still problems with IPSEC in the latest stable release? Should I then instead set up the VPN through site-to-site OpenVPN?



  • IPSec is not broken on any of the stable releases. I would try the latest release (currently 2.1.3). I have not tried your configuration with both sides dynamic, but have run with one dynamic side as far back as 2.0.1.
    It looks correct; use DN as the identifier and put in the DNS name. You may want to test using the current IPs instead of the dyndns name to see if that works. It looks like it's not matching the DNS name to the IP. Have you pinged the name to verify it matches the IP?
    You also might want to try aggressive instead of main and try matching the P1 and P2, i.e. use AES 128 for both.



  • @dotdash:

    IPSec is not broken on any of the stable releases. I would try the latest release (currently 2.1.3). I have not tried your configuration with both sides dynamic, but have run with one dynamic side as far back as 2.0.1.
    It looks correct; use DN as the identifier and put in the DNS name. You may want to test using the current IPs instead of the dyndns name to see if that works. It looks like it's not matching the DNS name to the IP. Have you pinged the name to verify it matches the IP?
    You also might want to try aggressive instead of main and try matching the P1 and P2, i.e. use AES 128 for both.

    Hello and thanks for the answer, it helped A LOT!
    But I need to understand why this works.

    If I let the P1 remain as 3DES and change into aggressive mode on both sides, it still won't work. But if I change P1 into AES 128 bits and have aggressive mode, it does work. But if I change P1 into AES 128 and run in main mode, it won't work. Could someone please make me understand why? Is there any relation between aggressive mode and AES 128 bits P1 Encryption Algorithm?



  • RE: Main vs aggressive: it should work either way, as long as both sides are set the same. You will see errors on the negotiation if there is a mismatch. As far as setting a different encryption for phase 1 and 2, it should work, again, as long as both sides are the same, but I've never had to set up a tunnel that way. I don't actually see why you'd want to.
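    Added illustration, not from any poster in this thread: a small model of the IKEv1 responder's pre-shared-key selection step, showing why a log line like "couldn't find the pskey for <external IP>" can appear in main mode when the PSK table is keyed by the DN identifiers, and how the same lookup behaves in aggressive mode. The PSK table, the peer address 203.0.113.10 and the key value are constructed placeholders.

    ```python
    # Added example (not from the thread or from pfSense/racoon): a model of
    # which key an IKEv1 responder can select when the initiator's identity
    # is, or is not, readable at the moment SKEYID must be derived from the PSK.
    #
    # RFC 2409: in aggressive mode the initiator's ID payload arrives in clear
    # in message 1; in main mode it arrives in message 5, which is already
    # encrypted with PSK-derived keys. A main-mode responder therefore has to
    # choose the PSK by the peer's source address, not by its identifier.
    EXCHANGES = {
        "main":       {"id_in_message": 5, "id_readable_before_psk": False},
        "aggressive": {"id_in_message": 1, "id_readable_before_psk": True},
    }

    # Constructed PSK table keyed the way the thread keys it (identifier -> key).
    PSK_BY_IDENTIFIER = {
        "someoffice.dyndns.org": "placeholder-psk",
        "somestorage.dyndns.org": "placeholder-psk",
    }


    def select_psk(mode, peer_ip, peer_id, table):
        """Return (key, lookup_key_used) as the responder would select it,
        or (None, lookup_key_used) when no entry matches."""
        exchange = EXCHANGES[mode]          # KeyError for an unknown mode
        if exchange["id_readable_before_psk"]:
            lookup_key = peer_id             # aggressive: identifier is known
        else:
            lookup_key = peer_ip             # main: only the address is known
        return table.get(lookup_key), lookup_key


    def phase1_psk_result(mode, peer_ip, peer_id, table=PSK_BY_IDENTIFIER):
        """Summarise the outcome as a short status string (constructed text,
        not verbatim racoon log output)."""
        key, used = select_psk(mode, peer_ip, peer_id, table)
        if key is None:
            return f"no pskey for {used!r}; phase1 fails"
        return f"pskey found via {used!r}; phase1 continues"


    if __name__ == "__main__":
        # Peer at a constructed dynamic address, identifying as the office DN.
        peer_ip, peer_id = "203.0.113.10", "someoffice.dyndns.org"
        print("main:      ", phase1_psk_result("main", peer_ip, peer_id))
        print("aggressive:", phase1_psk_result("aggressive", peer_ip, peer_id))
        # Keying the table by the peer's address is what makes main mode work.
        by_ip = {peer_ip: "placeholder-psk"}
        print("main/by-ip:", phase1_psk_result("main", peer_ip, peer_id, by_ip))
    ```

    With the table keyed by identifier the main-mode lookup uses the address and finds nothing, while the aggressive-mode lookup uses the identifier and succeeds; keying the entry by the peer's current address lets main mode succeed as well.
    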



  • On my (retired, now OpenVPN) IPsec tunnels I had:

    My identifier: My IP address
    Peer identifier: Peer IP address

    …and some higher encryption as the main difference from your setup for phase 1, on first glance.

