Failed to get sainfo

mbrossar

I'm trying to establish a client IPSec tunnel from an Android tablet to a pfSense using Mutual RSA + XAuth.  My certs are in place and it appears I'm completing phase 1.  It looks like phase 2 is failing with "failed to get sainfo" which I understand to be a mismatched subnet size.  My subnet on my pfSense is a /24 (both under mobile clients - Virtual Address Pool and Phase 2 - Local Network [Actually set to LAN Subnet, which is a /24]), but I don't see anywhere to set subnets on the client.  I'm using an original Samsung Note 10.1 running 4.1.2 and the native VPN.  Only basic VPN configurations are supported.  i.e. I can set…

• Type: IPSec Xauth RSA

• Server Address: pfSense WAN address (e.g. hh.hh.hh.hh)

• IPSec user certificate: User p12 cert defined on my pfSense Cert Manager and assigned to the same user I provide Xauth credentials for

• IPSec CA certificate: CA defined on my pfSense under the Cert Manager and selected on my IPSec phase 1 under My Certificate Authority

• IPSec Server Certificate: Server p12 cert defined on my pfSense under the Cert Manager and selected on my IPSec phase 1 My Certificate

Is this even possible with the old default VPN client?

Jul 18 09:27:59 racoon: INFO: begin Identity Protection mode.
Jul 18 09:27:59 racoon: INFO: received Vendor ID: RFC 3947
Jul 18 09:27:59 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Jul 18 09:27:59 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Jul 18 09:27:59 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Jul 18 09:27:59 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Jul 18 09:27:59 racoon: INFO: received Vendor ID: CISCO-UNITY
Jul 18 09:27:59 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Jul 18 09:27:59 racoon: INFO: received Vendor ID: DPD
Jul 18 09:27:59 racoon: INFO: Adding xauth VID payload.
Jul 18 09:27:59 racoon: WARNING: unable to get certificate CRL(3) at depth:0 SubjectName:/C=/ST=/L=/O=/emailAddress=/CN=user cert
Jul 18 09:27:59 racoon: WARNING: unable to get certificate CRL(3) at depth:1 SubjectName:/C=/ST=/L=/O=/emailAddress=/CN=ca cert
Jul 18 09:27:59 racoon: INFO: Sending Xauth request
Jul 18 09:27:59 racoon: [Self]: INFO: ISAKMP-SA established hh.hh.hh.hh[500]-cc.cc.cc.cc[32454] spi:1f5b738a16521a8b:16e3b1dc041d1ca9
Jul 18 09:28:00 racoon: [[i]cc.cc.cc.cc] INFO: received INITIAL-CONTACT
Jul 18 09:28:00 racoon: INFO: Using port 0
Jul 18 09:28:00 racoon: user 'ipsec-user' authenticated
Jul 18 09:28:00 racoon: INFO: login succeeded for user "ipsec-user"
Jul 18 09:28:01 racoon: [Self]: INFO: respond new phase 2 negotiation: hh.hh.hh.hh[500]<=>cc.cc.cc.cc[32454]
Jul 18 09:28:01 racoon: ERROR: failed to get sainfo.
Jul 18 09:28:01 racoon: ERROR: failed to get sainfo.
Jul 18 09:28:01 racoon: [[i]cc.cc.cc.cc] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
Jul 18 09:28:04 racoon: [Self]: INFO: respond new phase 2 negotiation: hh.hh.hh.hh[500]<=>cc.cc.cc.cc[32454]
Jul 18 09:28:04 racoon: ERROR: failed to get sainfo.
Jul 18 09:28:04 racoon: ERROR: failed to get sainfo.
Jul 18 09:28:04 racoon: [[i]cc.cc.cc.cc] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
Jul 18 09:28:08 racoon: [Self]: INFO: respond new phase 2 negotiation: hh.hh.hh.hh[500]<=>cc.cc.cc.cc[32454]
Jul 18 09:28:08 racoon: ERROR: failed to get sainfo.
Jul 18 09:28:08 racoon: ERROR: failed to get sainfo.
Jul 18 09:28:08 racoon: [[i]cc.cc.cc.cc] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
Jul 18 09:28:11 racoon: [Self]: INFO: respond new phase 2 negotiation: hh.hh.hh.hh[500]<=>cc.cc.cc.cc[32454]
Jul 18 09:28:11 racoon: ERROR: failed to get sainfo.
Jul 18 09:28:11 racoon: ERROR: failed to get sainfo.
Jul 18 09:28:11 racoon: [[i]cc.cc.cc.cc] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
Jul 18 09:28:11 racoon: [[i]cc.cc.cc.cc] INFO: DPD: remote (ISAKMP-SA spi=df6b86818e84e70d:ae5b088c33b3d909) seems to be dead.
Jul 18 09:28:11 racoon: INFO: purging ISAKMP-SA spi=df6b86818e84e70d:ae5b088c33b3d909.
Jul 18 09:28:11 racoon: INFO: purged ISAKMP-SA spi=df6b86818e84e70d:ae5b088c33b3d909.
Jul 18 09:28:11 racoon: [Self]: INFO: ISAKMP-SA deleted hh.hh.hh.hh[500]-cc.cc.cc.cc[32454] spi:df6b86818e84e70d:ae5b088c33b3d909
Jul 18 09:28:14 racoon: [Self]: INFO: respond new phase 2 negotiation: hh.hh.hh.hh[500]<=>cc.cc.cc.cc[32454]
Jul 18 09:28:14 racoon: ERROR: failed to get sainfo.
Jul 18 09:28:14 racoon: ERROR: failed to get sainfo.

mbrossar

Digging a bit deeper, I realize that the LAN Subnet is actually defined (via a setup wizard) as _xxx.xxx.xxx._1/24.  I am hesitant to change this to a more traditional _xxx.xxx.xxx._0/24 because I'm afraid it'll change the static IP on my LAN interface.  So, instead, I went to my phase 2 network definition and changed it from 'LAN Subnet' to 'Network' and entered _xxx.xxx.xxx._0/24.  The first three octets are the same on my LAN Interface definition and my  Phase 2 Network definition.  The only difference is the last octet being a 1 in my LAN Interface definition and a 0 in my Phase 2 Network definition.

That gets rid of the 'failed to get sainfo', but it just hangs and times out.

Jul 18 09:55:08 racoon: [Self]: INFO: respond new phase 1 negotiation: hh.hh.hh.hh[500]<=>cc.cc.cc.cc[37874]
Jul 18 09:55:08 racoon: INFO: begin Identity Protection mode.
Jul 18 09:55:08 racoon: INFO: received Vendor ID: RFC 3947
Jul 18 09:55:08 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Jul 18 09:55:08 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Jul 18 09:55:08 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Jul 18 09:55:09 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Jul 18 09:55:09 racoon: INFO: received Vendor ID: CISCO-UNITY
Jul 18 09:55:09 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Jul 18 09:55:09 racoon: INFO: received Vendor ID: DPD
Jul 18 09:55:09 racoon: INFO: Adding xauth VID payload.
Jul 18 09:55:09 racoon: WARNING: unable to get certificate CRL(3) at depth:0 SubjectName:/C=/ST=/L=/O=/emailAddress=/CN=ipsec-user
Jul 18 09:55:09 racoon: WARNING: unable to get certificate CRL(3) at depth:1 SubjectName:/C=/ST=/L=/O=/emailAddress=/CN=ca cert
Jul 18 09:55:09 racoon: INFO: Sending Xauth request
Jul 18 09:55:09 racoon: [Self]: INFO: ISAKMP-SA established hh.hh.hh.hh[500]-cc.cc.cc.cc[37874] spi:17a50f0d181e213c:843fd7b189e655bc
Jul 18 09:55:12 racoon: NOTIFY: the packet is retransmitted by cc.cc.cc.cc[37874] (1).
Jul 18 09:55:12 racoon: [[i]cc.cc.cc.cc] INFO: received INITIAL-CONTACT
Jul 18 09:56:35 racoon: [[i]cc.cc.cc.cc] INFO: DPD: remote (ISAKMP-SA spi=17a50f0d181e213c:843fd7b189e655bc) seems to be dead.
Jul 18 09:56:35 racoon: INFO: purging ISAKMP-SA spi=17a50f0d181e213c:843fd7b189e655bc.
Jul 18 09:56:35 racoon: INFO: purged ISAKMP-SA spi=17a50f0d181e213c:843fd7b189e655bc.
Jul 18 09:56:35 racoon: [Self]: INFO: ISAKMP-SA deleted hh.hh.hh.hh[500]-cc.cc.cc.cc[37874] spi:17a50f0d181e213c:843fd7b189e655bc

mbrossar

I'm wondering if this is a bug.  My phase 2 configuration works when phase 1 is PSK+XAuth.  The same phase 2 definition does not work when I change phase 1 to RSA+XAuth.  I can see phase 1 complete successfully and my user authenticates, but phase 2 fails with…

Jul 23 22:00:35 racoon: [Self]: INFO: respond new phase 2 negotiation: hh.hh.hh.hh[4500]<=>cc.cc.cc.cc[33593]
Jul 23 22:00:35 racoon: ERROR: failed to get sainfo.
Jul 23 22:00:35 racoon: ERROR: failed to get sainfo.
Jul 23 22:00:35 racoon: [[i]cc.cc.cc.cc] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).

If the phase 2 works with a psk phase 1, shouldn't it also work with an rsa phase 1?