Netgate Discussion Forum
    Failed to get sainfo

    mbrossar

      I'm trying to establish a client IPSec tunnel from an Android tablet to a pfSense using Mutual RSA + XAuth.  My certs are in place and it appears I'm completing phase 1.  It looks like phase 2 is failing with "failed to get sainfo" which I understand to be a mismatched subnet size.  My subnet on my pfSense is a /24 (both under mobile clients - Virtual Address Pool and Phase 2 - Local Network [Actually set to LAN Subnet, which is a /24]), but I don't see anywhere to set subnets on the client.  I'm using an original Samsung Note 10.1 running 4.1.2 and the native VPN.  Only basic VPN configurations are supported.  i.e. I can set…

      • Type: IPSec Xauth RSA

      • Server Address: pfSense WAN address (e.g. hh.hh.hh.hh)

      • IPSec user certificate: User p12 cert defined on my pfSense Cert Manager and assigned to the same user I provide Xauth credentials for

      • IPSec CA certificate: CA defined on my pfSense under the Cert Manager and selected on my IPSec phase 1 under My Certificate Authority

      • IPSec Server Certificate: Server p12 cert defined on my pfSense under the Cert Manager and selected on my IPSec phase 1 My Certificate

      Is this even possible with the old default VPN client?

      Jul 18 09:27:59 racoon: INFO: begin Identity Protection mode.
      Jul 18 09:27:59 racoon: INFO: received Vendor ID: RFC 3947
      Jul 18 09:27:59 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
      Jul 18 09:27:59 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
      Jul 18 09:27:59 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
      Jul 18 09:27:59 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
      Jul 18 09:27:59 racoon: INFO: received Vendor ID: CISCO-UNITY
      Jul 18 09:27:59 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
      Jul 18 09:27:59 racoon: INFO: received Vendor ID: DPD
      Jul 18 09:27:59 racoon: INFO: Adding xauth VID payload.
      Jul 18 09:27:59 racoon: WARNING: unable to get certificate CRL(3) at depth:0 SubjectName:/C=/ST=/L=/O=/emailAddress=/CN=user cert
      Jul 18 09:27:59 racoon: WARNING: unable to get certificate CRL(3) at depth:1 SubjectName:/C=/ST=/L=/O=/emailAddress=/CN=ca cert
      Jul 18 09:27:59 racoon: INFO: Sending Xauth request
      Jul 18 09:27:59 racoon: [Self]: INFO: ISAKMP-SA established hh.hh.hh.hh[500]-cc.cc.cc.cc[32454] spi:1f5b738a16521a8b:16e3b1dc041d1ca9
      Jul 18 09:28:00 racoon: [cc.cc.cc.cc] INFO: received INITIAL-CONTACT
      Jul 18 09:28:00 racoon: INFO: Using port 0
      Jul 18 09:28:00 racoon: user 'ipsec-user' authenticated
      Jul 18 09:28:00 racoon: INFO: login succeeded for user "ipsec-user"
      Jul 18 09:28:01 racoon: [Self]: INFO: respond new phase 2 negotiation: hh.hh.hh.hh[500]<=>cc.cc.cc.cc[32454]
      Jul 18 09:28:01 racoon: ERROR: failed to get sainfo.
      Jul 18 09:28:01 racoon: ERROR: failed to get sainfo.
      Jul 18 09:28:01 racoon: [cc.cc.cc.cc] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
      Jul 18 09:28:04 racoon: [Self]: INFO: respond new phase 2 negotiation: hh.hh.hh.hh[500]<=>cc.cc.cc.cc[32454]
      Jul 18 09:28:04 racoon: ERROR: failed to get sainfo.
      Jul 18 09:28:04 racoon: ERROR: failed to get sainfo.
      Jul 18 09:28:04 racoon: [cc.cc.cc.cc] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
      Jul 18 09:28:08 racoon: [Self]: INFO: respond new phase 2 negotiation: hh.hh.hh.hh[500]<=>cc.cc.cc.cc[32454]
      Jul 18 09:28:08 racoon: ERROR: failed to get sainfo.
      Jul 18 09:28:08 racoon: ERROR: failed to get sainfo.
      Jul 18 09:28:08 racoon: [cc.cc.cc.cc] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
      Jul 18 09:28:11 racoon: [Self]: INFO: respond new phase 2 negotiation: hh.hh.hh.hh[500]<=>cc.cc.cc.cc[32454]
      Jul 18 09:28:11 racoon: ERROR: failed to get sainfo.
      Jul 18 09:28:11 racoon: ERROR: failed to get sainfo.
      Jul 18 09:28:11 racoon: [cc.cc.cc.cc] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
      Jul 18 09:28:11 racoon: [cc.cc.cc.cc] INFO: DPD: remote (ISAKMP-SA spi=df6b86818e84e70d:ae5b088c33b3d909) seems to be dead.
      Jul 18 09:28:11 racoon: INFO: purging ISAKMP-SA spi=df6b86818e84e70d:ae5b088c33b3d909.
      Jul 18 09:28:11 racoon: INFO: purged ISAKMP-SA spi=df6b86818e84e70d:ae5b088c33b3d909.
      Jul 18 09:28:11 racoon: [Self]: INFO: ISAKMP-SA deleted hh.hh.hh.hh[500]-cc.cc.cc.cc[32454] spi:df6b86818e84e70d:ae5b088c33b3d909
      Jul 18 09:28:14 racoon: [Self]: INFO: respond new phase 2 negotiation: hh.hh.hh.hh[500]<=>cc.cc.cc.cc[32454]
      Jul 18 09:28:14 racoon: ERROR: failed to get sainfo.
      Jul 18 09:28:14 racoon: ERROR: failed to get sainfo.

      mbrossar

        Digging a bit deeper, I realize that the LAN Subnet is actually defined (via a setup wizard) as xxx.xxx.xxx.1/24.  I am hesitant to change this to a more traditional xxx.xxx.xxx.0/24 because I'm afraid it'll change the static IP on my LAN interface.  So, instead, I went to my phase 2 network definition and changed it from 'LAN Subnet' to 'Network' and entered xxx.xxx.xxx.0/24.  The first three octets are the same on my LAN Interface definition and my Phase 2 Network definition.  The only difference is the last octet being a 1 in my LAN Interface definition and a 0 in my Phase 2 Network definition.

        That gets rid of the 'failed to get sainfo', but it just hangs and times out.

        Jul 18 09:55:08 racoon: [Self]: INFO: respond new phase 1 negotiation: hh.hh.hh.hh[500]<=>cc.cc.cc.cc[37874]
        Jul 18 09:55:08 racoon: INFO: begin Identity Protection mode.
        Jul 18 09:55:08 racoon: INFO: received Vendor ID: RFC 3947
        Jul 18 09:55:08 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
        Jul 18 09:55:08 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
        Jul 18 09:55:08 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
        Jul 18 09:55:09 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
        Jul 18 09:55:09 racoon: INFO: received Vendor ID: CISCO-UNITY
        Jul 18 09:55:09 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
        Jul 18 09:55:09 racoon: INFO: received Vendor ID: DPD
        Jul 18 09:55:09 racoon: INFO: Adding xauth VID payload.
        Jul 18 09:55:09 racoon: WARNING: unable to get certificate CRL(3) at depth:0 SubjectName:/C=/ST=/L=/O=/emailAddress=/CN=ipsec-user
        Jul 18 09:55:09 racoon: WARNING: unable to get certificate CRL(3) at depth:1 SubjectName:/C=/ST=/L=/O=/emailAddress=/CN=ca cert
        Jul 18 09:55:09 racoon: INFO: Sending Xauth request
        Jul 18 09:55:09 racoon: [Self]: INFO: ISAKMP-SA established hh.hh.hh.hh[500]-cc.cc.cc.cc[37874] spi:17a50f0d181e213c:843fd7b189e655bc
        Jul 18 09:55:12 racoon: NOTIFY: the packet is retransmitted by cc.cc.cc.cc[37874] (1).
        Jul 18 09:55:12 racoon: [cc.cc.cc.cc] INFO: received INITIAL-CONTACT
        Jul 18 09:56:35 racoon: [[i]cc.cc.cc.cc] INFO: DPD: remote (ISAKMP-SA spi=17a50f0d181e213c:843fd7b189e655bc) seems to be dead.
        Jul 18 09:56:35 racoon: INFO: purging ISAKMP-SA spi=17a50f0d181e213c:843fd7b189e655bc.
        Jul 18 09:56:35 racoon: INFO: purged ISAKMP-SA spi=17a50f0d181e213c:843fd7b189e655bc.
        Jul 18 09:56:35 racoon: [Self]: INFO: ISAKMP-SA deleted hh.hh.hh.hh[500]-cc.cc.cc.cc[37874] spi:17a50f0d181e213c:843fd7b189e655bc

          mbrossar
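The two posts above reason about where in the IKE exchange the racoon log stops, and about whether a LAN written as xxx.xxx.xxx.1/24 (an interface address with its mask) and a Phase 2 network written as xxx.xxx.xxx.0/24 describe the same selector. Here is an added Python example that walks through both; it is not part of the thread or of pfSense. The log lines are constructed in racoon's format using RFC 5737 documentation addresses, and the function names (`triage_racoon`, `diagnose`, `phase2_network`, `selectors_agree`) are my own.

```python
from ipaddress import ip_interface

# Constructed sample in racoon's log format (documentation addresses,
# not a capture from a live system).
SAMPLE_LOG = """\
Jul 18 09:27:59 racoon: [Self]: INFO: ISAKMP-SA established 203.0.113.1[500]-198.51.100.7[32454] spi:1f5b738a16521a8b:16e3b1dc041d1ca9
Jul 18 09:28:00 racoon: INFO: login succeeded for user "ipsec-user"
Jul 18 09:28:01 racoon: [Self]: INFO: respond new phase 2 negotiation: 203.0.113.1[500]<=>198.51.100.7[32454]
Jul 18 09:28:01 racoon: ERROR: failed to get sainfo.
Jul 18 09:28:01 racoon: ERROR: failed to get sainfo.
Jul 18 09:28:01 racoon: [198.51.100.7] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
Jul 18 09:28:11 racoon: [198.51.100.7] INFO: DPD: remote (ISAKMP-SA spi=df6b86818e84e70d:ae5b088c33b3d909) seems to be dead.
"""

# Each racoon message fragment is evidence that a given stage was reached.
STAGES = [
    ("ISAKMP-SA established", "phase1_established"),
    ("login succeeded for user", "xauth_login"),
    ("respond new phase 2 negotiation", "phase2_attempt"),
    ("failed to get sainfo", "sainfo_failure"),
    ("seems to be dead", "dpd_dead"),
]

def triage_racoon(log_text):
    """Count how far an IKEv1 mobile-client negotiation got."""
    counts = {stage: 0 for _, stage in STAGES}
    for line in log_text.splitlines():
        for marker, stage in STAGES:
            if marker in line:
                counts[stage] += 1
                break
    return counts

def diagnose(counts):
    """Name the first stage that did not complete, following the thread's reading."""
    if not counts["phase1_established"]:
        return "phase1 never established: check IDs, certificates, proposals"
    if counts["phase2_attempt"] and counts["sainfo_failure"]:
        # racoon found no sainfo matching the peer's Phase 2 proposal:
        # compare the Phase 2 networks and proposals on both ends.
        return "phase2 sainfo mismatch"
    if counts["dpd_dead"] and not counts["phase2_attempt"]:
        return "peer went silent after phase1: no phase 2 proposal seen"
    return "no failure pattern recognised"

def phase2_network(spec):
    """Network a Phase 2 entry covers. '192.0.2.1/24' (address + mask) and
    '192.0.2.0/24' (the network) both normalise to 192.0.2.0/24."""
    return ip_interface(spec).network

def selectors_agree(*specs):
    """True when every spec normalises to the same network."""
    return len({phase2_network(s) for s in specs}) == 1
```

Running `diagnose(triage_racoon(SAMPLE_LOG))` on the constructed sample points at Phase 2, while `selectors_agree("192.0.2.1/24", "192.0.2.0/24")` shows the two spellings of the LAN describe one network.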

          I'm wondering if this is a bug.  My phase 2 configuration works when phase 1 is PSK+XAuth.  The same phase 2 definition does not work when I change phase 1 to RSA+XAuth.  I can see phase 1 complete successfully and my user authenticates, but phase 2 fails with…

          Jul 23 22:00:35 racoon: [Self]: INFO: respond new phase 2 negotiation: hh.hh.hh.hh[4500]<=>cc.cc.cc.cc[33593]
          Jul 23 22:00:35 racoon: ERROR: failed to get sainfo.
          Jul 23 22:00:35 racoon: ERROR: failed to get sainfo.
          Jul 23 22:00:35 racoon: [cc.cc.cc.cc] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).

          If the phase 2 works with a psk phase 1, shouldn't it also work with an rsa phase 1?
