Failed to get sainfo



  • I'm trying to establish a client IPSec tunnel from an Android tablet to a pfSense using Mutual RSA + XAuth.  My certs are in place and it appears I'm completing phase 1.  It looks like phase 2 is failing with "failed to get sainfo" which I understand to be a mismatched subnet size.  My subnet on my pfSense is a /24 (both under mobile clients - Virtual Address Pool and Phase 2 - Local Network [Actually set to LAN Subnet, which is a /24]), but I don't see anywhere to set subnets on the client.  I'm using an original Samsung Note 10.1 running 4.1.2 and the native VPN.  Only basic VPN configurations are supported.  i.e. I can set…

    • Type: IPSec Xauth RSA

    • Server Address: pfSense WAN address (e.g. hh.hh.hh.hh)

    • IPSec user certificate: User p12 cert defined on my pfSense Cert Manager and assigned to the same user I provide Xauth credentials for

    • IPSec CA certificate: CA defined on my pfSense under the Cert Manager and selected on my IPSec phase 1 under My Certificate Authority

    • IPSec Server Certificate: Server p12 cert defined on my pfSense under the Cert Manager and selected on my IPSec phase 1 My Certificate

    Is this even possible with the old default VPN client?

    Jul 18 09:27:59 racoon: INFO: begin Identity Protection mode.
    Jul 18 09:27:59 racoon: INFO: received Vendor ID: RFC 3947
    Jul 18 09:27:59 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Jul 18 09:27:59 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Jul 18 09:27:59 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
    Jul 18 09:27:59 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Jul 18 09:27:59 racoon: INFO: received Vendor ID: CISCO-UNITY
    Jul 18 09:27:59 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Jul 18 09:27:59 racoon: INFO: received Vendor ID: DPD
    Jul 18 09:27:59 racoon: INFO: Adding xauth VID payload.
    Jul 18 09:27:59 racoon: WARNING: unable to get certificate CRL(3) at depth:0 SubjectName:/C=/ST=/L=/O=/emailAddress=/CN=user cert
    Jul 18 09:27:59 racoon: WARNING: unable to get certificate CRL(3) at depth:1 SubjectName:/C=/ST=/L=/O=/emailAddress=/CN=ca cert
    Jul 18 09:27:59 racoon: INFO: Sending Xauth request
    Jul 18 09:27:59 racoon: [Self]: INFO: ISAKMP-SA established hh.hh.hh.hh[500]-cc.cc.cc.cc[32454] spi:1f5b738a16521a8b:16e3b1dc041d1ca9
    Jul 18 09:28:00 racoon: [cc.cc.cc.cc] INFO: received INITIAL-CONTACT
    Jul 18 09:28:00 racoon: INFO: Using port 0
    Jul 18 09:28:00 racoon: user 'ipsec-user' authenticated
    Jul 18 09:28:00 racoon: INFO: login succeeded for user "ipsec-user"
    Jul 18 09:28:01 racoon: [Self]: INFO: respond new phase 2 negotiation: hh.hh.hh.hh[500]<=>cc.cc.cc.cc[32454]
    Jul 18 09:28:01 racoon: ERROR: failed to get sainfo.
    Jul 18 09:28:01 racoon: ERROR: failed to get sainfo.
    Jul 18 09:28:01 racoon: [cc.cc.cc.cc] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
    Jul 18 09:28:04 racoon: [Self]: INFO: respond new phase 2 negotiation: hh.hh.hh.hh[500]<=>cc.cc.cc.cc[32454]
    Jul 18 09:28:04 racoon: ERROR: failed to get sainfo.
    Jul 18 09:28:04 racoon: ERROR: failed to get sainfo.
    Jul 18 09:28:04 racoon: [cc.cc.cc.cc] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
    Jul 18 09:28:08 racoon: [Self]: INFO: respond new phase 2 negotiation: hh.hh.hh.hh[500]<=>cc.cc.cc.cc[32454]
    Jul 18 09:28:08 racoon: ERROR: failed to get sainfo.
    Jul 18 09:28:08 racoon: ERROR: failed to get sainfo.
    Jul 18 09:28:08 racoon: [cc.cc.cc.cc] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
    Jul 18 09:28:11 racoon: [Self]: INFO: respond new phase 2 negotiation: hh.hh.hh.hh[500]<=>cc.cc.cc.cc[32454]
    Jul 18 09:28:11 racoon: ERROR: failed to get sainfo.
    Jul 18 09:28:11 racoon: ERROR: failed to get sainfo.
    Jul 18 09:28:11 racoon: [cc.cc.cc.cc] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
    Jul 18 09:28:11 racoon: [cc.cc.cc.cc] INFO: DPD: remote (ISAKMP-SA spi=df6b86818e84e70d:ae5b088c33b3d909) seems to be dead.
    Jul 18 09:28:11 racoon: INFO: purging ISAKMP-SA spi=df6b86818e84e70d:ae5b088c33b3d909.
    Jul 18 09:28:11 racoon: INFO: purged ISAKMP-SA spi=df6b86818e84e70d:ae5b088c33b3d909.
    Jul 18 09:28:11 racoon: [Self]: INFO: ISAKMP-SA deleted hh.hh.hh.hh[500]-cc.cc.cc.cc[32454] spi:df6b86818e84e70d:ae5b088c33b3d909
    Jul 18 09:28:14 racoon: [Self]: INFO: respond new phase 2 negotiation: hh.hh.hh.hh[500]<=>cc.cc.cc.cc[32454]
    Jul 18 09:28:14 racoon: ERROR: failed to get sainfo.
    Jul 18 09:28:14 racoon: ERROR: failed to get sainfo.



  • Digging a bit deeper, I realize that the LAN Subnet is actually defined (via a setup wizard) as xxx.xxx.xxx.1/24.  I am hesitant to change this to a more traditional xxx.xxx.xxx.0/24 because I'm afraid it'll change the static IP on my LAN interface.  So, instead, I went to my phase 2 network definition and changed it from 'LAN Subnet' to 'Network' and entered xxx.xxx.xxx.0/24.  The first three octets are the same on my LAN Interface definition and my Phase 2 Network definition.  The only difference is the last octet being a 1 in my LAN Interface definition and a 0 in my Phase 2 Network definition.

    That gets rid of the 'failed to get sainfo', but it just hangs and times out.

    Jul 18 09:55:08 racoon: [Self]: INFO: respond new phase 1 negotiation: hh.hh.hh.hh[500]<=>cc.cc.cc.cc[37874]
    Jul 18 09:55:08 racoon: INFO: begin Identity Protection mode.
    Jul 18 09:55:08 racoon: INFO: received Vendor ID: RFC 3947
    Jul 18 09:55:08 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Jul 18 09:55:08 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Jul 18 09:55:08 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
    Jul 18 09:55:09 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Jul 18 09:55:09 racoon: INFO: received Vendor ID: CISCO-UNITY
    Jul 18 09:55:09 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Jul 18 09:55:09 racoon: INFO: received Vendor ID: DPD
    Jul 18 09:55:09 racoon: INFO: Adding xauth VID payload.
    Jul 18 09:55:09 racoon: WARNING: unable to get certificate CRL(3) at depth:0 SubjectName:/C=/ST=/L=/O=/emailAddress=/CN=ipsec-user
    Jul 18 09:55:09 racoon: WARNING: unable to get certificate CRL(3) at depth:1 SubjectName:/C=/ST=/L=/O=/emailAddress=/CN=ca cert
    Jul 18 09:55:09 racoon: INFO: Sending Xauth request
    Jul 18 09:55:09 racoon: [Self]: INFO: ISAKMP-SA established hh.hh.hh.hh[500]-cc.cc.cc.cc[37874] spi:17a50f0d181e213c:843fd7b189e655bc
    Jul 18 09:55:12 racoon: NOTIFY: the packet is retransmitted by cc.cc.cc.cc[37874] (1).
    Jul 18 09:55:12 racoon: [cc.cc.cc.cc] INFO: received INITIAL-CONTACT
    Jul 18 09:56:35 racoon: [cc.cc.cc.cc] INFO: DPD: remote (ISAKMP-SA spi=17a50f0d181e213c:843fd7b189e655bc) seems to be dead.
    Jul 18 09:56:35 racoon: INFO: purging ISAKMP-SA spi=17a50f0d181e213c:843fd7b189e655bc.
    Jul 18 09:56:35 racoon: INFO: purged ISAKMP-SA spi=17a50f0d181e213c:843fd7b189e655bc.
    Jul 18 09:56:35 racoon: [Self]: INFO: ISAKMP-SA deleted hh.hh.hh.hh[500]-cc.cc.cc.cc[37874] spi:17a50f0d181e213c:843fd7b189e655bc
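The two checks a reader of this thread would want to run are shown below as an added example (not code from the original post or from pfSense/racoon): a scan of racoon log lines that attributes each "failed to get sainfo" error to the peer whose phase 2 negotiation preceded it, and a comparison of the Phase 2 network as entered on pfSense with the network the peer proposes, which separates the "same /24 but written with host bits set (x.x.x.1/24 vs x.x.x.0/24)" case from a real mismatch. The sample log is constructed in the shape of the lines quoted above; the comparison is a simplification of racoon's sainfo lookup, not its actual code.

```python
import ipaddress
import re

# Constructed sample in the shape of the racoon lines quoted in the thread
# (hh.hh.hh.hh = pfSense WAN, cc.cc.cc.cc = client, as masked by the poster).
SAMPLE_LOG = """\
Jul 18 09:28:01 racoon: [Self]: INFO: respond new phase 2 negotiation: hh.hh.hh.hh[500]<=>cc.cc.cc.cc[32454]
Jul 18 09:28:01 racoon: ERROR: failed to get sainfo.
Jul 18 09:28:01 racoon: [cc.cc.cc.cc] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
Jul 18 09:28:04 racoon: [Self]: INFO: respond new phase 2 negotiation: hh.hh.hh.hh[500]<=>cc.cc.cc.cc[32454]
Jul 18 09:28:04 racoon: ERROR: failed to get sainfo.
"""

# Matches the "respond new phase 2 negotiation: local[port]<=>peer[port]" line.
PH2_RE = re.compile(r"respond new phase 2 negotiation: \S+<=>(?P<peer>[\w.]+)\[\d+\]")


def sainfo_failures(log: str) -> dict:
    """Count 'failed to get sainfo' errors per peer, attributing each error
    to the most recent phase 2 negotiation line that preceded it."""
    counts = {}
    peer = None
    for line in log.splitlines():
        m = PH2_RE.search(line)
        if m:
            peer = m.group("peer")
        elif "failed to get sainfo" in line and peer:
            counts[peer] = counts.get(peer, 0) + 1
    return counts


def check_phase2_network(configured: str, proposed: str) -> str:
    """Compare the Phase 2 'Local Network' string as entered on pfSense with
    the network the peer proposes (hypothetical helper, simplified model).
    Returns 'match', 'host-bits' (same network once the host bits of the
    configured value are cleared, the x.x.x.1/24 vs x.x.x.0/24 case from the
    thread) or 'mismatch' (different prefix or different address range)."""
    cfg = ipaddress.ip_network(configured, strict=False)
    prop = ipaddress.ip_network(proposed, strict=False)
    if cfg != prop:
        return "mismatch"
    # Same range: was the configured value written with host bits set?
    if ipaddress.ip_interface(configured).ip != cfg.network_address:
        return "host-bits"
    return "match"
```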



  • I'm wondering if this is a bug.  My phase 2 configuration works when phase 1 is PSK+XAuth.  The same phase 2 definition does not work when I change phase 1 to RSA+XAuth.  I can see phase 1 complete successfully and my user authenticates, but phase 2 fails with…

    Jul 23 22:00:35 racoon: [Self]: INFO: respond new phase 2 negotiation: hh.hh.hh.hh[4500]<=>cc.cc.cc.cc[33593]
    Jul 23 22:00:35 racoon: ERROR: failed to get sainfo.
    Jul 23 22:00:35 racoon: ERROR: failed to get sainfo.
    Jul 23 22:00:35 racoon: [cc.cc.cc.cc] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).

    If the phase 2 works with a PSK phase 1, shouldn't it also work with an RSA phase 1?