Failed to get sainfo
I'm trying to establish a client IPSec tunnel from an Android tablet to a pfSense using Mutual RSA + XAuth. My certs are in place and it appears I'm completing phase 1. It looks like phase 2 is failing with "failed to get sainfo" which I understand to be a mismatched subnet size. My subnet on my pfSense is a /24 (both under mobile clients - Virtual Address Pool and Phase 2 - Local Network [Actually set to LAN Subnet, which is a /24]), but I don't see anywhere to set subnets on the client. I'm using an original Samsung Note 10.1 running 4.1.2 and the native VPN. Only basic VPN configurations are supported. i.e. I can set…
- Type: IPSec Xauth RSA
- Server Address: pfSense WAN address (e.g. hh.hh.hh.hh)
- IPSec user certificate: User p12 cert defined on my pfSense Cert Manager and assigned to the same user I provide Xauth credentials for
- IPSec CA certificate: CA defined on my pfSense under the Cert Manager and selected on my IPSec phase 1 under My Certificate Authority
- IPSec Server Certificate: Server p12 cert defined on my pfSense under the Cert Manager and selected on my IPSec phase 1 My Certificate
Is this even possible with the old default VPN client?
Jul 18 09:27:59 racoon: INFO: begin Identity Protection mode.
Jul 18 09:27:59 racoon: INFO: received Vendor ID: RFC 3947
Jul 18 09:27:59 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Jul 18 09:27:59 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Jul 18 09:27:59 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Jul 18 09:27:59 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Jul 18 09:27:59 racoon: INFO: received Vendor ID: CISCO-UNITY
Jul 18 09:27:59 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Jul 18 09:27:59 racoon: INFO: received Vendor ID: DPD
Jul 18 09:27:59 racoon: INFO: Adding xauth VID payload.
Jul 18 09:27:59 racoon: WARNING: unable to get certificate CRL(3) at depth:0 SubjectName:/C=/ST=/L=/O=/emailAddress=/CN=user cert
Jul 18 09:27:59 racoon: WARNING: unable to get certificate CRL(3) at depth:1 SubjectName:/C=/ST=/L=/O=/emailAddress=/CN=ca cert
Jul 18 09:27:59 racoon: INFO: Sending Xauth request
Jul 18 09:27:59 racoon: [Self]: INFO: ISAKMP-SA established hh.hh.hh.hh[500]-cc.cc.cc.cc[32454] spi:1f5b738a16521a8b:16e3b1dc041d1ca9
Jul 18 09:28:00 racoon: [cc.cc.cc.cc] INFO: received INITIAL-CONTACT
Jul 18 09:28:00 racoon: INFO: Using port 0
Jul 18 09:28:00 racoon: user 'ipsec-user' authenticated
Jul 18 09:28:00 racoon: INFO: login succeeded for user "ipsec-user"
Jul 18 09:28:01 racoon: [Self]: INFO: respond new phase 2 negotiation: hh.hh.hh.hh[500]<=>cc.cc.cc.cc[32454]
Jul 18 09:28:01 racoon: ERROR: failed to get sainfo.
Jul 18 09:28:01 racoon: ERROR: failed to get sainfo.
Jul 18 09:28:01 racoon: [cc.cc.cc.cc] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
Jul 18 09:28:04 racoon: [Self]: INFO: respond new phase 2 negotiation: hh.hh.hh.hh[500]<=>cc.cc.cc.cc[32454]
Jul 18 09:28:04 racoon: ERROR: failed to get sainfo.
Jul 18 09:28:04 racoon: ERROR: failed to get sainfo.
Jul 18 09:28:04 racoon: [cc.cc.cc.cc] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
Jul 18 09:28:08 racoon: [Self]: INFO: respond new phase 2 negotiation: hh.hh.hh.hh[500]<=>cc.cc.cc.cc[32454]
Jul 18 09:28:08 racoon: ERROR: failed to get sainfo.
Jul 18 09:28:08 racoon: ERROR: failed to get sainfo.
Jul 18 09:28:08 racoon: [cc.cc.cc.cc] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
Jul 18 09:28:11 racoon: [Self]: INFO: respond new phase 2 negotiation: hh.hh.hh.hh[500]<=>cc.cc.cc.cc[32454]
Jul 18 09:28:11 racoon: ERROR: failed to get sainfo.
Jul 18 09:28:11 racoon: ERROR: failed to get sainfo.
Jul 18 09:28:11 racoon: [cc.cc.cc.cc] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
Jul 18 09:28:11 racoon: [cc.cc.cc.cc] INFO: DPD: remote (ISAKMP-SA spi=df6b86818e84e70d:ae5b088c33b3d909) seems to be dead.
Jul 18 09:28:11 racoon: INFO: purging ISAKMP-SA spi=df6b86818e84e70d:ae5b088c33b3d909.
Jul 18 09:28:11 racoon: INFO: purged ISAKMP-SA spi=df6b86818e84e70d:ae5b088c33b3d909.
Jul 18 09:28:11 racoon: [Self]: INFO: ISAKMP-SA deleted hh.hh.hh.hh[500]-cc.cc.cc.cc[32454] spi:df6b86818e84e70d:ae5b088c33b3d909
Jul 18 09:28:14 racoon: [Self]: INFO: respond new phase 2 negotiation: hh.hh.hh.hh[500]<=>cc.cc.cc.cc[32454]
Jul 18 09:28:14 racoon: ERROR: failed to get sainfo.
Jul 18 09:28:14 racoon: ERROR: failed to get sainfo.
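The log above contains the three facts a defender wants to pull out before touching any settings: phase 1 completed (ISAKMP-SA established), XAuth succeeded (login succeeded), and every phase 2 proposal was refused because no sainfo matched it, after which DPD tore the SA down. The following added example (my code, not pfSense's or racoon's) parses racoon lines into that per-peer summary and states a verdict; the sample lines are constructed after the post's output, with RFC 5737 documentation addresses standing in for hh.hh.hh.hh and cc.cc.cc.cc, and the SPIs copied from the post.

```python
import re

# Added triage helper for racoon (IKEv1) mobile-client logs. Not pfSense or
# racoon code. Sample lines are constructed after the post; addresses are
# documentation ranges, SPIs are the ones the post shows.

ADDR = r"[^\s\[\]]+\[\d+\]"  # an address with its port, e.g. 203.0.113.7[32454]
RE_PH1_UP = re.compile(r"ISAKMP-SA established " + ADDR + r"-(?P<peer>" + ADDR + r") spi:(?P<spi>\S+)")
RE_XAUTH = re.compile(r'login succeeded for user "(?P<user>[^"]+)"')
RE_PH2 = re.compile(r"respond new phase 2 negotiation: " + ADDR + r"<=>(?P<peer>" + ADDR + r")")
RE_SAINFO = re.compile(r"failed to get sainfo")
RE_PH2_REJECT = re.compile(r"failed to pre-process ph2 packet")
RE_DPD_DEAD = re.compile(r"DPD: remote \(ISAKMP-SA spi=(?P<spi>\S+)\) seems to be dead")
RE_PH1_DOWN = re.compile(r"ISAKMP-SA deleted " + ADDR + r"-(?P<peer>" + ADDR + r") spi:")

# Constructed sample: phase 1 and XAuth succeed, phase 2 is refused twice.
SAMPLE_SAINFO = """\
Jul 18 09:27:59 racoon: INFO: Sending Xauth request
Jul 18 09:27:59 racoon: [Self]: INFO: ISAKMP-SA established 198.51.100.1[500]-203.0.113.7[32454] spi:1f5b738a16521a8b:16e3b1dc041d1ca9
Jul 18 09:28:00 racoon: INFO: login succeeded for user "ipsec-user"
Jul 18 09:28:01 racoon: [Self]: INFO: respond new phase 2 negotiation: 198.51.100.1[500]<=>203.0.113.7[32454]
Jul 18 09:28:01 racoon: ERROR: failed to get sainfo.
Jul 18 09:28:01 racoon: ERROR: failed to get sainfo.
Jul 18 09:28:01 racoon: [203.0.113.7] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
Jul 18 09:28:04 racoon: [Self]: INFO: respond new phase 2 negotiation: 198.51.100.1[500]<=>203.0.113.7[32454]
Jul 18 09:28:04 racoon: ERROR: failed to get sainfo.
Jul 18 09:28:11 racoon: [203.0.113.7] INFO: DPD: remote (ISAKMP-SA spi=1f5b738a16521a8b:16e3b1dc041d1ca9) seems to be dead.
Jul 18 09:28:11 racoon: [Self]: INFO: ISAKMP-SA deleted 198.51.100.1[500]-203.0.113.7[32454] spi:1f5b738a16521a8b:16e3b1dc041d1ca9
"""

# Constructed sample: phase 1 completes, the XAuth request goes unanswered,
# nothing else happens until DPD gives up.
SAMPLE_HANG = """\
Jul 18 09:55:09 racoon: INFO: Sending Xauth request
Jul 18 09:55:09 racoon: [Self]: INFO: ISAKMP-SA established 198.51.100.1[500]-203.0.113.7[37874] spi:17a50f0d181e213c:843fd7b189e655bc
Jul 18 09:55:12 racoon: NOTIFY: the packet is retransmitted by 203.0.113.7[37874] (1).
Jul 18 09:55:12 racoon: [203.0.113.7] INFO: received INITIAL-CONTACT
Jul 18 09:56:35 racoon: [203.0.113.7] INFO: DPD: remote (ISAKMP-SA spi=17a50f0d181e213c:843fd7b189e655bc) seems to be dead.
Jul 18 09:56:35 racoon: [Self]: INFO: ISAKMP-SA deleted 198.51.100.1[500]-203.0.113.7[37874] spi:17a50f0d181e213c:843fd7b189e655bc
"""


def new_record():
    return {"phase1_established": False, "xauth_user": None, "phase2_attempts": 0,
            "sainfo_errors": 0, "phase2_rejected": 0, "dpd_dead": False, "phase1_deleted": False}


def verdict(rec):
    """Turn the counters into the one-line conclusion an operator needs."""
    if not rec["phase1_established"]:
        return "phase 1 never completed: check certificates and peer identifiers"
    if rec["xauth_user"] is None:
        return "XAuth never completed: phase 1 is up but no login was recorded before the SA was dropped"
    if rec["sainfo_errors"]:
        return ("phase 2 rejected: no sainfo matched the client's proposal; compare the "
                "Phase 2 local/remote networks against what the client asks for")
    if rec["phase2_attempts"] == 0 and rec["dpd_dead"]:
        return "no phase 2 proposal received: client went silent after login until DPD declared it dead"
    return "no problem detected"


def diagnose(log_text):
    """Summarise racoon lines per client peer (address[port])."""
    peers, spi_to_peer, last_peer = {}, {}, None
    for line in log_text.splitlines():
        if m := RE_PH1_UP.search(line):
            last_peer = m.group("peer")
            peers.setdefault(last_peer, new_record())["phase1_established"] = True
            spi_to_peer[m.group("spi")] = last_peer  # DPD lines only carry the SPI
        elif (m := RE_XAUTH.search(line)) and last_peer:
            peers[last_peer]["xauth_user"] = m.group("user")  # line has no peer; attribute to current one
        elif m := RE_PH2.search(line):
            last_peer = m.group("peer")
            peers.setdefault(last_peer, new_record())["phase2_attempts"] += 1
        elif RE_SAINFO.search(line) and last_peer:
            peers[last_peer]["sainfo_errors"] += 1
        elif RE_PH2_REJECT.search(line) and last_peer:
            peers[last_peer]["phase2_rejected"] += 1
        elif (m := RE_DPD_DEAD.search(line)) and m.group("spi") in spi_to_peer:
            peers[spi_to_peer[m.group("spi")]]["dpd_dead"] = True
        elif (m := RE_PH1_DOWN.search(line)) and m.group("peer") in peers:
            peers[m.group("peer")]["phase1_deleted"] = True
    for rec in peers.values():
        rec["verdict"] = verdict(rec)
    return peers


if __name__ == "__main__":
    for sample in (SAMPLE_SAINFO, SAMPLE_HANG):
        for peer, rec in diagnose(sample).items():
            print(peer, "->", rec["verdict"])
```

Run against the first sample it reports a phase 2 rejection after a clean phase 1 and XAuth; against the second it reports that phase 1 came up but no XAuth login was ever recorded, which is the difference between a Phase 2 network problem and a client that stopped answering.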
Digging a bit deeper, I realize that the LAN Subnet is actually defined (via a setup wizard) as xxx.xxx.xxx.1/24. I am hesitant to change this to a more traditional xxx.xxx.xxx.0/24 because I'm afraid it'll change the static IP on my LAN interface. So, instead, I went to my phase 2 network definition and changed it from 'LAN Subnet' to 'Network' and entered xxx.xxx.xxx.0/24. The first three octets are the same on my LAN Interface definition and my Phase 2 Network definition. The only difference is the last octet being a 1 in my LAN Interface definition and a 0 in my Phase 2 Network definition.
That gets rid of the 'failed to get sainfo', but it just hangs and times out.
Jul 18 09:55:08 racoon: [Self]: INFO: respond new phase 1 negotiation: hh.hh.hh.hh[500]<=>cc.cc.cc.cc[37874]
Jul 18 09:55:08 racoon: INFO: begin Identity Protection mode.
Jul 18 09:55:08 racoon: INFO: received Vendor ID: RFC 3947
Jul 18 09:55:08 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Jul 18 09:55:08 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Jul 18 09:55:08 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Jul 18 09:55:09 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Jul 18 09:55:09 racoon: INFO: received Vendor ID: CISCO-UNITY
Jul 18 09:55:09 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Jul 18 09:55:09 racoon: INFO: received Vendor ID: DPD
Jul 18 09:55:09 racoon: INFO: Adding xauth VID payload.
Jul 18 09:55:09 racoon: WARNING: unable to get certificate CRL(3) at depth:0 SubjectName:/C=/ST=/L=/O=/emailAddress=/CN=ipsec-user
Jul 18 09:55:09 racoon: WARNING: unable to get certificate CRL(3) at depth:1 SubjectName:/C=/ST=/L=/O=/emailAddress=/CN=ca cert
Jul 18 09:55:09 racoon: INFO: Sending Xauth request
Jul 18 09:55:09 racoon: [Self]: INFO: ISAKMP-SA established hh.hh.hh.hh[500]-cc.cc.cc.cc[37874] spi:17a50f0d181e213c:843fd7b189e655bc
Jul 18 09:55:12 racoon: NOTIFY: the packet is retransmitted by cc.cc.cc.cc[37874] (1).
Jul 18 09:55:12 racoon: [cc.cc.cc.cc] INFO: received INITIAL-CONTACT
Jul 18 09:56:35 racoon: [cc.cc.cc.cc] INFO: DPD: remote (ISAKMP-SA spi=17a50f0d181e213c:843fd7b189e655bc) seems to be dead.
Jul 18 09:56:35 racoon: INFO: purging ISAKMP-SA spi=17a50f0d181e213c:843fd7b189e655bc.
Jul 18 09:56:35 racoon: INFO: purged ISAKMP-SA spi=17a50f0d181e213c:843fd7b189e655bc.
Jul 18 09:56:35 racoon: [Self]: INFO: ISAKMP-SA deleted hh.hh.hh.hh[500]-cc.cc.cc.cc[37874] spi:17a50f0d181e213c:843fd7b189e655bc
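The post above turns on whether xxx.xxx.xxx.1/24 (the wizard's interface form, host bits set) and xxx.xxx.xxx.0/24 (the network form) describe the same network. The following added example (my code, not pfSense's) normalizes both forms, flags a Phase 2 entry written with host bits, checks that the mobile-client virtual address pool does not overlap the LAN network, and models the one rule behind a sainfo lookup as an assumption: a peer's proposed traffic selector is acceptable only if it lies inside the configured network for that side. All addresses are constructed documentation values.

```python
import ipaddress

# Added example, not pfSense or racoon code. Assumption: a proposed selector
# is accepted when it is a subnet of (or equal to) the configured network;
# this is a simplified model of the match, not racoon's own lookup routine.


def network_of(spec):
    """Normalize '192.0.2.1/24' (interface form) and '192.0.2.0/24'
    (network form) to the same IPv4Network."""
    return ipaddress.ip_interface(spec).network


def has_host_bits(spec):
    """True when the value names an address inside the prefix rather than the
    prefix itself; ip_network() is strict by default and rejects that form."""
    try:
        ipaddress.ip_network(spec)
        return False
    except ValueError:
        return True


def id_covered(configured, proposed):
    """Simplified sainfo model (assumption): the peer's proposed selector must
    fall within the configured network for that side."""
    return ipaddress.ip_network(proposed).subnet_of(network_of(configured))


def check_mobile_phase2(lan_interface, phase2_local, client_pool):
    """Return a list of findings for a mobile-client Phase 2 setup; an empty
    list means the three values are consistent with each other."""
    findings = []
    lan_net, p2_net, pool = (network_of(x) for x in (lan_interface, phase2_local, client_pool))
    if has_host_bits(phase2_local):
        findings.append(f"phase 2 local network '{phase2_local}' has host bits set; write it as {p2_net}")
    if p2_net != lan_net:
        findings.append(f"phase 2 local network {p2_net} is not the LAN network {lan_net}")
    if pool.overlaps(lan_net):
        findings.append(f"virtual address pool {pool} overlaps the LAN network {lan_net}")
    return findings


if __name__ == "__main__":
    # Constructed values: LAN interface in wizard form, pool in a separate range.
    print(network_of("192.0.2.1/24"))                       # 192.0.2.0/24
    print(check_mobile_phase2("192.0.2.1/24", "192.0.2.0/24", "198.18.0.0/24"))
    print(check_mobile_phase2("192.0.2.1/24", "192.0.2.1/24", "192.0.2.0/25"))
    print(id_covered("192.0.2.1/24", "192.0.2.50/32"))       # a client /32 inside the LAN
```

The normalization shows the two spellings are the same network, so changing the interface address form is not needed to make the Phase 2 network correct; the checks that do matter are the host-bits form of the Phase 2 entry itself and a pool that collides with the LAN.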
I'm wondering if this is a bug. My phase 2 configuration works when phase 1 is PSK+XAuth. The same phase 2 definition does not work when I change phase 1 to RSA+XAuth. I can see phase 1 complete successfully and my user authenticates, but phase 2 fails with…
Jul 23 22:00:35 racoon: [Self]: INFO: respond new phase 2 negotiation: hh.hh.hh.hh[4500]<=>cc.cc.cc.cc[33593]
Jul 23 22:00:35 racoon: ERROR: failed to get sainfo.
Jul 23 22:00:35 racoon: ERROR: failed to get sainfo.
Jul 23 22:00:35 racoon: [cc.cc.cc.cc] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
If the phase 2 works with a PSK phase 1, shouldn't it also work with an RSA phase 1?