IPSec Tunnel no IKE config found for …



  • I am using 2.2-ALPHA (amd64)
    built on Thu Jul 24 16:28:50 CDT 2014

    and am trying to establish an IPsec tunnel to a Cisco IOS router.

    Under IPSec I have set up the tunnel parameters; it is an IKEv1 tunnel with PSK and matches on the IP addresses.

    The tunnel never comes up, and the logs show the following errors.

    charon: 14[IKE] no IKE config found for x.y.z.n…a.b.c.d, sending NO_PROPOSAL_CHOSEN

    When I SSH in, and look inside of /var/etc/ipsec/ipsec.conf, it is nearly empty, only containing the line "# This file is automatically generated. Do not edit"

    The ipsec.secrets contains the PSK that I entered though.

    Is it possible that the web configurator is not populating the ipsec.conf file?

    Let me know what could cause this,

    -Karl



  • I wasn't setting the phase 2 properties. I now set these, and am able to connect to up to 3 subnets. Unfortunately, I need to connect to 4 subnets. I am able to rearrange them and consistently only the top 3 work. Is there a way to increase the number of subnets to 4?



  • Correction, it is actually only using the last phase 2 entered.



  • It looks like you may not be able to do multiple subnets in IKEv1 without the strongSwan unity plugin.

    https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection

    See the left|rightsubnet section, and reference to cisco unity.

    Would this be difficult to add?



  • Looks like it needs this patch as well

    https://wiki.strongswan.org/issues/597

    Let me know if it is possible to get the unity plugin in pfsense, specifically with the above patch.



  • I'm not sure about the unity plug-in, but the issue of only using one (the first) phase 2 entry is addressed here: https://redmine.pfsense.org/issues/3769

    Judging by the dates, it should be in the snapshots as of this morning.  If it fixes the issue for you, you could confirm that in the bug report.



  • Sadly this fix was already in the snapshot that I tried. I think I need the unity plugin in order to support multiple subnets in the multiple SAs.

    Let me know if there is any work to include unity + the listed patch.

    -Karl



  • Tried changing the tunnel to ikev2 today to specifically support multiple subnets, and would still only connect to the most recent phase two / SA.

    Let me know if you can rebuild the included ipsec with unity + the patch,

    Thanks,

    -Karl



  • Any hope of building strongSwan with the unity plugin? I see that the needed bug fix to strongSwan has now been applied to master: https://wiki.strongswan.org/issues/597

    Let me know if this is possible,

    -Karl



  • Try the latest snapshots; this should already have been fixed, with no limit on phase 2 entries even for IKEv1.



  • Just checked the latest snapshots, and while the ipsec.conf file looks clean, I am still unable to bring up anything other than the first Phase 2 entry in my IKEv1 IPSec profile. According to strongSwan this really needs the unity plugin in order to support multiple subnets on an IKEv1 profile.

    Could you please add the Unity plugin to strongSwan?



  • It is not true anyway, karl23.

    If you check your SPD db on status->ipsec you will see that the SPD policies are there and they are ok.

    You are saying that the other end is not receiving the phase 2 in their negotiation of mobile client?



  • I must not be communicating something.

    I have an IKEv1 site-to-site tunnel which needs to connect to 4 different subnets on the other end. My config is below.

    Whenever I try to bring this config up, I am only able to contact the first subnet in the rightsubnet list.

    The problem is stated in the strongSwan documentation here (https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection); scroll down to the rightsubnet description:

    "IKEv2 supports multiple subnets separated by commas, IKEv1 only interprets the first subnet of such a definition,
    unless the Cisco Unity extension plugin is enabled (available since 5.0.1)."

    Hence my request for the Cisco Unity plugin to be installed.

    I have my config below. Please take a look and let me know if I am missing something, or if it is possible to add the cisco unity plugin.

    conn con1
            aggressive = no
            fragmentation = yes
            keyexchange = ikev1
            reauth = yes
            rekey = yes
            reqid = 1
            installpolicy = yes
            type = tunnel
            dpdaction = restart
            dpddelay = 10s
            dpdtimeout = 60s
            auto = route
            left = x.x.x.x
            right = y.y.y.y
            leftid = x.x.x.x
            ikelifetime = 86400s
            lifetime = 28800s
            rightsubnet = 10.43.12.0/24,10.43.22.0/24,10.43.32.0/24,10.43.42.0/24
            leftsubnet = 192.168.1.0/24
            ike = 3des-sha1-modp1024!
            esp = 3des-sha1,3des-sha1!
            leftauth = psk
            rightauth = psk
            rightid = y.y.y.y
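    The conn section above, together with the strongSwan rule quoted from the ConnSection page (IKEv1 takes only the first entry of a comma-separated rightsubnet unless the unity plugin is loaded), is something a reviewer can check mechanically. The following is an added example, not pfSense or strongSwan code: it parses a conn block in the key = value layout pfSense writes, flags the IKEv1 multi-subnet case and the 3DES/MODP-1024 proposals, and rewrites the conn as one section per remote subnet, which is the usual IKEv1 workaround when unity is not available. The per-conn reqid numbering and the `_1`..`_4` conn names are this example's own choices, not something pfSense generates.

```python
"""Lint a strongSwan 'conn' section like the one above and, for IKEv1 without the
unity plugin, rewrite it as one conn per remote subnet.  Added example, not
pfSense or strongSwan code.  Assumes the 'key = value' layout pfSense writes to
/var/etc/ipsec/ipsec.conf; the per-conn reqid numbering is this example's own
choice, not something pfSense does.
"""
import re

# Proposal tokens a reviewer would flag (deprecated cipher / undersized DH group)
WEAK_TOKENS = {
    "3des": "3DES is a 64-bit block cipher, deprecated for IPsec",
    "modp1024": "MODP-1024 (DH group 2) is below current minimum strength",
}


def parse_conn(text):
    """Parse one 'conn NAME' block into (name, settings dict); key order is kept."""
    name, settings = None, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            name = m.group(1)
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return name, settings


def subnet_list(settings, side="rightsubnet"):
    """Split the comma-separated subnet list of one side into a clean list."""
    return [s.strip() for s in settings.get(side, "").split(",") if s.strip()]


def lint_conn(settings, unity_loaded=False):
    """Return human-readable findings; an empty list means nothing to flag."""
    findings = []
    subnets = subnet_list(settings)
    # Limitation quoted from the strongSwan ConnSection page: IKEv1 negotiates only
    # the first subnet of a comma-separated list unless the unity plugin is loaded.
    if settings.get("keyexchange") == "ikev1" and len(subnets) > 1 and not unity_loaded:
        findings.append(
            f"rightsubnet lists {len(subnets)} subnets but IKEv1 without unity "
            f"negotiates only {subnets[0]}")
    for key in ("ike", "esp"):
        seen = set()
        for token in re.split(r"[-,!]", settings.get(key, "").lower()):
            if token in WEAK_TOKENS and token not in seen:
                seen.add(token)
                findings.append(f"{key}: {WEAK_TOKENS[token]}")
    return findings


def render_conn(name, settings):
    """Render a settings dict back into ipsec.conf syntax."""
    return "\n".join([f"conn {name}"] + [f"        {k} = {v}" for k, v in settings.items()])


def split_conn(name, settings):
    """IKEv1 workaround without unity: one conn (one CHILD_SA) per remote subnet.
    Each copy gets its own reqid so the kernel policies do not collide."""
    subnets = subnet_list(settings)
    if len(subnets) <= 1:
        return render_conn(name, settings)
    base = int(settings.get("reqid", "1"))
    parts = []
    for i, subnet in enumerate(subnets):
        # dict(mapping, **overrides) keeps the original key order
        s = dict(settings, rightsubnet=subnet, reqid=str(base + i))
        parts.append(render_conn(f"{name}_{i + 1}", s))
    return "\n\n".join(parts)


# Constructed sample: the thread's conn with its placeholder addresses kept.
SAMPLE_CONN = """\
conn con1
        aggressive = no
        keyexchange = ikev1
        reqid = 1
        type = tunnel
        auto = route
        left = x.x.x.x
        right = y.y.y.y
        leftid = x.x.x.x
        rightsubnet = 10.43.12.0/24,10.43.22.0/24,10.43.32.0/24,10.43.42.0/24
        leftsubnet = 192.168.1.0/24
        ike = 3des-sha1-modp1024!
        esp = 3des-sha1,3des-sha1!
        leftauth = psk
        rightauth = psk
        rightid = y.y.y.y
"""

if __name__ == "__main__":
    conn_name, conn_settings = parse_conn(SAMPLE_CONN)
    for finding in lint_conn(conn_settings):
        print("WARN:", finding)
    print(split_conn(conn_name, conn_settings))
```

    Run as-is it prints four warnings for the sample (the IKEv1 subnet limitation, 3DES and MODP-1024 in `ike`, 3DES in `esp`) followed by four conn sections `con1_1`..`con1_4`, each carrying a single rightsubnet; the same lint with `unity_loaded=True` drops the subnet warning and keeps the proposal ones.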



  • Any update on getting a build with the unity plugin? Are you just using the package release instead of building from source? I've tried building this on a separate freebsd box and copying all the binaries over, but could not get the pfsense box to recognize the new binaries. Let me know how to proceed,

    Thanks,

    -Karl



  • I have the exact same problem.



  • Unity plugin has been enabled; please test with the latest snapshot.



  • @ermal:

    Unity plugin has been enabled; please test with the latest snapshot.

    Unity still does not show up as a plugin:

    [2.2-BETA][root@pfsense.localdomain]/var/etc/ipsec: uname -a
    FreeBSD pfsense.localdomain 10.1-RC3 FreeBSD 10.1-RC3 #40 927f39f(releng/10.1)-dirty: Sun Oct 26 06:27:12 CDT 2014     root@pf22-amd64-snap:/usr/obj.amd64/usr/pfSensesrc/src/sys/pfSense_SMP.10  amd64
    [2.2-BETA][root@pfsense.localdomain]/var/etc/ipsec: ipsec statusall | grep -i unity
    [2.2-BETA][root@pfsense.localdomain]/var/etc/ipsec:

    It does show as a module in the strongswan unit tests here http://www.strongswan.org/uml/testresults/ikev1/rw-cert-unity/moon.daemon.log:

    Oct 19 09:10:39 moon charon: 00[LIB] loaded plugins: charon test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 curl revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default attr unity

    There are some unity-related patches in 5.2.1 (just released), and also some changes that may address IKEv1 re-keying issues I've seen (but haven't posted here yet, sorry; your ipsec plate seems full at the moment).



  • Unity plugin is now included; the plugin was missing.

    strongSwan is on version 5.2.1.



  • @ermal:

    Unity plugin is now included; the plugin was missing.

    strongSwan is on version 5.2.1.

    Good news is yes, unity plugin is now included, and we're on 5.2.1.

    Bad news is that it was built without support for IKEv1 (similar to this: https://forum.pfsense.org/index.php?topic=78431.0). Can you fix that before the next snapshot?

    Oct 30 09:11:05 pfsense charon: 07[ENC] generating INFORMATIONAL response 0 [ N(INVAL_MAJOR) ]
    Oct 30 09:11:05 pfsense charon: 07[NET] sending packet: from 24.74.47xx.xx[500] to 173.15.yy.yy[500] (36 bytes)
    Oct 30 09:11:05 pfsense charon: 07[NET] received unsupported IKE version 1.0 from 173.15.yy.yy, sending INVALID_MAJOR_VERSION
    [2.2-BETA][root@pfsense.localdomain]/var/log: uname -a
    FreeBSD pfsense.localdomain 10.1-RC3 FreeBSD 10.1-RC3 #47 72c1d40(releng/10.1)-dirty: Wed Oct 29 23:32:18 CDT 2014    root@pf22-amd64-snap:/usr/obj.amd64/usr/pfSensesrc/src/sys/pfSense_SMP.10  amd64
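    The two charon messages that drive this thread, "no IKE config found for ... sending NO_PROPOSAL_CHOSEN" from the first post and "received unsupported IKE version 1.0 ... sending INVALID_MAJOR_VERSION" from the log just above, are both worth catching automatically, since each points at a different root cause (no conn section matching the peer pair versus a charon build without IKEv1). The following is an added example, not pfSense or strongSwan code: a small triage script that parses charon lines in the syslog layout shown above and classifies them. The sample log is constructed from the thread's messages with RFC 5737 documentation addresses in place of the masked ones; the "IKE_SA ... established" line is included as a success case.

```python
"""Triage strongSwan charon log lines for the IKE failure modes seen in this
thread: 'no IKE config found ... NO_PROPOSAL_CHOSEN' (no conn section matched
the local/peer pair) and 'received unsupported IKE version 1.0 ...
INVALID_MAJOR_VERSION' (the charon build lacks IKEv1 support).  Added example,
not pfSense or strongSwan code; the sample lines below are constructed from the
thread's messages with documentation addresses substituted.
"""
import re
from collections import Counter

# syslog-style prefix as it appears in the thread:
# "<ts> <host> charon: <thread>[<group>] <msg>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) charon: "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$"
)

# (pattern, code, operator hint); the first matching rule wins
RULES = [
    (re.compile(r"no IKE config found for (?P<local>\S+?)\.\.\.(?P<peer>\S+?), "
                r"sending NO_PROPOSAL_CHOSEN"),
     "NO_IKE_CONFIG",
     "no conn section matches this local/peer pair: check left/right and "
     "leftid/rightid, and that ipsec.conf was actually generated"),
    (re.compile(r"received unsupported IKE version 1\.0 from (?P<peer>\S+), "
                r"sending INVALID_MAJOR_VERSION"),
     "IKEV1_UNSUPPORTED",
     "peer proposes IKEv1 but this charon build has no IKEv1 support"),
    (re.compile(r"IKE_SA (?P<conn>\S+)\[\d+\] established between "
                r"\S+\.\.\.(?P<peer>[^\[\s]+)"),
     "ESTABLISHED",
     "IKE_SA is up"),
]


def parse_line(line):
    """Split one syslog line into its charon fields, or None if it is not charon."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(msg):
    """Map a charon message to a code, peer address and hint, or None."""
    for rx, code, hint in RULES:
        m = rx.search(msg)
        if m:
            return {"code": code, "peer": m.group("peer"), "hint": hint}
    return None


def triage(log_text):
    """Return (findings, counts): classified events in log order and a Counter by code."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec:
            continue
        hit = classify(rec["msg"])
        if hit:
            findings.append({"ts": rec["ts"], "group": rec["group"], **hit})
    return findings, Counter(f["code"] for f in findings)


# Constructed sample log (documentation addresses, not real peers).
SAMPLE_LOG = """\
Oct 30 09:11:05 pfsense charon: 07[ENC] generating INFORMATIONAL response 0 [ N(INVAL_MAJOR) ]
Oct 30 09:11:05 pfsense charon: 07[NET] sending packet: from 192.0.2.10[500] to 198.51.100.20[500] (36 bytes)
Oct 30 09:11:05 pfsense charon: 07[NET] received unsupported IKE version 1.0 from 198.51.100.20, sending INVALID_MAJOR_VERSION
Oct 30 09:12:41 pfsense charon: 14[IKE] no IKE config found for 192.0.2.10...198.51.100.20, sending NO_PROPOSAL_CHOSEN
Oct 30 09:13:02 pfsense charon: 09[IKE] IKE_SA con1[1] established between 192.0.2.10[192.0.2.10]...198.51.100.20[198.51.100.20]
"""

if __name__ == "__main__":
    events, counts = triage(SAMPLE_LOG)
    for e in events:
        print(f"{e['ts']} {e['code']:<18} peer={e['peer']}  {e['hint']}")
    print(dict(counts))
```

    On a live box the same functions can be fed the output of `clog /var/log/ipsec.log` (or whatever log the installed version writes); the ENC and "sending packet" lines are deliberately left unclassified so that one failed exchange counts as a single event.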



  • It's rebuilding, sorry about the occurrence.



  • Has the rebuild shown up in the latest snapshot yet?



  • Yes, since at least 31-Oct, but I have not been in a position to test it.

