IPSEC tunnels display "connection established" but can not ping peer internal IP



  • I have pfSense 2.2-ALPHA (amd64) built on Mon Aug 18 22:46:22 CDT 2014 with 3 tunnel ipsec VPN (between pfsense and draytek vigor router 2910). It runs perfectly till I upgrade the later snapshot. All IPSEC tunnels display "connection established" but I can not ping peer internal IP hosts.
    I've almost upgraded it with every daily build but no one works (include the latest 2.2-BETA built on Tue Sep 23 13:29:41 CDT 2014). I try to find way to fix this problem by a patch or suggestion on the pfsense 2.2 forum but there's no way.
    I would greatly appreciated for any help!



  • You have to describe more of what is not working since this does not provide enough information.



  • My topology is IPSEC Site to Site VPN:

    Pfsense 2.2: WAN: PPPoE, dynamic bublic ip address, LAN IP address: 172.16.10.1/24
    Draytek router: WAN: PPPoE, dynamic bublic ip address, LAN IP address: 172.16.11.1/24

    IPSEC config on PfSense:
    Phase 1:
    Key Exchange version: IKE v1
    Remote gateway: remote host name (no-ip.org) of draytek 2910
    Authentication method: mutual PSK
    Negotiation mode:  main mode
    Encryption algorithm: 3DES
    Hash algorithm: SHA1
    Other options set as default
    Phase 2:
    Remote Network: 172.16.11.0/24
    Protocol: ESP
    Encryption algorithms: 3DES
    Hash algorithms: SHA1
    Automatically ping host: 172.16.11.1 (the internal LAN IP of draytek router)
    Other options set as default

    The problem is the VPN shows that it established but I still can not ping (time out) the internal ip of draytek router from my desktop behind the pfsense.
    I've already create rules to allow all protocol on wan and ipsec interface



  • just to confirm, I saw the same thing: earlier snapshots work, later ones do not, tunnel establishes OK but no traffic can pass.  I suspect it was broken around the time strongswan was changed to v 5.2.0.  I've posted configs and logs in another thread; there are no obvious errors logged, just no traffic.

    Seems that PSK is common to recent reported failures, so my next step will be to try RSA, but I haven't had time to get back to this.



  • I'm also seeing this issue.

    Some additional info: I have 3 VPNs, two are to Sonicwalls and 1 to another pfSense box on 2.1.4. The VPN to the other pfsense box does work great. Neither of the VPNs to the Sonicwalls pass traffic.

    The Sonicwalls I've tried just about every combination of 3DES, AES, IKEv1, IKEv2 and so on. Always PSK though, haven't tried RSA. The connection always establishes easily and there are no errors in the logs (even with all IPSec debug options set to Highest) but no traffic is passed.



  • I am experiencing this as well.

    It seems that the vpn connection/handshake is made just fine and outgoing traffic makes it to the other side of the vpn, but all incoming packets are blocked. I have tried adding all sorts of firewall rules allowing any/any for Lan/Wan/IpSec and nothing makes a difference.



  • The traffic are blocked both in and out, on my system. The last snapshot that allow ipsec site-to-site VPN traffic pass through as i know was built on Aug 18 2014. I could not found it again on the pfsense 2.2 server but I had saved it to my storages (lucky me!). If you need to test it, pls email me or post in this thread. I will upload the image file soon.
    Thanks a lot for yours feedback to my problem!



  • No additional info from me, sorry, but a "same here" … with 2.2-BETA from Sep. 25th
    As I heavily need IPSEC-tunnels for daily work I have to switch back to 2.1.5 stable for now.
    I "subscribe" to this thread as I would love to hear about fixes.



  • Can you execute sysctl net.inet.ipsec.debug=0xffffff

    Try a ping and check your system logs or dmesg -a output at the end?



  • In the GUI I see entries like:

    charon: 06[KNL] unable to query SAD entry with SPI c5fc4e46: No such file or directory (2)

    On the shell in ipsec.log:

    Sep 26 20:26:24 pfsense charon: 10[ENC] parsed INFORMATIONAL_V1 request 3289322555 [ HASH N(DPD) ]
    Sep 26 20:26:24 pfsense charon: 10[ENC] generating INFORMATIONAL_V1 request 3671064088 [ HASH N(DPD_ACK) ]
    Sep 26 20:26:24 pfsense charon: 10[NET] sending packet: from MY_IP[500] to THEIR_IP[500] (92 bytes)

    (IPs "scrambled" ;-) )

    No ping gets through.

    EDIT:

    more from "dmesg -a":

    key_get: no SA found.
    key_get: no SA found.
    key_get: no SA found.
    esp_input: payload of 76 octets not a multiple of 16 octets,  SA MY_IP/c3aa20e4
    esp_input: payload of 76 octets not a multiple of 16 octets,  SA MY_IP/c3aa20e4

    EDIT 2:

    same behavior with current last Beta from sep, 26th …



  • I think you have a mismatch of configuration on both sides.
    Which platform are you running this on?
    Do you see anything if you run setkey -D



  • esp mode=tunnel spi=2525103204(0x96820464) reqid=2(0x00000002)
    E: rijndael-cbc  74fe8acd 2e8bafe8 79ef82eb 7be5fce2 2088036c 4e1e205b c0e8a9fc 814b2a73
    A: hmac-sha1  67d2415d 35cbbe62 07f075e6 429e94b9 fce13e1a
    seq=0x00000003 replay=32 flags=0x00000000 state=mature
    created: Sep 27 11:09:43 2014 current: Sep 27 11:11:22 2014
    diff: 99(s) hard: 28800(s) soft: 27724(s)
    last: Sep 27 11:09:50 2014 hard: 0(s) soft: 0(s)
    current: 384(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 3 hard: 0 soft: 0
    sadb_seq=1 pid=94060 refcnt=2

    EDIT: btw it's an ALIX here. And no change with current Beta (sep, 26th, 14:06:31)

    If there is a mismatch, why does it work with pfsense 2.1.5?



  • Here are my logs. 1.1.1.1 is the local side, 20.20.20.20 is the remote side.

    2.2-BETA (amd64)
    built on Sat Sep 27 14:17:44 CDT 2014

    After setting sysctl net.inet.ipsec.debug=0xffffff this is from System/General:

    Sep 27 22:49:38	ipsec_starter[13996]: Starting weakSwan 5.2.0 IPsec [starter]...
    Sep 27 22:49:38	ipsec_starter[13996]: no netkey IPsec stack detected
    Sep 27 22:49:38	ipsec_starter[13996]: no KLIPS IPsec stack detected
    Sep 27 22:49:38	ipsec_starter[13996]: no known IPsec stack detected, ignoring!
    Sep 27 22:49:38	check_reload_status: Restarting ipsec tunnels
    Sep 27 22:49:38	ipsec_starter[14563]: charon (14770) started after 80 ms
    Sep 27 22:49:38	ipsec_starter[14563]: notifying watcher failed: Bad file descriptor
    Sep 27 22:49:38	ipsec_starter[14563]: 'con1' routed
    Sep 27 22:49:38	ipsec_starter[14563]:
    Sep 27 22:49:38	ipsec_starter[14563]: notifying watcher failed: Bad file descriptor
    Sep 27 22:49:40	kernel: ipsec_common_input: no key association found for SA 1.1.1.1/3ee9146c/50
    Sep 27 22:49:42	ipsec_starter[14563]: configuration 'con1' unrouted
    Sep 27 22:49:42	ipsec_starter[14563]:
    Sep 27 22:49:42	ipsec_starter[14563]: notifying watcher failed: Bad file descriptor
    Sep 27 22:49:42	ipsec_starter[14563]: notifying watcher failed: Bad file descriptor
    Sep 27 22:49:42	ipsec_starter[14563]: notifying watcher failed: Bad file descriptor
    Sep 27 22:49:42	ipsec_starter[14563]: 'con1' routed
    Sep 27 22:49:42	ipsec_starter[14563]:
    Sep 27 22:49:42	ipsec_starter[14563]: notifying watcher failed: Bad file descriptor
    Sep 27 22:49:42	check_reload_status: Reloading filter
    Sep 27 22:49:45	kernel: ipsec_common_input: no key association found for SA 1.1.1.1/3ee9146c/50
    Sep 27 22:49:46	kernel: esp_input_cb: authentication hash mismatch for packet in SA 1.1.1.1/c0955599
    Sep 27 22:49:51	kernel: esp_input_cb: authentication hash mismatch for packet in SA 1.1.1.1/c0955599
    Sep 27 22:49:54	php-fpm[10420]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
    Sep 27 22:49:55	ipsec_starter[14563]: configuration 'con1' unrouted
    Sep 27 22:49:55	ipsec_starter[14563]:
    Sep 27 22:49:55	ipsec_starter[14563]: notifying watcher failed: Bad file descriptor
    Sep 27 22:49:55	ipsec_starter[14563]: notifying watcher failed: Bad file descriptor
    Sep 27 22:49:55	ipsec_starter[14563]: notifying watcher failed: Bad file descriptor
    Sep 27 22:49:55	ipsec_starter[14563]: 'con1' routed
    Sep 27 22:49:55	ipsec_starter[14563]:
    Sep 27 22:49:55	ipsec_starter[14563]: notifying watcher failed: Bad file descriptor
    Sep 27 22:49:55	kernel: ipsec_common_input: no key association found for SA 1.1.1.1/3ee9146c/50
    Sep 27 22:49:56	kernel: esp_input_cb: authentication hash mismatch for packet in SA 1.1.1.1/c0955599
    Sep 27 22:50:01	kernel: esp_input_cb: authentication hash mismatch for packet in SA 1.1.1.1/c0955599
    Sep 27 22:50:05	kernel: ipsec_common_input: no key association found for SA 1.1.1.1/3ee9146c/50
    Sep 27 22:50:06	kernel: esp_input_cb: authentication hash mismatch for packet in SA 1.1.1.1/c0955599
    
    

    From IPSEC.log:

    Sep 27 22:49:38 pfSense charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.2.0, FreeBSD 10.1-PRERELEASE, amd64)
    Sep 27 22:49:38 pfSense charon: 00[KNL] unable to set UDP_ENCAP: Invalid argument
    Sep 27 22:49:38 pfSense charon: 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
    Sep 27 22:49:38 pfSense charon: 00[CFG] ipseckey plugin is disabled
    Sep 27 22:49:38 pfSense charon: 00[CFG] loading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
    Sep 27 22:49:38 pfSense charon: 00[CFG] loading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
    Sep 27 22:49:38 pfSense charon: 00[CFG] loading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
    Sep 27 22:49:38 pfSense charon: 00[CFG] loading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
    Sep 27 22:49:38 pfSense charon: 00[CFG] loading crls from '/var/etc/ipsec/ipsec.d/crls'
    Sep 27 22:49:38 pfSense charon: 00[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
    Sep 27 22:49:38 pfSense charon: 00[CFG]   loaded IKE secret for 20.20.20.20
    Sep 27 22:49:38 pfSense charon: 00[CFG] opening triplet file /var/etc/ipsec/ipsec.d/triplets.dat failed: No such file or directory
    Sep 27 22:49:38 pfSense charon: 00[CFG] loaded 0 RADIUS server configurations
    Sep 27 22:49:38 pfSense charon: 00[LIB] loaded plugins: charon curl unbound aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-pfkey kernel-pfroute resolve socket-default stroke smp updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap whitelist addrblock
    Sep 27 22:49:38 pfSense charon: 00[LIB] unable to load 6 plugin features (5 due to unmet dependencies)
    Sep 27 22:49:38 pfSense charon: 00[JOB] spawning 16 worker threads
    Sep 27 22:49:38 pfSense charon: 10[CFG] received stroke: add connection 'con1'
    Sep 27 22:49:38 pfSense charon: 10[CFG] added configuration 'con1'
    Sep 27 22:49:38 pfSense charon: 12[CFG] received stroke: route 'con1'
    Sep 27 22:49:42 pfSense charon: 08[CFG] rereading secrets
    Sep 27 22:49:42 pfSense charon: 08[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
    Sep 27 22:49:42 pfSense charon: 08[CFG]   loaded IKE secret for 20.20.20.20
    Sep 27 22:49:42 pfSense charon: 08[CFG] rereading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
    Sep 27 22:49:42 pfSense charon: 08[CFG] rereading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
    Sep 27 22:49:42 pfSense charon: 08[CFG] rereading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
    Sep 27 22:49:42 pfSense charon: 08[CFG] rereading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
    Sep 27 22:49:42 pfSense charon: 08[CFG] rereading crls from '/var/etc/ipsec/ipsec.d/crls'
    Sep 27 22:49:42 pfSense charon: 12[CFG] received stroke: unroute 'con1'
    Sep 27 22:49:42 pfSense charon: 16[CFG] received stroke: delete connection 'con1'
    Sep 27 22:49:42 pfSense charon: 16[CFG] deleted connection 'con1'
    Sep 27 22:49:42 pfSense charon: 08[CFG] received stroke: add connection 'con1'
    Sep 27 22:49:42 pfSense charon: 08[CFG] added configuration 'con1'
    Sep 27 22:49:42 pfSense charon: 16[CFG] received stroke: route 'con1'
    Sep 27 22:49:43 pfSense charon: 12[NET] received packet: from 20.20.20.20[500] to 1.1.1.1[500] (172 bytes)
    Sep 27 22:49:43 pfSense charon: 12[ENC] parsed ID_PROT request 0 [ SA V V V V V ]
    Sep 27 22:49:43 pfSense charon: 12[ENC] received unknown vendor ID: 5b:36:2b:c8:20:f6:00:07
    Sep 27 22:49:43 pfSense charon: 12[IKE] <1> received NAT-T (RFC 3947) vendor ID
    Sep 27 22:49:43 pfSense charon: 12[IKE] received NAT-T (RFC 3947) vendor ID
    Sep 27 22:49:43 pfSense charon: 12[IKE] <1> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Sep 27 22:49:43 pfSense charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Sep 27 22:49:43 pfSense charon: 12[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Sep 27 22:49:43 pfSense charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Sep 27 22:49:43 pfSense charon: 12[IKE] <1> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
    Sep 27 22:49:43 pfSense charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
    Sep 27 22:49:43 pfSense charon: 12[IKE] <1> 20.20.20.20 is initiating a Main Mode IKE_SA
    Sep 27 22:49:43 pfSense charon: 12[IKE] 20.20.20.20 is initiating a Main Mode IKE_SA
    Sep 27 22:49:43 pfSense charon: 12[ENC] generating ID_PROT response 0 [ SA V V V ]
    Sep 27 22:49:43 pfSense charon: 12[NET] sending packet: from 1.1.1.1[500] to 20.20.20.20[500] (132 bytes)
    Sep 27 22:49:43 pfSense charon: 12[NET] received packet: from 20.20.20.20[500] to 1.1.1.1[500] (288 bytes)
    Sep 27 22:49:43 pfSense charon: 12[ENC] parsed ID_PROT request 0 [ KE NAT-D NAT-D No V V V V ]
    Sep 27 22:49:43 pfSense charon: 12[ENC] received unknown vendor ID: 40:4b:f4:39:52:2c:a3:f6
    Sep 27 22:49:43 pfSense charon: 12[IKE] <1> received XAuth vendor ID
    Sep 27 22:49:43 pfSense charon: 12[IKE] received XAuth vendor ID
    Sep 27 22:49:43 pfSense charon: 12[ENC] received unknown vendor ID: da:8e:93:78:80:01:00:00
    Sep 27 22:49:43 pfSense charon: 12[IKE] <1> received DPD vendor ID
    Sep 27 22:49:43 pfSense charon: 12[IKE] received DPD vendor ID
    Sep 27 22:49:43 pfSense charon: 12[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
    Sep 27 22:49:43 pfSense charon: 12[NET] sending packet: from 1.1.1.1[500] to 20.20.20.20[500] (244 bytes)
    Sep 27 22:49:43 pfSense charon: 12[NET] received packet: from 20.20.20.20[500] to 1.1.1.1[500] (92 bytes)
    Sep 27 22:49:43 pfSense charon: 12[ENC] parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
    Sep 27 22:49:43 pfSense charon: 12[CFG] looking for pre-shared key peer configs matching 1.1.1.1...20.20.20.20[20.20.20.20]
    Sep 27 22:49:43 pfSense charon: 12[CFG] selected peer config "con1"
    Sep 27 22:49:43 pfSense charon: 12[IKE] <con1|1>IKE_SA con1[1] established between 1.1.1.1[1.1.1.1]...20.20.20.20[20.20.20.20]
    Sep 27 22:49:43 pfSense charon: 12[IKE] IKE_SA con1[1] established between 1.1.1.1[1.1.1.1]...20.20.20.20[20.20.20.20]
    Sep 27 22:49:43 pfSense charon: 12[ENC] generating ID_PROT response 0 [ ID HASH ]
    Sep 27 22:49:43 pfSense charon: 12[NET] sending packet: from 1.1.1.1[500] to 20.20.20.20[500] (68 bytes)
    Sep 27 22:49:43 pfSense charon: 16[NET] received packet: from 20.20.20.20[500] to 1.1.1.1[500] (156 bytes)
    Sep 27 22:49:43 pfSense charon: 16[ENC] parsed QUICK_MODE request 2144162142 [ HASH SA No ID ID ]
    Sep 27 22:49:43 pfSense charon: 16[IKE] <con1|1>received 28800s lifetime, configured 0s
    Sep 27 22:49:43 pfSense charon: 16[IKE] received 28800s lifetime, configured 0s
    Sep 27 22:49:43 pfSense charon: 16[ENC] generating QUICK_MODE response 2144162142 [ HASH SA No ID ID ]
    Sep 27 22:49:43 pfSense charon: 16[NET] sending packet: from 1.1.1.1[500] to 20.20.20.20[500] (172 bytes)
    Sep 27 22:49:43 pfSense charon: 16[NET] received packet: from 20.20.20.20[500] to 1.1.1.1[500] (52 bytes)
    Sep 27 22:49:43 pfSense charon: 16[ENC] parsed QUICK_MODE request 2144162142 [ HASH ]
    Sep 27 22:49:43 pfSense charon: 16[IKE] <con1|1>CHILD_SA con1{1} established with SPIs c0955599_i ad77c3b1_o and TS 10.0.0.0/24|/0 === 192.168.93.0/24|/0 
    Sep 27 22:49:43 pfSense charon: 16[IKE] CHILD_SA con1{1} established with SPIs c0955599_i ad77c3b1_o and TS 10.0.0.0/24|/0 === 192.168.93.0/24|/0 
    Sep 27 22:49:53 pfSense charon: 16[IKE] <con1|1>sending DPD request
    Sep 27 22:49:53 pfSense charon: 16[IKE] sending DPD request
    Sep 27 22:49:53 pfSense charon: 16[ENC] generating INFORMATIONAL_V1 request 1145261094 [ HASH N(DPD) ]
    Sep 27 22:49:53 pfSense charon: 16[NET] sending packet: from 1.1.1.1[500] to 20.20.20.20[500] (92 bytes)
    Sep 27 22:49:53 pfSense charon: 16[NET] received packet: from 20.20.20.20[500] to 1.1.1.1[500] (84 bytes)
    Sep 27 22:49:53 pfSense charon: 16[ENC] parsed INFORMATIONAL_V1 request 1340843437 [ HASH N(DPD_ACK) ]
    Sep 27 22:49:55 pfSense charon: 12[CFG] rereading secrets
    Sep 27 22:49:55 pfSense charon: 12[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
    Sep 27 22:49:55 pfSense charon: 12[CFG]   loaded IKE secret for 20.20.20.20
    Sep 27 22:49:55 pfSense charon: 12[CFG] rereading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
    Sep 27 22:49:55 pfSense charon: 12[CFG] rereading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
    Sep 27 22:49:55 pfSense charon: 12[CFG] rereading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
    Sep 27 22:49:55 pfSense charon: 12[CFG] rereading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
    Sep 27 22:49:55 pfSense charon: 12[CFG] rereading crls from '/var/etc/ipsec/ipsec.d/crls'
    Sep 27 22:49:55 pfSense charon: 16[CFG] received stroke: unroute 'con1'
    Sep 27 22:49:55 pfSense charon: 12[CFG] received stroke: delete connection 'con1'
    Sep 27 22:49:55 pfSense charon: 12[CFG] deleted connection 'con1'
    Sep 27 22:49:55 pfSense charon: 16[CFG] received stroke: add connection 'con1'
    Sep 27 22:49:55 pfSense charon: 16[CFG] added configuration 'con1'
    Sep 27 22:49:55 pfSense charon: 12[CFG] received stroke: route 'con1'
    Sep 27 22:50:03 pfSense charon: 12[IKE] <con1|1>sending DPD request
    Sep 27 22:50:03 pfSense charon: 12[IKE] sending DPD request
    Sep 27 22:50:03 pfSense charon: 12[ENC] generating INFORMATIONAL_V1 request 3097320797 [ HASH N(DPD) ]
    Sep 27 22:50:03 pfSense charon: 12[NET] sending packet: from 1.1.1.1[500] to 20.20.20.20[500] (92 bytes)
    Sep 27 22:50:03 pfSense charon: 12[NET] received packet: from 20.20.20.20[500] to 1.1.1.1[500] (84 bytes)
    Sep 27 22:50:03 pfSense charon: 12[ENC] parsed INFORMATIONAL_V1 request 673394272 [ HASH N(DPD_ACK) ]
    Sep 27 22:50:13 pfSense charon: 16[IKE] <con1|1>sending DPD request
    Sep 27 22:50:13 pfSense charon: 16[IKE] sending DPD request
    Sep 27 22:50:13 pfSense charon: 16[ENC] generating INFORMATIONAL_V1 request 2063326953 [ HASH N(DPD) ]
    Sep 27 22:50:13 pfSense charon: 16[NET] sending packet: from 1.1.1.1[500] to 20.20.20.20[500] (92 bytes)
    Sep 27 22:50:13 pfSense charon: 16[NET] received packet: from 20.20.20.20[500] to 1.1.1.1[500] (84 bytes)
    Sep 27 22:50:13 pfSense charon: 16[ENC] parsed INFORMATIONAL_V1 request 1995717824 [ HASH N(DPD_ACK) ]
    Sep 27 22:50:23 pfSense charon: 16[IKE] <con1|1>sending DPD request
    Sep 27 22:50:23 pfSense charon: 16[IKE] sending DPD request
    Sep 27 22:50:23 pfSense charon: 16[ENC] generating INFORMATIONAL_V1 request 4185681833 [ HASH N(DPD) ]
    Sep 27 22:50:23 pfSense charon: 16[NET] sending packet: from 1.1.1.1[500] to 20.20.20.20[500] (92 bytes)
    Sep 27 22:50:23 pfSense charon: 16[NET] received packet: from 20.20.20.20[500] to 1.1.1.1[500] (84 bytes)
    Sep 27 22:50:23 pfSense charon: 16[ENC] parsed INFORMATIONAL_V1 request 599170903 [ HASH N(DPD_ACK) ]
    Sep 27 22:50:33 pfSense charon: 16[IKE] <con1|1>sending DPD request
    Sep 27 22:50:33 pfSense charon: 16[IKE] sending DPD request
    Sep 27 22:50:33 pfSense charon: 16[ENC] generating INFORMATIONAL_V1 request 1518877182 [ HASH N(DPD) ]
    Sep 27 22:50:33 pfSense charon: 16[NET] sending packet: from 1.1.1.1[500] to 20.20.20.20[500] (92 bytes)
    Sep 27 22:50:33 pfSense charon: 16[NET] received packet: from 20.20.20.20[500] to 1.1.1.1[500] (84 bytes)
    Sep 27 22:50:33 pfSense charon: 16[ENC] parsed INFORMATIONAL_V1 request 1140437225 [ HASH N(DPD_ACK) ]
    Sep 27 22:50:43 pfSense charon: 16[IKE] <con1|1>sending DPD request
    Sep 27 22:50:43 pfSense charon: 16[IKE] sending DPD request
    Sep 27 22:50:43 pfSense charon: 16[ENC] generating INFORMATIONAL_V1 request 2083770508 [ HASH N(DPD) ]
    Sep 27 22:50:43 pfSense charon: 16[NET] sending packet: from 1.1.1.1[500] to 20.20.20.20[500] (92 bytes)
    Sep 27 22:50:43 pfSense charon: 16[NET] received packet: from 20.20.20.20[500] to 1.1.1.1[500] (84 bytes)
    Sep 27 22:50:43 pfSense charon: 16[ENC] parsed INFORMATIONAL_V1 request 1134437330 [ HASH N(DPD_ACK) ]
    Sep 27 22:50:53 pfSense charon: 14[IKE] <con1|1>sending DPD request
    Sep 27 22:50:53 pfSense charon: 14[IKE] sending DPD request
    Sep 27 22:50:53 pfSense charon: 14[ENC] generating INFORMATIONAL_V1 request 1556314298 [ HASH N(DPD) ]
    Sep 27 22:50:53 pfSense charon: 14[NET] sending packet: from 1.1.1.1[500] to 20.20.20.20[500] (92 bytes)
    Sep 27 22:50:53 pfSense charon: 14[NET] received packet: from 20.20.20.20[500] to 1.1.1.1[500] (84 bytes)
    Sep 27 22:50:53 pfSense charon: 14[ENC] parsed INFORMATIONAL_V1 request 1840007776 [ HASH N(DPD_ACK) ]
    Sep 27 22:51:03 pfSense charon: 16[IKE] <con1|1>sending DPD request
    Sep 27 22:51:03 pfSense charon: 16[IKE] sending DPD request
    Sep 27 22:51:03 pfSense charon: 16[ENC] generating INFORMATIONAL_V1 request 4016897296 [ HASH N(DPD) ]
    Sep 27 22:51:03 pfSense charon: 16[NET] sending packet: from 1.1.1.1[500] to 20.20.20.20[500] (92 bytes)
    Sep 27 22:51:03 pfSense charon: 14[NET] received packet: from 20.20.20.20[500] to 1.1.1.1[500] (84 bytes)
    Sep 27 22:51:03 pfSense charon: 14[ENC] parsed INFORMATIONAL_V1 request 3484202734 [ HASH N(DPD_ACK) ]
    Sep 27 22:51:13 pfSense charon: 14[IKE] <con1|1>sending DPD request
    Sep 27 22:51:13 pfSense charon: 14[IKE] sending DPD request
    Sep 27 22:51:13 pfSense charon: 14[ENC] generating INFORMATIONAL_V1 request 1002893300 [ HASH N(DPD) ]
    Sep 27 22:51:13 pfSense charon: 14[NET] sending packet: from 1.1.1.1[500] to 20.20.20.20[500] (92 bytes)
    Sep 27 22:51:13 pfSense charon: 14[NET] received packet: from 20.20.20.20[500] to 1.1.1.1[500] (84 bytes)
    Sep 27 22:51:13 pfSense charon: 14[ENC] parsed INFORMATIONAL_V1 request 3871001919 [ HASH N(DPD_ACK) ]
    Sep 27 22:51:23 pfSense charon: 14[IKE] <con1|1>sending DPD request
    Sep 27 22:51:23 pfSense charon: 14[IKE] sending DPD request
    Sep 27 22:51:23 pfSense charon: 14[ENC] generating INFORMATIONAL_V1 request 3614863798 [ HASH N(DPD) ]
    Sep 27 22:51:23 pfSense charon: 14[NET] sending packet: from 1.1.1.1[500] to 20.20.20.20[500] (92 bytes)
    Sep 27 22:51:23 pfSense charon: 14[NET] received packet: from 20.20.20.20[500] to 1.1.1.1[500] (84 bytes)
    Sep 27 22:51:23 pfSense charon: 14[ENC] parsed INFORMATIONAL_V1 request 2932684252 [ HASH N(DPD_ACK) ]
    Sep 27 22:51:33 pfSense charon: 14[IKE] <con1|1>sending DPD request
    Sep 27 22:51:33 pfSense charon: 14[IKE] sending DPD request
    Sep 27 22:51:33 pfSense charon: 14[ENC] generating INFORMATIONAL_V1 request 84044987 [ HASH N(DPD) ]
    Sep 27 22:51:33 pfSense charon: 14[NET] sending packet: from 1.1.1.1[500] to 20.20.20.20[500] (92 bytes)
    Sep 27 22:51:33 pfSense charon: 14[NET] received packet: from 20.20.20.20[500] to 1.1.1.1[500] (84 bytes)
    Sep 27 22:51:33 pfSense charon: 14[ENC] parsed INFORMATIONAL_V1 request 4083742301 [ HASH N(DPD_ACK) ]
    Sep 27 22:51:43 pfSense charon: 14[IKE] <con1|1>sending DPD request
    Sep 27 22:51:43 pfSense charon: 14[IKE] sending DPD request
    Sep 27 22:51:43 pfSense charon: 14[ENC] generating INFORMATIONAL_V1 request 2471563641 [ HASH N(DPD) ]
    Sep 27 22:51:43 pfSense charon: 14[NET] sending packet: from 1.1.1.1[500] to 20.20.20.20[500] (92 bytes)
    Sep 27 22:51:43 pfSense charon: 14[NET] received packet: from 20.20.20.20[500] to 1.1.1.1[500] (84 bytes)
    Sep 27 22:51:43 pfSense charon: 14[ENC] parsed INFORMATIONAL_V1 request 1137160689 [ HASH N(DPD_ACK) ]
    Sep 27 22:51:53 pfSense charon: 06[IKE] <con1|1>sending DPD request
    Sep 27 22:51:53 pfSense charon: 06[IKE] sending DPD request
    Sep 27 22:51:53 pfSense charon: 06[ENC] generating INFORMATIONAL_V1 request 3457650075 [ HASH N(DPD) ]
    Sep 27 22:51:53 pfSense charon: 06[NET] sending packet: from 1.1.1.1[500] to 20.20.20.20[500] (92 bytes)
    Sep 27 22:51:53 pfSense charon: 06[NET] received packet: from 20.20.20.20[500] to 1.1.1.1[500] (84 bytes)
    Sep 27 22:51:53 pfSense charon: 06[ENC] parsed INFORMATIONAL_V1 request 3228163712 [ HASH N(DPD_ACK) ]
    Sep 27 22:52:03 pfSense charon: 02[IKE] <con1|1>sending DPD request
    Sep 27 22:52:03 pfSense charon: 02[IKE] sending DPD request
    Sep 27 22:52:03 pfSense charon: 02[ENC] generating INFORMATIONAL_V1 request 1000037337 [ HASH N(DPD) ]
    Sep 27 22:52:03 pfSense charon: 02[NET] sending packet: from 1.1.1.1[500] to 20.20.20.20[500] (92 bytes)
    Sep 27 22:52:03 pfSense charon: 02[NET] received packet: from 20.20.20.20[500] to 1.1.1.1[500] (84 bytes)
    Sep 27 22:52:03 pfSense charon: 02[ENC] parsed INFORMATIONAL_V1 request 2527782488 [ HASH N(DPD_ACK) ]</con1|1></con1|1></con1|1></con1|1></con1|1></con1|1></con1|1></con1|1></con1|1></con1|1></con1|1></con1|1></con1|1></con1|1></con1|1></con1|1></con1|1> 
    

    The follow line is repeated at the end of dmesg every few seconds after the connection is established:

    esp_input_cb: authentication hash mismatch for packet in SA 1.1.1.1/c0955599
    esp_input_cb: authentication hash mismatch for packet in SA 1.1.1.1/c0955599
    esp_input_cb: authentication hash mismatch for packet in SA 1.1.1.1/c0955599
    

    Output from setkey -D :

    $ setkey -D
    1.1.1.1 20.20.20.20 
    	esp mode=tunnel spi=2910307249(0xad77c3b1) reqid=1(0x00000001)
    	E: 3des-cbc  b012ff19 87901ab8 2bfdd330 02a997e7 45960d5b c572d045
    	A: hmac-sha1  139ac587 d63802b0 057f2067 51fcfdbd f2e41f4d
    	seq=0x0000005f replay=32 flags=0x00000000 state=mature 
    	created: Sep 27 22:49:43 2014	current: Sep 27 22:56:59 2014
    	diff: 436(s)	hard: 0(s)	soft: 0(s)
    	last: Sep 27 22:56:58 2014	hard: 0(s)	soft: 0(s)
    	current: 11328(bytes)	hard: 0(bytes)	soft: 0(bytes)
    	allocated: 95	hard: 0	soft: 0
    	sadb_seq=1 pid=41312 refcnt=2
    20.20.20.20 1.1.1.1 
    	esp mode=any spi=3231012249(0xc0955599) reqid=1(0x00000001)
    	E: 3des-cbc  827783e0 a836349a 6dcfc676 f1d3f25b 735754f9 0c6d828c
    	A: hmac-sha1  bca330a7 1d3cf511 82b91a5e 5bb716d6 946bd2eb
    	seq=0x00000000 replay=32 flags=0x00000000 state=mature 
    	created: Sep 27 22:49:43 2014	current: Sep 27 22:56:59 2014
    	diff: 436(s)	hard: 0(s)	soft: 0(s)
    	last:                     	hard: 0(s)	soft: 0(s)
    	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
    	allocated: 0	hard: 0	soft: 0
    	sadb_seq=0 pid=41312 refcnt=1
    


  • This is the link of pfsense 2.2 update firmware for i386 platform built on August 18 2014 that make IPSEC VPN connections working. I had been running this snapshot for my vpn connections and it just works fine and stable.
    I upload this to mediafire since I could not found it on pfsense 2.2 site any more.
    http://www.mediafire.com/download/qfgr99ylp71fu9d/pfSense-Full-Update-2.2-DEVELOPMENT-i386-20140818-0926.tgz
    All your configs should still remain. You should check on the "Perform full backup prior to upgrade" option so you can switch back to the current snapshot later. And of course, you should run this update successfully on a lab device before deploying this on production!

    Updated:  Added the same built updated firmware version for amd64 platfom (same functionality)

    http://www.mediafire.com/download/c44c5v8r6llofck/pfSense-Full-Update-2.2-DEVELOPMENT-amd64-20140818-1350.tgz



  • Can you confirm that for the ones that it does not work you are using *DES encryption type for phase2?



  • Yes, i'm sure that i'm using 3DES for both phase1 and phase 2. With the same VPN config, when i upgrade to newer version, even with the lastest 2.2 beta version today, the vpn stop working (can not ping peer IP) though it shown that vpn connected. Then i switch back to the alpha version built on 08.18.2014, everything is ok. I saw that some people hehe had been in the same situation of mine. The last 3 week, I've just paid for an APU from netgate and tested it with 64bit 4G nanobsd image on SD card (the pfsense firmware downloaded from netgate site is version 2.1.5). Pfsense 2.1.5 release always works greatly include IPSEC VPN! At least for me. Then I upgraded it to 2.2 beta version and got the same IPSEC VPN connection errors as such when installing full image beta 2.2 version on i386 and amd64 PC server.



  • Ok probably some patches on ipsec that are on 2.2 might impact 3DES.
    I have not tested much on DES since AES is mostly recommended now days :)



  • @ermal:

    Ok probably some patches on ipsec that are on 2.2 might impact 3DES.
    I have not tested much on DES since AES is mostly recommended now days :)

    My tunnels use AES … and also don't ping  ::)



  • @sgw:

    @ermal:

    Ok probably some patches on ipsec that are on 2.2 might impact 3DES.
    I have not tested much on DES since AES is mostly recommended now days :)

    My tunnels use AES … and also don't ping  ::)

    Same, I tested 3DES and AES, no difference. IKEv1 and v2, no difference either.



  • @Knossos:

    Same, I tested 3DES and AES, no difference. IKEv1 and v2, no difference either.

    Yes, same here.



  • Same to me! Maybe we have to wait for the day pfsense 2.2 release?! :(



  • I am using AES-128 and SHA-1 and I cannot get traffic through any ipsec vpn I create (multiple destinations and target equipment). All indications are that the VPN connection is made and functioning correctly. It seems to me that the issue lies somewhere within the pfSense firewall. Its acting like the firewall is just blocking all IPSec traffic regardless of the firewall entries that tell it to allow.



  • To my knowledge, when we config vpn connections, the system rules were automatically made to allow traffic of IPSEC protocol go through WAN and we create rules manually to allow traffic bypass IPSEC interface (the IPSEC or OpenVPN interfaces only present after we created ipsec connection). So I suspect the lack of some routing configs in the routing table or some system rules had made this errors.



  • @hoanghaibinh:

    So I suspect the lack of some routing configs in the routing table or some system rules had made this errors.

    IPSec Mobile Client
      Mutual PSK
      Virtual Address Pool: 172.16.94.0/24

    Can someone please check if that route is right? (it doesn't look possible)

    
    Destination 	Gateway 	               Flags 	Use 	 Mtu 	    Netif
    172.16.94.1 	[Primary-GW-IP-of-pfSense] 	UGHS 	0 	1500 	hn0
    
    

    Same config in 2.1.5 but i haven't this route and traffic pass through.



  • I dont have much to add other than I too have this issue. I show connection on both ends Changing from DES to AES 128 but no traffic passes. Changing from DES to AES makes no difference.

    I will help test in any way if needed just let me know.

    Im on the 10/3 snapshot on ms hyper-v



  • I found this link on google and hope this help since it seems that the description in this case is quite similar in ours:
    https://forums.freebsd.org/viewtopic.php?&t=36125
    I haven't got much time to try this right now but I'll manage to do it soon and let you know the result.



  • Thanks for the pointer, unfortunately I am not really able to test that on my systems as I don't really know how to modify the mentioned pf-rules etc

    I compared the output of "netstat -r" (=routes) between the beta and stable 2.1.5 right now.

    I see explicit routes to the IP of the other IPSEC-gateway on 2.1.5 while they are missing on the beta. I have no idea if that matters, it's just what I was thinking of and checking … got to try to add these routes on the beta and re-test pinging (after writing this reply ... ).

    While I let ping run I checked pftop/pfinfo and couldn't spot dropped packages ...



  • So basically site to site IPsec is broke now correct? Has anyone got it to work yet?



  • I an unsure why it does not work for some people.

    For me on first setup it works!



  • @ermal:

    I an unsure why it does not work for some people.

    For me on first setup it works!

    Maybe it is related to the upgrade-procedure? Maybe the tunnel configs aren't transferred correctly when we upgrade from 2.1.5 to 2.2-beta?



  • @sgw:

    Maybe it is related to the upgrade-procedure? Maybe the tunnel configs aren't transferred correctly when we upgrade from 2.1.5 to 2.2-beta?

    No, I had a clean 2.2 install that was working well (road warrior config, shrewsoft client), then stopped working at some point with a new snapshot.  I believe it stopped working after pfSense updated Strongswan from 5.1.x to 5.2.0, and/or FreeBSD 10.0 to 10.1 prerelease.  Same symptoms as reported here: tunnel is established, but no traffic can pass.

    @ermal:

    I an unsure why it does not work for some people.

    For me on first setup it works!

    Site-to-site or mobile client?  Can you post a config that works?



  • Next snapshot should fix the issue.



  • @ermal:

    Next snapshot should fix the issue.

    cool. Can you point us at the bug/commit solving this? I am interested in what the issue was? Thanks!



  • The issue was in some hashes had wrong size in the kernel due to some improvements done to ipsec.

    That has been fixed now.



  • Thanks a lot! I upgraded to lastest snapshot . It's working now!



  • @hoanghaibinh:

    Thanks a lot! I upgraded to lastest snapshot . It's working now!

    Same here, great!



  • Kinda works for me, although the default gateway get's set to the IPSec connection. (OS X Mavericks)
    Can't figure out why as I've only chosen the LAN subnet in phase2 and am running a similar config on 2.1.5 without problems.

    Anyone got the same problem?



  • @filnko:

    although the default gateway get's set to the IPSec connection. (OS X Mavericks)

    Can you show your IPSec config more detail? What do you mean "OS X Mavericks" here?


Log in to reply