IPsec tunnels display "connection established" but cannot ping peer internal IP
-
I have pfSense 2.2-ALPHA (amd64) built on Mon Aug 18 22:46:22 CDT 2014 with 3 IPsec VPN tunnels (between pfSense and a DrayTek Vigor 2910 router). It ran perfectly until I upgraded to a later snapshot. All IPsec tunnels display "connection established", but I cannot ping the peer's internal IP hosts.
I've upgraded it with almost every daily build, but none of them work (including the latest 2.2-BETA built on Tue Sep 23 13:29:41 CDT 2014). I tried to find a way to fix this problem via a patch or suggestion on the pfSense 2.2 forum, but found nothing.
I would greatly appreciate any help! -
You have to describe more of what is not working since this does not provide enough information.
-
My topology is IPSEC Site to Site VPN:
pfSense 2.2: WAN: PPPoE, dynamic public IP address; LAN IP address: 172.16.10.1/24
DrayTek router: WAN: PPPoE, dynamic public IP address; LAN IP address: 172.16.11.1/24
IPsec config on pfSense:
Phase 1:
Key Exchange version: IKE v1
Remote gateway: remote host name (no-ip.org) of draytek 2910
Authentication method: mutual PSK
Negotiation mode: main mode
Encryption algorithm: 3DES
Hash algorithm: SHA1
Other options set as default
Phase 2:
Remote Network: 172.16.11.0/24
Protocol: ESP
Encryption algorithms: 3DES
Hash algorithms: SHA1
Automatically ping host: 172.16.11.1 (the internal LAN IP of draytek router)
Other options set as default
The problem is that the VPN shows as established, but I still cannot ping (timeout) the internal IP of the DrayTek router from my desktop behind the pfSense.
I've already created rules to allow all protocols on the WAN and IPsec interfaces. -
Just to confirm, I saw the same thing: earlier snapshots work, later ones do not; the tunnel establishes OK but no traffic can pass. I suspect it was broken around the time strongSwan was changed to v5.2.0. I've posted configs and logs in another thread; there are no obvious errors logged, just no traffic.
It seems that PSK is common to the recently reported failures, so my next step will be to try RSA, but I haven't had time to get back to this.
-
I'm also seeing this issue.
Some additional info: I have 3 VPNs, two are to SonicWalls and 1 to another pfSense box on 2.1.4. The VPN to the other pfSense box works great. Neither of the VPNs to the SonicWalls pass traffic.
With the SonicWalls I've tried just about every combination of 3DES, AES, IKEv1, IKEv2 and so on, always PSK though; I haven't tried RSA. The connection always establishes easily and there are no errors in the logs (even with all IPsec debug options set to Highest), but no traffic is passed.
-
I am experiencing this as well.
It seems that the vpn connection/handshake is made just fine and outgoing traffic makes it to the other side of the vpn, but all incoming packets are blocked. I have tried adding all sorts of firewall rules allowing any/any for Lan/Wan/IpSec and nothing makes a difference.
-
Traffic is blocked both in and out on my system. The last snapshot that allowed IPsec site-to-site VPN traffic to pass, as far as I know, was built on Aug 18 2014. I could not find it on the pfSense 2.2 server any more, but I had saved it to my storage (lucky me!). If you need to test it, please email me or post in this thread. I will upload the image file soon.
Thanks a lot for your feedback on my problem! -
No additional info from me, sorry, but a "same here" … with 2.2-BETA from Sep. 25th
As I heavily need IPsec tunnels for daily work, I have to switch back to 2.1.5 stable for now.
I "subscribe" to this thread as I would love to hear about fixes. -
Can you execute sysctl net.inet.ipsec.debug=0xffffff
Try a ping and check your system logs or dmesg -a output at the end?
-
In the GUI I see entries like:
charon: 06[KNL] unable to query SAD entry with SPI c5fc4e46: No such file or directory (2)
On the shell in ipsec.log:
Sep 26 20:26:24 pfsense charon: 10[ENC] parsed INFORMATIONAL_V1 request 3289322555 [ HASH N(DPD) ]
Sep 26 20:26:24 pfsense charon: 10[ENC] generating INFORMATIONAL_V1 request 3671064088 [ HASH N(DPD_ACK) ]
Sep 26 20:26:24 pfsense charon: 10[NET] sending packet: from MY_IP[500] to THEIR_IP[500] (92 bytes)(IPs "scrambled" ;-) )
No ping gets through.
EDIT:
more from "dmesg -a":
key_get: no SA found.
key_get: no SA found.
key_get: no SA found.
esp_input: payload of 76 octets not a multiple of 16 octets, SA MY_IP/c3aa20e4
esp_input: payload of 76 octets not a multiple of 16 octets, SA MY_IP/c3aa20e4
EDIT 2:
Same behavior with the current latest Beta from Sep. 26th …
-
I think you have a mismatch of configuration on both sides.
Which platform are you running this on?
Do you see anything if you run setkey -D -
esp mode=tunnel spi=2525103204(0x96820464) reqid=2(0x00000002)
E: rijndael-cbc 74fe8acd 2e8bafe8 79ef82eb 7be5fce2 2088036c 4e1e205b c0e8a9fc 814b2a73
A: hmac-sha1 67d2415d 35cbbe62 07f075e6 429e94b9 fce13e1a
seq=0x00000003 replay=32 flags=0x00000000 state=mature
created: Sep 27 11:09:43 2014 current: Sep 27 11:11:22 2014
diff: 99(s) hard: 28800(s) soft: 27724(s)
last: Sep 27 11:09:50 2014 hard: 0(s) soft: 0(s)
current: 384(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 3 hard: 0 soft: 0
sadb_seq=1 pid=94060 refcnt=2
EDIT: btw it's an ALIX here. And no change with the current Beta (Sep. 26th, 14:06:31).
If there is a mismatch, why does it work with pfsense 2.1.5?
-
Here are my logs. 1.1.1.1 is the local side, 20.20.20.20 is the remote side.
2.2-BETA (amd64)
built on Sat Sep 27 14:17:44 CDT 2014
After setting sysctl net.inet.ipsec.debug=0xffffff this is from System/General:
Sep 27 22:49:38 ipsec_starter[13996]: Starting weakSwan 5.2.0 IPsec [starter]...
Sep 27 22:49:38 ipsec_starter[13996]: no netkey IPsec stack detected
Sep 27 22:49:38 ipsec_starter[13996]: no KLIPS IPsec stack detected
Sep 27 22:49:38 ipsec_starter[13996]: no known IPsec stack detected, ignoring!
Sep 27 22:49:38 check_reload_status: Restarting ipsec tunnels
Sep 27 22:49:38 ipsec_starter[14563]: charon (14770) started after 80 ms
Sep 27 22:49:38 ipsec_starter[14563]: notifying watcher failed: Bad file descriptor
Sep 27 22:49:38 ipsec_starter[14563]: 'con1' routed
Sep 27 22:49:38 ipsec_starter[14563]:
Sep 27 22:49:38 ipsec_starter[14563]: notifying watcher failed: Bad file descriptor
Sep 27 22:49:40 kernel: ipsec_common_input: no key association found for SA 1.1.1.1/3ee9146c/50
Sep 27 22:49:42 ipsec_starter[14563]: configuration 'con1' unrouted
Sep 27 22:49:42 ipsec_starter[14563]:
Sep 27 22:49:42 ipsec_starter[14563]: notifying watcher failed: Bad file descriptor
Sep 27 22:49:42 ipsec_starter[14563]: notifying watcher failed: Bad file descriptor
Sep 27 22:49:42 ipsec_starter[14563]: notifying watcher failed: Bad file descriptor
Sep 27 22:49:42 ipsec_starter[14563]: 'con1' routed
Sep 27 22:49:42 ipsec_starter[14563]:
Sep 27 22:49:42 ipsec_starter[14563]: notifying watcher failed: Bad file descriptor
Sep 27 22:49:42 check_reload_status: Reloading filter
Sep 27 22:49:45 kernel: ipsec_common_input: no key association found for SA 1.1.1.1/3ee9146c/50
Sep 27 22:49:46 kernel: esp_input_cb: authentication hash mismatch for packet in SA 1.1.1.1/c0955599
Sep 27 22:49:51 kernel: esp_input_cb: authentication hash mismatch for packet in SA 1.1.1.1/c0955599
Sep 27 22:49:54 php-fpm[10420]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
Sep 27 22:49:55 ipsec_starter[14563]: configuration 'con1' unrouted
Sep 27 22:49:55 ipsec_starter[14563]:
Sep 27 22:49:55 ipsec_starter[14563]: notifying watcher failed: Bad file descriptor
Sep 27 22:49:55 ipsec_starter[14563]: notifying watcher failed: Bad file descriptor
Sep 27 22:49:55 ipsec_starter[14563]: notifying watcher failed: Bad file descriptor
Sep 27 22:49:55 ipsec_starter[14563]: 'con1' routed
Sep 27 22:49:55 ipsec_starter[14563]:
Sep 27 22:49:55 ipsec_starter[14563]: notifying watcher failed: Bad file descriptor
Sep 27 22:49:55 kernel: ipsec_common_input: no key association found for SA 1.1.1.1/3ee9146c/50
Sep 27 22:49:56 kernel: esp_input_cb: authentication hash mismatch for packet in SA 1.1.1.1/c0955599
Sep 27 22:50:01 kernel: esp_input_cb: authentication hash mismatch for packet in SA 1.1.1.1/c0955599
Sep 27 22:50:05 kernel: ipsec_common_input: no key association found for SA 1.1.1.1/3ee9146c/50
Sep 27 22:50:06 kernel: esp_input_cb: authentication hash mismatch for packet in SA 1.1.1.1/c0955599
From IPSEC.log:
Sep 27 22:49:38 pfSense charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.2.0, FreeBSD 10.1-PRERELEASE, amd64)
Sep 27 22:49:38 pfSense charon: 00[KNL] unable to set UDP_ENCAP: Invalid argument
Sep 27 22:49:38 pfSense charon: 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
Sep 27 22:49:38 pfSense charon: 00[CFG] ipseckey plugin is disabled
Sep 27 22:49:38 pfSense charon: 00[CFG] loading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
Sep 27 22:49:38 pfSense charon: 00[CFG] loading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
Sep 27 22:49:38 pfSense charon: 00[CFG] loading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
Sep 27 22:49:38 pfSense charon: 00[CFG] loading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
Sep 27 22:49:38 pfSense charon: 00[CFG] loading crls from '/var/etc/ipsec/ipsec.d/crls'
Sep 27 22:49:38 pfSense charon: 00[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
Sep 27 22:49:38 pfSense charon: 00[CFG] loaded IKE secret for 20.20.20.20
Sep 27 22:49:38 pfSense charon: 00[CFG] opening triplet file /var/etc/ipsec/ipsec.d/triplets.dat failed: No such file or directory
Sep 27 22:49:38 pfSense charon: 00[CFG] loaded 0 RADIUS server configurations
Sep 27 22:49:38 pfSense charon: 00[LIB] loaded plugins: charon curl unbound aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-pfkey kernel-pfroute resolve socket-default stroke smp updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap whitelist addrblock
Sep 27 22:49:38 pfSense charon: 00[LIB] unable to load 6 plugin features (5 due to unmet dependencies)
Sep 27 22:49:38 pfSense charon: 00[JOB] spawning 16 worker threads
Sep 27 22:49:38 pfSense charon: 10[CFG] received stroke: add connection 'con1'
Sep 27 22:49:38 pfSense charon: 10[CFG] added configuration 'con1'
Sep 27 22:49:38 pfSense charon: 12[CFG] received stroke: route 'con1'
Sep 27 22:49:42 pfSense charon: 08[CFG] rereading secrets
Sep 27 22:49:42 pfSense charon: 08[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
Sep 27 22:49:42 pfSense charon: 08[CFG] loaded IKE secret for 20.20.20.20
Sep 27 22:49:42 pfSense charon: 08[CFG] rereading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
Sep 27 22:49:42 pfSense charon: 08[CFG] rereading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
Sep 27 22:49:42 pfSense charon: 08[CFG] rereading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
Sep 27 22:49:42 pfSense charon: 08[CFG] rereading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
Sep 27 22:49:42 pfSense charon: 08[CFG] rereading crls from '/var/etc/ipsec/ipsec.d/crls'
Sep 27 22:49:42 pfSense charon: 12[CFG] received stroke: unroute 'con1'
Sep 27 22:49:42 pfSense charon: 16[CFG] received stroke: delete connection 'con1'
Sep 27 22:49:42 pfSense charon: 16[CFG] deleted connection 'con1'
Sep 27 22:49:42 pfSense charon: 08[CFG] received stroke: add connection 'con1'
Sep 27 22:49:42 pfSense charon: 08[CFG] added configuration 'con1'
Sep 27 22:49:42 pfSense charon: 16[CFG] received stroke: route 'con1'
Sep 27 22:49:43 pfSense charon: 12[NET] received packet: from 20.20.20.20[500] to 1.1.1.1[500] (172 bytes)
Sep 27 22:49:43 pfSense charon: 12[ENC] parsed ID_PROT request 0 [ SA V V V V V ]
Sep 27 22:49:43 pfSense charon: 12[ENC] received unknown vendor ID: 5b:36:2b:c8:20:f6:00:07
Sep 27 22:49:43 pfSense charon: 12[IKE] <1> received NAT-T (RFC 3947) vendor ID
Sep 27 22:49:43 pfSense charon: 12[IKE] received NAT-T (RFC 3947) vendor ID
Sep 27 22:49:43 pfSense charon: 12[IKE] <1> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Sep 27 22:49:43 pfSense charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Sep 27 22:49:43 pfSense charon: 12[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Sep 27 22:49:43 pfSense charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Sep 27 22:49:43 pfSense charon: 12[IKE] <1> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Sep 27 22:49:43 pfSense charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Sep 27 22:49:43 pfSense charon: 12[IKE] <1> 20.20.20.20 is initiating a Main Mode IKE_SA
Sep 27 22:49:43 pfSense charon: 12[IKE] 20.20.20.20 is initiating a Main Mode IKE_SA
Sep 27 22:49:43 pfSense charon: 12[ENC] generating ID_PROT response 0 [ SA V V V ]
Sep 27 22:49:43 pfSense charon: 12[NET] sending packet: from 1.1.1.1[500] to 20.20.20.20[500] (132 bytes)
Sep 27 22:49:43 pfSense charon: 12[NET] received packet: from 20.20.20.20[500] to 1.1.1.1[500] (288 bytes)
Sep 27 22:49:43 pfSense charon: 12[ENC] parsed ID_PROT request 0 [ KE NAT-D NAT-D No V V V V ]
Sep 27 22:49:43 pfSense charon: 12[ENC] received unknown vendor ID: 40:4b:f4:39:52:2c:a3:f6
Sep 27 22:49:43 pfSense charon: 12[IKE] <1> received XAuth vendor ID
Sep 27 22:49:43 pfSense charon: 12[IKE] received XAuth vendor ID
Sep 27 22:49:43 pfSense charon: 12[ENC] received unknown vendor ID: da:8e:93:78:80:01:00:00
Sep 27 22:49:43 pfSense charon: 12[IKE] <1> received DPD vendor ID
Sep 27 22:49:43 pfSense charon: 12[IKE] received DPD vendor ID
Sep 27 22:49:43 pfSense charon: 12[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Sep 27 22:49:43 pfSense charon: 12[NET] sending packet: from 1.1.1.1[500] to 20.20.20.20[500] (244 bytes)
Sep 27 22:49:43 pfSense charon: 12[NET] received packet: from 20.20.20.20[500] to 1.1.1.1[500] (92 bytes)
Sep 27 22:49:43 pfSense charon: 12[ENC] parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Sep 27 22:49:43 pfSense charon: 12[CFG] looking for pre-shared key peer configs matching 1.1.1.1...20.20.20.20[20.20.20.20]
Sep 27 22:49:43 pfSense charon: 12[CFG] selected peer config "con1"
Sep 27 22:49:43 pfSense charon: 12[IKE] <con1|1> IKE_SA con1[1] established between 1.1.1.1[1.1.1.1]...20.20.20.20[20.20.20.20]
Sep 27 22:49:43 pfSense charon: 12[IKE] IKE_SA con1[1] established between 1.1.1.1[1.1.1.1]...20.20.20.20[20.20.20.20]
Sep 27 22:49:43 pfSense charon: 12[ENC] generating ID_PROT response 0 [ ID HASH ]
Sep 27 22:49:43 pfSense charon: 12[NET] sending packet: from 1.1.1.1[500] to 20.20.20.20[500] (68 bytes)
Sep 27 22:49:43 pfSense charon: 16[NET] received packet: from 20.20.20.20[500] to 1.1.1.1[500] (156 bytes)
Sep 27 22:49:43 pfSense charon: 16[ENC] parsed QUICK_MODE request 2144162142 [ HASH SA No ID ID ]
Sep 27 22:49:43 pfSense charon: 16[IKE] <con1|1> received 28800s lifetime, configured 0s
Sep 27 22:49:43 pfSense charon: 16[IKE] received 28800s lifetime, configured 0s
Sep 27 22:49:43 pfSense charon: 16[ENC] generating QUICK_MODE response 2144162142 [ HASH SA No ID ID ]
Sep 27 22:49:43 pfSense charon: 16[NET] sending packet: from 1.1.1.1[500] to 20.20.20.20[500] (172 bytes)
Sep 27 22:49:43 pfSense charon: 16[NET] received packet: from 20.20.20.20[500] to 1.1.1.1[500] (52 bytes)
Sep 27 22:49:43 pfSense charon: 16[ENC] parsed QUICK_MODE request 2144162142 [ HASH ]
Sep 27 22:49:43 pfSense charon: 16[IKE] <con1|1> CHILD_SA con1{1} established with SPIs c0955599_i ad77c3b1_o and TS 10.0.0.0/24|/0 === 192.168.93.0/24|/0
Sep 27 22:49:43 pfSense charon: 16[IKE] CHILD_SA con1{1} established with SPIs c0955599_i ad77c3b1_o and TS 10.0.0.0/24|/0 === 192.168.93.0/24|/0
Sep 27 22:49:53 pfSense charon: 16[IKE] <con1|1> sending DPD request
Sep 27 22:49:53 pfSense charon: 16[IKE] sending DPD request
Sep 27 22:49:53 pfSense charon: 16[ENC] generating INFORMATIONAL_V1 request 1145261094 [ HASH N(DPD) ]
Sep 27 22:49:53 pfSense charon: 16[NET] sending packet: from 1.1.1.1[500] to 20.20.20.20[500] (92 bytes)
Sep 27 22:49:53 pfSense charon: 16[NET] received packet: from 20.20.20.20[500] to 1.1.1.1[500] (84 bytes)
Sep 27 22:49:53 pfSense charon: 16[ENC] parsed INFORMATIONAL_V1 request 1340843437 [ HASH N(DPD_ACK) ]
Sep 27 22:49:55 pfSense charon: 12[CFG] rereading secrets
Sep 27 22:49:55 pfSense charon: 12[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
Sep 27 22:49:55 pfSense charon: 12[CFG] loaded IKE secret for 20.20.20.20
Sep 27 22:49:55 pfSense charon: 12[CFG] rereading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
Sep 27 22:49:55 pfSense charon: 12[CFG] rereading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
Sep 27 22:49:55 pfSense charon: 12[CFG] rereading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
Sep 27 22:49:55 pfSense charon: 12[CFG] rereading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
Sep 27 22:49:55 pfSense charon: 12[CFG] rereading crls from '/var/etc/ipsec/ipsec.d/crls'
Sep 27 22:49:55 pfSense charon: 16[CFG] received stroke: unroute 'con1'
Sep 27 22:49:55 pfSense charon: 12[CFG] received stroke: delete connection 'con1'
Sep 27 22:49:55 pfSense charon: 12[CFG] deleted connection 'con1'
Sep 27 22:49:55 pfSense charon: 16[CFG] received stroke: add connection 'con1'
Sep 27 22:49:55 pfSense charon: 16[CFG] added configuration 'con1'
Sep 27 22:49:55 pfSense charon: 12[CFG] received stroke: route 'con1'
Sep 27 22:50:03 pfSense charon: 12[IKE] <con1|1> sending DPD request
Sep 27 22:50:03 pfSense charon: 12[IKE] sending DPD request
Sep 27 22:50:03 pfSense charon: 12[ENC] generating INFORMATIONAL_V1 request 3097320797 [ HASH N(DPD) ]
Sep 27 22:50:03 pfSense charon: 12[NET] sending packet: from 1.1.1.1[500] to 20.20.20.20[500] (92 bytes)
Sep 27 22:50:03 pfSense charon: 12[NET] received packet: from 20.20.20.20[500] to 1.1.1.1[500] (84 bytes)
Sep 27 22:50:03 pfSense charon: 12[ENC] parsed INFORMATIONAL_V1 request 673394272 [ HASH N(DPD_ACK) ]
Sep 27 22:50:13 pfSense charon: 16[IKE] <con1|1> sending DPD request
Sep 27 22:50:13 pfSense charon: 16[IKE] sending DPD request
Sep 27 22:50:13 pfSense charon: 16[ENC] generating INFORMATIONAL_V1 request 2063326953 [ HASH N(DPD) ]
Sep 27 22:50:13 pfSense charon: 16[NET] sending packet: from 1.1.1.1[500] to 20.20.20.20[500] (92 bytes)
Sep 27 22:50:13 pfSense charon: 16[NET] received packet: from 20.20.20.20[500] to 1.1.1.1[500] (84 bytes)
Sep 27 22:50:13 pfSense charon: 16[ENC] parsed INFORMATIONAL_V1 request 1995717824 [ HASH N(DPD_ACK) ]
Sep 27 22:50:23 pfSense charon: 16[IKE] <con1|1> sending DPD request
Sep 27 22:50:23 pfSense charon: 16[IKE] sending DPD request
Sep 27 22:50:23 pfSense charon: 16[ENC] generating INFORMATIONAL_V1 request 4185681833 [ HASH N(DPD) ]
Sep 27 22:50:23 pfSense charon: 16[NET] sending packet: from 1.1.1.1[500] to 20.20.20.20[500] (92 bytes)
Sep 27 22:50:23 pfSense charon: 16[NET] received packet: from 20.20.20.20[500] to 1.1.1.1[500] (84 bytes)
Sep 27 22:50:23 pfSense charon: 16[ENC] parsed INFORMATIONAL_V1 request 599170903 [ HASH N(DPD_ACK) ]
Sep 27 22:50:33 pfSense charon: 16[IKE] <con1|1> sending DPD request
Sep 27 22:50:33 pfSense charon: 16[IKE] sending DPD request
Sep 27 22:50:33 pfSense charon: 16[ENC] generating INFORMATIONAL_V1 request 1518877182 [ HASH N(DPD) ]
Sep 27 22:50:33 pfSense charon: 16[NET] sending packet: from 1.1.1.1[500] to 20.20.20.20[500] (92 bytes)
Sep 27 22:50:33 pfSense charon: 16[NET] received packet: from 20.20.20.20[500] to 1.1.1.1[500] (84 bytes)
Sep 27 22:50:33 pfSense charon: 16[ENC] parsed INFORMATIONAL_V1 request 1140437225 [ HASH N(DPD_ACK) ]
Sep 27 22:50:43 pfSense charon: 16[IKE] <con1|1> sending DPD request
Sep 27 22:50:43 pfSense charon: 16[IKE] sending DPD request
Sep 27 22:50:43 pfSense charon: 16[ENC] generating INFORMATIONAL_V1 request 2083770508 [ HASH N(DPD) ]
Sep 27 22:50:43 pfSense charon: 16[NET] sending packet: from 1.1.1.1[500] to 20.20.20.20[500] (92 bytes)
Sep 27 22:50:43 pfSense charon: 16[NET] received packet: from 20.20.20.20[500] to 1.1.1.1[500] (84 bytes)
Sep 27 22:50:43 pfSense charon: 16[ENC] parsed INFORMATIONAL_V1 request 1134437330 [ HASH N(DPD_ACK) ]
Sep 27 22:50:53 pfSense charon: 14[IKE] <con1|1> sending DPD request
Sep 27 22:50:53 pfSense charon: 14[IKE] sending DPD request
Sep 27 22:50:53 pfSense charon: 14[ENC] generating INFORMATIONAL_V1 request 1556314298 [ HASH N(DPD) ]
Sep 27 22:50:53 pfSense charon: 14[NET] sending packet: from 1.1.1.1[500] to 20.20.20.20[500] (92 bytes)
Sep 27 22:50:53 pfSense charon: 14[NET] received packet: from 20.20.20.20[500] to 1.1.1.1[500] (84 bytes)
Sep 27 22:50:53 pfSense charon: 14[ENC] parsed INFORMATIONAL_V1 request 1840007776 [ HASH N(DPD_ACK) ]
Sep 27 22:51:03 pfSense charon: 16[IKE] <con1|1> sending DPD request
Sep 27 22:51:03 pfSense charon: 16[IKE] sending DPD request
Sep 27 22:51:03 pfSense charon: 16[ENC] generating INFORMATIONAL_V1 request 4016897296 [ HASH N(DPD) ]
Sep 27 22:51:03 pfSense charon: 16[NET] sending packet: from 1.1.1.1[500] to 20.20.20.20[500] (92 bytes)
Sep 27 22:51:03 pfSense charon: 14[NET] received packet: from 20.20.20.20[500] to 1.1.1.1[500] (84 bytes)
Sep 27 22:51:03 pfSense charon: 14[ENC] parsed INFORMATIONAL_V1 request 3484202734 [ HASH N(DPD_ACK) ]
Sep 27 22:51:13 pfSense charon: 14[IKE] <con1|1> sending DPD request
Sep 27 22:51:13 pfSense charon: 14[IKE] sending DPD request
Sep 27 22:51:13 pfSense charon: 14[ENC] generating INFORMATIONAL_V1 request 1002893300 [ HASH N(DPD) ]
Sep 27 22:51:13 pfSense charon: 14[NET] sending packet: from 1.1.1.1[500] to 20.20.20.20[500] (92 bytes)
Sep 27 22:51:13 pfSense charon: 14[NET] received packet: from 20.20.20.20[500] to 1.1.1.1[500] (84 bytes)
Sep 27 22:51:13 pfSense charon: 14[ENC] parsed INFORMATIONAL_V1 request 3871001919 [ HASH N(DPD_ACK) ]
Sep 27 22:51:23 pfSense charon: 14[IKE] <con1|1> sending DPD request
Sep 27 22:51:23 pfSense charon: 14[IKE] sending DPD request
Sep 27 22:51:23 pfSense charon: 14[ENC] generating INFORMATIONAL_V1 request 3614863798 [ HASH N(DPD) ]
Sep 27 22:51:23 pfSense charon: 14[NET] sending packet: from 1.1.1.1[500] to 20.20.20.20[500] (92 bytes)
Sep 27 22:51:23 pfSense charon: 14[NET] received packet: from 20.20.20.20[500] to 1.1.1.1[500] (84 bytes)
Sep 27 22:51:23 pfSense charon: 14[ENC] parsed INFORMATIONAL_V1 request 2932684252 [ HASH N(DPD_ACK) ]
Sep 27 22:51:33 pfSense charon: 14[IKE] <con1|1> sending DPD request
Sep 27 22:51:33 pfSense charon: 14[IKE] sending DPD request
Sep 27 22:51:33 pfSense charon: 14[ENC] generating INFORMATIONAL_V1 request 84044987 [ HASH N(DPD) ]
Sep 27 22:51:33 pfSense charon: 14[NET] sending packet: from 1.1.1.1[500] to 20.20.20.20[500] (92 bytes)
Sep 27 22:51:33 pfSense charon: 14[NET] received packet: from 20.20.20.20[500] to 1.1.1.1[500] (84 bytes)
Sep 27 22:51:33 pfSense charon: 14[ENC] parsed INFORMATIONAL_V1 request 4083742301 [ HASH N(DPD_ACK) ]
Sep 27 22:51:43 pfSense charon: 14[IKE] <con1|1> sending DPD request
Sep 27 22:51:43 pfSense charon: 14[IKE] sending DPD request
Sep 27 22:51:43 pfSense charon: 14[ENC] generating INFORMATIONAL_V1 request 2471563641 [ HASH N(DPD) ]
Sep 27 22:51:43 pfSense charon: 14[NET] sending packet: from 1.1.1.1[500] to 20.20.20.20[500] (92 bytes)
Sep 27 22:51:43 pfSense charon: 14[NET] received packet: from 20.20.20.20[500] to 1.1.1.1[500] (84 bytes)
Sep 27 22:51:43 pfSense charon: 14[ENC] parsed INFORMATIONAL_V1 request 1137160689 [ HASH N(DPD_ACK) ]
Sep 27 22:51:53 pfSense charon: 06[IKE] <con1|1> sending DPD request
Sep 27 22:51:53 pfSense charon: 06[IKE] sending DPD request
Sep 27 22:51:53 pfSense charon: 06[ENC] generating INFORMATIONAL_V1 request 3457650075 [ HASH N(DPD) ]
Sep 27 22:51:53 pfSense charon: 06[NET] sending packet: from 1.1.1.1[500] to 20.20.20.20[500] (92 bytes)
Sep 27 22:51:53 pfSense charon: 06[NET] received packet: from 20.20.20.20[500] to 1.1.1.1[500] (84 bytes)
Sep 27 22:51:53 pfSense charon: 06[ENC] parsed INFORMATIONAL_V1 request 3228163712 [ HASH N(DPD_ACK) ]
Sep 27 22:52:03 pfSense charon: 02[IKE] <con1|1> sending DPD request
Sep 27 22:52:03 pfSense charon: 02[IKE] sending DPD request
Sep 27 22:52:03 pfSense charon: 02[ENC] generating INFORMATIONAL_V1 request 1000037337 [ HASH N(DPD) ]
Sep 27 22:52:03 pfSense charon: 02[NET] sending packet: from 1.1.1.1[500] to 20.20.20.20[500] (92 bytes)
Sep 27 22:52:03 pfSense charon: 02[NET] received packet: from 20.20.20.20[500] to 1.1.1.1[500] (84 bytes)
Sep 27 22:52:03 pfSense charon: 02[ENC] parsed INFORMATIONAL_V1 request 2527782488 [ HASH N(DPD_ACK) ]
The following line is repeated at the end of dmesg every few seconds after the connection is established:
esp_input_cb: authentication hash mismatch for packet in SA 1.1.1.1/c0955599
esp_input_cb: authentication hash mismatch for packet in SA 1.1.1.1/c0955599
esp_input_cb: authentication hash mismatch for packet in SA 1.1.1.1/c0955599
Output from setkey -D:
$ setkey -D
1.1.1.1 20.20.20.20
esp mode=tunnel spi=2910307249(0xad77c3b1) reqid=1(0x00000001)
E: 3des-cbc b012ff19 87901ab8 2bfdd330 02a997e7 45960d5b c572d045
A: hmac-sha1 139ac587 d63802b0 057f2067 51fcfdbd f2e41f4d
seq=0x0000005f replay=32 flags=0x00000000 state=mature
created: Sep 27 22:49:43 2014 current: Sep 27 22:56:59 2014
diff: 436(s) hard: 0(s) soft: 0(s)
last: Sep 27 22:56:58 2014 hard: 0(s) soft: 0(s)
current: 11328(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 95 hard: 0 soft: 0
sadb_seq=1 pid=41312 refcnt=2
20.20.20.20 1.1.1.1
esp mode=any spi=3231012249(0xc0955599) reqid=1(0x00000001)
E: 3des-cbc 827783e0 a836349a 6dcfc676 f1d3f25b 735754f9 0c6d828c
A: hmac-sha1 bca330a7 1d3cf511 82b91a5e 5bb716d6 946bd2eb
seq=0x00000000 replay=32 flags=0x00000000 state=mature
created: Sep 27 22:49:43 2014 current: Sep 27 22:56:59 2014
diff: 436(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=0 pid=41312 refcnt=1
-
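The post above collects the three artefacts a pfSense 2.2 operator has when the tunnel is "established" but nothing flows: the charon log (IKE_SA and CHILD_SA established, DPD answered), the kernel messages from dmesg -a (esp_input_cb hash mismatch, ipsec_common_input no key association, esp_input payload not a multiple of the block size) and the kernel SAD from setkey -D. The script below is an added example written for this thread, not pfSense or strongSwan code: it parses setkey -D output and the kernel lines, then correlates them by (address, SPI) so that the inbound SA's byte and packet counters are reported next to the integrity failures the kernel logged against that same SPI. The sample input is constructed from the output posted in this thread (key material included as posted); the local address 1.1.1.1, the finding codes and every function and field name are this example's own.

```python
"""Triage for an IPsec tunnel that is 'established' but moves no traffic. Added
example for this thread, not pfSense or strongSwan code: it parses `setkey -D`
output and the ESP kernel messages from `dmesg -a`, then correlates them by
(address, SPI). Samples are constructed from output posted in this thread; the
local address 1.1.1.1 and every name below are this example's own."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SETKEY_SAMPLE = """\
1.1.1.1 20.20.20.20
\tesp mode=tunnel spi=2910307249(0xad77c3b1) reqid=1(0x00000001)
\tE: 3des-cbc b012ff19 87901ab8 2bfdd330 02a997e7 45960d5b c572d045
\tA: hmac-sha1 139ac587 d63802b0 057f2067 51fcfdbd f2e41f4d
\tcreated: Sep 27 22:49:43 2014\tcurrent: Sep 27 22:56:59 2014
\tcurrent: 11328(bytes)\thard: 0(bytes)\tsoft: 0(bytes)
\tallocated: 95\thard: 0\tsoft: 0
20.20.20.20 1.1.1.1
\tesp mode=any spi=3231012249(0xc0955599) reqid=1(0x00000001)
\tE: 3des-cbc 827783e0 a836349a 6dcfc676 f1d3f25b 735754f9 0c6d828c
\tA: hmac-sha1 bca330a7 1d3cf511 82b91a5e 5bb716d6 946bd2eb
\tcurrent: 0(bytes)\thard: 0(bytes)\tsoft: 0(bytes)
\tallocated: 0\thard: 0\tsoft: 0
"""
DMESG_SAMPLE = """\
ipsec_common_input: no key association found for SA 1.1.1.1/3ee9146c/50
esp_input_cb: authentication hash mismatch for packet in SA 1.1.1.1/c0955599
esp_input_cb: authentication hash mismatch for packet in SA 1.1.1.1/c0955599
esp_input: payload of 76 octets not a multiple of 16 octets, SA 1.1.1.1/c3aa20e4
"""

@dataclass
class SA:
    src: str
    dst: str
    spi: int
    mode: str
    enc: str = ""
    auth: str = ""
    current: int = 0    # setkey "current: N(bytes)": bytes processed on this SA
    allocated: int = 0  # setkey "allocated: N": packets processed on this SA

ADDR_PAIR = re.compile(r"^([0-9a-fA-F.:]+)\s+([0-9a-fA-F.:]+)$")
ESP_HDR = re.compile(r"^esp mode=(\w+) spi=\d+\(0x([0-9a-fA-F]+)\)")
ALG = re.compile(r"^([EA]): (\S+)")                   # E: cipher, A: integrity algorithm
COUNTER = re.compile(r"^(current|allocated): (\d+)")  # "current: Sep 27 ..." (a timestamp) does not match
# ESP input failures as the FreeBSD kernel prints them (group 1 = dst address, group 2 = SPI),
# with what each one means for the SA the packet was addressed to.
KERNEL_MSGS = {
    "icv_mismatch": (re.compile(r"esp_input_cb: authentication hash mismatch for packet in SA (\S+)/([0-9a-fA-F]+)"),
                     "failed the integrity check: key/algorithm here and at the peer disagree, or the packets are corrupt"),
    "unknown_spi": (re.compile(r"ipsec_common_input: no key association found for SA (\S+)/([0-9a-fA-F]+)/\d+"),
                    "carried an SPI the kernel has no SA for (deleted, rekeyed, or never installed)"),
    "bad_length": (re.compile(r"esp_input: payload of \d+ octets not a multiple of \d+ octets, SA (\S+)/([0-9a-fA-F]+)"),
                   "had a payload that is not a multiple of the cipher block size"),
}

def parse_setkey(text: str) -> List[SA]:
    """One SA record per 'src dst' block of `setkey -D` output."""
    sas: List[SA] = []
    pair: Optional[Tuple[str, str]] = None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := ADDR_PAIR.match(line):
            pair = (m.group(1), m.group(2))
        elif (m := ESP_HDR.match(line)) and pair:
            sas.append(SA(pair[0], pair[1], int(m.group(2), 16), m.group(1)))
        elif sas and (m := ALG.match(line)):
            setattr(sas[-1], {"E": "enc", "A": "auth"}[m.group(1)], m.group(2))
        elif sas and (m := COUNTER.match(line)):
            setattr(sas[-1], m.group(1), int(m.group(2)))
    return sas

def parse_dmesg(text: str) -> Dict[str, Counter]:
    """Count each kind of ESP input failure per (dst address, SPI)."""
    events: Dict[str, Counter] = {code: Counter() for code in KERNEL_MSGS}
    for line in text.splitlines():
        for code, (rx, _) in KERNEL_MSGS.items():
            if m := rx.search(line):
                events[code][(m.group(1), int(m.group(2), 16))] += 1
    return events

def triage(local_ip: str, sas: List[SA], events: Dict[str, Counter]) -> List[Tuple[str, int, str]]:
    """Return (code, spi, message) findings. Inbound SAs have dst == local_ip, and the
    kernel names that same dst/SPI in its messages, so the two sources join on it."""
    out: List[Tuple[str, int, str]] = []
    for s in sas:
        tag = f"{'inbound' if s.dst == local_ip else 'outbound'} SPI 0x{s.spi:08x} ({s.enc}/{s.auth}, mode={s.mode})"
        if s.allocated == 0 and s.current == 0:
            out.append(("no_traffic", s.spi, f"{tag}: counters are zero, no packet was ever processed on it"))
        else:
            out.append(("active", s.spi, f"{tag}: {s.allocated} packets / {s.current} bytes processed"))
        if s.mode == "any":
            out.append(("mode_any", s.spi, f"{tag}: installed without an explicit tunnel/transport mode"))
        for code, (_, why) in KERNEL_MSGS.items():
            if n := events[code].get((s.dst, s.spi), 0):
                out.append((code, s.spi, f"{tag}: {n} packets {why}"))
    known = {(s.dst, s.spi) for s in sas}
    for code, counter in events.items():
        for (addr, spi), n in counter.items():
            if (addr, spi) not in known:
                out.append((code, spi, f"SPI 0x{spi:08x} to {addr} (not in the SAD): {n} packets {KERNEL_MSGS[code][1]}"))
    return out
```

Capture setkey -D and dmesg -a on the firewall, feed the two texts to parse_setkey and parse_dmesg, and print the tuples returned by triage("<your WAN address>", sas, events); the script needs only Python 3.8+ and can run off the box. On the posted data it reports the outbound SA 0xad77c3b1 as active (95 packets sent), the inbound SA 0xc0955599 as mode=any with zero packets ever processed while the kernel counts integrity-check failures against that very SPI, and SPI 0x3ee9146c as one the kernel has no SA for at all. That combination tells you the peer is sending ESP and the packets do reach the kernel, so the place to look is what was installed into the SAD for the inbound direction, not the firewall rules.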
This is the link to the pfSense 2.2 update firmware for the i386 platform, built on August 18 2014, that makes IPsec VPN connections work. I had been running this snapshot for my VPN connections and it just works fine and stably.
I uploaded this to MediaFire since I could not find it on the pfSense 2.2 site any more.
http://www.mediafire.com/download/qfgr99ylp71fu9d/pfSense-Full-Update-2.2-DEVELOPMENT-i386-20140818-0926.tgz
All your configs should still remain. You should check the "Perform full backup prior to upgrade" option so you can switch back to the current snapshot later. And of course, you should run this update successfully on a lab device before deploying it on production!
Updated: Added the same update firmware build for the amd64 platform (same functionality).
-
Can you confirm that for the ones that do not work you are using a *DES encryption type for phase 2?
-
Yes, I'm sure that I'm using 3DES for both phase 1 and phase 2. With the same VPN config, when I upgrade to a newer version, even the latest 2.2 beta version today, the VPN stops working (cannot ping the peer IP) though it shows the VPN as connected. When I switch back to the alpha version built on 08.18.2014, everything is OK. I saw that some people, hehe, had been in the same situation as me. In the last 3 weeks I've paid for an APU from Netgate and tested it with the 64-bit 4G nanobsd image on an SD card (the pfSense firmware downloaded from the Netgate site is version 2.1.5). The pfSense 2.1.5 release always works great, including IPsec VPN, at least for me. Then I upgraded it to the 2.2 beta version and got the same IPsec VPN connection errors as when installing the full-image 2.2 beta version on i386 and amd64 PC servers.
-
OK, probably some patches on ipsec that are in 2.2 might impact 3DES.
I have not tested much on DES since AES is mostly recommended nowadays :) -
@ermal:
OK, probably some patches on ipsec that are in 2.2 might impact 3DES.
I have not tested much on DES since AES is mostly recommended nowadays :)
My tunnels use AES … and also don't ping ::)
-
@sgw:
@ermal:
OK, probably some patches on ipsec that are in 2.2 might impact 3DES.
I have not tested much on DES since AES is mostly recommended nowadays :)
My tunnels use AES … and also don't ping ::)
Same, I tested 3DES and AES, no difference. IKEv1 and v2, no difference either.
-
Same, I tested 3DES and AES, no difference. IKEv1 and v2, no difference either.
Yes, same here.