Problem with IPsec in main mode



  • Hi,
    I have 2 pfSense installs (both have the 1.2 release).
    I have set up a VPN channel in aggressive mode and it works fine.
    But if I change this to main (only this change, all the remaining config is the same) then I have these errors:

    racoon: ERROR: phase1 negotiation failed.
    racoon: ERROR: failed to process packet.
    racoon: ERROR: couldn't find the pskey for 88.88.88.88.
    racoon: INFO: received Vendor ID: DPD
    racoon: INFO: begin Identity Protection mode.
    racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 77.77.77.77[500]<=>88.88.88.88[500]
    

    On the client side the logs are:

    racoon: ERROR: phase1 negotiation failed due to time up. 262dd3c71e164259:7449f4a01dabf8d9
    racoon: []: INFO: phase2 sa deleted 88.88.88.88-77.77.77.77
    racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
    racoon: []: INFO: phase2 sa expired 88.88.88.88-77.77.77.77
    racoon: []: INFO: phase2 sa deleted 88.88.88.88-77.77.77.77
    racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
    racoon: []: INFO: phase2 sa expired 88.88.88.88-77.77.77.77
    racoon: INFO: received Vendor ID: DPD
    racoon: INFO: begin Identity Protection mode.
    racoon: []: INFO: initiate new phase 1 negotiation: 88.88.88.88[500]<=>77.77.77.77[500]
    racoon: []: INFO: IPsec-SA request for 77.77.77.77 queued due to no phase1 found.
    racoon: INFO: delete phase 2 handler.
    racoon: []: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 77.77.77.77[0]->88.88.88.88[0]
    racoon: ERROR: phase1 negotiation failed due to time up. e6fb5d325ef6d5a4:48cad08db515f094
    

    The server 88.88.88.88 has a dynamic IP.
    My config is: main-3des-md5-dh2-lifetime8000-preshared_key-ESP-pfs_off.
    I hope my config is OK because if I change only main to aggressive on both servers the VPN works fine.



  • For my tests, dynamic endpoints and main mode are not working.

    greetings
    heiko



  • @heiko:

    For my tests, dynamic endpoints and main mode are not working.

    greetings
    heiko

    Oh, so it is a bug.
    Have you tested this in previous versions? Do all versions have this problem?



  • What do you mean by "all versions"? You have to choose only the 1.2 release, or do you mean beta, rcxx etc.?

    Static endpoints and main mode work fine and stable.
    But maybe the other folks here have tested it successfully... Could be!

    Greetings
    Heiko



  • @heiko:

    What do you mean by "all versions"? You have to choose only the 1.2 release, or do you mean beta, rcxx etc.?

    Static endpoints and main mode work fine and stable.
    But maybe the other folks here have tested it successfully... Could be!

    Greetings
    Heiko

    Yes, I mean 1.0.1 and the beta and RC.
    Have you tried having mobile clients with aggressive and static with main on the same server? Is it possible?
    Thanks for all the help.



  • 1.0.1 and the other versions aren't supported…

    http://blog.pfsense.org/?p=170

    Support for previous versions

    1.2 is the only supported pfSense version. No previous releases will receive any bug fix updates nor any future security updates. 1.2 is significantly more stable than past release versions, and we strongly recommend everyone make plans to upgrade. There are systems out there with several years of uptime running very early alpha pfSense releases that are stable, but we advise against that.

    Yes, if the pfSense WAN is static, you can have mixed main and aggressive tunnels.

    Please look also here http://doc.pfsense.org/index.php/VPN_Capability_IPSec

    Greetings
    Heiko
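The two behaviours this thread describes, side by side, as an added example that is not part of the original posts and is not the configuration pfSense 1.2 generates: a hand-written racoon.conf for the static gateway 77.77.77.77 with one main-mode peer at a fixed address and one aggressive-mode peer whose address is not known in advance, plus the matching psk.txt. The peer address 10.0.0.1, the FQDNs, the secrets and the file path are assumptions. In main mode (racoon's "Identity Protection mode") the responder has to pick the pre-shared key by the initiator's source address, because the initiator's ID payload only arrives after the Diffie-Hellman exchange and the key is already needed to derive the material that protects it; a peer whose current address is not in psk.txt therefore fails with "couldn't find the pskey for <address>", the error in the first post. In aggressive mode the ID travels in the initiator's first message, so the key can be selected by identifier and the peer's address can be anything.

```conf
# racoon.conf (added example; hypothetical hostnames, addresses and paths)
# 77.77.77.77 is the static responder from the thread.
path pre_shared_key "/etc/racoon/psk.txt";

# Main mode peer: the key is looked up by the peer's address, so the address
# must be fixed and listed in psk.txt.  Hypothetical static peer 10.0.0.1.
remote 10.0.0.1 {
        exchange_mode main;
        my_identifier address;
        peers_identifier address;
        proposal_check obey;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group 2;
                lifetime time 8000 sec;
        }
}

# Aggressive mode peer: the initiator's ID is in its first message, so the
# key is looked up by FQDN and the source address may change (dynamic IP).
remote anonymous {
        exchange_mode aggressive;
        my_identifier fqdn "gw.example.net";
        peers_identifier fqdn "roadwarrior.example.net";
        proposal_check obey;
        generate_policy on;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group 2;
                lifetime time 8000 sec;
        }
}

# Phase 2 for both peers: ESP 3DES/HMAC-MD5; no pfs_group line means PFS off,
# matching the poster's "ESP-pfs_off".
sainfo anonymous {
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}

# /etc/racoon/psk.txt (owner root, mode 0600): identifier, whitespace, key.
# The main-mode entry is keyed by address, the aggressive-mode entry by FQDN.
#
# 10.0.0.1                  ChangeMeStaticPeerSecret
# roadwarrior.example.net   ChangeMeRoadwarriorSecret
```

The proposal values mirror the original poster's "main-3des-md5-dh2-lifetime8000-preshared_key"; a pfSense 1.2 box writes its own racoon.conf from the GUI, so this file is only for reading the difference, not for dropping onto the firewall. One caveat that a reviewer would raise on the aggressive-mode block: the identities go out in the clear and the PSK-based authentication hash is sent before any encryption is in place, so a pre-shared key used this way must be long and random, since anyone who captures the exchange can attack it offline.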



  • I have seen that error before when the ends of the tunnel are mismatched, one being main and the other aggressive. I have seen it when I am first setting up the IPsec connections between Symantec, Linksys, & Netgear boxes.
    RC

