Netgate Discussion Forum
    IPSec fails after upgrade to 2.2RC (from 2.1.5) - SOLVED
    Category: 2.2 Snapshot Feedback and Problems - RETIRED
    9 Posts 3 Posters 9.1k Views

    shade

      Hello,

      I have just upgraded to 2.2RC to help test it out.

      With a working IPSec login from 2.1.5, it fails on 2.2 with the following error in the logs:

      Dec 11 02:06:55 charon: 06[KNL] creating acquire job for policy X.X.X.X/32|/0 === Y.Y.Y.Y/32|/0 with reqid {1}
      Dec 11 02:06:55 charon: 16[IKE] <con1|1>initiating Main Mode IKE_SA con1[1] to Y.Y.Y.Y
      Dec 11 02:06:55 charon: 16[IKE] initiating Main Mode IKE_SA con1[1] to Y.Y.Y.Y
      Dec 11 02:06:55 charon: 16[ENC] generating ID_PROT request 0 [ SA V V V V V V ]
      Dec 11 02:06:55 charon: 16[NET] sending packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (200 bytes)
      Dec 11 02:06:59 charon: 16[IKE] <con1|1>sending retransmit 1 of request message ID 0, seq 1
      Dec 11 02:06:59 charon: 16[IKE] sending retransmit 1 of request message ID 0, seq 1
      Dec 11 02:06:59 charon: 16[NET] sending packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (200 bytes)
      Dec 11 02:07:06 charon: 16[IKE] <con1|1>sending retransmit 2 of request message ID 0, seq 1
      Dec 11 02:07:06 charon: 16[IKE] sending retransmit 2 of request message ID 0, seq 1
      Dec 11 02:07:06 charon: 16[NET] sending packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (200 bytes)
      Dec 11 02:07:19 charon: 06[IKE] <con1|1>sending retransmit 3 of request message ID 0, seq 1
      Dec 11 02:07:19 charon: 06[IKE] sending retransmit 3 of request message ID 0, seq 1
      Dec 11 02:07:19 charon: 06[NET] sending packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (200 bytes)
      Dec 11 02:07:27 charon: 06[KNL] creating acquire job for policy X.X.X.X/32|/0 === Y.Y.Y.Y/32|/0 with reqid {1}
      Dec 11 02:07:27 charon: 14[CFG] ignoring acquire, connection attempt pending
      Dec 11 02:07:43 charon: 14[IKE] <con1|1>sending retransmit 4 of request message ID 0, seq 1
      Dec 11 02:07:43 charon: 14[IKE] sending retransmit 4 of request message ID 0, seq 1
      Dec 11 02:07:43 charon: 14[NET] sending packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (200 bytes)
      Dec 11 02:08:25 charon: 14[IKE] <con1|1>sending retransmit 5 of request message ID 0, seq 1
      Dec 11 02:08:25 charon: 14[IKE] sending retransmit 5 of request message ID 0, seq 1
      Dec 11 02:08:25 charon: 14[NET] sending packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (200 bytes)
      Dec 11 02:09:40 charon: 14[IKE] <con1|1>giving up after 5 retransmits
      Dec 11 02:09:40 charon: 14[IKE] giving up after 5 retransmits

      If I downgrade to 2.1.5 it works again; it is an IPSec tunnel between 2 pfSense boxes.

        cmb

        What does the log on the other end show? What is your config like?

          shade

          The other end shows:

          Dec 11 04:02:14 racoon: [VPN Tunnel]: [X.X.X.X] ERROR: phase1 negotiation failed.
          Dec 11 04:02:14 racoon: [VPN Tunnel]: [X.X.X.X] ERROR: failed to pre-process ph1 packet [Check Phase 1 settings, lifetime, algorithm] (side: 1, status 1).
          Dec 11 04:02:14 racoon: [VPN Tunnel]: [X.X.X.X] ERROR: failed to get valid proposal.
          Dec 11 04:02:14 racoon: ERROR: no suitable proposal found.
          Dec 11 04:02:14 racoon: ERROR: invalid life duration.
          Dec 11 04:02:14 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
          Dec 11 04:02:14 racoon: INFO: received Vendor ID: RFC 3947
          Dec 11 04:02:14 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
          Dec 11 04:02:14 racoon: INFO: received Vendor ID: CISCO-UNITY
          Dec 11 04:02:14 racoon: INFO: received Vendor ID: DPD
          Dec 11 04:02:14 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
          Dec 11 04:02:14 racoon: INFO: begin Identity Protection mode.
          Dec 11 04:02:14 racoon: [VPN Tunnel]: INFO: respond new phase 1 negotiation: Y.Y.Y.Y[500]<=>X.X.X.X[500]

          Config is:

          Mutual PSK
          Main mode
          AES encryption
          MD5 hash

            cmb

            Does your phase 1 on the 2.2 side have "Disable Rekey" checked? The "invalid life duration" is the issue, which is probably from having a 0 lifetime sent, which only seems to happen when rekeying is disabled on IKEv1. What is the lifetime configured as on your P1 and P2?

              shade
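As an added example (not code from the thread or from pfSense), the following correlates the two log excerpts above: the strongSwan initiator giving up after its Main Mode retransmits, and the racoon responder rejecting the proposal with "invalid life duration". The sample lines are constructed from the thread, and the `phase1_lifetime_ok` check encodes the assumption cmb describes: an IKEv1 Phase 1 with "Disable Rekey" checked ends up proposing a 0 lifetime.

```python
import re

# Constructed sample lines, abbreviated from the two log excerpts in this thread.
INITIATOR_LOG = """\
Dec 11 02:06:55 charon: 16[IKE] <con1|1>initiating Main Mode IKE_SA con1[1] to Y.Y.Y.Y
Dec 11 02:06:59 charon: 16[IKE] <con1|1>sending retransmit 1 of request message ID 0, seq 1
Dec 11 02:09:40 charon: 14[IKE] <con1|1>giving up after 5 retransmits
"""
RESPONDER_LOG = """\
Dec 11 04:02:14 racoon: INFO: begin Identity Protection mode.
Dec 11 04:02:14 racoon: ERROR: invalid life duration.
Dec 11 04:02:14 racoon: ERROR: no suitable proposal found.
Dec 11 04:02:14 racoon: [VPN Tunnel]: [X.X.X.X] ERROR: phase1 negotiation failed.
"""

# Matches charon's "<conn|id>giving up after N retransmits" (with or without a space).
GIVE_UP = re.compile(r"<(?P<conn>[^|>]+)\|\d+>\s*giving up after (?P<n>\d+) retransmits")


def diagnose(initiator_log: str, responder_log: str) -> dict:
    """Correlate strongSwan (initiator) and racoon (responder) lines for the
    IKEv1 Main Mode failure pattern seen in this thread."""
    result = {"initiator_gave_up": None, "responder_rejected_lifetime": False, "verdict": "no match"}
    for line in initiator_log.splitlines():
        m = GIVE_UP.search(line)
        if m:
            result["initiator_gave_up"] = (m.group("conn"), int(m.group("n")))
    resp = responder_log.lower()
    if "invalid life duration" in resp and "no suitable proposal found" in resp:
        result["responder_rejected_lifetime"] = True
    if result["initiator_gave_up"] and result["responder_rejected_lifetime"]:
        result["verdict"] = ("phase 1 proposal rejected for its lifetime; on the 2.2 initiator "
                             "check that 'Disable Rekey' is unchecked and the P1 lifetime is > 0")
    elif result["initiator_gave_up"]:
        result["verdict"] = "initiator got no reply; check responder reachability on UDP 500 and its log"
    return result


def phase1_lifetime_ok(lifetime: int, disable_rekey: bool, ikev: int = 1) -> bool:
    """Assumed config check (hypothetical helper, not a pfSense API): an IKEv1 P1
    must carry a positive lifetime, and per this thread a checked 'Disable Rekey'
    on IKEv1 leads to a 0 lifetime being sent."""
    return lifetime > 0 and not (ikev == 1 and disable_rekey)
```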

              Yes, "Disable Rekey" is checked on the 2.2 side.

              Lifetime is 28800.

              I removed the checkmark in "Disable Rekey" and kept it in "Disable ReAuth"; now it connects and it seems to work. Will test all 4 P2 tunnels.

                cmb

                Both disable rekey and disable reauth should be unchecked by default and remain that way for existing configs.

                  shade

                  With both those options unchecked, all P2 tunnels to 4 different subnets work :)

                  There is only one thing that doesn't work, but I think the problem is related to the DNS resolver and not IPsec itself. After the upgrade (and also a switch to DNS resolver) it no longer does domain override on DNS.

                  I have tested, and from a command prompt on different clients it is possible to use the DNS server that the domain override forwards to through the IPsec tunnel. If I switch back to the DNS forwarder it works fine.

                    phil.davis

                    In DNS Forwarder Domain Overrides, are you using the "Source IP" field to tell it what local IP address to send the requests from?
                    That option is not available in DNS Resolver (Unbound).
                    This post discusses the issue and possible solutions: https://forum.pfsense.org/index.php?topic=84184.0

                    As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                    If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

                      shade

                      Thanks for the info. Will stay with the DNS forwarder for now then.
