2.2.1 IPSec to 2.1.4 won't work with mutual RSA

  • Hi,

    For quite some years we have used pfsense to connect remote locations to our network.  We always try to follow new releases, at least on the central location.  So I've been trying to build an IPSec tunnel between a 2.1.4 version and a 2.2.1 version.  This only seems to work when I use mutual PSK authentication, mutual RSA just won't work.

    I configured it the same way I always do:

    • create certificate + key on our own CA-server (not pfsense)
    • import certificate and key in remote pfsense (this is the 2.2.1 one)
    • import CA-certificate in remote pfsense (the 2.2.1 one)
    • import certificate in local pfsense (2.1.4 one)
    • create tunnels in both selecting the correct certificates for authentication.

    Odd thing is that when the 2.1.4 (racoon) starts negotiation, the remote 2.2.1 (strongswan) finishes negotiation with an up tunnel.  The local 2.1.4 does not finish negotiation, the tunnel is down on this end.  The remote 2.2.1 starts sending DPD-packets, which generate an error on the racoon end:
    racoon error: unknown informational exchange received

    I guess this means the local end can't decrypt the message, which is expected since this end has no IPSEC-SA established.
    On the remote 2.2.1 end there won't be any reply on the DPD-packets, so this end will close the tunnel after like half a minute.

    When I change my configuration to mutual-PSK, with all other options identical, I get a working tunnel no worries.

    Anyone have an idea what's going on here?

    Bye, Jos
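A sanity check on the certificate material handled in the steps above, added here as an example and not part of this thread or of pfSense: it builds a throwaway CA and peer certificate in memory (constructed stand-ins for the ones issued by the external CA server) and shows that a peer which imported the other side's certificate but not the CA certificate cannot chain it, which is the check either IKE daemon must pass before it accepts an RSA-signature authentication. The names Example VPN CA and remote-site.example are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// sign issues a certificate for tmpl, signed by parent with key (parent == tmpl self-signs).
func sign(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, key *rsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER freshly produced above always parses
	return cert
}

// peerTrusts reports whether a peer that imported only the certificates in trusted can
// chain leaf to a known CA, as an IKE daemon must before accepting RSA-signature auth.
func peerTrusts(leaf *x509.Certificate, trusted ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, c := range trusted {
		pool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// checkImports builds a throwaway CA and peer certificate (constructed stand-ins for the ones
// issued by the external CA server) and verifies the peer cert with and without the CA imported.
func checkImports() (withCA, withoutCA bool) {
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	peerKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	notBefore, notAfter := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example VPN CA"},
		NotBefore: notBefore, NotAfter: notAfter,
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca := sign(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	peer := sign(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "remote-site.example"},
		NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature,
	}, ca, &peerKey.PublicKey, caKey)
	return peerTrusts(peer, ca), peerTrusts(peer)
}
```

Run the same chain check against the real PEM files with x509.ParseCertificate before importing them, so a missing CA certificate on one side shows up before the tunnel is configured.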

  • Rebel Alliance Developer Netgate

    On the 2.2 side, apply the logging changes for IPsec suggested here:

    And then have the 2.1.x side initiate to see what the problem really is.