After upgrading to 2.2.2\. IPsec not working.
-
2.2.2-RELEASE (amd64)
Upgraded from 2.1.5 to 2.2.2. Had some difficulty. Was shown to use "chown -R root:wheel /" and rebooted. That took care of the some of the problems but the IPsec tunnel will still not come up. No values have been changed with the configs on either side. "other" side is a SonicWALL TZ 205. Tunnel has been very stable for year+.
Here is what I'm seeing in the IPsec logs now:
Apr 24 10:40:25 charon: 05[NET] <58> sending packet: from XXX.XXX.XXX.XXX[500] to YYY.YYY.YYY.YYY[500] (56 bytes) Apr 24 10:40:25 charon: 05[ENC] <58> generating INFORMATIONAL_V1 request 823218994 [ N(AUTH_FAILED) ] Apr 24 10:40:25 charon: 05[IKE] <58> found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode Apr 24 10:40:25 charon: 05[IKE] <58> found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode Apr 24 10:40:25 charon: 05[CFG] <58> looking for pre-shared key peer configs matching XXX.XXX.XXX.XXX...YYY.YYY.YYY.YYY[SonicWALL] Apr 24 10:40:25 charon: 05[IKE] <58> YYY.YYY.YYY.YYY is initiating a Aggressive Mode IKE_SA Apr 24 10:40:25 charon: 05[IKE] <58> YYY.YYY.YYY.YYY is initiating a Aggressive Mode IKE_SA Apr 24 10:40:25 charon: 05[IKE] <58> received XAuth vendor ID Apr 24 10:40:25 charon: 05[IKE] <58> received XAuth vendor ID Apr 24 10:40:25 charon: 05[IKE] <58> received DPD vendor ID Apr 24 10:40:25 charon: 05[IKE] <58> received DPD vendor ID Apr 24 10:40:25 charon: 05[ENC] <58> received unknown vendor ID: da:8e:93:78:80:01:00:00 Apr 24 10:40:25 charon: 05[ENC] <58> received unknown vendor ID: 5b:36:2b:c8:20:f6:00:08 Apr 24 10:40:25 charon: 05[ENC] <58> received unknown vendor ID: 40:4b:f4:39:52:2c:a3:f6 Apr 24 10:40:25 charon: 05[ENC] <58> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V ] Apr 24 10:40:25 charon: 05[NET] <58> received packet: from YYY.YYY.YYY.YYY[500] to XXX.XXX.XXX.XXX[500] (385 bytes) Apr 24 10:40:06 charon: 05[NET] <57> sending packet: from XXX.XXX.XXX.XXX[500] to YYY.YYY.YYY.YYY[500] (56 bytes) Apr 24 10:40:06 charon: 05[ENC] <57> generating INFORMATIONAL_V1 request 2420712596 [ N(AUTH_FAILED) ]Here is the XML config for the IPsec:
<ipsec><client><mobilekey><ident>XXX.XXX.XXX.XXX</ident> <pre-shared-key>***CENSORED***</pre-shared-key></mobilekey> <mobilekey><ident>YYY.YYY.YYY.YYY</ident> <pre-shared-key>***CENSORED***</pre-shared-key></mobilekey> <phase1><ikeid>1</ikeid> <interface>wan</interface> <remote-gateway>YYY.YYY.YYY.YYY</remote-gateway> <mode>aggressive</mode> <protocol>inet</protocol> <myid_type>keyid tag</myid_type> <myid_data>pfSense</myid_data> <peerid_type>keyid tag</peerid_type> <peerid_data>SonicWALL</peerid_data> <encryption-algorithm><name>3des</name></encryption-algorithm> <hash-algorithm>sha1</hash-algorithm> <dhgroup>5</dhgroup> <lifetime>28800</lifetime> <pre-shared-key>***CENSORED #2 - not same as lines 6,10***</pre-shared-key> <private-key><certref><caref><authentication_method>pre_shared_key</authentication_method> <generate_policy><proposal_check><nat_traversal>on</nat_traversal> <dpd_delay>120</dpd_delay> <dpd_maxfail>5</dpd_maxfail></proposal_check></generate_policy></caref></certref></private-key></phase1> <phase2><ikeid>1</ikeid> <mode>tunnel</mode> <localid><type>address</type> <address>10.10.10.20</address></localid> <remoteid><type>network</type> <address>192.168.1.0</address> <netbits>24</netbits></remoteid> <protocol>esp</protocol> <encryption-algorithm-option><name>3des</name></encryption-algorithm-option> <hash-algorithm-option>hmac_sha1</hash-algorithm-option> <pfsgroup>5</pfsgroup> <lifetime>28800</lifetime> <pinghost>192.168.1.1</pinghost></phase2> <enable></enable></client></ipsec>I'm not sure where to begin. Help?
thank you.
-
I'm in the thick of some ipsec troubleshooting myself. Have you already gone through this resource?
https://doc.pfsense.org/index.php/IPsec_TroubleshootingLooks like you got a matching identifier, but out of curiosity what are your peer identifier settings?
-
I ended up rolling back to 2.1.5. I didn't have time to fully troubleshoot. I spent about 13 hours looking into it and I needed the tunnel back up.
-
Presently dealing with the same between 2 instances of 2.2.3 and 2.2.4.
Have another tunnel with the same 2.2.4 working against 2.15. -
I had the same problem when upgrading from 2.1.5 to 2.2.6(chnging hardware and restoring the config etc.), in the end i needed to re-specify what interface the local endpoint of the phase1 entry, seems to have reset itself to the interface and not the virtual IP that was originally used.
Hope this helps someone else.