
    After upgrading to 2.2.2. IPsec not working.

    awsiemieniec

      2.2.2-RELEASE (amd64)

      Upgraded from 2.1.5 to 2.2.2.  Had some difficulty.  Was shown to use "chown -R root:wheel /" and rebooted.  That took care of some of the problems, but the IPsec tunnel will still not come up.  No values have been changed in the configs on either side.  "Other" side is a SonicWALL TZ 205.  Tunnel has been very stable for a year+.

      Here is what I'm seeing in the IPsec logs now:

      Apr 24 10:40:25	charon: 05[NET] <58> sending packet: from XXX.XXX.XXX.XXX[500] to YYY.YYY.YYY.YYY[500] (56 bytes)
      Apr 24 10:40:25	charon: 05[ENC] <58> generating INFORMATIONAL_V1 request 823218994 [ N(AUTH_FAILED) ]
      Apr 24 10:40:25	charon: 05[IKE] <58> found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode
      Apr 24 10:40:25	charon: 05[IKE] <58> found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode
      Apr 24 10:40:25	charon: 05[CFG] <58> looking for pre-shared key peer configs matching XXX.XXX.XXX.XXX...YYY.YYY.YYY.YYY[SonicWALL]
      Apr 24 10:40:25	charon: 05[IKE] <58> YYY.YYY.YYY.YYY is initiating a Aggressive Mode IKE_SA
      Apr 24 10:40:25	charon: 05[IKE] <58> YYY.YYY.YYY.YYY is initiating a Aggressive Mode IKE_SA
      Apr 24 10:40:25	charon: 05[IKE] <58> received XAuth vendor ID
      Apr 24 10:40:25	charon: 05[IKE] <58> received XAuth vendor ID
      Apr 24 10:40:25	charon: 05[IKE] <58> received DPD vendor ID
      Apr 24 10:40:25	charon: 05[IKE] <58> received DPD vendor ID
      Apr 24 10:40:25	charon: 05[ENC] <58> received unknown vendor ID: da:8e:93:78:80:01:00:00
      Apr 24 10:40:25	charon: 05[ENC] <58> received unknown vendor ID: 5b:36:2b:c8:20:f6:00:08
      Apr 24 10:40:25	charon: 05[ENC] <58> received unknown vendor ID: 40:4b:f4:39:52:2c:a3:f6
      Apr 24 10:40:25	charon: 05[ENC] <58> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
      Apr 24 10:40:25	charon: 05[NET] <58> received packet: from YYY.YYY.YYY.YYY[500] to XXX.XXX.XXX.XXX[500] (385 bytes)
      Apr 24 10:40:06	charon: 05[NET] <57> sending packet: from XXX.XXX.XXX.XXX[500] to YYY.YYY.YYY.YYY[500] (56 bytes)
      Apr 24 10:40:06	charon: 05[ENC] <57> generating INFORMATIONAL_V1 request 2420712596 [ N(AUTH_FAILED) ]
      

      Here is the XML config for the IPsec:

      <ipsec>
        <client></client>
        <mobilekey>
          <ident>XXX.XXX.XXX.XXX</ident>
          <pre-shared-key>***CENSORED***</pre-shared-key>
        </mobilekey>
        <mobilekey>
          <ident>YYY.YYY.YYY.YYY</ident>
          <pre-shared-key>***CENSORED***</pre-shared-key>
        </mobilekey>
        <phase1>
          <ikeid>1</ikeid>
          <interface>wan</interface>
          <remote-gateway>YYY.YYY.YYY.YYY</remote-gateway>
          <mode>aggressive</mode>
          <protocol>inet</protocol>
          <myid_type>keyid tag</myid_type>
          <myid_data>pfSense</myid_data>
          <peerid_type>keyid tag</peerid_type>
          <peerid_data>SonicWALL</peerid_data>
          <encryption-algorithm><name>3des</name></encryption-algorithm>
          <hash-algorithm>sha1</hash-algorithm>
          <dhgroup>5</dhgroup>
          <lifetime>28800</lifetime>
          <pre-shared-key>***CENSORED #2 - not same as lines 6,10***</pre-shared-key>
          <private-key></private-key>
          <certref></certref>
          <caref></caref>
          <authentication_method>pre_shared_key</authentication_method>
          <generate_policy></generate_policy>
          <proposal_check></proposal_check>
          <nat_traversal>on</nat_traversal>
          <dpd_delay>120</dpd_delay>
          <dpd_maxfail>5</dpd_maxfail>
        </phase1>
        <phase2>
          <ikeid>1</ikeid>
          <mode>tunnel</mode>
          <localid>
            <type>address</type>
            <address>10.10.10.20</address>
          </localid>
          <remoteid>
            <type>network</type>
            <address>192.168.1.0</address>
            <netbits>24</netbits>
          </remoteid>
          <protocol>esp</protocol>
          <encryption-algorithm-option><name>3des</name></encryption-algorithm-option>
          <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
          <pfsgroup>5</pfsgroup>
          <lifetime>28800</lifetime>
          <pinghost>192.168.1.1</pinghost>
        </phase2>
        <enable></enable>
      </ipsec>


      I'm not sure where to begin.  Help?

      thank you.

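      The charon lines and the <ipsec> block above carry everything needed for an offline triage: the IKE_SA number, the exchange mode the peer used, the identity it presented, the notification pfSense sent back, and the phase1 settings the responder expects. The script below is an added example for this thread, not code from the original post or from the pfSense or strongSwan projects. It groups charon log lines by IKE_SA, extracts mode, peer identity and failure notification, parses the phase1 entry from the posted XML layout, flags settings a reviewer would question (aggressive mode with a PSK, 3DES, SHA1, a DH group below 14) and cross-checks the log against the config. The sample log and config are constructed to mirror the post, with documentation addresses in place of the anonymised XXX/YYY ones; the field names follow the posted XML. It does not claim to identify the thread's root cause, which the thread itself never settles.

```python
"""Offline triage of a pfSense 2.2 (strongSwan/charon) IPsec auth failure.

Added example for this forum thread; not from the post, pfSense or strongSwan.
The sample log and config below are constructed to mirror the post.
"""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: a subset of the posted charon lines, same format.
SAMPLE_LOG = """\
Apr 24 10:40:25\tcharon: 05[NET] <58> sending packet: from 203.0.113.10[500] to 198.51.100.20[500] (56 bytes)
Apr 24 10:40:25\tcharon: 05[ENC] <58> generating INFORMATIONAL_V1 request 823218994 [ N(AUTH_FAILED) ]
Apr 24 10:40:25\tcharon: 05[IKE] <58> found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode
Apr 24 10:40:25\tcharon: 05[CFG] <58> looking for pre-shared key peer configs matching 203.0.113.10...198.51.100.20[SonicWALL]
Apr 24 10:40:25\tcharon: 05[IKE] <58> 198.51.100.20 is initiating a Aggressive Mode IKE_SA
Apr 24 10:40:25\tcharon: 05[ENC] <58> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
"""

# Constructed sample: the phase1 part of the posted <ipsec> block (PSKs elided).
SAMPLE_CONFIG = """\
<ipsec>
  <client></client>
  <phase1>
    <ikeid>1</ikeid><interface>wan</interface>
    <remote-gateway>198.51.100.20</remote-gateway><mode>aggressive</mode>
    <myid_type>keyid tag</myid_type><myid_data>pfSense</myid_data>
    <peerid_type>keyid tag</peerid_type><peerid_data>SonicWALL</peerid_data>
    <encryption-algorithm><name>3des</name></encryption-algorithm>
    <hash-algorithm>sha1</hash-algorithm><dhgroup>5</dhgroup>
    <authentication_method>pre_shared_key</authentication_method>
  </phase1>
  <enable></enable>
</ipsec>
"""

# "Mon DD HH:MM:SS <ws>charon: NN[SUBSYS] <SA> message"
LOG_RE = re.compile(r"^\w{3} +\d+ [\d:]+\s+charon: \d+\[(?P<sub>\w+)\] <(?P<sa>\d+)> (?P<msg>.*)$")
# "looking for pre-shared key peer configs matching LOCAL...REMOTE[PEERID]"
PEER_CFG_RE = re.compile(r"peer configs matching (?P<local>\S+?)\.\.\.(?P<remote>[^\[\s]+)(?:\[(?P<peerid>[^\]]+)\])?")
NOTIFY_RE = re.compile(r"N\((?P<notify>[A-Z_]+)\)")


def parse_charon_log(text):
    """Group charon lines by IKE_SA number -> list of (subsystem, message)."""
    sas = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            sas[int(m["sa"])].append((m["sub"], m["msg"]))
    return dict(sas)


def diagnose_sa(events):
    """Summarise one IKE_SA: exchange mode, identities and the failure reason."""
    s = {"mode": None, "local": None, "remote": None, "peer_id": None, "notify": None, "reason": None}
    for _sub, msg in events:
        if "Aggressive Mode IKE_SA" in msg:
            s["mode"] = "aggressive"
        elif "Main Mode IKE_SA" in msg:
            s["mode"] = "main"
        m = PEER_CFG_RE.search(msg)
        if m:  # peer ID in brackets; charon falls back to the address when absent
            s["local"], s["remote"] = m["local"], m["remote"]
            s["peer_id"] = m["peerid"] or m["remote"]
        m = NOTIFY_RE.search(msg)
        if m:
            s["notify"] = m["notify"]
        if msg.startswith("found") and "none allows" in msg:
            s["reason"] = msg
    return s


def phase1_summary(xml_text):
    """Flatten each <phase1> entry into a dict of its leaf settings."""
    out = []
    for p1 in ET.fromstring(xml_text).findall("phase1"):
        d = {c.tag: (c.text or "").strip() for c in p1}
        enc = p1.find("encryption-algorithm/name")
        d["encryption"] = enc.text.strip() if enc is not None and enc.text else ""
        out.append(d)
    return out


def check_phase1(p1):
    """Findings a reviewer would raise on this phase1 entry (defensive view)."""
    f = []
    if p1.get("mode") == "aggressive" and p1.get("authentication_method") == "pre_shared_key":
        f.append("aggressive mode + PSK: identity and PSK-derived hash are sent before encryption, "
                 "so the PSK is exposed to offline guessing; prefer main mode or IKEv2")
    if p1.get("encryption") == "3des":
        f.append("3DES: 64-bit block cipher; prefer AES")
    if p1.get("hash-algorithm") == "sha1":
        f.append("SHA1 PRF/integrity: prefer SHA-256")
    if int(p1.get("dhgroup") or 0) < 14:
        f.append("DH group %s: below group 14 (2048-bit MODP)" % p1.get("dhgroup"))
    return f


def cross_check(sa, p1):
    """Compare what the log shows the peer presenting with what phase1 expects."""
    issues = []
    if sa["mode"] and sa["mode"] != p1.get("mode"):
        issues.append("peer used %s mode, phase1 is %s" % (sa["mode"], p1.get("mode")))
    if sa["peer_id"] and sa["peer_id"] != p1.get("peerid_data"):
        issues.append("peer ID %r != peerid_data %r" % (sa["peer_id"], p1.get("peerid_data")))
    if sa["remote"] and sa["remote"] != p1.get("remote-gateway"):
        issues.append("peer address %s != remote-gateway %s" % (sa["remote"], p1.get("remote-gateway")))
    return issues


if __name__ == "__main__":
    for sa_id, events in parse_charon_log(SAMPLE_LOG).items():
        sa = diagnose_sa(events)
        print("IKE_SA", sa_id, sa)
        for p1 in phase1_summary(SAMPLE_CONFIG):
            print("phase1 findings:", check_phase1(p1))
            print("log vs config:", cross_check(sa, p1) or "consistent")
```

      On the posted data the cross-check comes back consistent (aggressive mode, peer ID SonicWALL, the configured remote gateway), which is exactly what charon reports: it found the matching config by address and identity, yet the config as loaded did not permit PSK authentication in aggressive mode. That narrows the search to what pfSense 2.2 generated from this phase1 entry rather than to the identifiers themselves.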
      ShutterBC

        I'm in the thick of some ipsec troubleshooting myself. Have you already gone through this resource?
        https://doc.pfsense.org/index.php/IPsec_Troubleshooting

        Looks like you got a matching identifier, but out of curiosity what are your peer identifier settings?

        awsiemieniec

          I ended up rolling back to 2.1.5.  I didn't have time to fully troubleshoot.  I spent about 13 hours looking into it and I needed the tunnel back up.

          rainabba

            Presently dealing with the same between 2 instances of 2.2.3 and 2.2.4.
            Have another tunnel with the same 2.2.4 working against 2.15.

            liminaly

              I had the same problem when upgrading from 2.1.5 to 2.2.6 (changing hardware and restoring the config, etc.). In the end I needed to re-specify which interface the local endpoint of the phase1 entry uses; it seems to have reset itself to the interface and not the virtual IP that was originally used.

              Hope this helps someone else.
