Upgrade from racoon killed the vpn star



  • I've read previous posts about this, but nothing has helped at all.

    Can anyone tell me their ipsec site-to-site vpn settings on pfsense 2.2.4 to another 2.2.4? I'd rather not downgrade back to the previous version. I have a very temporary solution in place, but I'd like to get this "ipsec service" back up and running. I have tried deleting and re-creating the vpn settings on both, as well as switching from aggressive mode to main mode, and changing my identifier and peer identifier from "My IP Address" and "Peer IP Address" to "IP address" and entering the WAN IPs manually. I'll post the logs below, as well. Any help would be greatly appreciated, this is getting me down!

    Aug 8 19:56:55	charon: 15[KNL] creating acquire job for policy 209.180.19.67/32|/0 === 50.244.201.165/32|/0 with reqid {3}
    Aug 8 19:56:55	charon: 10[IKE] <con1000|1032> initiating Main Mode IKE_SA con1000[1032] to 50.244.201.165
    Aug 8 19:56:55	charon: 10[IKE] <con1000|1032> initiating Main Mode IKE_SA con1000[1032] to 50.244.201.165
    Aug 8 19:56:55	charon: 10[ENC] <con1000|1032> generating ID_PROT request 0 [ SA V V V V V V ]
    Aug 8 19:56:55	charon: 10[NET] <con1000|1032> sending packet: from 209.180.19.67[500] to 50.244.201.165[500] (200 bytes)
    Aug 8 19:56:55	charon: 10[NET] <con1000|1032> received packet: from 50.244.201.165[500] to 209.180.19.67[500] (156 bytes)
    Aug 8 19:56:55	charon: 10[ENC] <con1000|1032> parsed ID_PROT response 0 [ SA V V V V ]
    Aug 8 19:56:55	charon: 10[IKE] <con1000|1032> received XAuth vendor ID
    Aug 8 19:56:55	charon: 10[IKE] <con1000|1032> received XAuth vendor ID
    Aug 8 19:56:55	charon: 10[IKE] <con1000|1032> received DPD vendor ID
    Aug 8 19:56:55	charon: 10[IKE] <con1000|1032> received DPD vendor ID
    Aug 8 19:56:55	charon: 10[IKE] <con1000|1032> received Cisco Unity vendor ID
    Aug 8 19:56:55	charon: 10[IKE] <con1000|1032> received Cisco Unity vendor ID
    Aug 8 19:56:55	charon: 10[IKE] <con1000|1032> received NAT-T (RFC 3947) vendor ID
    Aug 8 19:56:55	charon: 10[IKE] <con1000|1032> received NAT-T (RFC 3947) vendor ID
    Aug 8 19:56:55	charon: 10[ENC] <con1000|1032> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
    Aug 8 19:56:55	charon: 10[NET] <con1000|1032> sending packet: from 209.180.19.67[500] to 50.244.201.165[500] (244 bytes)
    Aug 8 19:56:55	charon: 10[NET] <con1000|1032> received packet: from 50.244.201.165[500] to 209.180.19.67[500] (244 bytes)
    Aug 8 19:56:55	charon: 10[ENC] <con1000|1032> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
    Aug 8 19:56:55	charon: 10[ENC] <con1000|1032> generating ID_PROT request 0 [ ID HASH ]
    Aug 8 19:56:55	charon: 10[NET] <con1000|1032> sending packet: from 209.180.19.67[500] to 50.244.201.165[500] (76 bytes)
    Aug 8 19:56:55	charon: 10[NET] <con1000|1032> received packet: from 50.244.201.165[500] to 209.180.19.67[500] (92 bytes)
    Aug 8 19:56:55	charon: 10[ENC] <con1000|1032> parsed INFORMATIONAL_V1 request 4044762089 [ HASH N(AUTH_FAILED) ]
    Aug 8 19:56:55	charon: 10[IKE] <con1000|1032> received AUTHENTICATION_FAILED error notify
    Aug 8 19:56:55	charon: 10[IKE] <con1000|1032> received AUTHENTICATION_FAILED error notify
    Aug 8 19:57:03	charon: 10[KNL] creating acquire job for policy 209.180.19.67/32|/0 === 50.244.201.165/32|/0 with reqid {3}
    Aug 8 19:57:03	charon: 15[IKE] <con1000|1033> initiating Main Mode IKE_SA con1000[1033] to 50.244.201.165
    Aug 8 19:57:03	charon: 15[IKE] <con1000|1033> initiating Main Mode IKE_SA con1000[1033] to 50.244.201.165
    Aug 8 19:57:03	charon: 15[ENC] <con1000|1033> generating ID_PROT request 0 [ SA V V V V V V ]
    Aug 8 19:57:03	charon: 15[NET] <con1000|1033> sending packet: from 209.180.19.67[500] to 50.244.201.165[500] (200 bytes)
    Aug 8 19:57:03	charon: 15[NET] <con1000|1033> received packet: from 50.244.201.165[500] to 209.180.19.67[500] (156 bytes)
    Aug 8 19:57:03	charon: 15[ENC] <con1000|1033> parsed ID_PROT response 0 [ SA V V V V ]
    Aug 8 19:57:03	charon: 15[IKE] <con1000|1033> received XAuth vendor ID
    Aug 8 19:57:03	charon: 15[IKE] <con1000|1033> received XAuth vendor ID
    Aug 8 19:57:03	charon: 15[IKE] <con1000|1033> received DPD vendor ID
    Aug 8 19:57:03	charon: 15[IKE] <con1000|1033> received DPD vendor ID
    Aug 8 19:57:03	charon: 15[IKE] <con1000|1033> received Cisco Unity vendor ID
    Aug 8 19:57:03	charon: 15[IKE] <con1000|1033> received Cisco Unity vendor ID
    Aug 8 19:57:03	charon: 15[IKE] <con1000|1033> received NAT-T (RFC 3947) vendor ID
    Aug 8 19:57:03	charon: 15[IKE] <con1000|1033> received NAT-T (RFC 3947) vendor ID
    Aug 8 19:57:03	charon: 15[ENC] <con1000|1033> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
    Aug 8 19:57:03	charon: 15[NET] <con1000|1033> sending packet: from 209.180.19.67[500] to 50.244.201.165[500] (244 bytes)
    Aug 8 19:57:03	charon: 15[NET] <con1000|1033> received packet: from 50.244.201.165[500] to 209.180.19.67[500] (244 bytes)
    Aug 8 19:57:03	charon: 15[ENC] <con1000|1033> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
    Aug 8 19:57:03	charon: 15[ENC] <con1000|1033> generating ID_PROT request 0 [ ID HASH ]
    Aug 8 19:57:03	charon: 15[NET] <con1000|1033> sending packet: from 209.180.19.67[500] to 50.244.201.165[500] (76 bytes)
    Aug 8 19:57:03	charon: 15[NET] <con1000|1033> received packet: from 50.244.201.165[500] to 209.180.19.67[500] (92 bytes)
    Aug 8 19:57:03	charon: 15[ENC] <con1000|1033> parsed INFORMATIONAL_V1 request 1466251066 [ HASH N(AUTH_FAILED) ]
    Aug 8 19:57:03	charon: 15[IKE] <con1000|1033> received AUTHENTICATION_FAILED error notify
    Aug 8 19:57:03	charon: 15[IKE] <con1000|1033> received AUTHENTICATION_FAILED error notify
    
    Aug 8 19:56:55	charon: 11[IKE] <1032> received FRAGMENTATION vendor ID
    Aug 8 19:56:55	charon: 11[IKE] <1032> received FRAGMENTATION vendor ID
    Aug 8 19:56:55	charon: 11[IKE] <1032> received NAT-T (RFC 3947) vendor ID
    Aug 8 19:56:55	charon: 11[IKE] <1032> received NAT-T (RFC 3947) vendor ID
    Aug 8 19:56:55	charon: 11[IKE] <1032> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Aug 8 19:56:55	charon: 11[IKE] <1032> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Aug 8 19:56:55	charon: 11[IKE] <1032> 209.180.19.67 is initiating a Main Mode IKE_SA
    Aug 8 19:56:55	charon: 11[IKE] <1032> 209.180.19.67 is initiating a Main Mode IKE_SA
    Aug 8 19:56:55	charon: 11[ENC] <1032> generating ID_PROT response 0 [ SA V V V V ]
    Aug 8 19:56:55	charon: 11[NET] <1032> sending packet: from 50.244.201.165[500] to 209.180.19.67[500] (156 bytes)
    Aug 8 19:56:55	charon: 11[NET] <1032> received packet: from 209.180.19.67[500] to 50.244.201.165[500] (244 bytes)
    Aug 8 19:56:55	charon: 11[ENC] <1032> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
    Aug 8 19:56:56	charon: 11[ENC] <1032> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
    Aug 8 19:56:56	charon: 11[NET] <1032> sending packet: from 50.244.201.165[500] to 209.180.19.67[500] (244 bytes)
    Aug 8 19:56:56	charon: 11[NET] <1032> received packet: from 209.180.19.67[500] to 50.244.201.165[500] (76 bytes)
    Aug 8 19:56:56	charon: 11[ENC] <1032> parsed ID_PROT request 0 [ ID HASH ]
    Aug 8 19:56:56	charon: 11[CFG] <1032> looking for pre-shared key peer configs matching 50.244.201.165...209.180.19.67[209.180.19.67]
    Aug 8 19:56:56	charon: 11[IKE] <1032> found 1 matching config, but none allows pre-shared key authentication using Main Mode
    Aug 8 19:56:56	charon: 11[IKE] <1032> found 1 matching config, but none allows pre-shared key authentication using Main Mode
    Aug 8 19:56:56	charon: 11[ENC] <1032> generating INFORMATIONAL_V1 request 4044762089 [ HASH N(AUTH_FAILED) ]
    Aug 8 19:56:56	charon: 11[NET] <1032> sending packet: from 50.244.201.165[500] to 209.180.19.67[500] (92 bytes)
    Aug 8 19:57:03	charon: 11[NET] <1033> received packet: from 209.180.19.67[500] to 50.244.201.165[500] (200 bytes)
    Aug 8 19:57:03	charon: 11[ENC] <1033> parsed ID_PROT request 0 [ SA V V V V V V ]
    Aug 8 19:57:03	charon: 11[IKE] <1033> received XAuth vendor ID
    Aug 8 19:57:03	charon: 11[IKE] <1033> received XAuth vendor ID
    Aug 8 19:57:03	charon: 11[IKE] <1033> received DPD vendor ID
    Aug 8 19:57:03	charon: 11[IKE] <1033> received DPD vendor ID
    Aug 8 19:57:03	charon: 11[IKE] <1033> received Cisco Unity vendor ID
    Aug 8 19:57:03	charon: 11[IKE] <1033> received Cisco Unity vendor ID
    Aug 8 19:57:03	charon: 11[IKE] <1033> received FRAGMENTATION vendor ID
    Aug 8 19:57:03	charon: 11[IKE] <1033> received FRAGMENTATION vendor ID
    Aug 8 19:57:03	charon: 11[IKE] <1033> received NAT-T (RFC 3947) vendor ID
    Aug 8 19:57:03	charon: 11[IKE] <1033> received NAT-T (RFC 3947) vendor ID
    Aug 8 19:57:03	charon: 11[IKE] <1033> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Aug 8 19:57:03	charon: 11[IKE] <1033> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Aug 8 19:57:03	charon: 11[IKE] <1033> 209.180.19.67 is initiating a Main Mode IKE_SA
    Aug 8 19:57:03	charon: 11[IKE] <1033> 209.180.19.67 is initiating a Main Mode IKE_SA
    Aug 8 19:57:03	charon: 11[ENC] <1033> generating ID_PROT response 0 [ SA V V V V ]
    Aug 8 19:57:03	charon: 11[NET] <1033> sending packet: from 50.244.201.165[500] to 209.180.19.67[500] (156 bytes)
    Aug 8 19:57:03	charon: 11[NET] <1033> received packet: from 209.180.19.67[500] to 50.244.201.165[500] (244 bytes)
    Aug 8 19:57:03	charon: 11[ENC] <1033> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
    Aug 8 19:57:04	charon: 11[ENC] <1033> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
    Aug 8 19:57:04	charon: 11[NET] <1033> sending packet: from 50.244.201.165[500] to 209.180.19.67[500] (244 bytes)
    Aug 8 19:57:04	charon: 11[NET] <1033> received packet: from 209.180.19.67[500] to 50.244.201.165[500] (76 bytes)
    Aug 8 19:57:04	charon: 11[ENC] <1033> parsed ID_PROT request 0 [ ID HASH ]
    Aug 8 19:57:04	charon: 11[CFG] <1033> looking for pre-shared key peer configs matching 50.244.201.165...209.180.19.67[209.180.19.67]
    Aug 8 19:57:04	charon: 11[IKE] <1033> found 1 matching config, but none allows pre-shared key authentication using Main Mode
    Aug 8 19:57:04	charon: 11[IKE] <1033> found 1 matching config, but none allows pre-shared key authentication using Main Mode
    Aug 8 19:57:04	charon: 11[ENC] <1033> generating INFORMATIONAL_V1 request 1466251066 [ HASH N(AUTH_FAILED) ]
    Aug 8 19:57:04	charon: 11[NET] <1033> sending packet: from 50.244.201.165[500] to 209.180.19.67[500] (92 bytes)
    


  • You have a P1 mismatch of some sort.

    found 1 matching config, but none allows pre-shared key authentication using Main Mode
    


  • I noticed that. Checked and re-did configs three times. There's no way there's ACTUALLY a mismatch. How do I "flush" this thing, it's got something sitting somewhere that's messed up. I used the same password as I had previously. It makes no sense!



  • Try this-
    Stop the service.
    Make sure it's dead by checking with ps. Kill any charon or ipsec starter processes.
    Check /var/run delete charon.*
    Restart the service.
    Rebooting the firewall may work as well.



  • A stop, then start of the IPsec service would suffice to clear out anything that was in place before (or reboot if you want). There won't be any processes or files or anything else left behind that matter, I wouldn't recommend dotdash's suggestion. No harm in doing exactly what he stated but if you're excessive with deleting things you might break other things, and it's not necessary to delete any of that.

    You probably have one side on main mode and the other on aggressive to get the logs you're getting.



  • I've tried both in main mode and in aggressive mode (which was the original working mode before the upgrade). I set both to aggressive mode and rebooted both firewalls. Hmm, at a loss here. Looks like it's the same.

    Aug 11 23:05:47	charon: 14[IKE] <45> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Aug 11 23:05:47	charon: 14[IKE] <45> 209.180.19.67 is initiating a Aggressive Mode IKE_SA
    Aug 11 23:05:47	charon: 14[IKE] <45> 209.180.19.67 is initiating a Aggressive Mode IKE_SA
    Aug 11 23:05:48	charon: 14[CFG] <45> looking for pre-shared key peer configs matching 50.244.201.165...209.180.19.67[209.180.19.67]
    Aug 11 23:05:48	charon: 14[IKE] <45> found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode
    Aug 11 23:05:48	charon: 14[IKE] <45> found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode
    Aug 11 23:05:48	charon: 14[ENC] <45> generating INFORMATIONAL_V1 request 1425566073 [ N(AUTH_FAILED) ]
    Aug 11 23:05:48	charon: 14[NET] <45> sending packet: from 50.244.201.165[500] to 209.180.19.67[500] (56 bytes)
    Aug 11 23:05:54	charon: 07[NET] <46> received packet: from 209.180.19.67[500] to 50.244.201.165[500] (380 bytes)
    Aug 11 23:05:54	charon: 07[ENC] <46> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
    Aug 11 23:05:54	charon: 07[IKE] <46> received XAuth vendor ID
    Aug 11 23:05:54	charon: 07[IKE] <46> received XAuth vendor ID
    Aug 11 23:05:54	charon: 07[IKE] <46> received DPD vendor ID
    Aug 11 23:05:54	charon: 07[IKE] <46> received DPD vendor ID
    Aug 11 23:05:54	charon: 07[IKE] <46> received Cisco Unity vendor ID
    Aug 11 23:05:54	charon: 07[IKE] <46> received Cisco Unity vendor ID
    Aug 11 23:05:54	charon: 07[IKE] <46> received FRAGMENTATION vendor ID
    Aug 11 23:05:54	charon: 07[IKE] <46> received FRAGMENTATION vendor ID
    Aug 11 23:05:54	charon: 07[IKE] <46> received NAT-T (RFC 3947) vendor ID
    Aug 11 23:05:54	charon: 07[IKE] <46> received NAT-T (RFC 3947) vendor ID
    Aug 11 23:05:54	charon: 07[IKE] <46> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Aug 11 23:05:54	charon: 07[IKE] <46> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Aug 11 23:05:54	charon: 07[IKE] <46> 209.180.19.67 is initiating a Aggressive Mode IKE_SA
    Aug 11 23:05:54	charon: 07[IKE] <46> 209.180.19.67 is initiating a Aggressive Mode IKE_SA
    Aug 11 23:05:54	charon: 07[CFG] <46> looking for pre-shared key peer configs matching 50.244.201.165...209.180.19.67[209.180.19.67]
    Aug 11 23:05:54	charon: 07[IKE] <46> found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode
    Aug 11 23:05:54	charon: 07[IKE] <46> found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode
    Aug 11 23:05:54	charon: 07[ENC] <46> generating INFORMATIONAL_V1 request 1128443671 [ N(AUTH_FAILED) ]
    Aug 11 23:05:54	charon: 07[NET] <46> sending packet: from 50.244.201.165[500] to 209.180.19.67[500] (56 bytes)
    Aug 11 23:05:58	charon: 07[NET] <47> received packet: from 209.180.19.67[500] to 50.244.201.165[500] (380 bytes)
    Aug 11 23:05:58	charon: 07[ENC] <47> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
    Aug 11 23:05:58	charon: 07[IKE] <47> received XAuth vendor ID
    Aug 11 23:05:58	charon: 07[IKE] <47> received XAuth vendor ID
    Aug 11 23:05:58	charon: 07[IKE] <47> received DPD vendor ID
    Aug 11 23:05:58	charon: 07[IKE] <47> received DPD vendor ID
    Aug 11 23:05:58	charon: 07[IKE] <47> received Cisco Unity vendor ID
    Aug 11 23:05:58	charon: 07[IKE] <47> received Cisco Unity vendor ID
    Aug 11 23:05:58	charon: 07[IKE] <47> received FRAGMENTATION vendor ID
    Aug 11 23:05:58	charon: 07[IKE] <47> received FRAGMENTATION vendor ID
    Aug 11 23:05:58	charon: 07[IKE] <47> received NAT-T (RFC 3947) vendor ID
    Aug 11 23:05:58	charon: 07[IKE] <47> received NAT-T (RFC 3947) vendor ID
    Aug 11 23:05:58	charon: 07[IKE] <47> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Aug 11 23:05:58	charon: 07[IKE] <47> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Aug 11 23:05:58	charon: 07[IKE] <47> 209.180.19.67 is initiating a Aggressive Mode IKE_SA
    Aug 11 23:05:58	charon: 07[IKE] <47> 209.180.19.67 is initiating a Aggressive Mode IKE_SA
    Aug 11 23:05:58	charon: 07[CFG] <47> looking for pre-shared key peer configs matching 50.244.201.165...209.180.19.67[209.180.19.67]
    Aug 11 23:05:58	charon: 07[IKE] <47> found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode
    Aug 11 23:05:58	charon: 07[IKE] <47> found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode
    Aug 11 23:05:58	charon: 07[ENC] <47> generating INFORMATIONAL_V1 request 2644743300 [ N(AUTH_FAILED) ]
    Aug 11 23:05:58	charon: 07[NET] <47> sending packet: from 50.244.201.165[500] to 209.180.19.67[500] (56 bytes)
    
    Aug 11 23:05:17	charon: 13[NET] <con1000|42> sending packet: from 209.180.19.67[500] to 50.244.201.165[500] (380 bytes)
    Aug 11 23:05:18	charon: 13[NET] <con1000|42> received packet: from 50.244.201.165[500] to 209.180.19.67[500] (56 bytes)
    Aug 11 23:05:18	charon: 13[ENC] <con1000|42> parsed INFORMATIONAL_V1 request 1265996762 [ N(AUTH_FAILED) ]
    Aug 11 23:05:18	charon: 13[IKE] <con1000|42> received AUTHENTICATION_FAILED error notify
    Aug 11 23:05:18	charon: 13[IKE] <con1000|42> received AUTHENTICATION_FAILED error notify
    Aug 11 23:05:26	charon: 13[KNL] creating acquire job for policy 209.180.19.67/32|/0 === 50.244.201.165/32|/0 with reqid {1}
    Aug 11 23:05:26	charon: 14[IKE] <con1000|43> initiating Aggressive Mode IKE_SA con1000[43] to 50.244.201.165
    Aug 11 23:05:26	charon: 14[IKE] <con1000|43> initiating Aggressive Mode IKE_SA con1000[43] to 50.244.201.165
    Aug 11 23:05:26	charon: 14[ENC] <con1000|43> generating AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
    Aug 11 23:05:26	charon: 14[NET] <con1000|43> sending packet: from 209.180.19.67[500] to 50.244.201.165[500] (380 bytes)
    Aug 11 23:05:26	charon: 14[NET] <con1000|43> received packet: from 50.244.201.165[500] to 209.180.19.67[500] (56 bytes)
    Aug 11 23:05:26	charon: 14[ENC] <con1000|43> parsed INFORMATIONAL_V1 request 223373224 [ N(AUTH_FAILED) ]
    Aug 11 23:05:26	charon: 14[IKE] <con1000|43> received AUTHENTICATION_FAILED error notify
    Aug 11 23:05:26	charon: 14[IKE] <con1000|43> received AUTHENTICATION_FAILED error notify
    Aug 11 23:05:44	charon: 14[KNL] creating acquire job for policy 209.180.19.67/32|/0 === 50.244.201.165/32|/0 with reqid {1}
    Aug 11 23:05:44	charon: 13[IKE] <con1000|44> initiating Aggressive Mode IKE_SA con1000[44] to 50.244.201.165
    Aug 11 23:05:44	charon: 13[IKE] <con1000|44> initiating Aggressive Mode IKE_SA con1000[44] to 50.244.201.165
    Aug 11 23:05:44	charon: 13[ENC] <con1000|44> generating AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
    Aug 11 23:05:44	charon: 13[NET] <con1000|44> sending packet: from 209.180.19.67[500] to 50.244.201.165[500] (380 bytes)
    Aug 11 23:05:45	charon: 13[NET] <con1000|44> received packet: from 50.244.201.165[500] to 209.180.19.67[500] (56 bytes)
    Aug 11 23:05:45	charon: 13[ENC] <con1000|44> parsed INFORMATIONAL_V1 request 2551326345 [ N(AUTH_FAILED) ]
    Aug 11 23:05:45	charon: 13[IKE] <con1000|44> received AUTHENTICATION_FAILED error notify
    Aug 11 23:05:45	charon: 13[IKE] <con1000|44> received AUTHENTICATION_FAILED error notify
    Aug 11 23:05:47	charon: 13[KNL] creating acquire job for policy 209.180.19.67/32|/0 === 50.244.201.165/32|/0 with reqid {1}
    Aug 11 23:05:47	charon: 14[IKE] <con1000|45> initiating Aggressive Mode IKE_SA con1000[45] to 50.244.201.165
    Aug 11 23:05:47	charon: 14[IKE] <con1000|45> initiating Aggressive Mode IKE_SA con1000[45] to 50.244.201.165
    Aug 11 23:05:47	charon: 14[ENC] <con1000|45> generating AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
    Aug 11 23:05:47	charon: 14[NET] <con1000|45> sending packet: from 209.180.19.67[500] to 50.244.201.165[500] (380 bytes)
    Aug 11 23:05:48	charon: 14[NET] <con1000|45> received packet: from 50.244.201.165[500] to 209.180.19.67[500] (56 bytes)
    Aug 11 23:05:48	charon: 14[ENC] <con1000|45> parsed INFORMATIONAL_V1 request 1425566073 [ N(AUTH_FAILED) ]
    Aug 11 23:05:48	charon: 14[IKE] <con1000|45> received AUTHENTICATION_FAILED error notify
    Aug 11 23:05:48	charon: 14[IKE] <con1000|45> received AUTHENTICATION_FAILED error notify
    Aug 11 23:05:54	charon: 13[KNL] creating acquire job for policy 209.180.19.67/32|/0 === 50.244.201.165/32|/0 with reqid {1}
    Aug 11 23:05:54	charon: 12[IKE] <con1000|46> initiating Aggressive Mode IKE_SA con1000[46] to 50.244.201.165
    Aug 11 23:05:54	charon: 12[IKE] <con1000|46> initiating Aggressive Mode IKE_SA con1000[46] to 50.244.201.165
    Aug 11 23:05:54	charon: 12[ENC] <con1000|46> generating AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
    Aug 11 23:05:54	charon: 12[NET] <con1000|46> sending packet: from 209.180.19.67[500] to 50.244.201.165[500] (380 bytes)
    Aug 11 23:05:54	charon: 12[NET] <con1000|46> received packet: from 50.244.201.165[500] to 209.180.19.67[500] (56 bytes)
    Aug 11 23:05:54	charon: 12[ENC] <con1000|46> parsed INFORMATIONAL_V1 request 1128443671 [ N(AUTH_FAILED) ]
    Aug 11 23:05:54	charon: 12[IKE] <con1000|46> received AUTHENTICATION_FAILED error notify
    Aug 11 23:05:54	charon: 12[IKE] <con1000|46> received AUTHENTICATION_FAILED error notify
    Aug 11 23:05:58	charon: 12[KNL] creating acquire job for policy 209.180.19.67/32|/0 === 50.244.201.165/32|/0 with reqid {1}
    Aug 11 23:05:58	charon: 13[IKE] <con1000|47> initiating Aggressive Mode IKE_SA con1000[47] to 50.244.201.165
    Aug 11 23:05:58	charon: 13[IKE] <con1000|47> initiating Aggressive Mode IKE_SA con1000[47] to 50.244.201.165
    Aug 11 23:05:58	charon: 13[ENC] <con1000|47> generating AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
    Aug 11 23:05:58	charon: 13[NET] <con1000|47> sending packet: from 209.180.19.67[500] to 50.244.201.165[500] (380 bytes)
    Aug 11 23:05:58	charon: 13[NET] <con1000|47> received packet: from 50.244.201.165[500] to 209.180.19.67[500] (56 bytes)
    Aug 11 23:05:58	charon: 13[ENC] <con1000|47> parsed INFORMATIONAL_V1 request 2644743300 [ N(AUTH_FAILED) ]
    Aug 11 23:05:58	charon: 13[IKE] <con1000|47> received AUTHENTICATION_FAILED error notify
    Aug 11 23:05:58	charon: 13[IKE] <con1000|47> received AUTHENTICATION_FAILED error notify
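
The two log dumps above (main mode on Aug 8, aggressive mode on Aug 11) are long mostly because pfSense 2.2 writes every charon line twice. What follows is an added example by the editor, not code from this thread, from pfSense or from strongSwan: a small Python triage script that reduces one side's charon log to one line per IKE_SA, showing how far Phase 1 got and which failure was logged. The sample lines are trimmed copies of the posts above; the only charon messages it understands are the ones that appear in this thread plus strongSwan's standard "IKE_SA ... established" line, so any other failure notice would need its own pattern added.

```python
"""Triage strongSwan (charon) IKEv1 Phase 1 logs (added example, not pfSense or strongSwan code)."""
import re

# "Aug 8 19:56:55<tab>charon: 10[IKE] <con1000|1032> message"; on the responder an
# SA that has not yet been matched to a conn is logged as "<1032>" with no name.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+charon:\s+"
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\]\s+"
    r"(?:<(?:(?P<conn>[^|>]+)\|)?(?P<sa>\d+)>\s+)?"
    r"(?P<msg>.*)$"
)
PAYLOADS_RE = re.compile(r"\[ (?P<payloads>[^\]]*?) \]")
INITIATOR_RE = re.compile(r"^initiating (?P<mode>Main|Aggressive) Mode IKE_SA \S+ to (?P<peer>\S+)$")
RESPONDER_RE = re.compile(r"^(?P<peer>\S+) is initiating an? (?P<mode>Main|Aggressive) Mode IKE_SA$")
VENDOR_RE = re.compile(r"^received (?P<vid>.+?) vendor ID$")
AUTH_FAILED_RE = re.compile(r"received AUTHENTICATION_FAILED error notify")
NO_AUTH_RE = re.compile(r"found (?P<n>\d+) matching config, but none allows "
                        r"(?P<auth>.+?) authentication using (?P<mode>\w+ Mode)")
ESTABLISHED_RE = re.compile(r"IKE_SA \S+ established between")

# Phase 1 milestones in order; the furthest one seen is where the SA got to.
MILESTONES = ("none", "proposal", "keyexchange", "identity", "established")
PAYLOAD_MILESTONE = {"SA": "proposal", "KE": "keyexchange", "ID": "identity"}

def _new_sa(conn):
    return {"conn": conn, "role": None, "mode": None, "peer": None,
            "reached": "none", "failure": None, "vendor_ids": set()}

def _advance(sa, milestone):
    if MILESTONES.index(milestone) > MILESTONES.index(sa["reached"]):
        sa["reached"] = milestone

def summarize(lines):
    """Return {sa_number: summary} for ONE firewall's log (SA numbers are per daemon)."""
    sas = {}
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m or m.group("sa") is None:
            continue  # not charon, or not tied to an IKE_SA (e.g. the KNL acquire jobs)
        sa = sas.setdefault(m.group("sa"), _new_sa(m.group("conn")))
        msg = m.group("msg")
        if (r := INITIATOR_RE.match(msg)):
            sa.update(role="initiator", mode=r.group("mode"), peer=r.group("peer"))
        elif (r := RESPONDER_RE.match(msg)):
            sa.update(role="responder", mode=r.group("mode"), peer=r.group("peer"))
        elif (r := VENDOR_RE.match(msg)):
            sa["vendor_ids"].add(r.group("vid"))  # a set, so duplicated log lines collapse
        elif (r := NO_AUTH_RE.search(msg)):
            # Responder side: a peer config matched by address/ID, but its auth
            # method or negotiation mode is not the one the initiator is using.
            sa["failure"] = (f"{r.group('n')} config matched but none allows "
                             f"{r.group('auth')} authentication in {r.group('mode')}")
        elif AUTH_FAILED_RE.search(msg):
            # Initiator side only sees the notify; the reason is in the responder's log.
            sa["failure"] = "peer sent AUTHENTICATION_FAILED (see the responder's log)"
        elif ESTABLISHED_RE.search(msg):
            _advance(sa, "established")
        if (p := PAYLOADS_RE.search(msg)):
            for payload in p.group("payloads").split():
                if payload in PAYLOAD_MILESTONE:
                    _advance(sa, PAYLOAD_MILESTONE[payload])
    return sas

def report(sas):
    """One line per IKE_SA, in SA order."""
    out = []
    for num, sa in sorted(sas.items(), key=lambda kv: int(kv[0])):
        status = f"FAILED: {sa['failure']}" if sa["failure"] else "no failure logged"
        out.append(f"IKE_SA {num} ({sa['conn'] or '-'}): {sa['role']} {sa['mode']} mode "
                   f"with {sa['peer']}, reached {sa['reached']}; {status}")
    return out

# Constructed samples: trimmed copies of the lines posted above, one per side.
INITIATOR_LOG = r"""
Aug 8 19:56:55 charon: 15[KNL] creating acquire job for policy 209.180.19.67/32|/0 === 50.244.201.165/32|/0 with reqid {3}
Aug 8 19:56:55 charon: 10[IKE] <con1000|1032> initiating Main Mode IKE_SA con1000[1032] to 50.244.201.165
Aug 8 19:56:55 charon: 10[ENC] <con1000|1032> parsed ID_PROT response 0 [ SA V V V V ]
Aug 8 19:56:55 charon: 10[IKE] <con1000|1032> received XAuth vendor ID
Aug 8 19:56:55 charon: 10[IKE] <con1000|1032> received XAuth vendor ID
Aug 8 19:56:55 charon: 10[ENC] <con1000|1032> generating ID_PROT request 0 [ ID HASH ]
Aug 8 19:56:55 charon: 10[IKE] <con1000|1032> received AUTHENTICATION_FAILED error notify
""".strip().splitlines()
RESPONDER_LOG = r"""
Aug 8 19:56:55 charon: 11[IKE] <1032> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Aug 8 19:56:55 charon: 11[IKE] <1032> 209.180.19.67 is initiating a Main Mode IKE_SA
Aug 8 19:56:55 charon: 11[ENC] <1032> generating ID_PROT response 0 [ SA V V V V ]
Aug 8 19:56:56 charon: 11[ENC] <1032> parsed ID_PROT request 0 [ ID HASH ]
Aug 8 19:56:56 charon: 11[IKE] <1032> found 1 matching config, but none allows pre-shared key authentication using Main Mode
Aug 11 23:05:54 charon: 07[ENC] <46> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
Aug 11 23:05:54 charon: 07[IKE] <46> 209.180.19.67 is initiating a Aggressive Mode IKE_SA
Aug 11 23:05:54 charon: 07[IKE] <46> found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode
""".strip().splitlines()

if __name__ == "__main__":
    for side in (INITIATOR_LOG, RESPONDER_LOG):
        print("\n".join(report(summarize(side))))
```

Run it on each firewall's log separately. The initiator only ever logs the AUTHENTICATION_FAILED notify; the reason (here, a matched config that does not allow PSK in the mode being negotiated) appears only on the responder, which is why a Phase 1 problem needs both sides' logs.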
    


  • Tried dotdash's suggestion

    [2.2.4-RELEASE][admin@pfsense.tcfedina.local]/root: Check /var/run delete charon.*
    Check: No match.
    [2.2.4-RELEASE][admin@pfsense.tcfedina.local]/root:
    
    

    Rebooting didn't help. Do I need to just go back to a previous firmware? …and if so, how do I do this?



  • Diving deeper into what's running the backend I see that racoon was replaced with strongswan. Looks like a bad move, but whatever. I see this strongswan issue: https://wiki.strongswan.org/issues/956 but the resolution won't work, I cannot locate /etc/ipsec.conf … anyone have any idea where ipsec.conf is?



  • Found that file… /var/etc? Really? Then why have a /etc/ at all ... Can't stand BSD....

    on firewall1

    # This file is automatically generated. Do not edit
    config setup
            uniqueids = yes
            charondebug=""
    
    conn bypasslan
            leftsubnet = 192.168.0.0/24
            rightsubnet = 192.168.0.0/24
            authby = never
            type = passthrough
            auto = route
    
    conn con1000
            fragmentation = yes
            keyexchange = ikev1
            reauth = yes
            forceencaps = no
            mobike = no
            rekey = yes
            installpolicy = yes
            type = tunnel
            dpdaction = restart
            dpddelay = 10s
            dpdtimeout = 60s
            auto = route
            left = 63.226.155.229
            right = 209.180.19.67
            leftid = 50.244.201.165
            ikelifetime = 28800s
            lifetime = 3600s
            ike = aes128-sha1-modp1024!
            esp = aes128-md5-modp1024,aes128-sha1-modp1024,3des-md5-modp1024,3des-sha1-modp1024!
            leftauth = psk
            rightauth = psk
            rightid = 209.180.19.67
            aggressive = yes
            rightsubnet = 192.168.1.0/24
            leftsubnet = 192.168.0.0/24
    
    

    on firewall2

    # This file is automatically generated. Do not edit
    config setup
            uniqueids = yes
            charondebug=""
    
    conn bypasslan
            leftsubnet = 192.168.1.0/24
            rightsubnet = 192.168.1.0/24
            authby = never
            type = passthrough
            auto = route
    
    conn con1000
            fragmentation = yes
            keyexchange = ikev1
            reauth = yes
            forceencaps = no
            mobike = no
            rekey = yes
            installpolicy = yes
            type = tunnel
            dpdaction = restart
            dpddelay = 10s
            dpdtimeout = 60s
            auto = route
            left = 209.180.19.67
            right = 50.244.201.165
            leftid = 209.180.19.67
            ikelifetime = 28800s
            lifetime = 3600s
            ike = aes128-sha1-modp1024!
            esp = aes128-md5-modp1024,aes128-sha1-modp1024,3des-md5-modp1024,3des-sha1-modp1024!
            leftauth = psk
            rightauth = psk
            rightid = 50.244.201.165
            aggressive = yes
            rightsubnet = 192.168.0.0/24
            leftsubnet = 192.168.1.0/24
    
    

    I wanted to point out that 'aggressive = yes' in both the files.
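
Added example (editor's code, not pfSense's or strongSwan's): a Python cross-check of the two conn sections posted above, so that the mirror relationship strongSwan expects (A's left/leftid/leftsubnet against B's right/rightid/rightsubnet, overlapping ike/esp proposals, the same negotiation mode) can be verified mechanically instead of by eye. Run against trimmed copies of the two files it confirms that identities, subnets, auth method, proposals and `aggressive = yes` do match on both sides; the one mismatch it reports is firewall1's `left = 63.226.155.229` against firewall2's `right = 50.244.201.165`, which is also the address firewall1's own log shows it sending from. Whether that is NAT or a second WAN, it is worth being able to explain before concluding the PSK itself is wrong. The script also warns about what the generated proposals contain: aggressive mode with a PSK sends the identity in the clear and lets a passive observer record a hash to crack offline, and MD5, 3DES and modp1024 should not be in a new tunnel's proposal list. The section names and key spellings follow the files above; the `WEAK` list is the editor's choice.

```python
"""Cross-check a strongSwan site-to-site ipsec.conf pair (added example, not pfSense code)."""

# Primitives still in pfSense 2.2's default proposal list that a new tunnel should not offer.
WEAK = ("md5", "3des", "modp768", "modp1024")


def parse_ipsec_conf(text):
    """Parse 'config setup' / 'conn NAME' sections into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # unindented line is a section header, e.g. "conn con1000"
            current = sections.setdefault(line.strip(), {})
            continue
        if current is None:
            raise ValueError(f"key/value line before any section: {raw!r}")
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return sections


def proposals(value):
    """'a-b-c,d-e-f!' -> ['a-b-c', 'd-e-f']; strongSwan's trailing '!' only means strict."""
    return [p for p in value.rstrip("!").split(",") if p]


def check_pair(a, b):
    """Compare one conn from each side; returns [(severity, message)].

    Each side matches the peer by the other side's address and identity, so A's
    left/leftid/leftsubnet/leftauth must equal B's right/rightid/rightsubnet/rightauth
    and vice versa; proposals must overlap; mode and key exchange must agree."""
    findings = []
    for la, ra in (("left", "right"), ("leftid", "rightid"),
                   ("leftsubnet", "rightsubnet"), ("leftauth", "rightauth")):
        for x, y in ((la, ra), (ra, la)):
            if a.get(x) != b.get(y):
                findings.append(("error", f"A.{x}={a.get(x)!r} != B.{y}={b.get(y)!r}"))
    for key in ("keyexchange", "aggressive", "type"):
        if a.get(key) != b.get(key):
            findings.append(("error", f"{key} differs: A={a.get(key)!r} B={b.get(key)!r}"))
    for key in ("ike", "esp"):
        pa, pb = set(proposals(a.get(key, ""))), set(proposals(b.get(key, "")))
        if not pa & pb:
            findings.append(("error", f"no common {key} proposal: A={sorted(pa)} B={sorted(pb)}"))
        for alg in sorted(pa | pb):
            weak = [w for w in WEAK if w in alg]
            if weak:
                findings.append(("warn", f"{key} proposal {alg} uses weak primitive(s) {weak}"))
    if a.get("aggressive") == "yes" and "psk" in (a.get("leftauth"), a.get("rightauth")):
        findings.append(("warn", "aggressive mode with PSK: the identity goes in the clear and the "
                                 "PSK-derived hash is exposed to offline cracking; use main mode or IKEv2"))
    return findings


# Copied from the two ipsec.conf files posted above, trimmed to the keys read here.
FIREWALL1_CONF = """
conn con1000
        keyexchange = ikev1
        type = tunnel
        left = 63.226.155.229
        right = 209.180.19.67
        leftid = 50.244.201.165
        ike = aes128-sha1-modp1024!
        esp = aes128-md5-modp1024,aes128-sha1-modp1024,3des-md5-modp1024,3des-sha1-modp1024!
        leftauth = psk
        rightauth = psk
        rightid = 209.180.19.67
        aggressive = yes
        rightsubnet = 192.168.1.0/24
        leftsubnet = 192.168.0.0/24
"""
FIREWALL2_CONF = """
conn con1000
        keyexchange = ikev1
        type = tunnel
        left = 209.180.19.67
        right = 50.244.201.165
        leftid = 209.180.19.67
        ike = aes128-sha1-modp1024!
        esp = aes128-md5-modp1024,aes128-sha1-modp1024,3des-md5-modp1024,3des-sha1-modp1024!
        leftauth = psk
        rightauth = psk
        rightid = 50.244.201.165
        aggressive = yes
        rightsubnet = 192.168.0.0/24
        leftsubnet = 192.168.1.0/24
"""

if __name__ == "__main__":
    a = parse_ipsec_conf(FIREWALL1_CONF)["conn con1000"]
    b = parse_ipsec_conf(FIREWALL2_CONF)["conn con1000"]
    for severity, message in check_pair(a, b):
        print(f"[{severity}] {message}")
```

The check reads the generated files in /var/etc on each box, so it reflects what pfSense actually handed to charon rather than what the GUI shows; any pair of side-by-side configs can be fed to it the same way.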



  • To restate my original question, can someone please post what they're doing to get this working on 2.2.4. Looking at strongswan's ipsec.conf suggestions (https://www.strongswan.org/uml/testresults/ikev1/net2net-psk/), compared with the configuration populated by pfsense suggests to me that this isn't going to work at all.



  • Disabled the service, tried to change the handshake for phase 1 to certificate, but couldn't get it to work. Changed it back to psk, changed encryption type to blowfish and DH to 5 from 2 (honestly, just because I was bored). Started the service back up, and it reconnected… holy crap, I hope I never have to come back to this forum again! Down with PFSENSE!