Netgate Discussion Forum
    Upgrade from racoon killed the vpn star

    IPsec
    11 Posts 3 Posters 2.8k Views

    bittrekker:

      I've read previous posts about this, but nothing has helped at all.

      Can anyone tell me their ipsec site-to-site vpn settings on pfsense 2.2.4 to another 2.2.4? I'd rather not downgrade back to the previous version. I have a very temporary solution in place, but I'd like to get this "ipsec service" back up and running. I have tried deleting and re-creating the vpn settings on both, as well as switching from aggressive mode to main mode, and changing my identifier and peer identifier from "My IP Address" and "Peer IP Address" to "Ip address" and entering the WAN IPs manually. I'll post the logs below, as well. Any help would be greatly appreciated, this is getting me down!

      Aug 8 19:56:55	charon: 15[KNL] creating acquire job for policy 209.180.19.67/32|/0 === 50.244.201.165/32|/0 with reqid {3}
      Aug 8 19:56:55	charon: 10[IKE] <con1000|1032> initiating Main Mode IKE_SA con1000[1032] to 50.244.201.165
      Aug 8 19:56:55	charon: 10[IKE] <con1000|1032> initiating Main Mode IKE_SA con1000[1032] to 50.244.201.165
      Aug 8 19:56:55	charon: 10[ENC] <con1000|1032> generating ID_PROT request 0 [ SA V V V V V V ]
      Aug 8 19:56:55	charon: 10[NET] <con1000|1032> sending packet: from 209.180.19.67[500] to 50.244.201.165[500] (200 bytes)
      Aug 8 19:56:55	charon: 10[NET] <con1000|1032> received packet: from 50.244.201.165[500] to 209.180.19.67[500] (156 bytes)
      Aug 8 19:56:55	charon: 10[ENC] <con1000|1032> parsed ID_PROT response 0 [ SA V V V V ]
      Aug 8 19:56:55	charon: 10[IKE] <con1000|1032> received XAuth vendor ID
      Aug 8 19:56:55	charon: 10[IKE] <con1000|1032> received XAuth vendor ID
      Aug 8 19:56:55	charon: 10[IKE] <con1000|1032> received DPD vendor ID
      Aug 8 19:56:55	charon: 10[IKE] <con1000|1032> received DPD vendor ID
      Aug 8 19:56:55	charon: 10[IKE] <con1000|1032> received Cisco Unity vendor ID
      Aug 8 19:56:55	charon: 10[IKE] <con1000|1032> received Cisco Unity vendor ID
      Aug 8 19:56:55	charon: 10[IKE] <con1000|1032> received NAT-T (RFC 3947) vendor ID
      Aug 8 19:56:55	charon: 10[IKE] <con1000|1032> received NAT-T (RFC 3947) vendor ID
      Aug 8 19:56:55	charon: 10[ENC] <con1000|1032> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
      Aug 8 19:56:55	charon: 10[NET] <con1000|1032> sending packet: from 209.180.19.67[500] to 50.244.201.165[500] (244 bytes)
      Aug 8 19:56:55	charon: 10[NET] <con1000|1032> received packet: from 50.244.201.165[500] to 209.180.19.67[500] (244 bytes)
      Aug 8 19:56:55	charon: 10[ENC] <con1000|1032> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
      Aug 8 19:56:55	charon: 10[ENC] <con1000|1032> generating ID_PROT request 0 [ ID HASH ]
      Aug 8 19:56:55	charon: 10[NET] <con1000|1032> sending packet: from 209.180.19.67[500] to 50.244.201.165[500] (76 bytes)
      Aug 8 19:56:55	charon: 10[NET] <con1000|1032> received packet: from 50.244.201.165[500] to 209.180.19.67[500] (92 bytes)
      Aug 8 19:56:55	charon: 10[ENC] <con1000|1032> parsed INFORMATIONAL_V1 request 4044762089 [ HASH N(AUTH_FAILED) ]
      Aug 8 19:56:55	charon: 10[IKE] <con1000|1032> received AUTHENTICATION_FAILED error notify
      Aug 8 19:56:55	charon: 10[IKE] <con1000|1032> received AUTHENTICATION_FAILED error notify
      Aug 8 19:57:03	charon: 10[KNL] creating acquire job for policy 209.180.19.67/32|/0 === 50.244.201.165/32|/0 with reqid {3}
      Aug 8 19:57:03	charon: 15[IKE] <con1000|1033> initiating Main Mode IKE_SA con1000[1033] to 50.244.201.165
      Aug 8 19:57:03	charon: 15[IKE] <con1000|1033> initiating Main Mode IKE_SA con1000[1033] to 50.244.201.165
      Aug 8 19:57:03	charon: 15[ENC] <con1000|1033> generating ID_PROT request 0 [ SA V V V V V V ]
      Aug 8 19:57:03	charon: 15[NET] <con1000|1033> sending packet: from 209.180.19.67[500] to 50.244.201.165[500] (200 bytes)
      Aug 8 19:57:03	charon: 15[NET] <con1000|1033> received packet: from 50.244.201.165[500] to 209.180.19.67[500] (156 bytes)
      Aug 8 19:57:03	charon: 15[ENC] <con1000|1033> parsed ID_PROT response 0 [ SA V V V V ]
      Aug 8 19:57:03	charon: 15[IKE] <con1000|1033> received XAuth vendor ID
      Aug 8 19:57:03	charon: 15[IKE] <con1000|1033> received XAuth vendor ID
      Aug 8 19:57:03	charon: 15[IKE] <con1000|1033> received DPD vendor ID
      Aug 8 19:57:03	charon: 15[IKE] <con1000|1033> received DPD vendor ID
      Aug 8 19:57:03	charon: 15[IKE] <con1000|1033> received Cisco Unity vendor ID
      Aug 8 19:57:03	charon: 15[IKE] <con1000|1033> received Cisco Unity vendor ID
      Aug 8 19:57:03	charon: 15[IKE] <con1000|1033> received NAT-T (RFC 3947) vendor ID
      Aug 8 19:57:03	charon: 15[IKE] <con1000|1033> received NAT-T (RFC 3947) vendor ID
      Aug 8 19:57:03	charon: 15[ENC] <con1000|1033> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
      Aug 8 19:57:03	charon: 15[NET] <con1000|1033> sending packet: from 209.180.19.67[500] to 50.244.201.165[500] (244 bytes)
      Aug 8 19:57:03	charon: 15[NET] <con1000|1033> received packet: from 50.244.201.165[500] to 209.180.19.67[500] (244 bytes)
      Aug 8 19:57:03	charon: 15[ENC] <con1000|1033> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
      Aug 8 19:57:03	charon: 15[ENC] <con1000|1033> generating ID_PROT request 0 [ ID HASH ]
      Aug 8 19:57:03	charon: 15[NET] <con1000|1033> sending packet: from 209.180.19.67[500] to 50.244.201.165[500] (76 bytes)
      Aug 8 19:57:03	charon: 15[NET] <con1000|1033> received packet: from 50.244.201.165[500] to 209.180.19.67[500] (92 bytes)
      Aug 8 19:57:03	charon: 15[ENC] <con1000|1033> parsed INFORMATIONAL_V1 request 1466251066 [ HASH N(AUTH_FAILED) ]
      Aug 8 19:57:03	charon: 15[IKE] <con1000|1033> received AUTHENTICATION_FAILED error notify
      Aug 8 19:57:03	charon: 15[IKE] <con1000|1033> received AUTHENTICATION_FAILED error notify
      
      Aug 8 19:56:55	charon: 11[IKE] <1032> received FRAGMENTATION vendor ID
      Aug 8 19:56:55	charon: 11[IKE] <1032> received FRAGMENTATION vendor ID
      Aug 8 19:56:55	charon: 11[IKE] <1032> received NAT-T (RFC 3947) vendor ID
      Aug 8 19:56:55	charon: 11[IKE] <1032> received NAT-T (RFC 3947) vendor ID
      Aug 8 19:56:55	charon: 11[IKE] <1032> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      Aug 8 19:56:55	charon: 11[IKE] <1032> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      Aug 8 19:56:55	charon: 11[IKE] <1032> 209.180.19.67 is initiating a Main Mode IKE_SA
      Aug 8 19:56:55	charon: 11[IKE] <1032> 209.180.19.67 is initiating a Main Mode IKE_SA
      Aug 8 19:56:55	charon: 11[ENC] <1032> generating ID_PROT response 0 [ SA V V V V ]
      Aug 8 19:56:55	charon: 11[NET] <1032> sending packet: from 50.244.201.165[500] to 209.180.19.67[500] (156 bytes)
      Aug 8 19:56:55	charon: 11[NET] <1032> received packet: from 209.180.19.67[500] to 50.244.201.165[500] (244 bytes)
      Aug 8 19:56:55	charon: 11[ENC] <1032> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
      Aug 8 19:56:56	charon: 11[ENC] <1032> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
      Aug 8 19:56:56	charon: 11[NET] <1032> sending packet: from 50.244.201.165[500] to 209.180.19.67[500] (244 bytes)
      Aug 8 19:56:56	charon: 11[NET] <1032> received packet: from 209.180.19.67[500] to 50.244.201.165[500] (76 bytes)
      Aug 8 19:56:56	charon: 11[ENC] <1032> parsed ID_PROT request 0 [ ID HASH ]
      Aug 8 19:56:56	charon: 11[CFG] <1032> looking for pre-shared key peer configs matching 50.244.201.165...209.180.19.67[209.180.19.67]
      Aug 8 19:56:56	charon: 11[IKE] <1032> found 1 matching config, but none allows pre-shared key authentication using Main Mode
      Aug 8 19:56:56	charon: 11[IKE] <1032> found 1 matching config, but none allows pre-shared key authentication using Main Mode
      Aug 8 19:56:56	charon: 11[ENC] <1032> generating INFORMATIONAL_V1 request 4044762089 [ HASH N(AUTH_FAILED) ]
      Aug 8 19:56:56	charon: 11[NET] <1032> sending packet: from 50.244.201.165[500] to 209.180.19.67[500] (92 bytes)
      Aug 8 19:57:03	charon: 11[NET] <1033> received packet: from 209.180.19.67[500] to 50.244.201.165[500] (200 bytes)
      Aug 8 19:57:03	charon: 11[ENC] <1033> parsed ID_PROT request 0 [ SA V V V V V V ]
      Aug 8 19:57:03	charon: 11[IKE] <1033> received XAuth vendor ID
      Aug 8 19:57:03	charon: 11[IKE] <1033> received XAuth vendor ID
      Aug 8 19:57:03	charon: 11[IKE] <1033> received DPD vendor ID
      Aug 8 19:57:03	charon: 11[IKE] <1033> received DPD vendor ID
      Aug 8 19:57:03	charon: 11[IKE] <1033> received Cisco Unity vendor ID
      Aug 8 19:57:03	charon: 11[IKE] <1033> received Cisco Unity vendor ID
      Aug 8 19:57:03	charon: 11[IKE] <1033> received FRAGMENTATION vendor ID
      Aug 8 19:57:03	charon: 11[IKE] <1033> received FRAGMENTATION vendor ID
      Aug 8 19:57:03	charon: 11[IKE] <1033> received NAT-T (RFC 3947) vendor ID
      Aug 8 19:57:03	charon: 11[IKE] <1033> received NAT-T (RFC 3947) vendor ID
      Aug 8 19:57:03	charon: 11[IKE] <1033> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      Aug 8 19:57:03	charon: 11[IKE] <1033> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      Aug 8 19:57:03	charon: 11[IKE] <1033> 209.180.19.67 is initiating a Main Mode IKE_SA
      Aug 8 19:57:03	charon: 11[IKE] <1033> 209.180.19.67 is initiating a Main Mode IKE_SA
      Aug 8 19:57:03	charon: 11[ENC] <1033> generating ID_PROT response 0 [ SA V V V V ]
      Aug 8 19:57:03	charon: 11[NET] <1033> sending packet: from 50.244.201.165[500] to 209.180.19.67[500] (156 bytes)
      Aug 8 19:57:03	charon: 11[NET] <1033> received packet: from 209.180.19.67[500] to 50.244.201.165[500] (244 bytes)
      Aug 8 19:57:03	charon: 11[ENC] <1033> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
      Aug 8 19:57:04	charon: 11[ENC] <1033> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
      Aug 8 19:57:04	charon: 11[NET] <1033> sending packet: from 50.244.201.165[500] to 209.180.19.67[500] (244 bytes)
      Aug 8 19:57:04	charon: 11[NET] <1033> received packet: from 209.180.19.67[500] to 50.244.201.165[500] (76 bytes)
      Aug 8 19:57:04	charon: 11[ENC] <1033> parsed ID_PROT request 0 [ ID HASH ]
      Aug 8 19:57:04	charon: 11[CFG] <1033> looking for pre-shared key peer configs matching 50.244.201.165...209.180.19.67[209.180.19.67]
      Aug 8 19:57:04	charon: 11[IKE] <1033> found 1 matching config, but none allows pre-shared key authentication using Main Mode
      Aug 8 19:57:04	charon: 11[IKE] <1033> found 1 matching config, but none allows pre-shared key authentication using Main Mode
      Aug 8 19:57:04	charon: 11[ENC] <1033> generating INFORMATIONAL_V1 request 1466251066 [ HASH N(AUTH_FAILED) ]
      Aug 8 19:57:04	charon: 11[NET] <1033> sending packet: from 50.244.201.165[500] to 209.180.19.67[500] (92 bytes)
      
      cmb:

        You have a P1 mismatch of some sort.

        found 1 matching config, but none allows pre-shared key authentication using Main Mode
        
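An added triage script, not part of the thread and not pfSense or strongSwan code: it replays the responder-side charon lines quoted in the first post (a constructed sample copied from the Aug 8 Main Mode attempt, IKE_SA 1032, and the Aug 11 Aggressive Mode attempt, IKE_SA 46) and records, per IKE_SA number, how far Phase 1 got before the responder generated N(AUTH_FAILED). In the Main Mode log the responder answered the SA payload and the KE/nonce payload and only rejected at the ID/HASH step, so the Phase 1 encryption, hash and DH group settings did match; the logged reason ("found 1 matching config, but none allows pre-shared key authentication using Main Mode") is charon failing to select a connection whose authentication method and exchange mode fit this peer, which is where to look rather than at the cipher proposals. In Aggressive Mode the SA, KE and ID payloads arrive in one message, so the same log says nothing about the proposal. The names parse_phase1, diagnose and Phase1Verdict are this script's own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Responder-side (firewall1) charon lines assembled from those quoted in the
# thread: the Main Mode attempt with IKE_SA number 1032 (Aug 8) and the
# Aggressive Mode attempt with number 46 (Aug 11). Constructed sample.
RESPONDER_LOG = """\
Aug 8 19:56:55 charon: 11[ENC] <1032> parsed ID_PROT request 0 [ SA V V V V V V ]
Aug 8 19:56:55 charon: 11[IKE] <1032> 209.180.19.67 is initiating a Main Mode IKE_SA
Aug 8 19:56:55 charon: 11[ENC] <1032> generating ID_PROT response 0 [ SA V V V V ]
Aug 8 19:56:55 charon: 11[ENC] <1032> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Aug 8 19:56:56 charon: 11[ENC] <1032> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Aug 8 19:56:56 charon: 11[ENC] <1032> parsed ID_PROT request 0 [ ID HASH ]
Aug 8 19:56:56 charon: 11[CFG] <1032> looking for pre-shared key peer configs matching 50.244.201.165...209.180.19.67[209.180.19.67]
Aug 8 19:56:56 charon: 11[IKE] <1032> found 1 matching config, but none allows pre-shared key authentication using Main Mode
Aug 8 19:56:56 charon: 11[ENC] <1032> generating INFORMATIONAL_V1 request 4044762089 [ HASH N(AUTH_FAILED) ]
Aug 11 23:05:54 charon: 07[ENC] <46> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
Aug 11 23:05:54 charon: 07[IKE] <46> 209.180.19.67 is initiating a Aggressive Mode IKE_SA
Aug 11 23:05:54 charon: 07[IKE] <46> found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode
Aug 11 23:05:54 charon: 07[ENC] <46> generating INFORMATIONAL_V1 request 1128443671 [ N(AUTH_FAILED) ]
"""

LINE_RE = re.compile(
    r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\s+charon:\s+\d+\[[A-Z]+\]\s+"
    r"(?:<(?P<sa>[^>]+)>\s+)?(?P<msg>.*)$"
)
INIT_RE = re.compile(r"(?P<peer>[\d.]+) is initiating an? (?P<mode>Main|Aggressive) Mode IKE_SA")
PAYLOAD_RE = re.compile(
    r"(?P<dir>parsed|generating) (?:ID_PROT|AGGRESSIVE|INFORMATIONAL_V1) "
    r"(?:request|response) \d+ \[ (?P<payloads>[^\]]*?) \]"
)
REASON_RE = re.compile(r"found \d+ matching configs?, but none allows .+? authentication using \w+ Mode")


@dataclass
class Phase1Verdict:
    sa: str
    peer: str | None = None
    mode: str | None = None
    proposal_accepted: bool = False  # responder answered the SA payload: a Phase 1 proposal matched
    dh_completed: bool = False       # responder answered KE/nonce: DH exchange completed
    identity_received: bool = False  # ID payload parsed: connection/auth selection happens here
    auth_failed: bool = False        # responder generated N(AUTH_FAILED)
    reason: str | None = None        # responder's own explanation, if it logged one


def parse_phase1(log_text: str) -> dict[str, Phase1Verdict]:
    """Replay the log and record, per IKE_SA number, which Phase 1 steps completed."""
    verdicts: dict[str, Phase1Verdict] = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m or not m.group("sa"):
            continue  # no <sa> tag: kernel acquire jobs and similar, not part of an exchange
        sa = m.group("sa").split("|")[-1]  # '<con1000|1032>' and '<1032>' name the same SA
        v = verdicts.setdefault(sa, Phase1Verdict(sa=sa))
        msg = m.group("msg")
        if im := INIT_RE.search(msg):
            v.peer, v.mode = im.group("peer"), im.group("mode")
        elif pm := PAYLOAD_RE.search(msg):
            payloads = pm.group("payloads").split()
            if pm.group("dir") == "generating":
                v.proposal_accepted |= "SA" in payloads
                v.dh_completed |= "KE" in payloads
            v.identity_received |= pm.group("dir") == "parsed" and "ID" in payloads
            v.auth_failed |= "N(AUTH_FAILED)" in payloads
        elif rm := REASON_RE.search(msg):
            v.reason = rm.group(0)
    return verdicts


def diagnose(v: Phase1Verdict) -> str:
    """One-line verdict on where Phase 1 died and what that rules out."""
    who = f"SA {v.sa} from {v.peer} ({v.mode} Mode)"
    if not v.auth_failed:
        return f"{who}: no AUTH_FAILED notify seen"
    reason = v.reason or "no reason logged"
    if v.mode == "Main" and v.proposal_accepted and v.dh_completed and v.identity_received:
        # A proposal was chosen and DH completed before the rejection at ID/HASH, so the
        # encryption/hash/DH settings are not the mismatch; connection/auth selection is.
        return f"{who}: proposal and DH accepted, rejected at ID/HASH -> {reason}"
    if v.mode == "Aggressive":
        # SA, KE and ID arrive in one message and the responder rejects before logging
        # anything about the proposal, so the log says nothing about the ciphers here.
        return f"{who}: rejected on first message -> {reason}"
    return f"{who}: failed before Phase 1 completed -> {reason}"


if __name__ == "__main__":
    for verdict in parse_phase1(RESPONDER_LOG).values():
        print(diagnose(verdict))
```

Run it against a full IPsec log export and it reports one line per IKE_SA; the initiator-side lines (`<con1000|N>`) are folded into the same SA number, so either firewall's log can be fed in, but the reason text only appears on the responder.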
        bittrekker:

          I noticed that. Checked and re-did configs three times. There's no way there's ACTUALLY a mismatch. How do I "flush" this thing, it's got something sitting somewhere that's messed up. I used the same password as I had previously. It makes no sense!

          dotdash:

            Try this-
            Stop the service.
            Make sure it's dead by checking with ps. Kill any charon or ipsec starter processes.
            Check /var/run delete charon.*
            Restart the service.
            Rebooting the firewall may work as well.

            cmb:

              A stop, then start of the IPsec service would suffice to clear out anything that was in place before (or reboot if you want). There won't be any processes or files or anything else left behind that matter, I wouldn't recommend dotdash's suggestion. No harm in doing exactly what he stated but if you're excessive with deleting things you might break other things, and it's not necessary to delete any of that.

              You probably have one side on main mode and the other on aggressive to get the logs you're getting.

              bittrekker:

                I've tried both in main mode and in aggressive mode (which was the original working mode before the upgrade). I set both to aggressive mode and rebooted both firewalls. Hmm, at a loss here. Looks like it's the same.

                Aug 11 23:05:47	charon: 14[IKE] <45> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
                Aug 11 23:05:47	charon: 14[IKE] <45> 209.180.19.67 is initiating a Aggressive Mode IKE_SA
                Aug 11 23:05:47	charon: 14[IKE] <45> 209.180.19.67 is initiating a Aggressive Mode IKE_SA
                Aug 11 23:05:48	charon: 14[CFG] <45> looking for pre-shared key peer configs matching 50.244.201.165...209.180.19.67[209.180.19.67]
                Aug 11 23:05:48	charon: 14[IKE] <45> found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode
                Aug 11 23:05:48	charon: 14[IKE] <45> found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode
                Aug 11 23:05:48	charon: 14[ENC] <45> generating INFORMATIONAL_V1 request 1425566073 [ N(AUTH_FAILED) ]
                Aug 11 23:05:48	charon: 14[NET] <45> sending packet: from 50.244.201.165[500] to 209.180.19.67[500] (56 bytes)
                Aug 11 23:05:54	charon: 07[NET] <46> received packet: from 209.180.19.67[500] to 50.244.201.165[500] (380 bytes)
                Aug 11 23:05:54	charon: 07[ENC] <46> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
                Aug 11 23:05:54	charon: 07[IKE] <46> received XAuth vendor ID
                Aug 11 23:05:54	charon: 07[IKE] <46> received XAuth vendor ID
                Aug 11 23:05:54	charon: 07[IKE] <46> received DPD vendor ID
                Aug 11 23:05:54	charon: 07[IKE] <46> received DPD vendor ID
                Aug 11 23:05:54	charon: 07[IKE] <46> received Cisco Unity vendor ID
                Aug 11 23:05:54	charon: 07[IKE] <46> received Cisco Unity vendor ID
                Aug 11 23:05:54	charon: 07[IKE] <46> received FRAGMENTATION vendor ID
                Aug 11 23:05:54	charon: 07[IKE] <46> received FRAGMENTATION vendor ID
                Aug 11 23:05:54	charon: 07[IKE] <46> received NAT-T (RFC 3947) vendor ID
                Aug 11 23:05:54	charon: 07[IKE] <46> received NAT-T (RFC 3947) vendor ID
                Aug 11 23:05:54	charon: 07[IKE] <46> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
                Aug 11 23:05:54	charon: 07[IKE] <46> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
                Aug 11 23:05:54	charon: 07[IKE] <46> 209.180.19.67 is initiating a Aggressive Mode IKE_SA
                Aug 11 23:05:54	charon: 07[IKE] <46> 209.180.19.67 is initiating a Aggressive Mode IKE_SA
                Aug 11 23:05:54	charon: 07[CFG] <46> looking for pre-shared key peer configs matching 50.244.201.165...209.180.19.67[209.180.19.67]
                Aug 11 23:05:54	charon: 07[IKE] <46> found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode
                Aug 11 23:05:54	charon: 07[IKE] <46> found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode
                Aug 11 23:05:54	charon: 07[ENC] <46> generating INFORMATIONAL_V1 request 1128443671 [ N(AUTH_FAILED) ]
                Aug 11 23:05:54	charon: 07[NET] <46> sending packet: from 50.244.201.165[500] to 209.180.19.67[500] (56 bytes)
                Aug 11 23:05:58	charon: 07[NET] <47> received packet: from 209.180.19.67[500] to 50.244.201.165[500] (380 bytes)
                Aug 11 23:05:58	charon: 07[ENC] <47> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
                Aug 11 23:05:58	charon: 07[IKE] <47> received XAuth vendor ID
                Aug 11 23:05:58	charon: 07[IKE] <47> received XAuth vendor ID
                Aug 11 23:05:58	charon: 07[IKE] <47> received DPD vendor ID
                Aug 11 23:05:58	charon: 07[IKE] <47> received DPD vendor ID
                Aug 11 23:05:58	charon: 07[IKE] <47> received Cisco Unity vendor ID
                Aug 11 23:05:58	charon: 07[IKE] <47> received Cisco Unity vendor ID
                Aug 11 23:05:58	charon: 07[IKE] <47> received FRAGMENTATION vendor ID
                Aug 11 23:05:58	charon: 07[IKE] <47> received FRAGMENTATION vendor ID
                Aug 11 23:05:58	charon: 07[IKE] <47> received NAT-T (RFC 3947) vendor ID
                Aug 11 23:05:58	charon: 07[IKE] <47> received NAT-T (RFC 3947) vendor ID
                Aug 11 23:05:58	charon: 07[IKE] <47> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
                Aug 11 23:05:58	charon: 07[IKE] <47> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
                Aug 11 23:05:58	charon: 07[IKE] <47> 209.180.19.67 is initiating a Aggressive Mode IKE_SA
                Aug 11 23:05:58	charon: 07[IKE] <47> 209.180.19.67 is initiating a Aggressive Mode IKE_SA
                Aug 11 23:05:58	charon: 07[CFG] <47> looking for pre-shared key peer configs matching 50.244.201.165...209.180.19.67[209.180.19.67]
                Aug 11 23:05:58	charon: 07[IKE] <47> found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode
                Aug 11 23:05:58	charon: 07[IKE] <47> found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode
                Aug 11 23:05:58	charon: 07[ENC] <47> generating INFORMATIONAL_V1 request 2644743300 [ N(AUTH_FAILED) ]
                Aug 11 23:05:58	charon: 07[NET] <47> sending packet: from 50.244.201.165[500] to 209.180.19.67[500] (56 bytes)
                
                Aug 11 23:05:17	charon: 13[NET] <con1000|42> sending packet: from 209.180.19.67[500] to 50.244.201.165[500] (380 bytes)
                Aug 11 23:05:18	charon: 13[NET] <con1000|42> received packet: from 50.244.201.165[500] to 209.180.19.67[500] (56 bytes)
                Aug 11 23:05:18	charon: 13[ENC] <con1000|42> parsed INFORMATIONAL_V1 request 1265996762 [ N(AUTH_FAILED) ]
                Aug 11 23:05:18	charon: 13[IKE] <con1000|42> received AUTHENTICATION_FAILED error notify
                Aug 11 23:05:18	charon: 13[IKE] <con1000|42> received AUTHENTICATION_FAILED error notify
                Aug 11 23:05:26	charon: 13[KNL] creating acquire job for policy 209.180.19.67/32|/0 === 50.244.201.165/32|/0 with reqid {1}
                Aug 11 23:05:26	charon: 14[IKE] <con1000|43> initiating Aggressive Mode IKE_SA con1000[43] to 50.244.201.165
                Aug 11 23:05:26	charon: 14[IKE] <con1000|43> initiating Aggressive Mode IKE_SA con1000[43] to 50.244.201.165
                Aug 11 23:05:26	charon: 14[ENC] <con1000|43> generating AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
                Aug 11 23:05:26	charon: 14[NET] <con1000|43> sending packet: from 209.180.19.67[500] to 50.244.201.165[500] (380 bytes)
                Aug 11 23:05:26	charon: 14[NET] <con1000|43> received packet: from 50.244.201.165[500] to 209.180.19.67[500] (56 bytes)
                Aug 11 23:05:26	charon: 14[ENC] <con1000|43> parsed INFORMATIONAL_V1 request 223373224 [ N(AUTH_FAILED) ]
                Aug 11 23:05:26	charon: 14[IKE] <con1000|43> received AUTHENTICATION_FAILED error notify
                Aug 11 23:05:26	charon: 14[IKE] <con1000|43> received AUTHENTICATION_FAILED error notify
                Aug 11 23:05:44	charon: 14[KNL] creating acquire job for policy 209.180.19.67/32|/0 === 50.244.201.165/32|/0 with reqid {1}
                Aug 11 23:05:44	charon: 13[IKE] <con1000|44> initiating Aggressive Mode IKE_SA con1000[44] to 50.244.201.165
                Aug 11 23:05:44	charon: 13[IKE] <con1000|44> initiating Aggressive Mode IKE_SA con1000[44] to 50.244.201.165
                Aug 11 23:05:44	charon: 13[ENC] <con1000|44> generating AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
                Aug 11 23:05:44	charon: 13[NET] <con1000|44> sending packet: from 209.180.19.67[500] to 50.244.201.165[500] (380 bytes)
                Aug 11 23:05:45	charon: 13[NET] <con1000|44> received packet: from 50.244.201.165[500] to 209.180.19.67[500] (56 bytes)
                Aug 11 23:05:45	charon: 13[ENC] <con1000|44> parsed INFORMATIONAL_V1 request 2551326345 [ N(AUTH_FAILED) ]
                Aug 11 23:05:45	charon: 13[IKE] <con1000|44> received AUTHENTICATION_FAILED error notify
                Aug 11 23:05:45	charon: 13[IKE] <con1000|44> received AUTHENTICATION_FAILED error notify
                Aug 11 23:05:47	charon: 13[KNL] creating acquire job for policy 209.180.19.67/32|/0 === 50.244.201.165/32|/0 with reqid {1}
                Aug 11 23:05:47	charon: 14[IKE] <con1000|45> initiating Aggressive Mode IKE_SA con1000[45] to 50.244.201.165
                Aug 11 23:05:47	charon: 14[IKE] <con1000|45> initiating Aggressive Mode IKE_SA con1000[45] to 50.244.201.165
                Aug 11 23:05:47	charon: 14[ENC] <con1000|45> generating AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
                Aug 11 23:05:47	charon: 14[NET] <con1000|45> sending packet: from 209.180.19.67[500] to 50.244.201.165[500] (380 bytes)
                Aug 11 23:05:48	charon: 14[NET] <con1000|45> received packet: from 50.244.201.165[500] to 209.180.19.67[500] (56 bytes)
                Aug 11 23:05:48	charon: 14[ENC] <con1000|45> parsed INFORMATIONAL_V1 request 1425566073 [ N(AUTH_FAILED) ]
                Aug 11 23:05:48	charon: 14[IKE] <con1000|45> received AUTHENTICATION_FAILED error notify
                Aug 11 23:05:48	charon: 14[IKE] <con1000|45> received AUTHENTICATION_FAILED error notify
                Aug 11 23:05:54	charon: 13[KNL] creating acquire job for policy 209.180.19.67/32|/0 === 50.244.201.165/32|/0 with reqid {1}
                Aug 11 23:05:54	charon: 12[IKE] <con1000|46> initiating Aggressive Mode IKE_SA con1000[46] to 50.244.201.165
                Aug 11 23:05:54	charon: 12[IKE] <con1000|46> initiating Aggressive Mode IKE_SA con1000[46] to 50.244.201.165
                Aug 11 23:05:54	charon: 12[ENC] <con1000|46> generating AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
                Aug 11 23:05:54	charon: 12[NET] <con1000|46> sending packet: from 209.180.19.67[500] to 50.244.201.165[500] (380 bytes)
                Aug 11 23:05:54	charon: 12[NET] <con1000|46> received packet: from 50.244.201.165[500] to 209.180.19.67[500] (56 bytes)
                Aug 11 23:05:54	charon: 12[ENC] <con1000|46> parsed INFORMATIONAL_V1 request 1128443671 [ N(AUTH_FAILED) ]
                Aug 11 23:05:54	charon: 12[IKE] <con1000|46> received AUTHENTICATION_FAILED error notify
                Aug 11 23:05:54	charon: 12[IKE] <con1000|46> received AUTHENTICATION_FAILED error notify
                Aug 11 23:05:58	charon: 12[KNL] creating acquire job for policy 209.180.19.67/32|/0 === 50.244.201.165/32|/0 with reqid {1}
                Aug 11 23:05:58	charon: 13[IKE] <con1000|47> initiating Aggressive Mode IKE_SA con1000[47] to 50.244.201.165
                Aug 11 23:05:58	charon: 13[IKE] <con1000|47> initiating Aggressive Mode IKE_SA con1000[47] to 50.244.201.165
                Aug 11 23:05:58	charon: 13[ENC] <con1000|47> generating AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
                Aug 11 23:05:58	charon: 13[NET] <con1000|47> sending packet: from 209.180.19.67[500] to 50.244.201.165[500] (380 bytes)
                Aug 11 23:05:58	charon: 13[NET] <con1000|47> received packet: from 50.244.201.165[500] to 209.180.19.67[500] (56 bytes)
                Aug 11 23:05:58	charon: 13[ENC] <con1000|47> parsed INFORMATIONAL_V1 request 2644743300 [ N(AUTH_FAILED) ]
                Aug 11 23:05:58	charon: 13[IKE] <con1000|47> received AUTHENTICATION_FAILED error notify
                Aug 11 23:05:58	charon: 13[IKE] <con1000|47> received AUTHENTICATION_FAILED error notify
                
                bittrekker:

                  Tried dotdash's suggestion

                  [2.2.4-RELEASE][admin@pfsense.tcfedina.local]/root: Check /var/run delete charon.*
                  Check: No match.
                  [2.2.4-RELEASE][admin@pfsense.tcfedina.local]/root:
                  
                  

                  Rebooting didn't help. Do I need to just go back to a previous firmware? …and if so, how do I do this?

                  bittrekker:

                    Diving deeper into what's running the backend I see that racoon was replaced with strongSwan. Looks like a bad move, but whatever. I see this strongSwan issue: https://wiki.strongswan.org/issues/956 but the resolution won't work, I cannot locate /etc/ipsec.conf … anyone have any idea where ipsec.conf is?

                    bittrekker:

                      Found that file… /var/etc? Really? Then why have a /etc/ at all ... Can't stand BSD....

                      on firewall1

                      # This file is automatically generated. Do not edit
                      config setup
                              uniqueids = yes
                              charondebug=""
                      
                      conn bypasslan
                              leftsubnet = 192.168.0.0/24
                              rightsubnet = 192.168.0.0/24
                              authby = never
                              type = passthrough
                              auto = route
                      
                      conn con1000
                              fragmentation = yes
                              keyexchange = ikev1
                              reauth = yes
                              forceencaps = no
                              mobike = no
                              rekey = yes
                              installpolicy = yes
                              type = tunnel
                              dpdaction = restart
                              dpddelay = 10s
                              dpdtimeout = 60s
                              auto = route
                              left = 63.226.155.229
                              right = 209.180.19.67
                              leftid = 50.244.201.165
                              ikelifetime = 28800s
                              lifetime = 3600s
                              ike = aes128-sha1-modp1024!
                              esp = aes128-md5-modp1024,aes128-sha1-modp1024,3des-md5-modp1024,3des-sha1-modp1024!
                              leftauth = psk
                              rightauth = psk
                              rightid = 209.180.19.67
                              aggressive = yes
                              rightsubnet = 192.168.1.0/24
                              leftsubnet = 192.168.0.0/24
                      
                      

                      on firewall2

                      # This file is automatically generated. Do not edit
                      config setup
                              uniqueids = yes
                              charondebug=""
                      
                      conn bypasslan
                              leftsubnet = 192.168.1.0/24
                              rightsubnet = 192.168.1.0/24
                              authby = never
                              type = passthrough
                              auto = route
                      
                      conn con1000
                              fragmentation = yes
                              keyexchange = ikev1
                              reauth = yes
                              forceencaps = no
                              mobike = no
                              rekey = yes
                              installpolicy = yes
                              type = tunnel
                              dpdaction = restart
                              dpddelay = 10s
                              dpdtimeout = 60s
                              auto = route
                              left = 209.180.19.67
                              right = 50.244.201.165
                              leftid = 209.180.19.67
                              ikelifetime = 28800s
                              lifetime = 3600s
                              ike = aes128-sha1-modp1024!
                              esp = aes128-md5-modp1024,aes128-sha1-modp1024,3des-md5-modp1024,3des-sha1-modp1024!
                              leftauth = psk
                              rightauth = psk
                              rightid = 50.244.201.165
                              aggressive = yes
                              rightsubnet = 192.168.0.0/24
                              leftsubnet = 192.168.1.0/24
                      
                      

                      I wanted to point out that 'aggressive = yes' in both the files.

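An added consistency check, not from the thread and not pfSense or strongSwan code: it parses the two generated ipsec.conf files quoted above (copied inline and trimmed to the keys it reads) and verifies that the con1000 sections mirror each other (one side's left/leftid/leftsubnet/leftauth against the other's right/rightid/rightsubnet/rightauth), that the settings both sides must share (keyexchange, aggressive, ike, esp) agree, that each side's left address is the identity it presents, and that the proposals contain no weak primitives. On these two files the only mirror mismatch is on firewall1: left = 63.226.155.229, while its leftid, the peer's right, and the local address in firewall1's responder log are all 50.244.201.165. The thread never establishes whether that is what broke the tunnel (it came back after the Phase 1 settings were changed and the config regenerated), so treat the finding as the first thing to verify, not a diagnosis. The weak-algorithm list (MD5, DES/3DES, Blowfish, modp768/modp1024) is this script's own choice, not a strongSwan one; on these files it flags the 1024-bit DH group in both ike= and esp= and the MD5/3DES ESP proposals, and it would also flag the Blowfish cipher chosen in the last post. parse_ipsec_conf, weak_algorithms and check_site_to_site are the script's own names.

```python
from __future__ import annotations

import re

# The con1000 sections of the ipsec.conf files pfSense 2.2.4 generated on each
# firewall, copied from the thread and trimmed to the keys this check reads
# (constructed sample). firewall1 keeps its bypasslan conn so the parser has to
# keep the two conns apart.
FIREWALL1_CONF = """\
conn bypasslan
        leftsubnet = 192.168.0.0/24
        rightsubnet = 192.168.0.0/24
        authby = never

conn con1000
        keyexchange = ikev1
        left = 63.226.155.229
        right = 209.180.19.67
        leftid = 50.244.201.165
        rightid = 209.180.19.67
        ike = aes128-sha1-modp1024!
        esp = aes128-md5-modp1024,aes128-sha1-modp1024,3des-md5-modp1024,3des-sha1-modp1024!
        leftauth = psk
        rightauth = psk
        aggressive = yes
        leftsubnet = 192.168.0.0/24
        rightsubnet = 192.168.1.0/24
"""

FIREWALL2_CONF = """\
conn con1000
        keyexchange = ikev1
        left = 209.180.19.67
        right = 50.244.201.165
        leftid = 209.180.19.67
        rightid = 50.244.201.165
        ike = aes128-sha1-modp1024!
        esp = aes128-md5-modp1024,aes128-sha1-modp1024,3des-md5-modp1024,3des-sha1-modp1024!
        leftauth = psk
        rightauth = psk
        aggressive = yes
        leftsubnet = 192.168.1.0/24
        rightsubnet = 192.168.0.0/24
"""

# Keys that must mirror each other across the two sides (A.key == B.mirror).
MIRROR = [("left", "right"), ("right", "left"), ("leftid", "rightid"), ("rightid", "leftid"),
          ("leftsubnet", "rightsubnet"), ("rightsubnet", "leftsubnet"),
          ("leftauth", "rightauth"), ("rightauth", "leftauth")]
SAME = ["keyexchange", "aggressive", "ike", "esp"]  # must be identical on both sides
# Proposal tokens this script treats as weak (its own list, not a strongSwan one);
# a cipher name is matched with its key-size suffix stripped, so blowfish256 counts.
WEAK = {"md5", "des", "3des", "blowfish", "modp768", "modp1024"}
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def parse_ipsec_conf(text: str) -> dict[str, dict[str, str]]:
    """Minimal ipsec.conf reader: {'conn con1000': {'left': ..., ...}, ...}."""
    sections: dict[str, dict[str, str]] = {}
    current: dict[str, str] | None = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # unindented: 'conn NAME' or 'config setup' header
            current = sections.setdefault(line.strip(), {})
            continue
        key, _, value = line.strip().partition("=")
        if current is not None:
            current[key.strip()] = value.strip()
    return sections


def weak_algorithms(proposal: str) -> list[str]:
    """Weak tokens in an ike=/esp= list such as 'aes128-md5-modp1024,3des-sha1-modp1024!'."""
    tokens = {t for t in re.split(r"[-,]", proposal.rstrip("!")) if t}
    return sorted(t for t in tokens if t in WEAK or t.rstrip("0123456789") in WEAK)


def check_site_to_site(conf_a: str, conf_b: str, conn: str = "con1000") -> list[tuple[str, str]]:
    """Findings as (severity, message): MISMATCH, WARN or WEAK."""
    a = parse_ipsec_conf(conf_a)[f"conn {conn}"]
    b = parse_ipsec_conf(conf_b)[f"conn {conn}"]
    findings: list[tuple[str, str]] = []
    for ka, kb in MIRROR:
        if a.get(ka) != b.get(kb):
            findings.append(("MISMATCH", f"A.{ka}={a.get(ka)} but B.{kb}={b.get(kb)}"))
    for k in SAME:
        if a.get(k) != b.get(k):
            findings.append(("MISMATCH", f"{k}: A={a.get(k)} B={b.get(k)}"))
    for label, side in (("A", a), ("B", b)):
        left, leftid = side.get("left", ""), side.get("leftid", "")
        if IPV4.fullmatch(left) and IPV4.fullmatch(leftid) and left != leftid:
            # Local endpoint address and the identity presented to the peer disagree.
            findings.append(("WARN", f"{label}: left={left} differs from leftid={leftid}"))
        for k in ("ike", "esp"):
            if weak := weak_algorithms(side.get(k, "")):
                findings.append(("WEAK", f"{label}.{k}: {','.join(weak)}"))
    return findings


if __name__ == "__main__":
    for severity, message in check_site_to_site(FIREWALL1_CONF, FIREWALL2_CONF):
        print(f"{severity:8} {message}")
```

On pfSense 2.2.x the file to feed in is /var/etc/ipsec/ipsec.conf on each box (the thread found it under /var/etc); the pre-shared keys live in a separate secrets file and are not checked here.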
                      bittrekker:

                        To restate my original question, can someone please post what they're doing to get this working on 2.2.4. Looking at strongswan's ipsec.conf suggestions (https://www.strongswan.org/uml/testresults/ikev1/net2net-psk/), compared with the configuration populated by pfsense suggests to me that this isn't going to work at all.

                        bittrekker:

                          Disabled the service, tried to change the handshake for phase 1 to certificate, but couldn't get it to work. Changed it back to psk, changed encryption type to blowfish and DH to 5 from 2 (honestly, just because I was bored). Started the service back up, and it reconnected… holy crap, I hope I never have to come back to this forum again! Down with PFSENSE!

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.