IPsec connection LAN-to-LAN doesn't work - pls help



  • Hi!

    I try to connect my pfSense to a remote router (TP-Link TL-6120). The setup of the TP-Link is not very difficult - I use the following settings:

    SETUP Side-B
    
    Mode:                 LAN-to-LAN
    Local Subnet:         192.168.0.0/24
    Remote Subnet:        10.0.0.0/15
    Remote Gateway:       [myDynDns]
    
    IPsec Proposal 1: 
    . Security Protocol:  ESP
    . ESP Authentication: SHA1
    . ESP Encryption:     AES256
    
    PFS:                  NONE
    SA Lifetime:          28800
    
    IKE Policy:
    . Exchange Mode:      Main
    . Local ID Type:      IP Address
    . Local ID:           Local WAN IP
    . Remote ID Type:     IP Address
    . Remote ID:          Remote Gateway ID
    . Pre-shared Key:     secretkey
    . SA Lifetime:        28800
    . DPD:                Enable
    . DPD Interval:       15
    
    IKE Proposal:
    . Authentication:     SHA1
    . Encryption:         AES256
    . DH Group:           DH5
    

    Here are the settings of my pfSense (Side-A):

    SETUP Side-A
    
    Phase 1:
    
    . Key Exchange version:   V1
    . Internet Protocol:      IPv4
    . Interface:              WAN
    . Remote gateway:         [remoteDynDNS]
    
    . Authentication method:  Mutual PSK
    . Negotiation mode:       main
    . My identifier:          Dynamic DNS - [myDynDns]
    . Peer identifier:        Peer ID address
    . Pre-shared key:         secretkey
    
    . Encryption algorithm:   AES - 256 bits
    . Hash algorithm:         SHA1
    . DH key group:           5 (1536 bit)
    . Lifetime:               28800
    
    . NAT Traversal:          Auto
    . Dead Peer Detection:    checked - 15 seconds - 15 retries
    
    Phase 2:
    
    . Mode:                   Tunnel IPv4
    . Local Network:          Network - 10.0.0.0/15
    . Remote Network:         Network - 192.168.0.0/24
    
    . Protocol:               ESP
    . Encryption algorithm:   AES - auto
    . Hash algorithm:         SHA1
    . PFS key group:          off
    . Lifetime:               28800
    
    IPsec Setting:
    
    . Unique IDs:             YES
    . Unencrypted payloads:   checked
    

    After starting the IPsec service I get the following log entries:

    Sep 10 13:30:52 ipsec_starter[91603]:  
    Sep 10 13:30:52 ipsec_starter[91603]: 'con1000' routed 
    Sep 10 13:30:52 charon: 16[CFG] received stroke: route 'con1000' 
    Sep 10 13:30:52 charon: 12[CFG] added configuration 'con1000' 
    Sep 10 13:30:52 charon: 12[CFG] received stroke: add connection 'con1000' 
    Sep 10 13:30:52 ipsec_starter[91603]: charon (91639) started after 80 ms 
    Sep 10 13:30:52 charon: 00[JOB] spawning 16 worker threads 
    Sep 10 13:30:52 charon: 00[LIB] loaded plugins: charon unbound aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf xcbc cmac hmac curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke smp updown eap-identity eap-sim eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap whitelist addrblock unity 
    Sep 10 13:30:52 charon: 00[CFG] loaded 0 RADIUS server configurations 
    Sep 10 13:30:52 charon: 00[CFG] opening triplet file /var/etc/ipsec/ipsec.d/triplets.dat failed: No such file or directory 
    Sep 10 13:30:52 charon: 00[CFG] loaded IKE secret for %any REMOTEIP 
    Sep 10 13:30:52 charon: 00[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets' 
    Sep 10 13:30:52 charon: 00[CFG] loading crls from '/var/etc/ipsec/ipsec.d/crls' 
    Sep 10 13:30:52 charon: 00[CFG] loading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts' 
    Sep 10 13:30:52 charon: 00[CFG] loading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts' 
    Sep 10 13:30:52 charon: 00[CFG] loading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts' 
    Sep 10 13:30:52 charon: 00[CFG] loaded ca certificate "..." from '/var/etc/ipsec/ipsec.d/cacerts/df28683a.0.crt' 
    Sep 10 13:30:52 charon: 00[CFG] loaded ca certificate "..." from '/var/etc/ipsec/ipsec.d/cacerts/a9025906.0.crt' 
    Sep 10 13:30:52 charon: 00[CFG] loading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts' 
    Sep 10 13:30:52 charon: 00[CFG] ipseckey plugin is disabled 
    Sep 10 13:30:52 charon: 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed 
    Sep 10 13:30:52 charon: 00[KNL] unable to set UDP_ENCAP: Invalid argument 
    Sep 10 13:30:52 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.3.2, FreeBSD 10.1-RELEASE-p15, amd64) 
    Sep 10 13:30:52 ipsec_starter[91011]: no known IPsec stack detected, ignoring! 
    Sep 10 13:30:52 ipsec_starter[91011]: no KLIPS IPsec stack detected 
    Sep 10 13:30:52 ipsec_starter[91011]: no netkey IPsec stack detected 
    Sep 10 13:30:52 ipsec_starter[91011]: Starting strongSwan 5.3.2 IPsec [starter]... 
    

    I try to connect (Status: IPsec):

    Sep 10 13:32:37 charon: 10[NET] <con1000|1>sending packet: from MYIP[500] to REMOTEIP[500] (200 bytes) 
    Sep 10 13:32:37 charon: 10[IKE] <con1000|1>sending retransmit 3 of request message ID 0, seq 1 
    Sep 10 13:32:37 charon: 10[IKE] <con1000|1>sending retransmit 3 of request message ID 0, seq 1 
    Sep 10 13:32:24 charon: 10[NET] <con1000|1>sending packet: from MYIP[500] to REMOTEIP[500] (200 bytes) 
    Sep 10 13:32:24 charon: 10[IKE] <con1000|1>sending retransmit 2 of request message ID 0, seq 1 
    Sep 10 13:32:24 charon: 10[IKE] <con1000|1>sending retransmit 2 of request message ID 0, seq 1 
    Sep 10 13:32:17 charon: 10[NET] <con1000|1>sending packet: from MYIP[500] to REMOTEIP[500] (200 bytes) 
    Sep 10 13:32:17 charon: 10[IKE] <con1000|1>sending retransmit 1 of request message ID 0, seq 1 
    Sep 10 13:32:17 charon: 10[IKE] <con1000|1>sending retransmit 1 of request message ID 0, seq 1 
    Sep 10 13:32:13 charon: 10[NET] <con1000|1>sending packet: from MYIP[500] to REMOTEIP[500] (200 bytes) 
    Sep 10 13:32:13 charon: 10[ENC] <con1000|1>generating ID_PROT request 0 [ SA V V V V V V ] 
    Sep 10 13:32:13 charon: 10[IKE] <con1000|1>initiating Main Mode IKE_SA con1000[1] to REMOTEIP 
    Sep 10 13:32:13 charon: 10[IKE] <con1000|1>initiating Main Mode IKE_SA con1000[1] to REMOTEIP 
    Sep 10 13:32:13 charon: 16[CFG] received stroke: initiate 'con1000' 
    Sep 10 13:32:13 charon: 10[CFG] no IKE_SA named 'con1000' found 
    Sep 10 13:32:13 charon: 10[CFG] received stroke: terminate 'con1000'
    

    What's wrong? Please help!

    Best regards,
    Thomas
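
The two setups above, transcribed into a small consistency checker. This is an added example, not code from the thread, pfSense or TP-Link: the WAN addresses and DNS answers are constructed (RFC 5737 ranges), "AES - auto" on pfSense is modelled as offering every AES key length, and it is assumed that a Dynamic DNS identifier is resolved and sent as an IPv4 address ID. The second DNS view has a stale record for Side-A, to show what a wrong DynDNS entry looks like to the checker.

```python
"""Added example: compare two IKEv1 LAN-to-LAN endpoints for the mismatches
that stop Main Mode (Phase 1) or Quick Mode (Phase 2) from completing."""
import ipaddress

# Constructed DNS views. In DNS_STALE, Side-A's DynDNS record still points
# at an old address, so Side-B targets the wrong gateway and Side-A's
# identifier (resolved from its own hostname) no longer matches its WAN IP.
DNS_OK = {"myDynDns": "198.51.100.10", "remoteDynDNS": "203.0.113.5"}
DNS_STALE = {"myDynDns": "198.51.100.99", "remoteDynDNS": "203.0.113.5"}

SIDE_A = {  # pfSense, settings from the first post; WAN IP assumed
    "name": "Side-A (pfSense)",
    "wan_ip": "198.51.100.10",
    "remote_gateway": "remoteDynDNS",
    "my_id": ("dyn_dns", "myDynDns"),   # My identifier: Dynamic DNS
    "local_net": "10.0.0.0/15",
    "remote_net": "192.168.0.0/24",
    "p1": {"mode": "main", "enc": "aes256", "hash": "sha1", "dh": 5, "lifetime": 28800},
    # "AES - auto": any AES key length is acceptable (assumption)
    "p2": {"enc": {"aes128", "aes192", "aes256"}, "auth": {"sha1"}, "pfs": None, "lifetime": 28800},
}
SIDE_B = {  # TP-Link, settings from the first post; WAN IP assumed
    "name": "Side-B (TP-Link)",
    "wan_ip": "203.0.113.5",
    "remote_gateway": "myDynDns",
    "my_id": ("wan_ip", None),          # Local ID: Local WAN IP
    "local_net": "192.168.0.0/24",
    "remote_net": "10.0.0.0/15",
    "p1": {"mode": "main", "enc": "aes256", "hash": "sha1", "dh": 5, "lifetime": 28800},
    "p2": {"enc": {"aes256"}, "auth": {"sha1"}, "pfs": None, "lifetime": 28800},
}


def resolve(name, dns):
    """Look a hostname up in the constructed DNS view; literal IPs pass through."""
    return dns.get(name, name)


def presented_id(side, dns):
    """Address a side puts in its IKEv1 ID payload (assumption: a Dynamic DNS
    identifier is resolved and sent as an ID_IPV4_ADDR)."""
    kind, value = side["my_id"]
    return side["wan_ip"] if kind == "wan_ip" else resolve(value, dns)


def check_pair(a, b, dns):
    """Return a list of human-readable mismatches; empty means the two
    endpoints agree on proposals, selectors, gateway addresses and IDs."""
    problems = []
    # Phase 1: Main Mode with PSK needs an exact match on every attribute.
    for k in ("mode", "enc", "hash", "dh", "lifetime"):
        if a["p1"][k] != b["p1"][k]:
            problems.append(f"phase1 {k}: {a['p1'][k]} vs {b['p1'][k]}")
    # Phase 2: at least one ESP transform in common, PFS and lifetime equal.
    for k in ("enc", "auth"):
        if not a["p2"][k] & b["p2"][k]:
            problems.append(f"phase2 {k}: no transform in common")
    for k in ("pfs", "lifetime"):
        if a["p2"][k] != b["p2"][k]:
            problems.append(f"phase2 {k}: {a['p2'][k]} vs {b['p2'][k]}")
    # Per direction: traffic selectors must mirror, the peer must target the
    # real WAN address, and the presented ID must be what the peer expects.
    for me, peer in ((a, b), (b, a)):
        if ipaddress.ip_network(me["local_net"]) != ipaddress.ip_network(peer["remote_net"]):
            problems.append(f"{peer['name']} remote subnet {peer['remote_net']} != "
                            f"{me['name']} local {me['local_net']}")
        gw = resolve(peer["remote_gateway"], dns)
        if gw != me["wan_ip"]:
            problems.append(f"{peer['name']} reaches {me['name']} at {gw}, "
                            f"but its WAN is {me['wan_ip']}")
        sent = presented_id(me, dns)
        if sent != me["wan_ip"]:
            problems.append(f"{me['name']} presents ID {sent} but sends from {me['wan_ip']}")
        if sent != gw:
            problems.append(f"{peer['name']} expects ID {gw} from {me['name']}, got {sent}")
    return problems


if __name__ == "__main__":
    for label, dns in (("current DNS", DNS_OK), ("stale DynDNS", DNS_STALE)):
        print(label, check_pair(SIDE_A, SIDE_B, dns) or "OK")
```

Run as-is, the checker reports nothing for the transcribed settings with an up-to-date DNS view, and two findings with the stale record: Side-B targets the old address, and Side-A's resolved identifier no longer matches the address it sends from. Changing one attribute on either side (a different DH group, or 10.0.0.0/16 instead of /15 as Side-B's remote subnet) is reported the same way, which is the quickest way to rule a configuration mismatch in or out before reading the charon log.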



  • Your identifiers don't match. You have an IP on one side and a domain name on the other.



  • Thanks for your answer! There was a mistake in the DynDNS.

    Now, the connection is established, but I can't ping any client on the remote side.

    I get the following log entries:

    Sep 19 09:58:35 charon: 09[IKE] <con1000|64>INFORMATIONAL_V1 request with message ID 510091493 processing failed 
    Sep 19 09:58:35 charon: 09[IKE] <con1000|64>INFORMATIONAL_V1 request with message ID 510091493 processing failed 
    Sep 19 09:58:35 charon: 09[IKE] <con1000|64>ignore malformed INFORMATIONAL request 
    Sep 19 09:58:35 charon: 09[IKE] <con1000|64>ignore malformed INFORMATIONAL request 
    Sep 19 09:58:35 charon: 09[IKE] <con1000|64>message verification failed 
    Sep 19 09:58:35 charon: 09[IKE] <con1000|64>message verification failed 
    Sep 19 09:58:35 charon: 09[ENC] <con1000|64>ignoring unprotected INFORMATIONAL from <ip of the remote side>
    Sep 19 09:58:35 charon: 09[ENC] <con1000|64>parsed INFORMATIONAL_V1 request 510091493 [ N(NO_PROP) ]
    

    Thanking you in anticipation.

    Thomas



  • Still something mismatched there. NO_PROP seems to indicate an identifier mismatch. Try hard coding the current IP and using only IP identifiers, no dyndns anywhere, and see if that works. That'll at least narrow it down some.



  • Now, I have a stable IPsec tunnel, but I can't reach any client on the remote side. I get the following logs:

    Sep 20 21:18:08 charon: 15[IKE] <con1000|1>received (30) error notify 
    Sep 20 21:18:08 charon: 15[IKE] <con1000|1>received (30) error notify 
    Sep 20 21:18:08 charon: 15[IKE] <con1000|1>received (30) error notify 
    Sep 20 21:18:08 charon: 15[IKE] <con1000|1>received (30) error notify 
    Sep 20 21:18:08 charon: 15[ENC] <con1000|1>parsed INFORMATIONAL_V1 request 3846293289 [ HASH N((30)) ] 
    Sep 20 21:18:08 charon: 15[NET] <con1000|1>received packet: from 81.217.23.223[500] to 193.81.148.115[500] (76 bytes) 
    Sep 20 21:18:08 charon: 15[NET] <con1000|1>sending packet: from 193.81.148.115[500] to 81.217.23.223[500] (172 bytes) 
    Sep 20 21:18:08 charon: 15[IKE] <con1000|1>sending retransmit 1 of response message ID 3559683763, seq 5 
    Sep 20 21:18:08 charon: 15[IKE] <con1000|1>sending retransmit 1 of response message ID 3559683763, seq 5 
    Sep 20 21:18:04 charon: 08[NET] <con1000|1>sending packet: from 193.81.148.115[500] to 81.217.23.223[500] (172 bytes) 
    Sep 20 21:18:04 charon: 08[ENC] <con1000|1>generating QUICK_MODE response 3559683763 [ HASH SA No ID ID ] 
    Sep 20 21:18:04 charon: 08[IKE] <con1000|1>received 28800s lifetime, configured 0s 
    Sep 20 21:18:04 charon: 08[IKE] <con1000|1>received 28800s lifetime, configured 0s 
    Sep 20 21:18:04 charon: 08[ENC] <con1000|1>parsed QUICK_MODE request 3559683763 [ HASH SA No ID ID ] 
    Sep 20 21:18:04 charon: 08[NET] <con1000|1>received packet: from 81.217.23.223[500] to 193.81.148.115[500] (204 bytes) 
    Sep 20 21:17:59 charon: 15[IKE] <con1000|1>received (30) error notify 
    Sep 20 21:17:59 charon: 15[IKE] <con1000|1>received (30) error notify 
    Sep 20 21:17:59 charon: 15[IKE] <con1000|1>received (30) error notify 
    Sep 20 21:17:59 charon: 15[IKE] <con1000|1>received (30) error notify 
    Sep 20 21:17:59 charon: 15[ENC] <con1000|1>parsed INFORMATIONAL_V1 request 3122718413 [ HASH N((30)) ] 
    Sep 20 21:17:59 charon: 15[NET] <con1000|1>received packet: from 81.217.23.223[500] to 193.81.148.115[500] (76 bytes) 
    Sep 20 21:17:59 charon: 15[NET] <con1000|1>sending packet: from 193.81.148.115[500] to 81.217.23.223[500] (172 bytes) 
    Sep 20 21:17:59 charon: 15[IKE] <con1000|1>sending retransmit 1 of response message ID 3922146324, seq 4 
    Sep 20 21:17:59 charon: 15[IKE] <con1000|1>sending retransmit 1 of response message ID 3922146324, seq 4 
    Sep 20 21:17:54 charon: 15[NET] <con1000|1>sending packet: from 193.81.148.115[500] to 81.217.23.223[500] (172 bytes) 
    Sep 20 21:17:54 charon: 15[ENC] <con1000|1>generating QUICK_MODE response 3922146324 [ HASH SA No ID ID ] 
    Sep 20 21:17:54 charon: 15[IKE] <con1000|1>received 28800s lifetime, configured 0s 
    Sep 20 21:17:54 charon: 15[IKE] <con1000|1>received 28800s lifetime, configured 0s 
    Sep 20 21:17:54 charon: 15[ENC] <con1000|1>parsed QUICK_MODE request 3922146324 [ HASH SA No ID ID ] 
    Sep 20 21:17:54 charon: 15[NET] <con1000|1>received packet: from 81.217.23.223[500] to 193.81.148.115[500] (204 bytes) 
    Sep 20 21:17:54 charon: 15[NET] <con1000|1>sending packet: from 193.81.148.115[500] to 81.217.23.223[500] (76 bytes) 
    Sep 20 21:17:54 charon: 15[ENC] <con1000|1>generating ID_PROT response 0 [ ID HASH ] 
    Sep 20 21:17:54 charon: 15[IKE] <con1000|1>IKE_SA con1000[1] established between 193.81.148.115[193.81.148.115]...81.217.23.223[81.217.23.223] 
    Sep 20 21:17:54 charon: 15[IKE] <con1000|1>IKE_SA con1000[1] established between 193.81.148.115[193.81.148.115]...81.217.23.223[81.217.23.223]
    

    Thanks!

    Thomas
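
The three charon excerpts in this thread show three different failure stages, and each can be told apart mechanically. Below is an added example of that triage, not code from the thread, pfSense or strongSwan. The sample log is constructed after the thread's excerpts (same message texts, RFC 5737 addresses in place of the real ones, one IKE_SA per stage). The notify-type names come from the ISAKMP table in RFC 2408 section 3.14.1; charon prints type 30 by number only, exactly as in the last post, and this table gives it its name, UNEQUAL-PAYLOAD-LENGTHS.

```python
"""Added example: classify strongSwan (charon) IKEv1 log lines per IKE_SA
into 'no answer', 'rejected before Phase 1', or 'Phase 2 not acknowledged'."""
import re
from collections import defaultdict

# ISAKMP notify message types (RFC 2408 section 3.14.1) that charon may
# print by number only, as "received (30) error notify" in the thread.
ISAKMP_NOTIFY = {
    14: "NO_PROPOSAL_CHOSEN",
    16: "PAYLOAD_MALFORMED",
    18: "INVALID_ID_INFORMATION",
    24: "AUTHENTICATION_FAILED",
    30: "UNEQUAL_PAYLOAD_LENGTHS",
}

LINE_RE = re.compile(
    r"charon: \d+\[(?P<sub>[A-Z]+)\] <(?P<conn>[^|>]+)\|(?P<sa>\d+)>\s*(?P<msg>.*)")
NOTIFY_RE = re.compile(r"received \((\d+)\) error notify")

# Constructed sample, modelled on the thread's three excerpts.
SAMPLE = """\
Sep 10 13:32:13 charon: 10[IKE] <con1000|1>initiating Main Mode IKE_SA con1000[1] to 203.0.113.5
Sep 10 13:32:13 charon: 10[NET] <con1000|1>sending packet: from 198.51.100.10[500] to 203.0.113.5[500] (200 bytes)
Sep 10 13:32:17 charon: 10[IKE] <con1000|1>sending retransmit 1 of request message ID 0, seq 1
Sep 10 13:32:17 charon: 10[IKE] <con1000|1>sending retransmit 1 of request message ID 0, seq 1
Sep 10 13:32:24 charon: 10[IKE] <con1000|1>sending retransmit 2 of request message ID 0, seq 1
Sep 19 09:58:35 charon: 09[ENC] <con1000|64>parsed INFORMATIONAL_V1 request 510091493 [ N(NO_PROP) ]
Sep 19 09:58:35 charon: 09[ENC] <con1000|64>ignoring unprotected INFORMATIONAL from 203.0.113.5
Sep 19 09:58:35 charon: 09[IKE] <con1000|64>message verification failed
Sep 19 09:58:35 charon: 09[IKE] <con1000|64>ignore malformed INFORMATIONAL request
Sep 20 21:17:54 charon: 15[IKE] <con1000|2>IKE_SA con1000[2] established between 198.51.100.10[198.51.100.10]...203.0.113.5[203.0.113.5]
Sep 20 21:17:54 charon: 15[ENC] <con1000|2>parsed QUICK_MODE request 3922146324 [ HASH SA No ID ID ]
Sep 20 21:17:54 charon: 15[IKE] <con1000|2>received 28800s lifetime, configured 0s
Sep 20 21:17:54 charon: 15[ENC] <con1000|2>generating QUICK_MODE response 3922146324 [ HASH SA No ID ID ]
Sep 20 21:17:59 charon: 15[IKE] <con1000|2>sending retransmit 1 of response message ID 3922146324, seq 4
Sep 20 21:17:59 charon: 15[ENC] <con1000|2>parsed INFORMATIONAL_V1 request 3122718413 [ HASH N((30)) ]
Sep 20 21:17:59 charon: 15[IKE] <con1000|2>received (30) error notify
"""


def group_by_sa(text):
    """Map (connection name, IKE_SA number) -> list of (subsystem, message)."""
    per_sa = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            per_sa[(m["conn"], int(m["sa"]))].append((m["sub"], m["msg"]))
    return per_sa


def diagnose(msgs):
    """Return (verdict, [notify names]) for one IKE_SA.

    Deliberately order-insensitive: the pfSense GUI lists newest lines first
    and most IKE lines appear twice, so presence of messages is what counts."""
    text = "\n".join(msg for _, msg in msgs)
    notifies = [ISAKMP_NOTIFY.get(int(n), f"notify {n}") for n in NOTIFY_RE.findall(text)]
    phase1_up = "IKE_SA" in text and " established between " in text
    if not phase1_up:
        if "N(NO_PROP)" in text or "ignoring unprotected INFORMATIONAL" in text:
            # NO_PROPOSAL_CHOSEN arrives unprotected because no IKE_SA exists yet:
            # the peer rejected the Phase 1 proposal or the identities.
            return "peer rejected Phase 1: check P1 proposal and identifiers", notifies
        if ("sending retransmit" in text and "request message ID 0" in text
                and "received packet" not in text):
            return "no answer on UDP 500: wrong gateway address, filtered, or no IKE listener", notifies
        return "Phase 1 not established; no recognised cause", notifies
    if "parsed QUICK_MODE request" in text and "of response message" in text:
        # We answered Quick Mode message 1 but message 3 never came back.
        return "Phase 1 up, but peer never acknowledged our Quick Mode response: check P2", notifies
    if notifies:
        return "Phase 1 up; peer sent error notify", notifies
    return "Phase 1 up; no error seen", notifies


if __name__ == "__main__":
    for key, msgs in sorted(group_by_sa(SAMPLE).items()):
        print(key, *diagnose(msgs))
```

Grouping by `<connection|SA number>` matters: the poster's excerpts mix several IKE_SAs of the same `con1000` over different days, and a verdict is only meaningful per SA. The "received 28800s lifetime, configured 0s" lines are informational and are ignored by the classifier.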