*SOLVED* pfSense to Openswan 2.6 IPSec
Hello All,

-----
#Edit
Strictly by trial and error I got this resolved.
- On the Openswan config I had the following line in it
auth=ah (also tried auth=esp)
1a) After removing this line altogether -> the default of blank, which is ESP, the following lines disappeared from the logs on both IPSec servers, and the site-to-site IPSec is stable.
It almost appears that one of the two endpoints finally gave up staying connected on account of this misconfig on my part, I guess?
I updated pfSense from 2.1.4-RELEASE(amd64) to pfSense-2.2.4-RELEASE(amd64) a few days ago and had quite a time getting the IPSec site-to-site to connect; I ended up having to add about 3 more lines on the Openswan-2.6 remote end (Debian) server to get traffic passing as it is supposed to.
Everything appeared OK... but:
After about 6-8 hours the connection stops functioning. NO pings to the remote end in either direction. A simple fix is to ping from the pfSense (which shows green in STATUS > IPSec connections) to the Openswan remote end; immediately traffic is passing again. Here is a paste of the Openswan log:
initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK to replace #3448 {using isakmp#2666 msgid:7c3a1f14 proposal=AES(12)_256-SHA1(2)_160 pfsgroup=no-pfs}
Oct 6 14:22:53 server1 pluto[15125]: "ipsecconn" #3447: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Oct 6 14:22:53 server1 pluto[15125]: "ipsecconn" #3447: starting keying attempt 1191 of an unlimited number
Oct 6 14:22:53 server1 pluto[15125]: "ipsecconn" #3451: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK to replace #3447 {using isakmp#2666 msgid:972ba4f0 proposal=AES(12)_256-SHA1(2)_160 pfsgroup=no-pfs}
Oct 6 14:22:53 server1 pluto[15125]: "ipsecconn" #3446: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Oct 6 14:22:53 server1 pluto[15125]: "ipsecconn" #3446: starting keying attempt 1451 of an unlimited number
Oct 6 14:22:53 server1 pluto[15125]: "ipsecconn" #3452: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK to replace #3446 {using isakmp#2666 msgid:3e4e74b3 proposal=AES(12)_256-SHA1(2)_160 pfsgroup=no-pfs}
Oct 6 14:22:53 server1 pluto[15125]: "ipsecconn" #2666: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
Oct 6 14:22:53 server1 pluto[15125]: "ipsecconn" #2666: received and ignored informational message
Oct 6 14:22:53 server1 pluto[15125]: "ipsecconn" #2666: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
Oct 6 14:22:53 server1 pluto[15125]: "ipsecconn" #2666: received and ignored informational message
Oct 6 14:22:53 server1 pluto[15125]: "ipsecconn" #2666: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
Oct 6 14:22:53 server1 pluto[15125]: "ipsecconn" #2666: received and ignored informational message
Oct 6 14:23:03 server1 pluto[15125]: "ipsecconn" #2666: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
Oct 6 14:23:03 server1 pluto[15125]: "ipsecconn" #2666: received and ignored informational message
Oct 6 14:23:03 server1 pluto[15125]: "ipsecconn" #2666: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
Oct 6 14:23:03 server1 pluto[15125]: "ipsecconn" #2666: received and ignored informational message
Oct 6 14:23:11 server1 pluto[15125]: "ipsecconn" #2666: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
Also, even after traffic is passing, the following is appearing on the Openswan server:
Oct 6 14:35:32 server1 pluto[15125]: "ipsecconn" #2666: received and ignored informational message
Oct 6 14:35:44 server1 pluto[15125]: "ipsecconn" #3493: max number of retransmissions (2) reached STATE_QUICK_I1
Oct 6 14:35:44 server1 pluto[15125]: "ipsecconn" #3493: starting keying attempt 1462 of an unlimited number
Oct 6 14:35:44 server1 pluto[15125]: "ipsecconn" #3495: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK to replace #3493 {using isakmp#2666 msgid:29932a88 proposal=AES(12)_256-SHA1(2)_160 pfsgroup=no-pfs}
Oct 6 14:35:44 server1 pluto[15125]: "ipsecconn" #3492: max number of retransmissions (2) reached STATE_QUICK_I1
Oct 6 14:35:44 server1 pluto[15125]: "ipsecconn" #3492: starting keying attempt 1202 of an unlimited number
Oct 6 14:35:44 server1 pluto[15125]: "ipsecconn" #3496: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK to replace #3492 {using isakmp#2666 msgid:0c0a6702 proposal=AES(12)_256-SHA1(2)_160 pfsgroup=no-pfs}
Oct 6 14:35:44 server1 pluto[15125]: "ipsecconn" #3491: max number of retransmissions (2) reached STATE_QUICK_I1
Oct 6 14:35:44 server1 pluto[15125]: "ipsecconn" #3491: starting keying attempt 791 of an unlimited number
Oct 6 14:35:44 server1 pluto[15125]: "ipsecconn" #3497: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK to replace #3491 {using isakmp#2666 msgid:ef41c9d6 proposal=AES(12)_256-SHA1(2)_160 pfsgroup=no-pfs}
Oct 6 14:35:44 server1 pluto[15125]: "ipsecconn" #2666: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
Oct 6 14:35:44 server1 pluto[15125]: "ipsecconn" #2666: received and ignored informational message
Oct 6 14:35:44 server1 pluto[15125]: "ipsecconn" #2666: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
Oct 6 14:35:44 server1 pluto[15125]: "ipsecconn" #2666: received and ignored informational message
Oct 6 14:35:44 server1 pluto[15125]: "ipsecconn" #2666: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
Oct 6 14:35:44 server1 pluto[15125]: "ipsecconn" #2666: received and ignored informational message
Before updating pfSense I never had any trouble with the connection (about 2 years running), but something tells me I need to add more lines to the Openswan conn config file.
Anyone have any ideas what these logs are saying?
Thank You,
Barry
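The pattern in the log above (the same isakmp SA #2666 reused while every Quick Mode attempt times out and the peer answers with INVALID_ID_INFORMATION) is the phase-2 signature that the auth=ah removal fixed. The following is an added example, not from the post or from Openswan, that pulls those indicators out of a pluto log so the failure can be spotted before it has been retrying for a thousand attempts; the sample log is constructed and modelled on the lines quoted above.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the pluto lines quoted in the post above.
SAMPLE_LOG = """\
Oct 6 14:22:53 server1 pluto[15125]: "ipsecconn" #3447: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Oct 6 14:22:53 server1 pluto[15125]: "ipsecconn" #3447: starting keying attempt 1191 of an unlimited number
Oct 6 14:22:53 server1 pluto[15125]: "ipsecconn" #3451: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK to replace #3447 {using isakmp#2666 msgid:972ba4f0 proposal=AES(12)_256-SHA1(2)_160 pfsgroup=no-pfs}
Oct 6 14:22:53 server1 pluto[15125]: "ipsecconn" #2666: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
Oct 6 14:22:53 server1 pluto[15125]: "ipsecconn" #2666: received and ignored informational message
Oct 6 14:35:44 server1 pluto[15125]: "ipsecconn" #3493: max number of retransmissions (2) reached STATE_QUICK_I1
Oct 6 14:35:44 server1 pluto[15125]: "ipsecconn" #3493: starting keying attempt 1462 of an unlimited number
Oct 6 14:35:44 server1 pluto[15125]: "ipsecconn" #2666: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
"""

LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')  # "<conn>" #<state>: <message>

def analyze_pluto_log(text):
    """Per connection: Quick Mode timeouts, INVALID_ID_INFORMATION notifies sent by the
    peer, the highest keying-attempt counter seen and the transforms pluto kept offering."""
    summary = defaultdict(lambda: {"quick_mode_timeouts": 0, "invalid_id_info": 0,
                                   "max_keying_attempt": 0, "proposals": set()})
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        entry, msg = summary[m.group("conn")], m.group("msg")
        if "max number of retransmissions" in msg and "STATE_QUICK_I1" in msg:
            entry["quick_mode_timeouts"] += 1          # phase-2 proposal never accepted
        elif "INVALID_ID_INFORMATION" in msg:
            entry["invalid_id_info"] += 1              # peer rejected our IDs/proposal
        elif msg.startswith("starting keying attempt"):
            entry["max_keying_attempt"] = max(entry["max_keying_attempt"], int(msg.split()[3]))
        elif msg.startswith("initiating Quick Mode"):
            p = re.search(r"proposal=(\S+)", msg)
            if p:
                entry["proposals"].add(p.group(1))
    return dict(summary)

def diagnose(entry):
    """Phase 1 is up (pluto keeps reusing the same isakmp SA), so repeated Quick Mode
    timeouts plus INVALID_ID_INFORMATION point at a phase-2 mismatch: protocol (AH vs
    ESP, as in the post), transform set, or the tunnel's local/remote subnet IDs."""
    if entry["quick_mode_timeouts"] and entry["invalid_id_info"]:
        return "phase2-proposal-or-id-mismatch"
    if entry["quick_mode_timeouts"]:
        return "phase2-no-response"
    return "ok"
```

Run it against /var/log/auth.log (or wherever pluto logs on the box) and compare the offered proposal with what the pfSense phase 2 entry actually accepts; a growing max_keying_attempt with no accepted SA is the tunnel silently failing between those manual pings.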