Netgate Discussion Forum
    [Solved] IPSec Site to Site Issue - pfSense to TL-R600VPN (category: IPsec)

    jabadm

      Solved!

      I've changed the IP address into a domain name and it works!

      Hi @all,

      I have a problem with an IPSec site-to-site VPN between pfSense 2.2.3 and a TL-R600VPN (behind a Fritzbox).
      It doesn't work.

      The situation:
      We have a site office in which we would like to implement a site-to-site VPN. The problem here is that we use the infrastructure of our client.

      pfSense ----------I-Net----------Fritzbox-------TL-R600VPN

      Ports 500 and 4500 are forwarded to the WAN Interface (TL-R600VPN)

      Config pfSense
      Phase 1
      Key Exchange version: V1
      Internet Protocol: IPv4
      Interface: WAN
      Remote Gateway: IP site office

      Authentication method: Mutual PSK
      Negotiation mode: Main
      My identifier: My IP Address
      Peer identifier: Peer IP Address
      Pre-Shared Key: secret

      Encryption algorithm: AES 256 bits
      Hash algorithm: SHA1
      DH key group: 2 (1024 bit)
      Lifetime: 28800
      Disable Rekey: unchecked
      Responder Only: checked
      NAT Traversal: Auto
      Dead Peer Detection: checked, 10 sec and 5 retries

      Phase 2
      Protocol: ESP
      Encryption algorithms: AES
      Hash algorithms: SHA1
      PFS key group: 2
      Lifetime: 3600

      Config TL-R600VPN

      Exchange Mode: Main
      Authentication algorithm: SHA1
      Encryption algorithm: AES256
      DH Group: DH2
      SA Lifetime: 28800
      DPD: Enable
      DPD Interval: 10 seconds

      Local Subnet: network behind TL-R600
      Remote Subnet: network in main office
      Remote Gateway: WAN IP pfSense
      Exchange Mode: IKE
      Security Protocol: ESP
      Authentication algorithm: SHA1
      Encryption algorithm: AES256
      PFS Group: DH2
      Lifetime: 28800
      Status: Enable

      Log pfSense:
      charon: 15[NET] <177> sending packet: from 80.x.x.x[4500] to 188.x.x.x[4500] (92 bytes)
      charon: 15[ENC] <177> generating INFORMATIONAL_V1 request 1237439593 [ HASH N(AUTH_FAILED) ]
      charon: 15[IKE] <177> found 1 matching config, but none allows pre-shared key authentication using Main Mode
      charon: 15[CFG] <177> looking for pre-shared key peer configs matching 80.x.x.x…188.x.x.x[192.168.178.23]
      charon: 15[ENC] <177> parsed ID_PROT request 0 [ ID HASH ]
      charon: 15[NET] <177> received packet: from 188.x.x.x[4500] to 80.x.x.x[4500] (76 bytes)
      charon: 15[NET] <177> sending packet: from 80.x.x.x[500] to 188.x.x.x[500] (244 bytes)
      charon: 15[ENC] <177> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
      charon: 15[IKE] <177> remote host is behind NAT
      charon: 15[ENC] <177> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
      charon: 15[NET] <177> received packet: from 188.x.x.x[500] to 80.x.x.x[500] (228 bytes)
      charon: 15[NET] <177> sending packet: from 80.x.x.x[500] to 188.x.x.x[500] (156 bytes)
      charon: 15[ENC] <177> generating ID_PROT response 0 [ SA V V V V ]
      charon: 15[IKE] <177> 188.x.x.x is initiating a Main Mode IKE_SA
      charon: 15[IKE] <177> received DPD vendor ID
      charon: 15[IKE] <177> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
      charon: 15[IKE] <177> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      charon: 15[IKE] <177> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
      charon: 15[IKE] <177> received NAT-T (RFC 3947) vendor ID
      charon: 15[ENC] <177> parsed ID_PROT request 0 [ SA V V V V V ]

      Can somebody help me?

      With kind regards
      from Germany

      corradolab

        Pretty hard to figure out without config and logs from the TL-R600 also.

        Anyhow, it seems you have an authentication failure.
        You could have misspelled the password on one side, or have the TP-Link configured to use certificates instead of PSK.

        Also, you have the peer identifier set to "Peer IP address" on pfSense.
        This is not going to work because the TP-Link is behind NAT.
        You can set it to the private IP address used by the TP-Link.

        Hope it helps,
          Corrado

        jabadm

          I had a mismatch in the pre-shared key,

          but after I corrected it

          I have another problem:

          invalid ID_V1 payload length, decryption failed?

          charon: 07[IKE] <421> ID_PROT request with message ID 0 processing failed
          charon: 07[NET] <421> sending packet: from 80.x.x.x[500] to 188.x.x.x[500] (76 bytes)
          charon: 07[ENC] <421> generating INFORMATIONAL_V1 request 1694776300 [ HASH N(PLD_MAL) ]
          charon: 07[IKE] <421> message parsing failed
          charon: 07[ENC] <421> could not decrypt payloads
          charon: 07[ENC] <421> invalid ID_V1 payload length, decryption failed?
          charon: 07[NET] <421> received packet: from 188.x.x.x[4500] to 80.x.x.x[4500] (76 bytes)
          charon: 07[IKE] <421> ID_PROT request with message ID 0 processing failed
          charon: 07[NET] <421> sending packet: from 80.x.x.x[500] to 188.x.x.x[500] (76 bytes)
          charon: 07[ENC] <421> generating INFORMATIONAL_V1 request 1305596103 [ HASH N(PLD_MAL) ]
          charon: 07[IKE] <421> message parsing failed
          charon: 07[ENC] <421> could not decrypt payloads
          charon: 07[ENC] <421> invalid ID_V1 payload length, decryption failed?
          charon: 07[NET] <421> received packet: from 188.x.x.x[4500] to 80.x.x.x[4500] (76 bytes)
          charon: 07[IKE] <421> ID_PROT request with message ID 0 processing failed
          charon: 07[NET] <421> sending packet: from 80.x.x.x[500] to 188.x.x.x[500] (76 bytes)
          charon: 07[ENC] <421> generating INFORMATIONAL_V1 request 1062404574 [ HASH N(PLD_MAL) ]
          charon: 07[IKE] <421> message parsing failed
          charon: 07[ENC] <421> could not decrypt payloads
          charon: 07[ENC] <421> invalid ID_V1 payload length, decryption failed?
          charon: 07[NET] <421> received packet: from 188.x.x.x[4500] to 80.x.x.x[4500] (76 bytes)
          charon: 09[IKE] <421> ID_PROT request with message ID 0 processing failed
          charon: 09[NET] <421> sending packet: from 80.x.x.x[500] to 188.x.x.x[500] (76 bytes)
          charon: 09[ENC] <421> generating INFORMATIONAL_V1 request 250669060 [ HASH N(PLD_MAL) ]
          charon: 09[IKE] <421> message parsing failed
          charon: 09[ENC] <421> could not decrypt payloads
          charon: 09[ENC] <421> invalid ID_V1 payload length, decryption failed?
          charon: 09[NET] <421> received packet: from 188.x.x.x[4500] to 80.x.x.x[4500] (76 bytes)
          charon: 09[NET] <421> sending packet: from 80.x.x.x[500] to 188.x.x.x[500] (244 bytes)
          charon: 09[ENC] <421> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
          charon: 09[IKE] <421> remote host is behind NAT
          charon: 09[ENC] <421> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
          charon: 09[NET] <421> received packet: from 188.x.x.x[500] to 80.x.x.x[500] (228 bytes)
          charon: 09[NET] <421> sending packet: from 80.x.x.x[500] to 188.x.x.x[500] (156 bytes)
          charon: 09[ENC] <421> generating ID_PROT response 0 [ SA V V V V ]
          charon: 09[IKE] <421> sending NAT-T (RFC 3947) vendor ID
          charon: 09[IKE] <421> sending Cisco Unity vendor ID
          charon: 09[IKE] <421> sending DPD vendor ID
          charon: 09[IKE] <421> sending XAuth vendor ID
          charon: 09[CFG] <421> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
          charon: 09[CFG] <421> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/HMAC_MD5_96/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP, IKE:AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/E
          charon: 09[CFG] <421> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
          charon: 09[CFG] <421> proposal matches
          charon: 09[CFG] <421> selecting proposal:
          charon: 09[CFG] <421> no acceptable ENCRYPTION_ALGORITHM found
          charon: 09[CFG] <421> selecting proposal:
          charon: 09[CFG] <421> no acceptable ENCRYPTION_ALGORITHM found
          charon: 09[CFG] <421> selecting proposal:
          charon: 09[IKE] <421> IKE_SA (unnamed)[421] state change: CREATED => CONNECTING
          charon: 09[IKE] <421> 188.x.x.x is initiating a Main Mode IKE_SA
          charon: 09[IKE] <421> received DPD vendor ID
          charon: 09[IKE] <421> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
          charon: 09[IKE] <421> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
          charon: 09[IKE] <421> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
          charon: 09[IKE] <421> received NAT-T (RFC 3947) vendor ID
          charon: 09[CFG] <421> found matching ike config: %any…%any with prio 24
          charon: 09[CFG] <421> candidate: %any…%any, prio 24
          charon: 09[CFG] <421> looking for an ike config for 80.x.x.x…188.x.x.x
          charon: 09[ENC] <421> parsed ID_PROT request 0 [ SA V V V V V ]
          charon: 09[NET] <421> received packet: from 188.x.x.x[500] to 80.x.x.x[500] (184 bytes)

          Thanks for the reply

          jabadm

            Now I've modified the identifiers:
            My identifier: WAN IP pfSense 80.x.x.1
            Peer identifier: WAN IP TL-R600VPN 172.16.0.193

            08[IKE] <80> message parsing failed
            08[ENC] <80> could not decrypt payloads
            08[ENC] <80> invalid ID_V1 payload length, decryption failed?
            08[NET] <80> received packet: from 80.x.x.2[500] to 80.x.x.1[500] (68 bytes)
            08[NET] <80> sending packet: from 80.x.x.1[500] to 80.x.x.2[500] (196 bytes)

            The Pre-Shared Key is the same on both.
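The two failure signatures in this thread (AUTH_FAILED right after charon looks up the peer's identity, then PLD_MAL / "invalid ID_V1 payload length" once the key was corrected) can be pulled out of the pfSense IPsec log automatically. The helper below is an added example, not code from the thread or from pfSense; the sample lines are constructed from the excerpts above, and the fault labels and the private-address check on the received identity are my own reading of the log.

```python
import ipaddress
import re
# Constructed sample modelled on the charon lines quoted in this thread (public
# addresses masked as in the posts); the bracketed value after the address pair
# is the identity the remote sent in its ID payload.
SAMPLE_LOG = """\
charon: 15[IKE] <177> remote host is behind NAT
charon: 15[CFG] <177> looking for pre-shared key peer configs matching 80.x.x.x...188.x.x.x[192.168.178.23]
charon: 15[IKE] <177> found 1 matching config, but none allows pre-shared key authentication using Main Mode
charon: 15[ENC] <177> generating INFORMATIONAL_V1 request 1237439593 [ HASH N(AUTH_FAILED) ]
charon: 09[CFG] <421> no acceptable ENCRYPTION_ALGORITHM found
charon: 09[CFG] <421> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
charon: 07[ENC] <421> invalid ID_V1 payload length, decryption failed?
charon: 07[ENC] <421> generating INFORMATIONAL_V1 request 1694776300 [ HASH N(PLD_MAL) ]
"""
# The PSK lookup line; accepts "..." and the forum's "\u2026" between the addresses.
PSK_LOOKUP = re.compile(
    r"pre-shared key peer configs matching \S+?(?:\.\.\.|\u2026)\S+?\[([^\]]+)\]")
# Signatures from the thread, keyed by the configuration fault they point to:
# id_mismatch  = AUTH_FAILED, the Peer identifier on pfSense differs from the ID
#                the remote really sent (a private address when it sits behind NAT);
# psk_mismatch = PLD_MAL, the encrypted ID payload will not decrypt, which in
#                Main Mode almost always means the pre-shared keys differ.
SIGNATURES = [
    ("id_mismatch", ("none allows pre-shared key authentication", "N(AUTH_FAILED)")),
    ("psk_mismatch", ("invalid ID_V1 payload length", "N(PLD_MAL)")),
]

def peer_identity(line):
    """Return the identity the remote presented in its ID payload, or None."""
    m = PSK_LOOKUP.search(line)
    return m.group(1) if m else None

def triage(log_text):
    """Reduce a charon log excerpt to the findings an admin can act on."""
    r = {"behind_nat": False, "peer_id": None, "peer_id_is_private": False,
         "proposal_ok": False, "problems": []}
    for line in log_text.splitlines():
        if "remote host is behind NAT" in line:
            r["behind_nat"] = True
        if "selected proposal:" in line:  # crypto negotiated fine; earlier "no
            r["proposal_ok"] = True       # acceptable ..." lines were skipped candidates
        pid = peer_identity(line)
        if pid:
            r["peer_id"] = pid
        for tag, needles in SIGNATURES:
            if any(n in line for n in needles) and tag not in r["problems"]:
                r["problems"].append(tag)
    if r["peer_id"]:
        try:  # a private address as peer ID is the classic sign of a NATed peer
            r["peer_id_is_private"] = ipaddress.ip_address(r["peer_id"]).is_private
        except ValueError:  # FQDN / user-FQDN identifiers are not addresses
            pass
    return r
```

On the thread's first log the result names 192.168.178.23 as the identity the TP-Link actually sent, which is why "Peer IP address" on pfSense could not match; the later PLD_MAL lines are reported separately as a key mismatch.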

            jabadm

              So here is the config of both routers

              ![IPSec config.jpg](/public/imported_attachments/1/IPSec config.jpg)
              ![IPSec config2.jpg](/public/imported_attachments/1/IPSec config2.jpg)
              ![IPSec config3.jpg](/public/imported_attachments/1/IPSec config3.jpg)

              julianbros

                Sorry for this post.

                @Thread creator: how did you solve the problem? I'm running into exactly the same problem!

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.