Solved IPSec Site to Site Issue – PFsense to TL-R600VPN



  • Solved!

    I've changed the IP address to a domain name and it works!

    Hi @ all

    I've a problem with an IPSec Site to Site VPN between PFsense 2.2.3 and a TL-R600VPN (behind a Fritzbox).
    It doesn't work.

    The Situation:
    We've a site office in which we'd like to implement a site to site VPN. The problem here is that we use the infrastructure of our client.

    Pfsense –----------I-Net----------Fritzbox-------TL-R600VPN

    Ports 500 and 4500 are forwarded to the WAN Interface (TL-R600VPN)

    Config PF Sense
    Phase 1
    Key Exchange version V1
    Internet Protocol: IPv4
    Interface: WAN
    Remote Gateway: IP-Site office

    Authentication method: Mutual PSK
    Negotiation mode: Main
    My identifier: My IP Address
    Peer identifier: Peer IP Address
    Pre-Shared Key: secret

    Encryption algorithm: AES 256 Bits
    Hash algorithm: SHA1
    DH key Group: 2 (1024bit)
    Lifetime: 28800
    Disable Rekey: Unchecked
    Responder Only: Checked
    NAT Traversal: Auto
    Dead Peer Detection: checked 10 Sec and 5 retries

    Phase 2
    Protocol: ESP
    Encryption algorithms: AES
    Hash algorithms: SHA1
    PFS Key Group: 2
    Lifetime: 3600

    Config TL-R600VPN

    Exchange Mode: Main
    Authentication algorithm: SHA1
    Encryption algorithm: AES256
    DH Group: DH2
    SA Lifetime: 28800
    DPD: Enable
    DPD: Interval:10 seconds

    Local Subnet: Network behind TL-R600
    Remote Subnet: network in main office
    Remote Gateway: WAN IP PFsense
    Exchange Mode: IKE
    Security Protocol: ESP
    Authentication algorithm: SHA1
    Encryption algorithm: AES256
    PFS Group: DH2
    Lifetime: 28800
    Status Enable

    Log PFSense:
    charon: 15[NET] <177> sending packet: from 80.x.x.x[4500] to 188.x.x.x[4500] (92 bytes)
    charon: 15[ENC] <177> generating INFORMATIONAL_V1 request 1237439593 [ HASH N(AUTH_FAILED) ]
    charon: 15[IKE] <177> found 1 matching config, but none allows pre-shared key authentication using Main Mode
    charon: 15[IKE] <177> found 1 matching config, but none allows pre-shared key authentication using Main Mode
    charon: 15[CFG] <177> looking for pre-shared key peer configs matching 80.x.x.x…188.x.x.x[192.168.178.23]
    charon: 15[ENC] <177> parsed ID_PROT request 0 [ ID HASH ]
    charon: 15[NET] <177> received packet: from 188.x.x.x[4500] to 80.x.x.x[4500] (76 bytes)
    charon: 15[NET] <177> sending packet: from 80.x.x.x[500] to 188.x.x.x[500] (244 bytes)
    charon: 15[ENC] <177> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
    charon: 15[IKE] <177> remote host is behind NAT
    charon: 15[IKE] <177> remote host is behind NAT
    charon: 15[ENC] <177> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
    charon: 15[NET] <177> received packet: from 188.x.x.x[500] to 80.x.x.x[500] (228 bytes)
    charon: 15[NET] <177> sending packet: from 80.x.x.x[500] to 188.x.x.x[500] (156 bytes)
    charon: 15[ENC] <177> generating ID_PROT response 0 [ SA V V V V ]
    charon: 15[IKE] <177> 188.x.x.x is initiating a Main Mode IKE_SA
    charon: 15[IKE] <177> 188.x.x.x is initiating a Main Mode IKE_SA
    charon: 15[IKE] <177> received DPD vendor ID
    charon: 15[IKE] <177> received DPD vendor ID
    charon: 15[IKE] <177> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
    charon: 15[IKE] <177> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
    charon: 15[IKE] <177> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    charon: 15[IKE] <177> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    charon: 15[IKE] <177> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    charon: 15[IKE] <177> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    charon: 15[IKE] <177> received NAT-T (RFC 3947) vendor ID
    charon: 15[IKE] <177> received NAT-T (RFC 3947) vendor ID
    charon: 15[ENC] <177> parsed ID_PROT request 0 [ SA V V V V V ]

    Can somebody help me?

    with kind regards
    from Germany



  • Pretty hard to figure out without config and logs from the TL-R600 also.

    Anyhow, seems you have an authentication failure.
    You could have misspelled the password on one side, or have the TP-Link configured to use certificates instead of PSK.

    Also you have the peer identifier set to "peer ip address" on pfSense.
    This is not going to work because the TP-Link is behind NAT.
    You can set it to the private ip address used by the TP-Link.

    Hope it helps,
      Corrado



  • I've had a mismatch at the Pre-Shared Key,

    but after I've corrected it

    I've another problem:

    invalid ID_V1 payload length, decryption failed?

    charon: 07[IKE] <421> ID_PROT request with message ID 0 processing failed
    charon: 07[IKE] <421> ID_PROT request with message ID 0 processing failed
    charon: 07[NET] <421> sending packet: from 80.x.x.x[500] to 188.x.x.x[500] (76 bytes)
    charon: 07[NET] <421> sending packet: from 80.x.x.x[500] to 188.x.x.x[500] (76 bytes)
    charon: 07[ENC] <421> generating INFORMATIONAL_V1 request 1694776300 [ HASH N(PLD_MAL) ]
    charon: 07[ENC] <421> generating INFORMATIONAL_V1 request 1694776300 [ HASH N(PLD_MAL) ]
    charon: 07[IKE] <421> message parsing failed
    charon: 07[IKE] <421> message parsing failed
    charon: 07[ENC] <421> could not decrypt payloads
    charon: 07[ENC] <421> could not decrypt payloads
    charon: 07[ENC] <421> invalid ID_V1 payload length, decryption failed?
    charon: 07[ENC] <421> invalid ID_V1 payload length, decryption failed?
    charon: 07[NET] <421> received packet: from 188.x.x.x[4500] to 80.x.x.x[4500] (76 bytes)
    charon: 07[NET] <421> received packet: from 188.x.x.x[4500] to 80.x.x.x[4500] (76 bytes)
      charon: 07[IKE] <421> ID_PROT request with message ID 0 processing failed
      charon: 07[IKE] <421> ID_PROT request with message ID 0 processing failed
      charon: 07[NET] <421> sending packet: from 80.x.x.x[500] to 188.x.x.x[500] (76 bytes)
      charon: 07[NET] <421> sending packet: from 80.x.x.x[500] to 188.x.x.x[500] (76 bytes)
      charon: 07[ENC] <421> generating INFORMATIONAL_V1 request 1305596103 [ HASH N(PLD_MAL) ]
      charon: 07[ENC] <421> generating INFORMATIONAL_V1 request 1305596103 [ HASH N(PLD_MAL) ]
      charon: 07[IKE] <421> message parsing failed
      charon: 07[IKE] <421> message parsing failed
      charon: 07[ENC] <421> could not decrypt payloads
      charon: 07[ENC] <421> could not decrypt payloads
      charon: 07[ENC] <421> invalid ID_V1 payload length, decryption failed?
      charon: 07[ENC] <421> invalid ID_V1 payload length, decryption failed?
      charon: 07[NET] <421> received packet: from 188.x.x.x[4500] to 80.x.x.x[4500] (76 bytes)
      charon: 07[NET] <421> received packet: from 188.x.x.x[4500] to 80.x.x.x[4500] (76 bytes)
      charon: 07[IKE] <421> ID_PROT request with message ID 0 processing failed
      charon: 07[IKE] <421> ID_PROT request with message ID 0 processing failed
      charon: 07[NET] <421> sending packet: from 80.x.x.x[500] to 188.x.x.x[500] (76 bytes)
      charon: 07[NET] <421> sending packet: from 80.x.x.x[500] to 188.x.x.x[500] (76 bytes)
      charon: 07[ENC] <421> generating INFORMATIONAL_V1 request 1062404574 [ HASH N(PLD_MAL) ]
      charon: 07[ENC] <421> generating INFORMATIONAL_V1 request 1062404574 [ HASH N(PLD_MAL) ]
      charon: 07[IKE] <421> message parsing failed
      charon: 07[IKE] <421> message parsing failed
      charon: 07[ENC] <421> could not decrypt payloads
      charon: 07[ENC] <421> could not decrypt payloads
      charon: 07[ENC] <421> invalid ID_V1 payload length, decryption failed?
      charon: 07[ENC] <421> invalid ID_V1 payload length, decryption failed?
      charon: 07[NET] <421> received packet: from 188.x.x.x[4500] to 80.x.x.x[4500] (76 bytes)
      charon: 07[NET] <421> received packet: from 188.x.x.x[4500] to 80.x.x.x[4500] (76 bytes)
      charon: 09[IKE] <421> ID_PROT request with message ID 0 processing failed
      charon: 09[IKE] <421> ID_PROT request with message ID 0 processing failed
      charon: 09[NET] <421> sending packet: from 80.x.x.x[500] to 188.x.x.x[500] (76 bytes)
      charon: 09[NET] <421> sending packet: from 80.x.x.x[500] to 188.x.x.x[500] (76 bytes)
      charon: 09[ENC] <421> generating INFORMATIONAL_V1 request 250669060 [ HASH N(PLD_MAL) ]
      charon: 09[ENC] <421> generating INFORMATIONAL_V1 request 250669060 [ HASH N(PLD_MAL) ]
      charon: 09[IKE] <421> message parsing failed
      charon: 09[IKE] <421> message parsing failed
      charon: 09[ENC] <421> could not decrypt payloads
      charon: 09[ENC] <421> could not decrypt payloads
      charon: 09[ENC] <421> invalid ID_V1 payload length, decryption failed?
      charon: 09[ENC] <421> invalid ID_V1 payload length, decryption failed?
      charon: 09[NET] <421> received packet: from 188.x.x.x[4500] to 80.x.x.x[4500] (76 bytes)
      charon: 09[NET] <421> received packet: from 188.x.x.x[4500] to 80.x.x.x[4500] (76 bytes)
      charon: 09[NET] <421> sending packet: from 80.x.x.x[500] to 188.x.x.x[500] (244 bytes)
      charon: 09[NET] <421> sending packet: from 80.x.x.x[500] to 188.x.x.x[500] (244 bytes)
      charon: 09[ENC] <421> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
      charon: 09[ENC] <421> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
      charon: 09[IKE] <421> remote host is behind NAT
      charon: 09[IKE] <421> remote host is behind NAT
      charon: 09[ENC] <421> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
      charon: 09[ENC] <421> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
      charon: 09[NET] <421> received packet: from 188.x.x.x[500] to 80.x.x.x[500] (228 bytes)
      charon: 09[NET] <421> received packet: from 188.x.x.x[500] to 80.x.x.x[500] (228 bytes)
      charon: 09[NET] <421> sending packet: from 80.x.x.x[500] to 188.x.x.x[500] (156 bytes)
      charon: 09[NET] <421> sending packet: from 80.x.x.x[500] to 188.x.x.x[500] (156 bytes)
      charon: 09[ENC] <421> generating ID_PROT response 0 [ SA V V V V ]
      charon: 09[ENC] <421> generating ID_PROT response 0 [ SA V V V V ]
      charon: 09[IKE] <421> sending NAT-T (RFC 3947) vendor ID
      charon: 09[IKE] <421> sending NAT-T (RFC 3947) vendor ID
      charon: 09[IKE] <421> sending Cisco Unity vendor ID
      charon: 09[IKE] <421> sending Cisco Unity vendor ID
      charon: 09[IKE] <421> sending DPD vendor ID
      charon: 09[IKE] <421> sending DPD vendor ID
      charon: 09[IKE] <421> sending XAuth vendor ID
      charon: 09[IKE] <421> sending XAuth vendor ID
      charon: 09[CFG] <421> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      charon: 09[CFG] <421> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      charon: 09[CFG] <421> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/HMAC_MD5_96/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP, IKE:AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/E
      charon: 09[CFG] <421> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/HMAC_MD5_96/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP, IKE:AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/E
      charon: 09[CFG] <421> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      charon: 09[CFG] <421> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      charon: 09[CFG] <421> proposal matches
      charon: 09[CFG] <421> proposal matches
      charon: 09[CFG] <421> selecting proposal:
      charon: 09[CFG] <421> selecting proposal:
      charon: 09[CFG] <421> no acceptable ENCRYPTION_ALGORITHM found
      charon: 09[CFG] <421> no acceptable ENCRYPTION_ALGORITHM found
      charon: 09[CFG] <421> selecting proposal:
      charon: 09[CFG] <421> selecting proposal:
      charon: 09[CFG] <421> no acceptable ENCRYPTION_ALGORITHM found
      charon: 09[CFG] <421> no acceptable ENCRYPTION_ALGORITHM found
      charon: 09[CFG] <421> selecting proposal:
      charon: 09[CFG] <421> selecting proposal:
      charon: 09[IKE] <421> IKE_SA (unnamed)[421] state change: CREATED => CONNECTING
      charon: 09[IKE] <421> IKE_SA (unnamed)[421] state change: CREATED => CONNECTING
      charon: 09[IKE] <421> 188.x.x.x is initiating a Main Mode IKE_SA
      charon: 09[IKE] <421> 188.x.x.x is initiating a Main Mode IKE_SA
      charon: 09[IKE] <421> received DPD vendor ID
      charon: 09[IKE] <421> received DPD vendor ID
      charon: 09[IKE] <421> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
      charon: 09[IKE] <421> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
      charon: 09[IKE] <421> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      charon: 09[IKE] <421> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      charon: 09[IKE] <421> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
      charon: 09[IKE] <421> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
      charon: 09[IKE] <421> received NAT-T (RFC 3947) vendor ID
      charon: 09[IKE] <421> received NAT-T (RFC 3947) vendor ID
      charon: 09[CFG] <421> found matching ike config: %any…%any with prio 24
      charon: 09[CFG] <421> found matching ike config: %any…%any with prio 24
      charon: 09[CFG] <421> candidate: %any…%any, prio 24
      charon: 09[CFG] <421> candidate: %any…%any, prio 24
      charon: 09[CFG] <421> looking for an ike config for 80.x.x.x…188.x.x.x
      charon: 09[CFG] <421> looking for an ike config for 80.x.x.x…188.x.x.x
      charon: 09[ENC] <421> parsed ID_PROT request 0 [ SA V V V V V ]
      charon: 09[ENC] <421> parsed ID_PROT request 0 [ SA V V V V V ]
      charon: 09[NET] <421> received packet: from 188.x.x.x[500] to 80.x.x.x[500] (184 bytes)

    Thanks for the reply
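    An added triage helper (my own code, not from this thread, pfSense or strongSwan) that reads the charon line patterns from the two logs above: it pulls the identity the peer sends in brackets, flags "none allows pre-shared key authentication" as an identifier mismatch and "invalid ID_V1 payload length, decryption failed?" as a likely PSK mismatch, and reports a proposal problem only when no proposal was accepted for that IKE_SA. The message-to-cause mapping is a heuristic, and the sample lines are constructed with anonymised addresses.

```python
import re
from collections import defaultdict

# Constructed sample: charon lines in the patterns quoted in this thread
# (addresses anonymised; SA <99> is an invented case with no agreed proposal).
SAMPLE_LOG = """\
charon: 15[ENC] <177> generating INFORMATIONAL_V1 request 1237439593 [ HASH N(AUTH_FAILED) ]
charon: 15[IKE] <177> found 1 matching config, but none allows pre-shared key authentication using Main Mode
charon: 15[CFG] <177> looking for pre-shared key peer configs matching 80.0.0.1...188.0.0.1[192.168.178.23]
charon: 15[IKE] <177> remote host is behind NAT
charon: 07[ENC] <421> generating INFORMATIONAL_V1 request 1694776300 [ HASH N(PLD_MAL) ]
charon: 07[ENC] <421> invalid ID_V1 payload length, decryption failed?
charon: 09[CFG] <421> no acceptable ENCRYPTION_ALGORITHM found
charon: 09[CFG] <421> proposal matches
charon: 05[CFG] <99> no acceptable ENCRYPTION_ALGORITHM found
"""

SA_RE = re.compile(r"<(\d+)>")
PEER_ID_RE = re.compile(r"peer configs matching \S+?(?:\.\.\.|\u2026)\S+?\[([^\]]+)\]")
# Heuristic mapping of charon messages to likely causes (IKEv1 main mode, PSK).
SIGNALS = [
    (r"found \d+ matching config, but none allows pre-shared key",
     "identifier mismatch: peer's ID differs from the configured Peer identifier"),
    (r"invalid ID_V1 payload length, decryption failed\?",
     "PSK mismatch: ID payload did not decrypt with the derived keys"),
    (r"N\(AUTH_FAILED\)", "AUTH_FAILED notify sent to the peer"),
    (r"remote host is behind NAT", "peer is behind NAT: set Peer identifier explicitly"),
]

def triage(log_text):
    """Group charon lines by IKE_SA id <N>; return {sa: {"peer_id", "findings", ...}}."""
    sas = defaultdict(lambda: {"peer_id": None, "findings": [], "rejects": 0, "agreed": False})
    for line in log_text.splitlines():
        m = SA_RE.search(line)
        if not m:
            continue
        sa = sas[int(m.group(1))]
        if (pid := PEER_ID_RE.search(line)):
            sa["peer_id"] = pid.group(1)  # identity the peer presented in the ID payload
        for pattern, cause in SIGNALS:
            if re.search(pattern, line) and cause not in sa["findings"]:
                sa["findings"].append(cause)
        sa["rejects"] += "no acceptable ENCRYPTION_ALGORITHM" in line
        sa["agreed"] |= bool(re.search(r"proposal matches|selected proposal:", line))
    for sa in sas.values():
        # Rejected proposals only matter if none was accepted for this SA.
        if sa["rejects"] and not sa["agreed"]:
            sa["findings"].append("no common Phase 1 proposal: align cipher/hash/DH group")
    return dict(sas)
```

    Run `triage()` over the IPsec log as pasted from the pfSense GUI; the bracketed identity it reports for the NAT'd peer is the value to use as the Peer identifier when it is not the public address.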



  • Now I've modified the identifier:
    My identifier: WAN IP PFsense 80.x.x.1
    Peer identifier: WAN IP TL-R600R 172.16.0.193

    08[IKE] <80> message parsing failed
    08[IKE] <80> message parsing failed
    08[ENC] <80> could not decrypt payloads
    08[ENC] <80> invalid ID_V1 payload length, decryption failed?
    08[NET] <80> received packet: from 80.x.x.2[500] to 80.x.x.1[500] (68 bytes)
    08[NET] <80> sending packet: from 80.x.x.1[500] to 80.x.x.2[500] (196 bytes)

    The Pre-Shared Key is the same on both sides.



  • So here is the config of both routers

    ![IPSec config.jpg](/public/imported_attachments/1/IPSec config.jpg)
    ![IPSec config2.jpg](/public/imported_attachments/1/IPSec config2.jpg)
    ![IPSec config3.jpg](/public/imported_attachments/1/IPSec config3.jpg)



  • Sorry for this post.

    @Thread creator: how did you solve the problem? I'm running into exactly the same problem!

