IPSec between version 2.1.2 and version 2.2.5



  • Hi All,

    We have a ipsec tunnel configured between two sites. The first is running version 2.1.2 and we just upgraded the second site to 2.2.5 (from 2.1.5).

    So now the layout is :

    site 1 (pfsense 2.1.2) <-> site 2 (pfsense 2.2.5)

    Before the upgrade of site 2. The ipsec tunnel between them was working fine. However as soon as we upgraded, the tunnel did not establish again.

    The errors ipsec log was returning is:

    
    "ERROR: unsupported ID type 7"
    "racoon: ERROR: too short payload length (broken message?)"
    

    My first question is that can ipsec tunnel between 2.1.2 work i.e. as they are very different versions.

    And secondly, what do the errors above mean? After the upgrade, everything else worked fine, even mobile clients could connect in, just the tunnel between the two sites could not be established.

    If you need any more info please let me know. Thanks in advance.

    EDIT:

    Here is the log snippet from the other side. i.e. site 2 (pfsense 2.2.5):

    
    Dec  4 07:53:44 fire01 charon: 16[NET] <con2000|48>received packet: from 87.117.243.10[4500] to 195.188.254.61[4500] (164 bytes)
    Dec  4 07:53:44 fire01 charon: 16[ENC] <con2000|48>invalid HASH_V1 payload length, decryption failed?
    Dec  4 07:53:44 fire01 charon: 16[ENC] <con2000|48>could not decrypt payloads
    Dec  4 07:53:44 fire01 charon: 16[IKE] <con2000|48>message parsing failed
    Dec  4 07:53:44 fire01 charon: 16[ENC] <con2000|48>generating INFORMATIONAL_V1 request 165141809 [ HASH N(PLD_MAL) ]
    Dec  4 07:53:44 fire01 charon: 16[NET] <con2000|48>sending packet: from 195.188.254.61[4500] to 87.117.243.10[4500] (68 bytes)
    Dec  4 07:53:44 fire01 charon: 16[IKE] <con2000|48>QUICK_MODE request with message ID 2656606028 processing failed</con2000|48></con2000|48></con2000|48></con2000|48></con2000|48></con2000|48></con2000|48> 
    

    According to the Ip sec troubleshooting page. This means the the keys were wrong. However the keys were definitely right as we checked.



  • How is the negotiation mode ? between are the same ? have you tried to recreate the same ?



  • rramonsg,

    Both sites are on main mode setting.



  • Please try to recreate the tunnel, i think that it should be resolving it.
    I had the same once and recreated the tunnel resolved my problem, i don't know what's happening with this version 2.2.5 but i had some problems that i haven't old version



  • What identifier type(s) are you using on the P1? Guessing IP, using "My IP"/"Remote IP", and at least one of your ends is behind NAT it appears given it's using NAT-T. Probably your identifiers never matched but racoon didn't care. In which case, fix the IPs in the P1 so they actually do match.
    https://doc.pfsense.org/index.php/UpgradeGuide#Stricter_Phase_1_Identifier_Validation

    @rramonsg:

    Please try to recreate the tunnel, i think that it should be resolving it.
    I had the same once and recreated the tunnel resolved my problem, i don't know what's happening with this version 2.2.5 but i had some problems that i haven't old version

    There's nothing worse in 2.2.5 than any previous version. Recreating the tunnel isn't going to help anything. Probably the delete that sent across applied the new config in your case, could have just flushed the SA for the same end result.



  • FIXED:

    Thanks for the replies.

    I can confirm that the reason was due to the fact that our key had a space character at the end.

    This page is very helpful: https://doc.pfsense.org/index.php/IPsec_Troubleshooting


Log in to reply