Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    IPSec between version 2.1.2 and version 2.2.5

    Scheduled Pinned Locked Moved IPsec
    6 Posts 3 Posters 1.9k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • W
      waqark3389
      last edited by

      Hi All,

      We have a ipsec tunnel configured between two sites. The first is running version 2.1.2 and we just upgraded the second site to 2.2.5 (from 2.1.5).

      So now the layout is :

      site 1 (pfsense 2.1.2) <-> site 2 (pfsense 2.2.5)

      Before the upgrade of site 2. The ipsec tunnel between them was working fine. However as soon as we upgraded, the tunnel did not establish again.

      The errors ipsec log was returning is:

      
      "ERROR: unsupported ID type 7"
      "racoon: ERROR: too short payload length (broken message?)"
      

      My first question is that can ipsec tunnel between 2.1.2 work i.e. as they are very different versions.

      And secondly, what do the errors above mean? After the upgrade, everything else worked fine, even mobile clients could connect in, just the tunnel between the two sites could not be established.

      If you need any more info please let me know. Thanks in advance.

      EDIT:

      Here is the log snippet from the other side. i.e. site 2 (pfsense 2.2.5):

      
      Dec  4 07:53:44 fire01 charon: 16[NET] <con2000|48>received packet: from 87.117.243.10[4500] to 195.188.254.61[4500] (164 bytes)
      Dec  4 07:53:44 fire01 charon: 16[ENC] <con2000|48>invalid HASH_V1 payload length, decryption failed?
      Dec  4 07:53:44 fire01 charon: 16[ENC] <con2000|48>could not decrypt payloads
      Dec  4 07:53:44 fire01 charon: 16[IKE] <con2000|48>message parsing failed
      Dec  4 07:53:44 fire01 charon: 16[ENC] <con2000|48>generating INFORMATIONAL_V1 request 165141809 [ HASH N(PLD_MAL) ]
      Dec  4 07:53:44 fire01 charon: 16[NET] <con2000|48>sending packet: from 195.188.254.61[4500] to 87.117.243.10[4500] (68 bytes)
      Dec  4 07:53:44 fire01 charon: 16[IKE] <con2000|48>QUICK_MODE request with message ID 2656606028 processing failed</con2000|48></con2000|48></con2000|48></con2000|48></con2000|48></con2000|48></con2000|48> 
      

      According to the Ip sec troubleshooting page. This means the the keys were wrong. However the keys were definitely right as we checked.

      1 Reply Last reply Reply Quote 0
      • R
        rramonsg
        last edited by

        How is the negotiation mode ? between are the same ? have you tried to recreate the same ?

        1 Reply Last reply Reply Quote 0
        • W
          waqark3389
          last edited by

          rramonsg,

          Both sites are on main mode setting.

          1 Reply Last reply Reply Quote 0
          • R
            rramonsg
            last edited by

            Please try to recreate the tunnel, i think that it should be resolving it.
            I had the same once and recreated the tunnel resolved my problem, i don't know what's happening with this version 2.2.5 but i had some problems that i haven't old version

            1 Reply Last reply Reply Quote 0
            • C
              cmb
              last edited by

              What identifier type(s) are you using on the P1? Guessing IP, using "My IP"/"Remote IP", and at least one of your ends is behind NAT it appears given it's using NAT-T. Probably your identifiers never matched but racoon didn't care. In which case, fix the IPs in the P1 so they actually do match.
              https://doc.pfsense.org/index.php/UpgradeGuide#Stricter_Phase_1_Identifier_Validation

              @rramonsg:

              Please try to recreate the tunnel, i think that it should be resolving it.
              I had the same once and recreated the tunnel resolved my problem, i don't know what's happening with this version 2.2.5 but i had some problems that i haven't old version

              There's nothing worse in 2.2.5 than any previous version. Recreating the tunnel isn't going to help anything. Probably the delete that sent across applied the new config in your case, could have just flushed the SA for the same end result.

              1 Reply Last reply Reply Quote 0
              • W
                waqark3389
                last edited by

                FIXED:

                Thanks for the replies.

                I can confirm that the reason was due to the fact that our key had a space character at the end.

                This page is very helpful: https://doc.pfsense.org/index.php/IPsec_Troubleshooting

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.