Help with IPSEC not connecting

Dinmiller · Dec 5, 2015, 5:12 AM

I am new to this, I have basically had to take a crash course of tons of reading to build this from scratch. I had a new client call me up and really needed me to come try to get this running for him. I have everything up and running except for some reason I can't get the VPN tunnel to connect and I am at a loss. 1 side is running 2.0.3-RELEASE
and the other is up to date with 2.2.5-RELEASE (amd64). I will post the logs from one side, they are attempting to talk to each other but it is failing somewhere, and well I am sure a lot of you know how it can be entering a train wreck.

Also He has a phone switch that has to travel through the VPN to the other side, is there some way I need to force the connection through this VPN to the other side? I have no way of testing the phone switch because the netgear switch on the other side is fried and we are running sunday to replace it. I will be taking out IPs for obvious reasons.

Dec 4 22:53:59 racoon: []:ERROR: notification NO-PROPOSAL-CHOSEN received in unencrypted informational exchange.
Dec 4 22:53:59 racoon: INFO: begin Aggressive mode.
Dec 4 22:53:59 racoon: []: INFO: initiate new phase 1 negotiation:
Dec 4 22:53:59 racoon: []: INFO: IPsec-SA request for queued due to no phase1 found.
Dec 4 22:53:59 racoon: INFO: delete phase 2 handler.
Dec 4 22:53:59 racoon: []: ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP
Dec 4 22:53:34 racoon: ERROR: phase1 negotiation failed due to time up. 368007a05be3be28:0000000000000000
Dec 4 22:53:28 racoon: []: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Dec 4 22:53:24 racoon: []: ERROR: notification NO-PROPOSAL-CHOSEN received in unencrypted informational exchange.
Dec 4 22:53:15 racoon: INFO: delete phase 2 handler.
Dec 4 22:53:15 racoon: []: ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP
Dec 4 22:53:14 racoon: []: ERROR: notification NO-PROPOSAL-CHOSEN received in unencrypted informational exchange.
Dec 4 22:53:04 racoon: []: ERROR: notification NO-PROPOSAL-CHOSEN received in unencrypted informational exchange.
Dec 4 22:52:54 racoon: []: ERROR: notification NO-PROPOSAL-CHOSEN received in unencrypted informational exchange.
Dec 4 22:52:44 racoon: []: ERROR: notification NO-PROPOSAL-CHOSEN received in unencrypted informational exchange.
Dec 4 22:52:44 racoon: INFO: begin Aggressive mode.
Dec 4 22:52:44 racoon: []: INFO: initiate new phase 1 negotiation:
Dec 4 22:52:44 racoon: []: INFO: IPsec-SA request for queued due to no phase1 found.
Dec 4 22:52:38 racoon: INFO: delete phase 2 handler.
Dec 4 22:52:38 racoon: []: ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP
Dec 4 22:52:13 racoon: ERROR: phase1 negotiation failed due to time up. 7e3c16028ee9ac85:0000000000000000
Dec 4 22:52:07 racoon: []:INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Dec 4 22:52:03 racoon: []: ERROR: notification NO-PROPOSAL-CHOSEN received in unencrypted informational exchange.
Dec 4 22:51:54 racoon: INFO: delete phase 2 handler.
Dec 4 22:51:54 racoon: []: ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP
Dec 4 22:51:53 racoon: []: ERROR: notification NO-PROPOSAL-CHOSEN received in unencrypted informational exchange.
Dec 4 22:51:43 racoon: []: ERROR: notification NO-PROPOSAL-CHOSEN received in unencrypted informational exchange.
Dec 4 22:51:33 racoon: []: ERROR: notification NO-PROPOSAL-CHOSEN received in unencrypted informational exchange.
Dec 4 22:51:23 racoon: []: ERROR: notification NO-PROPOSAL-CHOSEN received in unencrypted informational exchange.
Dec 4 22:51:23 racoon: INFO: begin Aggressive mode.
Dec 4 22:51:23 racoon: []: INFO: initiate new phase 1 negotiation:
Dec 4 22:51:23 racoon: []: INFO: IPsec-SA request for queued due to no phase1 found.
Dec 4 22:51:14 racoon: INFO: delete phase 2 handler.

I have a feeling its something very simple, but I have had little sleep between having an 11 month old and then staying up all night working on everything thats happened. Thank you all in advance.

cmb · Dec 5, 2015, 5:25 AM

You have a phase 1 mismatch of some sort, no way to tell what from that. Just make sure things match up on both sides.

Dinmiller · Dec 5, 2015, 5:30 AM

It's hard to tell what it could be because there are some different settings on the newer that aren’t there on the older version. I may just have to create a new machine up at the main office with an up to date pfsense and build it out.

Dinmiller · Dec 5, 2015, 6:00 AM

picture 1 and 2 are the old pfsense and 3 4 5 are of the new one. any tips at this point would be appreciated

cmb · Dec 5, 2015, 6:15 AM

The ones that matter in the context of no proposal chosen are identical between them. Interface, remote gateway, identifiers. Make them main mode, you don't want aggressive. AES would be better than 3DES (faster and more secure) though that won't matter since they match.

There should be no reason you can't upgrade the 2.0x side, that's extremely dated at this point.

Dinmiller · Dec 5, 2015, 6:28 AM

Well i changed what you suggested, and double checked the other settings, in the logs im still getting spam of delete phase 2, So I am still at a loss lol,

Dinmiller · Dec 5, 2015, 6:37 AM

Is it possible all i need to do is delete and recreate the tunnel on the old one, i never re created it i just assumed it would work with the new one considering the ip and everything stayed the same.

cmb · Dec 5, 2015, 9:48 AM

The part above the "delete phase 2 handler" is what matters (that just indicates a P1 mismatch), is that still no proposal chosen?

Updating it after an IP change is fine, no need to re-create it.

Dinmiller · Dec 5, 2015, 2:25 PM

Dec 5 08:20:09 racoon: ERROR: phase1 negotiation failed due to time up. 586c519806462d76:0000000000000000
Dec 5 08:20:01 racoon: []: [66.xx.xxx.xxx] INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Dec 5 08:19:59 racoon: []: [66.xx.xxx.xxx] ERROR: notification NO-PROPOSAL-CHOSEN received in unencrypted informational exchange.
Dec 5 08:19:50 racoon: INFO: delete phase 2 handler.
Dec 5 08:19:50 racoon: []: [66.xx.xxx.xxx] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 66.xx.xxx.xxx[0]->208.xxx.xxx.xxx[0]
Dec 5 08:19:49 racoon: []: [66.xx.xxx.xxx] ERROR: notification NO-PROPOSAL-CHOSEN received in unencrypted informational exchange.

Thats what im still getting

Dinmiller · Dec 5, 2015, 2:42 PM

charon: 07[IKE] <2371> no IKE config found for 66.xx.xxx.xxx…208.xxx.xxx.xxx, sending NO_PROPOSAL_CHOSEN

I am getting that on the other firewall

Netizen1 · Dec 5, 2015, 5:35 PM

I just did this last week, but I was on the same version of pfsense at both sites. (2.2.5 RELEASE)

Why can't you upgrade your 2.0.3 side?
Did you double check your settings, making sure you're entering the proper IP's in 'Remote Gateway'? On gw1 enter the remote IP of gw2 and vice versa…
Set 'Key Exchange version' to Auto
Set 'Negotiation mode' to Main mode as cmb suggested

Is there an Auto setting for 'NAT Traversal' in the old version? In 2.2.5 there's only Auto or Force

Double check your 'Pre-Shared Key' in both firewalls, they have to match!

Dinmiller · Dec 5, 2015, 5:45 PM

Yeah I've double checked all of that, the client doesn't want to upgrade yet because he is afraid of it causing issues. But i think that may be the only choice