OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: rtpch on May 26, 2017, 02:57:17 pm

Title: IPsec fails after migration to OPNsense from pfSense
Post by: rtpch on May 26, 2017, 02:57:17 pm
Hi all

We used pfSense 2.4 formerly and had an IPsec site-to-site connection to a Fortinet firewall, which was working properly.

We now switched to OPNsense but are not able to establish the same VPN as before. The only difference in the configuration is a change of the DH key group as OPNsense does not support DH group 19. So we switched to DH group 18.

We have the following configuration:
Code:
  <ipsec>
    <phase1>
      <ikeid>1</ikeid>
      <iketype>ikev1</iketype>
      <interface>wan</interface>
      <mode>main</mode>
      <protocol>inet</protocol>
      <myid_type>myaddress</myid_type>
      <peerid_type>peeraddress</peerid_type>
      <encryption-algorithm>
        <name>aes</name>
        <keylen>256</keylen>
      </encryption-algorithm>
      <hash-algorithm>sha256</hash-algorithm>
      <dhgroup>18</dhgroup>
      <lifetime>86400</lifetime>
      <pre-shared-key>XXX</pre-shared-key>
      <authentication_method>pre_shared_key</authentication_method>
      <descr>VPN-Tunnel to Remote</descr>
      <nat_traversal>on</nat_traversal>
      <private-key/>
      <remote-gateway>REMOTE_GATEWAY</remote-gateway>
      <dpd_delay>10</dpd_delay>
      <dpd_maxfail>5</dpd_maxfail>
    </phase1>
    <phase2>
      <ikeid>1</ikeid>
      <uniqid>5920b017a7c2b</uniqid>
      <mode>tunnel</mode>
      <pfsgroup>18</pfsgroup>
      <lifetime>3600</lifetime>
      <pinghost>REMOTE_IP</pinghost>
      <descr>remote host</descr>
      <protocol>esp</protocol>
      <natlocalid>
        <type>address</type>
        <address>WAN_IP</address>
        <nattype>auto</nattype>
      </natlocalid>
      <localid>
        <type>lan</type>
      </localid>
      <remoteid>
        <type>address</type>
        <address>REMOTE_IP</address>
      </remoteid>
      <encryption-algorithm-option>
        <name>aes</name>
        <keylen>256</keylen>
      </encryption-algorithm-option>
      <hash-algorithm-option>hmac_sha256</hash-algorithm-option>
    </phase2>
  </ipsec>

We also configured the firewall rules to pass the correspondent traffic.

We think that Phase 1 is established successfully (according to the log file) but Phase 2 fails constantly. Here is an excerpt of the IPsec logfile:

Code:
00[DMN] Starting IKE charon daemon (strongSwan 5.5.2, FreeBSD 11.0-RELEASE-p10, amd64)
00[KNL] unable to set UDP_ENCAP: Invalid argument
00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG]   loaded IKE secret for <REMOTE_GATEWAY>
00[CFG] loaded 0 RADIUS server configurations
00[LIB] loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac gcm attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic whitelist addrblock
00[JOB] spawning 16 worker threads
16[CFG] received stroke: add connection 'con1'
16[CFG] added configuration 'con1'
05[CFG] received stroke: route 'con1'
05[NET] received packet: from <REMOTE_GATEWAY>[500] to <WAN_IP>[500] (212 bytes)
05[ENC] parsed ID_PROT request 0 [ SA V V V V ]
05[IKE] received DPD vendor ID
05[IKE] received FRAGMENTATION vendor ID
05[IKE] received FRAGMENTATION vendor ID
05[ENC] received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:05:02:e6
05[IKE] <REMOTE_GATEWAY> is initiating a Main Mode IKE_SA
05[IKE] <REMOTE_GATEWAY> is initiating a Main Mode IKE_SA
05[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
05[IKE] sending XAuth vendor ID
05[IKE] sending DPD vendor ID
05[IKE] sending FRAGMENTATION vendor ID
05[ENC] generating ID_PROT response 0 [ SA V V V ]
05[NET] sending packet: from <WAN_IP>[500] to <REMOTE_GATEWAY>[500] (144 bytes)
05[NET] received packet: from <REMOTE_GATEWAY>[500] to <WAN_IP>[500] (1076 bytes)
05[ENC] parsed ID_PROT request 0 [ KE No ]
05[ENC] generating ID_PROT response 0 [ KE No ]
05[NET] sending packet: from <WAN_IP>[500] to <REMOTE_GATEWAY>[500] (1092 bytes)
05[NET] received packet: from <REMOTE_GATEWAY>[500] to <WAN_IP>[500] (108 bytes)
05[ENC] parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
05[CFG] looking for pre-shared key peer configs matching <WAN_IP>...<REMOTE_GATEWAY>[<REMOTE_GATEWAY>]
05[CFG] selected peer config "con1"
05[IKE] IKE_SA con1[1] established between <WAN_IP>[<WAN_IP>]...<REMOTE_GATEWAY>[<REMOTE_GATEWAY>]
05[IKE] IKE_SA con1[1] established between <WAN_IP>[<WAN_IP>]...<REMOTE_GATEWAY>[<REMOTE_GATEWAY>]
05[IKE] IKE_SA con1[1] state change: CONNECTING => ESTABLISHED
05[IKE] scheduling reauthentication in 85487s
05[IKE] maximum IKE_SA lifetime 86027s
05[ENC] generating ID_PROT response 0 [ ID HASH ]
05[NET] sending packet: from <WAN_IP>[500] to <REMOTE_GATEWAY>[500] (92 bytes)
15[NET] received packet: from <REMOTE_GATEWAY>[500] to <WAN_IP>[500] (1196 bytes)
15[ENC] parsed QUICK_MODE request 2120383014 [ HASH SA No KE ID ID ]
15[IKE] no matching CHILD_SA config found
15[IKE] queueing INFORMATIONAL task
15[IKE] activating new tasks
15[IKE]   activating INFORMATIONAL task
15[ENC] generating INFORMATIONAL_V1 request 2879248864 [ HASH N(INVAL_ID) ]
15[NET] sending packet: from <WAN_IP>[500] to <REMOTE_GATEWAY>[500] (92 bytes)
[...]
15[NET] received packet: from <REMOTE_GATEWAY>[500] to <WAN_IP>[500] (1196 bytes)
15[ENC] parsed QUICK_MODE request 2120383014 [ HASH SA No KE ID ID ]
15[ENC] received HASH payload does not match
15[IKE] integrity check failed
15[ENC] generating INFORMATIONAL_V1 request 3665471938 [ HASH N(INVAL_HASH) ]
15[NET] sending packet: from <WAN_IP>[500] to <REMOTE_GATEWAY>[500] (92 bytes)
15[IKE] QUICK_MODE request with message ID 2120383014 processing failed
15[NET] received packet: from <REMOTE_GATEWAY>[500] to <WAN_IP>[500] (108 bytes)
15[ENC] parsed INFORMATIONAL_V1 request 1902660597 [ HASH N(DPD) ]
15[IKE] queueing ISAKMP_DPD task
15[IKE] activating new tasks
15[IKE]   activating ISAKMP_DPD task
15[ENC] generating INFORMATIONAL_V1 request 2994610690 [ HASH N(DPD_ACK) ]
15[NET] sending packet: from <WAN_IP>[500] to <REMOTE_GATEWAY>[500] (108 bytes)
[...]
10[NET] received packet: from <REMOTE_GATEWAY>[500] to <WAN_IP>[500] (108 bytes)
10[ENC] parsed INFORMATIONAL_V1 request 3827322351 [ HASH D ]
10[IKE] received DELETE for IKE_SA con1[1]
10[IKE] deleting IKE_SA con1[1] between <WAN_IP>[<WAN_IP>]...<REMOTE_GATEWAY>[<REMOTE_GATEWAY>]
10[IKE] deleting IKE_SA con1[1] between <WAN_IP>[<WAN_IP>]...<REMOTE_GATEWAY>[<REMOTE_GATEWAY>]
10[IKE] IKE_SA con1[1] state change: ESTABLISHED => DELETING
10[IKE] IKE_SA con1[1] state change: DELETING => DELETING
10[IKE] IKE_SA con1[1] state change: DELETING => DESTROYING
10[NET] received packet: from <REMOTE_GATEWAY>[500] to <WAN_IP>[500] (212 bytes)
10[ENC] parsed ID_PROT request 0 [ SA V V V V ]
10[IKE] received DPD vendor ID
10[IKE] received FRAGMENTATION vendor ID
10[IKE] received FRAGMENTATION vendor ID
10[ENC] received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:05:02:e6
10[IKE] <REMOTE_GATEWAY> is initiating a Main Mode IKE_SA
10[IKE] <REMOTE_GATEWAY> is initiating a Main Mode IKE_SA
10[IKE] IKE_SA (unnamed)[2] state change: CREATED => CONNECTING
10[IKE] sending XAuth vendor ID
10[IKE] sending DPD vendor ID
10[IKE] sending FRAGMENTATION vendor ID
10[ENC] generating ID_PROT response 0 [ SA V V V ]
10[NET] sending packet: from <WAN_IP>[500] to <REMOTE_GATEWAY>[500] (144 bytes)
10[NET] received packet: from <REMOTE_GATEWAY>[500] to <WAN_IP>[500] (1076 bytes)
10[ENC] parsed ID_PROT request 0 [ KE No ]
10[ENC] generating ID_PROT response 0 [ KE No ]
10[NET] sending packet: from <WAN_IP>[500] to <REMOTE_GATEWAY>[500] (1092 bytes)
10[NET] received packet: from <REMOTE_GATEWAY>[500] to <WAN_IP>[500] (108 bytes)
10[ENC] parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
10[CFG] looking for pre-shared key peer configs matching <WAN_IP>...<REMOTE_GATEWAY>[<REMOTE_GATEWAY>]
10[CFG] selected peer config "con1"
10[IKE] IKE_SA con1[2] established between <WAN_IP>[<WAN_IP>]...<REMOTE_GATEWAY>[<REMOTE_GATEWAY>]
10[IKE] IKE_SA con1[2] established between <WAN_IP>[<WAN_IP>]...<REMOTE_GATEWAY>[<REMOTE_GATEWAY>]
10[IKE] IKE_SA con1[2] state change: CONNECTING => ESTABLISHED
10[IKE] scheduling reauthentication in 85592s
10[IKE] maximum IKE_SA lifetime 86132s
10[ENC] generating ID_PROT response 0 [ ID HASH ]
10[NET] sending packet: from <WAN_IP>[500] to <REMOTE_GATEWAY>[500] (92 bytes)
05[NET] received packet: from <REMOTE_GATEWAY>[500] to <WAN_IP>[500] (364 bytes)
05[ENC] parsed QUICK_MODE request 1287641317 [ HASH SA No KE ID ID ]
05[IKE] no matching CHILD_SA config found
05[IKE] queueing INFORMATIONAL task
05[IKE] activating new tasks
05[IKE]   activating INFORMATIONAL task
05[ENC] generating INFORMATIONAL_V1 request 1308943122 [ HASH N(INVAL_ID) ]
05[NET] sending packet: from <WAN_IP>[500] to <REMOTE_GATEWAY>[500] (92 bytes)
05[IKE] activating new tasks
05[IKE] nothing to initiate
10[NET] received packet: from <REMOTE_GATEWAY>[500] to <WAN_IP>[500] (364 bytes)
10[IKE] received retransmit of request with ID 1287641317, but no response to retransmit
10[NET] received packet: from <REMOTE_GATEWAY>[500] to <WAN_IP>[500] (108 bytes)
10[ENC] parsed INFORMATIONAL_V1 request 3364558570 [ HASH N(DPD) ]
10[IKE] queueing ISAKMP_DPD task
10[IKE] activating new tasks
10[IKE]   activating ISAKMP_DPD task
10[ENC] generating INFORMATIONAL_V1 request 521142270 [ HASH N(DPD_ACK) ]
10[NET] sending packet: from <WAN_IP>[500] to <REMOTE_GATEWAY>[500] (108 bytes)
10[IKE] activating new tasks
10[IKE] nothing to initiate
10[KNL] creating acquire job for policy <WAN_IP>/32 === <REMOTE_GATEWAY>/32 with reqid {1}
10[IKE] queueing QUICK_MODE task
10[IKE] activating new tasks
10[IKE]   activating QUICK_MODE task
10[ENC] generating QUICK_MODE request 3012369156 [ HASH SA No KE ID ID ]
10[NET] sending packet: from <WAN_IP>[500] to <REMOTE_GATEWAY>[500] (1228 bytes)
10[NET] received packet: from <REMOTE_GATEWAY>[500] to <WAN_IP>[500] (364 bytes)
10[ENC] parsed QUICK_MODE request 1287641317 [ HASH SA No KE ID ID ]
10[ENC] received HASH payload does not match
10[IKE] integrity check failed
10[ENC] generating INFORMATIONAL_V1 request 3041320764 [ HASH N(INVAL_HASH) ]
10[NET] sending packet: from <WAN_IP>[500] to <REMOTE_GATEWAY>[500] (92 bytes)
10[IKE] QUICK_MODE request with message ID 1287641317 processing failed
10[IKE] sending retransmit 1 of request message ID 3012369156, seq 3
10[NET] sending packet: from <WAN_IP>[500] to <REMOTE_GATEWAY>[500] (1228 bytes)
10[NET] received packet: from <REMOTE_GATEWAY>[500] to <WAN_IP>[500] (108 bytes)
10[ENC] parsed INFORMATIONAL_V1 request 407145585 [ HASH N(DPD) ]
10[IKE] queueing ISAKMP_DPD task
10[IKE] delaying task initiation, QUICK_MODE exchange in progress
10[NET] received packet: from <REMOTE_GATEWAY>[500] to <WAN_IP>[500] (108 bytes)
10[ENC] parsed INFORMATIONAL_V1 request 3707031783 [ HASH N(DPD) ]
10[IKE] queueing ISAKMP_DPD task
10[IKE] delaying task initiation, QUICK_MODE exchange in progress
10[NET] received packet: from <REMOTE_GATEWAY>[500] to <WAN_IP>[500] (364 bytes)
10[ENC] parsed QUICK_MODE request 1287641317 [ HASH SA No KE ID ID ]
10[ENC] received HASH payload does not match
10[IKE] integrity check failed
10[ENC] generating INFORMATIONAL_V1 request 1596815564 [ HASH N(INVAL_HASH) ]
10[NET] sending packet: from <WAN_IP>[500] to <REMOTE_GATEWAY>[500] (92 bytes)
10[IKE] QUICK_MODE request with message ID 1287641317 processing failed
10[IKE] sending retransmit 2 of request message ID 3012369156, seq 3
10[NET] sending packet: from <WAN_IP>[500] to <REMOTE_GATEWAY>[500] (1228 bytes)
10[KNL] creating acquire job for policy <WAN_IP>/32 === <REMOTE_GATEWAY>/32 with reqid {1}
10[CFG] ignoring acquire, connection attempt pending
10[NET] received packet: from <REMOTE_GATEWAY>[500] to <WAN_IP>[500] (108 bytes)
10[ENC] parsed INFORMATIONAL_V1 request 1524991498 [ HASH N(DPD) ]
10[IKE] queueing ISAKMP_DPD task
10[IKE] delaying task initiation, QUICK_MODE exchange in progress
09[NET] received packet: from <REMOTE_GATEWAY>[500] to <WAN_IP>[500] (108 bytes)
09[ENC] parsed INFORMATIONAL_V1 request 3342942689 [ HASH D ]
09[IKE] received DELETE for IKE_SA con1[2]
09[IKE] deleting IKE_SA con1[2] between <WAN_IP>[<WAN_IP>]...<REMOTE_GATEWAY>[<REMOTE_GATEWAY>]
09[IKE] deleting IKE_SA con1[2] between <WAN_IP>[<WAN_IP>]...<REMOTE_GATEWAY>[<REMOTE_GATEWAY>]
09[IKE] IKE_SA con1[2] state change: ESTABLISHED => DELETING
09[IKE] queueing ISAKMP_VENDOR task
09[IKE] queueing ISAKMP_CERT_PRE task
09[IKE] queueing MAIN_MODE task
09[IKE] queueing ISAKMP_CERT_POST task
09[IKE] queueing ISAKMP_NATD task
09[IKE] activating new tasks
09[IKE]   activating ISAKMP_VENDOR task
09[IKE]   activating ISAKMP_CERT_PRE task
09[IKE]   activating MAIN_MODE task
09[IKE]   activating ISAKMP_CERT_POST task
09[IKE]   activating ISAKMP_NATD task
09[IKE] sending XAuth vendor ID
09[IKE] sending DPD vendor ID
09[IKE] sending FRAGMENTATION vendor ID
09[IKE] sending NAT-T (RFC 3947) vendor ID
09[IKE] sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
09[IKE] initiating Main Mode IKE_SA con1[3] to <REMOTE_GATEWAY>
09[IKE] initiating Main Mode IKE_SA con1[3] to <REMOTE_GATEWAY>
09[IKE] IKE_SA con1[3] state change: CREATED => CONNECTING
09[ENC] generating ID_PROT request 0 [ SA V V V V V ]
09[NET] sending packet: from <WAN_IP>[500] to <REMOTE_GATEWAY>[500] (184 bytes)
09[IKE] IKE_SA con1[2] state change: DELETING => DELETING
09[IKE] IKE_SA con1[2] state change: DELETING => DESTROYING
09[NET] received packet: from <REMOTE_GATEWAY>[500] to <WAN_IP>[500] (172 bytes)
09[ENC] parsed ID_PROT response 0 [ SA V V V V ]
09[IKE] received DPD vendor ID
09[ENC] received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:05:02:e6
09[IKE] received FRAGMENTATION vendor ID
09[IKE] received FRAGMENTATION vendor ID
09[IKE] reinitiating already active tasks
09[IKE]   ISAKMP_VENDOR task
09[IKE]   MAIN_MODE task
09[ENC] generating ID_PROT request 0 [ KE No ]
09[NET] sending packet: from <WAN_IP>[500] to <REMOTE_GATEWAY>[500] (1092 bytes)
09[NET] received packet: from <REMOTE_GATEWAY>[500] to <WAN_IP>[500] (1076 bytes)
09[ENC] parsed ID_PROT response 0 [ KE No ]
09[IKE] reinitiating already active tasks
09[IKE]   ISAKMP_VENDOR task
09[IKE]   MAIN_MODE task
09[ENC] generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
09[NET] sending packet: from <WAN_IP>[500] to <REMOTE_GATEWAY>[500] (108 bytes)
09[NET] received packet: from <REMOTE_GATEWAY>[500] to <WAN_IP>[500] (92 bytes)
09[ENC] parsed ID_PROT response 0 [ ID HASH ]
09[IKE] IKE_SA con1[3] established between <WAN_IP>[<WAN_IP>]...<REMOTE_GATEWAY>[<REMOTE_GATEWAY>]
09[IKE] IKE_SA con1[3] established between <WAN_IP>[<WAN_IP>]...<REMOTE_GATEWAY>[<REMOTE_GATEWAY>]
09[IKE] IKE_SA con1[3] state change: CONNECTING => ESTABLISHED
09[IKE] scheduling reauthentication in 85598s
09[IKE] maximum IKE_SA lifetime 86138s
09[IKE] activating new tasks
09[IKE]   activating QUICK_MODE task
09[ENC] generating QUICK_MODE request 150100022 [ HASH SA No KE ID ID ]
09[NET] sending packet: from <WAN_IP>[500] to <REMOTE_GATEWAY>[500] (1228 bytes)
09[KNL] creating acquire job for policy <WAN_IP>/32 === <REMOTE_GATEWAY>/32 with reqid {1}
08[IKE] queueing QUICK_MODE task
08[IKE] delaying task initiation, QUICK_MODE exchange in progress
08[NET] received packet: from <REMOTE_GATEWAY>[500] to <WAN_IP>[500] (364 bytes)
08[ENC] parsed QUICK_MODE request 1622390271 [ HASH SA No KE ID ID ]
08[IKE] no matching CHILD_SA config found
08[IKE] queueing INFORMATIONAL task
08[IKE] delaying task initiation, QUICK_MODE exchange in progress
08[NET] received packet: from <REMOTE_GATEWAY>[500] to <WAN_IP>[500] (364 bytes)
08[IKE] received retransmit of request with ID 1622390271, but no response to retransmit
08[IKE] sending retransmit 1 of request message ID 150100022, seq 4
08[NET] sending packet: from <WAN_IP>[500] to <REMOTE_GATEWAY>[500] (1228 bytes)
09[NET] received packet: from <REMOTE_GATEWAY>[500] to <WAN_IP>[500] (108 bytes)
09[ENC] parsed INFORMATIONAL_V1 request 1440918862 [ HASH N(DPD) ]
09[IKE] queueing ISAKMP_DPD task
09[IKE] delaying task initiation, QUICK_MODE exchange in progress
09[NET] received packet: from <REMOTE_GATEWAY>[500] to <WAN_IP>[500] (364 bytes)
09[ENC] invalid HASH_V1 payload length, decryption failed?
09[ENC] could not decrypt payloads
09[IKE] message parsing failed


We have no idea if the problem arises from the change of the DH group or if it has something to do with the difference between pfSense and OPNsense.

Does anyone have any idea what the problem could be?

Thank you.
Lukas.
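The charon excerpt above is long, and the useful signal is buried in retransmits and DPD chatter. The following script is an added example (not part of the post and not OPNsense or strongSwan code) that parses lines in the charon log format shown here, tracks IKE_SA state changes, and counts the Quick Mode failure signatures the log contains ("no matching CHILD_SA config found" answered with INVAL_ID, then "integrity check failed" with INVAL_HASH). It also pulls out the kernel acquire policy so the local traffic selector can be compared with the Phase 2 entries in the config. The sample log lines are constructed from the message formats in the post; the IP addresses in them are placeholder documentation addresses, not the poster's.

```python
import re
from collections import Counter

# Constructed sample in the charon format "<thread>[<subsystem>] <message>",
# modelled on the messages in the post. Addresses are placeholders.
SAMPLE_LOG = """\
05[IKE] IKE_SA con1[1] state change: CONNECTING => ESTABLISHED
15[ENC] parsed QUICK_MODE request 2120383014 [ HASH SA No KE ID ID ]
15[IKE] no matching CHILD_SA config found
15[ENC] generating INFORMATIONAL_V1 request 2879248864 [ HASH N(INVAL_ID) ]
15[ENC] received HASH payload does not match
15[IKE] integrity check failed
10[KNL] creating acquire job for policy 198.51.100.10/32 === 203.0.113.5/32 with reqid {1}
10[IKE] received DELETE for IKE_SA con1[1]
10[IKE] IKE_SA con1[1] state change: ESTABLISHED => DELETING
"""

LINE_RE = re.compile(r'^(?P<thread>\d+)\[(?P<group>[A-Z]+)\]\s+(?P<msg>.*)$')
STATE_RE = re.compile(
    r'IKE_SA (?P<name>\S+)\[(?P<id>\d+)\] state change: (?P<src>\w+) => (?P<dst>\w+)')
POLICY_RE = re.compile(r'creating acquire job for policy (?P<local>\S+) === (?P<remote>\S+)')

# Quick Mode (Phase 2) failure messages seen in the post and what each one means
# in strongSwan's IKEv1 responder path.
PHASE2_SIGNATURES = {
    'no matching CHILD_SA config found':
        'peer proposed ID/ID traffic selectors that match no local Phase 2 entry (answered with INVAL_ID)',
    'received HASH payload does not match':
        'HASH of an incoming Quick Mode message did not verify (INVAL_HASH sent back)',
    'integrity check failed':
        'same message failed the integrity check; typically a retransmit after the INVAL_ID rejection',
    'could not decrypt payloads':
        'Quick Mode message could not be decrypted; the IKE_SA keying state no longer lines up',
}


def parse_line(line):
    """Split one charon line into (thread, subsystem, message), or None if it is not a log line."""
    m = LINE_RE.match(line.strip())
    return (m.group('thread'), m.group('group'), m.group('msg')) if m else None


def analyze(log_text):
    """Summarize Phase 1 state and Phase 2 failures for a charon log excerpt."""
    established, deleted = set(), set()
    failures = Counter()
    policies = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _thread, _group, msg = parsed
        sm = STATE_RE.search(msg)
        if sm:
            key = f"{sm.group('name')}[{sm.group('id')}]"
            if sm.group('dst') == 'ESTABLISHED':
                established.add(key)
            elif sm.group('dst') == 'DELETING':
                deleted.add(key)
            continue
        pm = POLICY_RE.search(msg)
        if pm:
            # Local === remote selector the kernel asked charon to negotiate for.
            policies.append((pm.group('local'), pm.group('remote')))
            continue
        for sig in PHASE2_SIGNATURES:
            if sig in msg:
                failures[sig] += 1
    if established and failures:
        verdict = 'phase1-ok-phase2-failing'
    elif established:
        verdict = 'phase1-ok'
    else:
        verdict = 'phase1-failing'
    return {
        'established': sorted(established),
        'deleted': sorted(deleted),
        'phase2_failures': dict(failures),
        'policies': policies,
        'verdict': verdict,
    }


def explain(result):
    """Turn the summary into plain-language findings a reader can act on."""
    findings = [f"verdict: {result['verdict']}"]
    for sig, count in result['phase2_failures'].items():
        findings.append(f"{count}x '{sig}': {PHASE2_SIGNATURES[sig]}")
    for local, remote in result['policies']:
        findings.append(f"kernel policy {local} === {remote}: compare with the Phase 2 local/remote IDs")
    return findings


if __name__ == '__main__':
    for line in explain(analyze(SAMPLE_LOG)):
        print(line)
```

Run it against a saved copy of the IPsec log; a verdict of phase1-ok-phase2-failing together with "no matching CHILD_SA config found" points at the Phase 2 traffic selectors rather than at the Phase 1 proposal, so the DH group change is the less likely culprit and the local/remote network definitions on both ends are the first thing to compare.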