Messages - blainer

#1
OPNsense 15.7.18_1-amd64
FreeBSD 10.1-RELEASE-p23
OpenSSL 1.0.2d 9 Jul 2015

I have tried almost every possible combination of settings and I CANNOT produce a working IPsec VPN connection, with either my Android phone or the Shrew Soft VPN Client on Linux or Windows.

I always hit the same two errors and cannot for the life of me figure out how to solve either.

When trying Hybrid RSA + Xauth, this is the result.


Mar 18 12:39:40 charon: 09[JOB] deleting half open IKE_SA after timeout
Mar 18 12:39:10 charon: 09[NET] sending packet: from 24.73.###.### [500] to 66.87.###.###[2917] (397 bytes)
Mar 18 12:39:10 charon: 09[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
Mar 18 12:39:10 charon: 09[IKE] sending cert request for "C=US, ST=Florida, L=Clearwater, O=bah, E=, CN=internal-ca"
Mar 18 12:39:10 charon: 09[IKE] <47> sending cert request for "C=US, ST=Florida, L=Clearwater, O=example, E=test@example.com, CN=internal-ca"
Mar 18 12:39:10 charon: 09[IKE] remote host is behind NAT
Mar 18 12:39:10 charon: 09[IKE] <47> remote host is behind NAT
Mar 18 12:39:10 charon: 09[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Mar 18 12:39:10 charon: 09[NET] received packet: from 66.87.###.###[2917] to 24.73.###.###[500] (228 bytes)
Mar 18 12:39:10 charon: 09[NET] sending packet: from 24.73.###.###[500] to 66.87.###.###[2917] (180 bytes)
Mar 18 12:39:10 charon: 09[ENC] generating ID_PROT response 0 [ SA V V V V V ]
Mar 18 12:39:10 charon: 09[IKE] 66.87.###.### is initiating a Main Mode IKE_SA
Mar 18 12:39:10 charon: 09[IKE] <47> 66.87.###.### is initiating a Main Mode IKE_SA
Mar 18 12:39:10 charon: 09[IKE] received DPD vendor ID
Mar 18 12:39:10 charon: 09[IKE] <47> received DPD vendor ID
Mar 18 12:39:10 charon: 09[IKE] received FRAGMENTATION vendor ID
Mar 18 12:39:10 charon: 09[IKE] <47> received FRAGMENTATION vendor ID
Mar 18 12:39:10 charon: 09[IKE] received Cisco Unity vendor ID
Mar 18 12:39:10 charon: 09[IKE] <47> received Cisco Unity vendor ID
Mar 18 12:39:10 charon: 09[IKE] received XAuth vendor ID
Mar 18 12:39:10 charon: 09[IKE] <47> received XAuth vendor ID
Mar 18 12:39:10 charon: 09[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Mar 18 12:39:10 charon: 09[IKE] <47> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Mar 18 12:39:10 charon: 09[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Mar 18 12:39:10 charon: 09[IKE] <47> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Mar 18 12:39:10 charon: 09[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Mar 18 12:39:10 charon: 09[IKE] <47> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Mar 18 12:39:10 charon: 09[IKE] received NAT-T (RFC 3947) vendor ID
Mar 18 12:39:10 charon: 09[IKE] <47> received NAT-T (RFC 3947) vendor ID
Mar 18 12:39:10 charon: 09[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
Mar 18 12:39:10 charon: 09[NET] received packet: from 66.87.###.###[2917] to 24.73.###.###[500] (476 bytes)


When trying Hybrid PSK + Xauth, I get reconnecting errors until it times out and deletes the half-open IKE session.

I have followed the guides word for word and am still unable to get this working.

Please help.
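The charon lines above are shown newest-first by the OPNsense log viewer and every IKE line appears twice (once with a `<47>` tag), which makes the exchange hard to read. As an added example that is not part of the post and not strongSwan or OPNsense code, here is a small Python parser that reverses the order, collapses the duplicated copies, pairs each `parsed`/`generating ID_PROT` line with its packet line to number the Main Mode messages, and reports where the exchange stopped. The embedded log is a constructed subset of the lines posted above, with the addresses kept masked exactly as posted; the note about UDP/4500 is the parser's own caveat (RFC 3947: once NAT is detected, the initiator sends the fifth Main Mode message on UDP/4500), not something the log itself proves.

```python
import re

# Constructed sample: a subset of the charon lines from the post, in the
# newest-first order the OPNsense log viewer shows, addresses masked as posted.
CHARON_LOG = """\
Mar 18 12:39:40 charon: 09[JOB] deleting half open IKE_SA after timeout
Mar 18 12:39:10 charon: 09[NET] sending packet: from 24.73.###.### [500] to 66.87.###.###[2917] (397 bytes)
Mar 18 12:39:10 charon: 09[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
Mar 18 12:39:10 charon: 09[IKE] sending cert request for "C=US, ST=Florida, L=Clearwater, O=example, E=test@example.com, CN=internal-ca"
Mar 18 12:39:10 charon: 09[IKE] remote host is behind NAT
Mar 18 12:39:10 charon: 09[IKE] <47> remote host is behind NAT
Mar 18 12:39:10 charon: 09[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Mar 18 12:39:10 charon: 09[NET] received packet: from 66.87.###.###[2917] to 24.73.###.###[500] (228 bytes)
Mar 18 12:39:10 charon: 09[NET] sending packet: from 24.73.###.###[500] to 66.87.###.###[2917] (180 bytes)
Mar 18 12:39:10 charon: 09[ENC] generating ID_PROT response 0 [ SA V V V V V ]
Mar 18 12:39:10 charon: 09[IKE] 66.87.###.### is initiating a Main Mode IKE_SA
Mar 18 12:39:10 charon: 09[IKE] <47> 66.87.###.### is initiating a Main Mode IKE_SA
Mar 18 12:39:10 charon: 09[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
Mar 18 12:39:10 charon: 09[NET] received packet: from 66.87.###.###[2917] to 24.73.###.###[500] (476 bytes)
"""

LINE_RE = re.compile(
    r"^\w{3} +\d+ (?P<clock>\d\d:\d\d:\d\d) charon: \d+\[(?P<sub>\w+)\] "
    r"(?:<\d+> )?(?P<msg>.*)$"
)
PKT_RE = re.compile(
    r"^(?P<dir>sending|received) packet: from (?P<src>[^\s\[]+)\s*\[(?P<sport>\d+)\] "
    r"to (?P<dst>[^\s\[]+)\s*\[(?P<dport>\d+)\] \((?P<size>\d+) bytes\)"
)
EXCH_RE = re.compile(
    r"^(?P<act>parsed|generating) (?P<exch>\w+) (?P<kind>request|response) "
    r"\d+ \[ (?P<payloads>[^\]]*) \]"
)


def normalize(text):
    """Return (clock, subsystem, message) rows oldest-first, with the <NN> twins dropped.
    Assumes all lines fall on one day, so the clock alone orders them."""
    rows = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        row = (m["clock"], m["sub"], m["msg"])
        if not rows or rows[-1] != row:   # the <47> copy sits right next to its twin
            rows.append(row)
    if rows and rows[0][0] > rows[-1][0]:  # newest-first view: flip it
        rows.reverse()
    return rows


def summarize(text):
    """Reconstruct the IKEv1 Main Mode (ID_PROT) exchange as seen by the responder."""
    s = {"messages": [], "nat_detected": False, "timed_out": False, "cert_requests": []}
    pkt = exch = None
    for _clock, _sub, msg in normalize(text):
        em, pm = EXCH_RE.match(msg), PKT_RE.match(msg)
        if em and em["exch"] == "ID_PROT":
            exch = em
        elif em:                      # some other exchange: its packet is not ours
            pkt = None
        elif pm:
            pkt = pm
        elif msg == "remote host is behind NAT":
            s["nat_detected"] = True
        elif msg.startswith("sending cert request for "):
            s["cert_requests"].append(msg.split(" for ", 1)[1].strip('"'))
        elif msg.startswith("deleting half open IKE_SA"):
            s["timed_out"] = True
        if pkt and exch:              # packet line + its parsed/generated line = one message
            s["messages"].append({
                "n": len(s["messages"]) + 1,
                "dir": "received" if exch["act"] == "parsed" else "sent",
                "payloads": exch["payloads"],
                "bytes": int(pkt["size"]),
                "peer_port": int(pkt["sport"] if pkt["dir"] == "received" else pkt["dport"]),
            })
            pkt = exch = None
    return s


def diagnose(s):
    """One-line verdict on where the exchange stopped."""
    if not s["messages"]:
        return "no Main Mode messages found"
    last = s["messages"][-1]
    if not s["timed_out"]:
        return f"exchange reached message {last['n']} and has not timed out"
    if last["dir"] == "sent":
        verdict = (f"initiator went silent after responder sent message {last['n']} "
                   f"[{last['payloads']}]; message {last['n'] + 1} never arrived")
        if s["nat_detected"] and last["n"] == 4:
            # RFC 3947: with NAT detected, message 5 is the first the initiator sends on UDP/4500
            verdict += "; NAT detected, so message 5 is expected on UDP/4500, check that port is reachable"
        return verdict
    return f"responder never answered message {last['n']} [{last['payloads']}]"


if __name__ == "__main__":
    summary = summarize(CHARON_LOG)
    for m in summary["messages"]:
        print(f"MM{m['n']} {m['dir']:8} {m['bytes']:4} bytes  [{m['payloads']}]")
    print(diagnose(summary))
```

On the posted log this yields four Main Mode messages (SA in, SA out, KE in, KE out with a CERTREQ) followed by the half-open timeout 30 seconds later, i.e. the client never delivered the encrypted fifth message; the parser only states that much, the cause is whatever the rest of the thread finds.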
#2
I am happy to report that the problem has been resolved using the suggestions you provided. I used a tool on my laptop to test the MTU on the given path to the host 10.1.0.14 and it gave an MSS of 1465, so I entered that on the interface connected to the MPLS under MSS Clamping and enabled the IP Do Not Fragment option on the firewall, and it seems to have resolved the issue.

Thank you for all the help, Ad; now onto content filtering and VPN... yay!

Sincerely,

Blaine
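The path-MTU test behind that fix is easy to reproduce without a third-party tool. The following is an added example, not code from the post or from OPNsense: it binary-searches the largest DF-flagged ICMP echo that still reaches a host and derives the TCP MSS to clamp to (MTU minus 20 bytes IPv4 and 20 bytes TCP headers). It assumes the platform `ping` flags for Don't Fragment (`-M do` on Linux, `-D` on FreeBSD and macOS) and that `ping` exits non-zero when the probe fails; the `probe` hook exists so the search can be exercised against a simulated path. The default target 10.1.0.14 is the host from the post.

```python
import platform
import subprocess
import sys

IP_HEADER = 20    # IPv4 header without options
TCP_HEADER = 20   # TCP header without options
ICMP_HEADER = 8   # ICMP echo header


def ping_df(host, ip_size, probe=None):
    """True if a DF-flagged ICMP echo of `ip_size` total IP bytes reaches `host`.
    `probe` (size -> bool) is a test hook that stands in for the real ping."""
    if probe is not None:
        return probe(ip_size)
    payload = ip_size - IP_HEADER - ICMP_HEADER
    system = platform.system()
    if system == "Linux":
        cmd = ["ping", "-c", "1", "-W", "2", "-M", "do", "-s", str(payload), host]
    elif system in ("FreeBSD", "Darwin"):
        cmd = ["ping", "-c", "1", "-D", "-s", str(payload), host]
    else:
        raise RuntimeError(f"no Don't-Fragment ping recipe for {system}")
    done = subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return done.returncode == 0


def find_path_mtu(host, lo=576, hi=1500, probe=None):
    """Largest IP packet size that crosses the path unfragmented, by binary search.
    `lo` is assumed to pass (576 is the IPv4 minimum every host must accept);
    `hi` caps the search, raise it for jumbo-frame paths."""
    if not ping_df(host, lo, probe):
        raise RuntimeError(f"{host} unreachable even at {lo} bytes")
    while lo < hi:
        mid = (lo + hi + 1) // 2          # bias upward so the loop converges on the max
        if ping_df(host, mid, probe):
            lo = mid
        else:
            hi = mid - 1
    return lo


def mss_for_mtu(mtu):
    """TCP MSS to clamp to for a given path MTU (IPv4, no IP or TCP options)."""
    return mtu - IP_HEADER - TCP_HEADER


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "10.1.0.14"
    mtu = find_path_mtu(target)
    print(f"path MTU to {target}: {mtu} bytes -> clamp MSS to {mss_for_mtu(mtu)}")
```

Run it from a host on the LAN side of the firewall towards the far end of the MPLS path; if the result equals `hi`, the path may be larger than the cap and the search should be rerun with a higher `hi`. The MSS it prints is what goes into the interface's MSS clamping field; a plain 1500-byte path gives 1460, a PPPoE-style 1492 path gives 1452.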
#3
Here is some additional info.
#4
Thank you for your prompt reply. Attached is the information you asked for plus PuTTY logs.
#5
I have searched the forum already and not found any clues as to what may be causing this problem. I have also searched the pfSense forums and found nothing. I am going to try to explain this and provide as much documentation as possible, but if I forget something please let me know.

Here is a brief overview of the network topology that I am working with here.


LAN [ em0 (10.254.0.0) / opt1 on em0 VLAN 99 - (192.168.200.2) ] --> HP SWITCH (Layer 2) Trunk Port [VLANs 1 (UT), 99-104, 108, 112, 116 (T)] <-- Access Port VLAN 99 (UT) --> CISCO 892 --> MPLS (10.1.0.0/16) --> HP SWITCH DATA CENTER (Layer 2) Trunk Port [VLAN 1 (UT), 100-104, 108, 112, 116 (T)].

At the Data Center I have several devices attached to the HP switch; some I can access, others I cannot.

The switch itself is 10.1.0.2 / SSHv1.99: good
Observium server on Ubuntu (14.04.3), IP 10.1.0.14: SSHv2 unable to connect, HTTP 80 unable to connect
Observium server IPMI 10.1.0.4: SSHv1 good, HTTP and HTTPS 80/443 good
PBX 10.1.3.3: HTTPS 8089 good

The problem is the Observium server, and here is where it gets interesting.

I am able to ping 10.1.0.14 and tracert to 10.1.0.14 from inside the OPNsense FW (10.254.0.0/16), but I cannot SSH or access HTTP on port 80. OPNsense blocks it, as shown in the syslogs.

I can, however, SSH to OPNsense and then SSH from there to 10.1.0.14 on port 22 fine.

I can also, as stated, SSH from inside the OPNsense FW to my HP switch running SSHv1.99 fine.

If I go to another site in the MPLS I can SSH to 10.1.0.14 fine and view the web server on port 80 as well.

This all happens with the default permit-any FW rule for the LAN network.

My vendor has checked my office access on the MPLS and cannot replicate the problem. My Data Center support team says that there is nothing wrong with their configuration. I believe that the problem is something with the way pf is working that is mangling the SSH communication.

I have banged my head against the wall for 3 days trying to figure this out. It just does not make sense why, with the permit-any rule, traffic to this host is being denied by the default deny rule.

If I create a rule for this host 10.1.0.14 only, it is still being blocked.

Attached are my OPNsense config and SSH logs.

Please help, my sanity is running low.