Bug #4565
Previously working IPsec broken by upgrading to 2.2.1
Status: closed
Description
I previously had a site-to-site VPN up and working between two sites when one endpoint was 2.2 and the other was 2.1.1.
The first was upgraded to 2.2.1 over the weekend. The second was as well, but we had to revert this morning when we realized that forwarding between VLANs was mostly not working (some rules would work, some wouldn't, lots of strange failures).
Now I'm seeing the following when trying to establish the IPsec link. From the logs on the 2.2.1 site:
Mar 30 12:59:13 pfsense charon: 05[CFG] received proposals: ESP:BLOWFISH_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
Mar 30 12:59:13 pfsense charon: 05[CFG] configured proposals: ESP:BLOWFISH_CBC_256/HMAC_SHA2_256_128/MODP_1024/NO_EXT_SEQ
Mar 30 12:59:13 pfsense charon: 05[IKE] <con4000|3> no matching proposal found, sending NO_PROPOSAL_CHOSEN
Mar 30 12:59:13 pfsense charon: 05[IKE] no matching proposal found, sending NO_PROPOSAL_CHOSEN
Mar 30 12:59:13 pfsense charon: 05[ENC] generating INFORMATIONAL_V1 request 2017941413 [ HASH N(NO_PROP) ]
The two IPsec proposals are configured identically but it seems as though charon is expecting something that racoon isn't providing.
Updated by Jim Pingle about 10 years ago
- Status changed from New to Rejected
Your end shows it has a PFS group set in Phase 2. Check the Mobile Clients tab; ensure PFS isn't set there, as that takes effect globally. There's already a ticket for that, #4538.
Otherwise follow up on the forum before opening a ticket here so the root cause can be determined.
Updated by Michael Brown about 10 years ago
Confirmed this was the cause - resolved by setting the DH group for phase2 on both ends.
Thanks!
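The diagnosis above can be read straight out of charon's two "proposals" lines: the configured proposal carries a DH group (MODP_1024) that the received proposal does not, and everything else is identical. The script below is an added example, not code from the ticket, from pfSense, or from strongSwan. It parses the "received proposals" / "configured proposals" log lines, buckets each transform by type (encryption, integrity, DH group, ESN), and reports which bucket fails to overlap, so a Phase 2 PFS mismatch is distinguished from a plain cipher mismatch. The first sample log is the ticket's own three lines; the second is constructed to show the post-fix case with MODP_1024 on both ends. The category heuristics and the message strings are this example's own assumptions, not strongSwan's.

```python
"""Classify strongSwan (charon) Phase 2 proposal mismatches from log lines.

Added example, not from the pfSense ticket or the strongSwan project.
"""
import re
from dataclasses import dataclass

# charon prints one "received proposals" line (what the peer offered) and one
# "configured proposals" line (what the local side requires) before deciding.
# An optional "<conn|N>" tag may appear between [CFG] and the text.
PROPOSAL_RE = re.compile(
    r"charon: \d+\[CFG\] (?:<[^>]+> )?(?P<kind>received|configured) proposals: (?P<props>.+)$"
)
# DH group names as charon prints them; in an ESP/AH proposal one means PFS.
DH_GROUP_RE = re.compile(r"^(MODP|ECP|CURVE)_")


def category(transform):
    """Bucket a transform name by type (heuristic, assumed for this example)."""
    if DH_GROUP_RE.match(transform):
        return "dh"
    if transform in ("NO_EXT_SEQ", "EXT_SEQ"):
        return "esn"
    if transform.startswith("PRF_"):
        return "prf"
    if transform.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")):
        return "integ"
    return "enc"


@dataclass
class Proposal:
    protocol: str      # "ESP", "AH" or "IKE"
    transforms: list   # e.g. ["BLOWFISH_CBC_256", "HMAC_SHA2_256_128", "NO_EXT_SEQ"]

    def by_category(self):
        out = {}
        for t in self.transforms:
            out.setdefault(category(t), set()).add(t)
        return out


def parse_proposals(text):
    """Parse 'ESP:A/B/C, ESP:D/E' into Proposal objects."""
    props = []
    for chunk in text.split(","):
        proto, _, transforms = chunk.strip().partition(":")
        props.append(Proposal(proto, transforms.split("/")))
    return props


def compare(configured, received):
    """Reasons why `received` fails to satisfy `configured`; empty list means a match."""
    if configured.protocol != received.protocol:
        return [f"protocol {received.protocol} != {configured.protocol}"]
    want, got = configured.by_category(), received.by_category()
    reasons = []
    for cat in sorted(set(want) | set(got)):
        if cat not in got:
            reasons.append("pfs missing on peer" if cat == "dh" else f"peer omitted {cat}")
        elif cat not in want:
            reasons.append("pfs missing locally" if cat == "dh" else f"peer added {cat}")
        elif not want[cat] & got[cat]:
            reasons.append(f"no common {cat}: local {sorted(want[cat])} vs peer {sorted(got[cat])}")
    return reasons


def analyse(lines):
    """Summarise a burst of charon log lines around one Phase 2 negotiation."""
    received, configured, no_prop = [], [], False
    for line in lines:
        if "NO_PROPOSAL_CHOSEN" in line:
            no_prop = True
        m = PROPOSAL_RE.search(line)
        if m:
            target = received if m.group("kind") == "received" else configured
            target.extend(parse_proposals(m.group("props")))
    pairs = [(c, r) for c in configured for r in received]
    matched = any(not compare(c, r) for c, r in pairs)
    reasons = [] if matched else sorted({why for c, r in pairs for why in compare(c, r)})
    local_dh = sorted({t for p in configured for t in p.transforms if category(t) == "dh"})
    hint = ""
    if "pfs missing on peer" in reasons:
        # Grounded in the ticket: a PFS group on the Mobile Clients tab applies globally.
        hint = (f"local side requires PFS group(s) {local_dh} but the peer offered none; "
                "check the Phase 2 PFS setting and the Mobile Clients tab on this end")
    return {"matched": matched, "reasons": reasons, "no_proposal_chosen": no_prop,
            "local_dh_groups": local_dh, "hint": hint}


# Sample 1: the three lines quoted in the ticket.
MISMATCH_LOG = [
    "Mar 30 12:59:13 pfsense charon: 05[CFG] received proposals: ESP:BLOWFISH_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ",
    "Mar 30 12:59:13 pfsense charon: 05[CFG] configured proposals: ESP:BLOWFISH_CBC_256/HMAC_SHA2_256_128/MODP_1024/NO_EXT_SEQ",
    "Mar 30 12:59:13 pfsense charon: 05[IKE] <con4000|3> no matching proposal found, sending NO_PROPOSAL_CHOSEN",
]
# Sample 2: constructed to mirror the fix (DH group set for Phase 2 on both ends).
FIXED_LOG = [
    "Mar 30 13:20:01 pfsense charon: 07[CFG] received proposals: ESP:BLOWFISH_CBC_256/HMAC_SHA2_256_128/MODP_1024/NO_EXT_SEQ",
    "Mar 30 13:20:01 pfsense charon: 07[CFG] configured proposals: ESP:BLOWFISH_CBC_256/HMAC_SHA2_256_128/MODP_1024/NO_EXT_SEQ",
]

if __name__ == "__main__":
    for name, log in (("ticket", MISMATCH_LOG), ("after fix", FIXED_LOG)):
        print(name, analyse(log))
```

Run it against a copy of the IPsec log from Status > System Logs; when `reasons` contains only "pfs missing on peer", the two ends agree on ciphers and only disagree on whether Phase 2 requires a DH group, which is exactly the situation the ticket describes.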