Bug #5339

closed

IPSec with 2 phases 2

Added by Marco Messina almost 10 years ago. Updated almost 10 years ago.

Status: Not a Bug
Priority: Normal
Assignee: -
Category: IPsec
Target version: -
Start date: 10/23/2015
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
Affected Architecture: All

Description

Good morning,
I tried to create an IPSec tunnel with 2 Phase 2 entries, but I received the following error:

Oct 23 17:47:14 charon: 06[ENC] <con2|1> parsed QUICK_MODE request 2748080475 [ HASH ]
Oct 23 17:47:14    charon: 06[IKE] <con2|1> sa payload missing
Oct 23 17:47:14    charon: 06[IKE] <con2|1> sa payload missing
Oct 23 17:47:14    charon: 06[NET] <con2|1> received packet: from 10.130.34.250[500] to 10.130.4.161[500] (348 bytes)
Oct 23 17:47:14    charon: 06[ENC] <con2|1> parsed QUICK_MODE response 156018472 [ HASH SA No KE ID ID ]
Oct 23 17:47:14    charon: 06[ENC] <con2|1> received HASH payload does not match
Oct 23 17:47:14    charon: 06[IKE] <con2|1> integrity check failed
Oct 23 17:47:14    charon: 06[IKE] <con2|1> integrity check failed
Oct 23 17:47:14    charon: 06[ENC] <con2|1> generating INFORMATIONAL_V1 request 2308555727 [ HASH N(INVAL_HASH) ]
Oct 23 17:47:14    charon: 06[NET] <con2|1> sending packet: from 10.130.4.161[500] to 10.130.34.250[500] (76 bytes)
Oct 23 17:47:14    charon: 06[IKE] <con2|1> QUICK_MODE response with message ID 156018472 processing failed
Oct 23 17:47:14    charon: 06[IKE] <con2|1> QUICK_MODE response with message ID 156018472 processing failed
Oct 23 17:47:18    charon: 06[IKE] <con2|1> sending retransmit 1 of request message ID 156018472, seq 1
Oct 23 17:47:18    charon: 06[IKE] <con2|1> sending retransmit 1 of request message ID 156018472, seq 1
Oct 23 17:47:18    charon: 06[NET] <con2|1> sending packet: from 10.130.4.161[500] to 10.130.34.250[500] (316 bytes)
Oct 23 17:47:18    charon: 06[NET] <con2|1> received packet: from 10.130.34.250[500] to 10.130.4.161[500] (348 bytes)
Oct 23 17:47:18    charon: 06[ENC] <con2|1> parsed QUICK_MODE response 156018472 [ HASH SA No KE ID ID ]
Oct 23 17:47:18    charon: 06[ENC] <con2|1> received HASH payload does not match
Oct 23 17:47:18    charon: 06[IKE] <con2|1> integrity check failed
Oct 23 17:47:18    charon: 06[IKE] <con2|1> integrity check failed
Oct 23 17:47:18    charon: 06[ENC] <con2|1> generating INFORMATIONAL_V1 request 3627683057 [ HASH N(INVAL_HASH) ]
Oct 23 17:47:18    charon: 06[NET] <con2|1> sending packet: from 10.130.4.161[500] to 10.130.34.250[500] (76 bytes)
Oct 23 17:47:18    charon: 06[IKE] <con2|1> QUICK_MODE response with message ID 156018472 processing failed
Oct 23 17:47:18    charon: 06[IKE] <con2|1> QUICK_MODE response with message ID 156018472 processing failed
Oct 23 17:47:19    charon: 08[NET] <con2|1> received packet: from 10.130.34.250[500] to 10.130.4.161[500] (348 bytes)
Oct 23 17:47:19    charon: 08[ENC] <con2|1> parsed QUICK_MODE request 3901313929 [ HASH SA No KE ID ID ]
Oct 23 17:47:19    charon: 08[ENC] <con2|1> generating QUICK_MODE response 3901313929 [ HASH SA No KE ID ID ]
Oct 23 17:47:19    charon: 08[NET] <con2|1> sending packet: from 10.130.4.161[500] to 10.130.34.250[500] (316 bytes)
Oct 23 17:47:19    charon: 08[NET] <con2|1> received packet: from 10.130.34.250[500] to 10.130.4.161[500] (60 bytes)
Oct 23 17:47:19    charon: 08[ENC] <con2|1> parsed QUICK_MODE request 3901313929 [ HASH ]
Oct 23 17:47:19    charon: 08[IKE] <con2|1> CHILD_SA con2{5} established with SPIs cbe54f7b_i c8565f41_o and TS 100.128.2.0/24|/0 === 100.40.1.0/24|/0
Oct 23 17:47:19    charon: 08[IKE] <con2|1> CHILD_SA con2{5} established with SPIs cbe54f7b_i c8565f41_o and TS 100.128.2.0/24|/0 === 100.40.1.0/24|/0
Oct 23 17:47:19    charon: 08[NET] <con2|1> received packet: from 10.130.34.250[500] to 10.130.4.161[500] (348 bytes)
Oct 23 17:47:19    charon: 08[ENC] <con2|1> parsed QUICK_MODE response 156018472 [ HASH SA No KE ID ID ]
Oct 23 17:47:19    charon: 08[ENC] <con2|1> received HASH payload does not match
Oct 23 17:47:19    charon: 08[IKE] <con2|1> integrity check failed
Oct 23 17:47:19    charon: 08[IKE] <con2|1> integrity check failed
Oct 23 17:47:19    charon: 08[ENC] <con2|1> generating INFORMATIONAL_V1 request 1922165167 [ HASH N(INVAL_HASH) ]
Oct 23 17:47:19    charon: 08[NET] <con2|1> sending packet: from 10.130.4.161[500] to 10.130.34.250[500] (76 bytes)
Oct 23 17:47:19    charon: 08[IKE] <con2|1> QUICK_MODE response with message ID 156018472 processing failed
Oct 23 17:47:19    charon: 08[IKE] <con2|1> QUICK_MODE response with message ID 156018472 processing failed

And only the second phase 2 works well.
With only one phase 2 I don't have any problems.
You can find my configuration below:

<phase1>
 <ikeid>2</ikeid>
 <iketype>auto</iketype>
 <interface>lan</interface>
 <remote-gateway>10.130.34.250</remote-gateway>
 <protocol>inet</protocol>
 <myid_type>address</myid_type>
 <myid_data>10.130.4.161</myid_data>
 <peerid_type>address</peerid_type>
 <peerid_data>10.130.34.250</peerid_data>
 <encryption-algorithm>
  <name>aes</name>
  <keylen>256</keylen>
 </encryption-algorithm>
 <hash-algorithm>sha1</hash-algorithm>
 <dhgroup>2</dhgroup>
 <lifetime>28800</lifetime>
 <pre-shared-key>12345678</pre-shared-key>
 <private-key/>
 <certref/>
 <caref/>
 <authentication_method>pre_shared_key</authentication_method>
 <descr><![CDATA[IPSec Phase 1]]></descr>
 <nat_traversal>on</nat_traversal>
 <mobike>off</mobike>
 <dpd_delay>120</dpd_delay>
 <dpd_maxfail>5</dpd_maxfail>
</phase1>

<phase2>
 <ikeid>2</ikeid>
 <uniqid>5627a4dc9581e</uniqid>
 <mode>tunnel</mode>
 <reqid>2</reqid>
 <localid>
  <type>network</type>
  <address>100.128.1.0</address>
  <netbits>24</netbits>
 </localid>
 <remoteid>
  <type>network</type>
  <address>100.40.1.0</address>
  <netbits>24</netbits>
 </remoteid>
 <protocol>esp</protocol>
 <encryption-algorithm-option>
  <name>aes</name>
  <keylen>256</keylen>
 </encryption-algorithm-option>
 <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
 <pfsgroup>2</pfsgroup>
 <lifetime>3600</lifetime>
 <pinghost/>
 <descr><![CDATA[IPSec Phase 2 1]]></descr>
</phase2>

<phase2>
 <ikeid>2</ikeid>
 <uniqid>562a512047398</uniqid>
 <mode>tunnel</mode>
 <reqid>3</reqid>
 <localid>
  <type>network</type>
  <address>100.128.2.0</address>
  <netbits>24</netbits>
 </localid>
 <remoteid>
  <type>network</type>
  <address>100.40.1.0</address>
  <netbits>24</netbits>
 </remoteid>
 <protocol>esp</protocol>
 <encryption-algorithm-option>
  <name>aes</name>
  <keylen>256</keylen>
 </encryption-algorithm-option>
 <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
 <pfsgroup>2</pfsgroup>
 <lifetime>3600</lifetime>
 <pinghost/>
 <descr><![CDATA[IPSec Phase 2 2]]></descr>
</phase2>

How could I resolve this issue?

Best regards
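A small triage helper, added here and not part of the ticket or of pfSense/strongSwan: it groups the charon lines above by IKEv1 Quick Mode message ID, so the two exchanges can be told apart at a glance. The locally initiated exchange 156018472 fails the HASH check on every retransmit, while the peer-initiated exchange 3901313929 establishes the 100.128.2.0/24 child SA. The sample log is a constructed, abridged copy of the lines quoted in the ticket.

```python
import re
from collections import defaultdict

# Constructed sample: an abridged copy of the charon lines quoted in the ticket.
SAMPLE_LOG = """\
Oct 23 17:47:14 charon: 06[ENC] <con2|1> parsed QUICK_MODE response 156018472 [ HASH SA No KE ID ID ]
Oct 23 17:47:14 charon: 06[ENC] <con2|1> received HASH payload does not match
Oct 23 17:47:14 charon: 06[IKE] <con2|1> integrity check failed
Oct 23 17:47:14 charon: 06[IKE] <con2|1> QUICK_MODE response with message ID 156018472 processing failed
Oct 23 17:47:18 charon: 06[IKE] <con2|1> sending retransmit 1 of request message ID 156018472, seq 1
Oct 23 17:47:19 charon: 08[ENC] <con2|1> parsed QUICK_MODE request 3901313929 [ HASH SA No KE ID ID ]
Oct 23 17:47:19 charon: 08[IKE] <con2|1> CHILD_SA con2{5} established with SPIs cbe54f7b_i c8565f41_o and TS 100.128.2.0/24|/0 === 100.40.1.0/24|/0
Oct 23 17:47:19 charon: 08[ENC] <con2|1> parsed QUICK_MODE response 156018472 [ HASH SA No KE ID ID ]
Oct 23 17:47:19 charon: 08[ENC] <con2|1> received HASH payload does not match
Oct 23 17:47:19 charon: 08[IKE] <con2|1> QUICK_MODE response with message ID 156018472 processing failed
"""

LINE_RE = re.compile(r"charon: (?P<thread>\d+)\[(?P<sub>\w+)\] <(?P<conn>[^>]+)> (?P<msg>.*)$")
PARSED_RE = re.compile(r"parsed QUICK_MODE (?P<kind>request|response) (?P<mid>\d+)")
RETRANS_RE = re.compile(r"sending retransmit \d+ of request message ID (?P<mid>\d+)")
FAILED_RE = re.compile(r"QUICK_MODE response with message ID (?P<mid>\d+) processing failed")
ESTAB_RE = re.compile(r"CHILD_SA \S+ established with SPIs \S+ \S+ and TS (?P<ts>.*)$")

def analyze_quick_mode(log_text):
    """Summarise each IKEv1 Quick Mode exchange in a charon log, keyed by message ID."""
    exchanges = defaultdict(lambda: {"role": None, "failures": 0, "retransmits": 0,
                                     "hash_mismatch": 0, "established": None})
    last_mid = {}  # last message ID seen on each charon worker thread (the NN in "NN[IKE]")
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        thread, msg = m.group("thread"), m.group("msg")
        if (p := PARSED_RE.match(msg)):
            mid = p.group("mid")
            # A parsed *request* was started by the peer; a parsed *response* answers our own request.
            exchanges[mid]["role"] = "peer-initiated" if p.group("kind") == "request" else "locally-initiated"
            last_mid[thread] = mid
        elif (r := RETRANS_RE.match(msg)):
            exchanges[r.group("mid")]["retransmits"] += 1
        elif (f := FAILED_RE.match(msg)):
            exchanges[f.group("mid")]["failures"] += 1
        elif msg.startswith("received HASH payload does not match") and thread in last_mid:
            # No message ID on this line: attribute it to the exchange that thread just parsed.
            exchanges[last_mid[thread]]["hash_mismatch"] += 1
        elif (e := ESTAB_RE.match(msg)) and thread in last_mid:
            exchanges[last_mid[thread]]["established"] = e.group("ts")
    return dict(exchanges)
```

Run it on the full log from /var/log/ipsec.log to get one entry per message ID; an exchange with retransmits, hash mismatches and no established TS is the one the peer is not answering consistently.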

#1

Updated by Chris Buechler almost 10 years ago

  • Status changed from New to Not a Bug
  • Affected Version deleted (2.2.2)

That's a config problem; please use one of our available support resources for assistance: https://pfsense.org/support

If you're still on 2.2.2, first upgrade to 2.2.4.

#2

Updated by Marco Messina almost 10 years ago

This is the correct configuration on my pfSense.
Please, could you tell me where the configuration error is?

<phase1>
 <ikeid>2</ikeid>
 <iketype>auto</iketype>
 <interface>lan</interface>
 <remote-gateway>10.130.34.250</remote-gateway>
 <protocol>inet</protocol>
 <myid_type>address</myid_type>
 <myid_data>10.130.4.161</myid_data>
 <peerid_type>address</peerid_type>
 <peerid_data>10.130.34.250</peerid_data>
 <encryption-algorithm>
  <name>aes</name>
  <keylen>256</keylen>
 </encryption-algorithm>
 <hash-algorithm>sha1</hash-algorithm>
 <dhgroup>2</dhgroup>
 <lifetime>28800</lifetime>
 <pre-shared-key>12345678</pre-shared-key>
 <private-key/>
 <certref/>
 <caref/>
 <authentication_method>pre_shared_key</authentication_method>
 <descr><![CDATA[IPSec Phase 1]]></descr>
 <nat_traversal>on</nat_traversal>
 <mobike>off</mobike>
 <dpd_delay>120</dpd_delay>
 <dpd_maxfail>5</dpd_maxfail>
</phase1>

<phase2>
 <ikeid>2</ikeid>
 <uniqid>5627a4dc9581e</uniqid>
 <mode>tunnel</mode>
 <reqid>2</reqid>
 <localid>
  <type>network</type>
  <address>100.128.1.0</address>
  <netbits>24</netbits>
 </localid>
 <remoteid>
  <type>network</type>
  <address>100.40.1.0</address>
  <netbits>24</netbits>
 </remoteid>
 <protocol>esp</protocol>
 <encryption-algorithm-option>
  <name>aes</name>
  <keylen>256</keylen>
 </encryption-algorithm-option>
 <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
 <pfsgroup>2</pfsgroup>
 <lifetime>3600</lifetime>
 <pinghost/>
 <descr><![CDATA[IPSec Phase 2 1]]></descr>
</phase2>

<phase2>
 <ikeid>2</ikeid>
 <uniqid>562a512047398</uniqid>
 <mode>tunnel</mode>
 <reqid>3</reqid>
 <localid>
  <type>network</type>
  <address>100.128.2.0</address>
  <netbits>24</netbits>
 </localid>
 <remoteid>
  <type>network</type>
  <address>100.40.1.0</address>
  <netbits>24</netbits>
 </remoteid>
 <protocol>esp</protocol>
 <encryption-algorithm-option>
  <name>aes</name>
  <keylen>256</keylen>
 </encryption-algorithm-option>
 <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
 <pfsgroup>2</pfsgroup>
 <lifetime>3600</lifetime>
 <pinghost/>
 <descr><![CDATA[IPSec Phase 2 2]]></descr>
</phase2>

Best regards.

#3

Updated by Chris Buechler almost 10 years ago

Some sort of mismatch with the other end. Can't help with that here; please use the forum or other support resources.
