Bug #5339

closed

IPSec with 2 phases 2

Added by Marco Messina over 9 years ago. Updated over 9 years ago.

Status:
Not a Bug
Priority:
Normal
Assignee:
-
Category:
IPsec
Target version:
-
Start date:
10/23/2015
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
Affected Architecture:
All

Description

Good morning,
I tried to create an IPsec tunnel with two Phase 2 entries, but I received the following error:

Oct 23 17:47:14 charon: 06[ENC] <con2|1> parsed QUICK_MODE request 2748080475 [ HASH ]
Oct 23 17:47:14 charon: 06[IKE] <con2|1> sa payload missing
Oct 23 17:47:14 charon: 06[IKE] <con2|1> sa payload missing
Oct 23 17:47:14 charon: 06[NET] <con2|1> received packet: from 10.130.34.250[500] to 10.130.4.161[500] (348 bytes)
Oct 23 17:47:14 charon: 06[ENC] <con2|1> parsed QUICK_MODE response 156018472 [ HASH SA No KE ID ID ]
Oct 23 17:47:14 charon: 06[ENC] <con2|1> received HASH payload does not match
Oct 23 17:47:14 charon: 06[IKE] <con2|1> integrity check failed
Oct 23 17:47:14 charon: 06[IKE] <con2|1> integrity check failed
Oct 23 17:47:14 charon: 06[ENC] <con2|1> generating INFORMATIONAL_V1 request 2308555727 [ HASH N(INVAL_HASH) ]
Oct 23 17:47:14 charon: 06[NET] <con2|1> sending packet: from 10.130.4.161[500] to 10.130.34.250[500] (76 bytes)
Oct 23 17:47:14 charon: 06[IKE] <con2|1> QUICK_MODE response with message ID 156018472 processing failed
Oct 23 17:47:14 charon: 06[IKE] <con2|1> QUICK_MODE response with message ID 156018472 processing failed
Oct 23 17:47:18 charon: 06[IKE] <con2|1> sending retransmit 1 of request message ID 156018472, seq 1
Oct 23 17:47:18 charon: 06[IKE] <con2|1> sending retransmit 1 of request message ID 156018472, seq 1
Oct 23 17:47:18 charon: 06[NET] <con2|1> sending packet: from 10.130.4.161[500] to 10.130.34.250[500] (316 bytes)
Oct 23 17:47:18 charon: 06[NET] <con2|1> received packet: from 10.130.34.250[500] to 10.130.4.161[500] (348 bytes)
Oct 23 17:47:18 charon: 06[ENC] <con2|1> parsed QUICK_MODE response 156018472 [ HASH SA No KE ID ID ]
Oct 23 17:47:18 charon: 06[ENC] <con2|1> received HASH payload does not match
Oct 23 17:47:18 charon: 06[IKE] <con2|1> integrity check failed
Oct 23 17:47:18 charon: 06[IKE] <con2|1> integrity check failed
Oct 23 17:47:18 charon: 06[ENC] <con2|1> generating INFORMATIONAL_V1 request 3627683057 [ HASH N(INVAL_HASH) ]
Oct 23 17:47:18 charon: 06[NET] <con2|1> sending packet: from 10.130.4.161[500] to 10.130.34.250[500] (76 bytes)
Oct 23 17:47:18 charon: 06[IKE] <con2|1> QUICK_MODE response with message ID 156018472 processing failed
Oct 23 17:47:18 charon: 06[IKE] <con2|1> QUICK_MODE response with message ID 156018472 processing failed
Oct 23 17:47:19 charon: 08[NET] <con2|1> received packet: from 10.130.34.250[500] to 10.130.4.161[500] (348 bytes)
Oct 23 17:47:19 charon: 08[ENC] <con2|1> parsed QUICK_MODE request 3901313929 [ HASH SA No KE ID ID ]
Oct 23 17:47:19 charon: 08[ENC] <con2|1> generating QUICK_MODE response 3901313929 [ HASH SA No KE ID ID ]
Oct 23 17:47:19 charon: 08[NET] <con2|1> sending packet: from 10.130.4.161[500] to 10.130.34.250[500] (316 bytes)
Oct 23 17:47:19 charon: 08[NET] <con2|1> received packet: from 10.130.34.250[500] to 10.130.4.161[500] (60 bytes)
Oct 23 17:47:19 charon: 08[ENC] <con2|1> parsed QUICK_MODE request 3901313929 [ HASH ]
Oct 23 17:47:19 charon: 08[IKE] <con2|1> CHILD_SA con2{5} established with SPIs cbe54f7b_i c8565f41_o and TS 100.128.2.0/24|/0 === 100.40.1.0/24|/0
Oct 23 17:47:19 charon: 08[IKE] <con2|1> CHILD_SA con2{5} established with SPIs cbe54f7b_i c8565f41_o and TS 100.128.2.0/24|/0 === 100.40.1.0/24|/0
Oct 23 17:47:19 charon: 08[NET] <con2|1> received packet: from 10.130.34.250[500] to 10.130.4.161[500] (348 bytes)
Oct 23 17:47:19 charon: 08[ENC] <con2|1> parsed QUICK_MODE response 156018472 [ HASH SA No KE ID ID ]
Oct 23 17:47:19 charon: 08[ENC] <con2|1> received HASH payload does not match
Oct 23 17:47:19 charon: 08[IKE] <con2|1> integrity check failed
Oct 23 17:47:19 charon: 08[IKE] <con2|1> integrity check failed
Oct 23 17:47:19 charon: 08[ENC] <con2|1> generating INFORMATIONAL_V1 request 1922165167 [ HASH N(INVAL_HASH) ]
Oct 23 17:47:19 charon: 08[NET] <con2|1> sending packet: from 10.130.4.161[500] to 10.130.34.250[500] (76 bytes)
Oct 23 17:47:19 charon: 08[IKE] <con2|1> QUICK_MODE response with message ID 156018472 processing failed
Oct 23 17:47:19 charon: 08[IKE] <con2|1> QUICK_MODE response with message ID 156018472 processing failed

Only the second Phase 2 works well.
With only one Phase 2 I don't have any problems.
You can find my configuration below:

<phase1>
 <ikeid>2</ikeid>
 <iketype>auto</iketype>
 <interface>lan</interface>
 <remote-gateway>10.130.34.250</remote-gateway>
 <protocol>inet</protocol>
 <myid_type>address</myid_type>
 <myid_data>10.130.4.161</myid_data>
 <peerid_type>address</peerid_type>
 <peerid_data>10.130.34.250</peerid_data>
 <encryption-algorithm>
  <name>aes</name>
  <keylen>256</keylen>
 </encryption-algorithm>
 <hash-algorithm>sha1</hash-algorithm>
 <dhgroup>2</dhgroup>
 <lifetime>28800</lifetime>
 <pre-shared-key>12345678</pre-shared-key>
 <private-key/>
 <certref/>
 <caref/>
 <authentication_method>pre_shared_key</authentication_method>
 <descr><![CDATA[IPSec Phase 1]]></descr>
 <nat_traversal>on</nat_traversal>
 <mobike>off</mobike>
 <dpd_delay>120</dpd_delay>
 <dpd_maxfail>5</dpd_maxfail>
</phase1>

<phase2>
 <ikeid>2</ikeid>
 <uniqid>5627a4dc9581e</uniqid>
 <mode>tunnel</mode>
 <reqid>2</reqid>
 <localid>
  <type>network</type>
  <address>100.128.1.0</address>
  <netbits>24</netbits>
 </localid>
 <remoteid>
  <type>network</type>
  <address>100.40.1.0</address>
  <netbits>24</netbits>
 </remoteid>
 <protocol>esp</protocol>
 <encryption-algorithm-option>
  <name>aes</name>
  <keylen>256</keylen>
 </encryption-algorithm-option>
 <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
 <pfsgroup>2</pfsgroup>
 <lifetime>3600</lifetime>
 <pinghost/>
 <descr><![CDATA[IPSec Phase 2 1]]></descr>
</phase2>

<phase2>
 <ikeid>2</ikeid>
 <uniqid>562a512047398</uniqid>
 <mode>tunnel</mode>
 <reqid>3</reqid>
 <localid>
  <type>network</type>
  <address>100.128.2.0</address>
  <netbits>24</netbits>
 </localid>
 <remoteid>
  <type>network</type>
  <address>100.40.1.0</address>
  <netbits>24</netbits>
 </remoteid>
 <protocol>esp</protocol>
 <encryption-algorithm-option>
  <name>aes</name>
  <keylen>256</keylen>
 </encryption-algorithm-option>
 <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
 <pfsgroup>2</pfsgroup>
 <lifetime>3600</lifetime>
 <pinghost/>
 <descr><![CDATA[IPSec Phase 2 2]]></descr>
</phase2>

How could I resolve this issue?

Best regards
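The log above shows two distinct Quick Mode exchanges on the same ISAKMP SA: message ID 156018472, initiated locally, fails its HASH check on every response (the local end answers with an INVAL_HASH notification and retransmits), while message ID 3901313929, initiated by the peer, brings up a CHILD_SA for 100.128.2.0/24 === 100.40.1.0/24. A quick way to see which configured Phase 2 selectors actually came up is to parse the charon lines and cross-check them against the phase2 entries in the pfSense config. The script below is an added example for this report, not pfSense or strongSwan code; its sample log and config are constructed from the lines quoted in the description, and it assumes `network` type selectors (not `address` or `lan`) and the plain `net/mask|/proto` traffic-selector format charon prints here.

```python
"""Triage strongSwan (charon) IKEv1 Quick Mode logs against pfSense phase2 entries.

Added example for this report; not pfSense or strongSwan code. SAMPLE_LOG and
SAMPLE_CONFIG are constructed from the lines quoted in the bug description.
"""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: a subset of the charon log lines quoted in the report.
SAMPLE_LOG = """\
Oct 23 17:47:14 charon: 06[ENC] <con2|1> parsed QUICK_MODE response 156018472 [ HASH SA No KE ID ID ]
Oct 23 17:47:14 charon: 06[ENC] <con2|1> received HASH payload does not match
Oct 23 17:47:14 charon: 06[IKE] <con2|1> integrity check failed
Oct 23 17:47:14 charon: 06[ENC] <con2|1> generating INFORMATIONAL_V1 request 2308555727 [ HASH N(INVAL_HASH) ]
Oct 23 17:47:14 charon: 06[IKE] <con2|1> QUICK_MODE response with message ID 156018472 processing failed
Oct 23 17:47:18 charon: 06[IKE] <con2|1> sending retransmit 1 of request message ID 156018472, seq 1
Oct 23 17:47:19 charon: 08[ENC] <con2|1> parsed QUICK_MODE request 3901313929 [ HASH SA No KE ID ID ]
Oct 23 17:47:19 charon: 08[IKE] <con2|1> CHILD_SA con2{5} established with SPIs cbe54f7b_i c8565f41_o and TS 100.128.2.0/24|/0 === 100.40.1.0/24|/0
"""

# Constructed sample: the two phase2 entries from the report, wrapped in a root element.
SAMPLE_CONFIG = """\
<ipsec>
 <phase2><ikeid>2</ikeid><reqid>2</reqid>
  <localid><type>network</type><address>100.128.1.0</address><netbits>24</netbits></localid>
  <remoteid><type>network</type><address>100.40.1.0</address><netbits>24</netbits></remoteid>
  <descr>IPSec Phase 2 1</descr></phase2>
 <phase2><ikeid>2</ikeid><reqid>3</reqid>
  <localid><type>network</type><address>100.128.2.0</address><netbits>24</netbits></localid>
  <remoteid><type>network</type><address>100.40.1.0</address><netbits>24</netbits></remoteid>
  <descr>IPSec Phase 2 2</descr></phase2>
</ipsec>
"""

ESTABLISHED = re.compile(
    r"CHILD_SA (?P<name>\S+) established with SPIs (?P<spi_in>[0-9a-f]+)_i "
    r"(?P<spi_out>[0-9a-f]+)_o and TS (?P<local>\S+) === (?P<remote>\S+)")
FAILED = re.compile(r"QUICK_MODE (request|response) with message ID (?P<mid>\d+) processing failed")
RETRANSMIT = re.compile(r"sending retransmit (?P<n>\d+) of request message ID (?P<mid>\d+)")
HASH_MISMATCH = re.compile(r"received HASH payload does not match")


def _selector(ts: str) -> str:
    """'100.128.2.0/24|/0' -> '100.128.2.0/24' (drop charon's protocol/port suffix)."""
    return ts.split("|", 1)[0]


def parse_phase2(xml_text: str) -> dict:
    """Map each phase2 <descr> to its (local CIDR, remote CIDR) pair."""
    entries = {}
    for p2 in ET.fromstring(xml_text).iter("phase2"):
        pair = []
        for side in ("localid", "remoteid"):
            node = p2.find(side)
            if node.findtext("type") != "network":  # assumption: only network selectors handled
                raise ValueError(f"{side}: only <type>network</type> is handled in this example")
            pair.append(f"{node.findtext('address')}/{node.findtext('netbits')}")
        entries[p2.findtext("descr")] = tuple(pair)
    return entries


def parse_log(text: str) -> dict:
    """Collect established TS pairs, failed Quick Mode message IDs, retransmits and HASH failures."""
    established, failed, retransmits, mismatches = set(), set(), defaultdict(int), 0
    for line in text.splitlines():
        if m := ESTABLISHED.search(line):
            established.add((_selector(m["local"]), _selector(m["remote"])))
        elif m := FAILED.search(line):
            failed.add(m["mid"])
        elif m := RETRANSMIT.search(line):
            retransmits[m["mid"]] = max(retransmits[m["mid"]], int(m["n"]))
        elif HASH_MISMATCH.search(line):
            mismatches += 1
    return {"established": established, "failed": failed,
            "retransmits": dict(retransmits), "hash_mismatches": mismatches}


def triage(xml_text: str, log_text: str) -> dict:
    """Report which configured phase2 selectors came up and what failed in Quick Mode."""
    cfg, log = parse_phase2(xml_text), parse_log(log_text)
    status = {descr: ("established" if pair in log["established"] else "not established")
              for descr, pair in cfg.items()}
    return {"phase2": status, "failed_message_ids": sorted(log["failed"]),
            "retransmits": log["retransmits"], "hash_mismatches": log["hash_mismatches"]}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_CONFIG, SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against a full `/var/log/ipsec.log` and the `<ipsec>` section of `config.xml`, the report separates "this selector never established" from "this exchange failed authentication". In IKEv1 a Quick Mode response whose HASH does not verify is discarded unauthenticated, so nothing in that message (including the peer's proposed selectors) can be trusted; the only reliable signal is which CHILD_SAs did establish, which is why the script keys on the `established with ... TS` lines rather than on the failed response payloads.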

Actions #1

Updated by Chris Buechler over 9 years ago

  • Status changed from New to Not a Bug
  • Affected Version deleted (2.2.2)

That's a config problem; please use one of our available support resources for assistance. https://pfsense.org/support

If you're still on 2.2.2, first upgrade to 2.2.4.

Actions #2

Updated by Marco Messina over 9 years ago

This is the correct configuration on my pfSense.
Could you please tell me where the configuration error is?

<phase1>
 <ikeid>2</ikeid>
 <iketype>auto</iketype>
 <interface>lan</interface>
 <remote-gateway>10.130.34.250</remote-gateway>
 <protocol>inet</protocol>
 <myid_type>address</myid_type>
 <myid_data>10.130.4.161</myid_data>
 <peerid_type>address</peerid_type>
 <peerid_data>10.130.34.250</peerid_data>
 <encryption-algorithm>
  <name>aes</name>
  <keylen>256</keylen>
 </encryption-algorithm>
 <hash-algorithm>sha1</hash-algorithm>
 <dhgroup>2</dhgroup>
 <lifetime>28800</lifetime>
 <pre-shared-key>12345678</pre-shared-key>
 <private-key/>
 <certref/>
 <caref/>
 <authentication_method>pre_shared_key</authentication_method>
 <descr><![CDATA[IPSec Phase 1]]></descr>
 <nat_traversal>on</nat_traversal>
 <mobike>off</mobike>
 <dpd_delay>120</dpd_delay>
 <dpd_maxfail>5</dpd_maxfail>
</phase1>

<phase2>
 <ikeid>2</ikeid>
 <uniqid>5627a4dc9581e</uniqid>
 <mode>tunnel</mode>
 <reqid>2</reqid>
 <localid>
  <type>network</type>
  <address>100.128.1.0</address>
  <netbits>24</netbits>
 </localid>
 <remoteid>
  <type>network</type>
  <address>100.40.1.0</address>
  <netbits>24</netbits>
 </remoteid>
 <protocol>esp</protocol>
 <encryption-algorithm-option>
  <name>aes</name>
  <keylen>256</keylen>
 </encryption-algorithm-option>
 <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
 <pfsgroup>2</pfsgroup>
 <lifetime>3600</lifetime>
 <pinghost/>
 <descr><![CDATA[IPSec Phase 2 1]]></descr>
</phase2>

<phase2>
 <ikeid>2</ikeid>
 <uniqid>562a512047398</uniqid>
 <mode>tunnel</mode>
 <reqid>3</reqid>
 <localid>
  <type>network</type>
  <address>100.128.2.0</address>
  <netbits>24</netbits>
 </localid>
 <remoteid>
  <type>network</type>
  <address>100.40.1.0</address>
  <netbits>24</netbits>
 </remoteid>
 <protocol>esp</protocol>
 <encryption-algorithm-option>
  <name>aes</name>
  <keylen>256</keylen>
 </encryption-algorithm-option>
 <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
 <pfsgroup>2</pfsgroup>
 <lifetime>3600</lifetime>
 <pinghost/>
 <descr><![CDATA[IPSec Phase 2 2]]></descr>
</phase2>

Best regards.

Actions #3

Updated by Chris Buechler over 9 years ago

Some sort of mismatch with the other end. Can't help with that here; please use the forum or other support resources.
