Discussion:
IPSec mobile client not passing traffic back from server
Vick Khera
2011-05-04 15:27:37 UTC
My main office location is on static IP that has mobile IPsec clients
enabled.  We were running 1.2.3 successfully.  I upgraded my home
office to pfSense 2.0RC1 and everything still continued to work.  The
home office was set up to VPN the whole LAN.

When we upgraded the office pfSense to 2.0, the mobile client portion
stopped working, in that no traffic will pass.  The logs show
successful negotiation of the tunnels phase 1 and phase 2. Once I try
to pass traffic, the main office firewall logs these: "ERROR: no
configuration found for 68.50.28.223." and "ERROR: failed to begin
ipsec sa negotication." over and over.

I have no idea what the "trns_id mismatched:" are from. Both ends
have all the phase2 encryption algorithms checked as "on" except DES.

I really don't think it has anything to do with firewall rules,
because the static point-to-point IPsec tunnels from the main office
to the data center work just splendidly with any combination of 1.2.3
and 2.0RC1 software.

The only hint I found was a note in redmine that mobile clients were
not properly supported in ipsec-tools 0.8, which is the version found
on my home office. The main office (and data center) are both running
a February 26 snapshot with ipsec-tools 0.6.6. I wanted to ask here
before I go and upgrade the main office to a more recent snapshot with
the newer ipsec-tools.


The home office is running 2.0RC1 built Mon May 2 17:19:57 EDT 2011.
The main office is running 2.0RC1 built Sat Feb 26 16:00:14 EST 2011.


On my home office firewall:

May 4 10:35:08 racoon: [KCI Main Office (rapiddsl)]: INFO: IPsec-SA
established: ESP 68.50.28.223[500]->69.46.251.130[500]
spi=10457326(0x9f90ee)
May 4 10:35:08 racoon: [KCI Main Office (rapiddsl)]: INFO: IPsec-SA
established: ESP 68.50.28.223[500]->69.46.251.130[500]
spi=145364656(0x8aa16b0)
May 4 10:35:08 racoon: [KCI Main Office (rapiddsl)]: INFO: initiate
new phase 2 negotiation: 68.50.28.223[500]<=>69.46.251.130[500]
May 4 10:35:07 racoon: [KCI Main Office (rapiddsl)]: INFO: ISAKMP-SA
established 68.50.28.223[500]-69.46.251.130[500]
spi:f65fa84c8cfe61c9:e816613c9a0d6c33
May 4 10:35:07 racoon: [Self]: [68.50.28.223] INFO: Hashing
68.50.28.223[500] with algo #2
May 4 10:35:07 racoon: [KCI Main Office (rapiddsl)]: [69.46.251.130]
INFO: Hashing 69.46.251.130[500] with algo #2
May 4 10:35:07 racoon: INFO: Adding remote and local NAT-D payloads.
May 4 10:35:07 racoon: [KCI Main Office (rapiddsl)]: [69.46.251.130]
NOTIFY: couldn't find the proper pskey, try to get one by the peer's
address.
May 4 10:35:07 racoon: INFO: NAT not detected
May 4 10:35:07 racoon: INFO: NAT-D payload #0 verified
May 4 10:35:07 racoon: [KCI Main Office (rapiddsl)]: [69.46.251.130]
INFO: Hashing 69.46.251.130[500] with algo #2
May 4 10:35:07 racoon: INFO: NAT-D payload #-1 verified
May 4 10:35:07 racoon: [Self]: [68.50.28.223] INFO: Hashing
68.50.28.223[500] with algo #2
May 4 10:35:07 racoon: [KCI Main Office (rapiddsl)]: [69.46.251.130]
INFO: Selected NAT-T version: RFC 3947
May 4 10:35:07 racoon: INFO: received Vendor ID: DPD
May 4 10:35:07 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
May 4 10:35:07 racoon: INFO: received Vendor ID: RFC 3947
May 4 10:35:07 racoon: INFO: begin Aggressive mode.
May 4 10:35:07 racoon: [KCI Main Office (rapiddsl)]: INFO: initiate
new phase 1 negotiation: 68.50.28.223[500]<=>69.46.251.130[500]
May 4 10:35:07 racoon: [KCI Main Office (rapiddsl)]: INFO: IPsec-SA
request for 69.46.251.130 queued due to no phase1 found.
May 4 10:35:06 racoon: INFO: unsupported PF_KEY message REGISTER

On the main office firewall:


May 4 10:35:58 racoon: ERROR: failed to begin ipsec sa negotication.
May 4 10:35:58 racoon: ERROR: no configuration found for 68.50.28.223.
May 4 10:35:11 racoon: ERROR: failed to begin ipsec sa negotication.
May 4 10:35:11 racoon: ERROR: no configuration found for 68.50.28.223.
May 4 10:35:08 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy
does not already exist: "192.168.7.0/24[0] 192.168.135.0/24[0]
proto=any dir=out"
May 4 10:35:08 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy
does not already exist: "192.168.135.0/24[0] 192.168.7.0/24[0]
proto=any dir=in"
May 4 10:35:08 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA
established: ESP 69.46.251.130[500]->68.50.28.223[500]
spi=145364656(0x8aa16b0)
May 4 10:35:08 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA
established: ESP 69.46.251.130[500]->68.50.28.223[500]
spi=10457326(0x9f90ee)
May 4 10:35:08 racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:3DES
May 4 10:35:08 racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:3DES
May 4 10:35:08 racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:3DES
May 4 10:35:08 racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:3DES
May 4 10:35:08 racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:3DES
May 4 10:35:08 racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:3DES
May 4 10:35:08 racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:3DES
May 4 10:35:08 racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:3DES
May 4 10:35:08 racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:3DES
May 4 10:35:08 racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:3DES
May 4 10:35:08 racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:3DES
May 4 10:35:08 racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:3DES
May 4 10:35:08 racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:3DES
May 4 10:35:08 racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:3DES
May 4 10:35:08 racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:3DES
May 4 10:35:08 racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:3DES
May 4 10:35:08 racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:3DES
May 4 10:35:08 racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:3DES
May 4 10:35:08 racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:3DES
May 4 10:35:08 racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:3DES
May 4 10:35:08 racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:3DES
May 4 10:35:08 racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:3DES
May 4 10:35:08 racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:3DES
May 4 10:35:08 racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:3DES
May 4 10:35:08 racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:3DES
May 4 10:35:08 racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:3DES
May 4 10:35:08 racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:3DES
May 4 10:35:08 racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:3DES
May 4 10:35:08 racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:3DES
May 4 10:35:08 racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:3DES
May 4 10:35:08 racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:3DES
May 4 10:35:08 racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:3DES
May 4 10:35:08 racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:3DES
May 4 10:35:08 racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:3DES
May 4 10:35:08 racoon: WARNING: trns_id mismatched: my:AES peer:3DES
May 4 10:35:08 racoon: WARNING: trns_id mismatched: my:AES peer:3DES
May 4 10:35:08 racoon: WARNING: trns_id mismatched: my:AES peer:3DES
May 4 10:35:08 racoon: WARNING: trns_id mismatched: my:AES peer:3DES
May 4 10:35:08 racoon: WARNING: trns_id mismatched: my:AES peer:3DES
May 4 10:35:08 racoon: WARNING: trns_id mismatched: my:AES peer:3DES
May 4 10:35:08 racoon: [Unknown Gateway/Dynamic]: INFO: no policy
found, try to generate the policy : 192.168.135.0/24[0]
192.168.7.0/24[0] proto=any dir=in
May 4 10:35:08 racoon: [Unknown Gateway/Dynamic]: INFO: respond new
phase 2 negotiation: 69.46.251.130[500]<=>68.50.28.223[500]
May 4 10:35:07 racoon: [68.50.28.223] INFO: received INITIAL-CONTACT
May 4 10:35:07 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA
established 69.46.251.130[500]-68.50.28.223[500]
spi:f65fa84c8cfe61c9:e816613c9a0d6c33
May 4 10:35:07 racoon: INFO: NAT not detected
May 4 10:35:07 racoon: INFO: NAT-D payload #1 verified
May 4 10:35:07 racoon: [68.50.28.223] INFO: Hashing 68.50.28.223[500]
with algo #2
May 4 10:35:07 racoon: INFO: NAT-D payload #0 verified
May 4 10:35:07 racoon: [69.46.251.130] INFO: Hashing
69.46.251.130[500] with algo #2
May 4 10:35:07 racoon: [69.46.251.130] INFO: Hashing
69.46.251.130[500] with algo #2
May 4 10:35:07 racoon: [68.50.28.223] INFO: Hashing 68.50.28.223[500]
with algo #2
May 4 10:35:07 racoon: INFO: Adding remote and local NAT-D payloads.
May 4 10:35:07 racoon: [68.50.28.223] INFO: Selected NAT-T version: RFC 3947
May 4 10:35:07 racoon: INFO: received Vendor ID: DPD
May 4 10:35:07 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
May 4 10:35:07 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
May 4 10:35:07 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
May 4 10:35:07 racoon: INFO: received Vendor ID: RFC 3947
May 4 10:35:07 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
May 4 10:35:07 racoon: INFO: begin Aggressive mode.
May 4 10:35:07 racoon: [Unknown Gateway/Dynamic]: INFO: respond new
phase 1 negotiation: 69.46.251.130[500]<=>68.50.28.223[500]
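The racoon output above is typical of a "tunnel up, no traffic" case: the repeated trns_id warnings drown out the two lines that matter. As an added example (not code from the post, pfSense or ipsec-tools), the following Python script reduces such a log to counts and plain findings. The message patterns are the racoon lines quoted in the post; SAMPLE_LOG is a constructed subset of those lines, re-joined where the mail wrapped them, keeping the post's addresses and subnets. The wording of the findings encodes the usual meaning of these racoon messages (a kernel ACQUIRE that matched no remote section; per-transform comparison warnings that precede a successful match), which is an interpretation, not something the post confirms.

```python
"""Summarize racoon (ipsec-tools) log lines from a pfSense IPsec responder.

Added example for the post above; not code from the post, pfSense or
ipsec-tools.  The regexes match the racoon lines quoted in the post;
SAMPLE_LOG is a constructed subset of them (syslog lines re-joined where
the mail wrapped them), newest first as the pfSense log viewer shows them.
"""
import re
from collections import Counter

RE_TRNS = re.compile(r"WARNING: trns_id mismatched: my:(\S+) peer:(\S+)")
RE_NOCONF = re.compile(r"ERROR: no configuration found for (\d+(?:\.\d+){3})")
RE_NEGFAIL = re.compile(r"ERROR: failed to begin ipsec sa negoti")  # racoon's own spelling
RE_POLICY = re.compile(r'ERROR: such policy does not already exist: "([^"]+)"')
RE_GENPOL = re.compile(r"INFO: no policy found, try to generate the policy : (.+)$")
RE_ISAKMP = re.compile(r"INFO: ISAKMP-SA established (\S+)-(\S+)")
RE_IPSEC = re.compile(r"INFO: IPsec-SA established: ESP (\S+)->(\S+) spi=(\d+)")

SAMPLE_LOG = """\
May 4 10:35:58 racoon: ERROR: failed to begin ipsec sa negotication.
May 4 10:35:58 racoon: ERROR: no configuration found for 68.50.28.223.
May 4 10:35:11 racoon: ERROR: failed to begin ipsec sa negotication.
May 4 10:35:11 racoon: ERROR: no configuration found for 68.50.28.223.
May 4 10:35:08 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.7.0/24[0] 192.168.135.0/24[0] proto=any dir=out"
May 4 10:35:08 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.135.0/24[0] 192.168.7.0/24[0] proto=any dir=in"
May 4 10:35:08 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP 69.46.251.130[500]->68.50.28.223[500] spi=145364656(0x8aa16b0)
May 4 10:35:08 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP 69.46.251.130[500]->68.50.28.223[500] spi=10457326(0x9f90ee)
May 4 10:35:08 racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:3DES
May 4 10:35:08 racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:3DES
May 4 10:35:08 racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:3DES
May 4 10:35:08 racoon: WARNING: trns_id mismatched: my:AES peer:3DES
May 4 10:35:08 racoon: WARNING: trns_id mismatched: my:AES peer:3DES
May 4 10:35:08 racoon: [Unknown Gateway/Dynamic]: INFO: no policy found, try to generate the policy : 192.168.135.0/24[0] 192.168.7.0/24[0] proto=any dir=in
May 4 10:35:07 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established 69.46.251.130[500]-68.50.28.223[500] spi:f65fa84c8cfe61c9:e816613c9a0d6c33
"""


def summarize(text):
    """Count the racoon events that matter for a tunnel that negotiates but passes nothing."""
    s = {
        "trns_mismatch": Counter(),   # (local transform, peer transform) -> occurrences
        "no_config": Counter(),       # peer address racoon had no remote section for
        "negotiation_failed": 0,
        "missing_policy": [],         # SPD entries racoon looked for and did not find
        "generated_policy": [],       # SPD entries racoon created for the dynamic peer
        "isakmp_sa": 0,               # phase 1 completions
        "ipsec_sa": Counter(),        # (src, dst) -> ESP SAs (one per direction)
    }
    for line in text.splitlines():
        if m := RE_TRNS.search(line):
            s["trns_mismatch"][(m.group(1), m.group(2))] += 1
        elif m := RE_NOCONF.search(line):
            s["no_config"][m.group(1)] += 1
        elif RE_NEGFAIL.search(line):
            s["negotiation_failed"] += 1
        elif m := RE_POLICY.search(line):
            s["missing_policy"].append(m.group(1))
        elif m := RE_GENPOL.search(line):
            s["generated_policy"].append(m.group(1))
        elif RE_ISAKMP.search(line):
            s["isakmp_sa"] += 1
        elif m := RE_IPSEC.search(line):
            s["ipsec_sa"][(m.group(1), m.group(2))] += 1
    return s


def diagnose(s):
    """Turn the counts into findings; the interpretations are the usual racoon meanings."""
    findings = []
    sas = sum(s["ipsec_sa"].values())
    if s["isakmp_sa"] and sas:
        findings.append(f"Phase 1 and phase 2 completed: {s['isakmp_sa']} ISAKMP-SA, {sas} ESP SAs.")
    if s["trns_mismatch"]:
        pairs = ", ".join(f"my:{a} peer:{b} x{n}" for (a, b), n in sorted(s["trns_mismatch"].items()))
        outcome = "an IPsec-SA was still established, so a common transform was found" if sas \
            else "no IPsec-SA followed, so no common transform was agreed"
        findings.append(f"trns_id warnings ({pairs}) are one line per local transform compared "
                        f"against the peer's proposal; {outcome}.")
    for ip, n in s["no_config"].items():
        findings.append(f"'no configuration found for {ip}' x{n}: the kernel asked racoon to negotiate "
                        f"an SA with {ip}, but no remote section matched that address; negotiation "
                        f"was abandoned {s['negotiation_failed']} time(s). Check the mobile client "
                        f"(dynamic peer) section and its local/remote networks.")
    for pol in s["missing_policy"]:
        findings.append(f"No SPD entry for '{pol}'; racoon generated "
                        f"{len(s['generated_policy'])} policy(ies) for the dynamic peer instead.")
    return findings


if __name__ == "__main__":
    for f in diagnose(summarize(SAMPLE_LOG)):
        print("-", f)
```

Run against a full racoon log (for example the output of the pfSense IPsec log page pasted into a file), the summary collapses the 40 repeated warnings in the post into two counted lines and leaves the "no configuration found" errors standing out as the events to investigate.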
