IPSec Tunnel between UTM 9 and Pfsense 2.4.1

Hi Guys

 

I'd be appreciate if someone help me with this crazy (yet should be well easy) IPSec Tunnel between two FWs. I followed this dude's vlog, but i got no luck yet..

This is what I see from IPSEC VPN* log from Webadmin portal of UTM9 ...

 

Office1" #320503: max number of retransmissions (2) reached STATE_MAIN_I2
2017:11:14-08:53:55 89 pluto[5611]: "Office1" #320503: starting keying attempt 2 of an unlimited number
2017:11:14-08:53:55 89 pluto[5611]: "Office1" #320506: initiating Main Mode to replace #320503
2017:11:14-08:53:55 89 pluto[5611]: "Office1" #320506: received Vendor ID payload [XAUTH]
2017:11:14-08:53:55 89 pluto[5611]: "Office1" #320506: received Vendor ID payload [Dead Peer Detection]
2017:11:14-08:53:55 89 pluto[5611]: "Office1" #320506: received Vendor ID payload [RFC 3947]
2017:11:14-08:53:55 89 pluto[5611]: "Office1" #320506: enabling possible NAT-traversal with method 3
2017:11:14-08:53:55 89 pluto[5611]: "Office1" #320506: Informational Exchange message must be encrypted
 
I have other 3 active IPSec tunnels which are between other UTMs. On PFsense i have another 3 active mainly from AWS VPN.
From the pfsense this is what i see
 
 
ov 14 08:17:42 charon 11[IKE] <con8000|1055> initiating Main Mode IKE_SA con8000[1055] to 10.254.254.126
Nov 14 08:17:42 charon 11[ENC] <con8000|1055> generating ID_PROT request 0 [ SA V V V V V ]
Nov 14 08:17:42 charon 11[NET] <con8000|1055> sending packet: from 77.75.101.166[500] to 10.254.254.126[500] (180 bytes)
 
PFSense is on Connecting mode and then disconnects..
 
  • That's not enough of the logs to see what's happening.

    1. Confirm that Debug is not enabled.
    2. Disable the IPsec Connection.
    3. Start the IPsec Live Log and wait for it to begin to populate.
    4. Enable the IPsec Connection.
    5. Show us about 60 lines from enabling through the error.

    Cheers - Bob

  • In reply to BAlfson:

    Hi Bob

     

    Debug tab all the checks are 'unchecked'

    Disabled the IPSec Connections

    Started the IPSec Live Log

    Enabled the only one that is not working..

    here are the lines from the log. had to trim some of them lines because other calls were happening from other UTMs.

    Live Log: IPsec VPN
    Filter:
    Autoscroll
    Reload
    Live Log: IPsec VPN
    Filter:
    Autoscroll
    Reload
    2017:11:23-09:20:08 89 pluto[5611]: forgetting secrets
    2017:11:23-09:20:08 89 pluto[5611]: loading secrets from "/etc/ipsec.secrets"
    2017:11:23-09:20:08 89 pluto[5611]: loaded private key from 'Local X509 Cert.pem'
    2017:11:23-09:20:08 89 pluto[5611]: loaded PSK secret for 10.254.254.126 77.75.101.166
    2017:11:23-09:20:08 89 pluto[5611]: listening for IKE messages
    2017:11:23-09:20:08 89 pluto[5611]: forgetting secrets
    2017:11:23-09:20:08 89 pluto[5611]: loading secrets from "/etc/ipsec.secrets"
    2017:11:23-09:20:08 89 pluto[5611]: loaded private key from 'Local X509 Cert.pem'
    2017:11:23-09:20:08 89 pluto[5611]: loaded PSK secret for 10.254.254.126 77.75.101.166
    2017:11:23-09:20:08 89 pluto[5611]: loading ca certificates from '/etc/ipsec.d/cacerts'
    2017:11:23-09:20:08 89 pluto[5611]: loaded ca certificate from '/etc/ipsec.d/cacerts/snipployalty Verification CA 1.pem'
    2017:11:23-09:20:08 89 pluto[5611]: loaded ca certificate from '/etc/ipsec.d/cacerts/snipployalty Verification CA 3.pem'
    2017:11:23-09:20:08 89 pluto[5611]: loaded ca certificate from '/etc/ipsec.d/cacerts/Snipp_2017 Verification CA 1.pem'
    2017:11:23-09:20:08 89 pluto[5611]: loaded ca certificate from '/etc/ipsec.d/cacerts/snipployalty Verification CA 2.pem'
    2017:11:23-09:20:08 89 pluto[5611]: loaded ca certificate from '/etc/ipsec.d/cacerts/VPN Signing CA.pem'
    2017:11:23-09:20:08 89 pluto[5611]: loading aa certificates from '/etc/ipsec.d/aacerts'
    2017:11:23-09:20:08 89 pluto[5611]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
    2017:11:23-09:20:08 89 pluto[5611]: loading attribute certificates from '/etc/ipsec.d/acerts'
    2017:11:23-09:20:08 89 pluto[5611]: Changing to directory '/etc/ipsec.d/crls'
    2017:11:23-09:20:08 89 pluto[5611]: added connection description "Office1"
    2017:11:23-09:20:08 89 pluto[5611]: "Office1" #355978: initiating Main Mode
    2017:11:23-09:20:08 89 pluto[5611]: "Office1" #355978: received Vendor ID payload [XAUTH]
    2017:11:23-09:20:08 89 pluto[5611]: "Office1" #355978: received Vendor ID payload [Dead Peer Detection]
    2017:11:23-09:20:08 89 pluto[5611]: "Office1" #355978: received Vendor ID payload [RFC 3947]
    2017:11:23-09:20:08 89 pluto[5611]: "Office1" #355978: enabling possible NAT-traversal with method 3
    2017:11:23-09:20:09 89 pluto[5611]: "Office1" #355978: Informational Exchange message must be encrypted
    2017:11:23-09:21:18 89 pluto[5611]: "Office1" #355978: max number of retransmissions (2) reached STATE_MAIN_I2

    Thanks

  • In reply to ciwan:

    I deleted the lines after the tell-tale ones.

    My best guess is that the PSKs don't match.  Try a simple once on both sides - does it work then?

    Cheers - Bob

  • In reply to BAlfson:

    Hi Bob

    I tried that before already... 

    makes no difference...

    2017:11:24-08:35:03 89 pluto[5611]: "Office1" #359563: max number of retransmissions (2) reached STATE_MAIN_I2
    2017:11:24-08:35:03 89 pluto[5611]: "Office1" #359563: starting keying attempt 2 of an unlimited number
    2017:11:24-08:35:03 89 pluto[5611]: "Office1" #359567: initiating Main Mode to replace #359563
    2017:11:24-08:35:03 89 pluto[5611]: "Office1" #359567: received Vendor ID payload [XAUTH]
    2017:11:24-08:35:03 89 pluto[5611]: "Office1" #359567: received Vendor ID payload [Dead Peer Detection]
    2017:11:24-08:35:03 89 pluto[5611]: "Office1" #359567: received Vendor ID payload [RFC 3947]
    2017:11:24-08:35:03 89 pluto[5611]: "Office1" #359567: enabling possible NAT-traversal with method 3
    2017:11:24-08:35:03 89 pluto[5611]: "Office1" #359567: Informational Exchange message must be encrypted

     

    Is there any other way i can set up IPSec Tunnel between those two FWs?

    the only i thing I haven't tried is that to reboot the UTM 9 FW. I'll do that this evening out of business hours. 

    Thanks

  • In reply to ciwan:

    Confirm that DPD and NAT-T are enabled on both sides.  If that doesn't resolve this, show pictures of the Edits of the IPsec Connection, Remote Gateway and IPsec Policy.  Also pictures of the corresponding settings in the pfSense.

    Cheers - Bob
    PS Moving this thread to the VPN forum.

  • In reply to BAlfson:

    Hi  yes they are enabled on both side. See attached secreenshots for both settings.UTM_PFSense_Settings.docx

     

    thanks hope this helps.

  • In reply to ciwan:

    In the UTM, instead of 'VPN ID type: Hostname', use "IP Address" - this is standard practice, but isn't the problem here, I think.  Same with the 'IKE SA lifetime: 3600', standard practice is to have that longer than the 'IPsec SA lifetime', but it's not the problem here.

    I'm not that familiar with the pfSense, but I bet that telling it that your public IP is 10.254.254.126 is the problem.  Change that to the public IP that's NAT'd to your UTM and 'Peer identifier' to 10.254.254.126.  If that doesn't fix this problem, then change the pfSense to 'Responser only'.  Any luck with any of that?

    If not, then we'll also need to see the Edit of the IPsec Connection and some log lines...

    1. Confirm that Debug is not enabled.
    2. Disable the IPsec Connection.
    3. Start the IPsec Live Log and wait for it to begin to populate.
    4. Enable the IPsec Connection.
    5. Show us about 60 lines from enabling through the error.

    Cheers - Bob

  • In reply to BAlfson:

    Changed that to the public IP that's NAT'd to my UTM'sUTM_PFSense_Settings2.docx and 'Peer identifier' to 10.254.254.126. still no joy, see attached.

  • In reply to ciwan:

    "Possible authentication failure: no acceptable response to our first encrypted message"

    The easiest is to put the pfSense into a "respond only" mode.  Any better luck with that?

    Cheers - Bob

  • In reply to BAlfson:

    UTM is initiator and pfsense is already respond only? or am I missing something?

    Cheers

  • In reply to ciwan:

    The 'Responder only' checkbox was not selected in the pfSense in the document you attached above.

    Cheers - Bob

  • In reply to BAlfson:

    Yeah tried that too, same error message i am getting... so no joy.. i believe this is something to do with UTM nat'd and somehow it can't communicate with pfsense.

  • In reply to ciwan:

    One last thing to try.  On the 'Advanced' tab of 'IPsec', select 'VPN ID type: IP address' and use the public IP of the router in front of the UTM as the VPN ID.  Any luck with that?

    Cheers - Bob

  • In reply to BAlfson:

    Cheers Bob. If i do that then other IPSecs stops working. Anyway I guess the issue is how we set up the UTM by the look of it. I'll try your suggestion sometime and will post the result.

    Thanks