Multiple IPSEC Tunnels with Combination of RSA and Preshared Keys.

Question

Been using 1 same preshared keys for over 10 sites that backhaul back to our HQ till now.
However eversince v18 onwards, it's getting more and more unstable. After restarting our HQ Firewall, at least 3-4 sites tunnels wouldn't up.
Ticked the create firewall policy rule for each ipsec to enable me to monitor each tunnel separately.
Seems it creates more unstability then doing anything good.

I'm thinking of switching like 4 sites that couldn't up automatically to rsa while some still retain preshared keys.
I wonder will it cause unstability across all 10 sites ?

This thread was automatically locked due to age.

Sreenivasulu Naidu · Answer

If you are sure that both IPsec peers has same/matching Phase1 and Phase2 policy, it is unlikely that no proposal chosen error is pointing to mismatched proposals; some of the errors seen with IKEv1 are not quite intuitive; tcpdump of ike negotiation packets gives encrypted packets, a relatively lengthy procedure to be used to decrypt the packets in wireshark (as below): 
 On SFOS, from the Advanced shell cli, enter below to increase the log level of charon process 
 SF01V_SO01_SFOS 17.5.15 MR-15# ipsec stroke loglevel ike 4 
 - Establish the IPSec tunnel 
 SF01V_SO01_SFOS # tcpdump -vvni Port1 port 500 or port 4500 -w /usr/share/userportal/tcpdump.pcap 
 If the above path is readable, do this from the cli ' mount -no remount,rw / ' 
 
 ipsec stausall //get the ikev1 spi id ex: 59188f30249888da_i // here 'i' is Initiator 
 In /log/charon.log look for 32 bytes, this is the Encryption key 
 encryption key Ka => 32 bytes @ 0x7f76140135e0 
 0: 82 09 85 BA B7 FE 11 AC F3 E4 BB 17 51 C2 68 7A 
 16: 88 3F 18 A5 00 62 64 18 CB 8E B6 79 20 62 E8 45 
 
 Open tcpdump.pcap file in wireshark; Go to Preferences &rarr; Protocols; search for ISAKMP; enter UDP port, it could be port 500 (no NAT scenario) or 4500 (NAT'ed scenario) as the case may be. 
 Click on 'IKEv1 Decryption Table' Edit button, hit on + sign and enter Cookie and Encryption Key noted earlier. 
 Now wireshark shows decrypted packets.

LuCar Toni · Answer

Try to update the PSK on both peers everywhere again. Likely it is not correct. Because this is likely the problem here. Or do you use Ipsec Remote access as well? This will also override the PSK.

LuCar Toni · Answer

You could do the change now, it will not affect the tunnels and then update. 
 You are using those two values in IPsec: 
 This will define what peer we are expecting and what we introduce ourself. 
 On utm you do the same:

You can define there whatever you want, as long as it matches: 
 SFOS: DNS sfos // Remote: DNS utm1 
 UTM1: DNS: utm1 // Remote: DNS sfos 
 Just suggestions. But this will give the wildcard tunnel the option to separate the tunnels.

apijnappels · Answer

If you are able to use dyndns names, you could use those instead of * as peer. Dyndns doesn't have to break the bank and it seems it will get you rid of all your current trouble.

Multiple IPSEC Tunnels with Combination of RSA and Preshared Keys.

Top Replies