[Openswan Users] Problems with 2nd phase IPsec between Openswan and pfSense racoon

beheer at topdesk.com beheer at topdesk.com
Tue Feb 3 05:40:52 EST 2009


Hi,

I'm trying to set up a VPN tunnel between a Debian GNU/Linux machine with Openswan 2.4.6 and a box with pfSense 1.2.2. I'm using X.509 certificates and my configuration is:

linux:
conn pfsense2linux
        left=192.168.251.3
        leftnexthop=192.168.1.1
        leftid="@pfsense.foo.bar"
        leftsubnet=10.5.0.0/22
        right=192.168.250.2
        rightid="C=NL, L=Spook, O=Foo, CN=linux.foo.bar"
        rightcert=linux.crt
        rightsubnet=10.0.0.0/22
        rightnexthop=192.168.250.1
        type=tunnel
        ## Automatic keying
        keyexchange=ike
        rekey=yes
        keylife=12h
        auth=esp
        keyingtries=3
        ## RSA authentication
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        leftca=%same
        rightca=%same
        auto=start

pfsense:
MyIdentifier: Domain = pfsense.foo.bar
Authentication method: RSA signature
Certificate: pasted PEM pfsense.crt
Private key: pasted PEM pfsense.key

There is a machine in the middle, with networks 192.168.250.0/24 and 192.168.251.0/24, acting as a WAN emulator. No packets are lost. I get an ISAKMP SA established, but the pfSense box doesn't answer the 2nd phase request:

104 "pfsense2linux" #31: STATE_MAIN_I1: initiate
003 "pfsense2linux" #31: received Vendor ID payload [Dead Peer Detection]
106 "pfsense2linux" #31: STATE_MAIN_I2: sent MI2, expecting MR2
108 "pfsense2linux" #31: STATE_MAIN_I3: sent MI3, expecting MR3
004 "pfsense2linux" #31: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
117 "pfsense2linux" #32: STATE_QUICK_I1: initiate
010 "pfsense2linux" #32: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "pfsense2linux" #32: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "pfsense2linux" #32: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "pfsense2linux" #32: starting keying attempt 2 of at most 3, but releasing whack

On the pfSense machine logs I've found:

Feb 3 10:53:04 	racoon: ERROR: failed to pre-process packet.
Feb 3 10:53:04 	racoon: ERROR: failed to get sainfo.
Feb 3 10:53:04 	racoon: ERROR: failed to get sainfo.
Feb 3 10:53:04 	racoon: [NL Spook]: INFO: respond new phase 2 negotiation: 192.168.251.3[0]<=>192.168.250.2[0]
Feb 3 10:53:04 	racoon: [NL Spook]: INFO: ISAKMP-SA established 192.168.251.3[500]-192.168.250.2[500] spi:82d506c13c91ba76:d13128841f0c0f60
Feb 3 10:53:04 	racoon: WARNING: unable to get certificate CRL(3) at depth:1 SubjectName:/DC=bar/DC=foo/CN=rootca.foo.bar
Feb 3 10:53:04 	racoon: WARNING: unable to get certificate CRL(3) at depth:0 SubjectName:/C=NL/L=Spook/O=Foo/CN=linux.foo.bar
Feb 3 10:53:04 	racoon: WARNING: No ID match.
Feb 3 10:53:04 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Feb 3 10:53:04 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Feb 3 10:53:04 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Feb 3 10:53:04 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Feb 3 10:53:04 	racoon: INFO: received Vendor ID: RFC 3947
Feb 3 10:53:04 	racoon: INFO: received Vendor ID: DPD
Feb 3 10:53:04 	racoon: INFO: begin Identity Protection mode.
Feb 3 10:53:04 	racoon: [NL Spook]: INFO: respond new phase 1 negotiation: 192.168.251.3[500]<=>192.168.250.2[500]

I've searched several forums, but I didn't find a solution. The pfSense machine doesn't send any packet in response. How can I get more detailed logs from racoon? Any ideas?

Thank you very much!

Best regards,

--
Xesc Arbona
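One way to read the two log excerpts above side by side, as an added example that is not part of the original post or of either Openswan or racoon: the script below parses pluto status lines and racoon syslog lines, confirms that phase 1 (ISAKMP SA) completed on both ends, and classifies the phase 2 failure. racoon emits "failed to get sainfo" when no sainfo section (its phase 2 policy) matches the identities and traffic selectors the initiator proposed; it then drops the Quick Mode message without replying, which is exactly what pluto's retransmissions and "perhaps peer likes no proposal" reflect. The log lines are the ones quoted in the post, reordered chronologically; the pfSense phase 2 settings (`PFSENSE_P2_OK`, `PFSENSE_P2_BAD`) and the `selectors_mirror` helper are constructed placeholders to show the first thing to compare, namely that each side's local/remote networks mirror the other's, not settings taken from the post.

```python
"""Correlate Openswan (pluto) and racoon log lines to localise an IPsec failure.

Added example, not from the original post. Log lines are those quoted in the
post, reordered chronologically. The pfSense phase 2 dicts and selectors_mirror()
are constructed placeholders for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# pluto/whack status line: "<code> "<conn>" #<sa>: <message>"
PLUTO_RE = re.compile(r'^(?P<code>\d{3}) "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
# racoon syslog line: "<timestamp> racoon: [<peer>]: <LEVEL>: <message>" (peer tag optional)
RACOON_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\s+racoon: (?:\[(?P<peer>[^\]]*)\]: )?'
    r'(?P<level>ERROR|WARNING|INFO|DEBUG): (?P<msg>.*)$'
)

PLUTO_LINES = [  # from the post (Openswan side)
    '004 "pfsense2linux" #31: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}',
    '117 "pfsense2linux" #32: STATE_QUICK_I1: initiate',
    '010 "pfsense2linux" #32: STATE_QUICK_I1: retransmission; will wait 20s for response',
    '010 "pfsense2linux" #32: STATE_QUICK_I1: retransmission; will wait 40s for response',
    '031 "pfsense2linux" #32: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal',
]
RACOON_LINES = [  # from the post (pfSense side), oldest first
    'Feb 3 10:53:04 \tracoon: [NL Spook]: INFO: ISAKMP-SA established 192.168.251.3[500]-192.168.250.2[500] spi:82d506c13c91ba76:d13128841f0c0f60',
    'Feb 3 10:53:04 \tracoon: WARNING: No ID match.',
    'Feb 3 10:53:04 \tracoon: [NL Spook]: INFO: respond new phase 2 negotiation: 192.168.251.3[0]<=>192.168.250.2[0]',
    'Feb 3 10:53:04 \tracoon: ERROR: failed to get sainfo.',
    'Feb 3 10:53:04 \tracoon: ERROR: failed to get sainfo.',
    'Feb 3 10:53:04 \tracoon: ERROR: failed to pre-process packet.',
]

# Subnets exactly as in the post's ipsec.conf; the linux box is "right" there.
OPENSWAN_CONN = {"leftsubnet": "10.5.0.0/22", "rightsubnet": "10.0.0.0/22"}
# Constructed pfSense phase 2 settings (local/remote network as entered in the
# tunnel form). These are placeholders, not the poster's actual settings.
PFSENSE_P2_OK = {"local": "10.5.0.0/22", "remote": "10.0.0.0/22"}
PFSENSE_P2_BAD = {"local": "10.5.0.0/22", "remote": "10.0.0.0/24"}


@dataclass
class Diagnosis:
    phase1_up: bool = False
    phase2_up: bool = False
    quick_retransmits: int = 0
    racoon_errors: list = field(default_factory=list)
    racoon_warnings: list = field(default_factory=list)
    verdict: str = "undetermined"


def parse_pluto(lines):
    """Yield parsed pluto status lines; silently skip lines that do not match."""
    for line in lines:
        m = PLUTO_RE.match(line)
        if m:
            yield m.groupdict()


def parse_racoon(lines):
    """Yield parsed racoon syslog lines; silently skip lines that do not match."""
    for line in lines:
        m = RACOON_RE.match(line)
        if m:
            yield m.groupdict()


def diagnose(pluto_lines, racoon_lines):
    """Combine both sides' logs into one verdict about where the tunnel stalls."""
    d = Diagnosis()
    for ev in parse_pluto(pluto_lines):
        msg = ev["msg"]
        if "ISAKMP SA established" in msg:          # phase 1 done (STATE_MAIN_I4)
            d.phase1_up = True
        elif msg.startswith("STATE_QUICK_I1: retransmission"):
            d.quick_retransmits += 1                # phase 2 request unanswered
        elif "IPsec SA established" in msg:         # phase 2 done (STATE_QUICK_I2)
            d.phase2_up = True
    for ev in parse_racoon(racoon_lines):
        if ev["level"] == "ERROR":
            d.racoon_errors.append(ev["msg"])
        elif ev["level"] == "WARNING":
            d.racoon_warnings.append(ev["msg"])
        elif "IPsec-SA established" in ev["msg"]:   # racoon's phase 2 success line
            d.phase2_up = True
    # "failed to get sainfo": no phase 2 policy matched the proposed identities or
    # selectors, so racoon dropped the Quick Mode message without a reply.
    if not d.phase1_up:
        d.verdict = "phase1-failed"
    elif d.phase2_up:
        d.verdict = "tunnel-up"
    elif any("failed to get sainfo" in e for e in d.racoon_errors):
        d.verdict = "phase2-no-matching-sainfo"
    elif d.quick_retransmits:
        d.verdict = "phase2-unanswered"
    return d


def selectors_mirror(openswan_conn, pfsense_p2, linux_is_right=True):
    """Hypothetical check: the linux side's local/remote nets must equal the
    pfSense side's remote/local nets, otherwise no sainfo can match."""
    lin_local = openswan_conn["rightsubnet" if linux_is_right else "leftsubnet"]
    lin_remote = openswan_conn["leftsubnet" if linux_is_right else "rightsubnet"]
    net = ipaddress.ip_network
    return (net(lin_local) == net(pfsense_p2["remote"])
            and net(lin_remote) == net(pfsense_p2["local"]))


if __name__ == "__main__":
    result = diagnose(PLUTO_LINES, RACOON_LINES)
    print(result.verdict, "| racoon errors:", sorted(set(result.racoon_errors)))
    print("selectors mirror (constructed OK config):", selectors_mirror(OPENSWAN_CONN, PFSENSE_P2_OK))
```

Run it as a script to see the verdict, or feed `diagnose()` the output of `ipsec auto --up <conn>` and the racoon lines from the pfSense system log. The verdict only says which phase stalled and why racoon rejected the exchange; the phase 2 proposal (ESP algorithms, PFS group, lifetime) and the two subnets still have to be compared by hand against the pfSense tunnel settings, which `selectors_mirror()` sketches for the subnet part.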