<div dir="ltr">
<div>Good day Guys</div>
<div>I asked this previously, but I only got back to work today, so as some time has passed, I thought I would ask again in a new thread, as I made some advancement, but still having issues.</div>
<div>As per the subject, I'm trying to connect to a pfSense device.</div>
<div>If someone could take a look at my setup it would be very much appreciated.</div>
<div>Here is my configuration:</div>
<pre>root@sql01 ~ # ipsec start --debug-all --nofork
Starting strongSwan 5.1.2 IPsec [starter]...
Loading config setup
Loading conn %default
 keyexchange=ikev1
 authby=secret
Loading conn 'pfsense'
 left=my_ip_removed
 leftsourceip=%config
 leftfirewall=no
 right=my_vendor_removed
 rightsubnet=10.4.128.6/32
 ike=3des-sha1-modp1024!
 esp=3des-sha1!
 ikelifetime=86400s
 keylife=3600s
 auto=add
found netkey IPsec stack
Attempting to start charon...
00[DMN] Starting IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-77-generic, x86_64)
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG] loaded IKE secret for my_ip_removed my_vendor_removed
00[LIB] loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 rdrand random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity addrblock
00[LIB] unable to load 5 plugin features (5 due to unmet dependencies)
00[LIB] dropped capabilities, running as uid 0, gid 0
00[JOB] spawning 16 worker threads
charon (19750) started after 20 ms
06[CFG] received stroke: add connection 'pfsense'
06[CFG] added configuration 'pfsense'
</pre>
<div>The vendor gave me the following information. (This is a copy and paste from an Excel spreadsheet. The first column is what my setting must be, and the second is what their settings are.)</div>
<table>
<tr><th>Setting</th><th>My side (must be)</th><th>Vendor side</th></tr>
<tr><td colspan="3">Phase I Settings ("IPSec Phase 1 Settings MUST match on both sides")</td></tr>
<tr><td>Diffie-Hellman Group</td><td>2 (Mod1024)</td><td>2 (Mod1024)</td></tr>
<tr><td>Encryption Algorithm</td><td>3DES</td><td>3DES</td></tr>
<tr><td>Hash Algorithm</td><td>SHA-1</td><td>SHA-1</td></tr>
<tr><td>NAT-T</td><td>Disable</td><td>Disable</td></tr>
<tr><td>Lifetime (In Seconds)</td><td>86400</td><td>86400</td></tr>
<tr><td colspan="3">Phase II Settings ("IPSec Phase 2 Settings MUST match on both sides")</td></tr>
<tr><td>Encapsulation</td><td>ESP (encrypted)</td><td>ESP (encrypted)</td></tr>
<tr><td>Perfect Forward Secrecy (PFS)</td><td>NO PFS</td><td>NO PFS</td></tr>
<tr><td>Encryption Algorithm</td><td>3DES</td><td>3DES</td></tr>
<tr><td>Hash Algorithm</td><td>SHA-1</td><td>SHA-1</td></tr>
<tr><td>Lifetime (In Seconds)</td><td>3</td><td>3600</td></tr>
<tr><td>Lifetime (In Kbytes)</td><td>N/A</td><td>N/A</td></tr>
</table>
<div>Here is some additional information.</div>
<pre>root@sql01 ~ # ipsec up pfsense
initiating Main Mode IKE_SA pfsense[1] to my_vendor_removed
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from my_ip_removed[500] to my_vendor_removed[500] (156 bytes)
received packet: from my_vendor_removed[500] to my_ip_removed[500] (156 bytes)
parsed ID_PROT response 0 [ SA V V V V ]
received XAuth vendor ID
received DPD vendor ID
received Cisco Unity vendor ID
received NAT-T (RFC 3947) vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from my_ip_removed[500] to my_vendor_removed[500] (244 bytes)
received packet: from my_vendor_removed[500] to my_ip_removed[500] (244 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
remote host is behind NAT
generating ID_PROT request 0 [ ID HASH ]
sending packet: from my_ip_removed[4500] to my_vendor_removed[4500] (68 bytes)
received packet: from my_vendor_removed[500] to my_ip_removed[500] (68 bytes)
invalid HASH_V1 payload length, decryption failed?
could not decrypt payloads
message parsing failed
ignore malformed INFORMATIONAL request
INFORMATIONAL_V1 request with message ID 2508402058 processing failed
sending retransmit 1 of request message ID 0, seq 3
sending packet: from my_ip_removed[4500] to my_vendor_removed[4500] (68 bytes)
received packet: from my_vendor_removed[500] to my_ip_removed[500] (68 bytes)
invalid HASH_V1 payload length, decryption failed?
could not decrypt payloads
message parsing failed
ignore malformed INFORMATIONAL request
</pre>
<pre>root@removed ~ # tcpdump -i eth0 -n -s 0 -vv \(port 500 or port 4500\) and host remote_ip
11:10:23.854742 IP (tos 0x0, ttl 64, id 23908, offset 0, flags [DF], proto UDP (17), length 100)
 my_ip_removed.4500 > my_vendor_removed.4500: [bad udp cksum 0x1ac5 -> 0xed53!] NONESP-encap: isakmp 1.0 msgid 00000000 cookie dad9f5e5d2979fdb->a302dd331922e192: phase 1 ? ident[E]: [encrypted id]
11:11:05.845035 IP (tos 0x0, ttl 64, id 26186, offset 0, flags [DF], proto UDP (17), length 100)
 my_ip_removed.4500 > my_vendor_removed.4500: [bad udp cksum 0x1ac5 -> 0xed53!] NONESP-encap: isakmp 1.0 msgid 00000000 cookie dad9f5e5d2979fdb->a302dd331922e192: phase 1 ? ident[E]: [encrypted id]
11:12:21.427910 IP (tos 0x0, ttl 64, id 37217, offset 0, flags [DF], proto UDP (17), length 184)
 my_ip_removed.500 > my_vendor_removed.500: [bad udp cksum 0x1b19 -> 0x256f!] isakmp 1.0 msgid 00000000 cookie dad9f5e5d2979fdb->0000000000000000: phase 1 I ident:
 (sa: doi=ipsec situation=identity
 (p: #0 protoid=isakmp transform=1
 (t: #1 id=ike (type=enc value=3des)(type=hash value=sha1)(type=group desc value=modp1024)(type=auth value=preshared)(type=lifetype value=sec)(type=lifeduration len=4 value=00015180))))
 (vid: len=8)
 (vid: len=16)
 (vid: len=16)
 (vid: len=16)
11:12:21.618104 IP (tos 0x28, ttl 50, id 48062, offset 0, flags [none], proto UDP (17), length 184)
 my_vendor_removed.500 > my_ip_removed.500: [udp sum ok] isakmp 1.0 msgid 00000000 cookie dad9f5e5d2979fdb->6eb7b1d308885823: phase 1 R ident:
 (sa: doi=ipsec situation=identity
 (p: #0 protoid=isakmp transform=1
 (t: #1 id=ike (type=enc value=3des)(type=hash value=sha1)(type=group desc value=modp1024)(type=auth value=preshared)(type=lifetype value=sec)(type=lifeduration len=4 value=00015180))))
 (vid: len=8)
 (vid: len=16)
 (vid: len=16)
 (vid: len=16)
11:12:21.620911 IP (tos 0x0, ttl 64, id 37227, offset 0, flags [DF], proto UDP (17), length 272)
 my_ip_removed.500 > my_vendor_removed.500: [bad udp cksum 0x1b71 -> 0x77bb!] isakmp 1.0 msgid 00000000 cookie dad9f5e5d2979fdb->6eb7b1d308885823: phase 1 I ident:
 (ke: key len=128)
 (nonce: n len=32 data=(81292b820fbcb8983077...49d69c7dccb7e8909caa4592110487911f8c5bad))
 (pay20)
 (pay20)
11:12:21.811858 IP (tos 0x28, ttl 50, id 25607, offset 0, flags [none], proto UDP (17), length 272)
 my_vendor_removed.500 > my_ip_removed.500: [udp sum ok] isakmp 1.0 msgid 00000000 cookie dad9f5e5d2979fdb->6eb7b1d308885823: phase 1 R ident:
 (ke: key len=128)
 (nonce: n len=32 data=(2f28c612791a99888ef3...a8a7c8b340152057bcefe35b50e7d7ad768cdae7))
 (pay20)
 (pay20)
11:12:21.814561 IP (tos 0x0, ttl 64, id 37263, offset 0, flags [DF], proto UDP (17), length 100)
 my_ip_removed.4500 > my_vendor_removed.4500: [bad udp cksum 0x1ac5 -> 0xde02!] NONESP-encap: isakmp 1.0 msgid 00000000 cookie dad9f5e5d2979fdb->6eb7b1d308885823: phase 1 I ident[E]: [encrypted id]
11:12:22.004213 IP (tos 0x28, ttl 50, id 33638, offset 0, flags [none], proto UDP (17), length 96)
 my_vendor_removed.500 > my_ip_removed.500: [udp sum ok] isakmp 1.0 msgid 72fe0776 cookie dad9f5e5d2979fdb->6eb7b1d308885823: phase 2/others R inf[E]: [encrypted hash]
11:12:25.814848 IP (tos 0x0, ttl 64, id 38072, offset 0, flags [DF], proto UDP (17), length 100)
 my_ip_removed.4500 > my_vendor_removed.4500: [bad udp cksum 0x1ac5 -> 0xde02!] NONESP-encap: isakmp 1.0 msgid 00000000 cookie dad9f5e5d2979fdb->6eb7b1d308885823: phase 1 I ident[E]: [encrypted id]
11:12:26.004450 IP (tos 0x28, ttl 50, id 24130, offset 0, flags [none], proto UDP (17), length 96)
 my_vendor_removed.500 > my_ip_removed.500: [udp sum ok] isakmp 1.0 msgid c81c162f cookie dad9f5e5d2979fdb->6eb7b1d308885823: phase 2/others R inf[E]: [encrypted hash]
11:12:33.015106 IP (tos 0x0, ttl 64, id 39418, offset 0, flags [DF], proto UDP (17), length 100)
 my_ip_removed.4500 > my_vendor_removed.4500: [bad udp cksum 0x1ac5 -> 0xde02!] NONESP-encap: isakmp 1.0 msgid 00000000 cookie dad9f5e5d2979fdb->6eb7b1d308885823: phase 1 I ident[E]: [encrypted id]
11:12:33.204540 IP (tos 0x28, ttl 50, id 57519, offset 0, flags [none], proto UDP (17), length 96)
 my_vendor_removed.500 > my_ip_removed.500: [udp sum ok] isakmp 1.0 msgid 6144b96e cookie dad9f5e5d2979fdb->6eb7b1d308885823: phase 2/others R inf[E]: [encrypted hash]
11:12:45.975394 IP (tos 0x0, ttl 64, id 40707, offset 0, flags [DF], proto UDP (17), length 100)
 my_ip_removed.4500 > my_vendor_removed.4500: [bad udp cksum 0x1ac5 -> 0xde02!] NONESP-encap: isakmp 1.0 msgid 00000000 cookie dad9f5e5d2979fdb->6eb7b1d308885823: phase 1 I ident[E]: [encrypted id]
11:12:46.164873 IP (tos 0x28, ttl 50, id 34443, offset 0, flags [none], proto UDP (17), length 96)
 my_vendor_removed.500 > my_ip_removed.500: [udp sum ok] isakmp 1.0 msgid 775b2adc cookie dad9f5e5d2979fdb->6eb7b1d308885823: phase 2/others R inf[E]: [encrypted hash]
11:13:09.303694 IP (tos 0x0, ttl 64, id 43955, offset 0, flags [DF], proto UDP (17), length 100)
 my_ip_removed.4500 > my_vendor_removed.4500: [bad udp cksum 0x1ac5 -> 0xde02!] NONESP-encap: isakmp 1.0 msgid 00000000 cookie dad9f5e5d2979fdb->6eb7b1d308885823: phase 1 I ident[E]: [encrypted id]
11:13:51.294091 IP (tos 0x0, ttl 64, id 44938, offset 0, flags [DF], proto UDP (17), length 100)
 my_ip_removed.4500 > my_vendor_removed.4500: [bad udp cksum 0x1ac5 -> 0xde02!] NONESP-encap: isakmp 1.0 msgid 00000000 cookie dad9f5e5d2979fdb->6eb7b1d308885823: phase 1 I ident[E]: [encrypted id]
^C
16 packets captured
16 packets received by filter
0 packets dropped by kernel
</pre>
<div>Thanks if you can help me.</div>
<div>Regards</div>
</div>
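<div>The capture above shows the local side moving to UDP 4500 after the NAT-D exchange while the peer keeps answering from port 500 with encrypted INFORMATIONAL messages that charon cannot decrypt. The following Python script is an added example, not part of the original post or of strongSwan: it parses the ISAKMP summary lines of a tcpdump -vv capture (here a constructed four-record sample using the post's placeholder host names) and reports each side's source ports and whether only one side floated to 4500, so the same check can be run on a fresh capture.</div>

```python
import re
from collections import defaultdict

# Constructed sample, trimmed to four records of the kind of tcpdump output in the
# post (host names are the post's placeholders, not real addresses).
SAMPLE = """\
11:12:21.427910 IP (tos 0x0, ttl 64, id 37217, offset 0, flags [DF], proto UDP (17), length 184)
    my_ip_removed.500 > my_vendor_removed.500: [bad udp cksum 0x1b19 -> 0x256f!] isakmp 1.0 msgid 00000000 cookie dad9f5e5d2979fdb->0000000000000000: phase 1 I ident:
11:12:21.618104 IP (tos 0x28, ttl 50, id 48062, offset 0, flags [none], proto UDP (17), length 184)
    my_vendor_removed.500 > my_ip_removed.500: [udp sum ok] isakmp 1.0 msgid 00000000 cookie dad9f5e5d2979fdb->6eb7b1d308885823: phase 1 R ident:
11:12:21.814561 IP (tos 0x0, ttl 64, id 37263, offset 0, flags [DF], proto UDP (17), length 100)
    my_ip_removed.4500 > my_vendor_removed.4500: [bad udp cksum 0x1ac5 -> 0xde02!] NONESP-encap: isakmp 1.0 msgid 00000000 cookie dad9f5e5d2979fdb->6eb7b1d308885823: phase 1 I ident[E]: [encrypted id]
11:12:22.004213 IP (tos 0x28, ttl 50, id 33638, offset 0, flags [none], proto UDP (17), length 96)
    my_vendor_removed.500 > my_ip_removed.500: [udp sum ok] isakmp 1.0 msgid 72fe0776 cookie dad9f5e5d2979fdb->6eb7b1d308885823: phase 2/others R inf[E]: [encrypted hash]
"""

# Matches the indented ISAKMP summary line of each tcpdump -vv record.
PKT = re.compile(r"^\s*(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
                 r".*?isakmp 1\.0 msgid (?P<msgid>[0-9a-f]+) cookie \S+: (?P<desc>.*)$")


def parse_isakmp(text):
    """One dict per ISAKMP packet: hosts, ports, message ID and tcpdump's description."""
    pkts = []
    for line in text.splitlines():
        m = PKT.match(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            pkts.append(d)
    return pkts


def diagnose(text, local):
    """Report which UDP ports each side sends from and whether only one side moved to 4500."""
    pkts = parse_isakmp(text)
    ports = defaultdict(set)
    for p in pkts:
        ports[p["src"]].add(p["sport"])
    remote = next((h for h in ports if h != local), None)
    # After NAT-D both peers should float to 4500; a peer still sending from 500 is the asymmetry seen in the post.
    one_sided = 4500 in ports[local] and 4500 not in ports[remote]
    # Encrypted INFORMATIONAL messages the peer sends back to port 500 rather than answering on 4500.
    stray = sum(1 for p in pkts
                if p["src"] == remote and p["dport"] == 500 and "inf[E]" in p["desc"])
    return {"local_ports": sorted(ports[local]), "remote_ports": sorted(ports[remote]),
            "one_sided_float": one_sided, "informational_replies_on_500": stray}
```

Run it against a full capture by reading the tcpdump text into diagnose() with your own address as the local host; the packet detail lines (sa:, ke:, nonce:) are ignored by the regex.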