Hello everybody, this is my first post to the list. I'm looking for help to 
understand what I think is a strange behavior which results in intermittent 
malfunctioning of a VPN.

I have a VPN between a pfSense 2.4.2 (as of today) and a Checkpoint (latest 
available version). I'm told that on the Checkpoint side they cannot change the 
encryption domain, and basically I suppose they have all networks on their side 
as the encryption domain.

I have multiple phase2 networks (the ones to which I need to talk), and split 
connections enabled on the pfSense side.


I end up in this situation:

Shunted Connections:
  bypasslan:  172.16.199.0/24|/0 === 172.16.199.0/24|/0 PASS
Routed Connections:
    con1004{5}:  ROUTED, TUNNEL, reqid 5
    con1004{5}:   172.16.199.0/24|/0 === 10.128.30.0/24|/0
    con1003{4}:  ROUTED, TUNNEL, reqid 4
    con1003{4}:   172.16.199.0/24|/0 === 10.128.210.0/24|/0
    con1002{3}:  ROUTED, TUNNEL, reqid 3
    con1002{3}:   172.16.199.0/24|/0 === 10.15.1.0/24|/0
    con1001{2}:  ROUTED, TUNNEL, reqid 2
    con1001{2}:   172.16.199.0/24|/0 === 192.168.3.0/24|/0
    con1000{1}:  ROUTED, TUNNEL, reqid 1
    con1000{1}:   172.16.199.0/24|/0 === 10.128.200.0/24|/0
Security Associations (1 up, 0 connecting):
    con1000[37]: ESTABLISHED 27 minutes ago, A.B.C.D[A.B.C.D]...X.Y.Z.W[X.Y.Z.W]
    con1000{181}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cf75c2be_i f6da2a6b_o
    con1000{181}:   172.16.199.0/24|/0 === 10.128.200.0/24|/0
    con1001{182}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: ca07fa2a_i b78a80ad_o
    con1001{182}:   172.16.199.0/24|/0 === 192.168.3.0/24|/0
    con1002{183}:  INSTALLED, TUNNEL, reqid 3, ESP SPIs: cf85518c_i 6b4605e6_o
    con1002{183}:   172.16.199.0/24|/0 === 10.15.1.0/24|/0
    con1000{184}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c8d4d22e_i a7e330d0_o
    con1000{184}:   172.16.199.0/24|/0 === 10.128.200.0/24|/0
    con1001{185}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c4d1b604_i 91a8d9d5_o
    con1001{185}:   172.16.199.0/24|/0 === 192.168.3.0/24|/0


where the tunnel con1000{184}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c8d4d22e_i a7e330d0_o

prevents traffic between my 172.16.199.0/24 and the remote 10.128.200.0/24

(killing this single tunnel, everything works as expected).


What I do not perfectly understand is why the second tunnel comes up.

In particular, this is the apparent reason:

Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37>  config: 
10.128.200.0/24|/0, received: 10.128.0.0/16|/0 => match: 10.128.200.0/24|/0

I would have expected a phase2 mismatch.

Now I suppose that by adding a 10.128.0.0/16 I will get matches with this network 
and hopefully I will solve the issue.

BUT: is this an expected feature? Is it just me not understanding IPsec phase2? 
Is it me not understanding the pfSense implementation?

Thank you very much for your help!


Enrico.

Below is the complete log for the unexpected tunnel coming up (at least unexpected 
by me):


Nov 29 10:57:33 iulm03 charon: 15[NET] <con1000|37> received packet: from 
X.Y.Z.W[500] to A.B.C.D[500] (236 bytes)
Nov 29 10:57:33 iulm03 charon: 15[ENC] <con1000|37> parsed CREATE_CHILD_SA 
request 0 [ SA No TSi TSr N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
Nov 29 10:57:33 iulm03 charon: 15[IKE] <con1000|37> received 
ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37> looking for a child config 
for 172.16.199.98/32|/0[tcp/http] 172.16.199.0/24|/0 === 
10.128.132.198/32|/0[tcp/49179] 10.128.0.0/16|/0
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37> proposing traffic selectors 
for us:
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37>  172.16.199.0/24|/0
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37> proposing traffic selectors 
for other:
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37>  10.128.200.0/24|/0
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37>   candidate "con1000" with 
prio 7+1
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37> proposing traffic selectors 
for us:
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37>  172.16.199.0/24|/0
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37> proposing traffic selectors 
for other:
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37>  192.168.3.0/24|/0
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37> proposing traffic selectors 
for us:
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37>  172.16.199.0/24|/0
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37> proposing traffic selectors 
for other:
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37>  10.15.1.0/24|/0
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37> proposing traffic selectors 
for us:
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37>  172.16.199.0/24|/0
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37> proposing traffic selectors 
for other:
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37>  10.128.210.0/24|/0
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37>   candidate "con1003" with 
prio 7+1
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37> proposing traffic selectors 
for us:
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37>  172.16.199.0/24|/0
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37> proposing traffic selectors 
for other:
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37>  10.128.30.0/24|/0
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37>   candidate "con1004" with 
prio 7+1
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37> found matching child config 
"con1000" with prio 8
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37> selecting proposal:
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37>   proposal matches
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37> received proposals: 
ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37> configured proposals: 
ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, 
ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, 
ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37> selected proposal: 
ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37> selecting traffic selectors 
for us:
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37>  config: 
172.16.199.0/24|/0, received: 172.16.199.98/32|/0[tcp/http] => match: 
172.16.199.98/32|/0[tcp/http]
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37>  config: 
172.16.199.0/24|/0, received: 172.16.199.0/24|/0 => match: 172.16.199.0/24|/0
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37> selecting traffic selectors 
for other:
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37>  config: 
10.128.200.0/24|/0, received: 10.128.132.198/32|/0[tcp/49179] => no match
Nov 29 10:57:33 iulm03 charon: 15[CFG] <con1000|37>  config: 
10.128.200.0/24|/0, received: 10.128.0.0/16|/0 => match: 10.128.200.0/24|/0
Nov 29 10:57:33 iulm03 charon: 15[CHD] <con1000|37> CHILD_SA con1000{184} state 
change: CREATED => INSTALLING
Nov 29 10:57:33 iulm03 charon: 15[CHD] <con1000|37>   using 3DES_CBC for 
encryption
Nov 29 10:57:33 iulm03 charon: 15[CHD] <con1000|37>   using HMAC_SHA1_96 for 
integrity
Nov 29 10:57:33 iulm03 charon: 15[CHD] <con1000|37> adding inbound ESP SA
Nov 29 10:57:33 iulm03 charon: 15[CHD] <con1000|37>   SPI 0xc8d4d22e, src 
X.Y.Z.W dst A.B.C.D
Nov 29 10:57:33 iulm03 charon: 15[CHD] <con1000|37> adding outbound ESP SA
Nov 29 10:57:33 iulm03 charon: 15[CHD] <con1000|37>   SPI 0xa7e330d0, src 
A.B.C.D dst X.Y.Z.W
Nov 29 10:57:33 iulm03 charon: 15[IKE] <con1000|37> CHILD_SA con1000{184} 
established with SPIs c8d4d22e_i a7e330d0_o and TS 172.16.199.0/24|/0 === 
10.128.200.0/24|/0
Nov 29 10:57:33 iulm03 charon: 15[CHD] <con1000|37> CHILD_SA con1000{184} state 
change: INSTALLING => INSTALLED
Nov 29 10:57:33 iulm03 charon: 15[ENC] <con1000|37> generating CREATE_CHILD_SA 
response 0 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
Nov 29 10:57:33 iulm03 charon: 15[NET] <con1000|37> sending packet: from 
A.B.C.D[500] to X.Y.Z.W[500] (204 bytes)

-- 
Enrico Cavalli - [email protected]
jabber: [email protected] skype: enricocavalli
PGP Fingerprint: 3762 7B1B 743E 029C 8F94  8ADE BC4B 43A7 0485 30E5

_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
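The "config: 10.128.200.0/24|/0, received: 10.128.0.0/16|/0 => match: 10.128.200.0/24|/0" line in the log above is IKEv2 responder-side traffic selector narrowing (RFC 7296 section 2.9): the responder intersects what the peer proposed with what it has configured and answers with the overlap instead of rejecting it. The following Python is an added example written to illustrate that selection step against the selectors from the post; it is not charon's, strongSwan's or pfSense's code. The `ts`, `narrow` and `select_ts` names, the `TS` dataclass and the proto/port handling are this example's own assumptions; the sample selectors are constructed from the log lines in the post.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class TS:
    """One IKEv2 traffic selector: a subnet, a protocol and a port range.
    proto 0 means "any protocol", which is what charon's "|/0" suffix denotes."""
    net: IPv4Network
    proto: int = 0
    port_lo: int = 0
    port_hi: int = 65535

    def __str__(self) -> str:
        s = f"{self.net}|/{self.proto}"
        if (self.port_lo, self.port_hi) != (0, 65535):
            s += f"[{self.port_lo}]" if self.port_lo == self.port_hi else f"[{self.port_lo}-{self.port_hi}]"
        return s


def ts(net: str, proto: int = 0, port: Optional[int] = None) -> TS:
    """Build a selector; a single port pins both ends of the port range."""
    n = ip_network(net)
    return TS(n, proto) if port is None else TS(n, proto, port, port)


def narrow(config: TS, received: TS) -> Optional[TS]:
    """Intersection of a configured and a received selector, or None if disjoint.
    This is the responder-side narrowing RFC 7296 section 2.9 permits."""
    # Two CIDR blocks either nest or are disjoint, so the address
    # intersection is the smaller block or nothing.
    if config.net.subnet_of(received.net):
        net = config.net
    elif received.net.subnet_of(config.net):
        net = received.net
    else:
        return None
    # A fixed protocol on both sides must agree; 0 is a wildcard.
    if config.proto and received.proto and config.proto != received.proto:
        return None
    lo, hi = max(config.port_lo, received.port_lo), min(config.port_hi, received.port_hi)
    if lo > hi:
        return None
    return TS(net, config.proto or received.proto, lo, hi)


def covers(outer: TS, inner: TS) -> bool:
    """True when every packet matched by inner is also matched by outer."""
    return (inner.net.subnet_of(outer.net)
            and (outer.proto == 0 or outer.proto == inner.proto)
            and outer.port_lo <= inner.port_lo and inner.port_hi <= outer.port_hi)


def select_ts(configured: List[TS], received: List[TS]) -> List[TS]:
    """Responder-side selection: every configured/received pair that overlaps
    contributes its intersection. An empty result means the peer's proposal
    is rejected (TS_UNACCEPTABLE), i.e. the "phase2 mismatch" one might expect."""
    out: List[TS] = []
    for c in configured:
        for r in received:
            m = narrow(c, r)
            if m is not None and m not in out:
                out.append(m)
    # Drop selectors already covered by a wider selected one: the log matched
    # 172.16.199.98/32[tcp/http] as well, but the final TS is the bare /24.
    return [m for m in out if not any(o != m and covers(o, m) for o in out)]


# Selectors constructed from the CREATE_CHILD_SA exchange in the post.
CONFIG_US = [ts("172.16.199.0/24")]
CONFIG_OTHER = [ts("10.128.200.0/24")]
RECEIVED_TSI = [ts("172.16.199.98/32", 6, 80), ts("172.16.199.0/24")]
RECEIVED_TSR = [ts("10.128.132.198/32", 6, 49179), ts("10.128.0.0/16")]


def demo() -> dict:
    return {
        # What the log shows: the peer's /16 is narrowed to the configured /24.
        "us": [str(t) for t in select_ts(CONFIG_US, RECEIVED_TSI)],
        "other": [str(t) for t in select_ts(CONFIG_OTHER, RECEIVED_TSR)],
        # A disjoint proposal really is rejected (hypothetical 10.15.0.0/16).
        "mismatch": select_ts(CONFIG_OTHER, [ts("10.15.0.0/16")]),
        # The poster's planned change: configure the /16 the peer proposes.
        "widened": [str(t) for t in select_ts([ts("10.128.0.0/16")], RECEIVED_TSR)],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {[str(t) for t in result]}")
```

The first received selector on each side (a /32 with a TCP port) is the packet that triggered the peer's CREATE_CHILD_SA; the second is the peer's full encryption domain. Because 10.128.200.0/24 sits inside 10.128.0.0/16, narrowing succeeds and a child SA with the /24 selectors is installed, so a "mismatch" only occurs when no configured selector overlaps any received one at all.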
