Re: [pfSense] IPSec Bug?

2017-02-03 Thread Eero Volotinen
how about disabling pfs?

Eero

2017-02-03 13:25 GMT+02:00 Roland Giesler :

> On Fri, Feb 3, 2017 at 1:19 PM, Eero Volotinen 
> wrote:
>
>> It's a bit antique selection of ciphers.
>>
>
> It is indeed.  We were experimenting for a long time with many others and
> got similar result (no matches).  So I opted to check what pfSense offers
> and set Sonicwall to ask for that, but Sonicwall can't do MODP_3072,
> which is the only combination of what pfSense offers and what Sonicwall
> supports.
>
> We gave up in the end and opted to use SSH tunnels to work through, rather
> than set up a VPN.  In the end we may have to set up OpenVPN, with mobile
> clients rather than site-to-site...  :-(  Not what we had in mind.
>
> Roland
>
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] IPSec Bug?

2017-02-03 Thread Roland Giesler
 On Fri, Feb 3, 2017 at 1:19 PM, Eero Volotinen 
wrote:

> It's a bit antique selection of ciphers.
>

It is indeed.  We were experimenting for a long time with many others and
got similar result (no matches).  So I opted to check what pfSense offers
and set Sonicwall to ask for that, but Sonicwall can't do MODP_3072, which
is the only combination of what pfSense offers and what Sonicwall supports.

We gave up in the end and opted to use SSH tunnels to work through, rather
than set up a VPN.  In the end we may have to set up OpenVPN, with mobile
clients rather than site-to-site...  :-(  Not what we had in mind.

Roland




Re: [pfSense] IPSec Bug?

2017-02-03 Thread Eero Volotinen
It's a bit antique selection of ciphers.

Problem is in DH group. try enabling same DH also in pfsense.

--
Eero

2017-02-03 13:17 GMT+02:00 Roland Giesler :

> On Tue, Jan 24, 2017 at 8:16 PM, Eero Volotinen 
> wrote:
>
>> What hardware is other side running? Why you are trying to use 3des?
>>
>
> The other side is Sonicwall.  I'm using 3DES because it's enabled by
> default and seemed a simple place to start.
>
> However, regardless of what I select (by ticking the boxes - not very
> difficult), that is then not offered.  So if I select 3DES, it is not
> offered.  If I select SHA256 it's not offered, and so on.
>
> Roland
>


Re: [pfSense] IPSec Bug?

2017-02-03 Thread Roland Giesler
 On Tue, Jan 24, 2017 at 8:16 PM, Eero Volotinen 
wrote:

> What hardware is other side running? Why you are trying to use 3des?
>

The other side is Sonicwall.  I'm using 3DES because it's enabled by
default and seemed a simple place to start.

However, regardless of what I select (by ticking the boxes - not very
difficult), that is then not offered.  So if I select 3DES, it is not
offered.  If I select SHA256 it's not offered, and so on.

Roland





Re: [pfSense] IPSec Bug?

2017-02-03 Thread Roland Giesler
On Tue, Jan 24, 2017 at 9:56 PM, Jim Thompson  wrote:

> The other side proposed 3DES-CBC/HMAC-SHA1/MODP_1536.
> Your side didn't propose same (search for MODP_1536)
>
> Search for "Phase 1 DH Group Mismatch" in
> https://doc.pfsense.org/index.php/IPsec_Troubleshooting
>
> not a bug.
>

If I select 3DES, SHA1 MODP1536 in the pfSense interface and I try to
connect and pfSense doesn't offer what I selected, then surely something's
wrong?

How is setting something to offer ABC and then ABC not being offered not a
bug?

Roland




Re: [pfSense] IPSec Bug?

2017-01-24 Thread Jim Thompson
On Tue, Jan 24, 2017 at 12:16 PM, Eero Volotinen  wrote:
> What hardware is other side running? Why you are trying to use 3des?
>
> Eero
>
> 2017-01-17 16:36 GMT+02:00 Roland Giesler :
>
>> We've battled all afternoon to establish an IPSec site-to-site connection.
>> Here's what happens:
>>
>> Time Process PID Message
>> Jan 17 15:58:53 charon 05[NET] <197> sending packet: from 129.232.232.130[500] to 105.27.116.62[500] (56 bytes)
>> Jan 17 15:58:53 charon 05[ENC] <197> generating INFORMATIONAL_V1 request 2809641300 [ N(NO_PROP) ]
>> Jan 17 15:58:53 charon 05[IKE] <197> no proposal found
>> Jan 17 15:58:53 charon 05[CFG] <197> configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_MD5_96/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024
>> Jan 17 15:58:53 charon 05[CFG] <197> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
>> Jan 17 15:58:53 charon 05[IKE] <197> 105.27.116.62 is initiating a Aggressive Mode IKE_SA
>>
>> The strange thing is that I have set 3DES and SHA1 in my setup, yet it
>> is not being offered.  I have also tested quite a few others like AES 265 and
>> SHA2, but they are also not offered.  The other side (SonicWall) is
>> offering what we set mutually.

The other side proposed 3DES-CBC/HMAC-SHA1/MODP_1536.
Your side didn't propose same (search for MODP_1536)

Search for "Phase 1 DH Group Mismatch" in
https://doc.pfsense.org/index.php/IPsec_Troubleshooting

not a bug.

Jim

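Jim's diagnosis can be checked mechanically. The following is an added example written for this thread (not pfSense or strongSwan code): it parses the two charon [CFG] lines quoted above, compares them transform by transform, and reports which algorithm the peer offered that no configured proposal contains. It assumes strongSwan's algorithm-name prefixes (PRF_, MODP_/ECP_/CURVE_, HMAC_/AES_XCBC_/AES_CMAC_) to tell the transform types apart.

```python
"""Compare charon's 'configured proposals' and 'received proposals' log
lines transform by transform, so a NO_PROPOSAL_CHOSEN failure like the one
in this thread points at the specific algorithm that is missing.
Added example for this thread; not pfSense or strongSwan code."""
import re
from collections import defaultdict

# Log lines from the thread above, with the mailer's line wraps removed.
CONFIGURED_LINE = (
    "Jan 17 15:58:53 charon 05[CFG] <197> configured proposals: "
    "IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072, "
    "IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/"
    "CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/"
    "HMAC_SHA2_512_256/HMAC_MD5_96/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/"
    "PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/"
    "PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/"
    "ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/"
    "MODP_2048_256/MODP_1024, "
    "IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/"
    "AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/"
    "PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/"
    "PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/"
    "ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/"
    "MODP_2048_256/MODP_1024"
)
RECEIVED_LINE = ("Jan 17 15:58:53 charon 05[CFG] <197> received proposals: "
                 "IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536")


def transform_type(alg):
    """Classify a strongSwan algorithm name by the IKE transform type it fills
    (assumed prefix convention: PRF_, MODP_/ECP_/CURVE_, HMAC_/AES_XCBC_/AES_CMAC_)."""
    if alg.startswith("PRF_"):
        return "prf"
    if alg.startswith(("MODP_", "ECP_", "CURVE_")):
        return "dh"
    if alg.startswith(("HMAC_", "AES_XCBC_", "AES_CMAC_")):
        return "integ"
    return "enc"          # AES_CBC_*, AES_GCM_*, CAMELLIA_CBC_*, 3DES_CBC, ...


def parse_proposal(text):
    """'IKE:A/B/C' -> {'proto': 'IKE', 'text': ..., 'transforms': {type: set}}."""
    proto, _, algs = text.strip().partition(":")
    transforms = defaultdict(set)
    for alg in algs.split("/"):
        if alg:
            transforms[transform_type(alg)].add(alg)
    return {"proto": proto, "text": text.strip(), "transforms": dict(transforms)}


def parse_proposals(line):
    """Extract the comma-separated proposals from a [CFG] proposals log line."""
    m = re.search(r"(?:configured|received) proposals:\s*(.*)$", line)
    if not m:
        raise ValueError("not a proposals log line: %r" % line)
    return [parse_proposal(p) for p in m.group(1).split(",") if p.strip()]


def diagnose(configured_line, received_line):
    """Report whether any configured proposal accepts a received one.
    A match needs a common algorithm for every transform type the peer sent;
    when nothing matches, 'closest' is the configured proposal that fails on
    the fewest transform types and 'missing' lists what it lacks."""
    configured = parse_proposals(configured_line)
    received = parse_proposals(received_line)
    result = {"matched": False, "closest": None, "missing": None}
    for want in received:
        for have in configured:
            if have["proto"] != want["proto"]:
                continue
            missing = {}
            for ttype, algs in want["transforms"].items():
                if not algs & have["transforms"].get(ttype, set()):
                    missing[ttype] = sorted(algs)
            # A classic proposal with an integrity transform cannot accept an
            # AEAD (GCM) proposal, which carries none.
            if "integ" in have["transforms"] and "integ" not in want["transforms"]:
                missing["integ"] = ["(AEAD proposal: no integrity transform)"]
            if not missing:
                return {"matched": True, "closest": have["text"], "missing": {}}
            if result["missing"] is None or len(missing) < len(result["missing"]):
                result["closest"] = have["text"]
                result["missing"] = missing
    return result


if __name__ == "__main__":
    verdict = diagnose(CONFIGURED_LINE, RECEIVED_LINE)
    print("matched:", verdict["matched"])
    print("closest:", verdict["closest"])
    print("missing:", verdict["missing"])
```

On the thread's lines it reports the second configured proposal as the closest candidate, lacking only MODP_1536 in the DH transform; adding that group to the pfSense phase 1 entry (or selecting it on the SonicWall side) is what makes the same input match.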


Re: [pfSense] IPSec Bug?

2017-01-24 Thread Eero Volotinen
What hardware is the other side running? Why are you trying to use 3DES?

Eero



Re: [pfSense] IPSec Bug?

2017-01-24 Thread Roland Giesler
Am I still on this list?  I'm not getting any mail from there.  Could
someone just tell me if you see my mail please?

On Tue, Jan 17, 2017 at 4:36 PM, Roland Giesler 
wrote:

> We've battled all afternoon to establish an IPSec site-to-site
> connection.  Here's what happens:
>
> Time Process PID Message
> Jan 17 15:58:53 charon 05[NET] <197> sending packet: from 129.232.232.130[500] to 105.27.116.62[500] (56 bytes)
> Jan 17 15:58:53 charon 05[ENC] <197> generating INFORMATIONAL_V1 request 2809641300 [ N(NO_PROP) ]
> Jan 17 15:58:53 charon 05[IKE] <197> no proposal found
> Jan 17 15:58:53 charon 05[CFG] <197> configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_MD5_96/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024
> Jan 17 15:58:53 charon 05[CFG] <197> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
> Jan 17 15:58:53 charon 05[IKE] <197> 105.27.116.62 is initiating a Aggressive Mode IKE_SA
>
> The strange thing is that I have set 3DES and SHA1 in my setup, yet it
> is not being offered.  I have also tested quite a few others like AES 265 and
> SHA2, but they are also not offered.  The other side (SonicWall) is
> offering what we set mutually.
>
> Is this a bug?  If not, how do I force pfSense to behave and start using
> the settings I set.
>
> IPSec IKE V2 with pre-shared key.
>
> I'm running 2.3.2_1
>
> Anyone that has seen this?
>
> regards
>
>
> Roland Giesler


Re: [pfSense] IPSEC bug in 2.1

2013-12-13 Thread Christian Borchert
I added the new line to /etc/rc.newipsecdns and restarted the pfsense box.
The tunnel came up as normal, but after restarting the modem the tunnel
failed to come back up.

The tunnel is terminating to a Linksys RV082.
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] IPSEC bug in 2.1

2013-12-12 Thread Jon Gerdes
 
 There exists an IPSEC bug in pfSense 2.1
 
 When the router's modem is restarted, the IPSEC tunnel fails to come back
 up.
 
 This bug is documented in the following places by numerous people:
 
 https://redmine.pfsense.org/issues/3321 
 http://forum.pfsense.org/index.php/topic,69235.0.html 
 http://forum.pfsense.org/index.php/topic,68776.0.html 
 http://forum.pfsense.org/index.php/topic,67929.0.html 
 http://forum.pfsense.org/index.php/topic,67625.0.html 
 
 Regards,
 Christian Borchert

Christian

I run an awful lot of IPSEC tunnels and I generally don't get the problem you 
describe in your trouble ticket which is not the same as the fault that is 
barely described in the first forum posting you link.  The rest are TL;DR for 
me.

Please try disabling DPD at both ends and set the address that you ping to any 
address other than those on the other end's router  - that address doesn't even 
have to exist, it just has to be within the remote subnet but not one that is 
bound to the router doing the IPSEC.

Incidentally your report in Redmine does not describe what the other end 
actually is - is it another pfSense box or something else?

Cheers
Jon

Registered Address : Blueloop House, Ilchester Road, YEOVIL, BA21 3AA
Registered England  Wales - 3981322

CONFIDENTIAL INFORMATION
This e-mail and any files attached with it are confidential and for the sole 
use of the intended recipient(s).  If you are not the intended recipient(s) you 
are prohibited from using, copying or distributing this or any information 
contained in it and should immediately notify the sender and delete the message 
from your system.

Internet communications are not secure and Blueloop Limited is not responsible 
for unauthorised use by third parties nor for alteration or corruption in 
transmission.  Furthermore, while Blueloop Limited have taken reasonable 
precautions to minimise the risk of software viruses, it cannot accept 
liability for any damage which you may suffer as a result of such viruses, and 
we therefore recommend you carry out your own virus checks on receipt of any 
e-mail.



Re: [pfSense] IPSEC bug in 2.1

2013-12-12 Thread Seth Mos
On 12-12-2013 10:48, Jon Gerdes wrote:

 There exists an IPSEC bug in pfSense 2.1

 When the router's modem is restarted, the IPSEC tunnel fails to come back
 up.

The problem exists if you have IPsec tunnels with the hostname: the
reload process fails to reload the firewall filters so IPsec never
negotiates.

edit /etc/rc.newipsecdns and add the line:

filter_configure();

near the end, this causes firewall rules to reload properly. We had this
issue too on 2 separate clusters with about 300 tunnels.

Kind regards,

Seth

