Dear all,

After trying to solve this for some time, I now turn to the all-mighty list. :)

We have a problem with an IPsec tunnel... Or rather, the tunnel works, but it 
spews a lot of errors in the log, so all "real" errors drown in this 
noise.
Endpoint is a CheckPoint 500WP (Check Point s...@office 500 appliance), pfsense 
is a server-class machine running pfsense 1.2-release.


Sample log output:
xxx.xxx.xxx.xxx is the pfsense WAN IP.
yyy.yyy.yyy.yyy is the IPsec endpoint WAN IP.

Dec 17 14:27:25 racoon: [IPsec tunnel name]: INFO: respond new phase 2 negotiation: xxx.xxx.xxx.xxx[0]<=>yyy.yyy.yyy.yyy[0]
Dec 17 14:27:23 racoon: ERROR: failed to pre-process packet.
Dec 17 14:27:23 racoon: ERROR: failed to get sainfo.
Dec 17 14:27:23 racoon: ERROR: failed to get sainfo.
Dec 17 14:27:23 racoon: [IPsec tunnel name]: INFO: respond new phase 2 negotiation: xxx.xxx.xxx.xxx[0]<=>yyy.yyy.yyy.yyy[0]
Dec 17 14:27:21 racoon: ERROR: failed to pre-process packet.
Dec 17 14:27:21 racoon: ERROR: failed to get sainfo.
Dec 17 14:27:21 racoon: ERROR: failed to get sainfo.
Dec 17 14:27:21 racoon: [IPsec tunnel name]: INFO: respond new phase 2 negotiation: xxx.xxx.xxx.xxx[0]<=>yyy.yyy.yyy.yyy[0]
Dec 17 14:27:19 racoon: ERROR: failed to pre-process packet.
Dec 17 14:27:19 racoon: ERROR: failed to get sainfo.
Dec 17 14:27:19 racoon: ERROR: failed to get sainfo.
Dec 17 14:27:19 racoon: [IPsec tunnel name]: INFO: respond new phase 2 negotiation: xxx.xxx.xxx.xxx[0]<=>yyy.yyy.yyy.yyy[0]
Dec 17 14:27:17 racoon: ERROR: failed to pre-process packet.
Dec 17 14:27:17 racoon: ERROR: failed to get sainfo.
Dec 17 14:27:17 racoon: ERROR: failed to get sainfo.
Dec 17 14:27:17 racoon: [IPsec tunnel name]: INFO: respond new phase 2 negotiation: xxx.xxx.xxx.xxx[0]<=>yyy.yyy.yyy.yyy[0]
Dec 17 14:27:15 racoon: ERROR: failed to pre-process packet.
Dec 17 14:27:15 racoon: ERROR: failed to get sainfo.
Dec 17 14:27:15 racoon: ERROR: failed to get sainfo.
Dec 17 14:27:15 racoon: [IPsec tunnel name]: INFO: respond new phase 2 negotiation: xxx.xxx.xxx.xxx[0]<=>yyy.yyy.yyy.yyy[0]
Dec 17 14:27:15 racoon: [IPsec tunnel name]: NOTIFY: the packet is retransmitted by yyy.yyy.yyy.yyy[500].
Dec 17 14:27:15 racoon: [IPsec tunnel name]: INFO: ISAKMP-SA established xxx.xxx.xxx.xxx[500]-yyy.yyy.yyy.yyy[500] spi:499c5b4cb0be6294:ab61d5509437137a
Dec 17 14:27:12 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Dec 17 14:27:12 racoon: INFO: begin Identity Protection mode.
Dec 17 14:27:12 racoon: [IPsec tunnel name]: INFO: respond new phase 1 negotiation: xxx.xxx.xxx.xxx[500]<=>yyy.yyy.yyy.yyy[500]
Dec 17 14:27:08 racoon: ERROR: failed to pre-process packet.
Dec 17 14:27:08 racoon: ERROR: failed to get sainfo.
Dec 17 14:27:08 racoon: ERROR: failed to get sainfo.
Dec 17 14:27:08 racoon: [IPsec tunnel name]: INFO: respond new phase 2 negotiation: xxx.xxx.xxx.xxx[0]<=>yyy.yyy.yyy.yyy[0]
Dec 17 14:27:04 racoon: ERROR: failed to pre-process packet.
Dec 17 14:27:04 racoon: ERROR: failed to get sainfo.
Dec 17 14:27:04 racoon: ERROR: failed to get sainfo.
Dec 17 14:27:04 racoon: [IPsec tunnel name]: INFO: respond new phase 2 negotiation: xxx.xxx.xxx.xxx[0]<=>yyy.yyy.yyy.yyy[0]
Dec 17 14:26:59 racoon: ERROR: failed to pre-process packet.
Dec 17 14:26:59 racoon: ERROR: failed to get sainfo.
Dec 17 14:26:59 racoon: ERROR: failed to get sainfo.

IPsec parameters are as follows:
Phase 1:
Negotiation mode: Aggressive
Encryption algorithm: 3DES
Hash algorithm: SHA1
DH key group: 5
Lifetime: 1440
Authentication method: PSK

Phase 2:
Protocol: ESP
Encryption algorithms:
            Disabled: DES
            Enabled: 3DES, Blowfish, CAST128, Rijndael (AES), Rijndael 256
Hash algorithms:
            Enabled: SHA1, MD5
PFS key group: off
Lifetime: 3600

All of this is verified to be set to the same values at the endpoint. I have 
tried to change the Phase 2 hash algorithm to MD5 on the endpoint, but the 
result is the same.

We have another working IPsec tunnel with a Linksys router as an endpoint, but 
are not that keen on switching hardware... Config is almost the same, but we 
are running PFS on that tunnel. Could that be it?

Does any of you have any ideas or pointers regarding this?
Thanks a lot!

Regards,
Peter von Weisz
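Added example, not part of the post above: a small Python triage script for the log pattern it shows. It attributes each burst of "failed to get sainfo" / "failed to pre-process packet" errors to the phase 2 negotiation attempt that shares its timestamp, counts those attempts per peer pair, and surfaces any ERROR line that does not fit that pattern, so the "real" errors the post is worried about are not lost in the noise. The sample log is a constructed excerpt in the post's format (IPs redacted the same way), and the final ERROR line is invented to stand in for an unrelated error.

```python
import re
from collections import Counter

# Constructed excerpt in the format of the post; the last ERROR line is invented
# to stand in for a "real" error hidden among the repeated phase 2 failures.
SAMPLE_LOG = """\
Dec 17 14:27:23 racoon: ERROR: failed to pre-process packet.
Dec 17 14:27:23 racoon: ERROR: failed to get sainfo.
Dec 17 14:27:23 racoon: ERROR: failed to get sainfo.
Dec 17 14:27:23 racoon: [IPsec tunnel name]: INFO: respond new phase 2 negotiation: xxx.xxx.xxx.xxx[0]<=>yyy.yyy.yyy.yyy[0]
Dec 17 14:27:21 racoon: ERROR: failed to pre-process packet.
Dec 17 14:27:21 racoon: ERROR: failed to get sainfo.
Dec 17 14:27:21 racoon: ERROR: failed to get sainfo.
Dec 17 14:27:21 racoon: [IPsec tunnel name]: INFO: respond new phase 2 negotiation: xxx.xxx.xxx.xxx[0]<=>yyy.yyy.yyy.yyy[0]
Dec 17 14:27:15 racoon: [IPsec tunnel name]: INFO: ISAKMP-SA established xxx.xxx.xxx.xxx[500]-yyy.yyy.yyy.yyy[500] spi:499c5b4cb0be6294:ab61d5509437137a
Dec 17 14:27:10 racoon: ERROR: constructed unrelated error for the example.
"""

# syslog-style prefix, optional "[tunnel name]: ", then the racoon level and message
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) +racoon: "
                     r"(?:\[[^\]]*\]: )?(?P<level>[A-Z]+): (?P<msg>.*)$")
PHASE2_RE = re.compile(r"respond new phase 2 negotiation: (\S+?)\[\d+\]<=>(\S+?)\[\d+\]")
NOISE = {"failed to get sainfo.", "failed to pre-process packet."}

def parse(text):
    """Parse racoon log lines into dicts; lines that do not match are dropped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def triage(text):
    """Return (Counter of failed phase 2 attempts per (local, remote) pair,
    list of ERROR lines that are not part of that repeating pattern).
    An attempt is counted once per second that has a phase 2 INFO line; the
    sainfo/pre-process errors in that same second are attributed to it."""
    entries = parse(text)
    phase2_by_ts = {}
    for e in entries:
        m = PHASE2_RE.search(e["msg"])
        if m:
            phase2_by_ts[e["ts"]] = (m.group(1), m.group(2))
    attempts, others, seen = Counter(), [], set()
    for e in entries:
        if e["level"] != "ERROR":
            continue
        if e["msg"] in NOISE and e["ts"] in phase2_by_ts:
            if e["ts"] not in seen:  # count the attempt, not every repeated line
                attempts[phase2_by_ts[e["ts"]]] += 1
                seen.add(e["ts"])
            continue
        others.append(f'{e["ts"]} {e["msg"]}')  # anything else deserves a look
    return attempts, others

if __name__ == "__main__":
    attempts, others = triage(SAMPLE_LOG)
    for (local, remote), n in attempts.items():
        print(f"{n} failed phase 2 attempts {local} <=> {remote} (sainfo mismatch noise)")
    print("other errors:", *others, sep="\n  ")
```

Noise errors whose timestamp has no phase 2 line (for instance at the edge of a log excerpt) are deliberately left in the "other" list rather than silently dropped.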
