Thanks guys It was the PSK.
Now to get the routing working. :) Thanks Brent On Mon, Jun 6, 2016 at 11:21 AM, Brent Clark <[email protected]> wrote: > Good day Guys > > I asked this previously, but I only got back to work today, so as sometime > has passed, I thought I would ask again in a new thread, as I made some > advancement, but still having issues. > > As per the subject, Im trying to connect to a Pfsense device. > > If someone could take alook at my setup it would be very much appreciated. > > Here is my configuration: > > root@sql01 ~ # ipsec start --debug-all --nofork > Starting strongSwan 5.1.2 IPsec [starter]... > Loading config setup > Loading conn %default > keyexchange=ikev1 > authby=secret > Loading conn 'pfsense' > left=my_ip_removed > leftsourceip=%config > leftfirewall=no > right=my_vendor_removed > rightsubnet=10.4.128.6/32 > ike=3des-sha1-modp1024! > esp=3des-sha1! > ikelifetime=86400s > keylife=3600s > auto=add > found netkey IPsec stack > Attempting to start charon... > 00[DMN] Starting IKE charon daemon (strongSwan 5.1.2, Linux > 3.13.0-77-generic, x86_64) > 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts' > 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts' > 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts' > 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts' > 00[CFG] loading crls from '/etc/ipsec.d/crls' > 00[CFG] loading secrets from '/etc/ipsec.secrets' > 00[CFG] loaded IKE secret for my_ip_removed my_vendor_removed > 00[LIB] loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 > rdrand random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 > pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve > socket-default stroke updown eap-identity addrblock > 00[LIB] unable to load 5 plugin features (5 due to unmet dependencies) > 00[LIB] dropped capabilities, running as uid 0, gid 0 > 00[JOB] spawning 16 worker threads > charon (19750) started after 20 ms > 06[CFG] received stroke: add connection 'pfsense' > 06[CFG] added configuration 'pfsense' > > > The vendor gave me the following information. (This is a copy and paste > from an excel spreadsheet. The first column is what my setting must be, and > the second is what their settings are) > > Phase I Settings "IPSec Phase 1 Settings MUST match on > both sides" > Diffie-Helman Group 2 (Mod1024) 2 (Mod1024) > Encryption Algorithm 3DES 3DES > Hash Algorithm SHA-1 SHA-1 > NAT-T Disable Disable > Lifetime (In Seconds) 86400 86400 > Phase II Settings "IPSec Phase 2 Settings.MUST match on > both sides" > Encapsulation ESP (encrypted) ESP (encrypted) > Perfect Forward Secrecy (PFS) NO PFS NO PFS > Encryption Algorithm 3DES 3DES > Hash Algorithm SHA-1 SHA-1 > Lifetime (In Seconds) 3 3600 > Lifetime (In Kbytes) N/A N/A > > > Here is some additional information. > > root@sql01 ~ # ipsec up pfsense > initiating Main Mode IKE_SA pfsense[1] to my_vendor_removed > generating ID_PROT request 0 [ SA V V V V ] > sending packet: from my_ip_removed[500] to my_vendor_removed[500] (156 bytes) > received packet: from my_vendor_removed[500] to my_ip_removed[500] (156 bytes) > parsed ID_PROT response 0 [ SA V V V V ] > received XAuth vendor ID > received DPD vendor ID > received Cisco Unity vendor ID > received NAT-T (RFC 3947) vendor ID > generating ID_PROT request 0 [ KE No NAT-D NAT-D ] > sending packet: from my_ip_removed[500] to my_vendor_removed[500] (244 bytes) > received packet: from my_vendor_removed[500] to my_ip_removed[500] (244 bytes) > parsed ID_PROT response 0 [ KE No NAT-D NAT-D ] > remote host is behind NAT > generating ID_PROT request 0 [ ID HASH ] > sending packet: from my_ip_removed[4500] to my_vendor_removed[4500] (68 bytes) > received packet: from my_vendor_removed[500] to my_ip_removed[500] (68 bytes) > invalid HASH_V1 payload length, decryption failed? > could not decrypt payloads > message parsing failed > ignore malformed INFORMATIONAL request > INFORMATIONAL_V1 request with message ID 2508402058 processing failed > sending retransmit 1 of request message ID 0, seq 3 > sending packet: from my_ip_removed[4500] to my_vendor_removed[4500] (68 bytes) > received packet: from my_vendor_removed[500] to my_ip_removed[500] (68 bytes) > invalid HASH_V1 payload length, decryption failed? > could not decrypt payloads > message parsing failed > ignore malformed INFORMATIONAL request > > ----------------------------------------------------------------------------- > > root@removed ~ # tcpdump -i eth0 -n -s 0 -vv \(port 500 or port 4500\) and > host remote_ip > 11:10:23.854742 IP (tos 0x0, ttl 64, id 23908, offset 0, flags [DF], proto > UDP (17), length 100) > my_ip_removed.4500 > my_vendor_removed.4500: [bad udp cksum 0x1ac5 -> > 0xed53!] NONESP-encap: isakmp 1.0 msgid 00000000 cookie > dad9f5e5d2979fdb->a302dd331922e192: phase 1 ? ident[E]: [encrypted id] > 11:11:05.845035 IP (tos 0x0, ttl 64, id 26186, offset 0, flags [DF], proto > UDP (17), length 100) > my_ip_removed.4500 > my_vendor_removed.4500: [bad udp cksum 0x1ac5 -> > 0xed53!] NONESP-encap: isakmp 1.0 msgid 00000000 cookie > dad9f5e5d2979fdb->a302dd331922e192: phase 1 ? ident[E]: [encrypted id] > 11:12:21.427910 IP (tos 0x0, ttl 64, id 37217, offset 0, flags [DF], proto > UDP (17), length 184) > my_ip_removed.500 > my_vendor_removed.500: [bad udp cksum 0x1b19 -> > 0x256f!] isakmp 1.0 msgid 00000000 cookie dad9f5e5d2979fdb->0000000000000000: > phase 1 I ident: > (sa: doi=ipsec situation=identity > (p: #0 protoid=isakmp transform=1 > (t: #1 id=ike (type=enc value=3des)(type=hash > value=sha1)(type=group desc value=modp1024)(type=auth > value=preshared)(type=lifetype value=sec)(type=lifeduration len=4 > value=00015180)))) > (vid: len=8) > (vid: len=16) > (vid: len=16) > (vid: len=16) > 11:12:21.618104 IP (tos 0x28, ttl 50, id 48062, offset 0, flags [none], proto > UDP (17), length 184) > my_vendor_removed.500 > my_ip_removed.500: [udp sum ok] isakmp 1.0 msgid > 00000000 cookie dad9f5e5d2979fdb->6eb7b1d308885823: phase 1 R ident: > (sa: doi=ipsec situation=identity > (p: #0 protoid=isakmp transform=1 > (t: #1 id=ike (type=enc value=3des)(type=hash > value=sha1)(type=group desc value=modp1024)(type=auth > value=preshared)(type=lifetype value=sec)(type=lifeduration len=4 > value=00015180)))) > (vid: len=8) > (vid: len=16) > (vid: len=16) > (vid: len=16) > 11:12:21.620911 IP (tos 0x0, ttl 64, id 37227, offset 0, flags [DF], proto > UDP (17), length 272) > my_ip_removed.500 > my_vendor_removed.500: [bad udp cksum 0x1b71 -> > 0x77bb!] isakmp 1.0 msgid 00000000 cookie dad9f5e5d2979fdb->6eb7b1d308885823: > phase 1 I ident: > (ke: key len=128) > (nonce: n len=32 > data=(81292b820fbcb8983077...49d69c7dccb7e8909caa4592110487911f8c5bad)) > (pay20) > (pay20) > 11:12:21.811858 IP (tos 0x28, ttl 50, id 25607, offset 0, flags [none], proto > UDP (17), length 272) > my_vendor_removed.500 > my_ip_removed.500: [udp sum ok] isakmp 1.0 msgid > 00000000 cookie dad9f5e5d2979fdb->6eb7b1d308885823: phase 1 R ident: > (ke: key len=128) > (nonce: n len=32 > data=(2f28c612791a99888ef3...a8a7c8b340152057bcefe35b50e7d7ad768cdae7)) > (pay20) > (pay20) > 11:12:21.814561 IP (tos 0x0, ttl 64, id 37263, offset 0, flags [DF], proto > UDP (17), length 100) > my_ip_removed.4500 > my_vendor_removed.4500: [bad udp cksum 0x1ac5 -> > 0xde02!] NONESP-encap: isakmp 1.0 msgid 00000000 cookie > dad9f5e5d2979fdb->6eb7b1d308885823: phase 1 I ident[E]: [encrypted id] > 11:12:22.004213 IP (tos 0x28, ttl 50, id 33638, offset 0, flags [none], proto > UDP (17), length 96) > my_vendor_removed.500 > my_ip_removed.500: [udp sum ok] isakmp 1.0 msgid > 72fe0776 cookie dad9f5e5d2979fdb->6eb7b1d308885823: phase 2/others R inf[E]: > [encrypted hash] > 11:12:25.814848 IP (tos 0x0, ttl 64, id 38072, offset 0, flags [DF], proto > UDP (17), length 100) > my_ip_removed.4500 > my_vendor_removed.4500: [bad udp cksum 0x1ac5 -> > 0xde02!] NONESP-encap: isakmp 1.0 msgid 00000000 cookie > dad9f5e5d2979fdb->6eb7b1d308885823: phase 1 I ident[E]: [encrypted id] > 11:12:26.004450 IP (tos 0x28, ttl 50, id 24130, offset 0, flags [none], proto > UDP (17), length 96) > my_vendor_removed.500 > my_ip_removed.500: [udp sum ok] isakmp 1.0 msgid > c81c162f cookie dad9f5e5d2979fdb->6eb7b1d308885823: phase 2/others R inf[E]: > [encrypted hash] > 11:12:33.015106 IP (tos 0x0, ttl 64, id 39418, offset 0, flags [DF], proto > UDP (17), length 100) > my_ip_removed.4500 > my_vendor_removed.4500: [bad udp cksum 0x1ac5 -> > 0xde02!] NONESP-encap: isakmp 1.0 msgid 00000000 cookie > dad9f5e5d2979fdb->6eb7b1d308885823: phase 1 I ident[E]: [encrypted id] > 11:12:33.204540 IP (tos 0x28, ttl 50, id 57519, offset 0, flags [none], proto > UDP (17), length 96) > my_vendor_removed.500 > my_ip_removed.500: [udp sum ok] isakmp 1.0 msgid > 6144b96e cookie dad9f5e5d2979fdb->6eb7b1d308885823: phase 2/others R inf[E]: > [encrypted hash] > 11:12:45.975394 IP (tos 0x0, ttl 64, id 40707, offset 0, flags [DF], proto > UDP (17), length 100) > my_ip_removed.4500 > my_vendor_removed.4500: [bad udp cksum 0x1ac5 -> > 0xde02!] NONESP-encap: isakmp 1.0 msgid 00000000 cookie > dad9f5e5d2979fdb->6eb7b1d308885823: phase 1 I ident[E]: [encrypted id] > 11:12:46.164873 IP (tos 0x28, ttl 50, id 34443, offset 0, flags [none], proto > UDP (17), length 96) > my_vendor_removed.500 > my_ip_removed.500: [udp sum ok] isakmp 1.0 msgid > 775b2adc cookie dad9f5e5d2979fdb->6eb7b1d308885823: phase 2/others R inf[E]: > [encrypted hash] > 11:13:09.303694 IP (tos 0x0, ttl 64, id 43955, offset 0, flags [DF], proto > UDP (17), length 100) > my_ip_removed.4500 > my_vendor_removed.4500: [bad udp cksum 0x1ac5 -> > 0xde02!] NONESP-encap: isakmp 1.0 msgid 00000000 cookie > dad9f5e5d2979fdb->6eb7b1d308885823: phase 1 I ident[E]: [encrypted id] > 11:13:51.294091 IP (tos 0x0, ttl 64, id 44938, offset 0, flags [DF], proto > UDP (17), length 100) > my_ip_removed.4500 > my_vendor_removed.4500: [bad udp cksum 0x1ac5 -> > 0xde02!] NONESP-encap: isakmp 1.0 msgid 00000000 cookie > dad9f5e5d2979fdb->6eb7b1d308885823: phase 1 I ident[E]: [encrypted id] > ^C > 16 packets captured > 16 packets received by filter > 0 packets dropped by kernel > > > Thanks if you can help me. > > Regards >
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
