On Tue, Feb 24, 2015 at 8:02 AM, Brian Candler <b.cand...@pobox.com> wrote:

> We appear to have the same problem here after upgrading a box from pfSense
> 2.1.5 to 2.2.  The other side is a Cisco ASA5505.
>
> X.X.X.219 = pfSense, internal subnet 10.19.0.0/16
> Y.Y.Y.155 = Cisco, internal subnet 10.26.0.0/16
>
> Here is the log we get from the Cisco:
>
> 2015 Feb 24 13:20:03 Group = X.X.X.219, IP = X.X.X.219, Error: dynamic map
> SYSTEM_DEFAULT_CRYPTO_MAP: * to any not permitted.
> 2015 Feb 24 13:20:03 Group = X.X.X.219, IP = X.X.X.219, Rejecting IPSec
> tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0
> local proxy 10.26.0.0/255.255.0.0/0/0 on interface outside
> 2015 Feb 24 13:20:03 Group = X.X.X.219, IP = X.X.X.219, QM FSM error (P2
> struct &0xcc9648f8, mess id 0x4c6e71f9)!
> 2015 Feb 24 13:20:03 Group = X.X.X.219, IP = X.X.X.219, Removing peer from
> correlator table failed, no match!
>
> From this, it looks pretty clear that the phase 2 request from pfSense is
> wrong: it is requesting 0.0.0.0/0 <-> 10.26.0.0/16, instead of
> 10.19.0.0/16 <-> 10.26.0.0/16
>
> Here is the log from the pfSense side:
>
> Feb 24 13:20:03    charon: 08[IKE] received INVALID_ID_INFORMATION error
> notify
> Feb 24 13:20:03    charon: 08[IKE] <con1000|42> received
> INVALID_ID_INFORMATION error notify
> Feb 24 13:20:03    charon: 08[ENC] parsed INFORMATIONAL_V1 request
> 3283507075 [ HASH N(INVAL_ID) ]
> Feb 24 13:20:03    charon: 08[NET] received packet: from Y.Y.Y.155[500] to
> X.X.X.219[500] (260 bytes)
> Feb 24 13:20:03    charon: 08[NET] sending packet: from X.X.X.219[500] to
> Y.Y.Y.155[500] (204 bytes)
> Feb 24 13:20:03    charon: 08[ENC] generating QUICK_MODE request
> 1282306553 [ HASH SA No ID ID ]
> Feb 24 13:20:03    charon: 14[KNL] creating acquire job for policy
> X.X.X.219/32|/0 === Y.Y.Y.155/32|/0 with reqid {1}
>

That's this:
https://redmine.pfsense.org/issues/4178

Disabling Unity on the Advanced tab, followed by a manual stop and start
(not just restart) of strongswan may resolve that. There was one person
reporting that wasn't adequate: the plugin had to be not loaded at all, not
just disabled like that. I haven't yet had a chance to try to duplicate
that circumstance.
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
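The ASA lines quoted above show the symptom from the responder's side: the Phase 2 proposal carries a remote proxy of 0.0.0.0/0 where the real subnet (10.19.0.0/16) should be, so the ASA finds no matching crypto map entry. The following script is an added example, not code from the thread or from pfSense or strongSwan; it parses ASA "Rejecting IPSec tunnel" lines into networks and classifies each rejection as a wildcard selector (the behaviour described in the thread), an ordinary selector mismatch, or a rejection with correct selectors that must have another cause. The sample log is constructed from the lines quoted in the mail, with the X.X.X.219 placeholder kept as-is; the expected subnets passed to `check_phase2` are the ones the poster states.

```python
import ipaddress
import re

# Constructed sample, modelled on the ASA log quoted in the thread; the
# X.X.X.219 placeholder is kept exactly as the mail shows it.
ASA_LOG = """\
2015 Feb 24 13:20:03 Group = X.X.X.219, IP = X.X.X.219, Error: dynamic map SYSTEM_DEFAULT_CRYPTO_MAP: * to any not permitted.
2015 Feb 24 13:20:03 Group = X.X.X.219, IP = X.X.X.219, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 10.26.0.0/255.255.0.0/0/0 on interface outside
2015 Feb 24 13:20:03 Group = X.X.X.219, IP = X.X.X.219, QM FSM error (P2 struct &0xcc9648f8, mess id 0x4c6e71f9)!
"""

# Matches the ASA rejection line; each proxy is written addr/netmask/proto/port.
REJECT_RE = re.compile(
    r"IP = (?P<peer>[^,]+), Rejecting IPSec tunnel: no matching crypto map entry for "
    r"remote proxy (?P<raddr>[\d.]+)/(?P<rmask>[\d.]+)/\d+/\d+ "
    r"local proxy (?P<laddr>[\d.]+)/(?P<lmask>[\d.]+)/\d+/\d+"
)


def proxy_to_network(addr, mask):
    # The ASA prints dotted netmasks; ipaddress accepts "addr/netmask" directly.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_rejections(log):
    """Extract peer, remote proxy and local proxy from each ASA rejection line."""
    found = []
    for line in log.splitlines():
        m = REJECT_RE.search(line)
        if m:
            found.append({
                "peer": m["peer"],
                "remote": proxy_to_network(m["raddr"], m["rmask"]),
                "local": proxy_to_network(m["laddr"], m["lmask"]),
            })
    return found


def check_phase2(log, expected_remote, expected_local):
    """Classify each rejected Phase 2 proposal against the selectors the tunnel should carry.

    From the ASA's point of view, "remote proxy" is the subnet behind the far peer
    (pfSense in the thread) and "local proxy" is the subnet behind the ASA itself.
    """
    exp_remote = ipaddress.ip_network(expected_remote)
    exp_local = ipaddress.ip_network(expected_local)
    findings = []
    for rej in parse_rejections(log):
        if rej["remote"].prefixlen == 0:
            # 0.0.0.0/0 offered instead of a concrete subnet: the symptom in the thread.
            kind = "wildcard_remote_selector"
        elif rej["remote"] != exp_remote or rej["local"] != exp_local:
            kind = "selector_mismatch"
        else:
            # Selectors are right, so the rejection has some other cause (e.g. proposal).
            kind = "selectors_match"
        findings.append({
            "peer": rej["peer"],
            "kind": kind,
            "remote": str(rej["remote"]),
            "local": str(rej["local"]),
        })
    return findings


if __name__ == "__main__":
    for finding in check_phase2(ASA_LOG, "10.19.0.0/16", "10.26.0.0/16"):
        print(finding)
```

Run against the quoted log with the poster's expected subnets, the single rejection is reported as `wildcard_remote_selector`, which is the case where checking the Unity setting described in the reply is the first thing to do; a `selector_mismatch` result points instead at the Phase 2 network definitions on one side or the other.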