Cloud VPN with PFSENSE


rey Trevino

Jun 16, 2017, 12:09:40 PM
to gce-discussion
Hi, I hope somebody can help me. I am trying to set up a VPN between Google Cloud VPN and my pfSense appliance; any help will be appreciated. Here is my log:

11:06:05.700 sending packet: from 35.188.161.192[500] to 148.244.147.210[500] (320 bytes)
11:06:08.391 creating acquire job for policy with reqid {1}
11:06:08.490 initiating IKE_SA vpn_148.244.147.210[151] to 148.244.147.210
11:06:08.490 generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
11:06:08.491 sending packet: from 35.188.161.192[500] to 148.244.147.210[500] (1012 bytes)
11:06:08.691 received packet: from 148.244.147.210[500] to 35.188.161.192[500] (584 bytes)
11:06:08.783 received packet: from 148.244.147.210[500] to 35.188.161.192[500] (80 bytes)
11:06:08.783 parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
11:06:08.784 received AUTHENTICATION_FAILED notify error
11:06:11.391 initiating IKE_SA vpn_148.244.147.210[152] to 148.244.147.210
11:06:11.397 generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
11:06:11.398 sending packet: from 35.188.161.192[500] to 148.244.147.210[500] (884 bytes)
11:06:11.677 received packet: from 148.244.147.210[500] to 35.188.161.192[500] (584 bytes)
11:06:14.391 initiating IKE_SA vpn_148.244.147.210[153] to 148.244.147.210
11:06:14.400 generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
11:06:14.401 sending packet: from 35.188.161.192[500] to 148.244.147.210[500] (884 bytes)
11:06:14.491 received packet: from 148.244.147.210[500] to 35.188.161.192[500] (38 bytes)
11:06:14.491 parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
11:06:14.491 peer didn't accept DH group MODP_2048, it requested MODP_3072
11:06:14.510 initiating IKE_SA vpn_148.244.147.210[153] to 148.244.147.210
11:06:14.511 generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
11:06:14.512 sending packet: from 35.188.161.192[500] to 148.244.147.210[500] (1012 bytes)
11:06:14.729 received packet: from 148.244.147.210[500] to 35.188.161.192[500] (584 bytes)
11:06:14.836 received packet: from 148.244.147.210[500] to 35.188.161.192[500] (80 bytes)
11:06:14.837 parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
11:06:17.677 received packet: from 148.244.147.210[500] to 35.188.161.192[500] (584 bytes)
11:06:17.678 parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
11:06:17.698 authentication of '35.188.161.192' (myself) with pre-shared key
11:06:17.698 establishing CHILD_SA vpn_148.244.147.210
11:06:17.698 generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
11:06:17.699 sending packet: from 35.188.161.192[500] to 148.244.147.210[500] (320 bytes)
11:06:17.766 received packet: from 148.244.147.210[500] to 35.188.161.192[500] (80 bytes)
11:06:17.766 parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
11:06:17.766 received AUTHENTICATION_FAILED notify error

Irina (Google Cloud Support)

Jun 16, 2017, 2:37:18 PM
to gce-discussion
"11:06:14.491 peer didn't accept DH group MODP_2048, it requested MODP_3072"

Verify that you've configured Diffie-Hellman Group 14 - 2048 bit modulus, as it seems that your peer device currently has Group 14 (MODP_3072). There are multiple issues that might be involved here; I suggest you confirm that the parameters of your peer VPN gateway are set up according to this public document.

Also, you might find the advanced Cloud VPN configurations and troubleshooting guide useful.

Pat Weichel

Sep 26, 2017, 12:22:33 PM
to gce-discussion
Ray, did you ever get this working? I'm looking at the possibility of doing the same thing. Thanks, Pat

Pat Weichel

Oct 5, 2017, 2:06:56 PM
to gce-discussion
I've been able to establish the IPsec tunnels, but they fail to stay up. Sometimes they will stay up for 5-6 hours, then unexpectedly close. On the pfSense I see this in the logs:
Oct 5 18:01:40 charon: 01[IKE] <con1|7> failed to establish CHILD_SA, keeping IKE_SA
Oct 5 18:01:40 charon: 01[IKE] <con1|7> no acceptable proposal found
Oct 5 18:01:40 charon: 01[CFG] <con1|7> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Oct 5 18:01:40 charon: 01[CFG] <con1|7> received proposals: ESP:AES_GCM_16_128/AES_GCM_12_128/AES_GCM_8_128/AES_CBC_128/AES_CBC_256/AES_CBC_192/HMAC_SHA1_96/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/NO_EXT_SEQ
Oct 5 18:01:40 charon: 01[ENC] <con1|7> parsed CREATE_CHILD_SA request 576 [ SA No KE TSi TSr ]
Oct 5 18:01:40 charon: 01[NET] <con1|7> received packet: from y.y.y.y[500] to x.x.x.x[500] (596 bytes)
Oct 5 18:01:37 charon: 01[NET] <con1|7> sending packet: from x.x.x.x[500] to y.y.y.y[500] (68 bytes)
Oct 5 18:01:37 charon: 01[ENC] <con1|7> generating CREATE_CHILD_SA response 575 [ N(NO_PROP) ]

While in the GCE log I see:
D  failed to establish CHILD_SA, keeping IKE_SA 
D  received TS_UNACCEPTABLE notify, no CHILD_SA built 
D  parsed CREATE_CHILD_SA response 1384 [ N(TS_UNACCEPT) ] 
D  received packet: from x.x.x.x[500] to y.y.y.y[500] (68 bytes) 
D  sending packet: from y.y.y.y[500] to x.x.x.x[500] (580 bytes) 
D  generating CREATE_CHILD_SA request 1384 [ SA No KE TSi TSr ] 
I  establishing CHILD_SA vpn_x.x.x.x{1} 


I'm not a VPN expert... but I'm heading off to look at Irina's troubleshooting and advanced config guide.

Any suggestions?

Thanks, Pat W
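The two failures in this thread are the classic IKEv2 negotiation mismatches: the first post's IKE_SA_INIT is rejected with N(INVAL_KE) because the two sides propose different phase 1 DH groups, and Pat's CREATE_CHILD_SA is rejected with N(NO_PROP) because the pfSense "configured proposals" contain no DH group at all (PFS off) while the peer's "received proposals" require one. The following script is an added example, not code from the thread, pfSense, strongSwan or Google; it parses charon log lines of the kind quoted above, reports the notify types seen, and, for a NO_PROP rejection, computes which transform type (cipher, integrity, DH/PFS, ESN) the configured and received ESP proposals never agree on. The sample log is constructed from the lines posted above (re-ordered chronologically and trimmed, with the poster's x.x.x.x/y.y.y.y placeholders); the algorithm-name prefixes used for classification are strongSwan's.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

DH_RE = re.compile(r"peer didn't accept DH group (\S+), it requested (\S+)")
CONF_RE = re.compile(r"configured proposals: (.*)$")
RECV_RE = re.compile(r"received proposals: (.*)$")
NOTIFY_RE = re.compile(r"N\((AUTH_FAILED|INVAL_KE|NO_PROP|TS_UNACCEPT)\)")

# Defender-side hints for the notify types that appear in the thread.
NOTIFY_HINTS = {
    "AUTH_FAILED": "IKE_AUTH rejected: check the pre-shared key and peer identifiers on both sides",
    "INVAL_KE": "IKE_SA_INIT rejected: phase 1 DH group differs; the peer names the group it wants",
    "NO_PROP": "no proposal chosen: compare configured vs received proposals (cipher, integrity, DH/PFS)",
    "TS_UNACCEPT": "traffic selectors rejected: compare local/remote subnets of the phase 2 entries",
}

# Transform-type classification by strongSwan algorithm-name prefix. INTEG is tested before
# ENCR so that AES_XCBC_96 / AES_CMAC_96 are not mistaken for ciphers.
_TYPE_RULES = [
    ("INTEG", ("HMAC_", "AES_XCBC", "AES_CMAC")),
    ("DH", ("MODP_", "ECP_", "CURVE_")),
    ("ESN", ("NO_EXT_SEQ", "EXT_SEQ")),
    ("ENCR", ("AES_", "3DES", "CHACHA20", "CAMELLIA", "NULL")),
]


def classify(alg: str) -> str:
    for ttype, prefixes in _TYPE_RULES:
        if alg.startswith(prefixes):
            return ttype
    return "OTHER"


def parse_proposals(text: str) -> List[Dict[str, Set[str]]]:
    """'ESP:A/B/C, ESP:D/E' -> one dict per proposal: transform type -> algorithms offered."""
    proposals = []
    for chunk in text.split(","):
        chunk = chunk.strip()
        if not chunk:
            continue
        _proto, _, algs = chunk.partition(":")
        by_type: Dict[str, Set[str]] = {}
        for alg in algs.split("/"):
            by_type.setdefault(classify(alg), set()).add(alg)
        proposals.append(by_type)
    return proposals


def proposal_gaps(ours: Dict[str, Set[str]], theirs: Dict[str, Set[str]]) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """Transform types on which two single proposals share nothing. Empty dict means compatible."""
    gaps = {}
    for ttype in set(ours) | set(theirs):
        o, t = ours.get(ttype, set()), theirs.get(ttype, set())
        if not (o & t):
            gaps[ttype] = (o, t)
    return gaps


def describe_gap(ttype: str, ours: Set[str], theirs: Set[str]) -> str:
    if not ours:
        return f"{ttype}: local side offers none, peer requires one of {sorted(theirs)}"
    if not theirs:
        return f"{ttype}: local side requires one of {sorted(ours)}, peer offers none"
    return f"{ttype}: no overlap between local {sorted(ours)} and peer {sorted(theirs)}"


def triage(log: str) -> List[dict]:
    """Scan charon log text and return structured findings (order of lines does not matter)."""
    findings: List[dict] = []
    configured = received = None
    no_prop_seen = False
    seen_notifies: Set[str] = set()
    for line in log.splitlines():
        m = DH_RE.search(line)
        if m:
            findings.append({"kind": "ike_dh_mismatch", "offered": m.group(1), "peer_wants": m.group(2)})
        m = CONF_RE.search(line)
        if m:
            configured = parse_proposals(m.group(1))
        m = RECV_RE.search(line)
        if m:
            received = parse_proposals(m.group(1))
        if "no acceptable proposal found" in line:
            no_prop_seen = True
        for notify in NOTIFY_RE.findall(line):
            if notify not in seen_notifies:
                seen_notifies.add(notify)
                findings.append({"kind": "notify", "notify": notify, "hint": NOTIFY_HINTS[notify]})
    if no_prop_seen and configured and received:
        # A transform type is the culprit only if *no* (configured, received) pair agrees on it.
        common: Optional[Set[str]] = None
        detail: Dict[str, Tuple[Set[str], Set[str]]] = {}
        for ours in configured:
            for theirs in received:
                gaps = proposal_gaps(ours, theirs)
                common = set(gaps) if common is None else common & set(gaps)
                for ttype, (o, t) in gaps.items():
                    acc = detail.setdefault(ttype, (set(), set()))
                    acc[0].update(o)
                    acc[1].update(t)
        culprits = sorted(common or ())
        findings.append({"kind": "child_sa_proposal_mismatch", "transform_types": culprits,
                         "detail": [describe_gap(t, *detail[t]) for t in culprits]})
    return findings


# Constructed sample input: lines from the thread above, chronological order, trimmed.
SAMPLE_LOG = """\
11:06:14.491 parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
11:06:14.491 peer didn't accept DH group MODP_2048, it requested MODP_3072
11:06:17.766 parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Oct 5 18:01:40 charon: 01[ENC] <con1|7> parsed CREATE_CHILD_SA request 576 [ SA No KE TSi TSr ]
Oct 5 18:01:40 charon: 01[CFG] <con1|7> received proposals: ESP:AES_GCM_16_128/AES_CBC_128/AES_CBC_256/AES_CBC_192/HMAC_SHA1_96/MODP_2048/MODP_3072/NO_EXT_SEQ
Oct 5 18:01:40 charon: 01[CFG] <con1|7> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Oct 5 18:01:40 charon: 01[IKE] <con1|7> no acceptable proposal found
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run it against the pfSense log above and the child SA finding names DH as the only transform type with no overlap, which is the practical reading of Pat's "no acceptable proposal found": the peer's CREATE_CHILD_SA carries a KE payload and MODP groups (it is doing a PFS rekey), while every configured pfSense ESP proposal lacks a DH group, so the rekey is refused and the tunnel drops after the first phase 2 lifetime even though the initial CHILD_SA came up fine. The fix on the pfSense side is to give the phase 2 entry a PFS group the peer also offers.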