PFSense IPSec VPN PFS Phase 2 Mismatch

Just a quick one that will hopefully help someone else out. This evening I decided to set up a new IPSec VPN into an Amazon EC2 instance running Openswan. After the usual VPN fun I started seeing a strange Phase 2 error from racoon in my PFSense logs:

racoon: ERROR: pfs group mismatched: my:2 peer:0

This was strange: the remote end had PFS disabled for Phase 2, and, according to the GUI, so did my PFSense instance. Yet the error says the local side (my:2) was insisting on PFS group 2 while the peer (peer:0) offered no PFS group at all.

After some digging it appears PFSense incorrectly generates the Phase 2 entries in the IPSec config file if you have “Provide the Phase2 PFS group to clients ( overrides all mobile phase2 settings )” enabled. In my case I had this checked and set to 1024 bit (PFS group 2, i.e. DH group 2), and that group was being written into the Phase 2 entry for the new link as well, not just the mobile ones.

To fix the problem, uncheck this box and manually set the PFS group on each of your mobile Phase 2 entries to match what the clients expect. Once I had done that, my system correctly honoured the PFS setting (none) I had configured for the new link. One caveat: if the Openswan end supports it, the more robust fix is to enable PFS with the same group on both sides rather than turn it off, because without PFS an attacker who recovers the Phase 1 keying material can also derive the Phase 2 keys.
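Because the GUI and the generated racoon configuration disagreed here, the useful check is to read what racoon will actually negotiate rather than what the web interface shows. The following is an added example, not code from the original post or from the PFSense project: it parses the sainfo blocks of a racoon.conf (on PFSense releases that used racoon, the generated file is assumed to be /var/etc/racoon.conf), reports the pfs_group of each Phase 2, decodes the “pfs group mismatched” log line, and flags any Phase 2 whose group differs from what the peer is configured for. The configuration fragment, selectors and addresses are constructed for the example.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed racoon.conf fragment in the shape the racoon-era pfSense GUI
# emits: a mobile phase 2 ("anonymous") where PFS group 2 is wanted, and a
# site-to-site phase 2 that the GUI showed as "PFS off" but that has been
# written with pfs_group 2 anyway (the bug described in the post).
SAMPLE_RACOON_CONF = """\
sainfo anonymous
{
\tremoteid 1;
\tencryption_algorithm aes 256;
\tauthentication_algorithm hmac_sha1;
\tpfs_group 2;
\tlifetime time 3600 secs;
\tcompression_algorithm deflate;
}

sainfo subnet 192.168.1.0/24 any subnet 10.0.0.0/24 any
{
\tremoteid 2;
\tencryption_algorithm aes 128;
\tauthentication_algorithm hmac_sha1;
\tpfs_group 2;
\tlifetime time 3600 secs;
}
"""

# One sainfo block: "sainfo <selector>" followed by a brace-delimited body.
SAINFO_RE = re.compile(r"^sainfo\s+(?P<selector>[^{]+?)\s*\{(?P<body>.*?)^\}", re.M | re.S)
# The pfs_group directive inside a sainfo body; absent means no PFS.
PFS_RE = re.compile(r"^\s*pfs_group\s+(\d+)\s*;", re.M)
# racoon's phase 2 PFS error: "my" is the local proposal, "peer" the remote one.
MISMATCH_RE = re.compile(r"pfs group mismatched: my:(\d+) peer:(\d+)")


def parse_sainfo_pfs(conf: str) -> Dict[str, Optional[int]]:
    """Map each sainfo selector to the pfs_group racoon will propose (None = no PFS)."""
    result: Dict[str, Optional[int]] = {}
    for m in SAINFO_RE.finditer(conf):
        selector = " ".join(m.group("selector").split())  # normalise whitespace
        pfs = PFS_RE.search(m.group("body"))
        result[selector] = int(pfs.group(1)) if pfs else None
    return result


def parse_mismatch(logline: str) -> Optional[Dict[str, Optional[int]]]:
    """Decode 'pfs group mismatched: my:X peer:Y'; group 0 means PFS disabled."""
    m = MISMATCH_RE.search(logline)
    if not m:
        return None
    mine, peer = int(m.group(1)), int(m.group(2))
    return {"local_pfs_group": mine or None, "peer_pfs_group": peer or None}


def find_pfs_mismatches(
    conf: str, peer_groups: Dict[str, Optional[int]]
) -> Dict[str, Tuple[Optional[int], Optional[int]]]:
    """Return {selector: (local_group, peer_group)} for every phase 2 whose
    generated pfs_group differs from the group the peer is configured for."""
    actual = parse_sainfo_pfs(conf)
    return {
        sel: (actual.get(sel), want)
        for sel, want in peer_groups.items()
        if actual.get(sel) != want
    }


if __name__ == "__main__":
    # What each remote end is configured for (constructed): clients use group 2,
    # the Openswan site-to-site peer has PFS off.
    expected = {
        "anonymous": 2,
        "subnet 192.168.1.0/24 any subnet 10.0.0.0/24 any": None,
    }
    for sel, groups in find_pfs_mismatches(SAMPLE_RACOON_CONF, expected).items():
        print(f"PFS mismatch on '{sel}': racoon proposes {groups[0]}, peer expects {groups[1]}")
    print(parse_mismatch("racoon: ERROR: pfs group mismatched: my:2 peer:0"))
```

Run it against the real file (for example `python3 check_pfs.py < /var/etc/racoon.conf` after swapping the constructed sample for `sys.stdin.read()`) before and after unchecking the box; the site-to-site selector should drop out of the mismatch list once the override is gone.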

Interestingly, this only seemed to affect connections created after my mobile IPSec entries. This definitely seems like a bug in PFSense, but hopefully this will help someone else out in the future.

