Ipsec Configuration not Working!

gabacho4

@ibnkamala can you disable the other ipsec connection and see if the one we're working on comes up? What version of PfSense is the S2S-VPN device running?

Also would like to see the ipsec logs for both sides. You can get them at Status - System Logs - then click on IPsec.

ibnkamala

@gabacho4 I have disabled the other connection however no change, I really don't know what our partner uses in the other side of the tunnel but I know they are in Ukraine.

Here are logs for both sites:

SiteA Logs

Last 500 IPsec Log Entries. (Maximum 500)
Time Process PID Message
Jun 11 12:17:38 charon 69927 10[CFG] <con1|17> sending supported signature hash algorithms: sha256 sha384 sha512 identity
Jun 11 12:17:38 charon 69927 10[ENC] <con1|17> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jun 11 12:17:38 charon 69927 10[NET] <con1|17> sending packet: from 192.168.1.27[500] to SiteB[500] (304 bytes)
Jun 11 12:17:41 charon 69927 14[CFG] vici client 213 connected
Jun 11 12:17:41 charon 69927 14[CFG] vici client 213 registered for: list-sa
Jun 11 12:17:41 charon 69927 15[CFG] vici client 213 requests: list-sas
Jun 11 12:17:41 charon 69927 08[CFG] vici client 213 disconnected
Jun 11 12:17:42 charon 69927 15[IKE] <con1|17> retransmit 1 of request with message ID 0
Jun 11 12:17:42 charon 69927 15[NET] <con1|17> sending packet: from 192.168.1.27[500] to SiteB[500] (304 bytes)
Jun 11 12:17:43 charon 69927 14[CFG] vici client 212 disconnected
Jun 11 12:17:46 charon 69927 13[CFG] vici client 214 connected
Jun 11 12:17:46 charon 69927 16[CFG] vici client 214 registered for: list-sa
Jun 11 12:17:46 charon 69927 16[CFG] vici client 214 requests: list-sas
Jun 11 12:17:46 charon 69927 14[CFG] vici client 214 disconnected
Jun 11 12:17:46 charon 69927 13[JOB] <16> deleting half open IKE_SA with SiteB after timeout
Jun 11 12:17:46 charon 69927 13[IKE] <16> IKE_SA (unnamed)[16] state change: CONNECTING => DESTROYING
Jun 11 12:17:50 charon 69927 14[IKE] <con1|17> retransmit 2 of request with message ID 0
Jun 11 12:17:50 charon 69927 14[NET] <con1|17> sending packet: from 192.168.1.27[500] to SiteB[500] (304 bytes)
Jun 11 12:17:51 charon 69927 14[CFG] vici client 215 connected
Jun 11 12:17:51 charon 69927 11[CFG] vici client 215 registered for: list-sa
Jun 11 12:17:51 charon 69927 11[CFG] vici client 215 requests: list-sas
Jun 11 12:17:51 charon 69927 05[CFG] vici client 215 disconnected
Jun 11 12:17:56 charon 69927 06[CFG] vici client 216 connected
Jun 11 12:17:56 charon 69927 12[CFG] vici client 216 registered for: list-sa
Jun 11 12:17:56 charon 69927 12[CFG] vici client 216 requests: list-sas
Jun 11 12:17:56 charon 69927 06[CFG] vici client 216 disconnected
Jun 11 12:18:01 charon 69927 14[CFG] vici client 217 connected
Jun 11 12:18:01 charon 69927 12[CFG] vici client 217 registered for: list-sa
Jun 11 12:18:01 charon 69927 07[CFG] vici client 217 requests: list-sas
Jun 11 12:18:01 charon 69927 14[CFG] vici client 217 disconnected
Jun 11 12:18:03 charon 69927 07[IKE] <con1|17> retransmit 3 of request with message ID 0
Jun 11 12:18:03 charon 69927 07[NET] <con1|17> sending packet: from 192.168.1.27[500] to SiteB[500] (304 bytes)
Jun 11 12:18:06 charon 69927 09[CFG] vici client 218 connected
Jun 11 12:18:06 charon 69927 07[CFG] vici client 218 registered for: list-sa
Jun 11 12:18:06 charon 69927 07[CFG] vici client 218 requests: list-sas
Jun 11 12:18:06 charon 69927 07[CFG] vici client 218 disconnected
Jun 11 12:18:11 charon 69927 08[CFG] vici client 219 connected
Jun 11 12:18:11 charon 69927 10[CFG] vici client 219 registered for: list-sa
Jun 11 12:18:11 charon 69927 15[CFG] vici client 219 requests: list-sas
Jun 11 12:18:11 charon 69927 08[CFG] vici client 219 disconnected
Jun 11 12:18:16 charon 69927 16[CFG] vici client 220 connected
Jun 11 12:18:16 charon 69927 16[CFG] vici client 220 registered for: list-sa
Jun 11 12:18:16 charon 69927 10[CFG] vici client 220 requests: list-sas
Jun 11 12:18:16 charon 69927 16[CFG] vici client 220 disconnected
Jun 11 12:18:21 charon 69927 10[CFG] vici client 221 connected
Jun 11 12:18:21 charon 69927 10[CFG] vici client 221 registered for: list-sa
Jun 11 12:18:21 charon 69927 05[CFG] vici client 221 requests: list-sas
Jun 11 12:18:21 charon 69927 10[CFG] vici client 221 disconnected
Jun 11 12:18:26 charon 69927 11[CFG] vici client 222 connected
Jun 11 12:18:26 charon 69927 11[CFG] vici client 222 registered for: list-sa

SiteB Logs

Last 50 IPsec Log Entries. (Maximum 50)
Time Process PID Message
Jun 11 15:35:14 charon 05[CFG] ignoring acquire, connection attempt pending
Jun 11 15:35:14 charon 08[KNL] creating acquire job for policy 10.10.0.5/32|/0 === SiteA/32|/0 with reqid {1}
Jun 11 15:35:08 charon 08[CFG] ignoring acquire, connection attempt pending
Jun 11 15:35:08 charon 05[KNL] creating acquire job for policy 10.10.0.5/32|/0 === SiteA/32|/0 with reqid {1}
Jun 11 15:35:07 charon 07[NET] <con2000|1> sending packet: from 10.10.0.5[4500] to SiteA[4500] (272 bytes)
Jun 11 15:35:07 charon 07[IKE] <con2000|1> retransmit 3 of request with message ID 1
Jun 11 15:35:01 charon 07[CFG] ignoring acquire, connection attempt pending
Jun 11 15:35:01 charon 05[KNL] creating acquire job for policy 10.10.0.5/32|/0 === SiteA/32|/0 with reqid {1}
Jun 11 15:34:55 charon 06[CFG] ignoring acquire, connection attempt pending
Jun 11 15:34:55 charon 05[KNL] creating acquire job for policy 10.10.0.5/32|/0 === SiteA/32|/0 with reqid {1}
Jun 11 15:34:54 charon 11[CFG] vici client 1 disconnected
Jun 11 15:34:54 charon 11[CFG] vici client 1 requests: list-sas
Jun 11 15:34:54 charon 11[CFG] vici client 1 registered for: list-sa
Jun 11 15:34:54 charon 11[CFG] vici client 1 connected
Jun 11 15:34:54 charon 11[NET] <con2000|1> sending packet: from 10.10.0.5[4500] to SiteA[4500] (272 bytes)
Jun 11 15:34:54 charon 11[IKE] <con2000|1> retransmit 2 of request with message ID 1
Jun 11 15:34:49 charon 13[CFG] ignoring acquire, connection attempt pending
Jun 11 15:34:49 charon 13[KNL] creating acquire job for policy 10.10.0.5/32|/0 === SiteA/32|/0 with reqid {1}
Jun 11 15:34:46 charon 13[NET] <con2000|1> sending packet: from 10.10.0.5[4500] to SiteA[4500] (272 bytes)
Jun 11 15:34:46 charon 13[IKE] <con2000|1> retransmit 1 of request with message ID 1
Jun 11 15:34:42 charon 15[NET] <con2000|1> sending packet: from 10.10.0.5[4500] to SiteA[4500] (272 bytes)
Jun 11 15:34:42 charon 15[ENC] <con2000|1> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Jun 11 15:34:42 charon 15[IKE] <con2000|1> establishing CHILD_SA con2000{2} reqid 1
Jun 11 15:34:42 charon 15[CFG] <con2000|1> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
Jun 11 15:34:42 charon 15[CFG] <con2000|1> 192.168.1.0/24|/0
Jun 11 15:34:42 charon 15[CFG] <con2000|1> proposing traffic selectors for other:
Jun 11 15:34:42 charon 15[CFG] <con2000|1> 10.10.0.0/24|/0
Jun 11 15:34:42 charon 15[CFG] <con2000|1> proposing traffic selectors for us:
Jun 11 15:34:42 charon 15[IKE] <con2000|1> successfully created shared key MAC
Jun 11 15:34:42 charon 15[IKE] <con2000|1> authentication of 'SiteB' (myself) with pre-shared key
Jun 11 15:34:42 charon 15[IKE] <con2000|1> IKE_AUTH task
Jun 11 15:34:42 charon 15[IKE] <con2000|1> IKE_CERT_PRE task
Jun 11 15:34:42 charon 15[IKE] <con2000|1> reinitiating already active tasks
Jun 11 15:34:42 charon 15[IKE] <con2000|1> remote host is behind NAT
Jun 11 15:34:42 charon 15[IKE] <con2000|1> local host is behind NAT, sending keep alives
Jun 11 15:34:42 charon 15[CFG] <con2000|1> received supported signature hash algorithms: sha256 sha384 sha512 identity
Jun 11 15:34:42 charon 15[CFG] <con2000|1> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384
Jun 11 15:34:42 charon 15[CFG] <con2000|1> configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384
Jun 11 15:34:42 charon 15[CFG] <con2000|1> received proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384
Jun 11 15:34:42 charon 15[CFG] <con2000|1> proposal matches
Jun 11 15:34:42 charon 15[CFG] <con2000|1> selecting proposal:
Jun 11 15:34:42 charon 15[IKE] <con2000|1> received CHILDLESS_IKEV2_SUPPORTED notify
Jun 11 15:34:42 charon 15[IKE] <con2000|1> received SIGNATURE_HASH_ALGORITHMS notify
Jun 11 15:34:42 charon 15[IKE] <con2000|1> received FRAGMENTATION_SUPPORTED notify
Jun 11 15:34:42 charon 15[ENC] <con2000|1> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Jun 11 15:34:42 charon 15[NET] <con2000|1> received packet: from SiteA[500] to 10.10.0.5[500] (312 bytes)
Jun 11 15:34:42 charon 15[NET] <con2000|1> sending packet: from 10.10.0.5[500] to SiteA[500] (304 bytes)
Jun 11 15:34:42 charon 15[ENC] <con2000|1> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jun 11 15:34:42 charon 15[CFG] <con2000|1> sending supported signature hash algorithms: sha256 sha384 sha512 identity
Jun 11 15:34:42 charon 15[CFG] <con2000|1> configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384

gabacho4

@ibnkamala so, the logs should match up. I understand that site A and site B might be in different places geographically and thus the logs will show a different hour, but the minutes:seconds should match. Really can't follow the connection activities when you've given me logs with timestamps that are like 15 minutes apart.

gabacho4

@ibnkamala also, have you created firewall rules on the ipsec tab on both site? Preferably just a simple allow any protocol from any source to any destination rule?

ibnkamala

@gabacho4 Yes, Any to Any rule is applied on both sites within IPsec interface

gabacho4

@ibnkamala OK so now is about the point at which I say, update the 2.4.5 box to 2.6 before we can do any more troubleshooting. I don't want to spend any more time trying to force this and hope that both versions are speaking the same ipsec language. Please update and then let us know where things stand.

ibnkamala

@gabacho4 I wanted to post you the logs while time is matched but couldn't it says it's a SPAM. I don't know if there is a way to upload them as a PDF?

but Monday I will update 2.4.5 to 2.6 and for sure will update you of the outcome

ibnkamala

@gabacho4 SiteA and SiteB Logs.zip

Here are the logs if you have some time please let me know if you get something from !

ibnkamala

Thank you so much for your great help, have nice weekend @gabacho4

luckman212

I'm tuning in and grabbing popcorn for this one.

@ibnkamala you say here that "both sides are behind NAT". I'm trying to wrap my head around how this is expected to work. IPsec uses static outbound ports so having >1 Phase1 behind a single NAT shouldn't really be possible without some crazy configuration involving port forwarding and outbound NAT on both sides. Later on you state "I really don't know what our partner uses in the other side of the tunnel" ... so

And then on top of it you're running a 2+ year old version on one end...

gabacho4

@luckman212 having both routers behind NAT should work fine. I believe I’ve done it in the past. The key however is you have to set that identifier to a KeyID instead of IP address. Googling produces a hit that supports my belief/understanding.

https://networkengineering.stackexchange.com/questions/70626/is-an-ipsec-connection-between-2-devices-behind-nat-possible

I’m strongly inclined to believe the OP has an interoperability issue due to the different pfsense versions. More than happy play with @ibnkamala more once we are comparing apples to apples.

luckman212

@gabacho4 I can see how a single IPsec P1 could be made to work where both sides are using NAT-T but I am failing to understand how you could have multiple working P1s like that. I admit I haven't seen the KeyID method you linked to used in the wild so maybe I'm just unaware of that. Anyway, curious how this ends up.

gabacho4

@luckman212 I am as well. Enjoy the show! Either we emerge victorious or I lose my sanity.

ibnkamala

@gabacho4 and @luckman212 since you spoke about NAT and port forwarding I decided to share with you my infra. in both sides to have a clear picture of what I have.

@gabacho4 I hope I did not give you wrong information, if so I apologize in advance

luckman212

@ibnkamala why are you making things harder than they need to be? why not replace the "simple internet box" with the pfsense VM and connect IPSEC directly to the Sonicwall on the other end (no NAT required)

Am I missing something?

ibnkamala

@luckman212 how can I replace internetBox by Pfsense/vm? your point was siteA right?

luckman212

@ibnkamala just unplug "simple internet box" and enable dhcp on your pfsense VM. You will need 2 NICs on there so you can have LAN/WAN or you'll need to use VLANs and have a VLAN-capable switch (I'm guessing you may not have this)

Yes I am talking about SiteA. I assume you have no direct control over SiteB but I hope that you are at least able to coordinate with whoever controls the Sonicwall to have them set up the tunnel and provide you with the P1/P2 settings.

ibnkamala

@luckman212 sadly I only have one NIC on the workstation that I have pfsense on. (However in reality siteA will be behind NAT)

Yes I do have direct access to the SiteB, you want me to use SonicWall for the IPsec instead pfsense?

ibnkamala

@gabacho4 and @luckman212 also for your information when I check the port with the Public IPs:

SiteB is open,

But SiteA is closed! do you think this is what makes the problem? and since it's a simple internetBox I do not have a firewall to ope the ports at all.

ibnkamala

This post is deleted!