Can Not Establish IPSEC Connection – PFSense Behind Cisco Router
-
Hello Community,
I have been looking through documentation, and tried a few, but I am still stuck on trying to establish an IPSEC connection from a client (iOS or Windows). The setup that I have is: WAN Connection --> Cisco 4431 Router --> pfSense --> LAN
I have created the Phase 1 + 2 settings with
Phase 1:
Interface: WAN
Authentication Method: PSK + Xauth
Negotiation Mode: Aggressive
My Identifier: My IP Address
Peer Identifier: Distinguished Name
Proposal: AES / 128-bit
Hash: SHA1
DH Group: 2 - 1024 bit
Checked Responder Only
NAT Traversal: Force

Phase 2:
Local Network: LAN subnet
Protocol: ESP
Encryption Algorithm: Checked AES / 128-bit
Hash: SHA1
PFS Key Group: Grayed Out
Lifetime: 3600

Router settings and log messages are as follows:
interface GigabitEthernet0/0/0
description WAN side
ip address x.x.208.170 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip verify unicast reverse-path
ip access-group 110 in
load-interval 30
media-type sfp
negotiation auto
ip virtual-reassembly
!
interface GigabitEthernet0/0/1
shutdown
!
interface GigabitEthernet0/0/2
description LAN Side
ip address 10.20.0.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
negotiation auto
ip virtual-reassembly
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
ip nat inside source list 111 interface GigabitEthernet0/0/0 overload
ip nat inside source static udp 10.20.0.2 500 interface GigabitEthernet0/0/0 500
ip nat inside source static esp 10.20.0.2 interface GigabitEthernet0/0/0
ip nat inside source static tcp 10.20.0.2 22 x.x.208.170 1022 extendable
ip forward-protocol nd
ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet0/0/1
ip route 0.0.0.0 0.0.0.0 x.x.208.169
ip route 10.30.0.0 255.255.255.224 10.20.0.2
!
!
access-list 110 permit udp any any
access-list 110 permit ip any any
access-list 111 permit ip any any log
!

Feb 18 13:09:00 charon 08[NET] <17> received packet: from 103.46.209.154[500] to 10.20.0.2[500] (761 bytes)
Feb 18 13:09:00 charon 08[ENC] <17> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
Feb 18 13:09:00 charon 08[IKE] <17> received FRAGMENTATION vendor ID
Feb 18 13:09:00 charon 08[IKE] <17> received NAT-T (RFC 3947) vendor ID
Feb 18 13:09:00 charon 08[IKE] <17> received draft-ietf-ipsec-nat-t-ike vendor ID
Feb 18 13:09:00 charon 08[IKE] <17> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Feb 18 13:09:00 charon 08[IKE] <17> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Feb 18 13:09:00 charon 08[IKE] <17> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Feb 18 13:09:00 charon 08[IKE] <17> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Feb 18 13:09:00 charon 08[IKE] <17> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Feb 18 13:09:00 charon 08[IKE] <17> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Feb 18 13:09:00 charon 08[IKE] <17> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Feb 18 13:09:00 charon 08[IKE] <17> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Feb 18 13:09:00 charon 08[IKE] <17> received XAuth vendor ID
Feb 18 13:09:00 charon 08[IKE] <17> received Cisco Unity vendor ID
Feb 18 13:09:00 charon 08[IKE] <17> received DPD vendor ID
Feb 18 13:09:00 charon 08[IKE] <17> 103.46.209.154 is initiating a Aggressive Mode IKE_SA
Feb 18 13:09:00 charon 08[CFG] <17> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Feb 18 13:09:00 charon 08[CFG] <17> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 18 13:09:00 charon 08[IKE] <17> no proposal found
Feb 18 13:09:00 charon 08[ENC] <17> generating INFORMATIONAL_V1 request 3836950386 [ N(NO_PROP) ]
Feb 18 13:09:00 charon 08[NET] <17> sending packet: from 10.20.0.2[500] to 103.46.209.154[500] (56 bytes)
Feb 18 13:09:00 charon 08[NET] <18> received packet: from 103.46.209.154[500] to 10.20.0.2[500] (761 bytes)
Feb 18 13:09:00 charon 08[ENC] <18> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
Feb 18 13:09:00 charon 08[IKE] <18> received FRAGMENTATION vendor ID
Feb 18 13:09:00 charon 08[IKE] <18> received NAT-T (RFC 3947) vendor ID
Feb 18 13:09:00 charon 08[IKE] <18> received draft-ietf-ipsec-nat-t-ike vendor ID
Feb 18 13:09:00 charon 08[IKE] <18> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Feb 18 13:09:00 charon 08[IKE] <18> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Feb 18 13:09:00 charon 08[IKE] <18> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Feb 18 13:09:00 charon 08[IKE] <18> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Feb 18 13:09:00 charon 08[IKE] <18> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Feb 18 13:09:00 charon 08[IKE] <18> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Feb 18 13:09:00 charon 08[IKE] <18> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Feb 18 13:09:00 charon 08[IKE] <18> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Feb 18 13:09:00 charon 08[IKE] <18> received XAuth vendor ID
Feb 18 13:09:00 charon 08[IKE] <18> received Cisco Unity vendor ID
Feb 18 13:09:00 charon 08[IKE] <18> received DPD vendor ID
Feb 18 13:09:00 charon 08[IKE] <18> 103.46.209.154 is initiating a Aggressive Mode IKE_SA
Feb 18 13:09:00 charon 08[CFG] <18> looking for XAuthInitPSK peer configs matching 10.20.0.2…103.46.209.154[cisco]
Feb 18 13:09:00 charon 08[CFG] <18> selected peer config "con1"
Feb 18 13:09:00 charon 08[ENC] <con1|18>generating AGGRESSIVE response 0 [ SA KE No ID V V V V NAT-D NAT-D HASH ]
Feb 18 13:09:00 charon 08[NET] <con1|18>sending packet: from 10.20.0.2[500] to 103.46.209.154[500] (412 bytes)
Feb 18 13:09:04 charon 08[IKE] <con1|18>sending retransmit 1 of response message ID 0, seq 1
Feb 18 13:09:04 charon 08[NET] <con1|18>sending packet: from 10.20.0.2[500] to 103.46.209.154[500] (412 bytes)
Feb 18 13:09:09 charon 10[CFG] received stroke: terminate 'con1000'
Feb 18 13:09:09 charon 10[CFG] no IKE_SA named 'con1000' found
Feb 18 13:09:09 charon 08[CFG] received stroke: initiate 'con1000'
Feb 18 13:09:09 charon 08[CFG] no config named 'con1000'
Feb 18 13:09:11 charon 10[IKE] <con1|18>sending retransmit 2 of response message ID 0, seq 1
Feb 18 13:09:11 charon 10[NET] <con1|18>sending packet: from 10.20.0.2[500] to 103.46.209.154[500] (412 bytes)
Feb 18 13:09:24 charon 13[IKE] <con1|18>sending retransmit 3 of response message ID 0, seq 1
Feb 18 13:09:24 charon 13[NET] <con1|18>sending packet: from 10.20.0.2[500] to 103.46.209.154[500] (412 bytes)
Feb 18 13:09:30 charon 14[JOB] <con1|18>deleting half open IKE_SA after timeout
Feb 18 14:22:14 charon 10[NET] <19> received packet: from 103.46.209.154[500] to 10.20.0.2[500] (761 bytes)
Feb 18 14:22:14 charon 10[ENC] <19> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
Feb 18 14:22:14 charon 10[IKE] <19> received FRAGMENTATION vendor ID
Feb 18 14:22:14 charon 10[IKE] <19> received NAT-T (RFC 3947) vendor ID
Feb 18 14:22:14 charon 10[IKE] <19> received draft-ietf-ipsec-nat-t-ike vendor ID
Feb 18 14:22:14 charon 10[IKE] <19> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Feb 18 14:22:14 charon 10[IKE] <19> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Feb 18 14:22:14 charon 10[IKE] <19> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Feb 18 14:22:14 charon 10[IKE] <19> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Feb 18 14:22:14 charon 10[IKE] <19> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Feb 18 14:22:14 charon 10[IKE] <19> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Feb 18 14:22:14 charon 10[IKE] <19> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Feb 18 14:22:14 charon 10[IKE] <19> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Feb 18 14:22:14 charon 10[IKE] <19> received XAuth vendor ID
Feb 18 14:22:14 charon 10[IKE] <19> received Cisco Unity vendor ID
Feb 18 14:22:14 charon 10[IKE] <19> received DPD vendor ID
Feb 18 14:22:14 charon 10[IKE] <19> 103.46.209.154 is initiating a Aggressive Mode IKE_SA
Feb 18 14:22:14 charon 10[CFG] <19> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Feb 18 14:22:14 charon 10[CFG] <19> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 18 14:22:14 charon 10[IKE] <19> no proposal found
Feb 18 14:22:14 charon 10[ENC] <19> generating INFORMATIONAL_V1 request 3476172714 [ N(NO_PROP) ]
Feb 18 14:22:14 charon 10[NET] <19> sending packet: from 10.20.0.2[500] to 103.46.209.154[500] (56 bytes)
Feb 18 14:22:14 charon 10[NET] <20> received packet: from 103.46.209.154[500] to 10.20.0.2[500] (761 bytes)
Feb 18 14:22:14 charon 10[ENC] <20> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
Feb 18 14:22:14 charon 10[IKE] <20> received FRAGMENTATION vendor ID
Feb 18 14:22:14 charon 10[IKE] <20> received NAT-T (RFC 3947) vendor ID
Feb 18 14:22:14 charon 10[IKE] <20> received draft-ietf-ipsec-nat-t-ike vendor ID
Feb 18 14:22:14 charon 10[IKE] <20> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Feb 18 14:22:14 charon 10[IKE] <20> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Feb 18 14:22:14 charon 10[IKE] <20> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Feb 18 14:22:14 charon 10[IKE] <20> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Feb 18 14:22:14 charon 10[IKE] <20> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Feb 18 14:22:14 charon 10[IKE] <20> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Feb 18 14:22:14 charon 10[IKE] <20> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Feb 18 14:22:14 charon 10[IKE] <20> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Feb 18 14:22:14 charon 10[IKE] <20> received XAuth vendor ID
Feb 18 14:22:14 charon 10[IKE] <20> received Cisco Unity vendor ID
Feb 18 14:22:14 charon 10[IKE] <20> received DPD vendor ID
Feb 18 14:22:14 charon 10[IKE] <20> 103.46.209.154 is initiating a Aggressive Mode IKE_SA
Feb 18 14:22:14 charon 10[CFG] <20> looking for XAuthInitPSK peer configs matching 10.20.0.2…103.46.209.154[cisco]
Feb 18 14:22:14 charon 10[CFG] <20> selected peer config "con1"
Feb 18 14:22:14 charon 10[ENC] <con1|20>generating AGGRESSIVE response 0 [ SA KE No ID V V V V NAT-D NAT-D HASH ]
Feb 18 14:22:14 charon 10[NET] <con1|20>sending packet: from 10.20.0.2[500] to 103.46.209.154[500] (412 bytes)
Feb 18 14:22:18 charon 10[IKE] <con1|20>sending retransmit 1 of response message ID 0, seq 1
Feb 18 14:22:18 charon 10[NET] <con1|20>sending packet: from 10.20.0.2[500] to 103.46.209.154[500] (412 bytes)
Feb 18 14:22:25 charon 10[IKE] <con1|20>sending retransmit 2 of response message ID 0, seq 1
Feb 18 14:22:25 charon 10[NET] <con1|20>sending packet: from 10.20.0.2[500] to 103.46.209.154[500] (412 bytes)
Feb 18 14:22:38 charon 10[IKE] <con1|20>sending retransmit 3 of response message ID 0, seq 1
Feb 18 14:22:38 charon 10[NET] <con1|20>sending packet: from 10.20.0.2[500] to 103.46.209.154[500] (412 bytes)
Feb 18 14:22:44 charon 14[JOB] <con1|20>deleting half open IKE_SA after timeout

Please Help!!!
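As an added example (not part of this post and not pfSense or strongSwan code), here is a small Python script that reads charon log lines in the format pasted above and reports the two patterns these logs show: "no proposal found", with the Phase 1 components on which the peer's offers and the configured proposal never meet, and a Phase 1 response that is retransmitted until the half-open IKE_SA is deleted. The sample log is constructed, with a documentation peer address (RFC 5737) in place of the one in the post.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the charon log format of the post; 198.51.100.7 stands in for the peer.
SAMPLE_LOG = """\
Feb 18 13:09:00 charon 08[IKE] <17> 198.51.100.7 is initiating a Aggressive Mode IKE_SA
Feb 18 13:09:00 charon 08[CFG] <17> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Feb 18 13:09:00 charon 08[CFG] <17> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 18 13:09:00 charon 08[IKE] <17> no proposal found
Feb 18 13:09:00 charon 08[IKE] <18> 198.51.100.7 is initiating a Aggressive Mode IKE_SA
Feb 18 13:09:04 charon 08[IKE] <con1|18>sending retransmit 1 of response message ID 0, seq 1
Feb 18 13:09:11 charon 10[IKE] <con1|18>sending retransmit 2 of response message ID 0, seq 1
Feb 18 13:09:24 charon 13[IKE] <con1|18>sending retransmit 3 of response message ID 0, seq 1
Feb 18 13:09:30 charon 14[JOB] <con1|18>deleting half open IKE_SA after timeout
"""

# timestamp, thread[subsystem], optional "<17>" / "<con1|18>" SA tag (the pasted log has no
# space after the tag, so the space is optional), then the message text.
LINE_RE = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d charon \d+\[[A-Z]+\] "
                     r"(?:<(?:[^|>]+\|)?(?P<sa>\d+)> ?)?(?P<msg>.*)$")
ALG_KEYS = ("enc", "integ", "prf", "dh")  # order of the fields in an IKE proposal string


@dataclass
class IkeSa:
    sa_id: str
    peer: str = ""
    received: list = field(default_factory=list)    # proposals the peer offered
    configured: list = field(default_factory=list)  # proposals this side accepts
    no_proposal: bool = False
    retransmits: int = 0   # our Phase 1 response resent without any answer
    timed_out: bool = False


def parse_proposals(text):
    """'IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:...' -> list of dicts."""
    return [dict(zip(ALG_KEYS, item.split(":", 1)[-1].split("/"))) for item in text.split(", ")]


def parse_log(text):
    sas = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("sa") is None:
            continue  # socket housekeeping lines carry no per-SA state
        sa = sas.setdefault(m.group("sa"), IkeSa(m.group("sa")))
        msg = m.group("msg")
        if " is initiating a " in msg:
            sa.peer = msg.split(" is initiating a ")[0]
        elif msg.startswith("received proposals: "):
            sa.received = parse_proposals(msg[len("received proposals: "):])
        elif msg.startswith("configured proposals: "):
            sa.configured = parse_proposals(msg[len("configured proposals: "):])
        elif msg == "no proposal found":
            sa.no_proposal = True
        elif msg.startswith("sending retransmit ") and " of response " in msg:
            sa.retransmits += 1
        elif msg.startswith("deleting half open IKE_SA"):
            sa.timed_out = True
    return sas


def proposal_gap(received, configured):
    """Components where no peer value meets any configured value: key -> (theirs, ours)."""
    gap = {}
    for key in ALG_KEYS:
        theirs = {p.get(key, "") for p in received}
        ours = {p.get(key, "") for p in configured}
        if not theirs & ours:
            gap[key] = (sorted(theirs), sorted(ours))
    return gap


def diagnose(sas):
    """(sa_id, finding, detail) for the two failure patterns visible in the post's log."""
    findings = []
    for sa in sas.values():
        if sa.no_proposal:  # a proposal must match on every component; name those that cannot
            findings.append((sa.sa_id, "proposal_mismatch", proposal_gap(sa.received, sa.configured)))
        if sa.timed_out and sa.retransmits:
            detail = ("Phase 1 response to %s resent %d times and never answered: the reply is not "
                      "reaching the peer or is being discarded (check the NAT/firewall return path "
                      "for UDP 500 and, with NAT-T, UDP 4500)" % (sa.peer, sa.retransmits))
            findings.append((sa.sa_id, "no_reply_from_peer", detail))
    return findings


if __name__ == "__main__":
    for sa_id, kind, detail in diagnose(parse_log(SAMPLE_LOG)):
        print("IKE_SA %s: %s -> %s" % (sa_id, kind, detail))
```

Run against the full log from Status --> IPsec, it reports the same two findings per IKE_SA number, so the configured-vs-received gap (here AES 256 vs 128 and MODP 2048 vs 1024) is listed once rather than read out of the raw lines.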
-
Now seeing the attempted connection under Status –> IPSEC:
Time Process PID Message
Feb 19 15:12:25 charon 07[NET] received packet: from 103.46.209.154[500] to 10.20.0.2[500]
Feb 19 15:12:25 charon 07[NET] waiting for data on sockets
Feb 19 15:12:25 charon 12[MGR] checkout IKEv1 SA by message with SPIs 7ba7c04f2b6e9753_i 0000000000000000_r
Feb 19 15:12:25 charon 12[MGR] created IKE_SA (unnamed)[3]
Feb 19 15:12:25 charon 12[NET] <3> received packet: from 103.46.209.154[500] to 10.20.0.2[500] (771 bytes)
Feb 19 15:12:25 charon 12[IKE] <3> received FRAGMENTATION vendor ID
Feb 19 15:12:25 charon 12[IKE] <3> received NAT-T (RFC 3947) vendor ID
Feb 19 15:12:25 charon 12[IKE] <3> received draft-ietf-ipsec-nat-t-ike vendor ID
Feb 19 15:12:25 charon 12[IKE] <3> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Feb 19 15:12:25 charon 12[IKE] <3> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Feb 19 15:12:25 charon 12[IKE] <3> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Feb 19 15:12:25 charon 12[IKE] <3> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Feb 19 15:12:25 charon 12[IKE] <3> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Feb 19 15:12:25 charon 12[IKE] <3> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Feb 19 15:12:25 charon 12[IKE] <3> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Feb 19 15:12:25 charon 12[IKE] <3> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Feb 19 15:12:25 charon 12[IKE] <3> received XAuth vendor ID
Feb 19 15:12:25 charon 12[IKE] <3> received Cisco Unity vendor ID
Feb 19 15:12:25 charon 12[IKE] <3> received DPD vendor ID
Feb 19 15:12:25 charon 12[IKE] <3> 103.46.209.154 is initiating a Aggressive Mode IKE_SA
Feb 19 15:12:25 charon 12[IKE] <3> IKE_SA (unnamed)[3] state change: CREATED => CONNECTING
Feb 19 15:12:25 charon 12[IKE] <3> no proposal found
Feb 19 15:12:25 charon 12[IKE] <3> queueing INFORMATIONAL task
Feb 19 15:12:25 charon 12[IKE] <3> activating new tasks
Feb 19 15:12:25 charon 12[IKE] <3> activating INFORMATIONAL task
Feb 19 15:12:25 charon 12[NET] <3> sending packet: from 10.20.0.2[500] to 103.46.209.154[500] (56 bytes)
Feb 19 15:12:25 charon 12[MGR] <3> checkin and destroy IKE_SA (unnamed)[3]
Feb 19 15:12:25 charon 04[NET] sending packet: from 10.20.0.2[500] to 103.46.209.154[500]
Feb 19 15:12:25 charon 12[IKE] <3> IKE_SA (unnamed)[3] state change: CONNECTING => DESTROYING
Feb 19 15:12:25 charon 12[MGR] checkin and destroy of IKE_SA successful
Feb 19 15:12:25 charon 07[NET] received packet: from 103.46.209.154[500] to 10.20.0.2[500]
Feb 19 15:12:25 charon 07[NET] waiting for data on sockets
Feb 19 15:12:25 charon 12[MGR] checkout IKEv1 SA by message with SPIs c24d4bc5c9ba68b2_i 0000000000000000_r
Feb 19 15:12:25 charon 12[MGR] created IKE_SA (unnamed)[4]
Feb 19 15:12:25 charon 12[NET] <4> received packet: from 103.46.209.154[500] to 10.20.0.2[500] (771 bytes)
Feb 19 15:12:25 charon 12[IKE] <4> received FRAGMENTATION vendor ID
Feb 19 15:12:25 charon 12[IKE] <4> received NAT-T (RFC 3947) vendor ID
Feb 19 15:12:25 charon 12[IKE] <4> received draft-ietf-ipsec-nat-t-ike vendor ID
Feb 19 15:12:25 charon 12[IKE] <4> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Feb 19 15:12:25 charon 12[IKE] <4> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Feb 19 15:12:25 charon 12[IKE] <4> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Feb 19 15:12:25 charon 12[IKE] <4> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Feb 19 15:12:25 charon 12[IKE] <4> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Feb 19 15:12:25 charon 12[IKE] <4> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Feb 19 15:12:25 charon 12[IKE] <4> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Feb 19 15:12:25 charon 12[IKE] <4> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Feb 19 15:12:25 charon 12[IKE] <4> received XAuth vendor ID
Feb 19 15:12:25 charon 12[IKE] <4> received Cisco Unity vendor ID
Feb 19 15:12:25 charon 12[IKE] <4> received DPD vendor ID
Feb 19 15:12:25 charon 12[IKE] <4> 103.46.209.154 is initiating a Aggressive Mode IKE_SA
Feb 19 15:12:25 charon 12[IKE] <4> IKE_SA (unnamed)[4] state change: CREATED => CONNECTING
Feb 19 15:12:25 charon 12[LIB] <4> size of DH secret exponent: 1023 bits
Feb 19 15:12:25 charon 12[IKE] <con1|4>sending XAuth vendor ID
Feb 19 15:12:25 charon 12[IKE] <con1|4>sending DPD vendor ID
Feb 19 15:12:25 charon 12[IKE] <con1|4>sending Cisco Unity vendor ID
Feb 19 15:12:25 charon 12[IKE] <con1|4>sending FRAGMENTATION vendor ID
Feb 19 15:12:25 charon 12[IKE] <con1|4>sending NAT-T (RFC 3947) vendor ID
Feb 19 15:12:25 charon 12[NET] <con1|4>sending packet: from 10.20.0.2[500] to 103.46.209.154[500] (428 bytes)
Feb 19 15:12:25 charon 12[MGR] <con1|4>checkin IKE_SA con1[4]
Feb 19 15:12:25 charon 04[NET] sending packet: from 10.20.0.2[500] to 103.46.209.154[500]
Feb 19 15:12:25 charon 12[MGR] <con1|4>checkin of IKE_SA successful
Feb 19 15:12:29 charon 12[MGR] checkout IKEv1 SA with SPIs c24d4bc5c9ba68b2_i f79e3272d7218d04_r
Feb 19 15:12:29 charon 12[MGR] IKE_SA con1[4] successfully checked out
Feb 19 15:12:29 charon 12[IKE] <con1|4>sending retransmit 1 of response message ID 0, seq 1
Feb 19 15:12:29 charon 12[NET] <con1|4>sending packet: from 10.20.0.2[500] to 103.46.209.154[500] (428 bytes)
Feb 19 15:12:29 charon 12[MGR] <con1|4>checkin IKE_SA con1[4]
Feb 19 15:12:29 charon 04[NET] sending packet: from 10.20.0.2[500] to 103.46.209.154[500]
Feb 19 15:12:29 charon 12[MGR] <con1|4>checkin of IKE_SA successful
Feb 19 15:12:36 charon 12[MGR] checkout IKEv1 SA with SPIs c24d4bc5c9ba68b2_i f79e3272d7218d04_r
Feb 19 15:12:36 charon 12[MGR] IKE_SA con1[4] successfully checked out
Feb 19 15:12:36 charon 12[IKE] <con1|4>sending retransmit 2 of response message ID 0, seq 1
Feb 19 15:12:36 charon 12[NET] <con1|4>sending packet: from 10.20.0.2[500] to 103.46.209.154[500] (428 bytes)
Feb 19 15:12:36 charon 12[MGR] <con1|4>checkin IKE_SA con1[4]
Feb 19 15:12:36 charon 04[NET] sending packet: from 10.20.0.2[500] to 103.46.209.154[500]
Feb 19 15:12:36 charon 12[MGR] <con1|4>checkin of IKE_SA successful
Feb 19 15:12:49 charon 02[MGR] checkout IKEv1 SA with SPIs c24d4bc5c9ba68b2_i f79e3272d7218d04_r
Feb 19 15:12:49 charon 02[MGR] IKE_SA con1[4] successfully checked out
Feb 19 15:12:49 charon 02[IKE] <con1|4>sending retransmit 3 of response message ID 0, seq 1
Feb 19 15:12:49 charon 02[NET] <con1|4>sending packet: from 10.20.0.2[500] to 103.46.209.154[500] (428 bytes)
Feb 19 15:12:49 charon 02[MGR] <con1|4>checkin IKE_SA con1[4]
Feb 19 15:12:49 charon 04[NET] sending packet: from 10.20.0.2[500] to 103.46.209.154[500]
Feb 19 15:12:49 charon 02[MGR] <con1|4>checkin of IKE_SA successful
Feb 19 15:12:55 charon 02[MGR] checkout IKEv1 SA with SPIs 7ba7c04f2b6e9753_i b49a71955a2f7a35_r
Feb 19 15:12:55 charon 02[MGR] IKE_SA checkout not successful
Feb 19 15:12:55 charon 06[MGR] checkout IKEv1 SA with SPIs c24d4bc5c9ba68b2_i f79e3272d7218d04_r
Feb 19 15:12:55 charon 06[MGR] IKE_SA con1[4] successfully checked out
Feb 19 15:12:55 charon 06[MGR] <con1|4>checkin and destroy IKE_SA con1[4]
Feb 19 15:12:55 charon 06[IKE] <con1|4>IKE_SA con1[4] state change: CONNECTING => DESTROYING
Feb 19 15:12:55 charon 06[MGR] checkin and destroy of IKE_SA successful
Feb 19 15:13:12 charon 06[MGR] checkout IKEv1 SA with SPIs c24d4bc5c9ba68b2_i f79e3272d7218d04_r
Feb 19 15:13:12 charon 06[MGR] IKE_SA checkout not successful
Feb 19 15:25:04 charon 07[NET] received packet: from 172.30.3.163[500] to 10.20.0.2[500]
Feb 19 15:25:04 charon 07[NET] waiting for data on sockets
Feb 19 15:25:04 charon 11[MGR] checkout IKEv1 SA by message with SPIs 72c13bb99d21bb9e_i 0000000000000000_r
Feb 19 15:25:04 charon 11[MGR] created IKE_SA (unnamed)[5]
Feb 19 15:25:04 charon 11[NET] <5> received packet: from 172.30.3.163[500] to 10.20.0.2[500] (1183 bytes)
Feb 19 15:25:04 charon 11[IKE] <5> received XAuth vendor ID
Feb 19 15:25:04 charon 11[IKE] <5> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Feb 19 15:25:04 charon 11[IKE] <5> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Feb 19 15:25:04 charon 11[IKE] <5> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Feb 19 15:25:04 charon 11[IKE] <5> received NAT-T (RFC 3947) vendor ID
Feb 19 15:25:04 charon 11[IKE] <5> received FRAGMENTATION vendor ID
Feb 19 15:25:04 charon 11[IKE] <5> received DPD vendor ID
Feb 19 15:25:04 charon 11[IKE] <5> received Cisco Unity vendor ID
Feb 19 15:25:04 charon 11[IKE] <5> 172.30.3.163 is initiating a Aggressive Mode IKE_SA
Feb 19 15:25:04 charon 11[IKE] <5> IKE_SA (unnamed)[5] state change: CREATED => CONNECTING
Feb 19 15:25:04 charon 11[LIB] <5> size of DH secret exponent: 1023 bits
Feb 19 15:25:04 charon 11[IKE] <con1|5>sending XAuth vendor ID
Feb 19 15:25:04 charon 11[IKE] <con1|5>sending DPD vendor ID
Feb 19 15:25:04 charon 11[IKE] <con1|5>sending Cisco Unity vendor ID
Feb 19 15:25:04 charon 11[IKE] <con1|5>sending FRAGMENTATION vendor ID
Feb 19 15:25:04 charon 11[IKE] <con1|5>sending NAT-T (RFC 3947) vendor ID
Feb 19 15:25:04 charon 11[NET] <con1|5>sending packet: from 10.20.0.2[500] to 172.30.3.163[500] (432 bytes)
Feb 19 15:25:04 charon 11[MGR] <con1|5>checkin IKE_SA con1[5]
Feb 19 15:25:04 charon 11[MGR] <con1|5>checkin of IKE_SA successful
Feb 19 15:25:04 charon 04[NET] sending packet: from 10.20.0.2[500] to 172.30.3.163[500]
Feb 19 15:25:08 charon 11[MGR] checkout IKEv1 SA with SPIs 72c13bb99d21bb9e_i 27700ec4f94d446a_r
Feb 19 15:25:08 charon 11[MGR] IKE_SA con1[5] successfully checked out
Feb 19 15:25:08 charon 11[IKE] <con1|5>sending retransmit 1 of response message ID 0, seq 1
Feb 19 15:25:08 charon 11[NET] <con1|5>sending packet: from 10.20.0.2[500] to 172.30.3.163[500] (432 bytes)
Feb 19 15:25:08 charon 11[MGR] <con1|5>checkin IKE_SA con1[5]
Feb 19 15:25:08 charon 11[MGR] <con1|5>checkin of IKE_SA successful
Feb 19 15:25:08 charon 04[NET] sending packet: from 10.20.0.2[500] to 172.30.3.163[500]
Feb 19 15:25:09 charon 07[NET] received packet: from 172.30.3.163[500] to 10.20.0.2[500]
Feb 19 15:25:09 charon 07[NET] waiting for data on sockets
Feb 19 15:25:09 charon 11[MGR] checkout IKEv1 SA by message with SPIs 72c13bb99d21bb9e_i 0000000000000000_r
Feb 19 15:25:09 charon 11[MGR] IKE_SA con1[5] successfully checked out
Feb 19 15:25:09 charon 11[NET] <con1|5>received packet: from 172.30.3.163[500] to 10.20.0.2[500] (1183 bytes)
Feb 19 15:25:09 charon 11[IKE] <con1|5>received retransmit of request with ID 0, retransmitting response
Feb 19 15:25:09 charon 11[NET] <con1|5>sending packet: from 10.20.0.2[500] to 172.30.3.163[500] (432 bytes)
Feb 19 15:25:09 charon 11[MGR] <con1|5>checkin IKE_SA con1[5]
Feb 19 15:25:09 charon 04[NET] sending packet: from 10.20.0.2[500] to 172.30.3.163[500]
Feb 19 15:25:09 charon 11[MGR] <con1|5>checkin of IKE_SA successful
Feb 19 15:25:14 charon 07[NET] received packet: from 172.30.3.163[500] to 10.20.0.2[500]
Feb 19 15:25:14 charon 07[NET] waiting for data on sockets
Feb 19 15:25:14 charon 11[MGR] checkout IKEv1 SA by message with SPIs 72c13bb99d21bb9e_i 0000000000000000_r
Feb 19 15:25:14 charon 11[MGR] IKE_SA con1[5] successfully checked out
Feb 19 15:25:14 charon 11[NET] <con1|5>received packet: from 172.30.3.163[500] to 10.20.0.2[500] (1183 bytes)
Feb 19 15:25:14 charon 11[IKE] <con1|5>received retransmit of request with ID 0, retransmitting response
Feb 19 15:25:14 charon 11[NET] <con1|5>sending packet: from 10.20.0.2[500] to 172.30.3.163[500] (432 bytes)
Feb 19 15:25:14 charon 11[MGR] <con1|5>checkin IKE_SA con1[5]
Feb 19 15:25:14 charon 04[NET] sending packet: from 10.20.0.2[500] to 172.30.3.163[500]
Feb 19 15:25:14 charon 11[MGR] <con1|5>checkin of IKE_SA successful
Feb 19 15:25:15 charon 11[MGR] checkout IKEv1 SA with SPIs 72c13bb99d21bb9e_i 27700ec4f94d446a_r
Feb 19 15:25:15 charon 11[MGR] IKE_SA con1[5] successfully checked out
Feb 19 15:25:15 charon 11[IKE] <con1|5>sending retransmit 2 of response message ID 0, seq 1
Feb 19 15:25:15 charon 11[NET] <con1|5>sending packet: from 10.20.0.2[500] to 172.30.3.163[500] (432 bytes)
Feb 19 15:25:15 charon 11[MGR] <con1|5>checkin IKE_SA con1[5]
Feb 19 15:25:15 charon 04[NET] sending packet: from 10.20.0.2[500] to 172.30.3.163[500]
Feb 19 15:25:15 charon 11[MGR] <con1|5>checkin of IKE_SA successful
Feb 19 15:25:19 charon 07[NET] received packet: from 172.30.3.163[500] to 10.20.0.2[500]
Feb 19 15:25:19 charon 07[NET] waiting for data on sockets
Feb 19 15:25:19 charon 12[MGR] checkout IKEv1 SA by message with SPIs 72c13bb99d21bb9e_i 0000000000000000_r
Feb 19 15:25:19 charon 12[MGR] IKE_SA con1[5] successfully checked out
Feb 19 15:25:19 charon 12[NET] <con1|5>received packet: from 172.30.3.163[500] to 10.20.0.2[500] (1183 bytes)
Feb 19 15:25:19 charon 12[IKE] <con1|5>received retransmit of request with ID 0, retransmitting response
Feb 19 15:25:19 charon 12[NET] <con1|5>sending packet: from 10.20.0.2[500] to 172.30.3.163[500] (432 bytes)
Feb 19 15:25:19 charon 12[MGR] <con1|5>checkin IKE_SA con1[5]
Feb 19 15:25:19 charon 04[NET] sending packet: from 10.20.0.2[500] to 172.30.3.163[500]
Feb 19 15:25:19 charon 12[MGR] <con1|5>checkin of IKE_SA successful
Feb 19 15:25:28 charon 12[MGR] checkout IKEv1 SA with SPIs 72c13bb99d21bb9e_i 27700ec4f94d446a_r
Feb 19 15:25:28 charon 12[MGR] IKE_SA con1[5] successfully checked out
Feb 19 15:25:28 charon 12[IKE] <con1|5>sending retransmit 3 of response message ID 0, seq 1
Feb 19 15:25:28 charon 12[NET] <con1|5>sending packet: from 10.20.0.2[500] to 172.30.3.163[500] (432 bytes)
Feb 19 15:25:28 charon 12[MGR] <con1|5>checkin IKE_SA con1[5]
Feb 19 15:25:28 charon 04[NET] sending packet: from 10.20.0.2[500] to 172.30.3.163[500]
Feb 19 15:25:28 charon 12[MGR] <con1|5>checkin of IKE_SA successful
Feb 19 15:25:34 charon 12[MGR] checkout IKEv1 SA with SPIs 72c13bb99d21bb9e_i 27700ec4f94d446a_r
Feb 19 15:25:34 charon 12[MGR] IKE_SA con1[5] successfully checked out
Feb 19 15:25:34 charon 12[MGR] <con1|5>checkin and destroy IKE_SA con1[5]
Feb 19 15:25:34 charon 12[IKE] <con1|5>IKE_SA con1[5] state change: CONNECTING => DESTROYING
Feb 19 15:25:34 charon 12[MGR] checkin and destroy of IKE_SA successful
-
Have you fixed this problem? It seems that I have exactly the same problem as you.
My config is almost the same as yours. I hope someone could give the right answer.