Having trouble accessing Office pfSense IPsec setup, please help
-
Not able to access, can anyone help?
Keep showing up:
charon 16883 06[ENC] <54> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
charon 16883 06[IKE] <54> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
charon 16883 06[CFG] <54> no matching peer config found
charon 16883 06[CFG] <54> looking for peer configs matching 59.148.36.162[59.148.36.162]...138.19.96.68[138.19.96.68]
Not sure why it shows generating IKE_AUTH response 1 [ N(AUTH_FAILED) ], as I am sure the name and password are correct!
Not sure how to fix: no matching peer config found
The following is the log:
Aug 27 02:19:44 charon 16883 06[IKE] <54> IKE_SA (unnamed)[54] state change: CONNECTING => DESTROYING
Aug 27 02:19:44 charon 16883 06[NET] <54> sending packet: from 59.148.36.162[4500] to 138.19.96.68[4500] (80 bytes)
Aug 27 02:19:44 charon 16883 06[ENC] <54> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Aug 27 02:19:44 charon 16883 06[IKE] <54> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Aug 27 02:19:44 charon 16883 06[CFG] <54> no matching peer config found
Aug 27 02:19:44 charon 16883 06[CFG] <54> looking for peer configs matching 59.148.36.162[59.148.36.162]...138.19.96.68[138.19.96.68]
Aug 27 02:19:44 charon 16883 06[IKE] <54> remote endpoint changed from 138.19.96.68[500] to 138.19.96.68[4500]
Aug 27 02:19:44 charon 16883 06[IKE] <54> local endpoint changed from 59.148.36.162[500] to 59.148.36.162[4500]
Aug 27 02:19:44 charon 16883 06[ENC] <54> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Aug 27 02:19:44 charon 16883 06[NET] <54> received packet: from 138.19.96.68[4500] to 59.148.36.162[4500] (272 bytes)
Aug 27 02:19:44 charon 16883 06[NET] <54> sending packet: from 59.148.36.162[500] to 138.19.96.68[500] (472 bytes)
Aug 27 02:19:44 charon 16883 06[ENC] <54> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Aug 27 02:19:44 charon 16883 06[CFG] <54> sending supported signature hash algorithms: sha256 sha384 sha512 identity
Aug 27 02:19:44 charon 16883 06[IKE] <54> faking NAT situation to enforce UDP encapsulation
Aug 27 02:19:44 charon 16883 06[CFG] <54> received supported signature hash algorithms: sha256 sha384 sha512 identity
Aug 27 02:19:44 charon 16883 06[CFG] <54> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Aug 27 02:19:44 charon 16883 06[CFG] <54> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Aug 27 02:19:44 charon 16883 06[CFG] <54> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Aug 27 02:19:44 charon 16883 06[CFG] <54> proposal matches
Aug 27 02:19:44 charon 16883 06[CFG] <54> selecting proposal:
Aug 27 02:19:44 charon 16883 06[IKE] <54> IKE_SA (unnamed)[54] state change: CREATED => CONNECTING
Aug 27 02:19:44 charon 16883 06[IKE] <54> 138.19.96.68 is initiating an IKE_SA
Aug 27 02:19:44 charon 16883 06[IKE] <54> remote endpoint changed from 0.0.0.0 to 138.19.96.68[500]
Aug 27 02:19:44 charon 16883 06[IKE] <54> local endpoint changed from 0.0.0.0[500] to 59.148.36.162[500]
Aug 27 02:19:44 charon 16883 06[CFG] <54> found matching ike config: 59.148.36.162...0.0.0.0/0, ::/0 with prio 1052
Aug 27 02:19:44 charon 16883 06[CFG] <54> candidate: 59.148.36.162...0.0.0.0/0, ::/0, prio 1052
Aug 27 02:19:44 charon 16883 06[CFG] <54> looking for an IKEv2 config for 59.148.36.162...138.19.96.68
Aug 27 02:19:44 charon 16883 06[ENC] <54> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug 27 02:19:44 charon 16883 06[NET] <54> received packet: from 138.19.96.68[500] to 59.148.36.162[500] (464 bytes)
-
I changed to cert. But still can't connect:
**Aug 27 22:07:32 charon 84011 12[IKE] <221> received proposals unacceptable
Aug 27 22:07:32 charon 84011 12[CFG] <221> received supported signature hash algorithms: sha256 sha384 sha512 identity
Aug 27 22:07:32 charon 84011 12[CFG] <221> no acceptable ENCRYPTION_ALGORITHM found**
The following is the log:
Aug 27 22:07:32 charon 84011 12[IKE] <221> IKE_SA (unnamed)[221] state change: CONNECTING => DESTROYING
Aug 27 22:07:32 charon 84011 12[NET] <221> sending packet: from 59.148.36.162[500] to 138.19.96.68[500] (36 bytes)
Aug 27 22:07:32 charon 84011 12[ENC] <221> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Aug 27 22:07:32 charon 84011 12[IKE] <221> received proposals unacceptable
Aug 27 22:07:32 charon 84011 12[CFG] <221> received supported signature hash algorithms: sha256 sha384 sha512 identity
Aug 27 22:07:32 charon 84011 12[CFG] <221> candidate: 59.148.36.162...0.0.0.0/0, ::/0, prio 1052
Aug 27 22:07:32 charon 84011 12[CFG] <221> looking for IKEv2 configs for 59.148.36.162...138.19.96.68
Aug 27 22:07:32 charon 84011 12[CFG] <221> configured proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA1/MODP_1024
Aug 27 22:07:32 charon 84011 12[CFG] <221> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Aug 27 22:07:32 charon 84011 12[CFG] <221> no acceptable ENCRYPTION_ALGORITHM found
Aug 27 22:07:32 charon 84011 12[CFG] <221> selecting proposal:
Aug 27 22:07:32 charon 84011 12[IKE] <221> IKE_SA (unnamed)[221] state change: CREATED => CONNECTING
Aug 27 22:07:32 charon 84011 12[IKE] <221> 138.19.96.68 is initiating an IKE_SA
Aug 27 22:07:32 charon 84011 12[IKE] <221> remote endpoint changed from 0.0.0.0 to 138.19.96.68[500]
Aug 27 22:07:32 charon 84011 12[IKE] <221> local endpoint changed from 0.0.0.0[500] to 59.148.36.162[500]
Aug 27 22:07:32 charon 84011 12[CFG] <221> found matching ike config: 59.148.36.162...0.0.0.0/0, ::/0 with prio 1052
Aug 27 22:07:32 charon 84011 12[CFG] <221> candidate: 59.148.36.162...0.0.0.0/0, ::/0, prio 1052
Aug 27 22:07:32 charon 84011 12[CFG] <221> looking for an IKEv2 config for 59.148.36.162...138.19.96.68
Aug 27 22:07:32 charon 84011 12[ENC] <221> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug 27 22:07:32 charon 84011 12[NET] <221> received packet: from 138.19.96.68[500] to 59.148.36.162[500] (464 bytes)
Aug 27 22:07:10 charon 84011 12[IKE] <220> IKE_SA (unnamed)[220] state change: CONNECTING => DESTROYING
Aug 27 22:07:10 charon 84011 12[NET] <220> sending packet: from 59.148.36.162[500] to 138.19.96.68[500] (36 bytes)
Aug 27 22:07:10 charon 84011 12[ENC] <220> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Aug 27 22:07:10 charon 84011 12[IKE] <220> received proposals unacceptable
Aug 27 22:07:10 charon 84011 12[CFG] <220> received supported signature hash algorithms: sha256 sha384 sha512 identity
Aug 27 22:07:10 charon 84011 12[CFG] <220> candidate: 59.148.36.162...0.0.0.0/0, ::/0, prio 1052
Aug 27 22:07:10 charon 84011 12[CFG] <220> looking for IKEv2 configs for 59.148.36.162...138.19.96.68
Aug 27 22:07:10 charon 84011 12[CFG] <220> configured proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA1/MODP_1024
Aug 27 22:07:10 charon 84011 12[CFG] <220> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Aug 27 22:07:10 charon 84011 12[CFG] <220> no acceptable ENCRYPTION_ALGORITHM found
Aug 27 22:07:10 charon 84011 12[CFG] <220> selecting proposal:
Aug 27 22:07:10 charon 84011 12[IKE] <220> IKE_SA (unnamed)[220] state change: CREATED => CONNECTING
Aug 27 22:07:10 charon 84011 12[IKE] <220> 138.19.96.68 is initiating an IKE_SA
Aug 27 22:07:10 charon 84011 12[IKE] <220> remote endpoint changed from 0.0.0.0 to 138.19.96.68[500]
Aug 27 22:07:10 charon 84011 12[IKE] <220> local endpoint changed from 0.0.0.0[500] to 59.148.36.162[500]
Aug 27 22:07:10 charon 84011 12[CFG] <220> found matching ike config: 59.148.36.162...0.0.0.0/0, ::/0 with prio 1052
Aug 27 22:07:10 charon 84011 12[CFG] <220> candidate: 59.148.36.162...0.0.0.0/0, ::/0, prio 1052
Aug 27 22:07:10 charon 84011 12[CFG] <220> looking for an IKEv2 config for 59.148.36.162...138.19.96.68
Aug 27 22:07:10 charon 84011 12[ENC] <220> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug 27 22:07:10 charon 84011 12[NET] <220> received packet: from 138.19.96.68[500] to 59.148.36.162[500] (464 bytes)
-
@HKFEVER
Seems your encryption settings of both sites do not match. -
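Added example, not part of the thread or of pfSense/strongSwan: a small Python triage script that groups charon lines by connection id and reports which transform types have no overlap when the responder answers `N(NO_PROP)`, and separately flags a session that was rejected with `no matching peer config found`. The names `diagnose`, `kind` and `PREFIX` are illustrative, the transform-type guess from name prefixes is a simplifying assumption, and the sample lines are copied from the logs quoted above.

```python
import re
from collections import defaultdict

# Excerpt of the charon lines quoted in this thread (newest first, as posted).
SAMPLE = """\
Aug 27 22:07:32 charon 84011 12[ENC] <221> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Aug 27 22:07:32 charon 84011 12[CFG] <221> configured proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA1/MODP_1024
Aug 27 22:07:32 charon 84011 12[CFG] <221> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Aug 27 02:19:44 charon 16883 06[ENC] <54> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Aug 27 02:19:44 charon 16883 06[CFG] <54> no matching peer config found
"""

LINE = re.compile(r"charon \d+ \d+\[\w+\] <(\d+)> (.*)")
FLAGS = ("N(NO_PROP)", "N(AUTH_FAILED)", "no matching peer config found")
PREFIX = {"PRF_": "PRF", "HMAC_": "INTEGRITY",
          "MODP_": "DH_GROUP", "ECP_": "DH_GROUP", "CURVE_": "DH_GROUP"}

def kind(name):
    # Rough transform-type guess from the name prefix (assumption, not exhaustive).
    return next((v for p, v in PREFIX.items() if name.startswith(p)), "ENCRYPTION")

def transforms(text):
    # "IKE:A/B/C, IKE:D/E" -> {"ENCRYPTION": {...}, "PRF": {...}, ...}
    out = defaultdict(set)
    for proposal in text.split(", "):
        for name in proposal.split(":", 1)[1].split("/"):
            out[kind(name)].add(name)
    return out

def diagnose(log):
    sessions = defaultdict(lambda: {"flags": set()})
    for m in filter(None, map(LINE.search, log.splitlines())):
        s, msg = sessions[m.group(1)], m.group(2)
        for side in ("received", "configured"):
            if msg.startswith(side + " proposals: "):
                s[side] = transforms(msg.split(": ", 1)[1])
        s["flags"].update(f for f in FLAGS if f in msg)
    report = {}
    for sid, s in sessions.items():
        if "N(NO_PROP)" in s["flags"] and "received" in s and "configured" in s:
            # A type one side omits is skipped: AEAD ciphers (AES_GCM) list no integrity transform.
            report[sid] = ("proposal_mismatch", {
                k: (sorted(s["received"][k]), sorted(s["configured"][k]))
                for k in s["configured"]
                if s["received"].get(k) and not s["received"][k] & s["configured"][k]})
        elif "no matching peer config found" in s["flags"]:
            # The IKE proposal was accepted; the reject came from peer-config lookup.
            report[sid] = ("no_peer_config", {})
    return report
```

Each mismatch entry is `(peer offered, locally configured)`; for connection 221 the encryption, PRF and DH group all differ, which is why the responder found no acceptable proposal.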
Solved :) Thx
-
@HKFEVER
Fail, if I try to connect Office's pfsense IPsec from WIN11 through Home router gateway with NordVPN on!
OK, if I connect Office's pfsense IPsec from WIN11 through Home router gateway with NordVPN off :)
But then after connecting:
- WIN11's gateway becomes Office's pfsense default gateway, which doesn't exit out through Office's pfSense's NordVPN setup!
- If I uncheck "Use default gateway on remote network" in WIN11's Advanced TCP/IP Settings, then the gateway will become WIN11's NIC gateway. Which, in theory, means I can use the NordVPN app in WIN11. I didn't try yet, as too busy :(
Here is the new question:
How can I set the WIN11's Internet request to go through "home or some coffee shop's" gateway to Office's pfSense and exit out to internet through Office pfsense's NordVPN setup?
I have spent too long trying to figure out the rules in pfSense and still no go. Maybe I need to find professional help :(