IPSec restarting and not working - log shows multiple "queueing QUICK_MODE task" entries
-
Hello!
I am trying to establish an IPSec tunnel between my site, which does not have a public IP, and a remote site that does have one.
It seems to keep resetting, and does not work.
"swanctl --list-sas" shows:
con2: #1160, CONNECTING, IKEv1, 554723062153bfbe_i* 0000000000000000_r
local 'BDD-2' @ 192.168.1.113[500]
remote '%any' @ pu.bli.c.ip[500]
queued: QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE
active: ISAKMP_VENDOR ISAKMP_CERT_PRE AGGRESSIVE_MODE ISAKMP_CERT_POST ISAKMP_NATD
Any ideas? I have a Netgate 6100 running the latest firmware release; my IPSec is configured for IKE v1, aggressive mode.
The status page is basically hung in this state, with SPIs changing every few seconds:
The remote site is from a third party, I don't know which firewall they use. They sent me a print that may help identify it:
They say that they are receiving two phase 2 connection requests, and are getting hung on the second one, something like that.
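A small diagnostic for the swanctl output quoted above, added here as an example and not part of the original post: it parses the text that `swanctl --list-sas` prints and flags connections that stay in CONNECTING while QUICK_MODE (Phase 2) tasks keep queueing. The sample text, the peer addresses and the threshold of five queued tasks are constructed assumptions.

```python
"""Flag IKE SAs that sit in CONNECTING while QUICK_MODE tasks pile up.

Reads the text printed by `swanctl --list-sas` (layout as in the post above)
and reports connections whose Phase 2 (QUICK_MODE) queue keeps growing.
"""
import re
from collections import Counter

# Constructed sample modelled on the post's output (documentation-range addresses).
SAMPLE = """\
con2: #1160, CONNECTING, IKEv1, 554723062153bfbe_i* 0000000000000000_r
  local 'BDD-2' @ 192.168.1.113[500]
  remote '%any' @ 198.51.100.7[500]
  queued: QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE
  active: ISAKMP_VENDOR ISAKMP_CERT_PRE AGGRESSIVE_MODE ISAKMP_CERT_POST ISAKMP_NATD
con3: #12, ESTABLISHED, IKEv2, 0011223344556677_i* 8899aabbccddeeff_r
  local 'BDD-2' @ 192.168.1.113[500]
  remote 'peer' @ 203.0.113.9[500]
  established 120s ago, rekeying in 13000s
"""

# IKE SA header: "<conn>: #<id>, <STATE>, IKEv<1|2>, ...". Child SA lines are
# indented and carry "reqid", so they do not match this pattern.
HEADER = re.compile(r"^(\S+): #(\d+), (\w+), (IKEv[12]),")

def parse_sas(text):
    """Return one dict per IKE SA with its state, version and task lists."""
    sas = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            sas.append({"name": m.group(1), "id": int(m.group(2)),
                        "state": m.group(3), "version": m.group(4),
                        "queued": Counter(), "active": []})
        elif sas:
            s = line.strip()
            if s.startswith("queued:"):
                sas[-1]["queued"].update(s.split()[1:])   # count each task type
            elif s.startswith("active:"):
                sas[-1]["active"] = s.split()[1:]
    return sas

def stuck_sas(text, max_queued=5):
    """Names of SAs still CONNECTING with more than max_queued QUICK_MODE tasks."""
    return [sa["name"] for sa in parse_sas(text)
            if sa["state"] == "CONNECTING"
            and sa["queued"]["QUICK_MODE"] > max_queued]
```

On a live box, pass the real text in with `stuck_sas(subprocess.check_output(["swanctl", "--list-sas"], text=True))`; a non-empty result points at the queueing loop described in this thread rather than a healthy rekey.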
-
Adding a Wireshark capture of the WAN interface, showing that there is some sort of loop: the same messages keep being transmitted periodically.
-
Just for everyone's information, the problem was solved by changing (on both sides, of course) from IKE v1 to IKE v2.