Help with IPSEC VPN tunnel issue!
-
I am in urgent need of advice on why my pfSense IPSEC VPN tunnel is not working. The remote end is an IPCop firewall, the other end pfSense 2 BETA snapshot dated 10 June. I tested this before on another pfSense box to the same IPCop server, using exactly the same settings, and it worked just fine. However, on this pfSense box the only difference is that I am not using DHCP for my WAN interface but a static configuration for DSL, with a static GW. This is my log:
Jun 15 11:28:33 racoon: [Saskatoon VPN Tunnel]: INFO: ISAKMP-SA expired <localip>[500]-<remoteip>[500] spi:87430816108d2467:04b5777e921a8d59
Jun 15 11:28:34 racoon: [Saskatoon VPN Tunnel]: INFO: respond new phase 1 negotiation: <localip>[500]<=><remoteip>[500]
Jun 15 11:28:34 racoon: INFO: begin Identity Protection mode.
Jun 15 11:28:34 racoon: INFO: received Vendor ID: RFC 3947
Jun 15 11:28:34 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Jun 15 11:28:34 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Jun 15 11:28:34 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Jun 15 11:28:34 racoon: INFO: received Vendor ID: DPD
Jun 15 11:28:34 racoon: INFO: Selected NAT-T version: RFC 3947
Jun 15 11:28:34 racoon: INFO: Hashing <localip>[500] with algo #1
Jun 15 11:28:34 racoon: INFO: NAT-D payload #0 verified
Jun 15 11:28:34 racoon: [Saskatoon VPN Tunnel]: INFO: Hashing <remoteip>[500] with algo #1
Jun 15 11:28:34 racoon: INFO: NAT-D payload #1 verified
Jun 15 11:28:34 racoon: INFO: NAT not detected
Jun 15 11:28:34 racoon: [Saskatoon VPN Tunnel]: INFO: Hashing <remoteip>[500] with algo #1
Jun 15 11:28:34 racoon: INFO: Hashing <localip>[500] with algo #1
Jun 15 11:28:34 racoon: INFO: Adding remote and local NAT-D payloads.
Jun 15 11:28:34 racoon: [Saskatoon VPN Tunnel]: INFO: ISAKMP-SA established <localip>[500]-<remoteip>[500] spi:952fd72dd9ae4008:583c1e8444dfe45b
Jun 15 11:28:34 racoon: [Saskatoon VPN Tunnel]: INFO: respond new phase 2 negotiation: <localip>[500]<=><remoteip>[500]
Jun 15 11:28:34 racoon: ERROR: not matched
Jun 15 11:28:34 racoon: ERROR: no suitable policy found.
Jun 15 11:28:34 racoon: ERROR: failed to pre-process packet.
Jun 15 11:28:35 racoon: [Saskatoon VPN Tunnel]: INFO: ISAKMP-SA deleted <localip>[500]-<remoteip>[500] spi:87490816508e2467:04b5727e921a8f59
Jun 15 11:28:44 racoon: [Saskatoon VPN Tunnel]: INFO: respond new phase 2 negotiation: <localip>[500]<=><remoteip>[500]
Jun 15 11:28:44 racoon: ERROR: not matched
Jun 15 11:28:44 racoon: ERROR: no suitable policy found.
Jun 15 11:28:44 racoon: ERROR: failed to pre-process packet.
-
Jun 15 11:28:44 racoon: ERROR: no suitable policy found.
That means that the settings did not match. Check them all again, particularly the phase 2 encryption settings.
-
Yep, I figured as much. All settings matched. The one that broke it was "Negotiate compression" on the IPCop. When I disabled that, it worked.
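The diagnosis in this thread follows a pattern worth automating: phase 1 (the ISAKMP SA) completes, but every phase 2 negotiation is rejected with "no suitable policy found", which means the peer's phase 2 proposal matches nothing in the local policy. The script below is an added example, not code from the thread or from pfSense/racoon; it parses racoon syslog lines of the shape shown above, counts the negotiation milestones per tunnel, and reports a verdict. The sample log is constructed to mirror the posted one (the `<localip>`/`<remoteip>` placeholders are the poster's, the SPI value is made up), and carrying the last seen `[tunnel name]` tag forward onto untagged lines is a heuristic I chose, since racoon only tags some lines.

```python
import re
from collections import Counter

# Constructed sample, modelled on the racoon log posted in the thread above.
# <localip>/<remoteip> are the poster's placeholders; the SPI is a made-up value.
SAMPLE_LOG = """\
Jun 15 11:28:34 racoon: [Saskatoon VPN Tunnel]: INFO: respond new phase 1 negotiation: <localip>[500]<=><remoteip>[500]
Jun 15 11:28:34 racoon: INFO: begin Identity Protection mode.
Jun 15 11:28:34 racoon: INFO: NAT not detected
Jun 15 11:28:34 racoon: [Saskatoon VPN Tunnel]: INFO: ISAKMP-SA established <localip>[500]-<remoteip>[500] spi:952fd72dd9ae4008:583c1e8444dfe45b
Jun 15 11:28:34 racoon: [Saskatoon VPN Tunnel]: INFO: respond new phase 2 negotiation: <localip>[500]<=><remoteip>[500]
Jun 15 11:28:34 racoon: ERROR: not matched
Jun 15 11:28:34 racoon: ERROR: no suitable policy found.
Jun 15 11:28:34 racoon: ERROR: failed to pre-process packet.
Jun 15 11:28:44 racoon: [Saskatoon VPN Tunnel]: INFO: respond new phase 2 negotiation: <localip>[500]<=><remoteip>[500]
Jun 15 11:28:44 racoon: ERROR: not matched
Jun 15 11:28:44 racoon: ERROR: no suitable policy found.
Jun 15 11:28:44 racoon: ERROR: failed to pre-process packet.
"""

# One racoon syslog line: timestamp, optional "[tunnel name]:" tag, level, message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) racoon: "
    r"(?:\[(?P<tunnel>[^\]]+)\]: )?"
    r"(?P<level>INFO|NOTIFY|WARNING|ERROR): (?P<msg>.*)$"
)

# Message prefixes that mark the negotiation milestones we count.
MARKERS = {
    "phase1_established": ("ISAKMP-SA established",),
    "phase2_attempt": ("respond new phase 2 negotiation", "initiate new phase 2 negotiation"),
    "phase2_policy_mismatch": ("no suitable policy found",),
    "ipsec_sa_established": ("IPsec-SA established",),
}


def parse_racoon_log(text):
    """Yield (timestamp, tunnel, level, message) tuples; unparsable lines are skipped.

    racoon prints the [tunnel] tag only on some lines, so the most recently
    seen tunnel name is carried forward onto untagged lines (a heuristic).
    """
    current_tunnel = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        if m.group("tunnel"):
            current_tunnel = m.group("tunnel")
        yield m.group("ts"), current_tunnel, m.group("level"), m.group("msg")


def diagnose(text):
    """Count milestones per tunnel and attach a verdict; returns {tunnel: {...}}."""
    counts = {}
    for _ts, tunnel, _level, msg in parse_racoon_log(text):
        c = counts.setdefault(tunnel, Counter({k: 0 for k in MARKERS}))
        for key, prefixes in MARKERS.items():
            if msg.startswith(prefixes):
                c[key] += 1
    return {tunnel: {**dict(c), "verdict": _verdict(c)} for tunnel, c in counts.items()}


def _verdict(c):
    if c["ipsec_sa_established"]:
        return "phase 2 established; tunnel is up"
    if c["phase1_established"] and c["phase2_policy_mismatch"]:
        return ("phase 1 OK, phase 2 rejected with 'no suitable policy found': "
                "the peer's phase 2 proposal matches no local policy; compare "
                "phase 2 encryption/hash, PFS group, local/remote networks and "
                "compression (IPComp) settings on both ends")
    if not c["phase1_established"]:
        return "no ISAKMP SA established; check phase 1 settings and pre-shared key"
    return "inconclusive; inspect the full log"


if __name__ == "__main__":
    for tunnel, result in diagnose(SAMPLE_LOG).items():
        print(tunnel, result)
```

Run against the sample it reports one ISAKMP SA, two phase 2 attempts, two policy mismatches and no IPsec SA, which is exactly the state the thread describes before the compression option was turned off. Feeding it a real `/var/log/ipsec.log` (or the racoon lines from the pfSense IPsec log) gives the same per-tunnel summary; the verdict strings are only hints, so the phase 2 comparison still has to be done by hand on both firewalls.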