Netgate Discussion Forum

IPSEC Phase 2 issue on 2.2 beta

2.2 Snapshot Feedback and Problems - RETIRED
14 Posts 6 Posters 5.8k Views
charliem

@cmb:

I'm not aware of any issues related to that. There aren't any open bugs along those lines,

Isn't this what Karl has been reporting for some time, asking for the Cisco Unity plugin?
https://forum.pfsense.org/index.php?topic=79737.msg452796#msg452796
valnar

Well, in light of that, I'm moving back to 2.15. It's just a home firewall, but I do like my VPN to work. :)
cmb

There is something going on there.
https://redmine.pfsense.org/issues/3961
charliem

Looks like there are a number of useful fixes in strongSwan 5.2.1 (https://wiki.strongswan.org/versions/53):

• kernel-pfroute fixes
• kernel-pfkey fixes
• Cisco Unity fixes
• IKEv1 re-keying fixes
karl23

Looking forward to any updates on this - basically it's a problem interoperating with an IPSec tunnel with multiple subnets against a Sonicwall NSA 3600.
valnar

@karl23:

Looking forward to any updates on this - basically it's a problem interoperating with an IPSec tunnel with multiple subnets against a Sonicwall NSA 3600.

It's against any device as far as I can tell.
ankaerith

I'm seeing issues similar to those described in this thread, and possibly some differences. I thought I'd share what I'm seeing.

Running the snapshot from OCT 27.

IPSec tunnel between PFSense and Cisco ASA 9.1.5.

Two Phase 2 networks configured.

If I initiate traffic from behind the PFSense system, I get a Phase 1 SA and no Phase 2, regardless of which network I'm trying to hit in the P2.

If I initiate traffic from behind the ASA, it builds the Phase 1 and the Phase 2 for any network in the Phase 2.

If that network is the first network in the Phase 2 list, I can pass traffic without issue. If that network is not first, I can't pass any traffic regardless.

If I switch the order of the Phase 2 and restart the tunnel from the ASA side, I can now pass traffic on the new 1st entry.

Here is the log data for initiating traffic from behind PFSense and only getting a P1 SA:

Oct 27 21:22:26	charon: 16[MGR] <con1|9> check-in of IKE_SA successful.
Oct 27 21:22:26	charon: 16[MGR] <con1|9> checkin IKE_SA con1[9]
Oct 27 21:22:26	charon: 05[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500]
Oct 27 21:22:26	charon: 16[IKE] <con1|9> nothing to initiate
Oct 27 21:22:26	charon: 16[IKE] <con1|9> activating new tasks
Oct 27 21:22:26	charon: 16[NET] <con1|9> sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (92 bytes)
Oct 27 21:22:26	charon: 16[IKE] <con1|9> activating ISAKMP_DPD task
Oct 27 21:22:26	charon: 16[IKE] <con1|9> activating new tasks
Oct 27 21:22:26	charon: 16[IKE] <con1|9> queueing ISAKMP_DPD task
Oct 27 21:22:26	charon: 16[NET] <con1|9> received packet: from 2.2.2.2[500] to 1.1.1.1[500] (92 bytes)
Oct 27 21:22:26	charon: 16[MGR] IKE_SA con1[9] successfully checked out
Oct 27 21:22:26	charon: 16[MGR] checkout IKE_SA by message
Oct 27 21:22:26	charon: 04[NET] waiting for data on sockets
Oct 27 21:22:26	charon: 04[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500]
Oct 27 21:22:13	charon: 16[MGR] <con1|9> check-in of IKE_SA successful.
Oct 27 21:22:13	charon: 16[MGR] <con1|9> checkin IKE_SA con1[9]
Oct 27 21:22:13	charon: 16[MGR] IKE_SA con1[9] successfully checked out
Oct 27 21:22:13	charon: 16[MGR] checkout IKE_SA
Oct 27 21:22:13	charon: 16[MGR] <con1|9> check-in of IKE_SA successful.
Oct 27 21:22:13	charon: 16[MGR] <con1|9> checkin IKE_SA con1[9]
Oct 27 21:22:13	charon: 16[MGR] IKE_SA con1[9] successfully checked out
Oct 27 21:22:13	charon: 16[MGR] checkout IKE_SA
Oct 27 21:22:13	charon: 03[MGR] <con1|9> check-in of IKE_SA successful.
Oct 27 21:22:13	charon: 03[MGR] <con1|9> checkin IKE_SA con1[9]
Oct 27 21:22:13	charon: 03[MGR] IKE_SA con1[9] successfully checked out
Oct 27 21:22:13	charon: 03[MGR] checkout IKE_SA
Oct 27 21:22:09	charon: 03[MGR] <con1|9> check-in of IKE_SA successful.
Oct 27 21:22:09	charon: 03[MGR] <con1|9> checkin IKE_SA con1[9]
Oct 27 21:22:09	charon: 03[IKE] <con1|9> nothing to initiate
Oct 27 21:22:09	charon: 03[IKE] <con1|9> activating new tasks
Oct 27 21:22:09	charon: 03[IKE] <con1|9> maximum IKE_SA lifetime 28622s
Oct 27 21:22:09	charon: 03[IKE] <con1|9> scheduling reauthentication in 28082s
Oct 27 21:22:09	charon: 03[IKE] <con1|9> IKE_SA con1[9] state change: CONNECTING => ESTABLISHED
Oct 27 21:22:09	charon: 03[IKE] <con1|9> IKE_SA con1[9] established between 1.1.1.1[1.1.1.1]...2.2.2.2[2.2.2.2]
Oct 27 21:22:09	charon: 03[IKE] <con1|9> received DPD vendor ID
Oct 27 21:22:09	charon: 03[NET] <con1|9> received packet: from 2.2.2.2[500] to 1.1.1.1[500] (92 bytes)
Oct 27 21:22:09	charon: 03[MGR] IKE_SA con1[9] successfully checked out
Oct 27 21:22:09	charon: 03[MGR] checkout IKE_SA by message
Oct 27 21:22:09	charon: 04[NET] waiting for data on sockets
Oct 27 21:22:09	charon: 04[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500]
Oct 27 21:22:09	charon: 03[MGR] <con1|9> check-in of IKE_SA successful.
Oct 27 21:22:09	charon: 05[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500]
Oct 27 21:22:09	charon: 03[MGR] <con1|9> checkin IKE_SA con1[9]
Oct 27 21:22:09	charon: 03[NET] <con1|9> sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (76 bytes)
Oct 27 21:22:09	charon: 03[IKE] <con1|9> MAIN_MODE task
Oct 27 21:22:09	charon: 03[IKE] <con1|9> ISAKMP_VENDOR task
Oct 27 21:22:09	charon: 03[IKE] <con1|9> reinitiating already active tasks
Oct 27 21:22:09	charon: 03[IKE] <con1|9> received XAuth vendor ID
Oct 27 21:22:09	charon: 03[IKE] <con1|9> received Cisco Unity vendor ID
Oct 27 21:22:09	charon: 03[NET] <con1|9> received packet: from 2.2.2.2[500] to 1.1.1.1[500] (304 bytes)
Oct 27 21:22:09	charon: 03[MGR] IKE_SA con1[9] successfully checked out
Oct 27 21:22:09	charon: 03[MGR] checkout IKE_SA by message
Oct 27 21:22:09	charon: 04[NET] waiting for data on sockets
Oct 27 21:22:09	charon: 04[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500]
Oct 27 21:22:09	charon: 05[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500]
Oct 27 21:22:09	charon: 03[MGR] <con1|9> check-in of IKE_SA successful.
Oct 27 21:22:09	charon: 03[MGR] <con1|9> checkin IKE_SA con1[9]
Oct 27 21:22:09	charon: 03[NET] <con1|9> sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (244 bytes)
Oct 27 21:22:09	charon: 03[LIB] <con1|9> size of DH secret exponent: 1023 bits
Oct 27 21:22:09	charon: 03[IKE] <con1|9> MAIN_MODE task
Oct 27 21:22:09	charon: 03[IKE] <con1|9> ISAKMP_VENDOR task
Oct 27 21:22:09	charon: 03[IKE] <con1|9> reinitiating already active tasks
Oct 27 21:22:09	charon: 03[IKE] <con1|9> received FRAGMENTATION vendor ID
Oct 27 21:22:09	charon: 03[IKE] <con1|9> received NAT-T (RFC 3947) vendor ID
Oct 27 21:22:09	charon: 03[NET] <con1|9> received packet: from 2.2.2.2[500] to 1.1.1.1[500] (128 bytes)
Oct 27 21:22:09	charon: 03[MGR] IKE_SA con1[9] successfully checked out
Oct 27 21:22:09	charon: 03[MGR] checkout IKE_SA by message
Oct 27 21:22:09	charon: 04[NET] waiting for data on sockets
Oct 27 21:22:09	charon: 04[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500]
Oct 27 21:22:09	charon: 05[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500]
Oct 27 21:22:09	charon: 03[MGR] <con1|9> checkin IKE_SA con1[9]
Oct 27 21:22:09	charon: 03[NET] <con1|9> sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (200 bytes)
Oct 27 21:22:09	charon: 03[IKE] <con1|9> IKE_SA con1[9] state change: CREATED => CONNECTING
Oct 27 21:22:09	charon: 03[IKE] <con1|9> initiating Main Mode IKE_SA con1[9] to 2.2.2.2
Oct 27 21:22:09	charon: 03[IKE] <con1|9> sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Oct 27 21:22:09	charon: 03[IKE] <con1|9> sending NAT-T (RFC 3947) vendor ID
Oct 27 21:22:09	charon: 03[IKE] <con1|9> sending FRAGMENTATION vendor ID
Oct 27 21:22:09	charon: 03[IKE] <con1|9> sending Cisco Unity vendor ID
Oct 27 21:22:09	charon: 03[IKE] <con1|9> sending DPD vendor ID
Oct 27 21:22:09	charon: 03[IKE] <con1|9> sending XAuth vendor ID
Oct 27 21:22:09	charon: 03[IKE] <con1|9> activating ISAKMP_NATD task
Oct 27 21:22:09	charon: 03[IKE] <con1|9> activating ISAKMP_CERT_POST task
Oct 27 21:22:09	charon: 03[IKE] <con1|9> activating MAIN_MODE task
Oct 27 21:22:09	charon: 03[IKE] <con1|9> activating ISAKMP_CERT_PRE task
Oct 27 21:22:09	charon: 03[IKE] <con1|9> activating ISAKMP_VENDOR task
Oct 27 21:22:09	charon: 03[IKE] <con1|9> activating new tasks
Oct 27 21:22:09	charon: 03[IKE] <con1|9> queueing QUICK_MODE task
Oct 27 21:22:09	charon: 03[IKE] <con1|9> queueing ISAKMP_NATD task
Oct 27 21:22:09	charon: 03[IKE] <con1|9> queueing ISAKMP_CERT_POST task
Oct 27 21:22:09	charon: 03[IKE] <con1|9> queueing MAIN_MODE task
Oct 27 21:22:09	charon: 03[IKE] <con1|9> queueing ISAKMP_CERT_PRE task
Oct 27 21:22:09	charon: 03[IKE] <con1|9> queueing ISAKMP_VENDOR task
Oct 27 21:22:09	charon: 03[MGR] created IKE_SA (unnamed)[9]
Oct 27 21:22:09	charon: 03[MGR] checkout IKE_SA by config

Here is the log if I initiate traffic from behind ASA:

Oct 27 21:24:24	charon: 11[MGR] <con1|10> check-in of IKE_SA successful.
Oct 27 21:24:24	charon: 11[MGR] <con1|10> checkin IKE_SA con1[10]
Oct 27 21:24:24	charon: 11[MGR] IKE_SA con1[10] successfully checked out
Oct 27 21:24:24	charon: 11[MGR] checkout IKE_SA
Oct 27 21:24:20	charon: 11[MGR] <con1|10> check-in of IKE_SA successful.
Oct 27 21:24:20	charon: 11[MGR] <con1|10> checkin IKE_SA con1[10]
Oct 27 21:24:20	charon: 11[IKE] <con1|10> CHILD_SA con1{1} established with SPIs c50da63c_i 1496d46b_o and TS 172.22.22.0/24|/0 === 10.100.20.0/24|/0
Oct 27 21:24:20	charon: 11[CHD] <con1|10> SPI 0x1496d46b, src 1.1.1.1 dst 2.2.2.2
Oct 27 21:24:20	charon: 11[CHD] <con1|10> adding outbound ESP SA
Oct 27 21:24:20	charon: 11[CHD] <con1|10> SPI 0xc50da63c, src 2.2.2.2 dst 1.1.1.1
Oct 27 21:24:20	charon: 11[CHD] <con1|10> adding inbound ESP SA
Oct 27 21:24:20	charon: 11[CHD] <con1|10> using HMAC_SHA1_96 for integrity
Oct 27 21:24:20	charon: 11[CHD] <con1|10> using AES_CBC for encryption
Oct 27 21:24:20	charon: 11[NET] <con1|10> received packet: from 2.2.2.2[500] to 1.1.1.1[500] (76 bytes)
Oct 27 21:24:20	charon: 11[MGR] IKE_SA con1[10] successfully checked out
Oct 27 21:24:20	charon: 11[MGR] checkout IKE_SA by message
Oct 27 21:24:20	charon: 04[NET] waiting for data on sockets
Oct 27 21:24:20	charon: 04[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500]
Oct 27 21:24:20	charon: 05[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500]
Oct 27 21:24:20	charon: 11[MGR] <con1|10> check-in of IKE_SA successful.
Oct 27 21:24:20	charon: 11[MGR] <con1|10> checkin IKE_SA con1[10]
Oct 27 21:24:20	charon: 11[NET] <con1|10> sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (332 bytes)
Oct 27 21:24:19	charon: 11[LIB] <con1|10> size of DH secret exponent: 1023 bits
Oct 27 21:24:19	charon: 11[IKE] <con1|10> received 4608000000 lifebytes, configured 0
Oct 27 21:24:19	charon: 11[IKE] <con1|10> received 28800s lifetime, configured 3600s
Oct 27 21:24:19	charon: 11[NET] <con1|10> received packet: from 2.2.2.2[500] to 1.1.1.1[500] (348 bytes)
Oct 27 21:24:19	charon: 11[MGR] IKE_SA con1[10] successfully checked out
Oct 27 21:24:19	charon: 11[MGR] checkout IKE_SA by message
Oct 27 21:24:19	charon: 04[NET] waiting for data on sockets
Oct 27 21:24:19	charon: 04[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500]
Oct 27 21:24:19	charon: 11[MGR] <con1|10> check-in of IKE_SA successful.
Oct 27 21:24:19	charon: 11[MGR] <con1|10> checkin IKE_SA con1[10]
Oct 27 21:24:19	charon: 11[MGR] IKE_SA con1[10] successfully checked out
Oct 27 21:24:19	charon: 15[MGR] <con1|10> check-in of IKE_SA successful.
Oct 27 21:24:19	charon: 05[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500]
Oct 27 21:24:19	charon: 15[MGR] <con1|10> checkin IKE_SA con1[10]
Oct 27 21:24:19	charon: 15[NET] <con1|10> sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (76 bytes)
Oct 27 21:24:19	charon: 11[MGR] checkout IKE_SA
Oct 27 21:24:19	charon: 15[IKE] <con1|10> maximum IKE_SA lifetime 28798s
Oct 27 21:24:19	charon: 15[IKE] <con1|10> scheduling reauthentication in 28258s
Oct 27 21:24:19	charon: 15[IKE] <con1|10> IKE_SA con1[10] state change: CONNECTING => ESTABLISHED
Oct 27 21:24:19	charon: 15[IKE] <con1|10> IKE_SA con1[10] established between 1.1.1.1[1.1.1.1]...2.2.2.2[2.2.2.2]
Oct 27 21:24:19	charon: 15[IKE] <10> received DPD vendor ID
Oct 27 21:24:19	charon: 15[NET] <10> received packet: from 2.2.2.2[500] to 1.1.1.1[500] (92 bytes)
Oct 27 21:24:19	charon: 15[MGR] IKE_SA (unnamed)[10] successfully checked out
Oct 27 21:24:19	charon: 15[MGR] checkout IKE_SA by message
Oct 27 21:24:19	charon: 04[NET] waiting for data on sockets
Oct 27 21:24:19	charon: 04[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500]
Oct 27 21:24:19	charon: 15[MGR] <10> check-in of IKE_SA successful.
Oct 27 21:24:19	charon: 05[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500]
Oct 27 21:24:19	charon: 15[MGR] <10> checkin IKE_SA (unnamed)[10]
Oct 27 21:24:19	charon: 15[NET] <10> sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (244 bytes)
Oct 27 21:24:19	charon: 15[LIB] <10> size of DH secret exponent: 1023 bits
Oct 27 21:24:19	charon: 15[IKE] <10> received XAuth vendor ID
Oct 27 21:24:19	charon: 15[IKE] <10> received Cisco Unity vendor ID
Oct 27 21:24:19	charon: 15[NET] <10> received packet: from 2.2.2.2[500] to 1.1.1.1[500] (304 bytes)
Oct 27 21:24:19	charon: 15[MGR] IKE_SA (unnamed)[10] successfully checked out
Oct 27 21:24:19	charon: 15[MGR] checkout IKE_SA by message
Oct 27 21:24:19	charon: 04[NET] waiting for data on sockets
Oct 27 21:24:19	charon: 04[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500]
Oct 27 21:24:19	charon: 15[MGR] <10> check-in of IKE_SA successful.
Oct 27 21:24:19	charon: 05[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500]
Oct 27 21:24:19	charon: 15[MGR] <10> checkin IKE_SA (unnamed)[10]
Oct 27 21:24:19	charon: 15[NET] <10> sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (184 bytes)
Oct 27 21:24:19	charon: 15[IKE] <10> sending NAT-T (RFC 3947) vendor ID
Oct 27 21:24:19	charon: 15[IKE] <10> sending FRAGMENTATION vendor ID
Oct 27 21:24:19	charon: 15[IKE] <10> sending Cisco Unity vendor ID
Oct 27 21:24:19	charon: 15[IKE] <10> sending DPD vendor ID
Oct 27 21:24:19	charon: 15[IKE] <10> sending XAuth vendor ID
Oct 27 21:24:19	charon: 15[IKE] <10> IKE_SA (unnamed)[10] state change: CREATED => CONNECTING
Oct 27 21:24:19	charon: 15[IKE] <10> 2.2.2.2 is initiating a Main Mode IKE_SA
Oct 27 21:24:19	charon: 15[IKE] <10> received FRAGMENTATION vendor ID
Oct 27 21:24:19	charon: 15[IKE] <10> received NAT-T (RFC 3947) vendor ID
Oct 27 21:24:19	charon: 15[IKE] <10> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Oct 27 21:24:19	charon: 15[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
                  Oct 27 21:24:19	charon: 15[IKE] <10> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
                  Oct 27 21:24:19	charon: 15[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500] (460 bytes)
                  Oct 27 21:24:19	charon: 15[NET] <10> received packet: from 2.2.2.2[500] to 1.1.1.1[500] (460 bytes)
                  Oct 27 21:24:19	charon: 15[MGR] created IKE_SA (unnamed)[10]
                  Oct 27 21:24:19	charon: 15[MGR] created IKE_SA (unnamed)[10]
                  Oct 27 21:24:19	charon: 15[MGR] checkout IKE_SA by message
                  Oct 27 21:24:19	charon: 15[MGR] checkout IKE_SA by message
                  Oct 27 21:24:19	charon: 04[NET] waiting for data on sockets
                  Oct 27 21:24:19	charon: 04[NET] waiting for data on sockets
                  Oct 27 21:24:19	charon: 04[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500]
                  
                  eri--

                    Can you try with tomorrow's snapshots?

                    valnar

                      I don't have the time to take down my FW at the moment, but if ankaerith can confirm it works, I'll upgrade to 2.2beta to test.

                      ankaerith

                        I'll try to give it a shot in the next day or two.

                        valnar

                          Has anyone confirmed this has been fixed?
