Netgate Discussion Forum
    IPsec Tunnel Green Local Only - No Traffic Passes

    huellhowser

      Hi All,

      I'm having problems with an IPsec site-to-site tunnel.

      My symptoms are that the "Status" indicator goes green on the local side only and no traffic passes between the sites.

      I have a firewall rule on both boxes' IPsec interfaces to allow all protocols to and from "all"

      My racoon.conf file is below…

      Thanks!  I appreciate any help you can provide.

      cat racoon.conf

      # This file is automatically generated. Do not edit
      path pre_shared_key "/var/etc/psk.txt";
      path certificate "/var/etc";

      listen
      {
          adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
          isakmp {LOCAL WAN IP} [500];
          isakmp_natt {LOCAL WAN IP} [4500];
      }

      remote {REMOTE WAN IP}
      {
          ph1id 1;
          exchange_mode aggressive;
          my_identifier user_fqdn "pat@sj.local";
          peers_identifier user_fqdn "pat@pa.local";
          ike_frag on;
          generate_policy = require;
          initial_contact = on;
          nat_traversal = on;

          dpd_delay = 10;
          dpd_maxfail = 5;
          support_proxy on;
          proposal_check strict;

          proposal
          {
              authentication_method pre_shared_key;
              encryption_algorithm 3des;
              hash_algorithm sha1;
              dh_group 2;
              lifetime time 28800 secs;
          }
      }

      sainfo subnet 172.16.1.0/24 any subnet 10.1.1.0/24 any
      {
          remoteid 1;
          encryption_algorithm blowfish 128;
          authentication_algorithm hmac_sha1;
          pfs_group 2;
          lifetime time 86400 secs;
          compression_algorithm deflate;
      }

      Here is what the IPsec log looks like on the local box when the sites connect and I'm sending ICMP:

      Oct 9 17:02:41 racoon: []: INFO: initiate new phase 2 negotiation: {LOCAL WAN IP}[500]<=>{REMOTE WAN IP}[500]
      Oct 9 17:02:41 racoon: []: INFO: IPsec-SA established: ESP {LOCAL WAN IP}[500]->{REMOTE WAN IP}[500] spi=209101818(0xc76a3fa)
      Oct 9 17:02:41 racoon: []: INFO: IPsec-SA established: ESP {LOCAL WAN IP}[500]->{REMOTE WAN IP}[500] spi=229382563(0xdac19a3)
      Oct 9 17:02:53 racoon: []: INFO: initiate new phase 2 negotiation: {LOCAL WAN IP}[500]<=>{REMOTE WAN IP}[500]
      Oct 9 17:02:53 racoon: []: INFO: IPsec-SA established: ESP {LOCAL WAN IP}[500]->{REMOTE WAN IP}[500] spi=166867411(0x9f231d3)
      Oct 9 17:02:53 racoon: []: INFO: IPsec-SA established: ESP {LOCAL WAN IP}[500]->{REMOTE WAN IP}[500] spi=6083078(0x5cd206)
      Oct 9 17:03:05 racoon: []: INFO: initiate new phase 2 negotiation: {LOCAL WAN IP}[500]<=>{REMOTE WAN IP}[500]
      Oct 9 17:03:05 racoon: []: INFO: IPsec-SA established: ESP {LOCAL WAN IP}[500]->{REMOTE WAN IP}[500] spi=15487077(0xec5065)
      Oct 9 17:03:05 racoon: []: INFO: IPsec-SA established: ESP {LOCAL WAN IP}[500]->{REMOTE WAN IP}[500] spi=150453300(0x8f7bc34)
      Oct 9 17:03:17 racoon: []: INFO: initiate new phase 2 negotiation: {LOCAL WAN IP}[500]<=>{REMOTE WAN IP}[500]
      Oct 9 17:03:17 racoon: []: INFO: IPsec-SA established: ESP {LOCAL WAN IP}[500]->{REMOTE WAN IP}[500] spi=24904323(0x17c0283)
      Oct 9 17:03:17 racoon: []: INFO: IPsec-SA established: ESP {LOCAL WAN IP}[500]->{REMOTE WAN IP}[500] spi=6897838(0x6940ae)

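The log above shows a brand-new phase 2 negotiation, with fresh SPIs each time, every 12 seconds; a tunnel that is actually passing traffic negotiates phase 2 once and then re-keys near the configured lifetime. The following is an added example, not code from the thread or from pfSense, that parses racoon log lines in exactly that format and flags this kind of SA churn per peer pair; the IP addresses, the year assumed for the syslog timestamps and the churn threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# racoon syslog line: "<Mon D HH:MM:SS> racoon: []: <LEVEL>: <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) racoon: \[\]: \w+: (?P<msg>.*)$")
PH2_RE = re.compile(r"initiate new phase 2 negotiation: (\S+?)\[\d+\]<=>(\S+?)\[\d+\]")
SA_RE = re.compile(r"IPsec-SA established: ESP (\S+?)\[\d+\]->(\S+?)\[\d+\] spi=(\d+)")

def parse_ts(ts, year=2025):
    # syslog timestamps carry no year; the year used here is an assumption
    return datetime.strptime(f"{' '.join(ts.split())} {year}", "%b %d %H:%M:%S %Y")

def analyze(lines, window_s=60, max_in_window=1):
    """Per (local, remote) pair: negotiation count, distinct SPIs seen, the busiest
    window_s-second span, and a churn verdict (more than max_in_window per window)."""
    starts, spis = defaultdict(list), defaultdict(set)
    for m in filter(None, map(LINE_RE.match, lines)):
        when, msg = parse_ts(m["ts"]), m["msg"]
        if (p := PH2_RE.search(msg)):
            starts[(p[1], p[2])].append(when)
        elif (s := SA_RE.search(msg)):
            spis[(s[1], s[2])].add(int(s[3]))
    report = {}
    for peer, times in starts.items():
        times.sort()
        # densest cluster of negotiations that fits in one window
        busiest = max(sum(1 for t in times if 0 <= (t - t0).total_seconds() <= window_s) for t0 in times)
        report[peer] = {"negotiations": len(times), "unique_spis": len(spis[peer]),
                        "busiest_window": busiest, "churn": busiest > max_in_window}
    return report

# Constructed sample in the format of the log above; documentation-range
# addresses stand in for the real WAN IPs.
SAMPLE_LOG = """\
Oct 9 17:02:41 racoon: []: INFO: initiate new phase 2 negotiation: 203.0.113.10[500]<=>198.51.100.20[500]
Oct 9 17:02:41 racoon: []: INFO: IPsec-SA established: ESP 203.0.113.10[500]->198.51.100.20[500] spi=209101818(0xc76a3fa)
Oct 9 17:02:41 racoon: []: INFO: IPsec-SA established: ESP 203.0.113.10[500]->198.51.100.20[500] spi=229382563(0xdac19a3)
Oct 9 17:02:53 racoon: []: INFO: initiate new phase 2 negotiation: 203.0.113.10[500]<=>198.51.100.20[500]
Oct 9 17:02:53 racoon: []: INFO: IPsec-SA established: ESP 203.0.113.10[500]->198.51.100.20[500] spi=166867411(0x9f231d3)
Oct 9 17:02:53 racoon: []: INFO: IPsec-SA established: ESP 203.0.113.10[500]->198.51.100.20[500] spi=6083078(0x5cd206)
Oct 9 17:03:05 racoon: []: INFO: initiate new phase 2 negotiation: 203.0.113.10[500]<=>198.51.100.20[500]
Oct 9 17:03:05 racoon: []: INFO: IPsec-SA established: ESP 203.0.113.10[500]->198.51.100.20[500] spi=15487077(0xec5065)
Oct 9 17:03:05 racoon: []: INFO: IPsec-SA established: ESP 203.0.113.10[500]->198.51.100.20[500] spi=150453300(0x8f7bc34)
"""

if __name__ == "__main__":
    for peer, r in analyze(SAMPLE_LOG.splitlines()).items():
        print(f"{peer[0]} <=> {peer[1]}: {r}")
```

Run it against /var/log/ipsec.log (or the IPsec log exported from the GUI) on the side that shows green; a churn verdict for a peer that never carries traffic points at a policy or proposal mismatch rather than a firewall rule.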
      kapara

        I use the following setup for about 30 tunnels with no issue!

        Try this:

        Phase 1

        Auth Method: Mutual PSK
        Negotiation Mode: Main
        My Identifier:  My IP Address
        Peer Identifier: Peer IP Address or IP address and enter the remote public IP

        Preshared key:  You know the answer

        Policy Generation: Default
        Proposal Checking: Obey
        Encryption: Blowfish
        Hash: SHA1
        DH: 2
        Lifetime: 28800
        NAT-T: Disabled
        DPD: No

        Phase 2:

        Protocol: ESP
        Encryption: Blowfish (Auto)
        Hash: SHA1
        PFS: 2
        Lifetime: 3600

        Make sure, for testing purposes, to allow all on the IPsec rule on both ends.

        Skype ID:  Marinhd

        Phonebuff

          Not sure if this will help –

          But I had to add an address to ping on the other end to my configs before traffic would pass.

          Also, if you have multiple gateways or a load share of some sort, be sure the traffic is going to the right route / gateway.


          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.