Netgate Discussion Forum
    IPSEC Phase 2 issue on 2.2 beta

    2.2 Snapshot Feedback and Problems - RETIRED
    14 Posts 6 Posters 5.8k Views
      valnar

      Well, in light of that, I'm moving back to 2.15.  It's just a home firewall, but I do like my VPN to work.  :)

        cmb

        There is something going on there.
        https://redmine.pfsense.org/issues/3961

          charliem

          Looks like there are a number of useful fixes in strongswan 5.2.1 (https://wiki.strongswan.org/versions/53):

          • kernel-pfroute fixes

          • kernel-pfkey fixes

          • cisco unity fixes

          • IKEv1 re-keying fixes

            karl23

            Looking forward to any updates on this - basically it's a problem interoperating with an IPSec tunnel with multiple subnets against a Sonicwall NSA 3600.

              valnar

              @karl23:

              Looking forward to any updates on this - basically it's a problem interoperating with an IPSec tunnel with multiple subnets against a Sonicwall NSA 3600.

              It's against any device as far as I can tell.

                ankaerith

                I'm seeing issues similar to those described in this thread, and possibly some differences.  I thought I'd share what I'm seeing.

                Running the snapshot from Oct 27.

                IPsec tunnel between pfSense and Cisco ASA 9.1.5.

                Two Phase 2 networks configured.

                If I initiate traffic from behind the pfSense system, I get a Phase 1 SA and no Phase 2, regardless of which network in the P2 I'm trying to hit.

                If I initiate traffic from behind the ASA, it builds the Phase 1 and the Phase 2 for any network in the Phase 2.

                If that network is the first network in the Phase 2 list, I can pass traffic without issue.  If that network is not first, I can't pass any traffic regardless.

                If I switch the order of the Phase 2 entries and restart the tunnel from the ASA side, I can now pass traffic on the new first entry.

                Here is the log data for initiating traffic from behind PFSense and only getting a P1 SA:

                Oct 27 21:22:26	charon: 16[MGR] check-in of IKE_SA successful.
                Oct 27 21:22:26	charon: 16[MGR] <con1|9> check-in of IKE_SA successful.
                Oct 27 21:22:26	charon: 16[MGR] checkin IKE_SA con1[9]
                Oct 27 21:22:26	charon: 16[MGR] <con1|9> checkin IKE_SA con1[9]
                Oct 27 21:22:26	charon: 05[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500]
                Oct 27 21:22:26	charon: 05[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500]
                Oct 27 21:22:26	charon: 16[IKE] nothing to initiate
                Oct 27 21:22:26	charon: 16[IKE] <con1|9> nothing to initiate
                Oct 27 21:22:26	charon: 16[IKE] activating new tasks
                Oct 27 21:22:26	charon: 16[IKE] <con1|9> activating new tasks
                Oct 27 21:22:26	charon: 16[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (92 bytes)
                Oct 27 21:22:26	charon: 16[NET] <con1|9> sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (92 bytes)
                Oct 27 21:22:26	charon: 16[IKE] activating ISAKMP_DPD task
                Oct 27 21:22:26	charon: 16[IKE] <con1|9> activating ISAKMP_DPD task
                Oct 27 21:22:26	charon: 16[IKE] activating new tasks
                Oct 27 21:22:26	charon: 16[IKE] <con1|9> activating new tasks
                Oct 27 21:22:26	charon: 16[IKE] queueing ISAKMP_DPD task
                Oct 27 21:22:26	charon: 16[IKE] <con1|9> queueing ISAKMP_DPD task
                Oct 27 21:22:26	charon: 16[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500] (92 bytes)
                Oct 27 21:22:26	charon: 16[NET] <con1|9> received packet: from 2.2.2.2[500] to 1.1.1.1[500] (92 bytes)
                Oct 27 21:22:26	charon: 16[MGR] IKE_SA con1[9] successfully checked out
                Oct 27 21:22:26	charon: 16[MGR] IKE_SA con1[9] successfully checked out
                Oct 27 21:22:26	charon: 16[MGR] checkout IKE_SA by message
                Oct 27 21:22:26	charon: 16[MGR] checkout IKE_SA by message
                Oct 27 21:22:26	charon: 04[NET] waiting for data on sockets
                Oct 27 21:22:26	charon: 04[NET] waiting for data on sockets
                Oct 27 21:22:26	charon: 04[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500]
                Oct 27 21:22:26	charon: 04[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500]
                Oct 27 21:22:13	charon: 16[MGR] check-in of IKE_SA successful.
                Oct 27 21:22:13	charon: 16[MGR] <con1|9> check-in of IKE_SA successful.
                Oct 27 21:22:13	charon: 16[MGR] checkin IKE_SA con1[9]
                Oct 27 21:22:13	charon: 16[MGR] <con1|9> checkin IKE_SA con1[9]
                Oct 27 21:22:13	charon: 16[MGR] IKE_SA con1[9] successfully checked out
                Oct 27 21:22:13	charon: 16[MGR] IKE_SA con1[9] successfully checked out
                Oct 27 21:22:13	charon: 16[MGR] checkout IKE_SA
                Oct 27 21:22:13	charon: 16[MGR] checkout IKE_SA
                Oct 27 21:22:13	charon: 16[MGR] check-in of IKE_SA successful.
                Oct 27 21:22:13	charon: 16[MGR] <con1|9> check-in of IKE_SA successful.
                Oct 27 21:22:13	charon: 16[MGR] checkin IKE_SA con1[9]
                Oct 27 21:22:13	charon: 16[MGR] <con1|9> checkin IKE_SA con1[9]
                Oct 27 21:22:13	charon: 16[MGR] IKE_SA con1[9] successfully checked out
                Oct 27 21:22:13	charon: 16[MGR] IKE_SA con1[9] successfully checked out
                Oct 27 21:22:13	charon: 16[MGR] checkout IKE_SA
                Oct 27 21:22:13	charon: 16[MGR] checkout IKE_SA
                Oct 27 21:22:13	charon: 03[MGR] check-in of IKE_SA successful.
                Oct 27 21:22:13	charon: 03[MGR] <con1|9> check-in of IKE_SA successful.
                Oct 27 21:22:13	charon: 03[MGR] checkin IKE_SA con1[9]
                Oct 27 21:22:13	charon: 03[MGR] <con1|9> checkin IKE_SA con1[9]
                Oct 27 21:22:13	charon: 03[MGR] IKE_SA con1[9] successfully checked out
                Oct 27 21:22:13	charon: 03[MGR] IKE_SA con1[9] successfully checked out
                Oct 27 21:22:13	charon: 03[MGR] checkout IKE_SA
                Oct 27 21:22:13	charon: 03[MGR] checkout IKE_SA
                Oct 27 21:22:09	charon: 03[MGR] check-in of IKE_SA successful.
                Oct 27 21:22:09	charon: 03[MGR] <con1|9> check-in of IKE_SA successful.
                Oct 27 21:22:09	charon: 03[MGR] checkin IKE_SA con1[9]
                Oct 27 21:22:09	charon: 03[MGR] <con1|9> checkin IKE_SA con1[9]
                Oct 27 21:22:09	charon: 03[IKE] nothing to initiate
                Oct 27 21:22:09	charon: 03[IKE] <con1|9> nothing to initiate
                Oct 27 21:22:09	charon: 03[IKE] activating new tasks
                Oct 27 21:22:09	charon: 03[IKE] <con1|9> activating new tasks
                Oct 27 21:22:09	charon: 03[IKE] maximum IKE_SA lifetime 28622s
                Oct 27 21:22:09	charon: 03[IKE] <con1|9> maximum IKE_SA lifetime 28622s
                Oct 27 21:22:09	charon: 03[IKE] scheduling reauthentication in 28082s
                Oct 27 21:22:09	charon: 03[IKE] <con1|9> scheduling reauthentication in 28082s
                Oct 27 21:22:09	charon: 03[IKE] IKE_SA con1[9] state change: CONNECTING => ESTABLISHED
                Oct 27 21:22:09	charon: 03[IKE] <con1|9> IKE_SA con1[9] state change: CONNECTING => ESTABLISHED
                Oct 27 21:22:09	charon: 03[IKE] IKE_SA con1[9] established between 1.1.1.1[1.1.1.1]...2.2.2.2[2.2.2.2]
                Oct 27 21:22:09	charon: 03[IKE] <con1|9> IKE_SA con1[9] established between 1.1.1.1[1.1.1.1]...2.2.2.2[2.2.2.2]
                Oct 27 21:22:09	charon: 03[IKE] received DPD vendor ID
                Oct 27 21:22:09	charon: 03[IKE] <con1|9> received DPD vendor ID
                Oct 27 21:22:09	charon: 03[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500] (92 bytes)
                Oct 27 21:22:09	charon: 03[NET] <con1|9> received packet: from 2.2.2.2[500] to 1.1.1.1[500] (92 bytes)
                Oct 27 21:22:09	charon: 03[MGR] IKE_SA con1[9] successfully checked out
                Oct 27 21:22:09	charon: 03[MGR] IKE_SA con1[9] successfully checked out
                Oct 27 21:22:09	charon: 03[MGR] checkout IKE_SA by message
                Oct 27 21:22:09	charon: 03[MGR] checkout IKE_SA by message
                Oct 27 21:22:09	charon: 04[NET] waiting for data on sockets
                Oct 27 21:22:09	charon: 04[NET] waiting for data on sockets
                Oct 27 21:22:09	charon: 04[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500]
                Oct 27 21:22:09	charon: 04[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500]
                Oct 27 21:22:09	charon: 03[MGR] check-in of IKE_SA successful.
                Oct 27 21:22:09	charon: 05[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500]
                Oct 27 21:22:09	charon: 03[MGR] <con1|9> check-in of IKE_SA successful.
                Oct 27 21:22:09	charon: 05[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500]
                Oct 27 21:22:09	charon: 03[MGR] checkin IKE_SA con1[9]
                Oct 27 21:22:09	charon: 03[MGR] <con1|9> checkin IKE_SA con1[9]
                Oct 27 21:22:09	charon: 03[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (76 bytes)
                Oct 27 21:22:09	charon: 03[NET] <con1|9> sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (76 bytes)
                Oct 27 21:22:09	charon: 03[IKE] MAIN_MODE task
                Oct 27 21:22:09	charon: 03[IKE] <con1|9> MAIN_MODE task
                Oct 27 21:22:09	charon: 03[IKE] ISAKMP_VENDOR task
                Oct 27 21:22:09	charon: 03[IKE] <con1|9> ISAKMP_VENDOR task
                Oct 27 21:22:09	charon: 03[IKE] reinitiating already active tasks
                Oct 27 21:22:09	charon: 03[IKE] <con1|9> reinitiating already active tasks
                Oct 27 21:22:09	charon: 03[IKE] received XAuth vendor ID
                Oct 27 21:22:09	charon: 03[IKE] <con1|9> received XAuth vendor ID
                Oct 27 21:22:09	charon: 03[IKE] received Cisco Unity vendor ID
                Oct 27 21:22:09	charon: 03[IKE] <con1|9> received Cisco Unity vendor ID
                Oct 27 21:22:09	charon: 03[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500] (304 bytes)
                Oct 27 21:22:09	charon: 03[NET] <con1|9> received packet: from 2.2.2.2[500] to 1.1.1.1[500] (304 bytes)
                Oct 27 21:22:09	charon: 03[MGR] IKE_SA con1[9] successfully checked out
                Oct 27 21:22:09	charon: 03[MGR] IKE_SA con1[9] successfully checked out
                Oct 27 21:22:09	charon: 03[MGR] checkout IKE_SA by message
                Oct 27 21:22:09	charon: 03[MGR] checkout IKE_SA by message
                Oct 27 21:22:09	charon: 04[NET] waiting for data on sockets
                Oct 27 21:22:09	charon: 04[NET] waiting for data on sockets
                Oct 27 21:22:09	charon: 04[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500]
                Oct 27 21:22:09	charon: 04[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500]
                Oct 27 21:22:09	charon: 05[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500]
                Oct 27 21:22:09	charon: 05[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500]
                Oct 27 21:22:09	charon: 03[MGR] check-in of IKE_SA successful.
                Oct 27 21:22:09	charon: 03[MGR] <con1|9> check-in of IKE_SA successful.
                Oct 27 21:22:09	charon: 03[MGR] checkin IKE_SA con1[9]
                Oct 27 21:22:09	charon: 03[MGR] <con1|9> checkin IKE_SA con1[9]
                Oct 27 21:22:09	charon: 03[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (244 bytes)
                Oct 27 21:22:09	charon: 03[NET] <con1|9> sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (244 bytes)
                Oct 27 21:22:09	charon: 03[LIB] size of DH secret exponent: 1023 bits
                Oct 27 21:22:09	charon: 03[LIB] <con1|9> size of DH secret exponent: 1023 bits
                Oct 27 21:22:09	charon: 03[IKE] MAIN_MODE task
                Oct 27 21:22:09	charon: 03[IKE] <con1|9> MAIN_MODE task
                Oct 27 21:22:09	charon: 03[IKE] ISAKMP_VENDOR task
                Oct 27 21:22:09	charon: 03[IKE] <con1|9> ISAKMP_VENDOR task
                Oct 27 21:22:09	charon: 03[IKE] reinitiating already active tasks
                Oct 27 21:22:09	charon: 03[IKE] <con1|9> reinitiating already active tasks
                Oct 27 21:22:09	charon: 03[IKE] received FRAGMENTATION vendor ID
                Oct 27 21:22:09	charon: 03[IKE] <con1|9> received FRAGMENTATION vendor ID
                Oct 27 21:22:09	charon: 03[IKE] received NAT-T (RFC 3947) vendor ID
                Oct 27 21:22:09	charon: 03[IKE] <con1|9> received NAT-T (RFC 3947) vendor ID
                Oct 27 21:22:09	charon: 03[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500] (128 bytes)
                Oct 27 21:22:09	charon: 03[NET] <con1|9> received packet: from 2.2.2.2[500] to 1.1.1.1[500] (128 bytes)
                Oct 27 21:22:09	charon: 03[MGR] IKE_SA con1[9] successfully checked out
                Oct 27 21:22:09	charon: 03[MGR] IKE_SA con1[9] successfully checked out
                Oct 27 21:22:09	charon: 03[MGR] checkout IKE_SA by message
                Oct 27 21:22:09	charon: 03[MGR] checkout IKE_SA by message
                Oct 27 21:22:09	charon: 04[NET] waiting for data on sockets
                Oct 27 21:22:09	charon: 04[NET] waiting for data on sockets
                Oct 27 21:22:09	charon: 04[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500]
                Oct 27 21:22:09	charon: 04[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500]
                Oct 27 21:22:09	charon: 05[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500]
                Oct 27 21:22:09	charon: 05[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500]
                Oct 27 21:22:09	charon: 03[MGR] checkin IKE_SA con1[9]
                Oct 27 21:22:09	charon: 03[MGR] <con1|9> checkin IKE_SA con1[9]
                Oct 27 21:22:09	charon: 03[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (200 bytes)
                Oct 27 21:22:09	charon: 03[NET] <con1|9> sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (200 bytes)
                Oct 27 21:22:09	charon: 03[IKE] IKE_SA con1[9] state change: CREATED => CONNECTING
                Oct 27 21:22:09	charon: 03[IKE] <con1|9> IKE_SA con1[9] state change: CREATED => CONNECTING
                Oct 27 21:22:09	charon: 03[IKE] initiating Main Mode IKE_SA con1[9] to 2.2.2.2
                Oct 27 21:22:09	charon: 03[IKE] <con1|9> initiating Main Mode IKE_SA con1[9] to 2.2.2.2
                Oct 27 21:22:09	charon: 03[IKE] sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
                Oct 27 21:22:09	charon: 03[IKE] <con1|9> sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
                Oct 27 21:22:09	charon: 03[IKE] sending NAT-T (RFC 3947) vendor ID
                Oct 27 21:22:09	charon: 03[IKE] <con1|9> sending NAT-T (RFC 3947) vendor ID
                Oct 27 21:22:09	charon: 03[IKE] sending FRAGMENTATION vendor ID
                Oct 27 21:22:09	charon: 03[IKE] <con1|9> sending FRAGMENTATION vendor ID
                Oct 27 21:22:09	charon: 03[IKE] sending Cisco Unity vendor ID
                Oct 27 21:22:09	charon: 03[IKE] <con1|9> sending Cisco Unity vendor ID
                Oct 27 21:22:09	charon: 03[IKE] sending DPD vendor ID
                Oct 27 21:22:09	charon: 03[IKE] <con1|9> sending DPD vendor ID
                Oct 27 21:22:09	charon: 03[IKE] sending XAuth vendor ID
                Oct 27 21:22:09	charon: 03[IKE] <con1|9> sending XAuth vendor ID
                Oct 27 21:22:09	charon: 03[IKE] activating ISAKMP_NATD task
                Oct 27 21:22:09	charon: 03[IKE] <con1|9> activating ISAKMP_NATD task
                Oct 27 21:22:09	charon: 03[IKE] activating ISAKMP_CERT_POST task
                Oct 27 21:22:09	charon: 03[IKE] <con1|9> activating ISAKMP_CERT_POST task
                Oct 27 21:22:09	charon: 03[IKE] activating MAIN_MODE task
                Oct 27 21:22:09	charon: 03[IKE] <con1|9> activating MAIN_MODE task
                Oct 27 21:22:09	charon: 03[IKE] activating ISAKMP_CERT_PRE task
                Oct 27 21:22:09	charon: 03[IKE] <con1|9> activating ISAKMP_CERT_PRE task
                Oct 27 21:22:09	charon: 03[IKE] activating ISAKMP_VENDOR task
                Oct 27 21:22:09	charon: 03[IKE] <con1|9> activating ISAKMP_VENDOR task
                Oct 27 21:22:09	charon: 03[IKE] activating new tasks
                Oct 27 21:22:09	charon: 03[IKE] <con1|9> activating new tasks
                Oct 27 21:22:09	charon: 03[IKE] queueing QUICK_MODE task
                Oct 27 21:22:09	charon: 03[IKE] <con1|9> queueing QUICK_MODE task
                Oct 27 21:22:09	charon: 03[IKE] queueing ISAKMP_NATD task
                Oct 27 21:22:09	charon: 03[IKE] <con1|9> queueing ISAKMP_NATD task
                Oct 27 21:22:09	charon: 03[IKE] queueing ISAKMP_CERT_POST task
                Oct 27 21:22:09	charon: 03[IKE] <con1|9> queueing ISAKMP_CERT_POST task
                Oct 27 21:22:09	charon: 03[IKE] queueing MAIN_MODE task
                Oct 27 21:22:09	charon: 03[IKE] <con1|9> queueing MAIN_MODE task
                Oct 27 21:22:09	charon: 03[IKE] queueing ISAKMP_CERT_PRE task
                Oct 27 21:22:09	charon: 03[IKE] <con1|9> queueing ISAKMP_CERT_PRE task
                Oct 27 21:22:09	charon: 03[IKE] queueing ISAKMP_VENDOR task
                Oct 27 21:22:09	charon: 03[IKE] <con1|9> queueing ISAKMP_VENDOR task
                Oct 27 21:22:09	charon: 03[MGR] created IKE_SA (unnamed)[9]
                Oct 27 21:22:09	charon: 03[MGR] created IKE_SA (unnamed)[9]
                Oct 27 21:22:09	charon: 03[MGR] checkout IKE_SA by config


                Here is the log if I initiate traffic from behind ASA:

                Oct 27 21:24:24	charon: 11[MGR] check-in of IKE_SA successful.
                Oct 27 21:24:24	charon: 11[MGR] <con1|10> check-in of IKE_SA successful.
                Oct 27 21:24:24	charon: 11[MGR] checkin IKE_SA con1[10]
                Oct 27 21:24:24	charon: 11[MGR] <con1|10> checkin IKE_SA con1[10]
                Oct 27 21:24:24	charon: 11[MGR] IKE_SA con1[10] successfully checked out
                Oct 27 21:24:24	charon: 11[MGR] IKE_SA con1[10] successfully checked out
                Oct 27 21:24:24	charon: 11[MGR] checkout IKE_SA
                Oct 27 21:24:24	charon: 11[MGR] checkout IKE_SA
                Oct 27 21:24:20	charon: 11[MGR] check-in of IKE_SA successful.
                Oct 27 21:24:20	charon: 11[MGR] <con1|10> check-in of IKE_SA successful.
                Oct 27 21:24:20	charon: 11[MGR] checkin IKE_SA con1[10]
                Oct 27 21:24:20	charon: 11[MGR] <con1|10> checkin IKE_SA con1[10]
                Oct 27 21:24:20	charon: 11[IKE] CHILD_SA con1{1} established with SPIs c50da63c_i 1496d46b_o and TS 172.22.22.0/24|/0 === 10.100.20.0/24|/0
                Oct 27 21:24:20	charon: 11[IKE] <con1|10> CHILD_SA con1{1} established with SPIs c50da63c_i 1496d46b_o and TS 172.22.22.0/24|/0 === 10.100.20.0/24|/0
                Oct 27 21:24:20	charon: 11[CHD] SPI 0x1496d46b, src 1.1.1.1 dst 2.2.2.2
                Oct 27 21:24:20	charon: 11[CHD] <con1|10> SPI 0x1496d46b, src 1.1.1.1 dst 2.2.2.2
                Oct 27 21:24:20	charon: 11[CHD] adding outbound ESP SA
                Oct 27 21:24:20	charon: 11[CHD] <con1|10> adding outbound ESP SA
                Oct 27 21:24:20	charon: 11[CHD] SPI 0xc50da63c, src 2.2.2.2 dst 1.1.1.1
                Oct 27 21:24:20	charon: 11[CHD] <con1|10> SPI 0xc50da63c, src 2.2.2.2 dst 1.1.1.1
                Oct 27 21:24:20	charon: 11[CHD] adding inbound ESP SA
                Oct 27 21:24:20	charon: 11[CHD] <con1|10> adding inbound ESP SA
                Oct 27 21:24:20	charon: 11[CHD] using HMAC_SHA1_96 for integrity
                Oct 27 21:24:20	charon: 11[CHD] <con1|10> using HMAC_SHA1_96 for integrity
                Oct 27 21:24:20	charon: 11[CHD] using AES_CBC for encryption
                Oct 27 21:24:20	charon: 11[CHD] <con1|10> using AES_CBC for encryption
                Oct 27 21:24:20	charon: 11[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500] (76 bytes)
                Oct 27 21:24:20	charon: 11[NET] <con1|10> received packet: from 2.2.2.2[500] to 1.1.1.1[500] (76 bytes)
                Oct 27 21:24:20	charon: 11[MGR] IKE_SA con1[10] successfully checked out
                Oct 27 21:24:20	charon: 11[MGR] IKE_SA con1[10] successfully checked out
                Oct 27 21:24:20	charon: 11[MGR] checkout IKE_SA by message
                Oct 27 21:24:20	charon: 11[MGR] checkout IKE_SA by message
                Oct 27 21:24:20	charon: 04[NET] waiting for data on sockets
                Oct 27 21:24:20	charon: 04[NET] waiting for data on sockets
                Oct 27 21:24:20	charon: 04[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500]
                Oct 27 21:24:20	charon: 04[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500]
                Oct 27 21:24:20	charon: 05[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500]
                Oct 27 21:24:20	charon: 05[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500]
                Oct 27 21:24:20	charon: 11[MGR] check-in of IKE_SA successful.
                Oct 27 21:24:20	charon: 11[MGR] <con1|10> check-in of IKE_SA successful.
                Oct 27 21:24:20	charon: 11[MGR] checkin IKE_SA con1[10]
                Oct 27 21:24:20	charon: 11[MGR] <con1|10> checkin IKE_SA con1[10]
                Oct 27 21:24:20	charon: 11[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (332 bytes)
                Oct 27 21:24:20	charon: 11[NET] <con1|10> sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (332 bytes)
                Oct 27 21:24:19	charon: 11[LIB] size of DH secret exponent: 1023 bits
                Oct 27 21:24:19	charon: 11[LIB] <con1|10> size of DH secret exponent: 1023 bits
                Oct 27 21:24:19	charon: 11[IKE] received 4608000000 lifebytes, configured 0
                Oct 27 21:24:19	charon: 11[IKE] <con1|10> received 4608000000 lifebytes, configured 0
                Oct 27 21:24:19	charon: 11[IKE] received 28800s lifetime, configured 3600s
                Oct 27 21:24:19	charon: 11[IKE] <con1|10> received 28800s lifetime, configured 3600s
                Oct 27 21:24:19	charon: 11[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500] (348 bytes)
                Oct 27 21:24:19	charon: 11[NET] <con1|10> received packet: from 2.2.2.2[500] to 1.1.1.1[500] (348 bytes)
                Oct 27 21:24:19	charon: 11[MGR] IKE_SA con1[10] successfully checked out
                Oct 27 21:24:19	charon: 11[MGR] IKE_SA con1[10] successfully checked out
                Oct 27 21:24:19	charon: 11[MGR] checkout IKE_SA by message
                Oct 27 21:24:19	charon: 11[MGR] checkout IKE_SA by message
                Oct 27 21:24:19	charon: 04[NET] waiting for data on sockets
                Oct 27 21:24:19	charon: 04[NET] waiting for data on sockets
                Oct 27 21:24:19	charon: 04[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500]
                Oct 27 21:24:19	charon: 04[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500]
                Oct 27 21:24:19	charon: 11[MGR] check-in of IKE_SA successful.
                Oct 27 21:24:19	charon: 11[MGR] <con1|10> check-in of IKE_SA successful.
                Oct 27 21:24:19	charon: 11[MGR] checkin IKE_SA con1[10]
                Oct 27 21:24:19	charon: 11[MGR] <con1|10> checkin IKE_SA con1[10]
                Oct 27 21:24:19	charon: 11[MGR] IKE_SA con1[10] successfully checked out
                Oct 27 21:24:19	charon: 11[MGR] IKE_SA con1[10] successfully checked out
                Oct 27 21:24:19	charon: 15[MGR] check-in of IKE_SA successful.
                Oct 27 21:24:19	charon: 15[MGR] <con1|10> check-in of IKE_SA successful.
                Oct 27 21:24:19	charon: 05[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500]
                Oct 27 21:24:19	charon: 15[MGR] checkin IKE_SA con1[10]
                Oct 27 21:24:19	charon: 05[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500]
                Oct 27 21:24:19	charon: 15[MGR] <con1|10> checkin IKE_SA con1[10]
                Oct 27 21:24:19	charon: 15[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (76 bytes)
                Oct 27 21:24:19	charon: 15[NET] <con1|10> sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (76 bytes)
                Oct 27 21:24:19	charon: 11[MGR] checkout IKE_SA
                Oct 27 21:24:19	charon: 11[MGR] checkout IKE_SA
                Oct 27 21:24:19	charon: 15[IKE] maximum IKE_SA lifetime 28798s
                Oct 27 21:24:19	charon: 15[IKE] <con1|10> maximum IKE_SA lifetime 28798s
                Oct 27 21:24:19	charon: 15[IKE] scheduling reauthentication in 28258s
                Oct 27 21:24:19	charon: 15[IKE] <con1|10> scheduling reauthentication in 28258s
                Oct 27 21:24:19	charon: 15[IKE] IKE_SA con1[10] state change: CONNECTING => ESTABLISHED
                Oct 27 21:24:19	charon: 15[IKE] <con1|10> IKE_SA con1[10] state change: CONNECTING => ESTABLISHED
                Oct 27 21:24:19	charon: 15[IKE] IKE_SA con1[10] established between 1.1.1.1[1.1.1.1]...2.2.2.2[2.2.2.2]
                Oct 27 21:24:19	charon: 15[IKE] <con1|10> IKE_SA con1[10] established between 1.1.1.1[1.1.1.1]...2.2.2.2[2.2.2.2]
                Oct 27 21:24:19	charon: 15[IKE] received DPD vendor ID
                Oct 27 21:24:19	charon: 15[IKE] <10> received DPD vendor ID
                Oct 27 21:24:19	charon: 15[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500] (92 bytes)
                Oct 27 21:24:19	charon: 15[NET] <10> received packet: from 2.2.2.2[500] to 1.1.1.1[500] (92 bytes)
                Oct 27 21:24:19	charon: 15[MGR] IKE_SA (unnamed)[10] successfully checked out
                Oct 27 21:24:19	charon: 15[MGR] IKE_SA (unnamed)[10] successfully checked out
                Oct 27 21:24:19	charon: 15[MGR] checkout IKE_SA by message
                Oct 27 21:24:19	charon: 04[NET] waiting for data on sockets
                Oct 27 21:24:19	charon: 15[MGR] checkout IKE_SA by message
                Oct 27 21:24:19	charon: 04[NET] waiting for data on sockets
                Oct 27 21:24:19	charon: 04[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500]
                Oct 27 21:24:19	charon: 04[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500]
                Oct 27 21:24:19	charon: 15[MGR] check-in of IKE_SA successful.
                Oct 27 21:24:19	charon: 15[MGR] <10> check-in of IKE_SA successful.
                Oct 27 21:24:19	charon: 05[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500]
                Oct 27 21:24:19	charon: 15[MGR] checkin IKE_SA (unnamed)[10]
                Oct 27 21:24:19	charon: 05[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500]
                Oct 27 21:24:19	charon: 15[MGR] <10> checkin IKE_SA (unnamed)[10]
                Oct 27 21:24:19	charon: 15[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (244 bytes)
                Oct 27 21:24:19	charon: 15[NET] <10> sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (244 bytes)
                Oct 27 21:24:19	charon: 15[LIB] size of DH secret exponent: 1023 bits
                Oct 27 21:24:19	charon: 15[LIB] <10> size of DH secret exponent: 1023 bits
                Oct 27 21:24:19	charon: 15[IKE] received XAuth vendor ID
                Oct 27 21:24:19	charon: 15[IKE] <10> received XAuth vendor ID
                Oct 27 21:24:19	charon: 15[IKE] received Cisco Unity vendor ID
                Oct 27 21:24:19	charon: 15[IKE] <10> received Cisco Unity vendor ID
                Oct 27 21:24:19	charon: 15[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500] (304 bytes)
                Oct 27 21:24:19	charon: 15[NET] <10> received packet: from 2.2.2.2[500] to 1.1.1.1[500] (304 bytes)
                Oct 27 21:24:19	charon: 15[MGR] IKE_SA (unnamed)[10] successfully checked out
                Oct 27 21:24:19	charon: 15[MGR] IKE_SA (unnamed)[10] successfully checked out
                Oct 27 21:24:19	charon: 15[MGR] checkout IKE_SA by message
                Oct 27 21:24:19	charon: 15[MGR] checkout IKE_SA by message
                Oct 27 21:24:19	charon: 04[NET] waiting for data on sockets
                Oct 27 21:24:19	charon: 04[NET] waiting for data on sockets
                Oct 27 21:24:19	charon: 04[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500]
                Oct 27 21:24:19	charon: 04[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500]
                Oct 27 21:24:19	charon: 15[MGR] check-in of IKE_SA successful.
                Oct 27 21:24:19	charon: 15[MGR] <10> check-in of IKE_SA successful.
                Oct 27 21:24:19	charon: 05[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500]
                Oct 27 21:24:19	charon: 15[MGR] checkin IKE_SA (unnamed)[10]
                Oct 27 21:24:19	charon: 05[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500]
                Oct 27 21:24:19	charon: 15[MGR] <10> checkin IKE_SA (unnamed)[10]
                Oct 27 21:24:19	charon: 15[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (184 bytes)
                Oct 27 21:24:19	charon: 15[NET] <10> sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (184 bytes)
                Oct 27 21:24:19	charon: 15[IKE] sending NAT-T (RFC 3947) vendor ID
                Oct 27 21:24:19	charon: 15[IKE] <10> sending NAT-T (RFC 3947) vendor ID
                Oct 27 21:24:19	charon: 15[IKE] sending FRAGMENTATION vendor ID
                Oct 27 21:24:19	charon: 15[IKE] <10> sending FRAGMENTATION vendor ID
                Oct 27 21:24:19	charon: 15[IKE] sending Cisco Unity vendor ID
                Oct 27 21:24:19	charon: 15[IKE] <10> sending Cisco Unity vendor ID
                Oct 27 21:24:19	charon: 15[IKE] sending DPD vendor ID
                Oct 27 21:24:19	charon: 15[IKE] <10> sending DPD vendor ID
                Oct 27 21:24:19	charon: 15[IKE] sending XAuth vendor ID
                Oct 27 21:24:19	charon: 15[IKE] <10> sending XAuth vendor ID
                Oct 27 21:24:19	charon: 15[IKE] IKE_SA (unnamed)[10] state change: CREATED => CONNECTING
                Oct 27 21:24:19	charon: 15[IKE] <10> IKE_SA (unnamed)[10] state change: CREATED => CONNECTING
                Oct 27 21:24:19	charon: 15[IKE] 2.2.2.2 is initiating a Main Mode IKE_SA
                Oct 27 21:24:19	charon: 15[IKE] <10> 2.2.2.2 is initiating a Main Mode IKE_SA
                Oct 27 21:24:19	charon: 15[IKE] received FRAGMENTATION vendor ID
                Oct 27 21:24:19	charon: 15[IKE] <10> received FRAGMENTATION vendor ID
                Oct 27 21:24:19	charon: 15[IKE] received NAT-T (RFC 3947) vendor ID
                Oct 27 21:24:19	charon: 15[IKE] <10> received NAT-T (RFC 3947) vendor ID
                Oct 27 21:24:19	charon: 15[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
                Oct 27 21:24:19	charon: 15[IKE] <10> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
                Oct 27 21:24:19	charon: 15[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
                Oct 27 21:24:19	charon: 15[IKE] <10> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
                Oct 27 21:24:19	charon: 15[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500] (460 bytes)
                Oct 27 21:24:19	charon: 15[NET] <10> received packet: from 2.2.2.2[500] to 1.1.1.1[500] (460 bytes)
                Oct 27 21:24:19	charon: 15[MGR] created IKE_SA (unnamed)[10]
                Oct 27 21:24:19	charon: 15[MGR] created IKE_SA (unnamed)[10]
                Oct 27 21:24:19	charon: 15[MGR] checkout IKE_SA by message
                Oct 27 21:24:19	charon: 15[MGR] checkout IKE_SA by message
                Oct 27 21:24:19	charon: 04[NET] waiting for data on sockets
                Oct 27 21:24:19	charon: 04[NET] waiting for data on sockets
                Oct 27 21:24:19	charon: 04[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500]

                  eri--
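A small diagnostic for charon logs of the kind posted above, added here as an example and not part of the thread or of pfSense: it collapses the doubled log lines (each message once bare, once with the `<conn|id>` prefix), tracks each IKE_SA's highest state, who initiated it and whether a QUICK_MODE task was queued, and lists the CHILD_SAs that actually came up with their traffic selectors, so an IKE_SA that reached ESTABLISHED with no CHILD_SA (the phase-1-only symptom) stands out. The sample log is constructed from lines of the kind in the post; the `1.1.1.1`/`2.2.2.2` addresses and the SPIs are the thread's placeholders.

```python
import re
from collections import OrderedDict

# Constructed sample in the style of the post above: pfSense 2.2's IPsec log view
# lists the newest line first and shows each charon message twice, once bare and
# once with the <conn|id> prefix (bare <id> before the IKE_SA has a config name).
SAMPLE_LOG = """\
Oct 27 21:24:20\tcharon: 11[IKE] CHILD_SA con1{1} established with SPIs c50da63c_i 1496d46b_o and TS 172.22.22.0/24|/0 === 10.100.20.0/24|/0
Oct 27 21:24:20\tcharon: 11[IKE] <con1|10> CHILD_SA con1{1} established with SPIs c50da63c_i 1496d46b_o and TS 172.22.22.0/24|/0 === 10.100.20.0/24|/0
Oct 27 21:24:19\tcharon: 15[IKE] IKE_SA con1[10] state change: CONNECTING => ESTABLISHED
Oct 27 21:24:19\tcharon: 15[IKE] <con1|10> IKE_SA con1[10] state change: CONNECTING => ESTABLISHED
Oct 27 21:24:19\tcharon: 15[IKE] IKE_SA (unnamed)[10] state change: CREATED => CONNECTING
Oct 27 21:24:19\tcharon: 15[IKE] <10> IKE_SA (unnamed)[10] state change: CREATED => CONNECTING
Oct 27 21:24:19\tcharon: 15[IKE] 2.2.2.2 is initiating a Main Mode IKE_SA
Oct 27 21:24:19\tcharon: 15[IKE] <10> 2.2.2.2 is initiating a Main Mode IKE_SA
Oct 27 21:22:09\tcharon: 03[IKE] IKE_SA con1[9] state change: CONNECTING => ESTABLISHED
Oct 27 21:22:09\tcharon: 03[IKE] <con1|9> IKE_SA con1[9] state change: CONNECTING => ESTABLISHED
Oct 27 21:22:09\tcharon: 03[IKE] IKE_SA con1[9] state change: CREATED => CONNECTING
Oct 27 21:22:09\tcharon: 03[IKE] <con1|9> IKE_SA con1[9] state change: CREATED => CONNECTING
Oct 27 21:22:09\tcharon: 03[IKE] initiating Main Mode IKE_SA con1[9] to 2.2.2.2
Oct 27 21:22:09\tcharon: 03[IKE] <con1|9> initiating Main Mode IKE_SA con1[9] to 2.2.2.2
Oct 27 21:22:09\tcharon: 03[IKE] queueing QUICK_MODE task
Oct 27 21:22:09\tcharon: 03[IKE] <con1|9> queueing QUICK_MODE task
"""

# One charon line: timestamp, worker thread, log group, optional <conn|id> or <id>
# prefix, then the message.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)\s+charon: "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] "
    r"(?:<(?:(?P<conn>[^|>]+)\|)?(?P<id>\d+)> )?"
    r"(?P<msg>.*)$"
)
STATE_RE = re.compile(r"IKE_SA (?P<name>\S+)\[(?P<id>\d+)\] state change: \w+ => (?P<new>\w+)")
CHILD_RE = re.compile(
    r"CHILD_SA (?P<name>\S+)\{(?P<cid>\d+)\} established with SPIs "
    r"(?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o and TS (?P<local>\S+) === (?P<remote>\S+)"
)
LOCAL_INIT_RE = re.compile(r"initiating Main Mode IKE_SA \S+\[(?P<id>\d+)\] to (?P<peer>\S+)")
REMOTE_INIT_RE = re.compile(r"^(?P<peer>\S+) is initiating a Main Mode IKE_SA$")

# Rank so the "highest state reached" is independent of the log's line order.
STATE_RANK = {"CREATED": 0, "CONNECTING": 1, "ESTABLISHED": 2,
              "REKEYING": 3, "DELETING": 4, "DESTROYING": 5}


def parse_lines(text):
    """Parse charon lines and collapse the doubled copies into one record each,
    keeping the copy that carries the prefix: the bare copy cannot say which
    IKE_SA a message such as 'queueing QUICK_MODE task' belongs to."""
    records = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a charon line (or mangled by the forum)
        key = (m["ts"], m["thread"], m["group"], m["msg"])
        if key not in records or m["id"] is not None:
            records[key] = m.groupdict()
    return list(records.values())


def analyse(text):
    """Return {ike_id: summary}: config name, which side initiated, the peer,
    the highest state reached, whether a QUICK_MODE task was queued, and the
    CHILD_SAs that came up with their SPIs and traffic selectors."""
    sas = {}

    def sa(ike_id):
        return sas.setdefault(ike_id, {"name": None, "initiator": None, "peer": None,
                                        "state": None, "quick_mode_queued": False,
                                        "children": []})

    for rec in parse_lines(text):
        msg, ike_id = rec["msg"], rec["id"]
        if (m := STATE_RE.search(msg)):
            s = sa(m["id"])
            if m["name"] != "(unnamed)":
                s["name"] = m["name"]
            if s["state"] is None or STATE_RANK.get(m["new"], -1) > STATE_RANK.get(s["state"], -1):
                s["state"] = m["new"]
        elif (m := LOCAL_INIT_RE.search(msg)):
            s = sa(m["id"])
            s["initiator"], s["peer"] = "local", m["peer"]
        elif (m := REMOTE_INIT_RE.match(msg)) and ike_id:
            s = sa(ike_id)
            s["initiator"], s["peer"] = "remote", m["peer"]
        elif "queueing QUICK_MODE task" in msg and ike_id:
            sa(ike_id)["quick_mode_queued"] = True
        elif (m := CHILD_RE.search(msg)) and ike_id:
            sa(ike_id)["children"].append({"cid": m["cid"], "spi_in": m["spi_in"],
                                           "spi_out": m["spi_out"],
                                           "ts": (m["local"], m["remote"])})
    return sas


def phase1_only(sas):
    """IKE_SA ids that reached ESTABLISHED but never got a CHILD_SA: the
    symptom in the thread when traffic is initiated from the pfSense side."""
    return sorted(i for i, s in sas.items() if s["state"] == "ESTABLISHED" and not s["children"])


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for ike_id, s in sorted(result.items(), key=lambda kv: int(kv[0])):
        print(f"IKE_SA {s['name']}[{ike_id}] peer={s['peer']} initiated={s['initiator']} "
              f"state={s['state']} quick_mode_queued={s['quick_mode_queued']}")
        for c in s["children"]:
            print(f"  CHILD_SA {{{c['cid']}}} SPIs {c['spi_in']}_i/{c['spi_out']}_o "
                  f"TS {c['ts'][0]} === {c['ts'][1]}")
    print("Phase 1 only (no CHILD_SA):", phase1_only(result))
```

Run it against a saved copy of the pfSense IPsec log (Status > System Logs > IPsec) instead of `SAMPLE_LOG`; only one CHILD_SA per IKE_SA, or none at all for locally initiated IKE_SAs, is the pattern the post describes.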

                  Can you try with tomorrow's snapshots?

                    valnar

                    I don't have the time to take down my FW at the moment, but if ankaerith can confirm it works, I'll upgrade to 2.2beta to test.

                      ankaerith

                      I'll try to give it a shot in the next day or two.

                        valnar

                        Has anyone confirmed this has been fixed?

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.