Netgate Discussion Forum
    IPsec tunnel problem with 2.1.5 and 2.2rc

    2.2 Snapshot Feedback and Problems - RETIRED
      tracer

      Hi,
      I can't get my tunnels connected anymore since the build from the 7th of Jan.
      Before, it was working well with Aggressive Mode, but even switching to Main didn't help.
      I have 2 phase 2 policies.
      The other side, of course, is a pfSense 2.1.5.
      I'm using Main, AES/256, with SHA, DH Key2 with NAT-T enabled.
      Phase2: ESP, AES(auto) with SHA1, MD5, PFS key2
      Additional info: I'm dual homed, already tried to switch the tunnel to the other WAN, same result.

      Updated to build 11th of Jan.

      Errors on the 2.1.5:

      
      Jan 10 17:17:16 	racoon: ERROR: phase1 negotiation failed due to time up. 14607675c166a280:0000000000000000
      Jan 10 17:17:10 	racoon: [mchome kabel]: [9.1.176.100] INFO: request for establishing IPsec-SA was queued due to no phase1 found.
      Jan 10 17:17:07 	racoon: [mchome kabel]: [9.1.176.100] INFO: request for establishing IPsec-SA was queued due to no phase1 found.
      Jan 10 17:17:02 	racoon: INFO: delete phase 2 handler.
      Jan 10 17:17:02 	racoon: [mchome kabel]: [9.1.176.100] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 9.1.176.100[0]->6.1.47.71[0]
      
      
        tracer

        This is the log from 2.2build 11th of Jan:

        
        Jan 11 12:29:46 	charon: 15[CFG] ignoring acquire, connection attempt pending
        Jan 11 12:29:46 	charon: 16[KNL] creating acquire job for policy 9.1.188.120/32|/0 === 6.1.47.71/32|/0 with reqid {5}
        Jan 11 12:29:40 	charon: 16[NET] sending packet: from 9.1.188.120[500] to 6.1.47.71[500] (184 bytes)
        Jan 11 12:29:40 	charon: 16[ENC] generating ID_PROT response 0 [ SA V V V V V ]
        Jan 11 12:29:40 	charon: 16[IKE] 6.1.47.71 is initiating a Main Mode IKE_SA
        Jan 11 12:29:40 	charon: 16[IKE] <95> 6.1.47.71 is initiating a Main Mode IKE_SA
        Jan 11 12:29:40 	charon: 16[IKE] received DPD vendor ID
        Jan 11 12:29:40 	charon: 16[IKE] <95> received DPD vendor ID
        Jan 11 12:29:40 	charon: 16[IKE] received FRAGMENTATION vendor ID
        Jan 11 12:29:40 	charon: 16[IKE] <95> received FRAGMENTATION vendor ID
        Jan 11 12:29:40 	charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
        Jan 11 12:29:40 	charon: 16[IKE] <95> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
        Jan 11 12:29:40 	charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
        Jan 11 12:29:40 	charon: 16[IKE] <95> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
        Jan 11 12:29:40 	charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
        Jan 11 12:29:40 	charon: 16[IKE] <95> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
        Jan 11 12:29:40 	charon: 16[IKE] received NAT-T (RFC 3947) vendor ID
        Jan 11 12:29:40 	charon: 16[IKE] <95> received NAT-T (RFC 3947) vendor ID
        Jan 11 12:29:40 	charon: 16[ENC] parsed ID_PROT request 0 [ SA V V V V V V ]
        Jan 11 12:29:40 	charon: 16[NET] received packet: from 6.1.47.71[500] to 9.1.188.120[500] (212 bytes)
        
        

        This one is 9.1.188.120 and is trying to reach the .47.71.

        The IPsec status shows this:

        Any identifier 9.1.188.120
        Port: 500 Any identifier 6.1.47.71
        Port: 500 IKEv1
        responder AES_CBC:256
        HMAC_SHA1_96:0
        PRF_HMAC_SHA1
        MODP_1024

        connecting

        Connect

        inetra_LAN-DMZ Any identifier 9.1.188.120
        Port: 500 Any identifier 6.1.47.71
        Port: 500 IKEv1
        initiator

        connecting

        Any help greatly appreciated.
        Marc

          tracer

          Update:
          The tunnel is defined to use IF WAN, but when I do a packet capture with a filter on IF KABEL (on pf 2.2) I can see packets with the WAN public IP address to my remote peer with port 500 (UDP).

          Either there's something wrong with the packet capture or charon is sending the right packets out on the wrong IF.
          With 'right' I mean they do have the IP of the IF they should leave from but are showing on the wrong IF (KABEL).

            tracer

            Hmm, just found that I'm using advanced outbound NAT with these two rules
            (Hybrid Outbound NAT rule generation: Automatic Outbound NAT + rules below):

            Interface  Source           Source port  Destination  Dest. port  NAT address      NAT port  Static port
            KABELDE    192.168.24.0/24  *            *            *           KABELDE address  *         NO
            WAN        any              *            *            *           WAN address      *         NO

            Could this be my problem with charon ?

              cmb

              Your WAN NAT with source "any" is definitely a problem; that's NATing the IPsec, which you can't do.

              You'll also want to be on something newer than the 7th with IPsec and multi-WAN; there were issues there that were resolved a day or so after that.

                tracer

                Thanks for the hint.
                I updated to the evening build of the 11th, removed the "any" NAT rule and still get stuck.

                  eri--

                  You need something from late today, or wait for tomorrow's.

                    tracer

                    Now seeing:

                    Jan 12 21:07:29 	racoon: [mchome kabel]: [93.104.176.148] ERROR: couldn't find the pskey for 93.104.176.148.
                    Jan 12 21:07:29 	racoon: INFO: Adding xauth VID payload.
                    Jan 12 21:07:29 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
                    Jan 12 21:07:29 	racoon: INFO: received Vendor ID: RFC 3947
                    Jan 12 21:07:29 	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
                    Jan 12 21:07:29 	racoon: INFO: received Vendor ID: CISCO-UNITY
                    Jan 12 21:07:29 	racoon: INFO: received Vendor ID: DPD
                    Jan 12 21:07:29 	racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
                    Jan 12 21:07:29 	racoon: INFO: begin Identity Protection mode.
                    
                    
                    Jan 12 21:07:28 	racoon: ERROR: such policy already exists. anyway replace it: 192.168.24.0/24[0] 10.0.48.0/24[0] proto=any dir=in
                    Jan 12 21:07:28 	racoon: ERROR: such policy already exists. anyway replace it: 10.0.48.0/24[0] 192.168.24.0/24[0] proto=any dir=out
                    Jan 12 21:07:28 	racoon: ERROR: such policy already exists. anyway replace it: 192.168.24.0/24[0] 10.0.47.0/24[0] proto=any dir=in
                    Jan 12 21:07:28 	racoon: ERROR: such policy already exists. anyway replace it: 10.0.47.0/24[0] 192.168.24.0/24[0] proto=any dir=out
                    Jan 12 21:07:28 	racoon: INFO: unsupported PF_KEY message REGISTER
                    Jan 12 21:07:28 	racoon: INFO: unsupported PF_KEY message REGISTER
                    Jan 12 21:07:28 	racoon: INFO: unsupported PF_KEY message REGISTER
                    
                    
                      tracer

                      @Ermal:
                      I took the latest available through my autoupdater 20 mins ago.
                      Will check again for the next 2 hours… UPDATED to today's release:
                      Still getting the above errors and:

                      Jan 12 21:27:55 	racoon: INFO: delete phase 2 handler.
                      Jan 12 21:27:55 	racoon: [mchome kabel]: [9.1.180.217] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 9.1.180.217[0]->6.1.47.71[0]
                      

                      Any more ideas?

                        cmb

                        You're still getting the "ERROR: couldn't find the pskey" log from your post earlier today? Likely you have a config mismatch of some sort; maybe after changing the WANs around, things weren't set back to match appropriately.

                          tracer

                          Hi Chris,

                          Yes, that's what I see on the 2.1.5 side; on the 2.2 I see the log below.
                          I just updated to today's build.

                          
                          Jan 13 20:16:53 	charon: 16[NET] sending packet: from 9.1.180.214[500] to 6.1.47.71[500] (196 bytes)
                          Jan 13 20:16:53 	charon: 16[ENC] generating ID_PROT response 0 [ KE No ]
                          Jan 13 20:16:53 	charon: 16[ENC] parsed ID_PROT request 0 [ KE No ]
                          Jan 13 20:16:53 	charon: 16[NET] received packet: from 6.1.47.71[500] to 9.1.180.214[500] (180 bytes)
                          Jan 13 20:16:53 	charon: 16[NET] sending packet: from 9.1.180.214[500] to 6.1.47.71[500] (144 bytes)
                          Jan 13 20:16:53 	charon: 16[ENC] generating ID_PROT response 0 [ SA V V V ]
                          Jan 13 20:16:53 	charon: 16[IKE] 6.1.47.71 is initiating a Main Mode IKE_SA
                          Jan 13 20:16:53 	charon: 16[IKE] <205> 6.1.47.71 is initiating a Main Mode IKE_SA
                          Jan 13 20:16:53 	charon: 16[IKE] received DPD vendor ID
                          Jan 13 20:16:53 	charon: 16[IKE] <205> received DPD vendor ID
                          Jan 13 20:16:53 	charon: 16[IKE] received FRAGMENTATION vendor ID
                          Jan 13 20:16:53 	charon: 16[IKE] <205> received FRAGMENTATION vendor ID
                          Jan 13 20:16:53 	charon: 16[ENC] parsed ID_PROT request 0 [ SA V V ]
                          Jan 13 20:16:53 	charon: 16[NET] received packet: from 6.1.47.71[500] to 9.1.180.214[500] (132 bytes)
                          Jan 13 20:16:50 	charon: 16[CFG] ignoring acquire, connection attempt pending
                          Jan 13 20:16:50 	charon: 09[KNL] creating acquire job for policy 9.1.180.214/32|/0 === 6.1.47.71/32|/0 with reqid {21}
                          Jan 13 20:16:46 	charon: 09[JOB] deleting half open IKE_SA after timeout
                          Jan 13 20:16:45 	charon: 09[CFG] ignoring acquire, connection attempt pending
                          Jan 13 20:16:45 	charon: 16[KNL] creating acquire job for policy 9.1.180.214/32|/0 === 6.1.47.71/32|/0 with reqid {21}
                          Jan 13 20:16:43 	charon: 16[NET] sending packet: from 9.1.180.214[500] to 6.1.47.71[500] (108 bytes)
                          Jan 13 20:16:43 	charon: 16[IKE] sending retransmit 5 of request message ID 0, seq 3
                          Jan 13 20:16:43 	charon: 16[IKE] <con1000|192> sending retransmit 5 of request message ID 0, seq 3
                          Jan 13 20:16:29 	charon: 16[CFG] ignoring acquire, connection attempt pending
                          Jan 13 20:16:29 	charon: 10[KNL] creating acquire job for policy 9.1.180.214/32|/0 === 6.1.47.71/32|/0 with reqid {21}
                          Jan 13 20:16:16 	charon: 10[NET] sending packet: from 9.1.180.214[500] to 6.1.47.71[500] (196 bytes)
                          Jan 13 20:16:16 	charon: 10[ENC] generating ID_PROT response 0 [ KE No ]
                          Jan 13 20:16:16 	charon: 10[ENC] parsed ID_PROT request 0 [ KE No ]
                          Jan 13 20:16:16 	charon: 10[NET] received packet: from 6.1.47.71[500] to 9.1.180.214[500] (180 bytes)
                          Jan 13 20:16:16 	charon: 10[NET] sending packet: from 9.1.180.214[500] to 6.1.47.71[500] (144 bytes)
                          Jan 13 20:16:16 	charon: 10[ENC] generating ID_PROT response 0 [ SA V V V ]
                          Jan 13 20:16:16 	charon: 10[IKE] 6.1.47.71 is initiating a Main Mode IKE_SA
                          Jan 13 20:16:16 	charon: 10[IKE] <204> 6.1.47.71 is initiating a Main Mode IKE_SA
                          Jan 13 20:16:16 	charon: 10[IKE] received DPD vendor ID
                          Jan 13 20:16:16 	charon: 10[IKE] <204> received DPD vendor ID
                          Jan 13 20:16:16 	charon: 10[IKE] received FRAGMENTATION vendor ID
                          Jan 13 20:16:16 	charon: 10[IKE] <204> received FRAGMENTATION vendor ID
                          Jan 13 20:16:16 	charon: 10[ENC] parsed ID_PROT request 0 [ SA V V ]
                          Jan 13 20:16:16 	charon: 10[NET] received packet: from 6.1.47.71[500] to 9.1.180.214[500] (132 bytes)
                          Jan 13 20:16:15 	charon: 10[JOB] deleting half open IKE_SA after timeout
                          Jan 13 20:16:01 	charon: 10[CFG] ignoring acquire, connection attempt pending
                          Jan 13 20:16:01 	charon: 16[KNL] creating acquire job for policy 9.1.180.214/32|/0 === 6.1.47.71/32|/0 with reqid {21}
                          Jan 13 20:16:01 	charon: 16[NET] sending packet: from 9.1.180.214[500] to 6.1.47.71[500] (108 bytes)
                          Jan 13 20:16:01 	charon: 16[IKE] sending retransmit 4 of request message ID 0, seq 3
                          Jan 13 20:16:01 	charon: 16[IKE] <con1000|192> sending retransmit 4 of request message ID 0, seq 3
                          Jan 13 20:15:54 	charon: 16[CFG] ignoring acquire, connection attempt pending
                          Jan 13 20:15:54 	charon: 10[KNL] creating acquire job for policy 9.1.180.214/32|/0 === 6.1.47.71/32|/0 with reqid {21}
                          Jan 13 20:15:45 	charon: 10[NET] sending packet: from 9.1.180.214[500] to 6.1.47.71[500] (196 bytes)
                          Jan 13 20:15:45 	charon: 10[ENC] generating ID_PROT response 0 [ KE No ]
                          Jan 13 20:15:45 	charon: 10[ENC] parsed ID_PROT request 0 [ KE No ]
                          Jan 13 20:15:45 	charon: 10[NET] received packet: from 6.1.47.71[500] to 9.1.180.214[500] (180 bytes)
                          Jan 13 20:15:45 	charon: 10[NET] sending packet: from 9.1.180.214[500] to 6.1.47.71[500] (144 bytes)
                          Jan 13 20:15:45 	charon: 10[ENC] generating ID_PROT response 0 [ SA V V V ]
                          Jan 13 20:15:45 	charon: 10[IKE] 6.1.47.71 is initiating a Main Mode IKE_SA
                          Jan 13 20:15:45 	charon: 10[IKE] <203> 6.1.47.71 is initiating a Main Mode IKE_SA
                          Jan 13 20:15:45 	charon: 10[IKE] received DPD vendor ID
                          Jan 13 20:15:45 	charon: 10[IKE] <203> received DPD vendor ID
                          Jan 13 20:15:45 	charon: 10[IKE] received FRAGMENTATION vendor ID
                          Jan 13 20:15:45 	charon: 10[IKE] <203> received FRAGMENTATION vendor ID
                          Jan 13 20:15:45 	charon: 10[ENC] parsed ID_PROT request 0 [ SA V V ]
                          Jan 13 20:15:45 	charon: 10[NET] received packet: from 6.1.47.71[500] to 9.1.180.214[500] (132 bytes)
                          Jan 13 20:15:42 	charon: 10[JOB] deleting half open IKE_SA after timeout
                          Jan 13 20:15:39 	charon: 10[CFG] ignoring acquire, connection attempt pending
                          Jan 13 20:15:39 	charon: 16[KNL] creating acquire job for policy 9.1.180.214/32|/0 === 6.1.47.71/32|/0 with reqid {21}
                          Jan 13 20:15:37 	charon: 16[NET] sending packet: from 9.1.180.214[500] to 6.1.47.71[500] (108 bytes)
                          Jan 13 20:15:37 	charon: 16[IKE] sending retransmit 3 of request message ID 0, seq 3
                          Jan 13 20:15:37 	charon: 16[IKE] <con1000|192> sending retransmit 3 of request message ID 0, seq 3
                          Jan 13 20:15:33 	charon: 16[JOB] deleting half open IKE_SA after timeout
                          Jan 13 20:15:24 	charon: 12[NET] sending packet: from 9.1.180.214[500] to 6.1.47.71[500] (108 bytes)
                          Jan 13 20:15:24 	charon: 12[IKE] sending retransmit 2 of request message ID 0, seq 3
                          Jan 13 20:15:24 	charon: 12[IKE] <con1000|192> sending retransmit 2 of request message ID 0, seq 3
                          Jan 13 20:15:17 	charon: 12[CFG] ignoring acquire, connection attempt pending
                          Jan 13 20:15:17 	charon: 16[KNL] creating acquire job for policy 9.1.180.214/32|/0 === 6.1.47.71/32|/0 with reqid {21}
                          Jan 13 20:15:17 	charon: 16[NET] sending packet: from 9.1.180.214[500] to 6.1.47.71[500] (108 bytes)
                          Jan 13 20:15:17 	charon: 16[IKE] sending retransmit 1 of request message ID 0, seq 3
                          Jan 13 20:15:17 	charon: 16[IKE] <con1000|192> sending retransmit 1 of request message ID 0, seq 3
                          Jan 13 20:15:13 	charon: 12[NET] sending packet: from 9.1.180.214[500] to 6.1.47.71[500] (108 bytes)
                          Jan 13 20:15:13 	charon: 12[ENC] generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
                          Jan 13 20:15:13 	charon: 12[ENC] parsed ID_PROT response 0 [ KE No ]
                          Jan 13 20:15:13 	charon: 12[NET] received packet: from 6.1.47.71[500] to 9.1.180.214[500] (180 bytes)
                          Jan 13 20:15:13 	charon: 12[NET] sending packet: from 9.1.180.214[500] to 6.1.47.71[500] (196 bytes)
                          Jan 13 20:15:13 	charon: 12[ENC] generating ID_PROT request 0 [ KE No ]
                          Jan 13 20:15:13 	charon: 12[IKE] received FRAGMENTATION vendor ID
                          Jan 13 20:15:13 	charon: 12[IKE] <con1000|192> received FRAGMENTATION vendor ID
                          Jan 13 20:15:13 	charon: 12[IKE] received DPD vendor ID
                          Jan 13 20:15:13 	charon: 12[IKE] <con1000|192> received DPD vendor ID
                          Jan 13 20:15:13 	charon: 12[IKE] received XAuth vendor ID
                          Jan 13 20:15:13 	charon: 12[IKE] <con1000|192> received XAuth vendor ID
                          Jan 13 20:15:13 	charon: 12[ENC] parsed ID_PROT response 0 [ SA V V V ]
                          Jan 13 20:15:13 	charon: 12[NET] received packet: from 6.1.47.71[500] to 9.1.180.214[500] (144 bytes)
                          Jan 13 20:15:13 	charon: 12[NET] sending packet: from 9.1.180.214[500] to 6.1.47.71[500] (184 bytes)
                          Jan 13 20:15:13 	charon: 12[ENC] generating ID_PROT request 0 [ SA V V V V V ]
                          Jan 13 20:15:13 	charon: 12[IKE] initiating Main Mode IKE_SA con1000[192] to 6.1.47.71
                          Jan 13 20:15:13 	charon: 12[IKE] <con1000|192> initiating Main Mode IKE_SA con1000[192] to 6.1.47.71
                          Jan 13 20:15:13 	charon: 12[IKE] peer not responding, trying again (3/3)
                          Jan 13 20:15:13 	charon: 12[IKE] <con1000|192> peer not responding, trying again (3/3)
                          Jan 13 20:15:13 	charon: 12[IKE] giving up after 5 retransmits
                          Jan 13 20:15:13 	charon: 12[IKE] <con1000|192> giving up after 5 retransmits
                          Jan 13 20:15:12 	charon: 12[NET] sending packet: from 9.1.180.214[500] to 6.1.47.71[500] (196 bytes)
                          Jan 13 20:15:12 	charon: 12[ENC] generating ID_PROT response 0 [ KE No ]
                          Jan 13 20:15:12 	charon: 12[ENC] parsed ID_PROT request 0 [ KE No ]
                          Jan 13 20:15:12 	charon: 12[NET] received packet: from 6.1.47.71[500] to 9.1.180.214[500] (180 bytes)
                          Jan 13 20:15:12 	charon: 12[NET] sending packet: from 9.1.180.214[500] to 6.1.47.71[500] (144 bytes)
                          Jan 13 20:15:12 	charon: 12[ENC] generating ID_PROT response 0 [ SA V V V ]
                          Jan 13 20:15:12 	charon: 12[IKE] 6.1.47.71 is initiating a Main Mode IKE_SA
                          Jan 13 20:15:12 	charon: 12[IKE] <202> 6.1.47.71 is initiating a Main Mode IKE_SA
                          Jan 13 20:15:12 	charon: 12[IKE] received DPD vendor ID
                          Jan 13 20:15:12 	charon: 12[IKE] <202> received DPD vendor ID
                          Jan 13 20:15:12 	charon: 12[IKE] received FRAGMENTATION vendor ID
                          Jan 13 20:15:12 	charon: 12[IKE] <202> received FRAGMENTATION vendor ID
                          Jan 13 20:15:12 	charon: 12[ENC] parsed ID_PROT request 0 [ SA V V ]
                          Jan 13 20:15:12 	charon: 12[NET] received packet: from 6.1.47.71[500] to 9.1.180.214[500] (132 bytes)
                          Jan 13 20:15:08 	charon: 16[KNL] creating acquire job for policy 9.1.180.214/32|/0 === 6.1.47.71/32|/0 with reqid {22}
                          Jan 13 20:15:08 	charon: 16[JOB] deleting half open IKE_SA after timeout
                          Jan 13 20:15:03 	charon: 16[NET] sending packet: from 9.1.180.214[500] to 6.1.47.71[500] (196 bytes)
                          Jan 13 20:15:03 	charon: 16[ENC] generating ID_PROT response 0 [ KE No ]
                          Jan 13 20:15:03 	charon: 16[ENC] parsed ID_PROT request 0 [ KE No ]
                          Jan 13 20:15:03 	charon: 16[NET] received packet: from 6.1.47.71[500] to 9.1.180.214[500] (180 bytes)
                          Jan 13 20:15:03 	charon: 16[NET] sending packet: from 9.1.180.214[500] to 6.1.47.71[500] (144 bytes)
                          Jan 13 20:15:03 	charon: 16[ENC] generating ID_PROT response 0 [ SA V V V ]
                          Jan 13 20:15:03 	charon: 16[IKE] 6.1.47.71 is initiating a Main Mode IKE_SA
                          Jan 13 20:15:03 	charon: 16[IKE] <201> 6.1.47.71 is initiating a Main Mode IKE_SA
                          Jan 13 20:15:03 	charon: 16[IKE] received DPD vendor ID
                          Jan 13 20:15:03 	charon: 16[IKE] <201> received DPD vendor ID
                          Jan 13 20:15:03 	charon: 16[IKE] received FRAGMENTATION vendor ID
                          Jan 13 20:15:03 	charon: 16[IKE] <201> received FRAGMENTATION vendor ID
                          Jan 13 20:15:03 	charon: 16[ENC] parsed ID_PROT request 0 [ SA V V ]
                          Jan 13 20:15:03 	charon: 16[NET] received packet: from 6.1.47.71[500] to 9.1.180.214[500] (132 bytes)
                          Jan 13 20:15:03 	charon: 08[CFG] ignoring acquire, connection attempt pending
                          Jan 13 20:15:03 	charon: 08[KNL] creating acquire job for policy 9.1.180.214/32|/0 === 6.1.47.71/32|/0 with reqid {21}
                          Jan 13 20:14:51 	charon: 08[CFG] ignoring acquire, connection attempt pending
                          Jan 13 20:14:51 	charon: 16[KNL] creating acquire job for policy 9.1.180.214/32|/0 === 6.1.47.71/32|/0 with reqid {21}
                          Jan 13 20:14:38 	charon: 16[NET] sending packet: from 9.1.180.214[500] to 6.1.47.71[500] (196 bytes)
                          Jan 13 20:14:38 	charon: 16[ENC] generating ID_PROT response 0 [ KE No ]
                          Jan 13 20:14:38 	charon: 16[ENC] parsed ID_PROT request 0 [ KE No ]
                          Jan 13 20:14:38 	charon: 16[NET] received packet: from 6.1.47.71[500] to 9.1.180.214[500] (180 bytes)
                          Jan 13 20:14:38 	charon: 16[NET] sending packet: from 9.1.180.214[500] to 6.1.47.71[500] (144 bytes)
                          Jan 13 20:14:38 	charon: 16[ENC] generating ID_PROT response 0 [ SA V V V ]
                          Jan 13 20:14:38 	charon: 16[IKE] 6.1.47.71 is initiating a Main Mode IKE_SA
                          

                          This is a more complete excerpt from charon.
                          But I don't know which error levels need to be set in the IPsec debug section; please advise.

                          TIA
                          Marc

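A way to read the charon excerpt above by Main Mode exchange, as an added example (not code from the thread, from pfSense or from strongSwan): it groups the untagged [ENC] lines with the tagged [IKE] lines by charon worker thread and reports, per IKE_SA, which of the three Main Mode exchanges (SA, KE, ID/HASH) each side completed. The sample lines are constructed from the excerpt with the thread's own addresses; the thread-based grouping assumes one worker handles one IKE_SA at a time, and the function names are mine.

```python
import re

# Constructed sample modelled on the charon excerpt above (same peers, IKEv1 Main Mode):
# our own attempt <con1000|192> sends message 5 and is never answered, while the peer's
# attempt <202> towards us stops after the KE exchange. Newest first, as the pfSense log
# viewer lists lines (real lines carry a tab before "charon:", which LINE_RE allows).
SAMPLE_LOG = """\
Jan 13 20:16:43 charon: 16[IKE] <con1000|192> giving up after 5 retransmits
Jan 13 20:16:43 charon: 16[IKE] <con1000|192> sending retransmit 5 of request message ID 0, seq 3
Jan 13 20:15:13 charon: 12[ENC] generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Jan 13 20:15:13 charon: 12[ENC] parsed ID_PROT response 0 [ KE No ]
Jan 13 20:15:13 charon: 12[ENC] generating ID_PROT request 0 [ KE No ]
Jan 13 20:15:13 charon: 12[ENC] parsed ID_PROT response 0 [ SA V V V ]
Jan 13 20:15:13 charon: 12[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Jan 13 20:15:13 charon: 12[IKE] initiating Main Mode IKE_SA con1000[192] to 6.1.47.71
Jan 13 20:15:13 charon: 12[IKE] <con1000|192> initiating Main Mode IKE_SA con1000[192] to 6.1.47.71
Jan 13 20:15:12 charon: 12[ENC] generating ID_PROT response 0 [ KE No ]
Jan 13 20:15:12 charon: 12[ENC] parsed ID_PROT request 0 [ KE No ]
Jan 13 20:15:12 charon: 12[ENC] generating ID_PROT response 0 [ SA V V V ]
Jan 13 20:15:12 charon: 12[IKE] <202> 6.1.47.71 is initiating a Main Mode IKE_SA
Jan 13 20:15:12 charon: 12[ENC] parsed ID_PROT request 0 [ SA V V ]
"""

LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+\s+charon: (?P<thread>\d+)\[(?P<sub>[A-Z]+)\] (?P<msg>.*)$")
TAG_RE = re.compile(r"^<(?P<tag>[^>]+)> (?P<rest>.*)$")
ENC_RE = re.compile(r"^(?P<dir>generating|parsed) ID_PROT (?P<kind>request|response) \d+ \[ (?P<first>\w+)")
RETRANSMIT_RE = re.compile(r"^sending retransmit (\d+) ")
STEP = {"SA": 1, "KE": 2, "ID": 3}            # Main Mode exchange, by the first payload charon prints
STEP_NAME = {1: "SA", 2: "KE", 3: "ID/HASH"}

def new_sa(role):
    return {"role": role, "sent": set(), "received": set(), "retransmits": 0, "gave_up": False}

def analyze(text, newest_first=True):
    """Group charon lines per IKE_SA; only [IKE] lines carry the <name|id> tag, so [ENC] lines
    are attributed to the IKE_SA the same worker thread last tagged (one IKE_SA per thread)."""
    lines = text.splitlines()
    if newest_first:
        lines.reverse()                        # work in chronological order
    sas, thread_sa = {}, {}                    # tag -> record; thread -> current tag
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        thread, sub, msg = m["thread"], m["sub"], m["msg"]
        if sub == "IKE":
            t = TAG_RE.match(msg)
            if not t:                          # untagged duplicate of a tagged line
                continue
            tag, rest = t["tag"], t["rest"]
            if rest.startswith("initiating Main Mode IKE_SA"):
                sas[tag] = new_sa("initiator")  # a retry reuses the tag: fresh attempt
            elif " is initiating a Main Mode IKE_SA" in rest:
                sas[tag] = new_sa("responder")
                sas[tag]["received"].add(1)     # the IKE_SA exists only once msg 1 was parsed
            sa = sas.get(tag)
            if sa is None:                     # attempt that began before the excerpt
                continue
            thread_sa[thread] = tag
            r = RETRANSMIT_RE.match(rest)
            if r:
                sa["retransmits"] = max(sa["retransmits"], int(r[1]))
            sa["gave_up"] |= rest.startswith("giving up after")
        elif sub == "ENC":
            e = ENC_RE.match(msg)
            sa = sas.get(thread_sa.get(thread))
            if not e or sa is None or e["first"] not in STEP:
                continue
            outgoing = e["dir"] == "generating"
            # An initiator generates requests and parses responses, a responder the reverse;
            # a line in the other direction belongs to an IKE_SA this thread has not tagged yet.
            expected = "request" if outgoing == (sa["role"] == "initiator") else "response"
            if e["kind"] == expected:
                (sa["sent"] if outgoing else sa["received"]).add(STEP[e["first"]])
    return sas

def stall_point(sa):
    """Where the latest Main Mode attempt on this IKE_SA stopped (initiator sends odd messages)."""
    init = sa["role"] == "initiator"
    for step in (1, 2, 3):
        req, resp, name = 2 * step - 1, 2 * step, STEP_NAME[step]
        if step not in (sa["sent"] if init else sa["received"]):
            return f"{'never sent' if init else 'peer never sent'} {name} request (msg {req})"
        if step not in (sa["received"] if init else sa["sent"]):
            return (f"no answer to {name} request (msg {req}); waiting for msg {resp}" if init
                    else f"{name} request (msg {req}) parsed but msg {resp} not sent")
    return "phase 1 complete (all six Main Mode messages exchanged)"

if __name__ == "__main__":
    for tag, sa in analyze(SAMPLE_LOG).items():
        print(f"{tag} ({sa['role']}): {stall_point(sa)}; "
              f"retransmits={sa['retransmits']}, gave_up={sa['gave_up']}")
```

An initiator attempt that stalls after message 5 has delivered its identity and PSK-derived hash without getting an answer, which is the moment to line up against the remote side's log (here the racoon "couldn't find the pskey" error on the 2.1.5).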
                            tracer

                            Just changed my outbound NAT to

                            In the IPsec status I continuously see

                            
                            inetra_LAN-DMZ 	net.dyndns.org 	9.1.180.214
                            Port: 500 	Any identifier 	6.1.47.71
                            Port: 500 	IKEv1
                            initiator 		AES_CBC:256
                            HMAC_SHA1_96:0
                            PRF_HMAC_SHA1
                            MODP_1024 	
                            
                            connecting
                            

                            but at the same time I see another line with responder coming in…

                            And no, I checked thoroughly that the profiles match.

                            Some more questions on the settings:

                            How should they be set to ensure compatibility between 2.1.5 and 2.2?

                            Prefer older IPsec SAs 
                            Enable IPCompression
                            Accept unencrypted ID and HASH payloads in IKEv1 Main Mode

                              eri--

                              Please upgrade to the next coming snapshot and re-test.

                                tracer

                                I did:
                                2.2-RC (amd64)
                                built on Tue Jan 13 09:02:41 CST 2015

                                but still same issue.

                                  eri--

                                  This is the latest one that you should be on, actually:
                                  built on Tue Jan 13 14:58:02 CST 2015

                                  But can you be more detailed on what is not working?

                                    tracer

                                    It is still all the same errors as documented in the posts above.
                                    What else can I deliver to you?

                                    netstat -f inet -sp esp

                                    esp:
                                            0 packets shorter than header shows
                                            0 packets dropped; protocol family not supported
                                            0 packets dropped; no TDB
                                            0 packets dropped; bad KCR
                                            0 packets dropped; queue full
                                            0 packets dropped; no transform
                                            0 packets dropped; bad ilen
                                            0 replay counter wraps
                                            0 packets dropped; bad encryption detected
                                            0 packets dropped; bad authentication detected
                                            0 possible replay packets detected
                                            0 packets in
                                            0 packets out
                                            0 packets dropped; invalid TDB
                                            0 bytes in
                                            0 bytes out
                                            0 packets dropped; larger than IP_MAXPACKET
                                            0 packets blocked due to policy
                                            0 crypto processing failures
                                            0 tunnel sanity check failures
                                    
                                    
                                      tracer

                                      If there's nothing else I can do, I would switch back to 2.1.5  :(

                                        cmb

                                        We switched back to strongSwan 5.2.1 yesterday after some issues with 5.2.2 (the change to which coincides with the date of the problems you're seeing). Upgrade to the latest available now and let us know.

                                          tracer

                                          Thanks again for your hard work!
                                          Updated on:
                                          built on Thu Jan 15 12:12:32 CST 2015

                                          But still seeing half open connections deleted and no tunnels are connected.

                                            eri--

                                            Can you post your rules.debug and ipsec.conf?

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.