    PfSense 2.2.3 <–> CyberGuard SG300: Stuck to phase 1

    corradolab

      Hi everybody,

      I have a site-to-site VPN which never goes past phase 1.
      Both sides are behind NAT.
      Remote peer ID is set to the private IP (after NAT) on both pfSense and the SG300.

      Below are logs with pfSense acting as initiator.
      It seems the ID_PROT request sent from pfSense on port 4500 never gets replied to.
      Instead it gets a late reply on port 500, which looks ignored because "next request already sent".

      I have another tunnel to an SG300 working fine, but in that case the remote party is not behind NAT.

      Regards,
        Corrado

      
      PFSENSE 
      Jul 19 11:53:35 charon: 01[CFG] received stroke: initiate 'con3000' 
      Jul 19 11:53:35 charon: 11[IKE] <con3000|5>initiating Main Mode IKE_SA con3000[5] to x.x.x.x 
      Jul 19 11:53:35 charon: 11[ENC] <con3000|5>generating ID_PROT request 0 [ SA V V V V V V ] 
      Jul 19 11:53:35 charon: 11[NET] <con3000|5>sending packet: from 10.168.180.2[500] to x.x.x.x[500] (200 bytes) 
      Jul 19 11:53:35 charon: 11[NET] <con3000|5>received packet: from x.x.x.x[500] to 10.168.180.2[500] (124 bytes) 
      Jul 19 11:53:35 charon: 11[ENC] <con3000|5>parsed ID_PROT response 0 [ SA V V ] 
      Jul 19 11:53:35 charon: 11[IKE] <con3000|5>received draft-ietf-ipsec-nat-t-ike-02\n vendor ID 
      Jul 19 11:53:35 charon: 11[IKE] <con3000|5>received DPD vendor ID 
      Jul 19 11:53:35 charon: 11[ENC] <con3000|5>generating ID_PROT request 0 [ KE No NAT-D NAT-D ] 
      Jul 19 11:53:35 charon: 11[NET] <con3000|5>sending packet: from 10.168.180.2[500] to x.x.x.x[500] (308 bytes) 
      Jul 19 11:53:36 charon: 11[NET] <con3000|5>received packet: from x.x.x.x[500] to 10.168.180.2[500] (292 bytes) 
      Jul 19 11:53:36 charon: 11[ENC] <con3000|5>parsed ID_PROT response 0 [ KE No NAT-D NAT-D ] 
      Jul 19 11:53:36 charon: 11[IKE] <con3000|5>local host is behind NAT, sending keep alives 
      Jul 19 11:53:36 charon: 11[IKE] <con3000|5>remote host is behind NAT 
      Jul 19 11:53:36 charon: 11[ENC] <con3000|5>generating ID_PROT request 0 [ ID HASH ] 
      Jul 19 11:53:36 charon: 11[NET] <con3000|5>sending packet: from 10.168.180.2[4500] to x.x.x.x[4500] (76 bytes) 
      ...
      Jul 19 11:53:40 charon: 11[IKE] <con3000|5>sending retransmit 1 of request message ID 0, seq 3 
      Jul 19 11:53:40 charon: 11[NET] <con3000|5>sending packet: from 10.168.180.2[4500] to x.x.x.x[4500] (76 bytes) 
      ...
      Jul 19 11:53:46 charon: 06[NET] <con3000|5>received packet: from x.x.x.x[500] to 10.168.180.2[500] (292 bytes) 
      Jul 19 11:53:46 charon: 06[IKE] <con3000|5>received retransmit of response with ID 0, but next request already sent 
      Jul 19 11:53:47 charon: 06[IKE] <con3000|5>sending retransmit 2 of request message ID 0, seq 3 
      Jul 19 11:53:47 charon: 06[NET] <con3000|5>sending packet: from 10.168.180.2[4500] to x.x.x.x[4500] (76 bytes) 
      
      CYBERGUARD SG300
      Jul 19 11:53:38 Pluto[143]: packet from y.y.y.y:500: ignoring Vendor ID payload [XAUTH] 
      Jul 19 11:53:38 Pluto[143]: packet from y.y.y.y:500: received Vendor ID payload [Dead Peer Detection] 
      Jul 19 11:53:38 Pluto[143]: packet from y.y.y.y:500: ignoring Vendor ID payload [Cisco-Unity] 
      Jul 19 11:53:38 Pluto[143]: packet from y.y.y.y:500: ignoring Vendor ID payload [4048b7d56ebce885...] 
      Jul 19 11:53:38 Pluto[143]: packet from y.y.y.y:500: ignoring Vendor ID payload [4a131c8107035845...] 
      Jul 19 11:53:38 Pluto[143]: packet from y.y.y.y:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] 
      Jul 19 11:53:38 Pluto[143]: "Vpn1" #48: responding to Main Mode 
      Jul 19 11:53:38 Pluto[143]: "Vpn1" #48: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed 
      Jul 19 11:54:48 Pluto[143]: "Vpn1" #48: max number of retransmissions (2) reached STATE_MAIN_R2 
      ...
      Jul 19 11:55:05 Pluto[143]: "Vpn1" #46: max number of retransmissions (20) reached STATE_MAIN_I1.  No acceptable response to our first IKE message 
      Jul 19 11:55:05 Pluto[143]: "Vpn1" #46: starting keying attempt 3 of an unlimited number 
      Jul 19 11:55:05 Pluto[143]: "Vpn1" #49: initiating Main Mode to replace #46
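
As an added diagnostic (not from this thread, pfSense or strongSwan), the following parser reads charon lines in the format shown above and tracks, per IKE_SA, whether the initiator floated to UDP 4500 after NAT-D, whether anything ever came back on 4500, and whether late replies keep arriving on UDP 500. That combination is the fingerprint of UDP 4500 not being forwarded through a NAT. The sample lines are constructed to mirror the post, with a documentation address standing in for x.x.x.x.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the charon lines in the post above (not the verbatim log).
SAMPLE_LOG = """\
11[NET] <con3000|5> received packet: from 203.0.113.9[500] to 10.168.180.2[500] (124 bytes)
11[IKE] <con3000|5> local host is behind NAT, sending keep alives
11[IKE] <con3000|5> remote host is behind NAT
11[NET] <con3000|5> sending packet: from 10.168.180.2[4500] to 203.0.113.9[4500] (76 bytes)
11[IKE] <con3000|5> sending retransmit 1 of request message ID 0, seq 3
11[NET] <con3000|5> sending packet: from 10.168.180.2[4500] to 203.0.113.9[4500] (76 bytes)
06[NET] <con3000|5> received packet: from 203.0.113.9[500] to 10.168.180.2[500] (292 bytes)
06[IKE] <con3000|5> received retransmit of response with ID 0, but next request already sent
"""

SA = r"<(?P<conn>[^|>]+)\|(?P<sa>\d+)>\s*"          # "<con3000|5>" prefix, space optional
PKT = re.compile(SA + r"(?P<dir>sending|received) packet: from \S+\[(?P<sport>\d+)\] to \S+\[(?P<dport>\d+)\]")
NAT = re.compile(SA + r"(?P<who>local|remote) host is behind NAT")
RETX = re.compile(SA + r"sending retransmit (?P<n>\d+) of request")

def analyse(log):
    """Per IKE_SA, count packets sent/received on UDP 4500 after NAT-D and late replies on UDP 500."""
    sas = defaultdict(lambda: {"nat": set(), "sent4500": 0, "recv4500": 0, "late500": 0, "retx": 0})
    for line in log.splitlines():
        if m := PKT.search(line):
            st = sas[(m["conn"], m["sa"])]
            if m["dir"] == "sending" and m["sport"] == "4500":
                st["sent4500"] += 1                       # initiator floated to 4500
            elif m["dir"] == "received" and m["dport"] == "4500":
                st["recv4500"] += 1                       # peer reached us on 4500: forward works
            elif m["dir"] == "received" and m["dport"] == "500" and st["sent4500"]:
                st["late500"] += 1                        # peer still only answering on 500
        elif m := NAT.search(line):
            sas[(m["conn"], m["sa"])]["nat"].add(m["who"])
        elif m := RETX.search(line):
            st = sas[(m["conn"], m["sa"])]
            st["retx"] = max(st["retx"], int(m["n"]))
    return sas

def diagnose(log):
    """Return [(sa_key, verdict)] for SAs that floated to UDP 4500 and never heard back on it."""
    out = []
    for key, st in analyse(log).items():
        if st["sent4500"] and not st["recv4500"] and st["retx"] >= 1:
            why = "floated to UDP 4500 after NAT-D (%s behind NAT), %d retransmit(s) unanswered" % (
                "/".join(sorted(st["nat"])) or "nobody", st["retx"])
            if st["late500"]:
                why += "; peer keeps replying on UDP 500 only"
            out.append((key, "UDP 4500 not reaching peer, check NAT forward for 4500/udp: " + why))
    return out
```

A healthy tunnel shows at least one "received packet ... [4500]" line for the SA, which clears the finding.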
      
      cmb

        Looks like you're missing a forward for UDP 4500 through the NAT possibly, no indication that traffic is actually making it to the other side.

        corradolab

          On both sites I have other IPsec connections working.

          These connections have both endpoints NATed, so UDP 4500 forward is working.

          Also I've installed PfSense as replacement for a broken FortiGate, which was working too.

          Meanwhile I upgraded to 2.2.4 but the issue remains.

          corradolab

            Thanks cmb,

            you were right.
            The Cyberguard is behind a Sitecom X4 N300 router.
            This home router has an "Ipsec pass through" option which sadly does not pass UDP 4500.
            Explicitly allowing it fixed the issue.

            Regards,
              Corrado
