Help with IPSEC not connecting
-
You have a phase 1 mismatch of some sort, no way to tell what from that. Just make sure things match up on both sides.
-
It's hard to tell what it could be because there are some different settings on the newer version that aren't there on the older version. I may just have to create a new machine up at the main office with an up to date pfSense and build it out.
-
Pictures 1 and 2 are the old pfSense and 3, 4, 5 are of the new one. Any tips at this point would be appreciated.
-
The ones that matter in the context of no proposal chosen are identical between them. Interface, remote gateway, identifiers. Make them main mode, you don't want aggressive. AES would be better than 3DES (faster and more secure) though that won't matter since they match.
There should be no reason you can't upgrade the 2.0x side, that's extremely dated at this point.
-
Well, I changed what you suggested, and double checked the other settings. In the logs I'm still getting spam of delete phase 2, so I am still at a loss lol.
-
Is it possible all I need to do is delete and recreate the tunnel on the old one? I never re-created it, I just assumed it would work with the new one considering the IP and everything stayed the same.
-
The part above the "delete phase 2 handler" is what matters (that just indicates a P1 mismatch), is that still no proposal chosen?
Updating it after an IP change is fine, no need to re-create it.
-
Dec 5 08:20:09 racoon: ERROR: phase1 negotiation failed due to time up. 586c519806462d76:0000000000000000
Dec 5 08:20:01 racoon: []: [66.xx.xxx.xxx] INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Dec 5 08:19:59 racoon: []: [66.xx.xxx.xxx] ERROR: notification NO-PROPOSAL-CHOSEN received in unencrypted informational exchange.
Dec 5 08:19:50 racoon: INFO: delete phase 2 handler.
Dec 5 08:19:50 racoon: []: [66.xx.xxx.xxx] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 66.xx.xxx.xxx[0]->208.xxx.xxx.xxx[0]
Dec 5 08:19:49 racoon: []: [66.xx.xxx.xxx] ERROR: notification NO-PROPOSAL-CHOSEN received in unencrypted informational exchange.
That's what I'm still getting.
-
charon: 07[IKE] <2371> no IKE config found for 66.xx.xxx.xxx…208.xxx.xxx.xxx, sending NO_PROPOSAL_CHOSEN
I am getting that on the other firewall
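To make the diagnosis in this thread repeatable, here is an added example (not from the thread, and not pfSense's or strongSwan's own code): a small triage script that runs over racoon and charon log lines like the ones quoted above, separates the phase 1 root-cause messages (NO-PROPOSAL-CHOSEN, "no IKE config found", "phase1 negotiation failed") from the phase 2 noise that merely follows from phase 1 never coming up ("delete phase 2 handler", "waiting for phase1"), and then checks two sides' phase 1 settings against each other the way the replies suggest. The sample log lines are constructed from the masked messages in the thread, and the settings field names (`key_exchange`, `negotiation_mode`, `remote_gateway`, `local_ip`, `psk`, etc.) are hypothetical labels chosen for this example, not pfSense's configuration keys.

```python
import re

# Constructed sample, modelled on the racoon (pfSense 2.0.x) and charon
# (pfSense 2.2.x) messages quoted in the thread; addresses are masked placeholders.
SAMPLE_LOG = """\
Dec 5 08:19:49 racoon: []: [66.xx.xxx.xxx] ERROR: notification NO-PROPOSAL-CHOSEN received in unencrypted informational exchange.
Dec 5 08:19:50 racoon: []: [66.xx.xxx.xxx] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 66.xx.xxx.xxx[0]->208.xxx.xxx.xxx[0]
Dec 5 08:19:50 racoon: INFO: delete phase 2 handler.
Dec 5 08:20:01 racoon: []: [66.xx.xxx.xxx] INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Dec 5 08:20:09 racoon: ERROR: phase1 negotiation failed due to time up. 586c519806462d76:0000000000000000
charon: 07[IKE] <2371> no IKE config found for 66.xx.xxx.xxx...208.xxx.xxx.xxx, sending NO_PROPOSAL_CHOSEN
"""

# Ordered rules: (pattern, layer the symptom belongs to, what it tells the operator).
# Phase 1 rules come first so a line is attributed to the root cause, not the symptom.
RULES = [
    (re.compile(r"NO[-_]PROPOSAL[-_]CHOSEN"), "phase1",
     "peer rejected the IKE proposal: phase 1 settings do not match"),
    (re.compile(r"no IKE config found for"), "phase1",
     "responder has no phase 1 entry matching these endpoints/identifiers"),
    (re.compile(r"phase1 negotiation failed"), "phase1",
     "phase 1 never completed"),
    (re.compile(r"no phase1 found|waiting for phase1"), "phase2-blocked",
     "phase 2 cannot start until phase 1 is up (symptom, not cause)"),
    (re.compile(r"delete phase 2 handler"), "phase2-blocked",
     "phase 2 handler torn down after phase 1 failure (symptom, not cause)"),
]


def classify_line(line):
    """Return (layer, explanation) for one log line, or None if it is not a known IPsec symptom."""
    for pattern, layer, meaning in RULES:
        if pattern.search(line):
            return layer, meaning
    return None


def triage(log_text):
    """Count phase 1 root-cause messages vs phase 2 symptoms and name the layer to fix first."""
    summary = {"phase1": 0, "phase2-blocked": 0, "unclassified": 0, "details": []}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        hit = classify_line(line)
        if hit is None:
            summary["unclassified"] += 1
            continue
        layer, meaning = hit
        summary[layer] += 1
        summary["details"].append((layer, meaning))
    if summary["phase1"]:
        summary["verdict"] = "phase1-mismatch"
    elif summary["phase2-blocked"]:
        summary["verdict"] = "phase1-not-established"
    else:
        summary["verdict"] = "no-ipsec-symptoms"
    return summary


# Hypothetical field names (chosen for this example, not pfSense's keys) for the phase 1
# settings the thread says must agree. Each side's remote_gateway must equal the other
# side's local_ip. The PSK is compared but never echoed, so the report can be shared.
P1_FIELDS = ("key_exchange", "negotiation_mode", "encryption", "hash", "dh_group")


def compare_phase1(side_a, side_b):
    """Return human-readable mismatches between two sides' phase 1 settings ([] if consistent)."""
    problems = []
    for field in P1_FIELDS:
        if side_a.get(field) != side_b.get(field):
            problems.append(f"{field} differs: {side_a.get(field)!r} vs {side_b.get(field)!r}")
    if side_a.get("psk") != side_b.get("psk"):
        problems.append("psk differs (values not shown)")
    if side_a.get("remote_gateway") != side_b.get("local_ip"):
        problems.append("A's remote gateway is not B's public IP")
    if side_b.get("remote_gateway") != side_a.get("local_ip"):
        problems.append("B's remote gateway is not A's public IP")
    if "aggressive" in (side_a.get("negotiation_mode"), side_b.get("negotiation_mode")):
        problems.append("aggressive mode in use; main mode is preferred")
    return problems


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result["verdict"], "phase1:", result["phase1"], "phase2-blocked:", result["phase2-blocked"])
    for layer, meaning in result["details"]:
        print(f"  [{layer}] {meaning}")
```

Run against the quoted lines, the verdict is `phase1-mismatch`: three phase 1 messages and three phase 2 symptoms, which is the same reading the replies give (the "delete phase 2 handler" lines are a consequence, not the thing to fix). The charon line on the 2.2.x side is the most specific clue, since "no IKE config found" means the responder matched none of its phase 1 entries against the incoming endpoints and identifiers, so that is where `compare_phase1` is worth running on the two sets of screenshots.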
-
I just did this last week, but I was on the same version of pfsense at both sites. (2.2.5 RELEASE)
Why can't you upgrade your 2.0.3 side?
Did you double check your settings, making sure you're entering the proper IP's in 'Remote Gateway'? On gw1 enter the remote IP of gw2 and vice versa…
Set 'Key Exchange version' to Auto
Set 'Negotiation mode' to Main mode as cmb suggested
Is there an Auto setting for 'NAT Traversal' in the old version? In 2.2.5 there's only Auto or Force
Double check your 'Pre-Shared Key' in both firewalls, they have to match!
-
Yeah, I've double checked all of that. The client doesn't want to upgrade yet because he is afraid of it causing issues, but I think that may be the only choice.