Ipsec phase 2 not working
-
I am trying to fix this but still cannot understand how to fix phase 2. Can anyone please help? The other side told me:
but not Phase 2. Make sure your access list matches exactly the opposite of ours. Check your other P2 parameters.
Crypto Map IPv4 "VPN" 49 ipsec-isakmp
Description: Center
Peer = static ip address
Extended IP access list acl-vpn-NJB
access-list acl-vpn-NJB permit ip host 172.17.0.254 172.17.7.0 0.0.0.255
access-list acl-vpn-NJB permit ip host 172.17.0.4 172.17.7.0 0.0.0.255
access-list acl-vpn-NJB permit ip host 172.17.0.51 172.17.7.0 0.0.0.255
Current peer: same static ip address as above
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): Y
DH group: group2
Mixed-mode : Disabled
Transform sets={
vpn-aes128-sha: { esp-aes esp-sha-hmac } ,
-
What is not working?
What is in the logs?
How is the pfSense side set up?
-
IKE Phase 1
Key Negotiation Type ISAKMP
Encryption AES (128-bit)
Authentication SHA1
Key Group Diffie-Hellman
SA Life Time 86400
Mode Exchange Main
Shared Key Prefix self generated
IPSEC Phase-2
Type ESP (Encapsulating Security Payload)
Authentication SHA1
Encryption AES (128-bit)
Perfect Forward Secrecy Diffie-Hellman
SA Life 3600
SA life Kilobytes 4608000
IP Netblock/Host
192.168.1.254/32 192.168.1.0/24
192.168.1.4/32
192.168.1.4.54/32
Inbound Ports
ALL
-
Jan 31 09:35:40 charon 12[IKE] <con1000|21>activating new tasks
Jan 31 09:35:40 charon 12[IKE] <con1000|21>activating ISAKMP_DPD task
Jan 31 09:35:40 charon 12[ENC] <con1000|21>generating INFORMATIONAL_V1 request 71033770 [ HASH N(DPD) ]
Jan 31 09:35:40 charon 12[NET] <con1000|21>sending packet: from 98.xxx.xxx.xxx[500] to 64.xxx.xxx.xxx[500] (92 bytes)
Jan 31 09:35:40 charon 12[IKE] <con1000|21>activating new tasks
Jan 31 09:35:40 charon 12[IKE] <con1000|21>nothing to initiate
Jan 31 09:35:40 charon 12[NET] <con1000|21>received packet: from 64.xxx.xxx.xxx[500] to 98.xxx.xxx.xxx[500] (92 bytes)
Jan 31 09:35:40 charon 12[ENC] <con1000|21>parsed INFORMATIONAL_V1 request 422502870 [ HASH N(DPD_ACK) ]
Jan 31 09:35:40 charon 12[IKE] <con1000|21>activating new tasks
Jan 31 09:35:40 charon 12[IKE] <con1000|21>nothing to initiate
Jan 31 09:35:44 charon 06[CFG] vici client 49 connected
Jan 31 09:35:44 charon 13[CFG] vici client 49 registered for: list-sa
Jan 31 09:35:44 charon 13[CFG] vici client 49 requests: list-sas
Jan 31 09:35:44 charon 13[CFG] vici client 49 disconnected
Jan 31 09:35:49 charon 14[CFG] vici client 50 connected
Jan 31 09:35:49 charon 06[CFG] vici client 50 registered for: list-sa
Jan 31 09:35:49 charon 14[CFG] vici client 50 requests: list-sas
Jan 31 09:35:49 charon 14[CFG] vici client 50 disconnected
Jan 31 09:35:50 charon 14[IKE] <con1000|21>sending DPD request
Jan 31 09:35:50 charon 14[IKE] <con1000|21>queueing ISAKMP_DPD task
Jan 31 09:35:50 charon 14[IKE] <con1000|21>activating new tasks
Jan 31 09:35:50 charon 14[IKE] <con1000|21>activating ISAKMP_DPD task
Jan 31 09:35:50 charon 14[ENC] <con1000|21>generating INFORMATIONAL_V1 request 3516362738 [ HASH N(DPD) ]
Jan 31 09:35:50 charon 14[NET] <con1000|21>sending packet: from 98.xxx.xxx.xxx[500] to 64.xxx.xxx.xxx[500] (92 bytes)
Jan 31 09:35:50 charon 14[IKE] <con1000|21>activating new tasks
Jan 31 09:35:50 charon 14[IKE] <con1000|21>nothing to initiate
Jan 31 09:35:50 charon 14[NET] <con1000|21>received packet: from 64.xxx.xxx.xxx[500] to 98.xxx.xxx.xxx[500] (92 bytes)
Jan 31 09:35:50 charon 14[ENC] <con1000|21>parsed INFORMATIONAL_V1 request 472707021 [ HASH N(DPD_ACK) ]
Jan 31 09:35:50 charon 14[IKE] <con1000|21>activating new tasks
Jan 31 09:35:50 charon 14[IKE] <con1000|21>nothing to initiate
Jan 31 09:35:54 charon 13[CFG] vici client 51 connected
Jan 31 09:35:54 charon 13[CFG] vici client 51 registered for: list-sa
Jan 31 09:35:54 charon 05[CFG] vici client 51 requests: list-sas
Jan 31 09:35:54 charon 13[CFG] vici client 51 disconnected
Jan 31 09:35:59 charon 13[CFG] vici client 52 connected
Jan 31 09:35:59 charon 10[CFG] vici client 52 registered for: list-sa
Jan 31 09:35:59 charon 10[CFG] vici client 52 requests: list-sas
Jan 31 09:35:59 charon 10[CFG] vici client 52 disconnected
Jan 31 09:36:00 charon 10[IKE] <con1000|21>sending DPD request
Jan 31 09:36:00 charon 10[IKE] <con1000|21>queueing ISAKMP_DPD task
Jan 31 09:36:00 charon 10[IKE] <con1000|21>activating new tasks
Jan 31 09:36:00 charon 10[IKE] <con1000|21>activating ISAKMP_DPD task
Jan 31 09:36:00 charon 10[ENC] <con1000|21>generating INFORMATIONAL_V1 request 3870667372 [ HASH N(DPD) ]
Jan 31 09:36:00 charon 10[NET] <con1000|21>sending packet: from 98.xxx.xxx.xxx[500] to 64.xxx.xxx.xxx[500] (92 bytes)
Jan 31 09:36:00 charon 10[IKE] <con1000|21>activating new tasks
Jan 31 09:36:00 charon 10[IKE] <con1000|21>nothing to initiate
Jan 31 09:36:00 charon 10[NET] <con1000|21>received packet: from 64.xxx.xxx.xxx[500] to 98.xxx.xxx.xxx[500] (92 bytes)
Jan 31 09:36:00 charon 10[ENC] <con1000|21>parsed INFORMATIONAL_V1 request 483150185 [ HASH N(DPD_ACK) ]
Jan 31 09:36:00 charon 10[IKE] <con1000|21>activating new tasks
Jan 31 09:36:00 charon 10[IKE] <con1000|21>nothing to initiate
-
Phase 2 is not working.
-
Any idea what I am doing wrong that keeps phase 2 from running?
-
Nothing in those logs is helpful. They have nothing to do with establishing or failed connections.
Have you looked at this?
https://doc.pfsense.org/index.php/IPsec_Troubleshooting
Be sure IKE SA, IKE Child SA, and Configuration Backend are all set to Diag in VPN > IPsec, Advanced. Everything else can be Control.
-
Thanks for your kind reply. I read that link but still cannot figure out how to NAT in IPsec to allow access to three different IP addresses.
-
What do you mean NAT?
Based on this:
access-list acl-vpn-NJB permit ip host 172.17.0.254 172.17.7.0 0.0.0.255
access-list acl-vpn-NJB permit ip host 172.17.0.4 172.17.7.0 0.0.0.255
access-list acl-vpn-NJB permit ip host 172.17.0.51 172.17.7.0 0.0.0.255
You would make three phase 2 tunnel entries:
Local Network: Network: 172.17.7.0/24
Remote Network: Address: 172.17.0.254
Local Network: Network: 172.17.7.0/24
Remote Network: Address: 172.17.0.4
Local Network: Network: 172.17.7.0/24
Remote Network: Address: 172.17.0.51
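As an added example (not posted in the thread), a small Python check that does what the reply above describes: it derives the pfSense Phase 2 selectors that mirror the ASA crypto-map ACL and diffs them against a configured pfSense list, so a missing entry or one the ASA has no ACE for shows up before debugging logs. The ACL lines are the ones posted above; the pfSense list is constructed, with one deliberately wrong entry.

```python
import ipaddress
import re
# One Cisco 'permit ip' ACE; source and destination are each 'host A' or 'net wildcard'.
ACE_RE = re.compile(
    r"access-list\s+(\S+)\s+permit\s+ip\s+"
    r"(?:host\s+(\S+)|(\S+)\s+(\S+))\s+"   # source
    r"(?:host\s+(\S+)|(\S+)\s+(\S+))\s*$"  # destination
)

def wildcard_to_network(addr, wildcard):
    # Cisco wildcard masks are inverted netmasks: 0.0.0.255 -> /24.
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)

def parse_ace(line):
    # Return (src_net, dst_net) for one ACE, or None if the line is not a permit-ip ACE.
    m = ACE_RE.match(line.strip())
    if not m:
        return None
    _, sh, sa, sw, dh, da, dw = m.groups()
    src = ipaddress.IPv4Network(sh + "/32") if sh else wildcard_to_network(sa, sw)
    dst = ipaddress.IPv4Network(dh + "/32") if dh else wildcard_to_network(da, dw)
    return src, dst

def mirrored_phase2(acl_lines):
    # pfSense needs one Phase 2 per ACE, with local = ACE destination, remote = ACE source.
    entries = set()
    for line in acl_lines:
        parsed = parse_ace(line)
        if parsed:
            entries.add((parsed[1], parsed[0]))
    return entries

def check_phase2(acl_lines, pfsense_entries):
    # Diff configured pfSense (local, remote) pairs against the mirrored ACL: (missing, extra).
    # IKEv1 has no selector narrowing, so an entry in either list fails Phase 2 negotiation.
    want = mirrored_phase2(acl_lines)
    have = {(ipaddress.IPv4Network(l), ipaddress.IPv4Network(r)) for l, r in pfsense_entries}
    return sorted(want - have), sorted(have - want)

ASA_ACL = [  # the crypto-map ACL lines posted in the thread
    "access-list acl-vpn-NJB permit ip host 172.17.0.254 172.17.7.0 0.0.0.255",
    "access-list acl-vpn-NJB permit ip host 172.17.0.4 172.17.7.0 0.0.0.255",
    "access-list acl-vpn-NJB permit ip host 172.17.0.51 172.17.7.0 0.0.0.255",
]
PFSENSE_P2 = [  # constructed: the third entry wrongly uses a /24 instead of the single host
    ("172.17.7.0/24", "172.17.0.254/32"),
    ("172.17.7.0/24", "172.17.0.4/32"),
    ("172.17.7.0/24", "172.17.0.0/24"),
]
```

Running `check_phase2(ASA_ACL, PFSENSE_P2)` reports the 172.17.0.51 host as missing and the 172.17.0.0/24 entry as having no matching ACE.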