Netgate Discussion Forum

    IPSEC Tunnel to WIN10 behind NAT driving me crazy

    HarryS

      Hello
      I am trying to create an IPsec VPN according to this howto (https://forum.pfsense.org/index.php?topic=127457.0). Unfortunately it is not working. I have tried a lot, but I cannot connect. The client has to be behind a NAT. I tried it on two different networks (including T-Mobile LTE) but I cannot connect.

      This is the log on the pfSense.

      Mar 5 16:37:22 charon 16[JOB] <1> deleting half open IKE_SA with 80.187.96.197 after timeout
      Mar 5 16:36:52 charon 16[NET] <1> sending packet: from 78.94.x.x[500] to 80.187.96.197[500] (337 bytes)
      Mar 5 16:36:52 charon 16[ENC] <1> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
      Mar 5 16:36:52 charon 16[IKE] <1> sending cert request for "C=DE, ST=BW, L=Tuebingen, O=Bewegte Bilder Medien GmbH, E=post@bewegtebilder.de, CN=internal-ca"
      Mar 5 16:36:52 charon 16[IKE] <1> remote host is behind NAT
      Mar 5 16:36:52 charon 16[IKE] <1> 80.187.96.197 is initiating an IKE_SA
      Mar 5 16:36:52 charon 16[ENC] <1> received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
      Mar 5 16:36:52 charon 16[IKE] <1> received Vid-Initial-Contact vendor ID
      Mar 5 16:36:52 charon 16[IKE] <1> received MS-Negotiation Discovery Capable vendor ID
      Mar 5 16:36:52 charon 16[IKE] <1> received MS NT5 ISAKMPOAKLEY v9 vendor ID
      Mar 5 16:36:52 charon 16[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
      Mar 5 16:36:52 charon 16[NET] <1> received packet: from 80.187.96.197[500] to 78.94..x.x[500] (616 bytes)
      Mar 5 16:36:25 charon 16[CFG] added configuration 'con2'
      Mar 5 16:36:25 charon 16[CFG] loaded certificate "C=DE, ST=BW, L=Tuebingen, O=XXXXX, E=XXXXX, CN=XXXX" from '/var/etc/ipsec/ipsec.d/certs/cert-2.crt'
      Mar 5 16:36:25 charon 16[CFG] adding virtual IP address pool 192.168.157.10/27
      Mar 5 16:36:25 charon 16[CFG] received stroke: add connection 'con2'

      Please help.

      Best regards

      Harald

      yarick123

        Check if UDP port 4500 is open.

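        One way to read the log in the question mechanically, as an added example that is not code from the post, pfSense or strongSwan: it tracks each IKE_SA's parsed exchanges and the UDP ports seen in the charon lines and flags the pattern above (IKE_SA_INIT answered on UDP/500, peer reported behind NAT, no UDP/4500 packet ever seen, half-open IKE_SA deleted after timeout), which is exactly the case where UDP 4500 being blocked on the WAN explains the failure. The sample lines are the post's own, reordered oldest first; the regexes and the diagnosis texts are this example's assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the charon lines from the post above, oldest first (the post shows newest first).
SAMPLE_LOG = """\
Mar 5 16:36:52 charon 16[NET] <1> received packet: from 80.187.96.197[500] to 78.94.x.x[500] (616 bytes)
Mar 5 16:36:52 charon 16[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Mar 5 16:36:52 charon 16[IKE] <1> 80.187.96.197 is initiating an IKE_SA
Mar 5 16:36:52 charon 16[IKE] <1> remote host is behind NAT
Mar 5 16:36:52 charon 16[ENC] <1> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Mar 5 16:36:52 charon 16[NET] <1> sending packet: from 78.94.x.x[500] to 80.187.96.197[500] (337 bytes)
Mar 5 16:37:22 charon 16[JOB] <1> deleting half open IKE_SA with 80.187.96.197 after timeout
"""

# Assumed line shapes, matching charon's "<n>[SUBSYS] <IKE_SA id> message" format as shown in the post.
LINE_RE = re.compile(r"charon\s+\d+\[\w+\]\s+<(?P<sa>\d+)>\s+(?P<msg>.*)")
PKT_RE = re.compile(r"(?:received|sending) packet: from \S+\[(\d+)\] to \S+\[(\d+)\]")
EXCH_RE = re.compile(r"parsed (\w+) request")
PEER_RE = re.compile(r"(\S+) is initiating an IKE_SA")

def parse(log_text):
    """Collect per-IKE_SA facts: peer, NAT detection, exchanges parsed, UDP ports seen, timeout."""
    sas = defaultdict(lambda: {"peer": None, "nat": False, "exchanges": set(),
                               "ports": set(), "timeout": False})
    for line in log_text.splitlines():
        if not (m := LINE_RE.search(line)):
            continue  # CFG lines and anything without an IKE_SA id are not per-SA facts
        sa, msg = sas[m["sa"]], m["msg"]
        if (p := PKT_RE.search(msg)):
            sa["ports"].update(p.groups())      # source and destination UDP ports
        if (e := EXCH_RE.search(msg)):
            sa["exchanges"].add(e.group(1))     # IKE_SA_INIT, IKE_AUTH, ...
        if (q := PEER_RE.search(msg)):
            sa["peer"] = q.group(1)
        if "remote host is behind NAT" in msg:
            sa["nat"] = True
        if "deleting half open IKE_SA" in msg:
            sa["timeout"] = True
    return dict(sas)

def diagnose(sa):
    """Explain from the responder's log alone why an IKE_SA stayed half open."""
    if not sa["timeout"]:
        return "ok"
    if "IKE_AUTH" in sa["exchanges"]:
        return "IKE_AUTH was received; look at authentication, not connectivity"
    if sa["nat"] and "4500" not in sa["ports"]:
        return ("IKE_SA_INIT answered on UDP/500, peer is behind NAT, no UDP/4500 packet seen: "
                "check that UDP 4500 is allowed to the WAN")
    return "IKE_SA_INIT answered but IKE_AUTH never arrived"
```

Running `parse(SAMPLE_LOG)` and `diagnose()` on IKE_SA `<1>` yields the UDP/4500 finding, which is the check suggested in the reply above.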
        lst_hoe

          Double-check that you are using IKEv2 on both ends. This looks like IKEv1 with UDP port 500:
          Mar 5 16:36:52 charon 16[NET] <1> sending packet: from 78.94.x.x[500] to 80.187.96.197[500] (337 bytes)

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.