Netgate Discussion Forum

    IPsec pfSense 2.2 to SonicWall timing out straight away

    swalz:

      Hi ALL

      I had problems routing a secondary subnet on pfSense 2.1, so I decided to set up from scratch, use pfSense 2.2 and set up an IPsec tunnel to a SonicWall NSA5600.
      But it times out straight away and I can't find out from the pfSense logs what they mean.
      Scenario:
      We have 2 sites which are routed via an external service provider (private IP).
      My SonicWall has a WAN address of 192.168.20.253. The pfSense has a WAN address of 192.168.11.252.
      I copied the exact IPsec settings from the pfSense 2.1 (the tunnel on the old firewall works).
      IPSec settings:

      Phase1:
      Main Mode
      Identifiers: IP addresses
      Encryption: AES 128
      Hash: SHA1
      DH Key Group: 5

      Phase2:
      Protocol: ESP
      Encryption: AES 128
      Hash: SHA1
      PFS Key Group 5

      This is the exact same on pfSense 2.1 and on the 2.2 firewall (except for the IP addresses, as they are set up in parallel).
      The pfSense 2.2 just does not connect.
      Log files are below:

      Last 50 IPsec log entries
      Mar 20 10:51:33 charon: 12[IKE] <26> received NAT-T (RFC 3947) vendor ID
      Mar 20 10:51:33 charon: 12[IKE] received NAT-T (RFC 3947) vendor ID
      Mar 20 10:51:33 charon: 12[IKE] <26> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
      Mar 20 10:51:33 charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
      Mar 20 10:51:33 charon: 12[IKE] <26> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      Mar 20 10:51:33 charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      Mar 20 10:51:33 charon: 12[IKE] <26> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
      Mar 20 10:51:33 charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
      Mar 20 10:51:33 charon: 12[IKE] <26> 192.168.20.253 is initiating a Main Mode IKE_SA
      Mar 20 10:51:33 charon: 12[IKE] 192.168.20.253 is initiating a Main Mode IKE_SA
      Mar 20 10:51:33 charon: 12[ENC] generating ID_PROT response 0 [ SA V V V V ]
      Mar 20 10:51:33 charon: 12[NET] sending packet: from 192.168.11.252[500] to 192.168.20.253[500] (156 bytes)
      Mar 20 10:51:38 charon: 12[NET] received packet: from 192.168.20.253[500] to 192.168.11.252[500] (176 bytes)
      Mar 20 10:51:38 charon: 12[IKE] <26> received retransmit of request with ID 0, retransmitting response
      Mar 20 10:51:38 charon: 12[IKE] received retransmit of request with ID 0, retransmitting response
      Mar 20 10:51:38 charon: 12[NET] sending packet: from 192.168.11.252[500] to 192.168.20.253[500] (156 bytes)
      Mar 20 10:51:40 charon: 12[KNL] creating acquire job for policy 192.168.11.252/32|/0 === 192.168.20.253/32|/0 with reqid {1}
      Mar 20 10:51:40 charon: 14[IKE] <con1000|27>initiating Main Mode IKE_SA con1000[27] to 192.168.20.253
      Mar 20 10:51:40 charon: 14[IKE] initiating Main Mode IKE_SA con1000[27] to 192.168.20.253
      Mar 20 10:51:40 charon: 14[ENC] generating ID_PROT request 0 [ SA V V V V V V ]
      Mar 20 10:51:40 charon: 14[NET] sending packet: from 192.168.11.252[500] to 192.168.20.253[500] (200 bytes)
      Mar 20 10:51:44 charon: 14[IKE] <con1000|27>sending retransmit 1 of request message ID 0, seq 1
      Mar 20 10:51:44 charon: 14[IKE] sending retransmit 1 of request message ID 0, seq 1
      Mar 20 10:51:44 charon: 14[NET] sending packet: from 192.168.11.252[500] to 192.168.20.253[500] (200 bytes)
      Mar 20 10:51:48 charon: 14[NET] received packet: from 192.168.20.253[500] to 192.168.11.252[500] (176 bytes)
      Mar 20 10:51:48 charon: 14[IKE] <26> received retransmit of request with ID 0, retransmitting response
      Mar 20 10:51:48 charon: 14[IKE] received retransmit of request with ID 0, retransmitting response
      Mar 20 10:51:48 charon: 14[NET] sending packet: from 192.168.11.252[500] to 192.168.20.253[500] (156 bytes)
      Mar 20 10:51:51 charon: 14[IKE] <con1000|27>sending retransmit 2 of request message ID 0, seq 1
      Mar 20 10:51:51 charon: 14[IKE] sending retransmit 2 of request message ID 0, seq 1
      Mar 20 10:51:51 charon: 14[NET] sending packet: from 192.168.11.252[500] to 192.168.20.253[500] (200 bytes)
      Mar 20 10:52:03 charon: 14[JOB] deleting half open IKE_SA after timeout
      Mar 20 10:52:04 charon: 14[IKE] <con1000|27>sending retransmit 3 of request message ID 0, seq 1
      Mar 20 10:52:04 charon: 14[IKE] sending retransmit 3 of request message ID 0, seq 1
      Mar 20 10:52:04 charon: 14[NET] sending packet: from 192.168.11.252[500] to 192.168.20.253[500] (200 bytes)
      Mar 20 10:52:05 charon: 14[NET] received packet: from 192.168.20.253[500] to 192.168.11.252[500] (176 bytes)
      Mar 20 10:52:05 charon: 14[ENC] parsed ID_PROT request 0 [ SA V V V V V ]
      Mar 20 10:52:05 charon: 14[ENC] received unknown vendor ID: 5b:36:2b:c8:20:f6:00:07
      Mar 20 10:52:05 charon: 14[IKE] <28> received NAT-T (RFC 3947) vendor ID
      Mar 20 10:52:05 charon: 14[IKE] received NAT-T (RFC 3947) vendor ID
      Mar 20 10:52:05 charon: 14[IKE] <28> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
      Mar 20 10:52:05 charon: 14[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
      Mar 20 10:52:05 charon: 14[IKE] <28> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      Mar 20 10:52:05 charon: 14[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      Mar 20 10:52:05 charon: 14[IKE] <28> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
      Mar 20 10:52:05 charon: 14[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
      Mar 20 10:52:05 charon: 14[IKE] <28> 192.168.20.253 is initiating a Main Mode IKE_SA
      Mar 20 10:52:05 charon: 14[IKE] 192.168.20.253 is initiating a Main Mode IKE_SA
      Mar 20 10:52:05 charon: 14[ENC] generating ID_PROT response 0 [ SA V V V V ]
      Mar 20 10:52:05 charon: 14[NET] sending packet: from 192.168.11.252[500] to 192.168.20.253[500] (156 bytes)

      I keep on seeing "deleting half open IKE_SA after timeout"?
      I have also tried Aggressive mode (security is no issue for this tunnel), but I see the same behaviour: the tunnel just does not start.
      I also tried encryption AES 256, but it is the same there.
      Any help would be appreciated.

      Below is a screenshot of the config.

      (attachments: picture1.JPG, picture2.JPG)
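Added example, not code from the post, pfSense or strongSwan: a small Python parser for charon log lines in the format shown above. It tallies, per IKE_SA tag, which side keeps retransmitting the first Main Mode message and counts half-open timeouts, so the pattern in this log (the SonicWall retransmits its request as if it never accepted the pfSense reply, while pfSense's own con1000 initiation gets no answer and is dropped) can be read off programmatically. The sample lines are copied from the post; skipping untagged lines assumes the duplicate untagged copy of each message seen in this log.

```python
import re
from collections import defaultdict

# charon line as logged above. The <sa> tag is absent on the duplicate copy of
# each message and on [NET]/[KNL]/[JOB] lines, so it is optional here.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) charon: (?P<thread>\d+)\[(?P<sub>\w+)\] "
    r"(?:<(?P<sa>[^>]+)>\s*)?(?P<msg>.*)$"
)

# Constructed sample: a subset of the lines from the post, verbatim.
SAMPLE_LOG = """\
Mar 20 10:51:33 charon: 12[IKE] <26> 192.168.20.253 is initiating a Main Mode IKE_SA
Mar 20 10:51:33 charon: 12[IKE] 192.168.20.253 is initiating a Main Mode IKE_SA
Mar 20 10:51:38 charon: 12[IKE] <26> received retransmit of request with ID 0, retransmitting response
Mar 20 10:51:40 charon: 14[IKE] <con1000|27>initiating Main Mode IKE_SA con1000[27] to 192.168.20.253
Mar 20 10:51:44 charon: 14[IKE] <con1000|27>sending retransmit 1 of request message ID 0, seq 1
Mar 20 10:51:48 charon: 14[IKE] <26> received retransmit of request with ID 0, retransmitting response
Mar 20 10:51:51 charon: 14[IKE] <con1000|27>sending retransmit 2 of request message ID 0, seq 1
Mar 20 10:52:03 charon: 14[JOB] deleting half open IKE_SA after timeout
Mar 20 10:52:04 charon: 14[IKE] <con1000|27>sending retransmit 3 of request message ID 0, seq 1
Mar 20 10:52:05 charon: 14[IKE] <28> 192.168.20.253 is initiating a Main Mode IKE_SA
"""

def parse_line(line):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def diagnose(text):
    """Per IKE_SA: which side is retransmitting message 1; plus half-open timeouts."""
    per_sa = defaultdict(lambda: {"role": None, "our_retransmits": 0, "peer_retransmits": 0})
    timeouts = 0
    for rec in filter(None, map(parse_line, text.splitlines())):
        msg = rec["msg"]
        if rec["sub"] == "JOB" and "deleting half open IKE_SA" in msg:
            timeouts += 1          # an SA that never finished phase 1 was dropped
        elif rec["sa"] is None:
            continue               # untagged duplicate or [NET] line: nothing new
        elif "is initiating a Main Mode IKE_SA" in msg:
            per_sa[rec["sa"]]["role"] = "responder"    # peer opened this SA
        elif msg.startswith("initiating Main Mode IKE_SA"):
            per_sa[rec["sa"]]["role"] = "initiator"    # we opened this SA
        elif msg.startswith("sending retransmit"):
            per_sa[rec["sa"]]["our_retransmits"] += 1  # peer is not answering us
        elif msg.startswith("received retransmit of request"):
            per_sa[rec["sa"]]["peer_retransmits"] += 1  # peer did not accept our reply
    stuck = sorted(sa for sa, s in per_sa.items()
                   if s["our_retransmits"] or s["peer_retransmits"])
    return {"per_sa": dict(per_sa), "half_open_timeouts": timeouts, "stuck_sas": stuck}
```

Run `diagnose` over the full "Last 50 IPsec log entries" block to see that every SA is stuck in the first exchange in both directions, which points at the path between the two WAN addresses or at phase 1 parameters rather than at phase 2.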
