IPSec Site to Site from Zywall
-
I am trying to configure a site-to-site VPN tunnel from our US office to the UK (locations are actually irrelevant). At the US end we have a Zywall USG20w connected to the user's broadband modem in bridged mode.
I have created both endpoints yet I am seeing very little traffic. However, this is what I do see:
charon: 16[NET] received packet: from USAIP[500] to UKIP[500] (160 bytes)
Jun 26 14:21:18 charon: 16[ENC] parsed ID_PROT request 0 [ SA V V V V ]
Jun 26 14:21:18 charon: 16[ENC] received unknown vendor ID: f7:58:f2:26:68:75:0f:03:b0:8d:f6:eb:e1:d0:04:03
Jun 26 14:21:18 charon: 16[ENC] received unknown vendor ID: af:ca:d7:13:68:a1:f1:c9:6b:86:96:fc:77:57
Jun 26 14:21:18 charon: 16[IKE] <43> received DPD vendor ID
Jun 26 14:21:18 charon: 16[IKE] received DPD vendor ID
Jun 26 14:21:18 charon: 16[ENC] received unknown vendor ID: af:ca:d7:13:68:a1:f1:c9:6b:86:96:fc:77:57
Jun 26 14:21:18 charon: 16[IKE] <43> USAIP is initiating a Main Mode IKE_SA
Jun 26 14:21:18 charon: 16[IKE] USAIP is initiating a Main Mode IKE_SA
Jun 26 14:21:18 charon: 16[ENC] generating ID_PROT response 0 [ SA V V V ]
Jun 26 14:21:18 charon: 16[NET] sending packet: from UK-IP[500] to USA-IP[500] (136 bytes)
Jun 26 14:21:18 charon: 16[NET] received packet: from USA-IP[500] to UK-IP[500] (180 bytes)
Jun 26 14:21:18 charon: 16[ENC] parsed ID_PROT request 0 [ KE No ]
Jun 26 14:21:18 charon: 16[ENC] generating ID_PROT response 0 [ KE No ]
Jun 26 14:21:18 charon: 16[NET] sending packet: from UK-IP[500] to USA-IP[500] (196 bytes)
Jun 26 14:21:18 charon: 16[NET] received packet: from USA-IP[500] to UK-IP[500] (92 bytes)
Jun 26 14:21:18 charon: 16[ENC] parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Jun 26 14:21:18 charon: 16[CFG] looking for pre-shared key peer configs matching UK-IP…USA-IP[10.0.0.15]
Jun 26 14:21:18 charon: 16[CFG] selected peer config "con6000"
Jun 26 14:21:18 charon: 16[IKE] <con6000|43>IKE_SA con6000[43] established between UK-IP[UK-IP]…USA-IP[10.0.0.15]
Jun 26 14:21:18 charon: 16[IKE] IKE_SA con6000[43] established between UK-IP[UK-IP]…USA-IP[10.0.0.15]
Jun 26 14:21:18 charon: 16[IKE] <con6000|43>scheduling reauthentication in 85677s
Jun 26 14:21:18 charon: 16[IKE] scheduling reauthentication in 85677s
Jun 26 14:21:18 charon: 16[IKE] <con6000|43>maximum IKE_SA lifetime 86217s
Jun 26 14:21:18 charon: 16[IKE] maximum IKE_SA lifetime 86217s
Jun 26 14:21:18 charon: 16[ENC] generating ID_PROT response 0 [ ID HASH ]
Jun 26 14:21:18 charon: 16[NET] sending packet: from UK-IP[500] to USA-IP[500] (68 bytes)
Jun 26 14:21:18 charon: 16[IKE] <con6000|42>destroying duplicate IKE_SA for peer '10.0.0.15', received INITIAL_CONTACT
Jun 26 14:21:18 charon: 16[IKE] destroying duplicate IKE_SA for peer '10.0.0.15', received INITIAL_CONTACT
Jun 26 14:21:19 charon: 13[NET] received packet: from USA-IP[500] to UK-IP[500] (292 bytes)
Jun 26 14:21:19 charon: 13[ENC] parsed QUICK_MODE request 1394978436 [ HASH SA No KE ID ID ]
Jun 26 14:21:19 charon: 13[IKE] <con6000|43>no matching CHILD_SA config found
Jun 26 14:21:19 charon: 13[IKE] no matching CHILD_SA config found
Jun 26 14:21:19 charon: 13[ENC] generating INFORMATIONAL_V1 request 386260058 [ HASH N(INVAL_ID) ]
Jun 26 14:21:19 charon: 13[NET] sending packet: from UK-IP[500] to USA-IP[500] (76 bytes)
Jun 26 14:21:33 charon: 13[IKE] <con4000|3>sending DPD request
Jun 26 14:21:33 charon: 13[IKE] sending DPD request
Jun 26 14:21:33 charon: 13[ENC] generating INFORMATIONAL_V1 request 2699687542 [ HASH N(DPD) ]
Jun 26 14:21:33 charon: 13[ENC] parsed INFORMATIONAL_V1 request 2282481677 [ HASH N(DPD_ACK) ]
Dean
pfSense Version 2.2.1
-
See your P1 settings: My identifier, Peer identifier.
-
Thanks, I checked the Peer IP and corrected it, and now the tunnel connects at both ends.
However, I cannot connect to any resource on the remote (USA) end and have lost my remote session to the remote end as well :(
Looking at Status > IPSec I can see that the tunnel is still established but viewing the Child SA entries I see stats of Bytes in: 0, Packets In: 0, Bytes out: 17904 and Packets out: 138:498 so something is happening one way but not both ways.
Any ideas?
Dean
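The two symptoms in this thread (Phase 1 up but "no matching CHILD_SA config found" / INVAL_ID in the charon log, then a Child SA with bytes out but zero bytes in) are easy to spot by hand once you know what to look for, but a small triage script makes the checks repeatable. The following is an added example, not code from the thread or from pfSense/strongSwan; the sample log lines are a constructed subset of the charon output quoted above (with the same redacted "UK-IP"/"USA-IP" placeholders), and the counter values are the ones from the follow-up post.

```python
import re

# Constructed sample: a subset of the charon lines quoted in the first post of this
# thread. Addresses stay redacted as "UK-IP"/"USA-IP", exactly as the poster wrote them.
SAMPLE_LOG = """\
Jun 26 14:21:18 charon: 16[IKE] USA-IP is initiating a Main Mode IKE_SA
Jun 26 14:21:18 charon: 16[CFG] looking for pre-shared key peer configs matching UK-IP...USA-IP[10.0.0.15]
Jun 26 14:21:18 charon: 16[CFG] selected peer config "con6000"
Jun 26 14:21:18 charon: 16[IKE] IKE_SA con6000[43] established between UK-IP[UK-IP]...USA-IP[10.0.0.15]
Jun 26 14:21:19 charon: 13[ENC] parsed QUICK_MODE request 1394978436 [ HASH SA No KE ID ID ]
Jun 26 14:21:19 charon: 13[IKE] no matching CHILD_SA config found
Jun 26 14:21:19 charon: 13[ENC] generating INFORMATIONAL_V1 request 386260058 [ HASH N(INVAL_ID) ]
"""

# One charon syslog line: "<Mon DD HH:MM:SS> charon: <thread>[<group>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) charon: "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$"
)


def parse_charon(text):
    """Parse charon log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def triage_ikev1(events):
    """Classify how far an IKEv1 (Main Mode + Quick Mode) negotiation got."""
    msgs = [e["msg"] for e in events]
    result = {
        "peer_config": None,
        "peer_id": None,
        "phase1_established": False,
        "phase2_requested": False,
        "phase2_mismatch": False,
        "finding": "",
    }
    for m in msgs:
        cfg = re.search(r'selected peer config "([^"]+)"', m)
        if cfg:
            result["peer_config"] = cfg.group(1)
        # strongSwan prints "..." between the two endpoints; the thread shows it as "…"
        est = re.search(r"IKE_SA \S+ established between \S+?(?:\.\.\.|…)(\S+)", m)
        if est:
            result["phase1_established"] = True
            # The remote identity is the bracketed part, e.g. USA-IP[10.0.0.15] -> 10.0.0.15
            ident = re.search(r"\[([^\]]+)\]$", est.group(1))
            result["peer_id"] = ident.group(1) if ident else est.group(1)
        if "parsed QUICK_MODE request" in m:
            result["phase2_requested"] = True
        if "no matching CHILD_SA config found" in m or "N(INVAL_ID)" in m:
            result["phase2_mismatch"] = True

    if not result["phase1_established"]:
        result["finding"] = ("phase1: no IKE_SA established; compare the P1 My/Peer "
                             "identifier, PSK and proposal on both ends")
    elif result["phase2_mismatch"]:
        result["finding"] = ("phase2: IKE_SA up, but the peer's Quick Mode IDs matched no "
                             "P2 entry (INVAL_ID sent); compare the local/remote networks "
                             "of the P2 entries on pfSense and the Zywall")
    elif result["phase2_requested"]:
        result["finding"] = "phase2: Quick Mode request seen and no mismatch logged"
    else:
        result["finding"] = "phase1 up; no Quick Mode request seen yet"
    return result


def triage_child_sa_counters(bytes_in, packets_in, bytes_out, packets_out):
    """Interpret the Status > IPsec Child SA counters once the tunnel is established."""
    if bytes_out > 0 and bytes_in == 0 and packets_in == 0:
        return ("one-way: packets are encapsulated and sent but nothing comes back; "
                "check the remote VPN/firewall policy, the remote host firewall, and the "
                "remote side's route back into the local network")
    if bytes_out == 0 and bytes_in == 0:
        return "idle: nothing enters the tunnel; check local firewall rules and routes"
    if bytes_in > 0 and bytes_out == 0:
        return "one-way inbound: replies are blocked or misrouted on the local side"
    return "bidirectional: traffic flows both ways"


if __name__ == "__main__":
    verdict = triage_ikev1(parse_charon(SAMPLE_LOG))
    print(verdict["finding"])
    # Counters from the follow-up post: 0 bytes/packets in, 17904 bytes out, 138 packets out.
    print(triage_child_sa_counters(0, 0, 17904, 138))
```

Run against the lines in the first post it reports a Phase 2 mismatch even though the IKE_SA is established, which is the point the replies make: a correct Phase 1 identifier gets you an IKE_SA, but Quick Mode only succeeds when the local/remote networks in the P2 entries agree on both ends. Fed the Child SA counters from the follow-up post, it flags one-way traffic, which is the "sending but not receiving" pattern the last reply attributes to filtering or routing on the remote side.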
-
Check your P2 entries
Have you checked your P2 entries in pfSense and the Zywall?
Stefano
-
You're sending traffic out, but the other side isn't replying. Likely the other side is blocking your requests, either on the Zywall, or on the destination host (host firewall).