Avaya VPN to Virtual PFSense using IPSec Mobile
-
I have been trying to set up the connection between an Avaya VPN handset (9641) and my PFSense.
I can see the connection getting through to the PFSense but the connection does not establish and I cannot see any reason from the logs why it does not work. I do not see any traffic blocked on the PFSense on the external Firewall.
The settings between the phone and the PFSense match.
IP addresses have been changed in the log entries but this is what I am seeing in the log file:
Sep 11 08:11:41 pfsense charon: 08[CFG] rereading secrets
Sep 11 08:11:41 pfsense charon: 08[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
Sep 11 08:11:41 pfsense charon: 08[CFG] loaded IKE secret for %any
Sep 11 08:11:41 pfsense charon: 08[CFG] rereading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Sep 11 08:11:41 pfsense charon: 08[CFG] rereading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Sep 11 08:11:41 pfsense charon: 08[CFG] rereading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Sep 11 08:11:41 pfsense charon: 08[CFG] rereading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Sep 11 08:11:41 pfsense charon: 08[CFG] rereading crls from '/usr/local/etc/ipsec.d/crls'
Sep 11 08:11:41 pfsense charon: 08[CFG] received stroke: unroute 'bypasslan'
Sep 11 08:11:41 pfsense charon: 08[CFG] proposing traffic selectors for us:
Sep 11 08:11:41 pfsense charon: 08[CFG] 10.10.10.0/24|/0
Sep 11 08:11:41 pfsense charon: 08[CFG] proposing traffic selectors for other:
Sep 11 08:11:41 pfsense charon: 08[CFG] 10.10.10.0/24|/0
Sep 11 08:11:41 pfsense ipsec_starter[54047]: shunt policy 'bypasslan' uninstalled
Sep 11 08:11:41 pfsense ipsec_starter[54047]:
Sep 11 08:11:41 pfsense charon: 15[CFG] received stroke: delete connection 'bypasslan'
Sep 11 08:11:41 pfsense charon: 15[CFG] deleted connection 'bypasslan'
Sep 11 08:11:41 pfsense charon: 08[CFG] received stroke: delete connection 'con1'
Sep 11 08:11:41 pfsense charon: 08[CFG] deleted connection 'con1'
Sep 11 08:11:41 pfsense charon: 15[CFG] received stroke: add connection 'bypasslan'
Sep 11 08:11:41 pfsense charon: 15[CFG] conn bypasslan
Sep 11 08:11:41 pfsense charon: 15[CFG] left=%any
Sep 11 08:11:41 pfsense charon: 15[CFG] leftsubnet=10.10.10.0/24
Sep 11 08:11:41 pfsense charon: 15[CFG] right=%any
Sep 11 08:11:41 pfsense charon: 15[CFG] rightsubnet=10.10.10.0/24
Sep 11 08:11:41 pfsense charon: 15[CFG] dpddelay=30
Sep 11 08:11:41 pfsense charon: 15[CFG] dpdtimeout=150
Sep 11 08:11:41 pfsense charon: 15[CFG] sha256_96=no
Sep 11 08:11:41 pfsense charon: 15[CFG] mediation=no
Sep 11 08:11:41 pfsense charon: 15[CFG] added configuration 'bypasslan'
Sep 11 08:11:41 pfsense charon: 16[CFG] received stroke: route 'bypasslan'
Sep 11 08:11:41 pfsense charon: 16[CFG] proposing traffic selectors for us:
Sep 11 08:11:41 pfsense charon: 16[CFG] 10.10.10.0/24|/0
Sep 11 08:11:41 pfsense charon: 16[CFG] proposing traffic selectors for other:
Sep 11 08:11:41 pfsense charon: 16[CFG] 10.10.10.0/24|/0
Sep 11 08:11:41 pfsense ipsec_starter[54047]: 'bypasslan' shunt PASS policy installed
Sep 11 08:11:41 pfsense ipsec_starter[54047]:
Sep 11 08:11:41 pfsense charon: 08[CFG] received stroke: add connection 'con1'
Sep 11 08:11:41 pfsense charon: 08[CFG] conn con1
Sep 11 08:11:41 pfsense charon: 08[CFG] left=50.50.50.50
Sep 11 08:11:41 pfsense charon: 08[CFG] leftsubnet=0.0.0.0/0
Sep 11 08:11:41 pfsense charon: 08[CFG] leftauth=psk
Sep 11 08:11:41 pfsense charon: 08[CFG] leftid=50.50.50.50
Sep 11 08:11:41 pfsense charon: 08[CFG] right=%any
Sep 11 08:11:41 pfsense charon: 08[CFG] rightsourceip=192.168.192.0/24
Sep 11 08:11:41 pfsense charon: 08[CFG] rightauth=psk
Sep 11 08:11:41 pfsense charon: 08[CFG] rightauth2=xauth-generic
Sep 11 08:11:41 pfsense charon: 08[CFG] ike=aes256-sha1-modp1024!
Sep 11 08:11:41 pfsense charon: 08[CFG] esp=aes256-sha1,aes192-sha1,aes128-sha1!
Sep 11 08:11:41 pfsense charon: 08[CFG] dpddelay=30
Sep 11 08:11:41 pfsense charon: 08[CFG] dpdtimeout=180
Sep 11 08:11:41 pfsense charon: 08[CFG] dpdaction=1
Sep 11 08:11:41 pfsense charon: 08[CFG] sha256_96=no
Sep 11 08:11:41 pfsense charon: 08[CFG] mediation=no
Sep 11 08:11:41 pfsense charon: 08[CFG] keyexchange=ikev1
Sep 11 08:11:41 pfsense charon: 08[CFG] reusing virtual IP address pool 192.168.192.0/24
Sep 11 08:11:41 pfsense charon: 08[CFG] added configuration 'con1'
Sep 11 08:12:00 pfsense charon: 08[MGR] checkout IKEv1 SA by message with SPIs de55f916cc41f772_i 0000000000000000_r
Sep 11 08:12:00 pfsense charon: 08[MGR] created IKE_SA (unnamed)[1197]
Sep 11 08:12:00 pfsense charon: 08[NET] received packet: from 60.60.60.60[2070] to 50.50.50.50[500] (372 bytes)
Sep 11 08:12:00 pfsense charon: 08[NET] <1197> received packet: from 60.60.60.60[2070] to 50.50.50.50[500] (372 bytes)
Sep 11 08:12:00 pfsense charon: 08[ENC] <1197> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
Sep 11 08:12:00 pfsense charon: 08[CFG] <1197> looking for an ike config for 50.50.50.50...60.60.60.60
Sep 11 08:12:00 pfsense charon: 08[CFG] <1197> candidate: %any...%any, prio 24
Sep 11 08:12:00 pfsense charon: 08[CFG] <1197> candidate: 50.50.50.50...%any, prio 1052
Sep 11 08:12:00 pfsense charon: 08[CFG] <1197> found matching ike config: 50.50.50.50...%any with prio 1052
Sep 11 08:12:00 pfsense charon: 08[IKE] <1197> received NAT-T (RFC 3947) vendor ID
Sep 11 08:12:00 pfsense charon: 08[IKE] <1197> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Sep 11 08:12:00 pfsense charon: 08[IKE] <1197> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Sep 11 08:12:00 pfsense charon: 08[ENC] <1197> received unknown vendor ID: 44:85:15:2d:18:b6:bb:cc:0b:e8:a8:46:95:79:dd:cc
Sep 11 08:12:00 pfsense charon: 08[IKE] <1197> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Sep 11 08:12:00 pfsense charon: 08[IKE] <1197> received XAuth vendor ID
Sep 11 08:12:00 pfsense charon: 08[IKE] <1197> 60.60.60.60 is initiating a Aggressive Mode IKE_SA
Sep 11 08:12:00 pfsense charon: 08[IKE] <1197> IKE_SA (unnamed)[1197] state change: CREATED => CONNECTING
Sep 11 08:12:00 pfsense charon: 08[CFG] <1197> selecting proposal:
Sep 11 08:12:00 pfsense charon: 08[CFG] <1197> proposal matches
Sep 11 08:12:00 pfsense charon: 08[CFG] <1197> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Sep 11 08:12:00 pfsense charon: 08[CFG] <1197> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Sep 11 08:12:00 pfsense charon: 08[CFG] <1197> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Sep 11 08:12:00 pfsense charon: 08[LIB] size of DH secret exponent: 1023 bits
Sep 11 08:12:00 pfsense charon: 08[LIB] <1197> size of DH secret exponent: 1023 bits
Sep 11 08:12:00 pfsense charon: 08[CFG] <1197> looking for XAuthInitPSK peer configs matching 50.50.50.50...60.60.60.60[86.80.78.80]
Sep 11 08:12:00 pfsense charon: 08[CFG] <1197> candidate "bypasslan", match: 1/1/24 (me/other/ike)
Sep 11 08:12:00 pfsense charon: 08[CFG] <1197> candidate "con1", match: 1/1/1052 (me/other/ike)
Sep 11 08:12:00 pfsense charon: 08[CFG] <1197> selected peer config "con1"
Sep 11 08:12:00 pfsense charon: 08[IKE] <con1|1197> sending XAuth vendor ID
Sep 11 08:12:00 pfsense charon: 08[IKE] <con1|1197> sending DPD vendor ID
Sep 11 08:12:00 pfsense charon: 08[IKE] <con1|1197> sending NAT-T (RFC 3947) vendor ID
Sep 11 08:12:00 pfsense charon: 08[IKE] <con1|1197> shared Diffie Hellman secret => 128 bytes @ 0x80d40f900
Sep 11 08:12:00 pfsense charon: 08[IKE] <con1|1197> SKEYID => 20 bytes @ 0x80d83ff60
Sep 11 08:12:00 pfsense charon: 08[IKE] <con1|1197> SKEYID_d => 20 bytes @ 0x80d840000
Sep 11 08:12:00 pfsense charon: 08[IKE] <con1|1197> SKEYID_a => 20 bytes @ 0x80d83ff00
Sep 11 08:12:00 pfsense charon: 08[IKE] <con1|1197> SKEYID_e => 20 bytes @ 0x80d83fe20
Sep 11 08:12:00 pfsense charon: 08[IKE] <con1|1197> encryption key Ka => 32 bytes @ 0x80d83bdb0
Sep 11 08:12:00 pfsense charon: 08[IKE] <con1|1197> initial IV => 16 bytes @ 0x80d83fe20
Sep 11 08:12:00 pfsense charon: 08[IKE] <con1|1197> HASH_R data => 336 bytes @ 0x80d0f2c80
Sep 11 08:12:00 pfsense charon: 08[IKE] <con1|1197> HASH_R => 20 bytes @ 0x80d840040
Sep 11 08:12:00 pfsense charon: 08[IKE] <con1|1197> natd_chunk => 22 bytes @ 0x7fffdf1f6c90
Sep 11 08:12:00 pfsense charon: 08[IKE] <con1|1197> natd_hash => 20 bytes @ 0x80d840040
Sep 11 08:12:00 pfsense charon: 08[ENC] <con1|1197> generating AGGRESSIVE response 0 [ SA KE No ID V V V NAT-D NAT-D HASH ]
Sep 11 08:12:00 pfsense charon: 08[NET] sending packet: from 50.50.50.50[500] to 60.60.60.60[2070] (392 bytes)
Sep 11 08:12:00 pfsense charon: 08[NET] <con1|1197> sending packet: from 50.50.50.50[500] to 60.60.60.60[2070] (392 bytes)
Sep 11 08:12:00 pfsense charon: 08[MGR] <con1|1197> checkin IKE_SA con1[1197]
Sep 11 08:12:00 pfsense charon: 08[MGR] <con1|1197> checkin of IKE_SA successful
Sep 11 08:12:01 pfsense charon: 08[MGR] checkout IKEv1 SA by message with SPIs de55f916cc41f772_i 0000000000000000_r
Sep 11 08:12:01 pfsense charon: 08[MGR] IKE_SA con1[1197] successfully checked out
Sep 11 08:12:01 pfsense charon: 08[NET] received packet: from 60.60.60.60[2070] to 50.50.50.50[500] (372 bytes)
Sep 11 08:12:01 pfsense charon: 08[NET] <con1|1197> received packet: from 60.60.60.60[2070] to 50.50.50.50[500] (372 bytes)
Sep 11 08:12:01 pfsense charon: 08[IKE] <con1|1197> received retransmit of request with ID 0, retransmitting response
Sep 11 08:12:01 pfsense charon: 08[NET] sending packet: from 50.50.50.50[500] to 60.60.60.60[2070] (392 bytes)
Sep 11 08:12:01 pfsense charon: 08[NET] <con1|1197> sending packet: from 50.50.50.50[500] to 60.60.60.60[2070] (392 bytes)
Sep 11 08:12:01 pfsense charon: 08[MGR] <con1|1197> checkin IKE_SA con1[1197]
Sep 11 08:12:01 pfsense charon: 08[MGR] <con1|1197> checkin of IKE_SA successful
Sep 11 08:12:03 pfsense charon: 08[MGR] checkout IKEv1 SA by message with SPIs de55f916cc41f772_i 0000000000000000_r
Sep 11 08:12:03 pfsense charon: 08[MGR] IKE_SA con1[1197] successfully checked out
Sep 11 08:12:03 pfsense charon: 08[NET] received packet: from 60.60.60.60[2070] to 50.50.50.50[500] (372 bytes)
Sep 11 08:12:03 pfsense charon: 08[NET] <con1|1197> received packet: from 60.60.60.60[2070] to 50.50.50.50[500] (372 bytes)
Sep 11 08:12:03 pfsense charon: 08[IKE] <con1|1197> received retransmit of request with ID 0, retransmitting response
Sep 11 08:12:03 pfsense charon: 08[NET] sending packet: from 50.50.50.50[500] to 60.60.60.60[2070] (392 bytes)
Sep 11 08:12:03 pfsense charon: 08[NET] <con1|1197> sending packet: from 50.50.50.50[500] to 60.60.60.60[2070] (392 bytes)
Sep 11 08:12:03 pfsense charon: 08[MGR] <con1|1197> checkin IKE_SA con1[1197]
Sep 11 08:12:03 pfsense charon: 08[MGR] <con1|1197> checkin of IKE_SA successful
Sep 11 08:12:04 pfsense charon: 08[MGR] checkout IKEv1 SA with SPIs de55f916cc41f772_i f155b80eed45cf6c_r
Sep 11 08:12:04 pfsense charon: 08[MGR] IKE_SA con1[1197] successfully checked out
Sep 11 08:12:04 pfsense charon: 08[IKE] <con1|1197> sending retransmit 1 of response message ID 0, seq 1
Sep 11 08:12:04 pfsense charon: 08[NET] sending packet: from 50.50.50.50[500] to 60.60.60.60[2070] (392 bytes)
Sep 11 08:12:04 pfsense charon: 08[NET] <con1|1197> sending packet: from 50.50.50.50[500] to 60.60.60.60[2070] (392 bytes)
Sep 11 08:12:04 pfsense charon: 08[MGR] <con1|1197> checkin IKE_SA con1[1197]
Sep 11 08:12:04 pfsense charon: 08[MGR] <con1|1197> checkin of IKE_SA successful
Sep 11 08:12:05 pfsense charon: 08[MGR] checkout IKEv1 SA by message with SPIs de55f916cc41f772_i 0000000000000000_r
Sep 11 08:12:05 pfsense charon: 08[MGR] IKE_SA con1[1197] successfully checked out
Sep 11 08:12:05 pfsense charon: 08[NET] received packet: from 60.60.60.60[2070] to 50.50.50.50[500] (372 bytes)
Sep 11 08:12:05 pfsense charon: 08[NET] <con1|1197> received packet: from 60.60.60.60[2070] to 50.50.50.50[500] (372 bytes)
Sep 11 08:12:05 pfsense charon: 08[IKE] <con1|1197> received retransmit of request with ID 0, retransmitting response
Sep 11 08:12:05 pfsense charon: 08[NET] sending packet: from 50.50.50.50[500] to 60.60.60.60[2070] (392 bytes)
Sep 11 08:12:05 pfsense charon: 08[NET] <con1|1197> sending packet: from 50.50.50.50[500] to 60.60.60.60[2070] (392 bytes)
Sep 11 08:12:05 pfsense charon: 08[MGR] <con1|1197> checkin IKE_SA con1[1197]
Sep 11 08:12:05 pfsense charon: 08[MGR] <con1|1197> checkin of IKE_SA successful
Sep 11 08:12:07 pfsense charon: 08[MGR] checkout IKEv1 SA by message with SPIs de55f916cc41f772_i 0000000000000000_r
Sep 11 08:12:07 pfsense charon: 08[MGR] IKE_SA con1[1197] successfully checked out
Sep 11 08:12:07 pfsense charon: 08[NET] received packet: from 60.60.60.60[2070] to 50.50.50.50[500] (372 bytes)
Sep 11 08:12:07 pfsense charon: 08[NET] <con1|1197> received packet: from 60.60.60.60[2070] to 50.50.50.50[500] (372 bytes)
Sep 11 08:12:07 pfsense charon: 08[IKE] <con1|1197> received retransmit of request with ID 0, retransmitting response
Sep 11 08:12:07 pfsense charon: 08[NET] sending packet: from 50.50.50.50[500] to 60.60.60.60[2070] (392 bytes)
Sep 11 08:12:07 pfsense charon: 08[NET] <con1|1197> sending packet: from 50.50.50.50[500] to 60.60.60.60[2070] (392 bytes)
Sep 11 08:12:07 pfsense charon: 08[MGR] <con1|1197> checkin IKE_SA con1[1197]
Sep 11 08:12:07 pfsense charon: 08[MGR] <con1|1197> checkin of IKE_SA successful
Sep 11 08:12:11 pfsense charon: 08[MGR] checkout IKEv1 SA with SPIs de55f916cc41f772_i f155b80eed45cf6c_r
Sep 11 08:12:11 pfsense charon: 08[MGR] IKE_SA con1[1197] successfully checked out
Sep 11 08:12:11 pfsense charon: 08[IKE] <con1|1197> sending retransmit 2 of response message ID 0, seq 1
Sep 11 08:12:11 pfsense charon: 08[NET] sending packet: from 50.50.50.50[500] to 60.60.60.60[2070] (392 bytes)
Sep 11 08:12:11 pfsense charon: 08[NET] <con1|1197> sending packet: from 50.50.50.50[500] to 60.60.60.60[2070] (392 bytes)
Sep 11 08:12:11 pfsense charon: 08[MGR] <con1|1197> checkin IKE_SA con1[1197]
Sep 11 08:12:11 pfsense charon: 08[MGR] <con1|1197> checkin of IKE_SA successful
Sep 11 08:12:24 pfsense charon: 08[MGR] checkout IKEv1 SA with SPIs de55f916cc41f772_i f155b80eed45cf6c_r
Sep 11 08:12:24 pfsense charon: 08[MGR] IKE_SA con1[1197] successfully checked out
Sep 11 08:12:24 pfsense charon: 08[IKE] <con1|1197> sending retransmit 3 of response message ID 0, seq 1
Sep 11 08:12:24 pfsense charon: 08[NET] sending packet: from 50.50.50.50[500] to 60.60.60.60[2070] (392 bytes)
Sep 11 08:12:24 pfsense charon: 08[NET] <con1|1197> sending packet: from 50.50.50.50[500] to 60.60.60.60[2070] (392 bytes)
Sep 11 08:12:24 pfsense charon: 08[MGR] <con1|1197> checkin IKE_SA con1[1197]
Sep 11 08:12:24 pfsense charon: 08[MGR] <con1|1197> checkin of IKE_SA successful
Sep 11 08:12:30 pfsense charon: 08[MGR] checkout IKEv1 SA with SPIs de55f916cc41f772_i f155b80eed45cf6c_r
Sep 11 08:12:30 pfsense charon: 08[MGR] IKE_SA con1[1197] successfully checked out
Sep 11 08:12:30 pfsense charon: 08[JOB] <con1|1197> deleting half open IKE_SA with 60.60.60.60 after timeout
Sep 11 08:12:30 pfsense charon: 08[MGR] <con1|1197> checkin and destroy IKE_SA con1[1197]
Sep 11 08:12:30 pfsense charon: 08[IKE] <con1|1197> IKE_SA con1[1197] state change: CONNECTING => DESTROYING
Sep 11 08:12:30 pfsense charon: 08[MGR] checkin and destroy of IKE_SA successful
-
Have you tried it in Main mode, not in Aggressive?
What is pfSense version? Please show Avaya VPN config and log.
And pfSense's /usr/local/etc/ipsec.conf
-
@viktor_g thank you
Main mode is not an option on the Avaya VPN handset.
pfSense version: 2.4.3-RELEASE (amd64)
Avaya 9640 does not have any logs to show
Its config is:
VPN Phone Settings
VPN VENDOR - OTHER
Gateway address - 0.0.0.0 (set by DHCP)
External Phone IP Address 0.0.0.0 (set by DHCP)
External Subnet - 0.0.0.0 (set by DHCP)
External DNS - 0.0.0.0 (set by DHCP)
Encapsulation - 4500-4500 (default, unchanged)
Copy TOS - No (unchanged)
Auth Type - PSK with XAUTH
VPN User TYPE - any
VPN User -testuser (test user set-up)
VPN PW - *
IKE ID (Group Name) - none
Pre-Shared Key (PSK) - *
IKE Phase 1
IKE ID Type - IPV4 ADDRESS
IKE Xchg Mode - Aggressive
IKE DH GROUP - 2
IKE Encryption Alg - AES-256
IKE Auth Alg - SHA-1
IKE Config Mode - Enabled.
IKE Phase 2
IPSEC PFS DH Group - No PFS
IPSEC Encryption Alg - AES-256
IPSec Auth Alg - SHA-1
Protected Network - 0.0.0.0/0
/usr/local/etc/ipsec.conf
# This file is automatically generated. Do not edit
config setup
    uniqueids = yes

conn bypasslan
    leftsubnet = 10.10.10.0/24
    rightsubnet = 10.10.10.0/24
    authby = never
    type = passthrough
    auto = route

conn con1
    fragmentation = yes
    keyexchange = ikev1
    reauth = yes
    forceencaps = yes
    mobike = no
    rekey = no
    installpolicy = yes
    type = tunnel
    dpdaction = clear
    dpddelay = 30s
    dpdtimeout = 180s
    auto = add
    left = 50.50.50.50
    right = %any
    leftid = 50.50.50.50
    ikelifetime = 28800s
    lifetime = 28800s
    rightsourceip = 192.168.192.0/24
    ike = aes256-sha1-modp1024!
    esp = aes256-sha1,aes192-sha1,aes128-sha1!
    leftauth = psk
    rightauth = psk
    rightauth2 = xauth-generic
    aggressive = yes
    leftsubnet = 0.0.0.0/0
-
Update
After doing some Wireshark traces I concluded the traffic was not getting back to the phone. I was able to identify a routing issue that was causing the problem and resolve it.
I have now been able to connect the Avaya VPN handset through the IPSec tunnel to my phone system.
So just in case anyone else tries to set this up, the following settings in the Avaya handset work:
VPN VENDOR - OTHER
Gateway address - 0.0.0.0 (set by DHCP)
External Phone IP Address 0.0.0.0 (set by DHCP)
External Subnet - 0.0.0.0 (set by DHCP)
External DNS - 0.0.0.0 (set by DHCP)
Encapsulation - 4500-4500
Copy TOS - No
Auth Type - PSK with XAUTH
VPN User TYPE - any
VPN User -vpnuser
VPN PW - *
IKE ID (Group Name) - none
Pre-Shared Key (PSK) - *
IKE Phase 1
IKE ID Type - IPV4 ADDRESS
IKE Xchg Mode - Aggressive
IKE DH GROUP - 2
IKE Encryption Alg - AES-256
IKE Auth Alg - SHA-1
IKE Config Mode - Enabled.
IKE Phase 2
IPSEC PFS DH Group - No PFS
IPSEC Encryption Alg - AES-256
IPSec Auth Alg - SHA-1
Protected Network - 0.0.0.0/0
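
The failure in the first post has a recognisable signature in the charon log: the phone keeps retransmitting request ID 0, pfSense keeps retransmitting its response, and the half-open IKE_SA is deleted on timeout, which fits the update's finding that replies were not getting back to the phone. The sketch below is an added example, not part of the thread: it flags that pattern per IKE_SA. The function names, verdict labels and the SA 1198 sample line are constructed for illustration.

```python
import re
from collections import defaultdict

# Excerpt of the charon log from the first post (addresses as posted there),
# plus one constructed line for a second SA (1198) that completes.
SAMPLE_LOG = """\
Sep 11 08:12:00 pfsense charon: 08[ENC] <1197> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
Sep 11 08:12:00 pfsense charon: 08[ENC] <con1|1197> generating AGGRESSIVE response 0 [ SA KE No ID V V V NAT-D NAT-D HASH ]
Sep 11 08:12:00 pfsense charon: 08[NET] sending packet: from 50.50.50.50[500] to 60.60.60.60[2070] (392 bytes)
Sep 11 08:12:01 pfsense charon: 08[IKE] <con1|1197> received retransmit of request with ID 0, retransmitting response
Sep 11 08:12:03 pfsense charon: 08[IKE] <con1|1197> received retransmit of request with ID 0, retransmitting response
Sep 11 08:12:04 pfsense charon: 08[IKE] <con1|1197> sending retransmit 1 of response message ID 0, seq 1
Sep 11 08:12:30 pfsense charon: 08[JOB] <con1|1197> deleting half open IKE_SA with 60.60.60.60 after timeout
Sep 11 08:13:02 pfsense charon: 08[IKE] <con1|1198> IKE_SA con1[1198] established between 50.50.50.50[50.50.50.50]...60.60.60.60[86.80.78.80]
"""

# charon prefixes per-SA lines with <id> or <conn|id>; unprefixed lines are skipped.
LINE = re.compile(r"charon: \d+\[[A-Z]+\] <(?:[^|>]+\|)?(?P<sa>\d+)> (?P<msg>.*)$")
HALF_OPEN = re.compile(r"deleting half open IKE_SA with (\S+) after timeout")


def summarize(log_text):
    """Return {sa_id: counters} for every IKE_SA seen in the log text."""
    sas = defaultdict(lambda: {"peer": None, "peer_retx": 0, "our_retx": 0,
                               "timed_out": False, "established": False})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        sa, msg = sas[int(m["sa"])], m["msg"]
        if "received retransmit of request" in msg:
            sa["peer_retx"] += 1          # peer is still asking the same question
        elif msg.startswith("sending retransmit"):
            sa["our_retx"] += 1           # we got no follow-up and resent our answer
        elif " established between " in msg:
            sa["established"] = True
        else:
            t = HALF_OPEN.search(msg)
            if t:
                sa["timed_out"], sa["peer"] = True, t.group(1)
    return dict(sas)


def verdict(sa):
    """Classify one SA from the responder's point of view."""
    if sa["established"]:
        return "established"
    if sa["timed_out"] and sa["peer_retx"] > 0:
        # The peer kept retransmitting, so it never accepted our response:
        # either the reply never arrived (return route, NAT, filtering) or the
        # peer dropped it silently. A capture on the peer side tells which.
        return "response-not-accepted"
    if sa["timed_out"]:
        return "peer-silent"
    return "incomplete"


if __name__ == "__main__":
    for sa_id, sa in sorted(summarize(SAMPLE_LOG).items()):
        print(sa_id, sa["peer"], verdict(sa),
              f"peer_retx={sa['peer_retx']} our_retx={sa['our_retx']}")
```
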