Netgate Discussion Forum

    IPsec VPN tunnel to a Fritzbox after update to 2.4.4-p1

      kuschi

      Here is the log file from the other side: Fritzbox. Sorry part of it is in German.

      17.12.18 23:59:02 VPN-Verbindung zu VPN MCKUSCH [(IP pfsense)] IKE SA: DH14/AES-256/SHA1 IPsec SA: ESP-AES-256/SHA1/LT-3600 wurde erfolgreich hergestellt.
      17.12.18 23:58:50 VPN-Verbindung zu VPN MCKUSCH wurde getrennt. Ursache: 12 SA loss
      17.12.18 23:01:46 VPN-Verbindung zu VPN MCKUSCH [(IP pfsense)] IKE SA: DH14/AES-256/SHA1 IPsec SA: ESP-AES-256/SHA1/LT-3600 wurde erfolgreich hergestellt.
      17.12.18 23:01:44 VPN-Verbindung zu VPN MCKUSCH wurde getrennt. Ursache: 9 Dead Peer Detection
      17.12.18 22:46:40 VPN-Verbindung zu VPN MCKUSCH [(IP pfsense)] IKE SA: DH14/AES-256/SHA1 IPsec SA: ESP-AES-256/SHA1/LT-3600 wurde erfolgreich hergestellt.
      17.12.18 22:46:39 VPN-Verbindung zu VPN MCKUSCH wurde getrennt. Ursache: 9 Dead Peer Detection

        Derelict LAYER 8 Netgate

        @kuschi said in IPsec VPN tunnel to a Fritzbox after update to 2.4.4-p1:

        17.12.18 23:59:02 VPN-Verbindung zu VPN MCKUSCH [(IP pfsense)] IKE SA: DH14/AES-256/SHA1 IPsec SA: ESP-AES-256/SHA1/LT-3600 wurde erfolgreich hergestellt.
        17.12.18 23:58:50 VPN-Verbindung zu VPN MCKUSCH wurde getrennt. Ursache: 12 SA loss
        17.12.18 23:01:46 VPN-Verbindung zu VPN MCKUSCH [(IP pfsense)] IKE SA: DH14/AES-256/SHA1 IPsec SA: ESP-AES-256/SHA1/LT-3600 wurde erfolgreich hergestellt.
        17.12.18 23:01:44 VPN-Verbindung zu VPN MCKUSCH wurde getrennt. Ursache: 9 Dead Peer Detection
        17.12.18 22:46:40 VPN-Verbindung zu VPN MCKUSCH [(IP pfsense)] IKE SA: DH14/AES-256/SHA1 IPsec SA: ESP-AES-256/SHA1/LT-3600 wurde erfolgreich hergestellt.
        17.12.18 22:46:39 VPN-Verbindung zu VPN MCKUSCH wurde getrennt. Ursache: 9 Dead Peer Detection

        17.12.18 23:59:02 VPN connection to VPN MCKUSCH [(IP pfsense)] IKE SA: DH14 / AES-256 / SHA1 IPsec SA: ESP-AES-256 / SHA1 / LT-3600 was successfully established.
        17.12.18 23:58:50 VPN connection to VPN MCKUSCH has been disconnected. Cause: 12 SA loss
        17.12.18 23:01:46 VPN connection to VPN MCKUSCH [(IP pfsense)] IKE SA: DH14 / AES-256 / SHA1 IPsec SA: ESP-AES-256 / SHA1 / LT-3600 was successfully established.
        17.12.18 23:01:44 VPN connection to VPN MCKUSCH has been disconnected. Cause: 9 dead peer detection
        17.12.18 22:46:40 VPN connection to VPN MCKUSCH [(IP pfsense)] IKE SA: DH14 / AES-256 / SHA1 IPsec SA: ESP-AES-256 / SHA1 / LT-3600 was successfully established.
        17.12.18 22:46:39 VPN connection to VPN MCKUSCH has been disconnected. Cause: 9 dead peer detection

        Doesn't tell us much.

        Need the logs from there saying why it is ignoring these:

        Dec 17 23:36:47 charon: 09[NET] <con1000|593> sending packet: from 192.12.13.1[500] to 82.110.36.24[500] (176 bytes)
        Dec 17 23:36:47 charon: 09[IKE] <con1000|593> sending retransmit 5 of request message ID 0, seq 1
        Dec 17 23:36:05 charon: 10[NET] <con1000|593> sending packet: from 192.12.13.1[500] to 82.110.36.24[500] (176 bytes)
        Dec 17 23:36:05 charon: 10[IKE] <con1000|593> sending retransmit 4 of request message ID 0, seq 1
        Dec 17 23:35:42 charon: 10[NET] <con1000|593> sending packet: from 192.12.13.1[500] to 82.110.36.24[500] (176 bytes)
        Dec 17 23:35:42 charon: 10[IKE] <con1000|593> sending retransmit 3 of request message ID 0, seq 1

          kuschi @Derelict

          @derelict If someone could tell me where I will find more detailed logs from the Fritzbox...

            kuschi

            I had some time to dig into the Fritzbox and found some additional log files:

            BEGIN SECTION vpn VPN

            VPN avmike

            -rw-r--r-- 1 root root 16551 Dec 27 07:32 /var/tmp/ike.log
            -rw-r--r-- 1 root root 20579 Dec 27 06:22 /var/tmp/ike.old
            2018-12-27 05:28:24 avmike:wolke_neighbour_renew_sa 1 SAs
            2018-12-27 05:28:25 avmike:>>> identity protection mode [(IP pfsense)] VPN MCKUSCH: V1.0 220 IC c7b118c56587c471 RC 00000000 0000 SA flags=
            2018-12-27 05:28:25 avmike:<<< identity protection mode[(IP pfsense)] VPN MCKUSCH: V1.0 116 IC c7b118c56587c471 RC d66c8871d64ba1bd 0000 SA flags=
            2018-12-27 05:28:25 avmike:identity protection mode VPN MCKUSCH: selected lifetime: 3600 sec(no notify)
            2018-12-27 05:28:25 avmike:VPN MCKUSCH receive VENDOR ID Payload: XAUTH
            2018-12-27 05:28:25 avmike:VPN MCKUSCH receive VENDOR ID Payload: DPD
            2018-12-27 05:28:25 avmike:>>> identity protection mode [(IP pfsense)] VPN MCKUSCH: V1.0 308 IC c7b118c56587c471 RC d66c8871d64ba1bd 0000 KEY flags=
            2018-12-27 05:28:25 avmike:< create_sa(appl=dsld,cname=VPN MCKUSCH)
            2018-12-27 05:28:25 avmike:VPN MCKUSCH: Phase 2 waiting
            2018-12-27 05:28:25 avmike:<<< identity protection mode[(IP pfsense)] VPN MCKUSCH: V1.0 324 IC c7b118c56587c471 RC d66c8871d64ba1bd 0000 KEY flags=
            2018-12-27 05:28:25 avmike:VPN MCKUSCH: add phase 1 SA: DH14/AES-256/SHA1/3600sec id:187
            2018-12-27 05:28:25 avmike:>>> identity protection mode [(IP pfsense)] VPN MCKUSCH: V1.0 92 IC c7b118c56587c471 RC d66c8871d64ba1bd 0000 IDENTIFICATION flags=e
            2018-12-27 05:28:25 avmike:<<< identity protection mode[(IP pfsense)] VPN MCKUSCH: V1.0 76 IC c7b118c56587c471 RC d66c8871d64ba1bd 0000 IDENTIFICATION flags=e
            2018-12-27 05:28:25 avmike:VPN MCKUSCH: Phase 1 ready
            2018-12-27 05:28:25 avmike:VPN MCKUSCH: current=(IP pfsense) new=(IP pfsense)
            2018-12-27 05:28:25 avmike:VPN MCKUSCH: start waiting connections
            2018-12-27 05:28:25 avmike:VPN MCKUSCH: Phase 2 starting (start waiting)
            2018-12-27 05:28:26 avmike:>>> quickmode [(IP pfsense)] VPN MCKUSCH: V1.0 508 IC c7b118c56587c471 RC d66c8871d64ba1bd b79b46b HASH flags=e
            2018-12-27 05:28:26 avmike:<<< quickmode[(IP pfsense)] VPN MCKUSCH: V1.0 444 IC c7b118c56587c471 RC d66c8871d64ba1bd b79b46b HASH flags=e
            2018-12-27 05:28:26 avmike:>>> quickmode [(IP pfsense)] VPN MCKUSCH: V1.0 60 IC c7b118c56587c471 RC d66c8871d64ba1bd b79b46b HASH flags=e
            2018-12-27 05:28:26 avmike:VPN MCKUSCH: Phase 2 ready
            2018-12-27 05:28:26 avmike:NEW Phase 2 SA: ESP-AES-256/SHA1 SPI: 4750E80D LT: 3600 I/O: IN
            2018-12-27 05:28:26 avmike:NEW Phase 2 SA: ESP-AES-256/SHA1 SPI: C8CD6F95 LT: 3600 I/O: OUT
            2018-12-27 05:28:26 avmike:< cb_sa_created(name=VPN MCKUSCH,id=186,...,flags=0x00002101)
            2018-12-27 05:28:26 avmike:VPN MCKUSCH: start waiting connections
            2018-12-27 05:28:26 avmike:VPN MCKUSCH: NO waiting connections
            2018-12-27 05:28:36 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC c7b118c56587c471 RC d66c8871d64ba1bd 1520852e HASH flags=e
            2018-12-27 05:28:36 avmike:>r> infomode [(IP pfsense)] VPN MCKUSCH: V1.0 92 IC c7b118c56587c471 RC d66c8871d64ba1bd 1520852e HASH flags=e
            2018-12-27 05:28:46 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC c7b118c56587c471 RC d66c8871d64ba1bd d8578e17 HASH flags=e
            2018-12-27 05:28:56 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC c7b118c56587c471 RC d66c8871d64ba1bd 2310d460 HASH flags=e
            2018-12-27 05:29:06 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC c7b118c56587c471 RC d66c8871d64ba1bd 1ca9e35a HASH flags=e
            2018-12-27 05:29:16 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC c7b118c56587c471 RC d66c8871d64ba1bd 1fcb9fb2 HASH flags=e
            2018-12-27 05:29:26 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC c7b118c56587c471 RC d66c8871d64ba1bd 4a845476 HASH flags=e
            2018-12-27 05:34:24 avmike:VPN MCKUSCH: del phase 1 SA 186
            2018-12-27 05:34:25 avmike:< delete_sa(appl=dsld,cname=VPN MCKUSCH,id=185,what=7,reason=Lifetime expired)
            2018-12-27 05:34:25 avmike:FreeIPsecSA: spi=FB204F02 protocol=3 iotype=1
            2018-12-27 05:34:25 avmike:FreeIPsecSA: spi=C9852197 protocol=3 iotype=2
            2018-12-27 06:22:25 avmike:wolke_neighbour_renew_sa 1 SAs
            2018-12-27 06:22:25 avmike:>>> identity protection mode [(IP pfsense)] VPN MCKUSCH: V1.0 220 IC 6872414bef8f5559 RC 00000000 0000 SA flags=
            2018-12-27 06:22:25 avmike:<<< identity protection mode[(IP pfsense)] VPN MCKUSCH: V1.0 116 IC 6872414bef8f5559 RC 6511773149bee334 0000 SA flags=
            2018-12-27 06:22:25 avmike:identity protection mode VPN MCKUSCH: selected lifetime: 3600 sec(no notify)
            2018-12-27 06:22:25 avmike:VPN MCKUSCH receive VENDOR ID Payload: XAUTH
            2018-12-27 06:22:25 avmike:VPN MCKUSCH receive VENDOR ID Payload: DPD
            2018-12-27 06:22:26 avmike:>>> identity protection mode [(IP pfsense)] VPN MCKUSCH: V1.0 308 IC 6872414bef8f5559 RC 6511773149bee334 0000 KEY flags=
            2018-12-27 06:22:26 avmike:<<< identity protection mode[(IP pfsense)] VPN MCKUSCH: V1.0 324 IC 6872414bef8f5559 RC 6511773149bee334 0000 KEY flags=
            2018-12-27 06:22:26 avmike:VPN MCKUSCH: add phase 1 SA: DH14/AES-256/SHA1/3600sec id:188
            2018-12-27 06:22:26 avmike:>>> identity protection mode [(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 6872414bef8f5559 RC 6511773149bee334 0000 IDENTIFICATION flags=e
            2018-12-27 06:22:26 avmike:< create_sa(appl=dsld,cname=VPN MCKUSCH)
            2018-12-27 06:22:26 avmike:VPN MCKUSCH: Phase 2 waiting
            2018-12-27 06:22:26 avmike:<<< identity protection mode[(IP pfsense)] VPN MCKUSCH: V1.0 76 IC 6872414bef8f5559 RC 6511773149bee334 0000 IDENTIFICATION flags=e
            2018-12-27 06:22:26 avmike:VPN MCKUSCH: Phase 1 ready
            2018-12-27 06:22:26 avmike:VPN MCKUSCH: current=(IP pfsense) new=(IP pfsense)
            2018-12-27 06:22:26 avmike:VPN MCKUSCH: start waiting connections
            2018-12-27 06:22:26 avmike:VPN MCKUSCH: Phase 2 starting (start waiting)
            2018-12-27 06:22:26 avmike:>>> quickmode [(IP pfsense)] VPN MCKUSCH: V1.0 508 IC 6872414bef8f5559 RC 6511773149bee334 9a91fdf1 HASH flags=e
            2018-12-27 06:22:26 avmike:<<< quickmode[(IP pfsense)] VPN MCKUSCH: V1.0 444 IC 6872414bef8f5559 RC 6511773149bee334 9a91fdf1 HASH flags=e
            2018-12-27 06:22:27 avmike:>>> quickmode [(IP pfsense)] VPN MCKUSCH: V1.0 60 IC 6872414bef8f5559 RC 6511773149bee334 9a91fdf1 HASH flags=e
            2018-12-27 06:22:27 avmike:VPN MCKUSCH: Phase 2 ready
            2018-12-27 06:22:27 avmike:NEW Phase 2 SA: ESP-AES-256/SHA1 SPI: 86D44AE1 LT: 3600 I/O: IN
            2018-12-27 06:22:27 avmike:NEW Phase 2 SA: ESP-AES-256/SHA1 SPI: C2365320 LT: 3600 I/O: OUT
            2018-12-27 06:22:27 avmike:< cb_sa_created(name=VPN MCKUSCH,id=187,...,flags=0x00002101)
            2018-12-27 06:22:27 avmike:VPN MCKUSCH: start waiting connections
            2018-12-27 06:22:27 avmike:VPN MCKUSCH: NO waiting connections
            2018-12-27 06:22:37 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 6872414bef8f5559 RC 6511773149bee334 a8fa1dd1 HASH flags=e
            2018-12-27 06:22:37 avmike:>r> infomode [(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 6872414bef8f5559 RC 6511773149bee334 a8fa1dd1 HASH flags=e
            2018-12-27 06:22:47 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 6872414bef8f5559 RC 6511773149bee334 2b5f8cc7 HASH flags=e
            2018-12-27 06:22:57 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 6872414bef8f5559 RC 6511773149bee334 2549e835 HASH flags=e
            2018-12-27 06:23:07 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 6872414bef8f5559 RC 6511773149bee334 751f7fab HASH flags=e
            2018-12-27 06:23:17 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 6872414bef8f5559 RC 6511773149bee334 2c07e412 HASH flags=e
            2018-12-27 06:23:27 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 6872414bef8f5559 RC 6511773149bee334 279a5e57 HASH flags=e
            2018-12-27 06:28:25 avmike:VPN MCKUSCH: del phase 1 SA 187
            2018-12-27 06:28:26 avmike:< delete_sa(appl=dsld,cname=VPN MCKUSCH,id=186,what=7,reason=Lifetime expired)
            2018-12-27 06:28:26 avmike:FreeIPsecSA: spi=4750E80D protocol=3 iotype=1
            2018-12-27 06:28:26 avmike:FreeIPsecSA: spi=C8CD6F95 protocol=3 iotype=2
            2018-12-27 06:55:18 avmike:>r> infomode [(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 6872414bef8f5559 RC 6511773149bee334 2c1e5ef7 HASH flags=e
            2018-12-27 07:16:26 avmike:wolke_neighbour_renew_sa 1 SAs
            2018-12-27 07:16:26 avmike:>>> identity protection mode [(IP pfsense)] VPN MCKUSCH: V1.0 220 IC 928c71fe2ff76662 RC 00000000 0000 SA flags=
            2018-12-27 07:16:26 avmike:<<< identity protection mode[(IP pfsense)] VPN MCKUSCH: V1.0 116 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 0000 SA flags=
            2018-12-27 07:16:26 avmike:identity protection mode VPN MCKUSCH: selected lifetime: 3600 sec(no notify)
            2018-12-27 07:16:26 avmike:VPN MCKUSCH receive VENDOR ID Payload: XAUTH
            2018-12-27 07:16:26 avmike:VPN MCKUSCH receive VENDOR ID Payload: DPD
            2018-12-27 07:16:26 avmike:>>> identity protection mode [(IP pfsense)] VPN MCKUSCH: V1.0 308 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 0000 KEY flags=
            2018-12-27 07:16:27 avmike:< create_sa(appl=dsld,cname=VPN MCKUSCH)
            2018-12-27 07:16:27 avmike:VPN MCKUSCH: Phase 2 waiting
            2018-12-27 07:16:28 avmike:>r> identity protection mode [(IP pfsense)] VPN MCKUSCH: V1.0 308 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 0000 KEY flags=
            2018-12-27 07:16:28 avmike:<<< identity protection mode[(IP pfsense)] VPN MCKUSCH: V1.0 324 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 0000 KEY flags=
            2018-12-27 07:16:29 avmike:VPN MCKUSCH: add phase 1 SA: DH14/AES-256/SHA1/3600sec id:189
            2018-12-27 07:16:29 avmike:>>> identity protection mode [(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 0000 IDENTIFICATION flags=e
            2018-12-27 07:16:29 avmike:<<< identity protection mode[(IP pfsense)] VPN MCKUSCH: V1.0 76 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 0000 IDENTIFICATION flags=e
            2018-12-27 07:16:29 avmike:VPN MCKUSCH: Phase 1 ready
            2018-12-27 07:16:29 avmike:VPN MCKUSCH: current=(IP pfsense) new=(IP pfsense)
            2018-12-27 07:16:29 avmike:VPN MCKUSCH: start waiting connections
            2018-12-27 07:16:29 avmike:VPN MCKUSCH: Phase 2 starting (start waiting)
            2018-12-27 07:16:29 avmike:>>> quickmode [(IP pfsense)] VPN MCKUSCH: V1.0 508 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 2bf7fa9 HASH flags=e
            2018-12-27 07:16:29 avmike:<<< quickmode[(IP pfsense)] VPN MCKUSCH: V1.0 444 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 2bf7fa9 HASH flags=e
            2018-12-27 07:16:29 avmike:>>> quickmode [(IP pfsense)] VPN MCKUSCH: V1.0 60 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 2bf7fa9 HASH flags=e
            2018-12-27 07:16:29 avmike:VPN MCKUSCH: Phase 2 ready
            2018-12-27 07:16:29 avmike:NEW Phase 2 SA: ESP-AES-256/SHA1 SPI: CBD62308 LT: 3600 I/O: IN
            2018-12-27 07:16:29 avmike:NEW Phase 2 SA: ESP-AES-256/SHA1 SPI: C05403E4 LT: 3600 I/O: OUT
            2018-12-27 07:16:29 avmike:< cb_sa_created(name=VPN MCKUSCH,id=188,...,flags=0x00002101)
            2018-12-27 07:16:29 avmike:VPN MCKUSCH: start waiting connections
            2018-12-27 07:16:29 avmike:VPN MCKUSCH: NO waiting connections
            2018-12-27 07:16:40 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 2b4fccd5 HASH flags=e
            2018-12-27 07:16:40 avmike:>r> infomode [(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 2b4fccd5 HASH flags=e
            2018-12-27 07:16:50 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 f64d9069 HASH flags=e
            2018-12-27 07:17:00 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 9a87db77 HASH flags=e
            2018-12-27 07:17:10 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 69880609 HASH flags=e
            2018-12-27 07:17:20 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 51824bd9 HASH flags=e
            2018-12-27 07:17:30 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 bf9c6d0f HASH flags=e
            2018-12-27 07:17:48 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 7a749f0 HASH flags=e
            2018-12-27 07:17:58 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 65e2e2ed HASH flags=e
            2018-12-27 07:18:08 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 bf211ecc HASH flags=e
            2018-12-27 07:18:18 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 96681b4f HASH flags=e
            2018-12-27 07:18:28 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 f62169fb HASH flags=e
            2018-12-27 07:22:26 avmike:VPN MCKUSCH: del phase 1 SA 188
            2018-12-27 07:22:27 avmike:< delete_sa(appl=dsld,cname=VPN MCKUSCH,id=187,what=7,reason=Lifetime expired)
            2018-12-27 07:22:27 avmike:FreeIPsecSA: spi=86D44AE1 protocol=3 iotype=1
            2018-12-27 07:22:27 avmike:FreeIPsecSA: spi=C2365320 protocol=3 iotype=2
            2018-12-27 07:22:50 avmike:< cb_sa_deleted(name=VPN MCKUSCH,id=188,what=3)
            2018-12-27 07:22:50 avmike:>r> infomode [(IP pfsense)] VPN MCKUSCH: V1.0 76 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 5812faab HASH flags=e
            2018-12-27 07:22:50 avmike:FreeIPsecSA: spi=CBD62308 protocol=3 iotype=1
            2018-12-27 07:22:50 avmike:>r> infomode [(IP pfsense)] VPN MCKUSCH: V1.0 76 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 498d3042 HASH flags=e
            2018-12-27 07:22:50 avmike:FreeIPsecSA: spi=C05403E4 protocol=3 iotype=2
            2018-12-27 07:22:50 avmike:>r> infomode [(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 b0282d8d HASH flags=e
            2018-12-27 07:22:50 avmike:VPN MCKUSCH: del phase 1 SA 189
            2018-12-27 07:22:55 avmike:< add(appl=dsld,cname=VPN MCKUSCH,localip=(IP Fritzbox), remoteip=255.255.255.255, p1ss=dh14/aes/sha, p2ss=esp-aes256-3des-sha/ah-no/comp-lzs-no/pfs p1mode=2 keepalive_ip=0.0.0.0 flags=0x40001 tunnel no_xauth no_cfgmode no_nat_t no_certsrv_server_auth)
            2018-12-27 07:22:55 avmike:new neighbour VPN MCKUSCH:
            2018-12-27 07:22:55 avmike:< create_sa(appl=dsld,cname=VPN MCKUSCH)
            2018-12-27 07:22:55 avmike:VPN MCKUSCH: Phase 1 starting
            2018-12-27 07:22:55 avmike:>>> identity protection mode [(IP pfsense)] VPN MCKUSCH: V1.0 220 IC 83b4f0f722b753b4 RC 00000000 0000 SA flags=
            2018-12-27 07:22:55 avmike:VPN MCKUSCH: Warning: source changed from 0.0.0.0:500 to (IP pfsense):500
            2018-12-27 07:22:55 avmike:<<< identity protection mode[(IP pfsense)] VPN MCKUSCH: V1.0 116 IC 83b4f0f722b753b4 RC 84484486b407c0a8 0000 SA flags=
            2018-12-27 07:22:55 avmike:identity protection mode VPN MCKUSCH: selected lifetime: 3600 sec(no notify)
            2018-12-27 07:22:55 avmike:VPN MCKUSCH receive VENDOR ID Payload: XAUTH
            2018-12-27 07:22:55 avmike:VPN MCKUSCH receive VENDOR ID Payload: DPD
            2018-12-27 07:22:55 avmike:>>> identity protection mode [(IP pfsense)] VPN MCKUSCH: V1.0 308 IC 83b4f0f722b753b4 RC 84484486b407c0a8 0000 KEY flags=
            2018-12-27 07:22:56 avmike:VPN MCKUSCH: Warning: source changed from 0.0.0.0:500 to (IP pfsense):500
            2018-12-27 07:22:56 avmike:<<< identity protection mode[(IP pfsense)] VPN MCKUSCH: V1.0 324 IC 83b4f0f722b753b4 RC 84484486b407c0a8 0000 KEY flags=
            2018-12-27 07:22:56 avmike:VPN MCKUSCH: add phase 1 SA: DH14/AES-256/SHA1/3600sec id:1
            2018-12-27 07:22:56 avmike:>>> identity protection mode [(IP pfsense)] VPN MCKUSCH: V1.0 108 IC 83b4f0f722b753b4 RC 84484486b407c0a8 0000 IDENTIFICATION flags=e
            2018-12-27 07:22:56 avmike:VPN MCKUSCH: Warning: source changed from 0.0.0.0:500 to (IP pfsense):500
            2018-12-27 07:22:56 avmike:<<< identity protection mode[(IP pfsense)] VPN MCKUSCH: V1.0 76 IC 83b4f0f722b753b4 RC 84484486b407c0a8 0000 IDENTIFICATION flags=e
            2018-12-27 07:22:56 avmike:VPN MCKUSCH: Phase 1 ready
            2018-12-27 07:22:56 avmike:VPN MCKUSCH: current=0.0.0.0 new=(IP pfsense)
            2018-12-27 07:22:56 avmike:VPN MCKUSCH: no valid sa, reseting initialcontactdone flag
            2018-12-27 07:22:56 avmike:VPN MCKUSCH: sending initial contact message
            2018-12-27 07:22:56 avmike:>r> infomode [(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 83b4f0f722b753b4 RC 84484486b407c0a8 940ec48 HASH flags=e
            2018-12-27 07:22:56 avmike:VPN MCKUSCH: start waiting connections
            2018-12-27 07:22:56 avmike:VPN MCKUSCH: Phase 2 starting (start waiting)
            2018-12-27 07:22:56 avmike:>>> quickmode [(IP pfsense)] VPN MCKUSCH: V1.0 508 IC 83b4f0f722b753b4 RC 84484486b407c0a8 bb9dcb6a HASH flags=e
            2018-12-27 07:22:56 avmike:<<< quickmode[(IP pfsense)] VPN MCKUSCH: V1.0 444 IC 83b4f0f722b753b4 RC 84484486b407c0a8 bb9dcb6a HASH flags=e
            2018-12-27 07:22:56 avmike:>>> quickmode [(IP pfsense)] VPN MCKUSCH: V1.0 60 IC 83b4f0f722b753b4 RC 84484486b407c0a8 bb9dcb6a HASH flags=e
            2018-12-27 07:22:56 avmike:VPN MCKUSCH: Phase 2 ready
            2018-12-27 07:22:56 avmike:NEW Phase 2 SA: ESP-AES-256/SHA1 SPI: 59C898BB LT: 3600 I/O: IN
            2018-12-27 07:22:56 avmike:NEW Phase 2 SA: ESP-AES-256/SHA1 SPI: C9FC517F LT: 3600 I/O: OUT
            2018-12-27 07:22:56 avmike:< cb_sa_created(name=VPN MCKUSCH,id=1,...,flags=0x00002101)
            2018-12-27 07:22:56 avmike:VPN MCKUSCH: start waiting connections
            2018-12-27 07:22:56 avmike:VPN MCKUSCH: NO waiting connections
            2018-12-27 07:23:07 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 83b4f0f722b753b4 RC 84484486b407c0a8 cd4fbd83 HASH flags=e
            2018-12-27 07:23:07 avmike:>r> infomode [(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 83b4f0f722b753b4 RC 84484486b407c0a8 cd4fbd83 HASH flags=e
            2018-12-27 07:25:40 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 83b4f0f722b753b4 RC 84484486b407c0a8 e17cc7d6 HASH flags=e
            2018-12-27 07:25:50 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 83b4f0f722b753b4 RC 84484486b407c0a8 e6b964ba HASH flags=e
            2018-12-27 07:26:00 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 83b4f0f722b753b4 RC 84484486b407c0a8 4d99e03e HASH flags=e
            2018-12-27 07:26:16 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 83b4f0f722b753b4 RC 84484486b407c0a8 40692e24 HASH flags=e
            2018-12-27 07:26:26 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 83b4f0f722b753b4 RC 84484486b407c0a8 5a1176a4 HASH flags=e
            2018-12-27 07:26:40 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 83b4f0f722b753b4 RC 84484486b407c0a8 e4d053b9 HASH flags=e
            2018-12-27 07:26:50 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 83b4f0f722b753b4 RC 84484486b407c0a8 fc62b165 HASH flags=e
            2018-12-27 07:27:00 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 83b4f0f722b753b4 RC 84484486b407c0a8 5767b485 HASH flags=e
            2018-12-27 07:27:10 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 83b4f0f722b753b4 RC 84484486b407c0a8 15a82a23 HASH flags=e
            2018-12-27 07:27:20 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 83b4f0f722b753b4 RC 84484486b407c0a8 200be361 HASH flags=e

            1 Reply Last reply Reply Quote 0
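An added example, not part of kuschi's post and not an AVM or Netgate tool: a Python script that pairs the `NEW Phase 2 SA` and `FreeIPsecSA` lines of the ike.log above by SPI, showing which SAs ran their negotiated 3600 s lifetime, which were torn down early, and when no inbound SA was installed. The 2-second slack and the verdict names are assumptions of this example.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# SA creation/teardown lines excerpted from the ike.log in the post above.
SAMPLE_LOG = """\
2018-12-27 05:28:26 avmike:NEW Phase 2 SA: ESP-AES-256/SHA1 SPI: 4750E80D LT: 3600 I/O: IN
2018-12-27 05:28:26 avmike:NEW Phase 2 SA: ESP-AES-256/SHA1 SPI: C8CD6F95 LT: 3600 I/O: OUT
2018-12-27 05:34:25 avmike:FreeIPsecSA: spi=FB204F02 protocol=3 iotype=1
2018-12-27 05:34:25 avmike:FreeIPsecSA: spi=C9852197 protocol=3 iotype=2
2018-12-27 06:22:27 avmike:NEW Phase 2 SA: ESP-AES-256/SHA1 SPI: 86D44AE1 LT: 3600 I/O: IN
2018-12-27 06:22:27 avmike:NEW Phase 2 SA: ESP-AES-256/SHA1 SPI: C2365320 LT: 3600 I/O: OUT
2018-12-27 06:28:26 avmike:FreeIPsecSA: spi=4750E80D protocol=3 iotype=1
2018-12-27 06:28:26 avmike:FreeIPsecSA: spi=C8CD6F95 protocol=3 iotype=2
2018-12-27 07:16:29 avmike:NEW Phase 2 SA: ESP-AES-256/SHA1 SPI: CBD62308 LT: 3600 I/O: IN
2018-12-27 07:16:29 avmike:NEW Phase 2 SA: ESP-AES-256/SHA1 SPI: C05403E4 LT: 3600 I/O: OUT
2018-12-27 07:22:27 avmike:FreeIPsecSA: spi=86D44AE1 protocol=3 iotype=1
2018-12-27 07:22:27 avmike:FreeIPsecSA: spi=C2365320 protocol=3 iotype=2
2018-12-27 07:22:50 avmike:FreeIPsecSA: spi=CBD62308 protocol=3 iotype=1
2018-12-27 07:22:50 avmike:FreeIPsecSA: spi=C05403E4 protocol=3 iotype=2
2018-12-27 07:22:56 avmike:NEW Phase 2 SA: ESP-AES-256/SHA1 SPI: 59C898BB LT: 3600 I/O: IN
2018-12-27 07:22:56 avmike:NEW Phase 2 SA: ESP-AES-256/SHA1 SPI: C9FC517F LT: 3600 I/O: OUT
"""

SLACK = 2  # seconds of timestamp rounding tolerated (assumption of this example)
TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) avmike:"
NEW_SA = re.compile(TS + r"NEW Phase 2 SA: \S+ SPI: (?P<spi>[0-9A-Fa-f]+) "
                         r"LT: (?P<lt>\d+) I/O: (?P<dir>IN|OUT)")
FREE_SA = re.compile(TS + r"FreeIPsecSA: spi=(?P<spi>[0-9A-Fa-f]+)\b")


@dataclass
class SaRecord:
    spi: str
    direction: Optional[str] = None    # "IN" or "OUT", known only if creation was logged
    lifetime: Optional[int] = None     # negotiated LT in seconds
    created: Optional[datetime] = None
    freed: Optional[datetime] = None

    @property
    def age(self) -> Optional[int]:
        """Seconds between creation and teardown, or None if either is missing."""
        if self.created and self.freed:
            return int((self.freed - self.created).total_seconds())
        return None

    @property
    def verdict(self) -> str:
        if self.created is None:
            return "created-before-log"   # teardown seen, creation rotated out of the log
        if self.freed is None:
            return "still-installed"
        return "early-teardown" if self.age < self.lifetime - SLACK else "expired"


def _ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def parse_sas(log: str) -> dict:
    """Map SPI -> SaRecord built from the NEW/Free lines; all other lines are ignored."""
    sas = {}
    for line in log.splitlines():
        line = line.strip()
        if m := NEW_SA.match(line):
            rec = sas.setdefault(m["spi"].upper(), SaRecord(m["spi"].upper()))
            rec.direction, rec.lifetime, rec.created = m["dir"], int(m["lt"]), _ts(m["ts"])
        elif m := FREE_SA.match(line):
            sas.setdefault(m["spi"].upper(), SaRecord(m["spi"].upper())).freed = _ts(m["ts"])
    return sas


def inbound_gaps(sas: dict) -> list:
    """(start, end, seconds) intervals during which no IN SA was installed."""
    spans = sorted((r.created, r.freed or datetime.max) for r in sas.values()
                   if r.direction == "IN" and r.created)
    gaps, covered_until = [], None
    for start, end in spans:
        if covered_until is not None and start > covered_until:
            gaps.append((covered_until, start, int((start - covered_until).total_seconds())))
        covered_until = end if covered_until is None else max(covered_until, end)
    return gaps


if __name__ == "__main__":
    records = parse_sas(SAMPLE_LOG)
    for rec in records.values():
        print(f"{rec.spi} {rec.direction or '?':3} age={rec.age} LT={rec.lifetime} {rec.verdict}")
    for start, end, secs in inbound_gaps(records):
        print(f"no inbound SA from {start} to {end} ({secs} s)")
```
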
              kuschi

              I had another opportunity to test the connections from the side of the Fritzbox and from the side of the pfsense box:

              • pfsense box shows connection inactive, Fritzbox shows connection active: traffic direction from Fritzbox to pfsense works, e.g. ping / trace route. pfsense box changes status to connection active
              • pfsense box shows connection inactive, Fritzbox shows connection active: traffic direction from pfsense box to Fritzbox does not work. Traffic times out, ping/ trace route shows no result

                kuschi

                Any news from anybody regarding this issue? I still have troubles with dropping connections.

                Thanks,
                Martin

                  defender110 @kuschi

                  @kuschi Still no solution? I am on 2.4.5 and the problem persists.

                    kuschi @defender110

                    @defender110 Still no solution. I am on 2.4.5 too and I, too, still have the same problem. The Fritzbox connects successfully but pfSense shows the connection as "inactive" after a while. The clients on the Fritzbox side, however, can still reach their targets on pfSense's side but not the other way round.

                      defender110 @kuschi

                      @kuschi Thank You! Well...then the Fritz!Box will have to go and be replaced by a pfSense box. Just have to figure out how to make the Fritz do the phone duties behind the pfSense.

                        NOCling

                        I got it stable only with Aggressive Mode; the tunnel endpoint is a 6490.
                        Otherwise my tunnel crashes after some time and doesn't come up again.
                        I hope AVM reacts to the feature request to upgrade the VPN features.

                          kuschi

                          How did you get it stable in Aggressive Mode? Could you please share your config? Thanks!

                            NOCling

                            Phase 1:

                            IKEv1
                            IPv4
                            PSK
                            Aggressive
                            Distinguished name
                            Distinguished name
                            PSK generated by pfSense
                            AES 256 SHA512 DH2
                            DPD on

                            Phase 2:
                            IPv4
                            NAT None
                            ESP
                            AES 236
                            SHA1
                            PFS Key Group 2
                            Lifetime 3600

                            However, a new Netgate has been ordered and will replace the Fritz shortly.
