IPSEC not activating - zero packets sent to remote
-
I have a new IPSEC site-to-site tunnel configured.
First time putting up IPSEC on this platform, all other tunnels have been OpenVPN.
My end is on a Netgate SG-5100. Up-to-date at 2.4.5-RELEASE
Remote is an ASA5500
All of the Phase params for our two ends look fine, BUT ...
My IPSEC stops early in its activation cycle and never connects.
It never sends any packets out the WAN to the remote to even begin negotiations.
I can watch WAN in a packet capture. Simple pings etc. to the remote IP are caught, so I know remote is reachable and packet capture on that IP is correct, but ZERO packets for IPSEC.

Here is a clip from IPSEC log showing the last messages from the initial local activation, which end with "ipsec_starter 87617 'con1000' routed", and then a cycle of 4 repeating messages that indicate failure. The IPSEC never gets beyond the repeating messages:

May 29 13:01:51 charon 15[CFG] keyexchange=ikev2
May 29 13:01:51 charon 15[CFG] added configuration 'con1000'
May 29 13:01:51 charon 15[CFG] received stroke: route 'con1000'
May 29 13:01:51 charon 15[CFG] configured proposals: ESP:AES_GCM_16_256/NO_EXT_SEQ, ESP:AES_GCM_12_256/NO_EXT_SEQ, ESP:AES_GCM_8_256/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA2_256_128/NO_EXT_SEQ
May 29 13:01:51 charon 15[CHD] CHILD_SA con1000{1} state change: CREATED => ROUTED
May 29 13:01:51 ipsec_starter 87617 'con1000' routed
May 29 13:02:07 charon 12[CFG] vici client 1 connected
May 29 13:02:07 charon 11[CFG] vici client 1 registered for: list-sa
May 29 13:02:07 charon 12[CFG] vici client 1 requests: list-sas
May 29 13:02:07 charon 13[CFG] vici client 1 disconnected
May 29 13:02:16 charon 12[CFG] vici client 2 connected
May 29 13:02:16 charon 13[CFG] vici client 2 registered for: list-sa
May 29 13:02:16 charon 13[CFG] vici client 2 requests: list-sas
May 29 13:02:16 charon 13[CFG] vici client 2 disconnected
A packet capture on IPSEC interface also shows ZERO packets.
Any suggestions what is blocking or not generating packets?
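To make the log clip above easier to read at a glance, here is an added example (my own script, not part of the post and not pfSense or strongSwan code) that parses charon lines in the format quoted above and reports, per connection, whether the CHILD_SA ever left the ROUTED (trap-policy) state and whether this end emitted any IKE packet at all. The regular expressions are my own; the sample log is constructed: `con1000` mirrors the post's clip, while `con2000` is an invented connection that does negotiate, included only for contrast.

```python
"""Summarise strongSwan charon log lines per IPsec connection.

Added example, not from the post or from pfSense/strongSwan: it parses
lines in the format quoted in the post and reports whether each
connection ever got past the ROUTED (trap-policy) state and whether any
IKE packet was sent at all. Regex patterns and the sample log are my own
constructions modelled on the quoted messages.
"""
import re
from collections import OrderedDict

# "received stroke: route 'con1000'"  -> (action, connection name)
STROKE_RE = re.compile(r"received stroke: (\w+) '([^']+)'")
# "CHILD_SA con1000{1} state change: CREATED => ROUTED"
# "IKE_SA con2000[1] state change: CREATED => CONNECTING"
STATE_RE = re.compile(
    r"(IKE_SA|CHILD_SA) (\S+?)[\[{]\d+[\]}] state change: (\w+) => (\w+)")
# strongSwan NET subsystem line emitted when an IKE datagram leaves the host
SEND_RE = re.compile(r"sending packet: from (\S+) to (\S+)")

# Constructed sample: con1000 mirrors the post (routed, never negotiates);
# con2000 is a made-up connection that starts and comes up, for contrast.
SAMPLE_LOG = """\
May 29 13:01:51 charon 15[CFG] added configuration 'con1000'
May 29 13:01:51 charon 15[CFG] received stroke: route 'con1000'
May 29 13:01:51 charon 15[CHD] CHILD_SA con1000{1} state change: CREATED => ROUTED
May 29 13:01:51 ipsec_starter 87617 'con1000' routed
May 29 13:02:07 charon 12[CFG] vici client 1 connected
May 29 13:02:07 charon 12[CFG] vici client 1 requests: list-sas
May 29 13:02:07 charon 13[CFG] vici client 1 disconnected
May 29 13:05:00 charon 09[CFG] received stroke: up 'con2000'
May 29 13:05:00 charon 09[IKE] IKE_SA con2000[1] state change: CREATED => CONNECTING
May 29 13:05:00 charon 09[NET] sending packet: from 198.51.100.2[500] to 203.0.113.9[500] (464 bytes)
May 29 13:05:00 charon 09[IKE] IKE_SA con2000[1] state change: CONNECTING => ESTABLISHED
May 29 13:05:00 charon 09[CHD] CHILD_SA con2000{2} state change: CREATED => INSTALLING
May 29 13:05:00 charon 09[CHD] CHILD_SA con2000{2} state change: INSTALLING => INSTALLED
"""


def _new_entry():
    return {"action": None, "ike": None, "child": None}


def parse_charon_log(text):
    """Return (per-connection state dict, number of IKE packets sent)."""
    conns = OrderedDict()
    sent = 0
    for line in text.splitlines():
        m = STROKE_RE.search(line)
        if m:
            action, name = m.groups()
            conns.setdefault(name, _new_entry())["action"] = action
            continue
        m = STATE_RE.search(line)
        if m:
            kind, name, _old, new = m.groups()
            entry = conns.setdefault(name, _new_entry())
            # keep only the latest state seen for IKE_SA and CHILD_SA
            entry["ike" if kind == "IKE_SA" else "child"] = new
            continue
        if SEND_RE.search(line):
            sent += 1
    return conns, sent


def diagnose(conns, sent):
    """Turn the parsed state into one finding per connection plus a global one."""
    findings = []
    for name, st in conns.items():
        if st["child"] == "ROUTED" and st["ike"] is None:
            findings.append(
                f"{name}: stuck in ROUTED (action={st['action']}): trap policy "
                "installed but no IKE_SA ever created, so either no traffic has "
                "hit the trap yet or this end is waiting for the peer to initiate")
        elif st["ike"] == "ESTABLISHED" and st["child"] == "INSTALLED":
            findings.append(f"{name}: up (IKE_SA established, CHILD_SA installed)")
        else:
            findings.append(f"{name}: IKE_SA={st['ike']} CHILD_SA={st['child']}")
    if sent == 0:
        findings.append("no 'sending packet' lines: this end never started a negotiation")
    return findings


if __name__ == "__main__":
    for finding in diagnose(*parse_charon_log(SAMPLE_LOG)):
        print(finding)
```

Run it against a real clip by replacing `SAMPLE_LOG` with the pasted log text; a connection that only ever reaches `CREATED => ROUTED` with no `IKE_SA ... CONNECTING` and no `sending packet` line is the same signature the post's clip shows, which points at the tunnel never being triggered rather than at a filtering problem on the wire.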
-
A bit more info, and a question:
Based on another topic where traffic was not flowing, I have disabled these params in IPSEC: Advanced
- Auto-exclude LAN address
- Asynch Crypto
My question...
Unlike each of my OpenVPN tunnels on pfSense, I don't see IPSEC tunnel creating an interface to be activated in Interface::Assignments.
There is an IPSEC interface, and I have enabled it and given it a pass all all all rule in Firewall. But there is not another specific to the tunnel I configured.
Does the tunnel not need an interface?
If it does, what am I missing to enable it and to give it a Firewall rule to permit IP?