Netgate Discussion Forum
    IPSEC not activating - zero packets sent to remote

    davebu:

      I have a new IPSEC site-to-site tunnel configured.
      First time putting up IPSEC on this platform, all other tunnels have been OpenVPN.
      My end is on a Netgate SG-5100. Up-to-date at 2.4.5-RELEASE
      Remote is an ASA5500
      All of the Phase params for our two ends look fine, BUT ...
      My IPSEC stops early in its activation cycle and never connects.
      It never sends any packets out the WAN to the remote to even begin negotiations.
      I can watch WAN in a packet capture. Simple pings etc to the remote IP are caught, so I know remote is reachable and packet capture on that IP is correct, but ZERO packets for IPSEC.

      Here is a clip from the IPSEC log showing the last messages from the initial local activation, which end with "ipsec_starter 87617 'con1000' routed", and then a cycle of 4 repeating messages that indicate failure. The IPSEC never gets beyond the repeating messages:

      May 29 13:01:51	charon		15[CFG] keyexchange=ikev2
      May 29 13:01:51	charon		15[CFG] added configuration 'con1000'
      May 29 13:01:51	charon		15[CFG] received stroke: route 'con1000'
      May 29 13:01:51	charon		15[CFG] configured proposals: ESP:AES_GCM_16_256/NO_EXT_SEQ, ESP:AES_GCM_12_256/NO_EXT_SEQ, ESP:AES_GCM_8_256/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA2_256_128/NO_EXT_SEQ
      May 29 13:01:51	charon		15[CHD] CHILD_SA con1000{1} state change: CREATED => ROUTED
      May 29 13:01:51	ipsec_starter	87617	'con1000' routed
      May 29 13:02:07	charon		12[CFG] vici client 1 connected
      May 29 13:02:07	charon		11[CFG] vici client 1 registered for: list-sa
      May 29 13:02:07	charon		12[CFG] vici client 1 requests: list-sas
      May 29 13:02:07	charon		13[CFG] vici client 1 disconnected
      May 29 13:02:16	charon		12[CFG] vici client 2 connected
      May 29 13:02:16	charon		13[CFG] vici client 2 registered for: list-sa
      May 29 13:02:16	charon		13[CFG] vici client 2 requests: list-sas
      May 29 13:02:16	charon		13[CFG] vici client 2 disconnected

      A packet capture on IPSEC interface also shows ZERO packets.

      Any suggestions what is blocking or not generating packets?

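An added triage script (not from the post, pfSense or strongSwan) that runs over the charon lines quoted above: it groups CHILD_SA state changes per connection and flags the pattern seen here, a connection loaded with a 'route' stroke that reaches ROUTED and is never initiated, which in strongSwan means only a trap policy is installed and no IKE_SA_INIT is sent until traffic matching the Phase 2 selectors hits that policy or the connection is started explicitly. The second, healthy log sample and its addresses are constructed, and the 'initiating IKE_SA' and 'sending packet' message formats are assumed to match strongSwan's usual wording.

```python
import re
from collections import defaultdict

# Patterns for the charon log format quoted in the post: "<date>\tcharon\t<thread>[GROUP] <message>".
RE_STROKE = re.compile(r"received stroke: (?P<action>\w+) '(?P<conn>[^']+)'")
RE_STATE = re.compile(r"CHILD_SA (?P<conn>[^{\s]+)\{\d+\} state change: \w+ => (?P<new>\w+)")
RE_INITIATE = re.compile(r"initiating IKE_SA (?P<conn>[^\[\s]+)\[\d+\]")
RE_SEND = re.compile(r"sending packet: from \S+ to \S+")

def classify(info, packets_sent):
    """Explain why a connection shows no IKE traffic, from the events collected for it."""
    states = info["states"]
    if "INSTALLED" in states:
        return "established"
    if info["initiated"] or packets_sent:
        return "initiated but not established: look for IKE negotiation errors"
    if info["stroke"] == "route" and states and states[-1] == "ROUTED":
        # 'route' only installs a trap policy; IKE starts when matching traffic hits it or on an explicit start
        return "trap policy only: no IKE_SA_INIT until matching traffic or an explicit start"
    return "never initiated"

def triage(log_text):
    """Group CHILD_SA events per connection name and attach a verdict to each."""
    conns = defaultdict(lambda: {"stroke": None, "states": [], "initiated": False})
    packets_sent = 0
    for line in log_text.splitlines():
        if m := RE_STROKE.search(line):
            conns[m["conn"]]["stroke"] = m["action"]
        if m := RE_STATE.search(line):
            conns[m["conn"]]["states"].append(m["new"])
        if m := RE_INITIATE.search(line):
            conns[m["conn"]]["initiated"] = True
        if RE_SEND.search(line):
            packets_sent += 1
    for info in conns.values():
        info["verdict"] = classify(info, packets_sent)
    return dict(conns)

# Lines taken from the post above.
POSTED_LOG = """\
May 29 13:01:51\tcharon\t15[CFG] received stroke: route 'con1000'
May 29 13:01:51\tcharon\t15[CHD] CHILD_SA con1000{1} state change: CREATED => ROUTED
"""
# Constructed healthy counterpart (documentation IP addresses), not taken from the post.
STARTED_LOG = """\
May 29 13:05:00\tcharon\t09[CFG] received stroke: initiate 'con1000'
May 29 13:05:00\tcharon\t09[IKE] initiating IKE_SA con1000[1] to 198.51.100.7
May 29 13:05:00\tcharon\t09[NET] sending packet: from 203.0.113.5[500] to 198.51.100.7[500] (464 bytes)
May 29 13:05:01\tcharon\t09[CHD] CHILD_SA con1000{1} state change: INSTALLING => INSTALLED
"""
```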
      davebu:

        A bit more info, and a question:

        Based on another topic where traffic was not flowing, I have disabled these params in IPSEC: Advanced

        • Auto-exclude LAN address
        • Asynch Crypto

        My question...
        Unlike each of my OpenVPN tunnels on pfSense, I don't see IPSEC tunnel creating an interface to be activated in Interface::Assignments.
        There is an IPSEC interface, and I have enabled it and given it a pass all all all rule in Firewall. But there is not another specific to the tunnel I configured.
        Does the tunnel not need an interface?
        If it does, what am I missing to enable it and to give it a Firewall rule to permit IP?

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.