Netgate Discussion Forum
    Child-SA only one-way

IPsec
9 Posts 2 Posters 2.9k Views
oli

      Hi all

      My first topic here, tell me if this is the wrong place or format.

      I'm having a strange issue with a newly created IPsec tunnel. My pfSense Version is 2.4.5, the foreign endpoint is a Cisco Firewall.

      I read up on https://docs.netgate.com/pfsense/en/latest/book/ipsec/ipsec-troubleshooting.html#tunnel-establishes-when-initiating-but-not-when-responding, but I couldn't figure out the misconfiguration yet. The configuration seems to match, see cisco config: config.txt

      It goes as follows.

      • status before bringing the connection up
      # ipsec status
      Shunted Connections:
         bypasslan:  172.16.14.0/24|/0 === 172.16.14.0/24|/0 PASS
      Routed Connections:
           con3000{963}:  ROUTED, TUNNEL, reqid 11
           con3000{963}:   172.16.14.34/32|/0 172.16.14.35/32|/0 172.16.14.36/32|/0 172.16.14.37/32|/0 === 10.153.64.0/20|/0
      Security Associations (0 up, 0 connecting):
        none
      
      • bringing the connection up, IKE_SA succeeds, CHILD_SA fails with TS_UNACCEPTABLE
      # ipsec up con3000
      initiating IKE_SA con3000[92] to 46.14.34.14
      generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
      sending packet: from 95.128.34.75[500] to 46.14.34.14[500] (464 bytes)
      received packet: from 46.14.34.14[500] to 95.128.34.75[500] (574 bytes)
      parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) V ]
      received Cisco Delete Reason vendor ID
      received Cisco Copyright (c) 2009 vendor ID
      received FRAGMENTATION vendor ID
      selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
      authentication of '95.128.34.75' (myself) with pre-shared key
      establishing CHILD_SA con3000{965}
      generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
      sending packet: from 95.128.34.75[500] to 46.14.34.14[500] (400 bytes)
      received packet: from 46.14.34.14[500] to 95.128.34.75[500] (160 bytes)
      parsed IKE_AUTH response 1 [ V IDr AUTH N(TS_UNACCEPT) ]
      authentication of '46.14.34.14' with pre-shared key successful
      IKE_SA con3000[92] established between 95.128.34.75[95.128.34.75]...46.14.34.14[46.14.34.14]
      scheduling reauthentication in 2525s
      maximum IKE_SA lifetime 3065s
      received TS_UNACCEPTABLE notify, no CHILD_SA built
      failed to establish CHILD_SA, keeping IKE_SA
      establishing connection 'con3000' failed
      
      • status after bringing the connection up
      # ipsec status
      Shunted Connections:
         bypasslan:  172.16.14.0/24|/0 === 172.16.14.0/24|/0 PASS
      Routed Connections:
           con3000{963}:  ROUTED, TUNNEL, reqid 11
           con3000{963}:   172.16.14.34/32|/0 172.16.14.35/32|/0 172.16.14.36/32|/0 172.16.14.37/32|/0 === 10.153.64.0/20|/0
      Security Associations (1 up, 0 connecting):
           con3000[92]: ESTABLISHED 2 minutes ago, 95.128.34.75[95.128.34.75]...46.14.34.14[46.14.34.14]
      
      • after a ping is initiated from the other endpoint to 172.16.14.34 the CHILD_SA gets created (clog /var/log/ipsec.log)
      Jun  8 11:27:12 fw-tbabs-01 charon: 05[NET] <con3000|92> received packet: from 46.14.34.14[500] to 95.128.34.75[500] (592 bytes)
      Jun  8 11:27:12 fw-tbabs-01 charon: 05[ENC] <con3000|92> parsed CREATE_CHILD_SA request 0 [ SA No KE TSi TSr ]
      Jun  8 11:27:12 fw-tbabs-01 charon: 05[CFG] <con3000|92> looking for a child config for 172.16.14.34/32|/0 === 10.153.64.240/32|/0 10.153.64.0/20|/0
      Jun  8 11:27:12 fw-tbabs-01 charon: 05[CFG] <con3000|92> proposing traffic selectors for us:
      Jun  8 11:27:12 fw-tbabs-01 charon: 05[CFG] <con3000|92>  172.16.14.34/32|/0
      Jun  8 11:27:12 fw-tbabs-01 charon: 05[CFG] <con3000|92>  172.16.14.35/32|/0
      Jun  8 11:27:12 fw-tbabs-01 charon: 05[CFG] <con3000|92>  172.16.14.36/32|/0
      Jun  8 11:27:12 fw-tbabs-01 charon: 05[CFG] <con3000|92>  172.16.14.37/32|/0
      Jun  8 11:27:12 fw-tbabs-01 charon: 05[CFG] <con3000|92> proposing traffic selectors for other:
      Jun  8 11:27:12 fw-tbabs-01 charon: 05[CFG] <con3000|92>  10.153.64.0/20|/0
      Jun  8 11:27:12 fw-tbabs-01 charon: 05[CFG] <con3000|92>   candidate "con3000" with prio 5+7
      Jun  8 11:27:12 fw-tbabs-01 charon: 05[CFG] <con3000|92> found matching child config "con3000" with prio 12
      Jun  8 11:27:12 fw-tbabs-01 charon: 05[CFG] <con3000|92> selecting proposal:
      Jun  8 11:27:12 fw-tbabs-01 charon: 05[CFG] <con3000|92>   no acceptable ENCRYPTION_ALGORITHM found
      Jun  8 11:27:12 fw-tbabs-01 charon: 05[CFG] <con3000|92> selecting proposal:
      Jun  8 11:27:12 fw-tbabs-01 charon: 05[CFG] <con3000|92>   proposal matches
      Jun  8 11:27:12 fw-tbabs-01 charon: 05[CFG] <con3000|92> received proposals: ESP:AES_GCM_16_256/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_256/AES_CBC_192/AES_CBC_128/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
      Jun  8 11:27:12 fw-tbabs-01 charon: 05[CFG] <con3000|92> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ, ESP:AES_GCM_16_256/MODP_2048/NO_EXT_SEQ, ESP:AES_GCM_12_256/MODP_2048/NO_EXT_SEQ, ESP:AES_GCM_8_256/MODP_2048/NO_EXT_SEQ
      Jun  8 11:27:12 fw-tbabs-01 charon: 05[CFG] <con3000|92> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
      Jun  8 11:27:12 fw-tbabs-01 charon: 05[CFG] <con3000|92> selecting traffic selectors for us:
      Jun  8 11:27:12 fw-tbabs-01 charon: 05[CFG] <con3000|92>  config: 172.16.14.34/32|/0, received: 172.16.14.34/32|/0 => match: 172.16.14.34/32|/0
      Jun  8 11:27:12 fw-tbabs-01 charon: 05[CFG] <con3000|92>  config: 172.16.14.35/32|/0, received: 172.16.14.34/32|/0 => no match
      Jun  8 11:27:12 fw-tbabs-01 charon: 05[CFG] <con3000|92>  config: 172.16.14.36/32|/0, received: 172.16.14.34/32|/0 => no match
      Jun  8 11:27:12 fw-tbabs-01 charon: 05[CFG] <con3000|92>  config: 172.16.14.37/32|/0, received: 172.16.14.34/32|/0 => no match
      Jun  8 11:27:12 fw-tbabs-01 charon: 05[CFG] <con3000|92> selecting traffic selectors for other:
      Jun  8 11:27:12 fw-tbabs-01 charon: 05[CFG] <con3000|92>  config: 10.153.64.0/20|/0, received: 10.153.64.240/32|/0 => match: 10.153.64.240/32|/0
      Jun  8 11:27:12 fw-tbabs-01 charon: 05[CFG] <con3000|92>  config: 10.153.64.0/20|/0, received: 10.153.64.0/20|/0 => match: 10.153.64.0/20|/0
      Jun  8 11:27:12 fw-tbabs-01 charon: 05[CHD] <con3000|92> CHILD_SA con3000{966} state change: CREATED => INSTALLING
      Jun  8 11:27:12 fw-tbabs-01 charon: 05[CHD] <con3000|92>   using AES_CBC for encryption
      Jun  8 11:27:12 fw-tbabs-01 charon: 05[CHD] <con3000|92>   using HMAC_SHA2_256_128 for integrity
      Jun  8 11:27:12 fw-tbabs-01 charon: 05[CHD] <con3000|92> adding inbound ESP SA
      Jun  8 11:27:12 fw-tbabs-01 charon: 05[CHD] <con3000|92>   SPI 0xc48473c5, src 46.14.34.14 dst 95.128.34.75
      Jun  8 11:27:12 fw-tbabs-01 charon: 05[CHD] <con3000|92> adding outbound ESP SA
      Jun  8 11:27:12 fw-tbabs-01 charon: 05[CHD] <con3000|92>   SPI 0xc2c8931a, src 95.128.34.75 dst 46.14.34.14
      Jun  8 11:27:12 fw-tbabs-01 charon: 05[IKE] <con3000|92> CHILD_SA con3000{966} established with SPIs c48473c5_i c2c8931a_o and TS 172.16.14.34/32|/0 === 10.153.64.0/20|/0
      Jun  8 11:27:12 fw-tbabs-01 charon: 05[CHD] <con3000|92> CHILD_SA con3000{966} state change: INSTALLING => INSTALLED
      Jun  8 11:27:12 fw-tbabs-01 charon: 05[ENC] <con3000|92> generating CREATE_CHILD_SA response 0 [ N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
      Jun  8 11:27:12 fw-tbabs-01 charon: 05[NET] <con3000|92> sending packet: from 95.128.34.75[500] to 46.14.34.14[500] (480 bytes)
      
      • status after creation
# ipsec status
      Shunted Connections:
        bypasslan:  172.16.14.0/24|/0 === 172.16.14.0/24|/0 PASS
      Routed Connections:
          con3000{1}:  ROUTED, TUNNEL, reqid 1
          con3000{1}:   172.16.14.34/32|/0 172.16.14.35/32|/0 172.16.14.36/32|/0 172.16.14.37/32|/0 === 10.153.64.0/20|/0
      Security Associations (1 up, 0 connecting):
          con3000[2]: ESTABLISHED 12 minutes ago, 95.128.34.75[95.128.34.75]...46.14.34.14[46.14.34.14]
          con3000{5}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: cf2e3af4_i cd44d223_o
          con3000{5}:   172.16.14.34/32|/0 === 10.153.64.0/20|/0 
      

      In conclusion, the CHILD_SA only gets created after a ping from the other endpoint, not if initiated from my end.

• A ping to one of the foreign IPs (e.g. 10.153.64.1) before the tunnel is established does not work, only after establishing the tunnel.
• There is no route before nor after creating the CHILD_SA, see netstat below. As I understand it, this is some IPsec magic in the background that does the routing.
      • Without established CHILD_SA, traffic from 172.16.14.34 does not pass enc0 interface and times out

Any idea what went wrong here? I see the following proposal error when the remote gateway establishes, but then it matches anyway, so I'm not sure that's the issue.

      Jun  8 11:27:12 fw-tbabs-01 charon: 05[CFG] <con3000|92> selecting proposal:
      Jun  8 11:27:12 fw-tbabs-01 charon: 05[CFG] <con3000|92>   no acceptable ENCRYPTION_ALGORITHM found
      Jun  8 11:27:12 fw-tbabs-01 charon: 05[CFG] <con3000|92> selecting proposal:
      Jun  8 11:27:12 fw-tbabs-01 charon: 05[CFG] <con3000|92>   proposal matches
      

      ifconfig

      em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
      	options=209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
      	ether 00:1a:4a:02:02:45
      	hwaddr 00:1a:4a:02:02:45
      	inet6 fe80::21a:4aff:fe02:245%em0 prefixlen 64 scopeid 0x1
      	inet 95.128.34.75 netmask 0xffffffe0 broadcast 95.128.34.95
      	inet 95.128.34.77 netmask 0xffffffff broadcast 95.128.34.77
      	inet 95.128.34.79 netmask 0xffffffff broadcast 95.128.34.79
      	inet 95.128.34.84 netmask 0xffffffff broadcast 95.128.34.84
      	inet 95.128.34.85 netmask 0xffffffff broadcast 95.128.34.85
      	inet 95.128.34.66 netmask 0xffffffff broadcast 95.128.34.66
      	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
      	media: Ethernet autoselect (1000baseT <full-duplex>)
      	status: active
      em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
      	options=209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
      	ether 00:1a:4a:02:02:46
      	hwaddr 00:1a:4a:02:02:46
      	inet6 fe80::21a:4aff:fe02:246%em1 prefixlen 64 scopeid 0x2
      	inet 172.16.14.1 netmask 0xffffff00 broadcast 172.16.14.255
      	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
      	media: Ethernet autoselect (1000baseT <full-duplex>)
      	status: active
      em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
      	options=209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
      	ether 00:1a:4a:02:02:48
      	hwaddr 00:1a:4a:02:02:48
      	inet6 fe80::21a:4aff:fe02:248%em2 prefixlen 64 scopeid 0x3
      	inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
      	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
      	media: Ethernet autoselect (1000baseT <full-duplex>)
      	status: active
      enc0: flags=41<UP,RUNNING> metric 0 mtu 1536
      	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
      	groups: enc
      lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
      	options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
      	inet6 ::1 prefixlen 128
      	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
      	inet 127.0.0.1 netmask 0xff000000
      	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
      	groups: lo
      pflog0: flags=100<PROMISC> metric 0 mtu 33160
      	groups: pflog
      pfsync0: flags=0<> metric 0 mtu 1500
      	groups: pfsync
      ovpns1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
      	options=80000<LINKSTATE>
      	inet6 fe80::21a:4aff:fe02:245%ovpns1 prefixlen 64 scopeid 0x8
      	inet 10.0.0.1 --> 10.0.0.2 netmask 0xffffff00
      	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
      	groups: tun openvpn
      	Opened by PID 24930
      

      netstat -r -n

      Routing tables
      
      Internet:
      Destination        Gateway            Flags     Netif Expire
      default            95.128.34.65       UGS         em0
      10.0.0.0/24        10.0.0.2           UGS      ovpns1
      10.0.0.1           link#8             UHS         lo0
      10.0.0.2           link#8             UH       ovpns1
      46.14.34.14        95.128.34.65       UGHS        em0
      95.128.34.64/27    link#1             U           em0
      95.128.34.66       link#1             UHS         lo0
      95.128.34.66/32    link#1             U           em0
      95.128.34.75       link#1             UHS         lo0
      95.128.34.77       link#1             UHS         lo0
      95.128.34.77/32    link#1             U           em0
      95.128.34.79       link#1             UHS         lo0
      95.128.34.79/32    link#1             U           em0
      95.128.34.84       link#1             UHS         lo0
      95.128.34.84/32    link#1             U           em0
      95.128.34.85       link#1             UHS         lo0
      95.128.34.85/32    link#1             U           em0
      127.0.0.1          link#5             UH          lo0
      172.16.14.0/24     link#2             U           em1
      172.16.14.1        link#2             UHS         lo0
      192.168.0.0/24     link#3             U           em2
      192.168.0.1        link#3             UHS         lo0
      

      /var/etc/ipsec/ipsec.conf

      # This file is automatically generated. Do not edit
      config setup
      	uniqueids = yes
      
      conn bypasslan
      	leftsubnet = 172.16.14.0/24
      	rightsubnet = 172.16.14.0/24
      	authby = never
      	type = passthrough
      	auto = route
      
      conn con3000
      	fragmentation = yes
      	keyexchange = ikev2
      	reauth = yes
      	forceencaps = no
      	mobike = no
      	
      	rekey = yes
      	installpolicy = yes
      	type = tunnel
      	dpdaction = restart
      	dpddelay = 2s
      	dpdtimeout = 12s
      	closeaction = restart
      	auto = route
      	left = 95.128.34.75
      	right = 46.14.34.14
      	leftid = 95.128.34.75
      	ikelifetime = 3600s
      	lifetime = 3600s
      	ike = aes256-sha256-modp2048!
      	esp = aes256-sha256-modp2048,aes256gcm128-sha256-modp2048,aes256gcm96-sha256-modp2048,aes256gcm64-sha256-modp2048!
      	leftauth = psk
      	rightauth = psk
      	rightid = 46.14.34.14
      	rightsubnet = 10.153.64.0/20
      	leftsubnet = 172.16.14.34,172.16.14.35,172.16.14.36,172.16.14.37
      

      /var/etc/ipsec/strongswan.conf

      # Automatically generated config file - DO NOT MODIFY. Changes will be overwritten.
      starter {
      	load_warning = no
      	config_file = /var/etc/ipsec/ipsec.conf
      }
      
      charon {
      # number of worker threads in charon
      	threads = 16
      	ikesa_table_size = 32
      	ikesa_table_segments = 4
      	init_limit_half_open = 1000
      	install_routes = no
      	load_modular = yes
      	ignore_acquire_ts = yes
      	
      	
      	cisco_unity = no
      	
      	
      
      	syslog {
      		identifier = charon
      		# log everything under daemon since it ends up in the same place regardless with our syslog.conf
      		daemon {
      			ike_name = yes
      			dmn = 1
      			mgr = 1
      			ike = 2
      			chd = 2
      			job = 1
      			cfg = 2
      			knl = 1
      			net = 1
      			asn = 1
      			enc = 1
      			imc = 1
      			imv = 1
      			pts = 1
      			tls = 1
      			esp = 1
      			lib = 1
      
      		}
      		# disable logging under auth so logs aren't duplicated
      		auth {
      			default = -1
      		}
      	}
      
      	plugins {
      		# Load defaults
      		include /var/etc/ipsec/strongswan.d/charon/*.conf
      
      		stroke {
      			secrets_file = /var/etc/ipsec/ipsec.secrets
      		}
      
      		unity {
      			load = no
      		}
      
      		curve25519 {
      			load = yes
      		}
      
      	}
      }
      
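The log above records two different outcomes of the same step, IKEv2 traffic-selector negotiation (RFC 7296 section 2.9): when pfSense initiates with four TSi entries the Cisco answers TS_UNACCEPTABLE, and when the Cisco initiates with a single 172.16.14.34/32 pfSense narrows its four-entry config down to that one host. The following added example, which is not code from pfSense, strongSwan or the poster, models the responder side of that decision: every configured selector is intersected with every received one, non-empty results are kept, and an empty result on either side means TS_UNACCEPTABLE. Selectors are modelled as bare IPv4 CIDR blocks (no protocol or port ranges); the selectors themselves are the ones visible in the thread, and the 172.16.15.0/24 failure case is constructed.

```python
"""IKEv2 traffic-selector (TS) narrowing on the responder, RFC 7296 section 2.9.

Added example for this thread, not code from pfSense, strongSwan or the poster.
Each configured selector is intersected with each received selector, the
non-empty results are kept, and if either side ends up empty the responder
must answer TS_UNACCEPTABLE instead of building a CHILD_SA. Selectors are
modelled as plain IPv4 CIDR blocks; protocol and port ranges are left out.
"""
from ipaddress import ip_network, IPv4Network
from typing import Iterable, List, Optional, Tuple

TS_UNACCEPTABLE = "TS_UNACCEPTABLE"


def _intersect(a: IPv4Network, b: IPv4Network) -> Optional[IPv4Network]:
    """Two CIDR blocks either nest or are disjoint, so the intersection is the smaller one."""
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def narrow(configured: Iterable[str], received: Iterable[str]) -> List[IPv4Network]:
    """Intersect every configured selector with every received one.

    Each kept value mirrors a 'config: X, received: Y => match: Z' line in the
    charon log. A match already covered by a wider match is dropped, which is
    why the log installs 10.153.64.0/20 alone rather than the /20 plus
    10.153.64.240/32.
    """
    matches: List[IPv4Network] = []
    for cfg in (ip_network(c) for c in configured):
        for rcv in (ip_network(r) for r in received):
            m = _intersect(cfg, rcv)
            if m is not None and m not in matches:
                matches.append(m)
    return [m for m in matches
            if not any(m != o and m.subnet_of(o) for o in matches)]


def respond(cfg_us, cfg_other, rcv_us, rcv_other) -> Tuple[str, List[str], List[str]]:
    """Responder's answer: ("OK", us, other) or (TS_UNACCEPTABLE, [], []).

    'us' / 'other' follow the log's wording: when the peer initiates, the TSr
    it sends describes our side and its TSi describes the peer's side.
    """
    us = narrow(cfg_us, rcv_us)
    other = narrow(cfg_other, rcv_other)
    if not us or not other:
        return TS_UNACCEPTABLE, [], []
    return "OK", [str(n) for n in us], [str(n) for n in other]


# pfSense's child config from the thread (con3000)
CFG_US = ["172.16.14.34/32", "172.16.14.35/32", "172.16.14.36/32", "172.16.14.37/32"]
CFG_OTHER = ["10.153.64.0/20"]

# The CREATE_CHILD_SA request the Cisco sent (log lines at 11:27:12)
RCV_US = ["172.16.14.34/32"]
RCV_OTHER = ["10.153.64.240/32", "10.153.64.0/20"]


if __name__ == "__main__":
    # Same TS the log installed: 172.16.14.34/32 === 10.153.64.0/20
    print(respond(CFG_US, CFG_OTHER, RCV_US, RCV_OTHER))
    # Constructed failure: the peer proposes a subnet we have no child config for
    print(respond(CFG_US, CFG_OTHER, ["172.16.15.0/24"], RCV_OTHER))
```

Run it and compare the first tuple with the "CHILD_SA con3000{966} established ... TS" line in the log; the same function shows that a peer proposing 172.16.14.32/29 would be narrowed to the four /32 hosts on our side, whereas a proposal that touches none of them is the path that produces the notify seen in the IKE_AUTH response.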
Konstanti @oli

        @oli
        Hi
Try setting up phase-2 on both sides of the tunnel like this (pfSense side):

[screenshot attachment: 2c3361a0-7ae2-48c1-abe4-2a8497dabe74-image.png]

oli

          @Konstanti
          Thanks for the reply, will do. But why would this work?

Konstanti @oli

            @oli
            Because only one SA will be created on both sides of the tunnel, and the system will set a trap (TS 172.16.14.32/29|/0 === 10.153.64.0/20|/0 ) that will get traffic from 172.16.14.34,172.16.14.35,172.16.14.36,172.16.14.37 to 10.153.64.0/20, and that traffic will go into the tunnel

[screenshot attachment: 28b6ab09-4145-46d1-9431-4dea842f206e-image.png]

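The single selector Konstanti proposes, 172.16.14.32/29, contains the four wanted hosts but also 172.16.14.32, .33, .38 and .39, and an IPsec policy for the /29 will match traffic to and from those addresses too. The following added example (not pfSense or strongSwan code, and not from the thread) derives that covering prefix from the host list, lists the extra addresses the wider selector admits, and shows that the tightest exact cover is two /31 blocks, so no single selector can be narrower than the /29. The host list and the remote 10.153.64.0/20 are from the thread; everything else is the standard library's ipaddress module.

```python
"""Collapse a list of host addresses into one IPsec traffic selector and
show what the wider selector admits.

Added example for this thread, not pfSense or strongSwan code. It takes the
four hosts from con3000's leftsubnet and derives the 172.16.14.32/29 that
Konstanti proposed, then lists the addresses that block contains beyond the
four wanted ones, because a policy for the /29 matches those as well.
"""
from ipaddress import collapse_addresses, ip_address, ip_network, IPv4Network
from typing import Iterable, List

# Hosts from the thread's leftsubnet and the remote side of the tunnel
HOSTS = ["172.16.14.34", "172.16.14.35", "172.16.14.36", "172.16.14.37"]
REMOTE = "10.153.64.0/20"


def covering_prefix(hosts: Iterable[str]) -> IPv4Network:
    """Smallest single CIDR block containing every host (what one selector needs)."""
    addrs = sorted(ip_address(h) for h in hosts)
    lo, hi = addrs[0], addrs[-1]
    net = ip_network(str(lo))          # /32 of the lowest host
    while hi not in net:               # widen one bit at a time until the highest fits
        net = net.supernet()
    return net


def exact_cover(hosts: Iterable[str]) -> List[IPv4Network]:
    """Fewest CIDR blocks that contain exactly the given hosts and nothing else."""
    return list(collapse_addresses(ip_network(h) for h in hosts))


def extra_addresses(hosts: Iterable[str], net: IPv4Network) -> List[str]:
    """Addresses inside net that were not in the host list, i.e. the policy widening."""
    wanted = {ip_address(h) for h in hosts}
    # Iterate the whole block, not net.hosts(): a traffic selector has no
    # network/broadcast exception, so .32 and .39 count too.
    return [str(a) for a in net if a not in wanted]


def selector_report(hosts: Iterable[str], remote: str) -> dict:
    """What a reviewer wants to see before widening a phase-2 selector."""
    hosts = list(hosts)
    net = covering_prefix(hosts)
    return {
        "single_selector": str(net),
        "exact_cover": [str(n) for n in exact_cover(hosts)],
        "extra_addresses": extra_addresses(hosts, net),
        "overlaps_remote": net.overlaps(ip_network(remote)),
    }


if __name__ == "__main__":
    for key, value in selector_report(HOSTS, REMOTE).items():
        print(f"{key}: {value}")
```

For the thread's hosts the report gives 172.16.14.32/29 as the single selector, [172.16.14.34/31, 172.16.14.36/31] as the exact cover, and .32, .33, .38 and .39 as the addresses the /29 adds. If any of those four is a live host on em1, its traffic to 10.153.64.0/20 now matches the tunnel policy and the remote side can reach it through the SA, so the firewall rules on the pfSense IPsec interface are where to restrict it.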
oli

              @Konstanti
              Ok, I'm curious if this will also fix the issue that I can not initiate. I'll keep you posted, thanks for the clarification.

Konstanti @oli

                @oli
                I see that when I connect , Cisco sends an error message
                received TS_UNACCEPTABLE notify, no CHILD_SA built

                That's why I suggest creating one phase-2 instead of 4.

oli

                  @Konstanti
                  Worked like a charm, thank you very much!
Do single addresses generally not work, or just in this specific case?
How can I extend the official documentation with this? I found a couple of threads in the wild with the same error message but no working solutions as far as I can tell.

Konstanti @oli

                    @oli said in Child-SA only one-way:

                    Worked like a charm, thank you very much!
Do single addresses generally not work, or just in this specific case?
How can I extend the official documentation with this? I found a couple of threads in the wild with the same error message but no working solutions as far as I can tell.

                    I think there is a problem with the IPSec phase-2 settings on the Cisco side
                    If you can , show me the Cisco settings

oli

                      @Konstanti
                      I'll see what I can do.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.