[SOLVED] IPSec site-to-site establishes but only initiated from remote

mannyjacobs73

I've decided to begin with v2.2.6 as it generally seems quite a stable release.

I've setup a ipsec site-to-site, following a clean install, BASIC LAN-WAN setup using the correct procedures (enabling ipsec - Adding related Phase 1 - Adding Phase 2 - For initial testing, allowed all via ipsec interface in the ipsec fw rules).

Remote end is a CISCO PIX/ASA (I have two test locations).  CISCO Unity is at default (enabled).
Nat-T Auto (the remote has this enabled)
DPD off

I have made sure the check-box for "Responder Only" is at default (unchecked).

LOCAL system uses pfsense as default gw.

If I ping my local LAN from the remote end, the tunnel initiates, establishes and things are ok.  However, when trying to intialize pings from my local LAN, the tunnel doesn't establish and I get the output below in my logs:

Jul 12 18:46:49 charon: 13[IKE] <con2|22>ignoring INFORMATIONAL_V1 IKEv1 exchange on IKEv2 SA
Jul 12 18:46:49 charon: 13[IKE] ignoring INFORMATIONAL_V1 IKEv1 exchange on IKEv2 SA
Jul 12 18:46:49 charon: 13[NET] <con2|22>received packet: from x.x.x.[500] to x.x.x.x[500] (68 bytes)
Jul 12 18:46:49 charon: 13[NET] received packet: from x.x.x.x[500] to x.x.x.x[500] (68 bytes)
Jul 12 18:46:49 charon: 03[NET] waiting for data on sockets
Jul 12 18:46:49 charon: 03[NET] waiting for data on sockets
Jul 12 18:46:49 charon: 03[NET] received packet: from x.x.x.x[500] to x.x.x.x[500]

My ipsec.conf is below.  Is there anything I am missing??

conn bypasslan
        leftsubnet = 10.10.25.0/24
        rightsubnet = 10.10.25.0/24
        authby = never
        type = passthrough
        auto = route

conn con1
        fragmentation = yes
        keyexchange = ike
        reauth = yes
        forceencaps = no
        mobike = no
        rekey = yes
        installpolicy = yes
        type = tunnel
        dpdaction = none
        auto = route
        left = x.x.x.x
        right = x.x.x.x
        leftid = x.x.x.x
        ikelifetime = 86400s
        lifetime = 28800s
        ike = 3des-sha1-modp1024!
        esp = 3des-sha1-modp1024!
        leftauth = psk
        rightauth = psk
        rightid = x.x.x.x
        rightsubnet = 192.168.110.0/24
        leftsubnet = 10.10.25.0/24

Thanks,</con2|22></con2|22>

cmb

You have IKE version set to auto, where your remote is strictly IKEv1. You need to set it to IKEv1 so it matches.

mannyjacobs73

Forcing the IKE version on my end to v1 worked, thank you!

Saqibshakeel035

I am also trying to connect to a VPN sever which is remote and I get this error.

sudo ipsec up  ikev1-psk-xauth
initiating Aggressive Mode IKE_SA ikev1-psk-xauth[1] to 193.174.193.64
generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
sending packet: from 192.168.60.96[500] to 193.174.193.64[500] (356 bytes)
received packet: from 193.174.193.64[500] to 192.168.60.96[500] (404 bytes)
parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V NAT-D NAT-D V V ]
received Cisco Unity vendor ID
received XAuth vendor ID
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received FRAGMENTATION vendor ID
received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
IDir '193.174.193.64' does not match to 'vpngw.fh-kempten.de'
generating INFORMATIONAL_V1 request 2111536507 [ N(INVAL_ID) ]
sending packet: from 192.168.60.96[500] to 193.174.193.64[500] (56 bytes)
establishing connection 'ikev1-psk-xauth' failed

Any surggestions ?

Derelict

@saqibshakeel035 said in [SOLVED] IPSec site-to-site establishes but only initiated from remote:

Any surggestions ?

Yes. You probably want to start a new thread. This one is years-old. Locking.