Netgate Discussion Forum
    [SOLVED] IPSec site-to-site establishes but only initiated from remote

    • mannyjacobs73

      I've decided to begin with v2.2.6 as it generally seems quite a stable release.

      I've set up an IPsec site-to-site, following a clean install, BASIC LAN-WAN setup using the correct procedures (enabling IPsec - adding related Phase 1 - adding Phase 2 - for initial testing, allowed all via the IPsec interface in the IPsec firewall rules).

      Remote end is a CISCO PIX/ASA (I have two test locations).  CISCO Unity is at default (enabled).
      Nat-T Auto (the remote has this enabled)
      DPD off

      I have made sure the check-box for "Responder Only" is at default (unchecked).

      LOCAL system uses pfsense as default gw.

      If I ping my local LAN from the remote end, the tunnel initiates, establishes and things are ok.  However, when trying to initialize pings from my local LAN, the tunnel doesn't establish and I get the output below in my logs:

      Jul 12 18:46:49 charon: 13[IKE] <con2|22>ignoring INFORMATIONAL_V1 IKEv1 exchange on IKEv2 SA
      Jul 12 18:46:49 charon: 13[IKE] ignoring INFORMATIONAL_V1 IKEv1 exchange on IKEv2 SA
      Jul 12 18:46:49 charon: 13[NET] <con2|22>received packet: from x.x.x.[500] to x.x.x.x[500] (68 bytes)
      Jul 12 18:46:49 charon: 13[NET] received packet: from x.x.x.x[500] to x.x.x.x[500] (68 bytes)
      Jul 12 18:46:49 charon: 03[NET] waiting for data on sockets
      Jul 12 18:46:49 charon: 03[NET] waiting for data on sockets
      Jul 12 18:46:49 charon: 03[NET] received packet: from x.x.x.x[500] to x.x.x.x[500]

      My ipsec.conf is below.  Is there anything I am missing??

      conn bypasslan
              leftsubnet = 10.10.25.0/24
              rightsubnet = 10.10.25.0/24
              authby = never
              type = passthrough
              auto = route

      conn con1
              fragmentation = yes
              keyexchange = ike
              reauth = yes
              forceencaps = no
              mobike = no
              rekey = yes
              installpolicy = yes
              type = tunnel
              dpdaction = none
              auto = route
              left = x.x.x.x
              right = x.x.x.x
              leftid = x.x.x.x
              ikelifetime = 86400s
              lifetime = 28800s
              ike = 3des-sha1-modp1024!
              esp = 3des-sha1-modp1024!
              leftauth = psk
              rightauth = psk
              rightid = x.x.x.x
              rightsubnet = 192.168.110.0/24
              leftsubnet = 10.10.25.0/24

      Thanks,

      • cmb

        You have IKE version set to auto, where your remote is strictly IKEv1. You need to set it to IKEv1 so it matches.

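        The symptom cmb describes comes from strongSwan's `keyexchange = ike` (pfSense "Auto"): it accepts either IKE version as responder but initiates with IKEv2, so the tunnel only comes up when the IKEv1-only PIX/ASA starts it. The following is an added example, not pfSense or strongSwan code, that parses an ipsec.conf, finds conns still on auto, and correlates them with charon log lines carrying the "IKEv1 exchange on IKEv2 SA" message; the config, log lines and addresses are constructed.

```python
"""Correlate strongSwan ipsec.conf conns on IKE 'auto' (keyexchange = ike) with charon
log lines showing the IKEv1/IKEv2 mismatch from this thread. Added example, not pfSense code."""
import re

# Constructed ipsec.conf fragment (documentation-range addresses, not from the thread).
IPSEC_CONF = """\
conn con1
        keyexchange = ike
        left = 203.0.113.10
        right = 198.51.100.20

conn con2
        keyexchange = ikev1
        right = 198.51.100.30
"""

# Constructed charon lines: the IKEv1 peer's reply arrives on an SA charon opened as IKEv2.
CHARON_LOG = """\
Jul 12 18:46:49 charon: 13[IKE] <con1|22> ignoring INFORMATIONAL_V1 IKEv1 exchange on IKEv2 SA
Jul 12 18:46:49 charon: 03[NET] waiting for data on sockets
"""

CONN_RE = re.compile(r"^conn\s+(\S+)\s*$")
KV_RE = re.compile(r"^\s+(\w+)\s*=\s*(.+?)\s*$")
MISMATCH_RE = re.compile(r"<(?P<conn>[^|>]+)\|\d+>\s*ignoring INFORMATIONAL_V1 IKEv1 exchange on IKEv2 SA")

def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for each conn section."""
    conns, current = {}, None
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return conns

def auto_ike_conns(conns):
    """conns on keyexchange = ike: strongSwan initiates IKEv2 and only accepts either version as responder."""
    return sorted(n for n, kv in conns.items() if kv.get("keyexchange") == "ike")

def mismatch_conns(log):
    """conn names whose SA logged the IKEv1-exchange-on-IKEv2-SA symptom."""
    return sorted({m.group("conn") for m in map(MISMATCH_RE.search, log.splitlines()) if m})

def conns_to_pin_ikev1(conf_text, log):
    """conns on auto that also show the symptom: set keyexchange = ikev1 there (cmb's fix)."""
    return sorted(set(auto_ike_conns(parse_ipsec_conf(conf_text))) & set(mismatch_conns(log)))
```

Running `conns_to_pin_ikev1(IPSEC_CONF, CHARON_LOG)` on the sample returns `['con1']`; con2 is already pinned to IKEv1 and is not reported.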
        • mannyjacobs73

          Forcing the IKE version on my end to v1 worked, thank you!

          • Saqibshakeel035

            I am also trying to connect to a VPN server which is remote and I get this error.

            sudo ipsec up  ikev1-psk-xauth
            initiating Aggressive Mode IKE_SA ikev1-psk-xauth[1] to 193.174.193.64
            generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
            sending packet: from 192.168.60.96[500] to 193.174.193.64[500] (356 bytes)
            received packet: from 193.174.193.64[500] to 192.168.60.96[500] (404 bytes)
            parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V NAT-D NAT-D V V ]
            received Cisco Unity vendor ID
            received XAuth vendor ID
            received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
            received FRAGMENTATION vendor ID
            received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
            IDir '193.174.193.64' does not match to 'vpngw.fh-kempten.de'
            generating INFORMATIONAL_V1 request 2111536507 [ N(INVAL_ID) ]
            sending packet: from 192.168.60.96[500] to 193.174.193.64[500] (56 bytes)
            establishing connection 'ikev1-psk-xauth' failed

            Any suggestions?

            • Derelict (Netgate) @Saqibshakeel035

              @saqibshakeel035 said in [SOLVED] IPSec site-to-site establishes but only initiated from remote:

              Any suggestions?

              Yes. You probably want to start a new thread. This one is years-old. Locking.

