[SOLVED] IPSec site-to-site establishes but only initiated from remote



  • I've decided to begin with v2.2.6 as it generally seems quite a stable release.

    I've set up an IPsec site-to-site, following a clean install, BASIC LAN-WAN setup, using the correct procedures (enabling IPsec - adding the related Phase 1 - adding Phase 2 - for initial testing, allowed all via the IPsec interface in the IPsec firewall rules).

    Remote end is a CISCO PIX/ASA (I have two test locations).  CISCO Unity is at default (enabled).
    Nat-T Auto (the remote has this enabled)
    DPD off

    I have made sure the check-box for "Responder Only" is at default (unchecked).

    LOCAL system uses pfsense as default gw.

    If I ping my local LAN from the remote end, the tunnel initiates, establishes and things are OK.  However, when trying to initialize pings from my local LAN, the tunnel doesn't establish and I get the output below in my logs:

    Jul 12 18:46:49 charon: 13[IKE] <con2|22>ignoring INFORMATIONAL_V1 IKEv1 exchange on IKEv2 SA
    Jul 12 18:46:49 charon: 13[IKE] ignoring INFORMATIONAL_V1 IKEv1 exchange on IKEv2 SA
    Jul 12 18:46:49 charon: 13[NET] <con2|22>received packet: from x.x.x.[500] to x.x.x.x[500] (68 bytes)
    Jul 12 18:46:49 charon: 13[NET] received packet: from x.x.x.x[500] to x.x.x.x[500] (68 bytes)
    Jul 12 18:46:49 charon: 03[NET] waiting for data on sockets
    Jul 12 18:46:49 charon: 03[NET] waiting for data on sockets
    Jul 12 18:46:49 charon: 03[NET] received packet: from x.x.x.x[500] to x.x.x.x[500]

    My ipsec.conf is below.  Is there anything I am missing??

    conn bypasslan
            leftsubnet = 10.10.25.0/24
            rightsubnet = 10.10.25.0/24
            authby = never
            type = passthrough
            auto = route

    conn con1
            fragmentation = yes
            keyexchange = ike
            reauth = yes
            forceencaps = no
            mobike = no
            rekey = yes
            installpolicy = yes
            type = tunnel
            dpdaction = none
            auto = route
            left = x.x.x.x
            right = x.x.x.x
            leftid = x.x.x.x
            ikelifetime = 86400s
            lifetime = 28800s
            ike = 3des-sha1-modp1024!
            esp = 3des-sha1-modp1024!
            leftauth = psk
            rightauth = psk
            rightid = x.x.x.x
            rightsubnet = 192.168.110.0/24
            leftsubnet = 10.10.25.0/24

    Thanks,



  • You have IKE version set to auto, where your remote is strictly IKEv1. You need to set it to IKEv1 so it matches.



  • Forcing the IKE version on my end to v1 worked, thank you!



  • I am also trying to connect to a VPN server which is remote and I get this error.

    sudo ipsec up  ikev1-psk-xauth
    initiating Aggressive Mode IKE_SA ikev1-psk-xauth[1] to 193.174.193.64
    generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
    sending packet: from 192.168.60.96[500] to 193.174.193.64[500] (356 bytes)
    received packet: from 193.174.193.64[500] to 192.168.60.96[500] (404 bytes)
    parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V NAT-D NAT-D V V ]
    received Cisco Unity vendor ID
    received XAuth vendor ID
    received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    received FRAGMENTATION vendor ID
    received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
    IDir '193.174.193.64' does not match to 'vpngw.fh-kempten.de'
    generating INFORMATIONAL_V1 request 2111536507 [ N(INVAL_ID) ]
    sending packet: from 192.168.60.96[500] to 193.174.193.64[500] (56 bytes)
    establishing connection 'ikev1-psk-xauth' failed
    

    Any suggestions?
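Both failures in this thread show up as distinctive charon messages: the first post's "ignoring INFORMATIONAL_V1 IKEv1 exchange on IKEv2 SA" (an IKEv1 peer answering a connection pfSense started as IKEv2, fixed by pinning the IKE version), and the later post's "IDir ... does not match to ..." (the peer identifies itself with a different identity than the configured rightid). The checker below is an added example, not code from the thread or from pfSense; it scans constructed log lines modelled on the ones quoted above and reports which signature matched, with the hypothetical rule table and advice strings being my own.

```python
import re

# Constructed sample lines, modelled on the charon output quoted in this thread
# (addresses replaced with documentation ranges).
SAMPLE_LOG = """\
Jul 12 18:46:49 charon: 13[IKE] <con2|22> ignoring INFORMATIONAL_V1 IKEv1 exchange on IKEv2 SA
Jul 12 18:46:49 charon: 13[NET] received packet: from 203.0.113.5[500] to 198.51.100.7[500] (68 bytes)
Jul 12 18:46:49 charon: 03[NET] waiting for data on sockets
IDir '203.0.113.5' does not match to 'vpngw.example.net'
generating INFORMATIONAL_V1 request 2111536507 [ N(INVAL_ID) ]
establishing connection 'ikev1-psk-xauth' failed
"""

# Hypothetical rule table: (regex over one log line, finding name, operator advice).
# Named groups in the regex are substituted into the advice text.
RULES = [
    (re.compile(r"ignoring INFORMATIONAL_V1 IKEv1 exchange on IKEv2 SA"),
     "ike-version-mismatch",
     "peer speaks IKEv1 but the local SA was started as IKEv2: "
     "pin the connection to IKEv1 (keyexchange = ikev1) instead of auto"),
    (re.compile(r"IDir '(?P<got>[^']+)' does not match to '(?P<want>[^']+)'"),
     "peer-id-mismatch",
     "peer identified itself as {got} but rightid expects {want}: "
     "set rightid to the identity the peer actually sends"),
    (re.compile(r"N\(INVAL_ID\)"),
     "invalid-id-notify",
     "INVALID_ID notification sent; authentication will not complete"),
]


def analyse_charon_log(text):
    """Return (line_no, finding, advice) for every line matching a known failure signature."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for pattern, finding, advice in RULES:
            m = pattern.search(line)
            if m:
                findings.append((n, finding, advice.format(**m.groupdict())))
    return findings


if __name__ == "__main__":
    for n, finding, advice in analyse_charon_log(SAMPLE_LOG):
        print(f"line {n}: {finding}: {advice}")
```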


  • LAYER 8 Netgate

    @saqibshakeel035 said in [SOLVED] IPSec site-to-site establishes but only initiated from remote:

    Any suggestions?

    Yes. You probably want to start a new thread. This one is years old. Locking.

