4. [SOLVED] IPSec site-to-site establishes but only initiated from remote

[SOLVED] IPSec site-to-site establishes but only initiated from remote

  • M

    I've decided to begin with v2.2.6 as it generally seems quite a stable release.

    I've setup a ipsec site-to-site, following a clean install, BASIC LAN-WAN setup using the correct procedures (enabling ipsec - Adding related Phase 1 - Adding Phase 2 - For initial testing, allowed all via ipsec interface in the ipsec fw rules).

    Remote end is a CISCO PIX/ASA (I have two test locations).  CISCO Unity is at default (enabled).
    Nat-T Auto (the remote has this enabled)
    DPD off

    I have made sure the check-box for "Responder Only" is at default (unchecked).

    LOCAL system uses pfsense as default gw.

    If I ping my local LAN from the remote end, the tunnel initiates, establishes and things are ok.  However, when trying to intialize pings from my local LAN, the tunnel doesn't establish and I get the output below in my logs:

    Jul 12 18:46:49 charon: 13[IKE] <con2|22>ignoring INFORMATIONAL_V1 IKEv1 exchange on IKEv2 SA
    Jul 12 18:46:49 charon: 13[IKE] ignoring INFORMATIONAL_V1 IKEv1 exchange on IKEv2 SA
    Jul 12 18:46:49 charon: 13[NET] <con2|22>received packet: from x.x.x.[500] to x.x.x.x[500] (68 bytes)
    Jul 12 18:46:49 charon: 13[NET] received packet: from x.x.x.x[500] to x.x.x.x[500] (68 bytes)
    Jul 12 18:46:49 charon: 03[NET] waiting for data on sockets
    Jul 12 18:46:49 charon: 03[NET] waiting for data on sockets
    Jul 12 18:46:49 charon: 03[NET] received packet: from x.x.x.x[500] to x.x.x.x[500]

    My ipsec.conf is below.  Is there anything I am missing??

    conn bypasslan
            leftsubnet = 10.10.25.0/24
            rightsubnet = 10.10.25.0/24
            authby = never
            type = passthrough
            auto = route

    conn con1
            fragmentation = yes
            keyexchange = ike
            reauth = yes
            forceencaps = no
            mobike = no
            rekey = yes
            installpolicy = yes
            type = tunnel
            dpdaction = none
            auto = route
            left = x.x.x.x
            right = x.x.x.x
            leftid = x.x.x.x
            ikelifetime = 86400s
            lifetime = 28800s
            ike = 3des-sha1-modp1024!
            esp = 3des-sha1-modp1024!
            leftauth = psk
            rightauth = psk
            rightid = x.x.x.x
            rightsubnet = 192.168.110.0/24
            leftsubnet = 10.10.25.0/24

    Thanks,</con2|22></con2|22>

    0
  • C

    You have IKE version set to auto, where your remote is strictly IKEv1. You need to set it to IKEv1 so it matches.

    0
  • M

    Forcing the IKE version on my end to v1 worked, thank you!

    0
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy