[SOLVED] IPSec site-to-site establishes but only initiated from remote
-
I've decided to begin with v2.2.6 as it generally seems quite a stable release.
I've set up an IPsec site-to-site, following a clean install, BASIC LAN-WAN setup, using the correct procedures (enabling IPsec - adding the related Phase 1 - adding Phase 2 - for initial testing, allowed all via the IPsec interface in the IPsec firewall rules).
Remote end is a CISCO PIX/ASA (I have two test locations). CISCO Unity is at default (enabled).
Nat-T Auto (the remote has this enabled)
DPD off
I have made sure the check-box for "Responder Only" is at default (unchecked).
LOCAL system uses pfsense as default gw.
If I ping my local LAN from the remote end, the tunnel initiates, establishes and things are OK. However, when trying to initialize pings from my local LAN, the tunnel doesn't establish and I get the output below in my logs:
Jul 12 18:46:49 charon: 13[IKE] <con2|22> ignoring INFORMATIONAL_V1 IKEv1 exchange on IKEv2 SA
Jul 12 18:46:49 charon: 13[IKE] ignoring INFORMATIONAL_V1 IKEv1 exchange on IKEv2 SA
Jul 12 18:46:49 charon: 13[NET] <con2|22> received packet: from x.x.x.[500] to x.x.x.x[500] (68 bytes)
Jul 12 18:46:49 charon: 13[NET] received packet: from x.x.x.x[500] to x.x.x.x[500] (68 bytes)
Jul 12 18:46:49 charon: 03[NET] waiting for data on sockets
Jul 12 18:46:49 charon: 03[NET] waiting for data on sockets
Jul 12 18:46:49 charon: 03[NET] received packet: from x.x.x.x[500] to x.x.x.x[500]
My ipsec.conf is below. Is there anything I am missing?
conn bypasslan
leftsubnet = 10.10.25.0/24
rightsubnet = 10.10.25.0/24
authby = never
type = passthrough
auto = route

conn con1
fragmentation = yes
keyexchange = ike
reauth = yes
forceencaps = no
mobike = no
rekey = yes
installpolicy = yes
type = tunnel
dpdaction = none
auto = route
left = x.x.x.x
right = x.x.x.x
leftid = x.x.x.x
ikelifetime = 86400s
lifetime = 28800s
ike = 3des-sha1-modp1024!
esp = 3des-sha1-modp1024!
leftauth = psk
rightauth = psk
rightid = x.x.x.x
rightsubnet = 192.168.110.0/24
leftsubnet = 10.10.25.0/24

Thanks,
-
You have IKE version set to auto, where your remote is strictly IKEv1. You need to set it to IKEv1 so it matches.
-
Forcing the IKE version on my end to v1 worked, thank you!
-
I am also trying to connect to a VPN sever which is remote and I get this error.
sudo ipsec up ikev1-psk-xauth
initiating Aggressive Mode IKE_SA ikev1-psk-xauth[1] to 193.174.193.64
generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
sending packet: from 192.168.60.96[500] to 193.174.193.64[500] (356 bytes)
received packet: from 193.174.193.64[500] to 192.168.60.96[500] (404 bytes)
parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V NAT-D NAT-D V V ]
received Cisco Unity vendor ID
received XAuth vendor ID
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received FRAGMENTATION vendor ID
received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
IDir '193.174.193.64' does not match to 'vpngw.fh-kempten.de'
generating INFORMATIONAL_V1 request 2111536507 [ N(INVAL_ID) ]
sending packet: from 192.168.60.96[500] to 193.174.193.64[500] (56 bytes)
establishing connection 'ikev1-psk-xauth' failed
Any suggestions?
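Both failures in this thread show up as one recognisable line in strongSwan's charon output: the first post's "ignoring INFORMATIONAL_V1 IKEv1 exchange on IKEv2 SA" (pfSense's "auto" writes keyexchange = ike, which initiates with IKEv2 and only accepts IKEv1 when responding, so the tunnel works when the PIX/ASA starts it and fails when pfSense does), and the second post's "IDir ... does not match" (the peer identified itself by its IP address while rightid expected a hostname, so the local side sent INVAL_ID and gave up). The script below is an added example, not code from the thread, pfSense or strongSwan: it scans log text for those two symptoms, checks a pfSense-style ipsec.conf fragment against them, and rewrites keyexchange for a given conn. The log lines, addresses (documentation ranges), hostname and function names are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample output, modelled on the two posts above (addresses are
# documentation ranges; the hostname is made up).
CHARON_LOG = """\
Jul 12 18:46:49 charon: 13[IKE] <con2|22> ignoring INFORMATIONAL_V1 IKEv1 exchange on IKEv2 SA
Jul 12 18:46:49 charon: 13[NET] <con2|22> received packet: from 203.0.113.10[500] to 198.51.100.20[500] (68 bytes)
Jul 12 18:46:49 charon: 03[NET] waiting for data on sockets
"""

IPSEC_UP_OUTPUT = """\
initiating Aggressive Mode IKE_SA ikev1-psk-xauth[1] to 203.0.113.64
received Cisco Unity vendor ID
received XAuth vendor ID
IDir '203.0.113.64' does not match to 'vpngw.example.test'
generating INFORMATIONAL_V1 request 2111536507 [ N(INVAL_ID) ]
establishing connection 'ikev1-psk-xauth' failed
"""

# Constructed ipsec.conf fragment in the flat shape pfSense wrote for the first
# poster. 'keyexchange = ike' is what pfSense's "auto" produces: IKEv2 when
# initiating, either version accepted when responding.
IPSEC_CONF = """\
conn con1
keyexchange = ike
type = tunnel
left = 198.51.100.20
right = 203.0.113.10
rightid = 203.0.113.10
rightsubnet = 192.168.110.0/24
leftsubnet = 10.10.25.0/24
"""

# Symptom lines as strongSwan prints them; named groups capture the IDs.
SYMPTOM_PATTERNS = {
    "ike_version_mismatch": re.compile(
        r"ignoring INFORMATIONAL_V1 IKEv1 exchange on IKEv2 SA"),
    "peer_id_mismatch": re.compile(
        r"IDir '(?P<received>[^']+)' does not match to '(?P<expected>[^']+)'"),
}


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse 'conn <name>' blocks of 'key = value' lines into a dict per conn."""
    conns: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            conns[current] = {}
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            conns[current][key] = value
    return conns


def find_symptoms(log_text: str) -> List[Dict[str, str]]:
    """Return one record per log line that matches a known symptom."""
    found: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        for name, pattern in SYMPTOM_PATTERNS.items():
            match = pattern.search(line)
            if match:
                record = {"symptom": name, "line": line.strip()}
                record.update(match.groupdict())
                found.append(record)
    return found


def diagnose(conf_text: str, log_text: str) -> List[str]:
    """Map each distinct symptom to the configuration change it points at."""
    conns = parse_ipsec_conf(conf_text)
    advice: List[str] = []
    seen = set()
    for record in find_symptoms(log_text):
        name = record["symptom"]
        if name in seen:
            continue
        seen.add(name)
        if name == "ike_version_mismatch":
            # strongSwan's default keyexchange is 'ike' (auto), hence the fallback.
            for conn, opts in conns.items():
                if opts.get("keyexchange", "ike") == "ike":
                    advice.append(
                        f"conn {conn}: peer answered an IKEv2 SA with IKEv1; set "
                        f"'keyexchange = ikev1' (pfSense: Key Exchange version = IKEv1) instead of auto")
        elif name == "peer_id_mismatch":
            advice.append(
                f"peer identified itself as '{record['received']}' but rightid expects "
                f"'{record['expected']}'; make rightid match the ID the peer really sends, "
                f"or change the ID the peer sends")
    return advice


def set_keyexchange(conf_text: str, conn_name: str, version: str) -> str:
    """Return conf text with keyexchange rewritten for one conn only."""
    out: List[str] = []
    current = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
        if current == conn_name and line.startswith("keyexchange"):
            out.append(f"keyexchange = {version}")
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for text in (CHARON_LOG, IPSEC_UP_OUTPUT):
        for item in diagnose(IPSEC_CONF, text):
            print(item)
    print(set_keyexchange(IPSEC_CONF, "con1", "ikev1"))
```

Run against the first log, the only advice is the keyexchange change the accepted answer gives; after set_keyexchange has been applied the same log produces no advice, which is a cheap regression check to keep next to a tunnel that must be initiated from either side. The IDir branch only reports the two identities; which side to change is a policy decision for whoever owns the peer.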
-
@saqibshakeel035 said in [SOLVED] IPSec site-to-site establishes but only initiated from remote:
Any suggestions?
Yes. You probably want to start a new thread. This one is years-old. Locking.