IPsec doesn't work anymore when behind router



    Hello everyone,

    Unfortunately, my pfSense IPsec VPN connection does not work anymore since I am behind a new router.
    My internet service provider has sent me a new router and I cannot put it in bridge mode.

    Therefore, I have set up a DMZ host on my new router pointing to my pfSense box.
    Everything is working fine for now, except my IPsec VPN.

    Hope someone here has a clue. I have tried almost everything, but I cannot get it to work anymore.

    My setup:

    WAN IP --> Router from ISP --> 10.10.10.2 (DMZ) --> pfSense

    Here is my connection log:

    
    Feb 15 09:23:43	charon: 10[NET] <30> received packet: from 31.161.206.214[500] to 10.10.10.2[500] (763 bytes)
    Feb 15 09:23:43	charon: 10[ENC] <30> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
    Feb 15 09:23:43	charon: 10[IKE] <30> received FRAGMENTATION vendor ID
    Feb 15 09:23:43	charon: 10[IKE] <30> received NAT-T (RFC 3947) vendor ID
    Feb 15 09:23:43	charon: 10[IKE] <30> received draft-ietf-ipsec-nat-t-ike vendor ID
    Feb 15 09:23:43	charon: 10[IKE] <30> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
    Feb 15 09:23:43	charon: 10[IKE] <30> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
    Feb 15 09:23:43	charon: 10[IKE] <30> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
    Feb 15 09:23:43	charon: 10[IKE] <30> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
    Feb 15 09:23:43	charon: 10[IKE] <30> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
    Feb 15 09:23:43	charon: 10[IKE] <30> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Feb 15 09:23:43	charon: 10[IKE] <30> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Feb 15 09:23:43	charon: 10[IKE] <30> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Feb 15 09:23:43	charon: 10[IKE] <30> received XAuth vendor ID
    Feb 15 09:23:43	charon: 10[IKE] <30> received Cisco Unity vendor ID
    Feb 15 09:23:43	charon: 10[IKE] <30> received DPD vendor ID
    Feb 15 09:23:43	charon: 10[IKE] <30> 31.161.206.214 is initiating a Aggressive Mode IKE_SA
    Feb 15 09:23:43	charon: 10[CFG] <30> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
    Feb 15 09:23:43	charon: 10[CFG] <30> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Feb 15 09:23:43	charon: 10[IKE] <30> no proposal found
    Feb 15 09:23:43	charon: 10[ENC] <30> generating INFORMATIONAL_V1 request 1996475904 [ N(NO_PROP) ]
    Feb 15 09:23:43	charon: 10[NET] <30> sending packet: from 10.10.10.2[500] to 31.161.206.214[500] (56 bytes)
    Feb 15 09:23:44	charon: 08[NET] <31> received packet: from 31.161.206.214[500] to 10.10.10.2[500] (763 bytes)
    Feb 15 09:23:44	charon: 08[ENC] <31> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
    Feb 15 09:23:44	charon: 08[IKE] <31> received FRAGMENTATION vendor ID
    Feb 15 09:23:44	charon: 08[IKE] <31> received NAT-T (RFC 3947) vendor ID
    Feb 15 09:23:44	charon: 08[IKE] <31> received draft-ietf-ipsec-nat-t-ike vendor ID
    Feb 15 09:23:44	charon: 08[IKE] <31> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
    Feb 15 09:23:44	charon: 08[IKE] <31> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
    Feb 15 09:23:44	charon: 08[IKE] <31> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
    Feb 15 09:23:44	charon: 08[IKE] <31> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
    Feb 15 09:23:44	charon: 08[IKE] <31> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
    Feb 15 09:23:44	charon: 08[IKE] <31> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Feb 15 09:23:44	charon: 08[IKE] <31> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Feb 15 09:23:44	charon: 08[IKE] <31> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Feb 15 09:23:44	charon: 08[IKE] <31> received XAuth vendor ID
    Feb 15 09:23:44	charon: 08[IKE] <31> received Cisco Unity vendor ID
    Feb 15 09:23:44	charon: 08[IKE] <31> received DPD vendor ID
    Feb 15 09:23:44	charon: 08[IKE] <31> 31.161.206.214 is initiating a Aggressive Mode IKE_SA
    Feb 15 09:23:44	charon: 08[CFG] <31> looking for XAuthInitPSK peer configs matching 10.10.10.2...31.161.206.214[EwesVPN]
    Feb 15 09:23:44	charon: 08[CFG] <31> selected peer config "con1"
    Feb 15 09:23:44	charon: 08[ENC] <con1|31>generating AGGRESSIVE response 0 [ SA KE No ID V V V V NAT-D NAT-D HASH ]
    Feb 15 09:23:44	charon: 08[NET] <con1|31>sending packet: from 10.10.10.2[500] to 31.161.206.214[500] (412 bytes)
    Feb 15 09:23:48	charon: 07[IKE] <con1|31>sending retransmit 1 of response message ID 0, seq 1
    Feb 15 09:23:48	charon: 07[NET] <con1|31>sending packet: from 10.10.10.2[500] to 31.161.206.214[500] (412 bytes)
    Feb 15 09:23:55	charon: 10[IKE] <con1|31>sending retransmit 2 of response message ID 0, seq 1
    Feb 15 09:23:55	charon: 10[NET] <con1|31>sending packet: from 10.10.10.2[500] to 31.161.206.214[500] (412 bytes)
    Feb 15 09:24:08	charon: 07[IKE] <con1|31>sending retransmit 3 of response message ID 0, seq 1
    Feb 15 09:24:08	charon: 07[NET] <con1|31>sending packet: from 10.10.10.2[500] to 31.161.206.214[500] (412 bytes)
    Feb 15 09:24:14	charon: 07[JOB] <con1|31>deleting half open IKE_SA after timeout
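To read a charon log like the one above mechanically, here is an added Python triage script (an editor's example, not code from the post or from pfSense/strongSwan). It assumes the pfSense log-viewer line layout shown above and the four-slot IKEv1 proposal format; the sample lines are copied from the post. It groups messages per IKE_SA, names the proposal slot the two peers cannot agree on, and flags a responder message that was retransmitted until the half-open SA timed out.

```python
import re
from collections import defaultdict

# One strongSwan charon line as pfSense's log viewer shows it ("Feb 15 09:23:43<TAB>charon: 10[CFG] <30> ...").
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\s+charon: \d+\[(?P<sub>\w+)\]\s+"
    r"<(?P<sa>[^>]+)>\s*(?P<msg>.*)$")
FIELDS = ("encryption", "integrity", "prf", "dh_group")  # IKEv1 proposal transform slots

# Constructed sample: a subset of the lines quoted in the post above (tabs as in the original).
SAMPLE_LOG = """\
Feb 15 09:23:43\tcharon: 10[CFG] <30> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Feb 15 09:23:43\tcharon: 10[CFG] <30> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 15 09:23:43\tcharon: 10[IKE] <30> no proposal found
Feb 15 09:23:44\tcharon: 08[CFG] <31> selected peer config "con1"
Feb 15 09:23:44\tcharon: 08[NET] <con1|31>sending packet: from 10.10.10.2[500] to 31.161.206.214[500] (412 bytes)
Feb 15 09:23:48\tcharon: 07[IKE] <con1|31>sending retransmit 1 of response message ID 0, seq 1
Feb 15 09:23:55\tcharon: 10[IKE] <con1|31>sending retransmit 2 of response message ID 0, seq 1
Feb 15 09:24:08\tcharon: 07[IKE] <con1|31>sending retransmit 3 of response message ID 0, seq 1
Feb 15 09:24:14\tcharon: 07[JOB] <con1|31>deleting half open IKE_SA after timeout
"""


def proposals(text):
    """'IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, ...' -> list of 4-tuples."""
    return [tuple(p.strip()[4:].split("/")) for p in text.split(",") if p.strip().startswith("IKE:")]


def triage(lines):
    """Group messages per IKE_SA ('<31>' and '<con1|31>' are the same SA); return (sa_id, finding) pairs."""
    by_sa = defaultdict(list)
    for m in filter(None, (LINE_RE.match(line.strip()) for line in lines)):
        by_sa[m["sa"].split("|")[-1]].append(m["msg"])
    findings = []
    for sa, msgs in sorted(by_sa.items(), key=lambda kv: int(kv[0])):
        recv, conf, retransmits = None, None, 0
        for msg in msgs:
            if msg.startswith("received proposals: "):
                recv = proposals(msg.split(": ", 1)[1])
            elif msg.startswith("configured proposals: "):
                conf = proposals(msg.split(": ", 1)[1])
            elif msg == "no proposal found" and recv and conf:
                for i, name in enumerate(FIELDS):  # name the slot(s) where the two sides share nothing
                    theirs, mine = {p[i] for p in recv}, {p[i] for p in conf}
                    if not theirs & mine:
                        findings.append((sa, f"no common {name}: peer offers {sorted(theirs)}, local has {sorted(mine)}"))
            elif msg.startswith("sending retransmit"):
                retransmits += 1
            elif msg.startswith("deleting half open IKE_SA"):
                findings.append((sa, f"our response was never acknowledged after {retransmits} retransmits; "
                                     "check that UDP 500/4500 replies from pfSense reach the peer"))
    return findings
```

Run against the post's log it reports two things: IKE_SA 30 fails because the peer only offers MODP_2048 while the local proposal has MODP_1024, and IKE_SA 31's Aggressive Mode response goes out but is never acknowledged, which points at the return path through the ISP router rather than at the proposal.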