Can Not Establish IPSEC Connection – PFSense Behind Cisco Router



  • Hello Community,

    I have been looking through documentation, and tried a few, but I am still stuck on trying to establish an IPSEC connection from a client (IOS or Windows). The setup that I have is: WAN Connection --> Cisco 4431 Router --> PF Sense --> LAN

    I have created the Phase 1 + 2 settings with

    Phase 1:

    Interface: WAN
    Authentication Method: PSK + Xauth
    Negotiation Mode: Aggressive
    My Identifier: My IP Address
    Peer Identifier: Distinguished Name

    Proposal: AES / 128-bit
    Hash: SHA1
    DH Group: 2 - 1024 bit
    Checked Responder Only
    Nat Traversal: Force

    Phase 2:

    Local Network: LAN subnet
    Protocol: ESP
    Encryption Algorithm: Checked AES / 128-bit
    Hash: SHA1
    PFS Key Group: Grayed Out
    Lifetime: 3600

    Router settings and log messages are as follows:

    interface GigabitEthernet0/0/0
    description WAN side
    ip address x.x.208.170 255.255.255.248
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip verify unicast reverse-path
    ip access-group 110 in
    load-interval 30
    media-type sfp
    negotiation auto
    ip virtual-reassembly
    !
    interface GigabitEthernet0/0/1
    shutdown
    !
    interface GigabitEthernet0/0/2
    description LAN Side
    ip address 10.20.0.1 255.255.255.252
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    negotiation auto
    ip virtual-reassembly
    !
    interface GigabitEthernet0
    vrf forwarding Mgmt-intf
    no ip address
    shutdown
    negotiation auto
    !
    ip nat inside source list 111 interface GigabitEthernet0/0/0 overload
    ip nat inside source static udp 10.20.0.2 500 interface GigabitEthernet0/0/0 500
    ip nat inside source static esp 10.20.0.2 interface GigabitEthernet0/0/0
    ip nat inside source static tcp 10.20.0.2 22 x.x.208.170 1022 extendable
    ip forward-protocol nd
    ip http server
    no ip http secure-server
    ip tftp source-interface GigabitEthernet0/0/1
    ip route 0.0.0.0 0.0.0.0 x.x.208.169
    ip route 10.30.0.0 255.255.255.224 10.20.0.2
    !
    !
    access-list 110 permit udp any any
    access-list 110 permit ip any any
    access-list 111 permit ip any any log
    !

    Feb 18 13:09:00 charon 08[NET] <17> received packet: from 103.46.209.154[500] to 10.20.0.2[500] (761 bytes)
    Feb 18 13:09:00 charon 08[ENC] <17> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
    Feb 18 13:09:00 charon 08[IKE] <17> received FRAGMENTATION vendor ID
    Feb 18 13:09:00 charon 08[IKE] <17> received NAT-T (RFC 3947) vendor ID
    Feb 18 13:09:00 charon 08[IKE] <17> received draft-ietf-ipsec-nat-t-ike vendor ID
    Feb 18 13:09:00 charon 08[IKE] <17> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
    Feb 18 13:09:00 charon 08[IKE] <17> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
    Feb 18 13:09:00 charon 08[IKE] <17> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
    Feb 18 13:09:00 charon 08[IKE] <17> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
    Feb 18 13:09:00 charon 08[IKE] <17> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
    Feb 18 13:09:00 charon 08[IKE] <17> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Feb 18 13:09:00 charon 08[IKE] <17> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Feb 18 13:09:00 charon 08[IKE] <17> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Feb 18 13:09:00 charon 08[IKE] <17> received XAuth vendor ID
    Feb 18 13:09:00 charon 08[IKE] <17> received Cisco Unity vendor ID
    Feb 18 13:09:00 charon 08[IKE] <17> received DPD vendor ID
    Feb 18 13:09:00 charon 08[IKE] <17> 103.46.209.154 is initiating a Aggressive Mode IKE_SA
    Feb 18 13:09:00 charon 08[CFG] <17> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
    Feb 18 13:09:00 charon 08[CFG] <17> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Feb 18 13:09:00 charon 08[IKE] <17> no proposal found
    Feb 18 13:09:00 charon 08[ENC] <17> generating INFORMATIONAL_V1 request 3836950386 [ N(NO_PROP) ]
    Feb 18 13:09:00 charon 08[NET] <17> sending packet: from 10.20.0.2[500] to 103.46.209.154[500] (56 bytes)
    Feb 18 13:09:00 charon 08[NET] <18> received packet: from 103.46.209.154[500] to 10.20.0.2[500] (761 bytes)
    Feb 18 13:09:00 charon 08[ENC] <18> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
    Feb 18 13:09:00 charon 08[IKE] <18> received FRAGMENTATION vendor ID
    Feb 18 13:09:00 charon 08[IKE] <18> received NAT-T (RFC 3947) vendor ID
    Feb 18 13:09:00 charon 08[IKE] <18> received draft-ietf-ipsec-nat-t-ike vendor ID
    Feb 18 13:09:00 charon 08[IKE] <18> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
    Feb 18 13:09:00 charon 08[IKE] <18> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
    Feb 18 13:09:00 charon 08[IKE] <18> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
    Feb 18 13:09:00 charon 08[IKE] <18> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
    Feb 18 13:09:00 charon 08[IKE] <18> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
    Feb 18 13:09:00 charon 08[IKE] <18> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Feb 18 13:09:00 charon 08[IKE] <18> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Feb 18 13:09:00 charon 08[IKE] <18> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Feb 18 13:09:00 charon 08[IKE] <18> received XAuth vendor ID
    Feb 18 13:09:00 charon 08[IKE] <18> received Cisco Unity vendor ID
    Feb 18 13:09:00 charon 08[IKE] <18> received DPD vendor ID
    Feb 18 13:09:00 charon 08[IKE] <18> 103.46.209.154 is initiating a Aggressive Mode IKE_SA
    Feb 18 13:09:00 charon 08[CFG] <18> looking for XAuthInitPSK peer configs matching 10.20.0.2...103.46.209.154[cisco]
    Feb 18 13:09:00 charon 08[CFG] <18> selected peer config "con1"
    Feb 18 13:09:00 charon 08[ENC] <con1|18>generating AGGRESSIVE response 0 [ SA KE No ID V V V V NAT-D NAT-D HASH ]
    Feb 18 13:09:00 charon 08[NET] <con1|18>sending packet: from 10.20.0.2[500] to 103.46.209.154[500] (412 bytes)
    Feb 18 13:09:04 charon 08[IKE] <con1|18>sending retransmit 1 of response message ID 0, seq 1
    Feb 18 13:09:04 charon 08[NET] <con1|18>sending packet: from 10.20.0.2[500] to 103.46.209.154[500] (412 bytes)
    Feb 18 13:09:09 charon 10[CFG] received stroke: terminate 'con1000'
    Feb 18 13:09:09 charon 10[CFG] no IKE_SA named 'con1000' found
    Feb 18 13:09:09 charon 08[CFG] received stroke: initiate 'con1000'
    Feb 18 13:09:09 charon 08[CFG] no config named 'con1000'
    Feb 18 13:09:11 charon 10[IKE] <con1|18>sending retransmit 2 of response message ID 0, seq 1
    Feb 18 13:09:11 charon 10[NET] <con1|18>sending packet: from 10.20.0.2[500] to 103.46.209.154[500] (412 bytes)
    Feb 18 13:09:24 charon 13[IKE] <con1|18>sending retransmit 3 of response message ID 0, seq 1
    Feb 18 13:09:24 charon 13[NET] <con1|18>sending packet: from 10.20.0.2[500] to 103.46.209.154[500] (412 bytes)
    Feb 18 13:09:30 charon 14[JOB] <con1|18>deleting half open IKE_SA after timeout
    Feb 18 14:22:14 charon 10[NET] <19> received packet: from 103.46.209.154[500] to 10.20.0.2[500] (761 bytes)
    Feb 18 14:22:14 charon 10[ENC] <19> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
    Feb 18 14:22:14 charon 10[IKE] <19> received FRAGMENTATION vendor ID
    Feb 18 14:22:14 charon 10[IKE] <19> received NAT-T (RFC 3947) vendor ID
    Feb 18 14:22:14 charon 10[IKE] <19> received draft-ietf-ipsec-nat-t-ike vendor ID
    Feb 18 14:22:14 charon 10[IKE] <19> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
    Feb 18 14:22:14 charon 10[IKE] <19> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
    Feb 18 14:22:14 charon 10[IKE] <19> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
    Feb 18 14:22:14 charon 10[IKE] <19> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
    Feb 18 14:22:14 charon 10[IKE] <19> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
    Feb 18 14:22:14 charon 10[IKE] <19> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Feb 18 14:22:14 charon 10[IKE] <19> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Feb 18 14:22:14 charon 10[IKE] <19> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Feb 18 14:22:14 charon 10[IKE] <19> received XAuth vendor ID
    Feb 18 14:22:14 charon 10[IKE] <19> received Cisco Unity vendor ID
    Feb 18 14:22:14 charon 10[IKE] <19> received DPD vendor ID
    Feb 18 14:22:14 charon 10[IKE] <19> 103.46.209.154 is initiating a Aggressive Mode IKE_SA
    Feb 18 14:22:14 charon 10[CFG] <19> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
    Feb 18 14:22:14 charon 10[CFG] <19> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Feb 18 14:22:14 charon 10[IKE] <19> no proposal found
    Feb 18 14:22:14 charon 10[ENC] <19> generating INFORMATIONAL_V1 request 3476172714 [ N(NO_PROP) ]
    Feb 18 14:22:14 charon 10[NET] <19> sending packet: from 10.20.0.2[500] to 103.46.209.154[500] (56 bytes)
    Feb 18 14:22:14 charon 10[NET] <20> received packet: from 103.46.209.154[500] to 10.20.0.2[500] (761 bytes)
    Feb 18 14:22:14 charon 10[ENC] <20> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
    Feb 18 14:22:14 charon 10[IKE] <20> received FRAGMENTATION vendor ID
    Feb 18 14:22:14 charon 10[IKE] <20> received NAT-T (RFC 3947) vendor ID
    Feb 18 14:22:14 charon 10[IKE] <20> received draft-ietf-ipsec-nat-t-ike vendor ID
    Feb 18 14:22:14 charon 10[IKE] <20> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
    Feb 18 14:22:14 charon 10[IKE] <20> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
    Feb 18 14:22:14 charon 10[IKE] <20> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
    Feb 18 14:22:14 charon 10[IKE] <20> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
    Feb 18 14:22:14 charon 10[IKE] <20> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
    Feb 18 14:22:14 charon 10[IKE] <20> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Feb 18 14:22:14 charon 10[IKE] <20> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Feb 18 14:22:14 charon 10[IKE] <20> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Feb 18 14:22:14 charon 10[IKE] <20> received XAuth vendor ID
    Feb 18 14:22:14 charon 10[IKE] <20> received Cisco Unity vendor ID
    Feb 18 14:22:14 charon 10[IKE] <20> received DPD vendor ID
    Feb 18 14:22:14 charon 10[IKE] <20> 103.46.209.154 is initiating a Aggressive Mode IKE_SA
    Feb 18 14:22:14 charon 10[CFG] <20> looking for XAuthInitPSK peer configs matching 10.20.0.2...103.46.209.154[cisco]
    Feb 18 14:22:14 charon 10[CFG] <20> selected peer config "con1"
    Feb 18 14:22:14 charon 10[ENC] <con1|20>generating AGGRESSIVE response 0 [ SA KE No ID V V V V NAT-D NAT-D HASH ]
    Feb 18 14:22:14 charon 10[NET] <con1|20>sending packet: from 10.20.0.2[500] to 103.46.209.154[500] (412 bytes)
    Feb 18 14:22:18 charon 10[IKE] <con1|20>sending retransmit 1 of response message ID 0, seq 1
    Feb 18 14:22:18 charon 10[NET] <con1|20>sending packet: from 10.20.0.2[500] to 103.46.209.154[500] (412 bytes)
    Feb 18 14:22:25 charon 10[IKE] <con1|20>sending retransmit 2 of response message ID 0, seq 1
    Feb 18 14:22:25 charon 10[NET] <con1|20>sending packet: from 10.20.0.2[500] to 103.46.209.154[500] (412 bytes)
    Feb 18 14:22:38 charon 10[IKE] <con1|20>sending retransmit 3 of response message ID 0, seq 1
    Feb 18 14:22:38 charon 10[NET] <con1|20>sending packet: from 10.20.0.2[500] to 103.46.209.154[500] (412 bytes)
    Feb 18 14:22:44 charon 10[JOB] <con1|20>deleting half open IKE_SA after timeout

    Please Help!!!
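
An added example, not part of the original post and not pfSense or strongSwan code: a small Python parser for charon lines like those quoted above. It groups messages by IKE_SA number, lists the transform types where the client's offer and the configured proposal have nothing in common, and counts response retransmits before a half-open timeout. The sample lines are abridged from the post's log, and the function names are illustrative.

```python
import re
from collections import defaultdict

# Sample lines abridged from the charon log quoted in the post above
# (the "received proposals" line is shortened to two of its four entries).
SAMPLE_LOG = """\
Feb 18 13:09:00 charon 08[CFG] <17> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Feb 18 13:09:00 charon 08[CFG] <17> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 18 13:09:00 charon 08[IKE] <17> no proposal found
Feb 18 13:09:00 charon 08[CFG] <18> selected peer config "con1"
Feb 18 13:09:00 charon 08[NET] <con1|18>sending packet: from 10.20.0.2[500] to 103.46.209.154[500] (412 bytes)
Feb 18 13:09:04 charon 08[IKE] <con1|18>sending retransmit 1 of response message ID 0, seq 1
Feb 18 13:09:09 charon 10[CFG] received stroke: terminate 'con1000'
Feb 18 13:09:11 charon 10[IKE] <con1|18>sending retransmit 2 of response message ID 0, seq 1
Feb 18 13:09:24 charon 13[IKE] <con1|18>sending retransmit 3 of response message ID 0, seq 1
Feb 18 13:09:30 charon 14[JOB] <con1|18>deleting half open IKE_SA after timeout
"""

# "<17> msg" and "<con1|18>msg" both carry the IKE_SA number; lines without one are skipped.
LINE_RE = re.compile(r"^\w{3}\s+\d+ [\d:]+ charon \d+\[\w+\] <(?:[^|>]*\|)?(\d+)>\s*(.*)$")
KINDS = ("encr", "integ", "prf", "dh")


def transform_kind(name):
    """Classify a transform name as printed by charon (prefix-based heuristic)."""
    if name.startswith("PRF_"):
        return "prf"
    if name.startswith(("MODP_", "ECP_", "CURVE_")):
        return "dh"
    if name.startswith("HMAC_"):
        return "integ"
    return "encr"


def parse_proposals(text):
    """'IKE:A/B/C/D, IKE:...' -> list of {kind: set of transform names}."""
    proposals = []
    for item in text.split(","):
        prop = defaultdict(set)
        for name in item.strip().split(":", 1)[-1].split("/"):
            prop[transform_kind(name)].add(name)
        proposals.append(prop)
    return proposals


def acceptable(received, configured):
    """True if some received proposal shares a transform of every kind with a configured one."""
    return any(all(r[k] & c[k] for k in KINDS if r[k] or c[k])
               for r in received for c in configured)


def analyze(log_text):
    """Group log lines by IKE_SA number and record proposals, retransmits and outcome."""
    sas = defaultdict(lambda: {"received": [], "configured": [],
                               "retransmits": 0, "outcome": "unknown"})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        sa_id, msg = m.groups()
        sa = sas[sa_id]
        if msg.startswith("received proposals: "):
            sa["received"] = parse_proposals(msg.split(": ", 1)[1])
        elif msg.startswith("configured proposals: "):
            sa["configured"] = parse_proposals(msg.split(": ", 1)[1])
        elif msg == "no proposal found":
            sa["outcome"] = "no_proposal"
        elif msg.startswith("sending retransmit "):
            sa["retransmits"] += 1
        elif msg.startswith("deleting half open IKE_SA"):
            sa["outcome"] = "half_open_timeout"
    return dict(sas)


def disjoint_kinds(sa):
    """Transform kinds where nothing the peer offered appears in the local configuration."""
    out = {}
    for k in KINDS:
        offered = set().union(*(p[k] for p in sa["received"]))
        local = set().union(*(p[k] for p in sa["configured"]))
        if offered and local and not offered & local:
            out[k] = (sorted(offered), sorted(local))
    return out


if __name__ == "__main__":
    for sa_id, sa in analyze(SAMPLE_LOG).items():
        print(sa_id, sa["outcome"], "retransmits:", sa["retransmits"], disjoint_kinds(sa))
```

On the quoted log, SA 17 is rejected because the peer offered only AES_CBC_256 with MODP_2048 while the configured proposal is AES_CBC_128 with MODP_1024; SA 18 selects con1, but its response is retransmitted three times before the half-open SA is deleted.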



  • Now seeing the attempted connection under Status --> IPSEC:

    Time Process PID Message
    Feb 19 15:12:25 charon 07[NET] received packet: from 103.46.209.154[500] to 10.20.0.2[500]
    Feb 19 15:12:25 charon 07[NET] waiting for data on sockets
    Feb 19 15:12:25 charon 12[MGR] checkout IKEv1 SA by message with SPIs 7ba7c04f2b6e9753_i 0000000000000000_r
    Feb 19 15:12:25 charon 12[MGR] created IKE_SA (unnamed)[3]
    Feb 19 15:12:25 charon 12[NET] <3> received packet: from 103.46.209.154[500] to 10.20.0.2[500] (771 bytes)
    Feb 19 15:12:25 charon 12[IKE] <3> received FRAGMENTATION vendor ID
    Feb 19 15:12:25 charon 12[IKE] <3> received NAT-T (RFC 3947) vendor ID
    Feb 19 15:12:25 charon 12[IKE] <3> received draft-ietf-ipsec-nat-t-ike vendor ID
    Feb 19 15:12:25 charon 12[IKE] <3> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
    Feb 19 15:12:25 charon 12[IKE] <3> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
    Feb 19 15:12:25 charon 12[IKE] <3> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
    Feb 19 15:12:25 charon 12[IKE] <3> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
    Feb 19 15:12:25 charon 12[IKE] <3> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
    Feb 19 15:12:25 charon 12[IKE] <3> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Feb 19 15:12:25 charon 12[IKE] <3> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Feb 19 15:12:25 charon 12[IKE] <3> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Feb 19 15:12:25 charon 12[IKE] <3> received XAuth vendor ID
    Feb 19 15:12:25 charon 12[IKE] <3> received Cisco Unity vendor ID
    Feb 19 15:12:25 charon 12[IKE] <3> received DPD vendor ID
    Feb 19 15:12:25 charon 12[IKE] <3> 103.46.209.154 is initiating a Aggressive Mode IKE_SA
    Feb 19 15:12:25 charon 12[IKE] <3> IKE_SA (unnamed)[3] state change: CREATED => CONNECTING
    Feb 19 15:12:25 charon 12[IKE] <3> no proposal found
    Feb 19 15:12:25 charon 12[IKE] <3> queueing INFORMATIONAL task
    Feb 19 15:12:25 charon 12[IKE] <3> activating new tasks
    Feb 19 15:12:25 charon 12[IKE] <3> activating INFORMATIONAL task
    Feb 19 15:12:25 charon 12[NET] <3> sending packet: from 10.20.0.2[500] to 103.46.209.154[500] (56 bytes)
    Feb 19 15:12:25 charon 12[MGR] <3> checkin and destroy IKE_SA (unnamed)[3]
    Feb 19 15:12:25 charon 04[NET] sending packet: from 10.20.0.2[500] to 103.46.209.154[500]
    Feb 19 15:12:25 charon 12[IKE] <3> IKE_SA (unnamed)[3] state change: CONNECTING => DESTROYING
    Feb 19 15:12:25 charon 12[MGR] checkin and destroy of IKE_SA successful
    Feb 19 15:12:25 charon 07[NET] received packet: from 103.46.209.154[500] to 10.20.0.2[500]
    Feb 19 15:12:25 charon 07[NET] waiting for data on sockets
    Feb 19 15:12:25 charon 12[MGR] checkout IKEv1 SA by message with SPIs c24d4bc5c9ba68b2_i 0000000000000000_r
    Feb 19 15:12:25 charon 12[MGR] created IKE_SA (unnamed)[4]
    Feb 19 15:12:25 charon 12[NET] <4> received packet: from 103.46.209.154[500] to 10.20.0.2[500] (771 bytes)
    Feb 19 15:12:25 charon 12[IKE] <4> received FRAGMENTATION vendor ID
    Feb 19 15:12:25 charon 12[IKE] <4> received NAT-T (RFC 3947) vendor ID
    Feb 19 15:12:25 charon 12[IKE] <4> received draft-ietf-ipsec-nat-t-ike vendor ID
    Feb 19 15:12:25 charon 12[IKE] <4> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
    Feb 19 15:12:25 charon 12[IKE] <4> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
    Feb 19 15:12:25 charon 12[IKE] <4> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
    Feb 19 15:12:25 charon 12[IKE] <4> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
    Feb 19 15:12:25 charon 12[IKE] <4> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
    Feb 19 15:12:25 charon 12[IKE] <4> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Feb 19 15:12:25 charon 12[IKE] <4> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Feb 19 15:12:25 charon 12[IKE] <4> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Feb 19 15:12:25 charon 12[IKE] <4> received XAuth vendor ID
    Feb 19 15:12:25 charon 12[IKE] <4> received Cisco Unity vendor ID
    Feb 19 15:12:25 charon 12[IKE] <4> received DPD vendor ID
    Feb 19 15:12:25 charon 12[IKE] <4> 103.46.209.154 is initiating a Aggressive Mode IKE_SA
    Feb 19 15:12:25 charon 12[IKE] <4> IKE_SA (unnamed)[4] state change: CREATED => CONNECTING
    Feb 19 15:12:25 charon 12[LIB] <4> size of DH secret exponent: 1023 bits
    Feb 19 15:12:25 charon 12[IKE] <con1|4>sending XAuth vendor ID
    Feb 19 15:12:25 charon 12[IKE] <con1|4>sending DPD vendor ID
    Feb 19 15:12:25 charon 12[IKE] <con1|4>sending Cisco Unity vendor ID
    Feb 19 15:12:25 charon 12[IKE] <con1|4>sending FRAGMENTATION vendor ID
    Feb 19 15:12:25 charon 12[IKE] <con1|4>sending NAT-T (RFC 3947) vendor ID
    Feb 19 15:12:25 charon 12[NET] <con1|4>sending packet: from 10.20.0.2[500] to 103.46.209.154[500] (428 bytes)
    Feb 19 15:12:25 charon 12[MGR] <con1|4>checkin IKE_SA con1[4]
    Feb 19 15:12:25 charon 04[NET] sending packet: from 10.20.0.2[500] to 103.46.209.154[500]
    Feb 19 15:12:25 charon 12[MGR] <con1|4>checkin of IKE_SA successful
    Feb 19 15:12:29 charon 12[MGR] checkout IKEv1 SA with SPIs c24d4bc5c9ba68b2_i f79e3272d7218d04_r
    Feb 19 15:12:29 charon 12[MGR] IKE_SA con1[4] successfully checked out
    Feb 19 15:12:29 charon 12[IKE] <con1|4>sending retransmit 1 of response message ID 0, seq 1
    Feb 19 15:12:29 charon 12[NET] <con1|4>sending packet: from 10.20.0.2[500] to 103.46.209.154[500] (428 bytes)
    Feb 19 15:12:29 charon 12[MGR] <con1|4>checkin IKE_SA con1[4]
    Feb 19 15:12:29 charon 04[NET] sending packet: from 10.20.0.2[500] to 103.46.209.154[500]
    Feb 19 15:12:29 charon 12[MGR] <con1|4>checkin of IKE_SA successful
    Feb 19 15:12:36 charon 12[MGR] checkout IKEv1 SA with SPIs c24d4bc5c9ba68b2_i f79e3272d7218d04_r
    Feb 19 15:12:36 charon 12[MGR] IKE_SA con1[4] successfully checked out
    Feb 19 15:12:36 charon 12[IKE] <con1|4>sending retransmit 2 of response message ID 0, seq 1
    Feb 19 15:12:36 charon 12[NET] <con1|4>sending packet: from 10.20.0.2[500] to 103.46.209.154[500] (428 bytes)
    Feb 19 15:12:36 charon 12[MGR] <con1|4>checkin IKE_SA con1[4]
    Feb 19 15:12:36 charon 04[NET] sending packet: from 10.20.0.2[500] to 103.46.209.154[500]
    Feb 19 15:12:36 charon 12[MGR] <con1|4>checkin of IKE_SA successful
    Feb 19 15:12:49 charon 02[MGR] checkout IKEv1 SA with SPIs c24d4bc5c9ba68b2_i f79e3272d7218d04_r
    Feb 19 15:12:49 charon 02[MGR] IKE_SA con1[4] successfully checked out
    Feb 19 15:12:49 charon 02[IKE] <con1|4>sending retransmit 3 of response message ID 0, seq 1
    Feb 19 15:12:49 charon 02[NET] <con1|4>sending packet: from 10.20.0.2[500] to 103.46.209.154[500] (428 bytes)
    Feb 19 15:12:49 charon 02[MGR] <con1|4>checkin IKE_SA con1[4]
    Feb 19 15:12:49 charon 04[NET] sending packet: from 10.20.0.2[500] to 103.46.209.154[500]
    Feb 19 15:12:49 charon 02[MGR] <con1|4>checkin of IKE_SA successful
    Feb 19 15:12:55 charon 02[MGR] checkout IKEv1 SA with SPIs 7ba7c04f2b6e9753_i b49a71955a2f7a35_r
    Feb 19 15:12:55 charon 02[MGR] IKE_SA checkout not successful
    Feb 19 15:12:55 charon 06[MGR] checkout IKEv1 SA with SPIs c24d4bc5c9ba68b2_i f79e3272d7218d04_r
    Feb 19 15:12:55 charon 06[MGR] IKE_SA con1[4] successfully checked out
    Feb 19 15:12:55 charon 06[MGR] <con1|4>checkin and destroy IKE_SA con1[4]
    Feb 19 15:12:55 charon 06[IKE] <con1|4>IKE_SA con1[4] state change: CONNECTING => DESTROYING
    Feb 19 15:12:55 charon 06[MGR] checkin and destroy of IKE_SA successful
    Feb 19 15:13:12 charon 06[MGR] checkout IKEv1 SA with SPIs c24d4bc5c9ba68b2_i f79e3272d7218d04_r
    Feb 19 15:13:12 charon 06[MGR] IKE_SA checkout not successful
    Feb 19 15:25:04 charon 07[NET] received packet: from 172.30.3.163[500] to 10.20.0.2[500]
    Feb 19 15:25:04 charon 07[NET] waiting for data on sockets
    Feb 19 15:25:04 charon 11[MGR] checkout IKEv1 SA by message with SPIs 72c13bb99d21bb9e_i 0000000000000000_r
    Feb 19 15:25:04 charon 11[MGR] created IKE_SA (unnamed)[5]
    Feb 19 15:25:04 charon 11[NET] <5> received packet: from 172.30.3.163[500] to 10.20.0.2[500] (1183 bytes)
    Feb 19 15:25:04 charon 11[IKE] <5> received XAuth vendor ID
    Feb 19 15:25:04 charon 11[IKE] <5> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
    Feb 19 15:25:04 charon 11[IKE] <5> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Feb 19 15:25:04 charon 11[IKE] <5> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Feb 19 15:25:04 charon 11[IKE] <5> received NAT-T (RFC 3947) vendor ID
    Feb 19 15:25:04 charon 11[IKE] <5> received FRAGMENTATION vendor ID
    Feb 19 15:25:04 charon 11[IKE] <5> received DPD vendor ID
    Feb 19 15:25:04 charon 11[IKE] <5> received Cisco Unity vendor ID
    Feb 19 15:25:04 charon 11[IKE] <5> 172.30.3.163 is initiating a Aggressive Mode IKE_SA
    Feb 19 15:25:04 charon 11[IKE] <5> IKE_SA (unnamed)[5] state change: CREATED => CONNECTING
    Feb 19 15:25:04 charon 11[LIB] <5> size of DH secret exponent: 1023 bits
    Feb 19 15:25:04 charon 11[IKE] <con1|5>sending XAuth vendor ID
    Feb 19 15:25:04 charon 11[IKE] <con1|5>sending DPD vendor ID
    Feb 19 15:25:04 charon 11[IKE] <con1|5>sending Cisco Unity vendor ID
    Feb 19 15:25:04 charon 11[IKE] <con1|5>sending FRAGMENTATION vendor ID
    Feb 19 15:25:04 charon 11[IKE] <con1|5>sending NAT-T (RFC 3947) vendor ID
    Feb 19 15:25:04 charon 11[NET] <con1|5>sending packet: from 10.20.0.2[500] to 172.30.3.163[500] (432 bytes)
    Feb 19 15:25:04 charon 11[MGR] <con1|5>checkin IKE_SA con1[5]
    Feb 19 15:25:04 charon 11[MGR] <con1|5>checkin of IKE_SA successful
    Feb 19 15:25:04 charon 04[NET] sending packet: from 10.20.0.2[500] to 172.30.3.163[500]
    Feb 19 15:25:08 charon 11[MGR] checkout IKEv1 SA with SPIs 72c13bb99d21bb9e_i 27700ec4f94d446a_r
    Feb 19 15:25:08 charon 11[MGR] IKE_SA con1[5] successfully checked out
    Feb 19 15:25:08 charon 11[IKE] <con1|5>sending retransmit 1 of response message ID 0, seq 1
    Feb 19 15:25:08 charon 11[NET] <con1|5>sending packet: from 10.20.0.2[500] to 172.30.3.163[500] (432 bytes)
    Feb 19 15:25:08 charon 11[MGR] <con1|5>checkin IKE_SA con1[5]
    Feb 19 15:25:08 charon 11[MGR] <con1|5>checkin of IKE_SA successful
    Feb 19 15:25:08 charon 04[NET] sending packet: from 10.20.0.2[500] to 172.30.3.163[500]
    Feb 19 15:25:09 charon 07[NET] received packet: from 172.30.3.163[500] to 10.20.0.2[500]
    Feb 19 15:25:09 charon 07[NET] waiting for data on sockets
    Feb 19 15:25:09 charon 11[MGR] checkout IKEv1 SA by message with SPIs 72c13bb99d21bb9e_i 0000000000000000_r
    Feb 19 15:25:09 charon 11[MGR] IKE_SA con1[5] successfully checked out
    Feb 19 15:25:09 charon 11[NET] <con1|5>received packet: from 172.30.3.163[500] to 10.20.0.2[500] (1183 bytes)
    Feb 19 15:25:09 charon 11[IKE] <con1|5>received retransmit of request with ID 0, retransmitting response
    Feb 19 15:25:09 charon 11[NET] <con1|5>sending packet: from 10.20.0.2[500] to 172.30.3.163[500] (432 bytes)
    Feb 19 15:25:09 charon 11[MGR] <con1|5>checkin IKE_SA con1[5]
    Feb 19 15:25:09 charon 04[NET] sending packet: from 10.20.0.2[500] to 172.30.3.163[500]
    Feb 19 15:25:09 charon 11[MGR] <con1|5>checkin of IKE_SA successful
    Feb 19 15:25:14 charon 07[NET] received packet: from 172.30.3.163[500] to 10.20.0.2[500]
    Feb 19 15:25:14 charon 07[NET] waiting for data on sockets
    Feb 19 15:25:14 charon 11[MGR] checkout IKEv1 SA by message with SPIs 72c13bb99d21bb9e_i 0000000000000000_r
    Feb 19 15:25:14 charon 11[MGR] IKE_SA con1[5] successfully checked out
    Feb 19 15:25:14 charon 11[NET] <con1|5>received packet: from 172.30.3.163[500] to 10.20.0.2[500] (1183 bytes)
    Feb 19 15:25:14 charon 11[IKE] <con1|5>received retransmit of request with ID 0, retransmitting response
    Feb 19 15:25:14 charon 11[NET] <con1|5>sending packet: from 10.20.0.2[500] to 172.30.3.163[500] (432 bytes)
    Feb 19 15:25:14 charon 11[MGR] <con1|5>checkin IKE_SA con1[5]
    Feb 19 15:25:14 charon 04[NET] sending packet: from 10.20.0.2[500] to 172.30.3.163[500]
    Feb 19 15:25:14 charon 11[MGR] <con1|5>checkin of IKE_SA successful
    Feb 19 15:25:15 charon 11[MGR] checkout IKEv1 SA with SPIs 72c13bb99d21bb9e_i 27700ec4f94d446a_r
    Feb 19 15:25:15 charon 11[MGR] IKE_SA con1[5] successfully checked out
    Feb 19 15:25:15 charon 11[IKE] <con1|5>sending retransmit 2 of response message ID 0, seq 1
    Feb 19 15:25:15 charon 11[NET] <con1|5>sending packet: from 10.20.0.2[500] to 172.30.3.163[500] (432 bytes)
    Feb 19 15:25:15 charon 11[MGR] <con1|5>checkin IKE_SA con1[5]
    Feb 19 15:25:15 charon 04[NET] sending packet: from 10.20.0.2[500] to 172.30.3.163[500]
    Feb 19 15:25:15 charon 11[MGR] <con1|5>checkin of IKE_SA successful
    Feb 19 15:25:19 charon 07[NET] received packet: from 172.30.3.163[500] to 10.20.0.2[500]
    Feb 19 15:25:19 charon 07[NET] waiting for data on sockets
    Feb 19 15:25:19 charon 12[MGR] checkout IKEv1 SA by message with SPIs 72c13bb99d21bb9e_i 0000000000000000_r
    Feb 19 15:25:19 charon 12[MGR] IKE_SA con1[5] successfully checked out
    Feb 19 15:25:19 charon 12[NET] <con1|5>received packet: from 172.30.3.163[500] to 10.20.0.2[500] (1183 bytes)
    Feb 19 15:25:19 charon 12[IKE] <con1|5>received retransmit of request with ID 0, retransmitting response
    Feb 19 15:25:19 charon 12[NET] <con1|5>sending packet: from 10.20.0.2[500] to 172.30.3.163[500] (432 bytes)
    Feb 19 15:25:19 charon 12[MGR] <con1|5>checkin IKE_SA con1[5]
    Feb 19 15:25:19 charon 04[NET] sending packet: from 10.20.0.2[500] to 172.30.3.163[500]
    Feb 19 15:25:19 charon 12[MGR] <con1|5>checkin of IKE_SA successful
    Feb 19 15:25:28 charon 12[MGR] checkout IKEv1 SA with SPIs 72c13bb99d21bb9e_i 27700ec4f94d446a_r
    Feb 19 15:25:28 charon 12[MGR] IKE_SA con1[5] successfully checked out
    Feb 19 15:25:28 charon 12[IKE] <con1|5>sending retransmit 3 of response message ID 0, seq 1
    Feb 19 15:25:28 charon 12[NET] <con1|5>sending packet: from 10.20.0.2[500] to 172.30.3.163[500] (432 bytes)
    Feb 19 15:25:28 charon 12[MGR] <con1|5>checkin IKE_SA con1[5]
    Feb 19 15:25:28 charon 04[NET] sending packet: from 10.20.0.2[500] to 172.30.3.163[500]
    Feb 19 15:25:28 charon 12[MGR] <con1|5>checkin of IKE_SA successful
    Feb 19 15:25:34 charon 12[MGR] checkout IKEv1 SA with SPIs 72c13bb99d21bb9e_i 27700ec4f94d446a_r
    Feb 19 15:25:34 charon 12[MGR] IKE_SA con1[5] successfully checked out
    Feb 19 15:25:34 charon 12[MGR] <con1|5>checkin and destroy IKE_SA con1[5]
    Feb 19 15:25:34 charon 12[IKE] <con1|5>IKE_SA con1[5] state change: CONNECTING => DESTROYING
    Feb 19 15:25:34 charon 12[MGR] checkin and destroy of IKE_SA successful



  • Have you fixed this problem? It seems that I have exactly the same problem as you.
    My config is almost the same as yours. I hope someone could give the right answer.

