4. Can Not Establish IPSEC Connection – PFSense Behind Cisco Router

Can Not Establish IPSEC Connection – PFSense Behind Cisco Router

  • A

    Hello Community,

    I have been looking through documentation, and tried a few, but I am still stuck on trying to establish an IPSEC connection from a client (IOS or Windows). The setup that I have is: WAN Connection –> Cisco 4431 Router --> PF Sense --> LAN

    I have created the Phase 1 + 2 settings with

    Phase 1:

    Interface: WAN
    Authentication Method: PSK + Xauth
    Negotiation Mode: Aggressive
    My Identifier: My IP Address
    Peer Identifier: Distinguished Name

    Proposal: AES / 128-bit
    Hash: SHA1
    DH Group: 2 - 1024 bit
    Checked Responder Only
    Nat Traversal: Force

    Phase 2:

    Local Network: LAN subnet
    Protocol: ESP
    Encryption Algorithm: Checked AES / 128-bit
    Hash: SHA1
    PFS Key Group: Grayed Out
    Lifetime: 3600

    Router settings and log messages are as follows:

    interface GigabitEthernet0/0/0
    description WAN side
    ip address x.x.208.170 255.255.255.248
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip verify unicast reverse-path
    ip access-group 110 in
    load-interval 30
    media-type sfp
    negotiation auto
    ip virtual-reassembly
    !
    interface GigabitEthernet0/0/1
    shutdown
    !
    interface GigabitEthernet0/0/2
    description LAN Side
    ip address 10.20.0.1 255.255.255.252
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    negotiation auto
    ip virtual-reassembly
    !
    interface GigabitEthernet0
    vrf forwarding Mgmt-intf
    no ip address
    shutdown
    negotiation auto
    !
    ip nat inside source list 111 interface GigabitEthernet0/0/0 overload
    ip nat inside source static udp 10.20.0.2 500 interface GigabitEthernet0/0/0 500
    ip nat inside source static esp 10.20.0.2 interface GigabitEthernet0/0/0
    ip nat inside source static tcp 10.20.0.2 22 x.x.208.170 1022 extendable
    ip forward-protocol nd
    ip http server
    no ip http secure-server
    ip tftp source-interface GigabitEthernet0/0/1
    ip route 0.0.0.0 0.0.0.0 x.x.208.169
    ip route 10.30.0.0 255.255.255.224 10.20.0.2
    !
    !
    access-list 110 permit udp any any
    access-list 110 permit ip any any
    access-list 111 permit ip any any log
    !

    Feb 18 13:09:00 charon 08[NET] <17> received packet: from 103.46.209.154[500] to 10.20.0.2[500] (761 bytes)
    Feb 18 13:09:00 charon 08[ENC] <17> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
    Feb 18 13:09:00 charon 08[IKE] <17> received FRAGMENTATION vendor ID
    Feb 18 13:09:00 charon 08[IKE] <17> received NAT-T (RFC 3947) vendor ID
    Feb 18 13:09:00 charon 08[IKE] <17> received draft-ietf-ipsec-nat-t-ike vendor ID
    Feb 18 13:09:00 charon 08[IKE] <17> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
    Feb 18 13:09:00 charon 08[IKE] <17> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
    Feb 18 13:09:00 charon 08[IKE] <17> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
    Feb 18 13:09:00 charon 08[IKE] <17> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
    Feb 18 13:09:00 charon 08[IKE] <17> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
    Feb 18 13:09:00 charon 08[IKE] <17> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Feb 18 13:09:00 charon 08[IKE] <17> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Feb 18 13:09:00 charon 08[IKE] <17> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Feb 18 13:09:00 charon 08[IKE] <17> received XAuth vendor ID
    Feb 18 13:09:00 charon 08[IKE] <17> received Cisco Unity vendor ID
    Feb 18 13:09:00 charon 08[IKE] <17> received DPD vendor ID
    Feb 18 13:09:00 charon 08[IKE] <17> 103.46.209.154 is initiating a Aggressive Mode IKE_SA
    Feb 18 13:09:00 charon 08[CFG] <17> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
    Feb 18 13:09:00 charon 08[CFG] <17> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Feb 18 13:09:00 charon 08[IKE] <17> no proposal found
    Feb 18 13:09:00 charon 08[ENC] <17> generating INFORMATIONAL_V1 request 3836950386 [ N(NO_PROP) ]
    Feb 18 13:09:00 charon 08[NET] <17> sending packet: from 10.20.0.2[500] to 103.46.209.154[500] (56 bytes)
    Feb 18 13:09:00 charon 08[NET] <18> received packet: from 103.46.209.154[500] to 10.20.0.2[500] (761 bytes)
    Feb 18 13:09:00 charon 08[ENC] <18> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
    Feb 18 13:09:00 charon 08[IKE] <18> received FRAGMENTATION vendor ID
    Feb 18 13:09:00 charon 08[IKE] <18> received NAT-T (RFC 3947) vendor ID
    Feb 18 13:09:00 charon 08[IKE] <18> received draft-ietf-ipsec-nat-t-ike vendor ID
    Feb 18 13:09:00 charon 08[IKE] <18> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
    Feb 18 13:09:00 charon 08[IKE] <18> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
    Feb 18 13:09:00 charon 08[IKE] <18> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
    Feb 18 13:09:00 charon 08[IKE] <18> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
    Feb 18 13:09:00 charon 08[IKE] <18> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
    Feb 18 13:09:00 charon 08[IKE] <18> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Feb 18 13:09:00 charon 08[IKE] <18> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Feb 18 13:09:00 charon 08[IKE] <18> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Feb 18 13:09:00 charon 08[IKE] <18> received XAuth vendor ID
    Feb 18 13:09:00 charon 08[IKE] <18> received Cisco Unity vendor ID
    Feb 18 13:09:00 charon 08[IKE] <18> received DPD vendor ID
    Feb 18 13:09:00 charon 08[IKE] <18> 103.46.209.154 is initiating a Aggressive Mode IKE_SA
    Feb 18 13:09:00 charon 08[CFG] <18> looking for XAuthInitPSK peer configs matching 10.20.0.2…103.46.209.154[cisco]
    Feb 18 13:09:00 charon 08[CFG] <18> selected peer config "con1"
    Feb 18 13:09:00 charon 08[ENC] <con1|18>generating AGGRESSIVE response 0 [ SA KE No ID V V V V NAT-D NAT-D HASH ]
    Feb 18 13:09:00 charon 08[NET] <con1|18>sending packet: from 10.20.0.2[500] to 103.46.209.154[500] (412 bytes)
    Feb 18 13:09:04 charon 08[IKE] <con1|18>sending retransmit 1 of response message ID 0, seq 1
    Feb 18 13:09:04 charon 08[NET] <con1|18>sending packet: from 10.20.0.2[500] to 103.46.209.154[500] (412 bytes)
    Feb 18 13:09:09 charon 10[CFG] received stroke: terminate 'con1000'
    Feb 18 13:09:09 charon 10[CFG] no IKE_SA named 'con1000' found
    Feb 18 13:09:09 charon 08[CFG] received stroke: initiate 'con1000'
    Feb 18 13:09:09 charon 08[CFG] no config named 'con1000'
    Feb 18 13:09:11 charon 10[IKE] <con1|18>sending retransmit 2 of response message ID 0, seq 1
    Feb 18 13:09:11 charon 10[NET] <con1|18>sending packet: from 10.20.0.2[500] to 103.46.209.154[500] (412 bytes)
    Feb 18 13:09:24 charon 13[IKE] <con1|18>sending retransmit 3 of response message ID 0, seq 1
    Feb 18 13:09:24 charon 13[NET] <con1|18>sending packet: from 10.20.0.2[500] to 103.46.209.154[500] (412 bytes)
    Feb 18 13:09:30 charon 14[JOB] <con1|18>deleting half open IKE_SA after timeout
    Feb 18 14:22:14 charon 10[NET] <19> received packet: from 103.46.209.154[500] to 10.20.0.2[500] (761 bytes)
    Feb 18 14:22:14 charon 10[ENC] <19> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
    Feb 18 14:22:14 charon 10[IKE] <19> received FRAGMENTATION vendor ID
    Feb 18 14:22:14 charon 10[IKE] <19> received NAT-T (RFC 3947) vendor ID
    Feb 18 14:22:14 charon 10[IKE] <19> received draft-ietf-ipsec-nat-t-ike vendor ID
    Feb 18 14:22:14 charon 10[IKE] <19> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
    Feb 18 14:22:14 charon 10[IKE] <19> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
    Feb 18 14:22:14 charon 10[IKE] <19> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
    Feb 18 14:22:14 charon 10[IKE] <19> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
    Feb 18 14:22:14 charon 10[IKE] <19> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
    Feb 18 14:22:14 charon 10[IKE] <19> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Feb 18 14:22:14 charon 10[IKE] <19> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Feb 18 14:22:14 charon 10[IKE] <19> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Feb 18 14:22:14 charon 10[IKE] <19> received XAuth vendor ID
    Feb 18 14:22:14 charon 10[IKE] <19> received Cisco Unity vendor ID
    Feb 18 14:22:14 charon 10[IKE] <19> received DPD vendor ID
    Feb 18 14:22:14 charon 10[IKE] <19> 103.46.209.154 is initiating a Aggressive Mode IKE_SA
    Feb 18 14:22:14 charon 10[CFG] <19> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
    Feb 18 14:22:14 charon 10[CFG] <19> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Feb 18 14:22:14 charon 10[IKE] <19> no proposal found
    Feb 18 14:22:14 charon 10[ENC] <19> generating INFORMATIONAL_V1 request 3476172714 [ N(NO_PROP) ]
    Feb 18 14:22:14 charon 10[NET] <19> sending packet: from 10.20.0.2[500] to 103.46.209.154[500] (56 bytes)
    Feb 18 14:22:14 charon 10[NET] <20> received packet: from 103.46.209.154[500] to 10.20.0.2[500] (761 bytes)
    Feb 18 14:22:14 charon 10[ENC] <20> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
    Feb 18 14:22:14 charon 10[IKE] <20> received FRAGMENTATION vendor ID
    Feb 18 14:22:14 charon 10[IKE] <20> received NAT-T (RFC 3947) vendor ID
    Feb 18 14:22:14 charon 10[IKE] <20> received draft-ietf-ipsec-nat-t-ike vendor ID
    Feb 18 14:22:14 charon 10[IKE] <20> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
    Feb 18 14:22:14 charon 10[IKE] <20> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
    Feb 18 14:22:14 charon 10[IKE] <20> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
    Feb 18 14:22:14 charon 10[IKE] <20> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
    Feb 18 14:22:14 charon 10[IKE] <20> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
    Feb 18 14:22:14 charon 10[IKE] <20> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Feb 18 14:22:14 charon 10[IKE] <20> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Feb 18 14:22:14 charon 10[IKE] <20> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Feb 18 14:22:14 charon 10[IKE] <20> received XAuth vendor ID
    Feb 18 14:22:14 charon 10[IKE] <20> received Cisco Unity vendor ID
    Feb 18 14:22:14 charon 10[IKE] <20> received DPD vendor ID
    Feb 18 14:22:14 charon 10[IKE] <20> 103.46.209.154 is initiating a Aggressive Mode IKE_SA
    Feb 18 14:22:14 charon 10[CFG] <20> looking for XAuthInitPSK peer configs matching 10.20.0.2…103.46.209.154[cisco]
    Feb 18 14:22:14 charon 10[CFG] <20> selected peer config "con1"
    Feb 18 14:22:14 charon 10[ENC] <con1|20>generating AGGRESSIVE response 0 [ SA KE No ID V V V V NAT-D NAT-D HASH ]
    Feb 18 14:22:14 charon 10[NET] <con1|20>sending packet: from 10.20.0.2[500] to 103.46.209.154[500] (412 bytes)
    Feb 18 14:22:18 charon 10[IKE] <con1|20>sending retransmit 1 of response message ID 0, seq 1
    Feb 18 14:22:18 charon 10[NET] <con1|20>sending packet: from 10.20.0.2[500] to 103.46.209.154[500] (412 bytes)
    Feb 18 14:22:25 charon 10[IKE] <con1|20>sending retransmit 2 of response message ID 0, seq 1
    Feb 18 14:22:25 charon 10[NET] <con1|20>sending packet: from 10.20.0.2[500] to 103.46.209.154[500] (412 bytes)
    Feb 18 14:22:38 charon 10[IKE] <con1|20>sending retransmit 3 of response message ID 0, seq 1
    Feb 18 14:22:38 charon 10[NET] <con1|20>sending packet: from 10.20.0.2[500] to 103.46.209.154[500] (412 bytes)
    Feb 18 14:22:44 charon 10[JOB] <con1|20>deleting half open IKE_SA after timeout

    Please Help!!!</con1|20></con1|20></con1|20></con1|20></con1|20></con1|20></con1|20></con1|20></con1|20></con1|18></con1|18></con1|18></con1|18></con1|18></con1|18></con1|18></con1|18></con1|18>

    0
  • A

    Now seeing the attempted connection under Status –> IPSEC:

    Time Process PID Message
    Feb 19 15:12:25 charon 07[NET] received packet: from 103.46.209.154[500] to 10.20.0.2[500]
    Feb 19 15:12:25 charon 07[NET] waiting for data on sockets
    Feb 19 15:12:25 charon 12[MGR] checkout IKEv1 SA by message with SPIs 7ba7c04f2b6e9753_i 0000000000000000_r
    Feb 19 15:12:25 charon 12[MGR] created IKE_SA (unnamed)[3]
    Feb 19 15:12:25 charon 12[NET] <3> received packet: from 103.46.209.154[500] to 10.20.0.2[500] (771 bytes)
    Feb 19 15:12:25 charon 12[IKE] <3> received FRAGMENTATION vendor ID
    Feb 19 15:12:25 charon 12[IKE] <3> received NAT-T (RFC 3947) vendor ID
    Feb 19 15:12:25 charon 12[IKE] <3> received draft-ietf-ipsec-nat-t-ike vendor ID
    Feb 19 15:12:25 charon 12[IKE] <3> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
    Feb 19 15:12:25 charon 12[IKE] <3> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
    Feb 19 15:12:25 charon 12[IKE] <3> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
    Feb 19 15:12:25 charon 12[IKE] <3> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
    Feb 19 15:12:25 charon 12[IKE] <3> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
    Feb 19 15:12:25 charon 12[IKE] <3> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Feb 19 15:12:25 charon 12[IKE] <3> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Feb 19 15:12:25 charon 12[IKE] <3> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Feb 19 15:12:25 charon 12[IKE] <3> received XAuth vendor ID
    Feb 19 15:12:25 charon 12[IKE] <3> received Cisco Unity vendor ID
    Feb 19 15:12:25 charon 12[IKE] <3> received DPD vendor ID
    Feb 19 15:12:25 charon 12[IKE] <3> 103.46.209.154 is initiating a Aggressive Mode IKE_SA
    Feb 19 15:12:25 charon 12[IKE] <3> IKE_SA (unnamed)[3] state change: CREATED => CONNECTING
    Feb 19 15:12:25 charon 12[IKE] <3> no proposal found
    Feb 19 15:12:25 charon 12[IKE] <3> queueing INFORMATIONAL task
    Feb 19 15:12:25 charon 12[IKE] <3> activating new tasks
    Feb 19 15:12:25 charon 12[IKE] <3> activating INFORMATIONAL task
    Feb 19 15:12:25 charon 12[NET] <3> sending packet: from 10.20.0.2[500] to 103.46.209.154[500] (56 bytes)
    Feb 19 15:12:25 charon 12[MGR] <3> checkin and destroy IKE_SA (unnamed)[3]
    Feb 19 15:12:25 charon 04[NET] sending packet: from 10.20.0.2[500] to 103.46.209.154[500]
    Feb 19 15:12:25 charon 12[IKE] <3> IKE_SA (unnamed)[3] state change: CONNECTING => DESTROYING
    Feb 19 15:12:25 charon 12[MGR] checkin and destroy of IKE_SA successful
    Feb 19 15:12:25 charon 07[NET] received packet: from 103.46.209.154[500] to 10.20.0.2[500]
    Feb 19 15:12:25 charon 07[NET] waiting for data on sockets
    Feb 19 15:12:25 charon 12[MGR] checkout IKEv1 SA by message with SPIs c24d4bc5c9ba68b2_i 0000000000000000_r
    Feb 19 15:12:25 charon 12[MGR] created IKE_SA (unnamed)[4]
    Feb 19 15:12:25 charon 12[NET] <4> received packet: from 103.46.209.154[500] to 10.20.0.2[500] (771 bytes)
    Feb 19 15:12:25 charon 12[IKE] <4> received FRAGMENTATION vendor ID
    Feb 19 15:12:25 charon 12[IKE] <4> received NAT-T (RFC 3947) vendor ID
    Feb 19 15:12:25 charon 12[IKE] <4> received draft-ietf-ipsec-nat-t-ike vendor ID
    Feb 19 15:12:25 charon 12[IKE] <4> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
    Feb 19 15:12:25 charon 12[IKE] <4> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
    Feb 19 15:12:25 charon 12[IKE] <4> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
    Feb 19 15:12:25 charon 12[IKE] <4> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
    Feb 19 15:12:25 charon 12[IKE] <4> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
    Feb 19 15:12:25 charon 12[IKE] <4> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Feb 19 15:12:25 charon 12[IKE] <4> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Feb 19 15:12:25 charon 12[IKE] <4> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Feb 19 15:12:25 charon 12[IKE] <4> received XAuth vendor ID
    Feb 19 15:12:25 charon 12[IKE] <4> received Cisco Unity vendor ID
    Feb 19 15:12:25 charon 12[IKE] <4> received DPD vendor ID
    Feb 19 15:12:25 charon 12[IKE] <4> 103.46.209.154 is initiating a Aggressive Mode IKE_SA
    Feb 19 15:12:25 charon 12[IKE] <4> IKE_SA (unnamed)[4] state change: CREATED => CONNECTING
    Feb 19 15:12:25 charon 12[LIB] <4> size of DH secret exponent: 1023 bits
    Feb 19 15:12:25 charon 12[IKE] <con1|4>sending XAuth vendor ID
    Feb 19 15:12:25 charon 12[IKE] <con1|4>sending DPD vendor ID
    Feb 19 15:12:25 charon 12[IKE] <con1|4>sending Cisco Unity vendor ID
    Feb 19 15:12:25 charon 12[IKE] <con1|4>sending FRAGMENTATION vendor ID
    Feb 19 15:12:25 charon 12[IKE] <con1|4>sending NAT-T (RFC 3947) vendor ID
    Feb 19 15:12:25 charon 12[NET] <con1|4>sending packet: from 10.20.0.2[500] to 103.46.209.154[500] (428 bytes)
    Feb 19 15:12:25 charon 12[MGR] <con1|4>checkin IKE_SA con1[4]
    Feb 19 15:12:25 charon 04[NET] sending packet: from 10.20.0.2[500] to 103.46.209.154[500]
    Feb 19 15:12:25 charon 12[MGR] <con1|4>checkin of IKE_SA successful
    Feb 19 15:12:29 charon 12[MGR] checkout IKEv1 SA with SPIs c24d4bc5c9ba68b2_i f79e3272d7218d04_r
    Feb 19 15:12:29 charon 12[MGR] IKE_SA con1[4] successfully checked out
    Feb 19 15:12:29 charon 12[IKE] <con1|4>sending retransmit 1 of response message ID 0, seq 1
    Feb 19 15:12:29 charon 12[NET] <con1|4>sending packet: from 10.20.0.2[500] to 103.46.209.154[500] (428 bytes)
    Feb 19 15:12:29 charon 12[MGR] <con1|4>checkin IKE_SA con1[4]
    Feb 19 15:12:29 charon 04[NET] sending packet: from 10.20.0.2[500] to 103.46.209.154[500]
    Feb 19 15:12:29 charon 12[MGR] <con1|4>checkin of IKE_SA successful
    Feb 19 15:12:36 charon 12[MGR] checkout IKEv1 SA with SPIs c24d4bc5c9ba68b2_i f79e3272d7218d04_r
    Feb 19 15:12:36 charon 12[MGR] IKE_SA con1[4] successfully checked out
    Feb 19 15:12:36 charon 12[IKE] <con1|4>sending retransmit 2 of response message ID 0, seq 1
    Feb 19 15:12:36 charon 12[NET] <con1|4>sending packet: from 10.20.0.2[500] to 103.46.209.154[500] (428 bytes)
    Feb 19 15:12:36 charon 12[MGR] <con1|4>checkin IKE_SA con1[4]
    Feb 19 15:12:36 charon 04[NET] sending packet: from 10.20.0.2[500] to 103.46.209.154[500]
    Feb 19 15:12:36 charon 12[MGR] <con1|4>checkin of IKE_SA successful
    Feb 19 15:12:49 charon 02[MGR] checkout IKEv1 SA with SPIs c24d4bc5c9ba68b2_i f79e3272d7218d04_r
    Feb 19 15:12:49 charon 02[MGR] IKE_SA con1[4] successfully checked out
    Feb 19 15:12:49 charon 02[IKE] <con1|4>sending retransmit 3 of response message ID 0, seq 1
    Feb 19 15:12:49 charon 02[NET] <con1|4>sending packet: from 10.20.0.2[500] to 103.46.209.154[500] (428 bytes)
    Feb 19 15:12:49 charon 02[MGR] <con1|4>checkin IKE_SA con1[4]
    Feb 19 15:12:49 charon 04[NET] sending packet: from 10.20.0.2[500] to 103.46.209.154[500]
    Feb 19 15:12:49 charon 02[MGR] <con1|4>checkin of IKE_SA successful
    Feb 19 15:12:55 charon 02[MGR] checkout IKEv1 SA with SPIs 7ba7c04f2b6e9753_i b49a71955a2f7a35_r
    Feb 19 15:12:55 charon 02[MGR] IKE_SA checkout not successful
    Feb 19 15:12:55 charon 06[MGR] checkout IKEv1 SA with SPIs c24d4bc5c9ba68b2_i f79e3272d7218d04_r
    Feb 19 15:12:55 charon 06[MGR] IKE_SA con1[4] successfully checked out
    Feb 19 15:12:55 charon 06[MGR] <con1|4>checkin and destroy IKE_SA con1[4]
    Feb 19 15:12:55 charon 06[IKE] <con1|4>IKE_SA con1[4] state change: CONNECTING => DESTROYING
    Feb 19 15:12:55 charon 06[MGR] checkin and destroy of IKE_SA successful
    Feb 19 15:13:12 charon 06[MGR] checkout IKEv1 SA with SPIs c24d4bc5c9ba68b2_i f79e3272d7218d04_r
    Feb 19 15:13:12 charon 06[MGR] IKE_SA checkout not successful
    Feb 19 15:25:04 charon 07[NET] received packet: from 172.30.3.163[500] to 10.20.0.2[500]
    Feb 19 15:25:04 charon 07[NET] waiting for data on sockets
    Feb 19 15:25:04 charon 11[MGR] checkout IKEv1 SA by message with SPIs 72c13bb99d21bb9e_i 0000000000000000_r
    Feb 19 15:25:04 charon 11[MGR] created IKE_SA (unnamed)[5]
    Feb 19 15:25:04 charon 11[NET] <5> received packet: from 172.30.3.163[500] to 10.20.0.2[500] (1183 bytes)
    Feb 19 15:25:04 charon 11[IKE] <5> received XAuth vendor ID
    Feb 19 15:25:04 charon 11[IKE] <5> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
    Feb 19 15:25:04 charon 11[IKE] <5> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Feb 19 15:25:04 charon 11[IKE] <5> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Feb 19 15:25:04 charon 11[IKE] <5> received NAT-T (RFC 3947) vendor ID
    Feb 19 15:25:04 charon 11[IKE] <5> received FRAGMENTATION vendor ID
    Feb 19 15:25:04 charon 11[IKE] <5> received DPD vendor ID
    Feb 19 15:25:04 charon 11[IKE] <5> received Cisco Unity vendor ID
    Feb 19 15:25:04 charon 11[IKE] <5> 172.30.3.163 is initiating a Aggressive Mode IKE_SA
    Feb 19 15:25:04 charon 11[IKE] <5> IKE_SA (unnamed)[5] state change: CREATED => CONNECTING
    Feb 19 15:25:04 charon 11[LIB] <5> size of DH secret exponent: 1023 bits
    Feb 19 15:25:04 charon 11[IKE] <con1|5>sending XAuth vendor ID
    Feb 19 15:25:04 charon 11[IKE] <con1|5>sending DPD vendor ID
    Feb 19 15:25:04 charon 11[IKE] <con1|5>sending Cisco Unity vendor ID
    Feb 19 15:25:04 charon 11[IKE] <con1|5>sending FRAGMENTATION vendor ID
    Feb 19 15:25:04 charon 11[IKE] <con1|5>sending NAT-T (RFC 3947) vendor ID
    Feb 19 15:25:04 charon 11[NET] <con1|5>sending packet: from 10.20.0.2[500] to 172.30.3.163[500] (432 bytes)
    Feb 19 15:25:04 charon 11[MGR] <con1|5>checkin IKE_SA con1[5]
    Feb 19 15:25:04 charon 11[MGR] <con1|5>checkin of IKE_SA successful
    Feb 19 15:25:04 charon 04[NET] sending packet: from 10.20.0.2[500] to 172.30.3.163[500]
    Feb 19 15:25:08 charon 11[MGR] checkout IKEv1 SA with SPIs 72c13bb99d21bb9e_i 27700ec4f94d446a_r
    Feb 19 15:25:08 charon 11[MGR] IKE_SA con1[5] successfully checked out
    Feb 19 15:25:08 charon 11[IKE] <con1|5>sending retransmit 1 of response message ID 0, seq 1
    Feb 19 15:25:08 charon 11[NET] <con1|5>sending packet: from 10.20.0.2[500] to 172.30.3.163[500] (432 bytes)
    Feb 19 15:25:08 charon 11[MGR] <con1|5>checkin IKE_SA con1[5]
    Feb 19 15:25:08 charon 11[MGR] <con1|5>checkin of IKE_SA successful
    Feb 19 15:25:08 charon 04[NET] sending packet: from 10.20.0.2[500] to 172.30.3.163[500]
    Feb 19 15:25:09 charon 07[NET] received packet: from 172.30.3.163[500] to 10.20.0.2[500]
    Feb 19 15:25:09 charon 07[NET] waiting for data on sockets
    Feb 19 15:25:09 charon 11[MGR] checkout IKEv1 SA by message with SPIs 72c13bb99d21bb9e_i 0000000000000000_r
    Feb 19 15:25:09 charon 11[MGR] IKE_SA con1[5] successfully checked out
    Feb 19 15:25:09 charon 11[NET] <con1|5>received packet: from 172.30.3.163[500] to 10.20.0.2[500] (1183 bytes)
    Feb 19 15:25:09 charon 11[IKE] <con1|5>received retransmit of request with ID 0, retransmitting response
    Feb 19 15:25:09 charon 11[NET] <con1|5>sending packet: from 10.20.0.2[500] to 172.30.3.163[500] (432 bytes)
    Feb 19 15:25:09 charon 11[MGR] <con1|5>checkin IKE_SA con1[5]
    Feb 19 15:25:09 charon 04[NET] sending packet: from 10.20.0.2[500] to 172.30.3.163[500]
    Feb 19 15:25:09 charon 11[MGR] <con1|5>checkin of IKE_SA successful
    Feb 19 15:25:14 charon 07[NET] received packet: from 172.30.3.163[500] to 10.20.0.2[500]
    Feb 19 15:25:14 charon 07[NET] waiting for data on sockets
    Feb 19 15:25:14 charon 11[MGR] checkout IKEv1 SA by message with SPIs 72c13bb99d21bb9e_i 0000000000000000_r
    Feb 19 15:25:14 charon 11[MGR] IKE_SA con1[5] successfully checked out
    Feb 19 15:25:14 charon 11[NET] <con1|5>received packet: from 172.30.3.163[500] to 10.20.0.2[500] (1183 bytes)
    Feb 19 15:25:14 charon 11[IKE] <con1|5>received retransmit of request with ID 0, retransmitting response
    Feb 19 15:25:14 charon 11[NET] <con1|5>sending packet: from 10.20.0.2[500] to 172.30.3.163[500] (432 bytes)
    Feb 19 15:25:14 charon 11[MGR] <con1|5>checkin IKE_SA con1[5]
    Feb 19 15:25:14 charon 04[NET] sending packet: from 10.20.0.2[500] to 172.30.3.163[500]
    Feb 19 15:25:14 charon 11[MGR] <con1|5>checkin of IKE_SA successful
    Feb 19 15:25:15 charon 11[MGR] checkout IKEv1 SA with SPIs 72c13bb99d21bb9e_i 27700ec4f94d446a_r
    Feb 19 15:25:15 charon 11[MGR] IKE_SA con1[5] successfully checked out
    Feb 19 15:25:15 charon 11[IKE] <con1|5>sending retransmit 2 of response message ID 0, seq 1
    Feb 19 15:25:15 charon 11[NET] <con1|5>sending packet: from 10.20.0.2[500] to 172.30.3.163[500] (432 bytes)
    Feb 19 15:25:15 charon 11[MGR] <con1|5>checkin IKE_SA con1[5]
    Feb 19 15:25:15 charon 04[NET] sending packet: from 10.20.0.2[500] to 172.30.3.163[500]
    Feb 19 15:25:15 charon 11[MGR] <con1|5>checkin of IKE_SA successful
    Feb 19 15:25:19 charon 07[NET] received packet: from 172.30.3.163[500] to 10.20.0.2[500]
    Feb 19 15:25:19 charon 07[NET] waiting for data on sockets
    Feb 19 15:25:19 charon 12[MGR] checkout IKEv1 SA by message with SPIs 72c13bb99d21bb9e_i 0000000000000000_r
    Feb 19 15:25:19 charon 12[MGR] IKE_SA con1[5] successfully checked out
    Feb 19 15:25:19 charon 12[NET] <con1|5>received packet: from 172.30.3.163[500] to 10.20.0.2[500] (1183 bytes)
    Feb 19 15:25:19 charon 12[IKE] <con1|5>received retransmit of request with ID 0, retransmitting response
    Feb 19 15:25:19 charon 12[NET] <con1|5>sending packet: from 10.20.0.2[500] to 172.30.3.163[500] (432 bytes)
    Feb 19 15:25:19 charon 12[MGR] <con1|5>checkin IKE_SA con1[5]
    Feb 19 15:25:19 charon 04[NET] sending packet: from 10.20.0.2[500] to 172.30.3.163[500]
    Feb 19 15:25:19 charon 12[MGR] <con1|5>checkin of IKE_SA successful
    Feb 19 15:25:28 charon 12[MGR] checkout IKEv1 SA with SPIs 72c13bb99d21bb9e_i 27700ec4f94d446a_r
    Feb 19 15:25:28 charon 12[MGR] IKE_SA con1[5] successfully checked out
    Feb 19 15:25:28 charon 12[IKE] <con1|5>sending retransmit 3 of response message ID 0, seq 1
    Feb 19 15:25:28 charon 12[NET] <con1|5>sending packet: from 10.20.0.2[500] to 172.30.3.163[500] (432 bytes)
    Feb 19 15:25:28 charon 12[MGR] <con1|5>checkin IKE_SA con1[5]
    Feb 19 15:25:28 charon 04[NET] sending packet: from 10.20.0.2[500] to 172.30.3.163[500]
    Feb 19 15:25:28 charon 12[MGR] <con1|5>checkin of IKE_SA successful
    Feb 19 15:25:34 charon 12[MGR] checkout IKEv1 SA with SPIs 72c13bb99d21bb9e_i 27700ec4f94d446a_r
    Feb 19 15:25:34 charon 12[MGR] IKE_SA con1[5] successfully checked out
    Feb 19 15:25:34 charon 12[MGR] <con1|5>checkin and destroy IKE_SA con1[5]
    Feb 19 15:25:34 charon 12[IKE] <con1|5>IKE_SA con1[5] state change: CONNECTING => DESTROYING
    Feb 19 15:25:34 charon 12[MGR] checkin and destroy of IKE_SA successful</con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|4></con1|4></con1|4></con1|4></con1|4></con1|4></con1|4></con1|4></con1|4></con1|4></con1|4></con1|4></con1|4></con1|4></con1|4></con1|4></con1|4></con1|4></con1|4></con1|4></con1|4></con1|4>

    0
  • -

    Have you fix this problem? It seems that I have exact the same problem as you.
    My config is almost the same as yours. I hope someone could give the right answer.

    0
Log in to reply
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy