    Can Not Establish IPSEC Connection – PFSense Behind Cisco Router

    3 Posts 2 Posters 1.6k Views

      anking

      Hello Community,

      I have been looking through documentation, and tried a few, but I am still stuck on trying to establish an IPSEC connection from a client (iOS or Windows). The setup that I have is: WAN Connection --> Cisco 4431 Router --> pfSense --> LAN

      I have created the Phase 1 + 2 settings with

      Phase 1:

      Interface: WAN
      Authentication Method: PSK + Xauth
      Negotiation Mode: Aggressive
      My Identifier: My IP Address
      Peer Identifier: Distinguished Name

      Proposal: AES / 128-bit
      Hash: SHA1
      DH Group: 2 - 1024 bit
      Checked Responder Only
      Nat Traversal: Force

      Phase 2:

      Local Network: LAN subnet
      Protocol: ESP
      Encryption Algorithm: Checked AES / 128-bit
      Hash: SHA1
      PFS Key Group: Grayed Out
      Lifetime: 3600

      Router settings and log messages are as follows:

      interface GigabitEthernet0/0/0
      description WAN side
      ip address x.x.208.170 255.255.255.248
      no ip redirects
      no ip unreachables
      no ip proxy-arp
      ip nat outside
      ip verify unicast reverse-path
      ip access-group 110 in
      load-interval 30
      media-type sfp
      negotiation auto
      ip virtual-reassembly
      !
      interface GigabitEthernet0/0/1
      shutdown
      !
      interface GigabitEthernet0/0/2
      description LAN Side
      ip address 10.20.0.1 255.255.255.252
      no ip redirects
      no ip unreachables
      no ip proxy-arp
      ip nat inside
      negotiation auto
      ip virtual-reassembly
      !
      interface GigabitEthernet0
      vrf forwarding Mgmt-intf
      no ip address
      shutdown
      negotiation auto
      !
      ip nat inside source list 111 interface GigabitEthernet0/0/0 overload
      ip nat inside source static udp 10.20.0.2 500 interface GigabitEthernet0/0/0 500
      ip nat inside source static esp 10.20.0.2 interface GigabitEthernet0/0/0
      ip nat inside source static tcp 10.20.0.2 22 x.x.208.170 1022 extendable
      ip forward-protocol nd
      ip http server
      no ip http secure-server
      ip tftp source-interface GigabitEthernet0/0/1
      ip route 0.0.0.0 0.0.0.0 x.x.208.169
      ip route 10.30.0.0 255.255.255.224 10.20.0.2
      !
      !
      access-list 110 permit udp any any
      access-list 110 permit ip any any
      access-list 111 permit ip any any log
      !

      Feb 18 13:09:00 charon 08[NET] <17> received packet: from 103.46.209.154[500] to 10.20.0.2[500] (761 bytes)
      Feb 18 13:09:00 charon 08[ENC] <17> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
      Feb 18 13:09:00 charon 08[IKE] <17> received FRAGMENTATION vendor ID
      Feb 18 13:09:00 charon 08[IKE] <17> received NAT-T (RFC 3947) vendor ID
      Feb 18 13:09:00 charon 08[IKE] <17> received draft-ietf-ipsec-nat-t-ike vendor ID
      Feb 18 13:09:00 charon 08[IKE] <17> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
      Feb 18 13:09:00 charon 08[IKE] <17> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
      Feb 18 13:09:00 charon 08[IKE] <17> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
      Feb 18 13:09:00 charon 08[IKE] <17> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
      Feb 18 13:09:00 charon 08[IKE] <17> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
      Feb 18 13:09:00 charon 08[IKE] <17> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
      Feb 18 13:09:00 charon 08[IKE] <17> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
      Feb 18 13:09:00 charon 08[IKE] <17> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      Feb 18 13:09:00 charon 08[IKE] <17> received XAuth vendor ID
      Feb 18 13:09:00 charon 08[IKE] <17> received Cisco Unity vendor ID
      Feb 18 13:09:00 charon 08[IKE] <17> received DPD vendor ID
      Feb 18 13:09:00 charon 08[IKE] <17> 103.46.209.154 is initiating a Aggressive Mode IKE_SA
      Feb 18 13:09:00 charon 08[CFG] <17> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
      Feb 18 13:09:00 charon 08[CFG] <17> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      Feb 18 13:09:00 charon 08[IKE] <17> no proposal found
      Feb 18 13:09:00 charon 08[ENC] <17> generating INFORMATIONAL_V1 request 3836950386 [ N(NO_PROP) ]
      Feb 18 13:09:00 charon 08[NET] <17> sending packet: from 10.20.0.2[500] to 103.46.209.154[500] (56 bytes)
      Feb 18 13:09:00 charon 08[NET] <18> received packet: from 103.46.209.154[500] to 10.20.0.2[500] (761 bytes)
      Feb 18 13:09:00 charon 08[ENC] <18> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
      Feb 18 13:09:00 charon 08[IKE] <18> received FRAGMENTATION vendor ID
      Feb 18 13:09:00 charon 08[IKE] <18> received NAT-T (RFC 3947) vendor ID
      Feb 18 13:09:00 charon 08[IKE] <18> received draft-ietf-ipsec-nat-t-ike vendor ID
      Feb 18 13:09:00 charon 08[IKE] <18> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
      Feb 18 13:09:00 charon 08[IKE] <18> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
      Feb 18 13:09:00 charon 08[IKE] <18> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
      Feb 18 13:09:00 charon 08[IKE] <18> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
      Feb 18 13:09:00 charon 08[IKE] <18> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
      Feb 18 13:09:00 charon 08[IKE] <18> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
      Feb 18 13:09:00 charon 08[IKE] <18> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
      Feb 18 13:09:00 charon 08[IKE] <18> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      Feb 18 13:09:00 charon 08[IKE] <18> received XAuth vendor ID
      Feb 18 13:09:00 charon 08[IKE] <18> received Cisco Unity vendor ID
      Feb 18 13:09:00 charon 08[IKE] <18> received DPD vendor ID
      Feb 18 13:09:00 charon 08[IKE] <18> 103.46.209.154 is initiating a Aggressive Mode IKE_SA
      Feb 18 13:09:00 charon 08[CFG] <18> looking for XAuthInitPSK peer configs matching 10.20.0.2...103.46.209.154[cisco]
      Feb 18 13:09:00 charon 08[CFG] <18> selected peer config "con1"
      Feb 18 13:09:00 charon 08[ENC] <con1|18> generating AGGRESSIVE response 0 [ SA KE No ID V V V V NAT-D NAT-D HASH ]
      Feb 18 13:09:00 charon 08[NET] <con1|18> sending packet: from 10.20.0.2[500] to 103.46.209.154[500] (412 bytes)
      Feb 18 13:09:04 charon 08[IKE] <con1|18> sending retransmit 1 of response message ID 0, seq 1
      Feb 18 13:09:04 charon 08[NET] <con1|18> sending packet: from 10.20.0.2[500] to 103.46.209.154[500] (412 bytes)
      Feb 18 13:09:09 charon 10[CFG] received stroke: terminate 'con1000'
      Feb 18 13:09:09 charon 10[CFG] no IKE_SA named 'con1000' found
      Feb 18 13:09:09 charon 08[CFG] received stroke: initiate 'con1000'
      Feb 18 13:09:09 charon 08[CFG] no config named 'con1000'
      Feb 18 13:09:11 charon 10[IKE] <con1|18> sending retransmit 2 of response message ID 0, seq 1
      Feb 18 13:09:11 charon 10[NET] <con1|18> sending packet: from 10.20.0.2[500] to 103.46.209.154[500] (412 bytes)
      Feb 18 13:09:24 charon 13[IKE] <con1|18> sending retransmit 3 of response message ID 0, seq 1
      Feb 18 13:09:24 charon 13[NET] <con1|18> sending packet: from 10.20.0.2[500] to 103.46.209.154[500] (412 bytes)
      Feb 18 13:09:30 charon 14[JOB] <con1|18> deleting half open IKE_SA after timeout
      Feb 18 14:22:14 charon 10[NET] <19> received packet: from 103.46.209.154[500] to 10.20.0.2[500] (761 bytes)
      Feb 18 14:22:14 charon 10[ENC] <19> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
      Feb 18 14:22:14 charon 10[IKE] <19> received FRAGMENTATION vendor ID
      Feb 18 14:22:14 charon 10[IKE] <19> received NAT-T (RFC 3947) vendor ID
      Feb 18 14:22:14 charon 10[IKE] <19> received draft-ietf-ipsec-nat-t-ike vendor ID
      Feb 18 14:22:14 charon 10[IKE] <19> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
      Feb 18 14:22:14 charon 10[IKE] <19> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
      Feb 18 14:22:14 charon 10[IKE] <19> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
      Feb 18 14:22:14 charon 10[IKE] <19> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
      Feb 18 14:22:14 charon 10[IKE] <19> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
      Feb 18 14:22:14 charon 10[IKE] <19> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
      Feb 18 14:22:14 charon 10[IKE] <19> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
      Feb 18 14:22:14 charon 10[IKE] <19> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      Feb 18 14:22:14 charon 10[IKE] <19> received XAuth vendor ID
      Feb 18 14:22:14 charon 10[IKE] <19> received Cisco Unity vendor ID
      Feb 18 14:22:14 charon 10[IKE] <19> received DPD vendor ID
      Feb 18 14:22:14 charon 10[IKE] <19> 103.46.209.154 is initiating a Aggressive Mode IKE_SA
      Feb 18 14:22:14 charon 10[CFG] <19> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
      Feb 18 14:22:14 charon 10[CFG] <19> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      Feb 18 14:22:14 charon 10[IKE] <19> no proposal found
      Feb 18 14:22:14 charon 10[ENC] <19> generating INFORMATIONAL_V1 request 3476172714 [ N(NO_PROP) ]
      Feb 18 14:22:14 charon 10[NET] <19> sending packet: from 10.20.0.2[500] to 103.46.209.154[500] (56 bytes)
      Feb 18 14:22:14 charon 10[NET] <20> received packet: from 103.46.209.154[500] to 10.20.0.2[500] (761 bytes)
      Feb 18 14:22:14 charon 10[ENC] <20> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V V ]
      Feb 18 14:22:14 charon 10[IKE] <20> received FRAGMENTATION vendor ID
      Feb 18 14:22:14 charon 10[IKE] <20> received NAT-T (RFC 3947) vendor ID
      Feb 18 14:22:14 charon 10[IKE] <20> received draft-ietf-ipsec-nat-t-ike vendor ID
      Feb 18 14:22:14 charon 10[IKE] <20> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
      Feb 18 14:22:14 charon 10[IKE] <20> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
      Feb 18 14:22:14 charon 10[IKE] <20> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
      Feb 18 14:22:14 charon 10[IKE] <20> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
      Feb 18 14:22:14 charon 10[IKE] <20> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
      Feb 18 14:22:14 charon 10[IKE] <20> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
      Feb 18 14:22:14 charon 10[IKE] <20> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
      Feb 18 14:22:14 charon 10[IKE] <20> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      Feb 18 14:22:14 charon 10[IKE] <20> received XAuth vendor ID
      Feb 18 14:22:14 charon 10[IKE] <20> received Cisco Unity vendor ID
      Feb 18 14:22:14 charon 10[IKE] <20> received DPD vendor ID
      Feb 18 14:22:14 charon 10[IKE] <20> 103.46.209.154 is initiating a Aggressive Mode IKE_SA
      Feb 18 14:22:14 charon 10[CFG] <20> looking for XAuthInitPSK peer configs matching 10.20.0.2...103.46.209.154[cisco]
      Feb 18 14:22:14 charon 10[CFG] <20> selected peer config "con1"
      Feb 18 14:22:14 charon 10[ENC] <con1|20> generating AGGRESSIVE response 0 [ SA KE No ID V V V V NAT-D NAT-D HASH ]
      Feb 18 14:22:14 charon 10[NET] <con1|20> sending packet: from 10.20.0.2[500] to 103.46.209.154[500] (412 bytes)
      Feb 18 14:22:18 charon 10[IKE] <con1|20> sending retransmit 1 of response message ID 0, seq 1
      Feb 18 14:22:18 charon 10[NET] <con1|20> sending packet: from 10.20.0.2[500] to 103.46.209.154[500] (412 bytes)
      Feb 18 14:22:25 charon 10[IKE] <con1|20> sending retransmit 2 of response message ID 0, seq 1
      Feb 18 14:22:25 charon 10[NET] <con1|20> sending packet: from 10.20.0.2[500] to 103.46.209.154[500] (412 bytes)
      Feb 18 14:22:38 charon 10[IKE] <con1|20> sending retransmit 3 of response message ID 0, seq 1
      Feb 18 14:22:38 charon 10[NET] <con1|20> sending packet: from 10.20.0.2[500] to 103.46.209.154[500] (412 bytes)
      Feb 18 14:22:44 charon 10[JOB] <con1|20> deleting half open IKE_SA after timeout

      Please Help!!!

        anking

        Now seeing the attempted connection under Status –> IPSEC:

        Time Process PID Message
        Feb 19 15:12:25 charon 07[NET] received packet: from 103.46.209.154[500] to 10.20.0.2[500]
        Feb 19 15:12:25 charon 07[NET] waiting for data on sockets
        Feb 19 15:12:25 charon 12[MGR] checkout IKEv1 SA by message with SPIs 7ba7c04f2b6e9753_i 0000000000000000_r
        Feb 19 15:12:25 charon 12[MGR] created IKE_SA (unnamed)[3]
        Feb 19 15:12:25 charon 12[NET] <3> received packet: from 103.46.209.154[500] to 10.20.0.2[500] (771 bytes)
        Feb 19 15:12:25 charon 12[IKE] <3> received FRAGMENTATION vendor ID
        Feb 19 15:12:25 charon 12[IKE] <3> received NAT-T (RFC 3947) vendor ID
        Feb 19 15:12:25 charon 12[IKE] <3> received draft-ietf-ipsec-nat-t-ike vendor ID
        Feb 19 15:12:25 charon 12[IKE] <3> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
        Feb 19 15:12:25 charon 12[IKE] <3> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
        Feb 19 15:12:25 charon 12[IKE] <3> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
        Feb 19 15:12:25 charon 12[IKE] <3> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
        Feb 19 15:12:25 charon 12[IKE] <3> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
        Feb 19 15:12:25 charon 12[IKE] <3> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
        Feb 19 15:12:25 charon 12[IKE] <3> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
        Feb 19 15:12:25 charon 12[IKE] <3> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
        Feb 19 15:12:25 charon 12[IKE] <3> received XAuth vendor ID
        Feb 19 15:12:25 charon 12[IKE] <3> received Cisco Unity vendor ID
        Feb 19 15:12:25 charon 12[IKE] <3> received DPD vendor ID
        Feb 19 15:12:25 charon 12[IKE] <3> 103.46.209.154 is initiating a Aggressive Mode IKE_SA
        Feb 19 15:12:25 charon 12[IKE] <3> IKE_SA (unnamed)[3] state change: CREATED => CONNECTING
        Feb 19 15:12:25 charon 12[IKE] <3> no proposal found
        Feb 19 15:12:25 charon 12[IKE] <3> queueing INFORMATIONAL task
        Feb 19 15:12:25 charon 12[IKE] <3> activating new tasks
        Feb 19 15:12:25 charon 12[IKE] <3> activating INFORMATIONAL task
        Feb 19 15:12:25 charon 12[NET] <3> sending packet: from 10.20.0.2[500] to 103.46.209.154[500] (56 bytes)
        Feb 19 15:12:25 charon 12[MGR] <3> checkin and destroy IKE_SA (unnamed)[3]
        Feb 19 15:12:25 charon 04[NET] sending packet: from 10.20.0.2[500] to 103.46.209.154[500]
        Feb 19 15:12:25 charon 12[IKE] <3> IKE_SA (unnamed)[3] state change: CONNECTING => DESTROYING
        Feb 19 15:12:25 charon 12[MGR] checkin and destroy of IKE_SA successful
        Feb 19 15:12:25 charon 07[NET] received packet: from 103.46.209.154[500] to 10.20.0.2[500]
        Feb 19 15:12:25 charon 07[NET] waiting for data on sockets
        Feb 19 15:12:25 charon 12[MGR] checkout IKEv1 SA by message with SPIs c24d4bc5c9ba68b2_i 0000000000000000_r
        Feb 19 15:12:25 charon 12[MGR] created IKE_SA (unnamed)[4]
        Feb 19 15:12:25 charon 12[NET] <4> received packet: from 103.46.209.154[500] to 10.20.0.2[500] (771 bytes)
        Feb 19 15:12:25 charon 12[IKE] <4> received FRAGMENTATION vendor ID
        Feb 19 15:12:25 charon 12[IKE] <4> received NAT-T (RFC 3947) vendor ID
        Feb 19 15:12:25 charon 12[IKE] <4> received draft-ietf-ipsec-nat-t-ike vendor ID
        Feb 19 15:12:25 charon 12[IKE] <4> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
        Feb 19 15:12:25 charon 12[IKE] <4> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
        Feb 19 15:12:25 charon 12[IKE] <4> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
        Feb 19 15:12:25 charon 12[IKE] <4> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
        Feb 19 15:12:25 charon 12[IKE] <4> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
        Feb 19 15:12:25 charon 12[IKE] <4> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
        Feb 19 15:12:25 charon 12[IKE] <4> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
        Feb 19 15:12:25 charon 12[IKE] <4> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
        Feb 19 15:12:25 charon 12[IKE] <4> received XAuth vendor ID
        Feb 19 15:12:25 charon 12[IKE] <4> received Cisco Unity vendor ID
        Feb 19 15:12:25 charon 12[IKE] <4> received DPD vendor ID
        Feb 19 15:12:25 charon 12[IKE] <4> 103.46.209.154 is initiating a Aggressive Mode IKE_SA
        Feb 19 15:12:25 charon 12[IKE] <4> IKE_SA (unnamed)[4] state change: CREATED => CONNECTING
        Feb 19 15:12:25 charon 12[LIB] <4> size of DH secret exponent: 1023 bits
        Feb 19 15:12:25 charon 12[IKE] <con1|4> sending XAuth vendor ID
        Feb 19 15:12:25 charon 12[IKE] <con1|4> sending DPD vendor ID
        Feb 19 15:12:25 charon 12[IKE] <con1|4> sending Cisco Unity vendor ID
        Feb 19 15:12:25 charon 12[IKE] <con1|4> sending FRAGMENTATION vendor ID
        Feb 19 15:12:25 charon 12[IKE] <con1|4> sending NAT-T (RFC 3947) vendor ID
        Feb 19 15:12:25 charon 12[NET] <con1|4> sending packet: from 10.20.0.2[500] to 103.46.209.154[500] (428 bytes)
        Feb 19 15:12:25 charon 12[MGR] <con1|4> checkin IKE_SA con1[4]
        Feb 19 15:12:25 charon 04[NET] sending packet: from 10.20.0.2[500] to 103.46.209.154[500]
        Feb 19 15:12:25 charon 12[MGR] <con1|4> checkin of IKE_SA successful
        Feb 19 15:12:29 charon 12[MGR] checkout IKEv1 SA with SPIs c24d4bc5c9ba68b2_i f79e3272d7218d04_r
        Feb 19 15:12:29 charon 12[MGR] IKE_SA con1[4] successfully checked out
        Feb 19 15:12:29 charon 12[IKE] <con1|4> sending retransmit 1 of response message ID 0, seq 1
        Feb 19 15:12:29 charon 12[NET] <con1|4> sending packet: from 10.20.0.2[500] to 103.46.209.154[500] (428 bytes)
        Feb 19 15:12:29 charon 12[MGR] <con1|4> checkin IKE_SA con1[4]
        Feb 19 15:12:29 charon 04[NET] sending packet: from 10.20.0.2[500] to 103.46.209.154[500]
        Feb 19 15:12:29 charon 12[MGR] <con1|4> checkin of IKE_SA successful
        Feb 19 15:12:36 charon 12[MGR] checkout IKEv1 SA with SPIs c24d4bc5c9ba68b2_i f79e3272d7218d04_r
        Feb 19 15:12:36 charon 12[MGR] IKE_SA con1[4] successfully checked out
        Feb 19 15:12:36 charon 12[IKE] <con1|4> sending retransmit 2 of response message ID 0, seq 1
        Feb 19 15:12:36 charon 12[NET] <con1|4> sending packet: from 10.20.0.2[500] to 103.46.209.154[500] (428 bytes)
        Feb 19 15:12:36 charon 12[MGR] <con1|4> checkin IKE_SA con1[4]
        Feb 19 15:12:36 charon 04[NET] sending packet: from 10.20.0.2[500] to 103.46.209.154[500]
        Feb 19 15:12:36 charon 12[MGR] <con1|4> checkin of IKE_SA successful
        Feb 19 15:12:49 charon 02[MGR] checkout IKEv1 SA with SPIs c24d4bc5c9ba68b2_i f79e3272d7218d04_r
        Feb 19 15:12:49 charon 02[MGR] IKE_SA con1[4] successfully checked out
        Feb 19 15:12:49 charon 02[IKE] <con1|4> sending retransmit 3 of response message ID 0, seq 1
        Feb 19 15:12:49 charon 02[NET] <con1|4> sending packet: from 10.20.0.2[500] to 103.46.209.154[500] (428 bytes)
        Feb 19 15:12:49 charon 02[MGR] <con1|4> checkin IKE_SA con1[4]
        Feb 19 15:12:49 charon 04[NET] sending packet: from 10.20.0.2[500] to 103.46.209.154[500]
        Feb 19 15:12:49 charon 02[MGR] <con1|4> checkin of IKE_SA successful
        Feb 19 15:12:55 charon 02[MGR] checkout IKEv1 SA with SPIs 7ba7c04f2b6e9753_i b49a71955a2f7a35_r
        Feb 19 15:12:55 charon 02[MGR] IKE_SA checkout not successful
        Feb 19 15:12:55 charon 06[MGR] checkout IKEv1 SA with SPIs c24d4bc5c9ba68b2_i f79e3272d7218d04_r
        Feb 19 15:12:55 charon 06[MGR] IKE_SA con1[4] successfully checked out
        Feb 19 15:12:55 charon 06[MGR] <con1|4> checkin and destroy IKE_SA con1[4]
        Feb 19 15:12:55 charon 06[IKE] <con1|4> IKE_SA con1[4] state change: CONNECTING => DESTROYING
        Feb 19 15:12:55 charon 06[MGR] checkin and destroy of IKE_SA successful
        Feb 19 15:13:12 charon 06[MGR] checkout IKEv1 SA with SPIs c24d4bc5c9ba68b2_i f79e3272d7218d04_r
        Feb 19 15:13:12 charon 06[MGR] IKE_SA checkout not successful
        Feb 19 15:25:04 charon 07[NET] received packet: from 172.30.3.163[500] to 10.20.0.2[500]
        Feb 19 15:25:04 charon 07[NET] waiting for data on sockets
        Feb 19 15:25:04 charon 11[MGR] checkout IKEv1 SA by message with SPIs 72c13bb99d21bb9e_i 0000000000000000_r
        Feb 19 15:25:04 charon 11[MGR] created IKE_SA (unnamed)[5]
        Feb 19 15:25:04 charon 11[NET] <5> received packet: from 172.30.3.163[500] to 10.20.0.2[500] (1183 bytes)
        Feb 19 15:25:04 charon 11[IKE] <5> received XAuth vendor ID
        Feb 19 15:25:04 charon 11[IKE] <5> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
        Feb 19 15:25:04 charon 11[IKE] <5> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
        Feb 19 15:25:04 charon 11[IKE] <5> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
        Feb 19 15:25:04 charon 11[IKE] <5> received NAT-T (RFC 3947) vendor ID
        Feb 19 15:25:04 charon 11[IKE] <5> received FRAGMENTATION vendor ID
        Feb 19 15:25:04 charon 11[IKE] <5> received DPD vendor ID
        Feb 19 15:25:04 charon 11[IKE] <5> received Cisco Unity vendor ID
        Feb 19 15:25:04 charon 11[IKE] <5> 172.30.3.163 is initiating a Aggressive Mode IKE_SA
        Feb 19 15:25:04 charon 11[IKE] <5> IKE_SA (unnamed)[5] state change: CREATED => CONNECTING
        Feb 19 15:25:04 charon 11[LIB] <5> size of DH secret exponent: 1023 bits
        Feb 19 15:25:04 charon 11[IKE] <con1|5> sending XAuth vendor ID
        Feb 19 15:25:04 charon 11[IKE] <con1|5> sending DPD vendor ID
        Feb 19 15:25:04 charon 11[IKE] <con1|5> sending Cisco Unity vendor ID
        Feb 19 15:25:04 charon 11[IKE] <con1|5> sending FRAGMENTATION vendor ID
        Feb 19 15:25:04 charon 11[IKE] <con1|5> sending NAT-T (RFC 3947) vendor ID
        Feb 19 15:25:04 charon 11[NET] <con1|5> sending packet: from 10.20.0.2[500] to 172.30.3.163[500] (432 bytes)
        Feb 19 15:25:04 charon 11[MGR] <con1|5> checkin IKE_SA con1[5]
        Feb 19 15:25:04 charon 11[MGR] <con1|5> checkin of IKE_SA successful
        Feb 19 15:25:04 charon 04[NET] sending packet: from 10.20.0.2[500] to 172.30.3.163[500]
        Feb 19 15:25:08 charon 11[MGR] checkout IKEv1 SA with SPIs 72c13bb99d21bb9e_i 27700ec4f94d446a_r
        Feb 19 15:25:08 charon 11[MGR] IKE_SA con1[5] successfully checked out
        Feb 19 15:25:08 charon 11[IKE] <con1|5> sending retransmit 1 of response message ID 0, seq 1
        Feb 19 15:25:08 charon 11[NET] <con1|5> sending packet: from 10.20.0.2[500] to 172.30.3.163[500] (432 bytes)
        Feb 19 15:25:08 charon 11[MGR] <con1|5> checkin IKE_SA con1[5]
        Feb 19 15:25:08 charon 11[MGR] <con1|5> checkin of IKE_SA successful
        Feb 19 15:25:08 charon 04[NET] sending packet: from 10.20.0.2[500] to 172.30.3.163[500]
        Feb 19 15:25:09 charon 07[NET] received packet: from 172.30.3.163[500] to 10.20.0.2[500]
        Feb 19 15:25:09 charon 07[NET] waiting for data on sockets
        Feb 19 15:25:09 charon 11[MGR] checkout IKEv1 SA by message with SPIs 72c13bb99d21bb9e_i 0000000000000000_r
        Feb 19 15:25:09 charon 11[MGR] IKE_SA con1[5] successfully checked out
        Feb 19 15:25:09 charon 11[NET] <con1|5> received packet: from 172.30.3.163[500] to 10.20.0.2[500] (1183 bytes)
        Feb 19 15:25:09 charon 11[IKE] <con1|5> received retransmit of request with ID 0, retransmitting response
        Feb 19 15:25:09 charon 11[NET] <con1|5> sending packet: from 10.20.0.2[500] to 172.30.3.163[500] (432 bytes)
        Feb 19 15:25:09 charon 11[MGR] <con1|5> checkin IKE_SA con1[5]
        Feb 19 15:25:09 charon 04[NET] sending packet: from 10.20.0.2[500] to 172.30.3.163[500]
        Feb 19 15:25:09 charon 11[MGR] <con1|5> checkin of IKE_SA successful
        Feb 19 15:25:14 charon 07[NET] received packet: from 172.30.3.163[500] to 10.20.0.2[500]
        Feb 19 15:25:14 charon 07[NET] waiting for data on sockets
        Feb 19 15:25:14 charon 11[MGR] checkout IKEv1 SA by message with SPIs 72c13bb99d21bb9e_i 0000000000000000_r
        Feb 19 15:25:14 charon 11[MGR] IKE_SA con1[5] successfully checked out
        Feb 19 15:25:14 charon 11[NET] <con1|5> received packet: from 172.30.3.163[500] to 10.20.0.2[500] (1183 bytes)
        Feb 19 15:25:14 charon 11[IKE] <con1|5> received retransmit of request with ID 0, retransmitting response
        Feb 19 15:25:14 charon 11[NET] <con1|5> sending packet: from 10.20.0.2[500] to 172.30.3.163[500] (432 bytes)
        Feb 19 15:25:14 charon 11[MGR] <con1|5> checkin IKE_SA con1[5]
        Feb 19 15:25:14 charon 04[NET] sending packet: from 10.20.0.2[500] to 172.30.3.163[500]
        Feb 19 15:25:14 charon 11[MGR] <con1|5> checkin of IKE_SA successful
        Feb 19 15:25:15 charon 11[MGR] checkout IKEv1 SA with SPIs 72c13bb99d21bb9e_i 27700ec4f94d446a_r
        Feb 19 15:25:15 charon 11[MGR] IKE_SA con1[5] successfully checked out
        Feb 19 15:25:15 charon 11[IKE] <con1|5> sending retransmit 2 of response message ID 0, seq 1
        Feb 19 15:25:15 charon 11[NET] <con1|5> sending packet: from 10.20.0.2[500] to 172.30.3.163[500] (432 bytes)
        Feb 19 15:25:15 charon 11[MGR] <con1|5> checkin IKE_SA con1[5]
        Feb 19 15:25:15 charon 04[NET] sending packet: from 10.20.0.2[500] to 172.30.3.163[500]
        Feb 19 15:25:15 charon 11[MGR] <con1|5> checkin of IKE_SA successful
        Feb 19 15:25:19 charon 07[NET] received packet: from 172.30.3.163[500] to 10.20.0.2[500]
        Feb 19 15:25:19 charon 07[NET] waiting for data on sockets
        Feb 19 15:25:19 charon 12[MGR] checkout IKEv1 SA by message with SPIs 72c13bb99d21bb9e_i 0000000000000000_r
        Feb 19 15:25:19 charon 12[MGR] IKE_SA con1[5] successfully checked out
        Feb 19 15:25:19 charon 12[NET] <con1|5> received packet: from 172.30.3.163[500] to 10.20.0.2[500] (1183 bytes)
        Feb 19 15:25:19 charon 12[IKE] <con1|5> received retransmit of request with ID 0, retransmitting response
        Feb 19 15:25:19 charon 12[NET] <con1|5> sending packet: from 10.20.0.2[500] to 172.30.3.163[500] (432 bytes)
        Feb 19 15:25:19 charon 12[MGR] <con1|5> checkin IKE_SA con1[5]
        Feb 19 15:25:19 charon 04[NET] sending packet: from 10.20.0.2[500] to 172.30.3.163[500]
        Feb 19 15:25:19 charon 12[MGR] <con1|5> checkin of IKE_SA successful
        Feb 19 15:25:28 charon 12[MGR] checkout IKEv1 SA with SPIs 72c13bb99d21bb9e_i 27700ec4f94d446a_r
        Feb 19 15:25:28 charon 12[MGR] IKE_SA con1[5] successfully checked out
        Feb 19 15:25:28 charon 12[IKE] <con1|5> sending retransmit 3 of response message ID 0, seq 1
        Feb 19 15:25:28 charon 12[NET] <con1|5> sending packet: from 10.20.0.2[500] to 172.30.3.163[500] (432 bytes)
        Feb 19 15:25:28 charon 12[MGR] <con1|5> checkin IKE_SA con1[5]
        Feb 19 15:25:28 charon 04[NET] sending packet: from 10.20.0.2[500] to 172.30.3.163[500]
        Feb 19 15:25:28 charon 12[MGR] <con1|5> checkin of IKE_SA successful
        Feb 19 15:25:34 charon 12[MGR] checkout IKEv1 SA with SPIs 72c13bb99d21bb9e_i 27700ec4f94d446a_r
        Feb 19 15:25:34 charon 12[MGR] IKE_SA con1[5] successfully checked out
        Feb 19 15:25:34 charon 12[MGR] <con1|5> checkin and destroy IKE_SA con1[5]
        Feb 19 15:25:34 charon 12[IKE] <con1|5> IKE_SA con1[5] state change: CONNECTING => DESTROYING
        Feb 19 15:25:34 charon 12[MGR] checkin and destroy of IKE_SA successful

          -Sonic-
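Added example (my own Python, not pfSense or strongSwan code) that triages the two failure patterns visible in the charon logs of both posts above: the "no proposal found" attempts, where none of the client's offered IKE proposals matches the single configured one, and the attempts where the Aggressive Mode reply is retransmitted three times and the half-open SA is deleted, which means the reply never got back to the client. It also checks the static NAT lines of the Cisco config in the first post for the three translations a NAT-T capable peer needs (UDP 500, UDP 4500, ESP); that the config has no UDP 4500 entry is read straight from the page, while the idea that this explains the timeouts is an assumption to verify, not something the thread confirms.

```python
"""Triage the charon (strongSwan) IKEv1 log excerpts and Cisco NAT config from this thread.

Added example, not pfSense or strongSwan code. Per IKE_SA it reports the client's offered
proposals vs. the configured one and which fields of the closest pair differ, and whether
the responder's reply was retransmitted until the half-open SA timed out. It also checks a
Cisco IOS config for the static NAT entries a NAT-T peer needs: UDP 500, UDP 4500, ESP.
"""
import re
from collections import defaultdict

FIELDS = ("encryption", "integrity", "prf", "dh_group")
SA_RE = re.compile(r"<(?:\w+\|)?(?P<sa>\d+)>\s*(?P<msg>.*)")   # matches <17> ... and <con1|18> ...
PROPOSAL_RE = re.compile(r"(?P<kind>received|configured) proposals: (?P<rest>.*)")
NAT_STATIC_RE = re.compile(
    r"^ip nat inside source static (?P<proto>udp|tcp|esp) (?P<host>\S+)(?: (?P<port>\d+))?")

def parse_proposals(text):
    """'IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:...' -> list of 4-tuples."""
    return [tuple(item.strip()[4:].split("/"))
            for item in text.split(",") if item.strip().startswith("IKE:")]

def closest_mismatch(received, configured):
    """Name the fields that differ for the client proposal closest to a configured one."""
    best = None
    for r in received:
        for c in configured:
            diff = [name for name, a, b in zip(FIELDS, r, c) if a != b]
            if best is None or len(diff) < len(best):
                best = diff
    return best or []

def triage_charon(lines):
    """Per-IKE_SA findings from charon log lines; lines without an IKE_SA id are skipped."""
    sas = defaultdict(lambda: {"received": [], "configured": [], "retransmits": 0,
                               "timed_out": False, "no_proposal": False})
    for line in lines:
        m = SA_RE.search(line)
        if not m:
            continue
        sa, msg = m.group("sa"), m.group("msg")
        pm = PROPOSAL_RE.match(msg)
        if pm:
            sas[sa][pm.group("kind")] = parse_proposals(pm.group("rest"))
        elif "no proposal found" in msg:
            sas[sa]["no_proposal"] = True
        elif msg.startswith("sending retransmit"):
            sas[sa]["retransmits"] += 1
        elif "deleting half open IKE_SA after timeout" in msg:
            sas[sa]["timed_out"] = True
    for d in sas.values():
        d["common"] = [p for p in d["received"] if p in d["configured"]]
        d["differs_in"] = closest_mismatch(d["received"], d["configured"])
        d["verdicts"] = []
        if d["no_proposal"]:
            d["verdicts"].append("IKE proposal mismatch; closest client proposal differs in "
                                 + ", ".join(d["differs_in"]))
        if d["retransmits"] >= 3 and d["timed_out"]:
            d["verdicts"].append("reply retransmitted %d times, then half-open timeout: the reply "
                                 "is not reaching or not accepted by the client; check NAT and "
                                 "forwarding of IKE back to it" % d["retransmits"])
    return dict(sas)

def check_cisco_nat(config_lines, inside_host):
    """Which of udp/500, udp/4500 and esp have a static NAT entry towards inside_host."""
    needed = {("udp", "500"): False, ("udp", "4500"): False, ("esp", None): False}
    for line in config_lines:
        m = NAT_STATIC_RE.match(line.strip())
        if m and m.group("host") == inside_host and (m.group("proto"), m.group("port")) in needed:
            needed[(m.group("proto"), m.group("port"))] = True
    return {(p + "/" + port) if port else p: ok for (p, port), ok in needed.items()}

# Excerpt of the charon lines quoted in the first post (SA 17: no proposal; SA 18: timeout).
SAMPLE_LOG = """\
Feb 18 13:09:00 charon 08[CFG] <17> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
Feb 18 13:09:00 charon 08[CFG] <17> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 18 13:09:00 charon 08[IKE] <17> no proposal found
Feb 18 13:09:00 charon 08[CFG] <18> selected peer config "con1"
Feb 18 13:09:00 charon 08[NET] <con1|18> sending packet: from 10.20.0.2[500] to 103.46.209.154[500] (412 bytes)
Feb 18 13:09:04 charon 08[IKE] <con1|18> sending retransmit 1 of response message ID 0, seq 1
Feb 18 13:09:11 charon 10[IKE] <con1|18> sending retransmit 2 of response message ID 0, seq 1
Feb 18 13:09:24 charon 13[IKE] <con1|18> sending retransmit 3 of response message ID 0, seq 1
Feb 18 13:09:30 charon 14[JOB] <con1|18> deleting half open IKE_SA after timeout
"""
# The NAT lines of the Cisco config in the first post.
SAMPLE_CISCO = """\
ip nat inside source list 111 interface GigabitEthernet0/0/0 overload
ip nat inside source static udp 10.20.0.2 500 interface GigabitEthernet0/0/0 500
ip nat inside source static esp 10.20.0.2 interface GigabitEthernet0/0/0
ip nat inside source static tcp 10.20.0.2 22 x.x.208.170 1022 extendable
"""

if __name__ == "__main__":
    for sa, d in triage_charon(SAMPLE_LOG.splitlines()).items():
        print("IKE_SA %s: %s" % (sa, d["verdicts"] or ["no finding"]))
    print("static NAT to 10.20.0.2:", check_cisco_nat(SAMPLE_CISCO.splitlines(), "10.20.0.2"))
```

For SA 17 the closest client proposal differs only in encryption (AES-256 vs AES-128) and DH group (2048 vs 1024 bit), which is what the responder's Phase 1 would need to offer for that client; SA 18 shows the unanswered-reply pattern.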

          Have you fixed this problem? It seems that I have exactly the same problem as you.
          My config is almost the same as yours. I hope someone could give the right answer.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.