Netgate Discussion Forum
    IPSec with AWS

    manikandan

      Hi,

      I'm using a pfSense firewall on AWS, and while configuring IPsec I'm facing a problem. Please help me resolve it.
      As I'm using AWS, my firewall private IP is 10.10.10.100, and consider my public IP to be xx.xx.xx.xxx.

      Firewall Private IP: 10.10.10.100
      Firewall public IP: xx.xx.xx.xx
      Remote IP: rr.rr.rr.rr

      @Phase1
      Encryption Algorithm : 3DES
      Hash Algorithm : SHA1
      My identifier : My Ip address
      Peer identifier : IP address  10.10.10.100

      The problem is that while connecting IPsec I'm getting the message below and the connection is not successful.

      Feb 22 09:52:48 charon 05[IKE] <con2000|1>received DPD vendor ID
      Feb 22 09:52:48 charon 05[IKE] <con2000|1>IDir 'rr.rr.rr.rr' does not match to 'xx.xx.xx.xx'
      Feb 22 09:52:48 charon 05[IKE] <con2000|1>deleting IKE_SA con2000[1] between 10.10.10.100[10.10.10.100]…rr.rr.rr.rr[%any]
      Feb 22 09:52:48 charon 05[IKE] <con2000|1>sending DELETE for IKE_SA con2000[1]
      Feb 22 09:52:48 charon 05[ENC] <con2000|1>generating INFORMATIONAL_V1 request 1432215359 [ HASH D ]
      Feb 22 09:52:48 charon 05[NET] <con2000|1>sending packet: from 10.10.10.100[4500] to rr.rr.rr.rr[4500] (84 bytes)

      Thank you,
      Manikandan

      jrsphoto

        Looks like your pfSense is behind NAT.  Try changing your peer identifier setting to "IP Address" and enter the pre-NAT IP address.

        Have a look at this document https://doc.pfsense.org/index.php/IPsec_Troubleshooting and look at the section "Mismatched Identifier with NAT"

        John

        manikandan
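As an added troubleshooting aid (not code from the thread or from pfSense), the Python below parses charon log lines like the ones posted above and points at the two identifier problems the reply describes: a peer ID that does not match the configured Peer identifier, and a local ID that is a private address because the firewall sits behind NAT. The sample log is constructed, with documentation-range addresses standing in for the masked xx/rr values.

```python
import ipaddress
import re

# Constructed sample based on the charon lines in the post above; the
# forum's masked xx/rr addresses are replaced with documentation-range IPs.
SAMPLE_LOG = """\
Feb 22 09:52:48 charon 05[IKE] <con2000|1> received DPD vendor ID
Feb 22 09:52:48 charon 05[IKE] <con2000|1> IDir '198.51.100.20' does not match to '203.0.113.10'
Feb 22 09:52:48 charon 05[IKE] <con2000|1> deleting IKE_SA con2000[1] between 10.10.10.100[10.10.10.100]...198.51.100.20[%any]
Feb 22 09:52:48 charon 05[IKE] <con2000|1> sending DELETE for IKE_SA con2000[1]
"""

IDIR_RE = re.compile(r"IDir '([^']+)' does not match to '([^']+)'")
SA_RE = re.compile(r"IKE_SA \S+ between (\S+?)\[([^\]]*)\]\.\.\.(\S+?)\[([^\]]*)\]")
# RFC 1918 only: Python's is_private would also flag documentation ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(value):
    """True when value is an IPv4 address inside an RFC 1918 (NATed) range."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:          # identifiers may be FQDNs or '%any'
        return False
    return any(addr in net for net in RFC1918)


def diagnose(log_text):
    """Return (finding, hint) pairs explaining why charon tore down the IKE_SA."""
    findings = []
    for line in log_text.splitlines():
        m = IDIR_RE.search(line)
        if m:
            received, expected = m.groups()
            findings.append((
                f"peer sent identifier {received} but local config expects {expected}",
                "Peer identifier must match what the remote actually sends "
                "(normally its public IP); it is never this firewall's own address",
            ))
        m = SA_RE.search(line)
        if m:
            local_addr, local_id, _remote_addr, _remote_id = m.groups()
            if is_rfc1918(local_id):
                findings.append((
                    f"this side identifies itself as {local_id}, a private address "
                    f"(interface {local_addr})",
                    "behind NAT (e.g. AWS) set My identifier to type IP address with the "
                    "public IP, so the remote sees the ID it expects",
                ))
    return findings
```

Run `diagnose(SAMPLE_LOG)` to get both findings for the posted log; feed it the real log text from Status > System Logs > IPsec to check your own tunnel.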

          Hi,

          Thanks for the reply. I have already tried that, but it was not working.

          Mani

          Derelict (Netgate)

            That would be closer to how it should be so change it back and post those logs. What you have there is certainly not right.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)
