Netgate Discussion Forum
Diffie-Hellman group error in phase 1

IPsec | 20 Posts, 3 Posters, 3.8k Views
Unchewable

I have 4 IPsec tunnels connecting to my pfSense; only 1 of them is having issues connecting, as if pfSense is just blocking that one, when they are all set up the same. We recently had an outage with AT&T at that site, but it came up just fine for days before this. I have updated firmware, rebooted, etc.; nothing works, and all the settings look correct. The only thing I can find out of the norm is MODP 1024 configured and 1536 received. The DH group in phase 1 is set to 5; I have the screenshot for phase 2 attached.

      Aug 24 08:40:22 charon 06[NET] <10788> sending packet: from xx.xx.xxx.xx[500] to xx.xx.xx.xx[500] (56 bytes)
      Aug 24 08:40:22 charon 06[ENC] <10788> generating INFORMATIONAL_V1 request 3610246692 [ N(NO_PROP) ]
      Aug 24 08:40:22 charon 06[IKE] <10788> activating INFORMATIONAL task
      Aug 24 08:40:22 charon 06[IKE] <10788> activating new tasks
      Aug 24 08:40:22 charon 06[IKE] <10788> queueing INFORMATIONAL task
      Aug 24 08:40:22 charon 06[IKE] <10788> no proposal found
      Aug 24 08:40:22 charon 06[CFG] <10788> configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      Aug 24 08:40:22 charon 06[CFG] <10788> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
      Aug 24 08:40:22 charon 06[CFG] <10788> no acceptable DIFFIE_HELLMAN_GROUP found
      Aug 24 08:40:22 charon 06[CFG] <10788> selecting proposal:
      Aug 24 08:40:22 charon 06[IKE] <10788> IKE_SA (unnamed)[10788] state change: CREATED => CONNECTING
      Aug 24 08:40:22 charon 06[IKE] <10788> remote ip is initiating a Main Mode IKE_SA
      Aug 24 08:40:22 charon 06[ENC] <10788> received unknown vendor ID: xx:xx:xx:xx:xx:xx:xx:xx:xx
      Aug 24 08:40:22 charon 06[IKE] <10788> received DPD vendor ID
      Aug 24 08:40:22 charon 06[IKE] <10788> received NAT-T (RFC 3947) vendor ID
      Aug 24 08:40:22 charon 06[IKE] <10788> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
      Aug 24 08:40:22 charon 06[IKE] <10788> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      Aug 24 08:40:22 charon 06[IKE] <10788> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
      Aug 24 08:40:22 charon 06[ENC] <10788> received unknown vendor ID: xx:xx:xx:Xx:xx:xx:xx:xx:Xx:xx:xx:xx:xx:xx:Xx
      Aug 24 08:40:22 charon 06[ENC] <10788> received unknown vendor ID: xx:xx:xx:Xx:xx:xx:xx:xx:Xx:xx:xx:xx:xx:xx:Xx
      Aug 24 08:40:22 charon 06[CFG] <10788> found matching ike config: xx.xx.xxx.xx…%any with prio 1052
      Aug 24 08:40:22 charon 06[CFG] <10788> candidate: xx.xx.xxx.xx…%any, prio 1052
      Aug 24 08:40:22 charon 06[CFG] <10788> looking for an ike config for xx.xx.xxx.xx…xx.xx.xxx.xx
      Aug 24 08:40:22 charon 06[ENC] <10788> parsed ID_PROT request 0 [ SA V V V V V V V V ]
      Aug 24 08:40:22 charon 06[NET] <10788> received packet: from xx.xx.xxx.xx[500] to 71.95.197.22[500] (240 bytes)
      Aug 24 08:40:15 charon 06[IKE] <con3|9099> nothing to initiate
      Aug 24 08:40:15 charon 06[IKE] <con3|9099> activating new tasks
      Aug 24 08:40:15 charon 06[ENC] <con3|9099> parsed INFORMATIONAL_V1 request 368268754 [ HASH N(DPD_ACK) ]

      ![phase 2 barstow.JPG](/public/imported_attachments/1/phase 2 barstow.JPG)

Unchewable

It is as if pfSense is setting it to DH2 in the second phase even though I have it set to none. So I changed the PFS key group setting on both sides to none, then 2, then 5; it fails every time.

Derelict (LAYER 8, Netgate)

          That looks to me like your Phase 1 is configured for group 2 and the other side is expecting group 5.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

Unchewable

Yeah, that is the weird thing: the logs are showing that, but the settings are set to 5 on both sides. See attached. Any ideas? Should I reboot pfSense after hours tonight?

![pfsense phase1.JPG](/public/imported_attachments/1/pfsense phase1.JPG)
![zyxel phase1.JPG](/public/imported_attachments/1/zyxel phase1.JPG)

Derelict (LAYER 8, Netgate)

No need to reboot. If anything, stop and start the IPsec service. Don't restart; stop, then start.


Unchewable

It's so strange, as pfSense has been so reliable, and I have 3 other sites that are connecting with the exact same config and connecting fine.

I am remoted into the remote router; it's a Zyxel, and it seems to be running fine, with the exception of getting timed out each time I try to connect.

I even set up aggressive mode on both sides and changed to DH2 just to see if it did anything, but it gave the exact same error.

Derelict (LAYER 8, Netgate)

Yeah, stop stabbing around at checkboxes that make no difference.

                  Is this 2.3.4_1?


Unchewable

Restarted the IPsec service, no dice. I am running 2.3.2-RELEASE.

Derelict (LAYER 8, Netgate)

                      I don't know of anything that would affect that but maybe you should get current.

PM me your /var/etc/ipsec/ipsec.conf and the output of ipsec statusall.

If the logs have changed, it might be helpful to see fresh ones, too.


Unchewable

Will PM you. I know I even set up a completely new connection on pfSense and the remote router. pfSense is still stuck on wanting DH2 in phase 1 for some reason, so I matched that on the remote site and got a "pseudo random function" error. See below.

                        Aug 24 13:46:26 charon 06[IKE] <11758> IKE_SA (unnamed)[11758] state change: CONNECTING => DESTROYING
                        Aug 24 13:46:26 charon 06[NET] <11758> sending packet: from xxxxxxx[500] to xxxxxx[500] (56 bytes)
                        Aug 24 13:46:26 charon 06[ENC] <11758> generating INFORMATIONAL_V1 request 1417244930 [ N(NO_PROP) ]
                        Aug 24 13:46:26 charon 06[IKE] <11758> activating INFORMATIONAL task
                        Aug 24 13:46:26 charon 06[IKE] <11758> activating new tasks
                        Aug 24 13:46:26 charon 06[IKE] <11758> queueing INFORMATIONAL task
                        Aug 24 13:46:26 charon 06[IKE] <11758> no proposal found
                        Aug 24 13:46:26 charon 06[CFG] <11758> configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
                        Aug 24 13:46:26 charon 06[CFG] <11758> received proposals: IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
                        Aug 24 13:46:26 charon 06[CFG] <11758> no acceptable PSEUDO_RANDOM_FUNCTION found
                        Aug 24 13:46:26 charon 06[CFG] <11758> selecting proposal:
                        Aug 24 13:46:26 charon 06[IKE] <11758> IKE_SA (unnamed)[11758] state change: CREATED => CONNECTING
                        Aug 24 13:46:26 charon 06[IKE] <11758> xxxxxxx is initiating a Main Mode IKE_SA
                        Aug 24 13:46:26 charon 06[ENC] <11758> received unknown vendor ID:
                        Aug 24 13:46:26 charon 06[IKE] <11758> received DPD vendor ID
                        Aug 24 13:46:26 charon 06[IKE] <11758> received NAT-T (RFC 3947) vendor ID
                        Aug 24 13:46:26 charon 06[IKE] <11758> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
                        Aug 24 13:46:26 charon 06[IKE] <11758> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
                        Aug 24 13:46:26 charon 06[IKE] <11758> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
                        Aug 24 13:46:26 charon 06[ENC] <11758> received unknown vendor ID:
                        Aug 24 13:46:26 charon 06[ENC] <11758> received unknown vendor ID:
                        Aug 24 13:46:26 charon 06[CFG] <11758> found matching ike config: xxxxxxxxx…%any with prio 1052
                        Aug 24 13:46:26 charon 06[CFG] <11758> candidate: xxxxxxxx…%any, prio 1052
                        Aug 24 13:46:26 charon 06[CFG] <11758> looking for an ike config for xxxxxxx…xxxxxxxx
                        Aug 24 13:46:26 charon 06[ENC] <11758> parsed ID_PROT request 0 [ SA V V V V V V V V ]
                        Aug 24 13:46:26 charon 06[NET] <11758> received packet: from xxxx[500] to xxxxx[500] (240 bytes)

Derelict (LAYER 8, Netgate)

That is set to MD5 on one side and SHA1 on the other.

These do not match:

    IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024


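Both diagnoses in this thread (group 2 vs group 5 in the first logs, MD5 vs SHA1 here) come from reading the "configured proposals" and "received proposals" lines by eye. As an added example, not code from this thread, from pfSense or from strongSwan, the Python below parses those charon line pairs, reports which proposal component (ENCR, INTEG, PRF or DH) no configured proposal can satisfy, and translates the MODP names into the DH group numbers the GUI shows, so MODP_1024 reads as group 2 and MODP_1536 as group 5 (RFC 2409 / RFC 3526 numbering). The SAMPLE_LOG is constructed from the lines quoted in this thread; the regex and the component classification by algorithm-name prefix are assumptions about charon's output format, not a documented API.

```python
"""Spot which IKE proposal component disagrees in strongSwan (charon) log lines
as pasted from the pfSense IPsec log. Added example, not from the thread or the
projects it discusses; SAMPLE_LOG is constructed from the thread's own lines."""
import re
from collections import defaultdict

# charon's MODP/ECP names mapped to IKE Diffie-Hellman group numbers
# (RFC 2409 groups 1-2, RFC 3526 groups 5 and 14-18, RFC 5903 groups 19-21).
DH_GROUPS = {
    "MODP_768": 1, "MODP_1024": 2, "MODP_1536": 5, "MODP_2048": 14,
    "MODP_3072": 15, "MODP_4096": 16, "MODP_6144": 17, "MODP_8192": 18,
    "ECP_256": 19, "ECP_384": 20, "ECP_521": 21,
}

# Assumed line shape: ... <SA-id> configured|received proposals: IKE:a/b/c/d, IKE:...
PROPOSAL_RE = re.compile(
    r"<(?P<sa>[^>]+)>\s*(?P<kind>configured|received) proposals: (?P<props>.+)$"
)

# Constructed sample: the three proposal pairs quoted in this thread.
SAMPLE_LOG = """\
Aug 24 08:40:22 charon 06[CFG] <10788> configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Aug 24 08:40:22 charon 06[CFG] <10788> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
Aug 24 13:46:26 charon 06[CFG] <11758> configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Aug 24 13:46:26 charon 06[CFG] <11758> received proposals: IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Aug 24 15:41:41 charon 04[CFG] <12046> configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Aug 24 15:41:41 charon 04[CFG] <12046> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
"""


def classify(alg):
    """Assign one algorithm token to its proposal component by name prefix (assumption)."""
    if alg in DH_GROUPS or alg.startswith(("MODP_", "ECP_", "CURVE_")):
        return "DH"
    if alg.startswith("PRF_"):
        return "PRF"
    if alg.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")):
        return "INTEG"
    return "ENCR"


def parse_proposals(props):
    """'IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:...' -> list of component dicts."""
    result = []
    for prop in props.split(", "):
        prop = prop.strip()
        if prop.startswith("IKE:"):
            prop = prop[4:]
        result.append({classify(alg): alg for alg in prop.split("/")})
    return result


def dh_label(alg):
    """MODP_1536 -> 'MODP_1536 (DH group 5)', i.e. the number the GUI drop-down shows."""
    grp = DH_GROUPS.get(alg)
    return f"{alg} (DH group {grp})" if grp else alg


def diagnose(log_text):
    """Return {sa_id: {"match": bool, "mismatches": {component: (configured, received)}}}."""
    seen = defaultdict(dict)
    for line in log_text.splitlines():
        m = PROPOSAL_RE.search(line)
        if m:
            seen[m.group("sa")][m.group("kind")] = parse_proposals(m.group("props"))
    report = {}
    for sa, sides in seen.items():
        conf, recv = sides.get("configured", []), sides.get("received", [])
        if not conf or not recv:
            continue  # only one side logged for this SA; nothing to compare
        # charon accepts a received proposal only if it equals a configured one in every component.
        match = any(r == c for r in recv for c in conf)
        mismatches = {}
        if not match:
            for comp in ("ENCR", "INTEG", "PRF", "DH"):
                offered = {c[comp] for c in conf if comp in c}
                asked = {r[comp] for r in recv if comp in r}
                if asked and not (offered & asked):
                    mismatches[comp] = (sorted(offered), sorted(asked))
        report[sa] = {"match": match, "mismatches": mismatches}
    return report


def explain(report):
    """Human-readable lines, with DH names translated to group numbers."""
    lines = []
    for sa, r in sorted(report.items()):
        if r["match"]:
            lines.append(f"<{sa}> proposal matches")
            continue
        for comp, (offered, asked) in r["mismatches"].items():
            fmt = dh_label if comp == "DH" else (lambda a: a)
            lines.append(f"<{sa}> {comp} mismatch: configured {', '.join(map(fmt, offered))} "
                         f"vs received {', '.join(map(fmt, asked))}")
    return lines


if __name__ == "__main__":
    for line in explain(diagnose(SAMPLE_LOG)):
        print(line)
```

Run against the sample, it reports a DH-only mismatch for SA 10788 (group 2 configured, group 5 received), an INTEG and PRF mismatch for SA 11758, and a clean match for SA 12046, which is what charon itself concluded in each case. Pipe the real log through `diagnose()` instead of SAMPLE_LOG to get the same summary for a live tunnel.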
Unchewable

I set them both to match, but it's like pfSense is sticking. I am going to have them all set to SHA1, but then the log says it doesn't support a pre-shared key. Stand by, I have to drive home, then I will try again and repost logs. Feels like I am closer, at least.

Derelict (LAYER 8, Netgate)

There are settings that do not take effect until rekey/reauth or until the tunnel is torn down and brought back up. IPsec is generally set-it-and-forget-it, so it likes to keep the tunnels up.


Unchewable

Yeah, for all my other sites it has been set-it-and-forget-it, so I set up another tunnel to see if that fixed it, but it just seemed to have other issues. The most I have had to do up till now is reset the unit; usually I just need to reconnect the VPN.

Here are the most recent logs, as I went back to that tunnel. I changed the designations to "pfsense" and "remote"; also, both are set to DH5 for phase 1 and none for phase 2.

                                Aug 24 15:35:52 charon 06[IKE] <12010> IKE_SA (unnamed)[12010] state change: CONNECTING => DESTROYING
                                Aug 24 15:35:52 charon 06[NET] <12010> sending packet: from pfsense[500] to remote[500] (56 bytes)
                                Aug 24 15:35:52 charon 06[ENC] <12010> generating INFORMATIONAL_V1 request 1130904949 [ N(NO_PROP) ]
                                Aug 24 15:35:52 charon 06[IKE] <12010> activating INFORMATIONAL task
                                Aug 24 15:35:52 charon 06[IKE] <12010> activating new tasks
                                Aug 24 15:35:52 charon 06[IKE] <12010> queueing INFORMATIONAL task
                                Aug 24 15:35:52 charon 06[IKE] <12010> no proposal found
                                Aug 24 15:35:52 charon 06[CFG] <12010> configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
                                Aug 24 15:35:52 charon 06[CFG] <12010> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
                                Aug 24 15:35:52 charon 06[CFG] <12010> no acceptable DIFFIE_HELLMAN_GROUP found
                                Aug 24 15:35:52 charon 06[CFG] <12010> selecting proposal:
                                Aug 24 15:35:52 charon 06[IKE] <12010> IKE_SA (unnamed)[12010] state change: CREATED => CONNECTING
                                Aug 24 15:35:52 charon 06[IKE] <12010> remote is initiating a Main Mode IKE_SA
                                Aug 24 15:35:52 charon 06[ENC] <12010> received unknown vendor ID: af:ca:d7:13:68:a1:f1:c9:6b:86:96:fc:77:57
                                Aug 24 15:35:52 charon 06[IKE] <12010> received DPD vendor ID
                                Aug 24 15:35:52 charon 06[IKE] <12010> received NAT-T (RFC 3947) vendor ID
                                Aug 24 15:35:52 charon 06[IKE] <12010> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
                                Aug 24 15:35:52 charon 06[IKE] <12010> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
                                Aug 24 15:35:52 charon 06[IKE] <12010> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
                                Aug 24 15:35:52 charon 06[ENC] <12010> received unknown vendor ID:
                                Aug 24 15:35:52 charon 06[ENC] <12010> received unknown vendor ID:
                                Aug 24 15:35:52 charon 06[CFG] <12010> found matching ike config: pfsense…%any with prio 1052
                                Aug 24 15:35:52 charon 06[CFG] <12010> candidate: pfsense…%any, prio 1052
                                Aug 24 15:35:52 charon 06[CFG] <12010> looking for an ike config for pfsense…remote
                                Aug 24 15:35:52 charon 06[ENC] <12010> parsed ID_PROT request 0 [ SA V V V V V V V V ]
                                Aug 24 15:35:52 charon 06[NET] <12010> received packet: from remote[500] to pfsense[500] (240 bytes)

Unchewable

Now that I changed the remote to DH2, I get this:

                                  Aug 24 15:41:42 charon 10[IKE] <12046> IKE_SA (unnamed)[12046] state change: CONNECTING => DESTROYING
                                  Aug 24 15:41:42 charon 10[NET] <12046> sending packet: from pfsense[4500] to remote[4500] (84 bytes)
                                  Aug 24 15:41:42 charon 10[ENC] <12046> generating INFORMATIONAL_V1 request 295856288 [ HASH N(AUTH_FAILED) ]
                                  Aug 24 15:41:42 charon 10[IKE] <12046> activating INFORMATIONAL task
                                  Aug 24 15:41:42 charon 10[IKE] <12046> activating new tasks
                                  Aug 24 15:41:42 charon 10[IKE] <12046> queueing INFORMATIONAL task
                                  Aug 24 15:41:42 charon 10[IKE] <12046> found 1 matching config, but none allows pre-shared key authentication using Main Mode
                                  Aug 24 15:41:42 charon 10[CFG] <12046> candidate "con5", match: 1/1/1052 (me/other/ike)
                                  Aug 24 15:41:42 charon 10[CFG] <12046> looking for pre-shared key peer configs matching pfsense…remote[remote]
                                  Aug 24 15:41:42 charon 10[ENC] <12046> parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
                                  Aug 24 15:41:42 charon 10[NET] <12046> received packet: from remote[4500] to pfsense[4500] (92 bytes)
                                  Aug 24 15:41:42 charon 04[NET] <12046> sending packet: from pfsense[500] to remote[500] (244 bytes)
                                  Aug 24 15:41:42 charon 04[ENC] <12046> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
                                  Aug 24 15:41:42 charon 04[IKE] <12046> faking NAT situation to enforce UDP encapsulation
                                  Aug 24 15:41:42 charon 04[ENC] <12046> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
                                  Aug 24 15:41:42 charon 04[NET] <12046> received packet: from remote[500] to pfsense[500] (228 bytes)
                                  Aug 24 15:41:41 charon 04[NET] <12046> sending packet: from pfsense[500] to remote[500] (136 bytes)
                                  Aug 24 15:41:41 charon 04[ENC] <12046> generating ID_PROT response 0 [ SA V V V ]
                                  Aug 24 15:41:41 charon 04[IKE] <12046> sending NAT-T (RFC 3947) vendor ID
                                  Aug 24 15:41:41 charon 04[IKE] <12046> sending DPD vendor ID
                                  Aug 24 15:41:41 charon 04[IKE] <12046> sending XAuth vendor ID
                                  Aug 24 15:41:41 charon 04[CFG] <12046> selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
                                  Aug 24 15:41:41 charon 04[CFG] <12046> configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
                                  Aug 24 15:41:41 charon 04[CFG] <12046> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
                                  Aug 24 15:41:41 charon 04[CFG] <12046> proposal matches
                                  Aug 24 15:41:41 charon 04[CFG] <12046> selecting proposal:
                                  Aug 24 15:41:41 charon 04[IKE] <12046> IKE_SA (unnamed)[12046] state change: CREATED => CONNECTING
                                  Aug 24 15:41:41 charon 04[IKE] <12046> remote is initiating a Main Mode IKE_SA
                                  Aug 24 15:41:41 charon 04[ENC] <12046> received unknown vendor ID:
                                  Aug 24 15:41:41 charon 04[IKE] <12046> received DPD vendor ID
                                  Aug 24 15:41:41 charon 04[IKE] <12046> received NAT-T (RFC 3947) vendor ID
                                  Aug 24 15:41:41 charon 04[IKE] <12046> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
                                  Aug 24 15:41:41 charon 04[IKE] <12046> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
                                  Aug 24 15:41:41 charon 04[IKE] <12046> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
                                  Aug 24 15:41:41 charon 04[ENC] <12046> received unknown vendor ID:
                                  Aug 24 15:41:41 charon 04[ENC] <12046> received unknown vendor ID:
                                  Aug 24 15:41:41 charon 04[CFG] <12046> found matching ike config: pfsense…%any with prio 1052
                                  Aug 24 15:41:41 charon 04[CFG] <12046> candidate: pfsense…%any, prio 1052
                                  Aug 24 15:41:41 charon 04[CFG] <12046> looking for an ike config for pfsense…remote
                                  Aug 24 15:41:41 charon 04[ENC] <12046> parsed ID_PROT request 0 [ SA V V V V V V V V ]
                                  Aug 24 15:41:41 charon 04[NET] <12046> received packet: from remote[500] to pfsense[500] (240 bytes)

Derelict (LAYER 8, Netgate)

                                    Is it still set for aggressive mode? Set it to Main.

                                    I won't know what con5 is until I get those config files and output in the PM.


Unchewable

I copied settings from other working tunnels, but it is saying it is DH2 on phase 1 when I have DH5 selected. They are all set to Main.

Can I give you those outputs via the GUI? I don't have shell enabled and don't know the commands.

If I have to, I can restart the pfSense router tonight.

                                      Aug 24 16:36:02 charon 13[IKE] <12233> IKE_SA (unnamed)[12233] state change: CONNECTING => DESTROYING
                                      Aug 24 16:36:02 charon 13[NET] <12233> sending packet: from pfsense[500] to remote[500] (56 bytes)
                                      Aug 24 16:36:02 charon 13[ENC] <12233> generating INFORMATIONAL_V1 request 2927385480 [ N(NO_PROP) ]
                                      Aug 24 16:36:02 charon 13[IKE] <12233> activating INFORMATIONAL task
                                      Aug 24 16:36:02 charon 13[IKE] <12233> activating new tasks
                                      Aug 24 16:36:02 charon 13[IKE] <12233> queueing INFORMATIONAL task
                                      Aug 24 16:36:02 charon 13[IKE] <12233> no proposal found
                                      Aug 24 16:36:02 charon 13[CFG] <12233> configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
                                      Aug 24 16:36:02 charon 13[CFG] <12233> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
                                      Aug 24 16:36:02 charon 13[CFG] <12233> no acceptable DIFFIE_HELLMAN_GROUP found
                                      Aug 24 16:36:02 charon 13[CFG] <12233> selecting proposal:
                                      Aug 24 16:36:02 charon 13[IKE] <12233> IKE_SA (unnamed)[12233] state change: CREATED => CONNECTING
                                      Aug 24 16:36:02 charon 13[IKE] <12233> remote is initiating a Main Mode IKE_SA
                                      Aug 24 16:36:02 charon 13[ENC] <12233> received unknown vendor ID:
                                      Aug 24 16:36:02 charon 13[IKE] <12233> received DPD vendor ID
                                      Aug 24 16:36:02 charon 13[IKE] <12233> received NAT-T (RFC 3947) vendor ID
                                      Aug 24 16:36:02 charon 13[IKE] <12233> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
                                      Aug 24 16:36:02 charon 13[IKE] <12233> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
                                      Aug 24 16:36:02 charon 13[IKE] <12233> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
                                      Aug 24 16:36:02 charon 13[ENC] <12233> received unknown vendor ID:
                                      Aug 24 16:36:02 charon 13[ENC] <12233> received unknown vendor ID:
                                      Aug 24 16:36:02 charon 13[CFG] <12233> found matching ike config: pfsense…%any with prio 1052
                                      Aug 24 16:36:02 charon 13[CFG] <12233> candidate: pfsense…%any, prio 1052
                                      Aug 24 16:36:02 charon 13[CFG] <12233> looking for an ike config for pfsense…remote
                                      Aug 24 16:36:02 charon 13[ENC] <12233> parsed ID_PROT request 0 [ SA V V V V V V V V ]
                                      Aug 24 16:36:02 charon 13[NET] <12233> received packet: from remote[500] to pfsense[500] (240 bytes)

Derelict (LAYER 8, Netgate)

It looks like those connections are matching your Mobile IPsec somehow. Is the other side set to aggressive mode?

I see it says Main mode up there, but that's what's happening…

    Aug 24 16:36:02 charon 13[NET] <12233> received packet: from remote[500] to pfsense[500] (240 bytes)

Are you sure about that remote source IP address?


Unchewable

Turns out, as strange as it was, pfSense was somehow stuck on DH2 for phase 1. I had to reboot pfSense, and that fixed the problem, even though no configs had changed and 3 other sites were connected in exactly the same way. The unit had been up for almost 300 days without a reboot, though. Can't figure out how to mark this as solved; maybe that's left for moderators?

emeianoite

LOL, pfSense does funny things.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.