IPSEC Tunnel will not come up after upgrade



  • pfSense-kernel-pfSense upgraded: 2.4.0.b.20170516.1310 -> 2.4.0.r.20170828.1105

    After the upgrade the tunnel will not come up.

    Due to the remote device we are limited in what we can select for settings.  We have verified the settings on this side have not changed within the web interface after the upgrade.  The remote side is a full work day trip so we have not verified that side, but it was verified that it was working up until we did the upgrade and after the upgrade it never came back up.

    IKEv1
    IPv4
    Mutual PSK
    Aggressive
    Identifiers:
    IP address
    IP address

    Phase 1 Proposal:
    Encryption Algorithm - AES 128
    Hash - SHA1
    DH - 2
    Lifetime - 28800

    Advanced:
    NAT traversal - Auto

    Log:

    Aug 30 10:54:55 charon 08[IKE] <con4000|36>IKE_SA con4000[36] state change: CONNECTING => DESTROYING
    Aug 30 10:54:55 charon 08[IKE] <con4000|36>received AUTHENTICATION_FAILED error notify
    Aug 30 10:54:55 charon 08[ENC] <con4000|36>parsed INFORMATIONAL_V1 request 4198953118 [ N(AUTH_FAILED) ]
    Aug 30 10:54:55 charon 08[NET] <con4000|36>received packet: from yyy.yyy.yyy.yyy[500] to xxx.xxx.xxx.xxx[500] (56 bytes)
    Aug 30 10:54:54 charon 08[NET] <con4000|36>sending packet: from xxx.xxx.xxx.xxx[500] to yyy.yyy.yyy.yyy[500] (360 bytes)
    Aug 30 10:54:54 charon 08[ENC] <con4000|36>generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
    Aug 30 10:54:54 charon 08[CFG] <con4000|36>configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Aug 30 10:54:54 charon 08[IKE] <con4000|36>IKE_SA con4000[36] state change: CREATED => CONNECTING
    Aug 30 10:54:54 charon 08[IKE] <con4000|36>initiating Aggressive Mode IKE_SA con4000[36] to yyy.yyy.yyy.yyy
    Aug 30 10:54:54 charon 08[IKE] <con4000|36>sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Aug 30 10:54:54 charon 08[IKE] <con4000|36>sending NAT-T (RFC 3947) vendor ID
    Aug 30 10:54:54 charon 08[IKE] <con4000|36>sending FRAGMENTATION vendor ID
    Aug 30 10:54:54 charon 08[IKE] <con4000|36>sending DPD vendor ID
    Aug 30 10:54:54 charon 08[IKE] <con4000|36>sending XAuth vendor ID
    Aug 30 10:54:54 charon 08[IKE] <con4000|36>activating ISAKMP_NATD task
    Aug 30 10:54:54 charon 08[IKE] <con4000|36>activating ISAKMP_CERT_POST task
    Aug 30 10:54:54 charon 08[IKE] <con4000|36>activating AGGRESSIVE_MODE task
    Aug 30 10:54:54 charon 08[IKE] <con4000|36>activating ISAKMP_CERT_PRE task
    Aug 30 10:54:54 charon 08[IKE] <con4000|36>activating ISAKMP_VENDOR task
    Aug 30 10:54:54 charon 08[IKE] <con4000|36>activating new tasks
    Aug 30 10:54:54 charon 08[IKE] <con4000|36>queueing QUICK_MODE task
    Aug 30 10:54:54 charon 08[IKE] <con4000|36>queueing ISAKMP_NATD task
    Aug 30 10:54:54 charon 08[IKE] <con4000|36>queueing ISAKMP_CERT_POST task
    Aug 30 10:54:54 charon 08[IKE] <con4000|36>queueing AGGRESSIVE_MODE task
    Aug 30 10:54:54 charon 08[IKE] <con4000|36>queueing ISAKMP_CERT_PRE task
    Aug 30 10:54:54 charon 08[IKE] <con4000|36>queueing ISAKMP_VENDOR task
    Aug 30 10:54:54 charon 08[KNL] creating acquire job for policy xxx.xxx.xxx.xxx/32|/0 === yyy.yyy.yyy.yyy/32|/0 with reqid {4}
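
A triage helper for logs like the one in the post, added here as an example and not part of the original post or of pfSense/strongSwan: it puts the newest-first charon lines back in exchange order and reports, per IKE_SA, what was sent, what the peer answered, and whether the peer returned AUTH_FAILED after only the first message. The function `summarize`, its field names and the regexes are assumptions fitted to the log format shown above; the sample is a constructed subset of those lines.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the charon lines from the post above,
# kept in the newest-first order in which the log was pasted.
SAMPLE = """\
Aug 30 10:54:55 charon 08[IKE] <con4000|36>IKE_SA con4000[36] state change: CONNECTING => DESTROYING
Aug 30 10:54:55 charon 08[IKE] <con4000|36>received AUTHENTICATION_FAILED error notify
Aug 30 10:54:55 charon 08[ENC] <con4000|36>parsed INFORMATIONAL_V1 request 4198953118 [ N(AUTH_FAILED) ]
Aug 30 10:54:54 charon 08[ENC] <con4000|36>generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
Aug 30 10:54:54 charon 08[CFG] <con4000|36>configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Aug 30 10:54:54 charon 08[IKE] <con4000|36>IKE_SA con4000[36] state change: CREATED => CONNECTING
"""

LINE = re.compile(r"^\s*(\w{3} +\d+ [\d:]+) charon \d+\[(\w+)\] <([^|>]+)\|(\d+)>\s*(.*)$")
MSG = re.compile(r"^(generating|parsed) (\S+) (?:request|response) \d+ \[ (.*?) \]$")

def summarize(log_text):
    """Return {(conn, sa_id): summary} with events in chronological order."""
    sas = defaultdict(lambda: {"sent": [], "received": [], "states": [],
                               "proposals": None, "peer_notifies": []})
    # The log is newest first; reversing the lines restores exchange order.
    for raw in reversed(log_text.splitlines()):
        m = LINE.match(raw)
        if not m:
            continue  # lines without a <conn|id> tag (e.g. KNL) are skipped
        _ts, _subsys, conn, sa_id, text = m.groups()
        sa = sas[(conn, sa_id)]
        msg = MSG.match(text)
        if msg:
            direction, exchange, payloads = msg.groups()
            key = "sent" if direction == "generating" else "received"
            sa[key].append((exchange, payloads.split()))
            if key == "received":
                sa["peer_notifies"] += re.findall(r"N\((\w+)\)", payloads)
        elif text.startswith("configured proposals: "):
            sa["proposals"] = text.split(": ", 1)[1]
        elif "state change: " in text:
            sa["states"].append(text.split("state change: ", 1)[1])
    for sa in sas.values():
        # A peer notify after only our first message: the remote end refused the exchange.
        sa["rejected_by_peer_after_first_message"] = (
            len(sa["sent"]) == 1 and "AUTH_FAILED" in sa["peer_notifies"])
    return dict(sas)
```

For the lines in the post, the summary shows a single AGGRESSIVE request sent and an INFORMATIONAL_V1 carrying N(AUTH_FAILED) received, so the rejection was issued by the remote device.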

