    Can't get IPSEC to connect, been trying for days.

    IPsec
    tnbp:

      Here are the logs. I've tried all sorts of ways to set it up, no luck.

      Jan 24 16:06:19 charon 07[NET] <con1|7> received packet: from 110.142.113.249[4500] to 192.168.15.2[4500] (80 bytes)
      Jan 24 16:06:19 charon 07[ENC] <con1|7> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
      Jan 24 16:06:19 charon 07[IKE] <con1|7> received AUTHENTICATION_FAILED notify error
      Jan 24 16:06:24 charon 07[NET] <8> received packet: from 110.142.113.249[500] to 192.168.15.2[500] (336 bytes)
      Jan 24 16:06:24 charon 07[ENC] <8> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
      Jan 24 16:06:24 charon 07[IKE] <8> 110.142.113.249 is initiating an IKE_SA
      Jan 24 16:06:24 charon 07[IKE] <8> local host is behind NAT, sending keep alives
      Jan 24 16:06:24 charon 07[IKE] <8> remote host is behind NAT
      Jan 24 16:06:24 charon 07[ENC] <8> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
      Jan 24 16:06:24 charon 07[NET] <8> sending packet: from 192.168.15.2[500] to 110.142.113.249[500] (338 bytes)
      Jan 24 16:06:24 charon 07[NET] <8> received packet: from 110.142.113.249[4500] to 192.168.15.2[4500] (256 bytes)
      Jan 24 16:06:24 charon 07[ENC] <8> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
      Jan 24 16:06:24 charon 07[CFG] <8> looking for peer configs matching 192.168.15.2[120.151.146.229]...110.142.113.249[192.168.1.2]
      Jan 24 16:06:24 charon 07[CFG] <bypasslan|8> selected peer config 'bypasslan'
      Jan 24 16:06:24 charon 07[IKE] <bypasslan|8> no shared key found for '120.151.146.229' - '192.168.1.2'
      Jan 24 16:06:24 charon 07[IKE] <bypasslan|8> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
      Jan 24 16:06:24 charon 07[ENC] <bypasslan|8> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
      Jan 24 16:06:24 charon 07[NET] <bypasslan|8> sending packet: from 192.168.15.2[4500] to 110.142.113.249[4500] (80 bytes)
      Jan 24 16:06:26 charon 07[NET] <9> received packet: from 110.142.113.249[500] to 192.168.15.2[500] (336 bytes)
      Jan 24 16:06:26 charon 07[ENC] <9> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
      Jan 24 16:06:26 charon 07[IKE] <9> 110.142.113.249 is initiating an IKE_SA
      Jan 24 16:06:27 charon 07[IKE] <9> local host is behind NAT, sending keep alives
      Jan 24 16:06:27 charon 07[IKE] <9> remote host is behind NAT
      Jan 24 16:06:27 charon 07[ENC] <9> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
      Jan 24 16:06:27 charon 07[NET] <9> sending packet: from 192.168.15.2[500] to 110.142.113.249[500] (338 bytes)
      Jan 24 16:06:27 charon 07[NET] <9> received packet: from 110.142.113.249[4500] to 192.168.15.2[4500] (256 bytes)
      Jan 24 16:06:27 charon 07[ENC] <9> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
      Jan 24 16:06:27 charon 07[CFG] <9> looking for peer configs matching 192.168.15.2[120.151.146.229]...110.142.113.249[192.168.1.2]
      Jan 24 16:06:27 charon 07[CFG] <bypasslan|9> selected peer config 'bypasslan'
      Jan 24 16:06:27 charon 07[IKE] <bypasslan|9> no shared key found for '120.151.146.229' - '192.168.1.2'
      Jan 24 16:06:27 charon 07[IKE] <bypasslan|9> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
      Jan 24 16:06:27 charon 07[ENC] <bypasslan|9> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
      Jan 24 16:06:27 charon 07[NET] <bypasslan|9> sending packet: from 192.168.15.2[4500] to 110.142.113.249[4500] (80 bytes)
      Jan 24 16:07:11 charon 05[CFG] received stroke: terminate 'con1'
      Jan 24 16:07:11 charon 05[CFG] no IKE_SA named 'con1' found
      Jan 24 16:07:11 charon 06[CFG] received stroke: initiate 'con1'
      Jan 24 16:07:11 charon 05[IKE] <con1|10> initiating IKE_SA con1[10] to 110.142.113.249
      Jan 24 16:07:11 charon 05[ENC] <con1|10> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
      Jan 24 16:07:11 charon 05[NET] <con1|10> sending packet: from 192.168.15.2[500] to 110.142.113.249[500] (338 bytes)
      Jan 24 16:07:11 charon 05[NET] <con1|10> received packet: from 110.142.113.249[500] to 192.168.15.2[500] (336 bytes)
      Jan 24 16:07:11 charon 05[ENC] <con1|10> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
      Jan 24 16:07:11 charon 05[IKE] <con1|10> local host is behind NAT, sending keep alives
      Jan 24 16:07:11 charon 05[IKE] <con1|10> remote host is behind NAT
      Jan 24 16:07:11 charon 05[IKE] <con1|10> authentication of '192.168.15.2' (myself) with pre-shared key
      Jan 24 16:07:11 charon 05[IKE] <con1|10> establishing CHILD_SA con1{6}
      Jan 24 16:07:11 charon 05[ENC] <con1|10> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
      Jan 24 16:07:11 charon 05[NET] <con1|10> sending packet: from 192.168.15.2[4500] to 110.142.113.249[4500] (272 bytes)
      Jan 24 16:07:11 charon 05[NET] <con1|10> received packet: from 110.142.113.249[4500] to 192.168.15.2[4500] (80 bytes)
      Jan 24 16:07:11 charon 05[ENC] <con1|10> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
      Jan 24 16:07:11 charon 05[IKE] <con1|10> received AUTHENTICATION_FAILED notify error

      tnbp:

        More logs:

        Jan 24 16:14:12 charon 13[NET] <11> sending packet: from 192.168.0.1[500] to 110.142.113.249[500] (338 bytes)
        Jan 24 16:14:12 charon 13[NET] <11> received packet: from 110.142.113.249[4500] to 192.168.15.2[4500] (256 bytes)
        Jan 24 16:14:12 charon 13[ENC] <11> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
        Jan 24 16:14:12 charon 13[CFG] <11> looking for peer configs matching 192.168.15.2[120.151.146.229]...110.142.113.249[192.168.1.2]
        Jan 24 16:14:12 charon 13[CFG] <bypasslan|11> selected peer config 'bypasslan'
        Jan 24 16:14:12 charon 13[IKE] <bypasslan|11> no shared key found for '120.151.146.229' - '192.168.1.2'
        Jan 24 16:14:12 charon 13[IKE] <bypasslan|11> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
        Jan 24 16:14:12 charon 13[ENC] <bypasslan|11> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
        Jan 24 16:14:13 charon 13[NET] <bypasslan|11> sending packet: from 192.168.15.2[4500] to 110.142.113.249[4500] (80 bytes)
        Jan 24 16:14:22 charon 11[CFG] rereading secrets
        Jan 24 16:14:22 charon 11[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
        Jan 24 16:14:22 charon 11[CFG] loaded IKE secret for %any 110.142.113.249
        Jan 24 16:14:22 charon 11[CFG] rereading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
        Jan 24 16:14:22 charon 11[CFG] rereading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
        Jan 24 16:14:22 charon 11[CFG] rereading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
        Jan 24 16:14:22 charon 11[CFG] rereading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
        Jan 24 16:14:22 charon 11[CFG] rereading crls from '/usr/local/etc/ipsec.d/crls'
        Jan 24 16:14:22 charon 13[CFG] received stroke: unroute 'bypasslan'
        Jan 24 16:14:22 ipsec_starter 28108 shunt policy 'bypasslan' uninstalled
        Jan 24 16:14:22 charon 10[CFG] received stroke: delete connection 'bypasslan'
        Jan 24 16:14:22 charon 10[CFG] deleted connection 'bypasslan'
        Jan 24 16:14:22 charon 11[CFG] received stroke: unroute 'con1'
        Jan 24 16:14:22 ipsec_starter 28108 configuration 'con1' unrouted
        Jan 24 16:14:22 charon 13[CFG] received stroke: delete connection 'con1'
        Jan 24 16:14:22 charon 13[CFG] deleted connection 'con1'
        Jan 24 16:14:22 charon 13[CFG] received stroke: add connection 'bypasslan'
        Jan 24 16:14:22 charon 13[CFG] added configuration 'bypasslan'
        Jan 24 16:14:22 charon 10[CFG] received stroke: route 'bypasslan'
        Jan 24 16:14:22 ipsec_starter 28108 'bypasslan' shunt PASS policy installed
        Jan 24 16:14:22 charon 08[CFG] received stroke: add connection 'con1'
        Jan 24 16:14:22 charon 08[CFG] added configuration 'con1'
        Jan 24 16:14:22 charon 08[CFG] received stroke: route 'con1'
        Jan 24 16:14:22 ipsec_starter 28108 'con1' routed
        Jan 24 16:14:26 charon 10[CFG] received stroke: terminate 'con1'
        Jan 24 16:14:26 charon 10[CFG] no IKE_SA named 'con1' found
        Jan 24 16:14:26 charon 16[CFG] received stroke: initiate 'con1'
        Jan 24 16:14:26 charon 10[IKE] <con1|12> initiating IKE_SA con1[12] to 110.142.113.249
        Jan 24 16:14:26 charon 10[ENC] <con1|12> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
        Jan 24 16:14:26 charon 10[NET] <con1|12> sending packet: from 192.168.15.2[500] to 110.142.113.249[500] (338 bytes)
        Jan 24 16:14:26 charon 10[NET] <con1|12> received packet: from 110.142.113.249[500] to 192.168.15.2[500] (336 bytes)
        Jan 24 16:14:26 charon 10[ENC] <con1|12> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
        Jan 24 16:14:26 charon 10[IKE] <con1|12> local host is behind NAT, sending keep alives
        Jan 24 16:14:26 charon 10[IKE] <con1|12> remote host is behind NAT
        Jan 24 16:14:26 charon 10[IKE] <con1|12> authentication of '192.168.15.2' (myself) with pre-shared key
        Jan 24 16:14:26 charon 10[IKE] <con1|12> establishing CHILD_SA con1{8}
        Jan 24 16:14:26 charon 10[ENC] <con1|12> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
        Jan 24 16:14:26 charon 10[NET] <con1|12> sending packet: from 192.168.15.2[4500] to 110.142.113.249[4500] (272 bytes)
        Jan 24 16:14:27 charon 10[NET] <con1|12> received packet: from 110.142.113.249[4500] to 192.168.15.2[4500] (80 bytes)
        Jan 24 16:14:27 charon 10[ENC] <con1|12> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
        Jan 24 16:14:27 charon 10[IKE] <con1|12> received AUTHENTICATION_FAILED notify error

        Derelict (Netgate):

          You are behind NAT. You probably need to explicitly set the public IP address as your identifier in the phase 1.

          If your address is dynamic, you will probably need to set a distinguished name instead.

          The other side is rejecting the authentication. You will need to be on the same page with them.

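A small triage helper, added here as an example (my code, not from the thread, pfSense or strongSwan), that reads the responder-side charon lines above and turns the identity/address mismatch Derelict describes into explicit findings. The sample log is constructed from the thread's lines, and the PSK check is a simplification of strongSwan's real secret lookup.

```python
import re

# Constructed sample: responder-side charon lines modelled on the thread's log.
SAMPLE_LOG = """\
Jan 24 16:14:22 charon 11[CFG] loaded IKE secret for %any 110.142.113.249
Jan 24 16:14:26 charon 10[CFG] <12> looking for peer configs matching 192.168.15.2[120.151.146.229]...110.142.113.249[192.168.1.2]
Jan 24 16:14:26 charon 10[CFG] <bypasslan|12> selected peer config 'bypasslan'
Jan 24 16:14:26 charon 10[IKE] <bypasslan|12> no shared key found for '120.151.146.229' - '192.168.1.2'
Jan 24 16:14:26 charon 10[ENC] <bypasslan|12> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

# "me[IDr]...peer[IDi]": socket addresses outside the brackets, IKE identities inside.
MATCH_RE = re.compile(r"looking for peer configs matching (?P<me>[\d.]+)\[(?P<me_id>[^\]]+)\]"
                      r"\.\.\.(?P<peer>[\d.]+)\[(?P<peer_id>[^\]]+)\]")
SECRET_RE = re.compile(r"loaded IKE secret for (?P<ids>.+)$")
SELECT_RE = re.compile(r"selected peer config '(?P<conn>[^']+)'")
NOKEY_RE = re.compile(r"no shared key found for '[^']+' - '[^']+'")


def diagnose(log):
    """Return (findings, context) for the last IKE_AUTH attempt in a charon log."""
    secret_ids, ctx, findings = set(), {}, []
    for line in log.splitlines():
        if m := SECRET_RE.search(line):
            secret_ids.update(m.group("ids").split())
        elif m := MATCH_RE.search(line):
            ctx = m.groupdict()          # a new IKE_AUTH resets the context
        elif m := SELECT_RE.search(line):
            ctx["conn"] = m.group("conn")
        elif NOKEY_RE.search(line):
            ctx["psk_failed"] = True
    if not ctx:
        return findings, ctx
    # An identity that differs from the socket address is the NAT signature Derelict points at.
    if ctx["peer_id"] != ctx["peer"]:
        findings.append(f"peer identifies as {ctx['peer_id']} but sends from {ctx['peer']}: peer is behind NAT")
    if ctx["me_id"] != ctx["me"]:
        findings.append(f"peer addresses us as {ctx['me_id']} but we listen on {ctx['me']}: we are behind NAT")
    # Simplified PSK check: the peer's presented identity must appear in a loaded secret entry.
    if ctx.get("psk_failed") and ctx["peer_id"] not in secret_ids:
        findings.append(f"no PSK is keyed on identity {ctx['peer_id']} (secrets loaded for {sorted(secret_ids)}); "
                        f"set explicit identifiers on both sides so the presented IDs match the PSK entry")
    if ctx.get("conn") == "bypasslan":
        findings.append("the responder matched only the 'bypasslan' PASS shunt, not a tunnel connection: "
                        "no tunnel config accepted this identity pair")
    return findings, ctx
```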

          tnbp:

            Thanks mate, that fixed it. Legend.

            Dudleydogg:

              Also fixed mine, thanks for your insight again, Derelict.

              antineutrinos:

                And mine. Thanks!

                DBrowning:

                  Three-year-old post saved the few remaining hairs on my well-scratched head. Such a simple fix - thank you!
