Ipsec phase 2 not working



  • I am trying to fix this but still cannot understand how I can fix phase 2. Can anyone please help?

    but not Phase 2. Make sure your access list matches exactly the opposite of ours. Check your other P2 parameters.

    Crypto Map IPv4 "VPN" 49 ipsec-isakmp
    Description:  Center
    Peer = static ip address
    Extended IP access list acl-vpn-NJB
    access-list acl-vpn-NJB permit ip host 172.17.0.254 172.17.7.0 0.0.0.255
    access-list acl-vpn-NJB permit ip host 172.17.0.4 172.17.7.0 0.0.0.255
    access-list acl-vpn-NJB permit ip host 172.17.0.51 172.17.7.0 0.0.0.255
    Current peer: same static ip address as above
    Security association lifetime: 4608000 kilobytes/3600 seconds
    Responder-Only (Y/N): N
    PFS (Y/N): Y
    DH group: group2
    Mixed-mode : Disabled
    Transform sets={
    vpn-aes128-sha: { esp-aes esp-sha-hmac } ,


  • Netgate

    What is not working?

    What is in the logs?

    How is the pfSense side set up?



  • IKE Phase 1

    Key Negotiation Type    ISAKMP
    Encryption              AES (128-bit)
    Authentication          SHA1
    Key Group               Diffie_Hellman
    SA Life Time            86400
    Mode Exchange           Main
    Shared Key Prefix       self generated

    IPSEC Phase-2

    Type                    ESP (encapsulating
    Authentication          SHA1
    Encryption              AES (128-bit)
    Perfect Forward         Diff-Hellman
    SA Life                 3600
    SA life Kilobytes       4608000

    IP                      Netblock/Host
    192.168.1.254/32        192.168.1.0/24
    192.168.1.4/32
    192.168.1.4.54/32

    in bound Ports
    ALL



  • Jan 31 09:35:40 charon 12[IKE] <con1000|21>activating new tasks
    Jan 31 09:35:40 charon 12[IKE] <con1000|21>activating ISAKMP_DPD task
    Jan 31 09:35:40 charon 12[ENC] <con1000|21>generating INFORMATIONAL_V1 request 71033770 [ HASH N(DPD) ]
    Jan 31 09:35:40 charon 12[NET] <con1000|21>sending packet: from 98.xxx.xxx.xxx[500] to 64.xxx.xxx.xxx[500] (92 bytes)
    Jan 31 09:35:40 charon 12[IKE] <con1000|21>activating new tasks
    Jan 31 09:35:40 charon 12[IKE] <con1000|21>nothing to initiate
    Jan 31 09:35:40 charon 12[NET] <con1000|21>received packet: from 64.xxx.xxx.xxx[500] to 98.xxx.xxx.xxx[500] (92 bytes)
    Jan 31 09:35:40 charon 12[ENC] <con1000|21>parsed INFORMATIONAL_V1 request 422502870 [ HASH N(DPD_ACK) ]
    Jan 31 09:35:40 charon 12[IKE] <con1000|21>activating new tasks
    Jan 31 09:35:40 charon 12[IKE] <con1000|21>nothing to initiate
    Jan 31 09:35:44 charon 06[CFG] vici client 49 connected
    Jan 31 09:35:44 charon 13[CFG] vici client 49 registered for: list-sa
    Jan 31 09:35:44 charon 13[CFG] vici client 49 requests: list-sas
    Jan 31 09:35:44 charon 13[CFG] vici client 49 disconnected
    Jan 31 09:35:49 charon 14[CFG] vici client 50 connected
    Jan 31 09:35:49 charon 06[CFG] vici client 50 registered for: list-sa
    Jan 31 09:35:49 charon 14[CFG] vici client 50 requests: list-sas
    Jan 31 09:35:49 charon 14[CFG] vici client 50 disconnected
    Jan 31 09:35:50 charon 14[IKE] <con1000|21>sending DPD request
    Jan 31 09:35:50 charon 14[IKE] <con1000|21>queueing ISAKMP_DPD task
    Jan 31 09:35:50 charon 14[IKE] <con1000|21>activating new tasks
    Jan 31 09:35:50 charon 14[IKE] <con1000|21>activating ISAKMP_DPD task
    Jan 31 09:35:50 charon 14[ENC] <con1000|21>generating INFORMATIONAL_V1 request 3516362738 [ HASH N(DPD) ]
    Jan 31 09:35:50 charon 14[NET] <con1000|21>sending packet: from 98.xxx.xxx.xxx[500] to 64.xxx.xxx.xxx[500] (92 bytes)
    Jan 31 09:35:50 charon 14[IKE] <con1000|21>activating new tasks
    Jan 31 09:35:50 charon 14[IKE] <con1000|21>nothing to initiate
    Jan 31 09:35:50 charon 14[NET] <con1000|21>received packet: from 64.xxx.xxx.xxx[500] to 98.xxx.xxx.xxx[500] (92 bytes)
    Jan 31 09:35:50 charon 14[ENC] <con1000|21>parsed INFORMATIONAL_V1 request 472707021 [ HASH N(DPD_ACK) ]
    Jan 31 09:35:50 charon 14[IKE] <con1000|21>activating new tasks
    Jan 31 09:35:50 charon 14[IKE] <con1000|21>nothing to initiate
    Jan 31 09:35:54 charon 13[CFG] vici client 51 connected
    Jan 31 09:35:54 charon 13[CFG] vici client 51 registered for: list-sa
    Jan 31 09:35:54 charon 05[CFG] vici client 51 requests: list-sas
    Jan 31 09:35:54 charon 13[CFG] vici client 51 disconnected
    Jan 31 09:35:59 charon 13[CFG] vici client 52 connected
    Jan 31 09:35:59 charon 10[CFG] vici client 52 registered for: list-sa
    Jan 31 09:35:59 charon 10[CFG] vici client 52 requests: list-sas
    Jan 31 09:35:59 charon 10[CFG] vici client 52 disconnected
    Jan 31 09:36:00 charon 10[IKE] <con1000|21>sending DPD request
    Jan 31 09:36:00 charon 10[IKE] <con1000|21>queueing ISAKMP_DPD task
    Jan 31 09:36:00 charon 10[IKE] <con1000|21>activating new tasks
    Jan 31 09:36:00 charon 10[IKE] <con1000|21>activating ISAKMP_DPD task
    Jan 31 09:36:00 charon 10[ENC] <con1000|21>generating INFORMATIONAL_V1 request 3870667372 [ HASH N(DPD) ]
    Jan 31 09:36:00 charon 10[NET] <con1000|21>sending packet: from 98.xxx.xxx.xxx[500] to 64.xxx.xxx.xxx[500] (92 bytes)
    Jan 31 09:36:00 charon 10[IKE] <con1000|21>activating new tasks
    Jan 31 09:36:00 charon 10[IKE] <con1000|21>nothing to initiate
    Jan 31 09:36:00 charon 10[NET] <con1000|21>received packet: from 64.xxx.xxx.xxx[500] to 98.xxx.xxx.xxx[500] (92 bytes)
    Jan 31 09:36:00 charon 10[ENC] <con1000|21>parsed INFORMATIONAL_V1 request 483150185 [ HASH N(DPD_ACK) ]
    Jan 31 09:36:00 charon 10[IKE] <con1000|21>activating new tasks
    Jan 31 09:36:00 charon 10[IKE] <con1000|21>nothing to initiate



  • Phase 2 is not working.



  • Any idea what I am doing wrong in getting phase 2 running?


  • Netgate

    Nothing in those logs is helpful. They have nothing to do with establishing or failed connections.

    Have you looked at this?

    https://doc.pfsense.org/index.php/IPsec_Troubleshooting

    Be sure IKE SA, IKE Child SA, and Configuration Backend are all set to Diag in VPN > IPsec, Advanced. Everything else can be Control.



  • Thanks for your kind reply. Though I read that link, I still cannot figure out how to NAT in IPsec to allow access to three different IP addresses.


  • Netgate

    What do you mean NAT?

    Based on this:

    access-list acl-vpn-NJB permit ip host 172.17.0.254 172.17.7.0 0.0.0.255
    access-list acl-vpn-NJB permit ip host 172.17.0.4 172.17.7.0 0.0.0.255
    access-list acl-vpn-NJB permit ip host 172.17.0.51 172.17.7.0 0.0.0.255

    You would make three phase 2 tunnel entries:

    Local Network: Network: 172.17.7.0 /24
    Remote Network: Address: 172.17.0.254

    Local Network: Network: 172.17.7.0 /24
    Remote Network: Address: 172.17.0.4

    Local Network: Network: 172.17.7.0 /24
    Remote Network: Address: 172.17.0.51
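The mirroring rule in the answer above (the Cisco side's destination becomes the pfSense local network, the Cisco side's source becomes the pfSense remote network, one Phase 2 entry per permit line) can be checked mechanically. The script below is an added example and is not code from the thread, from Netgate or from pfSense: it parses the three `access-list` lines posted above, derives the Phase 2 entries the pfSense side needs, and diffs them against a constructed list of entries standing in for what is actually configured (the third constructed entry is deliberately mistyped to show how a selector mismatch surfaces). Cisco wildcard masks are converted to prefix lengths by inverting the mask bits; `host` means a /32 and `any` means 0.0.0.0/0.

```python
import ipaddress
import re
from dataclasses import dataclass

# Matches "access-list <name> permit ip <src> <dst>" where each endpoint is
# "host A.B.C.D", "A.B.C.D <wildcard>" or "any".
ACL_RE = re.compile(r"^\s*access-list\s+(?P<name>\S+)\s+permit\s+ip\s+(?P<rest>.+?)\s*$")

# The crypto ACL lines exactly as posted in the thread.
CISCO_ACL = """
access-list acl-vpn-NJB permit ip host 172.17.0.254 172.17.7.0 0.0.0.255
access-list acl-vpn-NJB permit ip host 172.17.0.4 172.17.7.0 0.0.0.255
access-list acl-vpn-NJB permit ip host 172.17.0.51 172.17.7.0 0.0.0.255
"""


@dataclass(frozen=True)
class Phase2Entry:
    local: ipaddress.IPv4Network   # pfSense "Local Network"
    remote: ipaddress.IPv4Network  # pfSense "Remote Network"


def _take_endpoint(tokens):
    """Consume one ACL endpoint from the token list; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # A Cisco wildcard mask is the bitwise inverse of the subnet mask.
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False), tokens[2:]


def parse_crypto_acl(text):
    """Return the (source, destination) network pair of every 'permit ip' line."""
    pairs = []
    for line in text.splitlines():
        m = ACL_RE.match(line)
        if not m:
            continue
        tokens = m.group("rest").split()
        src, tokens = _take_endpoint(tokens)
        dst, _ = _take_endpoint(tokens)
        pairs.append((src, dst))
    return pairs


def mirrored_phase2(pairs):
    """Phase 2 entries the peer needs: its local is our destination, its remote is our source."""
    return [Phase2Entry(local=dst, remote=src) for src, dst in pairs]


def describe(entry):
    """Render an entry with the labels the pfSense Phase 2 page uses."""
    def fmt(net):
        if net.prefixlen == 32:
            return f"Address: {net.network_address}"
        return f"Network: {net.network_address} /{net.prefixlen}"
    return f"Local Network: {fmt(entry.local)}; Remote Network: {fmt(entry.remote)}"


def compare(expected, configured):
    """Return (missing, extra): entries the peer expects but we lack, and entries we have that it does not."""
    key = lambda e: (str(e.local), str(e.remote))
    missing = sorted(set(expected) - set(configured), key=key)
    extra = sorted(set(configured) - set(expected), key=key)
    return missing, extra


# Constructed stand-in for the pfSense side; the last entry is a deliberate typo (.5 instead of .51).
PFSENSE_CONFIGURED = [
    Phase2Entry(ipaddress.IPv4Network("172.17.7.0/24"), ipaddress.IPv4Network("172.17.0.254/32")),
    Phase2Entry(ipaddress.IPv4Network("172.17.7.0/24"), ipaddress.IPv4Network("172.17.0.4/32")),
    Phase2Entry(ipaddress.IPv4Network("172.17.7.0/24"), ipaddress.IPv4Network("172.17.0.5/32")),
]

if __name__ == "__main__":
    expected = mirrored_phase2(parse_crypto_acl(CISCO_ACL))
    missing, extra = compare(expected, PFSENSE_CONFIGURED)
    for e in missing:
        print("MISSING on pfSense:", describe(e))
    for e in extra:
        print("EXTRA on pfSense (no matching ACL line):", describe(e))
```

With IKEv1 the traffic selectors on both sides have to match one for one; a single /24-to-/24 entry on the pfSense side will not negotiate against three host-to-/24 ACL lines, which is why the answer above calls for three separate Phase 2 entries rather than a summary. The `compare` output is the list to reconcile before looking further at proposal parameters.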