Netgate Discussion Forum
    Ipsec phase 2 not working

    9 Posts 2 Posters 7.6k Views
    irs wrote:

      I am trying to fix this but still cannot understand how I can fix Phase 2. Can anyone please help?

      but not Phase 2. Make sure your access list matches exactly the opposite of ours. Check your other P2 parameters.

      Crypto Map IPv4 "VPN" 49 ipsec-isakmp
      Description:  Center
      Peer = static ip address
      Extended IP access list acl-vpn-NJB
      access-list acl-vpn-NJB permit ip host 172.17.0.254 172.17.7.0 0.0.0.255
      access-list acl-vpn-NJB permit ip host 172.17.0.4 172.17.7.0 0.0.0.255
      access-list acl-vpn-NJB permit ip host 172.17.0.51 172.17.7.0 0.0.0.255
      Current peer: same static IP address as above
      Security association lifetime: 4608000 kilobytes/3600 seconds
      Responder-Only (Y/N): N
      PFS (Y/N): Y
      DH group: group2
      Mixed-mode : Disabled
      Transform sets={
      vpn-aes128-sha: { esp-aes esp-sha-hmac } ,

      Derelict (Netgate) wrote:

        What is not working?

        What is in the logs?

        How is the pfSense side set up?

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        irs wrote:

          IKE Phase 1

          Key Negotiation Type                  ISAKMP
          Encryption                              AES (128-bit)
          Authentication                            SHA1
          Key Group                                Diffie_Hellman
          SA Life Time                                86400
          Mode Exchange                        Main       
          Shared Key Prefix                    self generated

          IPSEC Phase-2

          Type                                    ESP (encapsulating
          Authentication                          SHA1
          Encryption                                AES (128-bit)
          Perfect Forward                      Diff-Hellman
          SA Life                                        3600
          SA life Kilobytes                        4608000

          IP  Netblock/Host
          192.168.1.254/32                      192.168.1.0/24
          192.168.1.4/32
          192.168.1.4.54/32

          in bound Ports
          ALL

          irs wrote:

            Jan 31 09:35:40 charon 12[IKE] <con1000|21>activating new tasks
            Jan 31 09:35:40 charon 12[IKE] <con1000|21>activating ISAKMP_DPD task
            Jan 31 09:35:40 charon 12[ENC] <con1000|21>generating INFORMATIONAL_V1 request 71033770 [ HASH N(DPD) ]
            Jan 31 09:35:40 charon 12[NET] <con1000|21>sending packet: from 98.xxx.xxx.xxx[500] to 64.xxx.xxx.xxx[500] (92 bytes)
            Jan 31 09:35:40 charon 12[IKE] <con1000|21>activating new tasks
            Jan 31 09:35:40 charon 12[IKE] <con1000|21>nothing to initiate
            Jan 31 09:35:40 charon 12[NET] <con1000|21>received packet: from 64.xxx.xxx.xxx[500] to 98.xxx.xxx.xxx[500] (92 bytes)
            Jan 31 09:35:40 charon 12[ENC] <con1000|21>parsed INFORMATIONAL_V1 request 422502870 [ HASH N(DPD_ACK) ]
            Jan 31 09:35:40 charon 12[IKE] <con1000|21>activating new tasks
            Jan 31 09:35:40 charon 12[IKE] <con1000|21>nothing to initiate
            Jan 31 09:35:44 charon 06[CFG] vici client 49 connected
            Jan 31 09:35:44 charon 13[CFG] vici client 49 registered for: list-sa
            Jan 31 09:35:44 charon 13[CFG] vici client 49 requests: list-sas
            Jan 31 09:35:44 charon 13[CFG] vici client 49 disconnected
            Jan 31 09:35:49 charon 14[CFG] vici client 50 connected
            Jan 31 09:35:49 charon 06[CFG] vici client 50 registered for: list-sa
            Jan 31 09:35:49 charon 14[CFG] vici client 50 requests: list-sas
            Jan 31 09:35:49 charon 14[CFG] vici client 50 disconnected
            Jan 31 09:35:50 charon 14[IKE] <con1000|21>sending DPD request
            Jan 31 09:35:50 charon 14[IKE] <con1000|21>queueing ISAKMP_DPD task
            Jan 31 09:35:50 charon 14[IKE] <con1000|21>activating new tasks
            Jan 31 09:35:50 charon 14[IKE] <con1000|21>activating ISAKMP_DPD task
            Jan 31 09:35:50 charon 14[ENC] <con1000|21>generating INFORMATIONAL_V1 request 3516362738 [ HASH N(DPD) ]
            Jan 31 09:35:50 charon 14[NET] <con1000|21>sending packet: from 98.xxx.xxx.xxx[500] to 64.xxx.xxx.xxx[500] (92 bytes)
            Jan 31 09:35:50 charon 14[IKE] <con1000|21>activating new tasks
            Jan 31 09:35:50 charon 14[IKE] <con1000|21>nothing to initiate
            Jan 31 09:35:50 charon 14[NET] <con1000|21>received packet: from 64.xxx.xxx.xxx[500] to 98.xxx.xxx.xxx[500] (92 bytes)
            Jan 31 09:35:50 charon 14[ENC] <con1000|21>parsed INFORMATIONAL_V1 request 472707021 [ HASH N(DPD_ACK) ]
            Jan 31 09:35:50 charon 14[IKE] <con1000|21>activating new tasks
            Jan 31 09:35:50 charon 14[IKE] <con1000|21>nothing to initiate
            Jan 31 09:35:54 charon 13[CFG] vici client 51 connected
            Jan 31 09:35:54 charon 13[CFG] vici client 51 registered for: list-sa
            Jan 31 09:35:54 charon 05[CFG] vici client 51 requests: list-sas
            Jan 31 09:35:54 charon 13[CFG] vici client 51 disconnected
            Jan 31 09:35:59 charon 13[CFG] vici client 52 connected
            Jan 31 09:35:59 charon 10[CFG] vici client 52 registered for: list-sa
            Jan 31 09:35:59 charon 10[CFG] vici client 52 requests: list-sas
            Jan 31 09:35:59 charon 10[CFG] vici client 52 disconnected
            Jan 31 09:36:00 charon 10[IKE] <con1000|21>sending DPD request
            Jan 31 09:36:00 charon 10[IKE] <con1000|21>queueing ISAKMP_DPD task
            Jan 31 09:36:00 charon 10[IKE] <con1000|21>activating new tasks
            Jan 31 09:36:00 charon 10[IKE] <con1000|21>activating ISAKMP_DPD task
            Jan 31 09:36:00 charon 10[ENC] <con1000|21>generating INFORMATIONAL_V1 request 3870667372 [ HASH N(DPD) ]
            Jan 31 09:36:00 charon 10[NET] <con1000|21>sending packet: from 98.xxx.xxx.xxx[500] to 64.xxx.xxx.xxx[500] (92 bytes)
            Jan 31 09:36:00 charon 10[IKE] <con1000|21>activating new tasks
            Jan 31 09:36:00 charon 10[IKE] <con1000|21>nothing to initiate
            Jan 31 09:36:00 charon 10[NET] <con1000|21>received packet: from 64.xxx.xxx.xxx[500] to 98.xxx.xxx.xxx[500] (92 bytes)
            Jan 31 09:36:00 charon 10[ENC] <con1000|21>parsed INFORMATIONAL_V1 request 483150185 [ HASH N(DPD_ACK) ]
            Jan 31 09:36:00 charon 10[IKE] <con1000|21>activating new tasks
            Jan 31 09:36:00 charon 10[IKE] <con1000|21>nothing to initiate

            irs wrote:
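The log posted above consists only of DPD keepalives on the already-established IKE SA and vici status polls from the pfSense GUI; none of it describes a Phase 2 (CHILD_SA / Quick Mode) negotiation. The following triage script is an added example, not code from the thread or from pfSense: it parses strongSwan charon lines, drops the keepalive and status-poll noise, and keeps only lines that record an IKE or CHILD_SA negotiation event. The first seven sample lines are copied from the posted log (peer IPs were already masked by the poster); the last two are constructed to show the kind of message a failed Phase 2 produces when the IKE Child SA log level is raised, and are not from the thread.

```python
import re
from collections import Counter

# Constructed sample: 7 lines copied from the thread's log, then 2 constructed
# lines of the kind charon logs when a Quick Mode proposal has no matching
# Phase 2 entry (these two are NOT from the thread).
SAMPLE_LOG = """\
Jan 31 09:35:44 charon 06[CFG] vici client 49 connected
Jan 31 09:35:44 charon 13[CFG] vici client 49 requests: list-sas
Jan 31 09:35:50 charon 14[IKE] <con1000|21>sending DPD request
Jan 31 09:35:50 charon 14[ENC] <con1000|21>generating INFORMATIONAL_V1 request 3516362738 [ HASH N(DPD) ]
Jan 31 09:35:50 charon 14[NET] <con1000|21>sending packet: from 98.xxx.xxx.xxx[500] to 64.xxx.xxx.xxx[500] (92 bytes)
Jan 31 09:35:50 charon 14[ENC] <con1000|21>parsed INFORMATIONAL_V1 request 472707021 [ HASH N(DPD_ACK) ]
Jan 31 09:35:50 charon 14[IKE] <con1000|21>nothing to initiate
Jan 31 09:40:12 charon 09[ENC] <con1000|22>parsed QUICK_MODE request 1122334455 [ HASH SA No ID ID ]
Jan 31 09:40:12 charon 09[IKE] <con1000|22>no matching CHILD_SA config found for 192.168.1.0/24 === 172.17.0.254/32
"""

# Substrings that mark an actual negotiation event (Phase 1 or Phase 2).
NEGOTIATION_MARKERS = (
    "CHILD_SA", "QUICK_MODE", "NO_PROPOSAL_CHOSEN", "PROPOSAL", "INVALID_ID",
    "TS_UNACCEPTABLE", "no matching", "establishing", "established",
    "AUTH_FAILED", "PAYLOAD_MALFORMED",
)

# "<month> <day> <time> charon <thread>[<subsystem>] <message>"
_LINE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) charon \d+\[(?P<sub>[A-Z]+)\] (?P<msg>.*)$")


def classify(line: str) -> str:
    """Label one charon log line by what it tells a troubleshooter."""
    m = _LINE.match(line)
    if not m:
        return "unparsed"
    sub, msg = m.group("sub"), m.group("msg")
    if any(marker in msg for marker in NEGOTIATION_MARKERS):
        return "negotiation"            # the lines worth reading
    if sub == "CFG" and msg.startswith("vici client"):
        return "status_poll"            # pfSense GUI asking charon for SA status
    if "DPD" in msg or "nothing to initiate" in msg or "activating new tasks" in msg:
        return "keepalive"              # dead-peer-detection on an established IKE SA
    if sub == "NET":
        return "transport"              # raw send/receive accounting
    return "other"


def triage(text: str) -> dict:
    """Count lines per category and return the negotiation lines verbatim."""
    counts = Counter()
    relevant = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cat = classify(line)
        counts[cat] += 1
        if cat == "negotiation":
            relevant.append(line)
    return {"counts": dict(counts), "negotiation": relevant}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("line categories:", result["counts"])
    for line in result["negotiation"]:
        print("NEGOTIATION:", line)
```

Run against the full log in the thread, the script reports zero negotiation lines, which is the point made in the reply below it: to see why Phase 2 fails, the IKE Child SA log level has to be raised until lines of the "no matching CHILD_SA config found" kind appear.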

              Phase 2 is not working.

              irs wrote:

                Any idea what I am doing wrong in getting Phase 2 running?

                Derelict (Netgate) wrote:

                  Nothing in those logs is helpful. They have nothing to do with establishing or failed connections.

                  Have you looked at this?

                  https://doc.pfsense.org/index.php/IPsec_Troubleshooting

                  Be sure IKE SA, IKE Child SA, and Configuration Backend are all set to Diag in VPN > IPsec, Advanced. Everything else can be Control.


                  irs wrote:

                    Thanks for your kind reply. I read that link but still cannot figure out how to NAT in IPsec to allow access to three different IP addresses.

                    Derelict (Netgate) wrote:

                      What do you mean NAT?

                      Based on this:

                      access-list acl-vpn-NJB permit ip host 172.17.0.254 172.17.7.0 0.0.0.255
                      access-list acl-vpn-NJB permit ip host 172.17.0.4 172.17.7.0 0.0.0.255
                      access-list acl-vpn-NJB permit ip host 172.17.0.51 172.17.7.0 0.0.0.255

                      You would make three phase 2 tunnel entries:

                      Local Network: Network: 172.17.7.0 /24
                      Remote Network: Address: 172.17.0.254

                      Local Network: Network: 172.17.7.0 /24
                      Remote Network: Address: 172.17.0.4

                      Local Network: Network: 172.17.7.0 /24
                      Remote Network: Address: 172.17.0.51


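The rule the Cisco administrator stated at the top of the thread ("your access list matches exactly the opposite of ours") is mechanical enough to check with a script. The example below is added here and is not code from the thread, pfSense or strongSwan: it parses the quoted crypto ACL, converts Cisco wildcard masks to prefixes, mirrors each entry into the (local, remote) form a pfSense Phase 2 entry uses, and reports which mirrored entries are absent from a given Phase 2 list. The two Phase 2 lists are constructed from the thread text: the 192.168.1.x networks the original poster listed, and the three entries suggested in the last reply. The parser also handles `any` and non-host wildcard terms, which the quoted ACL does not use.

```python
import ipaddress
import re

# Crypto ACL as quoted in the thread (Cisco side of the tunnel).
CISCO_ACL = """
access-list acl-vpn-NJB permit ip host 172.17.0.254 172.17.7.0 0.0.0.255
access-list acl-vpn-NJB permit ip host 172.17.0.4 172.17.7.0 0.0.0.255
access-list acl-vpn-NJB permit ip host 172.17.0.51 172.17.7.0 0.0.0.255
"""

# pfSense Phase 2 entries as (local network, remote network), constructed from
# the thread: what the poster listed, and what the last reply suggests.
POSTED_PFSENSE_P2 = [
    ("192.168.1.254/32", "192.168.1.0/24"),
    ("192.168.1.4/32", "192.168.1.0/24"),
]
SUGGESTED_PFSENSE_P2 = [
    ("172.17.7.0/24", "172.17.0.254/32"),
    ("172.17.7.0/24", "172.17.0.4/32"),
    ("172.17.7.0/24", "172.17.0.51/32"),
]

_ACE = re.compile(r"^access-list\s+\S+\s+permit\s+ip\s+(?P<rest>.+)$")


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert Cisco 'address wildcard' notation to a prefix; reject non-contiguous masks."""
    inverse = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    prefix = bin(inverse).count("1")
    if inverse != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def _take_prefix(tokens, i):
    """Consume one address term ('host A', 'any' or 'A WILDCARD') starting at tokens[i]."""
    tok = tokens[i]
    if tok == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return wildcard_to_network(tok, tokens[i + 1]), i + 2


def parse_crypto_acl(text: str):
    """Return (source, destination) network pairs for each 'permit ip' entry."""
    pairs = []
    for line in text.splitlines():
        m = _ACE.match(line.strip())
        if not m:
            continue                      # blank lines, comments, non-ip entries
        tokens = m.group("rest").split()
        src, i = _take_prefix(tokens, 0)
        dst, _ = _take_prefix(tokens, i)
        pairs.append((src, dst))
    return pairs


def mirrored_phase2(pairs):
    """The far side's (src, dst) becomes our (local, remote): an exact mirror."""
    return [(dst, src) for src, dst in pairs]


def missing_phase2(expected, configured):
    """Mirrored entries that have no identical entry in the pfSense Phase 2 list."""
    have = {(ipaddress.ip_network(l), ipaddress.ip_network(r)) for l, r in configured}
    return [(str(l), str(r)) for l, r in expected if (l, r) not in have]


if __name__ == "__main__":
    need = mirrored_phase2(parse_crypto_acl(CISCO_ACL))
    for label, cfg in (("posted", POSTED_PFSENSE_P2), ("suggested", SUGGESTED_PFSENSE_P2)):
        gaps = missing_phase2(need, cfg)
        print(f"{label}: {len(gaps)} mirrored Phase 2 entries missing", gaps)
```

The comparison is deliberately exact rather than "covered by a wider prefix": in IKEv1 Quick Mode the responder has to find a Phase 2 entry whose selectors match the proposed ones, so a /24 on one side against a /32 on the other is a mismatch even though the host is inside the network.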
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.