IPSEC Tunnel to WIN10 behind NAT driving me crazy



  • Hello
I am trying to create an IPSEC VPN according to this howto (https://forum.pfsense.org/index.php?topic=127457.0). Unfortunately it is not working. I tried a lot, but I cannot connect. The client has to be behind a NAT. I tried it on two different networks (including T-Mobile LTE), but I cannot connect.

    This is the log on the PFSense.

    Mar 5 16:37:22 	charon 		16[JOB] <1> deleting half open IKE_SA with 80.187.96.197 after timeout
    Mar 5 16:36:52 	charon 		16[NET] <1> sending packet: from 78.94.x.x[500] to 80.187.96.197[500] (337 bytes)
    Mar 5 16:36:52 	charon 		16[ENC] <1> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
    Mar 5 16:36:52 	charon 		16[IKE] <1> sending cert request for "C=DE, ST=BW, L=Tuebingen, O=Bewegte Bilder Medien GmbH, E=post@bewegtebilder.de, CN=internal-ca"
    Mar 5 16:36:52 	charon 		16[IKE] <1> remote host is behind NAT
    Mar 5 16:36:52 	charon 		16[IKE] <1> 80.187.96.197 is initiating an IKE_SA
    Mar 5 16:36:52 	charon 		16[ENC] <1> received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
    Mar 5 16:36:52 	charon 		16[IKE] <1> received Vid-Initial-Contact vendor ID
    Mar 5 16:36:52 	charon 		16[IKE] <1> received MS-Negotiation Discovery Capable vendor ID
    Mar 5 16:36:52 	charon 		16[IKE] <1> received MS NT5 ISAKMPOAKLEY v9 vendor ID
    Mar 5 16:36:52 	charon 		16[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
    Mar 5 16:36:52 	charon 		16[NET] <1> received packet: from 80.187.96.197[500] to 78.94..x.x[500] (616 bytes)
    Mar 5 16:36:25 	charon 		16[CFG] added configuration 'con2'
    Mar 5 16:36:25 	charon 		16[CFG] loaded certificate "C=DE, ST=BW, L=Tuebingen, O=XXXXX, E=XXXXX, CN=XXXX" from '/var/etc/ipsec/ipsec.d/certs/cert-2.crt'
    Mar 5 16:36:25 	charon 		16[CFG] adding virtual IP address pool 192.168.157.10/27
    Mar 5 16:36:25 	charon 		16[CFG] received stroke: add connection 'con2' 
    

    Please help.

    Best regards

    Harald



  • Check if UDP port 4500 is open.



  • Double-check that you are using IKEv2 on both ends. This looks like IKEv1 with UDP port 500:
    Mar 5 16:36:52 charon 16[NET] <1> sending packet: from 78.94.x.x[500] to 80.187.96.197[500] (337 bytes)
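Added example, not from any poster in this thread: a small triage script for the kind of pfSense charon log pasted in the first post. It groups lines by IKE_SA id and reports the pattern seen there (IKE_SA_INIT answered on UDP 500, NAT detected, then the half-open SA deleted with no IKE_AUTH and nothing on UDP 4500), which is the case the UDP 4500 reply is pointing at. The sample log lines are constructed with placeholder addresses; the pfSense log line layout is the one shown above.

```python
import re
from collections import defaultdict

# pfSense/charon log line: "<Mon D HH:MM:SS> charon <thread>[SUBSYS] <sa_id> message"
LINE_RE = re.compile(r"^\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+charon\s+\d+\[(?P<sub>[A-Z]+)\]\s+"
                     r"(?:<(?P<sa>\d+)>\s+)?(?P<msg>.*)$")

# Constructed sample modelled on the post's log (placeholder addresses, newest line first).
SAMPLE_LOG = """\
Mar 5 16:37:22  charon  16[JOB] <1> deleting half open IKE_SA with 198.51.100.7 after timeout
Mar 5 16:36:52  charon  16[NET] <1> sending packet: from 203.0.113.1[500] to 198.51.100.7[500] (337 bytes)
Mar 5 16:36:52  charon  16[ENC] <1> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Mar 5 16:36:52  charon  16[IKE] <1> remote host is behind NAT
Mar 5 16:36:52  charon  16[NET] <1> received packet: from 198.51.100.7[500] to 203.0.113.1[500] (616 bytes)
Mar 5 16:36:25  charon  16[CFG] added configuration 'con2'
"""

def parse(lines):
    """Yield (sa_id, subsystem, message); sa_id is None for lines without an <n> tag."""
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("sa"), m.group("sub"), m.group("msg")

def triage(lines):
    """Per IKE_SA id, record what the responder saw and attach a verdict."""
    state = defaultdict(lambda: {"init": False, "nat": False, "auth": False,
                                 "half_open": False, "ports": set()})
    for sa, _sub, msg in parse(lines):
        if sa is None:  # [CFG] lines carry no IKE_SA id
            continue
        s = state[sa]
        s["init"] |= "IKE_SA_INIT" in msg
        s["nat"] |= "remote host is behind NAT" in msg
        s["auth"] |= "IKE_AUTH" in msg
        s["half_open"] |= "deleting half open IKE_SA" in msg
        s["ports"].update(int(p) for p in re.findall(r"\[(\d+)\]", msg))  # host[port]
    for s in state.values():
        s["verdict"] = verdict(s)
    return dict(state)

def verdict(s):
    """Classify one SA; NAT + no IKE_AUTH + nothing on UDP 4500 is the post's symptom."""
    if s["auth"]:
        return "IKE_AUTH reached the responder; look at authentication, not NAT"
    if s["half_open"] and s["nat"] and s["init"] and 4500 not in s["ports"]:
        return ("IKE_SA_INIT answered on UDP 500 and NAT detected, but no IKE_AUTH and no "
                "traffic on UDP 4500: check that UDP 4500 (NAT-T) is allowed end to end")
    return "no NAT-T symptom detected"
```

Run `triage(SAMPLE_LOG.splitlines())` against a real export (`clog /var/log/ipsec.log` on pfSense) to get one verdict per IKE_SA id.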