IPSEC Tunnel to WIN10 behind NAT driving me crazy
-
Hello
I am trying to create an IPsec VPN according to this howto (https://forum.pfsense.org/index.php?topic=127457.0). Unfortunately it is not working. I tried a lot, but I cannot connect. The client has to be behind a NAT. I tried it on two different networks (including T-Mobile LTE) but I cannot connect. This is the log on the pfSense:
Mar 5 16:37:22 charon 16[JOB] <1> deleting half open IKE_SA with 80.187.96.197 after timeout
Mar 5 16:36:52 charon 16[NET] <1> sending packet: from 78.94.x.x[500] to 80.187.96.197[500] (337 bytes)
Mar 5 16:36:52 charon 16[ENC] <1> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Mar 5 16:36:52 charon 16[IKE] <1> sending cert request for "C=DE, ST=BW, L=Tuebingen, O=Bewegte Bilder Medien GmbH, E=post@bewegtebilder.de, CN=internal-ca"
Mar 5 16:36:52 charon 16[IKE] <1> remote host is behind NAT
Mar 5 16:36:52 charon 16[IKE] <1> 80.187.96.197 is initiating an IKE_SA
Mar 5 16:36:52 charon 16[ENC] <1> received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Mar 5 16:36:52 charon 16[IKE] <1> received Vid-Initial-Contact vendor ID
Mar 5 16:36:52 charon 16[IKE] <1> received MS-Negotiation Discovery Capable vendor ID
Mar 5 16:36:52 charon 16[IKE] <1> received MS NT5 ISAKMPOAKLEY v9 vendor ID
Mar 5 16:36:52 charon 16[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Mar 5 16:36:52 charon 16[NET] <1> received packet: from 80.187.96.197[500] to 78.94.x.x[500] (616 bytes)
Mar 5 16:36:25 charon 16[CFG] added configuration 'con2'
Mar 5 16:36:25 charon 16[CFG] loaded certificate "C=DE, ST=BW, L=Tuebingen, O=XXXXX, E=XXXXX, CN=XXXX" from '/var/etc/ipsec/ipsec.d/certs/cert-2.crt'
Mar 5 16:36:25 charon 16[CFG] adding virtual IP address pool 192.168.157.10/27
Mar 5 16:36:25 charon 16[CFG] received stroke: add connection 'con2'
Please help.
Best regards
Harald
-
Check if UDP port 4500 is open.
-
Double-check that you are using IKEv2 on both ends. This looks like IKEv1 with UDP port 500:
Mar 5 16:36:52 charon 16[NET] <1> sending packet: from 78.94.x.x[500] to 80.187.96.197[500] (337 bytes)
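A small diagnostic for the charon log posted above, as an added example that is not part of this thread or of pfSense/strongSwan itself. It parses the log lines per IKE_SA, records the IKE exchanges seen and the UDP ports packets arrived on, and reports when a peer that charon detected behind NAT completed IKE_SA_INIT on UDP/500 but never delivered an IKE_AUTH request on UDP/4500 before the half-open SA timed out, which is exactly the pattern the UDP/4500 reply is pointing at. The sample log is the posted log re-entered oldest-first with the original redacted WAN address; the line format assumed is the one visible in the post (`Mon D HH:MM:SS charon NN[GROUP] <sa> message`).

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the charon lines from the post above, one entry per line, oldest first.
SAMPLE_LOG = """\
Mar 5 16:36:25 charon 16[CFG] received stroke: add connection 'con2'
Mar 5 16:36:25 charon 16[CFG] adding virtual IP address pool 192.168.157.10/27
Mar 5 16:36:52 charon 16[NET] <1> received packet: from 80.187.96.197[500] to 78.94.x.x[500] (616 bytes)
Mar 5 16:36:52 charon 16[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Mar 5 16:36:52 charon 16[IKE] <1> 80.187.96.197 is initiating an IKE_SA
Mar 5 16:36:52 charon 16[IKE] <1> remote host is behind NAT
Mar 5 16:36:52 charon 16[ENC] <1> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Mar 5 16:36:52 charon 16[NET] <1> sending packet: from 78.94.x.x[500] to 80.187.96.197[500] (337 bytes)
Mar 5 16:37:22 charon 16[JOB] <1> deleting half open IKE_SA with 80.187.96.197 after timeout
"""

# Assumed line layout: "<Mon D HH:MM:SS> charon <thread>[GROUP] [<sa-id>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) charon \d+\[(?P<grp>\w+)\]"
    r"(?: <(?P<sa>\d+)>)? (?P<msg>.*)$"
)
PKT_RE = re.compile(
    r"(?P<dir>received|sending) packet: from (?P<src>\S+)\[(?P<sport>\d+)\] "
    r"to (?P<dst>\S+)\[(?P<dport>\d+)\]"
)
EXCH_RE = re.compile(r"parsed (?P<exch>\w+) request")


@dataclass
class IkeSa:
    sa_id: str
    peer: str = ""
    behind_nat: bool = False
    exchanges: list = field(default_factory=list)   # exchange names charon parsed from the peer
    received_ports: set = field(default_factory=set)  # local UDP ports the peer's packets hit
    timed_out: bool = False

    @property
    def ike_version(self) -> str:
        # charon logs IKEv2 exchanges as IKE_SA_INIT / IKE_AUTH; IKEv1 appears as ID_PROT (main mode) or AGGRESSIVE.
        if any(e in ("IKE_SA_INIT", "IKE_AUTH") for e in self.exchanges):
            return "IKEv2"
        if any(e in ("ID_PROT", "AGGRESSIVE") for e in self.exchanges):
            return "IKEv1"
        return "unknown"


def parse_charon_log(text: str) -> dict:
    """Group charon log lines by IKE_SA id and extract the facts the diagnosis needs."""
    sas = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("sa") is None:
            continue  # CFG lines carry no SA id; nothing to attribute
        sa = sas.setdefault(m.group("sa"), IkeSa(m.group("sa")))
        msg = m.group("msg")
        if msg.endswith("is initiating an IKE_SA"):
            sa.peer = msg.split()[0]
        elif msg == "remote host is behind NAT":
            sa.behind_nat = True
        elif msg.startswith("deleting half open IKE_SA"):
            sa.timed_out = True
        elif (e := EXCH_RE.search(msg)):
            sa.exchanges.append(e.group("exch"))
        elif (p := PKT_RE.search(msg)) and p.group("dir") == "received":
            sa.received_ports.add(int(p.group("dport")))
    return sas


def diagnose(sa: IkeSa) -> list:
    """Return human-readable findings for one SA; empty list means nothing suspicious."""
    findings = []
    if not sa.timed_out:
        return findings
    findings.append(f"IKE_SA <{sa.sa_id}> with {sa.peer} timed out half-open ({sa.ike_version}).")
    if "IKE_SA_INIT" in sa.exchanges and "IKE_AUTH" not in sa.exchanges:
        findings.append("IKE_SA_INIT completed but no IKE_AUTH request was ever received.")
        if sa.behind_nat and 4500 not in sa.received_ports:
            findings.append(
                "Peer is behind NAT, so IKE_AUTH must arrive on UDP/4500 (NAT-T); "
                "nothing was received on 4500. Check that UDP/4500 is allowed and "
                "forwarded to the firewall's WAN address."
            )
    return findings


if __name__ == "__main__":
    for sa in parse_charon_log(SAMPLE_LOG).values():
        for finding in diagnose(sa):
            print(finding)
```

Run against the posted log this reports that IKE_SA <1> reached IKE_SA_INIT on UDP/500, was flagged as behind NAT, and then saw nothing on UDP/4500 before charon deleted it; once the 4500 path is fixed, the same parser sees an IKE_AUTH request arrive on 4500 and reports nothing.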