IPSec VPN PFSense to PFSense 2.4.3



  • Hi Guys,
    I have recently upgraded to PFSense 2.4.3 on both my firewalls. I am now having an issue where the IPSec VPN will not establish and just shows as connecting, with no connection ever being made. I have been looking at the logs and I can't see anything that 'stands out' as wrong. I have included the VPN log below (web console) from Firewall A (Cloud) and Firewall B (On Site).

    Firewall A
    3[KNL] creating acquire job for policy 54.0.0.1/32|/0 === 86.0.0.1/32|/0 with reqid {2}
    Sep 18 20:47:04 charon 07[CFG] ignoring acquire, connection attempt pending
    Sep 18 20:47:05 charon 07[JOB] <4> deleting half open IKE_SA with 86.0.0.1 after timeout
    Sep 18 20:47:05 charon 07[IKE] <4> IKE_SA (unnamed)[4] state change: CONNECTING => DESTROYING
    Sep 18 20:47:07 charon 06[CFG] vici client 17 connected
    Sep 18 20:47:07 charon 07[CFG] vici client 17 registered for: list-sa
    Sep 18 20:47:07 charon 07[CFG] vici client 17 requests: list-sas
    Sep 18 20:47:07 charon 07[CFG] vici client 17 disconnected
    Sep 18 20:47:12 charon 06[CFG] vici client 18 connected
    Sep 18 20:47:12 charon 15[CFG] vici client 18 registered for: list-sa
    Sep 18 20:47:12 charon 07[CFG] vici client 18 requests: list-sas
    Sep 18 20:47:12 charon 07[CFG] vici client 18 disconnected
    Sep 18 20:47:13 charon 07[IKE] <con3|1> retransmit 5 of request with message ID 1
    Sep 18 20:47:13 charon 07[NET] <con3|1> sending packet: from 54.0.0.1[4500] to 86.0.0.1[4500] (320 bytes)
    Sep 18 20:47:17 charon 15[CFG] vici client 19 connected
    Sep 18 20:47:17 charon 14[CFG] vici client 19 registered for: list-sa
    Sep 18 20:47:17 charon 07[CFG] vici client 19 requests: list-sas
    Sep 18 20:47:17 charon 07[CFG] vici client 19 disconnected
    Sep 18 20:47:22 charon 14[CFG] vici client 20 connected
    Sep 18 20:47:22 charon 07[CFG] vici client 20 registered for: list-sa
    Sep 18 20:47:22 charon 07[CFG] vici client 20 requests: list-sas
    Sep 18 20:47:22 charon 07[CFG] vici client 20 disconnected
    Sep 18 20:47:25 charon 07[KNL] creating acquire job for policy 54.0.0.1/32|/0 === 86.0.0.1/32|/0 with reqid {2}
    Sep 18 20:47:25 charon 08[CFG] ignoring acquire, connection attempt pending
    Sep 18 20:47:27 charon 07[CFG] vici client 21 connected
    Sep 18 20:47:27 charon 08[CFG] vici client 21 registered for: list-sa
    Sep 18 20:47:27 charon 16[CFG] vici client 21 requests: list-sas
    Sep 18 20:47:27 charon 07[CFG] vici client 21 disconnected
    Sep 18 20:47:32 charon 16[CFG] vici client 22 connected
    Sep 18 20:47:32 charon 07[CFG] vici client 22 registered for: list-sa
    Sep 18 20:47:32 charon 07[CFG] vici client 22 requests: list-sas
    Sep 18 20:47:32 charon 12[CFG] vici client 22 disconnected
    Sep 18 20:47:37 charon 16[CFG] vici client 23 connected
    Sep 18 20:47:37 charon 12[CFG] vici client 23 registered for: list-sa
    Sep 18 20:47:37 charon 12[CFG] vici client 23 requests: list-sas
    Sep 18 20:47:37 charon 12[CFG] vici client 23 disconnected
    Sep 18 20:47:42 charon 05[CFG] vici client 24 connected
    Sep 18 20:47:42 charon 12[CFG] vici client 24 registered for: list-sa
    Sep 18 20:47:42 charon 12[CFG] vici client 24 requests: list-sas
    Sep 18 20:47:42 charon 12[CFG] vici client 24 disconnected
    Sep 18 20:47:47 charon 10[CFG] vici client 25 connected
    Sep 18 20:47:47 charon 12[CFG] vici client 25 registered for: list-sa
    Sep 18 20:47:47 charon 12[CFG] vici client 25 requests: list-sas
    Sep 18 20:47:47 charon 12[CFG] vici client 25 disconnected

    Firewall B
    Sep 18 21:01:05 charon 16[IKE] <6> 0: E2 EC 62 32 AE 3C 2F A5 00 96 59 0C D4 49 F7 F7 ..b2.</...Y..I..
    Sep 18 21:01:05 charon 16[IKE] <6> 16: 67 01 9F 3C g..<
    Sep 18 21:01:05 charon 16[IKE] <6> precalculated dst_hash => 20 bytes @ 0x802198960
    Sep 18 21:01:05 charon 16[IKE] <6> 0: D9 25 AB D7 30 9E D4 E7 80 51 9E B3 A0 59 48 3E .%..0....Q...YH>
    Sep 18 21:01:05 charon 16[IKE] <6> 16: 7F B2 56 D7 ..V.
    Sep 18 21:01:05 charon 16[IKE] <6> received src_hash => 20 bytes @ 0x80d180b00
    Sep 18 21:01:05 charon 16[IKE] <6> 0: E2 EC 62 32 AE 3C 2F A5 00 96 59 0C D4 49 F7 F7 ..b2.</...Y..I..
    Sep 18 21:01:05 charon 16[IKE] <6> 16: 67 01 9F 3C g..<
    Sep 18 21:01:05 charon 16[IKE] <6> received dst_hash => 20 bytes @ 0x80d37de60
    Sep 18 21:01:05 charon 16[IKE] <6> 0: 03 82 DF 9E 60 DB 6E 38 E2 EE 82 FE 1A 4A A6 E4 ....`.n8.....J..
    Sep 18 21:01:05 charon 16[IKE] <6> 16: 0E 1E 6A 83 ..j.
    Sep 18 21:01:05 charon 16[IKE] <6> local host is behind NAT, sending keep alives
    Sep 18 21:01:05 charon 16[CFG] <6> sending supported signature hash algorithms: sha256 sha384 sha512 identity
    Sep 18 21:01:05 charon 16[IKE] <6> natd_chunk => 22 bytes @ 0x802198aa0
    Sep 18 21:01:05 charon 16[IKE] <6> 0: A0 21 BF B7 C7 79 22 EA 3A FE 4E 7F 54 86 3B 58 .!...y".:.N.T.;X
    Sep 18 21:01:05 charon 16[IKE] <6> 16: C0 A8 00 11 01 F4 ......
    Sep 18 21:01:05 charon 16[IKE] <6> natd_hash => 20 bytes @ 0x802198ae0
    Sep 18 21:01:05 charon 16[IKE] <6> 0: A8 E3 9F 3D C9 FA 61 63 35 FC 3B 97 05 EB 0B 56 ...=..ac5.;....V
    Sep 18 21:01:05 charon 16[IKE] <6> 16: AA E4 61 85 ..a.
    Sep 18 21:01:05 charon 16[IKE] <6> natd_chunk => 22 bytes @ 0x802198b20
    Sep 18 21:01:05 charon 16[IKE] <6> 0: A0 21 BF B7 C7 79 22 EA 3A FE 4E 7F 54 86 3B 58 .!...y".:.N.T.;X
    Sep 18 21:01:05 charon 16[IKE] <6> 16: 36 24 C6 F1 01 F4 6$....
    Sep 18 21:01:05 charon 16[IKE] <6> natd_hash => 20 bytes @ 0x802198b00
    Sep 18 21:01:05 charon 16[IKE] <6> 0: 47 6B 1B 95 C7 31 4E F3 05 98 F0 9C 81 29 7C 37 Gk...1N......)|7
    Sep 18 21:01:05 charon 16[IKE] <6> 16: 65 B5 A9 B6 e...
    Sep 18 21:01:05 charon 16[ENC] <6> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
    Sep 18 21:01:05 charon 16[NET] <6> sending packet: from 192.168.0.17[500] to 54.0.0.1[500] (464 bytes)
    Sep 18 21:01:12 charon 16[KNL] creating acquire job for policy 192.168.0.17/32|/0 === 54.0.0.1/32|/0 with reqid {1}
    Sep 18 21:01:12 charon 11[CFG] ignoring acquire, connection attempt pending
    Sep 18 21:01:18 charon 16[IKE] <con1|5> retransmit 4 of request with message ID 1
    Sep 18 21:01:18 charon 16[NET] <con1|5> sending packet: from 192.168.0.17[4500] to 54.0.0.1[4500] (320 bytes)
    Sep 18 21:01:25 charon 16[IKE] <6> sending keep alive to 54.0.0.1[500]
    Sep 18 21:01:27 charon 16[KNL] creating acquire job for policy 192.168.0.17/32|/0 === 54.0.0.1/32|/0 with reqid {1}
    Sep 18 21:01:27 charon 14[CFG] ignoring acquire, connection attempt pending
    Sep 18 21:01:35 charon 14[JOB] <6> deleting half open IKE_SA with 54.0.0.1 after timeout
    Sep 18 21:01:35 charon 14[IKE] <6> IKE_SA (unnamed)[6] state change: CONNECTING => DESTROYING
    Sep 18 21:01:39 charon 14[KNL] creating acquire job for policy 192.168.0.17/32|/0 === 54.0.0.1/32|/0 with reqid {1}
    Sep 18 21:01:39 charon 16[CFG] ignoring acquire, connection attempt pending
    Sep 18 21:01:42 charon 00[DMN] signal of type SIGINT received. Shutting down
    Sep 18 21:01:42 charon 00[IKE] <con1|5> destroying IKE_SA in state CONNECTING without notification
    Sep 18 21:01:42 charon 00[IKE] <con1|5> IKE_SA con1[5] state change: CONNECTING => DESTROYING
    Sep 18 21:01:42 charon 00[CHD] <con1|5> CHILD_SA con1{9} state change: CREATED => DESTROYING
    Sep 18 21:01:42 charon 00[KNL] <con1|5> unable to delete SAD entry with SPI c1b6f98b: No such process (3)
    Sep 18 21:01:42 charon 00[CHD] CHILD_SA con1{1} state change: ROUTED => DESTROYING
    Sep 18 21:01:42 charon 00[CFG] proposing traffic selectors for us:

    I know that on Firewall B it references a WAN address of 192.168.0.17; this is because the firewall is behind the ISP router, which will only give us an internal address. This was working before the upgrade, as we use the identifier on the Cloud Firewall as the IP 192.168.0.17.

    Is there something that I am completely missing here? Please be aware the public IP addresses used in the config are not the ones that we use; they have been changed.

    Any help would be greatly appreciated.



  • Try IKEv2 and a My/Peer identifier other than an IP address. I chose a KeyID tag and created names that identified the two sites.
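As an added illustration (not pfSense or strongSwan code, and not from either poster), here is a small Python triage helper run over constructed charon lines modelled on the logs in the question. It flags the three signals visible on both firewalls above: the same request being retransmitted with no reply, half-open IKE_SAs deleted after timeout, and a host that detected it is behind NAT while still being identified by an IP address, which is the situation the KeyID suggestion in the reply addresses. The `local_id` parameter is an assumption standing for the "My identifier" value configured in the phase 1 settings.

```python
import re
from collections import Counter

# Constructed sample, modelled on the charon lines quoted in the post (not the poster's raw log).
SAMPLE_LOG = """\
Sep 18 21:01:05 charon 16[IKE] <6> local host is behind NAT, sending keep alives
Sep 18 21:01:05 charon 16[NET] <6> sending packet: from 192.168.0.17[500] to 54.0.0.1[500] (464 bytes)
Sep 18 21:01:18 charon 16[IKE] <con1|5> retransmit 4 of request with message ID 1
Sep 18 21:01:18 charon 16[NET] <con1|5> sending packet: from 192.168.0.17[4500] to 54.0.0.1[4500] (320 bytes)
Sep 18 21:01:35 charon 14[JOB] <6> deleting half open IKE_SA with 54.0.0.1 after timeout
"""

# One charon line: timestamp, thread[subsystem], optional <sa-name|id>, free-text message.
LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d charon \d+\[(?P<sub>\w+)\] (?:<(?P<sa>[^>]+)> )?(?P<msg>.*)$")
RETRANSMIT_RE = re.compile(r"retransmit (\d+) of request with message ID (\d+)")
HALF_OPEN_RE = re.compile(r"deleting half open IKE_SA with (\S+) after timeout")
SEND_RE = re.compile(r"sending packet: from (\S+)\[\d+\] to \S+\[\d+\]")

def triage(text):
    # Collect the signals that matter when an IKE_SA sticks in CONNECTING.
    r = {"behind_nat": False, "retransmits": {}, "half_open": Counter(), "src_addrs": set()}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if "local host is behind NAT" in msg:
            r["behind_nat"] = True
        if (x := RETRANSMIT_RE.search(msg)):
            key = (m.group("sa"), int(x.group(2)))           # (IKE_SA, message ID)
            r["retransmits"][key] = max(r["retransmits"].get(key, 0), int(x.group(1)))
        if (x := HALF_OPEN_RE.search(msg)):
            r["half_open"][x.group(1)] += 1                  # responder gave up waiting on this peer
        if (x := SEND_RE.search(msg)):
            r["src_addrs"].add(x.group(1))                   # address this side really sends from
    return r

def findings(r, local_id):
    # local_id (assumed) is the "My identifier" value configured in the phase 1 settings.
    out = []
    for (sa, mid), n in r["retransmits"].items():
        if n >= 3:
            out.append(f"{sa}: request {mid} retransmitted {n}x with no reply; check that UDP 500/4500 "
                       "reach the peer and that the phase 1 proposal, PSK and identifiers match")
    for peer, n in r["half_open"].items():
        out.append(f"{n} half-open IKE_SA(s) with {peer} timed out; the peer never finished the exchange")
    if r["behind_nat"] and re.fullmatch(r"\d+(\.\d+){3}", local_id):
        out.append(f"behind NAT, sending from {sorted(r['src_addrs'])} but identified by IP {local_id}; "
                   "the peer sees the post-NAT address, so use a KeyID/FQDN identifier on both sides")
    return out
```

Running `findings(triage(SAMPLE_LOG), "192.168.0.17")` produces all three findings; with a non-IP identifier such as a KeyID the NAT/identifier finding disappears and only the reachability and timeout checks remain.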