IPSec VPN PFSense to PFSense 2.4.3
-
Hi Guys,
I have recently upgraded to PFSense 2.4.3 on both my Firewalls. I am now having an issue where the IPSec VPN will not establish and just shows as connecting with no connection ever being made. I have been looking at the logs and I can't see anything that 'stands out' as wrong. I have included the VPN Log below (web console) from Firewall A (Cloud) and Firewall B (On Site).

Firewall A
3[KNL] creating acquire job for policy 54.0.0.1/32|/0 === 86.0.0.1/32|/0 with reqid {2}
Sep 18 20:47:04 charon 07[CFG] ignoring acquire, connection attempt pending
Sep 18 20:47:05 charon 07[JOB] <4> deleting half open IKE_SA with 86.0.0.1 after timeout
Sep 18 20:47:05 charon 07[IKE] <4> IKE_SA (unnamed)[4] state change: CONNECTING => DESTROYING
Sep 18 20:47:07 charon 06[CFG] vici client 17 connected
Sep 18 20:47:07 charon 07[CFG] vici client 17 registered for: list-sa
Sep 18 20:47:07 charon 07[CFG] vici client 17 requests: list-sas
Sep 18 20:47:07 charon 07[CFG] vici client 17 disconnected
Sep 18 20:47:12 charon 06[CFG] vici client 18 connected
Sep 18 20:47:12 charon 15[CFG] vici client 18 registered for: list-sa
Sep 18 20:47:12 charon 07[CFG] vici client 18 requests: list-sas
Sep 18 20:47:12 charon 07[CFG] vici client 18 disconnected
Sep 18 20:47:13 charon 07[IKE] <con3|1> retransmit 5 of request with message ID 1
Sep 18 20:47:13 charon 07[NET] <con3|1> sending packet: from 54.0.0.1[4500] to 86.0.0.1[4500] (320 bytes)
Sep 18 20:47:17 charon 15[CFG] vici client 19 connected
Sep 18 20:47:17 charon 14[CFG] vici client 19 registered for: list-sa
Sep 18 20:47:17 charon 07[CFG] vici client 19 requests: list-sas
Sep 18 20:47:17 charon 07[CFG] vici client 19 disconnected
Sep 18 20:47:22 charon 14[CFG] vici client 20 connected
Sep 18 20:47:22 charon 07[CFG] vici client 20 registered for: list-sa
Sep 18 20:47:22 charon 07[CFG] vici client 20 requests: list-sas
Sep 18 20:47:22 charon 07[CFG] vici client 20 disconnected
Sep 18 20:47:25 charon 07[KNL] creating acquire job for policy 54.0.0.1/32|/0 === 86.0.0.1/32|/0 with reqid {2}
Sep 18 20:47:25 charon 08[CFG] ignoring acquire, connection attempt pending
Sep 18 20:47:27 charon 07[CFG] vici client 21 connected
Sep 18 20:47:27 charon 08[CFG] vici client 21 registered for: list-sa
Sep 18 20:47:27 charon 16[CFG] vici client 21 requests: list-sas
Sep 18 20:47:27 charon 07[CFG] vici client 21 disconnected
Sep 18 20:47:32 charon 16[CFG] vici client 22 connected
Sep 18 20:47:32 charon 07[CFG] vici client 22 registered for: list-sa
Sep 18 20:47:32 charon 07[CFG] vici client 22 requests: list-sas
Sep 18 20:47:32 charon 12[CFG] vici client 22 disconnected
Sep 18 20:47:37 charon 16[CFG] vici client 23 connected
Sep 18 20:47:37 charon 12[CFG] vici client 23 registered for: list-sa
Sep 18 20:47:37 charon 12[CFG] vici client 23 requests: list-sas
Sep 18 20:47:37 charon 12[CFG] vici client 23 disconnected
Sep 18 20:47:42 charon 05[CFG] vici client 24 connected
Sep 18 20:47:42 charon 12[CFG] vici client 24 registered for: list-sa
Sep 18 20:47:42 charon 12[CFG] vici client 24 requests: list-sas
Sep 18 20:47:42 charon 12[CFG] vici client 24 disconnected
Sep 18 20:47:47 charon 10[CFG] vici client 25 connected
Sep 18 20:47:47 charon 12[CFG] vici client 25 registered for: list-sa
Sep 18 20:47:47 charon 12[CFG] vici client 25 requests: list-sas
Sep 18 20:47:47 charon 12[CFG] vici client 25 disconnected

Firewall B
Sep 18 21:01:05 charon 16[IKE] <6> 0: E2 EC 62 32 AE 3C 2F A5 00 96 59 0C D4 49 F7 F7 ..b2.</...Y..I..
Sep 18 21:01:05 charon 16[IKE] <6> 16: 67 01 9F 3C g..<
Sep 18 21:01:05 charon 16[IKE] <6> precalculated dst_hash => 20 bytes @ 0x802198960
Sep 18 21:01:05 charon 16[IKE] <6> 0: D9 25 AB D7 30 9E D4 E7 80 51 9E B3 A0 59 48 3E .%..0....Q...YH>
Sep 18 21:01:05 charon 16[IKE] <6> 16: 7F B2 56 D7 ..V.
Sep 18 21:01:05 charon 16[IKE] <6> received src_hash => 20 bytes @ 0x80d180b00
Sep 18 21:01:05 charon 16[IKE] <6> 0: E2 EC 62 32 AE 3C 2F A5 00 96 59 0C D4 49 F7 F7 ..b2.</...Y..I..
Sep 18 21:01:05 charon 16[IKE] <6> 16: 67 01 9F 3C g..<
Sep 18 21:01:05 charon 16[IKE] <6> received dst_hash => 20 bytes @ 0x80d37de60
Sep 18 21:01:05 charon 16[IKE] <6> 0: 03 82 DF 9E 60 DB 6E 38 E2 EE 82 FE 1A 4A A6 E4 ....`.n8.....J..
Sep 18 21:01:05 charon 16[IKE] <6> 16: 0E 1E 6A 83 ..j.
Sep 18 21:01:05 charon 16[IKE] <6> local host is behind NAT, sending keep alives
Sep 18 21:01:05 charon 16[CFG] <6> sending supported signature hash algorithms: sha256 sha384 sha512 identity
Sep 18 21:01:05 charon 16[IKE] <6> natd_chunk => 22 bytes @ 0x802198aa0
Sep 18 21:01:05 charon 16[IKE] <6> 0: A0 21 BF B7 C7 79 22 EA 3A FE 4E 7F 54 86 3B 58 .!...y".:.N.T.;X
Sep 18 21:01:05 charon 16[IKE] <6> 16: C0 A8 00 11 01 F4 ......
Sep 18 21:01:05 charon 16[IKE] <6> natd_hash => 20 bytes @ 0x802198ae0
Sep 18 21:01:05 charon 16[IKE] <6> 0: A8 E3 9F 3D C9 FA 61 63 35 FC 3B 97 05 EB 0B 56 ...=..ac5.;....V
Sep 18 21:01:05 charon 16[IKE] <6> 16: AA E4 61 85 ..a.
Sep 18 21:01:05 charon 16[IKE] <6> natd_chunk => 22 bytes @ 0x802198b20
Sep 18 21:01:05 charon 16[IKE] <6> 0: A0 21 BF B7 C7 79 22 EA 3A FE 4E 7F 54 86 3B 58 .!...y".:.N.T.;X
Sep 18 21:01:05 charon 16[IKE] <6> 16: 36 24 C6 F1 01 F4 6$....
Sep 18 21:01:05 charon 16[IKE] <6> natd_hash => 20 bytes @ 0x802198b00
Sep 18 21:01:05 charon 16[IKE] <6> 0: 47 6B 1B 95 C7 31 4E F3 05 98 F0 9C 81 29 7C 37 Gk...1N......)|7
Sep 18 21:01:05 charon 16[IKE] <6> 16: 65 B5 A9 B6 e...
Sep 18 21:01:05 charon 16[ENC] <6> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Sep 18 21:01:05 charon 16[NET] <6> sending packet: from 192.168.0.17[500] to 54.0.0.1[500] (464 bytes)
Sep 18 21:01:12 charon 16[KNL] creating acquire job for policy 192.168.0.17/32|/0 === 54.0.0.1/32|/0 with reqid {1}
Sep 18 21:01:12 charon 11[CFG] ignoring acquire, connection attempt pending
Sep 18 21:01:18 charon 16[IKE] <con1|5> retransmit 4 of request with message ID 1
Sep 18 21:01:18 charon 16[NET] <con1|5> sending packet: from 192.168.0.17[4500] to 54.0.0.1[4500] (320 bytes)
Sep 18 21:01:25 charon 16[IKE] <6> sending keep alive to 54.0.0.1[500]
Sep 18 21:01:27 charon 16[KNL] creating acquire job for policy 192.168.0.17/32|/0 === 54.0.0.1/32|/0 with reqid {1}
Sep 18 21:01:27 charon 14[CFG] ignoring acquire, connection attempt pending
Sep 18 21:01:35 charon 14[JOB] <6> deleting half open IKE_SA with 54.0.0.1 after timeout
Sep 18 21:01:35 charon 14[IKE] <6> IKE_SA (unnamed)[6] state change: CONNECTING => DESTROYING
Sep 18 21:01:39 charon 14[KNL] creating acquire job for policy 192.168.0.17/32|/0 === 54.0.0.1/32|/0 with reqid {1}
Sep 18 21:01:39 charon 16[CFG] ignoring acquire, connection attempt pending
Sep 18 21:01:42 charon 00[DMN] signal of type SIGINT received. Shutting down
Sep 18 21:01:42 charon 00[IKE] <con1|5> destroying IKE_SA in state CONNECTING without notification
Sep 18 21:01:42 charon 00[IKE] <con1|5> IKE_SA con1[5] state change: CONNECTING => DESTROYING
Sep 18 21:01:42 charon 00[CHD] <con1|5> CHILD_SA con1{9} state change: CREATED => DESTROYING
Sep 18 21:01:42 charon 00[KNL] <con1|5> unable to delete SAD entry with SPI c1b6f98b: No such process (3)
Sep 18 21:01:42 charon 00[CHD] CHILD_SA con1{1} state change: ROUTED => DESTROYING
Sep 18 21:01:42 charon 00[CFG] proposing traffic selectors for us:

I know on Firewall B that it references the WAN address of 192.168.0.17. This is because the firewall is behind the ISP router, which will only give us an internal address. This was working before the upgrade, as we use the identifier on the Cloud Firewall as the IP 192.168.0.17.
Is there something that I am completely missing here? Please be aware the public IP addresses used in the config are not the ones that we use; they have been changed.
Any help would be greatly appreciated.
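As an added example (not from the original post, and not pfSense or strongSwan code), a small Python script that parses charon lines in the format quoted above and pulls out the symptoms worth checking before touching the config: half-open IKE_SA timeouts per peer, how many times each request was retransmitted without an answer, kernel acquires being ignored, and whether the local side detected NAT. The sample lines are a constructed subset in the same format.

```python
import re
from collections import Counter

# Constructed sample in the format of the charon lines quoted above (not the full log)
SAMPLE_LOG = """\
Sep 18 20:47:05 charon 07[JOB] <4> deleting half open IKE_SA with 86.0.0.1 after timeout
Sep 18 20:47:13 charon 07[IKE] <con3|1> retransmit 5 of request with message ID 1
Sep 18 20:47:13 charon 07[NET] <con3|1> sending packet: from 54.0.0.1[4500] to 86.0.0.1[4500] (320 bytes)
Sep 18 20:47:25 charon 08[CFG] ignoring acquire, connection attempt pending
Sep 18 21:01:05 charon 16[IKE] <6> local host is behind NAT, sending keep alives
Sep 18 21:01:18 charon 16[IKE] <con1|5> retransmit 4 of request with message ID 1
Sep 18 21:01:35 charon 14[JOB] <6> deleting half open IKE_SA with 54.0.0.1 after timeout
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) charon \d+\[(?P<grp>[A-Z]+)\] "
    r"(?:<(?P<sa>[^>]*)> )?(?P<msg>.*)$")

def parse_line(line):
    """Split one charon line into timestamp, subsystem, IKE_SA tag and message."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(text):
    """Count the symptoms that matter for a tunnel stuck in CONNECTING."""
    s = {"timeouts": Counter(), "max_retransmit": Counter(),
         "ignored_acquires": 0, "behind_nat": False}
    for rec in filter(None, map(parse_line, text.splitlines())):
        msg = rec["msg"]
        if m := re.match(r"deleting half open IKE_SA with (\S+) after timeout", msg):
            s["timeouts"][m.group(1)] += 1
        elif m := re.match(r"retransmit (\d+) of request with message ID (\d+)", msg):
            key = (rec["sa"], int(m.group(2)))
            s["max_retransmit"][key] = max(s["max_retransmit"][key], int(m.group(1)))
        elif msg.startswith("ignoring acquire"):  # kernel wants the tunnel, IKE still pending
            s["ignored_acquires"] += 1
        elif msg.startswith("local host is behind NAT"):
            s["behind_nat"] = True
    return s

def findings(s):
    """Turn the counters into the checks a defender would act on."""
    out = [f"{n} half-open IKE_SA timeout(s) with {peer}: IKE_AUTH never completed"
           for peer, n in s["timeouts"].items()]
    out += [f"{sa}: message ID {mid} retransmitted {n}x with no reply (filtered UDP 500/4500 or ID mismatch)"
            for (sa, mid), n in s["max_retransmit"].items() if n >= 3]
    if s["behind_nat"]:
        out.append("local side is behind NAT: check NAT-T and use a non-IP peer identifier")
    return out
```

Run it over the full log from both firewalls (or `tail` of the IPsec log) to get the same summary; the repeated vici client lines are the GUI status page polling and are ignored.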
-
Try IKEv2 and a my/peer identifier other than IP address. I chose a KeyID tag and created names that identified the two sites.