Phase 2 Not starting until remote sends traffic
joshv
I need advice troubleshooting an IPsec problem between our pfSense 2.4.4_1 and a Cisco device. Phase 1 establishes properly, but Phase 2 doesn't appear on my side until they send traffic (ping) to us. Our pings to them aren't causing a Phase 2 to appear and display "Packets_out" like I would expect. After they send us a ping, Phase 2 works as expected, but only for the Phase 2 pairs they have pinged. We have 2 Phase 2 configurations; if they only ping one of them, the other doesn't establish. I don't believe this is a rule issue on either side, as all traffic flows as expected once Phase 2 comes up.
We are Phase 2 NAT'ing the LAN on our side (which is actually a /24) to a single address (/32) toward a /23 LAN on their side. I mention it because I haven't done a lot of IPsec NAT and am wondering if I missed something there. Do I need to set up a VIP so the NAT address exists before they ping it, or something like that?
Also, I can't locate anything in the IPsec logs on pfSense regarding this connection. Can anyone advise which "IPsec Logging Controls" need to be increased to "Diag" or maybe "Highest" to troubleshoot Phase 2?
The current defaults should be good.
The current defaults are IKE SA, IKE CHILD SA, and Configuration Backend to Diag. Everything else Control.