IPSec phase 2 not running initiating behind a NATed router

IPsec
Log in to reply
  • H

    Since our main internet line is broken for a while on one location I try to configure an alternative IPSec tunnel to our other location (latest pfsense on both sides) using a different network we have access to but which is also behind a router (NAT) with dynamic IP and DynDNS. Years ago I got this setup running by adding a phase 2 entry with the NATed network seen by the other side but now I can't find a way to get the phase 2 accepting my request.

    I'm able to connect phase 1 but then I get

    parsed CREATE_CHILD_SA response 37 [ N(TS_UNACCEPT) ]

    on the left side and

    traffic selectors 192.168.11.0/24|/0 === 192.168.22.0/24|/0 inacceptable

    on the right side.

    I already created a phase 2 entry on the right side to also allow the NATed network from the left side 192.168.243.0/24 which was the trick the last time but now I don't get it running.

    Environment
    left:

    • LAN1: 192.168.22.0/24
    • pfsense interface IP on other network in same location: 192.168.243.10
      Public IP for this network is 91.1.2.3
    • ipsec phase 1: IKEv2, mutual RSA, AES (256 bits)/SHA256/14 (2048 bit)
      My identifier and Peer identifier: Distingueshed Name
    • ipsec phase 2:
      • 192.168.22.0/24 - 192.168.11.0/24
    • router in 192.168.243.0 has a port forward configured for Ports 500/4500 to our IP 192.168.243.10

    right:

    • LAN2: 192.168.11.0/24
    • public IP2 5.4.3.2
    • ipsec phase 1:
      • IKEv2, mutual RSA, AES (256 bits)/SHA256/14 (2048 bit)
      • responder
      • My identifier and Peer identifier: Distingueshed Name
    • ipsec phase 2:
      • 192.168.22.0/24 - 192.168.11.0/24
      • 192.168.243.0/24 - 192.168.11.0/24

    log left:

    Mar 19 12:08:18 	charon 		15[ENC] <con2000|1> parsed CREATE_CHILD_SA response 37 [ N(TS_UNACCEPT) ]
Mar 19 12:08:18 	charon 		15[ENC] <con2000|1> generating CREATE_CHILD_SA request 37 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
Mar 19 12:08:18 	charon 		15[IKE] <con2000|1> establishing CHILD_SA con2000{20} reqid 1
Mar 19 12:08:18 	charon 		08[KNL] creating acquire job for policy 192.168.243.10/32|/0 === 5.4.3.2/32|/0 with reqid {1}
Mar 19 12:08:16 	charon 		08[ENC] <con2000|1> parsed INFORMATIONAL response 36 [ ]
Mar 19 12:08:16 	charon 		13[ENC] <con2000|1> generating INFORMATIONAL request 36 [ ]
Mar 19 12:08:06 	charon 		16[ENC] <con2000|1> parsed CREATE_CHILD_SA response 35 [ N(TS_UNACCEPT) ]
Mar 19 12:08:06 	charon 		16[ENC] <con2000|1> generating CREATE_CHILD_SA request 35 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
Mar 19 12:08:06 	charon 		16[IKE] <con2000|1> establishing CHILD_SA con2000{19} reqid 1
Mar 19 12:08:06 	charon 		09[KNL] creating acquire job for policy 192.168.243.10/32|/0 === 5.4.3.2/32|/0 with reqid {1}

    log right:

    Mar 19 12:06:44 	charon 		11[ENC] <bypasslan|1> generating CREATE_CHILD_SA response 21 [ N(TS_UNACCEPT) ]
Mar 19 12:06:44 	charon 		11[NET] <bypasslan|1> sending packet: from 5.4.3.2[4500] to 91.1.2.3[4500] (80 bytes)
Mar 19 12:06:54 	charon 		07[NET] <bypasslan|1> received packet: from 91.1.2.3[4500] to 5.4.3.2[4500] (80 bytes)
Mar 19 12:06:54 	charon 		07[ENC] <bypasslan|1> parsed INFORMATIONAL request 22 [ ]
Mar 19 12:06:54 	charon 		07[ENC] <bypasslan|1> generating INFORMATIONAL response 22 [ ]
Mar 19 12:06:54 	charon 		07[NET] <bypasslan|1> sending packet: from 5.4.3.2[4500] to 91.1.2.3[4500] (80 bytes)
Mar 19 12:06:56 	charon 		07[NET] <bypasslan|1> received packet: from 91.1.2.3[4500] to 5.4.3.2[4500] (208 bytes)
Mar 19 12:06:56 	charon 		07[ENC] <bypasslan|1> parsed CREATE_CHILD_SA request 23 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
Mar 19 12:06:56 	charon 		07[IKE] <bypasslan|1> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Mar 19 12:06:56 	charon 		07[IKE] <bypasslan|1> traffic selectors 192.168.11.0/24|/0 === 192.168.22.0/24|/0 inacceptable
Mar 19 12:06:56 	charon 		07[IKE] <bypasslan|1> failed to establish CHILD_SA, keeping IKE_SA
Mar 19 12:06:56 	charon 		07[ENC] <bypasslan|1> generating CREATE_CHILD_SA response 23 [ N(TS_UNACCEPT) ]
Mar 19 12:06:56 	charon 		07[NET] <bypasslan|1> sending packet: from 5.4.3.2[4500] to 91.1.2.3[4500] (80 bytes)
Mar 19 12:07:06 	charon 		16[NET] <bypasslan|1> received packet: from 91.1.2.3[4500] to 5.4.3.2[4500] (80 bytes)
Mar 19 12:07:06 	charon 		16[ENC] <bypasslan|1> parsed INFORMATIONAL request 24 [ ]
Mar 19 12:07:06 	charon 		16[ENC] <bypasslan|1> generating INFORMATIONAL response 24 [ ]
    0

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy