Netgate Discussion Forum
    IPSec phase 2 not running initiating behind a NATed router

      hi-ko.4711

      Since our main internet line has been broken for a while at one location, I am trying to configure an alternative IPSec tunnel to our other location (latest pfsense on both sides) using a different network we have access to, but which is also behind a router (NAT) with a dynamic IP and DynDNS. Years ago I got this setup running by adding a phase 2 entry with the NATed network as seen by the other side, but now I can't find a way to get phase 2 to accept my request.

      I'm able to connect phase 1 but then I get

      parsed CREATE_CHILD_SA response 37 [ N(TS_UNACCEPT) ]
      

      on the left side and

      traffic selectors 192.168.11.0/24|/0 === 192.168.22.0/24|/0 inacceptable
      

      on the right side.

      I already created a phase 2 entry on the right side to also allow the NATed network from the left side 192.168.243.0/24 which was the trick the last time but now I don't get it running.

      Environment
      left:

      • LAN1: 192.168.22.0/24
      • pfsense interface IP on other network in same location: 192.168.243.10
        Public IP for this network is 91.1.2.3
      • ipsec phase 1: IKEv2, mutual RSA, AES (256 bits)/SHA256/14 (2048 bit)
        My identifier and Peer identifier: Distinguished Name
      • ipsec phase 2:
        • 192.168.22.0/24 - 192.168.11.0/24
      • router in 192.168.243.0 has a port forward configured for Ports 500/4500 to our IP 192.168.243.10

      right:

      • LAN2: 192.168.11.0/24
      • public IP2 5.4.3.2
      • ipsec phase 1:
        • IKEv2, mutual RSA, AES (256 bits)/SHA256/14 (2048 bit)
        • responder
        • My identifier and Peer identifier: Distinguished Name
      • ipsec phase 2:
        • 192.168.22.0/24 - 192.168.11.0/24
        • 192.168.243.0/24 - 192.168.11.0/24

      log left:

      Mar 19 12:08:18 	charon 		15[ENC] <con2000|1> parsed CREATE_CHILD_SA response 37 [ N(TS_UNACCEPT) ]
      Mar 19 12:08:18 	charon 		15[ENC] <con2000|1> generating CREATE_CHILD_SA request 37 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
      Mar 19 12:08:18 	charon 		15[IKE] <con2000|1> establishing CHILD_SA con2000{20} reqid 1
      Mar 19 12:08:18 	charon 		08[KNL] creating acquire job for policy 192.168.243.10/32|/0 === 5.4.3.2/32|/0 with reqid {1}
      Mar 19 12:08:16 	charon 		08[ENC] <con2000|1> parsed INFORMATIONAL response 36 [ ]
      Mar 19 12:08:16 	charon 		13[ENC] <con2000|1> generating INFORMATIONAL request 36 [ ]
      Mar 19 12:08:06 	charon 		16[ENC] <con2000|1> parsed CREATE_CHILD_SA response 35 [ N(TS_UNACCEPT) ]
      Mar 19 12:08:06 	charon 		16[ENC] <con2000|1> generating CREATE_CHILD_SA request 35 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
      Mar 19 12:08:06 	charon 		16[IKE] <con2000|1> establishing CHILD_SA con2000{19} reqid 1
      Mar 19 12:08:06 	charon 		09[KNL] creating acquire job for policy 192.168.243.10/32|/0 === 5.4.3.2/32|/0 with reqid {1}
      

      log right:

      Mar 19 12:06:44 	charon 		11[ENC] <bypasslan|1> generating CREATE_CHILD_SA response 21 [ N(TS_UNACCEPT) ]
      Mar 19 12:06:44 	charon 		11[NET] <bypasslan|1> sending packet: from 5.4.3.2[4500] to 91.1.2.3[4500] (80 bytes)
      Mar 19 12:06:54 	charon 		07[NET] <bypasslan|1> received packet: from 91.1.2.3[4500] to 5.4.3.2[4500] (80 bytes)
      Mar 19 12:06:54 	charon 		07[ENC] <bypasslan|1> parsed INFORMATIONAL request 22 [ ]
      Mar 19 12:06:54 	charon 		07[ENC] <bypasslan|1> generating INFORMATIONAL response 22 [ ]
      Mar 19 12:06:54 	charon 		07[NET] <bypasslan|1> sending packet: from 5.4.3.2[4500] to 91.1.2.3[4500] (80 bytes)
      Mar 19 12:06:56 	charon 		07[NET] <bypasslan|1> received packet: from 91.1.2.3[4500] to 5.4.3.2[4500] (208 bytes)
      Mar 19 12:06:56 	charon 		07[ENC] <bypasslan|1> parsed CREATE_CHILD_SA request 23 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
      Mar 19 12:06:56 	charon 		07[IKE] <bypasslan|1> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
      Mar 19 12:06:56 	charon 		07[IKE] <bypasslan|1> traffic selectors 192.168.11.0/24|/0 === 192.168.22.0/24|/0 inacceptable
      Mar 19 12:06:56 	charon 		07[IKE] <bypasslan|1> failed to establish CHILD_SA, keeping IKE_SA
      Mar 19 12:06:56 	charon 		07[ENC] <bypasslan|1> generating CREATE_CHILD_SA response 23 [ N(TS_UNACCEPT) ]
      Mar 19 12:06:56 	charon 		07[NET] <bypasslan|1> sending packet: from 5.4.3.2[4500] to 91.1.2.3[4500] (80 bytes)
      Mar 19 12:07:06 	charon 		16[NET] <bypasslan|1> received packet: from 91.1.2.3[4500] to 5.4.3.2[4500] (80 bytes)
      Mar 19 12:07:06 	charon 		16[ENC] <bypasslan|1> parsed INFORMATIONAL request 24 [ ]
      Mar 19 12:07:06 	charon 		16[ENC] <bypasslan|1> generating INFORMATIONAL response 24 [ ]
      
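      The responder log above shows the rejection twice over: `traffic selectors 192.168.11.0/24|/0 === 192.168.22.0/24|/0 inacceptable` followed by `N(TS_UNACCEPT)`, both logged under the IKE_SA tagged `<bypasslan|1>`. A quick way to reason about such a failure is to parse those lines and compare the proposed selector pair against the phase 2 entries configured for each connection, reporting whether the connection the IKE_SA is logged under has any matching entry and whether some other connection would. The script below is an added example, not code from the post or from pfSense/strongSwan. It assumes the first selector printed is the responder's local side (192.168.11.0/24 is LAN2 on the right) and the second the peer's side, uses overlap rather than equality because strongSwan may narrow a proposal, names the right side's tunnel connection `con1000` (a hypothetical name; the post does not give one) and treats the `bypasslan` shunt as carrying no tunnel phase 2 entries (also an assumption). The log lines are constructed in the format quoted in the post.

```python
import ipaddress
import re

# Constructed sample: responder-side charon lines in the format quoted in the post
SAMPLE_RIGHT_LOG = """\
Mar 19 12:06:56 \tcharon \t\t07[ENC] <bypasslan|1> parsed CREATE_CHILD_SA request 23 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
Mar 19 12:06:56 \tcharon \t\t07[IKE] <bypasslan|1> traffic selectors 192.168.11.0/24|/0 === 192.168.22.0/24|/0 inacceptable
Mar 19 12:06:56 \tcharon \t\t07[IKE] <bypasslan|1> failed to establish CHILD_SA, keeping IKE_SA
Mar 19 12:06:56 \tcharon \t\t07[ENC] <bypasslan|1> generating CREATE_CHILD_SA response 23 [ N(TS_UNACCEPT) ]
"""

# Phase 2 entries per connection on the responder, as (local, remote) subnets.
# "con1000" is an assumed name for the tunnel connection; the "bypasslan"
# shunt is assumed to carry no tunnel phase 2 entries.
SAMPLE_RIGHT_PHASE2 = {
    "con1000": [
        ("192.168.11.0/24", "192.168.22.0/24"),
        ("192.168.11.0/24", "192.168.243.0/24"),
    ],
    "bypasslan": [],
}

# Matches the rejection line. Assumption: the first selector is the responder's
# local side and the second the peer's side, as received from the initiator.
TS_REJECT_RE = re.compile(
    r"<(?P<conn>[^|>]+)\|\d+> traffic selectors "
    r"(?P<local>[0-9a-fA-F.:/]+)\|/\d+ === (?P<remote>[0-9a-fA-F.:/]+)\|/\d+ "
    r"(?:in|un)acceptable"
)


def _fits(proposed, configured):
    """True if both ends of a proposed selector pair overlap some configured
    pair; overlap rather than equality, since a wider proposal may be narrowed."""
    p_local, p_remote = (ipaddress.ip_network(s, strict=False) for s in proposed)
    for c_local, c_remote in configured:
        c_local_net = ipaddress.ip_network(c_local, strict=False)
        c_remote_net = ipaddress.ip_network(c_remote, strict=False)
        if p_local.overlaps(c_local_net) and p_remote.overlaps(c_remote_net):
            return True
    return False


def diagnose_ts_rejections(log_text, phase2_by_conn):
    """One record per 'traffic selectors ... unacceptable' line: the connection
    the IKE_SA was logged under, the proposed pair, whether that connection's
    own phase 2 entries would accept it, and which other connections would."""
    results = []
    for line in log_text.splitlines():
        m = TS_REJECT_RE.search(line)
        if not m:
            continue
        conn = m.group("conn")
        proposed = (m.group("local"), m.group("remote"))
        accepted_by = [
            name for name, pairs in phase2_by_conn.items() if _fits(proposed, pairs)
        ]
        results.append({
            "conn": conn,
            "proposed": proposed,
            "matched_conn_accepts": conn in accepted_by,
            "other_conns_accepting": [n for n in accepted_by if n != conn],
        })
    return results


if __name__ == "__main__":
    for r in diagnose_ts_rejections(SAMPLE_RIGHT_LOG, SAMPLE_RIGHT_PHASE2):
        print(f"IKE_SA logged under {r['conn']!r}: proposed "
              f"{r['proposed'][0]} === {r['proposed'][1]}")
        if r["matched_conn_accepts"]:
            print("  that connection's phase 2 entries overlap the proposal; look elsewhere")
        elif r["other_conns_accepting"]:
            print(f"  no phase 2 entry under {r['conn']!r}, but "
                  f"{r['other_conns_accepting']} would accept it: check which "
                  "connection the IKE_SA is associated with")
        else:
            print("  no configured phase 2 entry overlaps the proposal on any connection")
```

      Run against the sample, the script reports that the rejection was logged under `bypasslan`, which has no entry covering the proposal, while the assumed `con1000` entries would. Feeding it the real `ipsec.conf` / phase 2 list and the full responder log is the useful check: if the tunnel connection's entries do overlap the proposal, the question is why the IKE_SA is not associated with that connection, which is a phase 1 identity/matching issue rather than a phase 2 one.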