IPSec phase 2 not running when initiating behind a NATed router



    Since our main internet line has been broken for a while at one location, I'm trying to configure an alternative IPSec tunnel to our other location (latest pfsense on both sides) using a different network we have access to, but which is also behind a router (NAT) with a dynamic IP and DynDNS. Years ago I got this setup running by adding a phase 2 entry with the NATed network as seen by the other side, but now I can't find a way to get phase 2 to accept my request.

    I'm able to connect phase 1 but then I get

    parsed CREATE_CHILD_SA response 37 [ N(TS_UNACCEPT) ]
    

    on the left side and

    traffic selectors 192.168.11.0/24|/0 === 192.168.22.0/24|/0 inacceptable
    

    on the right side.

    I already created a phase 2 entry on the right side to also allow the NATed network from the left side, 192.168.243.0/24, which was the trick last time, but now I can't get it running.

    Environment
    left:

    • LAN1: 192.168.22.0/24
    • pfsense interface IP on other network in same location: 192.168.243.10
      Public IP for this network is 91.1.2.3
    • ipsec phase 1: IKEv2, mutual RSA, AES (256 bits)/SHA256/14 (2048 bit)
      My identifier and Peer identifier: Distinguished Name
    • ipsec phase 2:
      • 192.168.22.0/24 - 192.168.11.0/24
    • router in 192.168.243.0 has a port forward configured for Ports 500/4500 to our IP 192.168.243.10

    right:

    • LAN2: 192.168.11.0/24
    • public IP2 5.4.3.2
    • ipsec phase 1:
      • IKEv2, mutual RSA, AES (256 bits)/SHA256/14 (2048 bit)
      • responder
      • My identifier and Peer identifier: Distinguished Name
    • ipsec phase 2:
      • 192.168.22.0/24 - 192.168.11.0/24
      • 192.168.243.0/24 - 192.168.11.0/24

    log left:

    Mar 19 12:08:18 	charon 		15[ENC] <con2000|1> parsed CREATE_CHILD_SA response 37 [ N(TS_UNACCEPT) ]
    Mar 19 12:08:18 	charon 		15[ENC] <con2000|1> generating CREATE_CHILD_SA request 37 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
    Mar 19 12:08:18 	charon 		15[IKE] <con2000|1> establishing CHILD_SA con2000{20} reqid 1
    Mar 19 12:08:18 	charon 		08[KNL] creating acquire job for policy 192.168.243.10/32|/0 === 5.4.3.2/32|/0 with reqid {1}
    Mar 19 12:08:16 	charon 		08[ENC] <con2000|1> parsed INFORMATIONAL response 36 [ ]
    Mar 19 12:08:16 	charon 		13[ENC] <con2000|1> generating INFORMATIONAL request 36 [ ]
    Mar 19 12:08:06 	charon 		16[ENC] <con2000|1> parsed CREATE_CHILD_SA response 35 [ N(TS_UNACCEPT) ]
    Mar 19 12:08:06 	charon 		16[ENC] <con2000|1> generating CREATE_CHILD_SA request 35 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
    Mar 19 12:08:06 	charon 		16[IKE] <con2000|1> establishing CHILD_SA con2000{19} reqid 1
    Mar 19 12:08:06 	charon 		09[KNL] creating acquire job for policy 192.168.243.10/32|/0 === 5.4.3.2/32|/0 with reqid {1}
    

    log right:

    Mar 19 12:06:44 	charon 		11[ENC] <bypasslan|1> generating CREATE_CHILD_SA response 21 [ N(TS_UNACCEPT) ]
    Mar 19 12:06:44 	charon 		11[NET] <bypasslan|1> sending packet: from 5.4.3.2[4500] to 91.1.2.3[4500] (80 bytes)
    Mar 19 12:06:54 	charon 		07[NET] <bypasslan|1> received packet: from 91.1.2.3[4500] to 5.4.3.2[4500] (80 bytes)
    Mar 19 12:06:54 	charon 		07[ENC] <bypasslan|1> parsed INFORMATIONAL request 22 [ ]
    Mar 19 12:06:54 	charon 		07[ENC] <bypasslan|1> generating INFORMATIONAL response 22 [ ]
    Mar 19 12:06:54 	charon 		07[NET] <bypasslan|1> sending packet: from 5.4.3.2[4500] to 91.1.2.3[4500] (80 bytes)
    Mar 19 12:06:56 	charon 		07[NET] <bypasslan|1> received packet: from 91.1.2.3[4500] to 5.4.3.2[4500] (208 bytes)
    Mar 19 12:06:56 	charon 		07[ENC] <bypasslan|1> parsed CREATE_CHILD_SA request 23 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
    Mar 19 12:06:56 	charon 		07[IKE] <bypasslan|1> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
    Mar 19 12:06:56 	charon 		07[IKE] <bypasslan|1> traffic selectors 192.168.11.0/24|/0 === 192.168.22.0/24|/0 inacceptable
    Mar 19 12:06:56 	charon 		07[IKE] <bypasslan|1> failed to establish CHILD_SA, keeping IKE_SA
    Mar 19 12:06:56 	charon 		07[ENC] <bypasslan|1> generating CREATE_CHILD_SA response 23 [ N(TS_UNACCEPT) ]
    Mar 19 12:06:56 	charon 		07[NET] <bypasslan|1> sending packet: from 5.4.3.2[4500] to 91.1.2.3[4500] (80 bytes)
    Mar 19 12:07:06 	charon 		16[NET] <bypasslan|1> received packet: from 91.1.2.3[4500] to 5.4.3.2[4500] (80 bytes)
    Mar 19 12:07:06 	charon 		16[ENC] <bypasslan|1> parsed INFORMATIONAL request 24 [ ]
    Mar 19 12:07:06 	charon 		16[ENC] <bypasslan|1> generating INFORMATIONAL response 24 [ ]
    
