IPSec phase 2 not running initiating behind a NATed router
Since our main internet line has been broken for a while at one location, I am trying to configure an alternative IPSec tunnel to our other location (latest pfsense on both sides) using a different network we have access to, but which is also behind a router (NAT) with a dynamic IP and DynDNS. Years ago I got this setup running by adding a phase 2 entry with the NATed network as seen by the other side, but now I can't find a way to get phase 2 to accept my request.
I'm able to establish phase 1, but then I get
parsed CREATE_CHILD_SA response 37 [ N(TS_UNACCEPT) ]
on the left side and
traffic selectors 192.168.11.0/24|/0 === 192.168.22.0/24|/0 inacceptable
on the right side.
I have already created a phase 2 entry on the right side to also allow the NATed network from the left side (192.168.243.0/24), which was the trick last time, but now I can't get it running.
Environment

left:
- LAN1: 192.168.22.0/24
- pfsense interface IP on other network in same location: 192.168.243.10
- Public IP for this network is 91.1.2.3
- ipsec phase 1: IKEv2, mutual RSA, AES (256 bits)/SHA256/14 (2048 bit)
- My identifier and Peer identifier: Distinguished Name
- ipsec phase 2:
  - 192.168.22.0/24 - 192.168.11.0/24
- router in 192.168.243.0 has a port forward configured for Ports 500/4500 to our IP 192.168.243.10

right:
- LAN2: 192.168.11.0/24
- public IP2 5.4.3.2
- ipsec phase 1:
  - IKEv2, mutual RSA, AES (256 bits)/SHA256/14 (2048 bit)
  - responder
  - My identifier and Peer identifier: Distinguished Name
- ipsec phase 2:
  - 192.168.22.0/24 - 192.168.11.0/24
  - 192.168.243.0/24 - 192.168.11.0/24
log left:
Mar 19 12:08:18 charon 15[ENC] <con2000|1> parsed CREATE_CHILD_SA response 37 [ N(TS_UNACCEPT) ]
Mar 19 12:08:18 charon 15[ENC] <con2000|1> generating CREATE_CHILD_SA request 37 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
Mar 19 12:08:18 charon 15[IKE] <con2000|1> establishing CHILD_SA con2000{20} reqid 1
Mar 19 12:08:18 charon 08[KNL] creating acquire job for policy 192.168.243.10/32|/0 === 5.4.3.2/32|/0 with reqid {1}
Mar 19 12:08:16 charon 08[ENC] <con2000|1> parsed INFORMATIONAL response 36 [ ]
Mar 19 12:08:16 charon 13[ENC] <con2000|1> generating INFORMATIONAL request 36 [ ]
Mar 19 12:08:06 charon 16[ENC] <con2000|1> parsed CREATE_CHILD_SA response 35 [ N(TS_UNACCEPT) ]
Mar 19 12:08:06 charon 16[ENC] <con2000|1> generating CREATE_CHILD_SA request 35 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
Mar 19 12:08:06 charon 16[IKE] <con2000|1> establishing CHILD_SA con2000{19} reqid 1
Mar 19 12:08:06 charon 09[KNL] creating acquire job for policy 192.168.243.10/32|/0 === 5.4.3.2/32|/0 with reqid {1}
log right:
Mar 19 12:06:44 charon 11[ENC] <bypasslan|1> generating CREATE_CHILD_SA response 21 [ N(TS_UNACCEPT) ]
Mar 19 12:06:44 charon 11[NET] <bypasslan|1> sending packet: from 5.4.3.2[4500] to 91.1.2.3[4500] (80 bytes)
Mar 19 12:06:54 charon 07[NET] <bypasslan|1> received packet: from 91.1.2.3[4500] to 5.4.3.2[4500] (80 bytes)
Mar 19 12:06:54 charon 07[ENC] <bypasslan|1> parsed INFORMATIONAL request 22 [ ]
Mar 19 12:06:54 charon 07[ENC] <bypasslan|1> generating INFORMATIONAL response 22 [ ]
Mar 19 12:06:54 charon 07[NET] <bypasslan|1> sending packet: from 5.4.3.2[4500] to 91.1.2.3[4500] (80 bytes)
Mar 19 12:06:56 charon 07[NET] <bypasslan|1> received packet: from 91.1.2.3[4500] to 5.4.3.2[4500] (208 bytes)
Mar 19 12:06:56 charon 07[ENC] <bypasslan|1> parsed CREATE_CHILD_SA request 23 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
Mar 19 12:06:56 charon 07[IKE] <bypasslan|1> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Mar 19 12:06:56 charon 07[IKE] <bypasslan|1> traffic selectors 192.168.11.0/24|/0 === 192.168.22.0/24|/0 inacceptable
Mar 19 12:06:56 charon 07[IKE] <bypasslan|1> failed to establish CHILD_SA, keeping IKE_SA
Mar 19 12:06:56 charon 07[ENC] <bypasslan|1> generating CREATE_CHILD_SA response 23 [ N(TS_UNACCEPT) ]
Mar 19 12:06:56 charon 07[NET] <bypasslan|1> sending packet: from 5.4.3.2[4500] to 91.1.2.3[4500] (80 bytes)
Mar 19 12:07:06 charon 16[NET] <bypasslan|1> received packet: from 91.1.2.3[4500] to 5.4.3.2[4500] (80 bytes)
Mar 19 12:07:06 charon 16[ENC] <bypasslan|1> parsed INFORMATIONAL request 24 [ ]
Mar 19 12:07:06 charon 16[ENC] <bypasslan|1> generating INFORMATIONAL response 24 [ ]
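As an added example (not part of the original post or of pfSense/strongSwan), a small Python checker that pulls the `traffic selectors ... inacceptable` lines out of a charon log and tests whether each rejected pair is covered by the responder's configured phase 2 entries, allowing for IKEv2 narrowing. The sample log line and the phase 2 list are taken from the post above; the `<bypasslan|1>` prefix is the name of the connection charon assigned the IKE_SA to, so the report shows that alongside the selector check.

```python
import ipaddress
import re

# Constructed sample input: the rejection lines from the responder ("right") log in the post.
SAMPLE_LOG = """\
Mar 19 12:06:56 charon 07[IKE] <bypasslan|1> traffic selectors 192.168.11.0/24|/0 === 192.168.22.0/24|/0 inacceptable
Mar 19 12:06:56 charon 07[IKE] <bypasslan|1> failed to establish CHILD_SA, keeping IKE_SA
"""

# Responder ("right") phase 2 entries from the post, as (local network, remote network).
RIGHT_PHASE2 = [("192.168.11.0/24", "192.168.22.0/24"),
                ("192.168.11.0/24", "192.168.243.0/24")]

# charon logs the responder's own side first: "<conn|id> traffic selectors LOCAL === REMOTE inacceptable"
TS_RE = re.compile(r"<(?P<conn>[^|>]+)\|\d+> traffic selectors "
                   r"(?P<local>\S+?)\|/\d+ === (?P<remote>\S+?)\|/\d+ inacceptable")


def parse_rejections(log):
    """Return (connection name, local TS, remote TS) for every TS_UNACCEPT rejection in the log."""
    return [(m["conn"], m["local"], m["remote"])
            for line in log.splitlines() if (m := TS_RE.search(line))]


def covering_entry(local, remote, phase2):
    """Return the configured (local, remote) pair that covers the proposed selectors, or None.

    IKEv2 lets the responder narrow, so a proposed subnet contained in a configured
    one counts as covered (e.g. 192.168.22.0/25 inside 192.168.22.0/24).
    """
    want_l, want_r = ipaddress.ip_network(local), ipaddress.ip_network(remote)
    for cfg_l, cfg_r in phase2:
        if (want_l.subnet_of(ipaddress.ip_network(cfg_l))
                and want_r.subnet_of(ipaddress.ip_network(cfg_r))):
            return (cfg_l, cfg_r)
    return None


def explain(log, phase2):
    """For each rejection, report the matched connection and which phase 2 entry (if any) covers it."""
    return [{"conn": conn, "proposed": (local, remote),
             "covered_by": covering_entry(local, remote, phase2)}
            for conn, local, remote in parse_rejections(log)]


if __name__ == "__main__":
    for r in explain(SAMPLE_LOG, RIGHT_PHASE2):
        where = f"covered by {r['covered_by']}" if r["covered_by"] else "not covered by any entry"
        print(f"IKE_SA on connection '{r['conn']}' proposed {r['proposed']}: {where}")
```

If the rejected pair is covered by an entry but charon still answers TS_UNACCEPT, compare the connection name in the log prefix with the connection the phase 2 entries actually belong to, since only that connection's child entries are consulted.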