IPSEC VPN tunnel between pfSense 2.4.4 and Draytek keeps rebuilding



  • Hi,

    I am having trouble with the IPsec tunnel between my pfSense and my Draytek. The Draytek is set up as a firewall dialing out and the pfSense has been set up not to initiate the connection. However, while waiting for the connection, for some reason the Draytek keeps sending an SA DELETE, so after that the IPsec keeps rebuilding. I have no idea why, and it leaves me clueless. I am attaching my log file here hoping anyone has any idea what the issue might be :( I am also attaching screenshots of the setup from the Draytek and the pfSense.

    Mar 27 07:58:19 charon 08[IKE] <con2000|2287> authentication of 'ImaginaryIP1' (myself) with pre-shared key
    Mar 27 07:58:19 charon 08[IKE] <con2000|2287> authentication of 'CustomerIP' with pre-shared key successful
    Mar 27 07:58:19 charon 08[CFG] <con2000|2287> selected peer config 'con2000'
    Mar 27 07:58:17 charon 08[NET] <con2000|2286> sending packet: from ImaginaryIP1[500] to CustomerIP[500] (76 bytes)
    Mar 27 07:58:17 charon 08[ENC] <con2000|2286> generating INFORMATIONAL response 2 [ D ]
    Mar 27 07:58:17 charon 08[IKE] <con2000|2286> CHILD_SA closed
    Mar 27 07:58:17 charon 08[IKE] <con2000|2286> sending DELETE for ESP CHILD_SA with SPI cc5d620f
    Mar 27 07:58:17 charon 08[IKE] <con2000|2286> closing CHILD_SA con2000{279} with SPIs cc5d620f_i (468 bytes) 9015bb5a_o (152 bytes) and TS 172.16.20.0/24|/0 === 192.168.51.0/24|/0
    Mar 27 07:58:17 charon 08[IKE] <con2000|2286> received DELETE for ESP CHILD_SA with SPI 9015bb5a
    Mar 27 07:58:17 charon 08[ENC] <con2000|2286> parsed INFORMATIONAL request 2 [ D ]
    Mar 27 07:58:17 charon 08[NET] <con2000|2286> received packet: from CustomerIP[500] to ImaginaryIP1[500] (76 bytes)
    Mar 27 07:58:16 charon 12[ENC] <con2000|2286> parsed INFORMATIONAL response 0 [ ]
    Mar 27 07:58:16 charon 12[NET] <con2000|2286> received packet: from CustomerIP[500] to ImaginaryIP1[500] (76 bytes)
    Mar 27 07:58:16 charon 12[NET] <con2000|2286> sending packet: from ImaginaryIP1[500] to CustomerIP[500] (76 bytes)
    Mar 27 07:58:16 charon 12[ENC] <con2000|2286> generating INFORMATIONAL request 0 [ ]
    Mar 27 07:58:16 charon 12[IKE] <con2000|2286> sending DPD request
    Mar 27 07:57:53 charon 06[NET] <con2000|2286> sending packet: from ImaginaryIP1[500] to CustomerIP[500] (204 bytes)
    Mar 27 07:57:53 charon 06[ENC] <con2000|2286> generating IKE_AUTH response 1 [ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr ]
    Mar 27 07:57:53 charon 06[IKE] <con2000|2286> CHILD_SA con2000{279} established with SPIs cc5d620f_i 9015bb5a_o and TS 172.16.20.0/24|/0 === 192.168.51.0/24|/0
    Mar 27 07:57:53 charon 06[CFG] <con2000|2286> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
    Mar 27 07:57:53 charon 06[IKE] <con2000|2286> IKE_SA con2000[2286] established between ImaginaryIP1[ImaginaryIP1]...CustomerIP[CustomerIP]
    Mar 27 07:57:53 charon 06[IKE] <con2000|2286> authentication of 'ImaginaryIP1' (myself) with pre-shared key
    Mar 27 07:57:53 charon 06[IKE] <con2000|2286> authentication of 'CustomerIP' with pre-shared key successful
    Mar 27 07:57:53 charon 06[CFG] <con2000|2286> selected peer config 'con2000'
    Mar 27 07:57:40 charon 12[CFG] added configuration 'con2000'
    Mar 27 07:57:40 charon 12[CFG] received stroke: add connection 'con2000'

    Phase1 screen1.PNG Phase1 screen2.PNG Phase2 screen1.PNG

    The settings within the Draytek:
    draytek_rev001.png draytek_rev002.png Draytek003.png Draytek004.png Draytek005.png



  • @bramqu
    Hey,
    Do you have a Draytek-side event log?
    Because the Draytek sends a message about deleting the CHILD_SA after receiving a DPD request.
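The sequence the reply points at (pfSense sends a DPD request, the Draytek answers it, and one second later the Draytek sends a DELETE for the CHILD_SA) is easy to miss because the pfSense IPsec log page lists the newest lines first. The script below is an added example, not part of this thread and not pfSense or strongSwan code: it parses charon lines in the format quoted in the first post, restores chronological order, and reports, per IKE_SA, each DPD request that is followed within a few seconds by a peer-initiated DELETE, noting whether the DPD was actually answered. The sample input is the thread's own log lines (constructed into a string here, with the thread's placeholder host names), the regex is written only against that line format, and the 5-second window is an arbitrary choice for this example.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample input: charon lines quoted in the first post, kept in the
# newest-first order in which the pfSense IPsec log page shows them.
SAMPLE_LOG = """\
Mar 27 07:58:19 charon 08[CFG] <con2000|2287> selected peer config 'con2000'
Mar 27 07:58:17 charon 08[IKE] <con2000|2286> CHILD_SA closed
Mar 27 07:58:17 charon 08[IKE] <con2000|2286> sending DELETE for ESP CHILD_SA with SPI cc5d620f
Mar 27 07:58:17 charon 08[IKE] <con2000|2286> closing CHILD_SA con2000{279} with SPIs cc5d620f_i (468 bytes) 9015bb5a_o (152 bytes) and TS 172.16.20.0/24|/0 === 192.168.51.0/24|/0
Mar 27 07:58:17 charon 08[IKE] <con2000|2286> received DELETE for ESP CHILD_SA with SPI 9015bb5a
Mar 27 07:58:17 charon 08[ENC] <con2000|2286> parsed INFORMATIONAL request 2 [ D ]
Mar 27 07:58:16 charon 12[ENC] <con2000|2286> parsed INFORMATIONAL response 0 [ ]
Mar 27 07:58:16 charon 12[ENC] <con2000|2286> generating INFORMATIONAL request 0 [ ]
Mar 27 07:58:16 charon 12[IKE] <con2000|2286> sending DPD request
Mar 27 07:57:53 charon 06[IKE] <con2000|2286> CHILD_SA con2000{279} established with SPIs cc5d620f_i 9015bb5a_o and TS 172.16.20.0/24|/0 === 192.168.51.0/24|/0
Mar 27 07:57:53 charon 06[IKE] <con2000|2286> IKE_SA con2000[2286] established between ImaginaryIP1[ImaginaryIP1]...CustomerIP[CustomerIP]
"""

# Line shape as quoted: "<Mon> <day> <HH:MM:SS> charon <thread>[<group>] <conn|sa-id> message".
# The <conn|sa-id> tag is optional: lines not bound to an IKE_SA (e.g. "added configuration")
# do not carry it.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) charon "
    r"(?P<thread>\d+)\[(?P<grp>[A-Z]+)\] "
    r"(?:<(?P<conn>[^|>]+)\|(?P<sa>\d+)> )?(?P<msg>.*)$"
)


@dataclass
class Event:
    ts: datetime       # year-less syslog stamp; only deltas are meaningful
    sa: Optional[int]  # strongSwan IKE_SA unique id, e.g. 2286
    grp: str           # IKE / CFG / ENC / NET ...
    msg: str


@dataclass
class Finding:
    sa: int
    dpd_sent: datetime
    delete_received: datetime
    spi: str                           # SPI named in the peer's DELETE
    dpd_answered: bool                 # peer returned an empty INFORMATIONAL, i.e. it was alive
    child_lifetime_s: Optional[float]  # CHILD_SA established -> peer DELETE


def parse_charon(text: str, newest_first: bool = True) -> List[Event]:
    """Parse charon lines and return them in chronological order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate non-charon lines when fed a mixed system log
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        events.append(Event(ts, int(m["sa"]) if m["sa"] else None, m["grp"], m["msg"]))
    if newest_first:
        events.reverse()  # reversing, not sorting, keeps arrival order within one second
    return events


def find_dpd_triggered_deletes(events: List[Event], window_s: float = 5.0) -> List[Finding]:
    """Per IKE_SA, pair each 'sending DPD request' with a peer DELETE for an ESP CHILD_SA
    that arrives within window_s seconds (window_s is an arbitrary threshold here)."""
    by_sa = {}
    for e in events:
        if e.sa is not None:
            by_sa.setdefault(e.sa, []).append(e)

    findings = []
    for sa, evs in by_sa.items():
        established = next(
            (e.ts for e in evs if e.msg.startswith("CHILD_SA") and " established " in e.msg), None)
        dpd_at, answered = None, False
        for e in evs:
            if e.msg == "sending DPD request":
                dpd_at, answered = e.ts, False
            elif dpd_at is not None and e.msg.startswith("parsed INFORMATIONAL response") \
                    and e.msg.endswith("[ ]"):
                answered = True  # empty INFORMATIONAL reply: the DPD was acknowledged
            elif dpd_at is not None and e.msg.startswith("received DELETE for ESP CHILD_SA"):
                if (e.ts - dpd_at).total_seconds() <= window_s:
                    lifetime = (e.ts - established).total_seconds() if established else None
                    findings.append(Finding(sa, dpd_at, e.ts, e.msg.rsplit("SPI ", 1)[1],
                                            answered, lifetime))
                dpd_at = None
    return findings


if __name__ == "__main__":
    for f in find_dpd_triggered_deletes(parse_charon(SAMPLE_LOG)):
        print(f"IKE_SA {f.sa}: DPD at {f.dpd_sent:%H:%M:%S} answered={f.dpd_answered}; "
              f"peer DELETE of SPI {f.spi} at {f.delete_received:%H:%M:%S}; "
              f"CHILD_SA lived {f.child_lifetime_s}s")
```

The `dpd_answered` field is the part worth checking: an empty INFORMATIONAL response to the DPD means the Draytek was reachable and replied, so the DELETE that follows is a deliberate teardown by the peer, not a liveness timeout on the pfSense side. That is why the reply asks for the Draytek's own event log; nothing in the pfSense log says why the peer chose to delete the SA.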



  • Hi Konstanti,

    Well, probably. I should get the logon info for the Draytek handed over today, which allows me to log in again and check the logs. I will do that and get back to you later today. Good idea, by the way ;)

    Regards,
    Bram



  • Hi Konstanti,

    It was not easy getting access to the log files, so I have changed the IPsec settings to use IKEv1 g14 instead of IKEv2. Now it's running very stable ;)

    Thanks for your help anyway!

    Regards,
    Bram Quispel

