Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    IPSEC VPN tunnel between pfSense 2.4.4 and Draytek keeps rebuilding

    IPsec
    4
    6
    2.8k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • B
      bramqu
      last edited by bramqu

      Hi,

      I am having trouble with the IPSec between my pfSense and my Draytek. The Draytek is setup as a firewall dialing out and the pfsense has been set up not to initiate the connection. Howevery, when waiting for the connection for some reason it seems the draytek keeps sending an SA DELETE so after that the IPSec keeps rebuilding. I have no idea what and it leaves me clueless. I am attaching my logfile here hoping anyone has any idea what the issue might be :( I am also attaching screenshots of the setup from the Draytek and the pfSense

      Mar 27 07:58:19 charon 08[IKE] <con2000|2287> authentication of 'ImaginaryIP1' (myself) with pre-shared key
      Mar 27 07:58:19 charon 08[IKE] <con2000|2287> authentication of 'CustomerIP' with pre-shared key successful
      Mar 27 07:58:19 charon 08[CFG] <con2000|2287> selected peer config 'con2000'
      Mar 27 07:58:17 charon 08[NET] <con2000|2286> sending packet: from ImaginaryIP1[500] to CustomerIP[500] (76 bytes)
      Mar 27 07:58:17 charon 08[ENC] <con2000|2286> generating INFORMATIONAL response 2 [ D ]
      Mar 27 07:58:17 charon 08[IKE] <con2000|2286> CHILD_SA closed
      Mar 27 07:58:17 charon 08[IKE] <con2000|2286> sending DELETE for ESP CHILD_SA with SPI cc5d620f
      Mar 27 07:58:17 charon 08[IKE] <con2000|2286> closing CHILD_SA con2000{279} with SPIs cc5d620f_i (468 bytes) 9015bb5a_o (152 bytes) and TS 172.16.20.0/24|/0 === 192.168.51.0/24|/0
      Mar 27 07:58:17 charon 08[IKE] <con2000|2286> received DELETE for ESP CHILD_SA with SPI 9015bb5a
      Mar 27 07:58:17 charon 08[ENC] <con2000|2286> parsed INFORMATIONAL request 2 [ D ]
      Mar 27 07:58:17 charon 08[NET] <con2000|2286> received packet: from CustomerIP[500] to ImaginaryIP1[500] (76 bytes)
      Mar 27 07:58:16 charon 12[ENC] <con2000|2286> parsed INFORMATIONAL response 0 [ ]
      Mar 27 07:58:16 charon 12[NET] <con2000|2286> received packet: from CustomerIP[500] to ImaginaryIP1[500] (76 bytes)
      Mar 27 07:58:16 charon 12[NET] <con2000|2286> sending packet: from ImaginaryIP1[500] to CustomerIP[500] (76 bytes)
      Mar 27 07:58:16 charon 12[ENC] <con2000|2286> generating INFORMATIONAL request 0 [ ]
      Mar 27 07:58:16 charon 12[IKE] <con2000|2286> sending DPD request
      Mar 27 07:57:53 charon 06[NET] <con2000|2286> sending packet: from ImaginaryIP1[500] to CustomerIP[500] (204 bytes)
      Mar 27 07:57:53 charon 06[ENC] <con2000|2286> generating IKE_AUTH response 1 [ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr ]
      Mar 27 07:57:53 charon 06[IKE] <con2000|2286> CHILD_SA con2000{279} established with SPIs cc5d620f_i 9015bb5a_o and TS 172.16.20.0/24|/0 === 192.168.51.0/24|/0
      Mar 27 07:57:53 charon 06[CFG] <con2000|2286> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
      Mar 27 07:57:53 charon 06[IKE] <con2000|2286> IKE_SA con2000[2286] established between ImaginaryIP1[ImaginaryIP1]...CustomerIP[CustomerIP]
      Mar 27 07:57:53 charon 06[IKE] <con2000|2286> authentication of 'ImaginaryIP1' (myself) with pre-shared key
      Mar 27 07:57:53 charon 06[IKE] <con2000|2286> authentication of 'CustomerIP' with pre-shared key successful
      Mar 27 07:57:53 charon 06[CFG] <con2000|2286> selected peer config 'con2000'
      Mar 27 07:57:40 charon 12[CFG] added configuration 'con2000'
      Mar 27 07:57:40 charon 12[CFG] received stroke: add connection 'con2000'

      Phase1 screen1.PNG Phase1 screen2.PNG Phase2 screen1.PNG

      The settings within the Draytek:
      draytek_rev001.png
      draytek_rev002.png Draytek003.png Draytek004.png
      Draytek005.png

      K 1 Reply Last reply Reply Quote 0
      • K
        Konstanti @bramqu
        last edited by Konstanti

        @bramqu
        Hey
        Have a Draytek side event log ?
        Because Draytek sends a message about deleting CHILD_SA after receiving a DPD request

        1 Reply Last reply Reply Quote 0
        • B
          bramqu
          last edited by

          Hi Konstanti,

          well probably. I should get the logon info to the Draytek handed over today which allows me to login again and check the logs. I will do that and get back to you later today. Good idea by the way ;)

          Regards,
          Bram

          1 Reply Last reply Reply Quote 0
          • B
            bramqu
            last edited by

            Hi Konstanti,

            it was not easy getting access to the log files so I have changed the IPSec settings to change IKEv1 g14 instead of IKEv2. Now it's running very stable ;)

            Thanks for your help anyway!

            Regards,
            Bram Quispel

            M 1 Reply Last reply Reply Quote 0
            • T
              timboau 0
              last edited by

              Hi Bram,

              How is the connection going to the Draytek. I tried v1 and had far more success but it still randomly dropped the connection and doesn't reconnect in a very timely manner. Super frustrating...

              Do you have the config for both sides you ended up on if its been very stable?

              Thanks,

              1 Reply Last reply Reply Quote 0
              • M
                mark0001 @bramqu
                last edited by

                @bramqu

                I have the same setup and can not get it to work van you please sent me the working config as well?

                Kind regard
                Mark

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.