Netgate Discussion Forum

    Avaya VPN to Virtual PFSense using IPSec Mobile

    • A
      Alastair
      last edited by

      I have been trying to set up the connection between an Avaya VPN handset (9641) and my PFSense.

      I can see the connection getting through to the PFSense but the connection does not establish and I cannot see any reason from the logs why it does not work. I do not see any traffic blocked on the Pfsense on the external Firewall.

      The settings between the phone and the PFSense match.

      IP addresses have been changed in the log entries, but this is what I am seeing in the log file:
      Sep 11 08:11:41 pfsense charon: 08[CFG] rereading secrets
      Sep 11 08:11:41 pfsense charon: 08[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
      Sep 11 08:11:41 pfsense charon: 08[CFG] loaded IKE secret for %any
      Sep 11 08:11:41 pfsense charon: 08[CFG] rereading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
      Sep 11 08:11:41 pfsense charon: 08[CFG] rereading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
      Sep 11 08:11:41 pfsense charon: 08[CFG] rereading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
      Sep 11 08:11:41 pfsense charon: 08[CFG] rereading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
      Sep 11 08:11:41 pfsense charon: 08[CFG] rereading crls from '/usr/local/etc/ipsec.d/crls'
      Sep 11 08:11:41 pfsense charon: 08[CFG] received stroke: unroute 'bypasslan'
      Sep 11 08:11:41 pfsense charon: 08[CFG] proposing traffic selectors for us:
      Sep 11 08:11:41 pfsense charon: 08[CFG] 10.10.10.0/24|/0
      Sep 11 08:11:41 pfsense charon: 08[CFG] proposing traffic selectors for other:
      Sep 11 08:11:41 pfsense charon: 08[CFG] 10.10.10.0/24|/0
      Sep 11 08:11:41 pfsense ipsec_starter[54047]: shunt policy 'bypasslan' uninstalled
      Sep 11 08:11:41 pfsense ipsec_starter[54047]:
      Sep 11 08:11:41 pfsense charon: 15[CFG] received stroke: delete connection 'bypasslan'
      Sep 11 08:11:41 pfsense charon: 15[CFG] deleted connection 'bypasslan'
      Sep 11 08:11:41 pfsense charon: 08[CFG] received stroke: delete connection 'con1'
      Sep 11 08:11:41 pfsense charon: 08[CFG] deleted connection 'con1'
      Sep 11 08:11:41 pfsense charon: 15[CFG] received stroke: add connection 'bypasslan'
      Sep 11 08:11:41 pfsense charon: 15[CFG] conn bypasslan
      Sep 11 08:11:41 pfsense charon: 15[CFG] left=%any
      Sep 11 08:11:41 pfsense charon: 15[CFG] leftsubnet=10.10.10.0/24
      Sep 11 08:11:41 pfsense charon: 15[CFG] right=%any
      Sep 11 08:11:41 pfsense charon: 15[CFG] rightsubnet=10.10.10.0/24
      Sep 11 08:11:41 pfsense charon: 15[CFG] dpddelay=30
      Sep 11 08:11:41 pfsense charon: 15[CFG] dpdtimeout=150
      Sep 11 08:11:41 pfsense charon: 15[CFG] sha256_96=no
      Sep 11 08:11:41 pfsense charon: 15[CFG] mediation=no
      Sep 11 08:11:41 pfsense charon: 15[CFG] added configuration 'bypasslan'
      Sep 11 08:11:41 pfsense charon: 16[CFG] received stroke: route 'bypasslan'
      Sep 11 08:11:41 pfsense charon: 16[CFG] proposing traffic selectors for us:
      Sep 11 08:11:41 pfsense charon: 16[CFG] 10.10.10.0/24|/0
      Sep 11 08:11:41 pfsense charon: 16[CFG] proposing traffic selectors for other:
      Sep 11 08:11:41 pfsense charon: 16[CFG] 10.10.10.0/24|/0
      Sep 11 08:11:41 pfsense ipsec_starter[54047]: 'bypasslan' shunt PASS policy installed
      Sep 11 08:11:41 pfsense ipsec_starter[54047]:
      Sep 11 08:11:41 pfsense charon: 08[CFG] received stroke: add connection 'con1'
      Sep 11 08:11:41 pfsense charon: 08[CFG] conn con1
      Sep 11 08:11:41 pfsense charon: 08[CFG] left=50.50.50.50
      Sep 11 08:11:41 pfsense charon: 08[CFG] leftsubnet=0.0.0.0/0
      Sep 11 08:11:41 pfsense charon: 08[CFG] leftauth=psk
      Sep 11 08:11:41 pfsense charon: 08[CFG] leftid=50.50.50.50
      Sep 11 08:11:41 pfsense charon: 08[CFG] right=%any
      Sep 11 08:11:41 pfsense charon: 08[CFG] rightsourceip=192.168.192.0/24
      Sep 11 08:11:41 pfsense charon: 08[CFG] rightauth=psk
      Sep 11 08:11:41 pfsense charon: 08[CFG] rightauth2=xauth-generic
      Sep 11 08:11:41 pfsense charon: 08[CFG] ike=aes256-sha1-modp1024!
      Sep 11 08:11:41 pfsense charon: 08[CFG] esp=aes256-sha1,aes192-sha1,aes128-sha1!
      Sep 11 08:11:41 pfsense charon: 08[CFG] dpddelay=30
      Sep 11 08:11:41 pfsense charon: 08[CFG] dpdtimeout=180
      Sep 11 08:11:41 pfsense charon: 08[CFG] dpdaction=1
      Sep 11 08:11:41 pfsense charon: 08[CFG] sha256_96=no
      Sep 11 08:11:41 pfsense charon: 08[CFG] mediation=no
      Sep 11 08:11:41 pfsense charon: 08[CFG] keyexchange=ikev1
      Sep 11 08:11:41 pfsense charon: 08[CFG] reusing virtual IP address pool 192.168.192.0/24
      Sep 11 08:11:41 pfsense charon: 08[CFG] added configuration 'con1'
      Sep 11 08:12:00 pfsense charon: 08[MGR] checkout IKEv1 SA by message with SPIs de55f916cc41f772_i 0000000000000000_r
      Sep 11 08:12:00 pfsense charon: 08[MGR] created IKE_SA (unnamed)[1197]
      Sep 11 08:12:00 pfsense charon: 08[NET] received packet: from 60.60.60.60[2070] to 50.50.50.50[500] (372 bytes)
      Sep 11 08:12:00 pfsense charon: 08[NET] <1197> received packet: from 60.60.60.60[2070] to 50.50.50.50[500] (372 bytes)
      Sep 11 08:12:00 pfsense charon: 08[ENC] <1197> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
      Sep 11 08:12:00 pfsense charon: 08[CFG] <1197> looking for an ike config for 50.50.50.50...60.60.60.60
      Sep 11 08:12:00 pfsense charon: 08[CFG] <1197> candidate: %any...%any, prio 24
      Sep 11 08:12:00 pfsense charon: 08[CFG] <1197> candidate: 50.50.50.50...%any, prio 1052
      Sep 11 08:12:00 pfsense charon: 08[CFG] <1197> found matching ike config: 50.50.50.50...%any with prio 1052
      Sep 11 08:12:00 pfsense charon: 08[IKE] <1197> received NAT-T (RFC 3947) vendor ID
      Sep 11 08:12:00 pfsense charon: 08[IKE] <1197> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      Sep 11 08:12:00 pfsense charon: 08[IKE] <1197> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
      Sep 11 08:12:00 pfsense charon: 08[ENC] <1197> received unknown vendor ID: 44:85:15:2d:18:b6:bb:cc:0b:e8:a8:46:95:79:dd:cc
      Sep 11 08:12:00 pfsense charon: 08[IKE] <1197> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
      Sep 11 08:12:00 pfsense charon: 08[IKE] <1197> received XAuth vendor ID
      Sep 11 08:12:00 pfsense charon: 08[IKE] <1197> 60.60.60.60 is initiating a Aggressive Mode IKE_SA
      Sep 11 08:12:00 pfsense charon: 08[IKE] <1197> IKE_SA (unnamed)[1197] state change: CREATED => CONNECTING
      Sep 11 08:12:00 pfsense charon: 08[CFG] <1197> selecting proposal:
      Sep 11 08:12:00 pfsense charon: 08[CFG] <1197> proposal matches
      Sep 11 08:12:00 pfsense charon: 08[CFG] <1197> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      Sep 11 08:12:00 pfsense charon: 08[CFG] <1197> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      Sep 11 08:12:00 pfsense charon: 08[CFG] <1197> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      Sep 11 08:12:00 pfsense charon: 08[LIB] size of DH secret exponent: 1023 bits
      Sep 11 08:12:00 pfsense charon: 08[LIB] <1197> size of DH secret exponent: 1023 bits
      Sep 11 08:12:00 pfsense charon: 08[CFG] <1197> looking for XAuthInitPSK peer configs matching 50.50.50.50...60.60.60.60[86.80.78.80]
      Sep 11 08:12:00 pfsense charon: 08[CFG] <1197> candidate "bypasslan", match: 1/1/24 (me/other/ike)
      Sep 11 08:12:00 pfsense charon: 08[CFG] <1197> candidate "con1", match: 1/1/1052 (me/other/ike)
      Sep 11 08:12:00 pfsense charon: 08[CFG] <1197> selected peer config "con1"
      Sep 11 08:12:00 pfsense charon: 08[IKE] <con1|1197> sending XAuth vendor ID
      Sep 11 08:12:00 pfsense charon: 08[IKE] <con1|1197> sending DPD vendor ID
      Sep 11 08:12:00 pfsense charon: 08[IKE] <con1|1197> sending NAT-T (RFC 3947) vendor ID
      Sep 11 08:12:00 pfsense charon: 08[IKE] <con1|1197> shared Diffie Hellman secret => 128 bytes @ 0x80d40f900
      Sep 11 08:12:00 pfsense charon: 08[IKE] <con1|1197> SKEYID => 20 bytes @ 0x80d83ff60
      Sep 11 08:12:00 pfsense charon: 08[IKE] <con1|1197> SKEYID_d => 20 bytes @ 0x80d840000
      Sep 11 08:12:00 pfsense charon: 08[IKE] <con1|1197> SKEYID_a => 20 bytes @ 0x80d83ff00
      Sep 11 08:12:00 pfsense charon: 08[IKE] <con1|1197> SKEYID_e => 20 bytes @ 0x80d83fe20
      Sep 11 08:12:00 pfsense charon: 08[IKE] <con1|1197> encryption key Ka => 32 bytes @ 0x80d83bdb0
      Sep 11 08:12:00 pfsense charon: 08[IKE] <con1|1197> initial IV => 16 bytes @ 0x80d83fe20
      Sep 11 08:12:00 pfsense charon: 08[IKE] <con1|1197> HASH_R data => 336 bytes @ 0x80d0f2c80
      Sep 11 08:12:00 pfsense charon: 08[IKE] <con1|1197> HASH_R => 20 bytes @ 0x80d840040
      Sep 11 08:12:00 pfsense charon: 08[IKE] <con1|1197> natd_chunk => 22 bytes @ 0x7fffdf1f6c90
      Sep 11 08:12:00 pfsense charon: 08[IKE] <con1|1197> natd_hash => 20 bytes @ 0x80d840040
      Sep 11 08:12:00 pfsense charon: 08[ENC] <con1|1197> generating AGGRESSIVE response 0 [ SA KE No ID V V V NAT-D NAT-D HASH ]
      Sep 11 08:12:00 pfsense charon: 08[NET] sending packet: from 50.50.50.50[500] to 60.60.60.60[2070] (392 bytes)
      Sep 11 08:12:00 pfsense charon: 08[NET] <con1|1197> sending packet: from 50.50.50.50[500] to 60.60.60.60[2070] (392 bytes)
      Sep 11 08:12:00 pfsense charon: 08[MGR] <con1|1197> checkin IKE_SA con1[1197]
      Sep 11 08:12:00 pfsense charon: 08[MGR] <con1|1197> checkin of IKE_SA successful
      Sep 11 08:12:01 pfsense charon: 08[MGR] checkout IKEv1 SA by message with SPIs de55f916cc41f772_i 0000000000000000_r
      Sep 11 08:12:01 pfsense charon: 08[MGR] IKE_SA con1[1197] successfully checked out
      Sep 11 08:12:01 pfsense charon: 08[NET] received packet: from 60.60.60.60[2070] to 50.50.50.50[500] (372 bytes)
      Sep 11 08:12:01 pfsense charon: 08[NET] <con1|1197> received packet: from 60.60.60.60[2070] to 50.50.50.50[500] (372 bytes)
      Sep 11 08:12:01 pfsense charon: 08[IKE] <con1|1197> received retransmit of request with ID 0, retransmitting response
      Sep 11 08:12:01 pfsense charon: 08[NET] sending packet: from 50.50.50.50[500] to 60.60.60.60[2070] (392 bytes)
      Sep 11 08:12:01 pfsense charon: 08[NET] <con1|1197> sending packet: from 50.50.50.50[500] to 60.60.60.60[2070] (392 bytes)
      Sep 11 08:12:01 pfsense charon: 08[MGR] <con1|1197> checkin IKE_SA con1[1197]
      Sep 11 08:12:01 pfsense charon: 08[MGR] <con1|1197> checkin of IKE_SA successful
      Sep 11 08:12:03 pfsense charon: 08[MGR] checkout IKEv1 SA by message with SPIs de55f916cc41f772_i 0000000000000000_r
      Sep 11 08:12:03 pfsense charon: 08[MGR] IKE_SA con1[1197] successfully checked out
      Sep 11 08:12:03 pfsense charon: 08[NET] received packet: from 60.60.60.60[2070] to 50.50.50.50[500] (372 bytes)
      Sep 11 08:12:03 pfsense charon: 08[NET] <con1|1197> received packet: from 60.60.60.60[2070] to 50.50.50.50[500] (372 bytes)
      Sep 11 08:12:03 pfsense charon: 08[IKE] <con1|1197> received retransmit of request with ID 0, retransmitting response
      Sep 11 08:12:03 pfsense charon: 08[NET] sending packet: from 50.50.50.50[500] to 60.60.60.60[2070] (392 bytes)
      Sep 11 08:12:03 pfsense charon: 08[NET] <con1|1197> sending packet: from 50.50.50.50[500] to 60.60.60.60[2070] (392 bytes)
      Sep 11 08:12:03 pfsense charon: 08[MGR] <con1|1197> checkin IKE_SA con1[1197]
      Sep 11 08:12:03 pfsense charon: 08[MGR] <con1|1197> checkin of IKE_SA successful
      Sep 11 08:12:04 pfsense charon: 08[MGR] checkout IKEv1 SA with SPIs de55f916cc41f772_i f155b80eed45cf6c_r
      Sep 11 08:12:04 pfsense charon: 08[MGR] IKE_SA con1[1197] successfully checked out
      Sep 11 08:12:04 pfsense charon: 08[IKE] <con1|1197> sending retransmit 1 of response message ID 0, seq 1
      Sep 11 08:12:04 pfsense charon: 08[NET] sending packet: from 50.50.50.50[500] to 60.60.60.60[2070] (392 bytes)
      Sep 11 08:12:04 pfsense charon: 08[NET] <con1|1197> sending packet: from 50.50.50.50[500] to 60.60.60.60[2070] (392 bytes)
      Sep 11 08:12:04 pfsense charon: 08[MGR] <con1|1197> checkin IKE_SA con1[1197]
      Sep 11 08:12:04 pfsense charon: 08[MGR] <con1|1197> checkin of IKE_SA successful
      Sep 11 08:12:05 pfsense charon: 08[MGR] checkout IKEv1 SA by message with SPIs de55f916cc41f772_i 0000000000000000_r
      Sep 11 08:12:05 pfsense charon: 08[MGR] IKE_SA con1[1197] successfully checked out
      Sep 11 08:12:05 pfsense charon: 08[NET] received packet: from 60.60.60.60[2070] to 50.50.50.50[500] (372 bytes)
      Sep 11 08:12:05 pfsense charon: 08[NET] <con1|1197> received packet: from 60.60.60.60[2070] to 50.50.50.50[500] (372 bytes)
      Sep 11 08:12:05 pfsense charon: 08[IKE] <con1|1197> received retransmit of request with ID 0, retransmitting response
      Sep 11 08:12:05 pfsense charon: 08[NET] sending packet: from 50.50.50.50[500] to 60.60.60.60[2070] (392 bytes)
      Sep 11 08:12:05 pfsense charon: 08[NET] <con1|1197> sending packet: from 50.50.50.50[500] to 60.60.60.60[2070] (392 bytes)
      Sep 11 08:12:05 pfsense charon: 08[MGR] <con1|1197> checkin IKE_SA con1[1197]
      Sep 11 08:12:05 pfsense charon: 08[MGR] <con1|1197> checkin of IKE_SA successful
      Sep 11 08:12:07 pfsense charon: 08[MGR] checkout IKEv1 SA by message with SPIs de55f916cc41f772_i 0000000000000000_r
      Sep 11 08:12:07 pfsense charon: 08[MGR] IKE_SA con1[1197] successfully checked out
      Sep 11 08:12:07 pfsense charon: 08[NET] received packet: from 60.60.60.60[2070] to 50.50.50.50[500] (372 bytes)
      Sep 11 08:12:07 pfsense charon: 08[NET] <con1|1197> received packet: from 60.60.60.60[2070] to 50.50.50.50[500] (372 bytes)
      Sep 11 08:12:07 pfsense charon: 08[IKE] <con1|1197> received retransmit of request with ID 0, retransmitting response
      Sep 11 08:12:07 pfsense charon: 08[NET] sending packet: from 50.50.50.50[500] to 60.60.60.60[2070] (392 bytes)
      Sep 11 08:12:07 pfsense charon: 08[NET] <con1|1197> sending packet: from 50.50.50.50[500] to 60.60.60.60[2070] (392 bytes)
      Sep 11 08:12:07 pfsense charon: 08[MGR] <con1|1197> checkin IKE_SA con1[1197]
      Sep 11 08:12:07 pfsense charon: 08[MGR] <con1|1197> checkin of IKE_SA successful
      Sep 11 08:12:11 pfsense charon: 08[MGR] checkout IKEv1 SA with SPIs de55f916cc41f772_i f155b80eed45cf6c_r
      Sep 11 08:12:11 pfsense charon: 08[MGR] IKE_SA con1[1197] successfully checked out
      Sep 11 08:12:11 pfsense charon: 08[IKE] <con1|1197> sending retransmit 2 of response message ID 0, seq 1
      Sep 11 08:12:11 pfsense charon: 08[NET] sending packet: from 50.50.50.50[500] to 60.60.60.60[2070] (392 bytes)
      Sep 11 08:12:11 pfsense charon: 08[NET] <con1|1197> sending packet: from 50.50.50.50[500] to 60.60.60.60[2070] (392 bytes)
      Sep 11 08:12:11 pfsense charon: 08[MGR] <con1|1197> checkin IKE_SA con1[1197]
      Sep 11 08:12:11 pfsense charon: 08[MGR] <con1|1197> checkin of IKE_SA successful
      Sep 11 08:12:24 pfsense charon: 08[MGR] checkout IKEv1 SA with SPIs de55f916cc41f772_i f155b80eed45cf6c_r
      Sep 11 08:12:24 pfsense charon: 08[MGR] IKE_SA con1[1197] successfully checked out
      Sep 11 08:12:24 pfsense charon: 08[IKE] <con1|1197> sending retransmit 3 of response message ID 0, seq 1
      Sep 11 08:12:24 pfsense charon: 08[NET] sending packet: from 50.50.50.50[500] to 60.60.60.60[2070] (392 bytes)
      Sep 11 08:12:24 pfsense charon: 08[NET] <con1|1197> sending packet: from 50.50.50.50[500] to 60.60.60.60[2070] (392 bytes)
      Sep 11 08:12:24 pfsense charon: 08[MGR] <con1|1197> checkin IKE_SA con1[1197]
      Sep 11 08:12:24 pfsense charon: 08[MGR] <con1|1197> checkin of IKE_SA successful
      Sep 11 08:12:30 pfsense charon: 08[MGR] checkout IKEv1 SA with SPIs de55f916cc41f772_i f155b80eed45cf6c_r
      Sep 11 08:12:30 pfsense charon: 08[MGR] IKE_SA con1[1197] successfully checked out
      Sep 11 08:12:30 pfsense charon: 08[JOB] <con1|1197> deleting half open IKE_SA with 60.60.60.60 after timeout
      Sep 11 08:12:30 pfsense charon: 08[MGR] <con1|1197> checkin and destroy IKE_SA con1[1197]
      Sep 11 08:12:30 pfsense charon: 08[IKE] <con1|1197> IKE_SA con1[1197] state change: CONNECTING => DESTROYING
      Sep 11 08:12:30 pfsense charon: 08[MGR] checkin and destroy of IKE_SA successful

      • viktor_gV
        viktor_g Netgate
        last edited by

        Have you tried it in Main mode, not in Aggressive?
        What is the pfSense version?

        Please show the Avaya VPN config and log.
        And pfSense's /usr/local/etc/ipsec.conf

        • A
          Alastair @viktor_g
          last edited by

          @viktor_g thank you
          Main mode is not an option on the Avaya VPN handset.

          pfSense version: 2.4.3-RELEASE (amd64)

          Avaya 9640 does not have any logs to show
          Its config is :

          VPN Phone Settings

          VPN VENDOR - OTHER
          Gateway address - 0.0.0.0 (set by DHCP)
          External Phone IP Address 0.0.0.0 (set by DHCP)
          External Subnet - 0.0.0.0 (set by DHCP)
          External DNS - 0.0.0.0 (set by DHCP)
          Encapsulation - 4500-4500 (default, unchanged)
          Copy TOS - No (unchanged)

          Auth Type - PSK with XAUTH

          VPN User TYPE - any
          VPN User -testuser (test user set-up)
          VPN PW - *

          IKE ID (Group Name) - none
          Pre-Shared Key (PSK) - *

          IKE Phase 1

          IKE ID Type - IPV4 ADDRESS
          IKE Xchg Mode - Aggressive
          IKE DH GROUP - 2
          IKE Encryption Alg - AES-256
          IKE Auth Alg - SHA-1
          IKE Config Mode - Enabled.

          IKE Phase 2

          IPSEC PFS DH Group - No PFS
          IPSEC Encryption Alg - AES-256
          IPSec Auth Alg - SHA-1
          Protected Network - 0.0.0.0/0

          /usr/local/etc/ipsec.conf

          # This file is automatically generated. Do not edit

          config setup
              uniqueids = yes

          conn bypasslan
              leftsubnet = 10.10.10.0/24
              rightsubnet = 10.10.10.0/24
              authby = never
              type = passthrough
              auto = route

          conn con1
              fragmentation = yes
              keyexchange = ikev1
              reauth = yes
              forceencaps = yes
              mobike = no

              rekey = no
              installpolicy = yes
              type = tunnel
              dpdaction = clear
              dpddelay = 30s
              dpdtimeout = 180s
              auto = add
              left = 50.50.50.50
              right = %any
              leftid = 50.50.50.50
              ikelifetime = 28800s
              lifetime = 28800s
              rightsourceip = 192.168.192.0/24
              ike = aes256-sha1-modp1024!
              esp = aes256-sha1,aes192-sha1,aes128-sha1!
              leftauth = psk
              rightauth = psk
              rightauth2 = xauth-generic
              aggressive = yes
              leftsubnet = 0.0.0.0/0
          
          • A
            Alastair
            last edited by

            Update

            After doing some Wireshark traces I concluded the traffic was not getting back to the phone. I was able to identify a routing issue that was causing the problem and resolve it.
            I have now been able to connect the Avaya VPN handset through the IPSec tunnel to my phone system.

            So just in case anyone else tries to set this up, the following settings in the Avaya handset work:

            VPN VENDOR - OTHER
            Gateway address - 0.0.0.0 (set by DHCP)
            External Phone IP Address 0.0.0.0 (set by DHCP)
            External Subnet - 0.0.0.0 (set by DHCP)
            External DNS - 0.0.0.0 (set by DHCP)
            Encapsulation - 4500-4500
            Copy TOS - No

            Auth Type - PSK with XAUTH

            VPN User TYPE - any
            VPN User -vpnuser
            VPN PW - *

            IKE ID (Group Name) - none
            Pre-Shared Key (PSK) - *

            IKE Phase 1

            IKE ID Type - IPV4 ADDRESS
            IKE Xchg Mode - Aggressive
            IKE DH GROUP - 2
            IKE Encryption Alg - AES-256
            IKE Auth Alg - SHA-1
            IKE Config Mode - Enabled.

            IKE Phase 2

            IPSEC PFS DH Group - No PFS
            IPSEC Encryption Alg - AES-256
            IPSec Auth Alg - SHA-1
            Protected Network - 0.0.0.0/0

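Added example, not part of the original thread and not pfSense or strongSwan code: a small Python triage script for the pattern in the log above, where the responder answers the Aggressive Mode request but the peer keeps retransmitting it until the half-open IKE_SA times out, which is how the return-path routing problem from the last post looks from the responder's side. The function names and verdict labels are assumptions of this example; the SA 1197 sample lines are taken from the first post, and SA 1198 is constructed for contrast.

```python
import re

# Sample input: the SA 1197 lines come from the log in the first post;
# the SA 1198 lines are constructed for contrast and are not from the thread.
SAMPLE_LOG = """\
Sep 11 08:12:00 pfsense charon: 08[NET] <1197> received packet: from 60.60.60.60[2070] to 50.50.50.50[500] (372 bytes)
Sep 11 08:12:00 pfsense charon: 08[ENC] <1197> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
Sep 11 08:12:00 pfsense charon: 08[CFG] <1197> selected peer config "con1"
Sep 11 08:12:00 pfsense charon: 08[ENC] <con1|1197> generating AGGRESSIVE response 0 [ SA KE No ID V V V NAT-D NAT-D HASH ]
Sep 11 08:12:00 pfsense charon: 08[NET] <con1|1197> sending packet: from 50.50.50.50[500] to 60.60.60.60[2070] (392 bytes)
Sep 11 08:12:01 pfsense charon: 08[IKE] <con1|1197> received retransmit of request with ID 0, retransmitting response
Sep 11 08:12:04 pfsense charon: 08[IKE] <con1|1197> sending retransmit 1 of response message ID 0, seq 1
Sep 11 08:12:05 pfsense charon: 08[IKE] <con1|1197> received retransmit of request with ID 0, retransmitting response
Sep 11 08:12:11 pfsense charon: 08[IKE] <con1|1197> sending retransmit 2 of response message ID 0, seq 1
Sep 11 08:12:30 pfsense charon: 08[JOB] <con1|1197> deleting half open IKE_SA with 60.60.60.60 after timeout
Sep 11 08:13:00 pfsense charon: 09[NET] <1198> received packet: from 60.60.60.61[500] to 50.50.50.50[500] (372 bytes)
Sep 11 08:13:00 pfsense charon: 09[ENC] <con1|1198> generating AGGRESSIVE response 0 [ SA KE No ID V V V NAT-D NAT-D HASH ]
Sep 11 08:13:00 pfsense charon: 09[IKE] <con1|1198> IKE_SA con1[1198] state change: CONNECTING => ESTABLISHED
"""

# charon tags each line with <id> or <conn|id>; the number identifies the IKE_SA.
LINE = re.compile(r"charon: \d+\[[A-Z]+\] <(?:[^|>]+\|)?(?P<sa>\d+)> (?P<msg>.*)$")
RECV = re.compile(r"received packet: from (?P<ip>[\d.]+)\[(?P<port>\d+)\]")


def summarize(log_text):
    """Return {sa_id: counters} for every IKE_SA seen in charon log text."""
    sas = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        s = sas.setdefault(m["sa"], {
            "peer": None, "peer_port": None, "responded": False,
            "req_retransmits": 0, "resp_retransmits": 0,
            "timed_out": False, "established": False,
        })
        msg = m["msg"]
        r = RECV.match(msg)
        if r and s["peer"] is None:
            s["peer"], s["peer_port"] = r["ip"], int(r["port"])
        elif msg.startswith("generating ") and " response " in msg:
            s["responded"] = True
        elif msg.startswith("received retransmit of request"):
            s["req_retransmits"] += 1
        elif msg.startswith("sending retransmit"):
            s["resp_retransmits"] += 1
        elif "deleting half open IKE_SA" in msg:
            s["timed_out"] = True
        elif msg.endswith("=> ESTABLISHED"):
            s["established"] = True
    return sas


def diagnose(s):
    """Map one SA's counters to a verdict label (labels are this example's own)."""
    if s["established"]:
        return "established"
    if s["timed_out"] and s["responded"] and s["req_retransmits"] > 0:
        # We answered, yet the peer kept resending its first message: it never
        # received the reply or silently discarded it. Check the return path
        # (routing, NAT, upstream filtering) before touching the proposals.
        return "reply-not-accepted-by-peer"
    if s["timed_out"] and not s["responded"]:
        return "no-response-generated"
    return "incomplete"


def report(log_text):
    """Return {sa_id: summary with verdict and a NAT hint} for the whole log."""
    out = {}
    for sa, s in summarize(log_text).items():
        out[sa] = dict(s, verdict=diagnose(s),
                       # An IKE source port other than 500 suggests port translation.
                       nat_hint=s["peer_port"] not in (None, 500))
    return out


if __name__ == "__main__":
    for sa, r in report(SAMPLE_LOG).items():
        print(sa, r["peer"], r["verdict"], "nat_hint=%s" % r["nat_hint"])
```
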