Avaya VPN to Virtual PFSense using IPSec Mobile



  • I have been trying to set up the connection between an Avaya VPN handset (9641) and my PFSense.

    I can see the connection getting through to the PFSense but the connection does not establish and I cannot see any reason from the logs why it does not work. I do not see any traffic blocked on the PFSense on the external Firewall.

    The settings between the phone and the PFSense match.

    IP addresses have been changed in the log entries but this is what I am seeing in the log file:
    Sep 11 08:11:41 pfsense charon: 08[CFG] rereading secrets
    Sep 11 08:11:41 pfsense charon: 08[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
    Sep 11 08:11:41 pfsense charon: 08[CFG] loaded IKE secret for %any
    Sep 11 08:11:41 pfsense charon: 08[CFG] rereading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
    Sep 11 08:11:41 pfsense charon: 08[CFG] rereading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
    Sep 11 08:11:41 pfsense charon: 08[CFG] rereading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
    Sep 11 08:11:41 pfsense charon: 08[CFG] rereading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
    Sep 11 08:11:41 pfsense charon: 08[CFG] rereading crls from '/usr/local/etc/ipsec.d/crls'
    Sep 11 08:11:41 pfsense charon: 08[CFG] received stroke: unroute 'bypasslan'
    Sep 11 08:11:41 pfsense charon: 08[CFG] proposing traffic selectors for us:
    Sep 11 08:11:41 pfsense charon: 08[CFG] 10.10.10.0/24|/0
    Sep 11 08:11:41 pfsense charon: 08[CFG] proposing traffic selectors for other:
    Sep 11 08:11:41 pfsense charon: 08[CFG] 10.10.10.0/24|/0
    Sep 11 08:11:41 pfsense ipsec_starter[54047]: shunt policy 'bypasslan' uninstalled
    Sep 11 08:11:41 pfsense ipsec_starter[54047]:
    Sep 11 08:11:41 pfsense charon: 15[CFG] received stroke: delete connection 'bypasslan'
    Sep 11 08:11:41 pfsense charon: 15[CFG] deleted connection 'bypasslan'
    Sep 11 08:11:41 pfsense charon: 08[CFG] received stroke: delete connection 'con1'
    Sep 11 08:11:41 pfsense charon: 08[CFG] deleted connection 'con1'
    Sep 11 08:11:41 pfsense charon: 15[CFG] received stroke: add connection 'bypasslan'
    Sep 11 08:11:41 pfsense charon: 15[CFG] conn bypasslan
    Sep 11 08:11:41 pfsense charon: 15[CFG] left=%any
    Sep 11 08:11:41 pfsense charon: 15[CFG] leftsubnet=10.10.10.0/24
    Sep 11 08:11:41 pfsense charon: 15[CFG] right=%any
    Sep 11 08:11:41 pfsense charon: 15[CFG] rightsubnet=10.10.10.0/24
    Sep 11 08:11:41 pfsense charon: 15[CFG] dpddelay=30
    Sep 11 08:11:41 pfsense charon: 15[CFG] dpdtimeout=150
    Sep 11 08:11:41 pfsense charon: 15[CFG] sha256_96=no
    Sep 11 08:11:41 pfsense charon: 15[CFG] mediation=no
    Sep 11 08:11:41 pfsense charon: 15[CFG] added configuration 'bypasslan'
    Sep 11 08:11:41 pfsense charon: 16[CFG] received stroke: route 'bypasslan'
    Sep 11 08:11:41 pfsense charon: 16[CFG] proposing traffic selectors for us:
    Sep 11 08:11:41 pfsense charon: 16[CFG] 10.10.10.0/24|/0
    Sep 11 08:11:41 pfsense charon: 16[CFG] proposing traffic selectors for other:
    Sep 11 08:11:41 pfsense charon: 16[CFG] 10.10.10.0/24|/0
    Sep 11 08:11:41 pfsense ipsec_starter[54047]: 'bypasslan' shunt PASS policy installed
    Sep 11 08:11:41 pfsense ipsec_starter[54047]:
    Sep 11 08:11:41 pfsense charon: 08[CFG] received stroke: add connection 'con1'
    Sep 11 08:11:41 pfsense charon: 08[CFG] conn con1
    Sep 11 08:11:41 pfsense charon: 08[CFG] left=50.50.50.50
    Sep 11 08:11:41 pfsense charon: 08[CFG] leftsubnet=0.0.0.0/0
    Sep 11 08:11:41 pfsense charon: 08[CFG] leftauth=psk
    Sep 11 08:11:41 pfsense charon: 08[CFG] leftid=50.50.50.50
    Sep 11 08:11:41 pfsense charon: 08[CFG] right=%any
    Sep 11 08:11:41 pfsense charon: 08[CFG] rightsourceip=192.168.192.0/24
    Sep 11 08:11:41 pfsense charon: 08[CFG] rightauth=psk
    Sep 11 08:11:41 pfsense charon: 08[CFG] rightauth2=xauth-generic
    Sep 11 08:11:41 pfsense charon: 08[CFG] ike=aes256-sha1-modp1024!
    Sep 11 08:11:41 pfsense charon: 08[CFG] esp=aes256-sha1,aes192-sha1,aes128-sha1!
    Sep 11 08:11:41 pfsense charon: 08[CFG] dpddelay=30
    Sep 11 08:11:41 pfsense charon: 08[CFG] dpdtimeout=180
    Sep 11 08:11:41 pfsense charon: 08[CFG] dpdaction=1
    Sep 11 08:11:41 pfsense charon: 08[CFG] sha256_96=no
    Sep 11 08:11:41 pfsense charon: 08[CFG] mediation=no
    Sep 11 08:11:41 pfsense charon: 08[CFG] keyexchange=ikev1
    Sep 11 08:11:41 pfsense charon: 08[CFG] reusing virtual IP address pool 192.168.192.0/24
    Sep 11 08:11:41 pfsense charon: 08[CFG] added configuration 'con1'
    Sep 11 08:12:00 pfsense charon: 08[MGR] checkout IKEv1 SA by message with SPIs de55f916cc41f772_i 0000000000000000_r
    Sep 11 08:12:00 pfsense charon: 08[MGR] created IKE_SA (unnamed)[1197]
    Sep 11 08:12:00 pfsense charon: 08[NET] received packet: from 60.60.60.60[2070] to 50.50.50.50[500] (372 bytes)
    Sep 11 08:12:00 pfsense charon: 08[NET] <1197> received packet: from 60.60.60.60[2070] to 50.50.50.50[500] (372 bytes)
    Sep 11 08:12:00 pfsense charon: 08[ENC] <1197> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
    Sep 11 08:12:00 pfsense charon: 08[CFG] <1197> looking for an ike config for 50.50.50.50...60.60.60.60
    Sep 11 08:12:00 pfsense charon: 08[CFG] <1197> candidate: %any...%any, prio 24
    Sep 11 08:12:00 pfsense charon: 08[CFG] <1197> candidate: 50.50.50.50...%any, prio 1052
    Sep 11 08:12:00 pfsense charon: 08[CFG] <1197> found matching ike config: 50.50.50.50...%any with prio 1052
    Sep 11 08:12:00 pfsense charon: 08[IKE] <1197> received NAT-T (RFC 3947) vendor ID
    Sep 11 08:12:00 pfsense charon: 08[IKE] <1197> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Sep 11 08:12:00 pfsense charon: 08[IKE] <1197> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Sep 11 08:12:00 pfsense charon: 08[ENC] <1197> received unknown vendor ID: 44:85:15:2d:18:b6:bb:cc:0b:e8:a8:46:95:79:dd:cc
    Sep 11 08:12:00 pfsense charon: 08[IKE] <1197> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
    Sep 11 08:12:00 pfsense charon: 08[IKE] <1197> received XAuth vendor ID
    Sep 11 08:12:00 pfsense charon: 08[IKE] <1197> 60.60.60.60 is initiating a Aggressive Mode IKE_SA
    Sep 11 08:12:00 pfsense charon: 08[IKE] <1197> IKE_SA (unnamed)[1197] state change: CREATED => CONNECTING
    Sep 11 08:12:00 pfsense charon: 08[CFG] <1197> selecting proposal:
    Sep 11 08:12:00 pfsense charon: 08[CFG] <1197> proposal matches
    Sep 11 08:12:00 pfsense charon: 08[CFG] <1197> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Sep 11 08:12:00 pfsense charon: 08[CFG] <1197> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Sep 11 08:12:00 pfsense charon: 08[CFG] <1197> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Sep 11 08:12:00 pfsense charon: 08[LIB] size of DH secret exponent: 1023 bits
    Sep 11 08:12:00 pfsense charon: 08[LIB] <1197> size of DH secret exponent: 1023 bits
    Sep 11 08:12:00 pfsense charon: 08[CFG] <1197> looking for XAuthInitPSK peer configs matching 50.50.50.50...60.60.60.60[86.80.78.80]
    Sep 11 08:12:00 pfsense charon: 08[CFG] <1197> candidate "bypasslan", match: 1/1/24 (me/other/ike)
    Sep 11 08:12:00 pfsense charon: 08[CFG] <1197> candidate "con1", match: 1/1/1052 (me/other/ike)
    Sep 11 08:12:00 pfsense charon: 08[CFG] <1197> selected peer config "con1"
    Sep 11 08:12:00 pfsense charon: 08[IKE] <con1|1197> sending XAuth vendor ID
    Sep 11 08:12:00 pfsense charon: 08[IKE] <con1|1197> sending DPD vendor ID
    Sep 11 08:12:00 pfsense charon: 08[IKE] <con1|1197> sending NAT-T (RFC 3947) vendor ID
    Sep 11 08:12:00 pfsense charon: 08[IKE] <con1|1197> shared Diffie Hellman secret => 128 bytes @ 0x80d40f900
    Sep 11 08:12:00 pfsense charon: 08[IKE] <con1|1197> SKEYID => 20 bytes @ 0x80d83ff60
    Sep 11 08:12:00 pfsense charon: 08[IKE] <con1|1197> SKEYID_d => 20 bytes @ 0x80d840000
    Sep 11 08:12:00 pfsense charon: 08[IKE] <con1|1197> SKEYID_a => 20 bytes @ 0x80d83ff00
    Sep 11 08:12:00 pfsense charon: 08[IKE] <con1|1197> SKEYID_e => 20 bytes @ 0x80d83fe20
    Sep 11 08:12:00 pfsense charon: 08[IKE] <con1|1197> encryption key Ka => 32 bytes @ 0x80d83bdb0
    Sep 11 08:12:00 pfsense charon: 08[IKE] <con1|1197> initial IV => 16 bytes @ 0x80d83fe20
    Sep 11 08:12:00 pfsense charon: 08[IKE] <con1|1197> HASH_R data => 336 bytes @ 0x80d0f2c80
    Sep 11 08:12:00 pfsense charon: 08[IKE] <con1|1197> HASH_R => 20 bytes @ 0x80d840040
    Sep 11 08:12:00 pfsense charon: 08[IKE] <con1|1197> natd_chunk => 22 bytes @ 0x7fffdf1f6c90
    Sep 11 08:12:00 pfsense charon: 08[IKE] <con1|1197> natd_hash => 20 bytes @ 0x80d840040
    Sep 11 08:12:00 pfsense charon: 08[ENC] <con1|1197> generating AGGRESSIVE response 0 [ SA KE No ID V V V NAT-D NAT-D HASH ]
    Sep 11 08:12:00 pfsense charon: 08[NET] sending packet: from 50.50.50.50[500] to 60.60.60.60[2070] (392 bytes)
    Sep 11 08:12:00 pfsense charon: 08[NET] <con1|1197> sending packet: from 50.50.50.50[500] to 60.60.60.60[2070] (392 bytes)
    Sep 11 08:12:00 pfsense charon: 08[MGR] <con1|1197> checkin IKE_SA con1[1197]
    Sep 11 08:12:00 pfsense charon: 08[MGR] <con1|1197> checkin of IKE_SA successful
    Sep 11 08:12:01 pfsense charon: 08[MGR] checkout IKEv1 SA by message with SPIs de55f916cc41f772_i 0000000000000000_r
    Sep 11 08:12:01 pfsense charon: 08[MGR] IKE_SA con1[1197] successfully checked out
    Sep 11 08:12:01 pfsense charon: 08[NET] received packet: from 60.60.60.60[2070] to 50.50.50.50[500] (372 bytes)
    Sep 11 08:12:01 pfsense charon: 08[NET] <con1|1197> received packet: from 60.60.60.60[2070] to 50.50.50.50[500] (372 bytes)
    Sep 11 08:12:01 pfsense charon: 08[IKE] <con1|1197> received retransmit of request with ID 0, retransmitting response
    Sep 11 08:12:01 pfsense charon: 08[NET] sending packet: from 50.50.50.50[500] to 60.60.60.60[2070] (392 bytes)
    Sep 11 08:12:01 pfsense charon: 08[NET] <con1|1197> sending packet: from 50.50.50.50[500] to 60.60.60.60[2070] (392 bytes)
    Sep 11 08:12:01 pfsense charon: 08[MGR] <con1|1197> checkin IKE_SA con1[1197]
    Sep 11 08:12:01 pfsense charon: 08[MGR] <con1|1197> checkin of IKE_SA successful
    Sep 11 08:12:03 pfsense charon: 08[MGR] checkout IKEv1 SA by message with SPIs de55f916cc41f772_i 0000000000000000_r
    Sep 11 08:12:03 pfsense charon: 08[MGR] IKE_SA con1[1197] successfully checked out
    Sep 11 08:12:03 pfsense charon: 08[NET] received packet: from 60.60.60.60[2070] to 50.50.50.50[500] (372 bytes)
    Sep 11 08:12:03 pfsense charon: 08[NET] <con1|1197> received packet: from 60.60.60.60[2070] to 50.50.50.50[500] (372 bytes)
    Sep 11 08:12:03 pfsense charon: 08[IKE] <con1|1197> received retransmit of request with ID 0, retransmitting response
    Sep 11 08:12:03 pfsense charon: 08[NET] sending packet: from 50.50.50.50[500] to 60.60.60.60[2070] (392 bytes)
    Sep 11 08:12:03 pfsense charon: 08[NET] <con1|1197> sending packet: from 50.50.50.50[500] to 60.60.60.60[2070] (392 bytes)
    Sep 11 08:12:03 pfsense charon: 08[MGR] <con1|1197> checkin IKE_SA con1[1197]
    Sep 11 08:12:03 pfsense charon: 08[MGR] <con1|1197> checkin of IKE_SA successful
    Sep 11 08:12:04 pfsense charon: 08[MGR] checkout IKEv1 SA with SPIs de55f916cc41f772_i f155b80eed45cf6c_r
    Sep 11 08:12:04 pfsense charon: 08[MGR] IKE_SA con1[1197] successfully checked out
    Sep 11 08:12:04 pfsense charon: 08[IKE] <con1|1197> sending retransmit 1 of response message ID 0, seq 1
    Sep 11 08:12:04 pfsense charon: 08[NET] sending packet: from 50.50.50.50[500] to 60.60.60.60[2070] (392 bytes)
    Sep 11 08:12:04 pfsense charon: 08[NET] <con1|1197> sending packet: from 50.50.50.50[500] to 60.60.60.60[2070] (392 bytes)
    Sep 11 08:12:04 pfsense charon: 08[MGR] <con1|1197> checkin IKE_SA con1[1197]
    Sep 11 08:12:04 pfsense charon: 08[MGR] <con1|1197> checkin of IKE_SA successful
    Sep 11 08:12:05 pfsense charon: 08[MGR] checkout IKEv1 SA by message with SPIs de55f916cc41f772_i 0000000000000000_r
    Sep 11 08:12:05 pfsense charon: 08[MGR] IKE_SA con1[1197] successfully checked out
    Sep 11 08:12:05 pfsense charon: 08[NET] received packet: from 60.60.60.60[2070] to 50.50.50.50[500] (372 bytes)
    Sep 11 08:12:05 pfsense charon: 08[NET] <con1|1197> received packet: from 60.60.60.60[2070] to 50.50.50.50[500] (372 bytes)
    Sep 11 08:12:05 pfsense charon: 08[IKE] <con1|1197> received retransmit of request with ID 0, retransmitting response
    Sep 11 08:12:05 pfsense charon: 08[NET] sending packet: from 50.50.50.50[500] to 60.60.60.60[2070] (392 bytes)
    Sep 11 08:12:05 pfsense charon: 08[NET] <con1|1197> sending packet: from 50.50.50.50[500] to 60.60.60.60[2070] (392 bytes)
    Sep 11 08:12:05 pfsense charon: 08[MGR] <con1|1197> checkin IKE_SA con1[1197]
    Sep 11 08:12:05 pfsense charon: 08[MGR] <con1|1197> checkin of IKE_SA successful
    Sep 11 08:12:07 pfsense charon: 08[MGR] checkout IKEv1 SA by message with SPIs de55f916cc41f772_i 0000000000000000_r
    Sep 11 08:12:07 pfsense charon: 08[MGR] IKE_SA con1[1197] successfully checked out
    Sep 11 08:12:07 pfsense charon: 08[NET] received packet: from 60.60.60.60[2070] to 50.50.50.50[500] (372 bytes)
    Sep 11 08:12:07 pfsense charon: 08[NET] <con1|1197> received packet: from 60.60.60.60[2070] to 50.50.50.50[500] (372 bytes)
    Sep 11 08:12:07 pfsense charon: 08[IKE] <con1|1197> received retransmit of request with ID 0, retransmitting response
    Sep 11 08:12:07 pfsense charon: 08[NET] sending packet: from 50.50.50.50[500] to 60.60.60.60[2070] (392 bytes)
    Sep 11 08:12:07 pfsense charon: 08[NET] <con1|1197> sending packet: from 50.50.50.50[500] to 60.60.60.60[2070] (392 bytes)
    Sep 11 08:12:07 pfsense charon: 08[MGR] <con1|1197> checkin IKE_SA con1[1197]
    Sep 11 08:12:07 pfsense charon: 08[MGR] <con1|1197> checkin of IKE_SA successful
    Sep 11 08:12:11 pfsense charon: 08[MGR] checkout IKEv1 SA with SPIs de55f916cc41f772_i f155b80eed45cf6c_r
    Sep 11 08:12:11 pfsense charon: 08[MGR] IKE_SA con1[1197] successfully checked out
    Sep 11 08:12:11 pfsense charon: 08[IKE] <con1|1197> sending retransmit 2 of response message ID 0, seq 1
    Sep 11 08:12:11 pfsense charon: 08[NET] sending packet: from 50.50.50.50[500] to 60.60.60.60[2070] (392 bytes)
    Sep 11 08:12:11 pfsense charon: 08[NET] <con1|1197> sending packet: from 50.50.50.50[500] to 60.60.60.60[2070] (392 bytes)
    Sep 11 08:12:11 pfsense charon: 08[MGR] <con1|1197> checkin IKE_SA con1[1197]
    Sep 11 08:12:11 pfsense charon: 08[MGR] <con1|1197> checkin of IKE_SA successful
    Sep 11 08:12:24 pfsense charon: 08[MGR] checkout IKEv1 SA with SPIs de55f916cc41f772_i f155b80eed45cf6c_r
    Sep 11 08:12:24 pfsense charon: 08[MGR] IKE_SA con1[1197] successfully checked out
    Sep 11 08:12:24 pfsense charon: 08[IKE] <con1|1197> sending retransmit 3 of response message ID 0, seq 1
    Sep 11 08:12:24 pfsense charon: 08[NET] sending packet: from 50.50.50.50[500] to 60.60.60.60[2070] (392 bytes)
    Sep 11 08:12:24 pfsense charon: 08[NET] <con1|1197> sending packet: from 50.50.50.50[500] to 60.60.60.60[2070] (392 bytes)
    Sep 11 08:12:24 pfsense charon: 08[MGR] <con1|1197> checkin IKE_SA con1[1197]
    Sep 11 08:12:24 pfsense charon: 08[MGR] <con1|1197> checkin of IKE_SA successful
    Sep 11 08:12:30 pfsense charon: 08[MGR] checkout IKEv1 SA with SPIs de55f916cc41f772_i f155b80eed45cf6c_r
    Sep 11 08:12:30 pfsense charon: 08[MGR] IKE_SA con1[1197] successfully checked out
    Sep 11 08:12:30 pfsense charon: 08[JOB] <con1|1197> deleting half open IKE_SA with 60.60.60.60 after timeout
    Sep 11 08:12:30 pfsense charon: 08[MGR] <con1|1197> checkin and destroy IKE_SA con1[1197]
    Sep 11 08:12:30 pfsense charon: 08[IKE] <con1|1197> IKE_SA con1[1197] state change: CONNECTING => DESTROYING
    Sep 11 08:12:30 pfsense charon: 08[MGR] checkin and destroy of IKE_SA successful


  • Global Moderator

    Have you tried it in Main mode, not in Aggressive?
    What is the pfSense version?

    Please show the Avaya VPN config and log.
    And pfSense's /usr/local/etc/ipsec.conf



  • @viktor_g thank you
    Main mode is not an option on the Avaya VPN handset.

    pfSense version: 2.4.3-RELEASE (amd64)

    Avaya 9640 does not have any logs to show
    Its config is:

    VPN Phone Settings

    VPN VENDOR - OTHER
    Gateway address - 0.0.0.0 (set by DHCP)
    External Phone IP Address 0.0.0.0 (set by DHCP)
    External Subnet - 0.0.0.0 (set by DHCP)
    External DNS - 0.0.0.0 (set by DHCP)
    Encapsulation - 4500-4500 (default, unchanged)
    Copy TOS - No (unchanged)

    Auth Type - PSK with XAUTH

    VPN User TYPE - any
    VPN User - testuser (test user set-up)
    VPN PW - *

    IKE ID (Group Name) - none
    Pre-Shared Key (PSK) - *

    IKE Phase 1

    IKE ID Type - IPV4 ADDRESS
    IKE Xchg Mode - Aggressive
    IKE DH GROUP - 2
    IKE Encryption Alg - AES-256
    IKE Auth Alg - SHA-1
    IKE Config Mode - Enabled.

    IKE Phase 2

    IPSEC PFS DH Group - No PFS
    IPSEC Encryption Alg - AES-256
    IPSec Auth Alg - SHA-1
    Protected Network - 0.0.0.0/0

    /usr/local/etc/ipsec.conf

    # This file is automatically generated. Do not edit
    config setup
        uniqueids = yes

    conn bypasslan
        leftsubnet = 10.10.10.0/24
        rightsubnet = 10.10.10.0/24
        authby = never
        type = passthrough
        auto = route

    conn con1
        fragmentation = yes
        keyexchange = ikev1
        reauth = yes
        forceencaps = yes
        mobike = no
        rekey = no
        installpolicy = yes
        type = tunnel
        dpdaction = clear
        dpddelay = 30s
        dpdtimeout = 180s
        auto = add
        left = 50.50.50.50
        right = %any
        leftid = 50.50.50.50
        ikelifetime = 28800s
        lifetime = 28800s
        rightsourceip = 192.168.192.0/24
        ike = aes256-sha1-modp1024!
        esp = aes256-sha1,aes192-sha1,aes128-sha1!
        leftauth = psk
        rightauth = psk
        rightauth2 = xauth-generic
        aggressive = yes
        leftsubnet = 0.0.0.0/0


  • Update

    After doing some Wireshark traces I concluded the traffic was not getting back to the phone. I was able to identify a routing issue that was causing the problem and resolve it.
    I have now been able to connect the Avaya VPN handset through the IPSec tunnel to my phone system.

    So just in case anyone else tries to set this up, the following settings in the Avaya handset work:

    VPN VENDOR - OTHER
    Gateway address - 0.0.0.0 (set by DHCP)
    External Phone IP Address 0.0.0.0 (set by DHCP)
    External Subnet - 0.0.0.0 (set by DHCP)
    External DNS - 0.0.0.0 (set by DHCP)
    Encapsulation - 4500-4500
    Copy TOS - No

    Auth Type - PSK with XAUTH

    VPN User TYPE - any
    VPN User - vpnuser
    VPN PW - *

    IKE ID (Group Name) - none
    Pre-Shared Key (PSK) - *

    IKE Phase 1

    IKE ID Type - IPV4 ADDRESS
    IKE Xchg Mode - Aggressive
    IKE DH GROUP - 2
    IKE Encryption Alg - AES-256
    IKE Auth Alg - SHA-1
    IKE Config Mode - Enabled.

    IKE Phase 2

    IPSEC PFS DH Group - No PFS
    IPSEC Encryption Alg - AES-256
    IPSec Auth Alg - SHA-1
    Protected Network - 0.0.0.0/0
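
An added example (not part of the thread, and not pfSense or strongSwan code): a small Python triage script for charon logs like the one in the first post. It groups lines by IKE_SA number and flags the pattern seen there, where the responder answers but the peer keeps retransmitting its first message until the half-open SA times out. The sample log is a constructed excerpt modelled on the thread's lines, and the verdict labels are this example's own names.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the thread's charon lines (placeholder IPs as posted).
# SA 1197 repeats the failure in the first post; SA 1198 is an invented successful peer.
SAMPLE_LOG = """\
Sep 11 08:12:00 pfsense charon: 08[NET] received packet: from 60.60.60.60[2070] to 50.50.50.50[500] (372 bytes)
Sep 11 08:12:00 pfsense charon: 08[NET] <1197> received packet: from 60.60.60.60[2070] to 50.50.50.50[500] (372 bytes)
Sep 11 08:12:00 pfsense charon: 08[CFG] <1197> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Sep 11 08:12:00 pfsense charon: 08[ENC] <con1|1197> generating AGGRESSIVE response 0 [ SA KE No ID V V V NAT-D NAT-D HASH ]
Sep 11 08:12:01 pfsense charon: 08[IKE] <con1|1197> received retransmit of request with ID 0, retransmitting response
Sep 11 08:12:03 pfsense charon: 08[IKE] <con1|1197> received retransmit of request with ID 0, retransmitting response
Sep 11 08:12:04 pfsense charon: 08[IKE] <con1|1197> sending retransmit 1 of response message ID 0, seq 1
Sep 11 08:12:30 pfsense charon: 08[JOB] <con1|1197> deleting half open IKE_SA with 60.60.60.60 after timeout
Sep 11 09:00:00 pfsense charon: 08[NET] <1198> received packet: from 70.70.70.70[4500] to 50.50.50.50[500] (372 bytes)
Sep 11 09:00:00 pfsense charon: 08[CFG] <1198> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Sep 11 09:00:00 pfsense charon: 08[ENC] <con1|1198> generating AGGRESSIVE response 0 [ SA KE No ID V V V NAT-D NAT-D HASH ]
Sep 11 09:00:01 pfsense charon: 08[IKE] <con1|1198> IKE_SA con1[1198] state change: CONNECTING => ESTABLISHED
"""

# charon tags a line with <id> or <conn|id>; untagged duplicates are skipped.
LINE = re.compile(r"charon: \d+\[[A-Z]+\] <(?:[^|>]+\|)?(?P<sa>\d+)> (?P<msg>.*)$")
PEER = re.compile(r"received packet: from (\S+?)\[\d+\]")


@dataclass
class SaTrace:
    peer: str = "?"
    proposal_selected: bool = False
    responded: bool = False
    peer_retransmits: int = 0   # peer re-sent its first message after we answered
    own_retransmits: int = 0    # we re-sent our response on our own timer
    timed_out: bool = False
    established: bool = False

    def verdict(self) -> str:
        if self.established:
            return "established"
        if not self.proposal_selected:
            return "no-proposal-selected"
        if self.responded and self.timed_out and self.peer_retransmits:
            # Our reply was lost on the return path or dropped by the peer;
            # packet captures on both sides tell the two apart.
            return "response-lost-or-rejected"
        return "timeout" if self.timed_out else "inconclusive"


def trace_sas(log_text: str) -> dict:
    """Return {ike_sa_id: SaTrace} built from charon log text."""
    sas = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        sa, msg = sas.setdefault(m["sa"], SaTrace()), m["msg"]
        if (p := PEER.match(msg)):
            sa.peer = p.group(1)
        elif msg.startswith("selected proposal:"):
            sa.proposal_selected = True
        elif msg.startswith("generating AGGRESSIVE response"):
            sa.responded = True
        elif msg.startswith("received retransmit of request"):
            sa.peer_retransmits += 1
        elif re.match(r"sending retransmit \d+ of response", msg):
            sa.own_retransmits += 1
        elif "deleting half open IKE_SA" in msg:
            sa.timed_out = True
        elif msg.endswith("=> ESTABLISHED"):
            sa.established = True
    return sas


if __name__ == "__main__":
    for sa_id, t in trace_sas(SAMPLE_LOG).items():
        print(sa_id, t.peer, t.verdict(), f"peer_retx={t.peer_retransmits}", f"own_retx={t.own_retransmits}")
```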

