Site-to-Site VPN using IPsec IKEv2, how to troubleshoot

Hoygen83

      Hello,
I am trying to configure an IPsec VPN between a pfSense 2.4.4-RELEASE-p3 and a Zyxel firewall.
Is there a way to start the phases from pfSense and get intelligible information about what is not working?
I need some guidance on where to look so I can troubleshoot this properly.
      Kindest Regards

jimp (Rebel Alliance Developer, Netgate)

        This is one area that is much nicer in 2.5.0 but you can try it on 2.4.4 as well:

        Get a list of connections: swanctl --list-conns

        Initiate an IKE connection (Phase 1): swanctl --initiate --ike <name> where <name> is something like con1000.

        Initiate a child SA (Phase 2): swanctl --initiate --child <name> where <name> is something like con1000.

        The exact names will vary depending on your setup, whether or not you use split connections, etc.

        When you initiate that way at the CLI, it shows you the relevant log entries on the console right when they happen, which is neat.

        For example:

        : swanctl --initiate --child con4000
        [IKE] establishing CHILD_SA con4000{101}
        [ENC] generating CREATE_CHILD_SA request 921 [ N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
        [NET] sending packet: from 198.51.100.3[500] to 198.51.100.20[500] (608 bytes)
        [NET] received packet: from 198.51.100.20[500] to 198.51.100.3[500] (560 bytes)
        [ENC] parsed CREATE_CHILD_SA response 921 [ N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
        [IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
        [CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
        [IKE] CHILD_SA con4000{101} established with SPIs cb0bc474_i c70424f1_o and TS 0.0.0.0/0|/0 2001:db8:3:1111::1/128|/0 === 0.0.0.0/0|/0 2001:db8:3:1111::2/128|/0
        initiate completed successfully
        

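An added helper (not from the thread or from pfSense) that turns the console output of swanctl --initiate --child into a one-line verdict, so a Phase 2 failure stands out when the command is run from a shell script or cron job. It assumes the output has been captured to a variable or file; the failure strings it matches are strongSwan's usual messages, which is an assumption to check against your own log.

```shell
#!/bin/sh
# Summarise "swanctl --initiate --child <name>" output.
# Usage on the box (assumed): swanctl --initiate --child con4000 2>&1 | tee /tmp/p2.log
#                             summarize_initiate "$(cat /tmp/p2.log)"

# Constructed sample, same shape as the output shown in the thread above
# (documentation addresses, SPIs and traffic selectors are placeholders).
SAMPLE_OUTPUT='[IKE] establishing CHILD_SA con4000{101}
[ENC] generating CREATE_CHILD_SA request 921 [ N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
[NET] sending packet: from 198.51.100.3[500] to 198.51.100.20[500] (608 bytes)
[NET] received packet: from 198.51.100.20[500] to 198.51.100.3[500] (560 bytes)
[ENC] parsed CREATE_CHILD_SA response 921 [ N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
[IKE] CHILD_SA con4000{101} established with SPIs cb0bc474_i c70424f1_o and TS 0.0.0.0/0|/0 === 0.0.0.0/0|/0
initiate completed successfully'

# Prints one line: "OK <proposal> peer=<addr>", "NO_PROPOSAL", "TIMEOUT" or "FAILED".
# The NO_PROPOSAL/TIMEOUT patterns are assumed strongSwan wording (IKEv2 notify
# NO_PROPOSAL_CHOSEN; retransmit give-up), not text taken from this thread.
summarize_initiate() {
  out="$1"
  if printf '%s\n' "$out" | grep -q 'initiate completed successfully'; then
    prop=$(printf '%s\n' "$out" | sed -n 's/.*selected proposal: //p' | head -n 1)
    # Peer address comes from the first "sending packet: ... to A.B.C.D[port]" line.
    peer=$(printf '%s\n' "$out" | sed -n 's/.*sending packet: from .* to \([^[]*\)\[.*/\1/p' | head -n 1)
    printf 'OK %s peer=%s\n' "${prop:-unknown}" "${peer:-unknown}"
  elif printf '%s\n' "$out" | grep -q 'NO_PROPOSAL_CHOSEN'; then
    # Phase 2 algorithms do not match what the far end offers (check ESP proposal on both sides).
    printf 'NO_PROPOSAL\n'
  elif printf '%s\n' "$out" | grep -Eq 'retransmits|not responding'; then
    # No reply at all: UDP 500/4500 or ESP blocked, wrong peer address, or peer not initiating.
    printf 'TIMEOUT\n'
  else
    printf 'FAILED\n'
  fi
}

summarize_initiate "$SAMPLE_OUTPUT"
```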
Hoygen83

          Thank you sir.
Sadly, I only have access to the web interface.
So I have found that I can see that output by initiating the connection from:
Status -> IPsec -> Connect
and then reading the logs in:
System -> System Logs -> IPsec.
Thank you for your answer though; it will be really useful if I am able to SSH into the device.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.