Site-to-site VPN using IPsec IKEv2: how to troubleshoot

  • Hello,
    I am trying to configure an IPsec VPN between a pfSense 2.4.4-RELEASE-p3 and a Zyxel firewall.
    Is there a way to start the phases from pfSense and get intelligible information about what's not working?
    I need to be guided on where to look so I can troubleshoot properly.
    Kindest Regards

  • Rebel Alliance Developer Netgate

    This is one area that is much nicer in 2.5.0 but you can try it on 2.4.4 as well:

    Get a list of connections: swanctl --list-conns

    Initiate an IKE connection (Phase 1): swanctl --initiate --ike <name> where <name> is something like con1000.

    Initiate a child SA (Phase 2): swanctl --initiate --child <name> where <name> is something like con1000.

    The exact names will vary depending on your setup, whether or not you use split connections, etc.

    When you initiate that way at the CLI, it shows you the relevant log entries on the console right when they happen, which is neat.

    For example:

    : swanctl --initiate --child con4000
    [IKE] establishing CHILD_SA con4000{101}
    [ENC] generating CREATE_CHILD_SA request 921 [ N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
    [NET] sending packet: from[500] to[500] (608 bytes)
    [NET] received packet: from[500] to[500] (560 bytes)
    [ENC] parsed CREATE_CHILD_SA response 921 [ N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
    [IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
    [CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
    [IKE] CHILD_SA con4000{101} established with SPIs cb0bc474_i c70424f1_o and TS|/0 2001:db8:3:1111::1/128|/0 ===|/0 2001:db8:3:1111::2/128|/0
    initiate completed successfully
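The log lines that `swanctl --initiate` prints (and that also land in the IPsec log) follow a fixed charon format, so they can be reduced to a verdict mechanically. The following is an added example, not from the thread or from pfSense: it parses the successful initiation quoted above (with the traffic-selector tail trimmed) and a constructed failed attempt, and maps well-known IKEv2 notify errors (RFC 7296) to what to compare on the two peers. The hint texts and the `SAMPLE_FAIL` lines are constructed for illustration.

```python
import re

# Constructed sample logs: the successful CHILD_SA initiation quoted in the thread
# (TS tail trimmed) and a constructed failed attempt in the same charon log format.
SAMPLE_OK = """\
[IKE] establishing CHILD_SA con4000{101}
[ENC] parsed CREATE_CHILD_SA response 921 [ N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
[IKE] CHILD_SA con4000{101} established with SPIs cb0bc474_i c70424f1_o
"""
SAMPLE_FAIL = """\
[IKE] establishing CHILD_SA con4000{102}
[ENC] parsed CREATE_CHILD_SA response 922 [ N(NO_PROP) ]
[IKE] received NO_PROPOSAL_CHOSEN notify error
"""

# Well-known IKEv2 notify errors (RFC 7296) and what to compare on the two peers.
NOTIFY_HINTS = {
    "NO_PROPOSAL_CHOSEN": "cipher/integrity/DH group mismatch; compare the proposals on both peers",
    "TS_UNACCEPTABLE": "traffic selector mismatch; compare local/remote networks of the Phase 2 entry",
    "AUTHENTICATION_FAILED": "Phase 1 authentication failed; check PSK and peer identifiers",
    "INVALID_KE_PAYLOAD": "DH group mismatch; align the PFS/DH group on both peers",
}

def parse_initiate_log(text):
    """Reduce charon log lines from one CHILD_SA initiation attempt to a result dict."""
    res = {"child": None, "established": False, "proposal": None,
           "spi_in": None, "spi_out": None, "errors": []}
    for line in text.splitlines():
        if m := re.search(r"establishing CHILD_SA (\S+?)\{\d+\}", line):
            res["child"] = m.group(1)
        elif m := re.search(r"selected proposal: (\S+)", line):
            res["proposal"] = m.group(1)
        elif m := re.search(r"established with SPIs (\w+)_i (\w+)_o", line):
            res["established"] = True
            res["spi_in"], res["spi_out"] = m.group(1), m.group(2)
        elif m := re.search(r"received (\w+) notify error", line):
            res["errors"].append(m.group(1))
    return res

def explain(res):
    """Turn a parsed result into a one-line verdict plus checklist hints."""
    if res["established"]:
        return f"{res['child']}: up, {res['proposal']}, SPIs {res['spi_in']}/{res['spi_out']}"
    hints = [NOTIFY_HINTS.get(e, e) for e in res["errors"]] or ["no notify received; check reachability and UDP 500/4500"]
    return f"{res['child']}: failed; " + "; ".join(hints)

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_FAIL):
        print(explain(parse_initiate_log(sample)))
```

The same parser works on lines copied out of System Logs -> IPsec, since the web UI shows the same charon output.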

  • Thank you sir.
    Sadly I only have access to the web interface.
    So I have found that I can see that output by initiating the connection from
    Status -> IPsec -> Connect
    and then reading the logs in
    System -> System Logs -> IPsec.
    Thank you for your answer though; that will be really useful if I am able to SSH into the device.
