Netgate Discussion Forum

    pfsense 2.4.5-RELEASE-p1 - Cisco - constraint check failed: identity IP

    8 Posts 4 Posters 1.0k Views
    • B
      biely2
      last edited by biely2

      This post is deleted!
      • R
        rolytheflycatcher @biely2
        last edited by

        @biely2 said in pfsense 2.4.5-RELEASE-p1 - Cisco - constraint check failed: identity IP:

        162.168.175.251

        Is that a public IP, or a mis-typed 192.168.* private address?

        • kiokomanK
          kiokoman LAYER 8 @biely2
          last edited by kiokoman

          @biely2 said in pfsense 2.4.5-RELEASE-p1 - Cisco - constraint check failed: identity IP:

          I suspect the problem is here

          Apr  7 14:13:19 ipsec charon: 06[IKE] <con3000|5> received cert request for unknown ca with keyid 3e:06:f1:4b:7f:d8:75:e1:62:28:e1:fe:25:a1:19:74:f5:b5:1d:23
          Apr  7 14:13:19 ipsec charon: 06[IKE] <con3000|5> received cert request for unknown ca with keyid bc:1c:21:56:b3:8c:56:7d:b9:2b:85:1d:67:4b:6a:b5:07:ad:ed:d6
          Apr  7 14:13:19 ipsec charon: 06[IKE] <con3000|5> received 2 cert requests for an unknown ca
          

          wrong/bad certificate or a mismatch on phase 1


          • B
            biely2 @rolytheflycatcher
            last edited by

            @rolytheflycatcher said in pfsense 2.4.5-RELEASE-p1 - Cisco - constraint check failed: identity IP:

            @biely2 said in pfsense 2.4.5-RELEASE-p1 - Cisco - constraint check failed: identity IP:

            162.168.175.251

            Is that a public IP, or a mis-typed 192.168.* private address?

            It is a public address on the WAN interface. It is anonymized, not real, for this chat.

            • B
              biely2 @kiokoman
              last edited by

              @kiokoman said in pfsense 2.4.5-RELEASE-p1 - Cisco - constraint check failed: identity IP:

              @biely2 said in pfsense 2.4.5-RELEASE-p1 - Cisco - constraint check failed: identity IP:

              i suspect the problem is here

              Apr  7 14:13:19 ipsec charon: 06[IKE] <con3000|5> received cert request for unknown ca with keyid 3e:06:f1:4b:7f:d8:75:e1:62:28:e1:fe:25:a1:19:74:f5:b5:1d:23
              Apr  7 14:13:19 ipsec charon: 06[IKE] <con3000|5> received cert request for unknown ca with keyid bc:1c:21:56:b3:8c:56:7d:b9:2b:85:1d:67:4b:6a:b5:07:ad:ed:d6
              Apr  7 14:13:19 ipsec charon: 06[IKE] <con3000|5> received 2 cert requests for an unknown ca
              

              wrong/bad certificate or a mismatch on phase 1
              do I have to use a CA for IPsec?

              • B
                biely2 @biely2
                last edited by

                @biely2 I'm
                I tried IKE1 AES 256, SHA1 ... and had the same problem.

                log:

                Apr 12 15:33:08 vintsec2 charon: 15[IKE] <con6000|4> queueing ISAKMP_CERT_POST task
                Apr 12 15:33:08 vintsec2 charon: 15[IKE] <con6000|4> queueing ISAKMP_NATD task
                Apr 12 15:33:08 vintsec2 charon: 15[IKE] <con6000|4> queueing QUICK_MODE task
                Apr 12 15:33:08 vintsec2 charon: 15[IKE] <con6000|4> activating new tasks
                Apr 12 15:33:08 vintsec2 charon: 15[IKE] <con6000|4> activating ISAKMP_VENDOR task
                Apr 12 15:33:08 vintsec2 charon: 15[IKE] <con6000|4> activating ISAKMP_CERT_PRE task
                Apr 12 15:33:08 vintsec2 charon: 15[IKE] <con6000|4> activating AGGRESSIVE_MODE task
                Apr 12 15:33:08 vintsec2 charon: 15[IKE] <con6000|4> activating ISAKMP_CERT_POST task
                Apr 12 15:33:08 vintsec2 charon: 15[IKE] <con6000|4> activating ISAKMP_NATD task
                Apr 12 15:33:08 vintsec2 charon: 15[IKE] <con6000|4> sending XAuth vendor ID
                Apr 12 15:33:08 vintsec2 charon: 15[IKE] <con6000|4> sending DPD vendor ID
                Apr 12 15:33:08 vintsec2 charon: 15[IKE] <con6000|4> sending FRAGMENTATION vendor ID
                Apr 12 15:33:08 vintsec2 charon: 15[IKE] <con6000|4> sending NAT-T (RFC 3947) vendor ID
                Apr 12 15:33:08 vintsec2 charon: 15[IKE] <con6000|4> sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
                Apr 12 15:33:08 vintsec2 charon: 15[IKE] <con6000|4> initiating Aggressive Mode IKE_SA con6000[4] toX.X.X.251
                Apr 12 15:33:08 vintsec2 charon: 15[IKE] <con6000|4> IKE_SA con6000[4] state change: CREATED => CONNECTING
                Apr 12 15:33:08 vintsec2 charon: 15[ENC] <con6000|4> generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
                Apr 12 15:33:08 vintsec2 charon: 15[NET] <con6000|4> sending packet: from X.X.X.75[500] to X.X.X.251[500] (488 bytes)
                Apr 12 15:33:08 vintsec2 charon: 08[NET] <con6000|4> received packet: from X.X.X..251[500] to X.X.X.75[500] (109 bytes)
                Apr 12 15:33:08 vintsec2 charon: 08[ENC] <con6000|4> parsed AGGRESSIVE response 0 [ FRAG(2/2) ]
                Apr 12 15:33:08 vintsec2 charon: 08[ENC] <con6000|4> received fragment #2, waiting for complete IKE message
                Apr 12 15:33:08 vintsec2 charon: 08[NET] <con6000|4> received packet: from X.X.X.251[500] to X.X.X.75[500] (548 bytes)
                Apr 12 15:33:08 vintsec2 charon: 08[ENC] <con6000|4> parsed AGGRESSIVE response 0 [ FRAG(1) ]
                Apr 12 15:33:08 vintsec2 charon: 08[ENC] <con6000|4> received fragment #1, reassembled fragmented IKE message (585 bytes)
                Apr 12 15:33:08 vintsec2 charon: 08[NET] <con6000|4> received packet: from X.X.X.75.251[500] to X.X.X.75[500] (585 bytes)
                Apr 12 15:33:08 vintsec2 charon: 08[ENC] <con6000|4> parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V V NAT-D NAT-D V V V ]
                Apr 12 15:33:08 vintsec2 charon: 08[IKE] <con6000|4> received Cisco Unity vendor ID
                Apr 12 15:33:08 vintsec2 charon: 08[IKE] <con6000|4> received XAuth vendor ID
                Apr 12 15:33:08 vintsec2 charon: 08[IKE] <con6000|4> received DPD vendor ID
                Apr 12 15:33:08 vintsec2 charon: 08[IKE] <con6000|4> received NAT-T (RFC 3947) vendor ID
                Apr 12 15:33:08 vintsec2 charon: 08[IKE] <con6000|4> received FRAGMENTATION vendor ID
                Apr 12 15:33:08 vintsec2 charon: 08[ENC] <con6000|4> received unknown vendor ID: ae:fa:c1:1b:1b:2a:8f:57:c9:94:8c:0a:06:44:29:65
                Apr 12 15:33:08 vintsec2 charon: 08[ENC] <con6000|4> received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
                Apr 12 15:33:08 vintsec2 charon: 08[CFG] <con6000|4> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
                Apr 12 15:33:08 vintsec2 charon: 08[IKE] <con6000|4> IDir 'firepower' does not match to 'X.X.X.251'
                Apr 12 15:33:08 vintsec2 charon: 08[IKE] <con6000|4> queueing INFORMATIONAL task
                Apr 12 15:33:08 vintsec2 charon: 08[IKE] <con6000|4> activating new tasks
                Apr 12 15:33:08 vintsec2 charon: 08[IKE] <con6000|4> activating INFORMATIONAL task

                • GertjanG
                  Gertjan @biely2
                  last edited by

                  Not the same: this is new:

                  @biely2 said in pfsense 2.4.5-RELEASE-p1 - Cisco - constraint check failed: identity IP:

                  Apr 12 15:33:08 vintsec2 charon: 08[IKE] <con6000|4> IDir 'firepower' does not match to 'X.X.X.251'

                  Edit: and where are the logs??

                  • B
                    biely2 @Gertjan
                    last edited by

                    @gertjan said in pfsense 2.4.5-RELEASE-p1 - Cisco - constraint check failed: identity IP:

                    Cisco - constraint check failed: identity IP:

                    For IKE2 -> constraint check failed: identity IP
                    and the same for IKE1 -> IDir 'firepower' does not match to 'X.X.X.251'

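As an added example (not part of this thread, and not pfSense or strongSwan code), the script below classifies charon log lines for the two identity failures discussed here (the IKEv1 `IDir ... does not match` line and the IKEv2 `constraint check failed: identity` line) and for the unknown-CA certificate requests, grouping them per IKE connection. The sample log is constructed from the lines quoted above plus one constructed IKEv2 line whose exact wording is an assumption.

```python
"""Group strongSwan (charon) identity/CA failures per IKE connection.

Added example; the connection names, keyid and 'firepower' identity are
taken from the thread, the IKEv2 line is constructed for illustration.
"""
import re

# IKEv1: peer sent IDir 'got' but pfSense expects 'want' (Peer identifier).
RE_IDIR = re.compile(r"IDir '(?P<got>[^']+)' does not match to '(?P<want>[^']+)'")
# IKEv2: identity constraint failed; accepts both a quoted identity and the
# bare "identity IP" wording used in the thread title.
RE_CONSTRAINT = re.compile(
    r"constraint check failed: identity '?(?P<want>[^']+?)'?(?: required)?\s*$")
# Certificate request for a CA that strongSwan does not know.
RE_UNKNOWN_CA = re.compile(
    r"received cert request for unknown ca with keyid (?P<keyid>[0-9a-f:]+)")
# IKE_SA tag, e.g. <con6000|4> -> connection con6000, SA number 4.
RE_SA = re.compile(r"<(?P<conn>[^|>]+)\|(?P<id>\d+)>")

# Constructed sample: quoted thread lines plus one assumed IKEv2 line.
SAMPLE_LOG = """\
Apr  7 14:13:19 ipsec charon: 06[IKE] <con3000|5> received cert request for unknown ca with keyid 3e:06:f1:4b:7f:d8:75:e1:62:28:e1:fe:25:a1:19:74:f5:b5:1d:23
Apr  7 14:13:19 ipsec charon: 06[IKE] <con3000|5> received 2 cert requests for an unknown ca
Apr 12 15:33:08 vintsec2 charon: 08[CFG] <con6000|4> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Apr 12 15:33:08 vintsec2 charon: 08[IKE] <con6000|4> IDir 'firepower' does not match to 'X.X.X.251'
Apr 12 15:40:01 vintsec2 charon: 09[CFG] <con3000|6> constraint check failed: identity 'X.X.X.251' required
"""


def classify(line):
    """Return (connection, kind, detail) for a relevant line, else None."""
    sa = RE_SA.search(line)
    conn = sa.group("conn") if sa else "?"
    m = RE_IDIR.search(line)
    if m:
        return (conn, "peer_id_mismatch",
                f"peer sent '{m.group('got')}', configured '{m.group('want')}'")
    m = RE_CONSTRAINT.search(line)
    if m:
        return (conn, "peer_id_mismatch",
                f"peer identity is not the configured '{m.group('want')}'")
    m = RE_UNKNOWN_CA.search(line)
    if m:
        return (conn, "unknown_ca", m.group("keyid"))
    return None


def analyze(log_text):
    """Group findings per connection: {conn: [(kind, detail), ...]}."""
    findings = {}
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            conn, kind, detail = hit
            findings.setdefault(conn, []).append((kind, detail))
    return findings


if __name__ == "__main__":
    for conn, items in analyze(SAMPLE_LOG).items():
        print(conn)
        for kind, detail in items:
            print(f"  {kind}: {detail}")
```

A `peer_id_mismatch` finding means the identity the peer actually sends (here the name 'firepower') should be compared against the Peer identifier configured for that phase 1 on pfSense; an `unknown_ca` finding means the peer is asking for a CA that pfSense does not have.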
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.