    VPN IPsec starts connecting but link not establishing

      Aymeric

      Hello everyone,

      Here is the link to the French support topic: https://forum.netgate.com/topic/166393/pb-vpn-ipsec-commence-a-se-connecter-mais-ne-va-pas-au-bout

      As you can see, I'm French, so sorry if my English is not very good.

      First, this is my infrastructure:

      ---------------Company network---------------- | --- INTERNET --- | -----------Remote network------------
      |PC1| --- |PFsense02| --- |router1| --- |fortigate| --- {Internet} --- |router/box2| --- |PFsense03| --- |PC2|
      LAN : 10.1.1.0/24 -------------------------------------------------------------------------------------LAN : 10.200.1.0/24

      These are my router/FW modifications:

      Since we already have an IPsec VPN for our software provider, ports 500 and 4500 are already used.
      So I added a Virtual IP on our Fortigate to redirect the public IP to my PFsense02 WAN IP (from Public-IP:60500 to WAN-IP:500 and Public-IP:64500 to WAN-IP:4500).

      My router2 is an Orange box without a fixed public IP, so I configured DynDNS, which works perfectly.
      I also added 2 NAT/PAT rules in my router2 (from Public-IP:60500 to WAN-IP:500 and Public-IP:64500 to WAN-IP:4500).

      I don't know if there is an impact, but my WANs on PFsense02 and PFsense03 are the same.

      Configuration of the PFsense:

      PFsense02 :

      Phase1 :
      -IKEv2
      -IPv4
      -WAN
      -my dynDNS
      Proposal authentication:
      -Mutual PSK
      -My IP address
      -Any (for the tests)
      -PSK : XXXX
      Proposal encryption :
      -AES / 256 / SHA1 / 2
      Expiration ... :
      -28800
      -auto
      -auto
      -auto
      Advanced ... :
      Everything else is at the default value except the custom IKE/NAT-T ports: 60500 and 64500

      Phase2 :
      -Tunnel IPV4
      -LAN
      -None
      -Network (my PFsense03 LAN)
      Proposal:
      SA ... :
      -ESP
      -AES auto
      -SHA1 SHA256
      -PFS key Group :5
      Expiration :
      Everything else is at the default value

      My PFsense03 has the same configuration except for the company's public IP instead of my dynDNS.

      When I start the connection, my remote PFsense shows a new line with "IKEv2 Responder", but they don't go further.

      These are my PFsense02 logs (the IPs are hidden):
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> activating new tasks
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> activating IKE_VENDOR task
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> activating IKE_INIT task
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> activating IKE_NATD task
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> activating IKE_CERT_PRE task
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> activating IKE_AUTH task
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> activating IKE_CERT_POST task
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> activating IKE_CONFIG task
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> activating CHILD_CREATE task
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> activating IKE_AUTH_LIFETIME task
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> initiating IKE_SA con100000[13] to 109.219.6.2
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> IKE_SA con100000[13] state change: CREATED => CONNECTING
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[CFG] <con100000|13> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[CFG] <con100000|13> sending supported signature hash algorithms: sha256 sha384 sha512 identity
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[ENC] <con100000|13> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[NET] <con100000|13> sending packet: from WAN-PFsense02[500] to IP-Public-Router2[60500] (336 bytes)
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[NET] <con100000|13> received packet: from IP-Public-Router2[60500] to WAN-PFsense02[500] (344 bytes)
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[ENC] <con100000|13> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> received FRAGMENTATION_SUPPORTED notify
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> received SIGNATURE_HASH_ALGORITHMS notify
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> received CHILDLESS_IKEV2_SUPPORTED notify
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[CFG] <con100000|13> selecting proposal:
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[CFG] <con100000|13> proposal matches
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[CFG] <con100000|13> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[CFG] <con100000|13> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[CFG] <con100000|13> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[CFG] <con100000|13> received supported signature hash algorithms: sha256 sha384 sha512 identity
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> local host is behind NAT, sending keep alives
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> remote host is behind NAT
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> reinitiating already active tasks
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> IKE_CERT_PRE task
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> IKE_AUTH task
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> authentication of 'WAN-PFsense02' (myself) with pre-shared key
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> successfully created shared key MAC
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[CFG] <con100000|13> proposing traffic selectors for us:
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[CFG] <con100000|13> 10.1.1.0/24|/0
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[CFG] <con100000|13> proposing traffic selectors for other:
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[CFG] <con100000|13> 10.200.1.0/24|/0
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[CFG] <con100000|13> configured proposals: AH:HMAC_SHA1_96/NO_EXT_SEQ, AH:HMAC_SHA2_256_128/NO_EXT_SEQ
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> establishing CHILD_SA con100000{12}
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[ENC] <con100000|13> generating IKE_AUTH request 1 [ IDi AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
      Sep 8 09:49:36 pfSense-02 charon[93010]: 09[NET] <con100000|13> sending packet: from WAN-PFsense02[4500] to IP-Public-Router2[4500] (252 bytes)
      Sep 8 09:49:37 pfSense-02 charon[93010]: 11[CFG] vici client 394 connected
      Sep 8 09:49:37 pfSense-02 charon[93010]: 09[CFG] vici client 394 registered for: list-sa
      Sep 8 09:49:37 pfSense-02 charon[93010]: 09[CFG] vici client 394 requests: list-sas
      Sep 8 09:49:37 pfSense-02 charon[93010]: 09[CFG] vici client 394 disconnected
      Sep 8 09:49:38 pfSense-02 charon[93010]: 09[NET] <14> received packet: from IP-Public-Router2[1024] to WAN-PFsense02[500] (336 bytes)
      Sep 8 09:49:38 pfSense-02 charon[93010]: 09[ENC] <14> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
      Sep 8 09:49:38 pfSense-02 charon[93010]: 09[CFG] <14> looking for an IKEv2 config for WAN-PFsense02...IP-Public-Router2
      Sep 8 09:49:38 pfSense-02 charon[93010]: 09[CFG] <14> candidate: WAN-PFsense02...monddns, prio 3100
      Sep 8 09:49:38 pfSense-02 charon[93010]: 09[CFG] <14> found matching ike config: WAN-PFsense02...myddns with prio 3100
      Sep 8 09:49:38 pfSense-02 charon[93010]: 09[IKE] <14> IP-Publique-Routeur2 is initiating an IKE_SA
      Sep 8 09:49:38 pfSense-02 charon[93010]: 09[IKE] <14> IKE_SA (unnamed)[14] state change: CREATED => CONNECTING
      Sep 8 09:49:38 pfSense-02 charon[93010]: 09[CFG] <14> selecting proposal:
      Sep 8 09:49:38 pfSense-02 charon[93010]: 09[CFG] <14> proposal matches
      Sep 8 09:49:38 pfSense-02 charon[93010]: 09[CFG] <14> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      Sep 8 09:49:38 pfSense-02 charon[93010]: 09[CFG] <14> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      Sep 8 09:49:38 pfSense-02 charon[93010]: 09[CFG] <14> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      Sep 8 09:49:38 pfSense-02 charon[93010]: 09[CFG] <14> received supported signature hash algorithms: sha256 sha384 sha512 identity
      Sep 8 09:49:38 pfSense-02 charon[93010]: 09[IKE] <14> local host is behind NAT, sending keep alives
      Sep 8 09:49:38 pfSense-02 charon[93010]: 09[IKE] <14> remote host is behind NAT
      Sep 8 09:49:38 pfSense-02 charon[93010]: 09[CFG] <14> sending supported signature hash algorithms: sha256 sha384 sha512 identity
      Sep 8 09:49:38 pfSense-02 charon[93010]: 09[ENC] <14> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
      Sep 8 09:49:38 pfSense-02 charon[93010]: 09[NET] <14> sending packet: from WAN-PFsense02[500] to IP-Public-Router2[1024] (344 bytes)
      Sep 8 09:49:40 pfSense-02 charon[93010]: 09[IKE] <con100000|13> retransmit 1 of request with message ID 1
      Sep 8 09:49:40 pfSense-02 charon[93010]: 09[NET] <con100000|13> sending packet: from WAN-PFsense02[4500] to IP-Public-Router2[4500] (252 bytes)
      Sep 8 09:49:42 pfSense-02 charon[93010]: 09[CFG] vici client 395 connected
      Sep 8 09:49:42 pfSense-02 charon[93010]: 14[CFG] vici client 395 registered for: list-sa
      Sep 8 09:49:42 pfSense-02 charon[93010]: 14[CFG] vici client 395 requests: list-sas
      Sep 8 09:49:42 pfSense-02 charon[93010]: 08[CFG] vici client 395 disconnected
      Sep 8 09:49:47 pfSense-02 charon[93010]: 14[CFG] vici client 396 connected
      Sep 8 09:49:47 pfSense-02 charon[93010]: 08[CFG] vici client 396 registered for: list-sa
      Sep 8 09:49:47 pfSense-02 charon[93010]: 08[CFG] vici client 396 requests: list-sas
      Sep 8 09:49:47 pfSense-02 charon[93010]: 08[CFG] vici client 396 disconnected
      Sep 8 09:49:48 pfSense-02 charon[93010]: 08[IKE] <con100000|13> retransmit 2 of request with message ID 1
      ...

      I think this is probably the cause of the error:
      Sep 8 09:49:38 pfSense-02 charon[93010]: 09[ENC] <14> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]

      I tried to switch to IKEv1, putting one of the two PFsense in "Respond Only"; I tried to redirect ports 1024 or 1011, but each time it is the same thing: the other PFsense receives the information but blocks at a point I do not know.

      I don't know enough about IPsec VPNs to find the solution and the problematic step.
      I therefore appeal to anyone who has already had this problem or who has knowledge on the subject, to succeed in setting it up and to allow future readers to unblock themselves.

      If you need more information, don't hesitate to ask me.
      Thanks in advance.

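As an added example (not part of the post or of pfSense/strongSwan), a small Python triage script for charon log lines like the ones quoted above: it groups packets per IKE_SA and reports remote ports that were sent to but never answered from, together with the retransmit count and whether NAT was detected. The sample lines are constructed to mirror the quoted log, with the hosts anonymised the same way the poster did.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the charon lines quoted in the post.
SAMPLE_LOG = """\
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[NET] <con100000|13> sending packet: from WAN-PFsense02[500] to IP-Public-Router2[60500] (336 bytes)
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[NET] <con100000|13> received packet: from IP-Public-Router2[60500] to WAN-PFsense02[500] (344 bytes)
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[IKE] <con100000|13> local host is behind NAT, sending keep alives
Sep 8 09:49:36 pfSense-02 charon[93010]: 09[NET] <con100000|13> sending packet: from WAN-PFsense02[4500] to IP-Public-Router2[4500] (252 bytes)
Sep 8 09:49:40 pfSense-02 charon[93010]: 09[IKE] <con100000|13> retransmit 1 of request with message ID 1
Sep 8 09:49:40 pfSense-02 charon[93010]: 09[NET] <con100000|13> sending packet: from WAN-PFsense02[4500] to IP-Public-Router2[4500] (252 bytes)
Sep 8 09:49:48 pfSense-02 charon[93010]: 08[IKE] <con100000|13> retransmit 2 of request with message ID 1
"""

# charon tags every SA-bound line with "<name|id>" (or "<id>" before a config is matched).
SA_RE = re.compile(r"<(?P<sa>[^>]+)> (?P<msg>.*)$")
PKT_RE = re.compile(r"(?P<dir>sending|received) packet: from (?P<src>\S+)\[(?P<sport>\d+)\] to (?P<dst>\S+)\[(?P<dport>\d+)\]")
RETX_RE = re.compile(r"retransmit (?P<n>\d+) of request with message ID (?P<mid>\d+)")

def analyse(log_text):
    """Per IKE_SA: remote ports we sent to, remote ports we heard from, retransmits, NAT flag."""
    sas = defaultdict(lambda: {"sent_to": set(), "received_from": set(), "retransmits": 0, "nat": False})
    for line in log_text.splitlines():
        m = SA_RE.search(line)
        if not m:
            continue  # vici and other non-SA lines are irrelevant here
        st = sas[m.group("sa")]
        msg = m.group("msg")
        if (p := PKT_RE.search(msg)):
            if p.group("dir") == "sending":
                st["sent_to"].add(int(p.group("dport")))
            else:
                st["received_from"].add(int(p.group("sport")))
        elif (r := RETX_RE.search(msg)):
            st["retransmits"] = max(st["retransmits"], int(r.group("n")))
        elif "behind NAT" in msg:
            st["nat"] = True
    return sas

def findings(log_text):
    """Return (sa, silent_remote_ports, retransmits, nat) for SAs that are stuck retransmitting."""
    out = []
    for sa, st in analyse(log_text).items():
        silent = sorted(st["sent_to"] - st["received_from"])
        if silent and st["retransmits"]:
            out.append((sa, silent, st["retransmits"], st["nat"]))
    return out
```

On the sample it reports that SA con100000|13 got answers on remote port 60500 but none on 4500, the port charon switched to after NAT detection, which is the first place to compare against the port-forward rules on both sides.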