• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Ipsec Configuration not Working!

Scheduled Pinned Locked Moved IPsec
66 Posts 6 Posters 14.2k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • I
    ibnkamala @rcoleman-netgate
    last edited by Jun 7, 2022, 7:33 PM

    @rcoleman-netgate since I am not very strong on how to read the logs and understand what is wrong, could you please help me on that?

    concerning the version is that mean I must have same version on both sides?

    1 Reply Last reply Reply Quote 0
    • I
      ibnkamala
      last edited by Jun 10, 2022, 10:01 AM

      This post is deleted!
      1 Reply Last reply Reply Quote 0
      • I
        ibnkamala
        last edited by Jun 10, 2022, 12:33 PM

        Anyone can help me please, I am 100% sure that use in both sides IKEv2, simplest PSK which is "123" and everything is matched but still I am not able to establish the connection?!!!

        Jun 10 11:57:55 charon 08[IKE] <con2000|146> IKE_SA con2000[146] state change: CONNECTING => DESTROYING
        Jun 10 11:57:55 charon 08[CHD] <con2000|146> CHILD_SA con2000{165} state change: CREATED => DESTROYING
        Jun 10 11:57:55 charon 08[IKE] <con2000|146> received AUTHENTICATION_FAILED notify error
        Jun 10 11:57:55 charon 08[ENC] <con2000|146> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]

        Any help would be really appreciated :)

        S 1 Reply Last reply Jun 10, 2022, 2:23 PM Reply Quote 0
        • S
          SteveITS Galactic Empire @ibnkamala
          last edited by Jun 10, 2022, 2:23 PM

          @ibnkamala I don't have direct advice for you but note 2.6 made several changes to IPSec, did you review those?

          Possibly, upgrade the 2.4.5 which is a few versions old?

          Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
          When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
          Upvote 👍 helpful posts!

          1 Reply Last reply Reply Quote 0
          • G
            gabacho4 Rebel Alliance
            last edited by Jun 10, 2022, 3:02 PM

            Would be super helpful if you would show screenshots of the P1 and P2 settings for both sides. And while you’re at it, update the 2.4.5 box. Not really interested in trying to troubleshoot an unsupported version of pfsense.

            I 1 Reply Last reply Jun 11, 2022, 10:16 AM Reply Quote 0
            • I
              ibnkamala @gabacho4
              last edited by Jun 11, 2022, 10:16 AM

              @gabacho4 thanks for your reply I am going to share both sites configurations and here is the screenshot when I try to connect the tunnel.

              SIte-A-phases.png SIte-A.png
              SiteB.png

              Thanks for your help, for sure I am going to update to a newer version but I wanted to test it first.

              G 1 Reply Last reply Jun 11, 2022, 10:24 AM Reply Quote 0
              • G
                gabacho4 Rebel Alliance @ibnkamala
                last edited by Jun 11, 2022, 10:24 AM

                @ibnkamala those are not the p1 and p2 settings. What you’ve sent is a screenshot of the ipsec status. It tells me nothing other than the fact that your IPSec connection isn’t working which has already been established by your other posts. Please send screenshots of the actual p1 and p2 configurations for both sides of the tunnel. Those are what you configured when you went to VPN - IPSec and then created the p1 and p2.

                I 1 Reply Last reply Jun 11, 2022, 12:02 PM Reply Quote 1
                • I
                  ibnkamala @gabacho4
                  last edited by ibnkamala Jun 11, 2022, 12:08 PM Jun 11, 2022, 12:02 PM

                  @gabacho4 I am sorry, here are phase 1 and 2 configs for siteA:

                  Phase 1:
                  1.png
                  2.png 3.png 4.png

                  Phase 2
                  phase2-1.png phase2-2.png phase2-3.png

                  G 1 Reply Last reply Jun 11, 2022, 12:10 PM Reply Quote 0
                  • G
                    gabacho4 Rebel Alliance @ibnkamala
                    last edited by Jun 11, 2022, 12:10 PM

                    @ibnkamala you’re killing me bro. And what about side B?! I need both sides to compare. Come on.

                    1 Reply Last reply Reply Quote 1
                    • I
                      ibnkamala
                      last edited by Jun 11, 2022, 12:12 PM

                      here are phase 1 and 2 configs for siteB:
                      Phase 1:
                      1.png 2.png 3.png 4.png

                      Phase 2

                      Phase2-1.png Phase2-2.png Phase2-3.png

                      Thanks a lot for your help

                      G 1 Reply Last reply Jun 11, 2022, 12:21 PM Reply Quote 0
                      • G
                        gabacho4 Rebel Alliance @ibnkamala
                        last edited by gabacho4 Jun 11, 2022, 12:22 PM Jun 11, 2022, 12:21 PM

                        @ibnkamala ok so one side is behind NAT if I recall right. Try this. For the “my identifier” and “peer identifier” change from IP address to KeyID tag for both. Then make the id for the local router “SideA” and the remote “SideB”. On the remote side make the my identifier “SideB” and the peer identifier “SideA”. Be sure to change the other side to use KeyID tag as well of course.

                        I 1 Reply Last reply Jun 11, 2022, 12:23 PM Reply Quote 0
                        • I
                          ibnkamala @gabacho4
                          last edited by Jun 11, 2022, 12:23 PM

                          @gabacho4 both sides are behind the NAT

                          G 1 Reply Last reply Jun 11, 2022, 12:24 PM Reply Quote 0
                          • G
                            gabacho4 Rebel Alliance @ibnkamala
                            last edited by Jun 11, 2022, 12:24 PM

                            @ibnkamala ok. Make those changes. Also you’re positive that the routers in front of the pfsense boxes allows IPSec pass through?

                            I G 2 Replies Last reply Jun 11, 2022, 12:28 PM Reply Quote 1
                            • I
                              ibnkamala @gabacho4
                              last edited by Jun 11, 2022, 12:28 PM

                              @gabacho4 in both side routers IPsec is allowed to pass through,
                              Could you please tell me, what do you mean by "Then make the id for the local router “SideA” and the remote “SideB""?

                              I really appreciate you great help

                              G 1 Reply Last reply Jun 11, 2022, 12:33 PM Reply Quote 0
                              • G
                                gabacho4 Rebel Alliance @gabacho4
                                last edited by Jun 11, 2022, 12:29 PM

                                Also, just to emphasize, you really need to update the other side to pfsense 2.6.0. The IPSec settings and configuration between 2.4.5 and 2.6 have changed. It’s possible this will never work until you update.

                                1 Reply Last reply Reply Quote 1
                                • G
                                  gabacho4 Rebel Alliance @ibnkamala
                                  last edited by Jun 11, 2022, 12:33 PM

                                  @ibnkamala said in Ipsec Configuration not Working!:

                                  @gabacho4 in both side routers IPsec is allowed to pass through,
                                  Could you please tell me, what do you mean by "Then make the id for the local router “SideA” and the remote “SideB""?

                                  I really appreciate you great help

                                  Under:

                                  Phase 1 Proposal (Authentication) - change My Identifier to KeyID tag from My IP Address. Also change the Peer identifier to KeyID. Make My identifier KeyID tag value SiteA and peer identifier KeyID tag value SiteB. Then do the same thing on the other router except the My identifier will be SiteB and the peer will be SiteA

                                  I 1 Reply Last reply Jun 11, 2022, 12:53 PM Reply Quote 0
                                  • I
                                    ibnkamala @gabacho4
                                    last edited by Jun 11, 2022, 12:53 PM

                                    @gabacho4 is this correct?
                                    siteA-KeyTag.png siteB-KeyTag.png

                                    G 1 Reply Last reply Jun 11, 2022, 12:54 PM Reply Quote 0
                                    • G
                                      gabacho4 Rebel Alliance @ibnkamala
                                      last edited by gabacho4 Jun 11, 2022, 12:59 PM Jun 11, 2022, 12:54 PM

                                      @ibnkamala almost. Don't use the public IP. Literally just put SiteA and SiteB on the local machine and SiteB and SiteA on the remote one.

                                      98e868de-7e87-4fce-9227-7e598f513878-image.png

                                      I G 2 Replies Last reply Jun 11, 2022, 1:24 PM Reply Quote 1
                                      • I
                                        ibnkamala @gabacho4
                                        last edited by ibnkamala Jun 11, 2022, 1:24 PM Jun 11, 2022, 1:24 PM

                                        @gabacho4 still not working,

                                        siteA KeyTag values.png siteB-KeyTag values.png

                                        For more information I am already having a tunnel active on Pfsense 2.4.5 as we can see in the below photo!
                                        established.png

                                        G 1 Reply Last reply Jun 11, 2022, 1:28 PM Reply Quote 0
                                        • G
                                          gabacho4 Rebel Alliance @ibnkamala
                                          last edited by gabacho4 Jun 11, 2022, 1:29 PM Jun 11, 2022, 1:28 PM

                                          @ibnkamala can you disable the other ipsec connection and see if the one we're working on comes up? What version of PfSense is the S2S-VPN device running?

                                          Also would like to see the ipsec logs for both sides. You can get them at Status - System Logs - then click on IPsec.

                                          I 1 Reply Last reply Jun 11, 2022, 1:49 PM Reply Quote 0
                                          14 out of 66
                                          • First post
                                            14/66
                                            Last post
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                                            This community forum collects and processes your personal information.
                                            consent.not_received