Had To Manually Specify Identifier IP Address, No NAT Involved (bug?)
-
Came across a very odd VPN issue today between 2 pfSense boxes and I'm honestly baffled as to what the issue was, so figured I'd post to see if I could get more info.
VPN settings were configured identically in IPsec, but on the responder I kept getting "MAC mismatched after 13 tries", which seemed very odd to me since everything was 100% identical.
After some more digging I came across a post from a while back about having to manually specify the peer IP address on Phase 1 because someone's setup was behind NAT. I am NOT behind NAT and DO have a public IP address, but figured why not give it a shot; I did so, and everything worked perfectly.
Is this indicative of a bug somewhere in pfSense where it wasn't actually using the peer IP address as the address for the identifier? I'm going to dig through more logs but when I was doing so I didn't see any IP mismatches or anything weird like that.
-
@planedrop As some additional information, I was seeing this on the initiator side of things. Notice the %any in the logs; is this normal for something that is on a dynamic IP? I've set up the EXACT same setup on another pfSense box which is on a dynamic IP address and didn't have to specify the peer IP manually like I did here. By exact I mean the only difference being the physical pfSense box; even the same ISP is being used with the same exact modem and modem config.
Dec 15 15:27:45 charon 10972 06[CFG] local_addrs = %any
Dec 15 15:27:45 charon 10972 01[CFG] loaded IKE shared key with id 'ike-0' for: '%any', 'CorrectPublicIP'
Dec 15 15:25:51 charon 10972 05[CFG] local_addrs = %any
Dec 15 15:25:51 charon 10972 05[CFG] loaded IKE shared key with id 'ike-0' for: '%any', 'CorrectPublicIP'
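As an added diagnostic example (not from the original post, and not pfSense or strongSwan code), the script below groups charon `[CFG]` lines by timestamp and flags the attempts where `local_addrs` is `%any` and the IKE shared key was loaded for a `'%any'` identity, which is the symptom quoted above. The log text is constructed to match the quoted format; the Dec 16 lines, the address 203.0.113.10 and the PID/thread numbers are made up, and "CorrectPublicIP" stands in for the real address as in the post.

```python
import re

# Constructed sample log, modelled on the charon lines quoted in the post.
# The Dec 16 entries show what the same lines look like when an explicit
# local address is in use instead of the %any wildcard (hypothetical values).
SAMPLE_LOG = """\
Dec 15 15:27:45 charon 10972 06[CFG] local_addrs = %any
Dec 15 15:27:45 charon 10972 01[CFG] loaded IKE shared key with id 'ike-0' for: '%any', 'CorrectPublicIP'
Dec 15 15:25:51 charon 10972 05[CFG] local_addrs = %any
Dec 15 15:25:51 charon 10972 05[CFG] loaded IKE shared key with id 'ike-0' for: '%any', 'CorrectPublicIP'
Dec 16 09:00:02 charon 10972 07[CFG] local_addrs = 203.0.113.10
Dec 16 09:00:02 charon 10972 07[CFG] loaded IKE shared key with id 'ike-0' for: '203.0.113.10', 'CorrectPublicIP'
"""

TS_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d)")
LOCAL_ADDRS_RE = re.compile(r"\[CFG\] local_addrs = (\S+)")
PSK_RE = re.compile(r"\[CFG\] loaded IKE shared key with id '([^']+)' for: (.+)$")
QUOTED_RE = re.compile(r"'([^']*)'")


def parse_cfg_lines(log_text):
    """Group the [CFG] lines by syslog timestamp.

    Returns {timestamp: {"local_addrs": str|None, "psk_ids": [identities]}}.
    Grouping by the one-second syslog timestamp is a simplification: it is
    good enough for reading a config load, not for high-volume logs.
    """
    events = {}
    for line in log_text.splitlines():
        ts_match = TS_RE.match(line)
        if not ts_match:
            continue
        ts = ts_match.group(1)
        event = events.setdefault(ts, {"local_addrs": None, "psk_ids": []})
        m = LOCAL_ADDRS_RE.search(line)
        if m:
            event["local_addrs"] = m.group(1)
            continue
        m = PSK_RE.search(line)
        if m:
            # The PSK line lists the identities the key applies to, quoted and comma separated.
            event["psk_ids"] = QUOTED_RE.findall(m.group(2))
    return events


def wildcard_local_identity_events(log_text):
    """Timestamps where the local address is the %any wildcard and the PSK
    was loaded for a '%any' identity, i.e. no concrete local identifier."""
    return [
        ts
        for ts, event in parse_cfg_lines(log_text).items()
        if event["local_addrs"] == "%any" and "%any" in event["psk_ids"]
    ]


if __name__ == "__main__":
    for ts in wildcard_local_identity_events(SAMPLE_LOG):
        print(f"{ts}: local identity is the %any wildcard, not a concrete IP")
```

Run it against a copy of the IPsec log from Status > System Logs; every timestamp it prints is a config load where charon was working with the wildcard rather than the interface address, which is the thing to compare between the box that needed the manual peer IP and the one that did not.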
-
@planedrop When I don't specify the peer IP manually I do get authentication failure replies back to the initiator box as well, so it seems one pfSense unit isn't actually using its IP as the identifier when it's supposed to, which is why I think this might be a bug.
Will try to do some more digging but really curious if anyone has seen this before.