Netgate Discussion Forum
    Had To Manually Specify Identifier IP Address, No NAT Involved (bug?)

    IPsec
    3 Posts 1 Posters 922 Views

    • planedrop

      Came across a very odd VPN issue today between 2 pfSense boxes and I'm honestly baffled as to what the issue was, so figured I'd post to see if I could get more info.

      VPN settings were configured identically in IPsec, but on the responder I kept getting "MAC mismatched" after 13 tries, which seemed very odd to me since everything was 100% identical.

      After some more digging I came across a post from a while back talking about having to manually specify the peer IP address on Phase 1 due to someone's setup being behind NAT. I am NOT behind NAT and DO have a public IP address, but figured why not give it a shot; I did so and everything worked perfectly.

      Is this indicative of a bug somewhere in pfSense where it wasn't actually using the peer IP address as the address for the identifier? I'm going to dig through more logs, but when I was doing so I didn't see any IP mismatches or anything weird like that.

      • planedrop @planedrop

        @planedrop As some additional information, I was seeing this on the initiator side of things. Notice the %any in the logs; is this normal for something that is on a dynamic IP? I've set up the EXACT same setup on another pfSense box which is on a dynamic IP address and didn't have to specify the peer IP manually like I did here. By exact I mean the only difference being the physical pfSense box; even the same ISP is being used with the same exact modem and modem config.

        Dec 15 15:27:45 	charon 	10972 	06[CFG] local_addrs = %any
        Dec 15 15:27:45 	charon 	10972 	01[CFG] loaded IKE shared key with id 'ike-0' for: '%any', 'CorrectPublicIP'
        Dec 15 15:25:51 	charon 	10972 	05[CFG] local_addrs = %any
        Dec 15 15:25:51 	charon 	10972 	05[CFG] loaded IKE shared key with id 'ike-0' for: '%any', 'CorrectPublicIP'

        • planedrop @planedrop
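        As an added check (example code written for this thread, not from pfSense or strongSwan), the following Python parses charon `[CFG]` log lines like the ones quoted above and reports which identities each IKE shared key is bound to, flagging wildcard `%any` entries so you can see whether the key is pinned to a concrete local address or not. The sample input is the four log lines from the post, embedded as constructed data.

```python
import re
from dataclasses import dataclass

# Constructed sample: the charon lines quoted in the post above.
SAMPLE_LOG = """\
Dec 15 15:27:45 \tcharon \t10972 \t06[CFG] local_addrs = %any
Dec 15 15:27:45 \tcharon \t10972 \t01[CFG] loaded IKE shared key with id 'ike-0' for: '%any', 'CorrectPublicIP'
Dec 15 15:25:51 \tcharon \t10972 \t05[CFG] local_addrs = %any
Dec 15 15:25:51 \tcharon \t10972 \t05[CFG] loaded IKE shared key with id 'ike-0' for: '%any', 'CorrectPublicIP'
"""

LOCAL_ADDRS_RE = re.compile(r"\[CFG\] local_addrs = (?P<addrs>.+)$")
PSK_RE = re.compile(
    r"\[CFG\] loaded IKE shared key with id '(?P<id>[^']+)' for: (?P<ids>.+)$")
QUOTED_RE = re.compile(r"'([^']*)'")


@dataclass
class PskBinding:
    """One 'loaded IKE shared key' line: key id plus the identities it is bound to."""
    key_id: str
    identities: list

    def has_wildcard(self) -> bool:
        return "%any" in self.identities


def parse_charon_cfg(text: str):
    """Return (local_addrs values, list of PskBinding) found in charon [CFG] lines."""
    local_addrs, psks = [], []
    for line in text.splitlines():
        m = LOCAL_ADDRS_RE.search(line)
        if m:
            local_addrs.append(m.group("addrs").strip())
            continue
        m = PSK_RE.search(line)
        if m:
            psks.append(PskBinding(m.group("id"), QUOTED_RE.findall(m.group("ids"))))
    return local_addrs, psks


def wildcard_findings(text: str) -> list:
    """Human-readable, de-duplicated findings for every wildcard (%any) binding."""
    local_addrs, psks = parse_charon_cfg(text)
    findings = []
    if local_addrs and all(a == "%any" for a in local_addrs):
        findings.append("local_addrs is %any: charon is not bound to a specific local address")
    for p in psks:
        if p.has_wildcard():
            findings.append(f"PSK {p.key_id} bound to wildcard identity: {p.identities}")
    return list(dict.fromkeys(findings))
```

Run it against your own IPsec log export to compare the bindings on the box that works with the one that needs the peer IP set manually.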

          @planedrop When I don't specify the peer IP manually, I do get authentication failure replies back to the initiator box as well, so it seems one pfSense unit isn't actually using its IP as the identifier when it's supposed to, which is why I think this might be a bug.

          Will try to do some more digging but really curious if anyone has seen this before.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.