Netgate Discussion Forum
    IPSec DNAT not working

    47 Posts 2 Posters 5.1k Views
      viragomann @Matt_Sharpe

      @Matt_Sharpe
      OK, the virtual IP should not really be needed. You can also apply NAT rules without it.
      You have to switch the IPsec Filter Mode in the IPsec Advanced Settings to "Filter IPsec VTI and Transport on assigned interfaces, block all tunnel mode traffic".
      However, this only works if all your IPsec tunnels are VTI! If that is not the case, you cannot use it.

        Matt_Sharpe @viragomann

        @viragomann Unfortunately, we have 2 tunnels; the other one, into Azure, is a tunnel-based IPsec.

        Do we have any other options?

          viragomann @Matt_Sharpe

          @Matt_Sharpe
          This is the only way to get traditional NAT rules working on IPsec.

          The only other option is routed IPsec with BINAT. But I don't know if this works simultaneously with a VTI tunnel. I assume it should.
          Maybe the setting and the log can shed some light.

            Matt_Sharpe @viragomann

            @viragomann I added the second Phase 2 IPsec (tunnel mode). Here are the IPsec logs shortly after enabling the tunnel. I've changed IP addresses for security.

            PART 1

            Last 500 IPsec Log Entries. (Maximum 500)
            Jan 16 14:40:07 charon 75651 06[CFG] vici client 1276 disconnected
            Jan 16 14:40:07 charon 75651 12[CFG] updated vici connection: con2
            Jan 16 14:40:07 charon 75651 12[CFG] id = CUSTOMER_WAN_IP
            Jan 16 14:40:07 charon 75651 12[CFG] class = pre-shared key
            Jan 16 14:40:07 charon 75651 12[CFG] remote:
            Jan 16 14:40:07 charon 75651 12[CFG] id = PROVIDER_WAN_IP
            Jan 16 14:40:07 charon 75651 12[CFG] class = pre-shared key
            Jan 16 14:40:07 charon 75651 12[CFG] local:
            Jan 16 14:40:07 charon 75651 12[CFG] if_id_out = 0
            Jan 16 14:40:07 charon 75651 12[CFG] if_id_in = 0
            Jan 16 14:40:07 charon 75651 12[CFG] proposals = IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
            Jan 16 14:40:07 charon 75651 12[CFG] rand_time = 2880
            Jan 16 14:40:07 charon 75651 12[CFG] over_time = 2880
            Jan 16 14:40:07 charon 75651 12[CFG] rekey_time = 25920
            Jan 16 14:40:07 charon 75651 12[CFG] reauth_time = 0
            Jan 16 14:40:07 charon 75651 12[CFG] keyingtries = 1
            Jan 16 14:40:07 charon 75651 12[CFG] unique = UNIQUE_REPLACE
            Jan 16 14:40:07 charon 75651 12[CFG] childless = 0
            Jan 16 14:40:07 charon 75651 12[CFG] fragmentation = 2
            Jan 16 14:40:07 charon 75651 12[CFG] dpd_timeout = 0
            Jan 16 14:40:07 charon 75651 12[CFG] dpd_delay = 30
            Jan 16 14:40:07 charon 75651 12[CFG] encap = 0
            Jan 16 14:40:07 charon 75651 12[CFG] dscp = 0x00
            Jan 16 14:40:07 charon 75651 12[CFG] aggressive = 0
            Jan 16 14:40:07 charon 75651 12[CFG] mobike = 0
            Jan 16 14:40:07 charon 75651 12[CFG] ppk_required = 0
            Jan 16 14:40:07 charon 75651 12[CFG] ppk_id = (null)
            Jan 16 14:40:07 charon 75651 12[CFG] send_cert = CERT_SEND_IF_ASKED
            Jan 16 14:40:07 charon 75651 12[CFG] send_certreq = 1
            Jan 16 14:40:07 charon 75651 12[CFG] remote_port = 500
            Jan 16 14:40:07 charon 75651 12[CFG] local_port = 500
            Jan 16 14:40:07 charon 75651 12[CFG] remote_addrs = CUSTOMER_WAN_IP
            Jan 16 14:40:07 charon 75651 12[CFG] local_addrs = PROVIDER_WAN_IP
            Jan 16 14:40:07 charon 75651 12[CFG] version = 2
            Jan 16 14:40:07 charon 75651 12[CFG] copy_dscp = out
            Jan 16 14:40:07 charon 75651 12[CFG] copy_ecn = 1
            Jan 16 14:40:07 charon 75651 12[CFG] copy_df = 1
            Jan 16 14:40:07 charon 75651 12[CFG] sha256_96 = 0
            Jan 16 14:40:07 charon 75651 12[CFG] hw_offload = no
            Jan 16 14:40:07 charon 75651 12[CFG] remote_ts = CUSTOMER_LAN_RANGE|/0 0.0.0.0/0|/0 ::/0|/0
            Jan 16 14:40:07 charon 75651 12[CFG] local_ts = SITE2_LAN_IP/32|SITE2_ISOLATED_LAN_IP/32 0.0.0.0/0|/0 ::/0|/0
            Jan 16 14:40:07 charon 75651 12[CFG] proposals = ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
            Jan 16 14:40:07 charon 75651 12[CFG] inactivity = 0
            Jan 16 14:40:07 charon 75651 12[CFG] label_mode = system
            Jan 16 14:40:07 charon 75651 12[CFG] label = (null)
            Jan 16 14:40:07 charon 75651 12[CFG] set_mark_out = 0/0
            Jan 16 14:40:07 charon 75651 12[CFG] set_mark_in = 0/0
            Jan 16 14:40:07 charon 75651 12[CFG] mark_out = 0/0
            Jan 16 14:40:07 charon 75651 12[CFG] mark_in_sa = 0
            Jan 16 14:40:07 charon 75651 12[CFG] mark_in = 0/0
            Jan 16 14:40:07 charon 75651 12[CFG] if_id_out = 0
            Jan 16 14:40:07 charon 75651 12[CFG] if_id_in = 0
            Jan 16 14:40:07 charon 75651 12[CFG] interface = (null)
            Jan 16 14:40:07 charon 75651 12[CFG] priority = 0
            Jan 16 14:40:07 charon 75651 12[CFG] tfc = 0
            Jan 16 14:40:07 charon 75651 12[CFG] reqid = 5003
            Jan 16 14:40:07 charon 75651 12[CFG] close_action = none
            Jan 16 14:40:07 charon 75651 12[CFG] start_action = start
            Jan 16 14:40:07 charon 75651 12[CFG] dpd_action = start
            Jan 16 14:40:07 charon 75651 12[CFG] policies_fwd_out = 0
            Jan 16 14:40:07 charon 75651 12[CFG] policies = 1
            Jan 16 14:40:07 charon 75651 12[CFG] mode = TUNNEL
            Jan 16 14:40:07 charon 75651 12[CFG] ipcomp = 0
            Jan 16 14:40:07 charon 75651 12[CFG] hostaccess = 0
            Jan 16 14:40:07 charon 75651 12[CFG] updown = (null)
            Jan 16 14:40:07 charon 75651 12[CFG] rand_packets = 0
            Jan 16 14:40:07 charon 75651 12[CFG] life_packets = 0
            Jan 16 14:40:07 charon 75651 12[CFG] rekey_packets = 0
            Jan 16 14:40:07 charon 75651 12[CFG] rand_bytes = 0
            Jan 16 14:40:07 charon 75651 12[CFG] life_bytes = 0
            Jan 16 14:40:07 charon 75651 12[CFG] rekey_bytes = 0
            Jan 16 14:40:07 charon 75651 12[CFG] rand_time = 360
            Jan 16 14:40:07 charon 75651 12[CFG] life_time = 3600
            Jan 16 14:40:07 charon 75651 12[CFG] rekey_time = 3240
            Jan 16 14:40:07 charon 75651 12[CFG] child con2_3:
            Jan 16 14:40:07 charon 75651 12[CFG] copy_dscp = out
            Jan 16 14:40:07 charon 75651 12[CFG] copy_ecn = 1
            Jan 16 14:40:07 charon 75651 12[CFG] copy_df = 1
            Jan 16 14:40:07 charon 75651 12[CFG] sha256_96 = 0
            Jan 16 14:40:07 charon 75651 12[CFG] hw_offload = no
            Jan 16 14:40:07 charon 75651 12[CFG] remote_ts = VTI_CUSTOMER_IP/32|/0 0.0.0.0/0|/0 ::/0|/0
            Jan 16 14:40:07 charon 75651 12[CFG] local_ts = VTI_SITE2_IP/32|/0 0.0.0.0/0|/0 ::/0|/0
            Jan 16 14:40:07 charon 75651 12[CFG] proposals = ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
            Jan 16 14:40:07 charon 75651 12[CFG] inactivity = 0
            Jan 16 14:40:07 charon 75651 12[CFG] label_mode = system
            Jan 16 14:40:07 charon 75651 12[CFG] label = (null)
            Jan 16 14:40:07 charon 75651 12[CFG] set_mark_out = 0/0
            Jan 16 14:40:07 charon 75651 12[CFG] set_mark_in = 0/0
            Jan 16 14:40:07 charon 75651 12[CFG] mark_out = 0/0
            Jan 16 14:40:07 charon 75651 12[CFG] mark_in_sa = 0
            Jan 16 14:40:07 charon 75651 12[CFG] mark_in = 0/0
            Jan 16 14:40:07 charon 75651 12[CFG] if_id_out = 0
            Jan 16 14:40:07 charon 75651 12[CFG] if_id_in = 0
            Jan 16 14:40:07 charon 75651 12[CFG] interface = (null)
            Jan 16 14:40:07 charon 75651 12[CFG] priority = 0
            Jan 16 14:40:07 charon 75651 12[CFG] tfc = 0
            Jan 16 14:40:07 charon 75651 12[CFG] reqid = 5002
            Jan 16 14:40:07 charon 75651 12[CFG] close_action = none
            Jan 16 14:40:07 charon 75651 12[CFG] start_action = start
            Jan 16 14:40:07 charon 75651 12[CFG] dpd_action = start
            Jan 16 14:40:07 charon 75651 12[CFG] policies_fwd_out = 0
            Jan 16 14:40:07 charon 75651 12[CFG] policies = 0
            Jan 16 14:40:07 charon 75651 12[CFG] mode = TUNNEL
            Jan 16 14:40:07 charon 75651 12[CFG] ipcomp = 0
            Jan 16 14:40:07 charon 75651 12[CFG] hostaccess = 0
            Jan 16 14:40:07 charon 75651 12[CFG] updown = (null)
            Jan 16 14:40:07 charon 75651 12[CFG] rand_packets = 0
            Jan 16 14:40:07 charon 75651 12[CFG] life_packets = 0
            Jan 16 14:40:07 charon 75651 12[CFG] rekey_packets = 0
            Jan 16 14:40:07 charon 75651 12[CFG] rand_bytes = 0
            Jan 16 14:40:07 charon 75651 12[CFG] life_bytes = 0
            Jan 16 14:40:07 charon 75651 12[CFG] rekey_bytes = 0
            Jan 16 14:40:07 charon 75651 12[CFG] rand_time = 360
            Jan 16 14:40:07 charon 75651 12[CFG] life_time = 3600
            Jan 16 14:40:07 charon 75651 12[CFG] rekey_time = 3240
            Jan 16 14:40:07 charon 75651 12[CFG] child con2_2:
            Jan 16 14:40:07 charon 75651 12[CFG] conn con2:
            Jan 16 14:40:07 charon 75651 12[CFG] vici client 1276 requests: load-conn
            Jan 16 14:40:07 charon 75651 12[CFG] updated vici connection: con1
            Jan 16 14:40:07 charon 75651 12[CFG] id = AZURE_IP
            Jan 16 14:40:07 charon 75651 12[CFG] class = pre-shared key
            Jan 16 14:40:07 charon 75651 12[CFG] remote:
            Jan 16 14:40:07 charon 75651 12[CFG] id = PROVIDER_WAN_IP
            Jan 16 14:40:07 charon 75651 12[CFG] class = pre-shared key
            Jan 16 14:40:07 charon 75651 12[CFG] local:
            Jan 16 14:40:07 charon 75651 12[CFG] if_id_out = 0
            Jan 16 14:40:07 charon 75651 12[CFG] if_id_in = 0
            Jan 16 14:40:07 charon 75651 12[CFG] proposals = IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
            Jan 16 14:40:07 charon 75651 12[CFG] rand_time = 2880
            Jan 16 14:40:07 charon 75651 12[CFG] over_time = 2880
            Jan 16 14:40:07 charon 75651 12[CFG] rekey_time = 0
            Jan 16 14:40:07 charon 75651 12[CFG] reauth_time = 25920
            Jan 16 14:40:07 charon 75651 12[CFG] keyingtries = 1
            Jan 16 14:40:07 charon 75651 12[CFG] unique = UNIQUE_REPLACE
            Jan 16 14:40:07 charon 75651 12[CFG] childless = 0
            Jan 16 14:40:07 charon 75651 12[CFG] fragmentation = 2
            Jan 16 14:40:07 charon 75651 12[CFG] dpd_timeout = 60
            Jan 16 14:40:07 charon 75651 12[CFG] dpd_delay = 10
            Jan 16 14:40:07 charon 75651 12[CFG] encap = 0
            Jan 16 14:40:07 charon 75651 12[CFG] dscp = 0x00
            Jan 16 14:40:07 charon 75651 12[CFG] aggressive = 0
            Jan 16 14:40:07 charon 75651 12[CFG] mobike = 0
            Jan 16 14:40:07 charon 75651 12[CFG] ppk_required = 0
            Jan 16 14:40:07 charon 75651 12[CFG] ppk_id = (null)
            Jan 16 14:40:07 charon 75651 12[CFG] send_cert = CERT_SEND_IF_ASKED
            Jan 16 14:40:07 charon 75651 12[CFG] send_certreq = 1
            Jan 16 14:40:07 charon 75651 12[CFG] remote_port = 500
            Jan 16 14:40:07 charon 75651 12[CFG] local_port = 500
            Jan 16 14:40:07 charon 75651 12[CFG] remote_addrs = AZURE_IP
            Jan 16 14:40:07 charon 75651 12[CFG] local_addrs = PROVIDER_WAN_IP
            Jan 16 14:40:07 charon 75651 12[CFG] version = 1
            Jan 16 14:40:07 charon 75651 12[CFG] copy_dscp = out
            Jan 16 14:40:07 charon 75651 12[CFG] copy_ecn = 1
            Jan 16 14:40:07 charon 75651 12[CFG] copy_df = 1
            Jan 16 14:40:07 charon 75651 12[CFG] sha256_96 = 0
            Jan 16 14:40:07 charon 75651 12[CFG] hw_offload = no
            Jan 16 14:40:07 charon 75651 12[CFG] remote_ts = AZURE_LAN|/0
            Jan 16 14:40:07 charon 75651 12[CFG] local_ts = SITE2_LAN|/0
            Jan 16 14:40:07 charon 75651 12[CFG] proposals = ESP:AES_GCM_16_256/NO_EXT_SEQ, ESP:AES_GCM_12_256/NO_EXT_SEQ, ESP:AES_GCM_8_256/NO_EXT_SEQ, ESP:AES_GCM_16_128/NO_EXT_SEQ, ESP:AES_GCM_12_128/NO_EXT_SEQ, ESP:AES_GCM_8_128/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
            Jan 16 14:40:07 charon 75651 12[CFG] inactivity = 0
            Jan 16 14:40:07 charon 75651 12[CFG] label_mode = system
            Jan 16 14:40:07 charon 75651 12[CFG] label = (null)
            Jan 16 14:40:07 charon 75651 12[CFG] set_mark_out = 0/0
            Jan 16 14:40:07 charon 75651 12[CFG] set_mark_in = 0/0
            Jan 16 14:40:07 charon 75651 12[CFG] mark_out = 0/0
            Jan 16 14:40:07 charon 75651 12[CFG] mark_in_sa = 0
            Jan 16 14:40:07 charon 75651 12[CFG] mark_in = 0/0
            Jan 16 14:40:07 charon 75651 12[CFG] if_id_out = 0
            Jan 16 14:40:07 charon 75651 12[CFG] if_id_in = 0
            Jan 16 14:40:07 charon 75651 12[CFG] interface = (null)
            Jan 16 14:40:07 charon 75651 12[CFG] priority = 0
            Jan 16 14:40:07 charon 75651 12[CFG] tfc = 0
            Jan 16 14:40:07 charon 75651 12[CFG] reqid = 0
            Jan 16 14:40:07 charon 75651 12[CFG] close_action = none
            Jan 16 14:40:07 charon 75651 12[CFG] start_action = trap
            Jan 16 14:40:07 charon 75651 12[CFG] dpd_action = trap
            Jan 16 14:40:07 charon 75651 12[CFG] policies_fwd_out = 0
            Jan 16 14:40:07 charon 75651 12[CFG] policies = 1
            Jan 16 14:40:07 charon 75651 12[CFG] mode = TUNNEL
            Jan 16 14:40:07 charon 75651 12[CFG] ipcomp = 0
            Jan 16 14:40:07 charon 75651 12[CFG] hostaccess = 0
            Jan 16 14:40:07 charon 75651 12[CFG] updown = (null)
            Jan 16 14:40:07 charon 75651 12[CFG] rand_packets = 0
            Jan 16 14:40:07 charon 75651 12[CFG] life_packets = 0
            Jan 16 14:40:07 charon 75651 12[CFG] rekey_packets = 0
            Jan 16 14:40:07 charon 75651 12[CFG] rand_bytes = 0
            Jan 16 14:40:07 charon 75651 12[CFG] life_bytes = 0
            Jan 16 14:40:07 charon 75651 12[CFG] rekey_bytes = 0
            Jan 16 14:40:07 charon 75651 12[CFG] rand_time = 360
            Jan 16 14:40:07 charon 75651 12[CFG] life_time = 3600
            Jan 16 14:40:07 charon 75651 12[CFG] rekey_time = 3240
            Jan 16 14:40:07 charon 75651 12[CFG] child con1_1:
            Jan 16 14:40:07 charon 75651 12[CFG] conn con1:
            Jan 16 14:40:07 charon 75651 12[CFG] vici client 1276 requests: load-conn
            Jan 16 14:40:07 charon 75651 12[CFG] updated vici connection: bypass
            Jan 16 14:40:07 charon 75651 12[CFG] remote:
            Jan 16 14:40:07 charon 75651 12[CFG] local:
            Jan 16 14:40:07 charon 75651 12[CFG] if_id_out = 0
            Jan 16 14:40:07 charon 75651 12[CFG] if_id_in = 0
            Jan 16 14:40:07 charon 75651 12[CFG] proposals = IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/CHACHA20_POLY1305/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
            Jan 16 14:40:07 charon 75651 12[CFG] rand_time = 1440
            Jan 16 14:40:07 charon 75651 12[CFG] over_time = 1440
            Jan 16 14:40:07 charon 75651 12[CFG] rekey_time = 14400
            Jan 16 14:40:07 charon 75651 12[CFG] reauth_time = 0
            Jan 16 14:40:07 charon 75651 12[CFG] keyingtries = 1
            Jan 16 14:40:07 charon 75651 12[CFG] unique = UNIQUE_NO
            Jan 16 14:40:07 charon 75651 12[CFG] childless = 0
            Jan 16 14:40:07 charon 75651 12[CFG] fragmentation = 2
            Jan 16 14:40:07 charon 75651 12[CFG] dpd_timeout = 0
            Jan 16 14:40:07 charon 75651 12[CFG] dpd_delay = 0
            Jan 16 14:40:07 charon 75651 12[CFG] encap = 0
            Jan 16 14:40:07 charon 75651 12[CFG] dscp = 0x00
            Jan 16 14:40:07 charon 75651 12[CFG] aggressive = 0
            Jan 16 14:40:07 charon 75651 12[CFG] mobike = 1
            Jan 16 14:40:07 charon 75651 12[CFG] ppk_required = 0
            Jan 16 14:40:07 charon 75651 12[CFG] ppk_id = (null)
            Jan 16 14:40:07 charon 75651 12[CFG] send_cert = CERT_SEND_IF_ASKED
            Jan 16 14:40:07 charon 75651 12[CFG] send_certreq = 1
            Jan 16 14:40:07 charon 75651 12[CFG] remote_port = 500
            Jan 16 14:40:07 charon 75651 12[CFG] local_port = 500
            Jan 16 14:40:07 charon 75651 12[CFG] remote_addrs = 127.0.0.1
            Jan 16 14:40:07 charon 75651 12[CFG] local_addrs = %any
            Jan 16 14:40:07 charon 75651 12[CFG] version = 0
            Jan 16 14:40:07 charon 75651 12[CFG] copy_dscp = out
            Jan 16 14:40:07 charon 75651 12[CFG] copy_ecn = 1
            Jan 16 14:40:07 charon 75651 12[CFG] copy_df = 1
            Jan 16 14:40:07 charon 75651 12[CFG] sha256_96 = 0
            Jan 16 14:40:07 charon 75651 12[CFG] hw_offload = no
            Jan 16 14:40:07 charon 75651 12[CFG] remote_ts = SITE2_LAN|/0
            Jan 16 14:40:07 charon 75651 12[CFG] local_ts = SITE2_LAN|/0
            Jan 16 14:40:07 charon 75651 12[CFG] proposals = ESP:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
            Jan 16 14:40:07 charon 75651 12[CFG] inactivity = 0
            Jan 16 14:40:07 charon 75651 12[CFG] label_mode = system
            Jan 16 14:40:07 charon 75651 12[CFG] label = (null)
            Jan 16 14:40:07 charon 75651 12[CFG] set_mark_out = 0/0
            Jan 16 14:40:07 charon 75651 12[CFG] set_mark_in = 0/0
            Jan 16 14:40:07 charon 75651 12[CFG] mark_out = 0/0
            Jan 16 14:40:07 charon 75651 12[CFG] mark_in_sa = 0
            Jan 16 14:40:07 charon 75651 12[CFG] mark_in = 0/0
            Jan 16 14:40:07 charon 75651 12[CFG] if_id_out = 0
            Jan 16 14:40:07 charon 75651 12[CFG] if_id_in = 0
            Jan 16 14:40:07 charon 75651 12[CFG] interface = (null)
            Jan 16 14:40:07 charon 75651 12[CFG] priority = 0
            Jan 16 14:40:07 charon 75651 12[CFG] tfc = 0
            Jan 16 14:40:07 charon 75651 12[CFG] reqid = 0
            Jan 16 14:40:07 charon 75651 12[CFG] close_action = none
            Jan 16 14:40:07 charon 75651 12[CFG] start_action = trap
            Jan 16 14:40:07 charon 75651 12[CFG] dpd_action = none
            Jan 16 14:40:07 charon 75651 12[CFG] policies_fwd_out = 0

              Matt_Sharpe @Matt_Sharpe

              PART 2

              Jan 16 14:40:07 charon 75651 12[CFG] policies = 1
              Jan 16 14:40:07 charon 75651 12[CFG] mode = PASS
              Jan 16 14:40:07 charon 75651 12[CFG] ipcomp = 0
              Jan 16 14:40:07 charon 75651 12[CFG] hostaccess = 0
              Jan 16 14:40:07 charon 75651 12[CFG] updown = (null)
              Jan 16 14:40:07 charon 75651 12[CFG] rand_packets = 0
              Jan 16 14:40:07 charon 75651 12[CFG] life_packets = 0
              Jan 16 14:40:07 charon 75651 12[CFG] rekey_packets = 0
              Jan 16 14:40:07 charon 75651 12[CFG] rand_bytes = 0
              Jan 16 14:40:07 charon 75651 12[CFG] life_bytes = 0
              Jan 16 14:40:07 charon 75651 12[CFG] rekey_bytes = 0
              Jan 16 14:40:07 charon 75651 12[CFG] rand_time = 360
              Jan 16 14:40:07 charon 75651 12[CFG] life_time = 3960
              Jan 16 14:40:07 charon 75651 12[CFG] rekey_time = 3600
              Jan 16 14:40:07 charon 75651 12[CFG] child bypasslan:
              Jan 16 14:40:07 charon 75651 12[CFG] conn bypass:
              Jan 16 14:40:07 charon 75651 12[CFG] vici client 1276 requests: load-conn
              Jan 16 14:40:07 charon 75651 12[CFG] vici client 1276 requests: get-conns
              Jan 16 14:40:07 charon 75651 12[CFG] vici client 1276 requests: get-pools
              Jan 16 14:40:07 charon 75651 12[CFG] vici client 1276 requests: get-authorities
              Jan 16 14:40:07 charon 75651 12[CFG] loaded IKE shared key with id 'ike-1' for: '%any', 'CUSTOMER_WAN_IP'
              Jan 16 14:40:07 charon 75651 12[CFG] vici client 1276 requests: load-shared
              Jan 16 14:40:07 charon 75651 12[CFG] loaded IKE shared key with id 'ike-0' for: '%any', 'AZURE_IP'
              Jan 16 14:40:07 charon 75651 12[CFG] vici client 1276 requests: load-shared
              Jan 16 14:40:07 charon 75651 12[CFG] vici client 1276 requests: get-shared
              Jan 16 14:40:07 charon 75651 14[CFG] vici client 1276 requests: get-keys
              Jan 16 14:40:07 charon 75651 14[CFG] vici client 1276 connected
              Jan 16 14:40:07 charon 75651 07[CFG] vici client 1275 disconnected
              Jan 16 14:40:07 charon 75651 07[CFG] loaded 0 RADIUS server configurations
              Jan 16 14:40:07 charon 75651 07[CFG] loaded 0 entries for attr plugin configuration
              Jan 16 14:40:07 charon 75651 07[CFG] ipseckey plugin is disabled
              Jan 16 14:40:07 charon 75651 07[CFG] vici client 1275 requests: reload-settings
              Jan 16 14:40:07 charon 75651 14[CFG] vici client 1275 connected
              Jan 16 14:40:07 charon 75651 05[IKE] <con2|4> keeping statically configured path PROVIDER_WAN_IP - CUSTOMER_WAN_IP
              Jan 16 14:40:07 charon 75651 05[KNL] VTI_SITE2_IP appeared on ipsec2
              Jan 16 14:40:07 charon 75651 13[KNL] interface ipsec2 appeared
              Jan 16 14:40:07 charon 75651 13[KNL] interface ipsec2 disappeared
              Jan 16 14:40:07 charon 75651 09[KNL] interface ipsec2 deactivated
              Jan 16 14:40:07 charon 75651 09[KNL] VTI_SITE2_IP disappeared from ipsec2
              Jan 16 14:40:06 charon 75651 09[IKE] <con1|3> nothing to initiate
              Jan 16 14:40:06 charon 75651 09[IKE] <con1|3> activating new tasks
              Jan 16 14:40:06 charon 75651 09[NET] <con1|3> sending packet: from PROVIDER_WAN_IP[500] to AZURE_IP[500] (92 bytes)
              Jan 16 14:40:06 charon 75651 09[ENC] <con1|3> generating INFORMATIONAL_V1 request 2819744997 [ HASH N(DPD_ACK) ]
              Jan 16 14:40:06 charon 75651 09[IKE] <con1|3> activating ISAKMP_DPD task
              Jan 16 14:40:06 charon 75651 09[IKE] <con1|3> activating new tasks
              Jan 16 14:40:06 charon 75651 09[IKE] <con1|3> queueing ISAKMP_DPD task
              Jan 16 14:40:06 charon 75651 09[ENC] <con1|3> parsed INFORMATIONAL_V1 request 1404219913 [ HASH N(DPD) ]
              Jan 16 14:40:06 charon 75651 09[NET] <con1|3> received packet: from AZURE_IP[500] to PROVIDER_WAN_IP[500] (92 bytes)
              Jan 16 14:40:05 charon 75651 09[CFG] vici client 1274 disconnected
              Jan 16 14:40:05 charon 75651 09[CFG] vici client 1274 requests: list-sas
              Jan 16 14:40:05 charon 75651 15[CFG] vici client 1274 registered for: list-sa
              Jan 16 14:40:05 charon 75651 15[CFG] vici client 1274 connected
              Jan 16 14:40:02 charon 75651 09[IKE] <con1|3> nothing to initiate
              Jan 16 14:40:02 charon 75651 09[IKE] <con1|3> activating new tasks
              Jan 16 14:40:02 charon 75651 09[ENC] <con1|3> parsed INFORMATIONAL_V1 request 1532146135 [ HASH N(DPD_ACK) ]
              Jan 16 14:40:02 charon 75651 09[NET] <con1|3> received packet: from AZURE_IP[500] to PROVIDER_WAN_IP[500] (92 bytes)
              Jan 16 14:40:02 charon 75651 09[IKE] <con1|3> nothing to initiate
              Jan 16 14:40:02 charon 75651 09[IKE] <con1|3> activating new tasks
              Jan 16 14:40:02 charon 75651 09[NET] <con1|3> sending packet: from PROVIDER_WAN_IP[500] to AZURE_IP[500] (92 bytes)
              Jan 16 14:40:02 charon 75651 09[ENC] <con1|3> generating INFORMATIONAL_V1 request 1473236439 [ HASH N(DPD) ]
              Jan 16 14:40:02 charon 75651 09[IKE] <con1|3> activating ISAKMP_DPD task
              Jan 16 14:40:02 charon 75651 09[IKE] <con1|3> activating new tasks
              Jan 16 14:40:02 charon 75651 09[IKE] <con1|3> queueing ISAKMP_DPD task
              Jan 16 14:40:02 charon 75651 09[IKE] <con1|3> sending DPD request
              Jan 16 14:40:00 charon 75651 09[CFG] vici client 1273 disconnected
              Jan 16 14:40:00 charon 75651 15[CFG] vici client 1273 requests: list-sas
              Jan 16 14:40:00 charon 75651 11[CFG] vici client 1273 registered for: list-sa
              Jan 16 14:40:00 charon 75651 11[CFG] vici client 1273 connected
              Jan 16 14:39:55 charon 75651 15[CFG] vici client 1272 disconnected
              Jan 16 14:39:55 charon 75651 11[CFG] vici client 1272 requests: list-sas
              Jan 16 14:39:55 charon 75651 08[CFG] vici client 1272 registered for: list-sa
              Jan 16 14:39:55 charon 75651 11[CFG] vici client 1272 connected
              Jan 16 14:39:52 charon 75651 08[IKE] <con1|3> nothing to initiate
              Jan 16 14:39:52 charon 75651 08[IKE] <con1|3> activating new tasks
              Jan 16 14:39:52 charon 75651 08[NET] <con1|3> sending packet: from PROVIDER_WAN_IP[500] to AZURE_IP[500] (92 bytes)
              Jan 16 14:39:52 charon 75651 08[ENC] <con1|3> generating INFORMATIONAL_V1 request 316903062 [ HASH N(DPD_ACK) ]
              Jan 16 14:39:52 charon 75651 08[IKE] <con1|3> activating ISAKMP_DPD task
              Jan 16 14:39:52 charon 75651 08[IKE] <con1|3> activating new tasks
              Jan 16 14:39:52 charon 75651 08[IKE] <con1|3> queueing ISAKMP_DPD task
              Jan 16 14:39:52 charon 75651 08[ENC] <con1|3> parsed INFORMATIONAL_V1 request 2810856974 [ HASH N(DPD) ]
              Jan 16 14:39:52 charon 75651 08[NET] <con1|3> received packet: from AZURE_IP[500] to PROVIDER_WAN_IP[500] (92 bytes)
              Jan 16 14:39:50 charon 75651 08[CFG] vici client 1271 disconnected
              Jan 16 14:39:50 charon 75651 16[CFG] vici client 1271 requests: list-sas
              Jan 16 14:39:50 charon 75651 16[CFG] vici client 1271 registered for: list-sa
              Jan 16 14:39:50 charon 75651 16[CFG] vici client 1271 connected
              Jan 16 14:39:48 charon 75651 11[IKE] <con1|3> nothing to initiate
              Jan 16 14:39:48 charon 75651 11[IKE] <con1|3> activating new tasks
              Jan 16 14:39:48 charon 75651 11[ENC] <con1|3> parsed INFORMATIONAL_V1 request 1390613614 [ HASH N(DPD_ACK) ]
              Jan 16 14:39:48 charon 75651 11[NET] <con1|3> received packet: from AZURE_IP[500] to PROVIDER_WAN_IP[500] (92 bytes)
              Jan 16 14:39:48 charon 75651 11[IKE] <con1|3> nothing to initiate
              Jan 16 14:39:48 charon 75651 11[IKE] <con1|3> activating new tasks
              Jan 16 14:39:48 charon 75651 11[NET] <con1|3> sending packet: from PROVIDER_WAN_IP[500] to AZURE_IP[500] (92 bytes)
              Jan 16 14:39:48 charon 75651 11[ENC] <con1|3> generating INFORMATIONAL_V1 request 2462119987 [ HASH N(DPD) ]
              Jan 16 14:39:48 charon 75651 11[IKE] <con1|3> activating ISAKMP_DPD task
              Jan 16 14:39:48 charon 75651 11[IKE] <con1|3> activating new tasks
              Jan 16 14:39:48 charon 75651 11[IKE] <con1|3> queueing ISAKMP_DPD task
              Jan 16 14:39:48 charon 75651 11[IKE] <con1|3> sending DPD request
              Jan 16 14:39:45 charon 75651 11[CFG] vici client 1270 disconnected
              Jan 16 14:39:45 charon 75651 16[CFG] vici client 1270 requests: list-sas
              Jan 16 14:39:45 charon 75651 06[CFG] vici client 1270 registered for: list-sa
              Jan 16 14:39:45 charon 75651 06[CFG] vici client 1270 connected
              Jan 16 14:39:39 charon 75651 06[CFG] vici client 1269 disconnected
              Jan 16 14:39:39 charon 75651 16[CFG] vici client 1269 requests: list-sas
              Jan 16 14:39:39 charon 75651 10[CFG] vici client 1269 registered for: list-sa
              Jan 16 14:39:39 charon 75651 10[CFG] vici client 1269 connected
              Jan 16 14:39:38 charon 75651 16[IKE] <con1|3> nothing to initiate
              Jan 16 14:39:38 charon 75651 16[IKE] <con1|3> activating new tasks
              Jan 16 14:39:38 charon 75651 16[NET] <con1|3> sending packet: from PROVIDER_WAN_IP[500] to AZURE_IP[500] (92 bytes)
              Jan 16 14:39:38 charon 75651 16[ENC] <con1|3> generating INFORMATIONAL_V1 request 1385749720 [ HASH N(DPD_ACK) ]
              Jan 16 14:39:38 charon 75651 16[IKE] <con1|3> activating ISAKMP_DPD task
              Jan 16 14:39:38 charon 75651 16[IKE] <con1|3> activating new tasks
              Jan 16 14:39:38 charon 75651 16[IKE] <con1|3> queueing ISAKMP_DPD task
              Jan 16 14:39:38 charon 75651 16[ENC] <con1|3> parsed INFORMATIONAL_V1 request 2165448184 [ HASH N(DPD) ]
              Jan 16 14:39:38 charon 75651 16[NET] <con1|3> received packet: from AZURE_IP[500] to PROVIDER_WAN_IP[500] (92 bytes)
              Jan 16 14:39:35 charon 75651 16[IKE] <con2|4> nothing to initiate
              Jan 16 14:39:35 charon 75651 16[IKE] <con2|4> activating new tasks
              Jan 16 14:39:35 charon 75651 16[CHD] <con2|4> CHILD_SA con2_3{16} state change: INSTALLING => INSTALLED
              Jan 16 14:39:35 charon 75651 16[IKE] <con2|4> CHILD_SA con2_3{16} established with SPIs c0c56a7e_i bf8002fd_o and TS 0.0.0.0/0|/0 === 0.0.0.0/0|/0
              Jan 16 14:39:35 charon 75651 16[CHD] <con2|4> SPI 0xbf8002fd, src PROVIDER_WAN_IP dst CUSTOMER_WAN_IP
              Jan 16 14:39:35 charon 75651 16[CHD] <con2|4> adding outbound ESP SA
              Jan 16 14:39:35 charon 75651 16[CHD] <con2|4> SPI 0xc0c56a7e, src CUSTOMER_WAN_IP dst PROVIDER_WAN_IP
              Jan 16 14:39:35 charon 75651 16[CHD] <con2|4> adding inbound ESP SA
              Jan 16 14:39:35 charon 75651 16[CHD] <con2|4> using HMAC_SHA2_256_128 for integrity
              Jan 16 14:39:35 charon 75651 16[CHD] <con2|4> using AES_CBC for encryption
              Jan 16 14:39:35 charon 75651 16[CHD] <con2|4> CHILD_SA con2_3{16} state change: CREATED => INSTALLING
              Jan 16 14:39:35 charon 75651 16[CFG] <con2|4> config: ::/0|/0, received: 0.0.0.0/0|/0 => no match
              Jan 16 14:39:35 charon 75651 16[CFG] <con2|4> config: 0.0.0.0/0|/0, received: 0.0.0.0/0|/0 => match: 0.0.0.0/0|/0
              Jan 16 14:39:35 charon 75651 16[CFG] <con2|4> config: CUSTOMER_LAN_RANGE|/0, received: 0.0.0.0/0|/0 => match: CUSTOMER_LAN_RANGE|/0
              Jan 16 14:39:35 charon 75651 16[CFG] <con2|4> selecting traffic selectors for other:
              Jan 16 14:39:35 charon 75651 16[CFG] <con2|4> config: ::/0|/0, received: 0.0.0.0/0|/0 => no match
              Jan 16 14:39:35 charon 75651 16[CFG] <con2|4> config: 0.0.0.0/0|/0, received: 0.0.0.0/0|/0 => match: 0.0.0.0/0|/0
              Jan 16 14:39:35 charon 75651 16[CFG] <con2|4> config: SITE2_LAN_IP/32|SITE2_ISOLATED_LAN_IP/32, received: 0.0.0.0/0|/0 => match: SITE2_LAN_IP/32|SITE2_ISOLATED_LAN_IP/32
              Jan 16 14:39:35 charon 75651 16[CFG] <con2|4> selecting traffic selectors for us:
              Jan 16 14:39:35 charon 75651 16[CFG] <con2|4> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
              Jan 16 14:39:35 charon 75651 16[CFG] <con2|4> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
              Jan 16 14:39:35 charon 75651 16[CFG] <con2|4> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
              Jan 16 14:39:35 charon 75651 16[CFG] <con2|4> proposal matches
              Jan 16 14:39:35 charon 75651 16[CFG] <con2|4> selecting proposal:
              Jan 16 14:39:35 charon 75651 16[ENC] <con2|4> parsed CREATE_CHILD_SA response 398 [ SA No KE TSi TSr ]
              Jan 16 14:39:35 charon 75651 16[NET] <con2|4> received packet: from CUSTOMER_WAN_IP[500] to PROVIDER_WAN_IP[500] (464 bytes)
              Jan 16 14:39:35 charon 75651 16[CFG] vici client 1268 disconnected
              Jan 16 14:39:35 charon 75651 07[NET] <con2|4> sending packet: from PROVIDER_WAN_IP[500] to CUSTOMER_WAN_IP[500] (560 bytes)
              Jan 16 14:39:35 charon 75651 07[ENC] <con2|4> generating CREATE_CHILD_SA request 398 [ N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
              Jan 16 14:39:35 charon 75651 07[IKE] <con2|4> establishing CHILD_SA con2_3{16}
              Jan 16 14:39:35 charon 75651 07[CFG] <con2|4> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
              Jan 16 14:39:35 charon 75651 07[CFG] <con2|4> ::/0|/0
              Jan 16 14:39:35 charon 75651 07[CFG] <con2|4> 0.0.0.0/0|/0
              Jan 16 14:39:35 charon 75651 07[CFG] <con2|4> CUSTOMER_LAN_RANGE|/0
              Jan 16 14:39:35 charon 75651 07[CFG] <con2|4> proposing traffic selectors for other:
              Jan 16 14:39:35 charon 75651 07[CFG] <con2|4> ::/0|/0
              Jan 16 14:39:35 charon 75651 07[CFG] <con2|4> 0.0.0.0/0|/0
              Jan 16 14:39:35 charon 75651 07[CFG] <con2|4> SITE2_LAN_IP/32|SITE2_ISOLATED_LAN_IP/32
              Jan 16 14:39:35 charon 75651 07[CFG] <con2|4> proposing traffic selectors for us:
              Jan 16 14:39:35 charon 75651 07[IKE] <con2|4> activating CHILD_CREATE task
              Jan 16 14:39:35 charon 75651 07[IKE] <con2|4> activating new tasks
              Jan 16 14:39:35 charon 75651 07[IKE] <con2|4> queueing CHILD_CREATE task
              Jan 16 14:39:35 charon 75651 07[CFG] initiating 'con2_3'
              Jan 16 14:39:35 charon 75651 07[CFG] updated vici connection: con2
              Jan 16 14:39:35 charon 75651 07[CFG] class = pre-shared key
              Jan 16 14:39:35 charon 75651 07[CFG] local:
              Jan 16 14:39:35 charon 75651 07[CFG] proposals = IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
              Jan 16 14:39:35 charon 75651 07[CFG] rekey_time = 25920
              Jan 16 14:39:35 charon 75651 07[CFG] fragmentation = 2
              Jan 16 14:39:35 charon 75651 07[CFG] dscp = 0x00
              Jan 16 14:39:35 charon 75651 07[CFG] ppk_id = (null)
              Jan 16 14:39:35 charon 75651 07[CFG] local_port = 500
              Jan 16 14:39:35 charon 75651 07[CFG] remote_addrs = CUSTOMER_WAN_IP
              Jan 16 14:39:35 charon 75651 07[CFG] local_addrs = PROVIDER_WAN_IP
              Jan 16 14:39:35 charon 75651 07[CFG] version = 2
              Jan 16 14:39:35 charon 75651 07[CFG] copy_dscp = out
              Jan 16 14:39:35 charon 75651 07[CFG] copy_ecn = 1
              Jan 16 14:39:35 charon 75651 07[CFG] copy_df = 1
              Jan 16 14:39:35 charon 75651 07[CFG] sha256_96 = 0
              Jan 16 14:39:35 charon 75651 07[CFG] hw_offload = no
              Jan 16 14:39:35 charon 75651 07[CFG] remote_ts = CUSTOMER_LAN_RANGE|/0 0.0.0.0/0|/0 ::/0|/0
              Jan 16 14:39:35 charon 75651 07[CFG] local_ts = SITE2_LAN_IP/32|SITE2_ISOLATED_LAN_IP/32 0.0.0.0/0|/0 ::/0|/0
              Jan 16 14:39:35 charon 75651 07[CFG] proposals = ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
              Jan 16 14:39:35 charon 75651 07[CFG] inactivity = 0
              Jan 16 14:39:35 charon 75651 07[CFG] label_mode = system
              Jan 16 14:39:35 charon 75651 07[CFG] label = (null)
              Jan 16 14:39:35 charon 75651 07[CFG] set_mark_out = 0/0
              Jan 16 14:39:35 charon 75651 07[CFG] set_mark_in = 0/0
              Jan 16 14:39:35 charon 75651 07[CFG] mark_out = 0/0
              Jan 16 14:39:35 charon 75651 07[CFG] mark_in_sa = 0
              Jan 16 14:39:35 charon 75651 07[CFG] mark_in = 0/0
              Jan 16 14:39:35 charon 75651 07[CFG] if_id_out = 0
              Jan 16 14:39:35 charon 75651 07[CFG] if_id_in = 0
              Jan 16 14:39:35 charon 75651 07[CFG] interface = (null)
              Jan 16 14:39:35 charon 75651 07[CFG] priority = 0
              Jan 16 14:39:35 charon 75651 07[CFG] tfc = 0
              Jan 16 14:39:35 charon 75651 07[CFG] reqid = 5003
              Jan 16 14:39:35 charon 75651 07[CFG] close_action = none
              Jan 16 14:39:35 charon 75651 07[CFG] start_action = start
              Jan 16 14:39:35 charon 75651 07[CFG] dpd_action = start
              Jan 16 14:39:35 charon 75651 07[CFG] policies_fwd_out = 0
              Jan 16 14:39:35 charon 75651 07[CFG] policies = 1
              Jan 16 14:39:35 charon 75651 07[CFG] mode = TUNNEL
              Jan 16 14:39:35 charon 75651 07[CFG] ipcomp = 0
              Jan 16 14:39:35 charon 75651 07[CFG] hostaccess = 0
              Jan 16 14:39:35 charon 75651 07[CFG] updown = (null)
              Jan 16 14:39:35 charon 75651 07[CFG] rand_packets = 0
              Jan 16 14:39:35 charon 75651 07[CFG] life_packets = 0
              Jan 16 14:39:35 charon 75651 07[CFG] rekey_packets = 0
              Jan 16 14:39:35 charon 75651 07[CFG] rand_bytes = 0
              Jan 16 14:39:35 charon 75651 07[CFG] life_bytes = 0
              Jan 16 14:39:35 charon 75651 07[CFG] rekey_bytes = 0
              Jan 16 14:39:35 charon 75651 07[CFG] rand_time = 360
              Jan 16 14:39:35 charon 75651 07[CFG] life_time = 3600
              Jan 16 14:39:35 charon 75651 07[CFG] rekey_time = 3240
              Jan 16 14:39:35 charon 75651 07[CFG] child con2_3:
              Jan 16 14:39:35 charon 75651 07[CFG] copy_dscp = out
              Jan 16 14:39:35 charon 75651 07[CFG] copy_ecn = 1
              Jan 16 14:39:35 charon 75651 07[CFG] copy_df = 1
              Jan 16 14:39:35 charon 75651 07[CFG] sha256_96 = 0
              Jan 16 14:39:35 charon 75651 07[CFG] hw_offload = no
              Jan 16 14:39:35 charon 75651 07[CFG] remote_ts = VTI_CUSTOMER_IP/32|/0 0.0.0.0/0|/0 ::/0|/0
              Jan 16 14:39:35 charon 75651 07[CFG] local_ts = VTI_SITE2_IP/32|/0 0.0.0.0/0|/0 ::/0|/0
              Jan 16 14:39:35 charon 75651 07[CFG] proposals = ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
              Jan 16 14:39:35 charon 75651 07[CFG] inactivity = 0
              Jan 16 14:39:35 charon 75651 07[CFG] label_mode = system
              Jan 16 14:39:35 charon 75651 07[CFG] label = (null)
              Jan 16 14:39:35 charon 75651 07[CFG] set_mark_out = 0/0
              Jan 16 14:39:35 charon 75651 07[CFG] set_mark_in = 0/0
              Jan 16 14:39:35 charon 75651 07[CFG] mark_out = 0/0
              Jan 16 14:39:35 charon 75651 07[CFG] mark_in_sa = 0
              Jan 16 14:39:35 charon 75651 07[CFG] mark_in = 0/0
              Jan 16 14:39:35 charon 75651 07[CFG] if_id_out = 0
              Jan 16 14:39:35 charon 75651 07[CFG] if_id_in = 0
              Jan 16 14:39:35 charon 75651 07[CFG] interface = (null)
              Jan 16 14:39:35 charon 75651 07[CFG] priority = 0
              Jan 16 14:39:35 charon 75651 07[CFG] tfc = 0
              Jan 16 14:39:35 charon 75651 07[CFG] reqid = 5002
              Jan 16 14:39:35 charon 75651 07[CFG] close_action = none
              Jan 16 14:39:35 charon 75651 07[CFG] start_action = start
              Jan 16 14:39:35 charon 75651 07[CFG] dpd_action = start
              Jan 16 14:39:35 charon 75651 07[CFG] policies_fwd_out = 0
              Jan 16 14:39:35 charon 75651 07[CFG] policies = 0
              Jan 16 14:39:35 charon 75651 07[CFG] mode = TUNNEL
              Jan 16 14:39:35 charon 75651 07[CFG] ipcomp = 0
              Jan 16 14:39:35 charon 75651 07[CFG] hostaccess = 0
              Jan 16 14:39:35 charon 75651 07[CFG] updown = (null)
              Jan 16 14:39:35 charon 75651 07[CFG] rand_packets = 0
              Jan 16 14:39:35 charon 75651 07[CFG] life_packets = 0
              Jan 16 14:39:35 charon 75651 07[CFG] rekey_packets = 0
              Jan 16 14:39:35 charon 75651 07[CFG] rand_bytes = 0
              Jan 16 14:39:35 charon 75651 07[CFG] life_bytes = 0
              Jan 16 14:39:35 charon 75651 07[CFG] rekey_bytes = 0
              Jan 16 14:39:35 charon 75651 07[CFG] rand_time = 360
              Jan 16 14:39:35 charon 75651 07[CFG] life_time = 3600
              Jan 16 14:39:35 charon 75651 07[CFG] rekey_time = 3240
              Jan 16 14:39:35 charon 75651 07[CFG] child con2_2:

              • V
                viragomann @Matt_Sharpe

                @Matt_Sharpe
                 Did you replace the local and remote networks as well, for any reason?

                • M
                  Matt_Sharpe @viragomann

                   @viragomann If you're referring to me replacing the networks in the text above: I replaced all networks, both public and private, so as not to expose any part of the infrastructure.

                  • V
                    viragomann @Matt_Sharpe

                    @Matt_Sharpe
                    I see. But without the info about which networks should be routed in IPSec, troubleshooting is not possible.

                    • M
                      Matt_Sharpe @viragomann

                      @viragomann OK, allow me to simply exclude the WAN addresses. I will substitute the ranges from the logs to match this forum post:

                      172.16.100.1 > IPsec tunnel > 172.16.200.253 (NATs to) 172.16.210.253

                      • M
                        Matt_Sharpe @Matt_Sharpe

                        @Matt_Sharpe

                        10.199.47.1 = Provider VTI
                        10.199.47.2 = Customer VTI

                        PART 1

                        Last 500 IPsec Log Entries. (Maximum 500)
                        Jan 16 14:40:07 charon 75651 06[CFG] vici client 1276 disconnected
                        Jan 16 14:40:07 charon 75651 12[CFG] updated vici connection: con2
                        Jan 16 14:40:07 charon 75651 12[CFG] id = CUSTOMER_WAN_IP
                        Jan 16 14:40:07 charon 75651 12[CFG] class = pre-shared key
                        Jan 16 14:40:07 charon 75651 12[CFG] remote:
                        Jan 16 14:40:07 charon 75651 12[CFG] id = PROVIDER_WAN_IP
                        Jan 16 14:40:07 charon 75651 12[CFG] class = pre-shared key
                        Jan 16 14:40:07 charon 75651 12[CFG] local:
                        Jan 16 14:40:07 charon 75651 12[CFG] if_id_out = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] if_id_in = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] proposals = IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
                        Jan 16 14:40:07 charon 75651 12[CFG] rand_time = 2880
                        Jan 16 14:40:07 charon 75651 12[CFG] over_time = 2880
                        Jan 16 14:40:07 charon 75651 12[CFG] rekey_time = 25920
                        Jan 16 14:40:07 charon 75651 12[CFG] reauth_time = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] keyingtries = 1
                        Jan 16 14:40:07 charon 75651 12[CFG] unique = UNIQUE_REPLACE
                        Jan 16 14:40:07 charon 75651 12[CFG] childless = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] fragmentation = 2
                        Jan 16 14:40:07 charon 75651 12[CFG] dpd_timeout = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] dpd_delay = 30
                        Jan 16 14:40:07 charon 75651 12[CFG] encap = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] dscp = 0x00
                        Jan 16 14:40:07 charon 75651 12[CFG] aggressive = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] mobike = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] ppk_required = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] ppk_id = (null)
                        Jan 16 14:40:07 charon 75651 12[CFG] send_cert = CERT_SEND_IF_ASKED
                        Jan 16 14:40:07 charon 75651 12[CFG] send_certreq = 1
                        Jan 16 14:40:07 charon 75651 12[CFG] remote_port = 500
                        Jan 16 14:40:07 charon 75651 12[CFG] local_port = 500
                        Jan 16 14:40:07 charon 75651 12[CFG] remote_addrs = CUSTOMER_WAN_IP
                        Jan 16 14:40:07 charon 75651 12[CFG] local_addrs = PROVIDER_WAN_IP
                        Jan 16 14:40:07 charon 75651 12[CFG] version = 2
                        Jan 16 14:40:07 charon 75651 12[CFG] copy_dscp = out
                        Jan 16 14:40:07 charon 75651 12[CFG] copy_ecn = 1
                        Jan 16 14:40:07 charon 75651 12[CFG] copy_df = 1
                        Jan 16 14:40:07 charon 75651 12[CFG] sha256_96 = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] hw_offload = no
                        Jan 16 14:40:07 charon 75651 12[CFG] remote_ts = 172.16.100.0/24|/0 0.0.0.0/0|/0 ::/0|/0
                        Jan 16 14:40:07 charon 75651 12[CFG] local_ts = 172.16.200.253/32|172.16.210.253/32 0.0.0.0/0|/0 ::/0|/0
                        Jan 16 14:40:07 charon 75651 12[CFG] proposals = ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
                        Jan 16 14:40:07 charon 75651 12[CFG] inactivity = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] label_mode = system
                        Jan 16 14:40:07 charon 75651 12[CFG] label = (null)
                        Jan 16 14:40:07 charon 75651 12[CFG] set_mark_out = 0/0
                        Jan 16 14:40:07 charon 75651 12[CFG] set_mark_in = 0/0
                        Jan 16 14:40:07 charon 75651 12[CFG] mark_out = 0/0
                        Jan 16 14:40:07 charon 75651 12[CFG] mark_in_sa = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] mark_in = 0/0
                        Jan 16 14:40:07 charon 75651 12[CFG] if_id_out = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] if_id_in = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] interface = (null)
                        Jan 16 14:40:07 charon 75651 12[CFG] priority = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] tfc = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] reqid = 5003
                        Jan 16 14:40:07 charon 75651 12[CFG] close_action = none
                        Jan 16 14:40:07 charon 75651 12[CFG] start_action = start
                        Jan 16 14:40:07 charon 75651 12[CFG] dpd_action = start
                        Jan 16 14:40:07 charon 75651 12[CFG] policies_fwd_out = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] policies = 1
                        Jan 16 14:40:07 charon 75651 12[CFG] mode = TUNNEL
                        Jan 16 14:40:07 charon 75651 12[CFG] ipcomp = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] hostaccess = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] updown = (null)
                        Jan 16 14:40:07 charon 75651 12[CFG] rand_packets = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] life_packets = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] rekey_packets = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] rand_bytes = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] life_bytes = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] rekey_bytes = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] rand_time = 360
                        Jan 16 14:40:07 charon 75651 12[CFG] life_time = 3600
                        Jan 16 14:40:07 charon 75651 12[CFG] rekey_time = 3240
                        Jan 16 14:40:07 charon 75651 12[CFG] child con2_3:
                        Jan 16 14:40:07 charon 75651 12[CFG] copy_dscp = out
                        Jan 16 14:40:07 charon 75651 12[CFG] copy_ecn = 1
                        Jan 16 14:40:07 charon 75651 12[CFG] copy_df = 1
                        Jan 16 14:40:07 charon 75651 12[CFG] sha256_96 = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] hw_offload = no
                        Jan 16 14:40:07 charon 75651 12[CFG] remote_ts = 10.199.47.2/32|/0 0.0.0.0/0|/0 ::/0|/0
                        Jan 16 14:40:07 charon 75651 12[CFG] local_ts = 10.199.47.1/32|/0 0.0.0.0/0|/0 ::/0|/0
                        Jan 16 14:40:07 charon 75651 12[CFG] proposals = ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
                        Jan 16 14:40:07 charon 75651 12[CFG] inactivity = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] label_mode = system
                        Jan 16 14:40:07 charon 75651 12[CFG] label = (null)
                        Jan 16 14:40:07 charon 75651 12[CFG] set_mark_out = 0/0
                        Jan 16 14:40:07 charon 75651 12[CFG] set_mark_in = 0/0
                        Jan 16 14:40:07 charon 75651 12[CFG] mark_out = 0/0
                        Jan 16 14:40:07 charon 75651 12[CFG] mark_in_sa = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] mark_in = 0/0
                        Jan 16 14:40:07 charon 75651 12[CFG] if_id_out = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] if_id_in = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] interface = (null)
                        Jan 16 14:40:07 charon 75651 12[CFG] priority = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] tfc = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] reqid = 5002
                        Jan 16 14:40:07 charon 75651 12[CFG] close_action = none
                        Jan 16 14:40:07 charon 75651 12[CFG] start_action = start
                        Jan 16 14:40:07 charon 75651 12[CFG] dpd_action = start
                        Jan 16 14:40:07 charon 75651 12[CFG] policies_fwd_out = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] policies = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] mode = TUNNEL
                        Jan 16 14:40:07 charon 75651 12[CFG] ipcomp = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] hostaccess = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] updown = (null)
                        Jan 16 14:40:07 charon 75651 12[CFG] rand_packets = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] life_packets = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] rekey_packets = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] rand_bytes = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] life_bytes = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] rekey_bytes = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] rand_time = 360
                        Jan 16 14:40:07 charon 75651 12[CFG] life_time = 3600
                        Jan 16 14:40:07 charon 75651 12[CFG] rekey_time = 3240
                        Jan 16 14:40:07 charon 75651 12[CFG] child con2_2:
                        Jan 16 14:40:07 charon 75651 12[CFG] conn con2:
                        Jan 16 14:40:07 charon 75651 12[CFG] vici client 1276 requests: load-conn
                        Jan 16 14:40:07 charon 75651 12[CFG] updated vici connection: con1
                        Jan 16 14:40:07 charon 75651 12[CFG] id = AZURE_WAN_IP
                        Jan 16 14:40:07 charon 75651 12[CFG] class = pre-shared key
                        Jan 16 14:40:07 charon 75651 12[CFG] remote:
                        Jan 16 14:40:07 charon 75651 12[CFG] id = PROVIDER_WAN_IP
                        Jan 16 14:40:07 charon 75651 12[CFG] class = pre-shared key
                        Jan 16 14:40:07 charon 75651 12[CFG] local:
                        Jan 16 14:40:07 charon 75651 12[CFG] if_id_out = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] if_id_in = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] proposals = IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
                        Jan 16 14:40:07 charon 75651 12[CFG] rand_time = 2880
                        Jan 16 14:40:07 charon 75651 12[CFG] over_time = 2880
                        Jan 16 14:40:07 charon 75651 12[CFG] rekey_time = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] reauth_time = 25920
                        Jan 16 14:40:07 charon 75651 12[CFG] keyingtries = 1
                        Jan 16 14:40:07 charon 75651 12[CFG] unique = UNIQUE_REPLACE
                        Jan 16 14:40:07 charon 75651 12[CFG] childless = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] fragmentation = 2
                        Jan 16 14:40:07 charon 75651 12[CFG] dpd_timeout = 60
                        Jan 16 14:40:07 charon 75651 12[CFG] dpd_delay = 10
                        Jan 16 14:40:07 charon 75651 12[CFG] encap = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] dscp = 0x00
                        Jan 16 14:40:07 charon 75651 12[CFG] aggressive = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] mobike = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] ppk_required = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] ppk_id = (null)
                        Jan 16 14:40:07 charon 75651 12[CFG] send_cert = CERT_SEND_IF_ASKED
                        Jan 16 14:40:07 charon 75651 12[CFG] send_certreq = 1
                        Jan 16 14:40:07 charon 75651 12[CFG] remote_port = 500
                        Jan 16 14:40:07 charon 75651 12[CFG] local_port = 500
                        Jan 16 14:40:07 charon 75651 12[CFG] remote_addrs = AZURE_WAN_IP
                        Jan 16 14:40:07 charon 75651 12[CFG] local_addrs = PROVIDER_WAN_IP
                        Jan 16 14:40:07 charon 75651 12[CFG] version = 1
                        Jan 16 14:40:07 charon 75651 12[CFG] copy_dscp = out
                        Jan 16 14:40:07 charon 75651 12[CFG] copy_ecn = 1
                        Jan 16 14:40:07 charon 75651 12[CFG] copy_df = 1
                        Jan 16 14:40:07 charon 75651 12[CFG] sha256_96 = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] hw_offload = no
                        Jan 16 14:40:07 charon 75651 12[CFG] remote_ts = AZURE_LAN|/0
                        Jan 16 14:40:07 charon 75651 12[CFG] local_ts = 172.16.200.0/24|/0
                        Jan 16 14:40:07 charon 75651 12[CFG] proposals = ESP:AES_GCM_16_256/NO_EXT_SEQ, ESP:AES_GCM_12_256/NO_EXT_SEQ, ESP:AES_GCM_8_256/NO_EXT_SEQ, ESP:AES_GCM_16_128/NO_EXT_SEQ, ESP:AES_GCM_12_128/NO_EXT_SEQ, ESP:AES_GCM_8_128/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
                        Jan 16 14:40:07 charon 75651 12[CFG] inactivity = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] label_mode = system
                        Jan 16 14:40:07 charon 75651 12[CFG] label = (null)
                        Jan 16 14:40:07 charon 75651 12[CFG] set_mark_out = 0/0
                        Jan 16 14:40:07 charon 75651 12[CFG] set_mark_in = 0/0
                        Jan 16 14:40:07 charon 75651 12[CFG] mark_out = 0/0
                        Jan 16 14:40:07 charon 75651 12[CFG] mark_in_sa = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] mark_in = 0/0
                        Jan 16 14:40:07 charon 75651 12[CFG] if_id_out = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] if_id_in = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] interface = (null)
                        Jan 16 14:40:07 charon 75651 12[CFG] priority = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] tfc = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] reqid = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] close_action = none
                        Jan 16 14:40:07 charon 75651 12[CFG] start_action = trap
                        Jan 16 14:40:07 charon 75651 12[CFG] dpd_action = trap
                        Jan 16 14:40:07 charon 75651 12[CFG] policies_fwd_out = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] policies = 1
                        Jan 16 14:40:07 charon 75651 12[CFG] mode = TUNNEL
                        Jan 16 14:40:07 charon 75651 12[CFG] ipcomp = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] hostaccess = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] updown = (null)
                        Jan 16 14:40:07 charon 75651 12[CFG] rand_packets = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] life_packets = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] rekey_packets = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] rand_bytes = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] life_bytes = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] rekey_bytes = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] rand_time = 360
                        Jan 16 14:40:07 charon 75651 12[CFG] life_time = 3600
                        Jan 16 14:40:07 charon 75651 12[CFG] rekey_time = 3240
                        Jan 16 14:40:07 charon 75651 12[CFG] child con1_1:
                        Jan 16 14:40:07 charon 75651 12[CFG] conn con1:
                        Jan 16 14:40:07 charon 75651 12[CFG] vici client 1276 requests: load-conn
                        Jan 16 14:40:07 charon 75651 12[CFG] updated vici connection: bypass
                        Jan 16 14:40:07 charon 75651 12[CFG] remote:
                        Jan 16 14:40:07 charon 75651 12[CFG] local:
                        Jan 16 14:40:07 charon 75651 12[CFG] if_id_out = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] if_id_in = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] proposals = IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/CHACHA20_POLY1305/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
                        Jan 16 14:40:07 charon 75651 12[CFG] rand_time = 1440
                        Jan 16 14:40:07 charon 75651 12[CFG] over_time = 1440
                        Jan 16 14:40:07 charon 75651 12[CFG] rekey_time = 14400
                        Jan 16 14:40:07 charon 75651 12[CFG] reauth_time = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] keyingtries = 1
                        Jan 16 14:40:07 charon 75651 12[CFG] unique = UNIQUE_NO
                        Jan 16 14:40:07 charon 75651 12[CFG] childless = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] fragmentation = 2
                        Jan 16 14:40:07 charon 75651 12[CFG] dpd_timeout = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] dpd_delay = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] encap = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] dscp = 0x00
                        Jan 16 14:40:07 charon 75651 12[CFG] aggressive = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] mobike = 1
                        Jan 16 14:40:07 charon 75651 12[CFG] ppk_required = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] ppk_id = (null)
                        Jan 16 14:40:07 charon 75651 12[CFG] send_cert = CERT_SEND_IF_ASKED
                        Jan 16 14:40:07 charon 75651 12[CFG] send_certreq = 1
                        Jan 16 14:40:07 charon 75651 12[CFG] remote_port = 500
                        Jan 16 14:40:07 charon 75651 12[CFG] local_port = 500
                        Jan 16 14:40:07 charon 75651 12[CFG] remote_addrs = 127.0.0.1
                        Jan 16 14:40:07 charon 75651 12[CFG] local_addrs = %any
                        Jan 16 14:40:07 charon 75651 12[CFG] version = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] copy_dscp = out
                        Jan 16 14:40:07 charon 75651 12[CFG] copy_ecn = 1
                        Jan 16 14:40:07 charon 75651 12[CFG] copy_df = 1
                        Jan 16 14:40:07 charon 75651 12[CFG] sha256_96 = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] hw_offload = no
                        Jan 16 14:40:07 charon 75651 12[CFG] remote_ts = 172.16.200.0/24|/0
                        Jan 16 14:40:07 charon 75651 12[CFG] local_ts = 172.16.200.0/24|/0
                        Jan 16 14:40:07 charon 75651 12[CFG] proposals = ESP:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
                        Jan 16 14:40:07 charon 75651 12[CFG] inactivity = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] label_mode = system
                        Jan 16 14:40:07 charon 75651 12[CFG] label = (null)
                        Jan 16 14:40:07 charon 75651 12[CFG] set_mark_out = 0/0
                        Jan 16 14:40:07 charon 75651 12[CFG] set_mark_in = 0/0
                        Jan 16 14:40:07 charon 75651 12[CFG] mark_out = 0/0
                        Jan 16 14:40:07 charon 75651 12[CFG] mark_in_sa = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] mark_in = 0/0
                        Jan 16 14:40:07 charon 75651 12[CFG] if_id_out = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] if_id_in = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] interface = (null)
                        Jan 16 14:40:07 charon 75651 12[CFG] priority = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] tfc = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] reqid = 0
                        Jan 16 14:40:07 charon 75651 12[CFG] close_action = none
                        Jan 16 14:40:07 charon 75651 12[CFG] start_action = trap
                        Jan 16 14:40:07 charon 75651 12[CFG] dpd_action = none
                        Jan 16 14:40:07 charon 75651 12[CFG] policies_fwd_out = 0

Matt_Sharpe @Matt_Sharpe

                          Jan 16 14:40:07 charon 75651 12[CFG] policies = 1
                          Jan 16 14:40:07 charon 75651 12[CFG] mode = PASS
                          Jan 16 14:40:07 charon 75651 12[CFG] ipcomp = 0
                          Jan 16 14:40:07 charon 75651 12[CFG] hostaccess = 0
                          Jan 16 14:40:07 charon 75651 12[CFG] updown = (null)
                          Jan 16 14:40:07 charon 75651 12[CFG] rand_packets = 0
                          Jan 16 14:40:07 charon 75651 12[CFG] life_packets = 0
                          Jan 16 14:40:07 charon 75651 12[CFG] rekey_packets = 0
                          Jan 16 14:40:07 charon 75651 12[CFG] rand_bytes = 0
                          Jan 16 14:40:07 charon 75651 12[CFG] life_bytes = 0
                          Jan 16 14:40:07 charon 75651 12[CFG] rekey_bytes = 0
                          Jan 16 14:40:07 charon 75651 12[CFG] rand_time = 360
                          Jan 16 14:40:07 charon 75651 12[CFG] life_time = 3960
                          Jan 16 14:40:07 charon 75651 12[CFG] rekey_time = 3600
                          Jan 16 14:40:07 charon 75651 12[CFG] child bypasslan:
                          Jan 16 14:40:07 charon 75651 12[CFG] conn bypass:
                          Jan 16 14:40:07 charon 75651 12[CFG] vici client 1276 requests: load-conn
                          Jan 16 14:40:07 charon 75651 12[CFG] vici client 1276 requests: get-conns
                          Jan 16 14:40:07 charon 75651 12[CFG] vici client 1276 requests: get-pools
                          Jan 16 14:40:07 charon 75651 12[CFG] vici client 1276 requests: get-authorities
                          Jan 16 14:40:07 charon 75651 12[CFG] loaded IKE shared key with id 'ike-1' for: '%any', 'CUSTOMER_WAN_IP'
                          Jan 16 14:40:07 charon 75651 12[CFG] vici client 1276 requests: load-shared
                          Jan 16 14:40:07 charon 75651 12[CFG] loaded IKE shared key with id 'ike-0' for: '%any', 'AZURE_WAN_IP'
                          Jan 16 14:40:07 charon 75651 12[CFG] vici client 1276 requests: load-shared
                          Jan 16 14:40:07 charon 75651 12[CFG] vici client 1276 requests: get-shared
                          Jan 16 14:40:07 charon 75651 14[CFG] vici client 1276 requests: get-keys
                          Jan 16 14:40:07 charon 75651 14[CFG] vici client 1276 connected
                          Jan 16 14:40:07 charon 75651 07[CFG] vici client 1275 disconnected
                          Jan 16 14:40:07 charon 75651 07[CFG] loaded 0 RADIUS server configurations
                          Jan 16 14:40:07 charon 75651 07[CFG] loaded 0 entries for attr plugin configuration
                          Jan 16 14:40:07 charon 75651 07[CFG] ipseckey plugin is disabled
                          Jan 16 14:40:07 charon 75651 07[CFG] vici client 1275 requests: reload-settings
                          Jan 16 14:40:07 charon 75651 14[CFG] vici client 1275 connected
                          Jan 16 14:40:07 charon 75651 05[IKE] <con2|4> keeping statically configured path PROVIDER_WAN_IP - CUSTOMER_WAN_IP
                          Jan 16 14:40:07 charon 75651 05[KNL] 10.199.47.1 appeared on ipsec2
                          Jan 16 14:40:07 charon 75651 13[KNL] interface ipsec2 appeared
                          Jan 16 14:40:07 charon 75651 13[KNL] interface ipsec2 disappeared
                          Jan 16 14:40:07 charon 75651 09[KNL] interface ipsec2 deactivated
                          Jan 16 14:40:07 charon 75651 09[KNL] 10.199.47.1 disappeared from ipsec2
                          Jan 16 14:40:06 charon 75651 09[IKE] <con1|3> nothing to initiate
                          Jan 16 14:40:06 charon 75651 09[IKE] <con1|3> activating new tasks
                          Jan 16 14:40:06 charon 75651 09[NET] <con1|3> sending packet: from PROVIDER_WAN_IP[500] to AZURE_WAN_IP[500] (92 bytes)
                          Jan 16 14:40:06 charon 75651 09[ENC] <con1|3> generating INFORMATIONAL_V1 request 2819744997 [ HASH N(DPD_ACK) ]
                          Jan 16 14:40:06 charon 75651 09[IKE] <con1|3> activating ISAKMP_DPD task
                          Jan 16 14:40:06 charon 75651 09[IKE] <con1|3> activating new tasks
                          Jan 16 14:40:06 charon 75651 09[IKE] <con1|3> queueing ISAKMP_DPD task
                          Jan 16 14:40:06 charon 75651 09[ENC] <con1|3> parsed INFORMATIONAL_V1 request 1404219913 [ HASH N(DPD) ]
                          Jan 16 14:40:06 charon 75651 09[NET] <con1|3> received packet: from AZURE_WAN_IP[500] to PROVIDER_WAN_IP[500] (92 bytes)
                          Jan 16 14:40:05 charon 75651 09[CFG] vici client 1274 disconnected
                          Jan 16 14:40:05 charon 75651 09[CFG] vici client 1274 requests: list-sas
                          Jan 16 14:40:05 charon 75651 15[CFG] vici client 1274 registered for: list-sa
                          Jan 16 14:40:05 charon 75651 15[CFG] vici client 1274 connected
                          Jan 16 14:40:02 charon 75651 09[IKE] <con1|3> nothing to initiate
                          Jan 16 14:40:02 charon 75651 09[IKE] <con1|3> activating new tasks
                          Jan 16 14:40:02 charon 75651 09[ENC] <con1|3> parsed INFORMATIONAL_V1 request 1532146135 [ HASH N(DPD_ACK) ]
                          Jan 16 14:40:02 charon 75651 09[NET] <con1|3> received packet: from AZURE_WAN_IP[500] to PROVIDER_WAN_IP[500] (92 bytes)
                          Jan 16 14:40:02 charon 75651 09[IKE] <con1|3> nothing to initiate
                          Jan 16 14:40:02 charon 75651 09[IKE] <con1|3> activating new tasks
                          Jan 16 14:40:02 charon 75651 09[NET] <con1|3> sending packet: from PROVIDER_WAN_IP[500] to AZURE_WAN_IP[500] (92 bytes)
                          Jan 16 14:40:02 charon 75651 09[ENC] <con1|3> generating INFORMATIONAL_V1 request 1473236439 [ HASH N(DPD) ]
                          Jan 16 14:40:02 charon 75651 09[IKE] <con1|3> activating ISAKMP_DPD task
                          Jan 16 14:40:02 charon 75651 09[IKE] <con1|3> activating new tasks
                          Jan 16 14:40:02 charon 75651 09[IKE] <con1|3> queueing ISAKMP_DPD task
                          Jan 16 14:40:02 charon 75651 09[IKE] <con1|3> sending DPD request
                          Jan 16 14:40:00 charon 75651 09[CFG] vici client 1273 disconnected
                          Jan 16 14:40:00 charon 75651 15[CFG] vici client 1273 requests: list-sas
                          Jan 16 14:40:00 charon 75651 11[CFG] vici client 1273 registered for: list-sa
                          Jan 16 14:40:00 charon 75651 11[CFG] vici client 1273 connected
                          Jan 16 14:39:55 charon 75651 15[CFG] vici client 1272 disconnected
                          Jan 16 14:39:55 charon 75651 11[CFG] vici client 1272 requests: list-sas
                          Jan 16 14:39:55 charon 75651 08[CFG] vici client 1272 registered for: list-sa
                          Jan 16 14:39:55 charon 75651 11[CFG] vici client 1272 connected
                          Jan 16 14:39:52 charon 75651 08[IKE] <con1|3> nothing to initiate
                          Jan 16 14:39:52 charon 75651 08[IKE] <con1|3> activating new tasks
                          Jan 16 14:39:52 charon 75651 08[NET] <con1|3> sending packet: from PROVIDER_WAN_IP[500] to AZURE_WAN_IP[500] (92 bytes)
                          Jan 16 14:39:52 charon 75651 08[ENC] <con1|3> generating INFORMATIONAL_V1 request 316903062 [ HASH N(DPD_ACK) ]
                          Jan 16 14:39:52 charon 75651 08[IKE] <con1|3> activating ISAKMP_DPD task
                          Jan 16 14:39:52 charon 75651 08[IKE] <con1|3> activating new tasks
                          Jan 16 14:39:52 charon 75651 08[IKE] <con1|3> queueing ISAKMP_DPD task
                          Jan 16 14:39:52 charon 75651 08[ENC] <con1|3> parsed INFORMATIONAL_V1 request 2810856974 [ HASH N(DPD) ]
                          Jan 16 14:39:52 charon 75651 08[NET] <con1|3> received packet: from AZURE_WAN_IP[500] to PROVIDER_WAN_IP[500] (92 bytes)
                          Jan 16 14:39:50 charon 75651 08[CFG] vici client 1271 disconnected
                          Jan 16 14:39:50 charon 75651 16[CFG] vici client 1271 requests: list-sas
                          Jan 16 14:39:50 charon 75651 16[CFG] vici client 1271 registered for: list-sa
                          Jan 16 14:39:50 charon 75651 16[CFG] vici client 1271 connected
                          Jan 16 14:39:48 charon 75651 11[IKE] <con1|3> nothing to initiate
                          Jan 16 14:39:48 charon 75651 11[IKE] <con1|3> activating new tasks
                          Jan 16 14:39:48 charon 75651 11[ENC] <con1|3> parsed INFORMATIONAL_V1 request 1390613614 [ HASH N(DPD_ACK) ]
                          Jan 16 14:39:48 charon 75651 11[NET] <con1|3> received packet: from AZURE_WAN_IP[500] to PROVIDER_WAN_IP[500] (92 bytes)
                          Jan 16 14:39:48 charon 75651 11[IKE] <con1|3> nothing to initiate
                          Jan 16 14:39:48 charon 75651 11[IKE] <con1|3> activating new tasks
                          Jan 16 14:39:48 charon 75651 11[NET] <con1|3> sending packet: from PROVIDER_WAN_IP[500] to AZURE_WAN_IP[500] (92 bytes)
                          Jan 16 14:39:48 charon 75651 11[ENC] <con1|3> generating INFORMATIONAL_V1 request 2462119987 [ HASH N(DPD) ]
                          Jan 16 14:39:48 charon 75651 11[IKE] <con1|3> activating ISAKMP_DPD task
                          Jan 16 14:39:48 charon 75651 11[IKE] <con1|3> activating new tasks
                          Jan 16 14:39:48 charon 75651 11[IKE] <con1|3> queueing ISAKMP_DPD task
                          Jan 16 14:39:48 charon 75651 11[IKE] <con1|3> sending DPD request
                          Jan 16 14:39:45 charon 75651 11[CFG] vici client 1270 disconnected
                          Jan 16 14:39:45 charon 75651 16[CFG] vici client 1270 requests: list-sas
                          Jan 16 14:39:45 charon 75651 06[CFG] vici client 1270 registered for: list-sa
                          Jan 16 14:39:45 charon 75651 06[CFG] vici client 1270 connected
                          Jan 16 14:39:39 charon 75651 06[CFG] vici client 1269 disconnected
                          Jan 16 14:39:39 charon 75651 16[CFG] vici client 1269 requests: list-sas
                          Jan 16 14:39:39 charon 75651 10[CFG] vici client 1269 registered for: list-sa
                          Jan 16 14:39:39 charon 75651 10[CFG] vici client 1269 connected

viragomann @Matt_Sharpe

                            @Matt_Sharpe said in IPSec DNAT not working:

                            Jan 16 14:40:07 charon 75651 12[CFG] remote_ts = 172.16.200.0/24|/0
                            Jan 16 14:40:07 charon 75651 12[CFG] local_ts = 172.16.200.0/24|/0

                            Did you replace one of these wrongly?
                            Remote and local network cannot be the same.

Matt_Sharpe @viragomann

@viragomann It appears in the log several times; can you confirm what line number you're looking at? I have this open in N++.

viragomann @Matt_Sharpe

                                @Matt_Sharpe
Check your tunnel settings. Neither the local network nor the BINAT network may overlap the remote network.

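A check for the overlap viragomann is pointing at, as an added example that is not part of the thread: it parses the charon CFG dump quoted above for each child's local_ts and remote_ts and flags any pair that overlaps. It assumes the lines are fed oldest-first (the pfSense log viewer shows newest first, so reverse them), and the sample lines, the child name con3_child and the /22 network are constructed.

```python
import ipaddress
import re

# charon dumps each child's settings as "<key> = <value>" lines following a
# "child <name>:" header; traffic selectors look like "172.16.200.0/24|/0"
KV_RE = re.compile(r"\[CFG\]\s+(\w+)\s*=\s*(.*)$")
CHILD_RE = re.compile(r"\[CFG\]\s+child (\S+):")

def parse_ts(value):
    """'172.16.200.0/24|/0, 10.0.0.0/8|/0' -> list of ip_network objects."""
    nets = []
    for item in value.split(","):
        cidr = item.strip().split("|", 1)[0]
        if cidr and cidr != "dynamic":
            nets.append(ipaddress.ip_network(cidr, strict=False))
    return nets

def extract_children(log_lines):
    """Map child name -> its settings. Expects chronological order (oldest
    first); the pfSense log viewer shows newest first, so reverse it."""
    children, current = {}, None
    for line in log_lines:
        m = CHILD_RE.search(line)
        if m:
            current = children.setdefault(m.group(1), {})
            continue
        m = KV_RE.search(line)
        if m and current is not None:
            key, val = m.groups()
            current[key] = parse_ts(val) if key.endswith("_ts") else val
    return children

def find_overlaps(children):
    """(child, local, remote) for every overlapping local/remote pair. With a
    BINAT Phase 2 the translated network is what charon lists as local_ts, so
    the same check covers it. mode = PASS children (pfSense's auto-generated
    bypasslan, which lists the LAN on both sides on purpose) are skipped."""
    problems = []
    for name, s in children.items():
        if s.get("mode") == "PASS":
            continue
        for l in s.get("local_ts", []):
            for r in s.get("remote_ts", []):
                if l.overlaps(r):
                    problems.append((name, str(l), str(r)))
    return problems

# constructed sample in chronological order; con3_child and the /22 are made up
SAMPLE = """\
Jan 16 14:40:07 charon 75651 12[CFG] child bypasslan:
Jan 16 14:40:07 charon 75651 12[CFG] mode = PASS
Jan 16 14:40:07 charon 75651 12[CFG] local_ts = 172.16.200.0/24|/0
Jan 16 14:40:07 charon 75651 12[CFG] remote_ts = 172.16.200.0/24|/0
Jan 16 14:40:07 charon 75651 12[CFG] child con3_child:
Jan 16 14:40:07 charon 75651 12[CFG] mode = TUNNEL
Jan 16 14:40:07 charon 75651 12[CFG] local_ts = 172.16.200.0/24|/0
Jan 16 14:40:07 charon 75651 12[CFG] remote_ts = 172.16.200.0/22|/0
""".splitlines()
```

Running `find_overlaps(extract_children(SAMPLE))` reports only con3_child; the bypasslan entry with identical selectors is the normal pfSense LAN passthrough, not a misconfiguration.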
Matt_Sharpe @viragomann

                                  @viragomann The VTI tunnel is set with a random/unique IP subnet we used for the VTI routing on both sides:

(screenshot omitted)

                                  This doesn't overlap with any of the local/remote/isolated ranges?

viragomann @Matt_Sharpe

                                    @Matt_Sharpe
What about the other tunnel?

Matt_Sharpe @viragomann

                                      @viragomann The Azure tunnel?

viragomann @Matt_Sharpe

                                        @Matt_Sharpe
                                        No, the one doing NAT.
                                        But obviously you've deleted it already. So do you still see these log entries?

Matt_Sharpe @viragomann

                                          @viragomann the other tunnel has been removed, as it impacts the live IPsec when enabled. If we tweak it to include the ranges in this forum post:

                                          172.16.100.1 > IPsec tunnel > 172.16.200.253 (NATs to) 172.16.210.253

(screenshot omitted)

viragomann @Matt_Sharpe

                                            @Matt_Sharpe
This looks good for what you're trying to achieve.

And I cannot find any hint in the log about the disconnection of the other tunnel.
But maybe there is an issue if you route the remote subnet over the VTI and also state it in the policy-based tunnel as the remote network.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.