IPsec Tunnel Green Local Only - No Traffic Passes



  • Hi All,

    I'm having problems with an IPsec site-to-site tunnel.

    My symptoms are that the "Status" indicator goes green on the local side only and no traffic passes between the sites.

I have a firewall rule on both boxes' IPsec interfaces to allow all protocols to and from "all".

    My racoon.conf file is below…

    Thanks!  I appreciate any help you can provide.

cat racoon.conf

    # This file is automatically generated. Do not edit
    path pre_shared_key "/var/etc/psk.txt";
    path certificate "/var/etc";

    listen
    {
        adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
        isakmp {LOCAL WAN IP} [500];
        isakmp_natt {LOCAL WAN IP} [4500];
    }

    remote {REMOTE WAN IP}
    {
        ph1id 1;
        exchange_mode aggressive;
        my_identifier user_fqdn "pat@sj.local";
        peers_identifier user_fqdn "pat@pa.local";
        ike_frag on;
        generate_policy = require;
        initial_contact = on;
        nat_traversal = on;

        dpd_delay = 10;
        dpd_maxfail = 5;
        support_proxy on;
        proposal_check strict;

        proposal
        {
            authentication_method pre_shared_key;
            encryption_algorithm 3des;
            hash_algorithm sha1;
            dh_group 2;
            lifetime time 28800 secs;
        }
    }

    sainfo subnet 172.16.1.0/24 any subnet 10.1.1.0/24 any
    {
        remoteid 1;
        encryption_algorithm blowfish 128;
        authentication_algorithm hmac_sha1;
        pfs_group 2;
        lifetime time 86400 secs;
        compression_algorithm deflate;
    }

    Here is what the IPsec log looks like on the local box when the sites connect and I'm sending ICMP:

    Oct 9 17:02:41 racoon: []: INFO: initiate new phase 2 negotiation: {LOCAL WAN IP}[500]<=>{REMOTE WAN IP}[500]
    Oct 9 17:02:41 racoon: []: INFO: IPsec-SA established: ESP {LOCAL WAN IP}[500]->{REMOTE WAN IP}[500] spi=209101818(0xc76a3fa)
    Oct 9 17:02:41 racoon: []: INFO: IPsec-SA established: ESP {LOCAL WAN IP}[500]->{REMOTE WAN IP}[500] spi=229382563(0xdac19a3)
    Oct 9 17:02:53 racoon: []: INFO: initiate new phase 2 negotiation: {LOCAL WAN IP}[500]<=>{REMOTE WAN IP}[500]
    Oct 9 17:02:53 racoon: []: INFO: IPsec-SA established: ESP {LOCAL WAN IP}[500]->{REMOTE WAN IP}[500] spi=166867411(0x9f231d3)
    Oct 9 17:02:53 racoon: []: INFO: IPsec-SA established: ESP {LOCAL WAN IP}[500]->{REMOTE WAN IP}[500] spi=6083078(0x5cd206)
    Oct 9 17:03:05 racoon: []: INFO: initiate new phase 2 negotiation: {LOCAL WAN IP}[500]<=>{REMOTE WAN IP}[500]
    Oct 9 17:03:05 racoon: []: INFO: IPsec-SA established: ESP {LOCAL WAN IP}[500]->{REMOTE WAN IP}[500] spi=15487077(0xec5065)
    Oct 9 17:03:05 racoon: []: INFO: IPsec-SA established: ESP {LOCAL WAN IP}[500]->{REMOTE WAN IP}[500] spi=150453300(0x8f7bc34)
    Oct 9 17:03:17 racoon: []: INFO: initiate new phase 2 negotiation: {LOCAL WAN IP}[500]<=>{REMOTE WAN IP}[500]
    Oct 9 17:03:17 racoon: []: INFO: IPsec-SA established: ESP {LOCAL WAN IP}[500]->{REMOTE WAN IP}[500] spi=24904323(0x17c0283)
    Oct 9 17:03:17 racoon: []: INFO: IPsec-SA established: ESP {LOCAL WAN IP}[500]->{REMOTE WAN IP}[500] spi=6897838(0x6940ae)
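An added example, not from the thread or from pfSense/racoon, that parses log lines in the format shown above and flags a phase 2 that is being renegotiated every few seconds instead of once per lifetime (the posted sainfo sets 86400 s). The sample lines are constructed from the post, with its {LOCAL WAN IP}/{REMOTE WAN IP} placeholders kept.

```python
import re
from datetime import datetime

# Constructed sample modelled on the racoon log in the post above; the
# {LOCAL WAN IP}/{REMOTE WAN IP} placeholders are kept as in the post.
SAMPLE_LOG = """\
Oct 9 17:02:41 racoon: []: INFO: initiate new phase 2 negotiation: {LOCAL WAN IP}[500]<=>{REMOTE WAN IP}[500]
Oct 9 17:02:41 racoon: []: INFO: IPsec-SA established: ESP {LOCAL WAN IP}[500]->{REMOTE WAN IP}[500] spi=209101818(0xc76a3fa)
Oct 9 17:02:41 racoon: []: INFO: IPsec-SA established: ESP {LOCAL WAN IP}[500]->{REMOTE WAN IP}[500] spi=229382563(0xdac19a3)
Oct 9 17:02:53 racoon: []: INFO: initiate new phase 2 negotiation: {LOCAL WAN IP}[500]<=>{REMOTE WAN IP}[500]
Oct 9 17:02:53 racoon: []: INFO: IPsec-SA established: ESP {LOCAL WAN IP}[500]->{REMOTE WAN IP}[500] spi=166867411(0x9f231d3)
Oct 9 17:02:53 racoon: []: INFO: IPsec-SA established: ESP {LOCAL WAN IP}[500]->{REMOTE WAN IP}[500] spi=6083078(0x5cd206)
Oct 9 17:03:05 racoon: []: INFO: initiate new phase 2 negotiation: {LOCAL WAN IP}[500]<=>{REMOTE WAN IP}[500]
Oct 9 17:03:05 racoon: []: INFO: IPsec-SA established: ESP {LOCAL WAN IP}[500]->{REMOTE WAN IP}[500] spi=15487077(0xec5065)
Oct 9 17:03:05 racoon: []: INFO: IPsec-SA established: ESP {LOCAL WAN IP}[500]->{REMOTE WAN IP}[500] spi=150453300(0x8f7bc34)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) racoon: .*?INFO: "
    r"(?P<event>initiate new phase 2 negotiation|IPsec-SA established)"
)


def parse_racoon_log(text):
    """Return (timestamp, event) pairs for phase 2 lines; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog timestamps carry no year; strptime defaults it
            events.append((datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
                           m.group("event")))
    return events


def phase2_churn(text, max_gap=60, min_repeats=3):
    """Flag a tunnel whose phase 2 is renegotiated far below its lifetime.

    A healthy tunnel negotiates phase 2 once per lifetime and yields two child
    SAs, one per direction; fresh negotiations seconds apart mean the SAs are
    being replaced rather than used, so check both peers before touching rules.
    """
    events = parse_racoon_log(text)
    starts = [ts for ts, ev in events if ev.startswith("initiate")]
    gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
    return {
        "negotiations": len(starts),
        "sas_established": sum(ev == "IPsec-SA established" for _, ev in events),
        "min_gap_s": min(gaps) if gaps else None,
        "churn": len(starts) >= min_repeats and all(g <= max_gap for g in gaps),
    }
```

Run it against the local box's IPsec log (or pipe `clog` output into it) and compare the result on both ends; a churn flag on one side only matches the "green locally, nothing passes" symptom.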



  • I use the following setup for about 30 tunnels with no issue!

    Try this:

    Phase 1

    Auth Method: Mutual PSK
    Negotiation Mode: Main
    My Identifier:  My IP Address
    Peer Identifier: Peer IP Address or IP address and enter the remote public IP

    Preshared key:  You know the answer

    Policy Generation: Default
    Proposal Checking: Obey
    Encryption: Blowfish
Hash: SHA1
    DH: 2
    Lifetime: 28800
    NAT-T: Disabled
    DPD: No

    Phase 2:

    Protocol: ESP
    Encryption: Blowfish (Auto)
Hash: SHA1
    PFS: 2
    Lifetime: 3600

For testing purposes, make sure to allow all on the IPsec rule on both ends.



  • Not sure if this will help –

    But I had to add an address to ping on the other end to my configs before traffic would pass.

Also, if you have multiple gateways or a load share of some sort, be sure the traffic is going to the right route / gateway.


