IPsec Tunnel Green Local Only - No Traffic Passes
-
Hi All,
I'm having problems with an IPsec site-to-site tunnel.
My symptoms are that the "Status" indicator goes green on the local side only and no traffic passes between the sites.
I have a firewall rule on both boxes' IPsec interfaces to allow all protocols to and from "all".
My racoon.conf file is below…
Thanks! I appreciate any help you can provide.
cat racoon.conf
# This file is automatically generated. Do not edit
path pre_shared_key "/var/etc/psk.txt";
path certificate "/var/etc";
listen
{
        adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
        isakmp {LOCAL WAN IP} [500];
        isakmp_natt {LOCAL WAN IP} [4500];
}
remote {REMOTE WAN IP}
{
        ph1id 1;
        exchange_mode aggressive;
        my_identifier user_fqdn "pat@sj.local";
        peers_identifier user_fqdn "pat@pa.local";
        ike_frag on;
        generate_policy = require;
        initial_contact = on;
        nat_traversal = on;
        dpd_delay = 10;
        dpd_maxfail = 5;
        support_proxy on;
        proposal_check strict;
        proposal
        {
                authentication_method pre_shared_key;
                encryption_algorithm 3des;
                hash_algorithm sha1;
                dh_group 2;
                lifetime time 28800 secs;
        }
}
sainfo subnet 172.16.1.0/24 any subnet 10.1.1.0/24 any
{
        remoteid 1;
        encryption_algorithm blowfish 128;
        authentication_algorithm hmac_sha1;
        pfs_group 2;
        lifetime time 86400 secs;
        compression_algorithm deflate;
}
Here is what the IPsec log looks like on the local box when the sites connect and I'm sending ICMP:
Oct 9 17:02:41 racoon: []: INFO: initiate new phase 2 negotiation: {LOCAL WAN IP}[500]<=>{REMOTE WAN IP}[500]
Oct 9 17:02:41 racoon: []: INFO: IPsec-SA established: ESP {LOCAL WAN IP}[500]->{REMOTE WAN IP}[500] spi=209101818(0xc76a3fa)
Oct 9 17:02:41 racoon: []: INFO: IPsec-SA established: ESP {LOCAL WAN IP}[500]->{REMOTE WAN IP}[500] spi=229382563(0xdac19a3)
Oct 9 17:02:53 racoon: []: INFO: initiate new phase 2 negotiation: {LOCAL WAN IP}[500]<=>{REMOTE WAN IP}[500]
Oct 9 17:02:53 racoon: []: INFO: IPsec-SA established: ESP {LOCAL WAN IP}[500]->{REMOTE WAN IP}[500] spi=166867411(0x9f231d3)
Oct 9 17:02:53 racoon: []: INFO: IPsec-SA established: ESP {LOCAL WAN IP}[500]->{REMOTE WAN IP}[500] spi=6083078(0x5cd206)
Oct 9 17:03:05 racoon: []: INFO: initiate new phase 2 negotiation: {LOCAL WAN IP}[500]<=>{REMOTE WAN IP}[500]
Oct 9 17:03:05 racoon: []: INFO: IPsec-SA established: ESP {LOCAL WAN IP}[500]->{REMOTE WAN IP}[500] spi=15487077(0xec5065)
Oct 9 17:03:05 racoon: []: INFO: IPsec-SA established: ESP {LOCAL WAN IP}[500]->{REMOTE WAN IP}[500] spi=150453300(0x8f7bc34)
Oct 9 17:03:17 racoon: []: INFO: initiate new phase 2 negotiation: {LOCAL WAN IP}[500]<=>{REMOTE WAN IP}[500]
Oct 9 17:03:17 racoon: []: INFO: IPsec-SA established: ESP {LOCAL WAN IP}[500]->{REMOTE WAN IP}[500] spi=24904323(0x17c0283)
Oct 9 17:03:17 racoon: []: INFO: IPsec-SA established: ESP {LOCAL WAN IP}[500]->{REMOTE WAN IP}[500] spi=6897838(0x6940ae)
-
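The log in the post above shows a new phase 2 negotiation, each time with fresh SPIs, every 12 seconds, while the posted sainfo block sets a phase 2 lifetime of 86400 seconds. The Python script below is an added example, not code from the thread or from racoon: it parses racoon log lines of that shape, groups them into negotiations, and flags the rekey churn by comparing the gaps between negotiations with the configured lifetime. The sample log is constructed from the posted lines, with RFC 5737 documentation addresses standing in for the redacted WAN IPs; the year is assumed because racoon's syslog lines carry none, and the 1% churn threshold is a chosen heuristic, not a racoon setting.

```python
import re
import statistics
from datetime import datetime

# Constructed sample, modelled on the racoon lines posted in the thread.
# Peer addresses are RFC 5737 documentation placeholders standing in for the
# redacted {LOCAL WAN IP} / {REMOTE WAN IP}; SPI values are the ones from the post.
SAMPLE_LOG = """\
Oct 9 17:02:41 racoon: []: INFO: initiate new phase 2 negotiation: 198.51.100.1[500]<=>203.0.113.1[500]
Oct 9 17:02:41 racoon: []: INFO: IPsec-SA established: ESP 198.51.100.1[500]->203.0.113.1[500] spi=209101818(0xc76a3fa)
Oct 9 17:02:41 racoon: []: INFO: IPsec-SA established: ESP 198.51.100.1[500]->203.0.113.1[500] spi=229382563(0xdac19a3)
Oct 9 17:02:53 racoon: []: INFO: initiate new phase 2 negotiation: 198.51.100.1[500]<=>203.0.113.1[500]
Oct 9 17:02:53 racoon: []: INFO: IPsec-SA established: ESP 198.51.100.1[500]->203.0.113.1[500] spi=166867411(0x9f231d3)
Oct 9 17:02:53 racoon: []: INFO: IPsec-SA established: ESP 198.51.100.1[500]->203.0.113.1[500] spi=6083078(0x5cd206)
Oct 9 17:03:05 racoon: []: INFO: initiate new phase 2 negotiation: 198.51.100.1[500]<=>203.0.113.1[500]
Oct 9 17:03:05 racoon: []: INFO: IPsec-SA established: ESP 198.51.100.1[500]->203.0.113.1[500] spi=15487077(0xec5065)
Oct 9 17:03:05 racoon: []: INFO: IPsec-SA established: ESP 198.51.100.1[500]->203.0.113.1[500] spi=150453300(0x8f7bc34)
Oct 9 17:03:17 racoon: []: INFO: initiate new phase 2 negotiation: 198.51.100.1[500]<=>203.0.113.1[500]
Oct 9 17:03:17 racoon: []: INFO: IPsec-SA established: ESP 198.51.100.1[500]->203.0.113.1[500] spi=24904323(0x17c0283)
Oct 9 17:03:17 racoon: []: INFO: IPsec-SA established: ESP 198.51.100.1[500]->203.0.113.1[500] spi=6897838(0x6940ae)
"""

# Phase 2 lifetime from the posted sainfo block ("lifetime time 86400 secs;").
PHASE2_LIFETIME_SECS = 86400

# racoon's syslog format carries no year; one is assumed so timestamps can be subtracted.
ASSUMED_YEAR = 2000

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) racoon: \[.*?\]: (?P<level>\w+): (?P<msg>.*)$"
)
INIT_RE = re.compile(r"initiate new phase 2 negotiation: (?P<local>\S+)<=>(?P<remote>\S+)")
SA_RE = re.compile(
    r"IPsec-SA established: ESP (?P<src>\S+)->(?P<dst>\S+) spi=(?P<spi>\d+)\((?P<hex>0x[0-9a-f]+)\)"
)


def parse_timestamp(ts: str) -> datetime:
    """Turn 'Oct 9 17:02:41' into a datetime (year assumed, see ASSUMED_YEAR)."""
    return datetime.strptime(f"{ASSUMED_YEAR} {ts}", "%Y %b %d %H:%M:%S")


def parse_phase2_events(log_text: str) -> list:
    """Group racoon log lines into phase 2 negotiations.

    Each negotiation starts at an 'initiate new phase 2 negotiation' line and
    collects the SPIs of the 'IPsec-SA established' lines that follow it
    (a complete ESP child SA is a pair: one SPI per direction).
    """
    negotiations = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a racoon line in the expected shape; skip it
        msg = m.group("msg")
        init = INIT_RE.search(msg)
        if init:
            negotiations.append({
                "time": parse_timestamp(m.group("ts")),
                "local": init.group("local"),
                "remote": init.group("remote"),
                "spis": [],
            })
            continue
        sa = SA_RE.search(msg)
        if sa and negotiations:
            negotiations[-1]["spis"].append(int(sa.group("spi")))
    return negotiations


def assess_tunnel(negotiations: list, lifetime_secs: int, churn_fraction: float = 0.01) -> dict:
    """Compare observed phase 2 behaviour with the configured lifetime.

    A stable tunnel negotiates one SA pair and keeps it for close to lifetime_secs.
    If every gap between successive negotiations is below churn_fraction of the
    lifetime (1% of 86400 s is 864 s), the SAs are being replaced far sooner than
    the configuration intends, which is the pattern to examine when the tunnel
    shows green on one side but no traffic crosses it.
    """
    intervals = [
        (later["time"] - earlier["time"]).total_seconds()
        for earlier, later in zip(negotiations, negotiations[1:])
    ]
    spis = [spi for n in negotiations for spi in n["spis"]]
    return {
        "negotiations": len(negotiations),
        "incomplete_negotiations": sum(1 for n in negotiations if len(n["spis"]) != 2),
        "unique_spis": len(set(spis)),
        "min_interval_secs": min(intervals) if intervals else None,
        "median_interval_secs": statistics.median(intervals) if intervals else None,
        "churning": bool(intervals) and max(intervals) < lifetime_secs * churn_fraction,
    }


if __name__ == "__main__":
    events = parse_phase2_events(SAMPLE_LOG)
    for key, value in assess_tunnel(events, PHASE2_LIFETIME_SECS).items():
        print(f"{key}: {value}")
```

Run against the sample it reports four negotiations, eight distinct SPIs, a 12 second median gap and churning set to True. Pointing it at a real racoon log (with the real WAN addresses in place of the placeholders) gives a quick, repeatable check of whether the remote end is actually keeping the SAs the local side believes it has established, before digging into proposal or identifier mismatches.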
I use the following setup for about 30 tunnels with no issue!
Try this:
Phase 1:
Auth Method: Mutual PSK
Negotiation Mode: Main
My Identifier: My IP Address
Peer Identifier: Peer IP Address, or IP address and enter the remote public IP
Preshared key: You know the answer
Policy Generation: Default
Proposal Checking: Obey
Encryption: Blowfish
Hash: SHA1
DH: 2
Lifetime: 28800
NAT-T: Disabled
DPD: No
Phase 2:
Protocol: ESP
Encryption: Blowfish (Auto)
Hash: SHA1
PFS: 2
Lifetime: 3600
Make sure for testing purposes to allow all on the IPsec rule on both ends.
-
Not sure if this will help –
But I had to add an address to ping on the other end to my configs before traffic would pass.
Also, if you have multiple gateways or a load share of some sort, be sure the traffic is going to the right route / gateway.