IPSec Traffic Issue/Question

  • Hi everyone!

    I have created an IPSec tunnel, and according to the logs, all goes smoothly.  I get a log entry in racoon as follows:

    INFO: IPsec-SA established: ESP xxx.xxx.xxx.xxx[500]->yyy.yyy.yyy.yyy[500] spi=2387206220(0x8e49e04c)

    The other end of the tunnel shows it as being up, but in the Status > IPSec screen, it shows a yellow "X" with an error.

    I am using my LAN subnet with a NAT address in Local Network.  I am unable to ping the "Remote Network" IP address, and at one point, the firewall logs showed traffic being blocked with a source of the Remote Network IP address, and a Destination of my NAT address.  I added a rule allowing this traffic, but the other end that was pinging the NAT address was still unable to get through.

    The rule has since been disabled, but the firewall logs are not showing the blocked traffic anymore.  Also, there is no traffic on interface "enc0" at all.

    What am I missing?  I don't believe I need to define a static route for the IPSec tunnel to be NATted through.


  • Further information! :)

    racoon is giving me the following:

    racoon: WARNING: no outbound policy found:[0][0] proto=any dir=out

    In my Phase2, I have my Local Network as "LAN Subnet", and the NAT/BINAT as "Address" -

    On the other end of the tunnel, the machine is continuously pinging  In the firewall logs, I can see exactly one entry for the ping (I created the firewall rule to allow it, and turned on logging for that rule).  Then nothing else.  Nothing is blocked, nothing gets through.

    In the Status: IPsec: SAD screen, I see 2 entries for the tunnel, and the Data column for data coming from the other end is gradually increasing.  The Data from my end is always at 0.

    It seems that racoon is not creating the outbound policy.  Do I require a specific firewall rule?  I have already created a rule to allow any traffic in the IPsec tab, for troubleshooting purposes.

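One way to confirm what racoon's "no outbound policy found" warning means, as an added example that is not from the original post: parse the SPD as printed by `setkey -DP` (the sample below is constructed, in the KAME/FreeBSD layout) and report which direction lacks an ipsec policy for the tunnel's selectors. The local selector is whatever Phase 2 installed (the NAT/BINAT address when one is configured); the subnets and peer addresses here are assumed.

```python
"""Check an SPD dump (the output of `setkey -DP`) for the two policies an IPsec
tunnel needs. SAMPLE_SPD is constructed for this example; its layout follows the
KAME/FreeBSD setkey format: a selector line `src[port] dst[port] proto`, then
indented lines for the direction/action and the esp/ah policy."""
import ipaddress
import re

# Constructed sample showing the symptom from the thread: an inbound policy for
# the tunnel exists, but no outbound one, so local traffic never enters enc0.
SAMPLE_SPD = """\
10.20.30.0/24[any] 192.168.1.0/24[any] any
\tin ipsec
\tesp/tunnel/198.51.100.2-203.0.113.1/unique
\tspid=2 seq=1 pid=1234
\trefcnt=1
"""

SELECTOR_RE = re.compile(r"^(\S+?)\[[^\]]*\]\s+(\S+?)\[[^\]]*\]\s+(\S+)$")


def parse_spd(dump):
    """Return one dict per SPD entry: src, dst (ip_network), proto, dir, action, ipsec."""
    entries = []
    for line in dump.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():                      # selector line starts an entry
            m = SELECTOR_RE.match(line.strip())
            if m:
                entries.append({"src": ipaddress.ip_network(m.group(1), strict=False),
                                "dst": ipaddress.ip_network(m.group(2), strict=False),
                                "proto": m.group(3), "dir": None, "action": None,
                                "ipsec": []})
        elif entries:                                  # indented detail line
            tok = line.split()
            if tok[0] in ("in", "out", "fwd") and len(tok) > 1:
                entries[-1]["dir"], entries[-1]["action"] = tok[0], tok[1]
            elif tok[0].startswith(("esp/", "ah/", "ipcomp/")):
                entries[-1]["ipsec"].append(tok[0])
    return entries


def missing_policies(entries, local_net, remote_net):
    """Return the directions ('in', 'out') lacking an 'ipsec' policy whose selectors
    match local->remote (out) or remote->local (in). Empty list means both exist."""
    local, remote = ipaddress.ip_network(local_net), ipaddress.ip_network(remote_net)
    want = {"out": (local, remote), "in": (remote, local)}
    found = {d for e in entries for d, (s, t) in want.items()
             if e["dir"] == d and e["action"] == "ipsec" and e["src"] == s and e["dst"] == t}
    return sorted(set(want) - found)


if __name__ == "__main__":
    gaps = missing_policies(parse_spd(SAMPLE_SPD), "192.168.1.0/24", "10.20.30.0/24")
    print("missing SPD directions:", gaps)             # sample prints ['out']
```

Run it against real output with `setkey -DP | python3 check_spd.py` after swapping SAMPLE_SPD for `sys.stdin.read()`; a missing "out" entry matches the SAD symptom in the post (remote bytes climbing, local bytes stuck at 0).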

  • With much trepidation and carelessly reckless abandon I will see if using the filer package will work.  Not sure if it will overwrite the conf file or not, but hey, nothing ventured and all that jazz.  I am leaning much more towards just telling the support staff that they will just have to get OpenVPN installed on all the client systems and to deal with the time it will take to do this.  That seems like it will be a much better option in the end.

  • After working closely with the other end, we were able to get a tunnel going by not using NAT.  Once we removed that, and changed their configuration accordingly, the tunnel came up.

    The only problem now, is that only their end can bring up the tunnel.  Whenever my end tries to initiate the tunnel, it gives Phase2 errors.  The wonderful "NO PROPOSAL CHOSEN" error ID.

    Would anyone know what I'm doing wrong in this situation?  I have confirmed on their end that the tunnel is configured as Bidirectional, and should be able to be brought up from either end.

    Not sure if it matters, but I am connecting this tunnel to a Cisco ASA.

