IPsec fails to connect after upgrade from 2.1.5 (IDir does not match)


  • I have a perfectly working IPsec tunnel to two different locations. However, after upgrading to 2.2BETA the tunnels failed to come up with the following errors:

    using 2.2-BETA-amd64-20140923-0500 snapshot

    Sep 25 10:11:10 pfsense charon: 09[KNL] creating acquire job for policy xx.xx.xx.xx/32|/0 === yy.yy.yy.yy/32|/0 with reqid {1}
    Sep 25 10:11:10 pfsense charon: 08[IKE] <con1|21>initiating Aggressive Mode IKE_SA con1[21] to yy.yy.yy.yy
    Sep 25 10:11:10 pfsense charon: 08[IKE] initiating Aggressive Mode IKE_SA con1[21] to yy.yy.yy.yy
    Sep 25 10:11:10 pfsense charon: 08[ENC] generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
    Sep 25 10:11:10 pfsense charon: 08[NET] sending packet: from xx.xx.xx.xx[500] to yy.yy.yy.yy[500] (374 bytes)
    Sep 25 10:11:10 pfsense charon: 08[NET] received packet: from yy.yy.yy.yy[500] to xx.xx.xx.xx[500] (447 bytes)
    Sep 25 10:11:10 pfsense charon: 08[ENC] parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V V NAT-D NAT-D V V ]
    Sep 25 10:11:10 pfsense charon: 08[IKE] <con1|21>received Cisco Unity vendor ID
    Sep 25 10:11:10 pfsense charon: 08[IKE] received Cisco Unity vendor ID
    Sep 25 10:11:10 pfsense charon: 08[IKE] <con1|21>received XAuth vendor ID
    Sep 25 10:11:10 pfsense charon: 08[IKE] received XAuth vendor ID
    Sep 25 10:11:10 pfsense charon: 08[IKE] <con1|21>received DPD vendor ID
    Sep 25 10:11:10 pfsense charon: 08[IKE] received DPD vendor ID
    Sep 25 10:11:10 pfsense charon: 08[IKE] <con1|21>received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Sep 25 10:11:10 pfsense charon: 08[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Sep 25 10:11:10 pfsense charon: 08[IKE] <con1|21>received FRAGMENTATION vendor ID
    Sep 25 10:11:10 pfsense charon: 08[IKE] received FRAGMENTATION vendor ID
    Sep 25 10:11:10 pfsense charon: 08[ENC] received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
    Sep 25 10:11:10 pfsense charon: 08[IKE] <con1|21>IDir 'LAB-FW1.acmy.com' does not match to 'yy.yy.yy.yy'
    Sep 25 10:11:10 pfsense charon: 08[IKE] IDir 'LAB-FW1.acmy.com' does not match to 'yy.yy.yy.yy'
    Sep 25 10:11:10 pfsense charon: 08[ENC] generating INFORMATIONAL_V1 request 3665657818 [ N(INVAL_ID) ]
    Sep 25 10:11:10 pfsense charon: 08[NET] sending packet: from xx.xx.xx.xx[500] to yy.yy.yy.yy[500] (56 bytes)
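The log above shows the failure mode exactly: the remote peer identifies itself in its ID payload with an FQDN (`LAB-FW1.acmy.com`), while the local phase 1 is configured to expect the peer's IP address, so strongSwan's charon rejects the identity and answers with `N(INVAL_ID)`. The usual fix on the strongSwan side is to make the local "peer identifier" match the type and value the remote actually sends (here, an FQDN), or to change what the remote sends. The following is an added example, not code from the thread or from pfSense or strongSwan: a small Python helper that scans charon log lines for `IDir ... does not match to ...`, classifies both identities, and prints which side of the configuration to adjust. The sample log lines are constructed for the example and use RFC 5737 documentation addresses and an `example.com` hostname; the function names are my own.

```python
"""Flag IKEv1 identity (IDir) mismatches in strongSwan charon log lines.

Hypothetical helper written for this thread; it is not pfSense or strongSwan code.
"""
import ipaddress
import re
from typing import Dict, List

# Constructed sample log, modelled on the charon output quoted in the thread.
# Hostnames and addresses are documentation placeholders, not real peers.
SAMPLE_LOG = """\
Sep 25 10:11:10 pfsense charon: 08[IKE] <con1|21> initiating Aggressive Mode IKE_SA con1[21] to 203.0.113.10
Sep 25 10:11:10 pfsense charon: 08[IKE] <con1|21> IDir 'LAB-FW1.example.com' does not match to '203.0.113.10'
Sep 25 10:11:10 pfsense charon: 08[IKE] IDir 'LAB-FW1.example.com' does not match to '203.0.113.10'
Sep 25 10:11:10 pfsense charon: 08[ENC] generating INFORMATIONAL_V1 request 3665657818 [ N(INVAL_ID) ]
Sep 25 10:11:12 pfsense charon: 09[IKE] <con2|22> IKE_SA con2[22] established between 192.0.2.1[192.0.2.1]...198.51.100.7[198.51.100.7]
"""

# charon prints the message with or without the "<conn|sa>" tag; accept both.
IDIR_RE = re.compile(
    r"(?:<(?P<conn>[^|>]+)\|(?P<sa>\d+)>\s*)?"
    r"IDir '(?P<received>[^']+)' does not match to '(?P<expected>[^']+)'"
)
# A dotted hostname made of valid DNS labels (single-label names are "other").
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z0-9-]{1,63}$"
)


def identity_type(ident: str) -> str:
    """Classify an IKE identity string the way a phase 1 'peer identifier' would name it."""
    try:
        return "ipv%d" % ipaddress.ip_address(ident).version
    except ValueError:
        pass
    if "@" in ident:
        return "email"  # user-FQDN / e-mail style identity
    if FQDN_RE.match(ident):
        return "fqdn"
    return "other"


def parse_idir_mismatches(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per distinct (received, expected) identity pair.

    The log quoted in the thread carries each message twice (tagged and untagged),
    so duplicates are collapsed; the tagged line comes first and supplies conn/sa.
    """
    findings: List[Dict[str, str]] = []
    seen = set()
    for line in log_text.splitlines():
        m = IDIR_RE.search(line)
        if not m:
            continue
        key = (m.group("received"), m.group("expected"))
        if key in seen:
            continue
        seen.add(key)
        findings.append({
            "conn": m.group("conn") or "?",
            "sa": m.group("sa") or "?",
            "received": m.group("received"),
            "expected": m.group("expected"),
            "received_type": identity_type(m.group("received")),
            "expected_type": identity_type(m.group("expected")),
        })
    return findings


def suggest_fix(f: Dict[str, str]) -> str:
    """Remediation hint: make the local peer identifier match what the peer really sends."""
    where = "%s[%s]" % (f["conn"], f["sa"])
    if f["received_type"] == f["expected_type"]:
        return ("%s: peer sent %r, local phase 1 expects %r; both are %s identities, "
                "so the configured peer identifier value is wrong"
                % (where, f["received"], f["expected"], f["received_type"]))
    return ("%s: peer sent a %s identity %r but local phase 1 expects the %s %r; "
            "set the peer identifier type to %s with value %r, or change the "
            "identifier the remote side sends"
            % (where, f["received_type"], f["received"], f["expected_type"],
               f["expected"], f["received_type"], f["received"]))


if __name__ == "__main__":
    for finding in parse_idir_mismatches(SAMPLE_LOG):
        print(suggest_fix(finding))
```

Run it against a copy of the IPsec log (for example `python idir_check.py < ipsec.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`) and it reports, per connection, the identity type the peer presented versus the one the phase 1 was told to expect; the `N(INVAL_ID)` notify that follows in the log is the symptom of the same mismatch, not a separate problem.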


  • Can you describe your configuration?
    I would assume that if you send its DNS name as the peer ID it would match that, no?


  • site-to-site using peer ip


  • I need details!
    I need to see your configuration to replicate.


  • Please tell me what to send you


  • Same problem here, IDir 'Domain.name' does not match to 'IP address'.

    But I can access the remote firewall over domain name or IP address (using zoneedit).

    The domain name has a different reverse DNS name, as it is from the Internet provider.

    It's an IPsec pfSense <-> m0n0wall.