Netgate Discussion Forum

    IPsec fails to connect after upgrade from 2.1.5 (IDir does not match)

    2.2 Snapshot Feedback and Problems - RETIRED
      samham

      I have a perfectly working IPsec tunnel to two different locations. However, after upgrading to 2.2BETA the tunnels failed to come up with the following errors:

      using 2.2-BETA-amd64-20140923-0500 snapshot

      Sep 25 10:11:10 pfsense charon: 09[KNL] creating acquire job for policy xx.xx.xx.xx/32|/0 === yy.yy.yy.yy/32|/0 with reqid {1}
      Sep 25 10:11:10 pfsense charon: 08[IKE] <con1|21>initiating Aggressive Mode IKE_SA con1[21] to yy.yy.yy.yy
      Sep 25 10:11:10 pfsense charon: 08[IKE] initiating Aggressive Mode IKE_SA con1[21] to yy.yy.yy.yy
      Sep 25 10:11:10 pfsense charon: 08[ENC] generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
      Sep 25 10:11:10 pfsense charon: 08[NET] sending packet: from xx.xx.xx.xx[500] to yy.yy.yy.yy[500] (374 bytes)
      Sep 25 10:11:10 pfsense charon: 08[NET] received packet: from yy.yy.yy.yy[500] to xx.xx.xx.xx[500] (447 bytes)
      Sep 25 10:11:10 pfsense charon: 08[ENC] parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V V NAT-D NAT-D V V ]
      Sep 25 10:11:10 pfsense charon: 08[IKE] <con1|21>received Cisco Unity vendor ID
      Sep 25 10:11:10 pfsense charon: 08[IKE] received Cisco Unity vendor ID
      Sep 25 10:11:10 pfsense charon: 08[IKE] <con1|21>received XAuth vendor ID
      Sep 25 10:11:10 pfsense charon: 08[IKE] received XAuth vendor ID
      Sep 25 10:11:10 pfsense charon: 08[IKE] <con1|21>received DPD vendor ID
      Sep 25 10:11:10 pfsense charon: 08[IKE] received DPD vendor ID
      Sep 25 10:11:10 pfsense charon: 08[IKE] <con1|21>received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      Sep 25 10:11:10 pfsense charon: 08[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      Sep 25 10:11:10 pfsense charon: 08[IKE] <con1|21>received FRAGMENTATION vendor ID
      Sep 25 10:11:10 pfsense charon: 08[IKE] received FRAGMENTATION vendor ID
      Sep 25 10:11:10 pfsense charon: 08[ENC] received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
      Sep 25 10:11:10 pfsense charon: 08[IKE] <con1|21>IDir 'LAB-FW1.acmy.com' does not match to 'yy.yy.yy.yy'
      Sep 25 10:11:10 pfsense charon: 08[IKE] IDir 'LAB-FW1.acmy.com' does not match to 'yy.yy.yy.yy'
      Sep 25 10:11:10 pfsense charon: 08[ENC] generating INFORMATIONAL_V1 request 3665657818 [ N(INVAL_ID) ]
      Sep 25 10:11:10 pfsense charon: 08[NET] sending packet: from xx.xx.xx.xx[500] to yy.yy.yy.yy[500] (56 bytes)

        eri--

        Can you describe your configuration?
        I would assume that if you send as peer ID its dns name would match that, no?

          samham

          site-to-site using peer ip

            eri--

            I need details!
            I need to see your configuration to replicate.

              samham

              Please tell me what to send you

                Clown

                Same Problem here, IDir 'Domain.name' does not match to 'IP address'.

                But I can Access the remote Firewall over Domain Name or IP address (using zoneedit).

                The Domain Name does have another reverse IP Name as it is from the Internet Provider.

                It's an IPsec pfSense <-> m0n0wall.

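As an added example (not part of the thread, and not pfSense or strongSwan code), this small parser pulls the `IDir ... does not match` events out of charon output like the log in the first post and reports whether the identity the peer sent and the one expected are the same kind of identifier. The sample log is constructed, using documentation addresses and a made-up host name, and the function names are this example's own.

```python
import ipaddress
import re

# Constructed sample in the format of the charon lines in the first post.
SAMPLE_LOG = """\
Sep 25 10:11:10 fw charon: 08[IKE] <con1|21> received DPD vendor ID
Sep 25 10:11:10 fw charon: 08[IKE] <con1|21> IDir 'fw.example.net' does not match to '203.0.113.10'
Sep 25 10:11:10 fw charon: 08[IKE] IDir 'fw.example.net' does not match to '203.0.113.10'
Sep 25 10:11:10 fw charon: 08[ENC] generating INFORMATIONAL_V1 request 1 [ N(INVAL_ID) ]
Sep 25 10:12:40 fw charon: 11[IKE] <con2|22> IDir '192.168.1.1' does not match to '198.51.100.7'
"""

MISMATCH = re.compile(
    r"charon: \d+\[IKE\] (?:<(?P<conn>[^|>]+)\|\d+>\s*)?"
    r"IDir '(?P<got>[^']+)' does not match to '(?P<want>[^']+)'"
)

def id_kind(value):
    """Classify an identity string as it is printed in the log."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        return "user_fqdn" if "@" in value else "fqdn"

def find_idir_mismatches(log_text):
    """Return one record per distinct (received, expected) identity pair."""
    findings = {}
    for line in log_text.splitlines():
        m = MISMATCH.search(line)
        if not m:
            continue
        rec = findings.setdefault((m["got"], m["want"]), {
            "conn": None,
            "received": m["got"], "received_kind": id_kind(m["got"]),
            "expected": m["want"], "expected_kind": id_kind(m["want"]),
        })
        # Each IKE line appears twice in this log format; only one copy names the connection.
        rec["conn"] = rec["conn"] or m["conn"]
        rec["type_mismatch"] = rec["received_kind"] != rec["expected_kind"]
    return list(findings.values())

if __name__ == "__main__":
    for rec in find_idir_mismatches(SAMPLE_LOG):
        hint = "different ID types" if rec["type_mismatch"] else "same ID type, different value"
        print(f'{rec["conn"]}: peer sent {rec["received"]!r} ({rec["received_kind"]}), '
              f'expected {rec["expected"]!r} ({rec["expected_kind"]}): {hint}')
```

A record with `type_mismatch` set, like the first one here, points at the identifier settings on the two ends of the tunnel rather than at the proposals or the pre-shared key.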
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.