IPsec tunnel problem with 2.1.5 and 2.2rc



  • Hi,
    I can't get my tunnels connected anymore since build from 7th of Jan.
    before it was working good with Aggressive Mode, but even switching to Main didn't help.
    I have 2 phase 2 policies.
    The other side of course is a pfsense 2.1.5
    I'm using Main, AES/256, with SHA, DH Key2 with NAT-T enabled.
    Phase2: ESP, AES(auto) with SHA1, MD5, PFS key2
    Additional info: I'm dual homed, already tried to switch the tunnel to other WAN, same result.

    Updated to build 11th of Jan.

    Errors on the 2.1.5:

    
    Jan 10 17:17:16 	racoon: ERROR: phase1 negotiation failed due to time up. 14607675c166a280:0000000000000000
    Jan 10 17:17:10 	racoon: [mchome kabel]: [9.1.176.100] INFO: request for establishing IPsec-SA was queued due to no phase1 found.
    Jan 10 17:17:07 	racoon: [mchome kabel]: [9.1.176.100] INFO: request for establishing IPsec-SA was queued due to no phase1 found.
    Jan 10 17:17:02 	racoon: INFO: delete phase 2 handler.
    Jan 10 17:17:02 	racoon: [mchome kabel]: [9.1.176.100] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 9.1.176.100[0]->6.1.47.71[0]
    
    


  • This is the log from 2.2build 11th of Jan:

    
    Jan 11 12:29:46 	charon: 15[CFG] ignoring acquire, connection attempt pending
    Jan 11 12:29:46 	charon: 16[KNL] creating acquire job for policy 9.1.188.120/32|/0 === 6.1.47.71/32|/0 with reqid {5}
    Jan 11 12:29:40 	charon: 16[NET] sending packet: from 9.1.188.120[500] to 6.1.47.71[500] (184 bytes)
    Jan 11 12:29:40 	charon: 16[ENC] generating ID_PROT response 0 [ SA V V V V V ]
    Jan 11 12:29:40 	charon: 16[IKE] 6.1.47.71 is initiating a Main Mode IKE_SA
    Jan 11 12:29:40 	charon: 16[IKE] <95> 6.1.47.71 is initiating a Main Mode IKE_SA
    Jan 11 12:29:40 	charon: 16[IKE] received DPD vendor ID
    Jan 11 12:29:40 	charon: 16[IKE] <95> received DPD vendor ID
    Jan 11 12:29:40 	charon: 16[IKE] received FRAGMENTATION vendor ID
    Jan 11 12:29:40 	charon: 16[IKE] <95> received FRAGMENTATION vendor ID
    Jan 11 12:29:40 	charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
    Jan 11 12:29:40 	charon: 16[IKE] <95> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
    Jan 11 12:29:40 	charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Jan 11 12:29:40 	charon: 16[IKE] <95> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Jan 11 12:29:40 	charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Jan 11 12:29:40 	charon: 16[IKE] <95> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    Jan 11 12:29:40 	charon: 16[IKE] received NAT-T (RFC 3947) vendor ID
    Jan 11 12:29:40 	charon: 16[IKE] <95> received NAT-T (RFC 3947) vendor ID
    Jan 11 12:29:40 	charon: 16[ENC] parsed ID_PROT request 0 [ SA V V V V V V ]
    Jan 11 12:29:40 	charon: 16[NET] received packet: from 6.1.47.71[500] to 9.1.188.120[500] (212 bytes)
    
    

    This one is 9.1.188.120 and trying to reach the .47.71

    The ipsec status shows this:

    Any identifier 9.1.188.120
    Port: 500 Any identifier 6.1.47.71
    Port: 500 IKEv1
    responder AES_CBC:256
    HMAC_SHA1_96:0
    PRF_HMAC_SHA1
    MODP_1024

    connecting

    Connect

    inetra_LAN-DMZ Any identifier 9.1.188.120
    Port: 500 Any identifier 6.1.47.71
    Port: 500 IKEv1
    initiator

    connecting

    Any help greatly appreciated.
    Marc



  • Update:
    The tunnel is defined to use IF WAN, but when I do a packetcapture with filter on IF KABEL (o pf2.2) I can see packets with WAN public ipaddess to my remote peer with port 500 (UDP).

    Either there's something wrong with the Packetcapture or chron is sending right packets on wrong if out.
    With 'right' I mean they do have the IP of the IF they should leave from but are showing on the wrong IF (KABEL).



  • Hmm, just found that I'm using advanced outbound NAT with these two rules:
    ( Hybrid Outbound NAT rule generation
    (Automatic Outbound NAT + rules below)

    KABELDE  192.168.24.0/24 * * * KABELDE address * NO  
    WAN  any * * * WAN address * NO

    Could this be my problem with charon ?



  • Your WAN NAT with source "any" is definitely a problem, that's NATing the IPsec, which you can't do.

    You'll also want to be on something newer than the 7th with IPsec and multi-WAN, there were issues there that were resolved a day or so after that.



  • Thanks for the hint.
    I updated to the evening build of the 11th, removed the "any" NAT rule and still get stuck.



  • You need something from today late or wait or tomorrow ones.



  • Now seeing:

    Jan 12 21:07:29 	racoon: [mchome kabel]: [93.104.176.148] ERROR: couldn't find the pskey for 93.104.176.148.
    Jan 12 21:07:29 	racoon: INFO: Adding xauth VID payload.
    Jan 12 21:07:29 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Jan 12 21:07:29 	racoon: INFO: received Vendor ID: RFC 3947
    Jan 12 21:07:29 	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Jan 12 21:07:29 	racoon: INFO: received Vendor ID: CISCO-UNITY
    Jan 12 21:07:29 	racoon: INFO: received Vendor ID: DPD
    Jan 12 21:07:29 	racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Jan 12 21:07:29 	racoon: INFO: begin Identity Protection mode.
    
    
    Jan 12 21:07:28 	racoon: ERROR: such policy already exists. anyway replace it: 192.168.24.0/24[0] 10.0.48.0/24[0] proto=any dir=in
    Jan 12 21:07:28 	racoon: ERROR: such policy already exists. anyway replace it: 10.0.48.0/24[0] 192.168.24.0/24[0] proto=any dir=out
    Jan 12 21:07:28 	racoon: ERROR: such policy already exists. anyway replace it: 192.168.24.0/24[0] 10.0.47.0/24[0] proto=any dir=in
    Jan 12 21:07:28 	racoon: ERROR: such policy already exists. anyway replace it: 10.0.47.0/24[0] 192.168.24.0/24[0] proto=any dir=out
    Jan 12 21:07:28 	racoon: INFO: unsupported PF_KEY message REGISTER
    Jan 12 21:07:28 	racoon: INFO: unsupported PF_KEY message REGISTER
    Jan 12 21:07:28 	racoon: INFO: unsupported PF_KEY message REGISTER
    
    


  • @Ermal:
    I took the latest availabled thru my autoupdater 20mins ago.
    Will check again for the next 2hours… UPDATED to todays release:
    Still getting above errors and :

    Jan 12 21:27:55 	racoon: INFO: delete phase 2 handler.
    Jan 12 21:27:55 	racoon: [mchome kabel]: [9.1.180.217] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 9.1.180.217[0]->6.1.47.71[0]
    

    Anymore ideas ?



  • You're still getting the "ERROR: couldn't find the pskey" log from your post earlier today? Likely you have a config mismatch of some sort, maybe after changing the WANs around things weren't set back to match appropriately.



  • Hi Chris,

    yes, that's what I see on the 2.1.5 side on the 2.2 I see the log below:
    I just updated to the todays build.

    
    Jan 13 20:16:53 	charon: 16[NET] sending packet: from 9.1.180.214[500] to 6.1.47.71[500] (196 bytes)
    Jan 13 20:16:53 	charon: 16[ENC] generating ID_PROT response 0 [ KE No ]
    Jan 13 20:16:53 	charon: 16[ENC] parsed ID_PROT request 0 [ KE No ]
    Jan 13 20:16:53 	charon: 16[NET] received packet: from 6.1.47.71[500] to 9.1.180.214[500] (180 bytes)
    Jan 13 20:16:53 	charon: 16[NET] sending packet: from 9.1.180.214[500] to 6.1.47.71[500] (144 bytes)
    Jan 13 20:16:53 	charon: 16[ENC] generating ID_PROT response 0 [ SA V V V ]
    Jan 13 20:16:53 	charon: 16[IKE] 6.1.47.71 is initiating a Main Mode IKE_SA
    Jan 13 20:16:53 	charon: 16[IKE] <205> 6.1.47.71 is initiating a Main Mode IKE_SA
    Jan 13 20:16:53 	charon: 16[IKE] received DPD vendor ID
    Jan 13 20:16:53 	charon: 16[IKE] <205> received DPD vendor ID
    Jan 13 20:16:53 	charon: 16[IKE] received FRAGMENTATION vendor ID
    Jan 13 20:16:53 	charon: 16[IKE] <205> received FRAGMENTATION vendor ID
    Jan 13 20:16:53 	charon: 16[ENC] parsed ID_PROT request 0 [ SA V V ]
    Jan 13 20:16:53 	charon: 16[NET] received packet: from 6.1.47.71[500] to 9.1.180.214[500] (132 bytes)
    Jan 13 20:16:50 	charon: 16[CFG] ignoring acquire, connection attempt pending
    Jan 13 20:16:50 	charon: 09[KNL] creating acquire job for policy 9.1.180.214/32|/0 === 6.1.47.71/32|/0 with reqid {21}
    Jan 13 20:16:46 	charon: 09[JOB] deleting half open IKE_SA after timeout
    Jan 13 20:16:45 	charon: 09[CFG] ignoring acquire, connection attempt pending
    Jan 13 20:16:45 	charon: 16[KNL] creating acquire job for policy 9.1.180.214/32|/0 === 6.1.47.71/32|/0 with reqid {21}
    Jan 13 20:16:43 	charon: 16[NET] sending packet: from 9.1.180.214[500] to 6.1.47.71[500] (108 bytes)
    Jan 13 20:16:43 	charon: 16[IKE] sending retransmit 5 of request message ID 0, seq 3
    Jan 13 20:16:43 	charon: 16[IKE] <con1000|192> sending retransmit 5 of request message ID 0, seq 3
    Jan 13 20:16:29 	charon: 16[CFG] ignoring acquire, connection attempt pending
    Jan 13 20:16:29 	charon: 10[KNL] creating acquire job for policy 9.1.180.214/32|/0 === 6.1.47.71/32|/0 with reqid {21}
    Jan 13 20:16:16 	charon: 10[NET] sending packet: from 9.1.180.214[500] to 6.1.47.71[500] (196 bytes)
    Jan 13 20:16:16 	charon: 10[ENC] generating ID_PROT response 0 [ KE No ]
    Jan 13 20:16:16 	charon: 10[ENC] parsed ID_PROT request 0 [ KE No ]
    Jan 13 20:16:16 	charon: 10[NET] received packet: from 6.1.47.71[500] to 9.1.180.214[500] (180 bytes)
    Jan 13 20:16:16 	charon: 10[NET] sending packet: from 9.1.180.214[500] to 6.1.47.71[500] (144 bytes)
    Jan 13 20:16:16 	charon: 10[ENC] generating ID_PROT response 0 [ SA V V V ]
    Jan 13 20:16:16 	charon: 10[IKE] 6.1.47.71 is initiating a Main Mode IKE_SA
    Jan 13 20:16:16 	charon: 10[IKE] <204> 6.1.47.71 is initiating a Main Mode IKE_SA
    Jan 13 20:16:16 	charon: 10[IKE] received DPD vendor ID
    Jan 13 20:16:16 	charon: 10[IKE] <204> received DPD vendor ID
    Jan 13 20:16:16 	charon: 10[IKE] received FRAGMENTATION vendor ID
    Jan 13 20:16:16 	charon: 10[IKE] <204> received FRAGMENTATION vendor ID
    Jan 13 20:16:16 	charon: 10[ENC] parsed ID_PROT request 0 [ SA V V ]
    Jan 13 20:16:16 	charon: 10[NET] received packet: from 6.1.47.71[500] to 9.1.180.214[500] (132 bytes)
    Jan 13 20:16:15 	charon: 10[JOB] deleting half open IKE_SA after timeout
    Jan 13 20:16:01 	charon: 10[CFG] ignoring acquire, connection attempt pending
    Jan 13 20:16:01 	charon: 16[KNL] creating acquire job for policy 9.1.180.214/32|/0 === 6.1.47.71/32|/0 with reqid {21}
    Jan 13 20:16:01 	charon: 16[NET] sending packet: from 9.1.180.214[500] to 6.1.47.71[500] (108 bytes)
    Jan 13 20:16:01 	charon: 16[IKE] sending retransmit 4 of request message ID 0, seq 3
    Jan 13 20:16:01 	charon: 16[IKE] <con1000|192> sending retransmit 4 of request message ID 0, seq 3
    Jan 13 20:15:54 	charon: 16[CFG] ignoring acquire, connection attempt pending
    Jan 13 20:15:54 	charon: 10[KNL] creating acquire job for policy 9.1.180.214/32|/0 === 6.1.47.71/32|/0 with reqid {21}
    Jan 13 20:15:45 	charon: 10[NET] sending packet: from 9.1.180.214[500] to 6.1.47.71[500] (196 bytes)
    Jan 13 20:15:45 	charon: 10[ENC] generating ID_PROT response 0 [ KE No ]
    Jan 13 20:15:45 	charon: 10[ENC] parsed ID_PROT request 0 [ KE No ]
    Jan 13 20:15:45 	charon: 10[NET] received packet: from 6.1.47.71[500] to 9.1.180.214[500] (180 bytes)
    Jan 13 20:15:45 	charon: 10[NET] sending packet: from 9.1.180.214[500] to 6.1.47.71[500] (144 bytes)
    Jan 13 20:15:45 	charon: 10[ENC] generating ID_PROT response 0 [ SA V V V ]
    Jan 13 20:15:45 	charon: 10[IKE] 6.1.47.71 is initiating a Main Mode IKE_SA
    Jan 13 20:15:45 	charon: 10[IKE] <203> 6.1.47.71 is initiating a Main Mode IKE_SA
    Jan 13 20:15:45 	charon: 10[IKE] received DPD vendor ID
    Jan 13 20:15:45 	charon: 10[IKE] <203> received DPD vendor ID
    Jan 13 20:15:45 	charon: 10[IKE] received FRAGMENTATION vendor ID
    Jan 13 20:15:45 	charon: 10[IKE] <203> received FRAGMENTATION vendor ID
    Jan 13 20:15:45 	charon: 10[ENC] parsed ID_PROT request 0 [ SA V V ]
    Jan 13 20:15:45 	charon: 10[NET] received packet: from 6.1.47.71[500] to 9.1.180.214[500] (132 bytes)
    Jan 13 20:15:42 	charon: 10[JOB] deleting half open IKE_SA after timeout
    Jan 13 20:15:39 	charon: 10[CFG] ignoring acquire, connection attempt pending
    Jan 13 20:15:39 	charon: 16[KNL] creating acquire job for policy 9.1.180.214/32|/0 === 6.1.47.71/32|/0 with reqid {21}
    Jan 13 20:15:37 	charon: 16[NET] sending packet: from 9.1.180.214[500] to 6.1.47.71[500] (108 bytes)
    Jan 13 20:15:37 	charon: 16[IKE] sending retransmit 3 of request message ID 0, seq 3
    Jan 13 20:15:37 	charon: 16[IKE] <con1000|192> sending retransmit 3 of request message ID 0, seq 3
    Jan 13 20:15:33 	charon: 16[JOB] deleting half open IKE_SA after timeout
    Jan 13 20:15:24 	charon: 12[NET] sending packet: from 9.1.180.214[500] to 6.1.47.71[500] (108 bytes)
    Jan 13 20:15:24 	charon: 12[IKE] sending retransmit 2 of request message ID 0, seq 3
    Jan 13 20:15:24 	charon: 12[IKE] <con1000|192> sending retransmit 2 of request message ID 0, seq 3
    Jan 13 20:15:17 	charon: 12[CFG] ignoring acquire, connection attempt pending
    Jan 13 20:15:17 	charon: 16[KNL] creating acquire job for policy 9.1.180.214/32|/0 === 6.1.47.71/32|/0 with reqid {21}
    Jan 13 20:15:17 	charon: 16[NET] sending packet: from 9.1.180.214[500] to 6.1.47.71[500] (108 bytes)
    Jan 13 20:15:17 	charon: 16[IKE] sending retransmit 1 of request message ID 0, seq 3
    Jan 13 20:15:17 	charon: 16[IKE] <con1000|192> sending retransmit 1 of request message ID 0, seq 3
    Jan 13 20:15:13 	charon: 12[NET] sending packet: from 9.1.180.214[500] to 6.1.47.71[500] (108 bytes)
    Jan 13 20:15:13 	charon: 12[ENC] generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
    Jan 13 20:15:13 	charon: 12[ENC] parsed ID_PROT response 0 [ KE No ]
    Jan 13 20:15:13 	charon: 12[NET] received packet: from 6.1.47.71[500] to 9.1.180.214[500] (180 bytes)
    Jan 13 20:15:13 	charon: 12[NET] sending packet: from 9.1.180.214[500] to 6.1.47.71[500] (196 bytes)
    Jan 13 20:15:13 	charon: 12[ENC] generating ID_PROT request 0 [ KE No ]
    Jan 13 20:15:13 	charon: 12[IKE] received FRAGMENTATION vendor ID
    Jan 13 20:15:13 	charon: 12[IKE] <con1000|192> received FRAGMENTATION vendor ID
    Jan 13 20:15:13 	charon: 12[IKE] received DPD vendor ID
    Jan 13 20:15:13 	charon: 12[IKE] <con1000|192> received DPD vendor ID
    Jan 13 20:15:13 	charon: 12[IKE] received XAuth vendor ID
    Jan 13 20:15:13 	charon: 12[IKE] <con1000|192> received XAuth vendor ID
    Jan 13 20:15:13 	charon: 12[ENC] parsed ID_PROT response 0 [ SA V V V ]
    Jan 13 20:15:13 	charon: 12[NET] received packet: from 6.1.47.71[500] to 9.1.180.214[500] (144 bytes)
    Jan 13 20:15:13 	charon: 12[NET] sending packet: from 9.1.180.214[500] to 6.1.47.71[500] (184 bytes)
    Jan 13 20:15:13 	charon: 12[ENC] generating ID_PROT request 0 [ SA V V V V V ]
    Jan 13 20:15:13 	charon: 12[IKE] initiating Main Mode IKE_SA con1000[192] to 6.1.47.71
    Jan 13 20:15:13 	charon: 12[IKE] <con1000|192> initiating Main Mode IKE_SA con1000[192] to 6.1.47.71
    Jan 13 20:15:13 	charon: 12[IKE] peer not responding, trying again (3/3)
    Jan 13 20:15:13 	charon: 12[IKE] <con1000|192> peer not responding, trying again (3/3)
    Jan 13 20:15:13 	charon: 12[IKE] giving up after 5 retransmits
    Jan 13 20:15:13 	charon: 12[IKE] <con1000|192> giving up after 5 retransmits
    Jan 13 20:15:12 	charon: 12[NET] sending packet: from 9.1.180.214[500] to 6.1.47.71[500] (196 bytes)
    Jan 13 20:15:12 	charon: 12[ENC] generating ID_PROT response 0 [ KE No ]
    Jan 13 20:15:12 	charon: 12[ENC] parsed ID_PROT request 0 [ KE No ]
    Jan 13 20:15:12 	charon: 12[NET] received packet: from 6.1.47.71[500] to 9.1.180.214[500] (180 bytes)
    Jan 13 20:15:12 	charon: 12[NET] sending packet: from 9.1.180.214[500] to 6.1.47.71[500] (144 bytes)
    Jan 13 20:15:12 	charon: 12[ENC] generating ID_PROT response 0 [ SA V V V ]
    Jan 13 20:15:12 	charon: 12[IKE] 6.1.47.71 is initiating a Main Mode IKE_SA
    Jan 13 20:15:12 	charon: 12[IKE] <202> 6.1.47.71 is initiating a Main Mode IKE_SA
    Jan 13 20:15:12 	charon: 12[IKE] received DPD vendor ID
    Jan 13 20:15:12 	charon: 12[IKE] <202> received DPD vendor ID
    Jan 13 20:15:12 	charon: 12[IKE] received FRAGMENTATION vendor ID
    Jan 13 20:15:12 	charon: 12[IKE] <202> received FRAGMENTATION vendor ID
    Jan 13 20:15:12 	charon: 12[ENC] parsed ID_PROT request 0 [ SA V V ]
    Jan 13 20:15:12 	charon: 12[NET] received packet: from 6.1.47.71[500] to 9.1.180.214[500] (132 bytes)
    Jan 13 20:15:08 	charon: 16[KNL] creating acquire job for policy 9.1.180.214/32|/0 === 6.1.47.71/32|/0 with reqid {22}
    Jan 13 20:15:08 	charon: 16[JOB] deleting half open IKE_SA after timeout
    Jan 13 20:15:03 	charon: 16[NET] sending packet: from 9.1.180.214[500] to 6.1.47.71[500] (196 bytes)
    Jan 13 20:15:03 	charon: 16[ENC] generating ID_PROT response 0 [ KE No ]
    Jan 13 20:15:03 	charon: 16[ENC] parsed ID_PROT request 0 [ KE No ]
    Jan 13 20:15:03 	charon: 16[NET] received packet: from 6.1.47.71[500] to 9.1.180.214[500] (180 bytes)
    Jan 13 20:15:03 	charon: 16[NET] sending packet: from 9.1.180.214[500] to 6.1.47.71[500] (144 bytes)
    Jan 13 20:15:03 	charon: 16[ENC] generating ID_PROT response 0 [ SA V V V ]
    Jan 13 20:15:03 	charon: 16[IKE] 6.1.47.71 is initiating a Main Mode IKE_SA
    Jan 13 20:15:03 	charon: 16[IKE] <201> 6.1.47.71 is initiating a Main Mode IKE_SA
    Jan 13 20:15:03 	charon: 16[IKE] received DPD vendor ID
    Jan 13 20:15:03 	charon: 16[IKE] <201> received DPD vendor ID
    Jan 13 20:15:03 	charon: 16[IKE] received FRAGMENTATION vendor ID
    Jan 13 20:15:03 	charon: 16[IKE] <201> received FRAGMENTATION vendor ID
    Jan 13 20:15:03 	charon: 16[ENC] parsed ID_PROT request 0 [ SA V V ]
    Jan 13 20:15:03 	charon: 16[NET] received packet: from 6.1.47.71[500] to 9.1.180.214[500] (132 bytes)
    Jan 13 20:15:03 	charon: 08[CFG] ignoring acquire, connection attempt pending
    Jan 13 20:15:03 	charon: 08[KNL] creating acquire job for policy 9.1.180.214/32|/0 === 6.1.47.71/32|/0 with reqid {21}
    Jan 13 20:14:51 	charon: 08[CFG] ignoring acquire, connection attempt pending
    Jan 13 20:14:51 	charon: 16[KNL] creating acquire job for policy 9.1.180.214/32|/0 === 6.1.47.71/32|/0 with reqid {21}
    Jan 13 20:14:38 	charon: 16[NET] sending packet: from 9.1.180.214[500] to 6.1.47.71[500] (196 bytes)
    Jan 13 20:14:38 	charon: 16[ENC] generating ID_PROT response 0 [ KE No ]
    Jan 13 20:14:38 	charon: 16[ENC] parsed ID_PROT request 0 [ KE No ]
    Jan 13 20:14:38 	charon: 16[NET] received packet: from 6.1.47.71[500] to 9.1.180.214[500] (180 bytes)
    Jan 13 20:14:38 	charon: 16[NET] sending packet: from 9.1.180.214[500] to 6.1.47.71[500] (144 bytes)
    Jan 13 20:14:38 	charon: 16[ENC] generating ID_PROT response 0 [ SA V V V ]
    Jan 13 20:14:38 	charon: 16[IKE] 6.1.47.71 is initiating a Main Mode IKE_SA</con1000|192></con1000|192></con1000|192></con1000|192></con1000|192></con1000|192></con1000|192></con1000|192></con1000|192></con1000|192></con1000|192>
    

    This is a more complete excerpt from charon.
    But I don't know which error levels need to be set in the IPsec debug section, please advice.

    TIA
    Marc



  • Just changed my outbound NAT to

    In the IPsec status I continuously see

    
    inetra_LAN-DMZ 	net.dyndns.org 	9.1.180.214
    Port: 500 	Any identifier 	6.1.47.71
    Port: 500 	IKEv1
    initiator 		AES_CBC:256
    HMAC_SHA1_96:0
    PRF_HMAC_SHA1
    MODP_1024 	
    
    connecting
    

    but at the same time I see a another line with responder coming in…

    And no, I checked thoroughly that the profiles match.

    Some more questions on the settings:

    How should they be set to ensure compatibility between 2.1.5 and 2.2 ?

    Prefer older IPsec SAs 
    Enable IPCompression
    Accept unencrypted ID and HASH payloads in IKEv1 Main Mode



  • Please upgrade to the next coming snapshot and re-test.



  • I did:
    2.2-RC (amd64)
    built on Tue Jan 13 09:02:41 CST 2015

    but still same issue.



  • This is the latest one that you should be on actually.
    built on Tue Jan 13 14:58:02 CST 2015

    But can you be more detailed on what is not working.



  • It is still all the same errors as documented in the above posts.
    What else can I deliver you ?

    netstat -f inet -sp esp

    esp:
            0 packets shorter than header shows
            0 packets dropped; protocol family not supported
            0 packets dropped; no TDB
            0 packets dropped; bad KCR
            0 packets dropped; queue full
            0 packets dropped; no transform
            0 packets dropped; bad ilen
            0 replay counter wraps
            0 packets dropped; bad encryption detected
            0 packets dropped; bad authentication detected
            0 possible replay packets detected
            0 packets in
            0 packets out
            0 packets dropped; invalid TDB
            0 bytes in
            0 bytes out
            0 packets dropped; larger than IP_MAXPACKET
            0 packets blocked due to policy
            0 crypto processing failures
            0 tunnel sanity check failures
    
    


  • If there's nothing else I can do, I would switch back to 2.1.5  :(



  • we switched back to strongswan 5.2.1 yesterday after some issues with 5.2.2 (the change to which coincides with the date of the problems you're seeing). Upgrade to the latest available now and let us know.



  • thanks again for you hard work !
    Updated on:
    built on Thu Jan 15 12:12:32 CST 2015

    But still seeing half open connections deleted and no tunnels are connected.



  • Can you post your rules.debug and ipsec.conf?



  • set optimization normal
    set timeout { adaptive.start 0, adaptive.end 0 }
    set limit states 324000
    set limit src-nodes 324000
    
    #System aliases
    
    loopback = "{ lo0 }"
    WAN = "{ pppoe2 }"
    LAN = "{ em0 }"
    KABELDE = "{ em1 }"
    IPsec = "{ enc0 }"
    
    #SSH Lockout Table
    table <sshlockout>persist
    table <webconfiguratorlockout>persist
    #Snort tables
    table <snort2c>table <virusprot>table <bogons>persist file "/etc/bogons"
    table <bogonsv6>persist file "/etc/bogonsv6"
    table <vpn_networks>{ 10.0.47.0/24 10.0.48.0/24 }
    table <negate_networks>{ 10.0.47.0/24 10.0.48.0/24 }
    
    # User Aliases 
    table <bad_peers>{   84.72.100.85  88.217.16.69 } 
    bad_peers = "<bad_peers>"
    table <blockedhosts>persist
    blockedhosts = "<blockedhosts>"
    table <easyruleblockhostsopt2>{   fe80::1/128 } 
    EasyRuleBlockHostsOPT2 = "<easyruleblockhostsopt2>"
    table <gamenetworks>{   107.21.244.12/32  23.21.42.15/16  216.74.41.14/32  50.16.200.11/32  107.20.146.165/32  23.20.61.27/32  23.14.93.41/32  23.23.142.220/32  107.20.99.121/32  75.101.200.255/32  54.243.91.151/32  174.129.59.97/32  50.17.29.77/32  54.242.56.44/32  204.236.253.208/32  23.20.27.49/32  23.22.164.163/32  50.17.243.27/32  50.19.6.207/32  17.149.32.49/32  50.19.44.186/32  50.19.50.48/32  54.224.124.89/32  23.22.107.155/32  95.100.249.19/32 } 
    gamenetworks = "<gamenetworks>"
    guest_ports = "{   25  53  80  443  993  995  123  16385  16386  16384  5222  5223 }"
    GWPorts = "{   1677  7100 }"
    ineports = "{   80  443  1677  8300  7191 }"
    table <kabelhosts>{   192.168.24.106  192.168.24.112  192.168.24.175  192.168.24.131  192.168.24.152  192.168.24.108  192.168.24.145  192.168.24.133 } 
    Kabelhosts = "<kabelhosts>"
    table <macmini>{   192.168.24.175  192.168.24.176  192.168.24.146 } 
    Macmini = "<macmini>"
    table <nodirect>{   192.168.24.188  192.168.24.170 } 
    Nodirect = "<nodirect>"
    table <server>{   192.168.24.2  192.168.24.4  192.168.24.12  192.168.24.8 } 
    Server = "<server>"
    table <torpig>{   91.19.0.0/16  91.20.0.0/16 } 
    torpig = "<torpig>"
    table <webdevices>{   192.168.24.21  192.168.24.20  192.168.24.11 } 
    WebDevices = "<webdevices>"
    table <youtube>persist
    youtube = "<youtube>"
    
    # Gateways
    GWKABELDE_DHCP = " route-to ( em1 188.194.217.254 ) "
    GWWAN_PPPOE = " route-to ( pppoe2 82.135.16.28 ) "
    GWSurf_redundant = "  route-to { ( em1 188.194.217.254 )  }  "
    
    set loginterface em0
    
    set skip on pfsync0
    
    scrub from any to <vpn_networks>max-mss 1400
    scrub from <vpn_networks>to any max-mss 1400
    scrub on $WAN all no-df random-id  fragment reassemble
    scrub on $LAN all no-df random-id  fragment reassemble
    scrub on $KABELDE all no-df random-id  fragment reassemble
    
    no nat proto carp
    no rdr proto carp
    nat-anchor "natearly/*"
    nat-anchor "natrules/*"
    
    # Outbound NAT rules (automatic)
    
    # Subnets to NAT 
    tonatsubnets	= "{ 127.0.0.0/8 192.168.24.0/24 }"
    nat on $WAN  from $tonatsubnets to any port 500 -> 93.104.178.7/32  static-port
    nat on $WAN  from $tonatsubnets to any -> 93.104.178.7/32 port 1024:65535  
    nat on $KABELDE  from $tonatsubnets to any port 500 -> 188.194.217.58/32  static-port
    nat on $KABELDE  from $tonatsubnets to any -> 188.194.217.58/32 port 1024:65535  
    
    # Load balancing anchor
    rdr-anchor "relayd/*"
    # TFTP proxy
    rdr-anchor "tftp-proxy/*"
    rdr pass on em0 proto udp from any to any port tftp -> 127.0.0.1 port 6969
    # NAT Inbound Redirects
    rdr on em1 proto { tcp udp } from any to 188.194.217.58 port $GWPorts -> 192.168.24.6
    # Reflection redirect
    rdr on { em0 enc0 } proto { tcp udp } from any to 188.194.217.58 port $GWPorts -> 192.168.24.6
    no nat on em0 proto { tcp udp } from em0 to 192.168.24.6 port $GWPorts
    nat on em0 proto { tcp udp } from 192.168.24.0/24 to 192.168.24.6 port $GWPorts -> 192.168.24.1 port 1024:65535
    
    rdr on em1 proto tcp from any to 188.194.217.58 port 993 -> 192.168.24.6
    # Reflection redirect
    rdr on { em0 enc0 } proto tcp from any to 188.194.217.58 port 993 -> 192.168.24.6
    no nat on em0 proto tcp from em0 to 192.168.24.6 port 993
    nat on em0 proto tcp from 192.168.24.0/24 to 192.168.24.6 port 993 -> 192.168.24.1 port 1024:65535
    
    rdr on pppoe2 proto tcp from any to 93.104.178.7 port 22 -> 192.168.24.6
    # Reflection redirect
    rdr on { em0 enc0 } proto tcp from any to 93.104.178.7 port 22 -> 192.168.24.6
    no nat on em0 proto tcp from em0 to 192.168.24.6 port 22
    nat on em0 proto tcp from 192.168.24.0/24 to 192.168.24.6 port 22 -> 192.168.24.1 port 1024:65535
    
    rdr on pppoe2 proto tcp from any to 93.104.178.7 port 25 -> 192.168.24.6
    # Reflection redirect
    rdr on { em0 enc0 } proto tcp from any to 93.104.178.7 port 25 -> 192.168.24.6
    no nat on em0 proto tcp from em0 to 192.168.24.6 port 25
    nat on em0 proto tcp from 192.168.24.0/24 to 192.168.24.6 port 25 -> 192.168.24.1 port 1024:65535
    
    rdr on pppoe2 proto tcp from any to 93.104.178.7 port 993 -> 192.168.24.6
    # Reflection redirect
    rdr on { em0 enc0 } proto tcp from any to 93.104.178.7 port 993 -> 192.168.24.6
    no nat on em0 proto tcp from em0 to 192.168.24.6 port 993
    nat on em0 proto tcp from 192.168.24.0/24 to 192.168.24.6 port 993 -> 192.168.24.1 port 1024:65535
    
    rdr on pppoe2 proto { tcp udp } from any to 93.104.178.7 port $GWPorts -> 192.168.24.6
    # Reflection redirect
    rdr on { em0 enc0 } proto { tcp udp } from any to 93.104.178.7 port $GWPorts -> 192.168.24.6
    no nat on em0 proto { tcp udp } from em0 to 192.168.24.6 port $GWPorts
    nat on em0 proto { tcp udp } from 192.168.24.0/24 to 192.168.24.6 port $GWPorts -> 192.168.24.1 port 1024:65535
    
    # UPnPd rdr anchor
    rdr-anchor "miniupnpd"
    
    anchor "relayd/*"
    anchor "openvpn/*"
    anchor "ipsec/*"
    # block IPv4 link-local. Per RFC 3927, link local "MUST NOT" be forwarded by a routing device,
    # and clients "MUST NOT" send such packets to a router. FreeBSD won't route 169.254./16, but
    # route-to can override that, causing problems such as in redmine #2073
    block in log quick from 169.254.0.0/16 to any tracker 1000000101 label "Block IPv4 link-local"
    block in log quick from any to 169.254.0.0/16 tracker 1000000102 label "Block IPv4 link-local"
    #---------------------------------------------------------------------------
    # default deny rules
    #---------------------------------------------------------------------------
    block in log inet all tracker 1000000103 label "Default deny rule IPv4"
    block out log inet all tracker 1000000104 label "Default deny rule IPv4"
    block in log inet6 all tracker 1000000105 label "Default deny rule IPv6"
    block out log inet6 all tracker 1000000106 label "Default deny rule IPv6"
    
    # IPv6 ICMP is not auxilary, it is required for operation
    # See man icmp6(4)
    # 1    unreach         Destination unreachable
    # 2    toobig          Packet too big
    # 128  echoreq         Echo service request
    # 129  echorep         Echo service reply
    # 133  routersol       Router solicitation
    # 134  routeradv       Router advertisement
    # 135  neighbrsol      Neighbor solicitation
    # 136  neighbradv      Neighbor advertisement
    pass  quick inet6 proto ipv6-icmp from any to any icmp6-type {1,2,135,136} tracker 1000000107 keep state
    
    # Allow only bare essential icmpv6 packets (NS, NA, and RA, echoreq, echorep)
    pass out  quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136} tracker 1000000108 keep state
    pass out  quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136} tracker 1000000109 keep state
    pass in  quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136} tracker 1000000110 keep state
    pass in  quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {128,133,134,135,136} tracker 1000000111 keep state
    pass in  quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} tracker 1000000112 keep state
    
    # We use the mighty pf, we cannot be fooled.
    block log quick inet proto { tcp, udp } from any port = 0 to any tracker 1000000113
    block log quick inet proto { tcp, udp } from any to any port = 0 tracker 1000000114
    block log quick inet6 proto { tcp, udp } from any port = 0 to any tracker 1000000115
    block log quick inet6 proto { tcp, udp } from any to any port = 0 tracker 1000000116
    
    # Snort package
    block log quick from <snort2c>to any tracker 1000000117 label "Block snort2c hosts"
    block log quick from any to <snort2c>tracker 1000000118 label "Block snort2c hosts"
    
    # SSH lockout
    block in log quick proto tcp from <sshlockout>to (self) port 22 tracker 1000000301 label "sshlockout"
    
    # webConfigurator lockout
    block in log quick proto tcp from <webconfiguratorlockout>to (self) port 443 tracker 1000000351 label "webConfiguratorlockout"
    block in log quick from <virusprot>to any tracker 1000000400 label "virusprot overload table"
    # block bogon networks (IPv4)
    # http://www.cymru.com/Documents/bogon-bn-nonagg.txt
    block in log quick on $WAN from <bogons>to any tracker 1000001551 label "block bogon IPv4 networks from WAN"
    # block bogon networks (IPv6)
    # http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
    block in log quick on $WAN from <bogonsv6>to any tracker 1000001552 label "block bogon IPv6 networks from WAN"
    antispoof log for $WAN tracker 1000001570
    # block anything from private networks on interfaces with the option set
    block in  quick on $WAN from 10.0.0.0/8 to any tracker 1000001581 label "Block private networks from WAN block 10/8"
    block in  quick on $WAN from 127.0.0.0/8 to any tracker 1000001582 label "Block private networks from WAN block 127/8"
    block in  quick on $WAN from 100.64.0.0/10 to any tracker 1000001583 label "Block private networks from WAN block 100.64/10"
    block in  quick on $WAN from 172.16.0.0/12 to any tracker 1000001584 label "Block private networks from WAN block 172.16/12"
    block in  quick on $WAN from 192.168.0.0/16 to any tracker 1000001585 label "Block private networks from WAN block 192.168/16"
    block in  quick on $WAN from fc00::/7 to any tracker 1000001586 label "Block ULA networks from WAN block fc00::/7"
    antispoof log for $LAN tracker 1000002620
    # allow access to DHCP server on LAN
    pass in  quick on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 tracker 1000002641 label "allow access to DHCP server"
    pass in  quick on $LAN proto udp from any port = 68 to 192.168.24.1 port = 67 tracker 1000002642 label "allow access to DHCP server"
    pass out  quick on $LAN proto udp from 192.168.24.1 port = 67 to any port = 68 tracker 1000002643 label "allow access to DHCP server"
    antispoof log for $KABELDE tracker 1000003670
    # allow our DHCP client out to the KABELDE
    pass in  on $KABELDE proto udp from any port = 67 to any port = 68 tracker 1000003691 label "allow dhcp client out KABELDE"
    pass out  on $KABELDE proto udp from any port = 68 to any port = 67 tracker 1000003692 label "allow dhcp client out KABELDE"
    # Not installing DHCP server firewall rules for KABELDE which is configured for DHCP.
    
    # loopback
    pass in  on $loopback inet all tracker 1000004761 label "pass IPv4 loopback"
    pass out  on $loopback inet all tracker 1000004762 label "pass IPv4 loopback"
    pass in  on $loopback inet6 all tracker 1000004763 label "pass IPv6 loopback"
    pass out  on $loopback inet6 all tracker 1000004764 label "pass IPv6 loopback"
    # let out anything from the firewall host itself and decrypted IPsec traffic
    pass out  inet all keep state allow-opts tracker 1000004765 label "let out anything IPv4 from firewall host itself"
    pass out  inet6 all keep state allow-opts tracker 1000004766 label "let out anything IPv6 from firewall host itself"
    pass out  route-to ( pppoe2 82.135.16.28 ) from 93.104.178.7 to !93.104.178.7/32 tracker 1000004861 keep state allow-opts label "let out anything from firewall host itself"
    pass out  route-to ( em1 188.194.217.254 ) from 188.194.217.58 to !188.194.217.0/24 tracker 1000004862 keep state allow-opts label "let out anything from firewall host itself"
    pass out  on $IPsec all tracker 1000005161 tracker 1000005162 keep state label "IPsec internal host to host"
    # make sure the user cannot lock himself out of the webConfigurator or SSH
    pass in  quick on em0 proto tcp from any to (em0) port { 443 80 22 } tracker 1000005171 keep state label "anti-lockout rule"
    # NAT Reflection rules
    pass in  inet tagged PFREFLECT tracker 1000005191 keep state label "NAT REFLECT: Allow traffic to localhost"
    
    # User-defined rules follow
    
    anchor "userrules/*"
    pass  in  quick  on $IPsec inet from any to any tracker 1415483079 keep state  label "USER_RULE: Allow ipsec to any mchome net"
    # array key "pptp" does not exist for "allow all for pptp" in array: {WAN LAN KABELDE IPsec } label "USER_RULE: allow all for pptp"
    pass  in  quick  on $WAN reply-to ( pppoe2 82.135.16.28 ) inet from 6.1.47..0/25 to any tracker 1415483058 keep state  label "USER_RULE: allow ping from inetra"
    pass  in  quick  on $WAN reply-to ( pppoe2 82.135.16.28 ) inet proto tcp  from any to 192.168.24.6 port 22 tracker 1415483053 flags S/SA keep state  label "USER_RULE: NAT SSH auf lxhome"
    pass  in  quick  on $WAN reply-to ( pppoe2 82.135.16.28 ) inet proto tcp  from any to 192.168.24.6 port 25 tracker 1415483054 flags S/SA keep state  label "USER_RULE: NAT SMTP fuer GWAVA Proxy"
    pass  in  quick  on $WAN reply-to ( pppoe2 82.135.16.28 ) inet proto tcp  from any to 192.168.24.6 port 993 tracker 1415483055 flags S/SA keep state  label "USER_RULE: NAT IMAPs auf GWIA"
    pass  in  quick  on $WAN reply-to ( pppoe2 82.135.16.28 )  proto { tcp udp }  from any to 192.168.24.6 port $GWPorts tracker 1415483061 keep state  label "USER_RULE: NAT GWMTP IN auf SLES"
    pass  in  quick  on $WAN reply-to ( pppoe2 82.135.16.28 )  proto tcp  from any to 192.168.24.6 port 993 tracker 1415483062 flags S/SA keep state  label "USER_RULE: NAT IMAP auf GWIA"
    block  in  quick  on $WAN inet6 from any to any tracker 1415483060  label "USER_RULE: remove ipv6 from log"
    pass  in  quick  on $LAN  proto { tcp udp }  from 192.168.24.0/24 to 192.168.24.1 port 123 tracker 1415483066 keep state  label "USER_RULE: allow NTP"
    pass  in  quick  on $LAN inet proto { tcp udp }  from 192.168.24.0/24 to 10.0.47.0/24 tracker 1415483067 keep state  label "USER_RULE: redirect traffic to tunnel"
    pass  in  quick  on $LAN inet proto { tcp udp }  from 10.0.47.9 to 192.168.24.0/24 port 6556 tracker 1415483068 keep state  label "USER_RULE: allow check_mk to agent"
    pass  in  quick  on $LAN inet proto { tcp udp }  from 192.168.24.0/24 to 192.168.24.0/24 port 6556 tracker 1419415183 keep state  label "USER_RULE: allow check_mk to agent"
    pass  in  quick  on $LAN  proto tcp  from any to 6.1.47..0/25 port $ineports tracker 1415483069 flags S/SA keep state  label "USER_RULE: allow all inetra services"
    pass  in  quick  on $LAN  proto tcp  from any to 17.149.32.0/24 tracker 1415483070 flags S/SA keep state  label "USER_RULE: allow Apple Server"
    pass  in  quick  on $LAN inet proto { tcp udp }  from any  to <negate_networks>port 53 tracker 1419794934 keep state  label "NEGATE_ROUTE: Negate policy routing for destination"
    pass  in  quick  on $LAN  $GWWAN_PPPOE inet proto { tcp udp }  from any to any port 53 tracker 1419794934 keep state  label "USER_RULE: direct DNS to MNET"
    pass  in  quick  on $LAN inet proto { tcp udp }  from 192.168.24.0/24 to any port $guest_ports tracker 1415657006 keep state  label "USER_RULE: allow min ports for all"
    block  in  quick  on $LAN  proto { tcp udp }  from any to 169.254.255.255 port 136 >< 139 tracker 1415483076  label "USER_RULE: block cifs bc"
    # schedule finished - scheduled Zugriff auf Gamenetworks label "USER_RULE: scheduled Zugriff auf Gamenetworks"
    pass  in  quick  on $LAN inet from 192.168.24.0/24 to any tracker 1415483078 keep state  label "USER_RULE: Default LAN -> allow any"
    pass  in  quick  on $KABELDE reply-to ( em1 188.194.217.254 ) inet from 6.1.47..0/25 to any tracker 1415615732 keep state  label "USER_RULE: allow everything from inetra"
    pass  in  quick  on $KABELDE reply-to ( em1 188.194.217.254 )  proto tcp  from any to 192.168.24.6 port 993 tracker 1415483082 flags S/SA keep state  label "USER_RULE: NAT IMAP auf GWIA"
    pass  in  quick  on $KABELDE reply-to ( em1 188.194.217.254 ) inet proto icmp  from any to any tracker 1415483083 keep state  label "USER_RULE: allow ping from anywhere"
    
    # VPN Rules
    pass out   route-to ( pppoe2 82.135.16.28 )  proto udp from any to 6.1.47.71 port = 500 tracker 1000105301 keep state label "IPsec: inetra_LAN-DMZ - outbound isakmp"
    pass in  on $WAN  reply-to ( pppoe2 82.135.16.28 )  proto udp from 6.1.47.71 to any port = 500 tracker 1000105302 keep state label "IPsec: inetra_LAN-DMZ - inbound isakmp"
    pass out   route-to ( pppoe2 82.135.16.28 )  proto udp from any to 6.1.47.71 port = 4500 tracker 1000105303 keep state label "IPsec: inetra_LAN-DMZ - outbound nat-t"
    pass in  on $WAN  reply-to ( pppoe2 82.135.16.28 )  proto udp from 6.1.47.71 to any port = 4500 tracker 1000105304 keep state label "IPsec: inetra_LAN-DMZ - inbound nat-t"
    pass out   route-to ( pppoe2 82.135.16.28 )  proto esp from any to 6.1.47.71 tracker 1000105305 keep state label "IPsec: inetra_LAN-DMZ - outbound esp proto"
    pass in  on $WAN  reply-to ( pppoe2 82.135.16.28 )  proto esp from 6.1.47.71 to any tracker 1000105306 keep state label "IPsec: inetra_LAN-DMZ - inbound esp proto"
    
    anchor "tftp-proxy/*"
    anchor "miniupnpd"</negate_networks></bogonsv6></bogons></virusprot></webconfiguratorlockout></sshlockout></snort2c></snort2c></vpn_networks></vpn_networks></youtube></youtube></webdevices></webdevices></torpig></torpig></server></server></nodirect></nodirect></macmini></macmini></kabelhosts></kabelhosts></gamenetworks></gamenetworks></easyruleblockhostsopt2></easyruleblockhostsopt2></blockedhosts></blockedhosts></bad_peers></bad_peers></negate_networks></vpn_networks></bogonsv6></bogons></virusprot></snort2c></webconfiguratorlockout></sshlockout> 
    

    these ips: 6.1.47..0 have been modified later.



  • # This file is automatically generated. Do not edit
    config setup
    	uniqueids = yes
    	charondebug="dmn 0,mgr 1,ike 2,chd 2,cfg 1,net 1,imv 0,esp 1"
    
    conn con1000
    	reqid = 1
    	fragmentation = yes
    	keyexchange = ikev1
    	reauth = yes
    	forceencaps = no
    	rekey = yes
    	installpolicy = yes
    	type = tunnel
    	dpdaction = restart
    	dpddelay = 10s
    	dpdtimeout = 40s
    	auto = route
    	left = 93.104.178.7
    	right = 6.1.47.71
    	leftid = @net.dyn.org
    	ikelifetime = 7200s
    	lifetime = 28800s
    	ike = aes128-sha1-modp1024!
    	esp = aes256-sha1-modp1024,aes256-sha1-modp1024!
    	leftauth = psk
    	rightauth = psk
    	rightid = 6.1.47.71
    	aggressive = no
    	rightsubnet = 10.0.47.0/24
    	leftsubnet = 192.168.24.0/24
    
    conn con1001
    	reqid = 2
    	fragmentation = yes
    	keyexchange = ikev1
    	reauth = yes
    	forceencaps = no
    	rekey = yes
    	installpolicy = yes
    	type = tunnel
    	dpdaction = restart
    	dpddelay = 10s
    	dpdtimeout = 40s
    	auto = route
    	left = 9.1.178.7
    	right = 6.1.47.71
    	leftid = @net.dyn.org
    	ikelifetime = 7200s
    	lifetime = 28800s
    	ike = aes128-sha1-modp1024!
    	esp = aes256-sha1-modp1024,aes256-sha1-modp1024!
    	leftauth = psk
    	rightauth = psk
    	rightid = 6.1.47.71
    	aggressive = no
    	rightsubnet = 10.0.48.0/24
    	leftsubnet = 192.168.24.0/24
    
    


  • This happens even when you are initiator?

    I belive your other side is coming on your other interface while you expect it on WAN?



  • I think this end is initiator and responder, b/c the other side opens the tunnels as well.
    BTW I already did a packettrace on the "other" interface to see if there's traffic (UDP&port 500) coming or going.
    Nothing !
    But I can check the other Pfs 2.1.5 tomorrow.
    I deliberately change the tunnel to this other IF and check the the dyn address points to the correct IP and IF.



  • Update:
    Just check the 2.1.5 side and no packets go to the wrong Public IF of the 2.2.



  • Updated and still same tunnnel problems ?

    2.2-RC (amd64)
    built on Fri Jan 16 11:53:08 CST 2015

    @Ermal: Do you think my NAT & Firewall Rules are ok on the WAN IF ?


  • Banned

    What NAT again? You've already been told you cannot NAT IPsec.



  • ::)
    Outbound NAT:
    Automatic Rules.

    And pls let me know where I was told to "not NAT IPsec" ?



  • And BTW a just captured packets on my WAN and could see ISAKMP (Main Mode) going forth and back between both pfsenses.


  • Banned

    @tracer:

    And pls let me know where I was told to "not NAT IPsec" ?

    https://forum.pfsense.org/index.php?topic=86590.msg475029#msg475029



  • @doktornotor: Checking my reply, I said I remove "any NAT rules" meaning the ones I manually created !
    But as known, the "Automatic Outbound NAT rules" persist due the mode !
    So I'm pretty sure that if config is correctly interpreted by pfSense no manual rule should interfere.

    But my Question was if any of the other inbound rules could interfere with VPN ?
    Do you have an answer for this ?



  • The automatic outbound NAT rules won't hurt anything with IPsec.

    For inbound, if you have a port forward on UDP 500 or ESP traffic, that'll break it also. If you have a 1:1 NAT using the public IP where it terminates, that'll forward the traffic to an internal host and break things as well.



  • Hmm, thanks, but I can't find any inbound NATs with 500.
    Maybe we should look at it using our old support contract ?



  • @tracer:

    Maybe we should look at it using our old support contract ?

    Commercial support is definitely the best answer. Your support expired over 5 years ago though, if you purchase to activate support on your account again, we can definitely assist.



  • I'll pm you on this, ok ?


Log in to reply