IPsec VPN connection failed after upgrade to 2.2 from 2.1.5
-
Hi,
I had an existing IPSEC VPN between 2 pfSense servers (2.1.5), and everything was working fine.
pfSense1 (2.1.5) <= IPSEC WORKING => pfSense2 (2.1.5)

This morning, I upgraded one of these 2 servers to 2.2 (which looks a lot better in terms of CPU usage on a VM), and since then my IPSEC VPN does not work anymore.

pfSense1 (2.2) <= IPSEC NOT WORKING => pfSense2 (2.1.5)

Looking at the log, I saw the following error:
charon: 02[IKE] IDir "pfSense2 Lan IP address" does not match to "pfSense2 Wan IP address" .
Do you have any idea of what may be wrong and how I can fix it?
Thanks,
Hakim
-
Hi,
I have now also updated my second pfSense server to 2.2, but I still have a problem with my VPN.
So now : pfSense1 (2.2) <= IPSEC NOT WORKING => pfSense2 (2.2)
I have copied the logs of the 2 servers below, in case they give you a clue about what the problem could be.
In the logs below I replaced the WAN IP addresses with pfSense1WanIP and pfSense2WanIP respectively, and I added an arrow '--->' in front of the line about 'failed'.

Thanks for your help,
Hakim

Logs on pfSense 1
Jan 29 19:56:29 charon: 06[CFG] no IKE_SA named 'con1000' found
Jan 29 19:56:29 charon: 09[CFG] received stroke: initiate 'con1000'
Jan 29 19:56:29 charon: 06[IKE] <con1000|954> initiating Main Mode IKE_SA con1000[954] to pfSense2WanIP
Jan 29 19:56:29 charon: 06[IKE] initiating Main Mode IKE_SA con1000[954] to pfSense2WanIP
Jan 29 19:56:29 charon: 06[ENC] generating ID_PROT request 0 [ SA V V V V V V ]
Jan 29 19:56:29 charon: 06[NET] sending packet: from pfSense1WanIP[500] to pfSense2WanIP[500] (200 bytes)
Jan 29 19:56:29 charon: 06[NET] received packet: from pfSense2WanIP[500] to pfSense1WanIP[500] (180 bytes)
Jan 29 19:56:29 charon: 06[ENC] parsed ID_PROT response 0 [ SA V V V V V ]
Jan 29 19:56:29 charon: 06[IKE] <con1000|954> received XAuth vendor ID
Jan 29 19:56:29 charon: 06[IKE] received XAuth vendor ID
Jan 29 19:56:29 charon: 06[IKE] <con1000|954> received DPD vendor ID
Jan 29 19:56:29 charon: 06[IKE] received DPD vendor ID
Jan 29 19:56:29 charon: 06[IKE] <con1000|954> received Cisco Unity vendor ID
Jan 29 19:56:29 charon: 06[IKE] received Cisco Unity vendor ID
Jan 29 19:56:29 charon: 06[IKE] <con1000|954> received FRAGMENTATION vendor ID
Jan 29 19:56:29 charon: 06[IKE] received FRAGMENTATION vendor ID
Jan 29 19:56:29 charon: 06[IKE] <con1000|954> received NAT-T (RFC 3947) vendor ID
Jan 29 19:56:29 charon: 06[IKE] received NAT-T (RFC 3947) vendor ID
Jan 29 19:56:29 charon: 06[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jan 29 19:56:29 charon: 06[NET] sending packet: from pfSense1WanIP[500] to pfSense2WanIP[500] (268 bytes)
Jan 29 19:56:29 charon: 06[NET] received packet: from pfSense2WanIP[500] to pfSense1WanIP[500] (268 bytes)
Jan 29 19:56:29 charon: 06[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Jan 29 19:56:29 charon: 06[IKE] <con1000|954> remote host is behind NAT
Jan 29 19:56:29 charon: 06[IKE] remote host is behind NAT
Jan 29 19:56:29 charon: 06[ENC] generating ID_PROT request 0 [ ID HASH ]
Jan 29 19:56:29 charon: 06[NET] sending packet: from pfSense1WanIP[4500] to pfSense2WanIP[4500] (92 bytes)
Jan 29 19:56:33 charon: 06[IKE] <con1000|954> sending retransmit 1 of request message ID 0, seq 3
Jan 29 19:56:33 charon: 06[IKE] sending retransmit 1 of request message ID 0, seq 3
Jan 29 19:56:33 charon: 06[NET] sending packet: from pfSense1WanIP[4500] to pfSense2WanIP[4500] (92 bytes)
Jan 29 19:56:40 charon: 06[IKE] <con1000|954> sending retransmit 2 of request message ID 0, seq 3
Jan 29 19:56:40 charon: 06[IKE] sending retransmit 2 of request message ID 0, seq 3
Jan 29 19:56:40 charon: 06[NET] sending packet: from pfSense1WanIP[4500] to pfSense2WanIP[4500] (92 bytes)
Jan 29 19:56:53 charon: 12[IKE] <con1000|954> sending retransmit 3 of request message ID 0, seq 3
Jan 29 19:56:53 charon: 12[IKE] sending retransmit 3 of request message ID 0, seq 3
Jan 29 19:56:53 charon: 12[NET] sending packet: from pfSense1WanIP[4500] to pfSense2WanIP[4500] (92 bytes)
Jan 29 19:57:09 charon: 12[KNL] creating acquire job for policy pfSense1WanIP/32|/0 === pfSense2WanIP/32|/0 with reqid {1}
Jan 29 19:57:16 charon: 02[NET] received packet: from pfSense2WanIP[500] to pfSense1WanIP[500] (200 bytes)
Jan 29 19:57:16 charon: 02[ENC] parsed ID_PROT request 0 [ SA V V V V V V ]
Jan 29 19:57:16 charon: 02[IKE] <955> received XAuth vendor ID
Jan 29 19:57:16 charon: 02[IKE] received XAuth vendor ID
Jan 29 19:57:16 charon: 02[IKE] <955> received DPD vendor ID
Jan 29 19:57:16 charon: 02[IKE] received DPD vendor ID
Jan 29 19:57:16 charon: 02[IKE] <955> received Cisco Unity vendor ID
Jan 29 19:57:16 charon: 02[IKE] received Cisco Unity vendor ID
Jan 29 19:57:16 charon: 02[IKE] <955> received FRAGMENTATION vendor ID
Jan 29 19:57:16 charon: 02[IKE] received FRAGMENTATION vendor ID
Jan 29 19:57:16 charon: 02[IKE] <955> received NAT-T (RFC 3947) vendor ID
Jan 29 19:57:16 charon: 02[IKE] received NAT-T (RFC 3947) vendor ID
Jan 29 19:57:16 charon: 02[IKE] <955> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jan 29 19:57:16 charon: 02[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jan 29 19:57:16 charon: 02[IKE] <955> pfSense2WanIP is initiating a Main Mode IKE_SA
Jan 29 19:57:16 charon: 02[IKE] pfSense2WanIP is initiating a Main Mode IKE_SA
Jan 29 19:57:16 charon: 02[ENC] generating ID_PROT response 0 [ SA V V V V V ]
Jan 29 19:57:16 charon: 02[NET] sending packet: from pfSense1WanIP[500] to pfSense2WanIP[500] (180 bytes)
Jan 29 19:57:16 charon: 02[NET] received packet: from pfSense2WanIP[500] to pfSense1WanIP[500] (268 bytes)
Jan 29 19:57:16 charon: 02[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jan 29 19:57:16 charon: 02[IKE] <955> remote host is behind NAT
Jan 29 19:57:16 charon: 02[IKE] remote host is behind NAT
Jan 29 19:57:16 charon: 02[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Jan 29 19:57:16 charon: 02[NET] sending packet: from pfSense1WanIP[500] to pfSense2WanIP[500] (268 bytes)
Jan 29 19:57:16 charon: 02[NET] received packet: from pfSense2WanIP[4500] to pfSense1WanIP[4500] (92 bytes)
Jan 29 19:57:16 charon: 02[ENC] parsed ID_PROT request 0 [ ID HASH ]
Jan 29 19:57:16 charon: 02[CFG] looking for pre-shared key peer configs matching pfSense1WanIP...pfSense2WanIP[192.168.25.201]
Jan 29 19:57:16 charon: 02[IKE] <955> no peer config found
Jan 29 19:57:16 charon: 02[IKE] no peer config found
---> Jan 29 19:57:16 charon: 02[ENC] generating INFORMATIONAL_V1 request 3664348433 [ HASH N(AUTH_FAILED) ]
Jan 29 19:57:16 charon: 02[NET] sending packet: from pfSense1WanIP[4500] to pfSense2WanIP[4500] (108 bytes)
Jan 29 19:57:16 charon: 02[IKE] <con1000|954> sending retransmit 4 of request message ID 0, seq 3
Jan 29 19:57:16 charon: 02[IKE] sending retransmit 4 of request message ID 0, seq 3
Jan 29 19:57:16 charon: 02[NET] sending packet: from pfSense1WanIP[4500] to pfSense2WanIP[4500] (92 bytes)
Jan 29 19:57:41 charon: 02[NET] received packet: from pfSense2WanIP[500] to pfSense1WanIP[500] (200 bytes)
Jan 29 19:57:41 charon: 02[ENC] parsed ID_PROT request 0 [ SA V V V V V V ]
Jan 29 19:57:41 charon: 02[IKE] <956> received XAuth vendor ID
Jan 29 19:57:41 charon: 02[IKE] received XAuth vendor ID
Jan 29 19:57:41 charon: 02[IKE] <956> received DPD vendor ID
Jan 29 19:57:41 charon: 02[IKE] received DPD vendor ID
Jan 29 19:57:41 charon: 02[IKE] <956> received Cisco Unity vendor ID
Jan 29 19:57:41 charon: 02[IKE] received Cisco Unity vendor ID
Jan 29 19:57:41 charon: 02[IKE] <956> received FRAGMENTATION vendor ID
Jan 29 19:57:41 charon: 02[IKE] received FRAGMENTATION vendor ID
Jan 29 19:57:41 charon: 02[IKE] <956> received NAT-T (RFC 3947) vendor ID
Jan 29 19:57:41 charon: 02[IKE] received NAT-T (RFC 3947) vendor ID
Jan 29 19:57:41 charon: 02[IKE] <956> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jan 29 19:57:41 charon: 02[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jan 29 19:57:41 charon: 02[IKE] <956> pfSense2WanIP is initiating a Main Mode IKE_SA
Jan 29 19:57:41 charon: 02[IKE] pfSense2WanIP is initiating a Main Mode IKE_SA
Jan 29 19:57:41 charon: 02[ENC] generating ID_PROT response 0 [ SA V V V V V ]
Jan 29 19:57:41 charon: 02[NET] sending packet: from pfSense1WanIP[500] to pfSense2WanIP[500] (180 bytes)
Jan 29 19:57:41 charon: 02[NET] received packet: from pfSense2WanIP[500] to pfSense1WanIP[500] (268 bytes)
Jan 29 19:57:41 charon: 02[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jan 29 19:57:41 charon: 02[IKE] <956> remote host is behind NAT
Jan 29 19:57:41 charon: 02[IKE] remote host is behind NAT
Jan 29 19:57:41 charon: 02[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Jan 29 19:57:41 charon: 02[NET] sending packet: from pfSense1WanIP[500] to pfSense2WanIP[500] (268 bytes)
Jan 29 19:57:41 charon: 02[NET] received packet: from pfSense2WanIP[4500] to pfSense1WanIP[4500] (92 bytes)
Jan 29 19:57:41 charon: 02[ENC] parsed ID_PROT request 0 [ ID HASH ]
Jan 29 19:57:41 charon: 02[CFG] looking for pre-shared key peer configs matching pfSense1WanIP...pfSense2WanIP[192.168.25.201]
Jan 29 19:57:41 charon: 02[IKE] <956> no peer config found
Jan 29 19:57:41 charon: 02[IKE] no peer config found
---> Jan 29 19:57:41 charon: 02[ENC] generating INFORMATIONAL_V1 request 1358166335 [ HASH N(AUTH_FAILED) ]
Jan 29 19:57:41 charon: 02[NET] sending packet: from pfSense1WanIP[4500] to pfSense2WanIP[4500] (108 bytes)
Jan 29 19:57:58 charon: 02[IKE] <con1000|954> sending retransmit 5 of request message ID 0, seq 3
Jan 29 19:57:58 charon: 02[IKE] sending retransmit 5 of request message ID 0, seq 3
Jan 29 19:57:58 charon: 02[NET] sending packet: from pfSense1WanIP[4500] to pfSense2WanIP[4500] (92 bytes)
Jan 29 19:59:14 charon: 02[IKE] <con1000|954> giving up after 5 retransmits
Jan 29 19:59:14 charon: 02[IKE] giving up after 5 retransmits
Jan 29 19:59:14 charon: 02[IKE] <con1000|954> peer not responding, trying again (2/3)
Jan 29 19:59:14 charon: 02[IKE] peer not responding, trying again (2/3)
Jan 29 19:59:14 charon: 02[IKE] <con1000|954> initiating Main Mode IKE_SA con1000[954] to pfSense2WanIP
Jan 29 19:59:14 charon: 02[IKE] initiating Main Mode IKE_SA con1000[954] to pfSense2WanIP
Jan 29 19:59:14 charon: 02[ENC] generating ID_PROT request 0 [ SA V V V V V V ]
Jan 29 19:59:14 charon: 02[NET] sending packet: from pfSense1WanIP[500] to pfSense2WanIP[500] (200 bytes)
Jan 29 19:59:14 charon: 12[NET] received packet: from pfSense2WanIP[500] to pfSense1WanIP[500] (180 bytes)
Jan 29 19:59:14 charon: 12[ENC] parsed ID_PROT response 0 [ SA V V V V V ]
Jan 29 19:59:14 charon: 12[IKE] <con1000|954> received XAuth vendor ID
Jan 29 19:59:14 charon: 12[IKE] received XAuth vendor ID
Jan 29 19:59:14 charon: 12[IKE] <con1000|954> received DPD vendor ID
Jan 29 19:59:14 charon: 12[IKE] received DPD vendor ID
Jan 29 19:59:14 charon: 12[IKE] <con1000|954> received Cisco Unity vendor ID
Jan 29 19:59:14 charon: 12[IKE] received Cisco Unity vendor ID
Jan 29 19:59:14 charon: 12[IKE] <con1000|954> received FRAGMENTATION vendor ID
Jan 29 19:59:14 charon: 12[IKE] received FRAGMENTATION vendor ID
Jan 29 19:59:14 charon: 12[IKE] <con1000|954> received NAT-T (RFC 3947) vendor ID
Jan 29 19:59:14 charon: 12[IKE] received NAT-T (RFC 3947) vendor ID
Jan 29 19:59:14 charon: 12[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jan 29 19:59:14 charon: 12[NET] sending packet: from pfSense1WanIP[500] to pfSense2WanIP[500] (268 bytes)
Jan 29 19:59:14 charon: 12[NET] received packet: from pfSense2WanIP[500] to pfSense1WanIP[500] (268 bytes)
Jan 29 19:59:14 charon: 12[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Jan 29 19:59:14 charon: 12[ENC] generating ID_PROT request 0 [ ID HASH ]
Jan 29 19:59:14 charon: 12[NET] sending packet: from pfSense1WanIP[4500] to pfSense2WanIP[4500] (92 bytes)
Jan 29 19:59:14 charon: 12[NET] received packet: from pfSense2WanIP[4500] to pfSense1WanIP[4500] (92 bytes)
Jan 29 19:59:14 charon: 12[ENC] parsed ID_PROT response 0 [ ID HASH ]
Jan 29 19:59:14 charon: 12[IKE] <con1000|954> IDir '192.168.25.201' does not match to 'pfSense2WanIP'
Jan 29 19:59:14 charon: 12[IKE] IDir '192.168.25.201' does not match to 'pfSense2WanIP'
Jan 29 19:59:14 charon: 12[IKE] <con1000|954> deleting IKE_SA con1000[954] between pfSense1WanIP[pfSense1WanIP]...pfSense2WanIP[%any]
Jan 29 19:59:14 charon: 12[IKE] deleting IKE_SA con1000[954] between pfSense1WanIP[pfSense1WanIP]...pfSense2WanIP[%any]
Jan 29 19:59:14 charon: 12[IKE] <con1000|954> sending DELETE for IKE_SA con1000[954]
Jan 29 19:59:14 charon: 12[IKE] sending DELETE for IKE_SA con1000[954]
Jan 29 19:59:14 charon: 12[ENC] generating INFORMATIONAL_V1 request 1122998762 [ HASH D ]
Jan 29 19:59:14 charon: 12[NET] sending packet: from pfSense1WanIP[4500] to pfSense2WanIP[4500] (108 bytes)
Jan 29 19:59:14 charon: 09[CFG] received stroke: terminate 'con1001'
Jan 29 19:59:14 charon: 09[CFG] no IKE_SA named 'con1001' found
Jan 29 19:59:14 charon: 12[CFG] received stroke: initiate 'con1001'
Jan 29 19:59:14 charon: 09[IKE] <con1000|957> initiating Main Mode IKE_SA con1000[957] to pfSense2WanIP
Jan 29 19:59:14 charon: 09[IKE] initiating Main Mode IKE_SA con1000[957] to pfSense2WanIP
Jan 29 19:59:14 charon: 09[ENC] generating ID_PROT request 0 [ SA V V V V V V ]
Jan 29 19:59:14 charon: 09[NET] sending packet: from pfSense1WanIP[500] to pfSense2WanIP[500] (200 bytes)
Jan 29 19:59:14 charon: 09[NET] received packet: from pfSense2WanIP[500] to pfSense1WanIP[500] (180 bytes)
Jan 29 19:59:14 charon: 09[ENC] parsed ID_PROT response 0 [ SA V V V V V ]
Jan 29 19:59:14 charon: 09[IKE] <con1000|957> received XAuth vendor ID
Jan 29 19:59:14 charon: 09[IKE] received XAuth vendor ID
Jan 29 19:59:14 charon: 09[IKE] <con1000|957> received DPD vendor ID
Jan 29 19:59:14 charon: 09[IKE] received DPD vendor ID
Jan 29 19:59:14 charon: 09[IKE] <con1000|957> received Cisco Unity vendor ID
Jan 29 19:59:14 charon: 09[IKE] received Cisco Unity vendor ID
Jan 29 19:59:14 charon: 09[IKE] <con1000|957> received FRAGMENTATION vendor ID
Jan 29 19:59:14 charon: 09[IKE] received FRAGMENTATION vendor ID
Jan 29 19:59:14 charon: 09[IKE] <con1000|957> received NAT-T (RFC 3947) vendor ID
Jan 29 19:59:14 charon: 09[IKE] received NAT-T (RFC 3947) vendor ID
Jan 29 19:59:14 charon: 09[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jan 29 19:59:14 charon: 09[NET] sending packet: from pfSense1WanIP[500] to pfSense2WanIP[500] (268 bytes)
Jan 29 19:59:14 charon: 09[NET] received packet: from pfSense2WanIP[500] to pfSense1WanIP[500] (268 bytes)
Jan 29 19:59:14 charon: 09[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Jan 29 19:59:14 charon: 09[IKE] <con1000|957> remote host is behind NAT
Jan 29 19:59:14 charon: 09[IKE] remote host is behind NAT
Jan 29 19:59:14 charon: 09[ENC] generating ID_PROT request 0 [ ID HASH ]
Jan 29 19:59:14 charon: 09[NET] sending packet: from pfSense1WanIP[4500] to pfSense2WanIP[4500] (92 bytes)
Jan 29 19:59:14 charon: 09[NET] received packet: from pfSense2WanIP[4500] to pfSense1WanIP[4500] (92 bytes)
Jan 29 19:59:14 charon: 09[ENC] parsed ID_PROT response 0 [ ID HASH ]
Jan 29 19:59:14 charon: 09[IKE] <con1000|957> IDir '192.168.25.201' does not match to 'pfSense2WanIP'
Jan 29 19:59:14 charon: 09[IKE] IDir '192.168.25.201' does not match to 'pfSense2WanIP'
Jan 29 19:59:14 charon: 09[IKE] <con1000|957> deleting IKE_SA con1000[957] between pfSense1WanIP[pfSense1WanIP]...pfSense2WanIP[%any]
Jan 29 19:59:14 charon: 09[IKE] deleting IKE_SA con1000[957] between pfSense1WanIP[pfSense1WanIP]...pfSense2WanIP[%any]
Jan 29 19:59:14 charon: 09[IKE] <con1000|957> sending DELETE for IKE_SA con1000[957]
Jan 29 19:59:14 charon: 09[IKE] sending DELETE for IKE_SA con1000[957]
Jan 29 19:59:14 charon: 09[ENC] generating INFORMATIONAL_V1 request 2441748608 [ HASH D ]
Jan 29 19:59:14 charon: 09[NET] sending packet: from pfSense1WanIP[4500] to pfSense2WanIP[4500] (108 bytes)
And the log on pfSense2
pfSense2 has an interface on 192.168.25.201 which is connected to an InternetBox which has the pfSense2WanIP.

Jan 29 19:56:29 charon: 08[NET] received packet: from pfSense1WanIP[500] to 192.168.25.201[500] (200 bytes)
Jan 29 19:56:29 charon: 08[ENC] parsed ID_PROT request 0 [ SA V V V V V V ]
Jan 29 19:56:29 charon: 08[IKE] <14> received XAuth vendor ID
Jan 29 19:56:29 charon: 08[IKE] received XAuth vendor ID
Jan 29 19:56:29 charon: 08[IKE] <14> received DPD vendor ID
Jan 29 19:56:29 charon: 08[IKE] received DPD vendor ID
Jan 29 19:56:29 charon: 08[IKE] <14> received Cisco Unity vendor ID
Jan 29 19:56:29 charon: 08[IKE] received Cisco Unity vendor ID
Jan 29 19:56:29 charon: 08[IKE] <14> received FRAGMENTATION vendor ID
Jan 29 19:56:29 charon: 08[IKE] received FRAGMENTATION vendor ID
Jan 29 19:56:29 charon: 08[IKE] <14> received NAT-T (RFC 3947) vendor ID
Jan 29 19:56:29 charon: 08[IKE] received NAT-T (RFC 3947) vendor ID
Jan 29 19:56:29 charon: 08[IKE] <14> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jan 29 19:56:29 charon: 08[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jan 29 19:56:29 charon: 08[IKE] <14> pfSense1WanIP is initiating a Main Mode IKE_SA
Jan 29 19:56:29 charon: 08[IKE] pfSense1WanIP is initiating a Main Mode IKE_SA
Jan 29 19:56:29 charon: 08[ENC] generating ID_PROT response 0 [ SA V V V V V ]
Jan 29 19:56:29 charon: 08[NET] sending packet: from 192.168.25.201[500] to pfSense1WanIP[500] (180 bytes)
Jan 29 19:56:29 charon: 08[NET] received packet: from pfSense1WanIP[500] to 192.168.25.201[500] (268 bytes)
Jan 29 19:56:29 charon: 08[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jan 29 19:56:29 charon: 08[IKE] <14> local host is behind NAT, sending keep alives
Jan 29 19:56:29 charon: 08[IKE] local host is behind NAT, sending keep alives
Jan 29 19:56:29 charon: 08[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Jan 29 19:56:29 charon: 08[NET] sending packet: from 192.168.25.201[500] to pfSense1WanIP[500] (268 bytes)
Jan 29 19:56:49 charon: 08[IKE] <14> sending keep alive to pfSense1WanIP[500]
Jan 29 19:56:49 charon: 08[IKE] sending keep alive to pfSense1WanIP[500]
Jan 29 19:56:59 charon: 08[JOB] deleting half open IKE_SA after timeout
Jan 29 19:57:16 charon: 08[KNL] creating acquire job for policy 192.168.25.201/32|/0 === pfSense1WanIP/32|/0 with reqid {10}
Jan 29 19:57:16 charon: 08[IKE] <con3000|15> initiating Main Mode IKE_SA con3000[15] to pfSense1WanIP
Jan 29 19:57:16 charon: 08[IKE] initiating Main Mode IKE_SA con3000[15] to pfSense1WanIP
Jan 29 19:57:16 charon: 08[ENC] generating ID_PROT request 0 [ SA V V V V V V ]
Jan 29 19:57:16 charon: 08[NET] sending packet: from 192.168.25.201[500] to pfSense1WanIP[500] (200 bytes)
Jan 29 19:57:16 charon: 06[NET] received packet: from pfSense1WanIP[500] to 192.168.25.201[500] (180 bytes)
Jan 29 19:57:16 charon: 06[ENC] parsed ID_PROT response 0 [ SA V V V V V ]
Jan 29 19:57:16 charon: 06[IKE] <con3000|15> received XAuth vendor ID
Jan 29 19:57:16 charon: 06[IKE] received XAuth vendor ID
Jan 29 19:57:16 charon: 06[IKE] <con3000|15> received DPD vendor ID
Jan 29 19:57:16 charon: 06[IKE] received DPD vendor ID
Jan 29 19:57:16 charon: 06[IKE] <con3000|15> received Cisco Unity vendor ID
Jan 29 19:57:16 charon: 06[IKE] received Cisco Unity vendor ID
Jan 29 19:57:16 charon: 06[IKE] <con3000|15> received FRAGMENTATION vendor ID
Jan 29 19:57:16 charon: 06[IKE] received FRAGMENTATION vendor ID
Jan 29 19:57:16 charon: 06[IKE] <con3000|15> received NAT-T (RFC 3947) vendor ID
Jan 29 19:57:16 charon: 06[IKE] received NAT-T (RFC 3947) vendor ID
Jan 29 19:57:16 charon: 06[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jan 29 19:57:16 charon: 06[NET] sending packet: from 192.168.25.201[500] to pfSense1WanIP[500] (268 bytes)
Jan 29 19:57:16 charon: 06[NET] received packet: from pfSense1WanIP[500] to 192.168.25.201[500] (268 bytes)
Jan 29 19:57:16 charon: 06[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Jan 29 19:57:16 charon: 06[IKE] <con3000|15> local host is behind NAT, sending keep alives
Jan 29 19:57:16 charon: 06[IKE] local host is behind NAT, sending keep alives
Jan 29 19:57:16 charon: 06[ENC] generating ID_PROT request 0 [ ID HASH ]
Jan 29 19:57:16 charon: 06[NET] sending packet: from 192.168.25.201[4500] to pfSense1WanIP[4500] (92 bytes)
Jan 29 19:57:16 charon: 06[NET] received packet: from pfSense1WanIP[4500] to 192.168.25.201[4500] (108 bytes)
---> Jan 29 19:57:16 charon: 06[ENC] parsed INFORMATIONAL_V1 request 3664348433 [ HASH N(AUTH_FAILED) ]
Jan 29 19:57:16 charon: 06[IKE] <con3000|15> received AUTHENTICATION_FAILED error notify
Jan 29 19:57:16 charon: 06[IKE] received AUTHENTICATION_FAILED error notify
Jan 29 19:57:41 charon: 08[KNL] creating acquire job for policy 192.168.25.201/32|/0 === pfSense1WanIP/32|/0 with reqid {11}
Jan 29 19:57:41 charon: 08[IKE] <con3000|16> initiating Main Mode IKE_SA con3000[16] to pfSense1WanIP
Jan 29 19:57:41 charon: 08[IKE] initiating Main Mode IKE_SA con3000[16] to pfSense1WanIP
Jan 29 19:57:41 charon: 08[ENC] generating ID_PROT request 0 [ SA V V V V V V ]
Jan 29 19:57:41 charon: 08[NET] sending packet: from 192.168.25.201[500] to pfSense1WanIP[500] (200 bytes)
Jan 29 19:57:41 charon: 10[NET] received packet: from pfSense1WanIP[500] to 192.168.25.201[500] (180 bytes)
Jan 29 19:57:41 charon: 10[ENC] parsed ID_PROT response 0 [ SA V V V V V ]
Jan 29 19:57:41 charon: 10[IKE] <con3000|16> received XAuth vendor ID
Jan 29 19:57:41 charon: 10[IKE] received XAuth vendor ID
Jan 29 19:57:41 charon: 10[IKE] <con3000|16> received DPD vendor ID
Jan 29 19:57:41 charon: 10[IKE] received DPD vendor ID
Jan 29 19:57:41 charon: 10[IKE] <con3000|16> received Cisco Unity vendor ID
Jan 29 19:57:41 charon: 10[IKE] received Cisco Unity vendor ID
Jan 29 19:57:41 charon: 10[IKE] <con3000|16> received FRAGMENTATION vendor ID
Jan 29 19:57:41 charon: 10[IKE] received FRAGMENTATION vendor ID
Jan 29 19:57:41 charon: 10[IKE] <con3000|16> received NAT-T (RFC 3947) vendor ID
Jan 29 19:57:41 charon: 10[IKE] received NAT-T (RFC 3947) vendor ID
Jan 29 19:57:41 charon: 10[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jan 29 19:57:41 charon: 10[NET] sending packet: from 192.168.25.201[500] to pfSense1WanIP[500] (268 bytes)
Jan 29 19:57:41 charon: 10[NET] received packet: from pfSense1WanIP[500] to 192.168.25.201[500] (268 bytes)
Jan 29 19:57:41 charon: 10[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Jan 29 19:57:41 charon: 10[IKE] <con3000|16> local host is behind NAT, sending keep alives
Jan 29 19:57:41 charon: 10[IKE] local host is behind NAT, sending keep alives
Jan 29 19:57:41 charon: 10[ENC] generating ID_PROT request 0 [ ID HASH ]
Jan 29 19:57:41 charon: 10[NET] sending packet: from 192.168.25.201[4500] to pfSense1WanIP[4500] (92 bytes)
Jan 29 19:57:41 charon: 10[NET] received packet: from pfSense1WanIP[4500] to 192.168.25.201[4500] (108 bytes)
---> Jan 29 19:57:41 charon: 10[ENC] parsed INFORMATIONAL_V1 request 1358166335 [ HASH N(AUTH_FAILED) ]
Jan 29 19:57:41 charon: 10[IKE] <con3000|16> received AUTHENTICATION_FAILED error notify
Jan 29 19:57:41 charon: 10[IKE] received AUTHENTICATION_FAILED error notify
Jan 29 19:59:14 charon: 10[NET] received packet: from pfSense1WanIP[500] to 192.168.25.201[500] (200 bytes)
Jan 29 19:59:14 charon: 10[ENC] parsed ID_PROT request 0 [ SA V V V V V V ]
Jan 29 19:59:14 charon: 10[IKE] <17> received XAuth vendor ID
Jan 29 19:59:14 charon: 10[IKE] received XAuth vendor ID
Jan 29 19:59:14 charon: 10[IKE] <17> received DPD vendor ID
Jan 29 19:59:14 charon: 10[IKE] received DPD vendor ID
Jan 29 19:59:14 charon: 10[IKE] <17> received Cisco Unity vendor ID
Jan 29 19:59:14 charon: 10[IKE] received Cisco Unity vendor ID
Jan 29 19:59:14 charon: 10[IKE] <17> received FRAGMENTATION vendor ID
Jan 29 19:59:14 charon: 10[IKE] received FRAGMENTATION vendor ID
Jan 29 19:59:14 charon: 10[IKE] <17> received NAT-T (RFC 3947) vendor ID
Jan 29 19:59:14 charon: 10[IKE] received NAT-T (RFC 3947) vendor ID
Jan 29 19:59:14 charon: 10[IKE] <17> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jan 29 19:59:14 charon: 10[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jan 29 19:59:14 charon: 10[IKE] <17> pfSense1WanIP is initiating a Main Mode IKE_SA
Jan 29 19:59:14 charon: 10[IKE] pfSense1WanIP is initiating a Main Mode IKE_SA
Jan 29 19:59:14 charon: 10[ENC] generating ID_PROT response 0 [ SA V V V V V ]
Jan 29 19:59:14 charon: 10[NET] sending packet: from 192.168.25.201[500] to pfSense1WanIP[500] (180 bytes)
Jan 29 19:59:14 charon: 10[NET] received packet: from pfSense1WanIP[500] to 192.168.25.201[500] (268 bytes)
Jan 29 19:59:14 charon: 10[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jan 29 19:59:14 charon: 10[IKE] <17> local host is behind NAT, sending keep alives
Jan 29 19:59:14 charon: 10[IKE] local host is behind NAT, sending keep alives
Jan 29 19:59:14 charon: 10[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Jan 29 19:59:14 charon: 10[NET] sending packet: from 192.168.25.201[500] to pfSense1WanIP[500] (268 bytes)
Jan 29 19:59:14 charon: 10[NET] received packet: from pfSense1WanIP[4500] to 192.168.25.201[4500] (92 bytes)
Jan 29 19:59:14 charon: 10[ENC] parsed ID_PROT request 0 [ ID HASH ]
Jan 29 19:59:14 charon: 10[CFG] looking for pre-shared key peer configs matching 192.168.25.201...pfSense1WanIP[pfSense1WanIP]
Jan 29 19:59:14 charon: 10[CFG] selected peer config "con3000"
Jan 29 19:59:14 charon: 10[IKE] <con3000|17> IKE_SA con3000[17] established between 192.168.25.201[192.168.25.201]...pfSense1WanIP[pfSense1WanIP]
Jan 29 19:59:14 charon: 10[IKE] IKE_SA con3000[17] established between 192.168.25.201[192.168.25.201]...pfSense1WanIP[pfSense1WanIP]
Jan 29 19:59:14 charon: 10[IKE] <con3000|17> scheduling reauthentication in 27880s
Jan 29 19:59:14 charon: 10[IKE] scheduling reauthentication in 27880s
Jan 29 19:59:14 charon: 10[IKE] <con3000|17> maximum IKE_SA lifetime 28420s
Jan 29 19:59:14 charon: 10[IKE] maximum IKE_SA lifetime 28420s
Jan 29 19:59:14 charon: 10[ENC] generating ID_PROT response 0 [ ID HASH ]
Jan 29 19:59:14 charon: 10[NET] sending packet: from 192.168.25.201[4500] to pfSense1WanIP[4500] (92 bytes)
Jan 29 19:59:14 charon: 08[NET] received packet: from pfSense1WanIP[4500] to 192.168.25.201[4500] (108 bytes)
Jan 29 19:59:14 charon: 08[ENC] parsed INFORMATIONAL_V1 request 1122998762 [ HASH D ]
Jan 29 19:59:14 charon: 08[IKE] <con3000|17> received DELETE for IKE_SA con3000[17]
Jan 29 19:59:14 charon: 08[IKE] received DELETE for IKE_SA con3000[17]
Jan 29 19:59:14 charon: 08[IKE] <con3000|17> deleting IKE_SA con3000[17] between 192.168.25.201[192.168.25.201]...pfSense1WanIP[pfSense1WanIP]
Jan 29 19:59:14 charon: 08[IKE] deleting IKE_SA con3000[17] between 192.168.25.201[192.168.25.201]...pfSense1WanIP[pfSense1WanIP]
Jan 29 19:59:14 charon: 08[NET] received packet: from pfSense1WanIP[500] to 192.168.25.201[500] (200 bytes)
Jan 29 19:59:14 charon: 08[ENC] parsed ID_PROT request 0 [ SA V V V V V V ]
Jan 29 19:59:14 charon: 08[IKE] <18> received XAuth vendor ID
Jan 29 19:59:14 charon: 08[IKE] received XAuth vendor ID
Jan 29 19:59:14 charon: 08[IKE] <18> received DPD vendor ID
Jan 29 19:59:14 charon: 08[IKE] received DPD vendor ID
Jan 29 19:59:14 charon: 08[IKE] <18> received Cisco Unity vendor ID
Jan 29 19:59:14 charon: 08[IKE] received Cisco Unity vendor ID
Jan 29 19:59:14 charon: 08[IKE] <18> received FRAGMENTATION vendor ID
Jan 29 19:59:14 charon: 08[IKE] received FRAGMENTATION vendor ID
Jan 29 19:59:14 charon: 08[IKE] <18> received NAT-T (RFC 3947) vendor ID
Jan 29 19:59:14 charon: 08[IKE] received NAT-T (RFC 3947) vendor ID
Jan 29 19:59:14 charon: 08[IKE] <18> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jan 29 19:59:14 charon: 08[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jan 29 19:59:14 charon: 08[IKE] <18> pfSense1WanIP is initiating a Main Mode IKE_SA
Jan 29 19:59:14 charon: 08[IKE] pfSense1WanIP is initiating a Main Mode IKE_SA
Jan 29 19:59:14 charon: 08[ENC] generating ID_PROT response 0 [ SA V V V V V ]
Jan 29 19:59:14 charon: 08[NET] sending packet: from 192.168.25.201[500] to pfSense1WanIP[500] (180 bytes)
Jan 29 19:59:14 charon: 08[NET] received packet: from pfSense1WanIP[500] to 192.168.25.201[500] (268 bytes)
Jan 29 19:59:14 charon: 08[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jan 29 19:59:14 charon: 08[IKE] <18> local host is behind NAT, sending keep alives
Jan 29 19:59:14 charon: 08[IKE] local host is behind NAT, sending keep alives
Jan 29 19:59:14 charon: 08[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Jan 29 19:59:14 charon: 08[NET] sending packet: from 192.168.25.201[500] to pfSense1WanIP[500] (268 bytes)
Jan 29 19:59:14 charon: 08[NET] received packet: from pfSense1WanIP[4500] to 192.168.25.201[4500] (92 bytes)
Jan 29 19:59:14 charon: 08[ENC] parsed ID_PROT request 0 [ ID HASH ]
Jan 29 19:59:14 charon: 08[CFG] looking for pre-shared key peer configs matching 192.168.25.201...pfSense1WanIP[pfSense1WanIP]
Jan 29 19:59:14 charon: 08[CFG] selected peer config "con3000"
Jan 29 19:59:14 charon: 08[IKE] <con3000|18> IKE_SA con3000[18] established between 192.168.25.201[192.168.25.201]...pfSense1WanIP[pfSense1WanIP]
Jan 29 19:59:14 charon: 08[IKE] IKE_SA con3000[18] established between 192.168.25.201[192.168.25.201]...pfSense1WanIP[pfSense1WanIP]
Jan 29 19:59:14 charon: 08[IKE] <con3000|18> scheduling reauthentication in 27905s
Jan 29 19:59:14 charon: 08[IKE] scheduling reauthentication in 27905s
Jan 29 19:59:14 charon: 08[IKE] <con3000|18> maximum IKE_SA lifetime 28445s
Jan 29 19:59:14 charon: 08[IKE] maximum IKE_SA lifetime 28445s
Jan 29 19:59:14 charon: 08[ENC] generating ID_PROT response 0 [ ID HASH ]
Jan 29 19:59:14 charon: 08[NET] sending packet: from 192.168.25.201[4500] to pfSense1WanIP[4500] (92 bytes)
Jan 29 19:59:14 charon: 14[NET] received packet: from pfSense1WanIP[4500] to 192.168.25.201[4500] (108 bytes)
Jan 29 19:59:14 charon: 14[ENC] parsed INFORMATIONAL_V1 request 2441748608 [ HASH D ]
Jan 29 19:59:14 charon: 14[IKE] <con3000|18> received DELETE for IKE_SA con3000[18]
Jan 29 19:59:14 charon: 14[IKE] received DELETE for IKE_SA con3000[18]
Jan 29 19:59:14 charon: 14[IKE] <con3000|18> deleting IKE_SA con3000[18] between 192.168.25.201[192.168.25.201]...pfSense1WanIP[pfSense1WanIP]
Jan 29 19:59:14 charon: 14[IKE] deleting IKE_SA con3000[18] between 192.168.25.201[192.168.25.201]...pfSense1WanIP[pfSense1WanIP]
-
I had a similar situation where I was using dynamic DNS for one endpoint, and was getting the error:
IDir 'myhost.mydomain.com' does not match to 'XX.YY.ZZ.WWW'
To resolve, I edited the IPsec configuration. Under "Phase 1 proposal (Authentication)", change the "Peer Identifier" from "Peer IP Address" to "Distinguished Name" and enter the dynamic DNS name of the remote end. I was able to establish a connection after this single change.
This may not be your exact set-up, but may direct you to a relevant configuration variable to change.
-
OP's logs show 192.168.25.201 as an identifier, so I'm sure that's this:
https://doc.pfsense.org/index.php/Upgrade_Guide#Stricter_Phase_1_Identifier_Validation

> IDir 'myhost.mydomain.com' does not match to 'XX.YY.ZZ.WWW'
>
> To resolve, I edited the IPsec configuration. Under "Phase 1 proposal (Authentication)", change the "Peer Identifier" from "Peer IP Address" to "Distinguished Name" and enter the dynamic DNS name of the remote end. I was able to establish a connection after this single change.
Ditto for that. It was mismatched to begin with; racoon would just fall back to the IP if the identifier didn't match and try that, hiding the fact that things weren't actually correctly configured.
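The identifier check the last two replies describe, as an added example that is not part of the thread and not pfSense or strongSwan code: a small Python parser for charon log lines in the format shown above. It collapses the doubled entries pfSense 2.2 writes (one with the <conn|N> tag, one without), then reports from each side's log the Phase 1 identity the peer actually sent versus the one expected, and the concrete Peer identifier / My identifier change that would satisfy the stricter match. The sample lines are constructed from the logs in this thread, with the placeholder WAN addresses replaced by RFC 5737 documentation addresses (203.0.113.10 for pfSense1WanIP, 198.51.100.20 for pfSense2WanIP); 192.168.25.201 is the address from the OP's log.

```python
"""Added example (not pfSense or strongSwan code): parse charon log lines in
the format shown in this thread and report IKEv1 Phase 1 identifier
mismatches, with the setting that would resolve them on either side."""
import re

# One charon entry as it appears in the posts: timestamp, thread, subsystem,
# optional <conn|N> tag, message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) charon: (?P<thr>\d\d)\[(?P<grp>[A-Z]+)\] "
    r"(?:<(?P<sa>[^>]*)> )?(?P<msg>.*)$"
)
# Initiator side: ID the peer sent vs. the Peer identifier configured locally.
IDIR_RE = re.compile(r"IDir '(?P<got>[^']+)' does not match to '(?P<want>[^']+)'")
# Responder side: local address, remote address, identity the remote claimed.
LOOKUP_RE = re.compile(
    r"looking for pre-shared key peer configs matching "
    r"(?P<local>\S+?)\.\.\.(?P<remote>[^\[\s]+)\[(?P<remote_id>[^\]]+)\]"
)
ESTAB_RE = re.compile(
    r"IKE_SA \S+ established between (?P<local>[^\[\s]+)\[(?P<local_id>[^\]]+)\]"
    r"\.\.\.(?P<remote>[^\[\s]+)\[(?P<remote_id>[^\]]+)\]"
)

def parse(log_text):
    """Return (subsystem, message) per entry. pfSense 2.2 logs each message
    twice, once with the <conn|N> tag and once without; the copy is dropped."""
    events, last = [], None
    for raw in log_text.splitlines():
        raw = raw.strip()
        if raw.startswith("--->"):          # marker the OP added by hand
            raw = raw[4:].lstrip()
        m = LINE_RE.match(raw)
        if not m:
            continue
        key = (m["ts"], m["thr"], m["grp"], m["msg"])
        if key != last:
            events.append((m["grp"], m["msg"]))
        last = key
    return events

def analyze(log_text):
    """Collect identifier-related events from one firewall's IPsec log."""
    f = {"idir_mismatch": [], "no_peer_config": [], "established": [],
         "auth_failed_sent": 0, "auth_failed_received": 0}
    pending = None   # last PSK peer-config lookup not yet resolved
    for _grp, msg in parse(log_text):
        if m := IDIR_RE.search(msg):
            f["idir_mismatch"].append((m["got"], m["want"]))
        elif m := LOOKUP_RE.search(msg):
            pending = (m["local"], m["remote"], m["remote_id"])
        elif msg.startswith("selected peer config"):
            pending = None
        elif msg == "no peer config found" and pending:
            f["no_peer_config"].append(pending)
            pending = None
        elif msg.startswith("generating") and "N(AUTH_FAILED)" in msg:
            f["auth_failed_sent"] += 1
        elif "received AUTHENTICATION_FAILED error notify" in msg:
            f["auth_failed_received"] += 1
        elif m := ESTAB_RE.search(msg):
            f["established"].append((m["local_id"], m["remote_id"]))
    return f

def advice(findings):
    """Concrete identifier change for each mismatch; one change on either side
    is enough. Pin a specific identifier rather than loosening the match: with
    IKEv1 pre-shared keys it is what selects the peer config and its key."""
    hints = []
    for got, want in findings["idir_mismatch"]:
        hints.append(f"peer identifies as '{got}' but Peer identifier here is "
                     f"'{want}': set Peer identifier to '{got}', or the peer's "
                     f"My identifier to '{want}'")
    for local, remote, rid in findings["no_peer_config"]:
        hints.append(f"peer at {remote} identifies as '{rid}' and no Phase 1 on "
                     f"{local} accepts it: set Peer identifier to '{rid}', or "
                     f"the peer's My identifier to '{remote}'")
    return hints

# Constructed samples, taken from the logs above with pfSense1WanIP replaced by
# 203.0.113.10 and pfSense2WanIP by 198.51.100.20 (RFC 5737 addresses).
SAMPLE_PFSENSE1 = """\
Jan 29 19:57:16 charon: 02[CFG] looking for pre-shared key peer configs matching 203.0.113.10...198.51.100.20[192.168.25.201]
Jan 29 19:57:16 charon: 02[IKE] <955> no peer config found
Jan 29 19:57:16 charon: 02[IKE] no peer config found
---> Jan 29 19:57:16 charon: 02[ENC] generating INFORMATIONAL_V1 request 3664348433 [ HASH N(AUTH_FAILED) ]
Jan 29 19:59:14 charon: 12[IKE] <con1000|954> IDir '192.168.25.201' does not match to '198.51.100.20'
Jan 29 19:59:14 charon: 12[IKE] IDir '192.168.25.201' does not match to '198.51.100.20'
"""
SAMPLE_PFSENSE2 = """\
Jan 29 19:57:16 charon: 06[IKE] <con3000|15> received AUTHENTICATION_FAILED error notify
Jan 29 19:57:16 charon: 06[IKE] received AUTHENTICATION_FAILED error notify
Jan 29 19:59:14 charon: 10[CFG] looking for pre-shared key peer configs matching 192.168.25.201...203.0.113.10[203.0.113.10]
Jan 29 19:59:14 charon: 10[CFG] selected peer config "con3000"
Jan 29 19:59:14 charon: 10[IKE] <con3000|17> IKE_SA con3000[17] established between 192.168.25.201[192.168.25.201]...203.0.113.10[203.0.113.10]
Jan 29 19:59:14 charon: 10[IKE] IKE_SA con3000[17] established between 192.168.25.201[192.168.25.201]...203.0.113.10[203.0.113.10]
"""

if __name__ == "__main__":
    for name, log in (("pfSense1", SAMPLE_PFSENSE1), ("pfSense2", SAMPLE_PFSENSE2)):
        for hint in advice(analyze(log)) or ["no identifier mismatch in this log"]:
            print(f"{name}: {hint}")
```

Run as a script it prints the hints for the two constructed logs; on a real box, feed `analyze()` the IPsec log from Status > System Logs. pfSense1's log yields the same mismatch twice, once as responder (no peer config matches a peer identifying as 192.168.25.201) and once as initiator (IDir received is 192.168.25.201, expected the WAN address), while pfSense2's log shows the mirror image: it accepts pfSense1's identity, establishes the IKE_SA, and is then torn down by pfSense1's DELETE or AUTH_FAILED. Because pfSense2 is behind NAT, "My IP address" resolves to its interface address, which is what the peer sees as IDir; either pinning that address as the Peer identifier on pfSense1 or setting an explicit My identifier on pfSense2 that matches what pfSense1 expects restores the exact match that 2.2 now requires, without reintroducing the silent fallback to the packet's source IP that racoon used to allow.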