IPSEC tunnel only comes up from remote side
-
I've been trying to get a site-to-site IPSEC tunnel working between my Sophos UTM firewall and a pfSense VM and have spent way too much time chasing this already. This is my last ditch effort at getting this working.
Local LAN: 192.168.2.0/24
Remote LAN: 10.10.0.0/16
(no NAT used)

Phase 1 seems to connect without issues, but local traffic won't cross the tunnel until a packet is initiated from the remote side. As soon as the remote side sends a single ping, the local side can send traffic across. This lasts for an undetermined amount of time, after which the local side starts failing again. If I keep a steady ping going from remote to local, the tunnel stays up all night.
The most confounding thing I've seen in the Sophos logs refers to INVALID_ID_INFORMATION. The interesting thing is that, just prior to this, it logs the local subnet correctly (192.168.2.0/24) but states that the peer client is subnet 0.0.0.0/0. At that point, Sophos logs "peer client ID returned doesn't match my proposal" and "sending encrypted notification INVALID_ID_INFORMATION to 20x.xxx.x.xx:500".
Despite this, traffic will flow if I kick it off from the remote side. Meanwhile, however, the SPD tab on the remote pfSense device shows the correct local subnet (10.10.0.0/16).
I have tried messing with every setting I could find to resolve this, and the only thing that's done is sometimes make it worse (e.g. a ping from the remote side won't bring up the tunnel with certain settings).
What gives?
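The log sequence described in the question (our subnet logged correctly, peer subnet logged as 0.0.0.0/0, then INVALID_ID_INFORMATION) can be turned into a small consistency check to run over exported IKE logs when troubleshooting a site-to-site tunnel. The script below is an added example, not code from the original post, from Sophos or from pfSense. The sample log lines are constructed from the phrases quoted in the post; the daemon prefix, connection name, SA numbers and the peer address (an RFC 5737 documentation address) are placeholders, and the line layout is an assumption about the log format.

```python
import ipaddress
import re
from collections import defaultdict

# Phase 2 traffic selectors the tunnel in the post is supposed to carry (no NAT).
EXPECTED_LOCAL = ipaddress.ip_network("192.168.2.0/24")
EXPECTED_REMOTE = ipaddress.ip_network("10.10.0.0/16")

# Constructed sample log. The quoted phrases come from the post; everything
# else (prefix, connection name, SA numbers, peer address) is made up here.
SAMPLE_LOG = """\
pluto[2210]: "S_REF_pfsense" #7: our client is subnet 192.168.2.0/24
pluto[2210]: "S_REF_pfsense" #7: peer client is subnet 0.0.0.0/0
pluto[2210]: "S_REF_pfsense" #7: peer client ID returned doesn't match my proposal
pluto[2210]: "S_REF_pfsense" #7: sending encrypted notification INVALID_ID_INFORMATION to 203.0.113.10:500
pluto[2210]: "S_REF_pfsense" #9: our client is subnet 192.168.2.0/24
pluto[2210]: "S_REF_pfsense" #9: peer client is subnet 10.10.0.0/16
"""

SA_RE = re.compile(r"#(?P<sa>\d+): (?P<msg>.*)$")
OUR_RE = re.compile(r"our client is subnet (\S+)")
PEER_RE = re.compile(r"peer client is subnet (\S+)")


def parse_sa_selectors(log_text):
    """Group the logged 'our client' / 'peer client' subnets, and whether an
    INVALID_ID_INFORMATION notification was sent, by Quick Mode SA number."""
    sas = defaultdict(dict)
    for line in log_text.splitlines():
        m = SA_RE.search(line)
        if not m:
            continue
        sa, msg = int(m.group("sa")), m.group("msg")
        our = OUR_RE.search(msg)
        peer = PEER_RE.search(msg)
        if our:
            sas[sa]["local"] = ipaddress.ip_network(our.group(1))
        elif peer:
            sas[sa]["peer"] = ipaddress.ip_network(peer.group(1))
        elif "INVALID_ID_INFORMATION" in msg:
            sas[sa]["rejected"] = True
    return dict(sas)


def classify(local, peer, expected_local=EXPECTED_LOCAL, expected_remote=EXPECTED_REMOTE):
    """Compare the selectors the responder logged with the configured ones.
    Returns:
      'match'       both sides agree on the configured subnets
      'peer_wider'  the peer's ID is a supernet of the expected remote subnet
                    (0.0.0.0/0 is the case in the post; a responder that only
                    accepts an exact ID answers with INVALID_ID_INFORMATION)
      'local_wrong' our own logged subnet is not the configured one
      'mismatch'    any other disagreement
    """
    if local != expected_local:
        return "local_wrong"
    if peer == expected_remote:
        return "match"
    if expected_remote.subnet_of(peer):
        return "peer_wider"
    return "mismatch"


def audit(log_text):
    """Return {sa_number: verdict} for every Quick Mode exchange in the log,
    with '+rejected' appended when the notification was also logged."""
    report = {}
    for sa, info in parse_sa_selectors(log_text).items():
        if "local" not in info or "peer" not in info:
            continue  # incomplete exchange, nothing to compare
        verdict = classify(info["local"], info["peer"])
        if info.get("rejected"):
            verdict += "+rejected"
        report[sa] = verdict
    return report


if __name__ == "__main__":
    for sa, verdict in sorted(audit(SAMPLE_LOG).items()):
        print(f"SA #{sa}: {verdict}")
```

On the sample, SA #7 is reported as `peer_wider+rejected` (peer offered 0.0.0.0/0 against a 10.10.0.0/16 configuration) and SA #9 as `match`. A `peer_wider` verdict on every responder-side exchange, with `match` only on exchanges the other side initiated, is the pattern to look for when a tunnel only comes up from one direction; it points at the Phase 2 network definitions on the two peers rather than at Phase 1.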
-
hm,
Because of my problem with x509-authenticated IPsec, I tried a site-to-site tunnel between pfSense 2.2 and Cisco IOS with PSK and fixed IPs on both sides.
There I have a similar problem.
This site-to-site tunnel only gets established when a client behind pfSense initiates the tunnel to the Cisco. When the tunnel is established, the router is also able to transfer traffic over the tunnel, but not before.
I assumed: the Cisco IOS has about 5 different Phase 1 policies, the pfSense has only one.
But I don't know how to define only one Phase 1 policy for a specific client; also, Cisco support told me that's not possible. I am unsure if I should trust Cisco on this statement (I have already had fights with Cisco support about what is possible and what isn't).
best regards
Thomas