IPSec PFsense 2.2 To Sonicwall timing out straight away



  • Hi all

    I had problems routing a secondary subnet on pfSense 2.1, so I decided to set up from scratch, use pfSense 2.2 and set up an IPsec tunnel to a SonicWall NSA5600.
    But it times out straight away, and I can't tell from the pfSense logs what they mean.
    Scenario:
    We have two sites which are routed via an external service provider (private IP).
    My SonicWall has a WAN address of 192.168.20.253. The pfSense has a WAN address of 192.168.11.252.
    I copied the exact IPsec settings from the pfSense 2.1 (the tunnel on the old firewall works).
    IPsec settings:

    Phase1:
    Main Mode
    Identifiers: IP addresses
    Encryption: AES 128
    Hash: SHA1
    DH Key Group: 5

    Phase2:
    Protocol: ESP
    Encryption: AES 128
    Hash: SHA1
    PFS Key Group: 5

    This is exactly the same on pfSense 2.1 and on the 2.2 firewall (except for the IP addresses, as they are set up in parallel).
    The pfSense 2.2 just does not connect.
    Log files are below:

    Last 50 IPsec log entries
    Mar 20 10:51:33 charon: 12[IKE] <26> received NAT-T (RFC 3947) vendor ID
    Mar 20 10:51:33 charon: 12[IKE] received NAT-T (RFC 3947) vendor ID
    Mar 20 10:51:33 charon: 12[IKE] <26> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Mar 20 10:51:33 charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Mar 20 10:51:33 charon: 12[IKE] <26> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Mar 20 10:51:33 charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Mar 20 10:51:33 charon: 12[IKE] <26> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
    Mar 20 10:51:33 charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
    Mar 20 10:51:33 charon: 12[IKE] <26> 192.168.20.253 is initiating a Main Mode IKE_SA
    Mar 20 10:51:33 charon: 12[IKE] 192.168.20.253 is initiating a Main Mode IKE_SA
    Mar 20 10:51:33 charon: 12[ENC] generating ID_PROT response 0 [ SA V V V V ]
    Mar 20 10:51:33 charon: 12[NET] sending packet: from 192.168.11.252[500] to 192.168.20.253[500] (156 bytes)
    Mar 20 10:51:38 charon: 12[NET] received packet: from 192.168.20.253[500] to 192.168.11.252[500] (176 bytes)
    Mar 20 10:51:38 charon: 12[IKE] <26> received retransmit of request with ID 0, retransmitting response
    Mar 20 10:51:38 charon: 12[IKE] received retransmit of request with ID 0, retransmitting response
    Mar 20 10:51:38 charon: 12[NET] sending packet: from 192.168.11.252[500] to 192.168.20.253[500] (156 bytes)
    Mar 20 10:51:40 charon: 12[KNL] creating acquire job for policy 192.168.11.252/32|/0 === 192.168.20.253/32|/0 with reqid {1}
    Mar 20 10:51:40 charon: 14[IKE] <con1000|27> initiating Main Mode IKE_SA con1000[27] to 192.168.20.253
    Mar 20 10:51:40 charon: 14[IKE] initiating Main Mode IKE_SA con1000[27] to 192.168.20.253
    Mar 20 10:51:40 charon: 14[ENC] generating ID_PROT request 0 [ SA V V V V V V ]
    Mar 20 10:51:40 charon: 14[NET] sending packet: from 192.168.11.252[500] to 192.168.20.253[500] (200 bytes)
    Mar 20 10:51:44 charon: 14[IKE] <con1000|27> sending retransmit 1 of request message ID 0, seq 1
    Mar 20 10:51:44 charon: 14[IKE] sending retransmit 1 of request message ID 0, seq 1
    Mar 20 10:51:44 charon: 14[NET] sending packet: from 192.168.11.252[500] to 192.168.20.253[500] (200 bytes)
    Mar 20 10:51:48 charon: 14[NET] received packet: from 192.168.20.253[500] to 192.168.11.252[500] (176 bytes)
    Mar 20 10:51:48 charon: 14[IKE] <26> received retransmit of request with ID 0, retransmitting response
    Mar 20 10:51:48 charon: 14[IKE] received retransmit of request with ID 0, retransmitting response
    Mar 20 10:51:48 charon: 14[NET] sending packet: from 192.168.11.252[500] to 192.168.20.253[500] (156 bytes)
    Mar 20 10:51:51 charon: 14[IKE] <con1000|27> sending retransmit 2 of request message ID 0, seq 1
    Mar 20 10:51:51 charon: 14[IKE] sending retransmit 2 of request message ID 0, seq 1
    Mar 20 10:51:51 charon: 14[NET] sending packet: from 192.168.11.252[500] to 192.168.20.253[500] (200 bytes)
    Mar 20 10:52:03 charon: 14[JOB] deleting half open IKE_SA after timeout
    Mar 20 10:52:04 charon: 14[IKE] <con1000|27> sending retransmit 3 of request message ID 0, seq 1
    Mar 20 10:52:04 charon: 14[IKE] sending retransmit 3 of request message ID 0, seq 1
    Mar 20 10:52:04 charon: 14[NET] sending packet: from 192.168.11.252[500] to 192.168.20.253[500] (200 bytes)
    Mar 20 10:52:05 charon: 14[NET] received packet: from 192.168.20.253[500] to 192.168.11.252[500] (176 bytes)
    Mar 20 10:52:05 charon: 14[ENC] parsed ID_PROT request 0 [ SA V V V V V ]
    Mar 20 10:52:05 charon: 14[ENC] received unknown vendor ID: 5b:36:2b:c8:20:f6:00:07
    Mar 20 10:52:05 charon: 14[IKE] <28> received NAT-T (RFC 3947) vendor ID
    Mar 20 10:52:05 charon: 14[IKE] received NAT-T (RFC 3947) vendor ID
    Mar 20 10:52:05 charon: 14[IKE] <28> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Mar 20 10:52:05 charon: 14[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    Mar 20 10:52:05 charon: 14[IKE] <28> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Mar 20 10:52:05 charon: 14[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Mar 20 10:52:05 charon: 14[IKE] <28> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
    Mar 20 10:52:05 charon: 14[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
    Mar 20 10:52:05 charon: 14[IKE] <28> 192.168.20.253 is initiating a Main Mode IKE_SA
    Mar 20 10:52:05 charon: 14[IKE] 192.168.20.253 is initiating a Main Mode IKE_SA
    Mar 20 10:52:05 charon: 14[ENC] generating ID_PROT response 0 [ SA V V V V ]
    Mar 20 10:52:05 charon: 14[NET] sending packet: from 192.168.11.252[500] to 192.168.20.253[500] (156 bytes)

    I keep on seeing "deleting half open IKE_SA after timeout"?
    I have also tried Aggressive mode (security is no issue for this tunnel), but I see the same behaviour: the tunnel just does not start.
    I also tried AES 256 encryption, but it is the same there.
    Any help would be appreciated.

    Below is a screenshot of the config.
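The posted charon log can be read mechanically. The script below is an added example, not code from the poster, pfSense or strongSwan: it collapses the doubled entries pfSense 2.2 writes (one copy with the `<26>` / `<con1000|27>` tag, one without), counts the charon events that matter for a tunnel that never comes up, and classifies the outcome. The message strings matched are strongSwan's own log text; `SAMPLE_LOG` is a constructed subset of the lines in the post; the verdict labels (`one-way-udp500` and so on) are names made up for this example. Applied to the posted lines it finds that packets from 192.168.20.253 do arrive on UDP/500, that the SonicWall keeps retransmitting its first Main Mode request (so it never sees pfSense's reply), and that pfSense's own requests are retransmitted without any `parsed ID_PROT response`, which points at a one-way path rather than a proposal mismatch.

```python
"""Triage a strongSwan (charon) IKEv1 Main Mode log for a tunnel that never comes up.

Added example, not code from the post or from pfSense/strongSwan.  The message
strings are charon's own; the classification rules and labels are this example's.
"""
import re
import sys
from collections import Counter

# Constructed sample: a subset of the charon lines from the post above, including
# two of the doubled entries (with and without the <name|id> tag) pfSense 2.2 emits.
SAMPLE_LOG = """\
Mar 20 10:51:33 charon: 12[IKE] <26> 192.168.20.253 is initiating a Main Mode IKE_SA
Mar 20 10:51:33 charon: 12[IKE] 192.168.20.253 is initiating a Main Mode IKE_SA
Mar 20 10:51:33 charon: 12[ENC] generating ID_PROT response 0 [ SA V V V V ]
Mar 20 10:51:33 charon: 12[NET] sending packet: from 192.168.11.252[500] to 192.168.20.253[500] (156 bytes)
Mar 20 10:51:38 charon: 12[NET] received packet: from 192.168.20.253[500] to 192.168.11.252[500] (176 bytes)
Mar 20 10:51:38 charon: 12[IKE] <26> received retransmit of request with ID 0, retransmitting response
Mar 20 10:51:38 charon: 12[IKE] received retransmit of request with ID 0, retransmitting response
Mar 20 10:51:40 charon: 14[IKE] <con1000|27>initiating Main Mode IKE_SA con1000[27] to 192.168.20.253
Mar 20 10:51:40 charon: 14[ENC] generating ID_PROT request 0 [ SA V V V V V V ]
Mar 20 10:51:40 charon: 14[NET] sending packet: from 192.168.11.252[500] to 192.168.20.253[500] (200 bytes)
Mar 20 10:51:44 charon: 14[IKE] <con1000|27>sending retransmit 1 of request message ID 0, seq 1
Mar 20 10:51:48 charon: 14[IKE] <26> received retransmit of request with ID 0, retransmitting response
Mar 20 10:51:51 charon: 14[IKE] <con1000|27>sending retransmit 2 of request message ID 0, seq 1
Mar 20 10:52:03 charon: 14[JOB] deleting half open IKE_SA after timeout
Mar 20 10:52:04 charon: 14[IKE] <con1000|27>sending retransmit 3 of request message ID 0, seq 1
"""

TAG = re.compile(r"<[^>]*>\s*")  # the <26> / <con1000|27> IKE_SA tags

# charon log strings that decide the diagnosis (IKEv1 Main Mode)
PATTERNS = {
    "peer_initiates":    re.compile(r" (\S+) is initiating a Main Mode IKE_SA"),
    "we_initiate":       re.compile(r"initiating Main Mode IKE_SA \S+ to (\S+)"),
    "sent":              re.compile(r"sending packet: from \S+\[\d+\] to (\S+)\[(\d+)\]"),
    "received":          re.compile(r"received packet: from (\S+)\[(\d+)\] to"),
    "peer_retransmit":   re.compile(r"received retransmit of request with ID \d+"),
    "our_retransmit":    re.compile(r"sending retransmit \d+ of request message ID \d+"),
    "half_open":         re.compile(r"deleting half open IKE_SA after timeout"),
    "parsed_response":   re.compile(r"parsed ID_PROT response"),
    "negotiation_error": re.compile(
        r"NO_PROPOSAL_CHOSEN|no proposal found|INVALID_ID_INFORMATION|"
        r"AUTHENTICATION_FAILED|received proposals unacceptable"),
}


def parse(log_text):
    """Return (event counts, peer addresses seen) after collapsing doubled lines."""
    counts, peers, seen = Counter(), set(), set()
    for raw in log_text.splitlines():
        line = TAG.sub("", raw).rstrip()
        if not line or line in seen:  # second copy of a doubled pfSense entry
            continue
        seen.add(line)
        for name, pat in PATTERNS.items():
            m = pat.search(line)
            if m is None:
                continue
            counts[name] += 1
            if name in ("peer_initiates", "we_initiate", "received"):
                peers.add(m.group(1))
    return counts, peers


def classify(log_text):
    """Map the event counts to the most likely reason the IKE_SA stays half open."""
    c, _ = parse(log_text)
    if c["negotiation_error"]:
        return "negotiation-error"  # the peer answered but rejected something
    inbound_ok = c["received"] > 0
    peer_never_hears_us = c["peer_retransmit"] > 0
    no_reply_to_us = (c["we_initiate"] > 0 and c["our_retransmit"] > 0
                      and c["parsed_response"] == 0)
    if inbound_ok and peer_never_hears_us and no_reply_to_us:
        return "one-way-udp500"  # our IKE packets never reach the peer
    if no_reply_to_us:
        return "no-reply"
    if c["half_open"]:
        return "half-open-timeout"
    return "no-fault-visible"


def report(log_text):
    """Human-readable summary: peers, verdict and one line per event counter."""
    c, peers = parse(log_text)
    lines = ["peers:   %s" % ", ".join(sorted(peers)),
             "verdict: %s" % classify(log_text)]
    lines += ["  %-18s %d" % (name, c[name]) for name in PATTERNS]
    return "\n".join(lines)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(report(text))
```

Save the IPsec log from Status > System Logs to a file and pass its path as the first argument. A `one-way-udp500` verdict means the proposal settings are not the first thing to compare: the next check is a capture on both WAN interfaces for UDP 500 (and 4500) to see where pfSense's replies stop, together with the pfSense WAN rule that must allow UDP 500/4500 from the peer. A `negotiation-error` verdict is the case where comparing Phase 1/Phase 2 settings and the pre-shared key is the right move.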