IPsec pfSense 2.2 to SonicWall timing out straight away
Hi all,
I had problems routing a secondary subnet on pfSense 2.1, so I decided to set up from scratch, use pfSense 2.2 and set up an IPsec tunnel to a SonicWall NSA5600.
But it times out straight away, and I can't find out from the pfSense logs what they mean.
Scenario:
We have 2 sites which are routed via an external service provider (private IP).
My SonicWall has a WAN address of 192.168.20.253. The pfSense has a WAN address of 192.168.11.252.
I copied the exact IPsec settings from the pfSense 2.1 (the tunnel on the old firewall works).
IPsec settings:
Phase 1:
Main Mode
Identifiers: IP addresses
Encryption: AES 128
Hash: SHA1
DH Key Group: 5
Phase 2:
Protocol: ESP
Encryption: AES 128
Hash: SHA1
PFS Key Group: 5
This is the exact same on pfSense 2.1 and on the 2.2 firewall (except for the IP addresses, as they are set up in parallel).
The pfSense 2.2 just does not connect.
Log files are below:
Last 50 IPsec log entries
Mar 20 10:51:33 charon: 12[IKE] <26> received NAT-T (RFC 3947) vendor ID
Mar 20 10:51:33 charon: 12[IKE] received NAT-T (RFC 3947) vendor ID
Mar 20 10:51:33 charon: 12[IKE] <26> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Mar 20 10:51:33 charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Mar 20 10:51:33 charon: 12[IKE] <26> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Mar 20 10:51:33 charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Mar 20 10:51:33 charon: 12[IKE] <26> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Mar 20 10:51:33 charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Mar 20 10:51:33 charon: 12[IKE] <26> 192.168.20.253 is initiating a Main Mode IKE_SA
Mar 20 10:51:33 charon: 12[IKE] 192.168.20.253 is initiating a Main Mode IKE_SA
Mar 20 10:51:33 charon: 12[ENC] generating ID_PROT response 0 [ SA V V V V ]
Mar 20 10:51:33 charon: 12[NET] sending packet: from 192.168.11.252[500] to 192.168.20.253[500] (156 bytes)
Mar 20 10:51:38 charon: 12[NET] received packet: from 192.168.20.253[500] to 192.168.11.252[500] (176 bytes)
Mar 20 10:51:38 charon: 12[IKE] <26> received retransmit of request with ID 0, retransmitting response
Mar 20 10:51:38 charon: 12[IKE] received retransmit of request with ID 0, retransmitting response
Mar 20 10:51:38 charon: 12[NET] sending packet: from 192.168.11.252[500] to 192.168.20.253[500] (156 bytes)
Mar 20 10:51:40 charon: 12[KNL] creating acquire job for policy 192.168.11.252/32|/0 === 192.168.20.253/32|/0 with reqid {1}
Mar 20 10:51:40 charon: 14[IKE] <con1000|27> initiating Main Mode IKE_SA con1000[27] to 192.168.20.253
Mar 20 10:51:40 charon: 14[IKE] initiating Main Mode IKE_SA con1000[27] to 192.168.20.253
Mar 20 10:51:40 charon: 14[ENC] generating ID_PROT request 0 [ SA V V V V V V ]
Mar 20 10:51:40 charon: 14[NET] sending packet: from 192.168.11.252[500] to 192.168.20.253[500] (200 bytes)
Mar 20 10:51:44 charon: 14[IKE] <con1000|27> sending retransmit 1 of request message ID 0, seq 1
Mar 20 10:51:44 charon: 14[IKE] sending retransmit 1 of request message ID 0, seq 1
Mar 20 10:51:44 charon: 14[NET] sending packet: from 192.168.11.252[500] to 192.168.20.253[500] (200 bytes)
Mar 20 10:51:48 charon: 14[NET] received packet: from 192.168.20.253[500] to 192.168.11.252[500] (176 bytes)
Mar 20 10:51:48 charon: 14[IKE] <26> received retransmit of request with ID 0, retransmitting response
Mar 20 10:51:48 charon: 14[IKE] received retransmit of request with ID 0, retransmitting response
Mar 20 10:51:48 charon: 14[NET] sending packet: from 192.168.11.252[500] to 192.168.20.253[500] (156 bytes)
Mar 20 10:51:51 charon: 14[IKE] <con1000|27> sending retransmit 2 of request message ID 0, seq 1
Mar 20 10:51:51 charon: 14[IKE] sending retransmit 2 of request message ID 0, seq 1
Mar 20 10:51:51 charon: 14[NET] sending packet: from 192.168.11.252[500] to 192.168.20.253[500] (200 bytes)
Mar 20 10:52:03 charon: 14[JOB] deleting half open IKE_SA after timeout
Mar 20 10:52:04 charon: 14[IKE] <con1000|27> sending retransmit 3 of request message ID 0, seq 1
Mar 20 10:52:04 charon: 14[IKE] sending retransmit 3 of request message ID 0, seq 1
Mar 20 10:52:04 charon: 14[NET] sending packet: from 192.168.11.252[500] to 192.168.20.253[500] (200 bytes)
Mar 20 10:52:05 charon: 14[NET] received packet: from 192.168.20.253[500] to 192.168.11.252[500] (176 bytes)
Mar 20 10:52:05 charon: 14[ENC] parsed ID_PROT request 0 [ SA V V V V V ]
Mar 20 10:52:05 charon: 14[ENC] received unknown vendor ID: 5b:36:2b:c8:20:f6:00:07
Mar 20 10:52:05 charon: 14[IKE] <28> received NAT-T (RFC 3947) vendor ID
Mar 20 10:52:05 charon: 14[IKE] received NAT-T (RFC 3947) vendor ID
Mar 20 10:52:05 charon: 14[IKE] <28> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Mar 20 10:52:05 charon: 14[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Mar 20 10:52:05 charon: 14[IKE] <28> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Mar 20 10:52:05 charon: 14[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Mar 20 10:52:05 charon: 14[IKE] <28> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Mar 20 10:52:05 charon: 14[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Mar 20 10:52:05 charon: 14[IKE] <28> 192.168.20.253 is initiating a Main Mode IKE_SA
Mar 20 10:52:05 charon: 14[IKE] 192.168.20.253 is initiating a Main Mode IKE_SA
Mar 20 10:52:05 charon: 14[ENC] generating ID_PROT response 0 [ SA V V V V ]
Mar 20 10:52:05 charon: 14[NET] sending packet: from 192.168.11.252[500] to 192.168.20.253[500] (156 bytes)
I keep on seeing "deleting half open IKE_SA after timeout"?
I have also tried Aggressive mode (security is no issue for this tunnel), but I see the same behaviour: the tunnel just does not start.
I also tried encryption AES 256, but it is the same there.
Any help would be appreciated. Below is a screenshot of the config.
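As an added diagnostic example (not part of the original post, and not pfSense or strongSwan code): a small Python script that parses charon log lines of the kind shown above and classifies what the IKEv1 Main Mode exchange is doing. It handles the pfSense 2.2 quirk of writing most IKE lines twice (once with the IKE_SA tag such as <26> or <con1000|27>, once without) so that nothing is double-counted, then checks two things separately: whether our own message 0 ever got a reply, and whether the peer kept retransmitting its message 0 after we had already answered. The embedded sample lines are a trimmed copy of the lines in the post; the function and key names are this example's own.

```python
"""Classify an IKEv1 Main Mode stall from strongSwan charon log lines.

Added example. SAMPLE_LOG is a trimmed copy of the lines in the post, not a
fresh capture; function and dictionary key names are this example's own.
"""
import re

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) charon: "
    r"(?P<thr>\d+)\[(?P<sub>[A-Z]+)\] (?P<msg>.*)$"
)
SA_TAG_RE = re.compile(r"^<[^>]*>\s*")          # "<26> " or "<con1000|27> "
PACKET_RE = re.compile(
    r"(?P<dir>sending|received) packet: from (?P<src>\S+)\[\d+\] "
    r"to (?P<dst>\S+)\[\d+\] \((?P<size>\d+) bytes\)"
)
VENDOR_RE = re.compile(r"received unknown vendor ID: (?P<vid>[0-9a-f:]+)")

SAMPLE_LOG = """\
Mar 20 10:51:33 charon: 12[IKE] <26> 192.168.20.253 is initiating a Main Mode IKE_SA
Mar 20 10:51:33 charon: 12[IKE] 192.168.20.253 is initiating a Main Mode IKE_SA
Mar 20 10:51:33 charon: 12[ENC] generating ID_PROT response 0 [ SA V V V V ]
Mar 20 10:51:33 charon: 12[NET] sending packet: from 192.168.11.252[500] to 192.168.20.253[500] (156 bytes)
Mar 20 10:51:38 charon: 12[NET] received packet: from 192.168.20.253[500] to 192.168.11.252[500] (176 bytes)
Mar 20 10:51:38 charon: 12[IKE] <26> received retransmit of request with ID 0, retransmitting response
Mar 20 10:51:38 charon: 12[IKE] received retransmit of request with ID 0, retransmitting response
Mar 20 10:51:38 charon: 12[NET] sending packet: from 192.168.11.252[500] to 192.168.20.253[500] (156 bytes)
Mar 20 10:51:40 charon: 14[IKE] <con1000|27> initiating Main Mode IKE_SA con1000[27] to 192.168.20.253
Mar 20 10:51:40 charon: 14[IKE] initiating Main Mode IKE_SA con1000[27] to 192.168.20.253
Mar 20 10:51:40 charon: 14[ENC] generating ID_PROT request 0 [ SA V V V V V V ]
Mar 20 10:51:40 charon: 14[NET] sending packet: from 192.168.11.252[500] to 192.168.20.253[500] (200 bytes)
Mar 20 10:51:44 charon: 14[IKE] <con1000|27> sending retransmit 1 of request message ID 0, seq 1
Mar 20 10:51:44 charon: 14[IKE] sending retransmit 1 of request message ID 0, seq 1
Mar 20 10:51:44 charon: 14[NET] sending packet: from 192.168.11.252[500] to 192.168.20.253[500] (200 bytes)
Mar 20 10:52:03 charon: 14[JOB] deleting half open IKE_SA after timeout
Mar 20 10:52:05 charon: 14[NET] received packet: from 192.168.20.253[500] to 192.168.11.252[500] (176 bytes)
Mar 20 10:52:05 charon: 14[ENC] received unknown vendor ID: 5b:36:2b:c8:20:f6:00:07
Mar 20 10:52:05 charon: 14[IKE] <28> 192.168.20.253 is initiating a Main Mode IKE_SA
Mar 20 10:52:05 charon: 14[IKE] 192.168.20.253 is initiating a Main Mode IKE_SA
"""


def parse(lines):
    """Return ([(ts, thread, subsystem, msg)], dropped) with the untagged
    twin of each tagged IKE line removed (same timestamp, thread, subsystem
    and message once the <...> tag is stripped)."""
    records, dropped, prev = [], 0, None
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        key = (m["ts"], m["thr"], m["sub"], SA_TAG_RE.sub("", m["msg"]))
        if key == prev:
            dropped += 1
            continue
        prev = key
        records.append(key)
    return records, dropped


def summarize(lines):
    """Count the events that decide whether a Main Mode exchange is stalled."""
    records, dropped = parse(lines)
    s = {
        "duplicates_dropped": dropped,
        "peer_initiations": 0,      # peer sent its first Main Mode message
        "peer_retransmits": 0,      # peer re-sent message 0 after we answered
        "local_initiations": 0,     # we started our own Main Mode IKE_SA
        "local_retransmits": 0,     # we re-sent our message 0
        "local_responses_seen": 0,  # a reply to our message 0 was parsed
        "half_open_timeouts": 0,
        "packets_in": 0,
        "packets_out": 0,
        "unknown_vendor_ids": [],
    }
    for _ts, _thr, _sub, msg in records:
        if "is initiating a Main Mode IKE_SA" in msg:
            s["peer_initiations"] += 1
        elif msg.startswith("initiating Main Mode IKE_SA"):
            s["local_initiations"] += 1
        elif "received retransmit of request" in msg:
            s["peer_retransmits"] += 1
        elif msg.startswith("sending retransmit"):
            s["local_retransmits"] += 1
        elif msg.startswith("parsed ID_PROT response"):
            s["local_responses_seen"] += 1
        elif "deleting half open IKE_SA" in msg:
            s["half_open_timeouts"] += 1
        elif (pm := PACKET_RE.match(msg)):
            s["packets_in" if pm["dir"] == "received" else "packets_out"] += 1
        elif (vm := VENDOR_RE.match(msg)):
            s["unknown_vendor_ids"].append(vm["vid"])
    return s


def diagnose(s):
    """Turn the counts into findings and a verdict on the exchange."""
    ours_unanswered = s["local_initiations"] > 0 and s["local_responses_seen"] == 0
    theirs_unacked = s["peer_retransmits"] > 0
    findings = []
    if ours_unanswered:
        findings.append(f"our Main Mode message 0 was sent "
                        f"{1 + s['local_retransmits']} times and never answered")
    if theirs_unacked:
        findings.append(f"the peer re-sent its message 0 {s['peer_retransmits']} "
                        "time(s) after we had replied, so our reply was not "
                        "accepted (lost in transit or discarded)")
    if s["half_open_timeouts"]:
        findings.append(f"charon gave up on {s['half_open_timeouts']} half-open IKE_SA(s)")
    if s["unknown_vendor_ids"]:
        findings.append("unknown vendor IDs: " + ", ".join(s["unknown_vendor_ids"]))
    if ours_unanswered and theirs_unacked:
        verdict = ("Both directions stall at the first exchange: verify UDP/500 "
                   "(and UDP/4500) reachability between the two WAN addresses in "
                   "both directions with a capture on each firewall.")
    elif ours_unanswered or theirs_unacked:
        verdict = "One direction stalls: capture on both sides to see where it is dropped."
    else:
        verdict = "No stalled Main Mode exchange in these lines."
    return {"findings": findings, "verdict": verdict,
            "both_directions_failing": ours_unanswered and theirs_unacked}


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    for k, v in summary.items():
        print(f"{k}: {v}")
    report = diagnose(summary)
    for finding in report["findings"]:
        print("-", finding)
    print(report["verdict"])
```

Feed it the full "Last 50 IPsec log entries" block instead of SAMPLE_LOG to get the counts for the whole window. The design point is that "received retransmit of request with ID 0" and "sending retransmit N of request message ID 0" are two different symptoms: the first says the peer never accepted our response, the second says we never got one at all, and seeing both together means nothing in the first exchange is arriving in either direction. A packet capture on the WAN interface of each firewall (for example `tcpdump -ni <wan> udp port 500 or udp port 4500`) is the way to tell which hop is losing them.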