Netgate Discussion Forum

    IPSec Site to Site from Zywall

    draccusfly

      I am trying to configure a site-to-site VPN tunnel from our US office to the UK (locations are actually irrelevant). At the US end we have a Zywall USG20w connected to the user's broadband modem in bridged mode.
      I have created both endpoints yet I am seeing very little traffic. However, this is what I do see:

      charon: 16[NET] received packet: from USAIP[500] to UKIP[500] (160 bytes)
      Jun 26 14:21:18 charon: 16[ENC] parsed ID_PROT request 0 [ SA V V V V ]
      Jun 26 14:21:18 charon: 16[ENC] received unknown vendor ID: f7:58:f2:26:68:75:0f:03:b0:8d:f6:eb:e1:d0:04:03
      Jun 26 14:21:18 charon: 16[ENC] received unknown vendor ID: af:ca:d7:13:68:a1:f1:c9:6b:86:96:fc:77:57
      Jun 26 14:21:18 charon: 16[IKE] <43> received DPD vendor ID
      Jun 26 14:21:18 charon: 16[IKE] received DPD vendor ID
      Jun 26 14:21:18 charon: 16[ENC] received unknown vendor ID: af:ca:d7:13:68:a1:f1:c9:6b:86:96:fc:77:57
      Jun 26 14:21:18 charon: 16[IKE] <43> USAIP is initiating a Main Mode IKE_SA
      Jun 26 14:21:18 charon: 16[IKE] USAIP is initiating a Main Mode IKE_SA
      Jun 26 14:21:18 charon: 16[ENC] generating ID_PROT response 0 [ SA V V V ]
      Jun 26 14:21:18 charon: 16[NET] sending packet: from UK-IP[500] to USA-IP[500] (136 bytes)
      Jun 26 14:21:18 charon: 16[NET] received packet: from USA-IP[500] to UK-IP[500] (180 bytes)
      Jun 26 14:21:18 charon: 16[ENC] parsed ID_PROT request 0 [ KE No ]
      Jun 26 14:21:18 charon: 16[ENC] generating ID_PROT response 0 [ KE No ]
      Jun 26 14:21:18 charon: 16[NET] sending packet: from UK-IP[500] to USA-IP[500] (196 bytes)
      Jun 26 14:21:18 charon: 16[NET] received packet: from USA-IP[500] to UK-IP[500] (92 bytes)
      Jun 26 14:21:18 charon: 16[ENC] parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
      Jun 26 14:21:18 charon: 16[CFG] looking for pre-shared key peer configs matching UK-IP...USA-IP[10.0.0.15]
      Jun 26 14:21:18 charon: 16[CFG] selected peer config "con6000"
      Jun 26 14:21:18 charon: 16[IKE] <con6000|43>IKE_SA con6000[43] established between UK-IP[UK-IP]...USA-IP[10.0.0.15]
      Jun 26 14:21:18 charon: 16[IKE] IKE_SA con6000[43] established between UK-IP[UK-IP]...USA-IP[10.0.0.15]
      Jun 26 14:21:18 charon: 16[IKE] <con6000|43>scheduling reauthentication in 85677s
      Jun 26 14:21:18 charon: 16[IKE] scheduling reauthentication in 85677s
      Jun 26 14:21:18 charon: 16[IKE] <con6000|43>maximum IKE_SA lifetime 86217s
      Jun 26 14:21:18 charon: 16[IKE] maximum IKE_SA lifetime 86217s
      Jun 26 14:21:18 charon: 16[ENC] generating ID_PROT response 0 [ ID HASH ]
      Jun 26 14:21:18 charon: 16[NET] sending packet: from UK-IP[500] to USA-IP[500] (68 bytes)
      Jun 26 14:21:18 charon: 16[IKE] <con6000|42>destroying duplicate IKE_SA for peer '10.0.0.15', received INITIAL_CONTACT
      Jun 26 14:21:18 charon: 16[IKE] destroying duplicate IKE_SA for peer '10.0.0.15', received INITIAL_CONTACT
      Jun 26 14:21:19 charon: 13[NET] received packet: from USA-IP[500] to UK-IP[500] (292 bytes)
      Jun 26 14:21:19 charon: 13[ENC] parsed QUICK_MODE request 1394978436 [ HASH SA No KE ID ID ]
      Jun 26 14:21:19 charon: 13[IKE] <con6000|43>no matching CHILD_SA config found
      Jun 26 14:21:19 charon: 13[IKE] no matching CHILD_SA config found
      Jun 26 14:21:19 charon: 13[ENC] generating INFORMATIONAL_V1 request 386260058 [ HASH N(INVAL_ID) ]
      Jun 26 14:21:19 charon: 13[NET] sending packet: from UK-IP[500] to USA-IP[500] (76 bytes)
      Jun 26 14:21:33 charon: 13[IKE] <con4000|3>sending DPD request
      Jun 26 14:21:33 charon: 13[IKE] sending DPD request
      Jun 26 14:21:33 charon: 13[ENC] generating INFORMATIONAL_V1 request 2699687542 [ HASH N(DPD) ]
      Jun 26 14:21:33 charon: 13[ENC] parsed INFORMATIONAL_V1 request 2282481677 [ HASH N(DPD_ACK) ]

      Dean

      pfSense Version 2.2.1

      stemond

        see your setting P1 My identifier, Peer identifier

        draccusfly

          Thanks, I checked the Peer IP and corrected it, and now the tunnel connects at both ends.

          However, I cannot connect to any resource on the remote (USA) end and have lost my remote session to the remote end as well :(

          Looking at Status > IPSec I can see that the tunnel is still established but viewing the Child SA entries I see stats of Bytes in: 0, Packets In: 0, Bytes out: 17904 and Packets out: 138:498 so something is happening one way but not both ways.

          Any ideas?

          Dean

          stemond

            Check your P2 entries

            Have you checked your P2 entries in pfSense and Zywall?

            Stefano

            cmb

              You're sending traffic out, but the other side isn't replying. Likely the other side is blocking your requests, either on the Zywall, or on the destination host (host firewall).

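A small triage helper for the exchange in this thread (an added example, not code from the thread, pfSense or strongSwan): it reads charon log lines to tell "phase 1 established" apart from "phase 2 rejected", pulls out the identity the peer presented (the value the P1 identifier settings must agree with), and interprets the child SA byte counters the way cmb's reply does. The log lines are a constructed sample modelled on the first post.

```python
import re

# Constructed sample modelled on the charon log in the first post: Main Mode
# (phase 1) completes, then the peer's Quick Mode (phase 2) proposal is rejected.
SAMPLE_LOG = """\
Jun 26 14:21:18 charon: 16[IKE] USA-IP is initiating a Main Mode IKE_SA
Jun 26 14:21:18 charon: 16[CFG] selected peer config "con6000"
Jun 26 14:21:18 charon: 16[IKE] IKE_SA con6000[43] established between UK-IP[UK-IP]...USA-IP[10.0.0.15]
Jun 26 14:21:19 charon: 13[ENC] parsed QUICK_MODE request 1394978436 [ HASH SA No KE ID ID ]
Jun 26 14:21:19 charon: 13[IKE] no matching CHILD_SA config found
Jun 26 14:21:19 charon: 13[ENC] generating INFORMATIONAL_V1 request 386260058 [ HASH N(INVAL_ID) ]
"""

# Matches the trailing "...REMOTE_ADDR[REMOTE_IDENTITY]" of an "established between" line.
PEER_RE = re.compile(r"\.\.\.(\S+?)\[([^\]]+)\]\s*$")


def diagnose_ikev1(log_text):
    """Classify an IKEv1 negotiation from charon log lines.

    Returns the phase 1 outcome, the address and identity the peer presented,
    and whether the responder rejected the phase 2 (Quick Mode) proposal.
    """
    result = {"phase1": False, "peer_ip": None, "peer_id": None, "phase2_rejected": False}
    for line in log_text.splitlines():
        if "IKE_SA" in line and "established between" in line:
            result["phase1"] = True
            m = PEER_RE.search(line)
            if m:
                result["peer_ip"], result["peer_id"] = m.group(1), m.group(2)
        # Either message means no phase 2 config matched the peer's proposal;
        # INVAL_ID is the notify the responder sends back in that case.
        if "no matching CHILD_SA config found" in line or "N(INVAL_ID)" in line:
            result["phase2_rejected"] = True
    return result


def classify_child_sa(bytes_in, bytes_out):
    """Interpret the Bytes In / Bytes Out counters of an established child SA."""
    if bytes_in == 0 and bytes_out == 0:
        return "no traffic in either direction"
    if bytes_in == 0 and bytes_out > 0:
        return "one-way: traffic leaves, no replies come back (check remote firewall/host)"
    if bytes_in > 0 and bytes_out == 0:
        return "one-way: replies arrive, nothing is sent (check local routing/policy)"
    return "bidirectional"
```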