IPSec Site to Site from Zywall



  • I am trying to configure a Site to site VPN tunnel from our US office to the UK (locations are actually irrelevant).  US end we have a Zywall USG20w connected to the user's broadband modem in bridged mode.
    I have created both endpoints yet I am seeing very little traffic.  However, this is what I do see:

    charon: 16[NET] received packet: from USAIP[500] to UKIP[500] (160 bytes)
    Jun 26 14:21:18 charon: 16[ENC] parsed ID_PROT request 0 [ SA V V V V ]
    Jun 26 14:21:18 charon: 16[ENC] received unknown vendor ID: f7:58:f2:26:68:75:0f:03:b0:8d:f6:eb:e1:d0:04:03
    Jun 26 14:21:18 charon: 16[ENC] received unknown vendor ID: af:ca:d7:13:68:a1:f1:c9:6b:86:96:fc:77:57
    Jun 26 14:21:18 charon: 16[IKE] <43> received DPD vendor ID
    Jun 26 14:21:18 charon: 16[IKE] received DPD vendor ID
    Jun 26 14:21:18 charon: 16[ENC] received unknown vendor ID: af:ca:d7:13:68:a1:f1:c9:6b:86:96:fc:77:57
    Jun 26 14:21:18 charon: 16[IKE] <43> USAIP is initiating a Main Mode IKE_SA
    Jun 26 14:21:18 charon: 16[IKE] USAIP is initiating a Main Mode IKE_SA
    Jun 26 14:21:18 charon: 16[ENC] generating ID_PROT response 0 [ SA V V V ]
    Jun 26 14:21:18 charon: 16[NET] sending packet: from UK-IP[500] to USA-IP[500] (136 bytes)
    Jun 26 14:21:18 charon: 16[NET] received packet: from USA-IP[500] to UK-IP[500] (180 bytes)
    Jun 26 14:21:18 charon: 16[ENC] parsed ID_PROT request 0 [ KE No ]
    Jun 26 14:21:18 charon: 16[ENC] generating ID_PROT response 0 [ KE No ]
    Jun 26 14:21:18 charon: 16[NET] sending packet: from UK-IP[500] to USA-IP[500] (196 bytes)
    Jun 26 14:21:18 charon: 16[NET] received packet: from USA-IP[500] to UK-IP[500] (92 bytes)
    Jun 26 14:21:18 charon: 16[ENC] parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
    Jun 26 14:21:18 charon: 16[CFG] looking for pre-shared key peer configs matching UK-IP...USA-IP[10.0.0.15]
    Jun 26 14:21:18 charon: 16[CFG] selected peer config "con6000"
    Jun 26 14:21:18 charon: 16[IKE] <con6000|43>IKE_SA con6000[43] established between UK-IP[UK-IP]...USA-IP[10.0.0.15]
    Jun 26 14:21:18 charon: 16[IKE] IKE_SA con6000[43] established between UK-IP[UK-IP]...USA-IP[10.0.0.15]
    Jun 26 14:21:18 charon: 16[IKE] <con6000|43>scheduling reauthentication in 85677s
    Jun 26 14:21:18 charon: 16[IKE] scheduling reauthentication in 85677s
    Jun 26 14:21:18 charon: 16[IKE] <con6000|43>maximum IKE_SA lifetime 86217s
    Jun 26 14:21:18 charon: 16[IKE] maximum IKE_SA lifetime 86217s
    Jun 26 14:21:18 charon: 16[ENC] generating ID_PROT response 0 [ ID HASH ]
    Jun 26 14:21:18 charon: 16[NET] sending packet: from UK-IP[500] to USA-IP[500] (68 bytes)
    Jun 26 14:21:18 charon: 16[IKE] <con6000|42>destroying duplicate IKE_SA for peer '10.0.0.15', received INITIAL_CONTACT
    Jun 26 14:21:18 charon: 16[IKE] destroying duplicate IKE_SA for peer '10.0.0.15', received INITIAL_CONTACT
    Jun 26 14:21:19 charon: 13[NET] received packet: from USA-IP[500] to UK-IP[500] (292 bytes)
    Jun 26 14:21:19 charon: 13[ENC] parsed QUICK_MODE request 1394978436 [ HASH SA No KE ID ID ]
    Jun 26 14:21:19 charon: 13[IKE] <con6000|43>no matching CHILD_SA config found
    Jun 26 14:21:19 charon: 13[IKE] no matching CHILD_SA config found
    Jun 26 14:21:19 charon: 13[ENC] generating INFORMATIONAL_V1 request 386260058 [ HASH N(INVAL_ID) ]
    Jun 26 14:21:19 charon: 13[NET] sending packet: from UK-IP[500] to USA-IP[500] (76 bytes)
    Jun 26 14:21:33 charon: 13[IKE] <con4000|3>sending DPD request
    Jun 26 14:21:33 charon: 13[IKE] sending DPD request
    Jun 26 14:21:33 charon: 13[ENC] generating INFORMATIONAL_V1 request 2699687542 [ HASH N(DPD) ]
    Jun 26 14:21:33 charon: 13[ENC] parsed INFORMATIONAL_V1 request 2282481677 [ HASH N(DPD_ACK) ]

    Dean

    pfSense Version 2.2.1



  • See your P1 settings: My identifier, Peer identifier.



  • Thanks, I checked the Peer IP and corrected it, and now the tunnel connects at both ends.

    However, I cannot connect to any resource on the remote (USA) end and have lost my remote session to the remote end as well :(

    Looking at Status > IPSec I can see that the tunnel is still established but viewing the Child SA entries I see stats of Bytes in: 0, Packets In: 0, Bytes out: 17904 and Packets out: 138:498 so something is happening one way but not both ways.

    Any ideas?

    Dean



  • Check your P2 entries

    Have you checked your P2 entries in pfSense and Zywall?

    Stefano



  • You're sending traffic out, but the other side isn't replying. Likely the other side is blocking your requests, either on the Zywall, or on the destination host (host firewall).
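The thread above walks through the two classic places an IKEv1 site-to-site tunnel fails: phase 1 (the responder cannot match the initiator's identifier to a peer config) and phase 2 (the IKE_SA is up but the Quick Mode proposal matches no phase 2 entry, which is what `no matching CHILD_SA config found` followed by `N(INVAL_ID)` means in the original log). The following is an added example, not code from the original post or from pfSense/strongSwan: a small parser that runs over charon log lines and reports which stage failed. The first sample is a trimmed copy of the log quoted in the opening post; the second is a constructed phase 1 mismatch sample built around strongSwan's `no peer config found` message. The regexes, the `Diagnosis` type and the advice strings are all this example's own assumptions about the log format, not anything pfSense documents.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the charon lines quoted in the post above
# (addresses are the anonymised placeholders the poster used), cut down to
# the lines that decide the diagnosis.
SAMPLE_LOG = """\
Jun 26 14:21:18 charon: 16[IKE] USA-IP is initiating a Main Mode IKE_SA
Jun 26 14:21:18 charon: 16[CFG] looking for pre-shared key peer configs matching UK-IP...USA-IP[10.0.0.15]
Jun 26 14:21:18 charon: 16[CFG] selected peer config "con6000"
Jun 26 14:21:18 charon: 16[IKE] <con6000|43>IKE_SA con6000[43] established between UK-IP[UK-IP]...USA-IP[10.0.0.15]
Jun 26 14:21:19 charon: 13[ENC] parsed QUICK_MODE request 1394978436 [ HASH SA No KE ID ID ]
Jun 26 14:21:19 charon: 13[IKE] <con6000|43>no matching CHILD_SA config found
Jun 26 14:21:19 charon: 13[ENC] generating INFORMATIONAL_V1 request 386260058 [ HASH N(INVAL_ID) ]
"""

# Constructed second sample (not from the post) for the phase 1 case the first
# reply points at: the responder finds no peer config for the presented identity.
SAMPLE_LOG_P1_MISMATCH = """\
Jun 26 14:02:03 charon: 09[IKE] USA-IP is initiating a Main Mode IKE_SA
Jun 26 14:02:03 charon: 09[CFG] looking for pre-shared key peer configs matching UK-IP...USA-IP[10.0.0.15]
Jun 26 14:02:03 charon: 09[IKE] no peer config found
"""

# One charon line: optional syslog timestamp, "charon:", thread id, subsystem,
# optional "<conn|n>" IKE_SA tag, then the message. Assumed format, matched
# against the lines in the post.
LINE_RE = re.compile(
    r"^(?:\w{3}\s+\d+\s+[\d:]+\s+)?charon:\s+(?P<thread>\d+)\[(?P<sub>[A-Z]+)\]\s+"
    r"(?:<[^>]*>)?(?P<msg>.*)$"
)
LOOKUP_RE = re.compile(r"looking for .*? peer configs matching (?P<me>\S+?)\.{3}(?P<peer>\S+)")
SELECTED_RE = re.compile(r'selected peer config "(?P<name>[^"]+)"')
ESTABLISHED_RE = re.compile(r"IKE_SA (?P<name>\S+)\[\d+\] established between")
NOTIFY_RE = re.compile(r"generating INFORMATIONAL_V1 request \d+ \[ HASH N\((?P<notify>\w+)\) \]")


@dataclass
class Diagnosis:
    peer_identity: Optional[str] = None   # IKE ID the initiator presented (inside [] in the log)
    peer_config: Optional[str] = None     # which phase 1 entry (conN000) matched
    phase1_established: bool = False
    phase2_rejected: bool = False
    notify_sent: Optional[str] = None     # e.g. INVAL_ID; DPD keepalives are ignored
    stage: str = "unknown"
    advice: str = "no recognised IKE failure in these lines"


def parse_lines(text):
    """Yield (subsystem, message) for every line that looks like a charon log line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("sub"), m.group("msg")


def diagnose(text):
    """Classify a charon log excerpt as a phase 1 or phase 2 failure (or neither)."""
    d = Diagnosis()
    no_peer_config = False
    for sub, msg in parse_lines(text):
        if (m := LOOKUP_RE.search(msg)):
            # peer looks like USA-IP[10.0.0.15]: address, then the IKE identity in []
            d.peer_identity = m.group("peer").split("[", 1)[-1].rstrip("]")
        elif (m := SELECTED_RE.search(msg)):
            d.peer_config = m.group("name")
        elif (m := ESTABLISHED_RE.search(msg)):
            d.phase1_established = True
            d.peer_config = d.peer_config or m.group("name")
        elif "no peer config found" in msg:
            no_peer_config = True
        elif "no matching CHILD_SA config found" in msg:
            d.phase2_rejected = True
        elif (m := NOTIFY_RE.search(msg)) and m.group("notify") not in ("DPD", "DPD_ACK"):
            d.notify_sent = m.group("notify")

    if no_peer_config and not d.phase1_established:
        d.stage = "phase1_identity_mismatch"
        d.advice = (f"no phase 1 entry accepts peer identifier {d.peer_identity!r}: "
                    "check P1 'My identifier' / 'Peer identifier' on both ends")
    elif d.phase1_established and d.phase2_rejected:
        d.stage = "phase2_selector_mismatch"
        d.advice = (f"IKE_SA {d.peer_config} is up but the Quick Mode proposal matched no "
                    "phase 2 entry: compare P2 local/remote networks (and protocol/ports) "
                    "on pfSense with the Zywall's local/remote policy")
    elif d.phase1_established:
        d.stage = "tunnel_negotiated"
        d.advice = ("IKE and CHILD_SA negotiated; if traffic is one-way, look at firewall "
                    "rules on the IPsec interface and at host firewalls on the far end")
    return d


if __name__ == "__main__":
    for sample in (SAMPLE_LOG, SAMPLE_LOG_P1_MISMATCH):
        result = diagnose(sample)
        print(result.stage, "-", result.advice)
```

Running it on the first sample reports `phase2_selector_mismatch` for `con6000` with the `INVAL_ID` notify, which is the P2 check the second reply asks for; the constructed second sample reports `phase1_identity_mismatch` for identity `10.0.0.15`, the P1 identifier check from the first reply. The one-way byte counters in the third post are not visible in charon logs at all, so that case is only reachable here as the `tunnel_negotiated` advice.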

