VPN connects, but I can't ping remote network
-
Hi there. I'm new to pfSense I need some help getting pfSense to connect an IPsec VPN. The client runs VOIP traffic over the VPN to the PBX on the other side.
I'm replacing a crummy old Kentrox Q2300 on the local side with the pfSense. This device works as far as the VPN connection goes, it's just very slow and causing Internet connectivity problems. I don't know what's on the remote side and don't have direct access to configure the router. I have limited access to support on that side.
The IPsec tunnel seems to connect, but I am unable to ping any machines on the far side of the VPN. I need help determining why.
I've attached a few screenshots. I obscured the Local WAN Address, the Remote WAN Address and the preshared key.
Kentrox Config 1.jpg and Kentrox Config 2.jpg show the current settings, which work.
IPsec Phase 1.jpg and IPsec Phase 2.jpg show the current config on the new pfSense box. I did my best to recreate the settings on the Kentrox.
IPSec Firewall Rules.jpg shows the very open firewall rules I setup for the IPsec VPN. My intention was to allow everything at this point.
Below is the IPsec log, captured immediately after initiating the connection. Again, I obscured the WAN addresses on the local and remote sides.
Any idea what I'm missing? Hopefully it's something obvious that I'll feel stupid about missing.
I appreciate your help!
Here's the log:
Jul 6 19:06:04 charon: 06[CFG] no IKE_SA named 'con1000' found Jul 6 19:06:04 charon: 15[CFG] received stroke: initiate 'con1000' Jul 6 19:06:04 charon: 06[IKE] <con1000|2>initiating Main Mode IKE_SA con1000[2] to {Remote WAN Address} Jul 6 19:06:04 charon: 06[IKE] <con1000|2>initiating Main Mode IKE_SA con1000[2] to {Remote WAN Address} Jul 6 19:06:04 charon: 06[ENC] <con1000|2>generating ID_PROT request 0 [ SA V V V V V V ] Jul 6 19:06:04 charon: 06[NET] <con1000|2>sending packet: from {Local WAN Address}[500] to {Remote WAN Address}[500] (196 bytes) Jul 6 19:06:04 charon: 06[NET] <con1000|2>received packet: from {Remote WAN Address}[500] to {Local WAN Address}[500] (100 bytes) Jul 6 19:06:04 charon: 06[ENC] <con1000|2>parsed ID_PROT response 0 [ SA V ] Jul 6 19:06:04 charon: 06[IKE] <con1000|2>received draft-ietf-ipsec-nat-t-ike-02\n vendor ID Jul 6 19:06:04 charon: 06[IKE] <con1000|2>received draft-ietf-ipsec-nat-t-ike-02\n vendor ID Jul 6 19:06:04 charon: 06[ENC] <con1000|2>generating ID_PROT request 0 [ KE No NAT-D NAT-D ] Jul 6 19:06:04 charon: 06[NET] <con1000|2>sending packet: from {Local WAN Address}[500] to {Remote WAN Address}[500] (244 bytes) Jul 6 19:06:05 charon: 06[NET] <con1000|2>received packet: from {Remote WAN Address}[500] to {Local WAN Address}[500] (244 bytes) Jul 6 19:06:05 charon: 06[ENC] <con1000|2>parsed ID_PROT response 0 [ KE No NAT-D NAT-D ] Jul 6 19:06:05 charon: 06[ENC] <con1000|2>generating ID_PROT request 0 [ ID HASH ] Jul 6 19:06:05 charon: 06[NET] <con1000|2>sending packet: from {Local WAN Address}[500] to {Remote WAN Address}[500] (68 bytes) Jul 6 19:06:05 charon: 06[NET] <con1000|2>received packet: from {Remote WAN Address}[500] to {Local WAN Address}[500] (68 bytes) Jul 6 19:06:05 charon: 06[ENC] <con1000|2>parsed ID_PROT response 0 [ ID HASH ] Jul 6 19:06:05 charon: 06[IKE] <con1000|2>IKE_SA con1000[2] established between {Local WAN Address}[{Local WAN Address}]...{Remote WAN Address}[{Remote WAN Address}] Jul 6 19:06:05 charon: 06[IKE] <con1000|2>IKE_SA con1000[2] established between {Local WAN Address}[{Local WAN Address}]...{Remote WAN Address}[{Remote WAN Address}] Jul 6 19:06:05 charon: 06[IKE] <con1000|2>scheduling reauthentication in 42420s Jul 6 19:06:05 charon: 06[IKE] <con1000|2>scheduling reauthentication in 42420s Jul 6 19:06:05 charon: 06[IKE] <con1000|2>maximum IKE_SA lifetime 42960s Jul 6 19:06:05 charon: 06[IKE] <con1000|2>maximum IKE_SA lifetime 42960s Jul 6 19:06:05 charon: 06[IKE] <con1000|2>DPD not supported by peer, disabled Jul 6 19:06:05 charon: 06[IKE] <con1000|2>DPD not supported by peer, disabled Jul 6 19:06:05 charon: 06[ENC] <con1000|2>generating QUICK_MODE request 3689710999 [ HASH SA No ID ID ] Jul 6 19:06:05 charon: 06[NET] <con1000|2>sending packet: from {Local WAN Address}[500] to {Remote WAN Address}[500] (172 bytes) Jul 6 19:06:05 charon: 10[NET] <con1000|2>received packet: from {Remote WAN Address}[500] to {Local WAN Address}[500] (68 bytes) Jul 6 19:06:05 charon: 10[ENC] <con1000|2>parsed INFORMATIONAL_V1 request 2848750997 [ HASH N(INITIAL_CONTACT) ] Jul 6 19:06:05 charon: 10[NET] <con1000|2>received packet: from {Remote WAN Address}[500] to {Local WAN Address}[500] (68 bytes) Jul 6 19:06:05 charon: 10[ENC] <con1000|2>parsed INFORMATIONAL_V1 request 3867220343 [ HASH N(INVAL_ID) ] Jul 6 19:06:05 charon: 10[IKE] <con1000|2>received INVALID_ID_INFORMATION error notify Jul 6 19:06:05 charon: 10[IKE] <con1000|2>received INVALID_ID_INFORMATION error notify</con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2></con1000|2> ```          -
in ipsec rules tab try setting the ipv4 protocol to 'any'.
-
Thank you. I'll try that tonight and report back.
-
Did you get this functional?
-
I did, two days ago. It turns out the problem wasn't my end at all. The guy in charge of the router on the other end transposed some number or something (he was kind of vague about it) so my connection wasn't authorized to access anything on his network. I'm pretty sure he just typed in my external IP wrong.
He fixed that on his end, and voila, a perfect connection. The client is very happy.
Thanks for the help, and for the reminder to update the thread!