PfSense 2.2.3 <–> CyberGuard SG300: Stuck at phase 1
-
Hi everybody,
I have a site-to-site VPN which never gets past phase 1.
Both sides are behind NAT.
The remote peer ID is set to the private IP (after NAT) on both PfSense and the SG300. Below are the logs with PfSense acting as initiator.
It seems the ID_PROT request sent from PfSense on port 4500 never gets a reply.
Instead it gets a late reply on port 500, which looks ignored because "next request already sent". I have another tunnel to an SG300 working fine, but in that case the remote party is not behind NAT.
Regards,
Corrado

PFSENSE
Jul 19 11:53:35 charon: 01[CFG] received stroke: initiate 'con3000'
Jul 19 11:53:35 charon: 11[IKE] <con3000|5> initiating Main Mode IKE_SA con3000[5] to x.x.x.x
Jul 19 11:53:35 charon: 11[ENC] <con3000|5> generating ID_PROT request 0 [ SA V V V V V V ]
Jul 19 11:53:35 charon: 11[NET] <con3000|5> sending packet: from 10.168.180.2[500] to x.x.x.x[500] (200 bytes)
Jul 19 11:53:35 charon: 11[NET] <con3000|5> received packet: from x.x.x.x[500] to 10.168.180.2[500] (124 bytes)
Jul 19 11:53:35 charon: 11[ENC] <con3000|5> parsed ID_PROT response 0 [ SA V V ]
Jul 19 11:53:35 charon: 11[IKE] <con3000|5> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jul 19 11:53:35 charon: 11[IKE] <con3000|5> received DPD vendor ID
Jul 19 11:53:35 charon: 11[ENC] <con3000|5> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jul 19 11:53:35 charon: 11[NET] <con3000|5> sending packet: from 10.168.180.2[500] to x.x.x.x[500] (308 bytes)
Jul 19 11:53:36 charon: 11[NET] <con3000|5> received packet: from x.x.x.x[500] to 10.168.180.2[500] (292 bytes)
Jul 19 11:53:36 charon: 11[ENC] <con3000|5> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Jul 19 11:53:36 charon: 11[IKE] <con3000|5> local host is behind NAT, sending keep alives
Jul 19 11:53:36 charon: 11[IKE] <con3000|5> remote host is behind NAT
Jul 19 11:53:36 charon: 11[ENC] <con3000|5> generating ID_PROT request 0 [ ID HASH ]
Jul 19 11:53:36 charon: 11[NET] <con3000|5> sending packet: from 10.168.180.2[4500] to x.x.x.x[4500] (76 bytes)
...
Jul 19 11:53:40 charon: 11[IKE] <con3000|5> sending retransmit 1 of request message ID 0, seq 3
Jul 19 11:53:40 charon: 11[NET] <con3000|5> sending packet: from 10.168.180.2[4500] to x.x.x.x[4500] (76 bytes)
...
Jul 19 11:53:46 charon: 06[NET] <con3000|5> received packet: from x.x.x.x[500] to 10.168.180.2[500] (292 bytes)
Jul 19 11:53:46 charon: 06[IKE] <con3000|5> received retransmit of response with ID 0, but next request already sent
Jul 19 11:53:47 charon: 06[IKE] <con3000|5> sending retransmit 2 of request message ID 0, seq 3
Jul 19 11:53:47 charon: 06[NET] <con3000|5> sending packet: from 10.168.180.2[4500] to x.x.x.x[4500] (76 bytes)

CYBERGUARD SG300
Jul 19 11:53:38 Pluto[143]: packet from y.y.y.y:500: ignoring Vendor ID payload [XAUTH]
Jul 19 11:53:38 Pluto[143]: packet from y.y.y.y:500: received Vendor ID payload [Dead Peer Detection]
Jul 19 11:53:38 Pluto[143]: packet from y.y.y.y:500: ignoring Vendor ID payload [Cisco-Unity]
Jul 19 11:53:38 Pluto[143]: packet from y.y.y.y:500: ignoring Vendor ID payload [4048b7d56ebce885...]
Jul 19 11:53:38 Pluto[143]: packet from y.y.y.y:500: ignoring Vendor ID payload [4a131c8107035845...]
Jul 19 11:53:38 Pluto[143]: packet from y.y.y.y:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jul 19 11:53:38 Pluto[143]: "Vpn1" #48: responding to Main Mode
Jul 19 11:53:38 Pluto[143]: "Vpn1" #48: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
Jul 19 11:54:48 Pluto[143]: "Vpn1" #48: max number of retransmissions (2) reached STATE_MAIN_R2
...
Jul 19 11:55:05 Pluto[143]: "Vpn1" #46: max number of retransmissions (20) reached STATE_MAIN_I1. No acceptable response to our first IKE message
Jul 19 11:55:05 Pluto[143]: "Vpn1" #46: starting keying attempt 3 of an unlimited number
Jul 19 11:55:05 Pluto[143]: "Vpn1" #49: initiating Main Mode to replace #46
-
Looks like you're possibly missing a forward for UDP 4500 through the NAT; there's no indication that traffic is actually making it to the other side.
-
On both sites I have other IPsec connections working.
These connections have both endpoints NATed, so the UDP 4500 forward is working.
Also, I installed PfSense as a replacement for a broken FortiGate, which was working too.
Meanwhile I upgraded to 2.2.4, but the issue remains.
-
Thanks cmb,
you were right.
The CyberGuard is behind a Sitecom X4 N300 router.
This home router has an "IPsec pass through" option which sadly does not pass UDP 4500.
Explicitly allowing it fixed the issue.

Regards,
Corrado
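A small log check for the pattern cmb spotted in this thread, added here as an example and not part of the original posts: it parses strongSwan charon lines (the sample below is constructed to mirror the ones posted, not the poster's exact log) and reports whether, after both peers were detected behind NAT and the exchange moved to UDP 4500, anything ever came back on 4500.

```python
import re
from collections import Counter

# Constructed sample modelled on the pfSense log in the thread: NAT is detected,
# the initiator switches to 4500, retransmits there, and only a stale phase-1
# response on port 500 ever arrives.
SAMPLE_LOG = """\
Jul 19 11:53:35 charon: 11[NET] <con3000|5> sending packet: from 10.168.180.2[500] to x.x.x.x[500] (200 bytes)
Jul 19 11:53:35 charon: 11[NET] <con3000|5> received packet: from x.x.x.x[500] to 10.168.180.2[500] (124 bytes)
Jul 19 11:53:36 charon: 11[IKE] <con3000|5> local host is behind NAT, sending keep alives
Jul 19 11:53:36 charon: 11[IKE] <con3000|5> remote host is behind NAT
Jul 19 11:53:36 charon: 11[NET] <con3000|5> sending packet: from 10.168.180.2[4500] to x.x.x.x[4500] (76 bytes)
Jul 19 11:53:40 charon: 11[IKE] <con3000|5> sending retransmit 1 of request message ID 0, seq 3
Jul 19 11:53:40 charon: 11[NET] <con3000|5> sending packet: from 10.168.180.2[4500] to x.x.x.x[4500] (76 bytes)
Jul 19 11:53:46 charon: 06[NET] <con3000|5> received packet: from x.x.x.x[500] to 10.168.180.2[500] (292 bytes)
Jul 19 11:53:46 charon: 06[IKE] <con3000|5> received retransmit of response with ID 0, but next request already sent
"""

# Matches charon's "sending packet" / "received packet" lines and captures both ports.
PKT_RE = re.compile(r"(sending|received) packet: from \S+\[(\d+)\] to \S+\[(\d+)\]")


def diagnose(log_text):
    """Summarise NAT-T port usage for one IKEv1 main mode attempt."""
    sent = Counter()      # local source port -> packets sent
    received = Counter()  # local destination port -> packets received
    nat_detected = False
    stale_500 = False
    for line in log_text.splitlines():
        if "is behind NAT" in line:
            nat_detected = True
        if "received retransmit of response" in line and "next request already sent" in line:
            stale_500 = True
        m = PKT_RE.search(line)
        if not m:
            continue
        direction, src_port, dst_port = m.groups()
        if direction == "sending":
            sent[int(src_port)] += 1
        else:
            received[int(dst_port)] += 1
    # Sent on 4500 after NAT detection but never received anything on 4500:
    # the usual sign that UDP 4500 is not forwarded/passed somewhere on the path.
    blocked_4500 = nat_detected and sent[4500] > 0 and received[4500] == 0
    return {
        "nat_detected": nat_detected,
        "sent_4500": sent[4500],
        "received_4500": received[4500],
        "stale_response_on_500": stale_500,
        "likely_udp_4500_blocked": blocked_4500,
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```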