pfSense 2.2.3 <-> CyberGuard SG300: Stuck at phase 1



  • Hi everybody,

    I've a site-to-site VPN which never goes past phase 1.
    Both sides are behind NAT.
    Remote peer ID is set on the private IP (after NAT) on both PfSense and SG300.

    Below are logs with pfSense acting as initiator.
    It seems the ID_PROT request sent from pfSense on port 4500 never gets replied to.
    Instead it gets a late reply on port 500, but that looks ignored because "next request already sent".

    I've another tunnel to an SG300 working fine, but in that case the remote party is not behind NAT.

    Regards,
      Corrado

    
    PFSENSE 
    Jul 19 11:53:35 charon: 01[CFG] received stroke: initiate 'con3000' 
    Jul 19 11:53:35 charon: 11[IKE] <con3000|5>initiating Main Mode IKE_SA con3000[5] to x.x.x.x 
    Jul 19 11:53:35 charon: 11[ENC] <con3000|5>generating ID_PROT request 0 [ SA V V V V V V ] 
    Jul 19 11:53:35 charon: 11[NET] <con3000|5>sending packet: from 10.168.180.2[500] to x.x.x.x[500] (200 bytes) 
    Jul 19 11:53:35 charon: 11[NET] <con3000|5>received packet: from x.x.x.x[500] to 10.168.180.2[500] (124 bytes) 
    Jul 19 11:53:35 charon: 11[ENC] <con3000|5>parsed ID_PROT response 0 [ SA V V ] 
    Jul 19 11:53:35 charon: 11[IKE] <con3000|5>received draft-ietf-ipsec-nat-t-ike-02\n vendor ID 
    Jul 19 11:53:35 charon: 11[IKE] <con3000|5>received DPD vendor ID 
    Jul 19 11:53:35 charon: 11[ENC] <con3000|5>generating ID_PROT request 0 [ KE No NAT-D NAT-D ] 
    Jul 19 11:53:35 charon: 11[NET] <con3000|5>sending packet: from 10.168.180.2[500] to x.x.x.x[500] (308 bytes) 
    Jul 19 11:53:36 charon: 11[NET] <con3000|5>received packet: from x.x.x.x[500] to 10.168.180.2[500] (292 bytes) 
    Jul 19 11:53:36 charon: 11[ENC] <con3000|5>parsed ID_PROT response 0 [ KE No NAT-D NAT-D ] 
    Jul 19 11:53:36 charon: 11[IKE] <con3000|5>local host is behind NAT, sending keep alives 
    Jul 19 11:53:36 charon: 11[IKE] <con3000|5>remote host is behind NAT 
    Jul 19 11:53:36 charon: 11[ENC] <con3000|5>generating ID_PROT request 0 [ ID HASH ] 
    Jul 19 11:53:36 charon: 11[NET] <con3000|5>sending packet: from 10.168.180.2[4500] to x.x.x.x[4500] (76 bytes) 
    ...
    Jul 19 11:53:40 charon: 11[IKE] <con3000|5>sending retransmit 1 of request message ID 0, seq 3 
    Jul 19 11:53:40 charon: 11[NET] <con3000|5>sending packet: from 10.168.180.2[4500] to x.x.x.x[4500] (76 bytes) 
    ...
    Jul 19 11:53:46 charon: 06[NET] <con3000|5>received packet: from x.x.x.x[500] to 10.168.180.2[500] (292 bytes) 
    Jul 19 11:53:46 charon: 06[IKE] <con3000|5>received retransmit of response with ID 0, but next request already sent 
    Jul 19 11:53:47 charon: 06[IKE] <con3000|5>sending retransmit 2 of request message ID 0, seq 3 
    Jul 19 11:53:47 charon: 06[NET] <con3000|5>sending packet: from 10.168.180.2[4500] to x.x.x.x[4500] (76 bytes) 
    
    CYBERGUARD SG300
    Jul 19 11:53:38 Pluto[143]: packet from y.y.y.y:500: ignoring Vendor ID payload [XAUTH] 
    Jul 19 11:53:38 Pluto[143]: packet from y.y.y.y:500: received Vendor ID payload [Dead Peer Detection] 
    Jul 19 11:53:38 Pluto[143]: packet from y.y.y.y:500: ignoring Vendor ID payload [Cisco-Unity] 
    Jul 19 11:53:38 Pluto[143]: packet from y.y.y.y:500: ignoring Vendor ID payload [4048b7d56ebce885...] 
    Jul 19 11:53:38 Pluto[143]: packet from y.y.y.y:500: ignoring Vendor ID payload [4a131c8107035845...] 
    Jul 19 11:53:38 Pluto[143]: packet from y.y.y.y:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] 
    Jul 19 11:53:38 Pluto[143]: "Vpn1" #48: responding to Main Mode 
    Jul 19 11:53:38 Pluto[143]: "Vpn1" #48: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed 
    Jul 19 11:54:48 Pluto[143]: "Vpn1" #48: max number of retransmissions (2) reached STATE_MAIN_R2 
    ...
    Jul 19 11:55:05 Pluto[143]: "Vpn1" #46: max number of retransmissions (20) reached STATE_MAIN_I1.  No acceptable response to our first IKE message 
    Jul 19 11:55:05 Pluto[143]: "Vpn1" #46: starting keying attempt 3 of an unlimited number 
    Jul 19 11:55:05 Pluto[143]: "Vpn1" #49: initiating Main Mode to replace #46
    
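    The symptom in the pfSense log above (NAT detected on both sides, the initiator moves to UDP 4500 and then only retransmits, while the only late reply arrives on UDP 500) can be picked out mechanically. The script below is an added example written for this thread, not pfSense or strongSwan code; it assumes the pfSense charon syslog layout shown in the post, and the sample lines it parses are constructed to mirror that log, with 203.0.113.10 standing in for the masked peer address x.x.x.x.

```python
"""Scan strongSwan (charon) IKEv1 Main Mode log lines for a NAT-T path problem:
NAT detected, traffic moved to UDP 4500, but no packet ever comes back on 4500."""
import re
from dataclasses import dataclass, field

# Constructed sample, abbreviated from the shape of the pfSense log in the post.
SAMPLE_LOG = """\
Jul 19 11:53:35 charon: 11[IKE] <con3000|5> initiating Main Mode IKE_SA con3000[5] to 203.0.113.10
Jul 19 11:53:35 charon: 11[NET] <con3000|5> sending packet: from 10.168.180.2[500] to 203.0.113.10[500] (200 bytes)
Jul 19 11:53:35 charon: 11[NET] <con3000|5> received packet: from 203.0.113.10[500] to 10.168.180.2[500] (124 bytes)
Jul 19 11:53:36 charon: 11[IKE] <con3000|5> local host is behind NAT, sending keep alives
Jul 19 11:53:36 charon: 11[IKE] <con3000|5> remote host is behind NAT
Jul 19 11:53:36 charon: 11[NET] <con3000|5> sending packet: from 10.168.180.2[4500] to 203.0.113.10[4500] (76 bytes)
Jul 19 11:53:40 charon: 11[IKE] <con3000|5> sending retransmit 1 of request message ID 0, seq 3
Jul 19 11:53:40 charon: 11[NET] <con3000|5> sending packet: from 10.168.180.2[4500] to 203.0.113.10[4500] (76 bytes)
Jul 19 11:53:46 charon: 06[NET] <con3000|5> received packet: from 203.0.113.10[500] to 10.168.180.2[500] (292 bytes)
Jul 19 11:53:46 charon: 06[IKE] <con3000|5> received retransmit of response with ID 0, but next request already sent
"""

# "charon: 11[NET] <con3000|5>msg" -- pfSense sometimes prints no space after the '>'.
LINE_RE = re.compile(r"charon: \d+\[(?P<group>[A-Z]+)\]\s*<(?P<conn>[^|>]+)\|\d+>\s*(?P<msg>.*)$")
PKT_RE = re.compile(r"(?P<dir>sending|received) packet: from \S+\[(?P<sport>\d+)\] to \S+\[(?P<dport>\d+)\]")


@dataclass
class SaStats:
    """Per-connection counters keyed by the local UDP port (500 or 4500)."""
    name: str
    local_nat: bool = False
    remote_nat: bool = False
    sent: dict = field(default_factory=lambda: {500: 0, 4500: 0})
    received: dict = field(default_factory=lambda: {500: 0, 4500: 0})
    retransmits: int = 0
    late_responses: int = 0
    verdict: str = "unknown"
    detail: str = ""


def parse(text: str) -> dict:
    sas = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        sa = sas.setdefault(m["conn"], SaStats(m["conn"]))
        msg = m["msg"]
        if "local host is behind NAT" in msg:
            sa.local_nat = True
        elif "remote host is behind NAT" in msg:
            sa.remote_nat = True
        elif msg.startswith("sending retransmit"):
            sa.retransmits += 1
        elif "next request already sent" in msg:
            sa.late_responses += 1
        else:
            p = PKT_RE.search(msg)
            if p:
                # The local port is the source port when sending, the destination port when receiving.
                port = int(p["sport"]) if p["dir"] == "sending" else int(p["dport"])
                bucket = sa.sent if p["dir"] == "sending" else sa.received
                bucket[port] = bucket.get(port, 0) + 1
    return sas


def diagnose(text: str) -> dict:
    """Attach a verdict to every IKE_SA found in the log text."""
    sas = parse(text)
    for sa in sas.values():
        nat = sa.local_nat or sa.remote_nat
        if nat and sa.sent[4500] and not sa.received[4500]:
            sa.verdict = "udp4500-blocked"
            sa.detail = (f"NAT detected; {sa.sent[4500]} packet(s) sent on UDP 4500 "
                         f"({sa.retransmits} retransmit(s)) with no reply on 4500; "
                         f"{sa.late_responses} late reply on UDP 500. "
                         "Check UDP 4500 forwarding / pass-through on both NAT devices.")
        elif nat and sa.received[4500]:
            sa.verdict = "natt-ok"
            sa.detail = "Peer answers on UDP 4500; the NAT-T path is open."
        elif not nat and sa.sent[500] and not sa.received[500]:
            sa.verdict = "udp500-no-reply"
            sa.detail = "No reply to the first Main Mode message on UDP 500."
        else:
            sa.verdict = "no-finding"
    return sas


if __name__ == "__main__":
    for sa in diagnose(SAMPLE_LOG).values():
        print(f"{sa.name}: {sa.verdict} - {sa.detail}")
```

    Run against the real log, the con3000 entry reports `udp4500-blocked`, which is exactly the missing UDP 4500 forward cmb points at in the reply below.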


  • Looks like you're missing a forward for UDP 4500 through the NAT possibly, no indication that traffic is actually making it to the other side.



  • On both sites I have other IPsec connections working.

    These connections have both endpoints NATed, so UDP 4500 forward is working.

    Also, I've installed pfSense as a replacement for a broken FortiGate, which was working too.

    Meanwhile I upgraded to 2.2.4 but the issue remains.



  • Thanks cmb,

    you were right.
    The Cyberguard is behind a Sitecom X4 N300 router.
    This home router has an "IPsec pass-through" option which sadly does not pass UDP 4500.
    Explicitly allowing it fixed the issue.

    Regards,
      Corrado

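    Why a plain "IPsec pass-through" setting is not enough once both peers detect NAT: after the NAT-D exchange, both IKE and ESP are carried inside UDP 4500 (RFC 3948 framing), so a device that only forwards ESP (IP protocol 50) and UDP 500 never sees the rest of the handshake. The classifier below is an added example, not code from the thread or from either vendor; it assumes RFC 3948 framing (which the draft-ietf-ipsec-nat-t-ike-02/03 peers in this thread negotiate) and uses constructed sample datagrams.

```python
"""Classify a UDP/4500 datagram the way a NAT-T aware gateway does (RFC 3948):
single 0xFF byte = NAT keepalive, four zero bytes = IKE behind a Non-ESP marker,
anything else = ESP-in-UDP (an ESP SPI of zero is reserved, so the marker is unambiguous)."""
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # 4 zero octets in front of IKE on UDP/4500
NAT_KEEPALIVE = b"\xff"                # single 0xFF octet that keeps the NAT mapping alive

# ISAKMP header: I-SPI(8) R-SPI(8) next-payload(1) version(1) exchange(1) flags(1) msgid(4) length(4)
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")

EXCHANGE_NAMES = {
    2: "IKEv1 Main Mode (Identity Protection)", 4: "IKEv1 Aggressive Mode",
    5: "IKEv1 Informational", 32: "IKEv1 Quick Mode",
    34: "IKEv2 IKE_SA_INIT", 35: "IKEv2 IKE_AUTH",
    36: "IKEv2 CREATE_CHILD_SA", 37: "IKEv2 INFORMATIONAL",
}


def classify_udp4500(payload: bytes) -> dict:
    """Return a dict describing what kind of NAT-T datagram this is."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if payload.startswith(NON_ESP_MARKER):
        body = payload[len(NON_ESP_MARKER):]
        if len(body) < ISAKMP_HDR.size:
            return {"kind": "ike", "error": "truncated ISAKMP header"}
        ispi, rspi, _next, ver, xchg, flags, msgid, length = ISAKMP_HDR.unpack_from(body)
        return {
            "kind": "ike",
            "version": f"{ver >> 4}.{ver & 0xF}",
            "exchange": EXCHANGE_NAMES.get(xchg, f"type {xchg}"),
            "encrypted": bool(flags & 0x01),      # E bit: payloads after the header are encrypted
            "message_id": msgid,
            "length_ok": length == len(body),     # header length must cover the whole IKE message
            "initiator_spi": ispi.hex(),
            "responder_spi": rspi.hex(),
        }
    if len(payload) >= 8:
        spi, seq = struct.unpack_from("!II", payload)   # ESP: SPI then sequence number
        return {"kind": "esp", "spi": spi, "seq": seq}
    return {"kind": "unknown"}


def build_ike_on_4500(exchange_type: int, ispi: bytes, rspi: bytes = bytes(8),
                      payload: bytes = b"", flags: int = 0) -> bytes:
    """Wrap an IKEv1 message in the UDP/4500 Non-ESP marker framing (constructed test data)."""
    hdr = ISAKMP_HDR.pack(ispi, rspi, 0, 0x10, exchange_type, flags, 0,
                          ISAKMP_HDR.size + len(payload))
    return NON_ESP_MARKER + hdr + payload


# Constructed samples: an encrypted Main Mode message (like the [ ID HASH ] request in the
# thread, flags=0x01) and an ESP packet with an arbitrary SPI.
SAMPLE_IKE = build_ike_on_4500(2, bytes.fromhex("0011223344556677"),
                               bytes.fromhex("8899aabbccddeeff"), b"\x00" * 44, flags=0x01)
SAMPLE_ESP = struct.pack("!II", 0xC0FFEE01, 7) + b"\x00" * 24

if __name__ == "__main__":
    for name, pkt in (("keepalive", NAT_KEEPALIVE), ("ike", SAMPLE_IKE), ("esp", SAMPLE_ESP)):
        print(name, len(pkt), "bytes ->", classify_udp4500(pkt))
```

    Note that SAMPLE_IKE is 76 bytes on the wire, the same size as the stalled ID_PROT request in the pfSense log; a NAT device that does not forward UDP 4500 drops all three kinds of datagram alike, so the ESP traffic would be lost even if phase 1 somehow completed.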
