Netgate Discussion Forum

    IPsec LAN-to-LAN connection doesn't work - please help

    IPsec | 5 Posts 2 Posters 5.2k Views
    • esquire1968

      Hi!

      I am trying to connect my pfSense to a remote router (TP-Link TL-6120). The setup of the TP-Link is not very difficult - I use the following settings:

      SETUP Side-B
      
      Mode:                 LAN-to-LAN
      Local Subnet:         192.168.0.0/24
      Remote Subnet:        10.0.0.0/15
      Remote Gateway:       [myDynDns]
      
      IPsec Proposal 1: 
      . Security Protocol:  ESP
      . ESP Authentication: SHA1
      . ESP Encryption:     AES256
      
      PFS:                  NONE
      SA Lifetime:          28800
      
      IKE Policy:
      . Exchange Mode:      Main
      . Local ID Type:      IP Address
      . Local ID:           Local WAN IP
      . Remote ID Type:     IP Address
      . Remote ID:          Remote Gateway ID
      . Pre-shared Key:     secretkey
      . SA Lifetime:        28800
      . DPD:                Enable
      . DPD Interval:       15
      
      IKE Proposal:
      . Authentication:     SHA1
      . Encryption:         AES256
      . DH Group:           DH5
      

      Here are the settings of my pfSense (Side-A):

      SETUP Side-A
      
      Phase 1:
      
      . Key Exchange version:   V1
      . Internet Protocol:      IPv4
      . Interface:              WAN
      . Remote gateway:         [remoteDynDNS]
      
      . Authentication method:  Mutual PSK
      . Negotiation mode:       main
      . My identifier:          Dynamic DNS - [myDynDns]
      . Peer identifier:        Peer ID address
      . Pre-shared key:         secretkey
      
      . Encryption algorithm:   AES - 256 bits
      . Hash algorithm:         SHA1
      . DH key group:           5 (1536 bit)
      . Lifetime:               28800
      
      . NAT Traversal:          Auto
      . Dead Peer Detection:    checked - 15 seconds - 15 retries
      
      Phase 2:
      
      . Mode:                   Tunnel IPv4
      . Local Network:          Network - 10.0.0.0/15
      . Remote Network:         Network - 192.168.0.0/24
      
      . Protocol:               ESP
      . Encryption algorithm:   AES - auto
      . Hash algorithm:         SHA1
      . PFS key group:          off
      . Lifetime:               28800
      
      IPsec Setting:
      
      . Unique IDs:             YES
      . Unencrypted payloads:   checked
      

      After starting the IPsec service I get the following log entries:

      Sep 10 13:30:52 ipsec_starter[91603]:  
      Sep 10 13:30:52 ipsec_starter[91603]: 'con1000' routed 
      Sep 10 13:30:52 charon: 16[CFG] received stroke: route 'con1000' 
      Sep 10 13:30:52 charon: 12[CFG] added configuration 'con1000' 
      Sep 10 13:30:52 charon: 12[CFG] received stroke: add connection 'con1000' 
      Sep 10 13:30:52 ipsec_starter[91603]: charon (91639) started after 80 ms 
      Sep 10 13:30:52 charon: 00[JOB] spawning 16 worker threads 
      Sep 10 13:30:52 charon: 00[LIB] loaded plugins: charon unbound aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf xcbc cmac hmac curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke smp updown eap-identity eap-sim eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap whitelist addrblock unity 
      Sep 10 13:30:52 charon: 00[CFG] loaded 0 RADIUS server configurations 
      Sep 10 13:30:52 charon: 00[CFG] opening triplet file /var/etc/ipsec/ipsec.d/triplets.dat failed: No such file or directory 
      Sep 10 13:30:52 charon: 00[CFG] loaded IKE secret for %any REMOTEIP 
      Sep 10 13:30:52 charon: 00[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets' 
      Sep 10 13:30:52 charon: 00[CFG] loading crls from '/var/etc/ipsec/ipsec.d/crls' 
      Sep 10 13:30:52 charon: 00[CFG] loading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts' 
      Sep 10 13:30:52 charon: 00[CFG] loading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts' 
      Sep 10 13:30:52 charon: 00[CFG] loading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts' 
      Sep 10 13:30:52 charon: 00[CFG] loaded ca certificate "..." from '/var/etc/ipsec/ipsec.d/cacerts/df28683a.0.crt' 
      Sep 10 13:30:52 charon: 00[CFG] loaded ca certificate "..." from '/var/etc/ipsec/ipsec.d/cacerts/a9025906.0.crt' 
      Sep 10 13:30:52 charon: 00[CFG] loading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts' 
      Sep 10 13:30:52 charon: 00[CFG] ipseckey plugin is disabled 
      Sep 10 13:30:52 charon: 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed 
      Sep 10 13:30:52 charon: 00[KNL] unable to set UDP_ENCAP: Invalid argument 
      Sep 10 13:30:52 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.3.2, FreeBSD 10.1-RELEASE-p15, amd64) 
      Sep 10 13:30:52 ipsec_starter[91011]: no known IPsec stack detected, ignoring! 
      Sep 10 13:30:52 ipsec_starter[91011]: no KLIPS IPsec stack detected 
      Sep 10 13:30:52 ipsec_starter[91011]: no netkey IPsec stack detected 
      Sep 10 13:30:52 ipsec_starter[91011]: Starting strongSwan 5.3.2 IPsec [starter]... 
      

      I try to connect (Status: IPsec):

      Sep 10 13:32:37 charon: 10[NET] <con1000|1>sending packet: from MYIP[500] to REMOTEIP[500] (200 bytes) 
      Sep 10 13:32:37 charon: 10[IKE] <con1000|1>sending retransmit 3 of request message ID 0, seq 1 
      Sep 10 13:32:37 charon: 10[IKE] <con1000|1>sending retransmit 3 of request message ID 0, seq 1 
      Sep 10 13:32:24 charon: 10[NET] <con1000|1>sending packet: from MYIP[500] to REMOTEIP[500] (200 bytes) 
      Sep 10 13:32:24 charon: 10[IKE] <con1000|1>sending retransmit 2 of request message ID 0, seq 1 
      Sep 10 13:32:24 charon: 10[IKE] <con1000|1>sending retransmit 2 of request message ID 0, seq 1 
      Sep 10 13:32:17 charon: 10[NET] <con1000|1>sending packet: from MYIP[500] to REMOTEIP[500] (200 bytes) 
      Sep 10 13:32:17 charon: 10[IKE] <con1000|1>sending retransmit 1 of request message ID 0, seq 1 
      Sep 10 13:32:17 charon: 10[IKE] <con1000|1>sending retransmit 1 of request message ID 0, seq 1 
      Sep 10 13:32:13 charon: 10[NET] <con1000|1>sending packet: from MYIP[500] to REMOTEIP[500] (200 bytes) 
      Sep 10 13:32:13 charon: 10[ENC] <con1000|1>generating ID_PROT request 0 [ SA V V V V V V ] 
      Sep 10 13:32:13 charon: 10[IKE] <con1000|1>initiating Main Mode IKE_SA con1000[1] to REMOTEIP 
      Sep 10 13:32:13 charon: 10[IKE] <con1000|1>initiating Main Mode IKE_SA con1000[1] to REMOTEIP 
      Sep 10 13:32:13 charon: 16[CFG] received stroke: initiate 'con1000' 
      Sep 10 13:32:13 charon: 10[CFG] no IKE_SA named 'con1000' found 
      Sep 10 13:32:13 charon: 10[CFG] received stroke: terminate 'con1000' 
      

      What's wrong? Please help!

      Best regards,
      Thomas

      • cmb

        Your identifiers don't match. You have an IP on one side and a domain name on the other.

        • esquire1968

          Thanks for your answer! There was a mistake in the DynDNS.

          Now, the connection is established, but I can't ping any client on the remote side.

          I get the following log-entries:

          Sep 19 09:58:35 charon: 09[IKE] <con1000|64>INFORMATIONAL_V1 request with message ID 510091493 processing failed 
          Sep 19 09:58:35 charon: 09[IKE] <con1000|64>INFORMATIONAL_V1 request with message ID 510091493 processing failed 
          Sep 19 09:58:35 charon: 09[IKE] <con1000|64>ignore malformed INFORMATIONAL request 
          Sep 19 09:58:35 charon: 09[IKE] <con1000|64>ignore malformed INFORMATIONAL request 
          Sep 19 09:58:35 charon: 09[IKE] <con1000|64>message verification failed 
          Sep 19 09:58:35 charon: 09[IKE] <con1000|64>message verification failed 
          Sep 19 09:58:35 charon: 09[ENC] <con1000|64>ignoring unprotected INFORMATIONAL from <ip of the remote side> 
          Sep 19 09:58:35 charon: 09[ENC] <con1000|64>parsed INFORMATIONAL_V1 request 510091493 [ N(NO_PROP) ] 
          

          Thanking you in anticipation.

          Thomas

          • cmb

            Still something mismatched there. NO_PROP seems to indicate an identifier mismatch. Try hard coding the current IP and using only IP identifiers, no dyndns anywhere, and see if that works. That'll at least narrow it down some.

            • esquire1968

              Now I have a stable IPsec tunnel, but I can't reach any client on the remote side. I get the following logs:

              Sep 20 21:18:08 charon: 15[IKE] <con1000|1>received (30) error notify 
              Sep 20 21:18:08 charon: 15[IKE] <con1000|1>received (30) error notify 
              Sep 20 21:18:08 charon: 15[IKE] <con1000|1>received (30) error notify 
              Sep 20 21:18:08 charon: 15[IKE] <con1000|1>received (30) error notify 
              Sep 20 21:18:08 charon: 15[ENC] <con1000|1>parsed INFORMATIONAL_V1 request 3846293289 [ HASH N((30)) ] 
              Sep 20 21:18:08 charon: 15[NET] <con1000|1>received packet: from 81.217.23.223[500] to 193.81.148.115[500] (76 bytes) 
              Sep 20 21:18:08 charon: 15[NET] <con1000|1>sending packet: from 193.81.148.115[500] to 81.217.23.223[500] (172 bytes) 
              Sep 20 21:18:08 charon: 15[IKE] <con1000|1>sending retransmit 1 of response message ID 3559683763, seq 5 
              Sep 20 21:18:08 charon: 15[IKE] <con1000|1>sending retransmit 1 of response message ID 3559683763, seq 5 
              Sep 20 21:18:04 charon: 08[NET] <con1000|1>sending packet: from 193.81.148.115[500] to 81.217.23.223[500] (172 bytes) 
              Sep 20 21:18:04 charon: 08[ENC] <con1000|1>generating QUICK_MODE response 3559683763 [ HASH SA No ID ID ] 
              Sep 20 21:18:04 charon: 08[IKE] <con1000|1>received 28800s lifetime, configured 0s 
              Sep 20 21:18:04 charon: 08[IKE] <con1000|1>received 28800s lifetime, configured 0s 
              Sep 20 21:18:04 charon: 08[ENC] <con1000|1>parsed QUICK_MODE request 3559683763 [ HASH SA No ID ID ] 
              Sep 20 21:18:04 charon: 08[NET] <con1000|1>received packet: from 81.217.23.223[500] to 193.81.148.115[500] (204 bytes) 
              Sep 20 21:17:59 charon: 15[IKE] <con1000|1>received (30) error notify 
              Sep 20 21:17:59 charon: 15[IKE] <con1000|1>received (30) error notify 
              Sep 20 21:17:59 charon: 15[IKE] <con1000|1>received (30) error notify 
              Sep 20 21:17:59 charon: 15[IKE] <con1000|1>received (30) error notify 
              Sep 20 21:17:59 charon: 15[ENC] <con1000|1>parsed INFORMATIONAL_V1 request 3122718413 [ HASH N((30)) ] 
              Sep 20 21:17:59 charon: 15[NET] <con1000|1>received packet: from 81.217.23.223[500] to 193.81.148.115[500] (76 bytes) 
              Sep 20 21:17:59 charon: 15[NET] <con1000|1>sending packet: from 193.81.148.115[500] to 81.217.23.223[500] (172 bytes) 
              Sep 20 21:17:59 charon: 15[IKE] <con1000|1>sending retransmit 1 of response message ID 3922146324, seq 4 
              Sep 20 21:17:59 charon: 15[IKE] <con1000|1>sending retransmit 1 of response message ID 3922146324, seq 4 
              Sep 20 21:17:54 charon: 15[NET] <con1000|1>sending packet: from 193.81.148.115[500] to 81.217.23.223[500] (172 bytes) 
              Sep 20 21:17:54 charon: 15[ENC] <con1000|1>generating QUICK_MODE response 3922146324 [ HASH SA No ID ID ] 
              Sep 20 21:17:54 charon: 15[IKE] <con1000|1>received 28800s lifetime, configured 0s 
              Sep 20 21:17:54 charon: 15[IKE] <con1000|1>received 28800s lifetime, configured 0s 
              Sep 20 21:17:54 charon: 15[ENC] <con1000|1>parsed QUICK_MODE request 3922146324 [ HASH SA No ID ID ] 
              Sep 20 21:17:54 charon: 15[NET] <con1000|1>received packet: from 81.217.23.223[500] to 193.81.148.115[500] (204 bytes) 
              Sep 20 21:17:54 charon: 15[NET] <con1000|1>sending packet: from 193.81.148.115[500] to 81.217.23.223[500] (76 bytes) 
              Sep 20 21:17:54 charon: 15[ENC] <con1000|1>generating ID_PROT response 0 [ ID HASH ] 
              Sep 20 21:17:54 charon: 15[IKE] <con1000|1>IKE_SA con1000[1] established between 193.81.148.115[193.81.148.115]...81.217.23.223[81.217.23.223] 
              Sep 20 21:17:54 charon: 15[IKE] <con1000|1>IKE_SA con1000[1] established between 193.81.148.115[193.81.148.115]...81.217.23.223[81.217.23.223] 
              

              Thanks!

              Thomas

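The thread walks through three distinct charon failure signatures: a Main Mode request that is only ever retransmitted (no answer from the peer), an INFORMATIONAL carrying N(NO_PROP) after the identifiers were fixed, and finally a Quick Mode exchange answered by a bare "(30) error notify" together with a lifetime that differs from the local setting. The script below is an added example, not code from the thread or from Netgate or strongSwan: it parses per-SA charon log lines of the shape shown above and sorts them into those classes, so the same mismatch can be spotted on the next tunnel without reading the log by hand. The sample log is constructed to mirror the thread's lines with placeholder addresses. The name for notify type 30 is taken from the IKEv1/ISAKMP table in RFC 2408 (UNEQUAL-PAYLOAD-LENGTHS), which strongSwan logs only as a number.

```python
import re
from collections import defaultdict

# Constructed sample: a condensed mix of the three log phases from the thread,
# with addresses replaced by placeholders. Not a real capture.
SAMPLE_LOG = """\
Sep 10 13:32:13 charon: 10[IKE] <con1000|1>initiating Main Mode IKE_SA con1000[1] to REMOTEIP
Sep 10 13:32:13 charon: 10[ENC] <con1000|1>generating ID_PROT request 0 [ SA V V V V V V ]
Sep 10 13:32:17 charon: 10[IKE] <con1000|1>sending retransmit 1 of request message ID 0, seq 1
Sep 10 13:32:24 charon: 10[IKE] <con1000|1>sending retransmit 2 of request message ID 0, seq 1
Sep 10 13:32:37 charon: 10[IKE] <con1000|1>sending retransmit 3 of request message ID 0, seq 1
Sep 19 09:58:35 charon: 09[ENC] <con1000|64>parsed INFORMATIONAL_V1 request 510091493 [ N(NO_PROP) ]
Sep 19 09:58:35 charon: 09[IKE] <con1000|64>message verification failed
Sep 20 21:17:54 charon: 15[IKE] <con1000|1>IKE_SA con1000[1] established between A[A]...B[B]
Sep 20 21:17:54 charon: 15[ENC] <con1000|1>parsed QUICK_MODE request 3922146324 [ HASH SA No ID ID ]
Sep 20 21:17:54 charon: 15[IKE] <con1000|1>received 28800s lifetime, configured 0s
Sep 20 21:17:59 charon: 15[ENC] <con1000|1>parsed INFORMATIONAL_V1 request 3122718413 [ HASH N((30)) ]
Sep 20 21:17:59 charon: 15[IKE] <con1000|1>received (30) error notify
"""

# "Sep 10 13:32:13 charon: 10[IKE] <con1000|1>message" -> date, time, subsystem, SA tag, message.
# Lines without an SA tag (ipsec_starter, daemon startup) are skipped on purpose.
LINE_RE = re.compile(
    r"^(?P<date>\w{3}\s+\d{1,2}) (?P<time>\d\d:\d\d:\d\d) charon: "
    r"\d+\[(?P<sub>[A-Z]+)\] <(?P<sa>[^>]+)> ?(?P<msg>.*)$"
)

# IKEv1 notify types strongSwan has no name for are logged as a bare number.
# Mapping taken from the ISAKMP notify table in RFC 2408, section 3.14.1.
IKEV1_NOTIFY = {30: "UNEQUAL-PAYLOAD-LENGTHS"}


def parse(log_text):
    """Group per-SA messages by (date, SA tag). pfSense shows newest lines first,
    so nothing here depends on line order."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events[(m["date"], m["sa"])].append(m["msg"])
    return events


def triage_sa(msgs):
    """Return a list of findings for one IKE_SA's messages."""
    findings = []
    established = any("IKE_SA" in m and "established" in m for m in msgs)
    retransmits = sum(1 for m in msgs if m.startswith("sending retransmit") and "request" in m)
    received = any(m.startswith("received packet") for m in msgs)

    # Our own request retransmitted, nothing ever received: peer unreachable,
    # UDP/500 filtered, or the remote gateway address is wrong.
    if retransmits and not received and not established:
        findings.append(f"phase1-no-response: ID_PROT request retransmitted {retransmits} times, nothing received")

    # NO_PROPOSAL_CHOSEN: the peer rejected our proposal or our identity.
    if any("N(NO_PROP)" in m for m in msgs):
        findings.append("phase1-no-proposal: peer sent NO_PROPOSAL_CHOSEN (proposal or identifier mismatch)")

    # Bare numeric error notify: decode it and say which phase it arrived in.
    for m in msgs:
        n = re.match(r"received \((\d+)\) error notify", m)
        if n:
            code = int(n.group(1))
            phase = "phase2" if any("QUICK_MODE" in x for x in msgs) else "phase1"
            findings.append(f"{phase}-error-notify: type {code} ({IKEV1_NOTIFY.get(code, 'unknown')})")
            break

    # Phase 2 lifetime the peer proposed versus what this side has configured.
    for m in msgs:
        lt = re.match(r"received (\d+)s lifetime, configured (\d+)s", m)
        if lt and lt.group(1) != lt.group(2):
            findings.append(f"lifetime-mismatch: peer {lt.group(1)}s vs local {lt.group(2)}s")
            break

    if established and not findings:
        findings.append("ok: IKE_SA established, no errors seen")
    return findings


def triage(log_text):
    """Map 'date SA-tag' -> findings for every IKE_SA in the log text."""
    return {f"{d} {sa}": triage_sa(m) for (d, sa), m in parse(log_text).items()}


if __name__ == "__main__":
    for sa, findings in triage(SAMPLE_LOG).items():
        print(sa)
        for f in findings:
            print("  -", f)
```

Feed it the raw Status > System Logs > IPsec output; the three SA groups in the constructed sample come out as phase1-no-response, phase1-no-proposal, and phase2-error-notify plus lifetime-mismatch, which is the progression the thread went through. A numeric notify on an established IKE_SA points at the Phase 2 (Quick Mode) parameters on the two sides rather than at identifiers.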
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.