Netgate Discussion Forum

    IPSEC initiation from one side only

    Category: IPsec · 8 Posts · 2 Posters · 2.1k Views
    • B
      bouli_2003
      last edited by

      Hi,

      I implemented one S2S IPsec tunnel between pfSense and a Juniper SSG router.

      The WAN interface of pfSense is NATed on our router.

      The site initiation succeeds from the SSG side but fails once initiated from the pfSense side.

      N.B.: - automatic outbound NAT is selected
            - the initiation from pfSense is from itself (no LAN connected, as it is for testing purposes).

      How can I initiate the tunnel from pfSense?

      Thanks in advance.

      • C
        cmb
        last edited by

        What IPsec logs do you get when trying to initiate in the non-working direction?

        • B
          bouli_2003
          last edited by

          Hi,

          Below are the received logs:
          Feb 12 17:11:57 charon: 15[IKE] <con1000|43> initiating Main Mode IKE_SA con1000[43] to x.x.x.x
          Feb 12 17:11:57 charon: 15[ENC] <con1000|43> generating ID_PROT request 0 [ SA V V V V V V ]
          Feb 12 17:11:57 charon: 15[NET] <con1000|43> sending packet: from x.x.x.x[500] to x.x.x.x[500] (200 bytes)
          Feb 12 17:11:57 charon: 12[NET] <con1000|43> received packet: from x.x.x.x[500] to x.x.x.x[500] (180 bytes)
          Feb 12 17:11:57 charon: 12[ENC] <con1000|43> parsed ID_PROT response 0 [ SA V V V V ]
          Feb 12 17:11:57 charon: 12[ENC] <con1000|43> received unknown vendor ID: 52:84:3a:df:f6:b8:88:d8:49:05:e9:c7:c7:71:d2:2c:3d:f0:27:bc:00:00:00:15:00:00:06:1e
          Feb 12 17:11:57 charon: 12[IKE] <con1000|43> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
          Feb 12 17:11:57 charon: 12[IKE] <con1000|43> received DPD vendor ID
          Feb 12 17:11:57 charon: 12[ENC] <con1000|43> received unknown vendor ID: 48:65:61:72:74:42:65:61:74:5f:4e:6f:74:69:66:79:38:6b:01:00
          Feb 12 17:11:57 charon: 12[ENC] <con1000|43> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
          Feb 12 17:11:57 charon: 12[NET] <con1000|43> sending packet: from 1x.x.x.x[500] to x.x.x.x[500] (244 bytes)
          Feb 12 17:11:58 charon: 12[NET] <con1000|43> received packet: from x.x.x.x[500] to x.x.x.x[500] (244 bytes)
          Feb 12 17:11:58 charon: 12[ENC] <con1000|43> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
          Feb 12 17:11:58 charon: 12[ENC] <con1000|43> generating ID_PROT request 0 [ ID HASH ]
          Feb 12 17:11:58 charon: 12[NET] <con1000|43> sending packet: from x.x.x.x[4500] to x.x.x.x[4500] (76 bytes)
          Feb 12 17:12:00 charon: 12[KNL] creating acquire job for policy x.x.x.x/32|/0 === x.x.x.x/32|/0 with reqid {1}
          Feb 12 17:12:00 charon: 05[CFG] ignoring acquire, connection attempt pending
          Feb 12 17:12:02 charon: 05[IKE] <con1000|43> sending retransmit 1 of request message ID 0, seq 3
          Feb 12 17:12:02 charon: 05[NET] <con1000|43> sending packet: from x.x.x.x[4500] to x.x.x.x[4500] (76 bytes)
          Feb 12 17:12:06 charon: 14[KNL] creating acquire job for policy x.x.x.x/32|/0 === x.x.x.x/32|/0 with reqid {1}
          Feb 12 17:12:06 charon: 05[CFG] ignoring acquire, connection attempt pending
          Feb 12 17:12:09 charon: 12[IKE] <con1000|43> sending retransmit 2 of request message ID 0, seq 3
          Feb 12 17:12:09 charon: 12[NET] <con1000|43> sending packet: from x.x.x.x[4500] to x.x.x.x[4500] (76 bytes)
          Feb 12 17:12:12 charon: 14[KNL] creating acquire job for policy x.x.x.x/32|/0 === x.x.x.x2/32|/0 with reqid {1}
          Feb 12 17:12:12 charon: 12[CFG] ignoring acquire, connection attempt pending
          Feb 12 17:12:16 charon: 12[KNL] creating acquire job for policy x.x.x.x/32|/0 === x.x.x.x/32|/0 with reqid {1}
          Feb 12 17:12:16 charon: 15[CFG] ignoring acquire, connection attempt pending

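The log above shows the first two Main Mode exchanges answered on UDP 500, then the third request ([ ID HASH ]) sent on UDP 4500 after the NAT-T float and only retransmits afterwards. As an added example that is not part of the thread, this small parser reconstructs that per-IKE_SA state from charon lines and flags the stall pattern; the log shape is assumed from the post, and the sample lines and addresses are constructed.

```python
import re

# Shape of strongSwan charon lines as seen in the thread (assumed from the post).
LINE_RE = re.compile(r"charon: \d+\[(?P<sub>[A-Z]+)\] (?:<(?P<sa>[^>]+)> ?)?(?P<msg>.*)$")
PORT_RE = re.compile(r"from \S+\[(\d+)\] to \S+\[(\d+)\]")

# Constructed sample mirroring the thread: exchanges 1 and 2 answered on 500, exchange 3 on 4500 stalls.
SAMPLE_LOG = [
    "Feb 12 17:11:57 charon: 15[ENC] <con1000|43> generating ID_PROT request 0 [ SA V V V V V V ]",
    "Feb 12 17:11:57 charon: 15[NET] <con1000|43> sending packet: from 192.0.2.5[500] to 203.0.113.10[500] (200 bytes)",
    "Feb 12 17:11:57 charon: 12[ENC] <con1000|43> parsed ID_PROT response 0 [ SA V V V V ]",
    "Feb 12 17:11:57 charon: 12[ENC] <con1000|43> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]",
    "Feb 12 17:11:58 charon: 12[ENC] <con1000|43> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]",
    "Feb 12 17:11:58 charon: 12[ENC] <con1000|43> generating ID_PROT request 0 [ ID HASH ]",
    "Feb 12 17:11:58 charon: 12[NET] <con1000|43> sending packet: from 192.0.2.5[4500] to 203.0.113.10[4500] (76 bytes)",
    "Feb 12 17:12:00 charon: 12[KNL] creating acquire job for policy 192.0.2.5/32|/0 === 10.1.0.0/16|/0 with reqid {1}",
    "Feb 12 17:12:02 charon: 05[IKE] <con1000|43> sending retransmit 1 of request message ID 0, seq 3",
    "Feb 12 17:12:09 charon: 12[IKE] <con1000|43> sending retransmit 2 of request message ID 0, seq 3",
]

def analyze_ike_log(lines):
    """Return per-IKE_SA exchange history plus a plain-language diagnosis of a stalled initiation."""
    sas = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m or not m.group("sa"):      # skip lines not tied to an IKE_SA (e.g. KNL/CFG)
            continue
        st = sas.setdefault(m.group("sa"), {"sent": [], "received": [],
                                            "retransmits": 0, "ports": set(), "diagnosis": "ok"})
        msg = m.group("msg")
        if msg.startswith("generating"):    # request we built and sent
            st["sent"].append(msg.split("[", 1)[1].strip(" ]"))
        elif msg.startswith("parsed"):      # response the peer answered with
            st["received"].append(msg.split("[", 1)[1].strip(" ]"))
        elif msg.startswith("sending retransmit"):
            st["retransmits"] += 1
        pm = PORT_RE.search(msg)            # track which UDP port pairs were used
        if pm:
            st["ports"].add((int(pm.group(1)), int(pm.group(2))))
    for st in sas.values():
        if len(st["sent"]) > len(st["received"]) and st["retransmits"]:
            what = st["sent"][-1]
            if (500, 500) in st["ports"] and (4500, 4500) in st["ports"]:
                st["diagnosis"] = ("stalled after NAT-T float: [%s] on UDP 4500 unanswered after %d "
                                   "retransmits; earlier UDP 500 exchanges were answered. Verify UDP 4500 "
                                   "reaches the peer and check the peer's logs." % (what, st["retransmits"]))
            else:
                st["diagnosis"] = "[%s] unanswered after %d retransmits" % (what, st["retransmits"])
    return sas
```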
          • C
            cmb
            last edited by

            Just shows the Juniper isn't replying, no way to tell why from that. Check the logs on the Juniper.

            • B
              bouli_2003
              last edited by

              Please note that when doing a traceroute to the remote LAN it is going directly from the WAN interface.

              Also, I don't have any LAN network on the pfSense side; I am testing directly from the FW, which has only the WAN interface configured.

              • C
                cmb
                last edited by

                That's expected and has no relation to the issue. For proper testing you'll want to bring the LAN up, but that has no relation to why the Juniper isn't responding.

                • B
                  bouli_2003
                  last edited by

                  I don't think there is a configuration issue, because once traffic is initiated from the Juniper the tunnel goes up.

                  • C
                    cmb
                    last edited by

                    Config can differ as initiator vs. responder. UDP 500 traffic could be blocked in that direction but not the opposite. Regardless you need to look at the Juniper side and see why it's not replying.
