
Topic: Can't get IPSEC to connect, been trying for days.


Offline tnbp

Can't get IPSEC to connect, been trying for days.
« on: January 23, 2018, 11:09:38 pm »
Here are the logs. I've tried all sorts of ways to set it up, no luck.


Jan 24 16:06:19   charon      07[NET] <con1|7> received packet: from 110.142.113.249[4500] to 192.168.15.2[4500] (80 bytes)
Jan 24 16:06:19   charon      07[ENC] <con1|7> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jan 24 16:06:19   charon      07[IKE] <con1|7> received AUTHENTICATION_FAILED notify error
Jan 24 16:06:24   charon      07[NET] <8> received packet: from 110.142.113.249[500] to 192.168.15.2[500] (336 bytes)
Jan 24 16:06:24   charon      07[ENC] <8> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan 24 16:06:24   charon      07[IKE] <8> 110.142.113.249 is initiating an IKE_SA
Jan 24 16:06:24   charon      07[IKE] <8> local host is behind NAT, sending keep alives
Jan 24 16:06:24   charon      07[IKE] <8> remote host is behind NAT
Jan 24 16:06:24   charon      07[ENC] <8> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Jan 24 16:06:24   charon      07[NET] <8> sending packet: from 192.168.15.2[500] to 110.142.113.249[500] (338 bytes)
Jan 24 16:06:24   charon      07[NET] <8> received packet: from 110.142.113.249[4500] to 192.168.15.2[4500] (256 bytes)
Jan 24 16:06:24   charon      07[ENC] <8> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
Jan 24 16:06:24   charon      07[CFG] <8> looking for peer configs matching 192.168.15.2[120.151.146.229]...110.142.113.249[192.168.1.2]
Jan 24 16:06:24   charon      07[CFG] <bypasslan|8> selected peer config 'bypasslan'
Jan 24 16:06:24   charon      07[IKE] <bypasslan|8> no shared key found for '120.151.146.229' - '192.168.1.2'
Jan 24 16:06:24   charon      07[IKE] <bypasslan|8> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jan 24 16:06:24   charon      07[ENC] <bypasslan|8> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jan 24 16:06:24   charon      07[NET] <bypasslan|8> sending packet: from 192.168.15.2[4500] to 110.142.113.249[4500] (80 bytes)
Jan 24 16:06:26   charon      07[NET] <9> received packet: from 110.142.113.249[500] to 192.168.15.2[500] (336 bytes)
Jan 24 16:06:26   charon      07[ENC] <9> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan 24 16:06:26   charon      07[IKE] <9> 110.142.113.249 is initiating an IKE_SA
Jan 24 16:06:27   charon      07[IKE] <9> local host is behind NAT, sending keep alives
Jan 24 16:06:27   charon      07[IKE] <9> remote host is behind NAT
Jan 24 16:06:27   charon      07[ENC] <9> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Jan 24 16:06:27   charon      07[NET] <9> sending packet: from 192.168.15.2[500] to 110.142.113.249[500] (338 bytes)
Jan 24 16:06:27   charon      07[NET] <9> received packet: from 110.142.113.249[4500] to 192.168.15.2[4500] (256 bytes)
Jan 24 16:06:27   charon      07[ENC] <9> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
Jan 24 16:06:27   charon      07[CFG] <9> looking for peer configs matching 192.168.15.2[120.151.146.229]...110.142.113.249[192.168.1.2]
Jan 24 16:06:27   charon      07[CFG] <bypasslan|9> selected peer config 'bypasslan'
Jan 24 16:06:27   charon      07[IKE] <bypasslan|9> no shared key found for '120.151.146.229' - '192.168.1.2'
Jan 24 16:06:27   charon      07[IKE] <bypasslan|9> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jan 24 16:06:27   charon      07[ENC] <bypasslan|9> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jan 24 16:06:27   charon      07[NET] <bypasslan|9> sending packet: from 192.168.15.2[4500] to 110.142.113.249[4500] (80 bytes)
Jan 24 16:07:11   charon      05[CFG] received stroke: terminate 'con1'
Jan 24 16:07:11   charon      05[CFG] no IKE_SA named 'con1' found
Jan 24 16:07:11   charon      06[CFG] received stroke: initiate 'con1'
Jan 24 16:07:11   charon      05[IKE] <con1|10> initiating IKE_SA con1[10] to 110.142.113.249
Jan 24 16:07:11   charon      05[ENC] <con1|10> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan 24 16:07:11   charon      05[NET] <con1|10> sending packet: from 192.168.15.2[500] to 110.142.113.249[500] (338 bytes)
Jan 24 16:07:11   charon      05[NET] <con1|10> received packet: from 110.142.113.249[500] to 192.168.15.2[500] (336 bytes)
Jan 24 16:07:11   charon      05[ENC] <con1|10> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Jan 24 16:07:11   charon      05[IKE] <con1|10> local host is behind NAT, sending keep alives
Jan 24 16:07:11   charon      05[IKE] <con1|10> remote host is behind NAT
Jan 24 16:07:11   charon      05[IKE] <con1|10> authentication of '192.168.15.2' (myself) with pre-shared key
Jan 24 16:07:11   charon      05[IKE] <con1|10> establishing CHILD_SA con1{6}
Jan 24 16:07:11   charon      05[ENC] <con1|10> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Jan 24 16:07:11   charon      05[NET] <con1|10> sending packet: from 192.168.15.2[4500] to 110.142.113.249[4500] (272 bytes)
Jan 24 16:07:11   charon      05[NET] <con1|10> received packet: from 110.142.113.249[4500] to 192.168.15.2[4500] (80 bytes)
Jan 24 16:07:11   charon      05[ENC] <con1|10> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jan 24 16:07:11   charon      05[IKE] <con1|10> received AUTHENTICATION_FAILED notify error

Offline tnbp

Re: Can't get IPSEC to connect, been trying for days.
« Reply #1 on: January 23, 2018, 11:15:58 pm »
more logs

Jan 24 16:14:12   charon      13[NET] <11> sending packet: from 192.168.0.1[500] to 110.142.113.249[500] (338 bytes)
Jan 24 16:14:12   charon      13[NET] <11> received packet: from 110.142.113.249[4500] to 192.168.15.2[4500] (256 bytes)
Jan 24 16:14:12   charon      13[ENC] <11> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
Jan 24 16:14:12   charon      13[CFG] <11> looking for peer configs matching 192.168.15.2[120.151.146.229]...110.142.113.249[192.168.1.2]
Jan 24 16:14:12   charon      13[CFG] <bypasslan|11> selected peer config 'bypasslan'
Jan 24 16:14:12   charon      13[IKE] <bypasslan|11> no shared key found for '120.151.146.229' - '192.168.1.2'
Jan 24 16:14:12   charon      13[IKE] <bypasslan|11> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jan 24 16:14:12   charon      13[ENC] <bypasslan|11> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jan 24 16:14:13   charon      13[NET] <bypasslan|11> sending packet: from 192.168.15.2[4500] to 110.142.113.249[4500] (80 bytes)
Jan 24 16:14:22   charon      11[CFG] rereading secrets
Jan 24 16:14:22   charon      11[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
Jan 24 16:14:22   charon      11[CFG] loaded IKE secret for %any 110.142.113.249
Jan 24 16:14:22   charon      11[CFG] rereading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Jan 24 16:14:22   charon      11[CFG] rereading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Jan 24 16:14:22   charon      11[CFG] rereading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Jan 24 16:14:22   charon      11[CFG] rereading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Jan 24 16:14:22   charon      11[CFG] rereading crls from '/usr/local/etc/ipsec.d/crls'
Jan 24 16:14:22   charon      13[CFG] received stroke: unroute 'bypasslan'
Jan 24 16:14:22   ipsec_starter   28108   shunt policy 'bypasslan' uninstalled
Jan 24 16:14:22   charon      10[CFG] received stroke: delete connection 'bypasslan'
Jan 24 16:14:22   charon      10[CFG] deleted connection 'bypasslan'
Jan 24 16:14:22   charon      11[CFG] received stroke: unroute 'con1'
Jan 24 16:14:22   ipsec_starter   28108   configuration 'con1' unrouted
Jan 24 16:14:22   charon      13[CFG] received stroke: delete connection 'con1'
Jan 24 16:14:22   charon      13[CFG] deleted connection 'con1'
Jan 24 16:14:22   charon      13[CFG] received stroke: add connection 'bypasslan'
Jan 24 16:14:22   charon      13[CFG] added configuration 'bypasslan'
Jan 24 16:14:22   charon      10[CFG] received stroke: route 'bypasslan'
Jan 24 16:14:22   ipsec_starter   28108   'bypasslan' shunt PASS policy installed
Jan 24 16:14:22   charon      08[CFG] received stroke: add connection 'con1'
Jan 24 16:14:22   charon      08[CFG] added configuration 'con1'
Jan 24 16:14:22   charon      08[CFG] received stroke: route 'con1'
Jan 24 16:14:22   ipsec_starter   28108   'con1' routed
Jan 24 16:14:26   charon      10[CFG] received stroke: terminate 'con1'
Jan 24 16:14:26   charon      10[CFG] no IKE_SA named 'con1' found
Jan 24 16:14:26   charon      16[CFG] received stroke: initiate 'con1'
Jan 24 16:14:26   charon      10[IKE] <con1|12> initiating IKE_SA con1[12] to 110.142.113.249
Jan 24 16:14:26   charon      10[ENC] <con1|12> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan 24 16:14:26   charon      10[NET] <con1|12> sending packet: from 192.168.15.2[500] to 110.142.113.249[500] (338 bytes)
Jan 24 16:14:26   charon      10[NET] <con1|12> received packet: from 110.142.113.249[500] to 192.168.15.2[500] (336 bytes)
Jan 24 16:14:26   charon      10[ENC] <con1|12> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Jan 24 16:14:26   charon      10[IKE] <con1|12> local host is behind NAT, sending keep alives
Jan 24 16:14:26   charon      10[IKE] <con1|12> remote host is behind NAT
Jan 24 16:14:26   charon      10[IKE] <con1|12> authentication of '192.168.15.2' (myself) with pre-shared key
Jan 24 16:14:26   charon      10[IKE] <con1|12> establishing CHILD_SA con1{8}
Jan 24 16:14:26   charon      10[ENC] <con1|12> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Jan 24 16:14:26   charon      10[NET] <con1|12> sending packet: from 192.168.15.2[4500] to 110.142.113.249[4500] (272 bytes)
Jan 24 16:14:27   charon      10[NET] <con1|12> received packet: from 110.142.113.249[4500] to 192.168.15.2[4500] (80 bytes)
Jan 24 16:14:27   charon      10[ENC] <con1|12> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jan 24 16:14:27   charon      10[IKE] <con1|12> received AUTHENTICATION_FAILED notify error

Offline Derelict

Re: Can't get IPSEC to connect, been trying for days.
« Reply #2 on: January 24, 2018, 01:53:09 am »
You are behind NAT. You probably need to explicitly set the public IP address as your identifier in the phase 1.

If your address is dynamic, you will probably need to set a distinguished name instead.

The other side is rejecting the authentication. You will need to be on the same page with them.
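A way to triage charon log excerpts like the ones above for the identity problem Derelict points at, as an added Python example that is not from the thread, from pfSense or from strongSwan. strongSwan picks a pre-shared key by the identities exchanged in IKE_AUTH (IDi/IDr), not by the source address of the packets, so a NAT'd peer with no explicit identifier announces its private address as its ID and a secret loaded for its public address never matches. The regexes follow the message shapes shown in the thread; the sample log lines, addresses and the `NAT_RANGES` choice are constructed for this example.

```python
"""Triage a strongSwan (charon) IKEv2 log for the NAT / PSK identity mismatch.

charon selects a pre-shared key by the identities the peers exchange in
IKE_AUTH (IDi/IDr), not by the addresses the packets come from. A peer behind
NAT that has no explicit identifier configured announces its private address
as its ID, so a secret keyed on its public address never matches and the
responder answers IKE_AUTH with N(AUTH_FAILED).
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Message shapes as charon prints them in the thread's log excerpt.
PEER_MATCH_RE = re.compile(
    r"looking for peer configs matching ([^\s\[]+)\[([^\]]+)\]\.\.\.([^\s\[]+)\[([^\]]+)\]")
NO_KEY_RE = re.compile(r"no shared key found for '([^']+)' - '([^']+)'")
SECRET_RE = re.compile(r"loaded IKE secret for (\S+) (\S+)")
NAT_RE = re.compile(r"\b(local|remote) host is behind NAT")
AUTH_FAIL_RE = re.compile(r"AUTHENTICATION_FAILED|N\(AUTH_FAILED\)")

# Address space that only shows up as an IKE identity when a peer sits behind
# NAT (RFC 1918 plus the CGNAT range); an assumption made for this example.
NAT_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


@dataclass
class Triage:
    nat_sides: set = field(default_factory=set)       # {"local", "remote"}
    secrets: list = field(default_factory=list)       # [(selector_a, selector_b)]
    lookups: list = field(default_factory=list)       # [(laddr, lid, raddr, rid)]
    missing_keys: list = field(default_factory=list)  # [(local_id, remote_id)]
    auth_failed: bool = False
    findings: list = field(default_factory=list)


def is_nat_address(ident: str) -> bool:
    """True if the identity is an RFC 1918 / CGNAT address (FQDN and DN IDs are not)."""
    try:
        addr = ipaddress.ip_address(ident)
    except ValueError:
        return False
    return any(addr in net for net in NAT_RANGES)


def secret_covers(secrets, local_id: str, remote_id: str) -> bool:
    """Does any loaded secret's selector pair match both identities?
    '%any' matches every identity; selector order is not significant."""
    def ok(sel, ident):
        return sel == "%any" or sel == ident
    return any((ok(a, local_id) and ok(b, remote_id)) or
               (ok(a, remote_id) and ok(b, local_id)) for a, b in secrets)


def analyze(lines) -> Triage:
    """Scan log lines once, then explain every 'no shared key found' event."""
    t = Triage()
    for line in lines:
        if m := NAT_RE.search(line):
            t.nat_sides.add(m.group(1))
        elif m := SECRET_RE.search(line):
            t.secrets.append((m.group(1), m.group(2)))
        elif m := PEER_MATCH_RE.search(line):
            t.lookups.append(m.groups())
        elif m := NO_KEY_RE.search(line):
            t.missing_keys.append((m.group(1), m.group(2)))
        elif AUTH_FAIL_RE.search(line):
            t.auth_failed = True

    for local_id, remote_id in dict.fromkeys(t.missing_keys):  # de-duplicate, keep order
        if secret_covers(t.secrets, local_id, remote_id):
            continue  # the loaded secrets would have matched at lookup time
        t.findings.append(
            f"no PSK selector pair matches IDs local='{local_id}' "
            f"remote='{remote_id}'; loaded selectors: {t.secrets or 'none'}")
        for side, ident in (("local", local_id), ("remote", remote_id)):
            if side in t.nat_sides and is_nat_address(ident):
                t.findings.append(
                    f"{side} peer is behind NAT and identifies itself by its "
                    f"private address {ident}; give that side an explicit "
                    f"identifier (public IP, FQDN or DN) and use the same value "
                    f"in the PSK selectors on both ends")
    return t


# Constructed sample in the same shape as the thread's excerpt (placeholder
# addresses; the local host is the responder and both sides are behind NAT).
SAMPLE_LOG = """\
Jan 24 16:14:22   charon      11[CFG] loaded IKE secret for %any 198.51.100.20
Jan 24 16:06:24   charon      07[IKE] <8> local host is behind NAT, sending keep alives
Jan 24 16:06:24   charon      07[IKE] <8> remote host is behind NAT
Jan 24 16:06:24   charon      07[CFG] <8> looking for peer configs matching 192.168.15.2[203.0.113.10]...198.51.100.20[192.168.1.2]
Jan 24 16:06:24   charon      07[IKE] <bypasslan|8> no shared key found for '203.0.113.10' - '192.168.1.2'
Jan 24 16:06:24   charon      07[ENC] <bypasslan|8> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG.splitlines()).findings:
        print("-", finding)
```

Run it against `clog /var/log/ipsec.log` output (or the IPsec log page in the GUI) and it reports which identity the secrets never cover; once both peers present identifiers that appear in each other's PSK selectors, the "no shared key found" line disappears and the script returns no findings.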

Offline tnbp

Re: Can't get IPSEC to connect, been trying for days.
« Reply #3 on: January 24, 2018, 04:30:10 pm »
Thanks mate, that fixed it. Legend.