Author Topic: ipsec phase 2 not working  (Read 206 times)


Offline irs

ipsec phase 2 not working
« on: January 29, 2018, 10:11:47 pm »
I am trying to fix this but still cannot understand how I can fix phase 2. Can anyone please help?

but not Phase 2. Make sure your access list matches exactly the opposite of ours. Check your other P2 parameters.
>>>
>>> Crypto Map IPv4 "VPN" 49 ipsec-isakmp
>>> Description:  Center
>>> Peer = static ip address
>>> Extended IP access list acl-vpn-NJB
>>> access-list acl-vpn-NJB permit ip host 172.17.0.254 172.17.7.0 0.0.0.255
>>> access-list acl-vpn-NJB permit ip host 172.17.0.4 172.17.7.0 0.0.0.255
>>> access-list acl-vpn-NJB permit ip host 172.17.0.51 172.17.7.0 0.0.0.255
>>> Current peer: same static ip address as above
>>> Security association lifetime: 4608000 kilobytes/3600 seconds
>>> Responder-Only (Y/N): N
>>> PFS (Y/N): Y
>>> DH group: group2
>>> Mixed-mode : Disabled
>>> Transform sets={
>>> vpn-aes128-sha: { esp-aes esp-sha-hmac } ,

Offline Derelict

Re: ipsec phase 2 not working
« Reply #1 on: January 29, 2018, 10:38:47 pm »
What is not working?

What is in the logs?

How is the pfSense side set up?
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESSTM

Offline irs

Re: ipsec phase 2 not working
« Reply #2 on: January 30, 2018, 09:30:11 pm »
IKE Phase 1

Key Negotiation Type: ISAKMP
Encryption: AES (128-bit)
Authentication: SHA1
Key Group: Diffie-Hellman
SA Life Time: 86400
Mode Exchange: Main
Shared Key Prefix: self generated

IPsec Phase 2

Type: ESP (Encapsulating Security Payload)
Authentication: SHA1
Encryption: AES (128-bit)
Perfect Forward Secrecy: Diffie-Hellman
SA Life: 3600
SA Life Kilobytes: 4608000

IP                    Netblock/Host
192.168.1.254/32      192.168.1.0/24
192.168.1.4/32
192.168.1.4.54/32

Inbound Ports: ALL

Offline irs

Re: ipsec phase 2 not working
« Reply #3 on: January 30, 2018, 09:42:49 pm »
Jan 31 09:35:40   charon      12[IKE] <con1000|21> activating new tasks
Jan 31 09:35:40   charon      12[IKE] <con1000|21> activating ISAKMP_DPD task
Jan 31 09:35:40   charon      12[ENC] <con1000|21> generating INFORMATIONAL_V1 request 71033770 [ HASH N(DPD) ]
Jan 31 09:35:40   charon      12[NET] <con1000|21> sending packet: from 98.xxx.xxx.xxx[500] to 64.xxx.xxx.xxx[500] (92 bytes)
Jan 31 09:35:40   charon      12[IKE] <con1000|21> activating new tasks
Jan 31 09:35:40   charon      12[IKE] <con1000|21> nothing to initiate
Jan 31 09:35:40   charon      12[NET] <con1000|21> received packet: from 64.xxx.xxx.xxx[500] to 98.xxx.xxx.xxx[500] (92 bytes)
Jan 31 09:35:40   charon      12[ENC] <con1000|21> parsed INFORMATIONAL_V1 request 422502870 [ HASH N(DPD_ACK) ]
Jan 31 09:35:40   charon      12[IKE] <con1000|21> activating new tasks
Jan 31 09:35:40   charon      12[IKE] <con1000|21> nothing to initiate
Jan 31 09:35:44   charon      06[CFG] vici client 49 connected
Jan 31 09:35:44   charon      13[CFG] vici client 49 registered for: list-sa
Jan 31 09:35:44   charon      13[CFG] vici client 49 requests: list-sas
Jan 31 09:35:44   charon      13[CFG] vici client 49 disconnected
Jan 31 09:35:49   charon      14[CFG] vici client 50 connected
Jan 31 09:35:49   charon      06[CFG] vici client 50 registered for: list-sa
Jan 31 09:35:49   charon      14[CFG] vici client 50 requests: list-sas
Jan 31 09:35:49   charon      14[CFG] vici client 50 disconnected
Jan 31 09:35:50   charon      14[IKE] <con1000|21> sending DPD request
Jan 31 09:35:50   charon      14[IKE] <con1000|21> queueing ISAKMP_DPD task
Jan 31 09:35:50   charon      14[IKE] <con1000|21> activating new tasks
Jan 31 09:35:50   charon      14[IKE] <con1000|21> activating ISAKMP_DPD task
Jan 31 09:35:50   charon      14[ENC] <con1000|21> generating INFORMATIONAL_V1 request 3516362738 [ HASH N(DPD) ]
Jan 31 09:35:50   charon      14[NET] <con1000|21> sending packet: from 98.xxx.xxx.xxx[500] to 64.xxx.xxx.xxx[500] (92 bytes)
Jan 31 09:35:50   charon      14[IKE] <con1000|21> activating new tasks
Jan 31 09:35:50   charon      14[IKE] <con1000|21> nothing to initiate
Jan 31 09:35:50   charon      14[NET] <con1000|21> received packet: from 64.xxx.xxx.xxx[500] to 98.xxx.xxx.xxx[500] (92 bytes)
Jan 31 09:35:50   charon      14[ENC] <con1000|21> parsed INFORMATIONAL_V1 request 472707021 [ HASH N(DPD_ACK) ]
Jan 31 09:35:50   charon      14[IKE] <con1000|21> activating new tasks
Jan 31 09:35:50   charon      14[IKE] <con1000|21> nothing to initiate
Jan 31 09:35:54   charon      13[CFG] vici client 51 connected
Jan 31 09:35:54   charon      13[CFG] vici client 51 registered for: list-sa
Jan 31 09:35:54   charon      05[CFG] vici client 51 requests: list-sas
Jan 31 09:35:54   charon      13[CFG] vici client 51 disconnected
Jan 31 09:35:59   charon      13[CFG] vici client 52 connected
Jan 31 09:35:59   charon      10[CFG] vici client 52 registered for: list-sa
Jan 31 09:35:59   charon      10[CFG] vici client 52 requests: list-sas
Jan 31 09:35:59   charon      10[CFG] vici client 52 disconnected
Jan 31 09:36:00   charon      10[IKE] <con1000|21> sending DPD request
Jan 31 09:36:00   charon      10[IKE] <con1000|21> queueing ISAKMP_DPD task
Jan 31 09:36:00   charon      10[IKE] <con1000|21> activating new tasks
Jan 31 09:36:00   charon      10[IKE] <con1000|21> activating ISAKMP_DPD task
Jan 31 09:36:00   charon      10[ENC] <con1000|21> generating INFORMATIONAL_V1 request 3870667372 [ HASH N(DPD) ]
Jan 31 09:36:00   charon      10[NET] <con1000|21> sending packet: from 98.xxx.xxx.xxx[500] to 64.xxx.xxx.xxx[500] (92 bytes)
Jan 31 09:36:00   charon      10[IKE] <con1000|21> activating new tasks
Jan 31 09:36:00   charon      10[IKE] <con1000|21> nothing to initiate
Jan 31 09:36:00   charon      10[NET] <con1000|21> received packet: from 64.xxx.xxx.xxx[500] to 98.xxx.xxx.xxx[500] (92 bytes)
Jan 31 09:36:00   charon      10[ENC] <con1000|21> parsed INFORMATIONAL_V1 request 483150185 [ HASH N(DPD_ACK) ]
Jan 31 09:36:00   charon      10[IKE] <con1000|21> activating new tasks
Jan 31 09:36:00   charon      10[IKE] <con1000|21> nothing to initiat

Offline irs

Re: ipsec phase 2 not working
« Reply #4 on: January 31, 2018, 06:23:49 am »
Phase 2 is not working.

Offline irs

Re: ipsec phase 2 not working
« Reply #5 on: January 31, 2018, 06:38:35 am »
Any idea what I am doing wrong that keeps phase 2 from running?


Offline Derelict

Re: ipsec phase 2 not working
« Reply #6 on: January 31, 2018, 01:51:54 pm »
Nothing in those logs is helpful. They have nothing to do with establishing connections or with failed connections.

Have you looked at this?

https://doc.pfsense.org/index.php/IPsec_Troubleshooting

Be sure IKE SA, IKE Child SA, and Configuration Backend are all set to Diag in VPN > IPsec, Advanced. Everything else can be Control.

Offline irs

Re: ipsec phase 2 not working
« Reply #7 on: February 02, 2018, 11:19:00 pm »
Thanks for your kind reply. I read that link but still cannot figure out how to NAT in IPsec to allow access to three different IP addresses.

Offline Derelict

Re: ipsec phase 2 not working
« Reply #8 on: February 03, 2018, 01:30:24 pm »
What do you mean NAT?

Based on this:

>>> access-list acl-vpn-NJB permit ip host 172.17.0.254 172.17.7.0 0.0.0.255
>>> access-list acl-vpn-NJB permit ip host 172.17.0.4 172.17.7.0 0.0.0.255
>>> access-list acl-vpn-NJB permit ip host 172.17.0.51 172.17.7.0 0.0.0.255

You would make three phase 2 tunnel entries:

Local Network: Network: 172.17.7.0 /24
Remote Network: Address: 172.17.0.254

Local Network: Network: 172.17.7.0 /24
Remote Network: Address: 172.17.0.4

Local Network: Network: 172.17.7.0 /24
Remote Network: Address: 172.17.0.51
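As an added illustration (not part of the thread and not pfSense or Cisco code), the script below derives the three mirrored pfSense phase 2 entries from the Cisco crypto-map ACL quoted above and diffs them against what is actually configured, so a mismatch like the 192.168.1.x entries in Reply #2 shows up as "missing" and "extra" selectors before anyone digs through charon logs. The ACL text and the configured pairs are constructed from the thread; `mirror_acl` and `check_phase2` are hypothetical helper names.

```python
import ipaddress
import re

# Constructed sample input: the Cisco crypto-map ACL quoted earlier in the thread.
CISCO_ACL = """
access-list acl-vpn-NJB permit ip host 172.17.0.254 172.17.7.0 0.0.0.255
access-list acl-vpn-NJB permit ip host 172.17.0.4 172.17.7.0 0.0.0.255
access-list acl-vpn-NJB permit ip host 172.17.0.51 172.17.7.0 0.0.0.255
"""

# 'permit ip <src> <dst>' where each side is either 'host A' or 'A WILDCARD'
ACL_RE = re.compile(r"access-list\s+\S+\s+permit\s+ip\s+(host\s+\S+|\S+\s+\S+)\s+(host\s+\S+|\S+\s+\S+)$")


def _to_network(token):
    """Turn a Cisco ACL operand into an ip_network; a Cisco wildcard mask is an inverted netmask."""
    parts = token.split()
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1] + "/32")
    addr, wildcard = parts
    netmask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.ip_network(f"{addr}/{bin(netmask).count('1')}", strict=False)


def mirror_acl(acl_text):
    """pfSense phase 2 (local, remote) pairs that exactly mirror the Cisco ACL:
    the Cisco destination is pfSense's local network and the Cisco source is its remote."""
    pairs = []
    for line in acl_text.strip().splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            pairs.append((str(_to_network(m.group(2))), str(_to_network(m.group(1)))))
    return pairs


def check_phase2(acl_text, configured):
    """Diff configured pfSense (local, remote) pairs against the mirrored ACL.
    'missing' = selectors the Cisco side expects that pfSense lacks,
    'extra' = pfSense selectors the Cisco side will not accept, 'invalid' = unparsable entries."""
    expected = set(mirror_acl(acl_text))
    have, invalid = set(), []
    for local, remote in configured:
        try:
            have.add((str(ipaddress.ip_network(local, strict=False)),
                      str(ipaddress.ip_network(remote, strict=False))))
        except ValueError:  # e.g. the mistyped 192.168.1.4.54/32 from Reply #2
            invalid.append((local, remote))
    return {"missing": sorted(expected - have), "extra": sorted(have - expected), "invalid": invalid}


if __name__ == "__main__":
    # The Reply #2 entries (192.168.1.x) mirror nothing in the Cisco ACL, so all three are missing.
    print(check_phase2(CISCO_ACL, [("192.168.1.0/24", "192.168.1.254/32"),
                                  ("192.168.1.0/24", "192.168.1.4.54/32")]))
```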