
Topic: SG-3100 IPSec ---


Offline Phonebuff

SG-3100 IPSec ---
« on: February 07, 2018, 12:56:09 pm »

I am attempting to start an IPsec tunnel from an SG-3100 that was upgraded to 2.4.2_1.

Comcast -- DMZ Port --  3100 WAN --- 3100 LAN --

So the first issue is that the web page never updates / refreshes when I try to enable the link (P2 & P1), but if I try to disable them it refreshes immediately.

I should note that this worked previously from a Comcast link with multiple IPs and in bridge mode, but I don't have that luxury here.

-- My Identifier is Dynamic DNS with the FQDN, which can be pinged and is validated.

-- Peer Identifier is Peer IP Address (is this correct??)

Must be missing something, but not really sure what at this point -

Any help guidance appreciated --


Offline Phonebuff

Re: SG-3100 IPSec ---
« Reply #1 on: February 07, 2018, 01:12:39 pm »

So I forgot to mention --

   No matter how long I let the Enable / Apply spin, the IPsec status page indicates "No IPSEC Status available".

   The log has a number of entries, ending with --

    Feb 7 14:09:19   charon      00[DMN] signal of type SIGINT received. Shutting down

Offline Phonebuff

Re: SG-3100 IPSec ---
« Reply #2 on: February 07, 2018, 01:18:17 pm »
One more part --

Code:
Feb 7 14:07:00 charon 13[NET] <con1000|3> sending packet: from 172.16.200.20[500] to xxx.xxxx.xxx.x[500] (180 bytes)
Feb 7 14:07:00 charon 13[NET] <con1000|3> received packet: from xxx.xxx.xxx.x[500] to 172.16.200.20[500] (160 bytes)
Feb 7 14:07:00 charon 13[ENC] <con1000|3> parsed ID_PROT response 0 [ SA V V V V ]
Feb 7 14:07:00 charon 13[IKE] <con1000|3> received XAuth vendor ID
Feb 7 14:07:00 charon 13[IKE] <con1000|3> received DPD vendor ID
Feb 7 14:07:00 charon 13[IKE] <con1000|3> received FRAGMENTATION vendor ID
Feb 7 14:07:00 charon 13[IKE] <con1000|3> received NAT-T (RFC 3947) vendor ID
Feb 7 14:07:00 charon 13[ENC] <con1000|3> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Feb 7 14:07:00 charon 13[NET] <con1000|3> sending packet: from 172.16.200.20[500] to xxx.xxxx.xxx.x[500] (244 bytes)
Feb 7 14:07:00 charon 13[NET] <con1000|3> received packet: from xxx.xxx.xxx.x[500] to 172.16.200.20[500] (244 bytes)
Feb 7 14:07:00 charon 13[ENC] <con1000|3> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Feb 7 14:07:00 charon 13[IKE] <con1000|3> local host is behind NAT, sending keep alives
Feb 7 14:07:00 charon 13[ENC] <con1000|3> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Feb 7 14:07:00 charon 13[NET] <con1000|3> sending packet: from 172.16.200.20[4500] to xxx.xxx.xxx.x[4500] (108 bytes)
Feb 7 14:07:01 charon 13[NET] <con1000|3> received packet: from xxx.xxx.xxx.x[4500] to 172.16.200.20[4500] (92 bytes)
Feb 7 14:07:01 charon 13[ENC] <con1000|3> parsed INFORMATIONAL_V1 request 907020096 [ HASH N(AUTH_FAILED) ]
Feb 7 14:07:01 charon 13[IKE] <con1000|3> received AUTHENTICATION_FAILED error notify
Feb 7 14:09:19 charon 00[DMN] signal of type SIGINT received. Shutting down
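The charon lines above tell a complete story once they are read in order: an IKEv1 main-mode (ID_PROT) exchange, NAT-D payloads that reveal the SG-3100 is behind NAT so the negotiation moves to UDP/4500, the ID/HASH message being sent, the peer answering with AUTHENTICATION_FAILED, and finally the daemon being stopped by SIGINT. The following Python script is an added example, not code from this thread, from pfSense or from strongSwan: it parses charon syslog lines of this shape and summarises where the negotiation failed, which is the check a defender would run before touching the identifier or pre-shared key settings. The sample lines are constructed after the posted log; the connection name con1000 and the local address 172.16.200.20 are taken from the thread, and the peer address is left as the poster's placeholder.

```python
"""Summarise a strongSwan charon IKEv1 negotiation from syslog lines."""
import re

# Constructed sample modelled on the thread's log (peer address kept as the
# poster's xxx.xxx.xxx.x placeholder); not a capture from a real system.
SAMPLE_LOG = """\
Feb 7 14:07:00 charon 13[NET] <con1000|3> sending packet: from 172.16.200.20[500] to xxx.xxx.xxx.x[500] (180 bytes)
Feb 7 14:07:00 charon 13[ENC] <con1000|3> parsed ID_PROT response 0 [ SA V V V V ]
Feb 7 14:07:00 charon 13[IKE] <con1000|3> received NAT-T (RFC 3947) vendor ID
Feb 7 14:07:00 charon 13[ENC] <con1000|3> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Feb 7 14:07:00 charon 13[IKE] <con1000|3> local host is behind NAT, sending keep alives
Feb 7 14:07:00 charon 13[ENC] <con1000|3> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Feb 7 14:07:00 charon 13[NET] <con1000|3> sending packet: from 172.16.200.20[4500] to xxx.xxx.xxx.x[4500] (108 bytes)
Feb 7 14:07:01 charon 13[ENC] <con1000|3> parsed INFORMATIONAL_V1 request 907020096 [ HASH N(AUTH_FAILED) ]
Feb 7 14:07:01 charon 13[IKE] <con1000|3> received AUTHENTICATION_FAILED error notify
Feb 7 14:09:19 charon 00[DMN] signal of type SIGINT received. Shutting down
"""

# "<timestamp> charon <thread>[<group>] [<conn|ike_sa>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) charon +(?P<thread>\d+)\[(?P<grp>\w+)\]"
    r"(?: <(?P<conn>[^|>]+)\|(?P<ike_sa>\d+)>)? (?P<msg>.*)$"
)
PACKET_RE = re.compile(
    r"(?P<dir>sending|received) packet: from (?P<src>\S+)\[(?P<sport>\d+)\]"
    r" to (?P<dst>\S+)\[(?P<dport>\d+)\]"
)
GENERATING_RE = re.compile(r"generating \S+ request \d+ \[ (.*) \]")


def parse_line(line):
    """Split one charon syslog line into fields; None if it is not a charon line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyse(log_text):
    """Walk the log once and record the facts that decide the diagnosis."""
    summary = {
        "connections": set(),
        "ike_version": None,        # "IKEv1 (main mode)" or "IKEv2"
        "behind_nat": False,        # charon's own NAT-D verdict
        "nat_t_port": None,         # 4500 once NAT traversal is in use
        "last_payloads_sent": None, # payloads of our most recent request
        "auth_failed": False,       # peer sent AUTHENTICATION_FAILED
        "daemon_stopped": False,    # charon received a termination signal
    }
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if rec["conn"]:
            summary["connections"].add(rec["conn"])
        if "ID_PROT" in msg:
            summary["ike_version"] = "IKEv1 (main mode)"
        elif "IKE_SA_INIT" in msg or "IKE_AUTH" in msg:
            summary["ike_version"] = "IKEv2"
        if "local host is behind NAT" in msg:
            summary["behind_nat"] = True
        pm = PACKET_RE.search(msg)
        if pm and pm.group("dir") == "sending" and pm.group("dport") == "4500":
            summary["nat_t_port"] = 4500
        gm = GENERATING_RE.search(msg)
        if gm:
            summary["last_payloads_sent"] = gm.group(1)
        if "AUTHENTICATION_FAILED" in msg or "N(AUTH_FAILED)" in msg:
            summary["auth_failed"] = True
        if "Shutting down" in msg:
            summary["daemon_stopped"] = True
    summary["connections"] = sorted(summary["connections"])
    return summary


def hints(summary):
    """Turn the summary into the checks an operator should make, in order."""
    out = []
    sent = summary["last_payloads_sent"] or ""
    if summary["auth_failed"] and summary["ike_version"] == "IKEv1 (main mode)" and sent.startswith("ID HASH"):
        out.append("Peer rejected our ID/HASH message (main mode msg 5): the identifier we "
                   "sent does not match what the peer expects, or the pre-shared key differs.")
    if summary["behind_nat"]:
        out.append("This host is behind NAT: the peer sees the NAT's public address, so an "
                   "IP-address identifier carrying our private address will not match on its side.")
    if summary["daemon_stopped"]:
        out.append("charon was told to terminate (SIGINT) before the SA came up; check whether "
                   "the service was restarted while the negotiation was still running.")
    return out


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for key, value in result.items():
        print(f"{key}: {value}")
    for h in hints(result):
        print("-", h)
```

Run it against the real log (for example `analyse(open("/var/log/ipsec.log").read())`, a path that is an assumption here) and the first hint is the one to act on; the NAT hint matters because a "Peer Identifier" of "Peer IP Address" on the remote end only matches if that end compares against the address it actually sees, which behind NAT is the public one.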