Hi. I'm having trouble connecting a Cisco SRP527W to pfSense using an IPsec VPN. Well, to be honest, I have problems with a single specific setup.

The SRP527W is a DSL modem/router and has a public IP. pfSense is on a fixed-IP DSL connection but NATted: there is a modem with the public IP, then a private LAN (172.16.16.x) between the modem and the firewall, which has the IP 172.16.16.2. pfSense fails to establish a connection, apparently with the following error:

racoon: [Casa Ste]: [87.14.119.1] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 87.14.119.1[0]->172.16.16.2[0]

I checked the settings for encryption, hash algorithm and DH key group, and they match. Since the Cisco doesn't have a setting for the phase 1 lifetime, I had to enable debug and go through the logs to understand what the appropriate setting was. After all this hassle the VPN still won't connect. NAT-T is enabled on both sides. I don't know what else to look for.

The only problem I can think of is the local/remote identifier fields. I tried setting the defaults on pfSense (my IP address / peer IP address), but no way. I tried using the public hostname of pfSense as the identifier for the firewall end, but still no way.

As a check, I configured my office's pfSense, which has a public IP address, to connect to the SRP, and it works great. Then I configured another VPN from my office to the other pfSense, and it works great. So the only configuration not working is between the SRP and the NATted pfSense! I don't know what else to check. Any hint is really welcome.

Thanks

P.S.
Here's part of the racoon log:

Mar 4 15:32:07 pfsense racoon: DEBUG: evaluating sainfo: loc='192.168.55.0/24', rmt='10.22.22.0/24', peer='ANY', id=2
Mar 4 15:32:07 pfsense racoon: DEBUG: remoteid mismatch: 2 != 3
Mar 4 15:32:07 pfsense racoon: DEBUG: evaluating sainfo: loc='192.168.55.0/24', rmt='192.168.15.0/24', peer='ANY', id=3
Mar 4 15:32:07 pfsense racoon: DEBUG: check and compare ids : values matched (IPv4_subnet)
Mar 4 15:32:07 pfsense racoon: DEBUG: cmpid target: '192.168.55.0/24'
Mar 4 15:32:07 pfsense racoon: DEBUG: cmpid source: '192.168.55.0/24'
Mar 4 15:32:07 pfsense racoon: DEBUG: check and compare ids : values matched (IPv4_subnet)
Mar 4 15:32:07 pfsense racoon: DEBUG: cmpid target: '192.168.15.0/24'
Mar 4 15:32:07 pfsense racoon: DEBUG: cmpid source: '192.168.15.0/24'
Mar 4 15:32:07 pfsense racoon: DEBUG: selected sainfo: loc='192.168.55.0/24', rmt='192.168.15.0/24', peer='ANY', id=3
Mar 4 15:32:07 pfsense racoon: DEBUG: (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=16574:16573)
Mar 4 15:32:07 pfsense racoon: DEBUG: (trns_id=3DES encklen=0 authtype=hmac-md5)
Mar 4 15:32:07 pfsense racoon: DEBUG: (trns_id=3DES encklen=0 authtype=hmac-sha)
Mar 4 15:32:07 pfsense racoon: DEBUG: in post_acquire
Mar 4 15:32:07 pfsense racoon: [87.14.119.1] DEBUG: configuration "87.14.119.1[500]" selected.
Mar 4 15:32:07 pfsense racoon: INFO: IPsec-SA request for 87.14.119.1 queued due to no phase1 found.
Mar 4 15:32:07 pfsense racoon: DEBUG: ===
Mar 4 15:32:07 pfsense racoon: INFO: initiate new phase 1 negotiation: 172.16.16.2[500]<=>87.14.119.1[500]
Mar 4 15:32:07 pfsense racoon: INFO: begin Aggressive mode.
Mar 4 15:32:07 pfsense racoon: DEBUG: new cookie: d33f0047a727df6d
Mar 4 15:32:07 pfsense racoon: DEBUG: use ID type of FQDN
Mar 4 15:32:07 pfsense racoon: DEBUG: compute DH's private.
Mar 4 15:32:07 pfsense racoon: DEBUG: 74acd334 0866d0a7 89800e3b ca36aa43 9eb23b83 6d3fffd1 9bf7d897 1d6a2054 e1f4deea 16994abd 3c831de0 e8dd8a23 2725c8ba 8a3703db f3469d78 882866aa 5250f4f4 d4b04a06 2f9ebeac b01183c1 3af66506 fd1abd5d ed955ef5 679a8cb1 506a82e0 29c2c8b8 0647e976 805492ff 42734137 367b9169 b5a03605 6344ab4b
Mar 4 15:32:07 pfsense racoon: DEBUG: compute DH's public.
Mar 4 15:32:07 pfsense racoon: DEBUG: 9c35f255 04e204c6 9651dd05 751d7fc9 668e79dd 8163ed73 1a398cf1 28c78ec8 f9b0330e e9c63c99 e9724127 590eb6e0 439426c8 efbd5d74 33021dd7 dcc61148 a4353741 ea4386fb 112384f0 79b5debc 470dd6b2 b1433fae 0fc12a6f 992d8b89 bbe51a24 a7128c97 c2578d03 3fc49499 9ee628cd f29c8b93 d43540b4 3bf989fa
Mar 4 15:32:07 pfsense racoon: DEBUG: authmethod is pre-shared key
Mar 4 15:32:07 pfsense racoon: DEBUG: add payload of len 52, next type 4
Mar 4 15:32:07 pfsense racoon: DEBUG: add payload of len 128, next type 10
Mar 4 15:32:07 pfsense racoon: DEBUG: add payload of len 16, next type 5
Mar 4 15:32:07 pfsense racoon: DEBUG: add payload of len 24, next type 13
Mar 4 15:32:07 pfsense racoon: DEBUG: add payload of len 20, next type 13
Mar 4 15:32:07 pfsense racoon: DEBUG: add payload of len 16, next type 13
Mar 4 15:32:07 pfsense racoon: DEBUG: add payload of len 16, next type 13
Mar 4 15:32:07 pfsense racoon: DEBUG: add payload of len 16, next type 13
Mar 4 15:32:07 pfsense racoon: DEBUG: add payload of len 16, next type 13
Mar 4 15:32:07 pfsense racoon: DEBUG: add payload of len 16, next type 0
Mar 4 15:32:07 pfsense racoon: DEBUG: 388 bytes from 172.16.16.2[500] to 87.14.119.1[500]
Mar 4 15:32:07 pfsense racoon: DEBUG: sockname 172.16.16.2[500]
Mar 4 15:32:07 pfsense racoon: DEBUG: send packet from 172.16.16.2[500]
Mar 4 15:32:07 pfsense racoon: DEBUG: send packet to 87.14.119.1[500]
Mar 4 15:32:07 pfsense racoon: DEBUG: 1 times of 388 bytes message will be sent to 87.14.119.1[500]
Mar 4 15:32:07 pfsense racoon: DEBUG: d33f0047 a727df6d 00000000 00000000 01100400 00000000 00000184 04000038 00000001 00000001 0000002c 01010001 00000024 01010000 800b0001 000c0004 00014c83 80010005 80030001 80020001 80040002 0a000084 9c35f255 04e204c6 9651dd05 751d7fc9 668e79dd 8163ed73 1a398cf1 28c78ec8 f9b0330e e9c63c99 e9724127 590eb6e0 439426c8 efbd5d74 33021dd7 dcc61148 a4353741 ea4386fb 112384f0 79b5debc 470dd6b2 b1433fae 0fc12a6f 992d8b89 bbe51a24 a7128c97 c2578d03 3fc49499 9ee628cd f29c8b93 d43540b4 3bf989fa 05000014 c7649af5 a3006135 aa508181 bf650b72 0d00001c 02000000 706f7374 612e7465 63686e69 6f6e7372 6c2e6974 0d000018 4048b7d5 6ebce885 25e7de7f 00d6c2d3 80000000 0d000014 4a131c81 07035845 5c5728f2 0e95452f 0d000014 cd604643 35df21f8 7cfdb2fc 68b6a448 0d000014 90cb8091 3ebb696e 086381b5 ec427b1f 0d000014 4485152d 18b6bbcd 0be8a846 9579ddcc 00000014 afcad713 68a1f1c9 6b8696fc 77570100
Mar 4 15:32:07 pfsense racoon: DEBUG: resend phase1 packet d33f0047a727df6d:0000000000000000
Mar 4 15:32:17 pfsense racoon: DEBUG: 388 bytes from 172.16.16.2[500] to 87.14.119.1[500]
Mar 4 15:32:17 pfsense racoon: DEBUG: sockname 172.16.16.2[500]
Mar 4 15:32:17 pfsense racoon: DEBUG: send packet from 172.16.16.2[500]
Mar 4 15:32:17 pfsense racoon: DEBUG: send packet to 87.14.119.1[500]
Mar 4 15:32:17 pfsense racoon: DEBUG: 1 times of 388 bytes message will be sent to 87.14.119.1[500]
Mar 4 15:32:17 pfsense racoon: DEBUG: d33f0047 a727df6d 00000000 00000000 01100400 00000000 00000184 04000038 00000001 00000001 0000002c 01010001 00000024 01010000 800b0001 000c0004 00014c83 80010005 80030001 80020001 80040002 0a000084 9c35f255 04e204c6 9651dd05 751d7fc9 668e79dd 8163ed73 1a398cf1 28c78ec8 f9b0330e e9c63c99 e9724127 590eb6e0 439426c8 efbd5d74 33021dd7 dcc61148 a4353741 ea4386fb 112384f0 79b5debc 470dd6b2 b1433fae 0fc12a6f 992d8b89 bbe51a24 a7128c97 c2578d03 3fc49499 9ee628cd f29c8b93 d43540b4 3bf989fa 05000014 c7649af5 a3006135 aa508181 bf650b72 0d00001c 02000000 706f7374 612e7465 63686e69 6f6e7372 6c2e6974 0d000018 4048b7d5 6ebce885 25e7de7f 00d6c2d3 80000000 0d000014 4a131c81 07035845 5c5728f2 0e95452f 0d000014 cd604643 35df21f8 7cfdb2fc 68b6a448 0d000014 90cb8091 3ebb696e 086381b5 ec427b1f 0d000014 4485152d 18b6bbcd 0be8a846 9579ddcc 00000014 afcad713 68a1f1c9 6b8696fc 77570100
Mar 4 15:32:17 pfsense racoon: DEBUG: resend phase1 packet d33f0047a727df6d:0000000000000000
Mar 4 15:32:25 pfsense racoon: DEBUG: KA: 172.16.16.2[4500]->93.149.11.106[4500]
Mar 4 15:32:25 pfsense racoon: DEBUG: sockname 172.16.16.2[4500]
Mar 4 15:32:25 pfsense racoon: DEBUG: send packet from 172.16.16.2[4500]
Mar 4 15:32:25 pfsense racoon: DEBUG: send packet to 93.149.11.106[4500]
Mar 4 15:32:25 pfsense racoon: DEBUG: 1 times of 1 bytes message will be sent to 93.149.11.106[4500]
Mar 4 15:32:25 pfsense racoon: DEBUG: ff
Mar 4 15:32:27 pfsense racoon: DEBUG: 388 bytes from 172.16.16.2[500] to 87.14.119.1[500]
Mar 4 15:32:27 pfsense racoon: DEBUG: sockname 172.16.16.2[500]
Mar 4 15:32:27 pfsense racoon: DEBUG: send packet from 172.16.16.2[500]
Mar 4 15:32:27 pfsense racoon: DEBUG: send packet to 87.14.119.1[500]
Mar 4 15:32:27 pfsense racoon: DEBUG: 1 times of 388 bytes message will be sent to 87.14.119.1[500]
Mar 4 15:32:27 pfsense racoon: DEBUG: d33f0047 a727df6d 00000000 00000000 01100400 00000000 00000184 04000038 00000001 00000001 0000002c 01010001 00000024 01010000 800b0001 000c0004 00014c83 80010005 80030001 80020001 80040002 0a000084 9c35f255 04e204c6 9651dd05 751d7fc9 668e79dd 8163ed73 1a398cf1 28c78ec8 f9b0330e e9c63c99 e9724127 590eb6e0 439426c8 efbd5d74 33021dd7 dcc61148 a4353741 ea4386fb 112384f0 79b5debc 470dd6b2 b1433fae 0fc12a6f 992d8b89 bbe51a24 a7128c97 c2578d03 3fc49499 9ee628cd f29c8b93 d43540b4 3bf989fa 05000014 c7649af5 a3006135 aa508181 bf650b72 0d00001c 02000000 706f7374 612e7465 63686e69 6f6e7372 6c2e6974 0d000018 4048b7d5 6ebce885 25e7de7f 00d6c2d3 80000000 0d000014 4a131c81 07035845 5c5728f2 0e95452f 0d000014 cd604643 35df21f8 7cfdb2fc 68b6a448 0d000014 90cb8091 3ebb696e 086381b5 ec427b1f 0d000014 4485152d 18b6bbcd 0be8a846 9579ddcc 00000014 afcad713 68a1f1c9 6b8696fc 77570100
Mar 4 15:32:27 pfsense racoon: DEBUG: resend phase1 packet d33f0047a727df6d:0000000000000000
Mar 4 15:32:37 pfsense racoon: DEBUG: 388 bytes from 172.16.16.2[500] to 87.14.119.1[500]
Mar 4 15:32:37 pfsense racoon: DEBUG: sockname 172.16.16.2[500]
Mar 4 15:32:37 pfsense racoon: DEBUG: send packet from 172.16.16.2[500]
Mar 4 15:32:37 pfsense racoon: DEBUG: send packet to 87.14.119.1[500]
Mar 4 15:32:37 pfsense racoon: DEBUG: 1 times of 388 bytes message will be sent to 87.14.119.1[500]
Mar 4 15:32:37 pfsense racoon: DEBUG: d33f0047 a727df6d 00000000 00000000 01100400 00000000 00000184 04000038 00000001 00000001 0000002c 01010001 00000024 01010000 800b0001 000c0004 00014c83 80010005 80030001 80020001 80040002 0a000084 9c35f255 04e204c6 9651dd05 751d7fc9 668e79dd 8163ed73 1a398cf1 28c78ec8 f9b0330e e9c63c99 e9724127 590eb6e0 439426c8 efbd5d74 33021dd7 dcc61148 a4353741 ea4386fb 112384f0 79b5debc 470dd6b2 b1433fae 0fc12a6f 992d8b89 bbe51a24 a7128c97 c2578d03 3fc49499 9ee628cd f29c8b93 d43540b4 3bf989fa 05000014 c7649af5 a3006135 aa508181 bf650b72 0d00001c 02000000 706f7374 612e7465 63686e69 6f6e7372 6c2e6974 0d000018 4048b7d5 6ebce885 25e7de7f 00d6c2d3 80000000 0d000014 4a131c81 07035845 5c5728f2 0e95452f 0d000014 cd604643 35df21f8 7cfdb2fc 68b6a448 0d000014 90cb8091 3ebb696e 086381b5 ec427b1f 0d000014 4485152d 18b6bbcd 0be8a846 9579ddcc 00000014 afcad713 68a1f1c9 6b8696fc 77570100
Mar 4 15:32:37 pfsense racoon: DEBUG: resend phase1 packet d33f0047a727df6d:0000000000000000
Mar 4 15:32:39 pfsense racoon: [87.14.119.1] ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 87.14.119.1[0]->172.16.16.2[0]
Mar 4 15:32:39 pfsense racoon: INFO: delete phase 2 handler.
Mar 4 15:32:45 pfsense racoon: DEBUG: KA: 172.16.16.2[4500]->93.149.11.106[4500]
Mar 4 15:32:45 pfsense racoon: DEBUG: sockname 172.16.16.2[4500]
Mar 4 15:32:45 pfsense racoon: DEBUG: send packet from 172.16.16.2[4500]
Mar 4 15:32:45 pfsense racoon: DEBUG: send packet to 93.149.11.106[4500]
Mar 4 15:32:45 pfsense racoon: DEBUG: 1 times of 1 bytes message will be sent to 93.149.11.106[4500]
Mar 4 15:32:45 pfsense racoon: DEBUG: ff
Mar 4 15:32:47 pfsense racoon: DEBUG: 388 bytes from 172.16.16.2[500] to 87.14.119.1[500]
Mar 4 15:32:47 pfsense racoon: DEBUG: sockname 172.16.16.2[500]
Mar 4 15:32:47 pfsense racoon: DEBUG: send packet from 172.16.16.2[500]
Mar 4 15:32:47 pfsense racoon: DEBUG: send packet to 87.14.119.1[500]
Mar 4 15:32:47 pfsense racoon: DEBUG: 1 times of 388 bytes message will be sent to 87.14.119.1[500]

--
Lorenzo Milesi - [email protected]
YetOpen S.r.l. - http://www.yetopen.it/

_______________________________________________
List mailing list
[email protected]
http://lists.pfsense.org/mailman/listinfo/list
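Decoding the 388-byte packet that racoon dumped four times makes the log easier to read than the raw hex. What follows is an added example, not code from the original post and not pfSense's or racoon's own code: a minimal Python parser for the IKEv1 header and payload chain (RFC 2408), the Phase 1 transform attributes (RFC 2409), the ID payload (RFC 2407) and the Vendor ID payloads, run over the packet transcribed from the log. The NAT-T vendor IDs are recognised by recomputing them as the MD5 of the names RFC 3947 specifies, the DPD vendor ID is matched against the fixed value in RFC 3706, and any other vendor ID is reported raw rather than guessed. What the decode shows: exchange type 4 (Aggressive mode) with pre-shared key authentication, an FQDN-type identity sent in message 1, a proposal of 3DES/MD5/DH group 2 with an 85123-second lifetime, and a responder cookie of all zeros in each of the four byte-identical retransmissions, so no reply from 87.14.119.1 ever reached racoon. One caveat worth keeping in mind while experimenting with the identifier fields: in Aggressive mode with pre-shared keys the identities travel in the clear and the responder's authentication hash in message 2 can be brute-forced offline by anyone who captures the exchange, so Main mode is preferable wherever both ends support it.

```python
"""Decode the IKEv1 Aggressive mode packet racoon dumped in the log above.

Added example, not code from the original post or from pfSense/racoon.
"""
import hashlib
import struct

PAYLOAD_NAMES = {1: "SA", 4: "KE", 5: "ID", 10: "NONCE", 13: "VID"}
EXCHANGE_NAMES = {2: "Main", 4: "Aggressive"}
# Phase 1 attribute classes from RFC 2409 Appendix A.
ATTR_NAMES = {1: "encryption", 2: "hash", 3: "auth_method", 4: "dh_group",
              11: "life_type", 12: "life_duration"}
ID_TYPE_NAMES = {1: "IPV4_ADDR", 2: "FQDN", 3: "USER_FQDN"}

# NAT-T vendor IDs are the MD5 of the draft/RFC name (RFC 3947 section 3.1);
# DPD is the fixed value from RFC 3706 section 5.3.  Anything else is reported raw.
KNOWN_VIDS = {hashlib.md5(s.encode()).digest(): s for s in (
    "RFC 3947", "draft-ietf-ipsec-nat-t-ike-02",
    "draft-ietf-ipsec-nat-t-ike-02\n", "draft-ietf-ipsec-nat-t-ike-00")}
KNOWN_VIDS[bytes.fromhex("afcad71368a1f1c96b8696fc77570100")] = "DPD (RFC 3706)"

# The packet racoon sent four times, transcribed from the log above.
PACKET_HEX = """
d33f0047 a727df6d 00000000 00000000 01100400 00000000 00000184
04000038 00000001 00000001 0000002c 01010001 00000024 01010000
800b0001 000c0004 00014c83 80010005 80030001 80020001 80040002
0a000084 9c35f255 04e204c6 9651dd05 751d7fc9 668e79dd 8163ed73
1a398cf1 28c78ec8 f9b0330e e9c63c99 e9724127 590eb6e0 439426c8
efbd5d74 33021dd7 dcc61148 a4353741 ea4386fb 112384f0 79b5debc
470dd6b2 b1433fae 0fc12a6f 992d8b89 bbe51a24 a7128c97 c2578d03
3fc49499 9ee628cd f29c8b93 d43540b4 3bf989fa 05000014 c7649af5
a3006135 aa508181 bf650b72 0d00001c 02000000 706f7374 612e7465
63686e69 6f6e7372 6c2e6974 0d000018 4048b7d5 6ebce885 25e7de7f
00d6c2d3 80000000 0d000014 4a131c81 07035845 5c5728f2 0e95452f
0d000014 cd604643 35df21f8 7cfdb2fc 68b6a448 0d000014 90cb8091
3ebb696e 086381b5 ec427b1f 0d000014 4485152d 18b6bbcd 0be8a846
9579ddcc 00000014 afcad713 68a1f1c9 6b8696fc 77570100
"""


def parse_attributes(data):
    """ISAKMP data attributes (RFC 2408 section 3.3): TV form when the AF bit is set, else TLV."""
    attrs, off = {}, 0
    while off < len(data):
        atype, val = struct.unpack_from("!HH", data, off)
        off += 4
        if atype & 0x8000:
            atype, value = atype & 0x7FFF, val
        else:
            value = int.from_bytes(data[off:off + val], "big")
            off += val
        attrs[ATTR_NAMES.get(atype, atype)] = value
    return attrs


def parse_sa(body):
    """First proposal/transform of a Phase 1 SA payload; body excludes the generic payload header."""
    doi, _situation = struct.unpack_from("!II", body, 0)
    _, _, _plen, _pnum, proto, spisize, _ntrans = struct.unpack_from("!BBHBBBB", body, 8)
    toff = 16 + spisize
    _, _, tlen, _tnum, tid, _ = struct.unpack_from("!BBHBBH", body, toff)
    return {"doi": doi, "protocol": proto, "transform_id": tid,
            "attributes": parse_attributes(body[toff + 8:toff + tlen])}


def parse_isakmp(pkt):
    """Walk the 28-byte ISAKMP header and the payload chain; return what was found."""
    icky, rcky, nxt, version, exch, _flags, _msgid, length = struct.unpack_from("!8s8sBBBBII", pkt, 0)
    if length != len(pkt):
        raise ValueError(f"header says {length} bytes, packet has {len(pkt)}")
    out = {"initiator_cookie": icky.hex(), "responder_cookie": rcky.hex(),
           "version": f"{version >> 4}.{version & 0xF}",
           "exchange": EXCHANGE_NAMES.get(exch, exch), "length": length,
           # A zero responder cookie means no reply from the peer has been folded in yet.
           "responder_replied": rcky != bytes(8),
           "payloads": [], "vendor_ids": []}
    off, ptype = 28, nxt
    while ptype and off + 4 <= len(pkt):
        nxt, _, plen = struct.unpack_from("!BBH", pkt, off)
        if plen < 4:
            raise ValueError("malformed payload length")
        body = pkt[off + 4:off + plen]
        out["payloads"].append(PAYLOAD_NAMES.get(ptype, ptype))
        if ptype == 1:
            out["sa"] = parse_sa(body)
        elif ptype == 4:
            out["ke_bits"] = len(body) * 8
        elif ptype == 5:  # RFC 2407 4.6.2: type, protocol, port, then identification data
            idtype, _proto, _port = struct.unpack_from("!BBH", body, 0)
            out["id"] = {"type": ID_TYPE_NAMES.get(idtype, idtype),
                         "value": body[4:].decode("ascii", "replace")}
        elif ptype == 13:
            # Some vendor IDs append a version word to the 16-byte hash, so also try a prefix match.
            out["vendor_ids"].append(KNOWN_VIDS.get(body) or KNOWN_VIDS.get(body[:16])
                                     or "unknown " + body.hex())
        off, ptype = off + plen, nxt
    return out


def decode_log_packet():
    return parse_isakmp(bytes.fromhex("".join(PACKET_HEX.split())))


if __name__ == "__main__":
    p = decode_log_packet()
    print(f"IKEv{p['version']} {p['exchange']} mode, {p['length']} bytes, "
          f"cookies {p['initiator_cookie']}:{p['responder_cookie']}")
    print("payload chain:", " -> ".join(p["payloads"]))
    print("phase 1 proposal:", p["sa"]["attributes"])
    print("identity sent in the clear:", p["id"])
    print("vendor IDs:", p["vendor_ids"])
    print("peer has replied:", p["responder_replied"])
```

Run it as a script to print the summary. The attribute numbers it reports map to the racoon debug lines above (encryption 5 is 3DES-CBC, hash 1 is MD5, auth method 1 is pre-shared key, group 2 is the 1024-bit MODP group matching the 128-byte KE payload), and the life_duration value is the odd Phase 1 lifetime the post mentions having copied from the Cisco side.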
