ended up being the crappy Cisco not correctly taking the settings. After creating a new IKE and IPSEC policy on the router with the correct settings it worked immediately!
----- Original Message -----
> From: "Lorenzo Milesi" <[email protected]>
> To: "pfSense support and discussion" <[email protected]>
> Sent: Tuesday, 4 March 2014 15:34:43
> Subject: [pfSense] IPSec to Cisco SRP527W not working: time up waiting for
> phase1
>
> Hi.
> I'm having trouble connecting a Cisco SRP527W to pfSense using an IPSec VPN.
> Well, to be honest I have problems with a single specific setup.
>
> The SRP527W is a DSL modem/router, and has a public IP.
> pfSense is on a fixed IP DSL connection but NATted: there is a modem with the
> public ip, then a private lan (172.16.16.x) between the modem and the
> firewall, which has IP 172.16.16.2.
>
> pfSense fails to establish a connection apparently with the following error:
> racoon: [Casa Ste]: [87.14.119.1] ERROR: phase2 negotiation failed due to
> time up waiting for phase1 [Remote Side not responding]. ESP
> 87.14.119.1[0]->172.16.16.2[0]
>
> I checked settings of encryption, hash algorithm and DH key group and they
> match. Since the Cisco doesn't have a setting for phase1 lifetime I had to
> enable debug and go through the logs to understand what was the appropriate
> setting. After all this hassle the VPN still won't connect.
> NAT-T is enabled on both sides.
>
> I don't know what else to look for.
> The only problem I can think of are the local/remote identifier fields.
> I tried setting defaults on pfSense (my ip address/peer ip address) but no
> way. I tried using the public hostname of pfSense as identifier for the
> firewall end, but still no way.
>
>
> As a check I configured my office's pfSense, which has a public IP address,
> to connect to the SRP and it works great.
> Then I configured another VPN from my office to the other pfSense and it works
> great.
> So the only configuration not working is between the SRP and the NATted
> pfSense!
>
>
> I don't know what else to check. Any hint is really welcome.
> Thanks
>
>
> P.S. here's part of the racoon log
>
> Mar 4 15:32:07 pfsense racoon: DEBUG: evaluating sainfo:
> loc='192.168.55.0/24', rmt='10.22.22.0/24', peer='ANY', id=2
> Mar 4 15:32:07 pfsense racoon: DEBUG: remoteid mismatch: 2 != 3
> Mar 4 15:32:07 pfsense racoon: DEBUG: evaluating sainfo:
> loc='192.168.55.0/24', rmt='192.168.15.0/24', peer='ANY', id=3
> Mar 4 15:32:07 pfsense racoon: DEBUG: check and compare ids : values matched
> (IPv4_subnet)
> Mar 4 15:32:07 pfsense racoon: DEBUG: cmpid target: '192.168.55.0/24'
> Mar 4 15:32:07 pfsense racoon: DEBUG: cmpid source: '192.168.55.0/24'
> Mar 4 15:32:07 pfsense racoon: DEBUG: check and compare ids : values matched
> (IPv4_subnet)
> Mar 4 15:32:07 pfsense racoon: DEBUG: cmpid target: '192.168.15.0/24'
> Mar 4 15:32:07 pfsense racoon: DEBUG: cmpid source: '192.168.15.0/24'
> Mar 4 15:32:07 pfsense racoon: DEBUG: selected sainfo:
> loc='192.168.55.0/24', rmt='192.168.15.0/24', peer='ANY', id=3
> Mar 4 15:32:07 pfsense racoon: DEBUG: (proto_id=ESP spisize=4 spi=00000000
> spi_p=00000000 encmode=Tunnel reqid=16574:16573)
> Mar 4 15:32:07 pfsense racoon: DEBUG: (trns_id=3DES encklen=0
> authtype=hmac-md5)
> Mar 4 15:32:07 pfsense racoon: DEBUG: (trns_id=3DES encklen=0
> authtype=hmac-sha)
> Mar 4 15:32:07 pfsense racoon: DEBUG: in post_acquire
> Mar 4 15:32:07 pfsense racoon: [87.14.119.1] DEBUG: configuration
> "87.14.119.1[500]" selected.
> Mar 4 15:32:07 pfsense racoon: INFO: IPsec-SA request for 87.14.119.1 queued
> due to no phase1 found.
> Mar 4 15:32:07 pfsense racoon: DEBUG: ===
> Mar 4 15:32:07 pfsense racoon: INFO: initiate new phase 1 negotiation:
> 172.16.16.2[500]<=>87.14.119.1[500]
> Mar 4 15:32:07 pfsense racoon: INFO: begin Aggressive mode.
> Mar 4 15:32:07 pfsense racoon: DEBUG: new cookie: d33f0047a727df6d
> Mar 4 15:32:07 pfsense racoon: DEBUG: use ID type of FQDN
> Mar 4 15:32:07 pfsense racoon: DEBUG: compute DH's private.
> Mar 4 15:32:07 pfsense racoon: DEBUG: 74acd334 0866d0a7 89800e3b ca36aa43
> 9eb23b83 6d3fffd1 9bf7d897 1d6a2054 e1f4deea 16994abd 3c831de0 e8dd8a23
> 2725c8ba 8a3703db f3469d78 882866aa 5250f4f4 d4b04a06 2f9ebeac
> b01183c1 3af66506 fd1abd5d ed955ef5 679a8cb1 506a82e0 29c2c8b8 0647e976
> 805492ff 42734137 367b9169 b5a03605 6344ab4b
> Mar 4 15:32:07 pfsense racoon: DEBUG: compute DH's public.
> Mar 4 15:32:07 pfsense racoon: DEBUG: 9c35f255 04e204c6 9651dd05 751d7fc9
> 668e79dd 8163ed73 1a398cf1 28c78ec8 f9b0330e e9c63c99 e9724127 590eb6e0
> 439426c8 efbd5d74 33021dd7 dcc61148 a4353741 ea4386fb 112384f0
> 79b5debc 470dd6b2 b1433fae 0fc12a6f 992d8b89 bbe51a24 a7128c97 c2578d03
> 3fc49499 9ee628cd f29c8b93 d43540b4 3bf989fa
> Mar 4 15:32:07 pfsense racoon: DEBUG: authmethod is pre-shared key
> Mar 4 15:32:07 pfsense racoon: DEBUG: add payload of len 52, next type 4
> Mar 4 15:32:07 pfsense racoon: DEBUG: add payload of len 128, next type 10
> Mar 4 15:32:07 pfsense racoon: DEBUG: add payload of len 16, next type 5
> Mar 4 15:32:07 pfsense racoon: DEBUG: add payload of len 24, next type 13
> Mar 4 15:32:07 pfsense racoon: DEBUG: add payload of len 20, next type 13
> Mar 4 15:32:07 pfsense racoon: DEBUG: add payload of len 16, next type 13
> Mar 4 15:32:07 pfsense racoon: DEBUG: add payload of len 16, next type 13
> Mar 4 15:32:07 pfsense racoon: DEBUG: add payload of len 16, next type 13
> Mar 4 15:32:07 pfsense racoon: DEBUG: add payload of len 16, next type 13
> Mar 4 15:32:07 pfsense racoon: DEBUG: add payload of len 16, next type 0
> Mar 4 15:32:07 pfsense racoon: DEBUG: 388 bytes from 172.16.16.2[500] to
> 87.14.119.1[500]
> Mar 4 15:32:07 pfsense racoon: DEBUG: sockname 172.16.16.2[500]
> Mar 4 15:32:07 pfsense racoon: DEBUG: send packet from 172.16.16.2[500]
> Mar 4 15:32:07 pfsense racoon: DEBUG: send packet to 87.14.119.1[500]
> Mar 4 15:32:07 pfsense racoon: DEBUG: 1 times of 388 bytes message will be
> sent to 87.14.119.1[500]
> Mar 4 15:32:07 pfsense racoon: DEBUG: d33f0047 a727df6d 00000000 00000000
> 01100400 00000000 00000184 04000038 00000001 00000001 0000002c 01010001
> 00000024 01010000 800b0001 000c0004 00014c83 80010005 80030001 80020001
> 80040002 0a000084 9c35f255 04e204c6 9651dd05 751d7fc9 668e79dd 8163ed73
> 1a398cf1 28c78ec8 f9b0330e e9c63c99 e9724127 590eb6e0 439426c8 efbd5d74
> 33021dd7 dcc61148 a4353741 ea4386fb 112384f0 79b5debc 470dd6b2 b1433fae
> 0fc12a6f 992d8b89 bbe51a24 a7128c97 c2578d03 3fc49499 9ee628cd f29c8b93
> d43540b4 3bf989fa 05000014 c7649af5 a3006135 aa508181 bf650b72 0d00001c
> 02000000 706f7374 612e7465 63686e69 6f6e7372 6c2e6974 0d000018 4048b7d5
> 6ebce885 25e7de7f 00d6c2d3 80000000 0d000014 4a131c81 07035845 5c5728f2
> 0e95452f 0d000014 cd604643 35df21f8 7cfdb2fc 68b6a448 0d000014 90cb8091
> 3ebb696e 086381b5 ec427b1f 0d000014 4485152d 18b6bbcd 0be8a846 9579ddcc
> 00000014 afcad713 68a1f1c9 6b8696fc 77570100
> Mar 4 15:32:07 pfsense racoon: DEBUG: resend phase1 packet
> d33f0047a727df6d:0000000000000000
> Mar 4 15:32:17 pfsense racoon: DEBUG: 388 bytes from 172.16.16.2[500] to
> 87.14.119.1[500]
> Mar 4 15:32:17 pfsense racoon: DEBUG: sockname 172.16.16.2[500]
> Mar 4 15:32:17 pfsense racoon: DEBUG: send packet from 172.16.16.2[500]
> Mar 4 15:32:17 pfsense racoon: DEBUG: send packet to 87.14.119.1[500]
> Mar 4 15:32:17 pfsense racoon: DEBUG: 1 times of 388 bytes message will be
> sent to 87.14.119.1[500]
> Mar 4 15:32:17 pfsense racoon: DEBUG: d33f0047 a727df6d 00000000 00000000
> 01100400 00000000 00000184 04000038 00000001 00000001 0000002c 01010001
> 00000024 01010000 800b0001 000c0004 00014c83 80010005 80030001 80020001
> 80040002 0a000084 9c35f255 04e204c6 9651dd05 751d7fc9 668e79dd 8163ed73
> 1a398cf1 28c78ec8 f9b0330e e9c63c99 e9724127 590eb6e0 439426c8 efbd5d74
> 33021dd7 dcc61148 a4353741 ea4386fb 112384f0 79b5debc 470dd6b2 b1433fae
> 0fc12a6f 992d8b89 bbe51a24 a7128c97 c2578d03 3fc49499 9ee628cd f29c8b93
> d43540b4 3bf989fa 05000014 c7649af5 a3006135 aa508181 bf650b72 0d00001c
> 02000000 706f7374 612e7465 63686e69 6f6e7372 6c2e6974 0d000018 4048b7d5
> 6ebce885 25e7de7f 00d6c2d3 80000000 0d000014 4a131c81 07035845 5c5728f2
> 0e95452f 0d000014 cd604643 35df21f8 7cfdb2fc 68b6a448 0d000014 90cb8091
> 3ebb696e 086381b5 ec427b1f 0d000014 4485152d 18b6bbcd 0be8a846 9579ddcc
> 00000014 afcad713 68a1f1c9 6b8696fc 77570100
> Mar 4 15:32:17 pfsense racoon: DEBUG: resend phase1 packet
> d33f0047a727df6d:0000000000000000
> Mar 4 15:32:25 pfsense racoon: DEBUG: KA:
> 172.16.16.2[4500]->93.149.11.106[4500]
> Mar 4 15:32:25 pfsense racoon: DEBUG: sockname 172.16.16.2[4500]
> Mar 4 15:32:25 pfsense racoon: DEBUG: send packet from 172.16.16.2[4500]
> Mar 4 15:32:25 pfsense racoon: DEBUG: send packet to 93.149.11.106[4500]
> Mar 4 15:32:25 pfsense racoon: DEBUG: 1 times of 1 bytes message will be
> sent to 93.149.11.106[4500]
> Mar 4 15:32:25 pfsense racoon: DEBUG: ff
> Mar 4 15:32:27 pfsense racoon: DEBUG: 388 bytes from 172.16.16.2[500] to
> 87.14.119.1[500]
> Mar 4 15:32:27 pfsense racoon: DEBUG: sockname 172.16.16.2[500]
> Mar 4 15:32:27 pfsense racoon: DEBUG: send packet from 172.16.16.2[500]
> Mar 4 15:32:27 pfsense racoon: DEBUG: send packet to 87.14.119.1[500]
> Mar 4 15:32:27 pfsense racoon: DEBUG: 1 times of 388 bytes message will be
> sent to 87.14.119.1[500]
> Mar 4 15:32:27 pfsense racoon: DEBUG: d33f0047 a727df6d 00000000 00000000
> 01100400 00000000 00000184 04000038 00000001 00000001 0000002c 01010001
> 00000024 01010000 800b0001 000c0004 00014c83 80010005 80030001 80020001
> 80040002 0a000084 9c35f255 04e204c6 9651dd05 751d7fc9 668e79dd 8163ed73
> 1a398cf1 28c78ec8 f9b0330e e9c63c99 e9724127 590eb6e0 439426c8 efbd5d74
> 33021dd7 dcc61148 a4353741 ea4386fb 112384f0 79b5debc 470dd6b2 b1433fae
> 0fc12a6f 992d8b89 bbe51a24 a7128c97 c2578d03 3fc49499 9ee628cd f29c8b93
> d43540b4 3bf989fa 05000014 c7649af5 a3006135 aa508181 bf650b72 0d00001c
> 02000000 706f7374 612e7465 63686e69 6f6e7372 6c2e6974 0d000018 4048b7d5
> 6ebce885 25e7de7f 00d6c2d3 80000000 0d000014 4a131c81 07035845 5c5728f2
> 0e95452f 0d000014 cd604643 35df21f8 7cfdb2fc 68b6a448 0d000014 90cb8091
> 3ebb696e 086381b5 ec427b1f 0d000014 4485152d 18b6bbcd 0be8a846 9579ddcc
> 00000014 afcad713 68a1f1c9 6b8696fc 77570100
> Mar 4 15:32:27 pfsense racoon: DEBUG: resend phase1 packet
> d33f0047a727df6d:0000000000000000
> Mar 4 15:32:37 pfsense racoon: DEBUG: 388 bytes from 172.16.16.2[500] to
> 87.14.119.1[500]
> Mar 4 15:32:37 pfsense racoon: DEBUG: sockname 172.16.16.2[500]
> Mar 4 15:32:37 pfsense racoon: DEBUG: send packet from 172.16.16.2[500]
> Mar 4 15:32:37 pfsense racoon: DEBUG: send packet to 87.14.119.1[500]
> Mar 4 15:32:37 pfsense racoon: DEBUG: 1 times of 388 bytes message will be
> sent to 87.14.119.1[500]
> Mar 4 15:32:37 pfsense racoon: DEBUG: d33f0047 a727df6d 00000000 00000000
> 01100400 00000000 00000184 04000038 00000001 00000001 0000002c 01010001
> 00000024 01010000 800b0001 000c0004 00014c83 80010005 80030001 80020001
> 80040002 0a000084 9c35f255 04e204c6 9651dd05 751d7fc9 668e79dd 8163ed73
> 1a398cf1 28c78ec8 f9b0330e e9c63c99 e9724127 590eb6e0 439426c8 efbd5d74
> 33021dd7 dcc61148 a4353741 ea4386fb 112384f0 79b5debc 470dd6b2 b1433fae
> 0fc12a6f 992d8b89 bbe51a24 a7128c97 c2578d03 3fc49499 9ee628cd f29c8b93
> d43540b4 3bf989fa 05000014 c7649af5 a3006135 aa508181 bf650b72 0d00001c
> 02000000 706f7374 612e7465 63686e69 6f6e7372 6c2e6974 0d000018 4048b7d5
> 6ebce885 25e7de7f 00d6c2d3 80000000 0d000014 4a131c81 07035845 5c5728f2
> 0e95452f 0d000014 cd604643 35df21f8 7cfdb2fc 68b6a448 0d000014 90cb8091
> 3ebb696e 086381b5 ec427b1f 0d000014 4485152d 18b6bbcd 0be8a846 9579ddcc
> 00000014 afcad713 68a1f1c9 6b8696fc 77570100
> Mar 4 15:32:37 pfsense racoon: DEBUG: resend phase1 packet
> d33f0047a727df6d:0000000000000000
> Mar 4 15:32:39 pfsense racoon: [87.14.119.1] ERROR: phase2 negotiation
> failed due to time up waiting for phase1. ESP 87.14.119.1[0]->172.16.16.2[0]
> Mar 4 15:32:39 pfsense racoon: INFO: delete phase 2 handler.
> Mar 4 15:32:45 pfsense racoon: DEBUG: KA:
> 172.16.16.2[4500]->93.149.11.106[4500]
> Mar 4 15:32:45 pfsense racoon: DEBUG: sockname 172.16.16.2[4500]
> Mar 4 15:32:45 pfsense racoon: DEBUG: send packet from 172.16.16.2[4500]
> Mar 4 15:32:45 pfsense racoon: DEBUG: send packet to 93.149.11.106[4500]
> Mar 4 15:32:45 pfsense racoon: DEBUG: 1 times of 1 bytes message will be
> sent to 93.149.11.106[4500]
> Mar 4 15:32:45 pfsense racoon: DEBUG: ff
> Mar 4 15:32:47 pfsense racoon: DEBUG: 388 bytes from 172.16.16.2[500] to
> 87.14.119.1[500]
> Mar 4 15:32:47 pfsense racoon: DEBUG: sockname 172.16.16.2[500]
> Mar 4 15:32:47 pfsense racoon: DEBUG: send packet from 172.16.16.2[500]
> Mar 4 15:32:47 pfsense racoon: DEBUG: send packet to 87.14.119.1[500]
> Mar 4 15:32:47 pfsense racoon: DEBUG: 1 times of 388 bytes message will be
> sent to 87.14.119.1[500]
>
>
> --
> Lorenzo Milesi - [email protected]
>
> YetOpen S.r.l. - http://www.yetopen.it/
> _______________________________________________
> List mailing list
> [email protected]
> http://lists.pfsense.org/mailman/listinfo/list
> --

--
Lorenzo Milesi - [email protected]
YetOpen S.r.l. - http://www.yetopen.it/
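The quoted racoon debug output contains the raw hex of the 388-byte phase 1 message that pfSense kept resending, and a few bytes of it tell the whole story: the exchange type byte is 4 (Aggressive, matching "begin Aggressive mode"), the responder cookie stays all zeros on every retransmission (nobody ever replied), the payload lengths on the wire are exactly the "add payload of len N" values plus the 4-byte generic payload header, and the ID payload carries an FQDN identifier. The script below is an added example written for this thread, not code from the original post or from pfSense or racoon; it decodes that dump according to the ISAKMP header and generic payload layout of RFC 2408, then scans constructed log lines in the same shape as the quoted ones to count "resend phase1 packet" retransmissions and report the "time up waiting for phase1" error. The hex string and the log lines are copied from the thread as test input; the payload and exchange type tables are the standard RFC 2408/2407 values.

```python
import re

# Hex dump of the 388-byte ISAKMP message 1 quoted in the thread above
# (copied from racoon's DEBUG lines; used here as constructed test input).
PHASE1_PACKET_HEX = """
d33f0047 a727df6d 00000000 00000000
01100400 00000000 00000184 04000038 00000001 00000001 0000002c 01010001
00000024 01010000 800b0001 000c0004 00014c83 80010005 80030001 80020001
80040002 0a000084 9c35f255 04e204c6 9651dd05 751d7fc9 668e79dd 8163ed73
1a398cf1 28c78ec8 f9b0330e e9c63c99 e9724127 590eb6e0 439426c8 efbd5d74
33021dd7 dcc61148 a4353741 ea4386fb 112384f0 79b5debc 470dd6b2 b1433fae
0fc12a6f 992d8b89 bbe51a24 a7128c97 c2578d03 3fc49499 9ee628cd f29c8b93
d43540b4 3bf989fa 05000014 c7649af5 a3006135 aa508181 bf650b72 0d00001c
02000000 706f7374 612e7465 63686e69 6f6e7372 6c2e6974 0d000018 4048b7d5
6ebce885 25e7de7f 00d6c2d3 80000000 0d000014 4a131c81 07035845 5c5728f2
0e95452f 0d000014 cd604643 35df21f8 7cfdb2fc 68b6a448 0d000014 90cb8091
3ebb696e 086381b5 ec427b1f 0d000014 4485152d 18b6bbcd 0be8a846 9579ddcc
00000014 afcad713 68a1f1c9 6b8696fc 77570100
"""

# Constructed log excerpt in the same shape as the racoon lines in the thread.
SAMPLE_LOG = """\
Mar 4 15:32:07 pfsense racoon: INFO: begin Aggressive mode.
Mar 4 15:32:07 pfsense racoon: DEBUG: resend phase1 packet d33f0047a727df6d:0000000000000000
Mar 4 15:32:17 pfsense racoon: DEBUG: resend phase1 packet d33f0047a727df6d:0000000000000000
Mar 4 15:32:27 pfsense racoon: DEBUG: resend phase1 packet d33f0047a727df6d:0000000000000000
Mar 4 15:32:37 pfsense racoon: DEBUG: resend phase1 packet d33f0047a727df6d:0000000000000000
Mar 4 15:32:39 pfsense racoon: [87.14.119.1] ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 87.14.119.1[0]->172.16.16.2[0]
"""

# ISAKMP exchange types and payload types (RFC 2408); ID types (RFC 2407).
EXCHANGE_TYPES = {1: "Base", 2: "Identity Protection (Main mode)",
                  3: "Authentication Only", 4: "Aggressive",
                  5: "Informational", 32: "Quick mode"}
PAYLOAD_TYPES = {0: "NONE", 1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT",
                 7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID"}
ID_TYPES = {1: "IPV4_ADDR", 2: "FQDN", 3: "USER_FQDN", 4: "IPV4_ADDR_SUBNET",
            5: "IPV6_ADDR", 6: "IPV6_ADDR_SUBNET", 11: "KEY_ID"}


def packet_from_log_hex(hex_text):
    """Turn racoon's whitespace-separated hex words into bytes."""
    return bytes.fromhex("".join(hex_text.split()))


def parse_isakmp(raw):
    """Parse the 28-byte ISAKMP header and walk the generic payload chain.

    Each payload starts with: next-payload (1), reserved (1), length (2).
    The length includes that 4-byte header, so racoon's "add payload of
    len 52, next type 4" appears on the wire as a payload of length 56."""
    if len(raw) < 28:
        raise ValueError("truncated ISAKMP header")
    length = int.from_bytes(raw[24:28], "big")
    if length != len(raw):
        raise ValueError(f"header says {length} bytes, got {len(raw)}")
    payloads = []
    off, ptype = 28, raw[16]  # first payload type comes from the header
    while ptype != 0:
        if off + 4 > len(raw):
            raise ValueError(f"payload chain runs past end of message at {off}")
        nxt = raw[off]
        plen = int.from_bytes(raw[off + 2:off + 4], "big")
        if plen < 4 or off + plen > len(raw):
            raise ValueError(f"bad payload length {plen} at offset {off}")
        body = raw[off + 4:off + plen]
        entry = {"type": PAYLOAD_TYPES.get(ptype, f"type{ptype}"), "len": plen}
        if ptype == 5 and len(body) >= 4:  # ID payload: id-type, proto, port, data
            entry["id_type"] = ID_TYPES.get(body[0], f"type{body[0]}")
            entry["id_data"] = body[4:].decode("ascii", "replace")
        payloads.append(entry)
        off, ptype = off + plen, nxt
    if off != len(raw):
        raise ValueError(f"{len(raw) - off} trailing bytes after last payload")
    return {
        "initiator_cookie": raw[0:8].hex(),
        "responder_cookie": raw[8:16].hex(),
        "unanswered": raw[8:16] == bytes(8),  # responder cookie never filled in
        "version": f"{raw[17] >> 4}.{raw[17] & 0xF}",
        "exchange": EXCHANGE_TYPES.get(raw[18], f"type{raw[18]}"),
        "flags": raw[19],
        "message_id": int.from_bytes(raw[20:24], "big"),
        "length": length,
        "payloads": payloads,
    }


RESEND_RE = re.compile(r"resend phase1 packet ([0-9a-f]{16}):([0-9a-f]{16})")
TIMEOUT_RE = re.compile(
    r"\[([0-9.]+)\] ERROR: phase2 negotiation failed due to time up waiting for phase1")


def phase1_timeouts(log_text):
    """Count phase 1 retransmissions per initiator cookie, note cookies whose
    responder half is still zero, and collect peers that hit the timeout."""
    resends, unanswered = {}, []
    for icookie, rcookie in RESEND_RE.findall(log_text):
        resends[icookie] = resends.get(icookie, 0) + 1
        if rcookie == "0" * 16 and icookie not in unanswered:
            unanswered.append(icookie)
    return {"resends": resends, "unanswered_cookies": unanswered,
            "timed_out_peers": TIMEOUT_RE.findall(log_text)}


if __name__ == "__main__":
    pkt = parse_isakmp(packet_from_log_hex(PHASE1_PACKET_HEX))
    print(f"{pkt['exchange']} exchange, v{pkt['version']}, {pkt['length']} bytes, "
          f"responder cookie zero: {pkt['unanswered']}")
    for p in pkt["payloads"]:
        print("  ", p)
    print(phase1_timeouts(SAMPLE_LOG))
```

Read together, the two results say the initiator's proposal is well-formed and leaves the box on UDP/500 four times without a single reply, which points the investigation at the responder (the SRP's own IKE/IPsec policy, or a path that never delivers the packet) rather than at pfSense's proposal contents, consistent with the outcome reported at the top of this reply.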
