IPSec Local Gateway Issue
Hello,
We are trying to set up an IPsec connection to our remote branch. When I try to bring it up, the IPsec connection cannot be established. When I examine the error, I see that it is trying to connect over mpls rather than over external.
My network configuration on the Firebox is as follows.
0 external
1 servers
2 mpls
While setting up Phase 1, external is selected as the local gateway and my egress IP address is entered. I have checked the configuration many times but have not succeeded. I would be very grateful if you could review the outputs below and point me in the right direction.
*** WG Diagnostic Report for Gateway "Balikesir-sube" ***
Created On: Fri Jul 25 16:43:48 2025
[Conclusion]
Unable to find an established Phase 1 Security Association (SA) for BOVPN Gateway (Balikesir-sube)'s endpoint #1
Recommendation: Review VPN log messages to identify the reason.
[Gateway Summary]
Gateway "Balikesir-sube" contains "1" gateway endpoint(s). IKE Version is IKEv1.
Gateway Endpoint #1 (name "Balikesir-sube") Enabled
Mode: Main
PFS: Disabled AlwaysUp: Disabled
DPD: Enabled Keepalive: Disabled
Local ID<->Remote ID: {IP_ADDR(1.1.1.1) <-> IP_ADDR(2.2.2.2)}
Local GW_IP<->Remote GW_IP: {1.1.1.1 <-> 2.2.2.2}
Outgoing Interface: eth0 (ifIndex=2)
ifMark=0x10000
linkStatus=0 (0:unknown, 1:down, 2:up)
[Tunnel Summary]
"1" tunnel(s) are found using the previous gateway
Name: "balikesirp2" Enabled
PFS: "Enabled" DH-Group: "5"
Number of Proposals: "1"
Proposal "ESP-AES256-SHA256"
ESP:
EncryptAlgo: "AES" KeyLen: "32(bytes)"
AuthAlgo: "SHA2-256"
LifeTime: "28800(seconds)" LifeByte: "0(kbytes)"
Number of Tunnel Routes: "1"
#1
Direction: "BOTH"
"192.168.10.0/24<->192.168.0.0/24"
[Run-time Info (gateway IKE_SA)]
[Run-time Info (tunnel IPSEC_SA)]
"0" IPSEC SA(s) are found under tunnel "balikesirp2"
[Run-time Info (tunnel IPSEC_SP)]
"1" IPSEC SP(s) are found under tunnel "balikesirp2"
1
Tunnel Endpoint: "1.1.1.1->2.2.2.2"
Tunnel Selector: 192.168.10.0/24 -> 192.168.0.0/24 Proto: ANY
Created On: Fri Jul 25 16:39:57 2025
Gateway Name: "Balikesir-sube"
Tunnel Name: "balikesirp2"
[Address Pairs in Firewalld]
Address Pairs for tunnel "balikesirp2"
Direction: BOTH
192.168.10.0/24 <-> 192.168.0.0/24
[Policy checker result]
Tunnel name: balikesirp2
#1 tunnel route 192.168.10.0/24<->192.168.0.0/24
No policy checker results for this tunnel (no P2SA found or some other error)
[Related Logs]
Jul 25 16:43:48 iked: alwaysUpTimerCb trigger autoStart for ikePcy(Balikesir-sube) ipsecPcy(balikesirp2)
Jul 25 16:43:48 iked: AUTOSTART: RECV ipecPcy(balikesirp2), ikePcy(Balikesir-sube), ifIndex(2), tunnel_src=1.1.1.1, tunnel_dst=2.2.2.2
Jul 25 16:43:48 iked: (1.1.1.1<->2.2.2.2) do the ACQUIRE action for the tunnel route [src:192.168.10.0/24 <-> dst:192.168.0.0/24], ike_ver=1, peer_udp_port=0
Jul 25 16:43:48 iked: (1.1.1.1<->2.2.2.2) ikeSAInsertToCookieHashTable: IKE SA event: Added IsakmpSA(0x6d3f50)
Jul 25 16:43:48 iked: MainMode: Start (Ct=71133) pcy [Balikesir-sube]
Jul 25 16:43:48 iked: ikeSendToWithPktInfo: sendmsg failed, ifindex:2 - error: Operation not permitted(1)
Jul 25 16:43:48 iked: StartMainMode: failed to send out 1st msg
Jul 25 16:43:48 iked: StartNegotiation: failed to start phase 1 negotiation
Jul 25 16:43:48 iked: SA Nego Fail: saHandle 0x0x84a0b8 InitMode 1, reason 2
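The diagnostic report above can be triaged mechanically: pull the endpoint facts (gateway IPs, outgoing interface and its ifIndex, link status, IPsec SA count) and then scan [Related Logs] for the first line that names a failure. The script below is an added example written for this page, not WatchGuard code; its sample input is the relevant lines of the report posted above. The rule set only knows the messages that appear in this report, and the stage names (not-sent, nego-failed, unknown), the Endpoint class and the triage() helper are my own naming, not anything from the Firebox.

```python
"""Triage a WatchGuard 'WG Diagnostic Report' for a BOVPN gateway."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Sample input: the relevant lines of the report posted above, copied into
# a string so the script runs offline.
REPORT = """\
[Gateway Summary]
Gateway "Balikesir-sube" contains "1" gateway endpoint(s). IKE Version is IKEv1.
Gateway Endpoint #1 (name "Balikesir-sube") Enabled
Mode: Main
Local GW_IP<->Remote GW_IP: {1.1.1.1 <-> 2.2.2.2}
Outgoing Interface: eth0 (ifIndex=2)
linkStatus=0 (0:unknown, 1:down, 2:up)
[Run-time Info (tunnel IPSEC_SA)]
"0" IPSEC SA(s) are found under tunnel "balikesirp2"
[Related Logs]
Jul 25 16:43:48 iked: MainMode: Start (Ct=71133) pcy [Balikesir-sube]
Jul 25 16:43:48 iked: ikeSendToWithPktInfo: sendmsg failed, ifindex:2 - error: Operation not permitted(1)
Jul 25 16:43:48 iked: StartMainMode: failed to send out 1st msg
Jul 25 16:43:48 iked: StartNegotiation: failed to start phase 1 negotiation
Jul 25 16:43:48 iked: SA Nego Fail: saHandle 0x0x84a0b8 InitMode 1, reason 2
"""

@dataclass
class Endpoint:            # my own container, not a WatchGuard structure
    local_gw: str = ""
    remote_gw: str = ""
    out_iface: str = ""
    ifindex: Optional[int] = None
    link_status: Optional[int] = None
    ipsec_sa_count: Optional[int] = None
    logs: list = field(default_factory=list)

GW_RE = re.compile(r"Local GW_IP<->Remote GW_IP: \{(\S+) <-> (\S+)\}")
IFACE_RE = re.compile(r"Outgoing Interface: (\S+) \(ifIndex=(\d+)\)")
LINK_RE = re.compile(r"^linkStatus=(\d+)")
SA_RE = re.compile(r'^"(\d+)" IPSEC SA\(s\) are found')
SEND_FAIL_RE = re.compile(r"sendmsg failed, ifindex:(\d+) - error: (.+?)\((\d+)\)")

def parse_report(text: str) -> Endpoint:
    """Extract the endpoint facts and collect every line under [Related Logs]."""
    ep = Endpoint()
    in_logs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[Related Logs]":
            in_logs = True
            continue
        if in_logs:
            if line.startswith("["):
                in_logs = False          # another section follows the logs
            elif line:
                ep.logs.append(line)
            continue
        if m := GW_RE.search(line):
            ep.local_gw, ep.remote_gw = m.groups()
        elif m := IFACE_RE.search(line):
            ep.out_iface, ep.ifindex = m.group(1), int(m.group(2))
        elif m := LINK_RE.match(line):
            ep.link_status = int(m.group(1))
        elif m := SA_RE.match(line):
            ep.ipsec_sa_count = int(m.group(1))
    return ep

def classify(ep: Endpoint) -> dict:
    """Return the first recognised failure in the logs.

    not-sent     iked could not transmit its first IKE packet, so no reply was
                 ever possible and nothing about the peer (PSK, proposals, IDs)
                 can be inferred from this report
    nego-failed  iked gave up without an earlier, more specific line
    unknown      no recognised message; read the full log
    """
    for line in ep.logs:
        if m := SEND_FAIL_RE.search(line):
            send_ifindex, errtext, errno = int(m.group(1)), m.group(2), int(m.group(3))
            return {"stage": "not-sent", "send_ifindex": send_ifindex, "errno": errno,
                    "detail": f"sendmsg on ifindex {send_ifindex} failed: {errtext} (errno {errno})"}
        if "failed to send out 1st msg" in line:
            return {"stage": "not-sent", "detail": line}
        if m := re.search(r"SA Nego Fail: .*reason (\d+)", line):
            return {"stage": "nego-failed", "detail": f"iked gave up, reason code {m.group(1)}"}
    return {"stage": "unknown", "detail": "no recognised failure line in [Related Logs]"}

def triage(text: str) -> dict:
    ep = parse_report(text)
    verdict = classify(ep)
    out = {"local_gw": ep.local_gw, "remote_gw": ep.remote_gw,
           "out_iface": ep.out_iface, "report_ifindex": ep.ifindex,
           "link_status": ep.link_status, "ipsec_sa_count": ep.ipsec_sa_count,
           **verdict}
    # Cross-check: did the send fail on the same ifIndex the report assigns to
    # the outgoing interface? If so, the packet was aimed at that interface
    # and the open question is why sendmsg on it was refused.
    if "send_ifindex" in verdict and ep.ifindex is not None:
        out["ifindex_matches_report"] = verdict["send_ifindex"] == ep.ifindex
    return out

if __name__ == "__main__":
    for k, v in triage(REPORT).items():
        print(f"{k:24} {v}")
```

Run against the posted report, triage() reports stage not-sent, errno 1 on ifindex 2, and that this ifindex is the one the report lists for eth0; it also carries over linkStatus=0 (unknown) and the zero IPsec SA count, so the whole picture of "Phase 1 never started because the first packet was not transmitted" is in one dictionary rather than spread over the report.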