@cmb:

The authentication options there are specific to Xauth modes, they don't (yet) apply to EAP.

thanks. is there a bug to track this feature?

Hi, Thanks for the response.
I managed to sort it out & it is now working fine.  The clue was in the pfSense IPSec logs where I was getting the error "[IKE]I Dir 'Domain.name' does not match to 'IP address'".  In Phase 1 proposal (Authentication) I had set the Peer identifier to a Distinguished Name with the DDNS name of the peer site.  When I changed it to 'Peer IP address', the VPN came up.  I was fairly certain that I'd tried this before & it didn't work, but I also upgraded the pfSense box from version 2.2 to 2.2.4, so maybe that had something to do with it.

Hi cmb-
Thank you for the reply. I apologize that was a typo it was 2.2.4-dev. I have also upgrade to the 2.2.4-release since then. When testing the failure I physically unplug the network cable from the firewall and verify that the gateway group shows the gateway for that WAN is offline.

Thanks again.

pfsense_version.JPG
pfsense_version.JPG_thumb

Haven't heard of that with Sonicwall, but apparently they've broken/don't support multiple TS in same TS payload either. The config is 100% correct as generated for the proper IKEv2 usage. One of the benefits of IKEv2 is not needing multiple child SAs for such circumstances. At least for proper implementations of it.

In /usr/local/www/vpn_ipsec_phase1.php, take out this chunk of input validation:

if (($pconfig['remotegw'] && is_ipaddr($pconfig['remotegw']) && !isset($pconfig['disabled']) )) { $t = 0; foreach ($a_phase1 as $ph1tmp) { if ($p1index <> $t) { $tremotegw = $pconfig['remotegw']; if (($ph1tmp['remote-gateway'] == $tremotegw) && !isset($ph1tmp['disabled'])) { $input_errors[] = sprintf(gettext('The remote gateway "%1$s" is already used by phase1 "%2$s".'), $tremotegw, $ph1tmp['descr']); } } $t++; } }

Then add two P1s with one P2 on each. That's really what you're configuring there by splitting it to two conn entries.

That validation probably isn't really necessary, might just remove that to allow configs like this. Its intention is to prevent foot shooting, but there are potential circumstances like this where it works around issues with the remote end.

That's not currently possible at the moment with multiple tunnels, however you can still pull it off with a single tunnel.

For the "Core" side use a hostname in DNS that will resolve to whichever one is up (like DynDNS) – and then use that hostname as your Phase 1 IPsec peer in pfSense.

If the other settings (key, P2 nets, etc) are all the same then pfSense won't care which one it connects to, it will follow the hostname.

It is working now that I've set it to IKEv1.  Thank you for the explanation.

thank you very much, my misunderstanding of the different id types and how the non-decorated name works.

Thanks for the follow up, glad you got it resolved.

Printers that don't work usually are because they're missing a default gateway, or have a wrong one set.

The trailing number at the end is noise from strongswan's output there, just ignore it. We have a bug ticket open to clean that up in the future.

Where you have 0 bytes and packets in like both posts here are showing, it means the other end isn't replying for some reason. Maybe the other end is blocking the traffic, maybe the target system isn't replying, or it might be replying to the wrong device (diff default gateway). Something along those lines. When you have that circumstance as shown, you know the IPsec portion is fine because it's up and you're passing traffic out of it. Look to the other end to see why it's not sending anything back.

Problem is in Android's IPsec client with NAT-D and PSK+aggressive. Use RSA instead.

Unfortunately, there appears to be no way to support a mix of v1 and v2 mobile clients in 2.2.4.

https://redmine.pfsense.org/issues/4873

I've had to downgrade to 2.2.3.

In order to provide any assistance or guidance you will need to provide a lot more information, such as:

Type of IPsec tunnel (e.g. Mobile, site-to-site) IPsec configuration settings (e.g. IKEv2 or IKEv1, encryption settings, etc) – basically anything except your PSKs or other sensitive info. Make/model/version of the device on the other end of the tunnel Anything else you can tell that would be relevant

If I give it a static public IP I have no problems getting the VPN to come up.

Then set up an static public IP and go for it.

Suggestions?

DynDNS, NoIP, …..

Hi cmb-
Thank you for the reply and the offer to look at the configuration.  Everything appears to be working properly now.  It seems like I was not giving the tunnel enough time to come up or I was not passing enough traffic across to bring up the tunnel.  I just got back from the office where I was able to recreate the configuration on the production equipment and everything works as expected.  If I unplug one of the wan interfaces, the gateway group fails over, the vpn ip on the azure gateway gets updated, and the tunnel comes back up on the other wan after manually disconnecting the ipsec connection.

I am very excited that everything is working and I learned quite a bit from the experience!

Thanks again!

Hi,

Can you please help me to configure IPSec between pfsense 2.2.2 to CISCO rv042.

I break my head from one week to figure out but no luck :'(.
PFsene is on Xen VM in data center. WAN network is a VLAN(73.241.202.232/29) and LAN is also a VLAN (172.51.130.160/27).

WAN IP : 73.241.202.238
Gateway(default) : 73.241.202.233
LAN  IP : 172.51.130.190 (Lan Only)
LANGW : 172.51.130.190 ( I made it I don't know where it is correct way or not) I am using same LANGW for all LAN.

CISCO RV 042

WAN : 35.31.39.153/29
GW : 35.31.39.158
LAN : 192.168.10.0/27
GW  : 192.168.10.1

I Enabled and Created IPSec in pfSense with the settings as you mentioned in your picture except Negotiation Mode "MAIN" . Connection is established but no to traffic is going. From pfSense I am able to ping only RV042(no computers). From CISCO Destination host not reachable.

I thought it might be the issue with Gateways or Firewall rules I am not getting anything or is it because of two different VLANS . Can you please help me to fix this. Thanking you in advance.

Thank You,
Harry.

I have had the same issue with setting up IPsec IKEv1 tunnel (Roadwarriors/Remote mobile setup).
I just got parts of the LAN-NW working. Also testet yesterday 0.0.0.0/0 for WAN, but it was not successful. Was not able to think that setting this to LAN interface for Phase 2 will resolve this isseu!

Thanks guys!

–
greetz

I started a new vm on the remote site and started from scratch.  I set it up a while back to connect to the fortigate I used to have here so I can't remember what all I experimented with or had done to get it to work.  The good news is after just setting everything up by hand it is all working so it likely was something like that.

Probably this. https://redmine.pfsense.org/issues/4719  More of an ASA issue it appears, but one we'll revisit.