• Ipsec VPN between Fortigate with NAT

    1
    0 Votes
    1 Posts
    317 Views
    No one has replied
  • No reaction in IPSec logs, how to debug? (vodafone station)

    1
    0 Votes
    1 Posts
    329 Views
    No one has replied
  • PHP/Apache REMOTE_ADDR not resolving as expected when connected via IPsec

    2
    0 Votes
    2 Posts
    370 Views
    B

    Just checked: I have the same behavior with OpenVPN?! Maybe I'm stupid, but I don't understand this. Please enlighten me

  • ipsec rules not working

    5
    0 Votes
    5 Posts
    745 Views
    stephenw10S

    Nope, in addition to port 21 you need to pass the passive port range, for example 10000-20000, but that could be anything depending on how you've configured it.
    Also vsftp seems to use ftps so needs port 990 also for the encryption.

    See: https://www.howtoforge.com/tutorial/ubuntu-vsftpd/

    You should be able to see that traffic blocked in the firewall log though when you try to connect and it fails.

    Steve

  • Has anyone got a VPN to a Draytek working?

    Moved
    36
    0 Votes
    36 Posts
    17k Views
    A

    You should not really have an issue with a Draytek to ASA VPN, we have many of those running on multiple ASA firmwares and 2820s, 2860s (v3.9.4.1), 2862s, 29xx etc.

    I can't specifically tell you how, as I am not the Cisco guy :-) If it helps, most of ours run on IKEv1 with 3DES with auth, no PFS. We also run all the tunnels outbound on the Draytek to the Cisco, with P1 28800 and P2 3600, which is the Draytek default.

    The solution is reasonably well documented on the Draytek knowledge bases and forums, and your Draytek reseller should have access to Draytek tech support, who are pretty helpful most of the time if you are clear on what the problem is.

    Not wishing to undermine stephenw10 on the pfSense sell ;-), we have had no luck really in getting Draytek to play with pfSense running in Azure. Despite our best efforts we cannot get a stable solution. We can get pfSense to work with ASA all day long though, so it depends which end you might switch out for a pfSense.

  • States getting killed after every renegotiation with Sonicwall

    1
    0 Votes
    1 Posts
    186 Views
    No one has replied
  • 0 Votes
    2 Posts
    348 Views
    M

    Hi all, I should put that at the top of the topic, sorry.

  • 0 Votes
    2 Posts
    1k Views
    S

    Great idea!

    macOS Big Sur & iOS 14.3

    Phase 1:
    IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
    IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
    IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
    IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024

    Phase 2:
    ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
    ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
    ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
    ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
    ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ

  • Problem with IPSEC between Pfsense 2.4.5 and Cisco ASA

    1
    0 Votes
    1 Posts
    265 Views
    No one has replied
  • IPsec stability and frequent CHILD_SA CREATE / DELETE

    2
    0 Votes
    2 Posts
    469 Views
    V

    pfSense version is: 2.4.5-RELEASE-p1 (amd64)

  • Dropped ipsec / fragmented UDP packets

    7
    1 Votes
    7 Posts
    1k Views
    C

    @derelict Someone is, however :)

  • IPSEC IKEV2 MS CHAP V2

    3
    0 Votes
    3 Posts
    616 Views
    B

    @jimp

    Right now I’m using a LastPass-generated 16-character password and just saving the credentials. Just a bit concerned about this approach as it’s just 1FA, I’m saving the password, and the VPN gives full access to my network.

    Also, what does using certificates protect against? Not sure how it enhances security.

  • IPSEC NOT WORKING

    1
    0 Votes
    1 Posts
    335 Views
    No one has replied
  • Help needed with IPSec Tunnel

    1
    0 Votes
    1 Posts
    149 Views
    No one has replied
  • Route to IPSec Tunnel from OpenVPN Client

    4
    0 Votes
    4 Posts
    622 Views
    bingo600B

    @sgnoc
    Cool 👍

    Great that my brainstorming was of help

    /Bingo

  • IPSec VPN not really working

    Moved
    3
    0 Votes
    3 Posts
    473 Views
    B

    After even more investigation:
    Seems like the rules from WAN to pfSense were in place and effective. But what was missing: an allow rule from IPSec to the LAN. Is this "works as designed"? Even the DNS (the pfSense itself) was not reachable...

  • IPSec with a certificate provided in ACME

    1
    0 Votes
    1 Posts
    335 Views
    No one has replied
  • IPSec work with no inbound rule in firewall

    5
    0 Votes
    5 Posts
    570 Views
    F

    Everything is explained. Thank you for your answers!

  • IPSEC IKEV2 2fa

    1
    0 Votes
    1 Posts
    246 Views
    No one has replied
  • IPSec mobile without certificate

    8
    0 Votes
    8 Posts
    1k Views
    F

    @jimp said in IPSec mobile without certificate:

    There is an ACME package in pfSense, works great for me and many others. YMMV depending on your update method, though.

    Great!
    I just tested, it works! Thank you.
    Do I have to configure an "Action" in the ACME service so that it restarts the IPSec server when renewing the certificate to take the new certificate, or does it happen automatically without a restart?

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.