S2S pfS <-> USG 20 - Initiation only works from USG20
Hello
I am trying to set up a site-to-site IPsec VPN between a USG20 and a pfSense (2.3.2-RELEASE-p1). The tunnel can be opened from the USG20 but not from the pfSense side. My pfSense is connected to the internet directly via PPPoE; I do not use NAT traversal. I get the following log output when trying to open the tunnel:
Nov 21 16:34:18 charon 10[CFG] received stroke: terminate 'con1000'
Nov 21 16:34:18 charon 10[CFG] no IKE_SA named 'con1000' found
Nov 21 16:34:18 charon 13[CFG] received stroke: initiate 'con1000'
Nov 21 16:34:18 charon 10[IKE] <con1000|27> initiating Main Mode IKE_SA con1000[27] to x.x.x.x
Nov 21 16:34:18 charon 10[ENC] <con1000|27> generating ID_PROT request 0 [ SA V V V V V ]
Nov 21 16:34:18 charon 10[NET] <con1000|27> sending packet: from x.x.x.x[500] to x.x.x.x[500] (184 bytes)
Nov 21 16:34:18 charon 10[NET] <con1000|27> received packet: from x.x.x.x[500] to x.x.x.x[500] (88 bytes)
Nov 21 16:34:18 charon 10[ENC] <con1000|27> parsed ID_PROT response 0 [ SA ]
Nov 21 16:34:18 charon 10[ENC] <con1000|27> generating ID_PROT request 0 [ KE No ]
Nov 21 16:34:18 charon 10[NET] <con1000|27> sending packet: from x.x.x.x[500] to x.x.x.x[500] (196 bytes)
Nov 21 16:34:18 charon 10[NET] <con1000|27> received packet: from x.x.x.x[500] to x.x.x.x[500] (91 bytes)
Nov 21 16:34:18 charon 10[ENC] <con1000|27> parsed INFORMATIONAL_V1 request 1440699603 [ N(AUTH_FAILED) ]
Nov 21 16:34:18 charon 10[IKE] <con1000|27> received AUTHENTICATION_FAILED error notify

I already tried switching the negotiation mode, as proposed in the FAQ, but it didn't solve the problem. My P1 IPsec config on the pfSense looks as follows (I know the security is equal to zero, but we have to stick to those settings):
IKE Version: 1
Internet Protocol: IPv4
Interface: WAN
Remote Gateway: Public IP of the USG20
Authentication Method: Mutual PSK
Negotiation Mode: Main
My identifier: My IP address
Peer identifier: Peer IP address
PSK: PSK
Proposal: AES128
Hash Algorithm: SHA1
DH Group: DH2
Lifetime: 86400
Disable rekey: Unchecked
Responder only: Unchecked
NAT traversal: Auto
DPD: Unchecked

Let me know if you need any further info. Any help would be appreciated.
Regards
A

No ideas?
As soon as the tunnel gets connected from the ZyWALL side I see the following under IPsec status:

Role: IKEv1 responder
Algo: AES_CBC HMAC_SHA1_96 PRF_HMAC_SHA1 MODP_1024
Status: ESTABLISHED, xxxx seconds
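The charon log in the first post shows an IKEv1 Main Mode initiation that receives an AUTH_FAILED notify right after the KE/nonce message goes out. As an added triage helper (not from the thread or from pfSense/strongSwan), the script below parses charon's ENC lines and reports which Main Mode exchange completed and where the negotiation died; the log text is a constructed sample modelled on the lines quoted above, and the stage names are my own labels.

```python
import re

# Constructed sample modelled on the charon lines quoted in the first post
# (peer addresses left as x.x.x.x, as the poster wrote them).
SAMPLE_LOG = """\
Nov 21 16:34:18 charon 10[IKE] <con1000|27> initiating Main Mode IKE_SA con1000[27] to x.x.x.x
Nov 21 16:34:18 charon 10[ENC] <con1000|27> generating ID_PROT request 0 [ SA V V V V V ]
Nov 21 16:34:18 charon 10[NET] <con1000|27> sending packet: from x.x.x.x[500] to x.x.x.x[500] (184 bytes)
Nov 21 16:34:18 charon 10[NET] <con1000|27> received packet: from x.x.x.x[500] to x.x.x.x[500] (88 bytes)
Nov 21 16:34:18 charon 10[ENC] <con1000|27> parsed ID_PROT response 0 [ SA ]
Nov 21 16:34:18 charon 10[ENC] <con1000|27> generating ID_PROT request 0 [ KE No ]
Nov 21 16:34:18 charon 10[NET] <con1000|27> sending packet: from x.x.x.x[500] to x.x.x.x[500] (196 bytes)
Nov 21 16:34:18 charon 10[NET] <con1000|27> received packet: from x.x.x.x[500] to x.x.x.x[500] (91 bytes)
Nov 21 16:34:18 charon 10[ENC] <con1000|27> parsed INFORMATIONAL_V1 request 1440699603 [ N(AUTH_FAILED) ]
Nov 21 16:34:18 charon 10[IKE] <con1000|27> received AUTHENTICATION_FAILED error notify
"""

# IKEv1 Main Mode exchanges, keyed by the non-vendor payloads charon logs for them.
STAGES = [("SA", "MM1/MM2 proposal"), ("KE No", "MM3/MM4 key exchange"),
          ("ID HASH", "MM5/MM6 identity and PSK hash")]

PAYLOAD_RE = re.compile(
    r"\[ENC\] <(?P<con>[^|>]+)\|\d+>\s*(?P<dir>generating|parsed) (?P<exch>\w+) "
    r"(?:request|response) \d+ \[ (?P<payloads>[^\]]*)\]")
NOTIFY_RE = re.compile(r"N\((?P<type>[A-Z_]+)\)")


def analyse_main_mode(log_text):
    """Work out how far an IKEv1 Main Mode initiation got before it died."""
    sent, received, notify = set(), set(), None
    for line in log_text.splitlines():
        m = PAYLOAD_RE.search(line)
        if not m:
            continue
        # Vendor-ID payloads (V) ride along with MM1/MM2 and do not mark a stage.
        core = " ".join(t for t in m.group("payloads").split() if t != "V")
        if m.group("exch") == "INFORMATIONAL_V1":
            n = NOTIFY_RE.search(core)
            notify = n.group("type") if n else notify
        elif m.group("dir") == "generating":
            sent.add(core)
        else:
            received.add(core)
    completed = [name for key, name in STAGES if key in sent and key in received]
    pending = next((name for key, name in STAGES if key in sent and key not in received), None)
    return {"completed": completed, "pending": pending, "notify": notify,
            # A notify arriving before any ID/HASH payload was exchanged means the
            # responder rejected the SA before the PSK hash could even be checked.
            "before_psk_check": notify is not None and "ID HASH" not in sent}
```

Feed it the real IPsec log instead of SAMPLE_LOG to see whether a live tunnel fails on the proposal, the key exchange, or the identity/PSK step.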