Netgate Discussion Forum
PfSense to Netgear VPN

IPsec
14 Posts 3 Posters 17.0k Views
    decibel83
    last edited by Jan 29, 2007, 10:27 AM

    Hi.

    I'm trying to set up an IPsec VPN between a pfSense system with a static IP address and a Netgear ADSL router with a dynamic IP address.
    I set up the pfSense endpoint following the mobile IPsec tutorial on the pfSense website.
    The VPN connection doesn't work: when I activate the connection on the Netgear nothing happens, and in the pfSense system's IPsec log I see this error:

    "racoon: ERROR: not acceptable Identity Protection mode".

    The pfSense endpoint is set up as follows in the "Mobile clients" label:

    Negotiation mode: aggressive
    My identifier: User FQDN fqdn@vpn.mysite.com
    Encryption algorithm: 3DES
    Hash algorithm: SHA1
    DH key group: 2
    Lifetime: 1200
    Authentication method: Pre-shared key
    Protocol: ESP
    Encryption algorithms: 3DES, Blowfish, CAST128, Rijndael (AES)
    Hash algorithms: SHA1, MD5
    PFS key group: off
    Lifetime: 1200

    In the Pre-shared keys I set up a key for the Identifier "fqdn2@vpn.mysite.com" with the Pre-shared key "My%Pre%Shared%Key".

    On the Netgear ADSL router, I set up a VPN policy as follows:

    Policy name: My VPN
    remote VPN Endpoint: IP address, 123.123.123.123 (the public and static IP address of the pfSense system's WAN)
    Local LAN: subnet address, 192.168.0.1/255.255.255.0
    Remote LAN: subnet address, 192.168.1.0/255.255.255.0 (the pfSense system's LAN subnet)
    IKE direction: initiator and responder
    IKE exchange mode: main mode
    Diffie-Hellman (DH) group: group 2 (1024 bit)
    Local identity: FQDN, fqdn2@vpn.mysite.com
    Remote identity: FQDN, fqdn@vpn.mysite.com
    Encryption algorithm: 3DES
    Authentication algorithm: SHA-1
    Pre-shared key: My%Pre%Shared%Key
    SA life time: 1200 seconds

    Where could the problem be?

    Thank you very much for your support!
    Have a nice day.

      hoba
      last edited by Jan 29, 2007, 3:50 PM

      @decibel83:

      …
      The pfSense endpoint is set up as follows in the "Mobile clients" label:
      Negotiation mode: aggressive
      ...
      On the Netgear ADSL router, I set up a VPN policy as follows:
      ...
      IKE exchange mode: main mode
      ...

      You have a mismatch. Set the Netgear end to aggressive too.

        decibel83
        last edited by Jan 29, 2007, 9:08 PM

        How can I set up the Netgear to aggressive?

          sullrich
          last edited by Jan 29, 2007, 9:17 PM

          @decibel83:

          How can I set up the Netgear to aggressive?

          Wrong forum for that type of question :)  Call Netgear or find a Netgear forum :)

            decibel83
            last edited by Jan 29, 2007, 9:34 PM

            Sorry, I found it.
            My Netgear system doesn't support aggressive mode.
            I set up both the Netgear and the pfSense systems to main mode, but it still doesn't work.
            Now pfSense is giving me this error:

            racoon: ERROR: couldn't find the pskey for 123.123.123.123 (which is the dynamic IP of the Netgear endpoint).

            The Netgear is set up as netgear.myvpnsite.com (which is the identifier of the pre-shared key).
            If I set the local identity of the Netgear and the identifier of the pre-shared key to the Netgear's dynamic IP address, it works without problems.

            Could you help me, please?

              hoba
              last edited by Jan 29, 2007, 9:41 PM

              On the pfSense use "My IP address" as identifier. Looks like you didn't follow the tutorial too closely  ;)

                decibel83
                last edited by Jan 29, 2007, 9:45 PM

                Yes, on my pfSense I'm using "My IP address" as identifier, but the error is the same…

                  hoba
                  last edited by Jan 29, 2007, 10:33 PM

                  I don't own a netgear to check this out with.

                    decibel83
                    last edited by Jan 29, 2007, 10:47 PM

                    The problem is solved when I set the Netgear's dynamic WAN IP address as the identifier of the pre-shared key and as the local identifier on the Netgear.
                    But since the WAN IP address of the Netgear is dynamic, I can't use it as the identifier of the pre-shared key.
                    If I set up an FQDN as the identifier, I get that error…

                      hoba
                      last edited by Jan 29, 2007, 11:01 PM

                      Are you sure the Netgear supports the kind of config you need here?

                        decibel83
                        last edited by Jan 30, 2007, 1:40 PM

                        I think so, because the connection works with a static IP address…

                          hoba
                          last edited by Jan 30, 2007, 1:50 PM

                          That's not the same. If it was that easy dynamic to dynamic would just work too  ;)

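The two phase-1 failures in this thread follow from how IKEv1 carries the identity payload, and the model below makes that concrete. It is an added example written for this thread, not pfSense, racoon or Netgear code. "Identity Protection mode" is the RFC 2409 name for main mode, so the first error is the exchange-mode mismatch (pfSense on aggressive, the Netgear initiating main mode). In main mode the ID payload is only sent in messages 5 and 6, already encrypted with keys derived from the pre-shared key, so a PSK responder has to pick the key by the peer's source IP before it has seen any identifier; a key stored under an FQDN can only be found in aggressive mode, where the ID payload rides in message 1. The identifiers and 123.123.123.123 are the thread's placeholders; the Netgear address 198.51.100.77 is constructed.

```python
"""IKEv1 phase-1 compatibility model for the pfSense <-> Netgear setup in this thread.

Added example, not pfSense/racoon/Netgear code.  It reproduces the two racoon
errors from the thread: "not acceptable Identity Protection mode" (exchange-mode
mismatch) and "couldn't find the pskey for <ip>" (main mode cannot look a PSK up
by FQDN).  Addresses other than 123.123.123.123 are constructed.
"""
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional


@dataclass
class Phase1Config:
    name: str
    mode: str                  # "main" (Identity Protection) or "aggressive"
    local_id: str              # identifier this side sends in its ID payload
    remote_id: str             # identifier it expects in the peer's ID payload
    ip: str                    # current WAN address; the peer sees it as source IP
    enc: str
    hash_alg: str
    dh_group: int
    psk: str                   # key this side uses when it initiates
    psk_table: Dict[str, str] = field(default_factory=dict)  # responder: id or IP -> key


def select_psk(responder: Phase1Config, peer_ip: str, peer_id: str) -> Optional[str]:
    """The key a PSK responder can find, under racoon's lookup constraints."""
    if responder.mode == "main":
        # ID payload not received yet (it comes encrypted in message 5): only the
        # source IP of the first packet is available as a lookup key.
        return responder.psk_table.get(peer_ip)
    # Aggressive mode: the ID payload arrived in message 1, so try it first.
    return responder.psk_table.get(peer_id, responder.psk_table.get(peer_ip))


def check_phase1(initiator: Phase1Config, responder: Phase1Config) -> List[str]:
    """Reasons phase 1 fails between the two configs; empty list means it can proceed."""
    problems: List[str] = []
    if initiator.mode != responder.mode:
        problems.append(
            f"{responder.name} ({responder.mode}) rejects {initiator.name}'s "
            f"{initiator.mode} mode exchange: not acceptable Identity Protection mode")
        return problems  # the first packet is refused, nothing else is compared
    for attr, label in (("enc", "encryption"), ("hash_alg", "hash"), ("dh_group", "DH group")):
        a, b = getattr(initiator, attr), getattr(responder, attr)
        if a != b:
            problems.append(f"{label} mismatch: {initiator.name}={a}, {responder.name}={b}")
    key = select_psk(responder, initiator.ip, initiator.local_id)
    if key is None:
        problems.append(f"couldn't find the pskey for {initiator.ip}")
    elif key != initiator.psk:
        problems.append("pre-shared key mismatch")
    if initiator.local_id != responder.remote_id:
        problems.append(f"{responder.name} expects peer id {responder.remote_id}, got {initiator.local_id}")
    if initiator.remote_id != responder.local_id:
        problems.append(f"{initiator.name} expects peer id {initiator.remote_id}, got {responder.local_id}")
    return problems


# The configuration from the first post.
PFSENSE = Phase1Config(
    name="pfSense", mode="aggressive", local_id="fqdn@vpn.mysite.com",
    remote_id="fqdn2@vpn.mysite.com", ip="123.123.123.123",
    enc="3des", hash_alg="sha1", dh_group=2, psk="My%Pre%Shared%Key",
    psk_table={"fqdn2@vpn.mysite.com": "My%Pre%Shared%Key"})

NETGEAR = Phase1Config(
    name="Netgear", mode="main", local_id="fqdn2@vpn.mysite.com",
    remote_id="fqdn@vpn.mysite.com", ip="198.51.100.77",  # dynamic address, constructed
    enc="3des", hash_alg="sha1", dh_group=2, psk="My%Pre%Shared%Key")


def scenario_mode_mismatch() -> List[str]:
    """First post: the Netgear (main) initiates to pfSense (aggressive)."""
    return check_phase1(NETGEAR, PFSENSE)


def scenario_main_mode_fqdn_psk() -> List[str]:
    """Both on main mode, pfSense PSK still stored under the FQDN identifier."""
    return check_phase1(NETGEAR, replace(PFSENSE, mode="main"))


def scenario_main_mode_ip_psk() -> List[str]:
    """The working config: PSK and identities keyed on the Netgear's current WAN IP."""
    pf = replace(PFSENSE, mode="main", local_id=PFSENSE.ip, remote_id=NETGEAR.ip,
                 psk_table={NETGEAR.ip: "My%Pre%Shared%Key"})
    ng = replace(NETGEAR, local_id=NETGEAR.ip, remote_id=PFSENSE.ip)
    return check_phase1(ng, pf)


if __name__ == "__main__":
    for fn in (scenario_mode_mismatch, scenario_main_mode_fqdn_psk, scenario_main_mode_ip_psk):
        print(fn.__name__, "->", fn() or "phase 1 OK")
```

The third scenario is why the working configuration only lasts until the Netgear's address changes: with main mode and a PSK, the identity is effectively the IP address, so a responder that must accept a dynamic peer needs either aggressive mode with an FQDN identifier (which leaks the identifier and the PSK hash in the clear) or certificate authentication.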
                            decibel83
                            last edited by Jan 31, 2007, 3:07 PM

                            Ok. Now the VPN from pfSense to Netgear is working.
                            I can ping from pfSense to Netgear, but not from Netgear to pfSense.
                            When the VPN connection is established I see this error in the pfSense logs:

                            racoon: ERROR: such policy does not already exist: "192.168.1.0/24[0] 192.168.0.0/24[0] proto=any dir=out"

                            192.168.0.1 is the Netgear endpoint's LAN
                            192.168.1.1 is the pfSense endpoint's LAN

                            Could you help me, please? ^^

                              hoba
                              last edited by Jan 31, 2007, 3:50 PM

                              @decibel83:

                              racoon: ERROR: such policy does not already exist: "192.168.1.0/24[0] 192.168.0.0/24[0] proto=any dir=out"

                              This is usually only a debug message that can be ignored. If it works one way the tunnel should be up fine. Does the Netgear support some filtering for the VPN traffic? Maybe you need to create a rule to allow traffic? pfSense currently can't filter VPN traffic, so it can't be an issue on the pfSense end of the connection. Are you trying to ping from behind the Netgear or from the Netgear itself? Usually devices encapsulating the connection can't use it directly without adding a fake static route or pinging from their LAN IP.

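The last two posts turn on the phase-2 selectors: the policy racoon quotes in "such policy does not already exist", the two notations the thread uses for the LAN subnets (pfSense's 192.168.1.0/24 against the Netgear's 192.168.0.1/255.255.255.0), and hoba's point that a ping from the router itself is sourced from an address outside the tunnel's local selector. The checks below are an added example written for this thread, not racoon, pfSense or Netgear code: they parse the logged policy, normalise both notations, confirm the two ends mirror each other, and show which source addresses the Netgear's own policy would encapsulate. Addresses are the thread's placeholders; the Netgear WAN address 198.51.100.77 and the LAN host 192.168.0.50 are constructed.

```python
"""Phase-2 (quick mode) selector checks for the tunnel in this thread.

Added example, not part of the thread and not racoon/pfSense/Netgear code.
The racoon log line is a constructed copy of the one quoted in the post.
"""
import ipaddress
import re
from typing import Dict, List, Optional

Net = ipaddress.IPv4Network
Policy = Dict[str, object]

# Matches the policy racoon quotes in "such policy does not already exist: ...".
POLICY_RE = re.compile(
    r'(?P<src>\d+\.\d+\.\d+\.\d+/\d+)\[(?P<sport>\d+)\]\s+'
    r'(?P<dst>\d+\.\d+\.\d+\.\d+/\d+)\[(?P<dport>\d+)\]\s+'
    r'proto=(?P<proto>\w+)\s+dir=(?P<dir>in|out|fwd)')

RACOON_LINE = ('racoon: ERROR: such policy does not already exist: '
               '"192.168.1.0/24[0] 192.168.0.0/24[0] proto=any dir=out"')


def to_network(spec: str) -> Net:
    """Normalise both notations from the thread to a network address.

    The Netgear form '192.168.0.1/255.255.255.0' carries host bits, which strict
    parsing would reject; racoon prints the network itself, '192.168.0.0/24'.
    """
    return ipaddress.ip_network(spec, strict=False)


def parse_policy(line: str) -> Policy:
    """Extract src/dst networks, protocol and direction from a racoon policy message."""
    m = POLICY_RE.search(line)
    if m is None:
        raise ValueError(f"no SPD policy in: {line!r}")
    return {"src": to_network(m["src"]), "dst": to_network(m["dst"]),
            "proto": m["proto"], "dir": m["dir"]}


def expected_spd(local: str, remote: str) -> List[Policy]:
    """The pair of SPD entries a site-to-site tunnel needs on one endpoint."""
    loc, rem = to_network(local), to_network(remote)
    return [{"src": loc, "dst": rem, "proto": "any", "dir": "out"},
            {"src": rem, "dst": loc, "proto": "any", "dir": "in"}]


def selectors_mirror(a_local: str, a_remote: str, b_local: str, b_remote: str) -> bool:
    """True when each side's local network is exactly the other side's remote network."""
    return (to_network(a_local) == to_network(b_remote)
            and to_network(a_remote) == to_network(b_local))


def policy_for(spd: List[Policy], src_ip: str, dst_ip: str) -> Optional[Policy]:
    """The outbound SPD entry that would encapsulate src->dst, or None (sent in the clear)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in spd:
        if p["dir"] == "out" and s in p["src"] and d in p["dst"]:
            return p
    return None


def logged_policy_is_expected(line: str, local: str, remote: str) -> bool:
    """Does the policy racoon complained about belong to this tunnel's own SPD?"""
    return parse_policy(line) in expected_spd(local, remote)


if __name__ == "__main__":
    print(parse_policy(RACOON_LINE))
    print("logged policy is the pfSense tunnel's own 'out' entry:",
          logged_policy_is_expected(RACOON_LINE, "192.168.1.0/24", "192.168.0.1/255.255.255.0"))
    print("selectors mirror:", selectors_mirror(
        "192.168.1.0/24", "192.168.0.0/24",                          # pfSense local, remote
        "192.168.0.1/255.255.255.0", "192.168.1.0/255.255.255.0"))   # Netgear local, remote
    ng_spd = expected_spd("192.168.0.1/255.255.255.0", "192.168.1.0/24")
    # A host behind the Netgear is inside the local selector and gets encapsulated.
    print("from LAN host 192.168.0.50:", policy_for(ng_spd, "192.168.0.50", "192.168.1.1") is not None)
    # The Netgear's own WAN address matches no selector, so that ping never enters the tunnel.
    print("from WAN 198.51.100.77:", policy_for(ng_spd, "198.51.100.77", "192.168.1.1") is not None)
```

Running the last two prints shows the asymmetry hoba describes: the pfSense side's "out" policy is exactly the one the tunnel needs, so the log line is consistent with an otherwise healthy SPD, while a ping generated on the Netgear itself is sourced from its WAN address and is not selected by any policy unless the router is told to use its LAN address as the source.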
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.