Netgate Discussion Forum
PfSense to Netgear VPN

IPsec
14 Posts 3 Posters 17.0k Views
decibel83

Sorry, I found it.
My Netgear system doesn't support the aggressive mode.
I set up the Netgear and the pfSense systems to main mode, but it doesn't work anymore.
Now pfSense is telling me these errors:

racoon: ERROR: couldn't find the pskey for 123.123.123.123 (which is the dynamic IP of the Netgear's endpoint).

The Netgear is set up as netgear.myvpnsite.com (which is the identifier of the pre-shared key).
If I set up the local identifier of the Netgear and the identifier of the pre-shared key as the dynamic IP address of the Netgear, it works without problem.

Could you help me, please?

hoba

At the pfSense use "My IP-Address" as identifier. Looks like you didn't follow the tutorial too closely ;)

decibel83

Yes, at my pfSense I'm using "My IP-Address" as identifier, but the error is the same…

hoba

I don't own a Netgear to check this out with.

decibel83

The problem is solved when I set up the WAN dynamic IP address of the Netgear as the identifier of the pre-shared key and as the local identifier on the Netgear.
But as the WAN IP address of the Netgear is dynamic, I can't use it as the identifier of the pre-shared key.
If I set up an FQDN as the identifier, I get that error…

hoba

Are you sure the Netgear supports this kind of config that you need here?

decibel83

I think so, because the connection works with a static IP address…

hoba

That's not the same. If it was that easy, dynamic to dynamic would just work too ;)

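Why the FQDN identifier fails in main mode while the IP identifier works, as an added example (not code from this thread, pfSense or racoon): a small model of how an IKEv1 responder such as racoon chooses the pre-shared key from a psk.txt-style table. In main mode the peer's ID payload is encrypted with keys derived from the PSK, so the responder can only search by the peer's source IP; in aggressive mode the ID payload is sent in the first message, so an FQDN entry can be matched. The table entries, addresses and keys are constructed.

```python
"""Model of IKEv1 pre-shared-key selection on a responder.

Mimics the effect of racoon's psk.txt lookup: main mode can only use
the peer's source address, aggressive mode can use the ID payload.
All identifiers, addresses and keys here are constructed.
"""
from dataclasses import dataclass

# Constructed psk.txt-style table: identifier -> pre-shared key.
PSK_TABLE = {
    "netgear.myvpnsite.com": "constructed-secret-A",  # FQDN identifier
    "10.0.0.5": "constructed-secret-B",              # IP identifier
}


@dataclass(frozen=True)
class Phase1Peer:
    src_ip: str      # address the first IKE packet came from
    mode: str        # "main" or "aggressive"
    id_payload: str  # identity the peer claims (FQDN or IP)


def psk_lookup_key(peer: Phase1Peer) -> str:
    """Return the identifier the responder is able to use for PSK selection."""
    if peer.mode == "main":
        return peer.src_ip       # ID payload is not readable before the PSK is chosen
    if peer.mode == "aggressive":
        return peer.id_payload   # ID payload arrives in the clear in message 1
    raise ValueError("unknown IKEv1 exchange mode: " + peer.mode)


def select_psk(peer: Phase1Peer, table=PSK_TABLE):
    """Return (lookup_key, psk); raise KeyError worded like racoon's log line."""
    key = psk_lookup_key(peer)
    if key not in table:
        raise KeyError("couldn't find the pskey for " + key)
    return key, table[key]


def can_authenticate(peer: Phase1Peer, table=PSK_TABLE) -> bool:
    """True when phase 1 can proceed with a PSK found in the table."""
    try:
        select_psk(peer, table)
        return True
    except KeyError:
        return False


if __name__ == "__main__":
    # Dynamic WAN address (203.0.113.7 is a constructed placeholder) with an
    # FQDN-keyed entry: main mode fails, aggressive mode succeeds.
    print(can_authenticate(Phase1Peer("203.0.113.7", "main", "netgear.myvpnsite.com")))        # False
    print(can_authenticate(Phase1Peer("203.0.113.7", "aggressive", "netgear.myvpnsite.com")))  # True
```

With a static WAN address the IP-keyed entry matches in main mode, which is the case that worked in the thread.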
decibel83

Ok. Now the VPN from pfSense to Netgear is working.
I can ping from pfSense to Netgear, but not from Netgear to pfSense.
When the VPN connection is established I see this error in the pfSense logs:

racoon: ERROR: such policy does not already exist: "192.168.1.0/24[0] 192.168.0.0/24[0] proto=any dir=out"

192.168.0.1 is the Netgear endpoint's LAN
192.168.1.1 is the pfSense endpoint's LAN

Could you help me, please? ^^

hoba

@decibel83:

racoon: ERROR: such policy does not already exist: "192.168.1.0/24[0] 192.168.0.0/24[0] proto=any dir=out"

This is usually only a debug message that can be ignored. If it works one way, the tunnel should be up fine. Does the Netgear support some filtering for the VPN traffic? Maybe you need to create a rule to allow traffic? The pfSense currently can't filter VPN traffic, so it can't be an issue on the pfSense end of the connection. Are you trying to ping from behind the Netgear or from the Netgear itself? Usually devices encapsulating the connection can't use it directly without adding a fake static route or pinging from their LAN IP.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.