PfSense to Netgear VPN
-
Sorry, I found it.
My Netgear system doesn't support the aggressive mode.
I setted up the Netgear and the pfSense systems to main mode, but it doesn't work anymore.
Now pfSense is telling me these errors:racoon: ERROR: couldn't find the pskey for 123.123.123.123 (which is the dynamic IP of the Netgear's endpoint).
The Netgear is setted up as netgear.myvpnsite.com (which is the Identifier of the pre-shared key).
If I set up the local identify of the Netgear and the identifier of the pre-shared key as the its dynamic IP address of the Netgear it works without problem.Could you help me, please?
-
At the pfSense use "My IP-Adress" as identifier. Looks like you didn't follow the tutorial too closely ;)
-
Yes, at my pfSense i'm using "My IP-Address" as identifier, but the error is the same…
-
I don't own a netgear to check this out with.
-
The problem is solved when I set up the WAN dynamic IP address of the Netgear as the identifier of the pre-shared key and as the local identifier on the Netgear.
But as the WAN IP address of the Netgear is dynamic, I can't use it as the identifier of the pre-shared key.
If I setup a FQDN as the identifier, I get that error… -
Are you sure the netgear supports this kind of config that you need here?
-
I think so, because the connection works with a static IP address…
-
That's not the same. If it was that easy dynamic to dynamic would just work too ;)
-
Ok. Now the VPN from pfSense to Netgear is working.
I can ping from pfSense to Netgear, but not from Netgear to pfSense.
When the VPN connection is established I see this error in the pfSense logs:racoon: ERROR: such policy does not already exist: "192.168.1.0/24[0] 192.168.0.0/24[0] proto=any dir=out"
192.168.0.1 is the Netgear endpoint's LAN
192.168.1.1 is the pfSense endpoint's LANCould you help me, please? ^^
-
racoon: ERROR: such policy does not already exist: "192.168.1.0/24[0] 192.168.0.0/24[0] proto=any dir=out"
This is usually only a debug message that can be ignored. If it works one way the tunnel should be up fine. Does the netgear support some filtering for the vpn traffic? Maybe you need to create a rule to allow traffic? The pfSense currently can't filter VPN traffic so it can't be an issue on the pfSense end of the connection. Are you trying to ping from behind the netgear or from the netgear itself? Usually devices encapsulating the connection can't use it directly without adding a fake static route or pinging from their LAN IP.