Netgate Discussion Forum
    Anybody successfully connected a Zyxel 662 via IPSEC to pfSense?

    IPsec
    6 Posts 2 Posters 8.0k Views

    bill

      Hi there

      anybody successfully connected a Zyxel 662 via IPSEC to pfSense?
      Zyxel 662 (mobile client) connecting to pfSense 1.2rc1 (fixed IP, CARP) is giving me a headache.
      I have compared the settings many times, using 3DES and SHA1, same timeouts etc.
      If I set the wrong enc algo, I see stuff on Zyxel log and pfSense log clearly indicating that there is the wrong algo set.
      If I set the right enc algo, Zyxel is getting a timeout and pfSense is giving an error.

      I have searched the racoon and OpenSSL lists and it seems people have similar problems with other endpoints connecting to BSD IPSEC, but in most cases they make some changes to their config and then it is working. When I do the same type of changes - no success.  ???

      Please help. (Or maybe somebody is confirming it is working…)

      Thank you

      GruensFroeschli

        If I set the right enc algo, Zyxel is getting a timeout and pfSense is giving an error.

        Could you post a copy of your IPSEC-log?

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        bill

          Hi!
          I got to the site and here is the log of the Zyxel:

          1  01/01/2000 00:38:56 Send<:[DEL]> ZyxelIP pfSenseIP IKE
          2  01/01/2000 00:38:07 IKE Negotiation is in process ZyxelIP pfSenseIP IKE
          3  01/01/2000 00:38:06 Recv<:[SA][KE][NONCE][ID][HASH]> pfSenseIP ZyxelIP IKE
          4  01/01/2000 00:38:05 Send<:[SA][KE][NONCE][ID][VID]> ZyxelIP pfSenseIP IKE
          5  01/01/2000 00:38:04 Send Mode request to <pfSenseIP> ZyxelIP pfSenseIP IKE
          6  01/01/2000 00:38:04 Rule [1] Sending IKE request ZyxelIP pfSenseIP IKE
          7  01/01/2000 00:12:36 Send<:[DEL]> ZyxelIP pfSenseIP IKE
          8  01/01/2000 00:11:45 IKE Negotiation is in process ZyxelIP pfSenseIP IKE
          9  01/01/2000 00:11:45 Recv<:[SA][KE][NONCE][ID][HASH]> pfSenseIP ZyxelIP IKE
          10  01/01/2000 00:11:44 IKE Packet Retransmit ZyxelIP pfSenseIP IKE
          11  01/01/2000 00:11:40 Send<:[SA][KE][NONCE][ID][VID]> ZyxelIP pfSenseIP IKE
          12  01/01/2000 00:11:40 Send Mode request to <pfSenseIP> ZyxelIP pfSenseIP IKE
          13  01/01/2000 00:11:40 Rule [1] Sending IKE request ZyxelIP pfSenseIP IKE
          14  01/01/2000 00:11:36 Send<:[DEL]> ZyxelIP pfSenseIP IKE
          15  01/01/2000 00:10:45 IKE Negotiation is in process ZyxelIP pfSenseIP IKE
          16  01/01/2000 00:10:40 Recv<:[SA][KE][NONCE][ID][HASH]> pfSenseIP ZyxelIP IKE
          17  01/01/2000 00:10:40 Send<:[SA][KE][NONCE][ID][VID]> ZyxelIP pfSenseIP IKE
          18  01/01/2000 00:10:39 Send Mode request to <pfSenseIP> ZyxelIP pfSenseIP IKE
          19  01/01/2000 00:10:39 Rule [1] Sending IKE request ZyxelIP pfSenseIP IKE
          20  01/01/2000 00:10:36 Send<:[DEL]> ZyxelIP pfSenseIP IKE
          21  01/01/2000 00:09:44 IKE Negotiation is in process ZyxelIP pfSenseIP IKE
          22  01/01/2000 00:09:40 Recv<:[SA][KE][NONCE][ID][HASH]> pfSenseIP ZyxelIP IKE
          23  01/01/2000 00:09:39 Send<:[SA][KE][NONCE][ID][VID]> ZyxelIP pfSenseIP IKE
          24  01/01/2000 00:09:39 Send Mode request to <pfSenseIP> ZyxelIP pfSenseIP IKE
          25  01/01/2000 00:09:39 Rule [1] Sending IKE request ZyxelIP pfSenseIP IKE
          26  01/01/2000 00:09:36 Send<:[DEL]> ZyxelIP pfSenseIP IKE
          27  01/01/2000 00:08:44 IKE Negotiation is in process ZyxelIP pfSenseIP IKE
          28  01/01/2000 00:08:40 Recv<:[SA][KE][NONCE][ID][HASH]> pfSenseIP ZyxelIP IKE
          29  01/01/2000 00:08:39 Send<:[SA][KE][NONCE][ID][VID]> ZyxelIP pfSenseIP IKE
          30  01/01/2000 00:08:38 Send Mode request to <pfSenseIP> ZyxelIP pfSenseIP IKE
          31  01/01/2000 00:08:38 Rule [1] Sending IKE request ZyxelIP pfSenseIP IKE

          The Zyxel is sending something, getting an answer back from the pfSense and then the "IKE Packet retransmit" and no further reply.

          What do you think?

            GruensFroeschli

            I meant the log of the pfSense ^^"

              bill

              Dooooh! Sorry.

              Another interesting thing I noticed: When turning on NAT Traversal on Zyxel there is much more feedback from pfSense…

              44  01/01/2000 00:52:36 Send<:[DEL]> ZyxelIP pfSenseIP IKE
              45  01/01/2000 00:51:56 IKE Negotiation is in process ZyxelIP pfSenseIP IKE
              46  01/01/2000 00:51:52 Rule [1] Phase 1 hash mismatch pfSenseIP ZyxelIP IKE
              47  01/01/2000 00:51:50 Recv<:[SA][KE][NONCE][ID][HASH]> pfSenseIP ZyxelIP IKE
              48  01/01/2000 00:51:50 Recv Mode request from <pfSenseIP> pfSenseIP ZyxelIP IKE
              49  01/01/2000 00:51:50 Rule [1] Receiving IKE request pfSenseIP ZyxelIP IKE
              50  01/01/2000 00:51:46 Recv<:[SA][KE][NONCE][ID][HASH]> pfSenseIP ZyxelIP IKE
              51  01/01/2000 00:51:46 Send<:[SA][KE][NONCE][ID][VID][VID]> ZyxelIP pfSenseIP IKE
              52  01/01/2000 00:51:45 Send Mode request to <pfSenseIP> ZyxelIP pfSenseIP IKE
              53  01/01/2000 00:51:45 Rule [1] Sending IKE request ZyxelIP pfSenseIP IKE

              Here we go with the right log:
              It does not like the payload type 0…

              Sep 8 19:01:21 racoon: INFO: begin Aggressive mode.
              Sep 8 19:01:21 racoon: INFO: respond new phase 1 negotiation: pfSenseIP[500]<=>ZyxelIP[500]
              Sep 8 19:01:20 racoon: ERROR: unknown Informational exchange received.
              Sep 8 19:01:10 racoon: ERROR: unknown Informational exchange received.
              Sep 8 19:01:04 racoon: ERROR: phase1 negotiation failed due to time up. 86e2df611cfd7b26:f67792338085929c
              Sep 8 19:00:48 racoon: ERROR: phase1 negotiation failed due to time up. 593b4cc03a0921e3:03fefcd6737a380b
              Sep 8 19:00:16 racoon: ERROR: reject the packet, received unexpecting payload type 0.
              Sep 8 19:00:16 racoon: ERROR: reject the packet, received unexpecting payload type 0.
              Sep 8 19:00:04 racoon: INFO: begin Aggressive mode.
              Sep 8 19:00:04 racoon: INFO: respond new phase 1 negotiation: pfSenseIP[500]<=>ZyxelIP[500]
              Sep 8 19:00:02 racoon: ERROR: reject the packet, received unexpecting payload type 0.
              Sep 8 18:59:48 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
              Sep 8 18:59:48 racoon: INFO: begin Aggressive mode.
              Sep 8 18:59:48 racoon: INFO: respond new phase 1 negotiation: pfSenseIP[500]<=>ZyxelIP[500]

              What could that be?

              Thanks!

                bill
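As an added example (not code from the thread, nor from pfSense or racoon), a small triage script over the racoon lines quoted above: it tallies the phase 1 messages racoon logs and reports that negotiations are started but none reaches the `ISAKMP-SA established` message racoon emits on a successful phase 1. The sample log is constructed from the quoted lines; the symptom labels are this example's own names.

```python
from collections import Counter

# Constructed sample: the racoon (pfSense 1.2 IPsec) log lines quoted in the thread.
RACOON_LOG = """\
Sep 8 19:01:21 racoon: INFO: begin Aggressive mode.
Sep 8 19:01:21 racoon: INFO: respond new phase 1 negotiation: pfSenseIP[500]<=>ZyxelIP[500]
Sep 8 19:01:20 racoon: ERROR: unknown Informational exchange received.
Sep 8 19:01:10 racoon: ERROR: unknown Informational exchange received.
Sep 8 19:01:04 racoon: ERROR: phase1 negotiation failed due to time up. 86e2df611cfd7b26:f67792338085929c
Sep 8 19:00:48 racoon: ERROR: phase1 negotiation failed due to time up. 593b4cc03a0921e3:03fefcd6737a380b
Sep 8 19:00:16 racoon: ERROR: reject the packet, received unexpecting payload type 0.
Sep 8 19:00:16 racoon: ERROR: reject the packet, received unexpecting payload type 0.
Sep 8 19:00:04 racoon: INFO: begin Aggressive mode.
Sep 8 19:00:04 racoon: INFO: respond new phase 1 negotiation: pfSenseIP[500]<=>ZyxelIP[500]
Sep 8 19:00:02 racoon: ERROR: reject the packet, received unexpecting payload type 0.
Sep 8 18:59:48 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Sep 8 18:59:48 racoon: INFO: begin Aggressive mode.
Sep 8 18:59:48 racoon: INFO: respond new phase 1 negotiation: pfSenseIP[500]<=>ZyxelIP[500]
"""

# racoon message prefixes seen during phase 1, mapped to a short symptom label (labels are ours).
SYMPTOMS = [
    ("respond new phase 1 negotiation", "phase1_started"),
    ("ISAKMP-SA established", "phase1_established"),
    ("phase1 negotiation failed due to time up", "phase1_timeout"),
    ("reject the packet, received unexpecting payload type", "bad_payload"),
    ("unknown Informational exchange received", "unknown_informational"),
    ("received Vendor ID: draft-ietf-ipsec-nat-t-ike", "natt_vendor_id"),
]

def classify(line):
    """Symptom label for a racoon line, "other" for unrecognised racoon text, None otherwise."""
    if " racoon: " not in line:
        return None
    msg = line.split(": ", 2)[-1]          # strip "<timestamp> racoon: <LEVEL>: "
    return next((label for prefix, label in SYMPTOMS if msg.startswith(prefix)), "other")

def diagnose(text):
    """Count symptoms over a log excerpt and state what they say about phase 1."""
    c = Counter(label for label in map(classify, text.splitlines()) if label)
    findings = []
    if c["phase1_started"] and not c["phase1_established"]:
        findings.append(f"phase 1 never completes: {c['phase1_started']} started, "
                        f"{c['phase1_timeout']} timed out, 0 ISAKMP-SA established")
    if c["bad_payload"] or c["unknown_informational"]:
        findings.append(f"{c['bad_payload']} unexpected-payload rejects, "
                        f"{c['unknown_informational']} unknown Informational exchanges")
    if c["natt_vendor_id"]:
        findings.append("peer advertised the draft-ietf-ipsec-nat-t-ike vendor ID (NAT-T)")
    return c, findings
```

Running `diagnose(RACOON_LOG)` on the excerpt gives three started, two timed-out and zero established phase 1 negotiations, which is the pattern the Zyxel side shows as repeated retransmits.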

                Found that this is NAT-T enabled and then disabled again. During the change there is something weird going on, but the tunnel still does not get established.
                Please look at the second log I sent.
                This is looking at a similar problem. http://forum.pfsense.org/index.php/topic,5473.0.html
                But I am using the IPSEC on the WAN interface so probably not a routing problem - problem with CARP?
                -I don't think so because I have a different site with a m0n0wall connecting perfectly, only the Zyxel is bugging me!
                I set the MTU on the Zyxel to 1400 just to make sure it is not ADSL that is eliminating the reply and thus the timeout, but no result.

                Any ideas?

                Thanks!

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.