Netgate Discussion Forum
VPN into POS Host

7 Posts 3 Posters 5.1k Views
  • C
    crichardson
    last edited by Apr 23, 2008, 5:10 PM

    I am trying to use PFsense to replace our sonicwall routers in our retail locations. I have everything working except for our VPN needed to run the Point of Sale.

    A major hurdle I am running into is that the company that hosts the POS database uses a unique identifier for the local identifier. For instance, the ID may be "Basic - Corp". PFsense only gives me the option to use an IP or a Domain Name. Is there any way I can override this and use this unique identifier?

    Thanks for any help in advance.

    • H
      hoba
      last edited by Apr 23, 2008, 9:55 PM

      This identifier breaks ipsec specifications and usually is not allowed. I would fix it at the other end. Not sure if it would work if you manually edit the tunnel in the config.xml, as the gui won't allow creation of such an identifier.

      • C
        crichardson
        last edited by Apr 24, 2008, 12:09 PM

        Unfortunately I do not host the other side and I doubt they will be willing to change the Identifier. I will look into the config file and give it a shot. Thanks for the advice.

        • C
          crichardson
          last edited by Apr 24, 2008, 7:03 PM Apr 24, 2008, 6:54 PM

          Ok I had them create a new policy and use the IP as the IKE ID.

          Errors to follow….

          Log:
          Apr 24 23:45:34 racoon: INFO: delete phase 2 handler.
          Apr 24 23:45:34 racoon: [IQVPND041053]: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 66.45.111.154[0]->10.0.2.15[0]
          Apr 24 23:45:31 racoon: ERROR: phase1 negotiation failed due to time up. da944a6326191f68:0000000000000000
          Apr 24 23:45:21 racoon: ERROR: delete phase1 handle.
          Apr 24 23:45:11 racoon: ERROR: delete phase1 handle.
          Apr 24 23:45:04 racoon: [IQVPND041053]: INFO: phase2 sa deleted 10.0.2.15-66.45.111.154
          Apr 24 23:45:03 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
          Apr 24 23:45:03 racoon: [IQVPND041053]: INFO: phase2 sa expired 10.0.2.15-66.45.111.154
          Apr 24 23:45:01 last message repeated 2 times
          Apr 24 23:44:41 racoon: ERROR: delete phase1 handle.
          Apr 24 23:44:41 racoon: INFO: begin Aggressive mode.
          Apr 24 23:44:41 racoon: [IQVPND041053]: INFO: initiate new phase 1 negotiation: 10.0.2.15[500]<=>66.45.111.154[500]

          Any ideas? I hate not being able to mess with the other side….

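The racoon log quoted above is listed newest-first and mixes phase 1 and phase 2 messages, which makes the actual sequence easy to misread. As an added example (not code from the thread, pfSense or racoon), here is a small Python parser that re-orders those lines chronologically and reports what a defender would want to know from them: which peer was contacted, whether Aggressive or Main mode was used, whether phase 1 timed out, and how many phase 2 requests were stalled waiting for phase 1. The sample log is constructed from the lines in the post.

```python
import re

# Constructed sample: the racoon lines quoted in the post above, in the
# newest-first order that the pfSense GUI displays them.
SAMPLE_LOG = """\
Apr 24 23:45:34 racoon: INFO: delete phase 2 handler.
Apr 24 23:45:34 racoon: [IQVPND041053]: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 66.45.111.154[0]->10.0.2.15[0]
Apr 24 23:45:31 racoon: ERROR: phase1 negotiation failed due to time up. da944a6326191f68:0000000000000000
Apr 24 23:45:21 racoon: ERROR: delete phase1 handle.
Apr 24 23:45:11 racoon: ERROR: delete phase1 handle.
Apr 24 23:45:04 racoon: [IQVPND041053]: INFO: phase2 sa deleted 10.0.2.15-66.45.111.154
Apr 24 23:45:03 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Apr 24 23:45:03 racoon: [IQVPND041053]: INFO: phase2 sa expired 10.0.2.15-66.45.111.154
Apr 24 23:45:01 last message repeated 2 times
Apr 24 23:44:41 racoon: ERROR: delete phase1 handle.
Apr 24 23:44:41 racoon: INFO: begin Aggressive mode.
Apr 24 23:44:41 racoon: [IQVPND041053]: INFO: initiate new phase 1 negotiation: 10.0.2.15[500]<=>66.45.111.154[500]
"""

# "Mon DD HH:MM:SS racoon: [optional tunnel tag]: LEVEL: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) racoon: "
    r"(?:\[(?P<tag>[^\]]+)\]: )?(?P<level>[A-Z]+): (?P<msg>.*)$"
)
# Remote peer address in "local[500]<=>remote[500]"
PEER_RE = re.compile(r"<=>(?P<peer>\d+\.\d+\.\d+\.\d+)\[\d+\]")


def parse_racoon_log(text):
    """Return racoon entries as dicts, oldest first (the GUI lists newest first)."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog fillers such as "last message repeated N times" are skipped
            entries.append(m.groupdict())
    return list(reversed(entries))


def summarize_phase1(entries):
    """Classify the IKE phase 1 attempt and count phase 2 requests stalled behind it."""
    summary = {"peer": None, "mode": "Main", "phase1_timeout": False, "phase2_deferred": 0}
    for e in entries:
        msg = e["msg"]
        if msg.startswith("initiate new phase 1 negotiation"):
            pm = PEER_RE.search(msg)
            summary["peer"] = pm.group("peer") if pm else None
        elif msg.startswith("begin Aggressive mode"):
            # Aggressive mode sends the IKE identity before the channel is encrypted;
            # with a pre-shared key that is worth flagging during review.
            summary["mode"] = "Aggressive"
        elif msg.startswith("phase1 negotiation failed due to time up"):
            # No response from the peer: check reachability of UDP/500 and the proposal match.
            summary["phase1_timeout"] = True
        elif "no phase1 found" in msg or "waiting for phase1" in msg:
            summary["phase2_deferred"] += 1
    return summary
```

Running `summarize_phase1(parse_racoon_log(SAMPLE_LOG))` on the quoted log reports an Aggressive-mode phase 1 to 66.45.111.154 that timed out, with two phase 2 requests left waiting; the real log can be pasted in place of the sample.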
          • C
            crichardson
            last edited by Apr 24, 2008, 7:46 PM

            OK, I have the tunnel up (didn't need aggressive); just need to be able to ping now ;(

            • D
              dotdash
              last edited by Apr 24, 2008, 10:21 PM

              Are you allowing ICMP at Firewall, Rules (IPSEC tab)?

              • H
                hoba
                last edited by Apr 25, 2008, 8:18 AM

                Not sure how you test this but make sure that you test the connectivity from behind the pfSense. The pfSense itself can't make use of the tunnel unless you add some fake static route.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.