
    VPN into POS Host

    IPsec
crichardson

I am trying to use pfSense to replace our SonicWall routers in our retail locations. I have everything working except for our VPN needed to run the Point of Sale.

A major hurdle I am running into is that the company that hosts the POS database uses a unique identifier as the local identifier. For instance, the ID may be "Basic - Corp". pfSense only gives me the option to use an IP or a domain name. Is there any way I can override this and use this unique identifier?

      Thanks for any help in advance.

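For context on why the GUI's choice between "IP address" and "domain name" matters: in IKEv1 the identifier travels in a typed Identification payload, and the type byte, not the string itself, tells the responder how to interpret and match it. The script below is an added example (not from the thread, pfSense or racoon); it encodes an identifier into the payload layout of RFC 2408 section 3.8 with the IPsec DOI type codes of RFC 2407 section 4.6.2.1, choosing ID_IPV4_ADDR for a dotted quad, ID_FQDN for a hostname, ID_USER_FQDN for user@host and the opaque ID_KEY_ID type for a free-form string such as "Basic - Corp", then parses it back. The classification rules are this example's own, and whether a given pfSense release exposes KEY_ID in its GUI is not something the thread settles.

```python
"""Encode and decode IKEv1 (ISAKMP) Identification payloads.

Added example, not code from the thread, pfSense or racoon. Layout follows
RFC 2408 section 3.8 (generic payload header, ID type, DOI-specific data)
with the IPsec DOI identification type values from RFC 2407 section 4.6.2.1.
"""
from __future__ import annotations

import ipaddress
import struct

# IPsec DOI identification types (RFC 2407, 4.6.2.1); only the common ones here
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_USER_FQDN = 3
ID_DER_ASN1_DN = 9
ID_KEY_ID = 11

ID_TYPE_NAMES = {
    ID_IPV4_ADDR: "ID_IPV4_ADDR",
    ID_FQDN: "ID_FQDN",
    ID_USER_FQDN: "ID_USER_FQDN",
    ID_DER_ASN1_DN: "ID_DER_ASN1_DN",
    ID_KEY_ID: "ID_KEY_ID",
}

PAYLOAD_NONE = 0                        # "Next Payload" when this is the last payload
GENERIC_HEADER = struct.Struct("!BBH")  # next payload, reserved, payload length
ID_HEADER = struct.Struct("!BBH")       # ID type, protocol ID, port (IPsec DOI fields)


def id_data_for(identifier: str) -> tuple[int, bytes]:
    """Pick an ID type for a configured identifier string (this example's own rules).

    dotted quad                      -> ID_IPV4_ADDR, 4 raw address bytes
    contains '@'                     -> ID_USER_FQDN
    hostname labels (alnum, '-', '.') -> ID_FQDN
    anything else, e.g. "Basic - Corp" -> ID_KEY_ID, opaque bytes
    """
    try:
        return ID_IPV4_ADDR, ipaddress.IPv4Address(identifier).packed
    except ipaddress.AddressValueError:
        pass
    if "@" in identifier:
        return ID_USER_FQDN, identifier.encode()
    labels = identifier.split(".")
    if all(label and all(c.isalnum() or c == "-" for c in label) for label in labels):
        return ID_FQDN, identifier.encode()
    return ID_KEY_ID, identifier.encode()


def encode_id_payload(identifier: str, next_payload: int = PAYLOAD_NONE,
                      protocol_id: int = 0, port: int = 0) -> bytes:
    """Build the on-the-wire Identification payload for `identifier`."""
    id_type, data = id_data_for(identifier)
    length = GENERIC_HEADER.size + ID_HEADER.size + len(data)
    return (GENERIC_HEADER.pack(next_payload, 0, length)
            + ID_HEADER.pack(id_type, protocol_id, port)
            + data)


def decode_id_payload(raw: bytes) -> dict:
    """Parse an Identification payload; the type byte decides how the data is read."""
    _next_payload, _reserved, length = GENERIC_HEADER.unpack_from(raw, 0)
    if length > len(raw) or length < GENERIC_HEADER.size + ID_HEADER.size:
        raise ValueError("bad payload length")
    id_type, protocol_id, port = ID_HEADER.unpack_from(raw, GENERIC_HEADER.size)
    data = raw[GENERIC_HEADER.size + ID_HEADER.size:length]
    if id_type == ID_IPV4_ADDR:
        if len(data) != 4:
            raise ValueError("ID_IPV4_ADDR must carry exactly 4 bytes")
        value = str(ipaddress.IPv4Address(data))
    elif id_type in (ID_FQDN, ID_USER_FQDN):
        value = data.decode("ascii")
    else:
        value = data.hex()  # KEY_ID and DN data are opaque to this parser
    return {"type": ID_TYPE_NAMES.get(id_type, id_type),
            "protocol_id": protocol_id, "port": port, "value": value}


if __name__ == "__main__":
    for ident in ("Basic - Corp", "66.45.111.154", "vpn.example.com", "pos@example.com"):
        raw = encode_id_payload(ident)
        print(f"{ident!r:20} -> {raw.hex()}  {decode_id_payload(raw)}")
```

The point of the type byte is that a responder configured to expect an address identity will compare 4 raw bytes, and one configured for a KEY_ID will compare opaque bytes; a string crammed into the wrong type never matches, which is why the two ends have to agree on the type as well as the value.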
hoba

This identifier breaks the IPsec specifications and usually is not allowed. I would fix it at the other end. Not sure if it would work if you manually edit the tunnel in the config.xml, as the GUI won't allow creation of such an identifier.

crichardson

          Unfortunately I do not host the other side and I doubt they will be willing to change the Identifier. I will look into the config file and give it a shot. Thanks for the advice.

crichardson

OK, I had them create a new policy and use the IP as the IKE ID.

            Errors to follow….

            Log:
            Apr 24 23:45:34 racoon: INFO: delete phase 2 handler.
            Apr 24 23:45:34 racoon: [IQVPND041053]: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 66.45.111.154[0]->10.0.2.15[0]
            Apr 24 23:45:31 racoon: ERROR: phase1 negotiation failed due to time up. da944a6326191f68:0000000000000000
            Apr 24 23:45:21 racoon: ERROR: delete phase1 handle.
            Apr 24 23:45:11 racoon: ERROR: delete phase1 handle.
            Apr 24 23:45:04 racoon: [IQVPND041053]: INFO: phase2 sa deleted 10.0.2.15-66.45.111.154
            Apr 24 23:45:03 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
            Apr 24 23:45:03 racoon: [IQVPND041053]: INFO: phase2 sa expired 10.0.2.15-66.45.111.154
            Apr 24 23:45:01 last message repeated 2 times
            Apr 24 23:44:41 racoon: ERROR: delete phase1 handle.
            Apr 24 23:44:41 racoon: INFO: begin Aggressive mode.
            Apr 24 23:44:41 racoon: [IQVPND041053]: INFO: initiate new phase 1 negotiation: 10.0.2.15[500]<=>66.45.111.154[500]

Any ideas? I hate not being able to mess with the other side…

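One way to read a racoon log like the one above, as an added example (not code from the thread, pfSense or racoon; the log lines embedded in it are constructed in the shape of the posted ones): it pulls the endpoints, the exchange mode and the ISAKMP cookie pair out of racoon's messages and flags what to check first. In ISAKMP the initiator sends a zero responder cookie and the responder fills in its own in the reply, so a phase 1 timeout logged with the responder half still all zeros means no reply from the peer was ever processed.

```python
"""Triage racoon phase 1 / phase 2 failures from pfSense IPsec log lines.

Added example, not code from the thread, pfSense or racoon. SAMPLE_LOG is
constructed in the shape of the lines posted in the thread.
"""
import ipaddress
import re

SAMPLE_LOG = """\
Apr 24 23:44:41 racoon: [IQVPND041053]: INFO: initiate new phase 1 negotiation: 10.0.2.15[500]<=>66.45.111.154[500]
Apr 24 23:44:41 racoon: INFO: begin Aggressive mode.
Apr 24 23:44:41 racoon: ERROR: delete phase1 handle.
Apr 24 23:45:03 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Apr 24 23:45:31 racoon: ERROR: phase1 negotiation failed due to time up. da944a6326191f68:0000000000000000
Apr 24 23:45:34 racoon: [IQVPND041053]: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 66.45.111.154[0]->10.0.2.15[0]
"""

RE_INIT = re.compile(r"initiate new phase 1 negotiation: ([^\s\[]+)\[(\d+)\]<=>([^\s\[]+)\[(\d+)\]")
RE_MODE = re.compile(r"begin (Aggressive|Identity Protection) mode")
# racoon names a phase 1 SA by its ISAKMP cookie pair, initiator:responder
RE_P1_TIMEOUT = re.compile(r"phase1 negotiation failed due to time up\. ([0-9a-f]{16}):([0-9a-f]{16})")
RE_P2_BLOCKED = re.compile(r"waiting for phase1|queued due to no phase1 found")

ZERO_COOKIE = "0" * 16


def triage(log_text: str) -> dict:
    """Summarise how far the IKE exchange got and what to check next."""
    s = {
        "local": None, "peer": None, "mode": None,
        "phase1_timeouts": 0,
        "no_responder_cookie": 0,        # timeouts with the responder cookie still zero
        "phase2_blocked_on_phase1": 0,
        "findings": [],
    }
    for line in log_text.splitlines():
        if m := RE_INIT.search(line):
            s["local"], s["peer"] = m.group(1), m.group(3)
        elif m := RE_MODE.search(line):
            s["mode"] = m.group(1)
        elif m := RE_P1_TIMEOUT.search(line):
            s["phase1_timeouts"] += 1
            if m.group(2) == ZERO_COOKIE:
                s["no_responder_cookie"] += 1
        elif RE_P2_BLOCKED.search(line):
            s["phase2_blocked_on_phase1"] += 1

    if s["no_responder_cookie"]:
        s["findings"].append(
            "phase 1 timed out with the responder cookie still zero: no reply from "
            "the peer was ever processed, so check that UDP/500 reaches the peer and "
            "that the peer has a policy for the source address it sees")
    if s["mode"] == "Aggressive":
        s["findings"].append(
            "Aggressive mode: identities travel in the clear and the PSK-derived "
            "hash is exchanged before the parties are authenticated, which allows "
            "offline PSK guessing; prefer Main mode when the peer allows it")
    if (s["local"] and s["peer"]
            and ipaddress.ip_address(s["local"]).is_private
            and not ipaddress.ip_address(s["peer"]).is_private):
        s["findings"].append(
            f"local IKE address {s['local']} is private: the peer most likely sees "
            "a translated source, so its policy and any address-based IKE ID must "
            "match that address, not the one in this log")
    return s


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed log the script reports one phase 1 timeout with a zero responder cookie, two phase 2 attempts blocked on phase 1, Aggressive mode, and a private local address, which together say the peer is not answering this source at all rather than rejecting a proposal.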
crichardson

OK, I have the tunnel up (didn't need aggressive); just need to be able to ping now ;(

dotdash

Are you allowing ICMP at Firewall > Rules (IPsec tab)?

hoba

Not sure how you test this, but make sure that you test the connectivity from behind the pfSense. The pfSense itself can't make use of the tunnel unless you add some fake static route.

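On the point that the firewall itself can't use the tunnel: with policy-based IPsec a packet is encrypted only when its source and destination both fall inside a phase 2 selector pair (the SPD entry), and traffic the firewall originates toward the peer normally sources from its WAN address, which is outside the phase 2 local network. The script below is an added example (not pfSense or racoon code) with constructed subnets and addresses; 10.0.2.15 as the firewall's IKE/WAN address is taken from the log above, everything else is assumed.

```python
"""Policy-based IPsec: which packets fall inside the phase 2 selectors?

Added example, not pfSense or racoon code. Subnets, interface addresses and
test packets are constructed; 10.0.2.15 as the firewall's IKE/WAN address is
taken from the log posted above, everything else is an assumption.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Phase2Policy:
    """One SPD entry, local network <-> remote network, as a phase 2 produces."""
    local_net: ipaddress.IPv4Network
    remote_net: ipaddress.IPv4Network

    def matches(self, src: str, dst: str) -> bool:
        """True when an outbound packet src -> dst is covered by this policy."""
        return (ipaddress.IPv4Address(src) in self.local_net
                and ipaddress.IPv4Address(dst) in self.remote_net)


# constructed assumptions
POLICY = Phase2Policy(ipaddress.IPv4Network("192.168.10.0/24"),   # retail LAN
                      ipaddress.IPv4Network("172.16.50.0/24"))    # POS host's network
FW_LAN_IP = "192.168.10.1"
FW_WAN_IP = "10.0.2.15"       # from the log above: the local IKE endpoint
LAN_HOST = "192.168.10.25"    # a register behind pfSense
POS_HOST = "172.16.50.10"


def classify(policy: Phase2Policy, src: str, dst: str) -> str:
    """Where a packet goes: into the tunnel, or out via the ordinary routing table."""
    return "IPsec" if policy.matches(src, dst) else "plain routing"


def walk_cases(policy: Phase2Policy) -> dict:
    """The three pings typically tried once the tunnel reports up."""
    return {
        "LAN host -> POS host": classify(policy, LAN_HOST, POS_HOST),
        "firewall, WAN source -> POS host": classify(policy, FW_WAN_IP, POS_HOST),
        "firewall, LAN source -> POS host": classify(policy, FW_LAN_IP, POS_HOST),
    }


if __name__ == "__main__":
    for case, result in walk_cases(POLICY).items():
        print(f"{case:35s} {result}")
```

A ping from the pfSense shell picks the WAN address as source because the peer's network is reached via the default route, so no SPD entry matches and the packet leaves in the clear; the same ping from a LAN host, or forced to source from the LAN address (`ping -S 192.168.10.1 172.16.50.10` on FreeBSD), does match, which is the effect the static-route workaround mentioned above is after.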
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.