IPSec issues - pfSense <=> SonicWall
-
Hi All.
I am currently configuring a pfSense box (1.2.2) to replace a number of different appliances across our office network.
I am trying to get an IPSec VPN working between my pfSense box and a SonicWall TZ170 Running the standard OS.
Setup:
Phase one Main Mode / Group 2 / 3DES / SHA1
SonicWall:
Phase two ESP / 3DES / SHA1 (PFS Off)
pfSense:
Phase two ESP / 3DES / Blowfish / SHA1 (PFS Off)
NOTE: I read in the how-to that I was supposed to have Blowfish and 3DES on if I was using 3DES - but I have tried it on and off.
This is what I am seeing in pfSense (I have reverse log order on, I've also masked the IPs):
Jan 23 14:30:27 racoon: ERROR: phase1 negotiation failed.
Jan 23 14:30:27 racoon: ERROR: failed to process packet.
Jan 23 14:30:27 racoon: ERROR: phase1 negotiation failed due to send error. f41cb02a8dec9a92:13e3ffba3d08723f
Jan 23 14:30:27 racoon: ERROR: sendfromto failed
Jan 23 14:30:27 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Jan 23 14:30:27 racoon: INFO: begin Identity Protection mode.
Jan 23 14:30:27 racoon: [VPN to BANGKOK]: INFO: respond new phase 1 negotiation: 203.152.xxx.xxx[500]<=>203.147.xx.x[500]
On the SonicWall end all I see is:
37 01/22/2009 17:19:43.000 IKE Initiator: No response - remote party timeout 203.147.xx.x, 500 203.152.xxx.xxx, 500
38 01/22/2009 17:19:31.944 IKE Initiator: No response - remote party timeout 203.147.xx.x, 500 203.152.xxx.xxx, 500
39 01/22/2009 17:19:27.048 IKE Initiator: Start Main Mode negotiation (Phase 1) 203.147.xx.x, 500 203.152.xxx.xxx, 500
40 01/22/2009 17:19:25.944 IKE negotiation aborted due to timeout 203.147.xx.x 203.152.xxx.xxx
42 01/22/2009 17:18:53.000 IKE Initiator: No response - remote party timeout 203.147.xx.x, 500 203.152.xxx.xxx, 500
43 01/22/2009 17:18:35.000 IKE Initiator: No response - remote party timeout 203.147.xx.x, 500 203.152.xxx.xxx, 500
44 01/22/2009 17:18:25.944 IKE Initiator: No response - remote party timeout 203.147.xx.x, 500 203.152.xxx.xxx, 500
45 01/22/2009 17:18:21.032 IKE Initiator: Start Main Mode negotiation (Phase 1) 203.147.xx.x, 500 203.xxx.xxx.xxx, 500
46 01/22/2009 17:18:11.944 IKE negotiation aborted due to timeout 203.147.xx.x 203.152.xxx.xxx
49 01/22/2009 17:17:37.000 IKE Initiator: No response - remote party timeout 203.147.xx.x, 500 203.152.xxx.xxx, 500
50 01/22/2009 17:17:21.000 IKE Initiator: No response - remote party timeout 203.147.xx.x, 500 203.152.xxx.xxx, 500
I've tried different combinations of proposals, deleting and remaking, all sorts. From what I can guess, it's having issues with communication between points; however, both sites are pingable by each other?
Any ideas?
Thanks
Gareth -
Any further information? Static to static? Or dynamic sides? Which identifier, e.g.?
Regards
Heiko -
Sorry, it's static to static addresses (sorta standard corporate site-to-site VPN)
It's worth noting that I get further trying a VPN from the pfSense to an IPCop box (although I can't get phase two of the authentication going, but I'm sure that's just me).
-
You have a mismatch of some sort on phase 1.
-
I had to open port 500 on the pfSense box. At least open it to connections coming from the IP of the SonicWall.
I'm sure you already have checked but make sure again all your phase 1 settings are the same on both sides.
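The two log excerpts above tell the failure mode apart: racoon logs that it started responding to phase 1 and then "sendfromto failed", while the SonicWall only sees "No response". The following script, added here as an example and not part of the thread or of pfSense, correlates both sides' lines and maps them to the checks the thread suggests (phase 1 settings, UDP/500 rules). The sample lines are constructed from the ones quoted in the thread; the "proposal_mismatch" wording for racoon is an assumption, not a line from this post.

```python
import re

# Constructed sample input, modelled on the lines quoted in the thread (IPs masked as in the post).
RACOON_LOG = """\
Jan 23 14:30:27 racoon: [VPN to BANGKOK]: INFO: respond new phase 1 negotiation: 203.152.xxx.xxx[500]<=>203.147.xx.x[500]
Jan 23 14:30:27 racoon: ERROR: sendfromto failed
Jan 23 14:30:27 racoon: ERROR: phase1 negotiation failed due to send error. f41cb02a8dec9a92:13e3ffba3d08723f
Jan 23 14:30:27 racoon: ERROR: phase1 negotiation failed.
"""
SONICWALL_LOG = """\
39 01/22/2009 17:19:27.048 IKE Initiator: Start Main Mode negotiation (Phase 1) 203.147.xx.x, 500 203.152.xxx.xxx, 500
38 01/22/2009 17:19:31.944 IKE Initiator: No response - remote party timeout 203.147.xx.x, 500 203.152.xxx.xxx, 500
37 01/22/2009 17:19:43.000 IKE Initiator: No response - remote party timeout 203.147.xx.x, 500 203.152.xxx.xxx, 500
"""

RACOON_PATTERNS = {
    "responder_started": r"respond new phase 1 negotiation",   # Main Mode message 1 arrived
    "send_error": r"sendfromto failed",                        # reply could not leave the box
    # assumed racoon wording for a rejected phase 1 proposal; not quoted in the thread
    "proposal_mismatch": r"no suitable proposal found|failed to get valid proposal",
}
SONICWALL_PATTERNS = {
    "initiator_started": r"Start Main Mode negotiation \(Phase 1\)",
    "no_response": r"No response - remote party timeout",
}
COOKIE_RE = re.compile(r"\b[0-9a-f]{16}:[0-9a-f]{16}\b")  # initiator:responder ISAKMP cookies

HINTS = {
    "proposal-mismatch": "phase 1 proposal rejected: compare encryption, hash, DH group, lifetime and identifiers on both sides",
    "reply-not-sent": "responder got Main Mode message 1 but could not send its reply: check UDP/500 (and 4500 for NAT-T) rules between the peers and the WAN route back to the peer",
    "request-not-received": "initiator times out and responder logs nothing: check that UDP/500 from the peer IP is allowed in to the responder",
    "ok": "no phase 1 failure pattern found",
}

def count_events(log, patterns):
    """Count how many log lines match each named pattern."""
    return {name: sum(bool(re.search(pat, line)) for line in log.splitlines())
            for name, pat in patterns.items()}

def diagnose(racoon_log, sonicwall_log):
    """Correlate responder (racoon) and initiator (SonicWall) logs; return (verdict, hint, details)."""
    r, s = count_events(racoon_log, RACOON_PATTERNS), count_events(sonicwall_log, SONICWALL_PATTERNS)
    if r["proposal_mismatch"]:
        verdict = "proposal-mismatch"
    elif r["responder_started"] and r["send_error"]:
        verdict = "reply-not-sent"
    elif s["no_response"] and not r["responder_started"]:
        verdict = "request-not-received"
    else:
        verdict = "ok"
    details = {"racoon": r, "sonicwall": s, "cookies": sorted(set(COOKIE_RE.findall(racoon_log)))}
    return verdict, HINTS[verdict], details
```

Run `diagnose(RACOON_LOG, SONICWALL_LOG)` to get the verdict for the thread's own lines; the cookie pair in the details lets you match the failed negotiation to the SonicWall's retries by time.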