Netgate Discussion Forum
    IPsec VPN to Sonicwall NSA 2400

    IPsec
dmitche

      This post describes my problem. However, there was no resolution and the topic was closed.
      http://forum.pfsense.org/index.php/topic,12934.msg69758.html#msg69758

I have a SonicWall NSA 2400 (local subnet of 192.168.99.0/24) and pfSense 1.2.3 (local subnet of 10.10.11.0/24) running on a Firebox X700. Both locations have static IPs from the same ISP. The tunnel appears to be up (there are green icons on both ends). However, no traffic seems to pass through (I am pinging a local IP on the remote end and all packets are dropped).

      Apr 27 21:37:00 racoon: ERROR: failed to pre-process packet.
      Apr 27 21:37:00 racoon: ERROR: failed to get sainfo.
      Apr 27 21:37:00 racoon: ERROR: failed to get sainfo.
      Apr 27 21:37:00 racoon: [First Church VPN]: INFO: respond new phase 2 negotiation: pfSenseWANip[0]<=>SonicWallWANip[0]
      Apr 27 21:36:43 racoon: ERROR: failed to pre-process packet.
      Apr 27 21:36:43 racoon: ERROR: failed to get sainfo.
      Apr 27 21:36:43 racoon: ERROR: failed to get sainfo.
      Apr 27 21:36:43 racoon: [First Church VPN]: INFO: respond new phase 2 negotiation: pfSenseWANip[0]<=>SonicWallWANip[0]

      This log is reported on the Sonicwall every 4 minutes 25 seconds:
      Notice VPN IPSec IPSec (ESP) packet dropped pfSense WAN IP, 0, X1   SonicWall WAN IP Inbound: SeqNum=-1310720, SPI=0x800A7BE

      Info VPN IKE IKE Initiator: Start Quick Mode (Phase 2). Sonicwall WAN IP, 500 pfSense WAN IP, 500 VPN Policy: Bread of Life

      I ran this command:
      racoon -F -d -v -f /var/etc/racoon.conf

      $ racoon -F -d -v -f /var/etc/racoon.conf
      Foreground mode.
      2010-04-27 11:10:20: INFO: @(#)ipsec-tools 0.7.2 (http://ipsec-tools.sourceforge.net)
      2010-04-27 11:10:20: INFO: @(#)This product linked OpenSSL 0.9.8e 23 Feb 2007 (http://www.openssl.org/)
      2010-04-27 11:10:20: INFO: Reading configuration from "/var/etc/racoon.conf"
      2010-04-27 11:10:20: DEBUG: call pfkey_send_register for AH
      2010-04-27 11:10:20: DEBUG: call pfkey_send_register for ESP
      2010-04-27 11:10:20: DEBUG: call pfkey_send_register for IPCOMP
      2010-04-27 11:10:20: DEBUG: reading config file /var/etc/racoon.conf
      2010-04-27 11:10:20: DEBUG: compression algorithm can not be checked because sadb message doesn't support it.
      2010-04-27 11:10:20: DEBUG: getsainfo params: loc='10.10.11.0/24', rmt='192.168.99.0/24', peer='NULL', id=0
      2010-04-27 11:10:20: DEBUG: getsainfo pass #2
      2010-04-27 11:10:20: DEBUG: open /var/db/racoon/racoon.sock as racoon management.
      2010-04-27 11:10:20: DEBUG: my interface: pfSenseWANip (re0)
      2010-04-27 11:10:20: DEBUG: my interface: 10.10.11.1 (re1)
      2010-04-27 11:10:20: DEBUG: my interface: 10.10.12.1 (re2)
      2010-04-27 11:10:20: DEBUG: my interface: 10.10.13.1 (re3)
      2010-04-27 11:10:20: DEBUG: my interface: 127.0.0.1 (lo0)
      2010-04-27 11:10:20: DEBUG: configuring default isakmp port.
      2010-04-27 11:10:20: DEBUG: 5 addrs are configured successfully
      2010-04-27 11:10:20: ERROR: failed to bind to address 127.0.0.1[500] (Address already in use).
      2010-04-27 11:10:20: ERROR: failed to bind to address 10.10.13.1[500] (Address already in use).
      2010-04-27 11:10:20: ERROR: failed to bind to address 10.10.12.1[500] (Address already in use).
      2010-04-27 11:10:20: ERROR: failed to bind to address 10.10.11.1[500] (Address already in use).
      2010-04-27 11:10:20: ERROR: failed to bind to address pfSenseWANip[500] (Address already in use).
      2010-04-27 11:10:20: ERROR: no address could be bound.

      I feel like I am close but something isn't working. I appreciate your help.

KForce

Give me a few minutes, I am doing a complete step-by-step picture guide.

KForce

          Sonicwall first.

          Click VPN

          Name can be anything.

Network tab, same window.

You will need to create a new network object; mine is called SLSC.Net. Make it a network object and put in your pfSense local subnet, i.e. 10.10.10.0 255.255.255.0.

Proposals tab, same VPN window. Make everything exactly as you see here. Be sure to check Perfect Forward Secrecy and use GP2.

Advanced tab, same VPN window. Click OK when done with this step.


pfSense setup side.

          Create new vpn.

          Phase 1 PF. Make sure you add the 28800 also.

          Phase 2 PF. Be sure to uncheck everything not checked in the picture.

Click Preshared Keys and add a new one. YOURKEY is the same as the tunnel's pre-shared key. IP is the IP of the pfSense box you are currently on, the same as the WAN address, i.e. if 24.111.111.111 is the public IP of the pfSense box then put that in there. This identifies it to the SonicWall.

Lastly, add firewall rules in pfSense to allow traffic via IPsec.

Any questions, post 'em. This works for sure; I have 8 SonicWalls connected to my main pfSense, including an NSA 2400.

          Kyle

dmitche

Well, I have followed your directions to a T. There are some subtle differences in the SonicWall setup, namely the General tab of the VPN policy. I have an extra drop-down box that allows me to select Site to Site or Tunnel. I tried both, but Tunnel Interface doesn't give me the 'Network' tab. So Site-to-Site it is. I am running SonicOS Enhanced 5.5.1.0-5o.

Using Aggressive Mode the tunnel never becomes active. However, as soon as I switch to Main Mode it comes up. Still no traffic though. One thing I thought was strange was that the Address Object created in the SonicWall for the remote location has a Zone assignment of LAN rather than VPN. I tried it with both with no success.

Here is the IPsec log from the pfSense box:
            Apr 29 03:03:44 racoon: [First Church]: INFO: IPsec-SA established: ESP X.X.X.X[0]->X.X.X.X[0] spi=3462423859(0xce606533)
            Apr 29 03:03:44 racoon: [First Church]: INFO: IPsec-SA established: ESP X.X.X.X[0]->X.X.X.X[0] spi=137167584(0x82d02e0)
            Apr 29 03:03:44 racoon: [First Church]: INFO: respond new phase 2 negotiation: X.X.X.X[0]<=>X.X.X.X[0]

Here is the VPN IKE log from the SonicWall:
            16:03:43.896 Info VPN IKE  IKE negotiation complete. Adding IPSec SA. (Phase 2) X.X.X.X, 500  X.X.X.X, 500  VPN Policy: TBOL; ESP:3DES; HMAC_SHA1; Group 2; Lifetime=28800 secs; inSPI:0xce606533; outSPI:0x82d02e0
            16:03:43.896 Info VPN IKE  IKE Initiator: Accepting IPSec proposal (Phase 2) X.X.X.X, 500  X.X.X.X, 500  VPN Policy: TBOL; Local network 192.168.99.0 / 255.255.255.0; Remote network 10.10.11.0/255.255.255.0
            16:03:43.816 Info VPN IKE  IKE Initiator: Start Quick Mode (Phase 2). X.X.X.X, 500  X.X.X.X, 500  VPN Policy: TBOL

            It appears to me as though the tunnel is up. So I must have something configured incorrectly in the firewall rules. Am I correct in thinking I should be able to ping a local device on the remote subnet (10.10.11.10, for instance) from a LAN subnet on the SonicWall (192.168.99.X)?

            Thanks

(attachment: pfsense_IPsec.JPG)

KForce

Switch back to aggressive. Then from the SW LAN (192.x) ping the pfSense LAN IP (10.x). Give it a packet or two and it will make the tunnel come up. Try that. Let me know.

KForce

Also, my network address object is in zone LAN.

Firewall rules are auto-added on the SW.

KForce

Well, get it working?

dmitche

The tunnel is up with aggressive mode and I have set the Address Object to LAN. However, no traffic is being passed yet. I continue to get this message in the SW:
                    Notice VPN IPSec IPSec (ESP) packet dropped xxx.xxx.xxx.xxx (remote public ip), 0, X1 xxx.xxx.xxx.xxx (local Public IP) Inbound: SeqNum=65578, SPI=0x8004D31

                    Here are some screen shots to show the tunnel is active and the firewall rule that I was able to find.

(attachments: sw.JPG, firewall.JPG, pfsense.JPG)

dcaves

Did you guys end up finding a solution to this? I am having the exact same problem. My tunnel appears to be active, but no traffic is passing through, and I am seeing 'IPSec (ESP) packet dropped' on the SonicWall in the logs.

dmitche

No, no luck even after all this time. I have successfully used IPsec VPN over two pfGuards though. The setup was nearly identical to this. I believe there is some strange SonicWall rule blocking things.
Their technical support simply tells me to upgrade to the latest firmware as the existing firmware has 'VPN issues'. I have done this on two different occasions but it didn't change anything.

dcaves

Wow, well that's terrible news. Thanks a lot for the quick response. I'm going to try upgrading my firmware (if there is an upgrade available) and see what happens. I'll let you know if I have any success.

dmitche

Still no luck. I am running 5.6.0.5-46o on the SW. The tunnel is active; however, no traffic is passed. Still getting dropped packets on the SW.

                            12/16/2010 11:55:15.256 Notice VPN IPSec IPSec (ESP) packet dropped xxx.xxx.xxx.xxx, 0, X1 xxx.xxx.xxx.xxx Inbound: SeqNum=1446931972, SPI=0x4D32000

                            When I hover over the log record I get 'Message id: 533 Legacy Category: Network Access'

                            Any luck on your end?

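As an added example (not from the thread or either vendor), here is the correlation a practitioner would run over both peers' logs when the tunnel shows "up" yet every ESP packet is dropped: it normalises the SPIs in racoon's "IPsec-SA established" lines and the SonicWall's inSPI/outSPI, counts racoon's "failed to get sainfo" errors (its Phase 2 selector mismatch), and flags inbound "ESP packet dropped" messages whose SPI matches no SA either side reported. The log lines are constructed from the messages quoted above with addresses masked as in the posts; the function names are my own.

```python
import re

# Constructed sample lines, modelled on the racoon (pfSense) and SonicOS
# messages quoted in this thread; addresses are masked as in the posts.
RACOON_LOG = """\
Apr 27 21:37:00 racoon: ERROR: failed to get sainfo.
Apr 29 03:03:44 racoon: [First Church]: INFO: IPsec-SA established: ESP X.X.X.X[0]->X.X.X.X[0] spi=3462423859(0xce606533)
Apr 29 03:03:44 racoon: [First Church]: INFO: IPsec-SA established: ESP X.X.X.X[0]->X.X.X.X[0] spi=137167584(0x82d02e0)
"""
SONICWALL_LOG = """\
16:03:43.896 Info VPN IKE  IKE negotiation complete. Adding IPSec SA. (Phase 2) VPN Policy: TBOL; inSPI:0xce606533; outSPI:0x82d02e0
12/16/2010 11:55:15.256 Notice VPN IPSec IPSec (ESP) packet dropped xxx.xxx.xxx.xxx, 0, X1 xxx.xxx.xxx.xxx Inbound: SeqNum=1446931972, SPI=0x4D32000
"""

RACOON_SPI = re.compile(r"IPsec-SA established: ESP .*?spi=\d+\((0x[0-9a-f]+)\)", re.I)
SW_SA_SPI = re.compile(r"\b(?:in|out)SPI:(0x[0-9a-f]+)", re.I)
SW_DROP = re.compile(r"\(ESP\) packet dropped .*?SeqNum=(-?\d+), SPI=(0x[0-9a-f]+)", re.I)
SAINFO_FAIL = "failed to get sainfo"


def spis(pattern, text):
    """Set of SPIs matched by pattern, as ints (racoon prints lowercase hex, SonicOS mixed)."""
    return {int(m.group(1), 16) for m in pattern.finditer(text)}


def triage(racoon_log, sonicwall_log):
    """Correlate both sides' logs into a small report of likely failure causes."""
    racoon_sa = spis(RACOON_SPI, racoon_log)
    sw_sa = spis(SW_SA_SPI, sonicwall_log)
    drops = [(int(seq), int(spi, 16)) for seq, spi in SW_DROP.findall(sonicwall_log)]
    # An inbound ESP drop whose SPI matches no SA either peer logged points at a
    # stale or mismatched SA rather than at a firewall rule.
    orphan = sorted({f"0x{spi:x}" for _, spi in drops if spi not in racoon_sa | sw_sa})
    return {
        # racoon reports a Phase 2 local/remote subnet mismatch as this error.
        "sainfo_failures": racoon_log.count(SAINFO_FAIL),
        # Both peers report the same SPI pair when the Phase 2 SA really is shared.
        "sa_agree": bool(racoon_sa) and racoon_sa == sw_sa,
        "esp_drops": len(drops),
        "orphan_drop_spis": orphan,
    }


if __name__ == "__main__":
    for key, value in triage(RACOON_LOG, SONICWALL_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample the two peers agree on the Apr 29 SPI pair, while the December drop carries an SPI neither side negotiated, which is the case to chase before touching firewall rules.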
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.