Netgate Discussion Forum
    IPSec between Netscreen 5GT and pfsense 1.2.3

    Category: IPsec
    3 Posts 3 Posters 4.1k Views
    • merylen

      Hi,
      I've searched for a solution for the last 3 days, but I don't get the point.
      Perhaps someone here can help me.

      My config looks like this:

      LAN (10.15.6.0/24) -- ||Netscreen 5GT|| -- WAN (dyn. IP) ------- WAN (static IP: 213.x.y.z/32) -- ||pfSense v1.2.3|| -- LAN (192.168.0.0/24)

      I would like to establish an IPsec connection over the WAN. Then I want to communicate between both LANs in both directions.
      The tunnel should be static and re-establish itself when a disconnect occurs.

      My current pfSense config:
      Allow mobile clients: deactivated

      Interface: LAN
      Local Subnet: LAN subnet
      Remote subnet: 10.15.6.0/24
      Remote Gateway: a.b.c.d (DynDNS address)

      Phase 1:
      Negotiation mode: aggressive
      My identifier: My IP address
      Encryption algorithm: 3DES
      Hash algorithm: SHA1
      DH key group: 2
      PSK
      Pre-shared key: topsecret

      Phase 2:
      Protocol: ESP
      Encryption algorithm: 3DES
      Hash algorithm: SHA1
      PFS key group: 2

      Under Status: IPsec
      Overview and SAD are empty apart from: "No IPsec security associations."

      SPD shows:

      10.15.6.0/24     192.168.0.0/24     >    ESP     88.65.126.145 - 192.168.0.1    
      192.168.0.0/24    10.15.6.0/24    <   ESP    192.168.0.1 - 88.65.126.6

      When I stop and start IPsec I get:

      Aug 2 17:04:53    racoon: [Self]: INFO: 192.168.0.1[500] used as isakmp port (fd=17)
      Aug 2 17:04:53    racoon: [Self]: INFO: 213.x.y.z[500] used as isakmp port (fd=16)
      Aug 2 17:04:53    racoon: [Self]: INFO: 172.16.a.b[500] used as isakmp port (fd=15)
      Aug 2 17:04:53    racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=14)
      Aug 2 17:04:53    racoon: INFO: unsupported PF_KEY message REGISTER
      Aug 2 17:04:53    racoon: [Self]: INFO: 192.168.0.1[500] used as isakmp port (fd=17)
      Aug 2 17:04:53    racoon: [Self]: INFO: 213.x.y.z[500] used as isakmp port (fd=16)
      Aug 2 17:04:53    racoon: [Self]: INFO: 172.16.a.b[500] used as isakmp port (fd=15)
      Aug 2 17:04:53    racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=14)
      Aug 2 17:04:53    racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
      Aug 2 17:04:53    racoon: INFO: @(#)This product linked OpenSSL 0.9.8e 23 Feb 2007 (http://www.openssl.org/)
      Aug 2 17:04:53    racoon: INFO: @(#)ipsec-tools 0.7.2 (http://ipsec-tools.sourceforge.net)

      nothing more.

      When I try "racoon -d -F -v -f /var/etc/racoon.conf" on the console I get:

      racoon -d -F -v -f /var/etc/racoon.conf

      Foreground mode.
      2010-08-02 17:12:50: INFO: @(#)ipsec-tools 0.7.2 (http://ipsec-tools.sourceforge.net)
      2010-08-02 17:12:50: INFO: @(#)This product linked OpenSSL 0.9.8e 23 Feb 2007 (http://www.openssl.org/)
      2010-08-02 17:12:50: INFO: Reading configuration from "/var/etc/racoon.conf"
      2010-08-02 17:12:50: DEBUG: call pfkey_send_register for AH
      2010-08-02 17:12:50: DEBUG: call pfkey_send_register for ESP
      2010-08-02 17:12:50: DEBUG: call pfkey_send_register for IPCOMP
      2010-08-02 17:12:50: DEBUG: reading config file /var/etc/racoon.conf
      2010-08-02 17:12:50: DEBUG: hmac(modp1024)
      2010-08-02 17:12:50: DEBUG: compression algorithm can not be checked because sadb message doesn't support it.
      2010-08-02 17:12:50: DEBUG: getsainfo params: loc='192.168.0.0/24', rmt='10.15.6.0/24', peer='NULL', id=0
      2010-08-02 17:12:50: DEBUG: getsainfo pass #2
      2010-08-02 17:12:50: DEBUG: open /var/db/racoon/racoon.sock as racoon management.
      2010-08-02 17:12:50: DEBUG: my interface: 192.168.0.1 (re0)
      2010-08-02 17:12:50: DEBUG: my interface: 213.x.y.z (re1)
      2010-08-02 17:12:50: DEBUG: my interface: 172.16.a.b (re2)
      2010-08-02 17:12:50: DEBUG: my interface: 127.0.0.1 (lo0)
      2010-08-02 17:12:50: DEBUG: configuring default isakmp port.
      2010-08-02 17:12:50: DEBUG: 4 addrs are configured successfully
      2010-08-02 17:12:50: INFO: 127.0.0.1[500] used as isakmp port (fd=7)
      2010-08-02 17:12:50: INFO: 172.16.a.b[500] used as isakmp port (fd=8)
      2010-08-02 17:12:50: INFO: 213.x.y.z[500] used as isakmp port (fd=9)
      2010-08-02 17:12:50: INFO: 192.168.0.1[500] used as isakmp port (fd=10)
      2010-08-02 17:12:50: DEBUG: pk_recv: retry[0] recv()
      2010-08-02 17:12:50: DEBUG: get pfkey X_SPDDUMP message
      2010-08-02 17:12:50: DEBUG: pfkey X_SPDDUMP failed: No such file or directory
      ^C2010-08-02 17:12:52: INFO: caught signal 2
      2010-08-02 17:12:52: DEBUG: pk_recv: retry[0] recv()
      2010-08-02 17:12:52: DEBUG: get pfkey FLUSH message
      2010-08-02 17:12:53: DEBUG: call pfkey_send_dump
      2010-08-02 17:12:53: DEBUG: pk_recv: retry[0] recv()
      2010-08-02 17:12:53: INFO: racoon shutdown

      At "pfkey X_SPDDUMP failed: No such file or directory" it stops and I break with Ctrl-C.

      Under Rules: IPsec I permit everything:

      LAN to any
      any to LAN
      every service allowed.

      The Netscreen is also in aggressive mode, and the phases and the PSK are identical.

      I don't think the problem is on the NS side. To me it seems that phase 1 isn't activated at all.

      I wonder about the "no such file" and searched around, but didn't get any useful information.
      A hint or some help would be wonderful!

      Thanks
      merylen

      • beaven67

        If the Netscreen is the side with the dynamic address, you will need to set up the VPN similar to a road warrior type of VPN.
        Refer to the howto for a road warrior type of setup. Then just make sure you match the ESP and hash and SA lifetime settings.
        You can do this; it's just a little bit different than a standard VPN. The key is the local and remote ID information. Hope this helps.

        • cmb

          @beaven67:

          If the Netscreen is the side with the dynamic address you will need to setup the vpn similiar to a Road Warrior type of VPN.

          Not with 1.2.3 and newer, just need a dynamic DNS name.

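The two SPD rows in the first post are worth reading closely. The inbound policy names 88.65.126.145 as the peer while the outbound one names 88.65.126.6, and both use 192.168.0.1, the LAN address, as the local tunnel endpoint, which is what "Interface: LAN" in the tunnel settings produces (a tunnel across the WAN normally uses the WAN interface so the endpoint is the public address). With a dynamic peer, as cmb notes, the remote gateway is the DynDNS name, so installed policies also go stale whenever that name starts resolving elsewhere. The script below is added here as an example; it is not code from the thread or from pfSense. It parses SPD rows in the format the Status: IPsec page prints, derives direction from which subnet is local, and reports those three mismatches. The WAN address 203.0.113.1, the name peer.example.net and the offline resolver are constructed stand-ins for the poster's masked 213.x.y.z and a.b.c.d. One further caveat on the configuration itself: IKEv1 aggressive mode with a pre-shared key sends the PSK-derived authentication hash unencrypted, so the PSK must be long and random or it can be brute-forced offline from a single captured exchange.

```python
"""Check pfSense 1.2.3 'Status: IPsec' SPD rows against the tunnel you intended.

Added example; not code from the forum thread or from pfSense. It parses the two
SPD rows the poster shows (embedded below as constructed sample input) and flags
the mismatches a practitioner would check before blaming the far side:
  - the inbound and outbound policies name different remote endpoints,
  - the local tunnel endpoint is not a WAN address (the poster's tunnel has
    'Interface: LAN', which is why 192.168.0.1 shows up there),
  - the remote endpoint no longer matches what the peer's DynDNS name resolves to.
DNS lookup is injectable so the check also runs offline.
"""
import re
import socket
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

# Constructed sample input: the SPD rows as printed in the post.
SAMPLE_SPD = """\
10.15.6.0/24     192.168.0.0/24     >    ESP     88.65.126.145 - 192.168.0.1
192.168.0.0/24    10.15.6.0/24    <   ESP    192.168.0.1 - 88.65.126.6
"""

# Tunnel endpoints are printed as "tunnel-src - tunnel-dst".
_ROW = re.compile(
    r"^\s*(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<arrow>[<>])\s+(?P<proto>\S+)\s+"
    r"(?P<ep_src>\d{1,3}(?:\.\d{1,3}){3})\s*-\s*(?P<ep_dst>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)


@dataclass
class SpdEntry:
    src: str        # traffic selector source subnet
    dst: str        # traffic selector destination subnet
    direction: str  # "out" if src is our LAN, else "in"
    proto: str
    local_ep: str   # our tunnel endpoint
    remote_ep: str  # peer's tunnel endpoint


def parse_spd(text: str, local_subnet: str) -> List[SpdEntry]:
    """Parse GUI SPD rows. Direction is derived from which subnet is ours,
    so the arrow glyph is only matched, not trusted."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _ROW.match(line)
        if not m:
            raise ValueError(f"unrecognised SPD row: {line!r}")
        if m["src"] == local_subnet:
            entries.append(SpdEntry(m["src"], m["dst"], "out", m["proto"],
                                    local_ep=m["ep_src"], remote_ep=m["ep_dst"]))
        else:
            entries.append(SpdEntry(m["src"], m["dst"], "in", m["proto"],
                                    local_ep=m["ep_dst"], remote_ep=m["ep_src"]))
    return entries


def check_spd(entries: Iterable[SpdEntry], wan_addresses: Iterable[str],
              peer_fqdn: str,
              resolver: Optional[Callable[[str], str]] = None) -> List[str]:
    """Return a list of findings (empty means the SPD looks consistent).
    Each finding starts with a short code so callers can match on it."""
    entries = list(entries)
    wan = set(wan_addresses)
    resolve = resolver or socket.gethostbyname
    findings: List[str] = []

    seen = {e.direction for e in entries}
    for d in ("in", "out"):
        if d not in seen:
            findings.append(f"MISSING_DIRECTION: no {d}bound policy installed")

    remotes = {e.remote_ep for e in entries}
    if len(remotes) > 1:
        findings.append("REMOTE_MISMATCH: policies disagree on the peer address: "
                        + ", ".join(f"{e.direction}={e.remote_ep}" for e in entries))

    for e in entries:
        if e.local_ep not in wan:
            findings.append(f"LOCAL_NOT_WAN: {e.direction}bound policy uses "
                            f"{e.local_ep} as our endpoint; the peer sends to the "
                            f"WAN address (check the tunnel's Interface setting)")

    try:
        current = resolve(peer_fqdn)
    except OSError as exc:
        findings.append(f"RESOLVE_FAILED: {peer_fqdn}: {exc}")
        return findings
    for e in entries:
        if e.remote_ep != current:
            findings.append(f"STALE_REMOTE: {e.direction}bound policy has "
                            f"{e.remote_ep} but {peer_fqdn} now resolves to {current}")
    return findings


if __name__ == "__main__":
    # Hypothetical stand-ins for the poster's masked 213.x.y.z and a.b.c.d;
    # the lambda replaces DNS so the run is offline.
    entries = parse_spd(SAMPLE_SPD, local_subnet="192.168.0.0/24")
    for finding in check_spd(entries, wan_addresses={"203.0.113.1"},
                             peer_fqdn="peer.example.net",
                             resolver=lambda _name: "88.65.126.6"):
        print(finding)
```

Run against the poster's rows it reports REMOTE_MISMATCH, LOCAL_NOT_WAN for both directions and STALE_REMOTE for the inbound policy; drop the resolver argument to query real DNS for the DynDNS name, and re-run after the peer's address changes to see whether pfSense has re-resolved it.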
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.