IPSec between Netscreen 5GT and pfsense 1.2.3
- 
 Hi,
 I've searched for a solution for the last 3 days, but I don't get the point.
 Perhaps someone here can help me. My config looks like this:

 LAN(10.15.6.0/24) -- ||Netscreen 5GT|| -- WAN(Dyn. IP) ------- WAN(stat. IP: 213.x.y.z/32) -- ||pfsense v1.2.3|| -- LAN(192.168.0.0/24)

 I would like to establish an IPsec connection over the WAN. Then I want to communicate between both LANs in both directions.
 The tunnel should be static and reactivate itself when a disconnect occurs.

 My current pfsense config:
 Allow mobile clients: deactivated
 Interface: LAN
 Local subnet: LAN subnet
 Remote subnet: 10.15.6.0/24
 Remote gateway: a.b.c.d (dyndns address)

 Phase 1:
 Negotiation mode: aggressive
 My identifier: My IP address
 Ency. algo: 3DES
 Hash algo: SHA1
 DH key group: 2
 PSK
 PSK key: topsecret

 Phase 2:
 Proto: ESP
 Encry. algo: 3DES
 Hash algo: SHA1
 PFS key group: 2

 Under Status: IPsec, Overview and SAD are empty except for: "No IPsec security associations."
 SPD shows:
 10.15.6.0/24 192.168.0.0/24 > ESP 88.65.126.145 - 192.168.0.1
 192.168.0.0/24 10.15.6.0/24 < ESP 192.168.0.1 - 88.65.126.6

 When I stop and start IPsec I get:
 Aug 2 17:04:53 racoon: [Self]: INFO: 192.168.0.1[500] used as isakmp port (fd=17)
 Aug 2 17:04:53 racoon: [Self]: INFO: 213.x.y.z[500] used as isakmp port (fd=16)
 Aug 2 17:04:53 racoon: [Self]: INFO: 172.16.a.b[500] used as isakmp port (fd=15)
 Aug 2 17:04:53 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=14)
 Aug 2 17:04:53 racoon: INFO: unsupported PF_KEY message REGISTER
 Aug 2 17:04:53 racoon: [Self]: INFO: 192.168.0.1[500] used as isakmp port (fd=17)
 Aug 2 17:04:53 racoon: [Self]: INFO: 213.x.y.z[500] used as isakmp port (fd=16)
 Aug 2 17:04:53 racoon: [Self]: INFO: 172.16.a.b[500] used as isakmp port (fd=15)
 Aug 2 17:04:53 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=14)
 Aug 2 17:04:53 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
 Aug 2 17:04:53 racoon: INFO: @(#)This product linked OpenSSL 0.9.8e 23 Feb 2007 (http://www.openssl.org/)
 Aug 2 17:04:53 racoon: INFO: @(#)ipsec-tools 0.7.2 (http://ipsec-tools.sourceforge.net)

 Nothing more. When I try "racoon -d -F -v -f /var/etc/racoon.conf" on the console I get:

 racoon -d -F -v -f /var/etc/racoon.conf
 Foreground mode.
 2010-08-02 17:12:50: INFO: @(#)ipsec-tools 0.7.2 (http://ipsec-tools.sourceforge.net)
 2010-08-02 17:12:50: INFO: @(#)This product linked OpenSSL 0.9.8e 23 Feb 2007 (http://www.openssl.org/)
 2010-08-02 17:12:50: INFO: Reading configuration from "/var/etc/racoon.conf"
 2010-08-02 17:12:50: DEBUG: call pfkey_send_register for AH
 2010-08-02 17:12:50: DEBUG: call pfkey_send_register for ESP
 2010-08-02 17:12:50: DEBUG: call pfkey_send_register for IPCOMP
 2010-08-02 17:12:50: DEBUG: reading config file /var/etc/racoon.conf
 2010-08-02 17:12:50: DEBUG: hmac(modp1024)
 2010-08-02 17:12:50: DEBUG: compression algorithm can not be checked because sadb message doesn't support it.
 2010-08-02 17:12:50: DEBUG: getsainfo params: loc='192.168.0.0/24', rmt='10.15.6.0/24', peer='NULL', id=0
 2010-08-02 17:12:50: DEBUG: getsainfo pass #2
 2010-08-02 17:12:50: DEBUG: open /var/db/racoon/racoon.sock as racoon management.
 2010-08-02 17:12:50: DEBUG: my interface: 192.168.0.1 (re0)
 2010-08-02 17:12:50: DEBUG: my interface: 213.x.y.z (re1)
 2010-08-02 17:12:50: DEBUG: my interface: 172.16.a.b (re2)
 2010-08-02 17:12:50: DEBUG: my interface: 127.0.0.1 (lo0)
 2010-08-02 17:12:50: DEBUG: configuring default isakmp port.
 2010-08-02 17:12:50: DEBUG: 4 addrs are configured successfully
 2010-08-02 17:12:50: INFO: 127.0.0.1[500] used as isakmp port (fd=7)
 2010-08-02 17:12:50: INFO: 172.16.a.b[500] used as isakmp port (fd=8)
 2010-08-02 17:12:50: INFO: 213.x.y.z[500] used as isakmp port (fd=9)
 2010-08-02 17:12:50: INFO: 192.168.0.1[500] used as isakmp port (fd=10)
 2010-08-02 17:12:50: DEBUG: pk_recv: retry[0] recv()
 2010-08-02 17:12:50: DEBUG: get pfkey X_SPDDUMP message
 2010-08-02 17:12:50: DEBUG: pfkey X_SPDDUMP failed: No such file or directory
 ^C2010-08-02 17:12:52: INFO: caught signal 2
 2010-08-02 17:12:52: DEBUG: pk_recv: retry[0] recv()
 2010-08-02 17:12:52: DEBUG: get pfkey FLUSH message
 2010-08-02 17:12:53: DEBUG: call pfkey_send_dump
 2010-08-02 17:12:53: DEBUG: pk_recv: retry[0] recv()
 2010-08-02 17:12:53: INFO: racoon shutdown

 At "pfkey X_SPDDUMP failed: No such file or directory" it stops and I break with Ctrl-C.
 Under Rules: IPsec I permit everything:
 LAN to any
 Any to LAN
 every service allowed.

 The Netscreen is also in aggressive mode and the phases and the PSK are identical. I don't think the problem is on the NS side. For me it seems that phase 1 isn't activated at all. I wonder about the "no such file" and searched around, but didn't get any useful information.
 A hint or some help would be wonderful!

 Thanks
 merylen
- 
 If the Netscreen is the side with the dynamic address you will need to set up the VPN similar to a Road Warrior type of VPN.
 Refer to the howto for a Road Warrior type of setup. Then just make sure you match ESP and hash and SA lifetime settings.
 You can do this, it's just a little bit different than a standard VPN. The key is the local and remote ID information. Hope this helps.
- 
 "If the Netscreen is the side with the dynamic address you will need to set up the VPN similar to a Road Warrior type of VPN."

 Not with 1.2.3 and newer, you just need a dynamic DNS name.
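For readers following the thread, here is what the phase 1 / phase 2 settings listed in the first post look like on the static-IP (pfsense) side when written directly in racoon.conf for ipsec-tools 0.7, with the dynamic peer matched on its IKE identifier as the replies suggest. This is an added illustration, not the poster's generated file and not pfsense's own generator output. The DynDNS name netscreen.dyndns.example, the psk.txt path and the lifetimes are assumed placeholders; the subnets, 213.x.y.z, the algorithms and the DH/PFS groups come from the post.

```conf
# Added illustration of the posted settings in racoon.conf form (ipsec-tools 0.7).
# Assumed placeholders: netscreen.dyndns.example, /var/etc/psk.txt, lifetimes.
#
# The key file pairs the peer's IKE identifier with the PSK, one per line:
#   netscreen.dyndns.example   topsecret
path pre_shared_key "/var/etc/psk.txt";

# Phase 1 (ISAKMP SA). "anonymous" accepts the exchange from any source
# address, which is needed because the Netscreen's WAN address changes;
# the peer is then matched on the identifier it sends, not on its address.
remote anonymous {
        exchange_mode aggressive;
        # "My identifier: My IP address" in the pfsense GUI; the Netscreen
        # must use this same value as its peer ID.
        my_identifier address 213.x.y.z;
        # The dynamic side must send this FQDN as its IKE ID, and the same
        # string must be the first column of the matching psk.txt line.
        peers_identifier fqdn "netscreen.dyndns.example";
        verify_identifier on;
        proposal_check obey;
        nat_traversal on;
        lifetime time 28800 sec;   # assumed value
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;        # modp1024
        }
}

# Phase 2 (IPsec SA) between the two LANs named in the post.
sainfo address 192.168.0.0/24 any address 10.15.6.0/24 any {
        pfs_group 2;
        lifetime time 3600 sec;    # assumed value
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

Two things worth checking against this shape when phase 1 never appears in the log: the dynamic side has to be the initiator, and its IKE packets (UDP 500, and UDP 4500 when NAT traversal is in play) must be allowed on the pfsense WAN interface, since nothing in the post's rule list covers that. On the security side, aggressive mode with a pre-shared key sends the identity and the PSK-based authentication hash in the clear during the first exchange, so the PSK should be long and random and the peer identifier verified; where both ends have fixed addresses, main mode is the better choice.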