Netgate Discussion Forum

    Pfsense - zyxel usg100 vpn crashes both firewalls!

    IPsec
    3 Posts 2 Posters 3.1k Views
    sten2004

      Hi, I am a pfSense newbie and non-Linux minded ??? but a long-time networker.

      I am trying to make a site-to-site IPsec tunnel work between pfSense 1.2-RC4
      built on Sat Jan 5 23:19:27 UTC 2008 (ARCA appliance box) and a Zyxel USG 100, fw 2.20 aqq.4.

      I managed to get the tunnel up and running and can ping between both sites, but the minute I try to make a connection, e.g. RDP or HTTP, to the remote site both firewalls halt and reboot and the connection is lost. The tunnel is rebuilt upon boot-up.

      I am monitoring with syslog but none of my logs give me any hints of what happens.

      Any hints or suggestions are welcome.

      Below is the pfSense IPsec config which so far proves to be the most "stable":

      <ipsec>
        <preferredoldsa/>
        <tunnel>
          <disabled/>   (disabled on purpose!)
          <interface>wan</interface>
          <local-subnet>
            <address>214.x.x.x/24</address>
          </local-subnet>
          <remote-subnet>192.168.130.0/24</remote-subnet>
          <remote-gateway>8x.x.x.x</remote-gateway>
          <p1>
            <mode>aggressive</mode>
            <myident>
              <fqdn>dr.dk</fqdn>
            </myident>
            <encryption-algorithm>3des</encryption-algorithm>
            <hash-algorithm>sha1</hash-algorithm>
            <dhgroup>2</dhgroup>
            <lifetime>28800</lifetime>
            <pre-shared-key>%Ftesting</pre-shared-key>
            <private-key/>
            <cert/>
            <peercert/>
            <authentication_method>pre_shared_key</authentication_method>
          </p1>
          <p2>
            <protocol>esp</protocol>
            <encryption-algorithm-option>3des</encryption-algorithm-option>
            <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
            <pfsgroup>2</pfsgroup>
            <lifetime>86400</lifetime>
          </p2>
          <descr>Vejle</descr>
          <pinghost>192.168.130.1</pinghost>
        </tunnel>
        <enable/>
      </ipsec>
      spiritbreaker

        Hi,

        Test the tunnel with a newer release or v2.0 if possible.

        Found a similar thread http://forum.pfsense.org/index.php?topic=19000.0 with 1.2.2.

        Changing the algorithm doesn't change anything?

        Do both firewalls get too hot? :D

        EDIT:

        1. What about this?

        <pfsgroup>2</pfsgroup>
        <lifetime>86400</lifetime>

        The p2 lifetime is larger than in p1?

        -> change the p2 lifetime to 3600 on both firewalls
        -> try to disable Perfect Forward Secrecy (pfsgroup) in p2 for better compatibility on both ends

        2. Use MAIN mode for site-to-site on both ends.
        3. Uncheck the "prefer older SA" option.
        4. Try not to use the pinghost directive.
        5. Use DPD 60s on both ends.

        cya

        Pfsense running at 11 Locations
        -mobile OPENVPN and IPSEC
        -multiwan failover
        -filtering proxy(squidguard) in bridgemode with ntop monitoring

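Added example, not from the thread and not pfSense code: a small Python linter that parses an <ipsec> block shaped like the one posted in the first post and reports items 1 to 4 of the checklist above (p2 lifetime larger than p1, aggressive mode, prefer older SA, pinghost), notes PFS in p2 as the compatibility point the reply raises, and additionally flags 3DES as deprecated (my addition, not from the reply). The sample config is reconstructed from the first post, with its masked addresses kept as posted; the DPD item is left out because its config key does not appear in the thread. apply_checklist() rewrites the block the way the reply suggests so the before and after can be compared.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the thread's config with the same values (masked
# addresses kept as posted). Not a complete pfSense config.xml.
SAMPLE_CONFIG = """<ipsec><preferredoldsa/><tunnel><disabled/>
<interface>wan</interface>
<local-subnet><address>214.x.x.x/24</address></local-subnet>
<remote-subnet>192.168.130.0/24</remote-subnet><remote-gateway>8x.x.x.x</remote-gateway>
<p1><mode>aggressive</mode><myident><fqdn>dr.dk</fqdn></myident>
<encryption-algorithm>3des</encryption-algorithm><hash-algorithm>sha1</hash-algorithm>
<dhgroup>2</dhgroup><lifetime>28800</lifetime>
<pre-shared-key>%Ftesting</pre-shared-key>
<authentication_method>pre_shared_key</authentication_method></p1>
<p2><protocol>esp</protocol><encryption-algorithm-option>3des</encryption-algorithm-option>
<hash-algorithm-option>hmac_sha1</hash-algorithm-option>
<pfsgroup>2</pfsgroup><lifetime>86400</lifetime></p2>
<descr>Vejle</descr><pinghost>192.168.130.1</pinghost>
</tunnel><enable/></ipsec>"""


def _text(node, tag, default=""):
    """Stripped text of a direct child of node, or default when absent/empty."""
    child = node.find(tag) if node is not None else None
    if child is None or child.text is None or not child.text.strip():
        return default
    return child.text.strip()


def lint_tunnel(tunnel, prefer_old_sa):
    """Return (level, message) findings for one <tunnel> element."""
    name = _text(tunnel, "descr", "<no descr>")
    p1, p2 = tunnel.find("p1"), tunnel.find("p2")
    out = []
    # Item 1: the phase 2 lifetime should not exceed the phase 1 lifetime.
    p1_life = int(_text(p1, "lifetime", "0"))
    p2_life = int(_text(p2, "lifetime", "0"))
    if p2_life > p1_life:
        out.append(("warn", f"{name}: p2 lifetime {p2_life}s exceeds p1 lifetime {p1_life}s"))
    # Item 2: main mode for site-to-site. Aggressive mode with a PSK also
    # sends the authentication hash unencrypted, which is the weaker choice.
    mode = _text(p1, "mode")
    if mode != "main":
        out.append(("warn", f"{name}: phase 1 mode is '{mode}', use main mode"))
    # Item 3: the global 'prefer older SA' flag (a child of <ipsec>).
    if prefer_old_sa:
        out.append(("info", f"{name}: 'prefer older SA' is set"))
    # Item 4: pinghost directive present.
    if _text(tunnel, "pinghost"):
        out.append(("info", f"{name}: pinghost {_text(tunnel, 'pinghost')} is set"))
    # PFS in p2: the reply suggests disabling it only for compatibility.
    if _text(p2, "pfsgroup"):
        out.append(("info", f"{name}: PFS group {_text(p2, 'pfsgroup')} enabled in p2"))
    # Not from the thread: 3DES is deprecated, so flag it in either phase.
    for phase, node, tag in (("p1", p1, "encryption-algorithm"),
                             ("p2", p2, "encryption-algorithm-option")):
        if _text(node, tag).lower() == "3des":
            out.append(("warn", f"{name}: {phase} uses 3DES, which is deprecated"))
    return out


def lint_ipsec(xml_text):
    """Lint every <tunnel> under an <ipsec> root (or a config that contains one)."""
    root = ET.fromstring(xml_text)
    ipsec = root if root.tag == "ipsec" else root.find("ipsec")
    if ipsec is None:
        raise ValueError("no <ipsec> element found")
    prefer_old_sa = ipsec.find("preferredoldsa") is not None
    findings = []
    for tunnel in ipsec.findall("tunnel"):
        findings.extend(lint_tunnel(tunnel, prefer_old_sa))
    return findings


def apply_checklist(xml_text):
    """Rewrite an <ipsec> block per items 1-4 of the reply and return it as XML."""
    ipsec = ET.fromstring(xml_text)
    old = ipsec.find("preferredoldsa")
    if old is not None:
        ipsec.remove(old)                       # item 3
    for tunnel in ipsec.findall("tunnel"):
        mode = tunnel.find("p1/mode")
        if mode is not None:
            mode.text = "main"                  # item 2
        p2 = tunnel.find("p2")
        if p2 is not None:
            life = p2.find("lifetime")
            if life is not None:
                life.text = "3600"              # item 1
            pfs = p2.find("pfsgroup")
            if pfs is not None:
                p2.remove(pfs)                  # PFS off, for compatibility
        ping = tunnel.find("pinghost")
        if ping is not None:
            tunnel.remove(ping)                 # item 4
    return ET.tostring(ipsec, encoding="unicode")


if __name__ == "__main__":
    for level, msg in lint_ipsec(SAMPLE_CONFIG):
        print(f"[{level}] {msg}")
    print("remaining after checklist:", lint_ipsec(apply_checklist(SAMPLE_CONFIG)))
```

Run as-is it prints seven findings for the posted config; after apply_checklist() only the two 3DES warnings remain, which is the point of keeping the algorithm check separate from the thread's compatibility items.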
        sten2004

          I have dropped trying to connect the USG-100 and pfSense firewall. The pfSense handles PPTP VPNs and I am not willing to give this feature up.

          I was advised not to try v2.0 by the provider of the pfSense appliance due to reported stability issues.

          I tried various settings as per your suggestions, before my initial post.

          I ended up buying 2 SMB Cisco routers for the VPN tunnel instead.

          Will look into posts covering 1 GB WAN IPsec, where I will implement a pfSense-to-pfSense VPN to keep it simple and cost effective.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.