Help required for Juniper SSG 140 - Cannot establish IPSEC tunnel to PF Sense
-
Hi, a newbie here…
I am trying to configure a VPN tunnel between a Juniper SSG140 and Pfsense 2.0.1
At present I am not having much luck...
I have created a tunnel to a ZyXEL firewall from the Juniper - so all is working there...
Have also created a Pfsense to Pfsense tunnel - so I know this is working... The best result that I have had is that Phase 2 is establishing... but nothing thereafter...
Does anyone have a crib sheet or any information that they can forward me regarding a working configuration?
Many thanks.
-
Have you added firewall rules to allow traffic over the IPsec tunnel?
-
Hello, yes the firewall rules are there… and as mentioned, a tunnel will build to another PFSense install and a ZyXEL firewall...
My problem is at the moment that neither logs reveal much sadly...
Is there a white paper / configuration guide...?
-
Hi, further information shows the following on the Juniper..
IKE 84.45.109.82 phase 1:The symmetric crypto key has been generated successfully.
Pfsense gives me..
Sep 3 15:33:05 racoon: INFO: unsupported PF_KEY message REGISTER
Sep 3 15:33:05 racoon: DEBUG: got pfkey REGISTER message
Sep 3 15:33:05 racoon: DEBUG: pk_recv: retry[0] recv()
Sep 3 15:33:05 racoon: [HQ Phase 1]: [87.82.201.9] DEBUG: configuration "87.82.201.9[500]" selected.
Sep 3 15:33:05 racoon: [HQ Phase 1]: [87.82.201.9] DEBUG: getrmconf_by_ph1: remote 87.82.201.9[500], identity 87.82.201.9.
Sep 3 15:33:05 racoon: DEBUG: getsainfo params: loc='10.253.0.0/24' rmt='10.254.0.0/24' peer='NULL' client='NULL' id=1
Sep 3 15:33:05 racoon: DEBUG: no check of compression algorithm; not supported in sadb message.
Sep 3 15:33:05 racoon: DEBUG: reading config file /var/etc/racoon.conf
Sep 3 15:33:05 racoon: DEBUG: pk_recv: retry[2] recv()
Sep 3 15:33:05 racoon: DEBUG: pk_recv: retry[1] recv()
Sep 3 15:33:05 racoon: DEBUG: pk_recv: retry[0] recv()
Any suggestions?
-
Well, obviously ensure you're using the same P1 / P2 config at both ends of the tunnel.
There can be a number of issues, since IPsec is a complex protocol (there even have been some incompatibilities between vendor implementations in the past, although this almost certainly isn't the issue in your case). pfSense is using ipsec-tools (racoon), which is very widely deployed.
For diagnostics you'd need to check/provide the contents of racoon.conf and spd.conf in /var/etc/ and/or debug-level logs (System -> Advanced -> Misc -> start racoon in debug mode).
-
Hello - files attached.
-
Good morning - I have tried configuring a tunnel against another firewall (ZyXEL) with which I am more familiar - and although I see the initial send/receive main mode request - I then see an IKE packet re-transmit... it's as if the phases are in a continuous loop.
We are actually hosting PFSense in the cloud with a static public IP for your reference... The key is to get the tunnel working between the Juniper SSG 140 and PFSense.
I have attached screens from the config on the Juniper and the PFSense screens and the current logs...
Again, thanks for anyone's help on this - I am new to both these products...
Generally, my understanding is that apart from the standard phase 1 / phase 2 algorithm settings, there are additional local / remote ID checks.. (previously I have used IP, DNS or Email as an option).
Within PFSense, the only fields that I can see relating to this - are the LocalID field in the gateway and the MyIdentity field in the PSK area.. but I am not too sure if these are relevant.
Once again, thank you for your excellent report...
-
Two further images
-
Last image..
-
In the P1's My/Peer Identifier fields, put "My IP address" & "Peer IP address" respectively.
PS: Also keep in mind that DES and 3DES are different ciphers.
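For reference, this is what the pfSense-side racoon.conf ends up looking like once the P1 identifiers are set to "My IP address" / "Peer IP address" as suggested above. It is an added illustration, not a file from this thread: the peer addresses and subnets are the ones in the logs posted here, while the algorithms, DH group, lifetimes and the pre-shared key are assumptions and must be made to match whatever the SSG 140 is configured with.

```conf
# Added example of a pfSense 2.0-style /var/etc/racoon.conf for the tunnel in this thread.
# Peer addresses/subnets are taken from the posted logs; proposals and PSK are assumed.
path pre_shared_key "/var/etc/psk.txt";   # contains: 87.82.201.9  <pre-shared key>

remote 87.82.201.9 {                       # the Juniper SSG 140 (from the racoon log)
    exchange_mode main;                    # main mode, as both sides attempt above
    my_identifier address 84.45.109.82;    # "My IP address"   -> pfSense WAN (from the Juniper log)
    peers_identifier address 87.82.201.9;  # "Peer IP address" -> identifier the SSG must send
    verify_identifier on;                  # reject P1 if the peer sends a different ID
    nat_traversal off;
    proposal_check obey;                   # accept peer's lifetime if it differs
    lifetime time 28800 sec;               # assumed: must equal the SSG P1 lifetime
    proposal {
        encryption_algorithm 3des;         # assumed: 3DES here, not DES (they differ)
        hash_algorithm sha1;               # assumed
        authentication_method pre_shared_key;
        dh_group 2;                        # assumed: 1024-bit MODP
    }
}

# Phase 2: local 10.253.0.0/24 <-> remote 10.254.0.0/24 (from getsainfo in the log)
sainfo address 10.253.0.0/24 any address 10.254.0.0/24 any {
    encryption_algorithm 3des;             # assumed: must equal the SSG P2 proposal
    authentication_algorithm hmac_sha1;    # assumed
    pfs_group 2;                           # assumed: PFS on, group 2 (or off on both sides)
    lifetime time 3600 sec;                # assumed
    compression_algorithm deflate;
}
```

The `verify_identifier on` line is what turns an ID mismatch from a silent retransmit loop into an explicit log entry on the pfSense side, which makes the P1 problem described above visible instead of the bare `pk_recv: retry` lines.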