Can't establish VPN tunnel between PFSense & Sonicwall (06.08.17 it works!)
-
I am still with no luck
Perhaps something to do with your username…
Here are a few observations/recommendations:
1) Don't use 3DES, the Sonic will support AES
2) Use main mode on the pfSense side, not aggressive
3) Don't put the public IP in the ping host on the phase2. This should be a private IP reachable via the tunnel.
4) You should be able to leave the identifiers at 'my ip address' and 'peer ip address'
5) Two Comcast lines? They are not at the same location are they?
6) If the tunnel is disabled, it will never work. Find out why this is happening first. Start your config from scratch if necessary.
-
Thank you for your reply. I doubt my name scares people away :)
I changed everything you mentioned in 1-4.
The two lines are Comcast and they are not in the same location. Two separate offices in different cities.
I rebuilt the config from scratch and still nothing. Here you can see, when I click edit on phase 1, the check mark is always on "Set this option to disable this phase1 without removing it from the list". Both phases are enabled, but only phase 1 has this check mark on. I try to unmark it, save and apply changes, then I go back to edit and that mark is checked again.
And of course I changed the config settings on SonicWALL to match pfSense.
-
I doubt my name scares people away :)
Maybe not scared away… Something is up with your phase1 settings. It doesn't start disabled, and I've never seen it disable itself.
Post all of your phase1 settings, there must be something it doesn't like. Are you getting any IPSec errors in the log when you try to enable it?
-
Here are my phase 1 settings and IPsec logs. I first cleared the logs and then disabled IPsec. Then I clicked to edit it, unmarked that disable feature in phase 1, then enabled the IPsec log, and this is what info came up in the log for IPsec. Now, I even myself noticed both firewalls talked to each other, but something went wrong and it is beyond my experience; I just began learning about encryption.
![IPseclog 1.PNG](/public/imported_attachments/1/IPseclog 1.PNG)
![IPseclog 2.PNG](/public/imported_attachments/1/IPseclog 2.PNG)
![IPseclog 3.PNG](/public/imported_attachments/1/IPseclog 3.PNG)
-
Still pretty tough to tell looking at only one side.
You should probably post a new set of screen shots from both sides showing the current state of things as a pair.
The sonicwall doesn't like something and is returning "INVALID_SYNTAX" in the Phase 1 negotiation. Concentrate on Phase 1/IKE for now since you are not even getting to phase 2. The reason the sonicwall is returning that might be in the sonicwall logs.
Set the following to Diag in VPN > IPsec, Advanced, Logging: IKE SA, IKE CHILD SA, and Configuration Backend. Set everything else to Control.
-
Yeah, most of the stuff in the logs is normal until you get to the last shot.
Try setting Key Exchange to V1 instead of Auto.
The syntax error is unusual, I think this is what is disabling the phase1. Try deleting the phase2 and unchecking the disabled box on the phase1. Then verify the service remains running. If that's good, add the phase2 back in.
-
I don't see such an option here; everything is set to Control by default, as you see in the picture.
The 2nd picture is the SonicWall log for that particular time.
![IPseclog control.PNG](/public/imported_attachments/1/IPseclog control.PNG)
![Sonicwall log.PNG](/public/imported_attachments/1/Sonicwall log.PNG)
-
Ah sorry, my bad English kicked in. Going to change now to Diag those configs.
-
Those sonicwall logs don't really say much. I assume they are descending later to earlier in time?
-
No, that is the only info in logs for VPN between these pfSense and Sonicwall. Nothing before or after.
-
Looks like pfSense proposed a v2 exchange and the Sonic was set for v1.
Change the auto setting to v1 and try again.
-
I set those configs to Diag. Here are the logs for IPsec and Sonicwall
![IPseclog 1.PNG](/public/imported_attachments/1/IPseclog 1.PNG)
![IPseclog 2.PNG](/public/imported_attachments/1/IPseclog 2.PNG)
![IPseclog 3.PNG](/public/imported_attachments/1/IPseclog 3.PNG)
![Soniwall log 2.PNG](/public/imported_attachments/1/Soniwall log 2.PNG)
![Sonicwall log 3.PNG](/public/imported_attachments/1/Sonicwall log 3.PNG)
-
You know you can copy and paste text instead of screen shots of those logs right?
-
OK so you're now getting through phase 1. The INVAL_ID error means the networks on your side do not match what the other side has configured.
You have:
Local: 192.168.0.0/16
Remote: 192.168.3.0/24
That /16 is almost certainly wrong and probably will not work.
-
OK, so I rebuilt the pfSense tunnel from scratch again with IKEv1 and the 192.168.10.0/24 subnet.
pfSense logs:
May 25 09:56:28 charon 10[IKE] <con1000|1>reinitiating already active tasks
May 25 09:56:28 charon 10[IKE] <con1000|1>ISAKMP_VENDOR task
May 25 09:56:28 charon 10[IKE] <con1000|1>MAIN_MODE task
May 25 09:56:28 charon 10[ENC] <con1000|1>generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
May 25 09:56:28 charon 10[NET] <con1000|1>sending packet: from pfsense[500] to sonicWall[500] (244 bytes)
May 25 09:56:28 charon 11[NET] <con1000|1>received packet: from sonicWall[500] to pfsense[500] (276 bytes)
May 25 09:56:28 charon 11[ENC] <con1000|1>parsed ID_PROT response 0 [ KE NAT-D NAT-D No V V V ]
May 25 09:56:28 charon 11[ENC] <con1000|1>received unknown vendor ID: 40:4b:f4:39:52:2c:a3:f6
May 25 09:56:28 charon 11[IKE] <con1000|1>received XAuth vendor ID
May 25 09:56:28 charon 11[IKE] <con1000|1>received DPD vendor ID
May 25 09:56:28 charon 11[IKE] <con1000|1>reinitiating already active tasks
May 25 09:56:28 charon 11[IKE] <con1000|1>ISAKMP_VENDOR task
May 25 09:56:28 charon 11[IKE] <con1000|1>MAIN_MODE task
May 25 09:56:28 charon 11[ENC] <con1000|1>generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
May 25 09:56:28 charon 11[NET] <con1000|1>sending packet: from pfsense[500] to SonicWall[500] (108 bytes)
May 25 09:56:28 charon 08[NET] <con1000|1>received packet: from SonicWall[500] to pfsense[500] (76 bytes)
May 25 09:56:28 charon 08[ENC] <con1000|1>parsed ID_PROT response 0 [ ID HASH ]
May 25 09:56:28 charon 08[IKE] <con1000|1>IKE_SA con1000[1] established between pfsense[pfsense]…SonicWall[SonicWall]
May 25 09:56:28 charon 08[IKE] <con1000|1>IKE_SA con1000[1] state change: CONNECTING => ESTABLISHED
May 25 09:56:28 charon 08[IKE] <con1000|1>scheduling reauthentication in 28174s
May 25 09:56:28 charon 08[IKE] <con1000|1>maximum IKE_SA lifetime 28714s
May 25 09:56:28 charon 08[IKE] <con1000|1>activating new tasks
May 25 09:56:28 charon 08[IKE] <con1000|1>activating QUICK_MODE task
May 25 09:56:28 charon 08[CFG] <con1000|1>configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
May 25 09:56:28 charon 08[CFG] <con1000|1>configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
May 25 09:56:28 charon 08[CFG] <con1000|1>proposing traffic selectors for us:
May 25 09:56:28 charon 08[CFG] <con1000|1>192.168.10.0/24|/0
May 25 09:56:28 charon 08[CFG] <con1000|1>proposing traffic selectors for other:
May 25 09:56:28 charon 08[CFG] <con1000|1>192.168.3.0/24|/0
May 25 09:56:28 charon 08[ENC] <con1000|1>generating QUICK_MODE request 4263043729 [ HASH SA No ID ID ]
May 25 09:56:28 charon 08[NET] <con1000|1>sending packet: from pfsense[500] to SonicWall[500] (188 bytes)
May 25 09:56:28 charon 07[NET] <con1000|1>received packet: from SonicWall[500] to pfsense[500] (108 bytes)
May 25 09:56:28 charon 07[ENC] <con1000|1>parsed INFORMATIONAL_V1 request 2520402767 [ HASH N(NO_PROP) ]
May 25 09:56:28 charon 07[IKE] <con1000|1>received NO_PROPOSAL_CHOSEN error notify
May 25 09:56:31 charon 00[DMN] signal of type SIGINT received. Shutting down
May 25 09:56:31 charon 00[IKE] <con1000|1>queueing ISAKMP_DELETE task
May 25 09:56:31 charon 00[IKE] <con1000|1>activating new tasks
May 25 09:56:31 charon 00[IKE] <con1000|1>activating ISAKMP_DELETE task
May 25 09:56:31 charon 00[IKE] <con1000|1>deleting IKE_SA con1000[1] between pfsense[pfsense]…SonicWall[SonicWall]
May 25 09:56:31 charon 00[IKE] <con1000|1>sending DELETE for IKE_SA con1000[1]
May 25 09:56:31 charon 00[IKE] <con1000|1>IKE_SA con1000[1] state change: ESTABLISHED => DELETING
May 25 09:56:31 charon 00[ENC] <con1000|1>generating INFORMATIONAL_V1 request 3586940182 [ HASH D ]
May 25 09:56:31 charon 00[NET] <con1000|1>sending packet: from pfsense[500] to SonicWall[500] (92 bytes)
May 25 09:56:31 charon 00[IKE] <con1000|1>IKE_SA con1000[1] state change: DELETING => DESTROYING
May 25 09:56:31 charon 00[CFG] proposing traffic selectors for us:
May 25 09:56:31 charon 00[CFG] 192.168.10.0/24|/0
May 25 09:56:31 charon 00[CFG] proposing traffic selectors for other:
May 25 09:56:31 charon 00[CFG] 192.168.10.0/24|/0
May 25 09:56:31 ipsec_starter 42453 charon stopped after 200 ms
May 25 09:56:31 ipsec_starter 42453 ipsec starter stopped
SonicWall logs:
09:57:40 May 25 403 VPN Inform IKE negotiation aborted due to Timeout sonicwall, 500 pfsense, 500 udp VPN Policy
09:57:06 May 25 171 VPN Debug SENDING>>>> ISAKMP OAK MM (InitCookie:0x7f9802c36a3f9670 RespCookie:0x0000000000000000, MsgID: 0x0) (SA, VID, VID, VID, VID, VID) Sonicwall, 500 pfsense, 500 udp
09:57:06 May 25 930 VPN Inform IKE Initiator: Remote party Timeout - Retransmitting IKE Request. sonicwall, 500 pfsense, 500 udp VPN Policy
09:56:48 May 25 171 VPN Debug SENDING>>>> ISAKMP OAK MM (InitCookie:0x7f9802c36a3f9670 RespCookie:0x0000000000000000, MsgID: 0x0) (SA, VID, VID, VID, VID, VID) sonicwall, 500 pfsense, 500 udp
09:56:48 May 25 930 VPN Inform IKE Initiator: Remote party Timeout - Retransmitting IKE Request. sonicwall, 500 pfsense, 500 udp VPN Policy: VPN
09:56:37 May 25 171 VPN Debug SENDING>>>> ISAKMP OAK MM (InitCookie:0x7f9802c36a3f9670 RespCookie:0x0000000000000000, MsgID: 0x0) (SA, VID, VID, VID, VID, VID) sonicwall, 500 pfsense, 500 udp
09:56:37 May 25 930 VPN Inform IKE Initiator: Remote party Timeout - Retransmitting IKE Request. sonicwall, 500 pfsense, 500 udp VPN Policy: VPN
09:56:31 May 25 171 VPN Debug SENDING>>>> ISAKMP OAK MM (InitCookie:0x7f9802c36a3f9670 RespCookie:0x0000000000000000, MsgID: 0x0) (SA, VID, VID, VID, VID, VID) sonicwall, 500 pfsense, 500 udp
09:56:31 May 25 351 VPN Inform IKE Initiator: Start Main Mode negotiation (Phase 1) sonicwall, 500 pfsense, 500 udp VPN Policy: VPN to HQ
09:56:31 May 25 413 VPN Inform Received IKE SA delete request pfsense, 500 sonicwall, 500 VPN Policy: VPN to HQ
09:56:31 May 25 171 VPN Debug RECEIVED<<< ISAKMP OAK INFO (InitCookie:0x0edac780e119a512 RespCookie:0x02d555f9af2c4338, MsgID: 0xD5CC5D16) *(HASH, DEL) pfsense, 500 sonicwall, 500 udp
09:56:28 May 25 171 VPN Debug SENDING>>>> ISAKMP OAK INFO (InitCookie:0x0edac780e119a512 RespCookie:0x02d555f9af2c4338, MsgID: 0x963A4B4F) *(HASH, NOTIFY: NO_PROPOSAL_CHOSEN) sonicwall, pfsense, 500 udp
09:56:28 May 25 171 VPN Debug RECEIVED<<< ISAKMP OAK QM (InitCookie:0x0edac780e119a512 RespCookie:0x02d555f9af2c4338, MsgID: 0xFE18E291) *(HASH, SA, NON, ID, ID) pfsense, 500 sonicwall, 500 udp
09:56:28 May 25 352 VPN Inform IKE Responder: Received Quick Mode Request (Phase 2) pfsense, 500 sonicwall, 500 udp VPN Policy: VPN
09:56:28 May 25 88 VPN Warning IKE Responder: IPsec proposal does not match (Phase 2) pfsense, 500 sonicwall, 500 udp VPN Policy: VPN
09:56:28 May 25 259 VPN Warning IKE Responder: ESP Perfect Forward Secrecy mismatch pfsense, 500 sonicwall, 500 udp VPN Policy: VPN
09:56:28 May 25 171 VPN Debug SENDING>>>> ISAKMP OAK MM (InitCookie:0x0edac780e119a512 RespCookie:0x02d555f9af2c4338, MsgID: 0x0) *(ID, HASH) sonicwall, 500 pfsense, 500 udp
09:56:28 May 25 357 VPN Inform IKE Responder: Main Mode complete (Phase 1) pfsense, 500 sonicwall, 500 VPN Policy: VPN
09:56:28 May 25 241 VPN Inform NAT Discovery : No NAT/NAPT device detected between IPsec Security gateways pfsense, 500 sonicwall, 500 VPN Policy: VPN
09:56:28 May 25 171 VPN Debug RECEIVED<<< ISAKMP OAK MM (InitCookie:0x0edac780e119a512 RespCookie:0x02d555f9af2c4338, MsgID: 0x0) *(ID, HASH, NOTIFY: INITIAL_CONTACT) pfsense, 500 sonicwall, 500 udp
09:56:28 May 25 171 VPN Debug SENDING>>>> ISAKMP OAK MM (InitCookie:0x0edac780e119a512 RespCookie:0x02d555f9af2c4338, MsgID: 0x0) (KE, NATD, NATD, NON, VID, VID, VID) sonicwall, 500 pfsense, 500 udp
09:56:28 May 25 171 VPN Debug RECEIVED<<< ISAKMP OAK MM (InitCookie:0x0edac780e119a512 RespCookie:0x02d555f9af2c4338, MsgID: 0x0) (KE, NON, NATD, NATD) pfsense, 500 sonicwall, 500 udp
09:56:28 May 25 171 VPN Debug SENDING>>>> ISAKMP OAK MM (InitCookie:0x0edac780e119a512 RespCookie:0x02d555f9af2c4338, MsgID: 0x0) (SA, VID, VID) sonicwall, 500 5pfsense, 500 udp
09:56:28 May 25 355 VPN Inform IKE Responder: Received Main Mode Request (Phase 1) pfsense, 500 sonicwall, 500 udp
09:56:28 May 25 171 VPN Debug RECEIVED<<< ISAKMP OAK MM (InitCookie:0x0edac780e119a512 RespCookie:0x0000000000000000, MsgID: 0x0) (SA, VID, VID, VID, VID, VID) pfsense, 500 sonicwall, 500 udp
09:56:24 May 25 171 VPN Debug SENDING>>>> ISAKMP OAK MM (InitCookie:0x26b927c746756b4c RespCookie:0x0000000000000000, MsgID: 0x0) (SA, VID, VID, VID, VID, VID) sonicwall, 500 pfsense, 500 udp
09:56:24 May 25 930 VPN Inform IKE Initiator: Remote party Timeout - Retransmitting IKE Request. sonicwall, 500 pfsense, 500 udp VPN Policy: VPN
09:56:19 May 25 171 VPN Debug SENDING>>>> ISAKMP OAK MM (InitCookie:0x26b927c746756b4c RespCookie:0x0000000000000000, MsgID: 0x0) (SA, VID, VID, VID, VID, VID) sonicwall, 500 pfsense, 500 udp
09:56:19 May 25 351 VPN Inform IKE Initiator: Start Main Mode negotiation (Phase 1) sonicwall, 500 pfsense, 500 udp VPN Policy: VPN
What does it mean in bold? Does it refer to the Comcast modem? It's there just in bridge mode.
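As an added example (not part of the thread and not pfSense or strongSwan code), here is a small Python triage of charon log lines like the ones above. It records whether phase 1 completed, which ESP proposal and traffic selectors pfSense offered, and which error notify the peer sent, and maps the notify to the usual configuration cause discussed in this thread (IKE version for INVALID_SYNTAX, phase 2 proposal/PFS for NO_PROPOSAL_CHOSEN, mirrored networks for INVALID_ID_INFORMATION). The sample lines are constructed from the log above; the connection name, host labels and the hint wording are assumptions.

```python
"""Triage strongSwan (charon) IKE log lines from a site-to-site tunnel.

Added example for this thread; the hint table and sample logs are
constructed from the errors discussed here, not taken from any product.
"""
import re
from dataclasses import dataclass, field

# "May 25 09:56:28 charon 08[IKE] <con1000|1>IKE_SA con1000[1] state change: ..."
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) charon \d+\[(?P<sub>[A-Z]+)\] "
    r"(?:<(?P<conn>[^|>]+)\|\d+>\s*)?(?P<msg>.*)$"
)
# IKEv1 logs "received X error notify", IKEv2 logs "received X notify error".
NOTIFY_RE = re.compile(r"received (?P<notify>[A-Z_]+) (?:error notify|notify error)")
SEL_HDR_RE = re.compile(r"^proposing traffic selectors for (?P<side>us|other):$")
SEL_RE = re.compile(r"^(?P<net>\d+\.\d+\.\d+\.\d+/\d+)\|")

# Usual configuration cause of each error notify on a policy-based tunnel.
HINTS = {
    "INVALID_SYNTAX": "peer rejected the IKE exchange: check IKE version (Auto/v2 vs v1) and main vs aggressive mode",
    "NO_PROPOSAL_CHOSEN": "ESP proposal rejected: compare phase 2 encryption, hash, lifetime and PFS group",
    "INVALID_ID_INFORMATION": "traffic selectors rejected: local/remote networks must mirror the peer's exactly",
}


@dataclass
class Triage:
    phase1_established: bool = False
    child_established: bool = False
    proposals: list = field(default_factory=list)
    selectors: dict = field(default_factory=lambda: {"us": [], "other": []})
    errors: list = field(default_factory=list)   # (notify, stage, hint)


def triage(lines):
    """Walk charon log lines in order and summarise how far the tunnel got."""
    t = Triage()
    side = None   # selector list the next network line belongs to
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        hdr = SEL_HDR_RE.match(msg)
        if hdr:
            side = hdr.group("side")
            continue
        sel = SEL_RE.match(msg)
        if sel and side:
            t.selectors[side].append(sel.group("net"))
            continue
        side = None
        if "state change: CONNECTING => ESTABLISHED" in msg:
            t.phase1_established = True
        elif msg.startswith("CHILD_SA ") and " established " in msg:
            t.child_established = True
        elif msg.startswith("configured proposals:"):
            prop = msg.split(":", 1)[1].strip()
            if prop not in t.proposals:
                t.proposals.append(prop)
        else:
            nm = NOTIFY_RE.search(msg)
            if nm:
                notify = nm.group("notify")
                # An error before the IKE_SA exists is a phase 1 problem; after it, phase 2.
                stage = "phase 2" if t.phase1_established else "phase 1"
                t.errors.append((notify, stage, HINTS.get(notify, "unmapped notify; read the peer's log")))
    return t


def stalled_at(t):
    """Name the stage at which the negotiation stopped."""
    if t.child_established:
        return "established"
    return "phase 2" if t.phase1_established else "phase 1"


# Constructed sample: the PFS/proposal failure seen in this thread.
SAMPLE_NO_PROPOSAL = """\
May 25 09:56:28 charon 08[ENC] <con1000|1>parsed ID_PROT response 0 [ ID HASH ]
May 25 09:56:28 charon 08[IKE] <con1000|1>IKE_SA con1000[1] state change: CONNECTING => ESTABLISHED
May 25 09:56:28 charon 08[CFG] <con1000|1>configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
May 25 09:56:28 charon 08[CFG] <con1000|1>configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
May 25 09:56:28 charon 08[CFG] <con1000|1>proposing traffic selectors for us:
May 25 09:56:28 charon 08[CFG] <con1000|1>192.168.10.0/24|/0
May 25 09:56:28 charon 08[CFG] <con1000|1>proposing traffic selectors for other:
May 25 09:56:28 charon 08[CFG] <con1000|1>192.168.3.0/24|/0
May 25 09:56:28 charon 07[ENC] <con1000|1>parsed INFORMATIONAL_V1 request 2520402767 [ HASH N(NO_PROP) ]
May 25 09:56:28 charon 07[IKE] <con1000|1>received NO_PROPOSAL_CHOSEN error notify
"""

# Constructed sample: the earlier IKE-version rejection, before any IKE_SA existed.
SAMPLE_V2_REJECT = """\
May 25 09:40:01 charon 09[NET] <con1000|1>sending packet: from pfsense[500] to sonicwall[500] (464 bytes)
May 25 09:40:01 charon 09[IKE] <con1000|1>received INVALID_SYNTAX notify error
"""

if __name__ == "__main__":
    for name, log in (("no-proposal", SAMPLE_NO_PROPOSAL), ("v2-reject", SAMPLE_V2_REJECT)):
        r = triage(log.splitlines())
        print(name, "stalled at", stalled_at(r), r.errors)
```

Feed it the text pasted from the IPsec log (not a screenshot) and it answers the question the thread keeps circling: is the failure in phase 1 or phase 2, and which settings to compare first.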
-
This is the pfSense IPsec config. I don't know if there is an option to copy/paste the IPsec config, so I just screen-capped it.
![IPsec Config.PNG](/public/imported_attachments/1/IPsec Config.PNG)
-
The errors point to a settings mismatch. Verify the phase 1 and phase 2 settings match exactly. (Of course the remote gateways and local/remote networks would be switched.)
-
I will check later tonight again, don't have time at the moment.
But I just want to say thank you very much for reading and responding to my post.
-
If there is NAT between two IPsec endpoints they switch from using ESP as the transport (the actual ipsec tunnels, aka phase 2) to using ESP encapsulated in UDP/4500 to help get through the NAT translation/firewall. What you are seeing is normal.
Your problem appears to be a settings mismatch, as has been stated above.
-
Sorry for not replying, I was very busy with other projects.
So, I figured out the problem, which was… well, phase 2 on the SonicWall had PFS Group 1 and pfSense had PFS Group 2.
I also added public IPs for IKE authentication in the SonicWall. Now everything works great and our proprietary software works over the VPN as we wanted, even without NetBIOS over TCP/IP.
However, I would still like to know how to enable this feature so that Windows itself could see the server on the network. I get why it's disabled, to prevent clogging up the network because everything will be broadcasting. Is there some special rule on pfSense to add just a certain IP for broadcast, like the local IP of the server which sits behind the SonicWall?
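Added example (not pfSense's or SonicWall's code): a check for the mirroring rule given earlier in the thread, that phase 1 and phase 2 settings must match exactly while gateways, identifiers and local/remote networks are swapped between the two sides. Each side's settings are modelled as a plain dict under hypothetical key names. The constructed sample reproduces the mismatch that turned out to be the cause here (PFS Group 1 on the SonicWall, Group 2 on pfSense), and the check also flags overlapping local/remote networks, the problem with the earlier 192.168.0.0/16 selector. Gateway addresses are RFC 5737 documentation addresses.

```python
"""Compare two IPsec peers' tunnel settings for the mismatches seen in this thread.

Added example; key names are hypothetical and the values are constructed.
"""
import ipaddress

# (key on side A, key on side B that must hold the same value)
MIRRORED = [
    ("local_gateway", "remote_gateway"),
    ("remote_gateway", "local_gateway"),
    ("my_identifier", "peer_identifier"),
    ("peer_identifier", "my_identifier"),
    ("local_network", "remote_network"),
    ("remote_network", "local_network"),
]
# Settings that must be identical on both sides, per phase.
PHASE_KEYS = {
    "phase1": ("ike_version", "mode", "auth", "encryption", "hash", "dh_group", "lifetime"),
    "phase2": ("protocol", "encryption", "hash", "pfs_group", "lifetime"),
}


def _norm(v):
    """Case- and whitespace-insensitive comparison of GUI-style values."""
    return str(v).strip().lower().replace(" ", "")


def _net(v):
    # strict=False normalises a host address with mask to its network
    return ipaddress.ip_network(v, strict=False)


def _same_net(x, y):
    try:
        return _net(x) == _net(y)
    except (ValueError, TypeError):
        return False


def compare_peers(a, b, name_a="pfSense", name_b="SonicWall"):
    """Return a list of human-readable mismatches; an empty list means the sides agree."""
    problems = []
    for ka, kb in MIRRORED:
        va, vb = a.get(ka), b.get(kb)
        same = _same_net(va, vb) if ka.endswith("_network") else _norm(va) == _norm(vb)
        if not same:
            problems.append(f"{name_a}.{ka}={va} must equal {name_b}.{kb}={vb}")
    for phase, keys in PHASE_KEYS.items():
        for k in keys:
            va, vb = a.get(phase, {}).get(k), b.get(phase, {}).get(k)
            if _norm(va) != _norm(vb):
                problems.append(f"{phase}.{k}: {name_a}={va} {name_b}={vb}")
    # A local network that overlaps the remote one (e.g. a /16 covering the peer's /24)
    # gives ambiguous traffic selectors even when both sides mirror each other.
    for name, side in ((name_a, a), (name_b, b)):
        try:
            if _net(side["local_network"]).overlaps(_net(side["remote_network"])):
                problems.append(f"{name}: local {side['local_network']} overlaps remote {side['remote_network']}")
        except (KeyError, ValueError, TypeError):
            pass
    return problems


# Constructed sample reproducing the thread's final state before the fix.
PFSENSE = {
    "local_gateway": "198.51.100.10", "remote_gateway": "203.0.113.20",
    "my_identifier": "198.51.100.10", "peer_identifier": "203.0.113.20",
    "local_network": "192.168.10.0/24", "remote_network": "192.168.3.0/24",
    "phase1": {"ike_version": "v1", "mode": "main", "auth": "psk", "encryption": "AES256",
               "hash": "SHA1", "dh_group": 2, "lifetime": 28800},
    "phase2": {"protocol": "esp", "encryption": "AES256", "hash": "SHA1",
               "pfs_group": 2, "lifetime": 3600},
}
SONICWALL = {
    "local_gateway": "203.0.113.20", "remote_gateway": "198.51.100.10",
    "my_identifier": "203.0.113.20", "peer_identifier": "198.51.100.10",
    "local_network": "192.168.3.0/24", "remote_network": "192.168.10.0/24",
    "phase1": dict(PFSENSE["phase1"]),
    "phase2": {**PFSENSE["phase2"], "pfs_group": 1},   # the mismatch found in the thread
}

if __name__ == "__main__":
    for p in compare_peers(PFSENSE, SONICWALL):
        print(p)
```

Fill both dicts from the two GUIs before touching anything else; a non-empty result names the setting to fix, which is quicker than reading NO_PROPOSAL_CHOSEN out of the logs after each retry.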