Netgate Discussion Forum

Can't establish VPN tunnel between PFSense & Sonicwall (06.08.17 it works!)

IPsec
  • pfrickroll
    last edited by May 24, 2017, 8:41 PM

    Set the following to Diag in VPN > IPsec, Advanced, Logging: IKE SA, IKE CHILD SA, and Configuration Backend. Set everything else to Control.

    Ah, sorry, my bad English kicked in. Going to change those configs to Diag now.

    • Derelict LAYER 8 Netgate
      last edited by May 24, 2017, 8:43 PM

      Those sonicwall logs don't really say much. I assume they are descending later to earlier in time?

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      • pfrickroll
        last edited by May 24, 2017, 8:47 PM

        @Derelict:

        Those sonicwall logs don't really say much. I assume they are descending later to earlier in time?

        No, that is the only info in the logs for the VPN between this pfSense and SonicWall. Nothing before or after.

        • dotdash
          last edited by May 24, 2017, 8:48 PM

          Looks like pfSense proposed a v2 exchange and the Sonic was set for v1.
          Change the auto setting to v1 and try again.

          • pfrickroll
            last edited by May 24, 2017, 9:16 PM

            I set those configs to Diag. Here are the logs for IPsec and Sonicwall

            ![IPseclog 1.PNG](/public/imported_attachments/1/IPseclog 1.PNG)
            ![IPseclog 2.PNG](/public/imported_attachments/1/IPseclog 2.PNG)
            ![IPseclog 3.PNG](/public/imported_attachments/1/IPseclog 3.PNG)
            ![Soniwall log 2.PNG](/public/imported_attachments/1/Soniwall log 2.PNG)
            ![Sonicwall log 3.PNG](/public/imported_attachments/1/Sonicwall log 3.PNG)

            • Derelict LAYER 8 Netgate
              last edited by May 24, 2017, 9:18 PM

              You know you can copy and paste text instead of screenshots of those logs, right?

              • Derelict LAYER 8 Netgate
                last edited by May 24, 2017, 9:21 PM

                OK so you're now getting through phase 1. The INVAL_ID error means the networks on your side do not match what the other side has configured.

                You have:

                Local: 192.168.0.0/16
                Remote: 192.168.3.0/24

                That /16 is almost certainly wrong and probably will not work.

                • pfrickroll
                  last edited by May 25, 2017, 2:23 PM

                  OK, so I rebuilt the pfSense tunnel from scratch again with IKEv1 and the 192.168.10.0/24 subnet.

                  pfSense logs:
                  May 25 09:56:28  charon  10[IKE] <con1000|1> reinitiating already active tasks
                  May 25 09:56:28  charon  10[IKE] <con1000|1> ISAKMP_VENDOR task
                  May 25 09:56:28  charon  10[IKE] <con1000|1> MAIN_MODE task
                  May 25 09:56:28  charon  10[ENC] <con1000|1> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
                  May 25 09:56:28  charon  10[NET] <con1000|1> sending packet: from pfsense[500] to sonicWall[500] (244 bytes)
                  May 25 09:56:28  charon  11[NET] <con1000|1> received packet: from sonicWall[500] to pfsense[500] (276 bytes)
                  May 25 09:56:28  charon  11[ENC] <con1000|1> parsed ID_PROT response 0 [ KE NAT-D NAT-D No V V V ]
                  May 25 09:56:28  charon  11[ENC] <con1000|1> received unknown vendor ID: 40:4b:f4:39:52:2c:a3:f6
                  May 25 09:56:28  charon  11[IKE] <con1000|1> received XAuth vendor ID
                  May 25 09:56:28  charon  11[IKE] <con1000|1> received DPD vendor ID
                  May 25 09:56:28  charon  11[IKE] <con1000|1> reinitiating already active tasks
                  May 25 09:56:28  charon  11[IKE] <con1000|1> ISAKMP_VENDOR task
                  May 25 09:56:28  charon  11[IKE] <con1000|1> MAIN_MODE task
                  May 25 09:56:28  charon  11[ENC] <con1000|1> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
                  May 25 09:56:28  charon  11[NET] <con1000|1> sending packet: from pfsense[500] to SonicWall[500] (108 bytes)
                  May 25 09:56:28  charon  08[NET] <con1000|1> received packet: from SonicWall[500] to pfsense[500] (76 bytes)
                  May 25 09:56:28  charon  08[ENC] <con1000|1> parsed ID_PROT response 0 [ ID HASH ]
                  May 25 09:56:28  charon  08[IKE] <con1000|1> IKE_SA con1000[1] established between pfsense[pfsense]...SonicWall[SonicWall]
                  May 25 09:56:28  charon  08[IKE] <con1000|1> IKE_SA con1000[1] state change: CONNECTING => ESTABLISHED
                  May 25 09:56:28  charon  08[IKE] <con1000|1> scheduling reauthentication in 28174s
                  May 25 09:56:28  charon  08[IKE] <con1000|1> maximum IKE_SA lifetime 28714s
                  May 25 09:56:28  charon  08[IKE] <con1000|1> activating new tasks
                  May 25 09:56:28  charon  08[IKE] <con1000|1> activating QUICK_MODE task
                  May 25 09:56:28  charon  08[CFG] <con1000|1> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
                  May 25 09:56:28  charon  08[CFG] <con1000|1> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
                  May 25 09:56:28  charon  08[CFG] <con1000|1> proposing traffic selectors for us:
                  May 25 09:56:28  charon  08[CFG] <con1000|1> 192.168.10.0/24|/0
                  May 25 09:56:28  charon  08[CFG] <con1000|1> proposing traffic selectors for other:
                  May 25 09:56:28  charon  08[CFG] <con1000|1> 192.168.3.0/24|/0
                  May 25 09:56:28  charon  08[ENC] <con1000|1> generating QUICK_MODE request 4263043729 [ HASH SA No ID ID ]
                  May 25 09:56:28  charon  08[NET] <con1000|1> sending packet: from pfsense[500] to SonicWall[500] (188 bytes)
                  May 25 09:56:28  charon  07[NET] <con1000|1> received packet: from SonicWall[500] to pfsense[500] (108 bytes)
                  May 25 09:56:28  charon  07[ENC] <con1000|1> parsed INFORMATIONAL_V1 request 2520402767 [ HASH N(NO_PROP) ]
                  May 25 09:56:28  charon  07[IKE] <con1000|1> received NO_PROPOSAL_CHOSEN error notify
                  May 25 09:56:31  charon  00[DMN] signal of type SIGINT received. Shutting down
                  May 25 09:56:31  charon  00[IKE] <con1000|1> queueing ISAKMP_DELETE task
                  May 25 09:56:31  charon  00[IKE] <con1000|1> activating new tasks
                  May 25 09:56:31  charon  00[IKE] <con1000|1> activating ISAKMP_DELETE task
                  May 25 09:56:31  charon  00[IKE] <con1000|1> deleting IKE_SA con1000[1] between pfsense[pfsense]...SonicWall[SonicWall]
                  May 25 09:56:31  charon  00[IKE] <con1000|1> sending DELETE for IKE_SA con1000[1]
                  May 25 09:56:31  charon  00[IKE] <con1000|1> IKE_SA con1000[1] state change: ESTABLISHED => DELETING
                  May 25 09:56:31  charon  00[ENC] <con1000|1> generating INFORMATIONAL_V1 request 3586940182 [ HASH D ]
                  May 25 09:56:31  charon  00[NET] <con1000|1> sending packet: from pfsense[500] to SonicWall[500] (92 bytes)
                  May 25 09:56:31  charon  00[IKE] <con1000|1> IKE_SA con1000[1] state change: DELETING => DESTROYING
                  May 25 09:56:31  charon  00[CFG] proposing traffic selectors for us:
                  May 25 09:56:31  charon  00[CFG] 192.168.10.0/24|/0
                  May 25 09:56:31  charon  00[CFG] proposing traffic selectors for other:
                  May 25 09:56:31  charon  00[CFG] 192.168.10.0/24|/0
                  May 25 09:56:31  ipsec_starter  42453  charon stopped after 200 ms
                  May 25 09:56:31  ipsec_starter  42453  ipsec starter stopped

                  SonicWall logs:
                  09:57:40 May 25 403 VPN Inform IKE negotiation aborted due to Timeout sonicwall, 500 pfsense, 500 udp VPN Policy

                  09:57:06 May 25 171 VPN Debug SENDING>>>> ISAKMP OAK MM (InitCookie:0x7f9802c36a3f9670 RespCookie:0x0000000000000000, MsgID: 0x0) (SA, VID, VID, VID, VID, VID) Sonicwall, 500 pfsense, 500 udp

                  09:57:06 May 25 930 VPN Inform IKE Initiator: Remote party Timeout - Retransmitting IKE Request. sonicwall, 500 pfsense, 500 udp VPN Policy

                  09:56:48 May 25 171 VPN Debug SENDING>>>> ISAKMP OAK MM (InitCookie:0x7f9802c36a3f9670 RespCookie:0x0000000000000000, MsgID: 0x0) (SA, VID, VID, VID, VID, VID) sonicwall, 500 pfsense, 500 udp

                  09:56:48 May 25 930 VPN Inform IKE Initiator: Remote party Timeout - Retransmitting IKE Request. sonicwall, 500 pfsense, 500 udp VPN Policy: VPN

                  09:56:37 May 25 171 VPN Debug SENDING>>>> ISAKMP OAK MM (InitCookie:0x7f9802c36a3f9670 RespCookie:0x0000000000000000, MsgID: 0x0) (SA, VID, VID, VID, VID, VID) sonicwall, 500 pfsense, 500 udp

                  09:56:37 May 25 930 VPN Inform IKE Initiator: Remote party Timeout - Retransmitting IKE Request. sonicwall, 500 pfsense, 500 udp VPN Policy: VPN

                  09:56:31 May 25 171 VPN Debug SENDING>>>> ISAKMP OAK MM (InitCookie:0x7f9802c36a3f9670 RespCookie:0x0000000000000000, MsgID: 0x0) (SA, VID, VID, VID, VID, VID) sonicwall, 500 pfsense, 500 udp
                  09:56:31 May 25 351 VPN Inform IKE Initiator: Start Main Mode negotiation (Phase 1) sonicwall, 500 pfsense, 500 udp VPN Policy: VPN to HQ
                  09:56:31 May 25 413 VPN Inform Received IKE SA delete request pfsense, 500 sonicwall, 500 VPN Policy: VPN to HQ
                  09:56:31 May 25 171 VPN Debug RECEIVED<<< ISAKMP OAK INFO (InitCookie:0x0edac780e119a512 RespCookie:0x02d555f9af2c4338, MsgID: 0xD5CC5D16) *(HASH, DEL) pfsense, 500 sonicwall, 500 udp

                  09:56:28 May 25 171 VPN Debug SENDING>>>> ISAKMP OAK INFO (InitCookie:0x0edac780e119a512 RespCookie:0x02d555f9af2c4338, MsgID: 0x963A4B4F) *(HASH, NOTIFY: NO_PROPOSAL_CHOSEN) sonicwall, pfsense, 500 udp

                  09:56:28 May 25 171 VPN Debug RECEIVED<<< ISAKMP OAK QM (InitCookie:0x0edac780e119a512 RespCookie:0x02d555f9af2c4338, MsgID: 0xFE18E291) *(HASH, SA, NON, ID, ID) pfsense, 500 sonicwall, 500 udp

                  09:56:28 May 25 352 VPN Inform IKE Responder: Received Quick Mode Request (Phase 2) pfsense, 500 sonicwall, 500 udp VPN Policy: VPN

                  09:56:28 May 25 88 VPN Warning IKE Responder: IPsec proposal does not match (Phase 2) pfsense, 500 sonicwall, 500 udp VPN Policy: VPN

                  09:56:28 May 25 259 VPN Warning IKE Responder: ESP Perfect Forward Secrecy mismatch pfsense, 500 sonicwall, 500 udp VPN Policy: VPN

                  09:56:28 May 25 171 VPN Debug SENDING>>>> ISAKMP OAK MM (InitCookie:0x0edac780e119a512 RespCookie:0x02d555f9af2c4338, MsgID: 0x0) *(ID, HASH) sonicwall, 500 pfsense, 500 udp

                  09:56:28 May 25 357 VPN Inform IKE Responder: Main Mode complete (Phase 1) pfsense, 500 sonicwall, 500 VPN Policy: VPN

                  09:56:28 May 25 241 VPN Inform NAT Discovery : No NAT/NAPT device detected between IPsec Security gateways pfsense, 500 sonicwall, 500 VPN Policy: VPN

                  09:56:28 May 25 171 VPN Debug RECEIVED<<< ISAKMP OAK MM (InitCookie:0x0edac780e119a512 RespCookie:0x02d555f9af2c4338, MsgID: 0x0) *(ID, HASH, NOTIFY: INITIAL_CONTACT) pfsense, 500 sonicwall, 500 udp

                  09:56:28 May 25 171 VPN Debug SENDING>>>> ISAKMP OAK MM (InitCookie:0x0edac780e119a512 RespCookie:0x02d555f9af2c4338, MsgID: 0x0) (KE, NATD, NATD, NON, VID, VID, VID) sonicwall, 500 pfsense, 500 udp

                  09:56:28 May 25 171 VPN Debug RECEIVED<<< ISAKMP OAK MM (InitCookie:0x0edac780e119a512 RespCookie:0x02d555f9af2c4338, MsgID: 0x0) (KE, NON, NATD, NATD) pfsense, 500 sonicwall, 500 udp

                  09:56:28 May 25 171 VPN Debug SENDING>>>> ISAKMP OAK MM (InitCookie:0x0edac780e119a512 RespCookie:0x02d555f9af2c4338, MsgID: 0x0) (SA, VID, VID) sonicwall, 500 5pfsense, 500 udp

                  09:56:28 May 25 355 VPN Inform IKE Responder: Received Main Mode Request (Phase 1) pfsense, 500 sonicwall, 500 udp

                  09:56:28 May 25 171 VPN Debug RECEIVED<<< ISAKMP OAK MM (InitCookie:0x0edac780e119a512 RespCookie:0x0000000000000000, MsgID: 0x0) (SA, VID, VID, VID, VID, VID) pfsense, 500 sonicwall, 500 udp

                  09:56:24 May 25 171 VPN Debug SENDING>>>> ISAKMP OAK MM (InitCookie:0x26b927c746756b4c RespCookie:0x0000000000000000, MsgID: 0x0) (SA, VID, VID, VID, VID, VID) sonicwall, 500 pfsense, 500 udp

                  09:56:24 May 25 930 VPN Inform IKE Initiator: Remote party Timeout - Retransmitting IKE Request. sonicwall, 500 pfsense, 500 udp VPN Policy: VPN

                  09:56:19 May 25 171 VPN Debug SENDING>>>> ISAKMP OAK MM (InitCookie:0x26b927c746756b4c RespCookie:0x0000000000000000, MsgID: 0x0) (SA, VID, VID, VID, VID, VID) sonicwall, 500 pfsense, 500 udp

                  09:56:19 May 25 351 VPN Inform IKE Initiator: Start Main Mode negotiation (Phase 1) sonicwall, 500 pfsense, 500 udp VPN Policy: VPN

                  What does the part in bold mean? Does it refer to the Comcast modem? It's there just in bridge mode.

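The two logs above tell the same story from opposite ends: phase 1 completes, the Quick Mode request is answered with NO_PROPOSAL_CHOSEN, and the SonicWall names the reason. The script below is an added example (not from this thread, pfSense, strongSwan or SonicWall) that pulls those facts out of constructed sample lines modelled on the poster's paste, with the same redacted hostnames, and turns them into an ordered list of findings. The key names and message table are my own.

```python
"""Triage an IKEv1 site-to-site negotiation from both gateways' logs.

Added example, not code from the forum thread, pfSense, strongSwan or
SonicWall. The sample lines are constructed, modelled on the lines the
poster pasted, keeping the redacted hostnames "pfsense" and "sonicwall".
"""
import re

# Constructed sample: strongSwan charon lines as pfSense's IPsec log shows them.
PFSENSE_LOG = """\
May 25 09:56:28 charon 08[ENC] <con1000|1> parsed ID_PROT response 0 [ ID HASH ]
May 25 09:56:28 charon 08[IKE] <con1000|1> IKE_SA con1000[1] state change: CONNECTING => ESTABLISHED
May 25 09:56:28 charon 08[CFG] <con1000|1> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
May 25 09:56:28 charon 08[CFG] <con1000|1> proposing traffic selectors for us:
May 25 09:56:28 charon 08[CFG] <con1000|1> 192.168.10.0/24|/0
May 25 09:56:28 charon 08[CFG] <con1000|1> proposing traffic selectors for other:
May 25 09:56:28 charon 08[CFG] <con1000|1> 192.168.3.0/24|/0
May 25 09:56:28 charon 08[ENC] <con1000|1> generating QUICK_MODE request 4263043729 [ HASH SA No ID ID ]
May 25 09:56:28 charon 07[IKE] <con1000|1> received NO_PROPOSAL_CHOSEN error notify
"""

# Constructed sample: SonicWall VPN log entries (the GUI lists newest first).
SONICWALL_LOG = """\
09:56:28 May 25 259 VPN Warning IKE Responder: ESP Perfect Forward Secrecy mismatch pfsense, 500 sonicwall, 500 udp VPN Policy: VPN
09:56:28 May 25 88 VPN Warning IKE Responder: IPsec proposal does not match (Phase 2) pfsense, 500 sonicwall, 500 udp VPN Policy: VPN
09:56:28 May 25 357 VPN Inform IKE Responder: Main Mode complete (Phase 1) pfsense, 500 sonicwall, 500 VPN Policy: VPN
"""

# A charon traffic selector line looks like "192.168.10.0/24|/0" (network|port range).
TS_LINE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\|/")

# SonicWall messages worth surfacing, mapped to a key and a plain-language meaning
# (my own table, built from the messages visible in this thread).
SONICWALL_HINTS = {
    "Main Mode complete (Phase 1)": ("phase1_ok", "responder completed phase 1"),
    "IPsec proposal does not match": ("phase2_proposal", "responder rejected the phase 2 (ESP) proposal"),
    "ESP Perfect Forward Secrecy mismatch": ("pfs", "PFS setting or DH group differs between the peers"),
}


def parse_charon(text):
    """Collect phase 1 state, ESP proposals, traffic selectors and any error notify."""
    facts = {"phase1": False, "phase2_error": None, "esp_proposals": [], "ts_us": [], "ts_other": []}
    section = None  # which selector list the next CIDR line belongs to
    for line in text.splitlines():
        if "state change: CONNECTING => ESTABLISHED" in line:
            facts["phase1"] = True
        elif "configured proposals: ESP:" in line:
            facts["esp_proposals"].append(line.split("ESP:", 1)[1].strip())
        elif "proposing traffic selectors for us" in line:
            section = "ts_us"
        elif "proposing traffic selectors for other" in line:
            section = "ts_other"
        elif section and (match := TS_LINE.search(line)):
            facts[section].append(match.group(1))
        elif line.endswith("error notify"):
            facts["phase2_error"] = line.rsplit("received ", 1)[1].split(" error")[0]
            section = None
        else:
            section = None
    return facts


def parse_sonicwall(text):
    """Map the SonicWall messages present in the log to their meaning."""
    found = {}
    for line in text.splitlines():
        for needle, (key, meaning) in SONICWALL_HINTS.items():
            if needle in line:
                found[key] = meaning
    return found


def diagnose(charon, sonic):
    """Combine both views into an ordered list of findings."""
    findings = []
    if charon["phase1"] or "phase1_ok" in sonic:
        findings.append("phase 1 established: IKE version, PSK and phase 1 proposal agree")
    if charon["ts_us"] or charon["ts_other"]:
        findings.append("phase 2 selectors offered: local %s, remote %s; the peer must define the mirror image"
                        % (charon["ts_us"], charon["ts_other"]))
    if charon["phase2_error"] == "NO_PROPOSAL_CHOSEN":
        findings.append("phase 2 rejected with NO_PROPOSAL_CHOSEN for %s" % ", ".join(charon["esp_proposals"]))
    for key in ("phase2_proposal", "pfs"):
        if key in sonic:
            findings.append("peer says: " + sonic[key])
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_charon(PFSENSE_LOG), parse_sonicwall(SONICWALL_LOG)):
        print("-", finding)
```

Run it as-is and the last two findings already point at phase 2 rather than the PSK or IKE version; on a real box, feed it the text copied from Status > System Logs > IPsec and the SonicWall log export instead of the constructed samples.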
                  • pfrickroll
                    last edited by May 25, 2017, 2:33 PM

                    This is the pfSense IPsec config. I don't know if there is an option to copy/paste a short IPsec config log, so I just screen-capped it.

                    ![IPsec Config.PNG](/public/imported_attachments/1/IPsec Config.PNG)

                    • dotdash
                      last edited by May 25, 2017, 2:58 PM

                      The errors point to a settings mismatch. Verify the phase 1 and phase 2 settings match exactly. (Of course the remote gateways and local/remote networks would be switched.)

                      • pfrickroll
                        last edited by May 25, 2017, 3:23 PM

                        @dotdash:

                        The errors point to a settings mismatch. Verify the phase 1 and phase 2 settings match exactly. (Of course the remote gateways and local/remote networks would be switched.)

                        I will check again later tonight, I don't have time at the moment.
                        But I just want to say thank you very much for reading and responding to my post.

                        • Derelict LAYER 8 Netgate
                          last edited by May 25, 2017, 4:49 PM

                          If there is NAT between two IPsec endpoints they switch from using ESP as the transport (the actual IPsec tunnels, aka phase 2) to using ESP encapsulated in UDP/4500 to help get through the NAT translation/firewall. What you are seeing is normal.

                          Your problem appears to be a settings mismatch, as has been stated above.

                          • pfrickroll
                            last edited by Jun 8, 2017, 3:06 PM

                            Sorry for not replying, was very busy with other projects.

                            So, I figured out the problem, which was... well, in phase 2 the SonicWall had PFS Grp 1 and pfSense had PFS Grp 2.
                            I also added public IPs for IKE authentication in the SonicWall. Now everything works great and our proprietary software works over the VPN as we wanted, even without NetBIOS over TCP/IP.

                            However, I would still like to know how to enable this feature so that Windows itself could see the server on the network. I get why it's disabled, to prevent clogging up the network because everything would be broadcasting. Is there some special rule on pfSense to add just a certain IP for broadcast, like the local IP of the server which sits behind the SonicWall?

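Both of the thread's mismatches, the /16 that Derelict flagged as the cause of the INVAL_ID error and the PFS group 1 versus group 2 difference that turned out to be the real blocker, are the same class of bug: one peer's phase 2 definition is not the mirror image of the other's. The checker below is an added example (not from this thread, pfSense or SonicWall; the field names are my own) that compares two such definitions and explains each difference. The sample policies are constructed from what the thread states; the cipher and hash values for the SonicWall side are assumed, and the "aligned" policy assumes the fix was putting both peers on the same PFS group, without saying which side was changed.

```python
"""Check that two IPsec peers' phase 2 definitions are mirror images.

Added example, not from the forum thread nor from pfSense or SonicWall;
the field names are my own. The sample policies are constructed from
what the thread states: the first pfSense attempt used 192.168.0.0/16,
the rebuilt one 192.168.10.0/24 <-> 192.168.3.0/24 with PFS group 2,
and the SonicWall had PFS group 1. The cipher and hash values are
assumed, not taken from the SonicWall side of the thread.
"""
from ipaddress import ip_network


def phase2_policy(local, remote, encryption, hash_alg, pfs_group):
    """One peer's view of a phase 2 (IPsec SA) definition; pfs_group 0 means PFS off."""
    return {
        "local": ip_network(local),
        "remote": ip_network(remote),
        "encryption": encryption,
        "hash": hash_alg,
        "pfs_group": pfs_group,
    }


def _compare_nets(label, ours, theirs):
    """Explain how one side's selector relates to what the peer expects."""
    if ours == theirs:
        return None
    if ours.supernet_of(theirs):
        return ("%s: %s contains %s but is not equal to it; IKEv1 does not narrow selectors, "
                "so they must match exactly" % (label, ours, theirs))
    if ours.subnet_of(theirs):
        return ("%s: %s is inside %s but is not equal to it; IKEv1 does not narrow selectors, "
                "so they must match exactly" % (label, ours, theirs))
    return "%s: %s and %s do not overlap at all" % (label, ours, theirs)


def mirror_mismatches(a, b):
    """Findings where policy b is not the mirror image of policy a (empty list = consistent)."""
    findings = []
    # a's local network must be b's remote network and vice versa.
    for label, ours, theirs in (("local/remote", a["local"], b["remote"]),
                                ("remote/local", a["remote"], b["local"])):
        msg = _compare_nets(label, ours, theirs)
        if msg:
            findings.append(msg)
    # Everything else must be identical on both peers.
    for key in ("encryption", "hash", "pfs_group"):
        if a[key] != b[key]:
            findings.append("%s: %s vs %s" % (key, a[key], b[key]))
    return findings


# Constructed samples following the thread's two attempts.
PFSENSE_FIRST = phase2_policy("192.168.0.0/16", "192.168.3.0/24", "aes256", "sha1", 2)
PFSENSE_REBUILT = phase2_policy("192.168.10.0/24", "192.168.3.0/24", "aes256", "sha1", 2)
SONICWALL = phase2_policy("192.168.3.0/24", "192.168.10.0/24", "aes256", "sha1", 1)
SONICWALL_ALIGNED = dict(SONICWALL, pfs_group=2)  # assumed fix: both peers on the same PFS group

if __name__ == "__main__":
    for name, policy in (("first attempt", PFSENSE_FIRST), ("rebuilt", PFSENSE_REBUILT)):
        print(name, mirror_mismatches(policy, SONICWALL) or ["OK"])
    print("aligned", mirror_mismatches(PFSENSE_REBUILT, SONICWALL_ALIGNED) or ["OK"])
```

The containment check matters because overlapping networks look "close enough" in a GUI but are rejected by an IKEv1 responder just like completely unrelated ones; the first attempt produces two findings (the /16 and the PFS group), the rebuilt tunnel only the PFS group, and the aligned pair none.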
                            • Derelict LAYER 8 Netgate
                              last edited by Jun 8, 2017, 4:44 PM

                              Use DNS.
