Netgate Discussion Forum

    Can't establish VPN tunnel between PFSense & Sonicwall (06.08.17 it works!)

    25 Posts 3 Posters 6.5k Views
    • pfrickroll

      Set the following to Diag in VPN > IPsec, Advanced, Logging: IKE SA, IKE CHILD SA, and Configuration Backend. Set everything else to Control.

      Ah sorry, my bad English kicked in. Going to change those configs to Diag now.

      • Derelict LAYER 8 Netgate

        Those sonicwall logs don't really say much. I assume they are descending later to earlier in time?

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • pfrickroll

          @Derelict:

          Those sonicwall logs don't really say much. I assume they are descending later to earlier in time?

          No, that is the only info in logs for VPN between these pfSense and Sonicwall. Nothing before or after.

          • dotdash

            Looks like pfSense proposed a v2 exchange and the Sonic was set for v1.
            Change the auto setting to v1 and try again.

            • pfrickroll

              I set those configs to Diag. Here are the logs for IPsec and the SonicWall.

              ![IPseclog 1.PNG](/public/imported_attachments/1/IPseclog 1.PNG)
              ![IPseclog 2.PNG](/public/imported_attachments/1/IPseclog 2.PNG)
              ![IPseclog 3.PNG](/public/imported_attachments/1/IPseclog 3.PNG)
              ![Soniwall log 2.PNG](/public/imported_attachments/1/Soniwall log 2.PNG)
              ![Sonicwall log 3.PNG](/public/imported_attachments/1/Sonicwall log 3.PNG)

              • Derelict LAYER 8 Netgate

                You know you can copy and paste text instead of screen shots of those logs right?

                • Derelict LAYER 8 Netgate

                  OK so you're now getting through phase 1. The INVAL_ID error means the networks on your side do not match what the other side has configured.

                  You have:

                  Local: 192.168.0.0/16
                  Remote: 192.168.3.0/24

                  That /16 is almost certainly wrong and probably will not work.

                  • pfrickroll

                    OK, so I rebuilt the pfSense tunnel from scratch again with IKEv1 and the 192.168.10.0/24 subnet.

                    pfSense logs:
                    May 25 09:56:28  charon  10[IKE] <con1000|1>reinitiating already active tasks 
                    May 25 09:56:28  charon  10[IKE] <con1000|1>ISAKMP_VENDOR task 
                    May 25 09:56:28  charon  10[IKE] <con1000|1>MAIN_MODE task 
                    May 25 09:56:28  charon  10[ENC] <con1000|1>generating ID_PROT request 0 [ KE No NAT-D NAT-D ] 
                    May 25 09:56:28  charon  10[NET] <con1000|1>sending packet: from pfsense[500] to sonicWall[500] (244 bytes) 
                    May 25 09:56:28  charon  11[NET] <con1000|1>received packet: from sonicWall[500] to pfsense[500] (276 bytes) 
                    May 25 09:56:28  charon  11[ENC] <con1000|1>parsed ID_PROT response 0 [ KE NAT-D NAT-D No V V V ] 
                    May 25 09:56:28  charon  11[ENC] <con1000|1>received unknown vendor ID: 40:4b:f4:39:52:2c:a3:f6 
                    May 25 09:56:28  charon  11[IKE] <con1000|1>received XAuth vendor ID 
                    May 25 09:56:28  charon  11[IKE] <con1000|1>received DPD vendor ID 
                    May 25 09:56:28  charon  11[IKE] <con1000|1>reinitiating already active tasks 
                    May 25 09:56:28  charon  11[IKE] <con1000|1>ISAKMP_VENDOR task 
                    May 25 09:56:28  charon  11[IKE] <con1000|1>MAIN_MODE task 
                    May 25 09:56:28  charon  11[ENC] <con1000|1>generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ] 
                    May 25 09:56:28  charon  11[NET] <con1000|1>sending packet: from pfsense[500] to SonicWall[500] (108 bytes) 
                    May 25 09:56:28  charon  08[NET] <con1000|1>received packet: from SonicWall[500] to pfsense[500] (76 bytes) 
                    May 25 09:56:28  charon  08[ENC] <con1000|1>parsed ID_PROT response 0 [ ID HASH ] 
                    May 25 09:56:28  charon  08[IKE] <con1000|1>IKE_SA con1000[1] established between pfsense[pfsense]…SonicWall[SonicWall] 
                    May 25 09:56:28  charon  08[IKE] <con1000|1>IKE_SA con1000[1] state change: CONNECTING => ESTABLISHED 
                    May 25 09:56:28  charon  08[IKE] <con1000|1>scheduling reauthentication in 28174s 
                    May 25 09:56:28  charon  08[IKE] <con1000|1>maximum IKE_SA lifetime 28714s 
                    May 25 09:56:28  charon  08[IKE] <con1000|1>activating new tasks 
                    May 25 09:56:28  charon  08[IKE] <con1000|1>activating QUICK_MODE task 
                    May 25 09:56:28  charon  08[CFG] <con1000|1>configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ 
                    May 25 09:56:28  charon  08[CFG] <con1000|1>configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ 
                    May 25 09:56:28  charon  08[CFG] <con1000|1>proposing traffic selectors for us: 
                    May 25 09:56:28  charon  08[CFG] <con1000|1>192.168.10.0/24|/0 
                    May 25 09:56:28  charon  08[CFG] <con1000|1>proposing traffic selectors for other: 
                    May 25 09:56:28  charon  08[CFG] <con1000|1>192.168.3.0/24|/0 
                    May 25 09:56:28  charon  08[ENC] <con1000|1>generating QUICK_MODE request 4263043729 [ HASH SA No ID ID ] 
                    May 25 09:56:28  charon  08[NET] <con1000|1>sending packet: from pfsense[500] to SonicWall[500] (188 bytes) 
                    May 25 09:56:28  charon  07[NET] <con1000|1>received packet: from SonicWall[500] to pfsense[500] (108 bytes) 
                    May 25 09:56:28  charon  07[ENC] <con1000|1>parsed INFORMATIONAL_V1 request 2520402767 [ HASH N(NO_PROP) ] 
                    May 25 09:56:28  charon  07[IKE] <con1000|1>received NO_PROPOSAL_CHOSEN error notify 
                    May 25 09:56:31  charon  00[DMN] signal of type SIGINT received. Shutting down 
                    May 25 09:56:31  charon  00[IKE] <con1000|1>queueing ISAKMP_DELETE task 
                    May 25 09:56:31  charon  00[IKE] <con1000|1>activating new tasks 
                    May 25 09:56:31  charon  00[IKE] <con1000|1>activating ISAKMP_DELETE task 
                    May 25 09:56:31  charon  00[IKE] <con1000|1>deleting IKE_SA con1000[1] between pfsense[pfsense]…SonicWall[SonicWall] 
                    May 25 09:56:31  charon  00[IKE] <con1000|1>sending DELETE for IKE_SA con1000[1] 
                    May 25 09:56:31  charon  00[IKE] <con1000|1>IKE_SA con1000[1] state change: ESTABLISHED => DELETING 
                    May 25 09:56:31  charon  00[ENC] <con1000|1>generating INFORMATIONAL_V1 request 3586940182 [ HASH D ] 
                    May 25 09:56:31  charon  00[NET] <con1000|1>sending packet: from pfsense[500] to SonicWall[500] (92 bytes) 
                    May 25 09:56:31  charon  00[IKE] <con1000|1>IKE_SA con1000[1] state change: DELETING => DESTROYING 
                    May 25 09:56:31  charon  00[CFG] proposing traffic selectors for us: 
                    May 25 09:56:31  charon  00[CFG] 192.168.10.0/24|/0 
                    May 25 09:56:31  charon  00[CFG] proposing traffic selectors for other: 
                    May 25 09:56:31  charon  00[CFG] 192.168.10.0/24|/0 
                    May 25 09:56:31  ipsec_starter  42453  charon stopped after 200 ms 
                    May 25 09:56:31  ipsec_starter  42453  ipsec starter stopped

                    SonicWall logs:
                    09:57:40 May 25 403 VPN Inform IKE negotiation aborted due to Timeout sonicwall, 500 pfsense, 500 udp VPN Policy

                    09:57:06 May 25 171 VPN Debug SENDING>>>> ISAKMP OAK MM (InitCookie:0x7f9802c36a3f9670 RespCookie:0x0000000000000000, MsgID: 0x0) (SA, VID, VID, VID, VID, VID) Sonicwall, 500 pfsense, 500 udp

                    09:57:06 May 25 930 VPN Inform IKE Initiator: Remote party Timeout - Retransmitting IKE Request. sonicwall, 500 pfsense, 500 udp VPN Policy

                    09:56:48 May 25 171 VPN Debug SENDING>>>> ISAKMP OAK MM (InitCookie:0x7f9802c36a3f9670 RespCookie:0x0000000000000000, MsgID: 0x0) (SA, VID, VID, VID, VID, VID) sonicwall, 500 pfsense, 500 udp

                    09:56:48 May 25 930 VPN Inform IKE Initiator: Remote party Timeout - Retransmitting IKE Request. sonicwall, 500 pfsense, 500 udp VPN Policy: VPN

                    09:56:37 May 25 171 VPN Debug SENDING>>>> ISAKMP OAK MM (InitCookie:0x7f9802c36a3f9670 RespCookie:0x0000000000000000, MsgID: 0x0) (SA, VID, VID, VID, VID, VID) sonicwall, 500 pfsense, 500 udp

                    09:56:37 May 25 930 VPN Inform IKE Initiator: Remote party Timeout - Retransmitting IKE Request. sonicwall, 500 pfsense, 500 udp VPN Policy: VPN

                    09:56:31 May 25 171 VPN Debug SENDING>>>> ISAKMP OAK MM (InitCookie:0x7f9802c36a3f9670 RespCookie:0x0000000000000000, MsgID: 0x0) (SA, VID, VID, VID, VID, VID) sonicwall, 500 pfsense, 500 udp
                    09:56:31 May 25 351 VPN Inform IKE Initiator: Start Main Mode negotiation (Phase 1) sonicwall, 500 pfsense, 500 udp VPN Policy: VPN to HQ
                    09:56:31 May 25 413 VPN Inform Received IKE SA delete request pfsense, 500 sonicwall, 500 VPN Policy: VPN to HQ
                    09:56:31 May 25 171 VPN Debug RECEIVED<<< ISAKMP OAK INFO (InitCookie:0x0edac780e119a512 RespCookie:0x02d555f9af2c4338, MsgID: 0xD5CC5D16) *(HASH, DEL) pfsense, 500 sonicwall, 500 udp

                    09:56:28 May 25 171 VPN Debug SENDING>>>> ISAKMP OAK INFO (InitCookie:0x0edac780e119a512 RespCookie:0x02d555f9af2c4338, MsgID: 0x963A4B4F) *(HASH, NOTIFY: NO_PROPOSAL_CHOSEN) sonicwall, pfsense, 500 udp

                    09:56:28 May 25 171 VPN Debug RECEIVED<<< ISAKMP OAK QM (InitCookie:0x0edac780e119a512 RespCookie:0x02d555f9af2c4338, MsgID: 0xFE18E291) *(HASH, SA, NON, ID, ID) pfsense, 500 sonicwall, 500 udp

                    09:56:28 May 25 352 VPN Inform IKE Responder: Received Quick Mode Request (Phase 2) pfsense, 500 sonicwall, 500 udp VPN Policy: VPN

                    09:56:28 May 25 88 VPN Warning IKE Responder: IPsec proposal does not match (Phase 2) pfsense, 500 sonicwall, 500 udp VPN Policy: VPN

                    09:56:28 May 25 259 VPN Warning IKE Responder: ESP Perfect Forward Secrecy mismatch pfsense, 500 sonicwall, 500 udp VPN Policy: VPN

                    09:56:28 May 25 171 VPN Debug SENDING>>>> ISAKMP OAK MM (InitCookie:0x0edac780e119a512 RespCookie:0x02d555f9af2c4338, MsgID: 0x0) *(ID, HASH) sonicwall, 500 pfsense, 500 udp

                    09:56:28 May 25 357 VPN Inform IKE Responder: Main Mode complete (Phase 1) pfsense, 500 sonicwall, 500 VPN Policy: VPN

                    09:56:28 May 25 241 VPN Inform NAT Discovery : No NAT/NAPT device detected between IPsec Security gateways pfsense, 500 sonicwall, 500 VPN Policy: VPN

                    09:56:28 May 25 171 VPN Debug RECEIVED<<< ISAKMP OAK MM (InitCookie:0x0edac780e119a512 RespCookie:0x02d555f9af2c4338, MsgID: 0x0) *(ID, HASH, NOTIFY: INITIAL_CONTACT) pfsense, 500 sonicwall, 500 udp

                    09:56:28 May 25 171 VPN Debug SENDING>>>> ISAKMP OAK MM (InitCookie:0x0edac780e119a512 RespCookie:0x02d555f9af2c4338, MsgID: 0x0) (KE, NATD, NATD, NON, VID, VID, VID) sonicwall, 500 pfsense, 500 udp

                    09:56:28 May 25 171 VPN Debug RECEIVED<<< ISAKMP OAK MM (InitCookie:0x0edac780e119a512 RespCookie:0x02d555f9af2c4338, MsgID: 0x0) (KE, NON, NATD, NATD) pfsense, 500 sonicwall, 500 udp

                    09:56:28 May 25 171 VPN Debug SENDING>>>> ISAKMP OAK MM (InitCookie:0x0edac780e119a512 RespCookie:0x02d555f9af2c4338, MsgID: 0x0) (SA, VID, VID) sonicwall, 500 5pfsense, 500 udp

                    09:56:28 May 25 355 VPN Inform IKE Responder: Received Main Mode Request (Phase 1) pfsense, 500 sonicwall, 500 udp

                    09:56:28 May 25 171 VPN Debug RECEIVED<<< ISAKMP OAK MM (InitCookie:0x0edac780e119a512 RespCookie:0x0000000000000000, MsgID: 0x0) (SA, VID, VID, VID, VID, VID) pfsense, 500 sonicwall, 500 udp

                    09:56:24 May 25 171 VPN Debug SENDING>>>> ISAKMP OAK MM (InitCookie:0x26b927c746756b4c RespCookie:0x0000000000000000, MsgID: 0x0) (SA, VID, VID, VID, VID, VID) sonicwall, 500 pfsense, 500 udp

                    09:56:24 May 25 930 VPN Inform IKE Initiator: Remote party Timeout - Retransmitting IKE Request. sonicwall, 500 pfsense, 500 udp VPN Policy: VPN

                    09:56:19 May 25 171 VPN Debug SENDING>>>> ISAKMP OAK MM (InitCookie:0x26b927c746756b4c RespCookie:0x0000000000000000, MsgID: 0x0) (SA, VID, VID, VID, VID, VID) sonicwall, 500 pfsense, 500 udp

                    09:56:19 May 25 351 VPN Inform IKE Initiator: Start Main Mode negotiation (Phase 1) sonicwall, 500 pfsense, 500 udp VPN Policy: VPN

                    What does it mean in bold? Does it refer to the Comcast modem? It's there just in bridge mode.

                    • pfrickroll

                      This is the pfSense IPsec config. I don't know if there is an option to copy/paste a short log config of IPsec, so I just screen-capped it.

                      ![IPsec Config.PNG](/public/imported_attachments/1/IPsec Config.PNG)

                      • dotdash

                        The errors point to a settings mismatch. Verify the phase 1 and phase 2 settings match exactly. (Of course the remote gateways and local/remote networks would be switched.)

                        • pfrickroll

                          @dotdash:

                          The errors point to a settings mismatch. Verify the phase 1 and phase 2 settings match exactly. (Of course the remote gateways and local/remote networks would be switched.)

                          I will check again later tonight; I don't have time at the moment.
                          But I just want to say thank you very much for reading and responding to my post.

                          • Derelict LAYER 8 Netgate

                            If there is NAT between two IPsec endpoints they switch from using ESP as the transport (the actual ipsec tunnels, aka phase 2) to using ESP encapsulated in UDP/4500 to help get through the NAT translation/firewall. What you are seeing is normal.

                            Your problem appears to be a settings mismatch, as has been stated above.

                            • pfrickroll

                              Sorry for not replying, was very busy with other projects.

                              So, I figured out the problem, which was… well, for phase 2 the SonicWall had PFS group 1 and pfSense had PFS group 2.
                              I also added public IPs for IKE authentication in the SonicWall. Now everything works great and our proprietary software works over the VPN as we wanted, even without NetBIOS over TCP/IP.

                              However, I would still like to know how to enable this feature so that Windows itself could see the server on the network. I get why it's disabled, to prevent clogging up the network because everything would be broadcasting. Is there some special rule on pfSense to add just a certain IP for broadcast, like the local IP of the server which sits behind the SonicWall?

                              • Derelict LAYER 8 Netgate
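The replies above diagnose this thread by reading two logs side by side: the charon lines for the IKE version and the INVAL_ID / NO_PROPOSAL_CHOSEN notifies, and the SonicWall lines for the "IPsec proposal does not match" and "ESP Perfect Forward Secrecy mismatch" warnings that turned out to be the PFS group 1 vs group 2 problem. As an added example (not code from the thread, pfSense or SonicWall), here is a small Python triage script that runs those same checks over constructed sample lines modelled on the ones posted; the rule texts and the `triage` function are assumptions of this example.

```python
import re

# Constructed sample lines, modelled on the strongSwan (charon) and SonicWall
# output quoted in the thread; they are not copied from the original post.
CHARON_SAMPLE = [
    "May 25 09:56:28 charon 08[IKE] <con1000|1> IKE_SA con1000[1] state change: CONNECTING => ESTABLISHED",
    "May 25 09:56:28 charon 08[CFG] <con1000|1> proposing traffic selectors for us:",
    "May 25 09:56:28 charon 08[CFG] <con1000|1> 192.168.10.0/24|/0",
    "May 25 09:56:28 charon 08[CFG] <con1000|1> proposing traffic selectors for other:",
    "May 25 09:56:28 charon 08[CFG] <con1000|1> 192.168.3.0/24|/0",
    "May 25 09:56:28 charon 07[ENC] <con1000|1> parsed INFORMATIONAL_V1 request 2520402767 [ HASH N(NO_PROP) ]",
    "May 25 09:56:28 charon 07[IKE] <con1000|1> received NO_PROPOSAL_CHOSEN error notify",
]
SONICWALL_SAMPLE = [
    "09:56:28 May 25 357 VPN Inform IKE Responder: Main Mode complete (Phase 1) pfsense, 500 sonicwall, 500",
    "09:56:28 May 25 88 VPN Warning IKE Responder: IPsec proposal does not match (Phase 2) pfsense, 500 sonicwall, 500 udp",
    "09:56:28 May 25 259 VPN Warning IKE Responder: ESP Perfect Forward Secrecy mismatch pfsense, 500 sonicwall, 500 udp",
]

# (pattern, finding) pairs; each pattern is tried against every line of both logs.
RULES = [
    (r"generating IKE_SA_INIT request", "pfSense is speaking IKEv2; a peer set to IKEv1 will never answer (check the IKE version / Auto setting)"),
    (r"N\(INVAL_ID\)|INVALID_ID_INFORMATION", "INVAL_ID: the local/remote networks on this side do not match what the peer has configured"),
    (r"received NO_PROPOSAL_CHOSEN error notify|IPsec proposal does not match", "phase 2 proposal rejected: compare ESP encryption, hash, lifetime and PFS on both ends"),
    (r"Perfect Forward Secrecy mismatch", "PFS group differs between the two ends (e.g. DH group 1 on one side, group 2 on the other)"),
]
SELECTOR_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\|/0")
PHASE1_RE = re.compile(r"CONNECTING => ESTABLISHED|Main Mode complete \(Phase 1\)")

def triage(charon_lines, sonicwall_lines):
    """Return whether phase 1 completed, the traffic selectors pfSense proposed,
    and de-duplicated findings gathered from both sides' logs."""
    lines = list(charon_lines) + list(sonicwall_lines)
    phase1_up = any(PHASE1_RE.search(line) for line in lines)
    # Selector lines directly follow a "proposing traffic selectors for us/other:" header.
    selectors = {"us": [], "other": []}
    side = None
    for line in charon_lines:
        if "traffic selectors for us" in line:
            side = "us"
        elif "traffic selectors for other" in line:
            side = "other"
        elif side and (m := SELECTOR_RE.search(line)):
            selectors[side].append(m.group(1))
        else:
            side = None
    findings = []
    for pattern, text in RULES:
        if any(re.search(pattern, line) for line in lines) and text not in findings:
            findings.append(text)
    return {"phase1_up": phase1_up, "selectors": selectors, "findings": findings}

if __name__ == "__main__":
    for key, value in triage(CHARON_SAMPLE, SONICWALL_SAMPLE).items():
        print(f"{key}: {value}")
```

On the constructed sample the script reports phase 1 up, the 192.168.10.0/24 and 192.168.3.0/24 selectors, and two phase 2 findings, the second of which is the PFS group mismatch that resolved the thread.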

                                Use DNS.

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.