S2S pfS <-> USG 20 - Initiation only works from USG20



  • Hello

    I try to set up a site2site IPSec VPN between a USG20 and a pfSense (2.3.2-RELEASE-p1). The tunnel can be opened from the USG20 but not from the side of the pfSense. My pfSense is connected to the internet directly by PPPoE, I do not work with NAT traversal. I get the following log information when trying to open the tunnel:

    Nov 21 16:34:18 charon 10[CFG] received stroke: terminate 'con1000'
    Nov 21 16:34:18 charon 10[CFG] no IKE_SA named 'con1000' found
    Nov 21 16:34:18 charon 13[CFG] received stroke: initiate 'con1000'
    Nov 21 16:34:18 charon 10[IKE] <con1000|27> initiating Main Mode IKE_SA con1000[27] to x.x.x.x
    Nov 21 16:34:18 charon 10[ENC] <con1000|27> generating ID_PROT request 0 [ SA V V V V V ]
    Nov 21 16:34:18 charon 10[NET] <con1000|27> sending packet: from x.x.x.x[500] to x.x.x.x[500] (184 bytes)
    Nov 21 16:34:18 charon 10[NET] <con1000|27> received packet: from x.x.x.x[500] to x.x.x.x[500] (88 bytes)
    Nov 21 16:34:18 charon 10[ENC] <con1000|27> parsed ID_PROT response 0 [ SA ]
    Nov 21 16:34:18 charon 10[ENC] <con1000|27> generating ID_PROT request 0 [ KE No ]
    Nov 21 16:34:18 charon 10[NET] <con1000|27> sending packet: from x.x.x.x[500] to x.x.x.x[500] (196 bytes)
    Nov 21 16:34:18 charon 10[NET] <con1000|27> received packet: from x.x.x.x[500] to x.x.x.x[500] (91 bytes)
    Nov 21 16:34:18 charon 10[ENC] <con1000|27> parsed INFORMATIONAL_V1 request 1440699603 [ N(AUTH_FAILED) ]
    Nov 21 16:34:18 charon 10[IKE] <con1000|27> received AUTHENTICATION_FAILED error notify

    I already tried to switch the negotiation mode, which is proposed in the FAQ, but it didn't solve the problem. My P1 IPSec config on the pfSense looks like the following (I know that security is equal to 0 but we have to stick to those settings).

    IKE Version 1
    Internet Protocol: IPv4
    Interface: WAN
    Remote Gateway: Public IP of the USG20

    Authentication Method: Mutual PSK
    Negotiation Mode: Main
    My identifier: My IP address
    Peer Identifier: Peer IP address
    PSK: PSK

    Proposal: AES128
    Hash Algorithm: SHA1
    DH Group: DH2
    Lifetime: 86400

    Disable rekey: Unchecked
    Responder only: Unchecked

    NAT traversal: Auto
    DPD: Unchecked

    Let me know if you need any further info. Any help would be appreciated.

    Regards
    A

    No ideas?

    As soon as the tunnel gets connected from the ZyWall side I see the following under IPSec status:

    Role: IKEv1 responder

    Algo: AES_CBC HMAC_SHA1_96 PRF_HMAC_SHA1 MODP_1024

    STATUS: ESTABLISHED (xxxx seconds)
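As an added diagnostic aid (my own script, not part of the post and not pfSense's or strongSwan's code), the following parses charon lines like the ones quoted above and reports how far the IKEv1 Main Mode exchange got before the peer answered with an error notify. The sample log is constructed from the post's lines (x.x.x.x kept as placeholders), the regex reflects strongSwan's usual `<conn|id> generating/parsed ... [ payloads ]` format, and the hint table is my own reading of the exchange: an AUTH_FAILED that arrives right after our KE/nonce message means the peer gave up before any identity or HASH payload was sent, which is earlier than a plain PSK mismatch would show up.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample modelled on the charon lines in the post (x.x.x.x kept as placeholders).
SAMPLE_LOG = """\
Nov 21 16:34:18 charon 13[CFG] received stroke: initiate 'con1000'
Nov 21 16:34:18 charon 10[IKE] <con1000|27> initiating Main Mode IKE_SA con1000[27] to x.x.x.x
Nov 21 16:34:18 charon 10[ENC] <con1000|27> generating ID_PROT request 0 [ SA V V V V V ]
Nov 21 16:34:18 charon 10[NET] <con1000|27> sending packet: from x.x.x.x[500] to x.x.x.x[500] (184 bytes)
Nov 21 16:34:18 charon 10[NET] <con1000|27> received packet: from x.x.x.x[500] to x.x.x.x[500] (88 bytes)
Nov 21 16:34:18 charon 10[ENC] <con1000|27> parsed ID_PROT response 0 [ SA ]
Nov 21 16:34:18 charon 10[ENC] <con1000|27> generating ID_PROT request 0 [ KE No ]
Nov 21 16:34:18 charon 10[NET] <con1000|27> sending packet: from x.x.x.x[500] to x.x.x.x[500] (196 bytes)
Nov 21 16:34:18 charon 10[NET] <con1000|27> received packet: from x.x.x.x[500] to x.x.x.x[500] (91 bytes)
Nov 21 16:34:18 charon 10[ENC] <con1000|27> parsed INFORMATIONAL_V1 request 1440699603 [ N(AUTH_FAILED) ]
Nov 21 16:34:18 charon 10[IKE] <con1000|27> received AUTHENTICATION_FAILED error notify
"""

# One charon ENC line: "<conn|id> generating|parsed EXCHANGE request|response N [ payloads ]".
# "\s*" after ">" tolerates the missing space some copy/paste or HTML extraction leaves behind.
MSG_RE = re.compile(
    r"<(?P<conn>[^|>]+)\|(?P<id>\d+)>\s*(?P<dir>generating|parsed) "
    r"(?P<xchg>\S+) (?P<kind>request|response) \d+ \[ (?P<payloads>[^\]]*)\]"
)
NOTIFY_RE = re.compile(r"N\((?P<name>[A-Z_]+)\)")

# Main Mode steps in order, keyed by the payload that identifies each pair of messages.
STAGES = [
    ("SA", "MM1/MM2: SA proposal exchange"),
    ("KE", "MM3/MM4: Diffie-Hellman key exchange"),
    ("ID", "MM5/MM6: identity and HASH authentication"),
]


@dataclass
class Message:
    conn: str
    direction: str        # "out" (generating) or "in" (parsed)
    exchange: str         # ID_PROT, INFORMATIONAL_V1, QUICK_MODE, ...
    payloads: list[str]


def parse_charon_log(text: str) -> list[Message]:
    """Keep only the ENC lines that describe a generated or parsed IKE message."""
    msgs = []
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if m:
            msgs.append(Message(m["conn"], "out" if m["dir"] == "generating" else "in",
                                m["xchg"], m["payloads"].split()))
    return msgs


def _furthest_stage(msgs: list[Message], direction: str) -> int:
    """Index into STAGES of the furthest Main Mode message seen in one direction, -1 if none."""
    best = -1
    for m in msgs:
        if m.direction != direction or m.exchange != "ID_PROT":
            continue
        for i, (tag, _label) in enumerate(STAGES):
            if tag in m.payloads:
                best = max(best, i)
    return best


def _hint(notify: str | None, sent: int) -> str:
    """Hypothetical reading of the failure point; the hints are mine, not from the post."""
    if notify is None:
        return "No error notify in this excerpt; if phase 1 reached ESTABLISHED, look at Quick Mode next."
    if notify == "NO_PROPOSAL_CHOSEN":
        return "Peer rejected the phase 1 proposal: compare encryption, hash, DH group and lifetime."
    if notify == "AUTH_FAILED" and sent <= 1:
        return ("Peer sent AUTH_FAILED before any ID/HASH payload was exchanged. In Main Mode with a PSK "
                "the responder selects the key by the initiator's source IP, so check the gateway "
                "address and PSK the peer holds for this firewall's WAN address.")
    if notify == "AUTH_FAILED":
        return "AUTH_FAILED after ID/HASH: PSK or identifier mismatch on one side."
    return f"Peer sent {notify}; look for the matching line in the peer's own log."


def analyze(text: str) -> dict:
    msgs = parse_charon_log(text)
    sent = _furthest_stage(msgs, "out")
    answered = _furthest_stage(msgs, "in")
    notify = next((NOTIFY_RE.match(p)["name"] for m in msgs if m.direction == "in"
                   for p in m.payloads if NOTIFY_RE.match(p)), None)
    return {
        "connection": msgs[0].conn if msgs else None,
        "last_sent_step": STAGES[sent][0] if sent >= 0 else None,
        "last_answered_step": STAGES[answered][0] if answered >= 0 else None,
        "notify": notify,
        "hint": _hint(notify, sent),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the post's excerpt it reports that MM1/MM2 completed (the peer answered the SA proposal, so the AES128/SHA1/DH2 proposal itself was accepted), that our KE/nonce message was the last one sent, and that the peer replied to it with AUTH_FAILED. The status block from the working direction (AES_CBC, HMAC_SHA1_96, MODP_1024) is consistent with that: the algorithms match, so the difference between the two directions lies in how the USG handles an inbound request from the pfSense address rather than in the proposal.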