Netgate Discussion Forum
    S2S pfS <-> USG 20 - Initiation only works from USG20

    Posted by StrIT

      Hello

      I am trying to set up a site-to-site IPsec VPN between a USG20 and a pfSense (2.3.2-RELEASE-p1). The tunnel can be opened from the USG20 but not from the pfSense side. My pfSense is connected to the internet directly by PPPoE; I do not use NAT traversal. I get the following log output when trying to open the tunnel:

      Nov 21 16:34:18 charon 10[CFG] received stroke: terminate 'con1000'
      Nov 21 16:34:18 charon 10[CFG] no IKE_SA named 'con1000' found
      Nov 21 16:34:18 charon 13[CFG] received stroke: initiate 'con1000'
      Nov 21 16:34:18 charon 10[IKE] <con1000|27> initiating Main Mode IKE_SA con1000[27] to x.x.x.x
      Nov 21 16:34:18 charon 10[ENC] <con1000|27> generating ID_PROT request 0 [ SA V V V V V ]
      Nov 21 16:34:18 charon 10[NET] <con1000|27> sending packet: from x.x.x.x[500] to x.x.x.x[500] (184 bytes)
      Nov 21 16:34:18 charon 10[NET] <con1000|27> received packet: from x.x.x.x[500] to x.x.x.x[500] (88 bytes)
      Nov 21 16:34:18 charon 10[ENC] <con1000|27> parsed ID_PROT response 0 [ SA ]
      Nov 21 16:34:18 charon 10[ENC] <con1000|27> generating ID_PROT request 0 [ KE No ]
      Nov 21 16:34:18 charon 10[NET] <con1000|27> sending packet: from x.x.x.x[500] to x.x.x.x[500] (196 bytes)
      Nov 21 16:34:18 charon 10[NET] <con1000|27> received packet: from x.x.x.x[500] to x.x.x.x[500] (91 bytes)
      Nov 21 16:34:18 charon 10[ENC] <con1000|27> parsed INFORMATIONAL_V1 request 1440699603 [ N(AUTH_FAILED) ]
      Nov 21 16:34:18 charon 10[IKE] <con1000|27> received AUTHENTICATION_FAILED error notify

      I already tried switching the negotiation mode, which is proposed in the FAQ, but it didn't solve the problem. My P1 IPsec config on the pfSense looks as follows (I know that the security of this is effectively 0, but we have to stick to those settings).

      IKE Version 1
      Internet Protocol: IPv4
      Interface: WAN
      Remote Gateway: Public IP of the USG20

      Authentication Method: Mutual PSK
      Negotiation Mode: Main
      My identifier: My IP address
      Peer identifier: Peer IP address
      PSK: PSK

      Proposal: AES128
      Hash Algorithm: SHA1
      DH Group: DH2
      Lifetime: 86400

      Disable rekey: Unchecked
      Responder only: Unchecked

      NAT traversal: Auto
      DPD: Unchecked

      Let me know if you need any further info. Any help would be appreciated.

      Regards
      A

      No ideas?

      As soon as the tunnel gets connected from the ZyWall side I see the following under IPSec status:

      Role: IKEv1 responder

      Algo: AES_CBC / HMAC_SHA1_96 / PRF_HMAC_SHA1 / MODP_1024

      Status: ESTABLISHED (xxxx seconds)

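The charon log in the post is a textbook IKEv1 Main Mode trace, and the useful fact is not the AUTH_FAILED notify itself but where in the six-message exchange it arrived. The script below is an added example, not code from the post or from pfSense/strongSwan: it parses charon lines of the shape shown above (the sample is the post's own lines, embedded here as constructed input with the space after the `<con1000|27>` tag restored), maps each ID_PROT request/response to its Main Mode message number from its payload list, records which message an error notify replaced, and states what that position rules in or out. The payload-to-message table and the interpretation strings are this example's own reasoning from the Main Mode message layout (1/2 SA, 3/4 KE+nonce, 5/6 ID+HASH with PSK), not anything pfSense or the ZyWall prints.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the lines from the post above, with the space after the
# "<conn|id>" tag that the forum's HTML rendering swallowed.
SAMPLE_LOG = """\
Nov 21 16:34:18 charon 10[CFG] received stroke: terminate 'con1000'
Nov 21 16:34:18 charon 10[CFG] no IKE_SA named 'con1000' found
Nov 21 16:34:18 charon 13[CFG] received stroke: initiate 'con1000'
Nov 21 16:34:18 charon 10[IKE] <con1000|27> initiating Main Mode IKE_SA con1000[27] to x.x.x.x
Nov 21 16:34:18 charon 10[ENC] <con1000|27> generating ID_PROT request 0 [ SA V V V V V ]
Nov 21 16:34:18 charon 10[NET] <con1000|27> sending packet: from x.x.x.x[500] to x.x.x.x[500] (184 bytes)
Nov 21 16:34:18 charon 10[NET] <con1000|27> received packet: from x.x.x.x[500] to x.x.x.x[500] (88 bytes)
Nov 21 16:34:18 charon 10[ENC] <con1000|27> parsed ID_PROT response 0 [ SA ]
Nov 21 16:34:18 charon 10[ENC] <con1000|27> generating ID_PROT request 0 [ KE No ]
Nov 21 16:34:18 charon 10[NET] <con1000|27> sending packet: from x.x.x.x[500] to x.x.x.x[500] (196 bytes)
Nov 21 16:34:18 charon 10[NET] <con1000|27> received packet: from x.x.x.x[500] to x.x.x.x[500] (91 bytes)
Nov 21 16:34:18 charon 10[ENC] <con1000|27> parsed INFORMATIONAL_V1 request 1440699603 [ N(AUTH_FAILED) ]
Nov 21 16:34:18 charon 10[IKE] <con1000|27> received AUTHENTICATION_FAILED error notify
"""

# Part of a charon line after the syslog prefix. The "<conn|id>" tag is optional
# because CFG lines (stroke handling) carry none.
LINE_RE = re.compile(
    r"charon \d+\[(?P<sub>[A-Z]+)\] (?:<(?P<conn>[^|]+)\|(?P<id>\d+)> )?(?P<msg>.*)$"
)
# "generating ID_PROT request 0 [ SA V V V V V ]" / "parsed INFORMATIONAL_V1 request 1440699603 [ N(AUTH_FAILED) ]"
EXCH_RE = re.compile(
    r"(?P<dir>generating|parsed) (?P<exch>\w+) (?P<kind>request|response) (?P<mid>\d+) \[ (?P<payloads>[^\]]*)\]"
)
NOTIFY_RE = re.compile(r"N\((?P<notify>[A-Z_]+)\)")

# Main Mode (ID_PROT) message numbers, keyed by the payloads that identify each
# pair: odd messages come from the initiator, even ones from the responder.
# Only the PSK variant (ID + HASH in messages 5/6) is modelled here.
MAIN_MODE_STEPS = {
    ("SA",): {"request": 1, "response": 2},
    ("KE", "No"): {"request": 3, "response": 4},
    ("ID", "HASH"): {"request": 5, "response": 6},
}
STEP_NAMES = {
    1: "initiator SA proposal", 2: "responder SA choice",
    3: "initiator KE/nonce", 4: "responder KE/nonce",
    5: "initiator ID/HASH", 6: "responder ID/HASH",
}


def key_payloads(payloads: str) -> Tuple[str, ...]:
    """Drop vendor IDs, NAT-D and notify payloads, which do not identify the step."""
    return tuple(t for t in payloads.split()
                 if t not in ("V", "NAT-D") and not t.startswith("N("))


@dataclass
class ExchangeReport:
    conn: Optional[str] = None
    ike_sa: Optional[str] = None
    steps: List[int] = field(default_factory=list)   # Main Mode messages seen, in order
    notify: Optional[str] = None                     # first error notify received
    notify_after: Optional[int] = None               # last Main Mode message before it
    peer_accepted_proposal: bool = False

    def last_completed(self) -> int:
        return max(self.steps) if self.steps else 0


def analyze(log_text: str) -> ExchangeReport:
    rep = ExchangeReport()
    for raw in log_text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue
        if m["conn"] and rep.conn is None:
            rep.conn, rep.ike_sa = m["conn"], f"{m['conn']}[{m['id']}]"
        e = EXCH_RE.search(m["msg"])
        if not e:
            continue
        if e["exch"] == "ID_PROT":
            step = MAIN_MODE_STEPS.get(key_payloads(e["payloads"]), {}).get(e["kind"])
            if step:
                rep.steps.append(step)
                if step == 2:
                    rep.peer_accepted_proposal = True   # message 2 = peer chose our proposal
        elif e["exch"] == "INFORMATIONAL_V1" and e["dir"] == "parsed":
            n = NOTIFY_RE.search(e["payloads"])
            if n and rep.notify is None:
                rep.notify, rep.notify_after = n["notify"], rep.last_completed()
    return rep


def explain(rep: ExchangeReport) -> str:
    """Interpretation of where the exchange died (this example's reasoning, not a tool's)."""
    if rep.notify is None:
        return "no error notify seen"
    last = rep.notify_after or 0
    head = f"{rep.notify} arrived after Main Mode message {last} ({STEP_NAMES.get(last, 'none')}). "
    if last < 2:
        return head + "The peer never answered the SA proposal: check the Phase 1 algorithms/DH group."
    if last < 4:
        return head + ("The peer accepted the proposal but gave up in place of its own KE/nonce, "
                       "before any identifier or PSK-derived HASH left this side, so it rejected on "
                       "what it knows from our source address and the first two messages, not on the "
                       "ID/HASH check.")
    if last < 6:
        return head + "The peer rejected the ID/HASH exchange: check PSK and identifier type/value on both sides."
    return head + "Phase 1 completed; look at Phase 2 (Quick Mode) instead."


if __name__ == "__main__":
    r = analyze(SAMPLE_LOG)
    print(r.ike_sa, "messages seen:", r.steps)
    print(explain(r))
```

Run it on the post's lines and it reports that the peer answered message 1 with a valid SA choice (so the AES128/SHA1/DH2 proposal is not what it objects to, consistent with the same algorithms being negotiated when the ZyWall initiates) and that the notify replaced message 4, before pfSense had sent its identifier or hash. Feed it a responder-side log and the same table applies, since "parsed ID_PROT request" maps to the odd messages and "generating ID_PROT response" to the even ones.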
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.