IPsec Site-to-Site Tunnel pfSense/Zyxel USG20-VPN



    Hello,

    I'm at my wit's end: I can't get an IPsec VPN tunnel between pfSense and a Zyxel USG20-VPN to work.
    I actually think I have taken care of everything that the guides on site-to-site IPsec VPN connections say.
    Something is still going wrong somewhere.

    Site 1:
    pfSense with a fixed public IP

    Site 2:
    USG20 as exposed host behind an A1 DSL modem with a dynamic public IP/DDNS

    Screenshots of the settings are attached
    pfSense:
    pfSense_IPSEC_Phase1_settings.png
    pfSense_IPSEC_Phase2_settings.png

    USG20:
    USG20_IPSEC_Phase1_settings.png
    USG20_IPSEC_Phase2_settings.png

    pfSense log:

    Dec 9 22:00:08 	charon 		13[NET] <bypasslan|29>sending packet: from 80.nnn.nnn.nnn[4500] to 178.nnn.nnn.nnn[4500] (76 bytes)
    Dec 9 22:00:08 	charon 		13[ENC] <bypasslan|29>generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    Dec 9 22:00:08 	charon 		13[IKE] <bypasslan|29>received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
    Dec 9 22:00:08 	charon 		13[IKE] <bypasslan|29>no shared key found for '%any' - '192.168.1.1'
    Dec 9 22:00:08 	charon 		13[CFG] <bypasslan|29>selected peer config 'bypasslan'
    Dec 9 22:00:08 	charon 		13[CFG] <29> looking for peer configs matching 80.nnn.nnn.nnn[%any]...178.nnn.nnn.nnn[192.168.1.1]
    Dec 9 22:00:08 	charon 		13[IKE] <29> received 1 cert requests for an unknown ca
    Dec 9 22:00:08 	charon 		13[ENC] <29> parsed IKE_AUTH request 1 [ IDi CERTREQ AUTH SA TSi TSr N(HTTP_CERT_LOOK) N(INIT_CONTACT) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
    Dec 9 22:00:08 	charon 		13[NET] <29> received packet: from 178.nnn.nnn.nnn[4500] to 80.nnn.nnn.nnn[4500] (252 bytes)
    Dec 9 22:00:08 	charon 		13[NET] <29> sending packet: from 80.nnn.nnn.nnn[500] to 178.nnn.nnn.nnn[500] (312 bytes)
    Dec 9 22:00:08 	charon 		13[ENC] <29> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
    Dec 9 22:00:08 	charon 		13[IKE] <29> remote host is behind NAT
    Dec 9 22:00:08 	charon 		13[IKE] <29> 178.nnn.nnn.nnn is initiating an IKE_SA
    Dec 9 22:00:08 	charon 		13[ENC] <29> received unknown vendor ID: f9:19:6d:f8:6b:81:2f:b0:f6:80:26:d8:87:6d:cb:7b:00:04:20:00
    Dec 9 22:00:08 	charon 		13[ENC] <29> received unknown vendor ID: c4:4f:ed:c7:49:f9:e6:ae:5b:04:ec:96:9c:b2:5d:69
    Dec 9 22:00:08 	charon 		13[ENC] <29> received unknown vendor ID: f7:58:f2:26:68:75:0f:03:b0:8d:f6:eb:e1:d0:04:03
    Dec 9 22:00:08 	charon 		13[ENC] <29> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V ]
    Dec 9 22:00:08 	charon 		13[NET] <29> received packet: from 178.nnn.nnn.nnn[500] to 80.nnn.nnn.nnn[500] (368 bytes)
    Dec 9 21:58:39 	charon 		14[NET] <bypasslan|28>sending packet: from 80.nnn.nnn.nnn[4500] to 178.nnn.nnn.nnn[4500] (76 bytes)
    Dec 9 21:58:39 	charon 		14[ENC] <bypasslan|28>generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    Dec 9 21:58:39 	charon 		14[IKE] <bypasslan|28>received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
    Dec 9 21:58:39 	charon 		14[IKE] <bypasslan|28>no shared key found for '%any' - '192.168.1.1'
    Dec 9 21:58:39 	charon 		14[CFG] <bypasslan|28>selected peer config 'bypasslan'
    Dec 9 21:58:39 	charon 		14[CFG] <28> looking for peer configs matching 80.nnn.nnn.nnn[%any]...178.nnn.nnn.nnn[192.168.1.1]
    Dec 9 21:58:39 	charon 		14[IKE] <28> received 1 cert requests for an unknown ca
    Dec 9 21:58:39 	charon 		14[ENC] <28> parsed IKE_AUTH request 1 [ IDi CERTREQ AUTH SA TSi TSr N(HTTP_CERT_LOOK) N(INIT_CONTACT) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
    Dec 9 21:58:39 	charon 		14[NET] <28> received packet: from 178.nnn.nnn.nnn[4500] to 80.nnn.nnn.nnn[4500] (252 bytes)
    Dec 9 21:58:39 	charon 		14[NET] <28> sending packet: from 80.nnn.nnn.nnn[500] to 178.nnn.nnn.nnn[500] (312 bytes)
    Dec 9 21:58:39 	charon 		14[ENC] <28> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
    Dec 9 21:58:39 	charon 		14[IKE] <28> remote host is behind NAT
    Dec 9 21:58:39 	charon 		14[IKE] <28> 178.nnn.nnn.nnn is initiating an IKE_SA
    Dec 9 21:58:39 	charon 		14[ENC] <28> received unknown vendor ID: f9:19:6d:f8:6b:81:2f:b0:f6:80:26:d8:87:6d:cb:7b:00:04:20:00
    Dec 9 21:58:39 	charon 		14[ENC] <28> received unknown vendor ID: c4:4f:ed:c7:49:f9:e6:ae:5b:04:ec:96:9c:b2:5d:69
    Dec 9 21:58:39 	charon 		14[ENC] <28> received unknown vendor ID: f7:58:f2:26:68:75:0f:03:b0:8d:f6:eb:e1:d0:04:03
    Dec 9 21:58:39 	charon 		14[ENC] <28> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V ]
    Dec 9 21:58:39 	charon 		14[NET] <28> received packet: from 178.nnn.nnn.nnn[500] to 80.nnn.nnn.nnn[500] (368 bytes)
    Dec 9 21:57:18 	charon 		14[NET] <bypasslan|27>sending packet: from 80.nnn.nnn.nnn[4500] to 178.nnn.nnn.nnn[4500] (76 bytes)
    Dec 9 21:57:18 	charon 		14[ENC] <bypasslan|27>generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    Dec 9 21:57:18 	charon 		14[IKE] <bypasslan|27>received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
    Dec 9 21:57:18 	charon 		14[IKE] <bypasslan|27>no shared key found for '%any' - '192.168.1.1'
    Dec 9 21:57:18 	charon 		14[CFG] <bypasslan|27>selected peer config 'bypasslan'
    Dec 9 21:57:18 	charon 		14[CFG] <27> looking for peer configs matching 80.nnn.nnn.nnn[%any]...178.nnn.nnn.nnn[192.168.1.1]
    Dec 9 21:57:18 	charon 		14[IKE] <27> received 1 cert requests for an unknown ca
    Dec 9 21:57:18 	charon 		14[ENC] <27> parsed IKE_AUTH request 1 [ IDi CERTREQ AUTH SA TSi TSr N(HTTP_CERT_LOOK) N(INIT_CONTACT) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
    Dec 9 21:57:18 	charon 		14[NET] <27> received packet: from 178.nnn.nnn.nnn[4500] to 80.nnn.nnn.nnn[4500] (252 bytes)
    Dec 9 21:57:18 	charon 		14[NET] <27> sending packet: from 80.nnn.nnn.nnn[500] to 178.nnn.nnn.nnn[500] (312 bytes)
    Dec 9 21:57:18 	charon 		14[ENC] <27> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
    Dec 9 21:57:18 	charon 		14[IKE] <27> remote host is behind NAT
    Dec 9 21:57:18 	charon 		14[IKE] <27> 178.nnn.nnn.nnn is initiating an IKE_SA
    Dec 9 21:57:18 	charon 		14[ENC] <27> received unknown vendor ID: f9:19:6d:f8:6b:81:2f:b0:f6:80:26:d8:87:6d:cb:7b:00:04:20:00

    Is that enough to pin down the problem?

    Many thanks in advance!
    Regards
    Thomas