IPsec Site-to-Site Tunnel pfSense/Zyxel USG20-VPN
-
Hello,
I'm at my wits' end: I cannot get an IPsec VPN tunnel between pfSense and a Zyxel USG20-VPN to work.
I actually think I have taken care of everything that the guides on site-to-site IPsec VPN connections say.
Something is still not right somewhere.

Site 1:
pfSense with a fixed public IP

Site 2:
USG20 as exposed host behind an A1 DSL modem with a dynamic public IP/DDNS

Attached are screenshots of the settings.

pfSense:
pfSense_IPSEC_Phase1_settings.png
pfSense_IPSEC_Phase2_settings.png

USG20:
USG20_IPSEC_Phase1_settings.png
USG20_IPSEC_Phase2_settings.png

pfSense log:
Dec 9 22:00:08 charon 13[NET] <bypasslan|29> sending packet: from 80.nnn.nnn.nnn[4500] to 178.nnn.nnn.nnn[4500] (76 bytes)
Dec 9 22:00:08 charon 13[ENC] <bypasslan|29> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Dec 9 22:00:08 charon 13[IKE] <bypasslan|29> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Dec 9 22:00:08 charon 13[IKE] <bypasslan|29> no shared key found for '%any' - '192.168.1.1'
Dec 9 22:00:08 charon 13[CFG] <bypasslan|29> selected peer config 'bypasslan'
Dec 9 22:00:08 charon 13[CFG] <29> looking for peer configs matching 80.nnn.nnn.nnn[%any]...178.nnn.nnn.nnn[192.168.1.1]
Dec 9 22:00:08 charon 13[IKE] <29> received 1 cert requests for an unknown ca
Dec 9 22:00:08 charon 13[ENC] <29> parsed IKE_AUTH request 1 [ IDi CERTREQ AUTH SA TSi TSr N(HTTP_CERT_LOOK) N(INIT_CONTACT) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
Dec 9 22:00:08 charon 13[NET] <29> received packet: from 178.nnn.nnn.nnn[4500] to 80.nnn.nnn.nnn[4500] (252 bytes)
Dec 9 22:00:08 charon 13[NET] <29> sending packet: from 80.nnn.nnn.nnn[500] to 178.nnn.nnn.nnn[500] (312 bytes)
Dec 9 22:00:08 charon 13[ENC] <29> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Dec 9 22:00:08 charon 13[IKE] <29> remote host is behind NAT
Dec 9 22:00:08 charon 13[IKE] <29> 178.nnn.nnn.nnn is initiating an IKE_SA
Dec 9 22:00:08 charon 13[ENC] <29> received unknown vendor ID: f9:19:6d:f8:6b:81:2f:b0:f6:80:26:d8:87:6d:cb:7b:00:04:20:00
Dec 9 22:00:08 charon 13[ENC] <29> received unknown vendor ID: c4:4f:ed:c7:49:f9:e6:ae:5b:04:ec:96:9c:b2:5d:69
Dec 9 22:00:08 charon 13[ENC] <29> received unknown vendor ID: f7:58:f2:26:68:75:0f:03:b0:8d:f6:eb:e1:d0:04:03
Dec 9 22:00:08 charon 13[ENC] <29> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V ]
Dec 9 22:00:08 charon 13[NET] <29> received packet: from 178.nnn.nnn.nnn[500] to 80.nnn.nnn.nnn[500] (368 bytes)
Dec 9 21:58:39 charon 14[NET] <bypasslan|28> sending packet: from 80.nnn.nnn.nnn[4500] to 178.nnn.nnn.nnn[4500] (76 bytes)
Dec 9 21:58:39 charon 14[ENC] <bypasslan|28> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Dec 9 21:58:39 charon 14[IKE] <bypasslan|28> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Dec 9 21:58:39 charon 14[IKE] <bypasslan|28> no shared key found for '%any' - '192.168.1.1'
Dec 9 21:58:39 charon 14[CFG] <bypasslan|28> selected peer config 'bypasslan'
Dec 9 21:58:39 charon 14[CFG] <28> looking for peer configs matching 80.nnn.nnn.nnn[%any]...178.nnn.nnn.nnn[192.168.1.1]
Dec 9 21:58:39 charon 14[IKE] <28> received 1 cert requests for an unknown ca
Dec 9 21:58:39 charon 14[ENC] <28> parsed IKE_AUTH request 1 [ IDi CERTREQ AUTH SA TSi TSr N(HTTP_CERT_LOOK) N(INIT_CONTACT) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
Dec 9 21:58:39 charon 14[NET] <28> received packet: from 178.nnn.nnn.nnn[4500] to 80.nnn.nnn.nnn[4500] (252 bytes)
Dec 9 21:58:39 charon 14[NET] <28> sending packet: from 80.nnn.nnn.nnn[500] to 178.nnn.nnn.nnn[500] (312 bytes)
Dec 9 21:58:39 charon 14[ENC] <28> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Dec 9 21:58:39 charon 14[IKE] <28> remote host is behind NAT
Dec 9 21:58:39 charon 14[IKE] <28> 178.nnn.nnn.nnn is initiating an IKE_SA
Dec 9 21:58:39 charon 14[ENC] <28> received unknown vendor ID: f9:19:6d:f8:6b:81:2f:b0:f6:80:26:d8:87:6d:cb:7b:00:04:20:00
Dec 9 21:58:39 charon 14[ENC] <28> received unknown vendor ID: c4:4f:ed:c7:49:f9:e6:ae:5b:04:ec:96:9c:b2:5d:69
Dec 9 21:58:39 charon 14[ENC] <28> received unknown vendor ID: f7:58:f2:26:68:75:0f:03:b0:8d:f6:eb:e1:d0:04:03
Dec 9 21:58:39 charon 14[ENC] <28> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V ]
Dec 9 21:58:39 charon 14[NET] <28> received packet: from 178.nnn.nnn.nnn[500] to 80.nnn.nnn.nnn[500] (368 bytes)
Dec 9 21:57:18 charon 14[NET] <bypasslan|27> sending packet: from 80.nnn.nnn.nnn[4500] to 178.nnn.nnn.nnn[4500] (76 bytes)
Dec 9 21:57:18 charon 14[ENC] <bypasslan|27> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Dec 9 21:57:18 charon 14[IKE] <bypasslan|27> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Dec 9 21:57:18 charon 14[IKE] <bypasslan|27> no shared key found for '%any' - '192.168.1.1'
Dec 9 21:57:18 charon 14[CFG] <bypasslan|27> selected peer config 'bypasslan'
Dec 9 21:57:18 charon 14[CFG] <27> looking for peer configs matching 80.nnn.nnn.nnn[%any]...178.nnn.nnn.nnn[192.168.1.1]
Dec 9 21:57:18 charon 14[IKE] <27> received 1 cert requests for an unknown ca
Dec 9 21:57:18 charon 14[ENC] <27> parsed IKE_AUTH request 1 [ IDi CERTREQ AUTH SA TSi TSr N(HTTP_CERT_LOOK) N(INIT_CONTACT) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
Dec 9 21:57:18 charon 14[NET] <27> received packet: from 178.nnn.nnn.nnn[4500] to 80.nnn.nnn.nnn[4500] (252 bytes)
Dec 9 21:57:18 charon 14[NET] <27> sending packet: from 80.nnn.nnn.nnn[500] to 178.nnn.nnn.nnn[500] (312 bytes)
Dec 9 21:57:18 charon 14[ENC] <27> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Dec 9 21:57:18 charon 14[IKE] <27> remote host is behind NAT
Dec 9 21:57:18 charon 14[IKE] <27> 178.nnn.nnn.nnn is initiating an IKE_SA
Dec 9 21:57:18 charon 14[ENC] <27> received unknown vendor ID: f9:19:6d:f8:6b:81:2f:b0:f6:80:26:d8:87:6d:cb:7b:00:04:20:00
Is that enough to localize the problem?
Many thanks in advance!
Regards
Thomas
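The log above is an IKEv2 exchange as strongSwan's charon daemon on pfSense records it (newest entry first): IKE_SA_INIT completes and the responder notes that the peer is behind NAT; in IKE_AUTH the peer then presents the identity 192.168.1.1, charon finds no pre-shared key for the identity pair '%any' / '192.168.1.1', matches only pfSense's auto-generated 'bypasslan' configuration and answers N(AUTH_FAILED). The following Python script is an added example and is not part of the original post, of pfSense or of strongSwan. It parses charon lines of the form shown here, folds them per IKE_SA number and reports these findings, so that a responder-side log can be triaged without reading it bottom-up by hand. The sample entries are copied from the post (with the addresses already redacted there); the message patterns are derived from the lines shown and are an assumption for other charon versions.

```python
"""Triage helper for strongSwan (charon) IKEv2 responder logs as pfSense shows them.

Added example, not part of the original post or of pfSense/strongSwan. It folds
charon entries per IKE_SA number and reports why an IKE_AUTH was rejected.
"""
import ipaddress
import re

# Constructed sample: entries copied from the pfSense log in the post above
# (public addresses were already redacted there as "nnn"). pfSense lists
# entries newest first, so the exchange reads bottom-up.
SAMPLE_LOG = """\
Dec 9 22:00:08 charon 13[NET] <bypasslan|29> sending packet: from 80.nnn.nnn.nnn[4500] to 178.nnn.nnn.nnn[4500] (76 bytes)
Dec 9 22:00:08 charon 13[ENC] <bypasslan|29> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Dec 9 22:00:08 charon 13[IKE] <bypasslan|29> no shared key found for '%any' - '192.168.1.1'
Dec 9 22:00:08 charon 13[CFG] <bypasslan|29> selected peer config 'bypasslan'
Dec 9 22:00:08 charon 13[CFG] <29> looking for peer configs matching 80.nnn.nnn.nnn[%any]...178.nnn.nnn.nnn[192.168.1.1]
Dec 9 22:00:08 charon 13[ENC] <29> parsed IKE_AUTH request 1 [ IDi CERTREQ AUTH SA TSi TSr N(HTTP_CERT_LOOK) N(INIT_CONTACT) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
Dec 9 22:00:08 charon 13[IKE] <29> remote host is behind NAT
Dec 9 22:00:08 charon 13[IKE] <29> 178.nnn.nnn.nnn is initiating an IKE_SA
"""

# One charon entry: "<mon> <day> <time> charon <thread>[<subsystem>] <[config|]sa> <message>".
# The "\s*" after ">" also accepts pasted lines that lost the space after the config name.
ENTRY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) charon \d+\[(?P<sub>[A-Z]+)\] "
    r"<(?:(?P<cfg>[^|>]*)\|)?(?P<sa>\d+)>\s*(?P<msg>.*)$"
)
# Message patterns as they appear in the log above (assumed stable across charon versions).
INITIATING_RE = re.compile(r"(?P<addr>\S+) is initiating an IKE_SA")
MATCHING_RE = re.compile(
    r"looking for peer configs matching \S+?\[(?P<lid>[^\]]+)\]\.\.\.\S+?\[(?P<rid>[^\]]+)\]"
)
NOKEY_RE = re.compile(r"no shared key found for '(?P<lid>[^']*)' - '(?P<rid>[^']*)'")
SELECTED_RE = re.compile(r"selected peer config '(?P<cfg>[^']+)'")
AUTH_RESP_RE = re.compile(r"generating IKE_AUTH response \d+ \[ (?P<payloads>.*) \]")


def parse_entries(text):
    """Return one dict per recognised charon line; unrelated lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def summarize(entries):
    """Fold entries into one record per IKE_SA number (entry order does not matter)."""
    sas = {}
    for e in entries:
        rec = sas.setdefault(e["sa"], {
            "initiator": None, "behind_nat": False, "local_id": None, "remote_id": None,
            "psk_found": None, "selected_config": None, "auth_response": None,
        })
        msg = e["msg"]
        if m := INITIATING_RE.search(msg):
            rec["initiator"] = m["addr"]
        elif "remote host is behind NAT" in msg:
            rec["behind_nat"] = True
        elif m := MATCHING_RE.search(msg):
            rec["local_id"], rec["remote_id"] = m["lid"], m["rid"]
        elif NOKEY_RE.search(msg):
            rec["psk_found"] = False
        elif m := SELECTED_RE.search(msg):
            rec["selected_config"] = m["cfg"]
        elif m := AUTH_RESP_RE.search(msg):
            rec["auth_response"] = m["payloads"]
    return sas


def is_private_address(identity):
    """True if the IKE identity is a private (e.g. RFC 1918) IP address."""
    try:
        return ipaddress.ip_address(identity).is_private
    except ValueError:  # FQDN, e-mail style or other non-IP identity
        return False


def diagnose(rec):
    """Human-readable findings for one IKE_SA record; empty list if nothing stands out."""
    findings = []
    if rec["psk_found"] is False:
        findings.append(
            f"no pre-shared key configured for identity pair {rec['local_id']!r} / {rec['remote_id']!r}"
        )
        if rec["behind_nat"] and is_private_address(rec["remote_id"]):
            findings.append(
                "peer is behind NAT and identifies itself with a private address; the responder "
                "needs a peer identifier matching exactly that value, or the peer must send another one"
            )
    if rec["selected_config"] == "bypasslan":
        findings.append(
            "no tunnel configuration matched the identities; charon fell back to "
            "pfSense's auto-generated 'bypasslan' entry"
        )
    if rec["auth_response"] and "AUTH_FAILED" in rec["auth_response"]:
        findings.append("responder rejected IKE_AUTH with N(AUTH_FAILED)")
    return findings


if __name__ == "__main__":
    for sa, rec in summarize(parse_entries(SAMPLE_LOG)).items():
        print(f"IKE_SA {sa} from {rec['initiator']} (behind NAT: {rec['behind_nat']})")
        for finding in diagnose(rec):
            print("  -", finding)
```

Run against the full log in the post, the script produces one record each for IKE_SA 27, 28 and 29 with the same four findings, which is what the three identical retries show: the IKE_SA_INIT phase (proposals, NAT detection) is fine and the failure is purely in identity/PSK matching during IKE_AUTH.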