PfSense 2.3.2 <-> Juniper FW
-
Hi,
I'm trying to build a ipsec vpn between pfsense an a Juniper firewall with no success.
We checked all the proposals and everything is right on both sides.Feb 7 18:20:40 charon 08[IKE] <136475> IKE_SA (unnamed)[136475] state change: CONNECTING => DESTROYING Feb 7 18:20:40 charon 08[IKE] IKE_SA (unnamed)[136475] state change: CONNECTING => DESTROYING Feb 7 18:20:40 charon 08[NET] <136475> sending packet: from 11.11.11.11[500] to 22.22.22.22[500] (84 bytes) Feb 7 18:20:40 charon 08[ENC] <136475> generating INFORMATIONAL_V1 request 3961898376 [ HASH N(AUTH_FAILED) ] Feb 7 18:20:40 charon 08[IKE] <136475> activating INFORMATIONAL task Feb 7 18:20:40 charon 08[IKE] <136475> activating new tasks Feb 7 18:20:40 charon 08[IKE] <136475> queueing INFORMATIONAL task Feb 7 18:20:40 charon 08[IKE] <136475> found 1 matching config, but none allows pre-shared key authentication using Main Mode Feb 7 18:20:40 charon 08[CFG] <136475> candidate "bypasslan", match: 1/1/24 (me/other/ike) Feb 7 18:20:40 charon 08[CFG] <136475> looking for pre-shared key peer configs matching 11.11.11.11...22.22.22.22[22.22.22.22] Feb 7 18:20:40 charon 08[ENC] <136475> parsed ID_PROT request 0 [ ID HASH ] Feb 7 18:20:40 charon 08[NET] <136475> received packet: from 22.22.22.22[500] to 11.11.11.11[500] (68 bytes) Feb 7 18:20:40 charon 15[NET] <136475> sending packet: from 11.11.11.11[500] to 22.22.22.22[500] (196 bytes) Feb 7 18:20:40 charon 15[ENC] <136475> generating ID_PROT response 0 [ KE No ] Feb 7 18:20:40 charon 15[ENC] <136475> parsed ID_PROT request 0 [ KE No ] Feb 7 18:20:40 charon 15[NET] <136475> received packet: from 22.22.22.22[500] to 11.11.11.11[500] (196 bytes) Feb 7 18:20:40 charon 10[NET] <136475> sending packet: from 11.11.11.11[500] to 22.22.22.22[500] (112 bytes) Feb 7 18:20:40 charon 10[ENC] <136475> generating ID_PROT response 0 [ SA V V ] Feb 7 18:20:40 charon 10[IKE] <136475> sending DPD vendor ID Feb 7 18:20:40 charon 10[IKE] <136475> sending XAuth vendor ID Feb 7 18:20:40 charon 10[CFG] <136475> selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 Feb 7 18:20:40 charon 10[CFG] <136475> configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_MD5_96/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024 Feb 7 18:20:40 charon 10[CFG] <136475> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 Feb 7 18:20:40 charon 10[CFG] <136475> proposal matches Feb 7 18:20:40 charon 10[CFG] <136475> selecting proposal: Feb 7 18:20:40 charon 10[CFG] <136475> no acceptable ENCRYPTION_ALGORITHM found Feb 7 18:20:40 charon 10[CFG] <136475> selecting proposal: Feb 7 18:20:40 charon 10[IKE] <136475> IKE_SA (unnamed)[136475] state change: CREATED => CONNECTING Feb 7 18:20:40 charon 10[IKE] IKE_SA (unnamed)[136475] state change: CREATED => CONNECTING Feb 7 18:20:40 charon 10[IKE] <136475> 22.22.22.22 is initiating a Main Mode IKE_SA Feb 7 18:20:40 charon 10[ENC] <136475> received unknown vendor ID: 48:65:61:72:74:42:65:61:74:5f:4e:6f:74:69:66:79:38:6b:01:00 Feb 7 18:20:40 charon 10[IKE] <136475> received DPD vendor ID Feb 7 18:20:40 charon 10[ENC] <136475> received unknown vendor ID: 94:36:e8:d6:71:74:ef:9a:ed:06:8d:5a:d5:21:3f:18:7a:3f:8b:a6:00:00:00:16:00:00:06:1e Feb 7 18:20:40 charon 10[CFG] <136475> found matching ike config: %any...%any with prio 24 Feb 7 18:20:40 charon 10[CFG] <136475> candidate: %any...%any, prio 24 Feb 7 18:20:40 charon 10[CFG] <136475> looking for an ike config for 11.11.11.11...22.22.22.22 Feb 7 18:20:40 charon 10[ENC] <136475> parsed ID_PROT request 0 [ SA V V V ] Feb 7 18:20:40 charon 10[NET] <136475> received packet: from 22.22.22.22[500] to 11.11.11.11[500] (156 bytes)
It looks like the P1 proposals are not right, but they are.
Any ideas?
Thanks
Christian -
Problem found by my self.
It is unbelievable but the ipsec process was a zombi.
I can not restart the service via webgui even on the command shell with the php skript.
I needed to kill the process and start it again via webgui.
Now the vpn ist up and running.