Netgate Discussion Forum

    PfSense 2.3.2 <-> Juniper FW

    cherzberg

      Hi,

      I'm trying to build an IPsec VPN between pfSense and a Juniper firewall with no success.
      We checked all the proposals and everything is right on both sides.

      Feb 7 18:20:40	charon		08[IKE] <136475> IKE_SA (unnamed)[136475] state change: CONNECTING => DESTROYING
      Feb 7 18:20:40	charon		08[IKE] IKE_SA (unnamed)[136475] state change: CONNECTING => DESTROYING
      Feb 7 18:20:40	charon		08[NET] <136475> sending packet: from 11.11.11.11[500] to 22.22.22.22[500] (84 bytes)
      Feb 7 18:20:40	charon		08[ENC] <136475> generating INFORMATIONAL_V1 request 3961898376 [ HASH N(AUTH_FAILED) ]
      Feb 7 18:20:40	charon		08[IKE] <136475> activating INFORMATIONAL task
      Feb 7 18:20:40	charon		08[IKE] <136475> activating new tasks
      Feb 7 18:20:40	charon		08[IKE] <136475> queueing INFORMATIONAL task
      Feb 7 18:20:40	charon		08[IKE] <136475> found 1 matching config, but none allows pre-shared key authentication using Main Mode
      Feb 7 18:20:40	charon		08[CFG] <136475> candidate "bypasslan", match: 1/1/24 (me/other/ike)
      Feb 7 18:20:40	charon		08[CFG] <136475> looking for pre-shared key peer configs matching 11.11.11.11...22.22.22.22[22.22.22.22]
      Feb 7 18:20:40	charon		08[ENC] <136475> parsed ID_PROT request 0 [ ID HASH ]
      Feb 7 18:20:40	charon		08[NET] <136475> received packet: from 22.22.22.22[500] to 11.11.11.11[500] (68 bytes)
      Feb 7 18:20:40	charon		15[NET] <136475> sending packet: from 11.11.11.11[500] to 22.22.22.22[500] (196 bytes)
      Feb 7 18:20:40	charon		15[ENC] <136475> generating ID_PROT response 0 [ KE No ]
      Feb 7 18:20:40	charon		15[ENC] <136475> parsed ID_PROT request 0 [ KE No ]
      Feb 7 18:20:40	charon		15[NET] <136475> received packet: from 22.22.22.22[500] to 11.11.11.11[500] (196 bytes)
      Feb 7 18:20:40	charon		10[NET] <136475> sending packet: from 11.11.11.11[500] to 22.22.22.22[500] (112 bytes)
      Feb 7 18:20:40	charon		10[ENC] <136475> generating ID_PROT response 0 [ SA V V ]
      Feb 7 18:20:40	charon		10[IKE] <136475> sending DPD vendor ID
      Feb 7 18:20:40	charon		10[IKE] <136475> sending XAuth vendor ID
      Feb 7 18:20:40	charon		10[CFG] <136475> selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      Feb 7 18:20:40	charon		10[CFG] <136475> configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_MD5_96/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024
      Feb 7 18:20:40	charon		10[CFG] <136475> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      Feb 7 18:20:40	charon		10[CFG] <136475> proposal matches
      Feb 7 18:20:40	charon		10[CFG] <136475> selecting proposal:
      Feb 7 18:20:40	charon		10[CFG] <136475> no acceptable ENCRYPTION_ALGORITHM found
      Feb 7 18:20:40	charon		10[CFG] <136475> selecting proposal:
      Feb 7 18:20:40	charon		10[IKE] <136475> IKE_SA (unnamed)[136475] state change: CREATED => CONNECTING
      Feb 7 18:20:40	charon		10[IKE] IKE_SA (unnamed)[136475] state change: CREATED => CONNECTING
      Feb 7 18:20:40	charon		10[IKE] <136475> 22.22.22.22 is initiating a Main Mode IKE_SA
      Feb 7 18:20:40	charon		10[ENC] <136475> received unknown vendor ID: 48:65:61:72:74:42:65:61:74:5f:4e:6f:74:69:66:79:38:6b:01:00
      Feb 7 18:20:40	charon		10[IKE] <136475> received DPD vendor ID
      Feb 7 18:20:40	charon		10[ENC] <136475> received unknown vendor ID: 94:36:e8:d6:71:74:ef:9a:ed:06:8d:5a:d5:21:3f:18:7a:3f:8b:a6:00:00:00:16:00:00:06:1e
      Feb 7 18:20:40	charon		10[CFG] <136475> found matching ike config: %any...%any with prio 24
      Feb 7 18:20:40	charon		10[CFG] <136475> candidate: %any...%any, prio 24
      Feb 7 18:20:40	charon		10[CFG] <136475> looking for an ike config for 11.11.11.11...22.22.22.22
      Feb 7 18:20:40	charon		10[ENC] <136475> parsed ID_PROT request 0 [ SA V V V ]
      Feb 7 18:20:40	charon		10[NET] <136475> received packet: from 22.22.22.22[500] to 11.11.11.11[500] (156 bytes)
      

      It looks like the P1 proposals are not right, but they are.

      Any ideas?

      Thanks
      Christian

      cherzberg
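      Read bottom-up (pfSense shows the log newest first), the trace says that the first configured proposal entry rejects the peer's 3DES offer (the "no acceptable ENCRYPTION_ALGORITHM found" line) but the second entry matches, so Phase 1 gets past proposal selection, and the step that actually fails is the later "found 1 matching config, but none allows pre-shared key authentication using Main Mode". The Python checker below is an added example (not code from this thread, pfSense or strongSwan) that applies strongSwan's per-transform-type intersection rule to a constructed set of charon lines modelled on the post, so a proposal mismatch can be told apart from a peer-config problem; SAMPLE_LOG and the finding strings are constructed for the example.

```python
import re
# Constructed sample modelled on the post's charon lines, in chronological order.
SAMPLE_LOG = """\
Feb 7 18:20:40\tcharon\t\t10[CFG] <136475> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 7 18:20:40\tcharon\t\t10[CFG] <136475> configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072, IKE:AES_CBC_128/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA1_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/MODP_3072/MODP_1024
Feb 7 18:20:40\tcharon\t\t08[IKE] <136475> found 1 matching config, but none allows pre-shared key authentication using Main Mode
Feb 7 18:20:40\tcharon\t\t08[ENC] <136475> generating INFORMATIONAL_V1 request 3961898376 [ HASH N(AUTH_FAILED) ]
"""

def transform_type(alg):
    if alg.startswith("PRF_"):
        return "prf"
    if alg.startswith(("MODP_", "ECP_", "CURVE_")):
        return "dh"
    if alg.startswith("HMAC_") or alg.endswith(("_XCBC_96", "_CMAC_96")):
        return "integ"
    return "enc"  # AES_CBC_*, AES_GCM_*, CAMELLIA_*, 3DES_CBC, ...

def parse_proposals(text):
    """'IKE:a/b, IKE:c/d' -> one {transform type: set(algs)} dict per alternative."""
    out = []
    for prop in text.split(", "):
        by_type = {}
        for alg in prop.split(":", 1)[1].split("/"):
            by_type.setdefault(transform_type(alg), set()).add(alg)
        out.append(by_type)
    return out

def first_mismatch(received, configured):
    # First transform type the two sides share no algorithm for; None if all fit.
    for t in ("enc", "integ", "prf", "dh"):
        if t in received and not received[t] & configured.get(t, set()):
            return t
    return None

def diagnose(log_text):
    """Findings for one charon trace: proposal fit plus peer-config/auth errors."""
    findings, recv, conf = [], [], []
    for line in log_text.splitlines():
        if m := re.search(r"(received|configured) proposals: (.*)$", line):
            (recv if m.group(1) == "received" else conf).extend(parse_proposals(m.group(2)))
        if m := re.search(r"found \d+ matching config, but none allows (.*)$", line):
            findings.append("peer config: none allows " + m.group(1))
        if "N(AUTH_FAILED)" in line:
            findings.append("notify sent: AUTH_FAILED")
    for r in recv:  # strongSwan's rule: each offered transform type must intersect
        misses = [first_mismatch(r, c) for c in conf]
        ok = [i + 1 for i, miss in enumerate(misses) if miss is None]
        findings.append(f"proposal: matches configured entry {ok}" if ok else f"proposal: no match, first failing type {misses[0]}")
    return findings
```

      Run against a real trace, copy the lines out of the pfSense IPsec log in chronological order; a "no match" finding points at the Phase 1 proposals, while a "peer config" finding means the tunnel's own peer config was not selected at all.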

        Problem found by myself.

        It is unbelievable, but the ipsec process was a zombie.

        I cannot restart the service via the web GUI, or even on the command shell with the PHP script.

        I needed to kill the process and start it again via the web GUI.

        Now the VPN is up and running.

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.