PfSense 2.3.2 <-> Juniper FW



  • Hi,

    I'm trying to build a ipsec vpn between pfsense an a Juniper firewall with no success.
    We checked all the proposals and everything is right on both sides.

    Feb 7 18:20:40	charon		08[IKE] <136475> IKE_SA (unnamed)[136475] state change: CONNECTING => DESTROYING
    Feb 7 18:20:40	charon		08[IKE] IKE_SA (unnamed)[136475] state change: CONNECTING => DESTROYING
    Feb 7 18:20:40	charon		08[NET] <136475> sending packet: from 11.11.11.11[500] to 22.22.22.22[500] (84 bytes)
    Feb 7 18:20:40	charon		08[ENC] <136475> generating INFORMATIONAL_V1 request 3961898376 [ HASH N(AUTH_FAILED) ]
    Feb 7 18:20:40	charon		08[IKE] <136475> activating INFORMATIONAL task
    Feb 7 18:20:40	charon		08[IKE] <136475> activating new tasks
    Feb 7 18:20:40	charon		08[IKE] <136475> queueing INFORMATIONAL task
    Feb 7 18:20:40	charon		08[IKE] <136475> found 1 matching config, but none allows pre-shared key authentication using Main Mode
    Feb 7 18:20:40	charon		08[CFG] <136475> candidate "bypasslan", match: 1/1/24 (me/other/ike)
    Feb 7 18:20:40	charon		08[CFG] <136475> looking for pre-shared key peer configs matching 11.11.11.11...22.22.22.22[22.22.22.22]
    Feb 7 18:20:40	charon		08[ENC] <136475> parsed ID_PROT request 0 [ ID HASH ]
    Feb 7 18:20:40	charon		08[NET] <136475> received packet: from 22.22.22.22[500] to 11.11.11.11[500] (68 bytes)
    Feb 7 18:20:40	charon		15[NET] <136475> sending packet: from 11.11.11.11[500] to 22.22.22.22[500] (196 bytes)
    Feb 7 18:20:40	charon		15[ENC] <136475> generating ID_PROT response 0 [ KE No ]
    Feb 7 18:20:40	charon		15[ENC] <136475> parsed ID_PROT request 0 [ KE No ]
    Feb 7 18:20:40	charon		15[NET] <136475> received packet: from 22.22.22.22[500] to 11.11.11.11[500] (196 bytes)
    Feb 7 18:20:40	charon		10[NET] <136475> sending packet: from 11.11.11.11[500] to 22.22.22.22[500] (112 bytes)
    Feb 7 18:20:40	charon		10[ENC] <136475> generating ID_PROT response 0 [ SA V V ]
    Feb 7 18:20:40	charon		10[IKE] <136475> sending DPD vendor ID
    Feb 7 18:20:40	charon		10[IKE] <136475> sending XAuth vendor ID
    Feb 7 18:20:40	charon		10[CFG] <136475> selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Feb 7 18:20:40	charon		10[CFG] <136475> configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_MD5_96/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024
    Feb 7 18:20:40	charon		10[CFG] <136475> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Feb 7 18:20:40	charon		10[CFG] <136475> proposal matches
    Feb 7 18:20:40	charon		10[CFG] <136475> selecting proposal:
    Feb 7 18:20:40	charon		10[CFG] <136475> no acceptable ENCRYPTION_ALGORITHM found
    Feb 7 18:20:40	charon		10[CFG] <136475> selecting proposal:
    Feb 7 18:20:40	charon		10[IKE] <136475> IKE_SA (unnamed)[136475] state change: CREATED => CONNECTING
    Feb 7 18:20:40	charon		10[IKE] IKE_SA (unnamed)[136475] state change: CREATED => CONNECTING
    Feb 7 18:20:40	charon		10[IKE] <136475> 22.22.22.22 is initiating a Main Mode IKE_SA
    Feb 7 18:20:40	charon		10[ENC] <136475> received unknown vendor ID: 48:65:61:72:74:42:65:61:74:5f:4e:6f:74:69:66:79:38:6b:01:00
    Feb 7 18:20:40	charon		10[IKE] <136475> received DPD vendor ID
    Feb 7 18:20:40	charon		10[ENC] <136475> received unknown vendor ID: 94:36:e8:d6:71:74:ef:9a:ed:06:8d:5a:d5:21:3f:18:7a:3f:8b:a6:00:00:00:16:00:00:06:1e
    Feb 7 18:20:40	charon		10[CFG] <136475> found matching ike config: %any...%any with prio 24
    Feb 7 18:20:40	charon		10[CFG] <136475> candidate: %any...%any, prio 24
    Feb 7 18:20:40	charon		10[CFG] <136475> looking for an ike config for 11.11.11.11...22.22.22.22
    Feb 7 18:20:40	charon		10[ENC] <136475> parsed ID_PROT request 0 [ SA V V V ]
    Feb 7 18:20:40	charon		10[NET] <136475> received packet: from 22.22.22.22[500] to 11.11.11.11[500] (156 bytes)
    

    It looks like the P1 proposals are not right, but they are.

    Any ideas?

    Thanks
    Christian



  • Problem found by my self.

    It is unbelievable but the ipsec process was a zombi.

    I can not restart the service via webgui even on the command shell with the php skript.

    I needed to kill the process and start it again via webgui.

    Now the vpn ist up and running.