Having problems with Site-to-Site

l3ol3o

Hey Guys

I'm trying to get a IPSec Site-to-Site to work, between a Ubiquiti EdgeRouter X SFP and a pfSense hosted on ESXi
where the Ubiquiti is the dailing part of the setup

I have followed this Guide to the line https://forum.pfsense.org/index.php?topic=111450

EdgeRouter
Version : EdgeOSv1.9.1.1

pfSense :
Version : 2.3.4-RELEASE (amd64)
FreeBSD 10.3-RELEASE-p19

I'm running this Setup

I have not port forwarded any thing on the 4G router
First time trying to make a IPSec tunnel with pfSense and Ubiquiti, I have only tried with Cisco before

But I'm getting this ERROR


EgdeRouter:

root@ubnt:~# show vpn log
Jun 27 15:52:17 00[DMN] Starting IKE charon daemon (strongSwan 5.2.2, Linux 3.10.14-UBNT, mips)
Jun 27 15:56:36 12[KNL] creating acquire job for policy 172.16.1.51/32[icmp/8] === 172.16.10.254/32[icmp/8] with reqid {1}
Jun 27 15:56:36 13[IKE] <peer-xxx.xxx.233.202-tunnel-1|1>initiating Main Mode IKE_SA peer-xxx.xxx.233.202-tunnel-1[1] to xxx.xxx.233.202
root@ubnt:~#

----------------------------------------------------------------------------------------------------------------------------------------------
pfSense:

Jun 27 17:56:37	charon		05[NET] <1> sending packet: from xxx.xxx.233.202[4500] to zzz.zzz.134.89[4500] (92 bytes)
Jun 27 17:56:37	charon		05[ENC] <1> generating INFORMATIONAL_V1 request 3703495120 [ HASH N(AUTH_FAILED) ]
Jun 27 17:56:37	charon		05[IKE] <1> found 1 matching config, but none allows pre-shared key authentication using Main Mode
Jun 27 17:56:37	charon		05[CFG] <1> looking for pre-shared key peer configs matching xxx.xxx.233.202...zzz.zzz.134.89[10.1.0.124]
Jun 27 17:56:37	charon		05[ENC] <1> parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Jun 27 17:56:37	charon		05[NET] <1> received packet: from zzz.zzz.134.89[4500] to xxx.xxx.233.202[4500] (108 bytes)
Jun 27 17:56:37	charon		05[NET] <1> sending packet: from xxx.xxx.233.202[500] to zzz.zzz.134.89[500] (244 bytes)
Jun 27 17:56:37	charon		05[ENC] <1> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Jun 27 17:56:37	charon		05[IKE] <1> remote host is behind NAT
Jun 27 17:56:37	charon		05[ENC] <1> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jun 27 17:56:37	charon		05[NET] <1> received packet: from zzz.zzz.134.89[500] to xxx.xxx.233.202[500] (244 bytes)
Jun 27 17:56:36	charon		05[NET] <1> sending packet: from xxx.xxx.233.202[500] to zzz.zzz.134.89[500] (136 bytes)
Jun 27 17:56:36	charon		05[ENC] <1> generating ID_PROT response 0 [ SA V V V ]
Jun 27 17:56:36	charon		05[IKE] <1> zzz.zzz.134.89 is initiating a Main Mode IKE_SA
Jun 27 17:56:36	charon		05[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jun 27 17:56:36	charon		05[IKE] <1> received NAT-T (RFC 3947) vendor ID
Jun 27 17:56:36	charon		05[IKE] <1> received DPD vendor ID
Jun 27 17:56:36	charon		05[IKE] <1> received XAuth vendor ID
Jun 27 17:56:36	charon		05[ENC] <1> parsed ID_PROT request 0 [ SA V V V V ]
Jun 27 17:56:36	charon		05[NET] <1> received packet: from zzz.zzz.134.89[500] to xxx.xxx.233.202[500] (156 bytes)</peer-xxx.xxx.233.202-tunnel-1|1>

UBNT EdgeRouter IPSec Config


ubnt@ubnt# show vpn
 ipsec {
     auto-firewall-nat-exclude enable
     esp-group pfSense {
         compression disable
         lifetime 3600
         mode tunnel
         pfs enable
         proposal 1 {
             encryption aes256
             hash sha1
         }
     }
     ike-group pfSense {
         dead-peer-detection {
             action restart
             interval 30
             timeout 60
         }
         ikev2-reauth no
         key-exchange ikev1
         lifetime 3600
         proposal 1 {
             dh-group 2
             encryption aes256
             hash sha1
         }
     }
     ipsec-interfaces {
         interface eth0
     }
     nat-networks {
         allowed-network 0.0.0.0/0 {
         }
     }
     nat-traversal enable
     site-to-site {
         peer xxx.xxx.233.202 {
             authentication {
                 mode pre-shared-secret
                 pre-shared-secret *************************************************
             }
             connection-type initiate
             ike-group pfSense
             ikev2-reauth inherit
             local-address 10.1.0.124
             tunnel 1 {
                 allow-nat-networks disable
                 allow-public-networks disable
                 esp-group pfSense
                 local {
                     prefix 172.16.0.0/21
                 }
                 remote {
                     prefix 172.16.10.0/24
                 }
             }
         }
     }
 }
[edit]

pfSense IPSec Config


 <ipsec><phase1><ikeid>1</ikeid>
		<iketype>ikev1</iketype>
		<mode>main</mode>
		<interface>wan</interface>
		<remote-gateway>zzz.zzz.134.89</remote-gateway>
		<protocol>inet</protocol>
		<myid_type>myaddress</myid_type>
		<myid_data></myid_data>
		<peerid_type>peeraddress</peerid_type>
		<peerid_data></peerid_data>
		 <encryption-algorithm><name>aes</name>
			<keylen>256</keylen></encryption-algorithm> 
		<hash-algorithm>sha1</hash-algorithm>
		<dhgroup>2</dhgroup>
		<lifetime>3600</lifetime>
		<pre-shared-key>*****************************</pre-shared-key>
		<private-key></private-key>

		<caref></caref>
		<authentication_method>pre_shared_key</authentication_method>

		<nat_traversal>on</nat_traversal>
		<mobike>off</mobike>
		<dpd_delay>30</dpd_delay>
		<dpd_maxfail>5</dpd_maxfail></phase1> 
	 <phase2><ikeid>1</ikeid>
		<uniqid>59527e0de6b03</uniqid>
		<mode>tunnel</mode>
		<reqid>1</reqid>
		 <localid><type>opt2</type></localid> 
		 <remoteid><type>network</type>

<address>172.16.0.0</address>

			<netbits>21</netbits></remoteid> 
		<protocol>esp</protocol>
		 <encryption-algorithm-option><name>aes</name>
			<keylen>256</keylen></encryption-algorithm-option> 
		<hash-algorithm-option>hmac_sha1</hash-algorithm-option>
		<pfsgroup>2</pfsgroup>
		<lifetime>3600</lifetime></phase2></ipsec>

pfSense Firewall rules


 <rule><tracker>1498307462</tracker>
	<type>pass</type>
	<interface>wan</interface>
	<ipprotocol>inet</ipprotocol>
	<tag></tag>
	<tagged></tagged>
	<max></max>
	<max-src-nodes></max-src-nodes>
	<max-src-conn></max-src-conn>
	<max-src-states></max-src-states>
	<statetimeout></statetimeout>
	<statetype>keep state</statetype>

	<protocol>tcp/udp</protocol>
	<source>
		<any></any>

	 <destination><network>wanip</network>
		<port>4500</port></destination></rule> 
 <rule><tracker>1498307487</tracker>
	<type>pass</type>
	<interface>wan</interface>
	<ipprotocol>inet</ipprotocol>
	<tag></tag>
	<tagged></tagged>
	<max></max>
	<max-src-nodes></max-src-nodes>
	<max-src-conn></max-src-conn>
	<max-src-states></max-src-states>
	<statetimeout></statetimeout>
	<statetype>keep state</statetype>

	<protocol>udp</protocol>
	<source>
		<any></any>

	 <destination><network>wanip</network>
		<port>500</port></destination></rule> 
 <rule><tracker>1498307550</tracker>
	<type>pass</type>
	<interface>wan</interface>
	<ipprotocol>inet</ipprotocol>
	<tag></tag>
	<tagged></tagged>
	<max></max>
	<max-src-nodes></max-src-nodes>
	<max-src-conn></max-src-conn>
	<max-src-states></max-src-states>
	<statetimeout></statetimeout>
	<statetype>keep state</statetype>

	<protocol>ah</protocol>
	<source>
		<any></any>

	 <destination><network>wanip</network></destination> 

	<tracker>1498307613</tracker>
	<type>pass</type>
	<interface>enc0</interface>
	<ipprotocol>inet</ipprotocol>
	<tag></tag>
	<tagged></tagged>
	<max></max>
	<max-src-nodes></max-src-nodes>
	<max-src-conn></max-src-conn>
	<max-src-states></max-src-states>
	<statetimeout></statetimeout>
	<statetype>keep state</statetype>

	<protocol>tcp</protocol>
	<source>
		<any></any>

	 <destination><any></any></destination></rule>

Having problems with Site-to-Site

Products

Services

Support

News

Resources

Company

Our Mission

Subscribe to our Newsletter