Having problems with Site-to-Site
Hey Guys
I'm trying to get an IPsec Site-to-Site to work between a Ubiquiti EdgeRouter X SFP and a pfSense hosted on ESXi,
where the Ubiquiti is the dialing part of the setup. I have followed this guide to the line: https://forum.pfsense.org/index.php?topic=111450
EdgeRouter
Version: EdgeOS v1.9.1.1

pfSense:
Version: 2.3.4-RELEASE (amd64)
FreeBSD 10.3-RELEASE-p19

I'm running this setup.
I have not port forwarded any thing on the 4G router
First time trying to make an IPsec tunnel with pfSense and Ubiquiti; I have only tried with Cisco before.

But I'm getting this ERROR:
EdgeRouter:

root@ubnt:~# show vpn log
Jun 27 15:52:17 00[DMN] Starting IKE charon daemon (strongSwan 5.2.2, Linux 3.10.14-UBNT, mips)
Jun 27 15:56:36 12[KNL] creating acquire job for policy 172.16.1.51/32[icmp/8] === 172.16.10.254/32[icmp/8] with reqid {1}
Jun 27 15:56:36 13[IKE] <peer-xxx.xxx.233.202-tunnel-1|1> initiating Main Mode IKE_SA peer-xxx.xxx.233.202-tunnel-1[1] to xxx.xxx.233.202
root@ubnt:~#

pfSense:

Jun 27 17:56:37 charon 05[NET] <1> sending packet: from xxx.xxx.233.202[4500] to zzz.zzz.134.89[4500] (92 bytes)
Jun 27 17:56:37 charon 05[ENC] <1> generating INFORMATIONAL_V1 request 3703495120 [ HASH N(AUTH_FAILED) ]
Jun 27 17:56:37 charon 05[IKE] <1> found 1 matching config, but none allows pre-shared key authentication using Main Mode
Jun 27 17:56:37 charon 05[CFG] <1> looking for pre-shared key peer configs matching xxx.xxx.233.202...zzz.zzz.134.89[10.1.0.124]
Jun 27 17:56:37 charon 05[ENC] <1> parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Jun 27 17:56:37 charon 05[NET] <1> received packet: from zzz.zzz.134.89[4500] to xxx.xxx.233.202[4500] (108 bytes)
Jun 27 17:56:37 charon 05[NET] <1> sending packet: from xxx.xxx.233.202[500] to zzz.zzz.134.89[500] (244 bytes)
Jun 27 17:56:37 charon 05[ENC] <1> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Jun 27 17:56:37 charon 05[IKE] <1> remote host is behind NAT
Jun 27 17:56:37 charon 05[ENC] <1> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jun 27 17:56:37 charon 05[NET] <1> received packet: from zzz.zzz.134.89[500] to xxx.xxx.233.202[500] (244 bytes)
Jun 27 17:56:36 charon 05[NET] <1> sending packet: from xxx.xxx.233.202[500] to zzz.zzz.134.89[500] (136 bytes)
Jun 27 17:56:36 charon 05[ENC] <1> generating ID_PROT response 0 [ SA V V V ]
Jun 27 17:56:36 charon 05[IKE] <1> zzz.zzz.134.89 is initiating a Main Mode IKE_SA
Jun 27 17:56:36 charon 05[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jun 27 17:56:36 charon 05[IKE] <1> received NAT-T (RFC 3947) vendor ID
Jun 27 17:56:36 charon 05[IKE] <1> received DPD vendor ID
Jun 27 17:56:36 charon 05[IKE] <1> received XAuth vendor ID
Jun 27 17:56:36 charon 05[ENC] <1> parsed ID_PROT request 0 [ SA V V V V ]
Jun 27 17:56:36 charon 05[NET] <1> received packet: from zzz.zzz.134.89[500] to xxx.xxx.233.202[500] (156 bytes)
UBNT EdgeRouter IPSec Config
ubnt@ubnt# show vpn
 ipsec {
     auto-firewall-nat-exclude enable
     esp-group pfSense {
         compression disable
         lifetime 3600
         mode tunnel
         pfs enable
         proposal 1 {
             encryption aes256
             hash sha1
         }
     }
     ike-group pfSense {
         dead-peer-detection {
             action restart
             interval 30
             timeout 60
         }
         ikev2-reauth no
         key-exchange ikev1
         lifetime 3600
         proposal 1 {
             dh-group 2
             encryption aes256
             hash sha1
         }
     }
     ipsec-interfaces {
         interface eth0
     }
     nat-networks {
         allowed-network 0.0.0.0/0 {
         }
     }
     nat-traversal enable
     site-to-site {
         peer xxx.xxx.233.202 {
             authentication {
                 mode pre-shared-secret
                 pre-shared-secret *************************************************
             }
             connection-type initiate
             ike-group pfSense
             ikev2-reauth inherit
             local-address 10.1.0.124
             tunnel 1 {
                 allow-nat-networks disable
                 allow-public-networks disable
                 esp-group pfSense
                 local {
                     prefix 172.16.0.0/21
                 }
                 remote {
                     prefix 172.16.10.0/24
                 }
             }
         }
     }
 }
[edit]
pfSense IPSec Config
<ipsec>
  <phase1>
    <ikeid>1</ikeid>
    <iketype>ikev1</iketype>
    <mode>main</mode>
    <interface>wan</interface>
    <remote-gateway>zzz.zzz.134.89</remote-gateway>
    <protocol>inet</protocol>
    <myid_type>myaddress</myid_type>
    <myid_data></myid_data>
    <peerid_type>peeraddress</peerid_type>
    <peerid_data></peerid_data>
    <encryption-algorithm>
      <name>aes</name>
      <keylen>256</keylen>
    </encryption-algorithm>
    <hash-algorithm>sha1</hash-algorithm>
    <dhgroup>2</dhgroup>
    <lifetime>3600</lifetime>
    <pre-shared-key>*****************************</pre-shared-key>
    <private-key></private-key>
    <caref></caref>
    <authentication_method>pre_shared_key</authentication_method>
    <nat_traversal>on</nat_traversal>
    <mobike>off</mobike>
    <dpd_delay>30</dpd_delay>
    <dpd_maxfail>5</dpd_maxfail>
  </phase1>
  <phase2>
    <ikeid>1</ikeid>
    <uniqid>59527e0de6b03</uniqid>
    <mode>tunnel</mode>
    <reqid>1</reqid>
    <localid>
      <type>opt2</type>
    </localid>
    <remoteid>
      <type>network</type>
      <address>172.16.0.0</address>
      <netbits>21</netbits>
    </remoteid>
    <protocol>esp</protocol>
    <encryption-algorithm-option>
      <name>aes</name>
      <keylen>256</keylen>
    </encryption-algorithm-option>
    <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
    <pfsgroup>2</pfsgroup>
    <lifetime>3600</lifetime>
  </phase2>
</ipsec>
pfSense Firewall rules
<rule>
  <tracker>1498307462</tracker>
  <type>pass</type>
  <interface>wan</interface>
  <ipprotocol>inet</ipprotocol>
  <tag></tag>
  <tagged></tagged>
  <max></max>
  <max-src-nodes></max-src-nodes>
  <max-src-conn></max-src-conn>
  <max-src-states></max-src-states>
  <statetimeout></statetimeout>
  <statetype>keep state</statetype>
  <protocol>tcp/udp</protocol>
  <source>
    <any></any>
  </source>
  <destination>
    <network>wanip</network>
    <port>4500</port>
  </destination>
</rule>
<rule>
  <tracker>1498307487</tracker>
  <type>pass</type>
  <interface>wan</interface>
  <ipprotocol>inet</ipprotocol>
  <tag></tag>
  <tagged></tagged>
  <max></max>
  <max-src-nodes></max-src-nodes>
  <max-src-conn></max-src-conn>
  <max-src-states></max-src-states>
  <statetimeout></statetimeout>
  <statetype>keep state</statetype>
  <protocol>udp</protocol>
  <source>
    <any></any>
  </source>
  <destination>
    <network>wanip</network>
    <port>500</port>
  </destination>
</rule>
<rule>
  <tracker>1498307550</tracker>
  <type>pass</type>
  <interface>wan</interface>
  <ipprotocol>inet</ipprotocol>
  <tag></tag>
  <tagged></tagged>
  <max></max>
  <max-src-nodes></max-src-nodes>
  <max-src-conn></max-src-conn>
  <max-src-states></max-src-states>
  <statetimeout></statetimeout>
  <statetype>keep state</statetype>
  <protocol>ah</protocol>
  <source>
    <any></any>
  </source>
  <destination>
    <network>wanip</network>
  </destination>
</rule>
<rule>
  <tracker>1498307613</tracker>
  <type>pass</type>
  <interface>enc0</interface>
  <ipprotocol>inet</ipprotocol>
  <tag></tag>
  <tagged></tagged>
  <max></max>
  <max-src-nodes></max-src-nodes>
  <max-src-conn></max-src-conn>
  <max-src-states></max-src-states>
  <statetimeout></statetimeout>
  <statetype>keep state</statetype>
  <protocol>tcp</protocol>
  <source>
    <any></any>
  </source>
  <destination>
    <any></any>
  </destination>
</rule>
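As an added diagnostic example (not code from the post, pfSense or EdgeOS): a small Python scanner over the responder-side charon lines quoted above. strongSwan's "looking for pre-shared key peer configs matching LOCAL...REMOTE[ID]" line carries both the address the initiator's packets arrive from and the identity it placed in its ID payload. In the quoted log those differ: the ID is 10.1.0.124 (the EdgeRouter's local-address, behind the 4G router's NAT) while the packets come from zzz.zzz.134.89, and the posted pfSense phase 1 uses peerid_type peeraddress, which expects the ID to equal the remote gateway address; charon then reports that no config allows PSK Main Mode and sends AUTH_FAILED. The scanner extracts those fields and prints an operator note. The sample lines are a constructed excerpt of the post's log re-ordered chronologically with its redacted placeholders kept; IkeFinding and analyze_charon_log are names chosen here.

```python
"""Flag an IKE identity / peer-address mismatch in strongSwan (charon) logs.

Added example, not code from the forum post, pfSense or EdgeOS. It reads the
responder-side charon lines quoted in the post and reports when the identity
the initiator presented differs from the address its packets arrive from.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the pfSense charon lines from the post, re-ordered
# chronologically, with the post's redacted xxx/zzz placeholders kept as-is.
SAMPLE_LOG = """\
Jun 27 17:56:36 charon 05[IKE] <1> zzz.zzz.134.89 is initiating a Main Mode IKE_SA
Jun 27 17:56:37 charon 05[IKE] <1> remote host is behind NAT
Jun 27 17:56:37 charon 05[ENC] <1> parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Jun 27 17:56:37 charon 05[CFG] <1> looking for pre-shared key peer configs matching xxx.xxx.233.202...zzz.zzz.134.89[10.1.0.124]
Jun 27 17:56:37 charon 05[IKE] <1> found 1 matching config, but none allows pre-shared key authentication using Main Mode
Jun 27 17:56:37 charon 05[ENC] <1> generating INFORMATIONAL_V1 request 3703495120 [ HASH N(AUTH_FAILED) ]
"""

# "<1> A is initiating a Main Mode IKE_SA" -> A is the initiator's source address
INITIATING_RE = re.compile(r"<\d+> (\S+) is initiating an? (?:Main|Aggressive) Mode IKE_SA")
# "... peer configs matching LOCAL...REMOTE[ID]" -> ID is what the peer sent in its ID payload
LOOKUP_RE = re.compile(
    r"looking for pre-shared key peer configs matching (\S+?)\.\.\.(\S+?)\[([^\]]+)\]"
)


@dataclass
class IkeFinding:
    initiator_addr: Optional[str] = None
    local_addr: Optional[str] = None
    remote_addr: Optional[str] = None
    remote_id: Optional[str] = None
    behind_nat: bool = False
    psk_config_rejected: bool = False
    auth_failed_sent: bool = False
    notes: List[str] = field(default_factory=list)

    @property
    def id_mismatch(self) -> bool:
        """True when the peer's IKE ID is not the address it connects from."""
        return (
            self.remote_id is not None
            and self.remote_addr is not None
            and self.remote_id != self.remote_addr
        )


def _is_private(text: str) -> bool:
    """RFC 1918 / ULA check; non-IP identities (FQDN, e-mail) return False."""
    try:
        return ipaddress.ip_address(text).is_private
    except ValueError:
        return False


def analyze_charon_log(text: str) -> IkeFinding:
    """Walk charon lines once and collect the facts needed for the diagnosis."""
    f = IkeFinding()
    for line in text.splitlines():
        m = INITIATING_RE.search(line)
        if m:
            f.initiator_addr = m.group(1)
            continue
        m = LOOKUP_RE.search(line)
        if m:
            f.local_addr, f.remote_addr, f.remote_id = m.groups()
            continue
        if "remote host is behind NAT" in line:
            f.behind_nat = True
        elif "none allows pre-shared key authentication" in line:
            f.psk_config_rejected = True
        elif "N(AUTH_FAILED)" in line:
            f.auth_failed_sent = True

    if f.id_mismatch and f.psk_config_rejected:
        f.notes.append(
            f"peer at {f.remote_addr} identified itself as {f.remote_id}; a responder "
            f"entry that expects the peer ID to equal {f.remote_addr} will not match. "
            f"Either set the responder's peer identifier to {f.remote_id} or make the "
            f"initiator send {f.remote_addr} as its ID."
        )
    if f.behind_nat and _is_private(f.remote_id or ""):
        f.notes.append(
            f"{f.remote_id} is a private address, consistent with the initiator sitting "
            "behind NAT and using its inside interface address as its IKE identity."
        )
    return f


if __name__ == "__main__":
    result = analyze_charon_log(SAMPLE_LOG)
    print(f"initiator={result.initiator_addr} id={result.remote_id} mismatch={result.id_mismatch}")
    for note in result.notes:
        print("-", note)
```

Run it against a saved copy of the pfSense IPsec log (Status > System Logs > IPsec) after a failed attempt; a tunnel whose peer ID matches its source address produces no notes, which is the quick way to confirm the identity side of the configuration before looking at proposals or firewall rules.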