Netgate Discussion Forum

    Having problems with Site-to-Site

      l3ol3o

      Hey Guys

      I'm trying to get an IPsec site-to-site tunnel to work between a Ubiquiti EdgeRouter X SFP and a pfSense hosted on ESXi,
      where the Ubiquiti is the dialing part of the setup.

      I have followed this Guide to the line https://forum.pfsense.org/index.php?topic=111450

      EdgeRouter
      Version : EdgeOSv1.9.1.1

      pfSense :
      Version : 2.3.4-RELEASE (amd64) 
        FreeBSD 10.3-RELEASE-p19

      I'm running this Setup

      I have not port forwarded anything on the 4G router.
      First time trying to make an IPsec tunnel with pfSense and Ubiquiti, I have only tried with Cisco before.

      But I'm getting this ERROR

      
      EdgeRouter:
      
      root@ubnt:~# show vpn log
      Jun 27 15:52:17 00[DMN] Starting IKE charon daemon (strongSwan 5.2.2, Linux 3.10.14-UBNT, mips)
      Jun 27 15:56:36 12[KNL] creating acquire job for policy 172.16.1.51/32[icmp/8] === 172.16.10.254/32[icmp/8] with reqid {1}
      Jun 27 15:56:36 13[IKE] <peer-xxx.xxx.233.202-tunnel-1|1> initiating Main Mode IKE_SA peer-xxx.xxx.233.202-tunnel-1[1] to xxx.xxx.233.202
      root@ubnt:~#
      
      ----------------------------------------------------------------------------------------------------------------------------------------------
      pfSense:
      
      Jun 27 17:56:37	charon		05[NET] <1> sending packet: from xxx.xxx.233.202[4500] to zzz.zzz.134.89[4500] (92 bytes)
      Jun 27 17:56:37	charon		05[ENC] <1> generating INFORMATIONAL_V1 request 3703495120 [ HASH N(AUTH_FAILED) ]
      Jun 27 17:56:37	charon		05[IKE] <1> found 1 matching config, but none allows pre-shared key authentication using Main Mode
      Jun 27 17:56:37	charon		05[CFG] <1> looking for pre-shared key peer configs matching xxx.xxx.233.202...zzz.zzz.134.89[10.1.0.124]
      Jun 27 17:56:37	charon		05[ENC] <1> parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
      Jun 27 17:56:37	charon		05[NET] <1> received packet: from zzz.zzz.134.89[4500] to xxx.xxx.233.202[4500] (108 bytes)
      Jun 27 17:56:37	charon		05[NET] <1> sending packet: from xxx.xxx.233.202[500] to zzz.zzz.134.89[500] (244 bytes)
      Jun 27 17:56:37	charon		05[ENC] <1> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
      Jun 27 17:56:37	charon		05[IKE] <1> remote host is behind NAT
      Jun 27 17:56:37	charon		05[ENC] <1> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
      Jun 27 17:56:37	charon		05[NET] <1> received packet: from zzz.zzz.134.89[500] to xxx.xxx.233.202[500] (244 bytes)
      Jun 27 17:56:36	charon		05[NET] <1> sending packet: from xxx.xxx.233.202[500] to zzz.zzz.134.89[500] (136 bytes)
      Jun 27 17:56:36	charon		05[ENC] <1> generating ID_PROT response 0 [ SA V V V ]
      Jun 27 17:56:36	charon		05[IKE] <1> zzz.zzz.134.89 is initiating a Main Mode IKE_SA
      Jun 27 17:56:36	charon		05[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      Jun 27 17:56:36	charon		05[IKE] <1> received NAT-T (RFC 3947) vendor ID
      Jun 27 17:56:36	charon		05[IKE] <1> received DPD vendor ID
      Jun 27 17:56:36	charon		05[IKE] <1> received XAuth vendor ID
      Jun 27 17:56:36	charon		05[ENC] <1> parsed ID_PROT request 0 [ SA V V V V ]
      Jun 27 17:56:36	charon		05[NET] <1> received packet: from zzz.zzz.134.89[500] to xxx.xxx.233.202[500] (156 bytes)
      

      UBNT EdgeRouter IPSec Config

      
      ubnt@ubnt# show vpn
       ipsec {
           auto-firewall-nat-exclude enable
           esp-group pfSense {
               compression disable
               lifetime 3600
               mode tunnel
               pfs enable
               proposal 1 {
                   encryption aes256
                   hash sha1
               }
           }
           ike-group pfSense {
               dead-peer-detection {
                   action restart
                   interval 30
                   timeout 60
               }
               ikev2-reauth no
               key-exchange ikev1
               lifetime 3600
               proposal 1 {
                   dh-group 2
                   encryption aes256
                   hash sha1
               }
           }
           ipsec-interfaces {
               interface eth0
           }
           nat-networks {
               allowed-network 0.0.0.0/0 {
               }
           }
           nat-traversal enable
           site-to-site {
               peer xxx.xxx.233.202 {
                   authentication {
                       mode pre-shared-secret
                       pre-shared-secret *************************************************
                   }
                   connection-type initiate
                   ike-group pfSense
                   ikev2-reauth inherit
                   local-address 10.1.0.124
                   tunnel 1 {
                       allow-nat-networks disable
                       allow-public-networks disable
                       esp-group pfSense
                       local {
                           prefix 172.16.0.0/21
                       }
                       remote {
                           prefix 172.16.10.0/24
                       }
                   }
               }
           }
       }
      [edit]
      
      

      pfSense IPSec Config

      
      <ipsec>
        <phase1>
          <ikeid>1</ikeid>
          <iketype>ikev1</iketype>
          <mode>main</mode>
          <interface>wan</interface>
          <remote-gateway>zzz.zzz.134.89</remote-gateway>
          <protocol>inet</protocol>
          <myid_type>myaddress</myid_type>
          <myid_data></myid_data>
          <peerid_type>peeraddress</peerid_type>
          <peerid_data></peerid_data>
          <encryption-algorithm>
            <name>aes</name>
            <keylen>256</keylen>
          </encryption-algorithm>
          <hash-algorithm>sha1</hash-algorithm>
          <dhgroup>2</dhgroup>
          <lifetime>3600</lifetime>
          <pre-shared-key>*****************************</pre-shared-key>
          <private-key></private-key>
          <caref></caref>
          <authentication_method>pre_shared_key</authentication_method>
          <nat_traversal>on</nat_traversal>
          <mobike>off</mobike>
          <dpd_delay>30</dpd_delay>
          <dpd_maxfail>5</dpd_maxfail>
        </phase1>
        <phase2>
          <ikeid>1</ikeid>
          <uniqid>59527e0de6b03</uniqid>
          <mode>tunnel</mode>
          <reqid>1</reqid>
          <localid>
            <type>opt2</type>
          </localid>
          <remoteid>
            <type>network</type>
            <address>172.16.0.0</address>
            <netbits>21</netbits>
          </remoteid>
          <protocol>esp</protocol>
          <encryption-algorithm-option>
            <name>aes</name>
            <keylen>256</keylen>
          </encryption-algorithm-option>
          <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
          <pfsgroup>2</pfsgroup>
          <lifetime>3600</lifetime>
        </phase2>
      </ipsec>
      
      

      pfSense Firewall rules

      
      <rule>
        <tracker>1498307462</tracker>
        <type>pass</type>
        <interface>wan</interface>
        <ipprotocol>inet</ipprotocol>
        <tag></tag>
        <tagged></tagged>
        <max></max>
        <max-src-nodes></max-src-nodes>
        <max-src-conn></max-src-conn>
        <max-src-states></max-src-states>
        <statetimeout></statetimeout>
        <statetype>keep state</statetype>
        <protocol>tcp/udp</protocol>
        <source>
          <any></any>
        </source>
        <destination>
          <network>wanip</network>
          <port>4500</port>
        </destination>
      </rule>
      <rule>
        <tracker>1498307487</tracker>
        <type>pass</type>
        <interface>wan</interface>
        <ipprotocol>inet</ipprotocol>
        <tag></tag>
        <tagged></tagged>
        <max></max>
        <max-src-nodes></max-src-nodes>
        <max-src-conn></max-src-conn>
        <max-src-states></max-src-states>
        <statetimeout></statetimeout>
        <statetype>keep state</statetype>
        <protocol>udp</protocol>
        <source>
          <any></any>
        </source>
        <destination>
          <network>wanip</network>
          <port>500</port>
        </destination>
      </rule>
      <rule>
        <tracker>1498307550</tracker>
        <type>pass</type>
        <interface>wan</interface>
        <ipprotocol>inet</ipprotocol>
        <tag></tag>
        <tagged></tagged>
        <max></max>
        <max-src-nodes></max-src-nodes>
        <max-src-conn></max-src-conn>
        <max-src-states></max-src-states>
        <statetimeout></statetimeout>
        <statetype>keep state</statetype>
        <protocol>ah</protocol>
        <source>
          <any></any>
        </source>
        <destination>
          <network>wanip</network>
        </destination>
      </rule>
      <rule>
        <tracker>1498307613</tracker>
        <type>pass</type>
        <interface>enc0</interface>
        <ipprotocol>inet</ipprotocol>
        <tag></tag>
        <tagged></tagged>
        <max></max>
        <max-src-nodes></max-src-nodes>
        <max-src-conn></max-src-conn>
        <max-src-states></max-src-states>
        <statetimeout></statetimeout>
        <statetype>keep state</statetype>
        <protocol>tcp</protocol>
        <source>
          <any></any>
        </source>
        <destination>
          <any></any>
        </destination>
      </rule>
      
      
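Added example (not code from the post, pfSense or EdgeOS): a small Python check that reads the posted charon lines together with the posted phase1 settings and reports which peer identity the initiator presented (the value in square brackets on the CFG line, 10.1.0.124, which is the EdgeRouter's local-address) versus the identity pfSense accepts when peerid_type is peeraddress (the remote-gateway, zzz.zzz.134.89). The log lines and the trimmed phase1 XML are copied from the post; the function and field names are this example's own.

```python
import re
import xml.etree.ElementTree as ET

# Charon lines copied from the pfSense log in the post (masked addresses kept as posted)
PFSENSE_LOG = """\
05[ENC] <1> generating INFORMATIONAL_V1 request 3703495120 [ HASH N(AUTH_FAILED) ]
05[IKE] <1> found 1 matching config, but none allows pre-shared key authentication using Main Mode
05[CFG] <1> looking for pre-shared key peer configs matching xxx.xxx.233.202...zzz.zzz.134.89[10.1.0.124]
05[IKE] <1> remote host is behind NAT
"""

# Trimmed copy of the posted phase1: only the fields that decide which peer ID is accepted
PHASE1_XML = """<phase1><remote-gateway>zzz.zzz.134.89</remote-gateway>
<peerid_type>peeraddress</peerid_type><peerid_data></peerid_data></phase1>"""

# "peer configs matching <local>...<remote>[<identity the initiator sent>]"
CFG_RE = re.compile(r"peer configs matching (\S+?)\.\.\.(\S+?)\[([^\]]+)\]")


def expected_peer_id(phase1_xml: str) -> str:
    """Peer identity pfSense will accept for this phase1 entry."""
    p1 = ET.fromstring(phase1_xml)
    if p1.findtext("peerid_type") == "peeraddress":
        # 'Peer IP address' means the ID must equal the packet's source address
        return p1.findtext("remote-gateway") or ""
    return p1.findtext("peerid_data") or ""


def diagnose(log: str, phase1_xml: str) -> dict:
    """Correlate the AUTH_FAILED notify with the identity the initiator presented."""
    result = {
        "auth_failed": "N(AUTH_FAILED)" in log,
        "behind_nat": "remote host is behind NAT" in log,
        "sent_id": None,
        "expected_id": expected_peer_id(phase1_xml),
        "id_mismatch": False,
    }
    m = CFG_RE.search(log)
    if m:
        result["sent_id"] = m.group(3)
        # A peer behind NAT identifies with its private local-address, so the ID
        # it sends cannot equal the public source address pfSense is matching on
        result["id_mismatch"] = m.group(3) != result["expected_id"]
    return result


if __name__ == "__main__":
    for key, value in diagnose(PFSENSE_LOG, PHASE1_XML).items():
        print(f"{key:12} {value}")
```

Run against a live log, the same check reads as "no mismatch" once the peer identifier configured on pfSense equals what the initiator sends.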
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.