Having problems with Site-to-Site



  • Hey Guys

    I'm trying to get an IPsec site-to-site tunnel to work between a Ubiquiti EdgeRouter X SFP and a pfSense hosted on ESXi,
    where the Ubiquiti is the dialing (initiating) side of the setup

    I have followed this guide to the letter: https://forum.pfsense.org/index.php?topic=111450

    EdgeRouter
    Version : EdgeOSv1.9.1.1

    pfSense :
    Version : 2.3.4-RELEASE (amd64) 
      FreeBSD 10.3-RELEASE-p19

    I'm running this Setup

    I have not port-forwarded anything on the 4G router
    This is my first time trying to build an IPsec tunnel between pfSense and Ubiquiti; I have only done it with Cisco before

    But I'm getting this error: pfSense answers the Main Mode request with AUTH_FAILED (see the "none allows pre-shared key authentication using Main Mode" line in the pfSense log below)

    
    EdgeRouter:
    
    root@ubnt:~# show vpn log
    Jun 27 15:52:17 00[DMN] Starting IKE charon daemon (strongSwan 5.2.2, Linux 3.10.14-UBNT, mips)
    Jun 27 15:56:36 12[KNL] creating acquire job for policy 172.16.1.51/32[icmp/8] === 172.16.10.254/32[icmp/8] with reqid {1}
    Jun 27 15:56:36 13[IKE] <peer-xxx.xxx.233.202-tunnel-1|1>initiating Main Mode IKE_SA peer-xxx.xxx.233.202-tunnel-1[1] to xxx.xxx.233.202
    root@ubnt:~#
    
    ----------------------------------------------------------------------------------------------------------------------------------------------
    pfSense:
    
    Jun 27 17:56:37	charon		05[NET] <1> sending packet: from xxx.xxx.233.202[4500] to zzz.zzz.134.89[4500] (92 bytes)
    Jun 27 17:56:37	charon		05[ENC] <1> generating INFORMATIONAL_V1 request 3703495120 [ HASH N(AUTH_FAILED) ]
    Jun 27 17:56:37	charon		05[IKE] <1> found 1 matching config, but none allows pre-shared key authentication using Main Mode
    Jun 27 17:56:37	charon		05[CFG] <1> looking for pre-shared key peer configs matching xxx.xxx.233.202...zzz.zzz.134.89[10.1.0.124]
    Jun 27 17:56:37	charon		05[ENC] <1> parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
    Jun 27 17:56:37	charon		05[NET] <1> received packet: from zzz.zzz.134.89[4500] to xxx.xxx.233.202[4500] (108 bytes)
    Jun 27 17:56:37	charon		05[NET] <1> sending packet: from xxx.xxx.233.202[500] to zzz.zzz.134.89[500] (244 bytes)
    Jun 27 17:56:37	charon		05[ENC] <1> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
    Jun 27 17:56:37	charon		05[IKE] <1> remote host is behind NAT
    Jun 27 17:56:37	charon		05[ENC] <1> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
    Jun 27 17:56:37	charon		05[NET] <1> received packet: from zzz.zzz.134.89[500] to xxx.xxx.233.202[500] (244 bytes)
    Jun 27 17:56:36	charon		05[NET] <1> sending packet: from xxx.xxx.233.202[500] to zzz.zzz.134.89[500] (136 bytes)
    Jun 27 17:56:36	charon		05[ENC] <1> generating ID_PROT response 0 [ SA V V V ]
    Jun 27 17:56:36	charon		05[IKE] <1> zzz.zzz.134.89 is initiating a Main Mode IKE_SA
    Jun 27 17:56:36	charon		05[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Jun 27 17:56:36	charon		05[IKE] <1> received NAT-T (RFC 3947) vendor ID
    Jun 27 17:56:36	charon		05[IKE] <1> received DPD vendor ID
    Jun 27 17:56:36	charon		05[IKE] <1> received XAuth vendor ID
    Jun 27 17:56:36	charon		05[ENC] <1> parsed ID_PROT request 0 [ SA V V V V ]
    Jun 27 17:56:36	charon		05[NET] <1> received packet: from zzz.zzz.134.89[500] to xxx.xxx.233.202[500] (156 bytes)
    

    UBNT EdgeRouter IPSec Config

    
    ubnt@ubnt# show vpn
     ipsec {
         auto-firewall-nat-exclude enable
         esp-group pfSense {
             compression disable
             lifetime 3600
             mode tunnel
             pfs enable
             proposal 1 {
                 encryption aes256
                 hash sha1
             }
         }
         ike-group pfSense {
             dead-peer-detection {
                 action restart
                 interval 30
                 timeout 60
             }
             ikev2-reauth no
             key-exchange ikev1
             lifetime 3600
             proposal 1 {
                 dh-group 2
                 encryption aes256
                 hash sha1
             }
         }
         ipsec-interfaces {
             interface eth0
         }
         nat-networks {
             allowed-network 0.0.0.0/0 {
             }
         }
         nat-traversal enable
         site-to-site {
             peer xxx.xxx.233.202 {
                 authentication {
                     mode pre-shared-secret
                     pre-shared-secret *************************************************
                 }
                 connection-type initiate
                 ike-group pfSense
                 ikev2-reauth inherit
                 local-address 10.1.0.124
                 tunnel 1 {
                     allow-nat-networks disable
                     allow-public-networks disable
                     esp-group pfSense
                     local {
                         prefix 172.16.0.0/21
                     }
                     remote {
                         prefix 172.16.10.0/24
                     }
                 }
             }
         }
     }
    [edit]
    
    

    pfSense IPSec Config

    
     <ipsec><phase1><ikeid>1</ikeid>
    		<iketype>ikev1</iketype>
    		<mode>main</mode>
    		<interface>wan</interface>
    		<remote-gateway>zzz.zzz.134.89</remote-gateway>
    		<protocol>inet</protocol>
    		<myid_type>myaddress</myid_type>
    		<myid_data></myid_data>
    		<peerid_type>peeraddress</peerid_type>
    		<peerid_data></peerid_data>
    		 <encryption-algorithm><name>aes</name>
    			<keylen>256</keylen></encryption-algorithm> 
    		<hash-algorithm>sha1</hash-algorithm>
    		<dhgroup>2</dhgroup>
    		<lifetime>3600</lifetime>
    		<pre-shared-key>*****************************</pre-shared-key>
    		<private-key></private-key>
    
    		<caref></caref>
    		<authentication_method>pre_shared_key</authentication_method>
    
    		<nat_traversal>on</nat_traversal>
    		<mobike>off</mobike>
    		<dpd_delay>30</dpd_delay>
    		<dpd_maxfail>5</dpd_maxfail></phase1> 
    	 <phase2><ikeid>1</ikeid>
    		<uniqid>59527e0de6b03</uniqid>
    		<mode>tunnel</mode>
    		<reqid>1</reqid>
    		 <localid><type>opt2</type></localid> 
    		 <remoteid><type>network</type>
    
    <address>172.16.0.0</address>
    
    			<netbits>21</netbits></remoteid> 
    		<protocol>esp</protocol>
    		 <encryption-algorithm-option><name>aes</name>
    			<keylen>256</keylen></encryption-algorithm-option> 
    		<hash-algorithm-option>hmac_sha1</hash-algorithm-option>
    		<pfsgroup>2</pfsgroup>
    		<lifetime>3600</lifetime></phase2></ipsec> 
    
    

    pfSense Firewall rules

    
     <rule><tracker>1498307462</tracker>
    	<type>pass</type>
    	<interface>wan</interface>
    	<ipprotocol>inet</ipprotocol>
    	<tag></tag>
    	<tagged></tagged>
    	<max></max>
    	<max-src-nodes></max-src-nodes>
    	<max-src-conn></max-src-conn>
    	<max-src-states></max-src-states>
    	<statetimeout></statetimeout>
    	<statetype>keep state</statetype>
    
    	<protocol>tcp/udp</protocol>
    	<source>
    		<any></any>
    
    	 <destination><network>wanip</network>
    		<port>4500</port></destination></rule> 
     <rule><tracker>1498307487</tracker>
    	<type>pass</type>
    	<interface>wan</interface>
    	<ipprotocol>inet</ipprotocol>
    	<tag></tag>
    	<tagged></tagged>
    	<max></max>
    	<max-src-nodes></max-src-nodes>
    	<max-src-conn></max-src-conn>
    	<max-src-states></max-src-states>
    	<statetimeout></statetimeout>
    	<statetype>keep state</statetype>
    
    	<protocol>udp</protocol>
    	<source>
    		<any></any>
    
    	 <destination><network>wanip</network>
    		<port>500</port></destination></rule> 
     <rule><tracker>1498307550</tracker>
    	<type>pass</type>
    	<interface>wan</interface>
    	<ipprotocol>inet</ipprotocol>
    	<tag></tag>
    	<tagged></tagged>
    	<max></max>
    	<max-src-nodes></max-src-nodes>
    	<max-src-conn></max-src-conn>
    	<max-src-states></max-src-states>
    	<statetimeout></statetimeout>
    	<statetype>keep state</statetype>
    
    	<protocol>ah</protocol>
    	<source>
    		<any></any>
    
    	 <destination><network>wanip</network></destination> 
    
    	<tracker>1498307613</tracker>
    	<type>pass</type>
    	<interface>enc0</interface>
    	<ipprotocol>inet</ipprotocol>
    	<tag></tag>
    	<tagged></tagged>
    	<max></max>
    	<max-src-nodes></max-src-nodes>
    	<max-src-conn></max-src-conn>
    	<max-src-states></max-src-states>
    	<statetimeout></statetimeout>
    	<statetype>keep state</statetype>
    
    	<protocol>tcp</protocol>
    	<source>
    		<any></any>
    
    	 <destination><any></any></destination></rule>