    VPN for Alcatel pbx
      alexeik
      Hi

      We provide service for Alcatel PBXs. For remote service, Alcatel developed a new system where you can trigger the PBX to open an IPsec VPN to our site. The only thing I can configure is shown in the screenshot:

      http://imgur.com/3YotO65

      For the IPsec endpoint on our side, Alcatel provides only a reference guide for Fortigate. The peer should look like the following:

      config system interface
      	edit "wan1"
      		set vdom "root"
      		set ip 10.0.0.2 255.255.255.0
      		set allowaccess ping
      		set type physical
      	next
      	edit "internal"
      		set vdom "root"
      		set ip 172.26.190.2 255.255.255.0
      		set allowaccess ping https ssh
      		set type physical
      	next
      	edit "oxovpn"
      		set vdom "root"
      		set ip 0.0.0.0 255.255.255.255
      		set allowaccess ping
      		set type tunnel
      		set interface "wan1"
      	next
      end
      config user group
      	edit "oxovpnusers"
      		set member "user1"
      	next
      end
      config user local
      	edit "user1"
      		set type password
      		set passwd user1_password
      	next
      end
      config router static
      	edit 1
      		set device "wan1"
      		set gateway 10.0.0.1
      	next
      end
      config vpn ipsec phase1-interface
      	edit "oxovpn"
      		set type dynamic
      		set interface "wan1"
      		set keylife 14400
      		set xauthtype auto
      		set mode aggressive
      		set mode-cfg enable
      		set proposal aes256-sha256
      		set localid "30.0.0.1"
      		set dhgrp 14
      		set authusrgrp "oxovpnusers"
      		set ipv4-start-ip 10.215.0.1
      		set ipv4-end-ip 10.215.0.255
      		set ipv4-netmask 255.255.255.0
      		set psksecret presharedkey
      		set keepalive 30
      	next
      end
      config vpn ipsec phase2-interface
      	edit "oxovpnp2"
      		set keepalive enable
      		set phase1name "oxovpn"
      		set proposal aes256-sha256
      		set keylifeseconds 12000
      		set dhgrp 14
      	next
      end
      config firewall vip
      	edit "oxo2forti"
      		set extip 30.0.0.1
      		set extintf "oxovpn"
      		set mappedip 10.0.0.2
      	next
      end
      config firewall ippool
      	edit "natr"
      		set endip 30.0.0.1
      		set startip 30.0.0.1
      		set arp-reply disable
      	next
      end
      config firewall address
      	edit "oxovpn_range"
      		set type iprange
      		set start-ip 10.215.0.1
      		set end-ip 10.215.0.255
      	next
      	edit "ws_range"
      		set associated-interface "internal"
      		set subnet 172.26.190.0 255.255.255.0
      		set allow-routing enable
      	next
      end
      config firewall policy
      	edit 1
      		set srcintf "internal"
      		set dstintf "oxovpn"
      		set srcaddr "ws_range"
      		set dstaddr "oxovpn_range"
      		set action accept
      		set schedule "always"
      		set service "HTTPS"
      		set nat enable
      		set ippool enable
      		set poolname "natr"
      	next
      	edit 2
      		set srcintf "oxovpn"
      		set dstintf "wan1"
      		set srcaddr "oxovpn_range"
      		set dstaddr "oxo2forti"
      		set action accept
      		set schedule "always"
      		set service "ALL_ICMP"
      	next
      end
      

      I want to do this with pfSense but failed pretty hard. My ipsec.conf looks like this:

      999.999.999.999 is our public IP
      111.111.111.111 is the dynamic IP where the PBX is located

      
      conn con2
      	fragmentation = yes
      	keyexchange = ike
      	reauth = yes
      	forceencaps = yes
      	mobike = yes
      
      	rekey = no
      	installpolicy = yes
      	type = tunnel
      	dpdaction = none
      	auto = add
      	left = 999.999.999.999
      	right = %any
      	leftid = "pfsense"
      	ikelifetime = 14400s
      	lifetime = 12000s
      	rightsourceip = 10.1.254.10/24
      	ike = aes256-sha256-modp2048!
      	esp = aes256-sha256-modp2048!
      	leftauth = psk
      	rightauth = psk
      	aggressive = yes
      	leftsubnet = 10.1.254.0/24
      
      

      If I trigger the VPN connection, I get the following log:

      
      Aug 29 12:27:55	charon		15[NET] <1> received packet: from 111.111.111.111[798] to 999.999.999.999[500] (448 bytes)
      Aug 29 12:27:55	charon		15[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
      Aug 29 12:27:55	charon		15[CFG] <1> looking for an ike config for 999.999.999.999...111.111.111.111
      Aug 29 12:27:55	charon		15[CFG] <1> candidate: 999.999.999.999...%any, prio 1048
      Aug 29 12:27:55	charon		15[CFG] <1> found matching ike config: 999.999.999.999...%any with prio 1048
      Aug 29 12:27:55	charon		15[IKE] <1> 111.111.111.111 is initiating an IKE_SA
      Aug 29 12:27:55	charon		15[IKE] <1> IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
      Aug 29 12:27:55	charon		15[CFG] <1> selecting proposal:
      Aug 29 12:27:55	charon		15[CFG] <1> proposal matches
      Aug 29 12:27:55	charon		15[CFG] <1> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
      Aug 29 12:27:55	charon		15[CFG] <1> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
      Aug 29 12:27:55	charon		15[CFG] <1> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
      Aug 29 12:27:55	charon		15[IKE] <1> remote host is behind NAT
      Aug 29 12:27:55	charon		15[ENC] <1> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
      Aug 29 12:27:55	charon		15[NET] <1> sending packet: from 999.999.999.999[500] to 111.111.111.111[798] (456 bytes)
      Aug 29 12:27:56	charon		09[NET] <1> received packet: from 111.111.111.111[55227] to 999.999.999.999[4500] (288 bytes)
      Aug 29 12:27:56	charon		09[ENC] <1> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
      Aug 29 12:27:56	charon		09[CFG] <1> looking for peer configs matching 999.999.999.999[999.999.999.999]...111.111.111.111[OXO]
      Aug 29 12:27:56	charon		09[CFG] <1> no matching peer config found
      Aug 29 12:27:56	charon		09[IKE] <1> processing INTERNAL_IP4_ADDRESS attribute
      Aug 29 12:27:56	charon		09[IKE] <1> processing INTERNAL_IP4_DNS attribute
      Aug 29 12:27:56	charon		09[IKE] <1> peer supports MOBIKE
      Aug 29 12:27:56	charon		09[ENC] <1> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
      Aug 29 12:27:56	charon		09[NET] <1> sending packet: from 999.999.999.999[4500] to 111.111.111.111[55227] (80 bytes)
      Aug 29 12:27:56	charon		09[IKE] <1> IKE_SA (unnamed)[1] state change: CONNECTING => DESTROYING
      
      

      I have no idea why I get the message "no matching peer config found". Maybe one of you is familiar with both systems and can give me a hint where to find my error…
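Added example, not part of the post and not pfSense or strongSwan code: a small Python triage script that reads the "looking for peer configs matching" line charon logged above and checks the two identities in it against the conn block's leftid/rightid, assuming strongSwan's matching rules (leftid defaults to the left address, rightid defaults to %any, and %any matches anything). The sample log lines and conn block are constructed from the values in the post.

```python
import re

# Constructed sample input: the identity-related charon lines from the post and
# the identity settings of its "conn con2" block (IPs kept as the poster wrote them).
LOG = """\
Aug 29 12:27:55 charon 15[CFG] <1> found matching ike config: 999.999.999.999...%any with prio 1048
Aug 29 12:27:56 charon 09[CFG] <1> looking for peer configs matching 999.999.999.999[999.999.999.999]...111.111.111.111[OXO]
Aug 29 12:27:56 charon 09[CFG] <1> no matching peer config found
"""
CONF = """\
conn con2
	left = 999.999.999.999
	right = %any
	leftid = "pfsense"
"""

# charon logs: looking for peer configs matching <left>[<IDr>]...<right>[<IDi>]
PEER_RE = re.compile(r"peer configs matching (\S+?)\[([^\]]*)\]\.\.\.(\S+?)\[([^\]]*)\]")
ID_RE = re.compile(r'^\s*(left|right|leftid|rightid)\s*=\s*"?([^"]+?)"?\s*$')


def parse_peer_lookup(log):
    """Return (left_addr, IDr requested by the peer, right_addr, IDi the peer sent)."""
    for line in log.splitlines():
        m = PEER_RE.search(line)
        if m:
            return m.groups()
    raise ValueError("no 'looking for peer configs' line in log")


def parse_conn(conf):
    """Collect left/right/leftid/rightid from a conn block; missing keys stay absent."""
    return {m.group(1): m.group(2) for m in map(ID_RE.match, conf.splitlines()) if m}


def diagnose(log, conf):
    """Explain 'no matching peer config found' as identity mismatches (assumed strongSwan rules)."""
    left_addr, idr, right_addr, idi = parse_peer_lookup(log)
    ids = parse_conn(conf)
    local_id = ids.get("leftid", ids.get("left", left_addr))  # leftid defaults to left address
    remote_id = ids.get("rightid", "%any")                     # rightid defaults to %any
    problems = []
    if local_id != "%any" and local_id != idr:
        problems.append(f"leftid {local_id!r} does not match the IDr the peer requested: {idr!r}")
    if remote_id != "%any" and remote_id != idi:
        problems.append(f"rightid {remote_id!r} does not match the IDi the peer sent: {idi!r}")
    return problems


if __name__ == "__main__":
    for problem in diagnose(LOG, CONF):
        print(problem)
```

For the posted config the script reports only the local side: the PBX asks for the responder identity 999.999.999.999 while the conn block answers as "pfsense", so charon finds an IKE config (address-based) but no peer config (identity-based).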
