VPN for Alcatel pbx

alexeik

Hi

we provide service for Alcatel PBX. For remote service Alcatel developed a new system where you can trigger the pbx to open a ipsec vpn to our site. The only thing i can configure is in the screenshot:

http://imgur.com/3YotO65

For the ipsec endpoint on our side Alcatel provides only a reference guide for Fortigate. The peer should look like the following:

config system interface
	edit "wan1"
		set vdom "root"
		set ip 10.0.0.2 255.255.255.0
		set allowaccess ping
		set type physical
	next
	edit "internal" set vdom "root"
		set ip 172.26.190.2 255.255.255.0
		set allowaccess ping https ssh
		set type physical
	next
	edit "oxovpn"
		set vdom "root"
		set ip 0.0.0.0 255.255.255.255
		set allowaccess ping
		set type tunnel
		set interface "wan1"
	next
end
config user group
	edit "oxovpnusers"
		set member "user1"
	next
end
config user local
	edit "user1"
		set type password
		set passwd user1_password
	next
end
config router static edit 1
		set device "wan1"
		set gateway 10.0.0.1
	next
end
config vpn ipsec phase1-interface
	edit "oxovpn"
		set type dynamic
		set interface "wan1"
		set keylife 14400
		set xauthtype auto
		set mode aggressive
		set mode-cfg enable
		set proposal aes256-sha256
		set localid "30.0.0.1"
		set dhgrp 14
		set authusrgrp "oxovpnusers"
		set ipv4-start-ip 10.215.0.1
		set ipv4-end-ip 10.215.0.255
		set ipv4-netmask 255.255.255.0
		set psksecret presharedkey
		set keepalive 30
	next
end
config vpn ipsec phase2-interface edit "oxovpnp2"
		set keepalive enable
		set phase1name "oxovpn"
		set proposal aes256-sha256
		set keylifeseconds 12000
		set dhgrp 14
	next
end
config firewall vip
	edit "oxo2forti"
		set extip 30.0.0.1
		set extintf "oxovpn"
		set mappedip 10.0.0.2
	next
end
config firewall ippool
	edit "natr"
		set endip 30.0.0.1
		set startip 30.0.0.1
		set arp-reply disable
	next
end
config firewall address
	edit “oxovpn_range”
		set type iprange
		set start-ip 10.215.0.1
		set end-ip 10.215.0.255
	next
	edit “ws_range”
		set associated-interface “internal”
		set subnet 172.26.190.0 255.255.255.0
		set allow-routing enable
	next
end
config firewall policy
	edit 1
		set srcintf "internal"
		set dstintf "oxovpn"
		set srcaddr "ws_range"
		set dstaddr "oxovpn_range"
		set action accept
		set schedule "always"
		set service "HTTPS"
		set nat enable
		set ippool enable
		set poolname "natr"
	next
	edit 2
		set srcintf "oxovpn"
		set dstintf "wan1"
		set srcaddr "oxovpn_range"
		set dstaddr "oxo2forti"
		set action accept
		set schedule "always"
		set service "ALL_ICMP"
		next
end

I want to do this with pfsense but failed pretty hard. my ipsec.conf looks like this

999.999.999.999 is our public ip
111.111.111.111 is the dynamic ip, where the pbx is located

conn con2
	fragmentation = yes
	keyexchange = ike
	reauth = yes
	forceencaps = yes
	mobike = yes

	rekey = no
	installpolicy = yes
	type = tunnel
	dpdaction = none
	auto = add
	left = 999.999.999.999
	right = %any
	leftid = "pfsense"
	ikelifetime = 14400s
	lifetime = 12000s
	rightsourceip = 10.1.254.10/24
	ike = aes256-sha256-modp2048!
	esp = aes256-sha256-modp2048!
	leftauth = psk
	rightauth = psk
	aggressive = yes
	leftsubnet = 10.1.254.0/24

If i trigger the vpn connection i have the following log:

Aug 29 12:27:55	charon		15[NET] <1> received packet: from 111.111.111.111[798] to 999.999.999.999[500] (448 bytes)
Aug 29 12:27:55	charon		15[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
Aug 29 12:27:55	charon		15[CFG] <1> looking for an ike config for 999.999.999.999...111.111.111.111
Aug 29 12:27:55	charon		15[CFG] <1> candidate: 999.999.999.999...%any, prio 1048
Aug 29 12:27:55	charon		15[CFG] <1> found matching ike config: 999.999.999.999...%any with prio 1048
Aug 29 12:27:55	charon		15[IKE] <1> 111.111.111.111 is initiating an IKE_SA
Aug 29 12:27:55	charon		15[IKE] <1> IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
Aug 29 12:27:55	charon		15[CFG] <1> selecting proposal:
Aug 29 12:27:55	charon		15[CFG] <1> proposal matches
Aug 29 12:27:55	charon		15[CFG] <1> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Aug 29 12:27:55	charon		15[CFG] <1> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Aug 29 12:27:55	charon		15[CFG] <1> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Aug 29 12:27:55	charon		15[IKE] <1> remote host is behind NAT
Aug 29 12:27:55	charon		15[ENC] <1> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
Aug 29 12:27:55	charon		15[NET] <1> sending packet: from 999.999.999.999[500] to 111.111.111.111[798] (456 bytes)
Aug 29 12:27:56	charon		09[NET] <1> received packet: from 111.111.111.111[55227] to 999.999.999.999[4500] (288 bytes)
Aug 29 12:27:56	charon		09[ENC] <1> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Aug 29 12:27:56	charon		09[CFG] <1> looking for peer configs matching 999.999.999.999[999.999.999.999]...111.111.111.111[OXO]
Aug 29 12:27:56	charon		09[CFG] <1> no matching peer config found
Aug 29 12:27:56	charon		09[IKE] <1> processing INTERNAL_IP4_ADDRESS attribute
Aug 29 12:27:56	charon		09[IKE] <1> processing INTERNAL_IP4_DNS attribute
Aug 29 12:27:56	charon		09[IKE] <1> peer supports MOBIKE
Aug 29 12:27:56	charon		09[ENC] <1> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Aug 29 12:27:56	charon		09[NET] <1> sending packet: from 999.999.999.999[4500] to 111.111.111.111[55227] (80 bytes)
Aug 29 12:27:56	charon		09[IKE] <1> IKE_SA (unnamed)[1] state change: CONNECTING => DESTROYING

I have no ides why i get the message "no matching peer config found". maybe someone of you is familiar with both systems and can give me a hint where to find my error…