VPN for Alcatel pbx
Hi
We provide service for Alcatel PBX. For remote service Alcatel developed a new system where you can trigger the PBX to open an IPsec VPN to our site. The only thing I can configure is in the screenshot:
For the ipsec endpoint on our side Alcatel provides only a reference guide for Fortigate. The peer should look like the following:
config system interface
    edit "wan1"
        set vdom "root"
        set ip 10.0.0.2 255.255.255.0
        set allowaccess ping
        set type physical
    next
    edit "internal"
        set vdom "root"
        set ip 172.26.190.2 255.255.255.0
        set allowaccess ping https ssh
        set type physical
    next
    edit "oxovpn"
        set vdom "root"
        set ip 0.0.0.0 255.255.255.255
        set allowaccess ping
        set type tunnel
        set interface "wan1"
    next
end
config user group
    edit "oxovpnusers"
        set member "user1"
    next
end
config user local
    edit "user1"
        set type password
        set passwd user1_password
    next
end
config router static
    edit 1
        set device "wan1"
        set gateway 10.0.0.1
    next
end
config vpn ipsec phase1-interface
    edit "oxovpn"
        set type dynamic
        set interface "wan1"
        set keylife 14400
        set xauthtype auto
        set mode aggressive
        set mode-cfg enable
        set proposal aes256-sha256
        set localid "30.0.0.1"
        set dhgrp 14
        set authusrgrp "oxovpnusers"
        set ipv4-start-ip 10.215.0.1
        set ipv4-end-ip 10.215.0.255
        set ipv4-netmask 255.255.255.0
        set psksecret presharedkey
        set keepalive 30
    next
end
config vpn ipsec phase2-interface
    edit "oxovpnp2"
        set keepalive enable
        set phase1name "oxovpn"
        set proposal aes256-sha256
        set keylifeseconds 12000
        set dhgrp 14
    next
end
config firewall vip
    edit "oxo2forti"
        set extip 30.0.0.1
        set extintf "oxovpn"
        set mappedip 10.0.0.2
    next
end
config firewall ippool
    edit "natr"
        set endip 30.0.0.1
        set startip 30.0.0.1
        set arp-reply disable
    next
end
config firewall address
    edit "oxovpn_range"
        set type iprange
        set start-ip 10.215.0.1
        set end-ip 10.215.0.255
    next
    edit "ws_range"
        set associated-interface "internal"
        set subnet 172.26.190.0 255.255.255.0
        set allow-routing enable
    next
end
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "oxovpn"
        set srcaddr "ws_range"
        set dstaddr "oxovpn_range"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat enable
        set ippool enable
        set poolname "natr"
    next
    edit 2
        set srcintf "oxovpn"
        set dstintf "wan1"
        set srcaddr "oxovpn_range"
        set dstaddr "oxo2forti"
        set action accept
        set schedule "always"
        set service "ALL_ICMP"
    next
end
I want to do this with pfSense but failed pretty hard. My ipsec.conf looks like this:
999.999.999.999 is our public IP
111.111.111.111 is the dynamic IP where the PBX is located

conn con2
    fragmentation = yes
    keyexchange = ike
    reauth = yes
    forceencaps = yes
    mobike = yes
    rekey = no
    installpolicy = yes
    type = tunnel
    dpdaction = none
    auto = add
    left = 999.999.999.999
    right = %any
    leftid = "pfsense"
    ikelifetime = 14400s
    lifetime = 12000s
    rightsourceip = 10.1.254.10/24
    ike = aes256-sha256-modp2048!
    esp = aes256-sha256-modp2048!
    leftauth = psk
    rightauth = psk
    aggressive = yes
    leftsubnet = 10.1.254.0/24
If I trigger the VPN connection I have the following log:
Aug 29 12:27:55 charon 15[NET] <1> received packet: from 111.111.111.111[798] to 999.999.999.999[500] (448 bytes)
Aug 29 12:27:55 charon 15[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
Aug 29 12:27:55 charon 15[CFG] <1> looking for an ike config for 999.999.999.999...111.111.111.111
Aug 29 12:27:55 charon 15[CFG] <1> candidate: 999.999.999.999...%any, prio 1048
Aug 29 12:27:55 charon 15[CFG] <1> found matching ike config: 999.999.999.999...%any with prio 1048
Aug 29 12:27:55 charon 15[IKE] <1> 111.111.111.111 is initiating an IKE_SA
Aug 29 12:27:55 charon 15[IKE] <1> IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
Aug 29 12:27:55 charon 15[CFG] <1> selecting proposal:
Aug 29 12:27:55 charon 15[CFG] <1> proposal matches
Aug 29 12:27:55 charon 15[CFG] <1> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Aug 29 12:27:55 charon 15[CFG] <1> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Aug 29 12:27:55 charon 15[CFG] <1> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Aug 29 12:27:55 charon 15[IKE] <1> remote host is behind NAT
Aug 29 12:27:55 charon 15[ENC] <1> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
Aug 29 12:27:55 charon 15[NET] <1> sending packet: from 999.999.999.999[500] to 111.111.111.111[798] (456 bytes)
Aug 29 12:27:56 charon 09[NET] <1> received packet: from 111.111.111.111[55227] to 999.999.999.999[4500] (288 bytes)
Aug 29 12:27:56 charon 09[ENC] <1> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Aug 29 12:27:56 charon 09[CFG] <1> looking for peer configs matching 999.999.999.999[999.999.999.999]...111.111.111.111[OXO]
Aug 29 12:27:56 charon 09[CFG] <1> no matching peer config found
Aug 29 12:27:56 charon 09[IKE] <1> processing INTERNAL_IP4_ADDRESS attribute
Aug 29 12:27:56 charon 09[IKE] <1> processing INTERNAL_IP4_DNS attribute
Aug 29 12:27:56 charon 09[IKE] <1> peer supports MOBIKE
Aug 29 12:27:56 charon 09[ENC] <1> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Aug 29 12:27:56 charon 09[NET] <1> sending packet: from 999.999.999.999[4500] to 111.111.111.111[55227] (80 bytes)
Aug 29 12:27:56 charon 09[IKE] <1> IKE_SA (unnamed)[1] state change: CONNECTING => DESTROYING
I have no idea why I get the message "no matching peer config found". Maybe one of you is familiar with both systems and can give me a hint where to find my error…
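One way to narrow down a "no matching peer config found" failure is to compare the identities charon prints in the "looking for peer configs matching local[IDr]...remote[IDi]" line against the conn's leftid/rightid selectors. This is an added diagnostic written for this thread, not code from the poster, pfSense or strongSwan; it assumes charon's selection rule (local ID checked against the IDr the peer sent, remote ID against IDi, with exact string comparison as a simplification) and uses trimmed, constructed copies of the conn and log lines above.

```python
import re

# Constructed sample input: the identity-relevant part of the conn above.
IPSEC_CONF = """conn con2
    left = 999.999.999.999
    right = %any
    leftid = "pfsense"
    leftauth = psk
    rightauth = psk
"""

# Constructed sample input: the two charon lines that decide peer-config selection.
CHARON_LOG = """Aug 29 12:27:56 charon 09[CFG] <1> looking for peer configs matching 999.999.999.999[999.999.999.999]...111.111.111.111[OXO]
Aug 29 12:27:56 charon 09[CFG] <1> no matching peer config found
"""

# local_addr[IDr]...remote_addr[IDi] as charon logs it
PEER_RE = re.compile(r"looking for peer configs matching "
                     r"(?P<lhost>\S+?)\[(?P<idr>[^\]]*)\]\.\.\."
                     r"(?P<rhost>\S+?)\[(?P<idi>[^\]]*)\]")

def parse_conn(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text, quotes stripped."""
    conns, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif "=" in line and current:
            key, val = (s.strip() for s in line.split("=", 1))
            conns[current][key] = val.strip('"')
    return conns

def peer_ids(log):
    """Extract (IDr, IDi) from the charon peer-config lookup line, or None."""
    m = PEER_RE.search(log)
    return (m.group("idr"), m.group("idi")) if m else None

def check_identities(conn, idr, idi):
    """List configured identity selectors that do not match what the peer sent.
    Assumed rule: leftid (default: the left address) must equal IDr and
    rightid (default: %any) must equal IDi; %any matches anything."""
    problems = []
    local = conn.get("leftid", conn.get("left", "%any"))
    remote = conn.get("rightid", "%any")
    if local != "%any" and local != idr:
        problems.append(f"leftid {local!r} != IDr {idr!r} sent by peer")
    if remote != "%any" and remote != idi:
        problems.append(f"rightid {remote!r} != IDi {idi!r} sent by peer")
    return problems
```

Run against the sample above it reports the leftid/IDr mismatch; against a conn with no leftid (so the left address is the local ID) it reports nothing.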