VPN for Alcatel pbx



  • Hi

    We provide service for Alcatel PBXs. For remote service, Alcatel developed a new system where you can trigger the PBX to open an IPsec VPN to our site. The only thing I can configure is shown in the screenshot:

    http://imgur.com/3YotO65

    For the IPsec endpoint on our side, Alcatel provides only a reference guide for FortiGate. The peer configuration should look like the following:

    config system interface
    	edit "wan1"
    		set vdom "root"
    		set ip 10.0.0.2 255.255.255.0
    		set allowaccess ping
    		set type physical
    	next
    	edit "internal"
    		set vdom "root"
    		set ip 172.26.190.2 255.255.255.0
    		set allowaccess ping https ssh
    		set type physical
    	next
    	edit "oxovpn"
    		set vdom "root"
    		set ip 0.0.0.0 255.255.255.255
    		set allowaccess ping
    		set type tunnel
    		set interface "wan1"
    	next
    end
    config user group
    	edit "oxovpnusers"
    		set member "user1"
    	next
    end
    config user local
    	edit "user1"
    		set type password
    		set passwd user1_password
    	next
    end
    config router static
    	edit 1
    		set device "wan1"
    		set gateway 10.0.0.1
    	next
    end
    config vpn ipsec phase1-interface
    	edit "oxovpn"
    		set type dynamic
    		set interface "wan1"
    		set keylife 14400
    		set xauthtype auto
    		set mode aggressive
    		set mode-cfg enable
    		set proposal aes256-sha256
    		set localid "30.0.0.1"
    		set dhgrp 14
    		set authusrgrp "oxovpnusers"
    		set ipv4-start-ip 10.215.0.1
    		set ipv4-end-ip 10.215.0.255
    		set ipv4-netmask 255.255.255.0
    		set psksecret presharedkey
    		set keepalive 30
    	next
    end
    config vpn ipsec phase2-interface
    	edit "oxovpnp2"
    		set keepalive enable
    		set phase1name "oxovpn"
    		set proposal aes256-sha256
    		set keylifeseconds 12000
    		set dhgrp 14
    	next
    end
    config firewall vip
    	edit "oxo2forti"
    		set extip 30.0.0.1
    		set extintf "oxovpn"
    		set mappedip 10.0.0.2
    	next
    end
    config firewall ippool
    	edit "natr"
    		set endip 30.0.0.1
    		set startip 30.0.0.1
    		set arp-reply disable
    	next
    end
    config firewall address
    	edit "oxovpn_range"
    		set type iprange
    		set start-ip 10.215.0.1
    		set end-ip 10.215.0.255
    	next
    	edit "ws_range"
    		set associated-interface "internal"
    		set subnet 172.26.190.0 255.255.255.0
    		set allow-routing enable
    	next
    end
    config firewall policy
    	edit 1
    		set srcintf "internal"
    		set dstintf "oxovpn"
    		set srcaddr "ws_range"
    		set dstaddr "oxovpn_range"
    		set action accept
    		set schedule "always"
    		set service "HTTPS"
    		set nat enable
    		set ippool enable
    		set poolname "natr"
    	next
    	edit 2
    		set srcintf "oxovpn"
    		set dstintf "wan1"
    		set srcaddr "oxovpn_range"
    		set dstaddr "oxo2forti"
    		set action accept
    		set schedule "always"
    		set service "ALL_ICMP"
    	next
    end
    

    I want to do this with pfSense but have failed pretty hard. My ipsec.conf looks like this:

    999.999.999.999 stands in for our public IP
    111.111.111.111 stands in for the dynamic IP where the PBX is located

    
    conn con2
    	fragmentation = yes
    	keyexchange = ike
    	reauth = yes
    	forceencaps = yes
    	mobike = yes
    
    	rekey = no
    	installpolicy = yes
    	type = tunnel
    	dpdaction = none
    	auto = add
    	left = 999.999.999.999
    	right = %any
    	leftid = "pfsense"
    	ikelifetime = 14400s
    	lifetime = 12000s
    	rightsourceip = 10.1.254.10/24
    	ike = aes256-sha256-modp2048!
    	esp = aes256-sha256-modp2048!
    	leftauth = psk
    	rightauth = psk
    	aggressive = yes
    	leftsubnet = 10.1.254.0/24
    
    

    If I trigger the VPN connection, I get the following log:

    
    Aug 29 12:27:55	charon		15[NET] <1> received packet: from 111.111.111.111[798] to 999.999.999.999[500] (448 bytes)
    Aug 29 12:27:55	charon		15[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
    Aug 29 12:27:55	charon		15[CFG] <1> looking for an ike config for 999.999.999.999...111.111.111.111
    Aug 29 12:27:55	charon		15[CFG] <1> candidate: 999.999.999.999...%any, prio 1048
    Aug 29 12:27:55	charon		15[CFG] <1> found matching ike config: 999.999.999.999...%any with prio 1048
    Aug 29 12:27:55	charon		15[IKE] <1> 111.111.111.111 is initiating an IKE_SA
    Aug 29 12:27:55	charon		15[IKE] <1> IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
    Aug 29 12:27:55	charon		15[CFG] <1> selecting proposal:
    Aug 29 12:27:55	charon		15[CFG] <1> proposal matches
    Aug 29 12:27:55	charon		15[CFG] <1> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
    Aug 29 12:27:55	charon		15[CFG] <1> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
    Aug 29 12:27:55	charon		15[CFG] <1> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
    Aug 29 12:27:55	charon		15[IKE] <1> remote host is behind NAT
    Aug 29 12:27:55	charon		15[ENC] <1> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
    Aug 29 12:27:55	charon		15[NET] <1> sending packet: from 999.999.999.999[500] to 111.111.111.111[798] (456 bytes)
    Aug 29 12:27:56	charon		09[NET] <1> received packet: from 111.111.111.111[55227] to 999.999.999.999[4500] (288 bytes)
    Aug 29 12:27:56	charon		09[ENC] <1> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
    Aug 29 12:27:56	charon		09[CFG] <1> looking for peer configs matching 999.999.999.999[999.999.999.999]...111.111.111.111[OXO]
    Aug 29 12:27:56	charon		09[CFG] <1> no matching peer config found
    Aug 29 12:27:56	charon		09[IKE] <1> processing INTERNAL_IP4_ADDRESS attribute
    Aug 29 12:27:56	charon		09[IKE] <1> processing INTERNAL_IP4_DNS attribute
    Aug 29 12:27:56	charon		09[IKE] <1> peer supports MOBIKE
    Aug 29 12:27:56	charon		09[ENC] <1> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    Aug 29 12:27:56	charon		09[NET] <1> sending packet: from 999.999.999.999[4500] to 111.111.111.111[55227] (80 bytes)
    Aug 29 12:27:56	charon		09[IKE] <1> IKE_SA (unnamed)[1] state change: CONNECTING => DESTROYING
    
    

    I have no idea why I get the message "no matching peer config found". The log shows charon looking for peer configs matching 999.999.999.999[999.999.999.999]...111.111.111.111[OXO], i.e. the PBX sends our IP as IDr and "OXO" as IDi, which may not line up with the leftid I set. Maybe someone here is familiar with both systems and can give me a hint where to find my error…