IPSec issues - pfSense <=> SonicWall



  • Hi All.

    I am currently configuring a pfSense box (1.2.2) to replace a number of different appliances across our office network.

    I am trying to get an IPSec VPN working between my pfSense box and a SonicWall TZ170 Running the standard OS.

    Setup:

    Phase one Main Mode / Group 2 / 3DES / SHA1

    SonicWall:
    Phase two ESP / 3DES / SHA1 (PFS Off)

    pfSense:
    Phase two ESP / 3DES / Blowfish / SHA1 (PFS Off)

    NOTE: I read in the how-to that I was supposed to have Blowfish and 3DES on if I was using 3DES - but I have tried it on and off.

    This is what I am seeing in pfSense (I have reverse log order on; I've also masked the IPs):

    Jan 23 14:30:27 racoon: ERROR: phase1 negotiation failed.
    Jan 23 14:30:27 racoon: ERROR: failed to process packet.
    Jan 23 14:30:27 racoon: ERROR: phase1 negotiation failed due to send error. f41cb02a8dec9a92:13e3ffba3d08723f
    Jan 23 14:30:27 racoon: ERROR: sendfromto failed
    Jan 23 14:30:27 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
    Jan 23 14:30:27 racoon: INFO: begin Identity Protection mode.
    Jan 23 14:30:27 racoon: [VPN to BANGKOK]: INFO: respond new phase 1 negotiation: 203.152.xxx.xxx[500]<=>203.147.xx.x[500]

    On the SonicWall end all I see is:

    37 01/22/2009 17:19:43.000 IKE Initiator: No response - remote party timeout 203.147.xx.x, 500 203.152.xxx.xxx, 500
    38 01/22/2009 17:19:31.944 IKE Initiator: No response - remote party timeout 203.147.xx.x, 500 203.152.xxx.xxx, 500
    39 01/22/2009 17:19:27.048 IKE Initiator: Start Main Mode negotiation (Phase 1) 203.147.xx.x, 500 203.152.xxx.xxx, 500
    40 01/22/2009 17:19:25.944 IKE negotiation aborted due to timeout 203.147.xx.x 203.152.xxx.xxx
    42 01/22/2009 17:18:53.000 IKE Initiator: No response - remote party timeout 203.147.xx.x, 500 203.152.xxx.xxx, 500
    43 01/22/2009 17:18:35.000 IKE Initiator: No response - remote party timeout 203.147.xx.x, 500 203.152.xxx.xxx, 500
    44 01/22/2009 17:18:25.944 IKE Initiator: No response - remote party timeout 203.147.xx.x, 500 203.152.xxx.xxx, 500
    45 01/22/2009 17:18:21.032 IKE Initiator: Start Main Mode negotiation (Phase 1) 203.147.xx.x, 500 203.xxx.xxx.xxx, 500
    46 01/22/2009 17:18:11.944 IKE negotiation aborted due to timeout 203.147.xx.x 203.152.xxx.xxx
    49 01/22/2009 17:17:37.000 IKE Initiator: No response - remote party timeout 203.147.xx.x, 500 203.152.xxx.xxx, 500
    50 01/22/2009 17:17:21.000 IKE Initiator: No response - remote party timeout 203.147.xx.x, 500 203.152.xxx.xxx, 500

    I've tried different combinations of proposals, deleting and remaking, all sorts. From what I can guess, it's having issues with communication between points; however, both sites are pingable by each other?

    Any ideas?

    Thanks
    Gareth



  • Any further information? Static to static, or dynamic sides? Which identifier, e.g.?

    Regards
    Heiko



  • Sorry, it's static to static addresses (sort of a standard corporate site-to-site VPN).

    It's worth noting that I get further trying a VPN from the pfSense to an IPCop box (although I can't get phase two of the authentication going, but I'm sure that's just me).



  • You have a mismatch of some sort on phase 1.



  • I had to open port 500 on the pfSense box. At least open it to connections coming from the IP of the SonicWall.

    I'm sure you already have checked but make sure again all your phase 1 settings are the same on both sides.
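    As an added example (not code from the thread or from pfSense), here is a small Python triage of the racoon lines Gareth posted: it puts the reverse-ordered log back in sequence and separates "the peer's IKE packet never reached us" from "it reached us but we could not send the reply", which is the distinction the port 500 advice above turns on. The racoon message patterns other than those in the post are assumed from ipsec-tools and are constructed for the example.

    ```python
    import re

    # Constructed sample: the racoon lines quoted in the first post (newest first).
    PFSENSE_LOG = """\
    Jan 23 14:30:27 racoon: ERROR: phase1 negotiation failed.
    Jan 23 14:30:27 racoon: ERROR: failed to process packet.
    Jan 23 14:30:27 racoon: ERROR: phase1 negotiation failed due to send error. f41cb02a8dec9a92:13e3ffba3d08723f
    Jan 23 14:30:27 racoon: ERROR: sendfromto failed
    Jan 23 14:30:27 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
    Jan 23 14:30:27 racoon: INFO: begin Identity Protection mode.
    Jan 23 14:30:27 racoon: [VPN to BANGKOK]: INFO: respond new phase 1 negotiation: 203.152.xxx.xxx[500]<=>203.147.xx.x[500]
    """

    # Ordered rules, first match wins. Patterns are common ipsec-tools racoon
    # messages (assumed wording; adjust if your racoon build phrases them differently).
    RULES = [
        (r"sendfromto failed|due to send error", "send_error",
         "racoon could not transmit its reply: check outbound UDP 500/4500 toward the peer, not the proposals"),
        (r"no suitable proposal found|failed to get valid proposal", "proposal_mismatch",
         "phase 1 proposal (DH group, cipher, hash, lifetime) differs between peers"),
        (r"couldn't find the pskey", "psk_lookup_failed",
         "no pre-shared key matched the peer identifier"),
        (r"due to time up", "timeout",
         "peer never answered: our packets did not reach it or its replies did not reach us"),
    ]

    def triage_phase1(log_text, newest_first=True):
        """Classify a racoon phase 1 failure and say whether the peer's IKE reached us."""
        lines = [l for l in log_text.splitlines() if l.strip()]
        if newest_first:
            lines.reverse()  # pfSense 'reverse log order' shows newest first; read oldest first
        result = {"received_peer_ike": False, "verdict": "unknown", "hint": "",
                  "cookies": None, "evidence": []}
        for line in lines:
            if "respond new phase 1 negotiation" in line:
                result["received_peer_ike"] = True  # peer's first IKE packet arrived here
            m = re.search(r"\b([0-9a-f]{16}:[0-9a-f]{16})\b", line)
            if m:
                result["cookies"] = m.group(1)  # ISAKMP initiator:responder cookies, for correlation
            for pattern, verdict, hint in RULES:
                if re.search(pattern, line):
                    result["evidence"].append(line.split("racoon: ", 1)[-1])
                    if result["verdict"] == "unknown":
                        result["verdict"], result["hint"] = verdict, hint
        return result

    if __name__ == "__main__":
        r = triage_phase1(PFSENSE_LOG)
        print(r["verdict"], "| peer IKE received:", r["received_peer_ike"], "|", r["hint"])
    ```

    For the posted log this reports `send_error` with the peer's packet received, i.e. inbound IKE works and the failure is on pfSense's outbound side, which is consistent with the SonicWall only ever seeing "No response".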

