Netgate Discussion Forum

    IPSec issues - pfSense <=> SonicWall

    5 Posts 4 Posters 10.6k Views
    • Auxientius

      Hi All.

      I am currently configuring a pfSense box (1.2.2) to replace a number of different appliances across our office network.

      I am trying to get an IPSec VPN working between my pfSense box and a SonicWall TZ170 Running the standard OS.

      Setup:

      Phase one Main Mode / Group 2 / 3DES / SHA1

      SonicWall:
      Phase two ESP / 3DES / SHA1 (PFS Off)

      pfSense:
      Phase two ESP / 3DES / Blowfish / SHA1 (PFS Off)

      NOTE: I read in the how-to that I was supposed to have Blowfish and 3DES on if I was using 3DES - but I have tried it on and off.

      This is what I am seeing in pfSense (I have reverse log order on; I've also masked the IPs):

      Jan 23 14:30:27 racoon: ERROR: phase1 negotiation failed.
      Jan 23 14:30:27 racoon: ERROR: failed to process packet.
      Jan 23 14:30:27 racoon: ERROR: phase1 negotiation failed due to send error. f41cb02a8dec9a92:13e3ffba3d08723f
      Jan 23 14:30:27 racoon: ERROR: sendfromto failed
      Jan 23 14:30:27 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
      Jan 23 14:30:27 racoon: INFO: begin Identity Protection mode.
      Jan 23 14:30:27 racoon: [VPN to BANGKOK]: INFO: respond new phase 1 negotiation: 203.152.xxx.xxx[500]<=>203.147.xx.x[500]

      On the SonicWall end all I see is:

      37 01/22/2009 17:19:43.000 IKE Initiator: No response - remote party timeout 203.147.xx.x, 500 203.152.xxx.xxx, 500     
      38 01/22/2009 17:19:31.944 IKE Initiator: No response - remote party timeout 203.147.xx.x, 500 203.152.xxx.xxx, 500     
      39 01/22/2009 17:19:27.048 IKE Initiator: Start Main Mode negotiation (Phase 1) 203.147.xx.x, 500 203.152.xxx.xxx, 500     
      40 01/22/2009 17:19:25.944 IKE negotiation aborted due to timeout 203.147.xx.x 203.152.xxx.xxx     
      42 01/22/2009 17:18:53.000 IKE Initiator: No response - remote party timeout 203.147.xx.x, 500 203.152.xxx.xxx, 500     
      43 01/22/2009 17:18:35.000 IKE Initiator: No response - remote party timeout 203.147.xx.x, 500 203.152.xxx.xxx, 500     
      44 01/22/2009 17:18:25.944 IKE Initiator: No response - remote party timeout 203.147.xx.x, 500 203.152.xxx.xxx, 500     
      45 01/22/2009 17:18:21.032 IKE Initiator: Start Main Mode negotiation (Phase 1) 203.147.xx.x, 500 203.xxx.xxx.xxx, 500     
      46 01/22/2009 17:18:11.944 IKE negotiation aborted due to timeout 203.147.xx.x 203.152.xxx.xxx       
      49 01/22/2009 17:17:37.000 IKE Initiator: No response - remote party timeout 203.147.xx.x, 500 203.152.xxx.xxx, 500     
      50 01/22/2009 17:17:21.000 IKE Initiator: No response - remote party timeout 203.147.xx.x, 500 203.152.xxx.xxx, 500

      I've tried different combinations of proposals, deleting and remaking, all sorts. From what I can guess, it's having issues with communication between points, however both sites are pingable by each other?

      Any ideas?

      Thanks
      Gareth

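The two log excerpts in the post above, read together, tell a more specific story than "phase 1 failed": the pfSense side is the responder and logs a local send failure, while the SonicWall side sees only initiator timeouts. The following is an added example (not code from the thread, from pfSense or from SonicWall) that parses both excerpts and classifies the racoon failure by the symptom message it logged. The sample lines are the ones quoted in the post (IPs masked by the poster, racoon lines newest-first because "reverse log order" was on) plus one constructed excerpt showing a genuine proposal mismatch; the message strings are ones racoon emits, while the cause labels and the hints attached to them are this example's own heuristics.

```python
"""Classify a failed racoon phase 1 from its log and summarise the peer's view.

Added example; not code from the forum thread, from pfSense or from SonicWall.
Sample logs are the lines quoted in the post (IPs masked by the poster).
"""
import re

# From the post: racoon lines newest-first ("reverse log order" was enabled).
RACOON_LOG_REVERSED = """\
Jan 23 14:30:27 racoon: ERROR: phase1 negotiation failed.
Jan 23 14:30:27 racoon: ERROR: failed to process packet.
Jan 23 14:30:27 racoon: ERROR: phase1 negotiation failed due to send error. f41cb02a8dec9a92:13e3ffba3d08723f
Jan 23 14:30:27 racoon: ERROR: sendfromto failed
Jan 23 14:30:27 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Jan 23 14:30:27 racoon: INFO: begin Identity Protection mode.
Jan 23 14:30:27 racoon: [VPN to BANGKOK]: INFO: respond new phase 1 negotiation: 203.152.xxx.xxx[500]<=>203.147.xx.x[500]
"""

# From the post: the SonicWall (initiator) side.
SONICWALL_LOG = """\
37 01/22/2009 17:19:43.000 IKE Initiator: No response - remote party timeout 203.147.xx.x, 500 203.152.xxx.xxx, 500
39 01/22/2009 17:19:27.048 IKE Initiator: Start Main Mode negotiation (Phase 1) 203.147.xx.x, 500 203.152.xxx.xxx, 500
40 01/22/2009 17:19:25.944 IKE negotiation aborted due to timeout 203.147.xx.x 203.152.xxx.xxx
"""

# Constructed (not from the post): what a real phase 1 proposal mismatch logs, newest-first.
CONSTRUCTED_MISMATCH_LOG = """\
Jan 23 14:40:01 racoon: ERROR: phase1 negotiation failed.
Jan 23 14:40:01 racoon: ERROR: failed to get valid proposal.
Jan 23 14:40:01 racoon: ERROR: no suitable proposal found.
Jan 23 14:40:01 racoon: INFO: respond new phase 1 negotiation: 192.0.2.1[500]<=>198.51.100.2[500]
"""

RACOON_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) racoon: (?:\[(?P<tag>[^\]]+)\]: )?"
    r"(?P<level>[A-Z]+): (?P<msg>.*)$"
)
SONICWALL_RE = re.compile(r"^\d+ (?P<date>\S+) (?P<time>\S+) (?P<msg>.*)$")

# (symptom substring, cause label, what to check). First match wins; most specific first.
# The hints are this example's heuristics, not racoon documentation.
RULES = [
    ("sendfromto failed", "send_error",
     "racoon could not send its reply: check pf rules for UDP/500 (and 4500 with NAT-T) and the bound interface"),
    ("no suitable proposal found", "proposal_mismatch",
     "phase 1 encryption/hash/DH group/lifetime differ from the peer's offer"),
    ("couldn't find the pskey", "psk_or_identifier_mismatch",
     "no pre-shared key configured for the identifier racoon saw (IP vs FQDN, etc.)"),
    ("phase1 negotiation failed due to time up", "timeout",
     "the peer never answered: packets lost in one direction or no initiator"),
]


def racoon_entries(text_newest_first):
    """Parse a reverse-ordered racoon excerpt; return parsed entries oldest-first."""
    parsed = [RACOON_RE.match(l.strip()) for l in text_newest_first.splitlines() if l.strip()]
    return [m.groupdict() for m in reversed(parsed) if m]


def classify_phase1_failure(text_newest_first):
    """Return (cause, hint, evidence_message) for a racoon phase 1 failure."""
    msgs = [e["msg"] for e in racoon_entries(text_newest_first)]
    if not any("phase1 negotiation failed" in m for m in msgs):
        return ("no_failure", "no phase 1 failure in this excerpt", None)
    for needle, cause, hint in RULES:
        for m in msgs:
            if needle in m:
                return (cause, hint, m)
    return ("unknown", "phase 1 failed but no known symptom message was logged", None)


def negotiation_role(text_newest_first):
    """'responder' if racoon answered the peer, 'initiator' if racoon started the exchange."""
    for e in racoon_entries(text_newest_first):
        if e["msg"].startswith("respond new phase 1 negotiation"):
            return "responder"
        if e["msg"].startswith("initiate new phase 1 negotiation"):
            return "initiator"
    return "unknown"


def sonicwall_summary(text):
    """Count the initiator-side IKE events in a SonicWall log excerpt."""
    counts = {"started": 0, "no_response": 0, "aborted": 0}
    for line in text.splitlines():
        m = SONICWALL_RE.match(line.strip())
        if not m:
            continue
        if "Start Main Mode negotiation" in m["msg"]:
            counts["started"] += 1
        elif "No response - remote party timeout" in m["msg"]:
            counts["no_response"] += 1
        elif "aborted due to timeout" in m["msg"]:
            counts["aborted"] += 1
    return counts


def views_agree(racoon_text_newest_first, sonicwall_text):
    """True when the peer only sees timeouts and racoon (responding) says its reply never left."""
    cause = classify_phase1_failure(racoon_text_newest_first)[0]
    role = negotiation_role(racoon_text_newest_first)
    return cause == "send_error" and role == "responder" and sonicwall_summary(sonicwall_text)["no_response"] > 0


if __name__ == "__main__":
    cause, hint, evidence = classify_phase1_failure(RACOON_LOG_REVERSED)
    print(f"pfSense: role={negotiation_role(RACOON_LOG_REVERSED)} cause={cause} evidence={evidence!r}")
    print(f"  check: {hint}")
    print(f"SonicWall: {sonicwall_summary(SONICWALL_LOG)}")
    print(f"logs consistent with a reply that never left pfSense: {views_agree(RACOON_LOG_REVERSED, SONICWALL_LOG)}")
```

Feed it a longer excerpt than the four lines quoted here and the same classification applies; the one thing to keep in mind is that `racoon_entries` assumes the dump is newest-first, so a log copied with normal ordering should not be reversed first.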
      • heiko

        Any further information? Static to static, or dynamic sides? Which identifier, e.g.?

        Regards
        Heiko

        • Auxientius

          Sorry, it's static to static addresses (sorta standard corporate site-to-site VPN)

          It's worth noting that I get further trying a VPN from the pfSense to an IPCop box (although I can't get phase two of the authentication going, but I'm sure that's just me).

          • cmb

            You have a mismatch of some sort on phase 1.

            • focalguy

              I had to open port 500 on the pfSense box. At least open it to connections coming from the IP of the SonicWall.

              I'm sure you already have checked but make sure again all your phase 1 settings are the same on both sides.

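The thread offers two candidate causes, a phase 1 mismatch and a blocked UDP/500; the second is a firewall rule, but the first can be checked mechanically before touching either box. The block below is an added example, not code from the thread, from pfSense or from SonicWall: it models the IKEv1 matching rules the replies rely on (every phase 1 attribute must agree in Main Mode; the responder accepts the first transform in the initiator's phase 2 list that it also supports; PFS must be off on both sides or use the same group) and applies them to the settings the original poster listed. The mismatched variants (a different DH group, PFS enabled on one side) are constructed for illustration, and the attribute names are this example's own.

```python
"""Check two IKEv1 site-to-site peers for compatible phase 1 and phase 2 settings.

Added example; not from the thread, pfSense or SonicWall. Attribute names and the
negotiation model are this example's own simplification of IKEv1 Main Mode/Quick Mode.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Phase1:
    mode: str           # "main" or "aggressive"
    encryption: str     # "3des", "aes128", ...
    hash: str           # "sha1", "md5"
    dh_group: int       # 1, 2, 5, 14, ...
    auth: str = "psk"   # "psk" or "rsasig"


@dataclass(frozen=True)
class Transform:
    protocol: str       # "esp" or "ah"
    encryption: str
    auth: str


@dataclass
class Phase2:
    transforms: List[Transform]   # in the order the peer offers them
    pfs_group: Optional[int]      # None means PFS off


def phase1_mismatches(local: Phase1, remote: Phase1):
    """Names of the phase 1 attributes that differ; Main Mode needs all of them equal."""
    return [f for f in ("mode", "encryption", "hash", "dh_group", "auth")
            if getattr(local, f) != getattr(remote, f)]


def phase2_selected(initiator: Phase2, responder: Phase2):
    """Transform the responder picks from the initiator's ordered offer, or None.

    PFS must match exactly (both off, or the same DH group); otherwise the
    responder walks the initiator's list and takes the first transform it shares.
    """
    if initiator.pfs_group != responder.pfs_group:
        return None
    for t in initiator.transforms:
        if t in responder.transforms:
            return t
    return None


def compatibility_report(local_p1, local_p2, remote_p1, remote_p2):
    """Summarise whether the tunnel can negotiate, with the remote side initiating."""
    p1_bad = phase1_mismatches(local_p1, remote_p1)
    if p1_bad:
        return {"ok": False, "stage": "phase1", "detail": p1_bad}
    chosen = phase2_selected(remote_p2, local_p2)
    if chosen is None:
        return {"ok": False, "stage": "phase2", "detail": "no common transform or PFS mismatch"}
    return {"ok": True, "stage": "phase2", "detail": chosen}


# Settings as listed in the post: pfSense responds, SonicWall initiates.
PFSENSE_P1 = Phase1("main", "3des", "sha1", 2)
SONICWALL_P1 = Phase1("main", "3des", "sha1", 2)
PFSENSE_P2 = Phase2([Transform("esp", "3des", "sha1"), Transform("esp", "blowfish", "sha1")], None)
SONICWALL_P2 = Phase2([Transform("esp", "3des", "sha1")], None)

# Constructed mismatches (not from the post): a different DH group, and PFS on one side only.
SONICWALL_P1_DH5 = Phase1("main", "3des", "sha1", 5)
SONICWALL_P2_PFS = Phase2([Transform("esp", "3des", "sha1")], 2)

if __name__ == "__main__":
    print("as posted:     ", compatibility_report(PFSENSE_P1, PFSENSE_P2, SONICWALL_P1, SONICWALL_P2))
    print("DH group 5:    ", compatibility_report(PFSENSE_P1, PFSENSE_P2, SONICWALL_P1_DH5, SONICWALL_P2))
    print("PFS one side:  ", compatibility_report(PFSENSE_P1, PFSENSE_P2, SONICWALL_P1, SONICWALL_P2_PFS))
```

With the settings as posted the model negotiates ESP/3DES/SHA1 regardless of which side initiates, so the extra Blowfish transform on the pfSense side is harmless; it only becomes the selected transform if pfSense initiates and lists it first. The two constructed variants show the report pointing at the offending attribute rather than a generic "phase 1 failed".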
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.