IPSec connection fails

  • Hello
I am trying to open an IPSec tunnel between a Sophos XG Firewall and pfSense 2.4.4. I already tried a connection with IKEv2 which did not work. So I switched to IKEv1 to finally get this damn tunnel up. Bringing up a tunnel should be totally easy if you control both sides' firewalls. It is not!
    Here a part of my config:
    AES256 - SHA 2 512 - DH14 2048 (used in Phase 1 and in Phase 2)
    Authentication: IP addresses and PSK
    Dial in direction: Sophos XG initiates connection to pfSense.

    Here the error log:
    "found 1 matching config, but none allows pre-shared key authentication using Main Mode"

    Bullshit! It is main mode!!! Why does this log throw out totally wrong information? Sophos XG is in main mode and pfSense is in main mode. I switched pfSense to aggressive mode just for a test. Same result. There is only one configuration for an IPSec VPN tunnel, so it is impossible to find the wrong configuration.
    Any ideas?
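The quoted log line is emitted by the responder's IKE daemon (strongSwan on pfSense) and refers to the responder's own connection definitions: the peer was found by address, but none of the matching definitions permitted pre-shared key authentication in the exchange mode the initiator used. The following script is an added example, not code from the thread or from pfSense/strongSwan; it models that decision order in a simplified form (address match first, then auth method and main/aggressive mode, then transform proposals) so the three distinct failure messages can be compared. The class names, the `select_config` function and the sample addresses are constructed for illustration.

```python
"""Added example (not from the original forum post): a simplified model of how an
IKEv1 responder picks a connection definition for an incoming Phase 1 and why it
can log "found N matching config, but none allows pre-shared key authentication
using Main Mode". The matching order below is an assumption for illustration,
not strongSwan's or pfSense's actual code."""
from dataclasses import dataclass, field

AUTH_NAMES = {"psk": "pre-shared key", "pubkey": "public key"}


@dataclass
class PeerConfig:
    name: str
    local_addr: str
    remote_addr: str                 # "%any" accepts any initiator address
    auth: str                        # "psk" or "pubkey"
    aggressive: bool                 # True = aggressive mode, False = main mode
    proposals: set = field(default_factory=set)  # e.g. {"aes256-sha512-modp2048"}


@dataclass
class Phase1Request:
    src: str                         # initiator address
    dst: str                         # responder address
    auth: str
    aggressive: bool
    proposals: set


def match_by_address(configs, req):
    """Step 1: candidates whose endpoints fit the packet's src/dst."""
    return [c for c in configs
            if c.local_addr == req.dst and c.remote_addr in ("%any", req.src)]


def select_config(configs, req):
    """Return (config_or_None, log_message) following the responder's decision order."""
    mode = "Aggressive Mode" if req.aggressive else "Main Mode"
    candidates = match_by_address(configs, req)
    if not candidates:
        return None, f"no matching config for {req.src}...{req.dst}"
    # Step 2: the auth method *and* the exchange mode must be allowed by a candidate
    allowed = [c for c in candidates
               if c.auth == req.auth and c.aggressive == req.aggressive]
    if not allowed:
        return None, (f"found {len(candidates)} matching config, but none allows "
                      f"{AUTH_NAMES.get(req.auth, req.auth)} authentication using {mode}")
    # Step 3: only now are the transform proposals compared
    for c in allowed:
        common = sorted(c.proposals & req.proposals)
        if common:
            return c, f"selected '{c.name}' with proposal {common[0]}"
    return None, "no proposal chosen (encryption/hash/DH group mismatch)"


# Constructed sample: documentation addresses, nothing taken from the thread.
SOPHOS = "192.0.2.10"                # initiator (Sophos XG side)
PFSENSE = "198.51.100.20"            # responder (pfSense side)
PROPOSAL = "aes256-sha512-modp2048"  # AES256 / SHA2-512 / DH14 as in the post


def demo():
    """Run the same main-mode PSK request against three responder configurations."""
    req = Phase1Request(SOPHOS, PFSENSE, "psk", aggressive=False, proposals={PROPOSAL})
    # (a) responder set to aggressive mode while the initiator uses main mode
    wrong_mode = [PeerConfig("con1", PFSENSE, SOPHOS, "psk", True, {PROPOSAL})]
    # (b) both sides agree on main mode and PSK
    ok = [PeerConfig("con1", PFSENSE, SOPHOS, "psk", False, {PROPOSAL})]
    # (c) mode and auth agree, but the DH group differs
    bad_dh = [PeerConfig("con1", PFSENSE, SOPHOS, "psk", False, {"aes256-sha512-modp1024"})]
    return {
        "wrong_mode": select_config(wrong_mode, req)[1],
        "ok": select_config(ok, req)[1],
        "bad_dh": select_config(bad_dh, req)[1],
    }


if __name__ == "__main__":
    for label, message in demo().items():
        print(f"{label:>10}: {message}")
```

Running it prints the exact "found 1 matching config ..." text for case (a), which shows why toggling aggressive mode on only one side reproduces the same complaint, and a different message for a DH-group mismatch, so the two problems can be told apart in the responder's log.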

  • @jens9
    Hello, here is my P1 config, which works fine:
    [screenshots of the Phase 1 configuration]

    Hope it will be useful, bye.

  • Hello Babiz

    I hope you didn't compromise yourself by posting your PSK here 😉
    Are you also using a Sophos XG on the opposite side?

    Configuring this was so frustrating that I finally gave up. I did not want to try out all encryption mode possibilities to find a working solution. It should work with any encryption mode. Finally I tried OPNsense, which is a fork of pfSense. Since this worked on my first try with the same configuration on my Sophos XG, I guess this is a case for the developers to check out what is wrong here in the IPSec section.
    Maybe the frontend UI does not configure the backend correctly here. I have no other explanation for the strange behaviour.

    I will try out your configuration after my holidays, which begin soon. For now the tunnels are up and do their job.

    Best Regards

  • Nice to see @jens9 you "solved" your issue, don't worry about my PSK, I regenerate it periodically 🚪

    My VPN in truth is pfSense to pfSense, so your IPsec configuration discovery is very interesting; you have checked this kind of behavior, and on top of it all, OPNsense might be working fine, better than pfSense does. Lool!

    Hope in the meantime some developers like @jimp look at this strange thing about dealing with IPsec internals.
    Best regards.
