IPsec Site-To-Site pfSense <-> Securepoint



  • Hi,

    we have a problem with a IPsec IKEv2 Site-To-Site tunnel between pfSense and Securepoint.
    pfSense WAN: public static IPv4 net, directly routed from ISP, Securepoint WAN: VDSL with VDSL modem (Allnet VDSL modem, no router), public static IPv4.

    It is only possible to establish a connection from the Securepoint Firewall and not from pfSense. When connection is established, everything is working fine but the connection drops once per day randomly and must be reestablished from the Securepoint Firewall.

    Connection Settings

    Phase1:
    City A Public IP:                 X.X.X.X
    City B Pulbic IP:                X.X.X.X
    Authentication Method:              Mutual PSK
    My identifier:                      My IP address
    Peer identifier:                    Peer IP address
    PSK:                                XXX
    Encryption Algorithm:               AES 128bits, SHA256, DH Group 14 (2048 bit)
    Lifetime:                           86400s
    Dead Peer Detection:                enabled
    
    Phase2:
    Local Network:                      192.168.2.0/24
    Remote Network:                     192.168.46.0/24
    Protocol:                           ESP
    Encryption Algorithm:               AES 128 bits
    Hash Algorithms:                    SHA256, SHA384
    PFS key group:                      14 (2048 bit)
    Lifetime:                           3600s
    
    

    Connection settings are the same on both firewalls. Securepoint Support says everything is configured correctly.

    When I'm trying to establish the connection from pfSense I get the following logs:

    May 17 12:54:33 	charon 		07[IKE] <con5000|86410> IKE_SA con5000[86410] state change: CONNECTING => DESTROYING
    May 17 12:54:33 	charon 		07[CFG] <con5000|86410> configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
    May 17 12:54:33 	charon 		07[IKE] <con5000|86410> received NO_PROPOSAL_CHOSEN notify error
    May 17 12:54:33 	charon 		07[ENC] <con5000|86410> parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
    May 17 12:54:33 	charon 		07[NET] <con5000|86410> received packet: from X.X.X.X[500] to X.X.X.X[500] (36 bytes)
    May 17 12:54:33 	charon 		07[NET] <con5000|86410> sending packet: from X.X.X.X[500] to X.X.X.X[500] (464 bytes)
    May 17 12:54:33 	charon 		07[ENC] <con5000|86410> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    May 17 12:54:33 	charon 		07[CFG] <con5000|86410> sending supported signature hash algorithms: sha256 sha384 sha512 identity
    May 17 12:54:33 	charon 		07[CFG] <con5000|86410> configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
    May 17 12:54:33 	charon 		07[IKE] <con5000|86410> IKE_SA con5000[86410] state change: CREATED => CONNECTING
    May 17 12:54:33 	charon 		07[IKE] <con5000|86410> initiating IKE_SA con5000[86410] to X.X.X.X
    May 17 12:54:33 	charon 		07[IKE] <con5000|86410> activating IKE_AUTH_LIFETIME task
    May 17 12:54:33 	charon 		07[IKE] <con5000|86410> activating CHILD_CREATE task
    May 17 12:54:33 	charon 		07[IKE] <con5000|86410> activating IKE_CONFIG task
    May 17 12:54:33 	charon 		07[IKE] <con5000|86410> activating IKE_CERT_POST task
    May 17 12:54:33 	charon 		07[IKE] <con5000|86410> activating IKE_AUTH task
    May 17 12:54:33 	charon 		07[IKE] <con5000|86410> activating IKE_CERT_PRE task
    May 17 12:54:33 	charon 		07[IKE] <con5000|86410> activating IKE_NATD task
    May 17 12:54:33 	charon 		07[IKE] <con5000|86410> activating IKE_INIT task
    May 17 12:54:33 	charon 		07[IKE] <con5000|86410> activating IKE_VENDOR task
    May 17 12:54:33 	charon 		07[IKE] <con5000|86410> activating new tasks
    May 17 12:54:33 	charon 		07[IKE] <con5000|86410> queueing CHILD_CREATE task
    May 17 12:54:33 	charon 		07[IKE] <con5000|86410> queueing IKE_AUTH_LIFETIME task
    May 17 12:54:33 	charon 		07[IKE] <con5000|86410> queueing IKE_CONFIG task
    May 17 12:54:33 	charon 		07[IKE] <con5000|86410> queueing IKE_CERT_POST task
    May 17 12:54:33 	charon 		07[IKE] <con5000|86410> queueing IKE_AUTH task
    May 17 12:54:33 	charon 		07[IKE] <con5000|86410> queueing IKE_CERT_PRE task
    May 17 12:54:33 	charon 		07[IKE] <con5000|86410> queueing IKE_NATD task
    May 17 12:54:33 	charon 		07[IKE] <con5000|86410> queueing IKE_INIT task
    May 17 12:54:33 	charon 		07[IKE] <con5000|86410> queueing IKE_VENDOR task 
    

    Do you have any hints on what we can do to debug the connection any further?
    Thanks in advance!


  • LAYER 8 Netgate

    @posto587 said in IPsec Site-To-Site pfSense <-> Securepoint:

    May 17 12:54:33 charon 07[IKE] <con5000|86410> received NO_PROPOSAL_CHOSEN notify error
    May 17 12:54:33 charon 07[CFG] <con5000|86410> configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048

    The other side is rejecting the tunnel transform proposal

    You are asking for:
    AES_CBC_128
    SHA256
    PFS Group 14

    They will have to tell you why they are rejecting that.


Log in to reply