IPsec Site-To-Site pfSense <-> Securepoint
-
Hi,
we have a problem with an IPsec IKEv2 Site-To-Site tunnel between pfSense and Securepoint.
pfSense WAN: public static IPv4 net, directly routed from ISP. Securepoint WAN: VDSL with VDSL modem (Allnet VDSL modem, no router), public static IPv4.
It is only possible to establish a connection from the Securepoint Firewall and not from pfSense. When the connection is established, everything is working fine, but the connection drops once per day randomly and must be reestablished from the Securepoint Firewall.
Connection Settings
Phase 1:
City A Public IP: X.X.X.X
City B Public IP: X.X.X.X
Authentication Method: Mutual PSK
My identifier: My IP address
Peer identifier: Peer IP address
PSK: XXX
Encryption Algorithm: AES 128 bits, SHA256, DH Group 14 (2048 bit)
Lifetime: 86400s
Dead Peer Detection: enabled
Phase 2:
Local Network: 192.168.2.0/24
Remote Network: 192.168.46.0/24
Protocol: ESP
Encryption Algorithm: AES 128 bits
Hash Algorithms: SHA256, SHA384
PFS key group: 14 (2048 bit)
Lifetime: 3600s
Connection settings are the same on both firewalls. Securepoint Support says everything is configured correctly.
When I'm trying to establish the connection from pfSense I get the following logs:
May 17 12:54:33 charon 07[IKE] <con5000|86410> IKE_SA con5000[86410] state change: CONNECTING => DESTROYING
May 17 12:54:33 charon 07[CFG] <con5000|86410> configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
May 17 12:54:33 charon 07[IKE] <con5000|86410> received NO_PROPOSAL_CHOSEN notify error
May 17 12:54:33 charon 07[ENC] <con5000|86410> parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
May 17 12:54:33 charon 07[NET] <con5000|86410> received packet: from X.X.X.X[500] to X.X.X.X[500] (36 bytes)
May 17 12:54:33 charon 07[NET] <con5000|86410> sending packet: from X.X.X.X[500] to X.X.X.X[500] (464 bytes)
May 17 12:54:33 charon 07[ENC] <con5000|86410> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
May 17 12:54:33 charon 07[CFG] <con5000|86410> sending supported signature hash algorithms: sha256 sha384 sha512 identity
May 17 12:54:33 charon 07[CFG] <con5000|86410> configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
May 17 12:54:33 charon 07[IKE] <con5000|86410> IKE_SA con5000[86410] state change: CREATED => CONNECTING
May 17 12:54:33 charon 07[IKE] <con5000|86410> initiating IKE_SA con5000[86410] to X.X.X.X
May 17 12:54:33 charon 07[IKE] <con5000|86410> activating IKE_AUTH_LIFETIME task
May 17 12:54:33 charon 07[IKE] <con5000|86410> activating CHILD_CREATE task
May 17 12:54:33 charon 07[IKE] <con5000|86410> activating IKE_CONFIG task
May 17 12:54:33 charon 07[IKE] <con5000|86410> activating IKE_CERT_POST task
May 17 12:54:33 charon 07[IKE] <con5000|86410> activating IKE_AUTH task
May 17 12:54:33 charon 07[IKE] <con5000|86410> activating IKE_CERT_PRE task
May 17 12:54:33 charon 07[IKE] <con5000|86410> activating IKE_NATD task
May 17 12:54:33 charon 07[IKE] <con5000|86410> activating IKE_INIT task
May 17 12:54:33 charon 07[IKE] <con5000|86410> activating IKE_VENDOR task
May 17 12:54:33 charon 07[IKE] <con5000|86410> activating new tasks
May 17 12:54:33 charon 07[IKE] <con5000|86410> queueing CHILD_CREATE task
May 17 12:54:33 charon 07[IKE] <con5000|86410> queueing IKE_AUTH_LIFETIME task
May 17 12:54:33 charon 07[IKE] <con5000|86410> queueing IKE_CONFIG task
May 17 12:54:33 charon 07[IKE] <con5000|86410> queueing IKE_CERT_POST task
May 17 12:54:33 charon 07[IKE] <con5000|86410> queueing IKE_AUTH task
May 17 12:54:33 charon 07[IKE] <con5000|86410> queueing IKE_CERT_PRE task
May 17 12:54:33 charon 07[IKE] <con5000|86410> queueing IKE_NATD task
May 17 12:54:33 charon 07[IKE] <con5000|86410> queueing IKE_INIT task
May 17 12:54:33 charon 07[IKE] <con5000|86410> queueing IKE_VENDOR task
Do you have any hints on what we can do to debug the connection any further?
Thanks in advance! -
@posto587 said in IPsec Site-To-Site pfSense <-> Securepoint:
May 17 12:54:33 charon 07[IKE] <con5000|86410> received NO_PROPOSAL_CHOSEN notify error
May 17 12:54:33 charon 07[CFG] <con5000|86410> configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
The other side is rejecting the tunnel transform proposal.
You are asking for:
AES_CBC_128
SHA256
PFS Group 14
They will have to tell you why they are rejecting that.
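An added example, not posted by either participant in this thread: a small parser for the charon (strongSwan) lines quoted above that reports what pfSense offered in IKE_SA_INIT, which notify error came back, and whether the IKE_SA was torn down. The diff_proposals helper compares two proposals written in strongSwan notation transform by transform; the peer-side strings used with it are hypothetical, not Securepoint's actual configuration, which the thread does not show.

```python
import re

# Constructed sample of the charon lines quoted in the thread, newest first
# as pfSense displays them; X.X.X.X stands in for the real addresses.
SAMPLE_LOG = """\
May 17 12:54:33 charon 07[IKE] <con5000|86410> IKE_SA con5000[86410] state change: CONNECTING => DESTROYING
May 17 12:54:33 charon 07[CFG] <con5000|86410> configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
May 17 12:54:33 charon 07[IKE] <con5000|86410> received NO_PROPOSAL_CHOSEN notify error
May 17 12:54:33 charon 07[ENC] <con5000|86410> parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
May 17 12:54:33 charon 07[NET] <con5000|86410> received packet: from X.X.X.X[500] to X.X.X.X[500] (36 bytes)
"""

PROPOSAL_RE = re.compile(r"IKE:([A-Z0-9_/]+)")          # each offered IKE proposal
NOTIFY_RE = re.compile(r"received (\w+) notify error")   # error notify sent by the peer
STATE_RE = re.compile(r"state change: (\w+) => (\w+)")   # IKE_SA state transitions

def parse_proposal(proposal):
    """Split a strongSwan proposal string into its transform types.
    AES-CBC proposals read ENCR/INTEG/PRF/DH; AEAD ciphers (AES_GCM) omit INTEG."""
    parts = proposal.split("/")
    keys = {4: ("encryption", "integrity", "prf", "dh_group"),
            3: ("encryption", "prf", "dh_group")}.get(len(parts))
    if keys is None:
        raise ValueError(f"unexpected proposal format: {proposal}")
    return dict(zip(keys, parts))

def analyze_ike_init(log_text):
    """Summarise one IKE_SA_INIT attempt: what was offered, what came back,
    and whether the IKE_SA was destroyed. Line order does not matter."""
    summary = {"proposals": [], "notify_error": None, "destroyed": False}
    for line in log_text.splitlines():
        for p in PROPOSAL_RE.findall(line):
            if p not in summary["proposals"]:
                summary["proposals"].append(p)
        m = NOTIFY_RE.search(line)
        if m:
            summary["notify_error"] = m.group(1)
        m = STATE_RE.search(line)
        if m and m.group(2) == "DESTROYING":
            summary["destroyed"] = True
    return summary

def diff_proposals(local, peer):
    """Return the transform types that differ between two proposals in strongSwan
    notation; any non-empty result is a reason for NO_PROPOSAL_CHOSEN."""
    a, b = parse_proposal(local), parse_proposal(peer)
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}
```

Run it over the full Status > System Logs > IPsec output from both attempts (pfSense-initiated and Securepoint-initiated) and compare the proposals that actually got accepted with the one that was rejected.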