Netgate Discussion Forum
    IPsec Site-To-Site pfSense <-> Securepoint

IPsec, 2 Posts, 2 Posters

posto587

      Hi,

      we have a problem with an IPsec IKEv2 Site-To-Site tunnel between pfSense and Securepoint.
      pfSense WAN: public static IPv4 net, directly routed from ISP, Securepoint WAN: VDSL with VDSL modem (Allnet VDSL modem, no router), public static IPv4.

      It is only possible to establish a connection from the Securepoint Firewall and not from pfSense. When connection is established, everything is working fine but the connection drops once per day randomly and must be reestablished from the Securepoint Firewall.

      Connection Settings

      Phase1:
      City A Public IP:                   X.X.X.X
      City B Public IP:                   X.X.X.X
      Authentication Method:              Mutual PSK
      My identifier:                      My IP address
      Peer identifier:                    Peer IP address
      PSK:                                XXX
      Encryption Algorithm:               AES 128bits, SHA256, DH Group 14 (2048 bit)
      Lifetime:                           86400s
      Dead Peer Detection:                enabled
      
      Phase2:
      Local Network:                      192.168.2.0/24
      Remote Network:                     192.168.46.0/24
      Protocol:                           ESP
      Encryption Algorithm:               AES 128 bits
      Hash Algorithms:                    SHA256, SHA384
      PFS key group:                      14 (2048 bit)
      Lifetime:                           3600s
      
      

      Connection settings are the same on both firewalls. Securepoint Support says everything is configured correctly.

      When I'm trying to establish the connection from pfSense I get the following logs:

      May 17 12:54:33 	charon 		07[IKE] <con5000|86410> IKE_SA con5000[86410] state change: CONNECTING => DESTROYING
      May 17 12:54:33 	charon 		07[CFG] <con5000|86410> configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
      May 17 12:54:33 	charon 		07[IKE] <con5000|86410> received NO_PROPOSAL_CHOSEN notify error
      May 17 12:54:33 	charon 		07[ENC] <con5000|86410> parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
      May 17 12:54:33 	charon 		07[NET] <con5000|86410> received packet: from X.X.X.X[500] to X.X.X.X[500] (36 bytes)
      May 17 12:54:33 	charon 		07[NET] <con5000|86410> sending packet: from X.X.X.X[500] to X.X.X.X[500] (464 bytes)
      May 17 12:54:33 	charon 		07[ENC] <con5000|86410> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
      May 17 12:54:33 	charon 		07[CFG] <con5000|86410> sending supported signature hash algorithms: sha256 sha384 sha512 identity
      May 17 12:54:33 	charon 		07[CFG] <con5000|86410> configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
      May 17 12:54:33 	charon 		07[IKE] <con5000|86410> IKE_SA con5000[86410] state change: CREATED => CONNECTING
      May 17 12:54:33 	charon 		07[IKE] <con5000|86410> initiating IKE_SA con5000[86410] to X.X.X.X
      May 17 12:54:33 	charon 		07[IKE] <con5000|86410> activating IKE_AUTH_LIFETIME task
      May 17 12:54:33 	charon 		07[IKE] <con5000|86410> activating CHILD_CREATE task
      May 17 12:54:33 	charon 		07[IKE] <con5000|86410> activating IKE_CONFIG task
      May 17 12:54:33 	charon 		07[IKE] <con5000|86410> activating IKE_CERT_POST task
      May 17 12:54:33 	charon 		07[IKE] <con5000|86410> activating IKE_AUTH task
      May 17 12:54:33 	charon 		07[IKE] <con5000|86410> activating IKE_CERT_PRE task
      May 17 12:54:33 	charon 		07[IKE] <con5000|86410> activating IKE_NATD task
      May 17 12:54:33 	charon 		07[IKE] <con5000|86410> activating IKE_INIT task
      May 17 12:54:33 	charon 		07[IKE] <con5000|86410> activating IKE_VENDOR task
      May 17 12:54:33 	charon 		07[IKE] <con5000|86410> activating new tasks
      May 17 12:54:33 	charon 		07[IKE] <con5000|86410> queueing CHILD_CREATE task
      May 17 12:54:33 	charon 		07[IKE] <con5000|86410> queueing IKE_AUTH_LIFETIME task
      May 17 12:54:33 	charon 		07[IKE] <con5000|86410> queueing IKE_CONFIG task
      May 17 12:54:33 	charon 		07[IKE] <con5000|86410> queueing IKE_CERT_POST task
      May 17 12:54:33 	charon 		07[IKE] <con5000|86410> queueing IKE_AUTH task
      May 17 12:54:33 	charon 		07[IKE] <con5000|86410> queueing IKE_CERT_PRE task
      May 17 12:54:33 	charon 		07[IKE] <con5000|86410> queueing IKE_NATD task
      May 17 12:54:33 	charon 		07[IKE] <con5000|86410> queueing IKE_INIT task
      May 17 12:54:33 	charon 		07[IKE] <con5000|86410> queueing IKE_VENDOR task 
      

      Do you have any hints on what we can do to debug the connection any further?
      Thanks in advance!

      Derelict (Netgate)

        @posto587 said in IPsec Site-To-Site pfSense <-> Securepoint:

        May 17 12:54:33 charon 07[IKE] <con5000|86410> received NO_PROPOSAL_CHOSEN notify error
        May 17 12:54:33 charon 07[CFG] <con5000|86410> configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048

        The other side is rejecting the tunnel transform proposal.

        You are asking for:
        AES_CBC_128
        SHA256
        PFS Group 14

        They will have to tell you why they are rejecting that.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)
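The log excerpt in the first post and the diagnosis in the reply both come down to one fact: the NO_PROPOSAL_CHOSEN notify arrives inside the IKE_SA_INIT response, so it is the Phase 1 (IKE SA) proposal that the peer refuses, before authentication or Phase 2 ever start. The script below is an added example, not code from the thread or from pfSense/strongSwan: it parses the charon lines quoted above (embedded as a constructed sample), extracts the proposal pfSense offered and the notify it received, and then compares that proposal field by field against a list of proposals the peer is assumed to accept. The peer list (PEER_PROPOSALS) is a hypothetical placeholder; in practice it is whatever the Securepoint side exports or its support confirms. The comparison reports the fewest-differences match, which is usually the setting to correct first.

```python
import re
from dataclasses import dataclass, fields

# Constructed sample: the relevant charon lines from the post (addresses redacted as in the thread)
SAMPLE_LOG = """\
May 17 12:54:33 charon 07[IKE] <con5000|86410> IKE_SA con5000[86410] state change: CONNECTING => DESTROYING
May 17 12:54:33 charon 07[CFG] <con5000|86410> configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
May 17 12:54:33 charon 07[IKE] <con5000|86410> received NO_PROPOSAL_CHOSEN notify error
May 17 12:54:33 charon 07[ENC] <con5000|86410> parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
May 17 12:54:33 charon 07[NET] <con5000|86410> received packet: from X.X.X.X[500] to X.X.X.X[500] (36 bytes)
"""

PROPOSAL_RE = re.compile(r"configured proposals: IKE:(\S+)")
NOTIFY_RE = re.compile(r"received (\w+) notify error")
EXCHANGE_RE = re.compile(r"parsed (\w+) response \d+ \[ N\(NO_PROP\) \]")


@dataclass(frozen=True)
class IkeProposal:
    """One strongSwan IKE proposal: encryption/integrity/PRF/DH group."""
    encryption: str
    integrity: str
    prf: str
    dh_group: str


def parse_proposal(text):
    """Split 'AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048' into its four fields."""
    parts = text.split("/")
    if len(parts) != 4:
        raise ValueError(f"unexpected IKE proposal format: {text}")
    return IkeProposal(*parts)


def analyze_log(log):
    """Return (offered proposals, notify errors, exchange that carried NO_PROP) from charon lines."""
    proposals = set()
    notifies = []
    exchange = None
    for line in log.splitlines():
        if m := PROPOSAL_RE.search(line):
            proposals.add(parse_proposal(m.group(1)))
        if m := NOTIFY_RE.search(line):
            notifies.append(m.group(1))
        if m := EXCHANGE_RE.search(line):
            exchange = m.group(1)
    return proposals, notifies, exchange


def closest_mismatch(local, peer):
    """Among all local/peer pairs, return (local, peer, differing field names) with the fewest differences.

    An empty tuple of differing fields means a proposal matches exactly and
    NO_PROPOSAL_CHOSEN must have another cause (e.g. the peer list is wrong).
    """
    best = None
    for lp in local:
        for pp in peer:
            diff = tuple(f.name for f in fields(IkeProposal) if getattr(lp, f.name) != getattr(pp, f.name))
            if best is None or len(diff) < len(best[2]):
                best = (lp, pp, diff)
    return best


# Hypothetical peer configuration (assumption, not taken from the thread): the remote side only
# accepts AES-256 for the IKE SA, everything else identical to what pfSense offers.
PEER_PROPOSALS = {
    IkeProposal("AES_CBC_256", "HMAC_SHA2_256_128", "PRF_HMAC_SHA2_256", "MODP_2048"),
}


def diagnose(log, peer_proposals):
    """Turn the parsed log plus the peer's accepted list into a one-line finding."""
    local, notifies, exchange = analyze_log(log)
    if "NO_PROPOSAL_CHOSEN" not in notifies:
        return "no NO_PROPOSAL_CHOSEN in log"
    phase = "Phase 1 (IKE SA)" if exchange == "IKE_SA_INIT" else "Phase 2 (CHILD SA)"
    lp, pp, diff = closest_mismatch(local, peer_proposals)
    if not diff:
        return f"{phase} proposal matches peer exactly; check the peer list or the peer's logs"
    details = ", ".join(f"{d}: ours={getattr(lp, d)} peer={getattr(pp, d)}" for d in diff)
    return f"{phase} rejected; closest peer proposal differs in {details}"


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, PEER_PROPOSALS))
```

The fields compared are exactly the three values listed in the reply (encryption, hash/integrity, DH group) plus the PRF, which strongSwan derives from the hash and prints alongside it. Run against a real pfSense log, swap PEER_PROPOSALS for the values the peer administrator confirms; if the closest match shows no differing field, the mismatch is somewhere the IKE_SA_INIT proposal does not cover (IKE version, key exchange mode, or a restriction on the peer that its own logs will show).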

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.