Setting up IPsec VPN pfSense to D-Link DSR-1000 router
-
@Konstanti Hi, thank you, but it still didn't work. Wait, I'll try to get the file that you want to see.
-
I don't think you need to enable NAT traversal on phase 1.
-
@kiokoman Hi, yes, I just left it on, but I don't think that's the problem. Here's the file that you're asking for; I just improvised, so forgive me, haha.
-
Remote IP is 202.175.233.250.
Why do you have 125.5.78.227 in the pfSense log?
-
@kiokoman Sorry, the first part was my first config, and right now I've changed it to make it simple.
-
Are UDP ports 500 and 4500 open on 125.5.78.227?
.228 is filtered, but .227 shows as closed to me.
-
@kiokoman Let me try, hang on. I'm also confused about this D-Link router.
-
Yeah, from the first IPsec log it appears .227 is not receiving the traffic / allowing it in.
-
@kiokoman Hi sir, I think I just need to open port 500, because I don't do NAT traversal, and port 4500 is for NAT traversal, right?
-
@kiokoman Right now I'm getting these logs from pfSense:
09[NET] <10> received packet: from 125.5.78.227[500] to 125.5.78.228[500] (508 bytes)
Jul 29 10:08:23 charon 09[ENC] <10> parsed IKE_SA_INIT request 0 [ SA KE No V ]
Jul 29 10:08:23 charon 09[CFG] <10> looking for an IKEv2 config for 125.5.78.228...125.5.78.227
Jul 29 10:08:23 charon 09[CFG] <10> candidate: 125.5.78.228...125.5.78.227, prio 3100
Jul 29 10:08:23 charon 09[CFG] <10> found matching ike config: 125.5.78.228...125.5.78.227 with prio 3100
Jul 29 10:08:23 charon 09[ENC] <10> received unknown vendor ID: af:ca:d7:13:68:a1:f1:c9:6b:86:96:fc:77:57:01:00
Jul 29 10:08:23 charon 09[IKE] <10> 125.5.78.227 is initiating an IKE_SA
Jul 29 10:08:23 charon 09[IKE] <10> IKE_SA (unnamed)[10] state change: CREATED => CONNECTING
Jul 29 10:08:23 charon 09[CFG] <10> selecting proposal:
Jul 29 10:08:23 charon 09[CFG] <10> proposal matches
Jul 29 10:08:23 charon 09[CFG] <10> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_3072
Jul 29 10:08:23 charon 09[CFG] <10> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_3072
Jul 29 10:08:23 charon 09[CFG] <10> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_3072
Jul 29 10:08:23 charon 09[ENC] <10> generating IKE_SA_INIT response 0 [ SA KE No N(MULT_AUTH) ]
Jul 29 10:08:23 charon 09[NET] <10> sending packet: from 125.5.78.228[500] to 125.5.78.227[500] (512 bytes)
-
No, you opened ports 1 to 500 for outgoing and 1 to 4500 for incoming.
I don't know the D-Link, but you probably need 2 rules:
UDP
Outgoing
start port 500
to 500
Incoming
start port 500
to 500

Another rule with
UDP
Outgoing
start port 4500
to 4500
Incoming
start port 4500
to 4500

Check if you have the latest firmware for the D-Link.
-
@kiokoman I already did that, but it didn't help; that's why I'm going crazy. Wait, hang on, let me change it. And for the firmware, it's already up to date, sadly :(
-
2.13?
https://tsd.dlink.com.tw/downloads2008.asp
-
Nope.
-
@kiokoman Oh no, it appears that I can upgrade the firmware up to 3.14.
-
OK, but I think the rules are on the wrong interface; it should be WAN, not LAN.
-
@kiokoman Yes, I agree on that, but my only options are LAN and DMZ. Damn, this DSR is really a pain in the ass.
-
I've read the manual and saw some videos on YouTube; it seems that there is no need to open the port.
https://eu.dlink.com/uk/en/support/faq/routers/wireless-routers/dsr-series/uk_dsr_how_to_setup_vpn_ipsec_between_dsr_series
https://www.youtube.com/watch?v=fppUQfmtNt8
What I would suggest at this point is to upgrade the firmware, completely reset / hard reset the router and start over.