Stonegate anyone?

  • If anybody has an IPsec (site-to-site) tunnel to a Stonesoft/Stonegate firewall running with pfSense 1.2.x (embedded, alix), I'd appreciate hearing from them. I've tried for a couple of days to get this running, but to no avail. On the pfSense side, I always get the following in the log:

    2009-08-10 13:36:31: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP a.b.c.d[0]->e.f.g.h[0]

    On the stonegate side, the error log says:

    Local (unknown) (e.f.g.h) Remote (unknown) (a.b.c.d) Reason No proposal chosen (SA Payload). IKE Cookies [xxxxx]-[yyyyy]

    FWIW, aggressive mode didn't work at all, the Stonegate would log that the authentication failed. Changing to Main mode lets me get at least this far. I've tried changing the proposals on both ends, and even limiting both ends to a single encryption/hash/lifetime proposal, but I pretty much always get the same errors.

    Here's my racoon.conf

    # This file is automatically generated. Do not edit
    listen {
            adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
    }
    path pre_shared_key "/var/etc/psk.txt";
    path certificate  "/var/etc";
    remote e.f.g.h {
            exchange_mode main;
            my_identifier address "a.b.c.d";
            peers_identifier address e.f.g.h;
            initial_contact on;
            ike_frag on;
            support_proxy on;
            proposal_check obey;
            # phase 1 (IKE SA) proposal offered to e.f.g.h
            proposal {
                    encryption_algorithm blowfish;
                    hash_algorithm sha1;
                    authentication_method pre_shared_key;
                    dh_group 2;
                    lifetime time 3600 secs;
            }
            lifetime time 3600 secs;
    }
    # phase 2 (ESP SA) parameters for h.i.j.0/24 <-> k.l.m.0/24
    sainfo address h.i.j.0/24 any address k.l.m.0/24 any {
            encryption_algorithm blowfish;
            authentication_algorithm hmac_sha1;
            compression_algorithm deflate;
            pfs_group 2;
            lifetime time 1800 secs;
    }

    There's a line in the wiki which notes that Stonegate is compatible, but no configuration…

    I'd really like to get this working, so I can finally migrate off my old firewall (OpenBSD based, has served well for many years, but it's power hungry and heat generating).

    Thanks in advance.

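The two log lines in the post describe the same failure from both sides: racoon never gets past phase 1, and the Stonegate answers the initiator's SA payload with "No proposal chosen", which in IKEv1 is the responder's notification that none of the offered phase 1 transforms matches its policy. The script below is an added example, not code from the original post or from pfSense: it parses the posted racoon.conf into its phase 1 and phase 2 proposals and reports which parameters a responder enforcing a given acceptance policy would refuse. `EXAMPLE_PEER_POLICY` is a made-up placeholder used only to drive the example and is not taken from any Stonegate documentation; substitute the values the peer is actually configured to accept before drawing conclusions.

```python
"""Parse a racoon.conf and diff its IKE proposals against a peer's accepted values."""
import re

# Constructed input: the racoon.conf from the post, with the closing braces
# that the forum rendering dropped. Addresses are the post's placeholders.
SAMPLE_CONF = """
# This file is automatically generated. Do not edit
listen {
        adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
}
path pre_shared_key "/var/etc/psk.txt";
path certificate  "/var/etc";
remote e.f.g.h {
        exchange_mode main;
        my_identifier address "a.b.c.d";
        peers_identifier address e.f.g.h;
        initial_contact on;
        ike_frag on;
        support_proxy on;
        proposal_check obey;
        proposal {
                encryption_algorithm blowfish;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
                lifetime time 3600 secs;
        }
        lifetime time 3600 secs;
}
sainfo address h.i.j.0/24 any address k.l.m.0/24 any {
        encryption_algorithm blowfish;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
        pfs_group 2;
        lifetime time 1800 secs;
}
"""

# Hypothetical responder policy: parameter -> set of values the peer accepts.
# This is an assumption for the example, NOT the Stonegate's real algorithm set.
EXAMPLE_PEER_POLICY = {
    "encryption_algorithm": {"3des", "aes"},
    "hash_algorithm": {"sha1", "md5"},
    "dh_group": {"2", "5"},
    "authentication_method": {"pre_shared_key"},
}


def tokenize(text):
    """Split racoon.conf text into words, quoted strings, and the { } ; delimiters."""
    tokens = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # drop trailing comments
        for m in re.finditer(r'"[^"]*"|[{};]|[^\s{};"]+', line):
            tokens.append(m.group(0).strip('"'))
    return tokens


def parse(tokens):
    """Build a nested list of (header_tokens, children) entries.

    A plain statement has children None; a block has a list of entries.
    """
    def block(i):
        entries, cur = [], []
        while i < len(tokens):
            t = tokens[i]
            i += 1
            if t == ";":
                entries.append((cur, None))
                cur = []
            elif t == "{":
                children, i = block(i)
                entries.append((cur, children))
                cur = []
            elif t == "}":
                return entries, i
            else:
                cur.append(t)
        return entries, i
    return block(0)[0]


def stmts_to_dict(entries):
    """Flatten a block's simple statements into {keyword: 'rest of line'}."""
    return {h[0]: " ".join(h[1:]) for h, c in entries if c is None and h}


def phase1_proposals(entries):
    """Return (peer, proposal_dict) for every proposal {} inside a remote block."""
    out = []
    for header, children in entries:
        if header and header[0] == "remote" and children is not None:
            for h, c in children:
                if h == ["proposal"] and c is not None:
                    out.append((header[1], stmts_to_dict(c)))
    return out


def phase2_proposals(entries):
    """Return (selector, parameter_dict) for every sainfo block."""
    return [(" ".join(header[1:]), stmts_to_dict(children))
            for header, children in entries
            if header and header[0] == "sainfo" and children is not None]


def proposal_mismatches(proposal, policy):
    """List (parameter, offered, accepted) for every parameter the policy rejects.

    Lifetime is deliberately not compared: it is negotiated between the peers
    rather than matched exactly, so it is not what 'No proposal chosen' points at.
    """
    return [(k, proposal.get(k), sorted(v))
            for k, v in policy.items() if proposal.get(k) not in v]


def diagnose(conf_text, policy):
    """Map each remote peer to the phase 1 parameters the policy would refuse."""
    entries = parse(tokenize(conf_text))
    return [(peer, proposal_mismatches(prop, policy))
            for peer, prop in phase1_proposals(entries)]


if __name__ == "__main__":
    for peer, bad in diagnose(SAMPLE_CONF, EXAMPLE_PEER_POLICY):
        status = "no phase 1 mismatch" if not bad else ", ".join(
            f"{k}={offered!r} not in {accepted}" for k, offered, accepted in bad)
        print(f"remote {peer}: {status}")
```

Run against the posted file, the report names only the parameters that fall outside the assumed policy, which is the list to walk through on the Stonegate side one value at a time rather than guessing at whole proposal sets.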