Site-to-site VPN pfSense to Sonicwall PRO 2040



  • Hi,

    I've spent the better part of today trying to configure a site-to-site VPN between pfSense/IPSEC and a Sonicwall PRO 2040 using a preshared key over the internet.  Both firewalls have static WAN IPs.  I've searched and read through as much of the available documentation as I'm able to absorb, including some of the pfSense and m0n0wall docs, but I have been unable to achieve success with the information that I've found.  My goal is to replace a Sonicwall TELE3, through which I have had a working VPN using manual keys, with pfSense.

    In the pfSense web GUI, I see these 4 messages repeated in the IPSEC system log (aa.aa.aa.aa and 192.168.1.1 represent the WAN and LAN addresses respectively of my local pfSense box.  10.1.1.1 represents the LAN address of the remote Sonicwall):

    
    Sep 28 22:45:30 	racoon: [Self]: INFO: aa.aa.aa.aa[500] used as isakmp port (fd=9)
    Sep 28 22:45:30 	racoon: [Self]: INFO: 192.168.1.1[500] used as isakmp port (fd=8)
    Sep 28 22:45:30 	racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=7)
    Sep 28 22:45:30 	racoon: INFO: unsupported PF_KEY message REGISTER
    
    

    I've seen several posts here and elsewhere that refer to the message "unsupported PF_KEY message REGISTER".  In several of those posts, the issues were resolved.  However, none of the solutions have helped me to get my VPN running.

    When I run racoon in debug mode, I get the following:

    
    Foreground mode.
    2009-09-28 23:28:16: INFO: @(#)ipsec-tools 0.7.1 (http://ipsec-tools.sourceforge.net)
    2009-09-28 23:28:16: INFO: @(#)This product linked OpenSSL 0.9.8e 23 Feb 2007 (http://www.openssl.org/)
    2009-09-28 23:28:16: INFO: Reading configuration from "/var/etc/racoon.conf"
    2009-09-28 23:28:16: DEBUG: call pfkey_send_register for AH
    2009-09-28 23:28:16: DEBUG: call pfkey_send_register for ESP
    2009-09-28 23:28:16: DEBUG: call pfkey_send_register for IPCOMP
    2009-09-28 23:28:16: INFO: Resize address pool from 0 to 255
    2009-09-28 23:28:16: DEBUG: reading config file /var/etc/racoon.conf
    2009-09-28 23:28:16: DEBUG: compression algorithm can not be checked because sadb message doesn't support it.
    2009-09-28 23:28:16: DEBUG: getsainfo params: loc='192.168.1.0/24', rmt='10.1.1.0/24', peer='NULL', id=0
    2009-09-28 23:28:16: DEBUG: getsainfo pass #2
    2009-09-28 23:28:16: DEBUG: my interface: aa.aa.aa.aa (fxp0)
    2009-09-28 23:28:16: DEBUG: my interface: 192.168.1.1 (rl0)
    2009-09-28 23:28:16: DEBUG: my interface: 127.0.0.1 (lo0)
    2009-09-28 23:28:16: DEBUG: configuring default isakmp port.
    2009-09-28 23:28:16: DEBUG: 3 addrs are configured successfully
    2009-09-28 23:28:16: INFO: 127.0.0.1[500] used as isakmp port (fd=6)
    2009-09-28 23:28:16: INFO: 192.168.1.1[500] used as isakmp port (fd=7)
    2009-09-28 23:28:16: INFO: aa.aa.aa.aa[500] used as isakmp port (fd=8)
    2009-09-28 23:28:16: DEBUG: pk_recv: retry[0] recv() 
    2009-09-28 23:28:16: DEBUG: get pfkey X_SPDDUMP message
    2009-09-28 23:28:16: DEBUG: pk_recv: retry[0] recv() 
    2009-09-28 23:28:16: DEBUG: get pfkey X_SPDDUMP message
    2009-09-28 23:28:16: DEBUG: sub:0xbfbfe684: 10.1.1.0/24[0] 192.168.1.0/24[0] proto=any dir=in
    2009-09-28 23:28:16: DEBUG: db :0x2853d078: 192.168.1.0/24[0] 192.168.1.1/32[0] proto=any dir=in
    2009-09-28 23:28:16: DEBUG: pk_recv: retry[0] recv() 
    2009-09-28 23:28:16: DEBUG: get pfkey X_SPDDUMP message
    2009-09-28 23:28:16: DEBUG: sub:0xbfbfe684: 192.168.1.1/32[0] 192.168.1.0/24[0] proto=any dir=out
    2009-09-28 23:28:16: DEBUG: db :0x2853d078: 192.168.1.0/24[0] 192.168.1.1/32[0] proto=any dir=in
    2009-09-28 23:28:16: DEBUG: sub:0xbfbfe684: 192.168.1.1/32[0] 192.168.1.0/24[0] proto=any dir=out
    2009-09-28 23:28:16: DEBUG: db :0x2853d1a8: 10.1.1.0/24[0] 192.168.1.0/24[0] proto=any dir=in
    2009-09-28 23:28:16: DEBUG: pk_recv: retry[0] recv() 
    2009-09-28 23:28:16: DEBUG: get pfkey X_SPDDUMP message
    2009-09-28 23:28:16: DEBUG: sub:0xbfbfe684: 192.168.1.0/24[0] 10.1.1.0/24[0] proto=any dir=out
    2009-09-28 23:28:16: DEBUG: db :0x2853d078: 192.168.1.0/24[0] 192.168.1.1/32[0] proto=any dir=in
    2009-09-28 23:28:16: DEBUG: sub:0xbfbfe684: 192.168.1.0/24[0] 10.1.1.0/24[0] proto=any dir=out
    2009-09-28 23:28:16: DEBUG: db :0x2853d1a8: 10.1.1.0/24[0] 192.168.1.0/24[0] proto=any dir=in
    2009-09-28 23:28:16: DEBUG: sub:0xbfbfe684: 192.168.1.0/24[0] 10.1.1.0/24[0] proto=any dir=out
    2009-09-28 23:28:16: DEBUG: db :0x2853d2d8: 192.168.1.1/32[0] 192.168.1.0/24[0] proto=any dir=out
    2009-09-28 23:29:51: INFO: caught signal 2
    2009-09-28 23:29:51: DEBUG: pk_recv: retry[0] recv() 
    2009-09-28 23:29:51: DEBUG: get pfkey FLUSH message
    2009-09-28 23:29:52: DEBUG: call pfkey_send_dump
    2009-09-28 23:29:52: DEBUG: pk_recv: retry[0] recv() 
    2009-09-28 23:29:52: INFO: racoon shutdown
    
    

    I have gone over the settings on both firewalls many, many times, trying to make sure that they are identical.  I'm new to dealing with networking issues at this level of detail, so it's likely that I've missed a setting somewhere.  Hopefully the above logs will provide some clues to someone with experience.

    Thanks for taking the time to look at this.

    –Dave

    Also, I don't see any sign of attempted connections in the Sonicwall log.  I've set up Sonicwall-to-Sonicwall VPNs before, so I would expect to see some activity in the logs even if, for example, authentication fails.

    In the following line from the racoon debug session, shouldn't "peer" show the remote gateway address?

    
    2009-09-28 23:28:16: DEBUG: getsainfo params: loc='192.168.1.0/24', rmt='10.1.1.0/24', peer='NULL', id=0
    
    


  • I have a pfSense box connected to my SonicWALL 3060 PRO. Try this: copy my settings. Obviously substitute the fields I've changed.

    All the "Random Shared Secret" fields should also be the same, obviously.

    pfSense Config



    SonicWALL Config





  • That's a bad config. You are using PFS GP2 on the pfSense box, but in the SonicWALL you don't have it checked to use it. Check that box on the SonicWALL and it will come alive.

    Kyle
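An added example, not posted by anyone in this thread: a small Python checker that does mechanically what Kyle did by eye, comparing both ends' phase 1 and phase 2 proposals and the mirrored networks and gateways, then listing each mismatch. All values (the remote gateway bb.bb.bb.bb, the algorithms, lifetimes and the PSK) are constructed placeholders.

```python
# Added example, not from the thread: compare the two ends of a pfSense <-> SonicWALL
# IPsec site-to-site definition and list every mismatch that would keep the
# tunnel down, including the PFS-group mismatch Kyle spotted by eye.
# Every value below is constructed for illustration.

PHASE1_KEYS = ("exchange_mode", "encryption", "hash", "dh_group", "lifetime", "auth")
PHASE2_KEYS = ("protocol", "encryption", "hash", "pfs_group", "lifetime")
# My local network/gateway must equal the peer's remote network/gateway.
MIRRORED = (("local_subnet", "remote_subnet"), ("remote_subnet", "local_subnet"),
            ("local_gw", "remote_gw"), ("remote_gw", "local_gw"))


def compare_tunnel(a, b, a_name="pfSense", b_name="SonicWALL"):
    """Return a list of mismatch strings; an empty list means the settings agree."""
    problems = []
    for phase, keys in (("phase1", PHASE1_KEYS), ("phase2", PHASE2_KEYS)):
        for key in keys:
            va, vb = a[phase].get(key), b[phase].get(key)
            if va != vb:  # None on one side means the option is not enabled there
                problems.append(f"{phase}.{key}: {a_name}={va!r} {b_name}={vb!r}")
    for mine, theirs in MIRRORED:
        if a[mine] != b[theirs]:
            problems.append(f"{mine}: {a_name}={a[mine]!r} but {b_name} {theirs}={b[theirs]!r}")
    if a.get("psk") != b.get("psk"):
        problems.append("pre-shared key differs (values not shown)")
    return problems


# Constructed sample: pfSense proposes PFS group 2, the SonicWALL has PFS off.
PFSENSE = {
    "phase1": {"exchange_mode": "main", "encryption": "3des", "hash": "sha1",
               "dh_group": 2, "lifetime": 28800, "auth": "psk"},
    "phase2": {"protocol": "esp", "encryption": "3des", "hash": "sha1",
               "pfs_group": 2, "lifetime": 3600},
    "local_subnet": "192.168.1.0/24", "remote_subnet": "10.1.1.0/24",
    "local_gw": "aa.aa.aa.aa", "remote_gw": "bb.bb.bb.bb", "psk": "example-psk",
}
SONICWALL = {
    "phase1": dict(PFSENSE["phase1"]),
    "phase2": {"protocol": "esp", "encryption": "3des", "hash": "sha1",
               "pfs_group": None, "lifetime": 3600},
    "local_subnet": "10.1.1.0/24", "remote_subnet": "192.168.1.0/24",
    "local_gw": "bb.bb.bb.bb", "remote_gw": "aa.aa.aa.aa", "psk": "example-psk",
}

if __name__ == "__main__":
    for line in compare_tunnel(PFSENSE, SONICWALL):
        print("MISMATCH", line)
```

Running it on the sample reports only the phase 2 PFS line; once the SonicWALL side is given PFS group 2 the list is empty.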

