Netgate Discussion Forum
Help to solve IPsec problem

Category: IPsec
7 Posts, 3 Posters, 496 Views
Giorgio Dutto:

Hi to all and thanks in advance....

[screenshot: e86cc41b-edf1-4dd7-aab3-cac021624a10-immagine.png]

This is my situation:
a: pfSense IPsec
b: DrayTek

pfSense log:

michmoor, replying to Giorgio Dutto:

@Giorgio-Dutto
What is sticking out to me is this:

[screenshot: 52a33e75-b0db-49f9-9126-f7cebd3ed3dd-image.png]

Is this a site-to-site IPsec VPN?
Can you provide the config for each site?

        Firewall: NetGate,Palo Alto-VM,Juniper SRX
        Routing: Juniper, Arista, Cisco
        Switching: Juniper, Arista, Cisco
        Wireless: Unifi, Aruba IAP
        JNCIP,CCNP Enterprise

Giorgio Dutto, replying to michmoor:

          @michmoor

pfSense:

[screenshot: 63432a59-ed40-4d9b-a6e8-a3e6ca2b3c1e-immagine.png]
[screenshot: 8b26fc4d-a693-4b0e-8230-0fdbb79c6275-immagine.png]
[screenshot: 6329d9d2-e0a4-4088-8290-07d523fdb9e9-immagine.png]
[screenshot: 1c8e12dc-f897-4859-8603-3d9ba9924e58-immagine.png]

DrayTek:

[screenshot: 40bba17c-97a1-4980-aa51-0bf9ab5a36bc-immagine.png]

[screenshot: 1d9f64df-9c78-49c5-b5c7-54d18881224d-immagine.png]

michmoor, replying to Giorgio Dutto (last edited by michmoor):

            @Giorgio-Dutto

            A few things stick out.

1. The DrayTek is sitting behind a NAT device. So in pfSense, when you select Peer Identifier, make sure you put in the real source IP of the gateway. For example 192.168.1.2 (whatever it is pre-NAT).
2. pfSense is using PFS group 14 for Phase 2. Although I see the DrayTek configuration selected to use PFS, which key value is it using? Does it default to group 14?
3. Phase 2 lifetimes appear to be mismatched. pfSense is set to 86400s while the DrayTek is set for 600s.

In the pfSense GUI, do you see P1 established? Is P2 the one that is failing? Not sure where in the process things break down.


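The "where does it break down" question above is normally answered by the charon log (strongSwan, which is the IPsec daemon pfSense runs) under Status > System Logs > IPsec. The following is an added example, not part of the thread and not the poster's real log: it walks constructed charon lines in the shape strongSwan emits and reports whether the negotiation stopped at the Phase 1 identity lookup or at the Phase 2 selector match. It also pulls out the IKE ID the peer actually sent, which for a peer behind NAT is its pre-NAT address, and that value is what the pfSense Peer Identifier has to be set to. The log lines, the addresses and the connection name "con1000" are constructed.

```python
import re

# Constructed charon (strongSwan) log excerpts in the shape pfSense shows under
# Status > System Logs > IPsec. Addresses are documentation/private ranges, not
# the poster's. Case 1: the remote router sits behind NAT and identifies itself
# with its pre-NAT address, so pfSense finds no Phase 1 config for that identity.
LOG_P1_FAIL = """\
charon: 13[IKE] <1> 198.51.100.20 is initiating an IKE_SA
charon: 13[CFG] <1> looking for peer configs matching 203.0.113.10[203.0.113.10]...198.51.100.20[192.168.1.2]
charon: 13[CFG] <1> no matching peer config found
"""

# Case 2: Phase 1 comes up, but the Phase 2 traffic selectors do not match.
LOG_P2_FAIL = """\
charon: 05[CFG] <1> looking for peer configs matching 203.0.113.10[203.0.113.10]...198.51.100.20[192.168.1.2]
charon: 05[IKE] <1> IKE_SA con1000[1] established between 203.0.113.10[203.0.113.10]...198.51.100.20[192.168.1.2]
charon: 05[CFG] <1> no matching CHILD_SA config found
"""

# "local_addr[local_id]...peer_addr[peer_id]": the bracketed value is the IKE ID.
PEER_CFG_RE = re.compile(
    r"looking for (?:pre-shared key )?peer configs matching "
    r"\S+\[[^\]]+\]\.\.\.(?P<peer_addr>\S+)\[(?P<peer_id>[^\]]+)\]")
NO_PEER_RE = re.compile(r"no matching peer config found")
IKE_UP_RE = re.compile(r"IKE_SA \S+\[\d+\] established between")
NO_CHILD_RE = re.compile(r"no matching CHILD_SA config found")
CHILD_UP_RE = re.compile(r"CHILD_SA \S+\{\d+\} established with SPIs")


def diagnose(log_text):
    """Walk the log once and report the stage at which negotiation stopped."""
    result = {"peer_addr": None, "peer_id": None, "p1_established": False,
              "p2_established": False, "stage": "no negotiation seen", "advice": None}
    for line in log_text.splitlines():
        m = PEER_CFG_RE.search(line)
        if m:
            result["peer_addr"], result["peer_id"] = m.group("peer_addr"), m.group("peer_id")
        elif NO_PEER_RE.search(line):
            result["stage"] = "phase1 identity"
        elif IKE_UP_RE.search(line):
            result["p1_established"] = True
            result["stage"] = "phase1 up"
        elif NO_CHILD_RE.search(line):
            result["stage"] = "phase2 selectors"
        elif CHILD_UP_RE.search(line):
            result["p2_established"] = True
            result["stage"] = "phase2 up"

    if result["stage"] == "phase1 identity":
        if result["peer_id"] and result["peer_id"] != result["peer_addr"]:
            # Packet source and IKE ID differ: classic sign of a peer behind NAT.
            result["advice"] = (f"peer sends IKE ID {result['peer_id']} but arrives from "
                                f"{result['peer_addr']}: it is behind NAT; set Peer Identifier "
                                f"to IP address {result['peer_id']}")
        else:
            result["advice"] = "peer identity matches no Phase 1; check Peer Identifier"
    elif result["stage"] == "phase2 selectors":
        result["advice"] = ("Phase 1 is up; the Phase 2 local/remote networks must mirror "
                            "each other on both sides")
    return result


if __name__ == "__main__":
    for name, log in (("case 1", LOG_P1_FAIL), ("case 2", LOG_P2_FAIL)):
        print(name, diagnose(log))
```

The regexes match the wording strongSwan uses for both IKEv1 ("looking for pre-shared key peer configs matching") and IKEv2 ("looking for peer configs matching"), so the same script works whichever version the tunnel is using.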
Giorgio Dutto, replying to michmoor:

@michmoor
Great!!!

It was exactly the "Peer Identifier".
Now the only thing I can't do is see all the subnets of the remote site....

[screenshot: 9873cfa2-693d-4109-bbea-f1b97b2bf734-image.png]

I added the second subnet but I don't see it.

viragomann, replying to Giorgio Dutto:

@Giorgio-Dutto
Note that a /24 network address ends with ".0". As well, the network settings in the Phase 2 of both sites have to match.
So you need to correct this on the DrayTek.

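Putting the four checks from this thread together (the Peer Identifier against the IKE ID a NATed peer really sends, the PFS group, the Phase 2 lifetime, and Phase 2 networks that must be real network addresses and mirror each other on both sides), here is an added example that is not part of the thread: a small Python comparison of two constructed side-by-side configurations. The addresses (RFC 5737 and RFC 1918 ranges), the field names and the DrayTek values are assumptions for illustration, not the poster's real configuration.

```python
import ipaddress

# Constructed side-by-side settings modelled on the thread. The addresses and
# field names are assumptions, not the poster's real configuration. Phase 2
# entries are (local network, remote network) as seen from that box.
PFSENSE = {
    "peer_identifier": "198.51.100.20",   # typed as the peer's public (post-NAT) address
    "p2_pfs_group": 14,
    "p2_lifetime": 86400,
    "p2_networks": [("10.10.0.0/24", "192.168.5.0/24"),
                    ("10.10.0.0/24", "192.168.6.0/24")],   # the added "second subnet"
}
DRAYTEK = {
    "ike_id_sent": "192.168.1.2",         # pre-NAT WAN address it puts in its IKE ID
    "p2_pfs_group": None,                 # PFS is on but the GUI does not show the group
    "p2_lifetime": 600,
    "p2_networks": [("192.168.5.1/24", "10.10.0.0/24")],   # host address typed by mistake
}


def as_network(text):
    """Parse a subnet as typed. Returns (network, had_host_bits): '192.168.5.1/24'
    is a host address, strict parsing rejects it, so we normalise and flag it."""
    try:
        return ipaddress.ip_network(text, strict=True), False
    except ValueError:
        return ipaddress.ip_network(text, strict=False), True


def selector_pairs(side, networks, findings, flip):
    """Normalise one side's Phase 2 list into (pfSense-local, pfSense-remote)
    pairs, flagging any entry that is not a real network address."""
    pairs = set()
    for typed_local, typed_remote in networks:
        local, bad_local = as_network(typed_local)
        remote, bad_remote = as_network(typed_remote)
        for typed, net, bad in ((typed_local, local, bad_local),
                                (typed_remote, remote, bad_remote)):
            if bad:
                findings.append(f"P2 ERROR: {side} network {typed} is a host address; "
                                f"a /{net.prefixlen} network address is {net}")
        pairs.add((remote, local) if flip else (local, remote))
    return pairs


def compare(pf, dt):
    findings = []
    # 1. Phase 1: the Peer Identifier must equal the IKE ID the peer really sends,
    #    which for a peer behind NAT is its pre-NAT address, not the public one.
    if pf["peer_identifier"] != dt["ike_id_sent"]:
        findings.append(f"P1 ERROR: Peer Identifier {pf['peer_identifier']} != IKE ID "
                        f"{dt['ike_id_sent']} sent by the peer (behind NAT: use the pre-NAT address)")
    # 2. PFS: both sides must use the same DH group.
    if dt["p2_pfs_group"] is None:
        findings.append(f"P2 WARN: peer has PFS on but the group is not shown; "
                        f"it must be group {pf['p2_pfs_group']}")
    elif dt["p2_pfs_group"] != pf["p2_pfs_group"]:
        findings.append(f"P2 ERROR: PFS group {pf['p2_pfs_group']} != {dt['p2_pfs_group']}")
    # 3. Lifetime: IKEv2 does not negotiate it (the shorter side simply rekeys first),
    #    so a mismatch is a warning; align the values anyway.
    if pf["p2_lifetime"] != dt["p2_lifetime"]:
        findings.append(f"P2 WARN: lifetime {pf['p2_lifetime']}s != {dt['p2_lifetime']}s")
    # 4. Selectors: every pfSense (local, remote) pair needs a mirrored (remote, local)
    #    entry on the peer, and vice versa.
    pf_pairs = selector_pairs("pfSense", pf["p2_networks"], findings, flip=False)
    dt_pairs = selector_pairs("peer", dt["p2_networks"], findings, flip=True)
    for local, remote in sorted(pf_pairs - dt_pairs, key=str):
        findings.append(f"P2 ERROR: pfSense entry {local} <-> {remote} has no matching Phase 2 on the peer")
    for local, remote in sorted(dt_pairs - pf_pairs, key=str):
        findings.append(f"P2 ERROR: peer entry {remote} <-> {local} has no matching Phase 2 on pfSense")
    return findings


if __name__ == "__main__":
    for finding in compare(PFSENSE, DRAYTEK):
        print(finding)
```

Run against the constructed values it reports the Peer Identifier mismatch, the unknown PFS group, the lifetime mismatch, the "192.168.5.1/24" host address that should be "192.168.5.0/24", and the second pfSense subnet that has no Phase 2 counterpart on the peer; with the peer identifier set to 192.168.1.2 and matching entries on the DrayTek it reports nothing.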
Giorgio Dutto, replying to viragomann:

@viragomann
Oops!
Thanks, will correct.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.