Netgate Discussion Forum

    IPSec VPN from pfSense to WatchGuard

jlepthien:

Hi there,

I have a really unstable IPSec tunnel. The configuration on both sides really is identical and I do not know what else to do. On my pfSense box with a dynamic IP, racoonctl show-sa esp tells me that the tunnel is up. When pinging through the tunnel it takes about 30 pings until the other site responds. The tunnel shows up on both ends, but if I stop the ping, a few minutes after that I need to do my ping -t again in order for traffic to flow through. I am running pfSense 1.2.3 and the WatchGuard has got 10.2.7. The only special thing on the VPN is that of course I have to use aggressive mode…

Any hints?

| apple fanboy | music lover | network and security specialist | in love with cisco systems |
jlepthien:

Just found this: http://forum.pfsense.org/index.php/topic,17850.0.html

Will try using md5 now and report back…
jlepthien:

Doesn't seem to work for me…

The last logs are:

Dec 22 15:19:22 racoon: [XXXX]: INFO: ISAKMP-SA deleted 82.82.X.X[500]-213.178.X.X[500] spi=x:x
Dec 22 15:19:21 racoon: INFO: DPD: remote (ISAKMP-SA spi=x:x) seems to be dead.

Should I deactivate DPD?
jimp (Rebel Alliance Developer, Netgate):

Have you tried checking "Prefer old IPsec SAs" under Advanced options?

I just replaced a whole set of fireboxes for a customer and they dropped in pfSense boxes into their VPN mesh and it worked fine, I just had to set that option to make the VPN tunnels stable.

If that doesn't help I can look at what the other tunnel options were and tell you what worked for us.

Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

Need help fast? Netgate Global Support!

Do not Chat/PM for help!
jlepthien:

Hi there,

I will try that. Hmmm. But curious. The tunnel was stable before I upgraded to 1.2.3-release. Was using 1.2.3-RC3…
jlepthien:

From what I can see it works better now. I will reply to you tomorrow again, to see if it still works. But why on earth that option? What is so special about these boxes that you need this?
jimp (Rebel Alliance Developer, Netgate):

Not sure why, but they seem to generate new SAs all the time unnecessarily when the old ones work fine.
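As an added example, not code from the thread, from pfSense or from ipsec-tools, here is a small Python analyzer for racoon log lines like the ones quoted earlier in this thread. It ties each "DPD: remote ... seems to be dead" notice back to the peer whose ISAKMP-SA it names, counts SA establishments and deletions per peer, and flags a new ISAKMP-SA being set up for a peer shortly after a previous one with no deletion or DPD failure in between, which is the kind of unnecessary SA churn described in the post above. The log excerpt embedded in it is constructed (documentation addresses, made-up SPIs); the year, the 600-second churn window and the two accepted spi separators (spi: and spi=) are assumptions, not facts from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample racoon log excerpt in the syslog style quoted in the thread.
# Addresses are from documentation ranges and the SPI values are made up.
SAMPLE_LOG = """\
Dec 22 15:05:01 racoon: INFO: ISAKMP-SA established 198.51.100.10[500]-203.0.113.20[500] spi:aaaa:bbbb
Dec 22 15:09:40 racoon: INFO: ISAKMP-SA established 198.51.100.10[500]-203.0.113.20[500] spi:cccc:dddd
Dec 22 15:19:21 racoon: INFO: DPD: remote (ISAKMP-SA spi=aaaa:bbbb) seems to be dead.
Dec 22 15:19:22 racoon: [203.0.113.20] INFO: ISAKMP-SA deleted 198.51.100.10[500]-203.0.113.20[500] spi:aaaa:bbbb
Dec 22 15:19:30 racoon: INFO: ISAKMP-SA established 198.51.100.10[500]-203.0.113.20[500] spi:eeee:ffff
Dec 22 15:40:00 racoon: INFO: ISAKMP-SA established 198.51.100.10[500]-192.0.2.7[500] spi:1111:2222
"""

# Syslog prefix, optional "[peer]" or "[peer]:" tag, then the racoon message.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) racoon: "
    r"(?:\[[^\]]*\]:? )?INFO: (?P<msg>.*)$"
)
# ISAKMP-SA established/deleted local[port]-peer[port] spi...  ("spi:" and "spi=" are both accepted; assumption)
SA_RE = re.compile(
    r"ISAKMP-SA (?P<event>established|deleted) "
    r"(?P<local>[^\[\s]+)\[\d+\]-(?P<peer>[^\[\s]+)\[\d+\] spi[:=](?P<spi>\S+)"
)
DPD_RE = re.compile(r"DPD: remote \(ISAKMP-SA spi=(?P<spi>[^)]+)\) seems to be dead")


def parse_events(text, year=2009):
    """Turn racoon log text into a list of {time, kind, peer, spi} events.

    kind is 'established', 'deleted' or 'dpd_dead'. DPD lines carry no peer
    address, so the SPI is resolved through the SA that was established with it.
    Syslog omits the year, so the caller supplies one (assumed here).
    """
    events = []
    spi_to_peer = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m.group("ts").split())
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        msg = m.group("msg")
        sa = SA_RE.search(msg)
        if sa:
            spi, peer = sa.group("spi"), sa.group("peer")
            if sa.group("event") == "established":
                spi_to_peer[spi] = peer
            events.append({"time": ts, "kind": sa.group("event"), "peer": peer, "spi": spi})
            continue
        dpd = DPD_RE.search(msg)
        if dpd:
            spi = dpd.group("spi")
            events.append({"time": ts, "kind": "dpd_dead",
                           "peer": spi_to_peer.get(spi, "unknown"), "spi": spi})
    return events


def summarize(events, rekey_window_s=600):
    """Per-peer counts plus a count of 'unneeded_rekeys': a new ISAKMP-SA established
    less than rekey_window_s after the previous one while that one was still alive
    (no deletion or DPD failure seen in between)."""
    by_peer = defaultdict(lambda: {"established": 0, "deleted": 0, "dpd_dead": 0, "unneeded_rekeys": 0})
    alive_since = {}  # peer -> time of the most recent SA we still believe is alive
    for ev in sorted(events, key=lambda e: e["time"]):
        peer, stats = ev["peer"], by_peer[ev["peer"]]
        stats[ev["kind"]] += 1
        if ev["kind"] == "established":
            prev = alive_since.get(peer)
            if prev is not None and (ev["time"] - prev).total_seconds() < rekey_window_s:
                stats["unneeded_rekeys"] += 1
            alive_since[peer] = ev["time"]
        else:
            alive_since.pop(peer, None)  # deleted or declared dead: no live SA to churn against
    return dict(by_peer)


if __name__ == "__main__":
    for peer, stats in summarize(parse_events(SAMPLE_LOG)).items():
        print(peer, stats)
```

Run it against a real racoon log with `parse_events(open("/var/log/ipsec.log").read())` (path is an assumption); a peer whose unneeded_rekeys count climbs while dpd_dead stays at zero is renegotiating for no reason, whereas a peer with many dpd_dead entries has a reachability or DPD-timer problem, which is a different fix.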
jlepthien:

Same problem today. But the weird thing is that if I ping from behind the pfSense box, the traffic starts to flow immediately. From behind the WatchGuard it takes some time…
What other settings did you use? Thanks jimp...
jimp (Rebel Alliance Developer, Netgate):

Here is what I had. Most of the settings were just tailored to match what the previous vendor had used on the fireboxes at the time.

DPD: 60 Sec

Phase 1
Mode: Main
My Identifier: IP Address
Encryption: 3DES
Hash: SHA1
DH Group: 1
Lifetime: 86400
Auth: PSK

Phase 2
Protocol: ESP
Encryption: 3DES (others unchecked)
Hash: SHA1 (MD5 unchecked)
PFS: off
Lifetime: 86400

Automatically ping host: LAN IP of remote firewall
jlepthien:

Hi jimp,

I have the tunnel up and running now with the beta1 of 2.0. Even with my settings the tunnel seems to be really stable now.
Has the ipsec changed so much in 2.0?

My settings are:

Phase 1:
ESP-AES128-SHA1
Lifetime 28800
PSK
DH5

Phase 2:
ESP-AES128-SHA1
Lifetime 2600
PFS
DH5

DPD 10s / 5 retries
jimp (Rebel Alliance Developer, Netgate):

Yes, it changed quite a bit.

The 2.0 beta has a completely different version of ipsec-tools (0.8 instead of 0.7.x) and also has NAT-T support. The GUI was also rewritten.
jlepthien:

After going back to 1.2.3 it is working fine as well. I did not check the 'prefer old sa' box.

DPD: 60 Sec

Phase 1
Mode: Main
My Identifier: Domain (user@domain)
Encryption: 3DES
Hash: SHA1
DH Group: 5
Lifetime: 28800
Auth: PSK

Phase 2
Protocol: ESP
Encryption: AES128 (others unchecked)
Hash: SHA1 (MD5 unchecked)
PFS: on/DH5
Lifetime: 28800

Perhaps someone else could use this info…

Also I disabled NAT-T on the WG, but this is also handled out so I guess it was not the problem.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.