Problem with tunnel between Sonicwall tz170 <> Pfsense
-
I'm trying to replace the actual TZ170 with a pfSense appliance.
Actually I have an IPSec tunnel between offices using two TZ170 firewalls.
I have configured the tunnel on pfSense copying the configuration of the actual TZ170.
All seems to work OK, but finally an error appears and I can't ping the machines on the other side of the tunnel.
Here is the log:
Jun 17 18:35:02 racoon: INFO: @(#)ipsec-tools 0.7.2 (http://ipsec-tools.sourceforge.net)
Jun 17 18:35:02 racoon: INFO: @(#)This product linked OpenSSL 0.9.8e 23 Feb 2007 (http://www.openssl.org/)
Jun 17 18:35:02 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
Jun 17 18:35:02 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=13)
Jun 17 18:35:02 racoon: [Self]: INFO: a.a.a.a[500] used as isakmp port (fd=14)
Jun 17 18:35:02 racoon: [Self]: INFO: 192.1.1.8[500] used as isakmp port (fd=15)
Jun 17 18:35:02 racoon: INFO: unsupported PF_KEY message REGISTER
Jun 17 18:35:02 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=13)
Jun 17 18:35:02 racoon: [Self]: INFO: a.a.a.a[500] used as isakmp port (fd=14)
Jun 17 18:35:02 racoon: [Self]: INFO: 192.1.1.8[500] used as isakmp port (fd=15)
Jun 17 18:35:40 racoon: [Tunel VPN con oficinas en Madrid]: INFO: IPsec-SA request for b.b.b.b queued due to no phase1 found.
Jun 17 18:35:40 racoon: [Tunel VPN con oficinas en Madrid]: INFO: initiate new phase 1 negotiation: a.a.a.a[500]<=>b.b.b.b[500]
Jun 17 18:35:40 racoon: INFO: begin Identity Protection mode.
Jun 17 18:35:41 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Jun 17 18:35:41 racoon: [Tunel VPN con oficinas en Madrid]: INFO: ISAKMP-SA established a.a.a.a[500]-b.b.b.b[500] spi:ca0e64f8479c291d:ad2b4ec594140855
Jun 17 18:35:42 racoon: [Tunel VPN con oficinas en Madrid]: INFO: initiate new phase 2 negotiation: a.a.a.a[500]<=>b.b.b.b[500]
Jun 17 18:35:42 racoon: [Tunel VPN con oficinas en Madrid]: INFO: IPsec-SA established: ESP b.b.b.b[0]->a.a.a.a[0] spi=96389617(0x5bec9f1)
Jun 17 18:35:42 racoon: [Tunel VPN con oficinas en Madrid]: INFO: IPsec-SA established: ESP a.a.a.a[0]->b.b.b.b[0] spi=1168655515(0x45a8449b)
Jun 17 18:35:53 racoon: ERROR: unknown Informational exchange received.

I have a firewall rule on the IPSEC adaptor that lets pass from everywhere, from every port, with all protocols, to anywhere.
I have checked the firewall rules log to see if the firewall is blocking packets, but no block appears in the list.
What can be wrong?
-
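A small triage helper for racoon logs like the one above, added here as an example and not taken from the thread: it reduces the log to tunnel state (phase 1 SA, ESP SAs per direction) and records which ERROR lines arrived after both ESP directions were already established, which is exactly the situation the posted log shows. The sample lines are abbreviated from the log in the post.

```python
import re

# Constructed sample, abbreviated from the racoon log posted in the thread.
SAMPLE_LOG = """\
Jun 17 18:35:40 racoon: [Tunel VPN con oficinas en Madrid]: INFO: initiate new phase 1 negotiation: a.a.a.a[500]<=>b.b.b.b[500]
Jun 17 18:35:41 racoon: [Tunel VPN con oficinas en Madrid]: INFO: ISAKMP-SA established a.a.a.a[500]-b.b.b.b[500] spi:ca0e64f8479c291d:ad2b4ec594140855
Jun 17 18:35:42 racoon: [Tunel VPN con oficinas en Madrid]: INFO: IPsec-SA established: ESP b.b.b.b[0]->a.a.a.a[0] spi=96389617(0x5bec9f1)
Jun 17 18:35:42 racoon: [Tunel VPN con oficinas en Madrid]: INFO: IPsec-SA established: ESP a.a.a.a[0]->b.b.b.b[0] spi=1168655515(0x45a8449b)
Jun 17 18:35:53 racoon: ERROR: unknown Informational exchange received.
"""

# One racoon syslog line: timestamp, optional "[tunnel name]:", level, message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) racoon: (?:\[(?P<tunnel>[^\]]*)\]: )?"
    r"(?P<level>\w+): (?P<msg>.*)$"
)
P1_RE = re.compile(r"ISAKMP-SA established (\S+)\[\d+\]-(\S+)\[\d+\] spi:(\S+)")
P2_RE = re.compile(r"IPsec-SA established: ESP (\S+)\[\d+\]->(\S+)\[\d+\] spi=\d+\((0x[0-9a-fA-F]+)\)")


def summarize(log_text):
    """Reduce a racoon log to tunnel state: phase 1 SAs (local, remote, cookies),
    ESP SAs keyed by (src, dst), all ERROR lines, and the errors seen after the tunnel was up."""
    state = {"phase1": [], "phase2": {}, "errors": [], "errors_after_up": []}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a racoon line (or text fused onto one by a copy/paste)
        msg = m.group("msg")
        if p1 := P1_RE.search(msg):
            state["phase1"].append(p1.groups())
        elif p2 := P2_RE.search(msg):
            src, dst, spi = p2.groups()
            state["phase2"][(src, dst)] = spi
        elif m.group("level") == "ERROR":
            state["errors"].append((m.group("ts"), msg))
            if tunnel_up(state):  # error arrived after IKE had finished its job
                state["errors_after_up"].append(msg)
    return state


def tunnel_up(state):
    """True when an ISAKMP-SA exists and ESP SAs exist in both directions for the same peer pair."""
    if not state["phase1"]:
        return False
    dirs = set(state["phase2"])
    return any((a, b) in dirs and (b, a) in dirs for a, b, _ in state["phase1"])
```

If `tunnel_up()` is true and the pings still fail, the negotiation itself succeeded, so the next things to compare are the phase 2 networks/selectors and the policy on each side rather than the IKE settings.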
Where do you have your VPN policy bound on the SonicWall?
-
I'm trying to replace the actual TZ170 with a pfSense appliance.
Actually I have an IPSec tunnel between offices using two TZ170 firewalls.

I did something similar, and it was actually the easiest IPsec I ever set up.
(But, funny thing, and I'll post later on this) as soon as I ENABLE IPSEC on the pfSense, the access from the LAN to the BRIDGED DMZ stops completely.