Problem with tunnel between Sonicwall tz170 <> Pfsense



  • I'm trying to replace the current TZ170 with a pfSense appliance.
    Currently I have an IPsec tunnel between offices using two TZ170 firewalls.
    I have configured the tunnel on pfSense by copying the configuration of the current TZ170.
    All seems to work OK, but finally an error appears and I can't ping the machines on the other side of the tunnel.
    Here is the log:
    Jun 17 18:35:02 racoon: INFO: @(#)ipsec-tools 0.7.2 (http://ipsec-tools.sourceforge.net)
    Jun 17 18:35:02 racoon: INFO: @(#)This product linked OpenSSL 0.9.8e 23 Feb 2007 (http://www.openssl.org/)
    Jun 17 18:35:02 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
    Jun 17 18:35:02 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=13)
    Jun 17 18:35:02 racoon: [Self]: INFO: a.a.a.a[500] used as isakmp port (fd=14)
    Jun 17 18:35:02 racoon: [Self]: INFO: 192.1.1.8[500] used as isakmp port (fd=15)
    Jun 17 18:35:02 racoon: INFO: unsupported PF_KEY message REGISTER
    Jun 17 18:35:02 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=13)
    Jun 17 18:35:02 racoon: [Self]: INFO: a.a.a.a[500] used as isakmp port (fd=14)
    Jun 17 18:35:02 racoon: [Self]: INFO: 192.1.1.8[500] used as isakmp port (fd=15)
    Jun 17 18:35:40 racoon: [Tunel VPN con oficinas en Madrid]: INFO: IPsec-SA request for b.b.b.b queued due to no phase1 found.
    Jun 17 18:35:40 racoon: [Tunel VPN con oficinas en Madrid]: INFO: initiate new phase 1 negotiation: a.a.a.a[500]<=>b.b.b.b[500]
    Jun 17 18:35:40 racoon: INFO: begin Identity Protection mode.
    Jun 17 18:35:41 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Jun 17 18:35:41 racoon: [Tunel VPN con oficinas en Madrid]: INFO: ISAKMP-SA established a.a.a.a[500]-b.b.b.b[500] spi:ca0e64f8479c291d:ad2b4ec594140855
    Jun 17 18:35:42 racoon: [Tunel VPN con oficinas en Madrid]: INFO: initiate new phase 2 negotiation: a.a.a.a[500]<=>b.b.b.b[500]
    Jun 17 18:35:42 racoon: [Tunel VPN con oficinas en Madrid]: INFO: IPsec-SA established: ESP b.b.b.b[0]->a.a.a.a[0] spi=96389617(0x5bec9f1)
    Jun 17 18:35:42 racoon: [Tunel VPN con oficinas en Madrid]: INFO: IPsec-SA established: ESP a.a.a.a[0]->b.b.b.b[0] spi=1168655515(0x45a8449b)
    Jun 17 18:35:53 racoon: ERROR: unknown Informational exchange received.

    I have a firewall rule on the IPsec interface that lets everything pass: from everywhere, from every port, with all protocols, to anywhere.
    I have checked the firewall rules log to see if the firewall is blocking packets, but no blocks appear in the list.
    What can be wrong?
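    To read a racoon log like the one above systematically, here is an added example (not from the original post or from pfSense) that parses the negotiation lines quoted in the post and reports whether both IKE phases completed, which ESP SAs exist per direction, and which errors were logged only after the SAs came up. The log text is the post's own lines with its already-anonymised endpoints; the tunnel name and SPI values are copied from the post, nothing else is assumed.

```python
import re

# Constructed sample: the negotiation lines quoted in the post above (endpoints as anonymised there).
RACOON_LOG = """\
Jun 17 18:35:40 racoon: [Tunel VPN con oficinas en Madrid]: INFO: IPsec-SA request for b.b.b.b queued due to no phase1 found.
Jun 17 18:35:40 racoon: [Tunel VPN con oficinas en Madrid]: INFO: initiate new phase 1 negotiation: a.a.a.a[500]<=>b.b.b.b[500]
Jun 17 18:35:41 racoon: [Tunel VPN con oficinas en Madrid]: INFO: ISAKMP-SA established a.a.a.a[500]-b.b.b.b[500] spi:ca0e64f8479c291d:ad2b4ec594140855
Jun 17 18:35:42 racoon: [Tunel VPN con oficinas en Madrid]: INFO: initiate new phase 2 negotiation: a.a.a.a[500]<=>b.b.b.b[500]
Jun 17 18:35:42 racoon: [Tunel VPN con oficinas en Madrid]: INFO: IPsec-SA established: ESP b.b.b.b[0]->a.a.a.a[0] spi=96389617(0x5bec9f1)
Jun 17 18:35:42 racoon: [Tunel VPN con oficinas en Madrid]: INFO: IPsec-SA established: ESP a.a.a.a[0]->b.b.b.b[0] spi=1168655515(0x45a8449b)
Jun 17 18:35:53 racoon: ERROR: unknown Informational exchange received.
"""

# Phase 1: ISAKMP SA with initiator/responder cookies. Phase 2: one ESP SA per direction with its SPI.
PHASE1 = re.compile(r"ISAKMP-SA established ([^\s\[]+)\[\d+\]-([^\s\[]+)\[\d+\] spi:([0-9a-f]+):([0-9a-f]+)")
PHASE2 = re.compile(r"IPsec-SA established: ESP ([^\s\[]+)\[\d+\]->([^\s\[]+)\[\d+\] spi=(\d+)")
ERROR = re.compile(r"racoon: ERROR: (.*)$")


def summarize(log):
    """Walk the log in order; record the phase-1 SA, ESP SAs keyed by direction, and errors split by
    whether they occurred before or after both ESP SAs were in place."""
    result = {"phase1": None, "esp": {}, "errors_before_sa": [], "errors_after_sa": []}
    for line in log.splitlines():
        if m := PHASE1.search(line):
            result["phase1"] = {"local": m.group(1), "peer": m.group(2),
                                "icookie": m.group(3), "rcookie": m.group(4)}
        elif m := PHASE2.search(line):
            result["esp"][f"{m.group(1)}->{m.group(2)}"] = int(m.group(3))
        elif m := ERROR.search(line):
            bucket = "errors_after_sa" if len(result["esp"]) == 2 else "errors_before_sa"
            result[bucket].append(m.group(1))
    return result


def tunnel_is_up(summary):
    """True when phase 1 completed and an ESP SA exists in each direction, i.e. IKE negotiation itself
    succeeded and the failure to pass traffic must be looked for outside the key exchange."""
    return summary["phase1"] is not None and len(summary["esp"]) == 2


if __name__ == "__main__":
    s = summarize(RACOON_LOG)
    print("IKE negotiation complete:", tunnel_is_up(s))
    for direction, spi in s["esp"].items():
        print(f"  ESP {direction} spi={spi} (0x{spi:x})")
    for err in s["errors_after_sa"]:
        print("  error logged after SAs were established:", err)
```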



  • Where do you have your VPN policy bound on the SonicWall?



  • @egarcia:

    I'm trying to replace the current TZ170 with a pfSense appliance.
    Currently I have an IPsec tunnel between offices using two TZ170 firewalls.

    I did something similar, and it was actually the easiest IPsec I ever set up.
    (But, funny thing, and I'll post later on this:) as soon as I ENABLE IPSEC on the pfSense, the access from the LAN to the BRIDGED DMZ stops completely.

