Pfsense - zyxel usg100 vpn crashes both firewalls!



  • Hi, I am a pfSense newbie and non-Linux minded ??? but a long-time networker.

    I am trying to make a site-to-site IPsec tunnel work between pfSense 1.2-RC4
    built on Sat Jan 5 23:19:27 UTC 2008 (ARCA appliance box) and a Zyxel USG 100 with firmware 2.20 aqq.4.

    I manage to get the tunnel up and running and can ping between both sites, but the minute I try to make a connection, e.g. RDP or HTTP, to the remote site, both firewalls halt and reboot and the connection is lost. The tunnel is rebuilt upon bootup.

    I am monitoring with syslog but none of my logs give me any hints of what happens.

    Any hints or suggestions are welcome.

    Below is the pfSense IPsec config which so far proves to be the most "stable":

    <ipsec>
      <preferredoldsa/>
      <tunnel>
        <disabled/>  <!-- disabled on purpose! -->
        <interface>wan</interface>
        <local-subnet>
          <address>214.x.x.x/24</address>
        </local-subnet>
        <remote-subnet>192.168.130.0/24</remote-subnet>
        <remote-gateway>8x.x.x.x</remote-gateway>
        <p1>
          <mode>aggressive</mode>
          <myident>
            <fqdn>dr.dk</fqdn>
          </myident>
          <encryption-algorithm>3des</encryption-algorithm>
          <hash-algorithm>sha1</hash-algorithm>
          <dhgroup>2</dhgroup>
          <lifetime>28800</lifetime>
          <pre-shared-key>%Ftesting</pre-shared-key>
          <private-key/>
          <cert/>
          <peercert/>
          <authentication_method>pre_shared_key</authentication_method>
        </p1>
        <p2>
          <protocol>esp</protocol>
          <encryption-algorithm-option>3des</encryption-algorithm-option>
          <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
          <pfsgroup>2</pfsgroup>
          <lifetime>86400</lifetime>
        </p2>
        <descr>Vejle</descr>
        <pinghost>192.168.130.1</pinghost>
      </tunnel>
      <enable/>
    </ipsec>


  • Hi,

    Test the tunnel with a newer release or v2.0 if possible.

    Found a similar thread http://forum.pfsense.org/index.php?topic=19000.0 with 1.2.2.

    Changing the algorithm doesn't change anything?

    Do both firewalls get too hot? :D

    EDIT:

    1. What about this?

       <pfsgroup>2</pfsgroup>
       <lifetime>86400</lifetime>

       The p2 lifetime is larger than in p1?

       -> change the p2 lifetime to 3600 on both firewalls
       -> try to disable Perfect Forward Secrecy (pfsgroup) in p2 for better compatibility on both ends

    2. Use MAIN mode for site-to-site on both ends.
    3. Uncheck the "prefer older SA" option.
    4. Try not to use the pinghost directive.
    5. Use DPD 60s on both ends.

    cya
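    To check a pfSense 1.2 `<ipsec>` config against the points raised in this reply (p2 lifetime longer than p1, aggressive mode, pinghost, "prefer older SA"), here is an added example that is not part of the thread; it assumes the 1.2 config.xml layout in which flags such as `<preferredoldsa/>` are empty elements, and uses a constructed sample with placeholder addresses and PSK.

```python
import xml.etree.ElementTree as ET

# Constructed sample based on the tunnel posted above; addresses and the
# pre-shared key are placeholders, flag elements are written as empty tags.
SAMPLE_CONFIG = """<ipsec>
  <preferredoldsa/>
  <tunnel>
    <interface>wan</interface>
    <remote-subnet>192.168.130.0/24</remote-subnet>
    <remote-gateway>REMOTE_GW_PLACEHOLDER</remote-gateway>
    <p1>
      <mode>aggressive</mode>
      <myident><fqdn>dr.dk</fqdn></myident>
      <lifetime>28800</lifetime>
      <pre-shared-key>PSK_PLACEHOLDER</pre-shared-key>
    </p1>
    <p2>
      <pfsgroup>2</pfsgroup>
      <lifetime>86400</lifetime>
    </p2>
    <pinghost>192.168.130.1</pinghost>
  </tunnel>
  <enable/>
</ipsec>"""


def lint_ipsec(xml_text):
    """Return [(tunnel_index, finding), ...]; index None means a global setting."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.find("preferredoldsa") is not None:
        findings.append((None, "'prefer older SA' is set; reply suggests unchecking it"))
    for i, tun in enumerate(root.findall("tunnel")):
        p1, p2 = tun.find("p1"), tun.find("p2")
        p1_life = int(p1.findtext("lifetime", "0"))
        p2_life = int(p2.findtext("lifetime", "0"))
        if p2_life > p1_life:
            findings.append((i, f"p2 lifetime {p2_life}s exceeds p1 lifetime {p1_life}s "
                                f"(reply suggests 3600s for p2 on both ends)"))
        if p1.findtext("mode") == "aggressive":
            findings.append((i, "p1 uses aggressive mode; reply suggests main mode"))
        if tun.find("pinghost") is not None:
            findings.append((i, "pinghost directive is set; reply suggests dropping it"))
    return findings


if __name__ == "__main__":
    for idx, msg in lint_ipsec(SAMPLE_CONFIG):
        print(f"tunnel {idx}: {msg}")
```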



  • I have dropped trying to connect the USG-100 and pfSense firewall. The pfSense handles PPTP VPNs and I am not willing to give this feature up.

    I was advised not to try v2.0 by the provider of the pfSense appliance due to reported stability issues.

    I tried various settings as per your suggestions, before my initial post.

    I ended up buying 2 SMB Cisco routers for the VPN tunnel instead.

    Will look into posts covering 1 GB WAN IPsec where I will implement a pfSense-to-pfSense VPN to keep it simple and cost effective.

