Help required for Juniper SSG 140 - Cannot establish IPSEC tunnel to PF Sense



  • Hi, a newbie here…

    I am trying to configure a VPN tunnel between a Juniper SSG140 and Pfsense 2.0.1

    At present I am not having much luck...

    I have created a tunnel to a ZyXEL firewall from the juniper - so all is working there..
    Have also created a Pfsense to Pfsense tunnel - so I know this is working...

    The best results that I have had is that Phase 2 is establishing... but nothing thereafter...

    Does anyone have a crib sheet or any information that they can forward me regarding a working configuration??

    Many thanks.



  • Have you added firewall rules to allow traffic over IPsec the tunnel ?



  • Hello, yes the firewall rules are there… and as mentioned, a tunnel will build to another PFSense install and a ZyXEL firewall...

    My problem is at the moment that neither logs reveal much sadly...

    Is there a white paper / configuration guide...?



  • Hi, further information shows the following on the Juniper..

    IKE 84.45.109.82 phase 1:The symmetric crypto key has been generated successfully.

    Pfsense gives me..

    Sep 3 15:33:05 racoon: INFO: unsupported PF_KEY message REGISTER
    Sep 3 15:33:05 racoon: DEBUG: got pfkey REGISTER message
    Sep 3 15:33:05 racoon: DEBUG: pk_recv: retry[0] recv()
    Sep 3 15:33:05 racoon: [HQ Phase 1]: [87.82.201.9] DEBUG: configuration "87.82.201.9[500]" selected.
    Sep 3 15:33:05 racoon: [HQ Phase 1]: [87.82.201.9] DEBUG: getrmconf_by_ph1: remote 87.82.201.9[500], identity 87.82.201.9.
    Sep 3 15:33:05 racoon: DEBUG: getsainfo params: loc='10.253.0.0/24' rmt='10.254.0.0/24' peer='NULL' client='NULL' id=1
    Sep 3 15:33:05 racoon: DEBUG: no check of compression algorithm; not supported in sadb message.
    Sep 3 15:33:05 racoon: DEBUG: reading config file /var/etc/racoon.conf
    Sep 3 15:33:05 racoon: DEBUG: pk_recv: retry[2] recv()
    Sep 3 15:33:05 racoon: DEBUG: pk_recv: retry[1] recv()
    Sep 3 15:33:05 racoon: DEBUG: pk_recv: retry[0] recv()

    Any suggestions?



  • Well, obviously ensure you're using same P1 / P2 config at both ends of the tunnel.

    There can be a number of issues, since IPsec is a complex protocol (there even have been some incompatibilities between vendor implementations in the past, although this almost certainly isn't the issue in your case). pfSense is using ipsec-tools (racoon), which is very widely deployed.

    For diagnostics you'd need to check/provide the contents of racoon.conf and spf.conf in /var/etc/ and/or debug-level logs (System -> Advanced -> Misc -> start racoon in debug mode)



  • Hello - files attached.

    racoon.txt
    spd.txt



  • Good morning - I have tried configuring a tunnel against another firewall (ZyXEL) with which I am more familiar - and although I see the initial send/receive main mode request - I then see an IKE Packet re-transmit… its as if the phases are in a continuous loop.

    We are actually hosting PFSense in the cloud with a static public IP for your reference...  The key is to get the tunnel working between the Juniper SSG 140 and PFSense.

    I have attached screens from the config on the Juniper...  & The PFSense screens and the current logs...

    Again, thanks for anyone's help on this - I am new to both these products...

    Generally, my understanding is that apart from the standard phase 1 / phase 2 algorithm settings, there are additional local / remote ID checks.. (previously I have used IP, DNS or Email as an option).

    Within PFSense, the only fields that I can see relating to this - are the LocalID field in the gateway and the MyIdentity field in the PSK area.. but I am not too sure if these are relevant.

    Once again, thank you for your excellent report...






  • Two further images






  • Last image..




  • In the P1's My/Peer Identifier fields, put "My IP address" & "Peer IP address" respectively.

    PS: Also keep in mind that DES and 3DES are different ciphers.


Locked