
    IPsec between pfSense 2.0 and Watchguard XTM

    gbrown100:

      Hi,

      I'm trying to get an IPsec tunnel between my pfSense box and a client's Watchguard XTM running. Have configured as 3DES/MD5 but no matter what we try they never seem to connect. All I can get out of the debug logs is below. My subnet is 192.168.25.0/24, his 192.168.100.0/24. Googling and searching this forum hasn't revealed an answer for me.

      254.89 is my LAN and 192.168.254.0/24 is my LAN subnet; there should not be anything in the VPN config for them. The subnet I want to VPN from is on a VLAN and has a dedicated public IP for it to NAT out on.

      Thanks

      Graham

      Nov 12 15:10:11 racoon: INFO: racoon process 43902 shutdown
      Nov 12 15:10:16 racoon: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
      Nov 12 15:10:16 racoon: INFO: @(#)This product linked OpenSSL 0.9.8n 24 Mar 2010 (http://www.openssl.org/)
      Nov 12 15:10:16 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
      Nov 12 15:10:16 racoon: DEBUG: call pfkey_send_register for AH
      Nov 12 15:10:16 racoon: DEBUG: call pfkey_send_register for ESP
      Nov 12 15:10:16 racoon: DEBUG: call pfkey_send_register for IPCOMP
      Nov 12 15:10:16 racoon: DEBUG: reading config file /var/etc/racoon.conf
      Nov 12 15:10:16 racoon: DEBUG: no check of compression algorithm; not supported in sadb message.
      Nov 12 15:10:16 racoon: DEBUG: getsainfo params: loc='192.168.25.0/24' rmt='192.168.100.0/24' peer='NULL' client='NULL' id=1
      Nov 12 15:10:16 racoon: DEBUG: open /var/db/racoon/racoon.sock as racoon management.
      Nov 12 15:10:16 racoon: DEBUG: pk_recv: retry[0] recv()
      Nov 12 15:10:16 racoon: DEBUG: got pfkey X_SPDDUMP message
      Nov 12 15:10:16 racoon: DEBUG: pk_recv: retry[0] recv()
      Nov 12 15:10:16 racoon: DEBUG: got pfkey X_SPDDUMP message
      Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe754: 192.168.100.0/24[0] 192.168.25.0/24[0] proto=any dir=in
      Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28548148: 192.168.254.0/24[0] 192.168.254.89/32[0] proto=any dir=in
      Nov 12 15:10:16 racoon: DEBUG: pk_recv: retry[0] recv()
      Nov 12 15:10:16 racoon: DEBUG: got pfkey X_SPDDUMP message
      Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe754: 192.168.254.89/32[0] 192.168.254.0/24[0] proto=any dir=out
      Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28548148: 192.168.254.0/24[0] 192.168.254.89/32[0] proto=any dir=in
      Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe754: 192.168.254.89/32[0] 192.168.254.0/24[0] proto=any dir=out
      Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28548288: 192.168.100.0/24[0] 192.168.25.0/24[0] proto=any dir=in
      Nov 12 15:10:16 racoon: DEBUG: pk_recv: retry[0] recv()
      Nov 12 15:10:16 racoon: DEBUG: got pfkey X_SPDDUMP message
      Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe754: 192.168.25.0/24[0] 192.168.100.0/24[0] proto=any dir=out
      Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28548148: 192.168.254.0/24[0] 192.168.254.89/32[0] proto=any dir=in
      Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe754: 192.168.25.0/24[0] 192.168.100.0/24[0] proto=any dir=out
      Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28548288: 192.168.100.0/24[0] 192.168.25.0/24[0] proto=any dir=in
      Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe754: 192.168.25.0/24[0] 192.168.100.0/24[0] proto=any dir=out
      Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28548508: 192.168.254.89/32[0] 192.168.254.0/24[0] proto=any dir=out
      Nov 12 15:10:16 racoon: DEBUG: pk_recv: retry[0] recv()
      Nov 12 15:10:16 racoon: DEBUG: got pfkey REGISTER message
      Nov 12 15:10:16 racoon: INFO: unsupported PF_KEY message REGISTER
      Nov 12 15:10:16 racoon: DEBUG: pk_recv: retry[0] recv()
      Nov 12 15:10:16 racoon: DEBUG: got pfkey X_SPDADD message
      Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe754: 192.168.254.89/32[0] 192.168.254.0/24[0] proto=any dir=out
      Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28548148: 192.168.254.0/24[0] 192.168.254.89/32[0] proto=any dir=in
      Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe754: 192.168.254.89/32[0] 192.168.254.0/24[0] proto=any dir=out
      Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28548288: 192.168.100.0/24[0] 192.168.25.0/24[0] proto=any dir=in
      Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe754: 192.168.254.89/32[0] 192.168.254.0/24[0] proto=any dir=out
      Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28548508: 192.168.254.89/32[0] 192.168.254.0/24[0] proto=any dir=out
      Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.254.89/32[0] 192.168.254.0/24[0] proto=any dir=out
      Nov 12 15:10:16 racoon: DEBUG: pk_recv: retry[0] recv()
      Nov 12 15:10:16 racoon: DEBUG: got pfkey X_SPDADD message
      Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe754: 192.168.254.0/24[0] 192.168.254.89/32[0] proto=any dir=in
      Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28548148: 192.168.254.0/24[0] 192.168.254.89/32[0] proto=any dir=in
      Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.254.0/24[0] 192.168.254.89/32[0] proto=any dir=in
      Nov 12 15:10:16 racoon: DEBUG: pk_recv: retry[0] recv()
      Nov 12 15:10:16 racoon: DEBUG: got pfkey X_SPDADD message
      Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe754: 192.168.25.0/24[0] 192.168.100.0/24[0] proto=any dir=out
      Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28548288: 192.168.100.0/24[0] 192.168.25.0/24[0] proto=any dir=in
      Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe754: 192.168.25.0/24[0] 192.168.100.0/24[0] proto=any dir=out
      Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28548648: 192.168.25.0/24[0] 192.168.100.0/24[0] proto=any dir=out
      Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.25.0/24[0] 192.168.100.0/24[0] proto=any dir=out
      Nov 12 15:10:16 racoon: DEBUG: pk_recv: retry[0] recv()
      Nov 12 15:10:16 racoon: DEBUG: got pfkey X_SPDADD message
      Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe754: 192.168.100.0/24[0] 192.168.25.0/24[0] proto=any dir=in
      Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28548288: 192.168.100.0/24[0] 192.168.25.0/24[0] proto=any dir=in
      Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.100.0/24[0] 192.168.25.0/24[0] proto=any dir=in

      gbrown100:

        I now have the following, this after I changed both my ID and the remote by fixing the IP address:

        Still getting a yellow cross though. Could this be because we are trying to use DPD?

        Nov 12 16:05:56 racoon: DEBUG: pk_recv: retry[0] recv()
        Nov 12 16:05:56 racoon: DEBUG: got pfkey ACQUIRE message
        Nov 12 16:05:56 racoon: [Unknown Gateway/Dynamic]: DEBUG: suitable outbound SP found: 192.168.25.0/24[0] 192.168.100.0/24[0] proto=any dir=out.
        Nov 12 16:05:56 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe758: 192.168.100.0/24[0] 192.168.25.0/24[0] proto=any dir=in
        Nov 12 16:05:56 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28548148: 192.168.254.0/24[0] 192.168.254.89/32[0] proto=any dir=in
        Nov 12 16:05:56 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe758: 192.168.100.0/24[0] 192.168.25.0/24[0] proto=any dir=in
        Nov 12 16:05:56 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28548288: 192.168.100.0/24[0] 192.168.25.0/24[0] proto=any dir=in
        Nov 12 16:05:56 racoon: [Unknown Gateway/Dynamic]: DEBUG: suitable inbound SP found: 192.168.100.0/24[0] 192.168.25.0/24[0] proto=any dir=in.
        Nov 12 16:05:56 racoon: [Unknown Gateway/Dynamic]: DEBUG: new acquire 192.168.25.0/24[0] 192.168.100.0/24[0] proto=any dir=out
        Nov 12 16:05:56 racoon: [Agnitio IPSEC VPN]: [31.3.72.130] DEBUG: configuration "31.3.72.130[500]" selected.
        Nov 12 16:05:56 racoon: DEBUG: getsainfo params: loc='192.168.25.0/24' rmt='192.168.100.0/24' peer='NULL' client='NULL' id=1
        Nov 12 16:05:56 racoon: DEBUG: evaluating sainfo: loc='192.168.25.0/24', rmt='192.168.100.0/24', peer='ANY', id=1
        Nov 12 16:05:56 racoon: DEBUG: check and compare ids : values matched (IPv4_subnet)
        Nov 12 16:05:56 racoon: DEBUG: cmpid target: '192.168.25.0/24'
        Nov 12 16:05:56 racoon: DEBUG: cmpid source: '192.168.25.0/24'
        Nov 12 16:05:56 racoon: DEBUG: check and compare ids : values matched (IPv4_subnet)
        Nov 12 16:05:56 racoon: DEBUG: cmpid target: '192.168.100.0/24'
        Nov 12 16:05:56 racoon: DEBUG: cmpid source: '192.168.100.0/24'
        Nov 12 16:05:56 racoon: DEBUG: selected sainfo: loc='192.168.25.0/24', rmt='192.168.100.0/24', peer='ANY', id=1
        Nov 12 16:05:56 racoon: DEBUG: (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=16422:16421)
        Nov 12 16:05:56 racoon: DEBUG: (trns_id=AES encklen=256 authtype=hmac-sha)
        Nov 12 16:05:56 racoon: DEBUG: (trns_id=AES encklen=256 authtype=hmac-md5)
        Nov 12 16:05:56 racoon: DEBUG: (trns_id=3DES encklen=0 authtype=hmac-sha)
        Nov 12 16:05:56 racoon: DEBUG: (trns_id=3DES encklen=0 authtype=hmac-md5)
        Nov 12 16:05:56 racoon: DEBUG: in post_acquire
        Nov 12 16:05:56 racoon: [Agnitio IPSEC VPN]: [31.3.72.130] DEBUG: configuration "31.3.72.130[500]" selected.
        Nov 12 16:05:56 racoon: [Agnitio IPSEC VPN]: INFO: IPsec-SA request for 31.3.72.130 queued due to no phase1 found.
        Nov 12 16:05:56 racoon: DEBUG: ===
        Nov 12 16:05:56 racoon: [Agnitio IPSEC VPN]: INFO: initiate new phase 1 negotiation: 82.68.240.234[500]<=>31.3.72.130[500]
        Nov 12 16:05:56 racoon: INFO: begin Identity Protection mode.
        Nov 12 16:05:56 racoon: DEBUG: new cookie: 1da15dbe0895e098
        Nov 12 16:05:56 racoon: DEBUG: add payload of len 48, next type 13
        Nov 12 16:05:56 racoon: DEBUG: add payload of len 20, next type 13
        Nov 12 16:05:56 racoon: DEBUG: add payload of len 16, next type 0
        Nov 12 16:05:56 racoon: ERROR: phase1 negotiation failed due to send error. 1da15dbe0895e098:0000000000000000
        Nov 12 16:05:56 racoon: ERROR: failed to begin ipsec sa negotication.

        gbrown100:
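        A triage script for racoon output of the kind quoted in the post above, added here as an example; it is not code from the thread or from pfSense. It picks out the lines that matter when an IKEv1 tunnel never comes up (the pfkey ACQUIRE that triggers negotiation, the phase 1 initiation with its endpoints, the exchange mode, and the phase 1 result) and attaches a reading to each failure reason. The sample lines are constructed to match the shapes in the post; the function names (`triage`, `summarize`) and the hint text are this example's own. The readings rest on how ipsec-tools reports these conditions: "send error" is logged when the socket send of the first ISAKMP message fails, "time up" when the retransmit timer expires with no reply, and an all-zero responder cookie in the failure line means no message ever came back from the peer.

```python
"""Triage racoon (ipsec-tools) debug output for an IKEv1 tunnel that never comes up.

Added example, not code from the thread or from pfSense.  Feed it the log lines
racoon writes (as seen in the pfSense 2.0 IPsec log) and it returns, per phase 1
attempt, the endpoints, the exchange mode, the ISAKMP cookies and the outcome.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the same line shapes as the post above, not a real capture.
SAMPLE_LOG = """\
Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.25.0/24[0] 192.168.100.0/24[0] proto=any dir=out
Nov 12 16:05:56 racoon: DEBUG: got pfkey ACQUIRE message
Nov 12 16:05:56 racoon: [Unknown Gateway/Dynamic]: DEBUG: new acquire 192.168.25.0/24[0] 192.168.100.0/24[0] proto=any dir=out
Nov 12 16:05:56 racoon: [Agnitio IPSEC VPN]: INFO: IPsec-SA request for 31.3.72.130 queued due to no phase1 found.
Nov 12 16:05:56 racoon: [Agnitio IPSEC VPN]: INFO: initiate new phase 1 negotiation: 82.68.240.234[500]<=>31.3.72.130[500]
Nov 12 16:05:56 racoon: INFO: begin Identity Protection mode.
Nov 12 16:05:56 racoon: DEBUG: new cookie: 1da15dbe0895e098
Nov 12 16:05:56 racoon: ERROR: phase1 negotiation failed due to send error. 1da15dbe0895e098:0000000000000000
Nov 12 16:05:56 racoon: ERROR: failed to begin ipsec sa negotication.
""".splitlines()

# Traffic matched an SPD entry and the kernel asked racoon for an SA.
ACQUIRE_RE = re.compile(r"new acquire (\S+)\[\d+\] (\S+)\[\d+\] proto=(\S+) dir=(in|out)")
# Initiator side of phase 1: local[port]<=>remote[port].
PH1_INIT_RE = re.compile(r"initiate new phase 1 negotiation: (\S+)\[(\d+)\]<=>(\S+)\[(\d+)\]")
MODE_RE = re.compile(r"begin (.+?) mode\.")
# Failure line carries the reason and the initiator:responder cookie pair.
PH1_FAIL_RE = re.compile(r"phase1 negotiation failed due to (.+?)\. ([0-9a-f]{16}):([0-9a-f]{16})")
# Success line as logged by ipsec-tools (not exercised by the sample above).
PH1_OK_RE = re.compile(r"ISAKMP-SA established (\S+)\[\d+\]-(\S+)\[\d+\] spi:([0-9a-f]{16}):([0-9a-f]{16})")
# Emitted on every config reload when a policy is re-added; harmless.
BENIGN_RE = re.compile(r"such policy already exists\. anyway replace it")

# Readings for the reason strings racoon uses (this example's own wording).
HINTS = {
    "send error": "local send of ISAKMP message 1 failed; nothing reached the peer, "
                  "check the local address racoon bound and local filtering of UDP/500 and UDP/4500",
    "time up": "message 1 left but no reply arrived; check reachability and UDP/500 filtering at the peer",
}


@dataclass
class Phase1Attempt:
    local: str
    remote: str
    mode: str = "?"
    cookie_i: str = ""
    cookie_r: str = ""
    outcome: str = "pending"
    hint: str = ""


@dataclass
class Triage:
    acquires: list = field(default_factory=list)
    phase1: list = field(default_factory=list)
    benign_spd_replacements: int = 0


def triage(lines):
    """Walk the log once, keeping state only for the phase 1 attempt in progress."""
    t = Triage()
    cur = None
    for line in lines:
        if BENIGN_RE.search(line):
            t.benign_spd_replacements += 1
        elif m := ACQUIRE_RE.search(line):
            t.acquires.append({"src": m[1], "dst": m[2], "proto": m[3], "dir": m[4]})
        elif m := PH1_INIT_RE.search(line):
            cur = Phase1Attempt(local=f"{m[1]}:{m[2]}", remote=f"{m[3]}:{m[4]}")
            t.phase1.append(cur)
        elif cur is None:
            continue
        elif m := MODE_RE.search(line):
            cur.mode = m[1]
        elif m := PH1_FAIL_RE.search(line):
            cur.cookie_i, cur.cookie_r = m[2], m[3]
            cur.outcome = "failed: " + m[1]
            cur.hint = HINTS.get(m[1], "unlisted reason string; see the ipsec-tools source")
            if cur.cookie_r == "0" * 16:
                cur.hint += "; responder cookie is zero, so the peer never answered message 1"
            cur = None
        elif m := PH1_OK_RE.search(line):
            cur.cookie_i, cur.cookie_r = m[3], m[4]
            cur.outcome = "established"
            cur = None
    return t


def summarize(t):
    """One line of text per finding, suitable for pasting into a ticket."""
    out = [f"{len(t.acquires)} ACQUIRE(s), {t.benign_spd_replacements} benign SPD replacement(s) on reload"]
    for a in t.phase1:
        out.append(f"phase1 {a.local} -> {a.remote} [{a.mode}] {a.outcome}"
                   + (f" ({a.hint})" if a.hint else ""))
    return out


if __name__ == "__main__":
    print("\n".join(summarize(triage(SAMPLE_LOG))))
```

        Run it against a larger capture by replacing SAMPLE_LOG with the file's lines; the benign SPD counter separates reload noise from the one line that actually explains the yellow cross.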

          DPD made no difference. Does anyone have any idea how I can get this working? I can't see any mistakes in the config, nothing in the raw files!

          I've previously had IPSEC with Draytek boxes working no problem, trouble here is not having access to the other end.

          Graham

          jimp (Rebel Alliance Developer, Netgate):

            Search around the forum; others have had similar issues with Watchguard boxes, and I think it was due to a broken/unsupported crypto accelerator card. Once they pulled it out, it was fine.

            gbrown100:

              Thanks Jimp,

              Unfortunately I don't have a crypto/accelerator card in the pfSense machine. It's a dual-core HP XW4600 workstation with a D-Link DFE570TX card for the WAN/LAN.

              I have tried just about every configuration I can think of, have remotely controlled the Watchguard and checked, and the settings are identical in every way. I can never get past that last message.

              I have successfully set up an IPsec VPN tunnel between this box and a couple of Draytek Vigor boxes, I just can't get the Watchguard Firebox to talk.

              If there is someone out there in the UK that has done this, I would be more than happy to pay them to sort this out. I just need to get it up and running, or else face having to split my network out with a router in front of pfSense and have the client drop their own Watchguard box into the mix.

              Thanks

              Graham
