IPSec between PFSense 2.0 and Watchguard XTM



  • Hi,

    I am trying to get an IPsec tunnel between my pfSense box and a client's Watchguard XTM running. I have configured it as 3DES/MD5, but no matter what we try they never seem to connect. All I can get out of the debug logs is below. My subnet is 192.168.25.0/24, his is 192.168.100.0/24. Googling and searching this forum hasn't revealed an answer for me.

    254.89 is my LAN address and 192.168.254.0/24 is my LAN subnet; there should not be anything in the VPN config for them. The subnet I want to VPN from is on a VLAN and has a dedicated public IP for it to NAT out on.

    Thanks

    Graham

    Nov 12 15:10:11 racoon: INFO: racoon process 43902 shutdown
    Nov 12 15:10:16 racoon: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
    Nov 12 15:10:16 racoon: INFO: @(#)This product linked OpenSSL 0.9.8n 24 Mar 2010 (http://www.openssl.org/)
    Nov 12 15:10:16 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
    Nov 12 15:10:16 racoon: DEBUG: call pfkey_send_register for AH
    Nov 12 15:10:16 racoon: DEBUG: call pfkey_send_register for ESP
    Nov 12 15:10:16 racoon: DEBUG: call pfkey_send_register for IPCOMP
    Nov 12 15:10:16 racoon: DEBUG: reading config file /var/etc/racoon.conf
    Nov 12 15:10:16 racoon: DEBUG: no check of compression algorithm; not supported in sadb message.
    Nov 12 15:10:16 racoon: DEBUG: getsainfo params: loc='192.168.25.0/24' rmt='192.168.100.0/24' peer='NULL' client='NULL' id=1
    Nov 12 15:10:16 racoon: DEBUG: open /var/db/racoon/racoon.sock as racoon management.
    Nov 12 15:10:16 racoon: DEBUG: pk_recv: retry[0] recv()
    Nov 12 15:10:16 racoon: DEBUG: got pfkey X_SPDDUMP message
    Nov 12 15:10:16 racoon: DEBUG: pk_recv: retry[0] recv()
    Nov 12 15:10:16 racoon: DEBUG: got pfkey X_SPDDUMP message
    Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe754: 192.168.100.0/24[0] 192.168.25.0/24[0] proto=any dir=in
    Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28548148: 192.168.254.0/24[0] 192.168.254.89/32[0] proto=any dir=in
    Nov 12 15:10:16 racoon: DEBUG: pk_recv: retry[0] recv()
    Nov 12 15:10:16 racoon: DEBUG: got pfkey X_SPDDUMP message
    Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe754: 192.168.254.89/32[0] 192.168.254.0/24[0] proto=any dir=out
    Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28548148: 192.168.254.0/24[0] 192.168.254.89/32[0] proto=any dir=in
    Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe754: 192.168.254.89/32[0] 192.168.254.0/24[0] proto=any dir=out
    Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28548288: 192.168.100.0/24[0] 192.168.25.0/24[0] proto=any dir=in
    Nov 12 15:10:16 racoon: DEBUG: pk_recv: retry[0] recv()
    Nov 12 15:10:16 racoon: DEBUG: got pfkey X_SPDDUMP message
    Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe754: 192.168.25.0/24[0] 192.168.100.0/24[0] proto=any dir=out
    Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28548148: 192.168.254.0/24[0] 192.168.254.89/32[0] proto=any dir=in
    Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe754: 192.168.25.0/24[0] 192.168.100.0/24[0] proto=any dir=out
    Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28548288: 192.168.100.0/24[0] 192.168.25.0/24[0] proto=any dir=in
    Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe754: 192.168.25.0/24[0] 192.168.100.0/24[0] proto=any dir=out
    Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28548508: 192.168.254.89/32[0] 192.168.254.0/24[0] proto=any dir=out
    Nov 12 15:10:16 racoon: DEBUG: pk_recv: retry[0] recv()
    Nov 12 15:10:16 racoon: DEBUG: got pfkey REGISTER message
    Nov 12 15:10:16 racoon: INFO: unsupported PF_KEY message REGISTER
    Nov 12 15:10:16 racoon: DEBUG: pk_recv: retry[0] recv()
    Nov 12 15:10:16 racoon: DEBUG: got pfkey X_SPDADD message
    Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe754: 192.168.254.89/32[0] 192.168.254.0/24[0] proto=any dir=out
    Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28548148: 192.168.254.0/24[0] 192.168.254.89/32[0] proto=any dir=in
    Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe754: 192.168.254.89/32[0] 192.168.254.0/24[0] proto=any dir=out
    Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28548288: 192.168.100.0/24[0] 192.168.25.0/24[0] proto=any dir=in
    Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe754: 192.168.254.89/32[0] 192.168.254.0/24[0] proto=any dir=out
    Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28548508: 192.168.254.89/32[0] 192.168.254.0/24[0] proto=any dir=out
    Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.254.89/32[0] 192.168.254.0/24[0] proto=any dir=out
    Nov 12 15:10:16 racoon: DEBUG: pk_recv: retry[0] recv()
    Nov 12 15:10:16 racoon: DEBUG: got pfkey X_SPDADD message
    Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe754: 192.168.254.0/24[0] 192.168.254.89/32[0] proto=any dir=in
    Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28548148: 192.168.254.0/24[0] 192.168.254.89/32[0] proto=any dir=in
    Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.254.0/24[0] 192.168.254.89/32[0] proto=any dir=in
    Nov 12 15:10:16 racoon: DEBUG: pk_recv: retry[0] recv()
    Nov 12 15:10:16 racoon: DEBUG: got pfkey X_SPDADD message
    Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe754: 192.168.25.0/24[0] 192.168.100.0/24[0] proto=any dir=out
    Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28548288: 192.168.100.0/24[0] 192.168.25.0/24[0] proto=any dir=in
    Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe754: 192.168.25.0/24[0] 192.168.100.0/24[0] proto=any dir=out
    Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28548648: 192.168.25.0/24[0] 192.168.100.0/24[0] proto=any dir=out
    Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.25.0/24[0] 192.168.100.0/24[0] proto=any dir=out
    Nov 12 15:10:16 racoon: DEBUG: pk_recv: retry[0] recv()
    Nov 12 15:10:16 racoon: DEBUG: got pfkey X_SPDADD message
    Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe754: 192.168.100.0/24[0] 192.168.25.0/24[0] proto=any dir=in
    Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28548288: 192.168.100.0/24[0] 192.168.25.0/24[0] proto=any dir=in
    Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.100.0/24[0] 192.168.25.0/24[0] proto=any dir=in



  • I now have the following, after I changed both my ID and the remote ID by fixing the IP address:

    Still getting a yellow cross though. Could this be because we are trying to use DPD?

    Nov 12 16:05:56 racoon: DEBUG: pk_recv: retry[0] recv()
    Nov 12 16:05:56 racoon: DEBUG: got pfkey ACQUIRE message
    Nov 12 16:05:56 racoon: [Unknown Gateway/Dynamic]: DEBUG: suitable outbound SP found: 192.168.25.0/24[0] 192.168.100.0/24[0] proto=any dir=out.
    Nov 12 16:05:56 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe758: 192.168.100.0/24[0] 192.168.25.0/24[0] proto=any dir=in
    Nov 12 16:05:56 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28548148: 192.168.254.0/24[0] 192.168.254.89/32[0] proto=any dir=in
    Nov 12 16:05:56 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe758: 192.168.100.0/24[0] 192.168.25.0/24[0] proto=any dir=in
    Nov 12 16:05:56 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28548288: 192.168.100.0/24[0] 192.168.25.0/24[0] proto=any dir=in
    Nov 12 16:05:56 racoon: [Unknown Gateway/Dynamic]: DEBUG: suitable inbound SP found: 192.168.100.0/24[0] 192.168.25.0/24[0] proto=any dir=in.
    Nov 12 16:05:56 racoon: [Unknown Gateway/Dynamic]: DEBUG: new acquire 192.168.25.0/24[0] 192.168.100.0/24[0] proto=any dir=out
    Nov 12 16:05:56 racoon: [Agnitio IPSEC VPN]: [31.3.72.130] DEBUG: configuration "31.3.72.130[500]" selected.
    Nov 12 16:05:56 racoon: DEBUG: getsainfo params: loc='192.168.25.0/24' rmt='192.168.100.0/24' peer='NULL' client='NULL' id=1
    Nov 12 16:05:56 racoon: DEBUG: evaluating sainfo: loc='192.168.25.0/24', rmt='192.168.100.0/24', peer='ANY', id=1
    Nov 12 16:05:56 racoon: DEBUG: check and compare ids : values matched (IPv4_subnet)
    Nov 12 16:05:56 racoon: DEBUG: cmpid target: '192.168.25.0/24'
    Nov 12 16:05:56 racoon: DEBUG: cmpid source: '192.168.25.0/24'
    Nov 12 16:05:56 racoon: DEBUG: check and compare ids : values matched (IPv4_subnet)
    Nov 12 16:05:56 racoon: DEBUG: cmpid target: '192.168.100.0/24'
    Nov 12 16:05:56 racoon: DEBUG: cmpid source: '192.168.100.0/24'
    Nov 12 16:05:56 racoon: DEBUG: selected sainfo: loc='192.168.25.0/24', rmt='192.168.100.0/24', peer='ANY', id=1
    Nov 12 16:05:56 racoon: DEBUG: (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=16422:16421)
    Nov 12 16:05:56 racoon: DEBUG: (trns_id=AES encklen=256 authtype=hmac-sha)
    Nov 12 16:05:56 racoon: DEBUG: (trns_id=AES encklen=256 authtype=hmac-md5)
    Nov 12 16:05:56 racoon: DEBUG: (trns_id=3DES encklen=0 authtype=hmac-sha)
    Nov 12 16:05:56 racoon: DEBUG: (trns_id=3DES encklen=0 authtype=hmac-md5)
    Nov 12 16:05:56 racoon: DEBUG: in post_acquire
    Nov 12 16:05:56 racoon: [Agnitio IPSEC VPN]: [31.3.72.130] DEBUG: configuration "31.3.72.130[500]" selected.
    Nov 12 16:05:56 racoon: [Agnitio IPSEC VPN]: INFO: IPsec-SA request for 31.3.72.130 queued due to no phase1 found.
    Nov 12 16:05:56 racoon: DEBUG: ===
    Nov 12 16:05:56 racoon: [Agnitio IPSEC VPN]: INFO: initiate new phase 1 negotiation: 82.68.240.234[500]<=>31.3.72.130[500]
    Nov 12 16:05:56 racoon: INFO: begin Identity Protection mode.
    Nov 12 16:05:56 racoon: DEBUG: new cookie: 1da15dbe0895e098
    Nov 12 16:05:56 racoon: DEBUG: add payload of len 48, next type 13
    Nov 12 16:05:56 racoon: DEBUG: add payload of len 20, next type 13
    Nov 12 16:05:56 racoon: DEBUG: add payload of len 16, next type 0
    Nov 12 16:05:56 racoon: ERROR: phase1 negotiation failed due to send error. 1da15dbe0895e098:0000000000000000
    Nov 12 16:05:56 racoon: ERROR: failed to begin ipsec sa negotication.
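An added example, not from the thread or from pfSense/racoon itself: a small Python checker that reads racoon debug lines of the shape quoted above and summarises the one tunnel attempt they describe, checking that the Phase 2 selectors racoon loaded are the intended subnets, whether a Phase 1 exchange was started, and whether it failed before the peer ever answered (responder cookie still all zeros). The sample lines are constructed from the post; the peer address and cookie are the ones it shows.

```python
import re

# Constructed sample, modelled on the racoon DEBUG/INFO/ERROR lines quoted in
# the post above (not the poster's complete log).
SAMPLE_LOG = """\
Nov 12 16:05:56 racoon: DEBUG: getsainfo params: loc='192.168.25.0/24' rmt='192.168.100.0/24' peer='NULL' client='NULL' id=1
Nov 12 16:05:56 racoon: [Agnitio IPSEC VPN]: INFO: IPsec-SA request for 31.3.72.130 queued due to no phase1 found.
Nov 12 16:05:56 racoon: [Agnitio IPSEC VPN]: INFO: initiate new phase 1 negotiation: 82.68.240.234[500]<=>31.3.72.130[500]
Nov 12 16:05:56 racoon: INFO: begin Identity Protection mode.
Nov 12 16:05:56 racoon: ERROR: phase1 negotiation failed due to send error. 1da15dbe0895e098:0000000000000000
Nov 12 16:05:56 racoon: ERROR: failed to begin ipsec sa negotication.
"""

SAINFO_RE = re.compile(r"getsainfo params: loc='([^']+)' rmt='([^']+)'")
P1_START_RE = re.compile(r"initiate new phase 1 negotiation: ([\d.]+)\[(\d+)\]<=>([\d.]+)\[(\d+)\]")
P1_FAIL_RE = re.compile(r"phase1 negotiation failed due to (.+?)\. ([0-9a-f]{16}):([0-9a-f]{16})")

def analyse_racoon_log(text, expected_local, expected_remote):
    """Summarise what the log says about one tunnel attempt."""
    report = {"sainfo_ok": False, "phase1": [], "failures": []}
    for line in text.splitlines():
        m = SAINFO_RE.search(line)
        if m:
            # The Phase 2 selectors racoon loaded must be exactly the intended pair.
            report["sainfo_ok"] = (m.group(1), m.group(2)) == (expected_local, expected_remote)
            continue
        m = P1_START_RE.search(line)
        if m:
            report["phase1"].append({"local": m.group(1), "remote": m.group(3), "port": int(m.group(4)), "failed": False})
            continue
        m = P1_FAIL_RE.search(line)
        if m:
            # An all-zero responder cookie means the failure happened before the peer replied.
            report["failures"].append({"reason": m.group(1), "initiator_cookie": m.group(2), "peer_replied": m.group(3) != "0" * 16})
            if report["phase1"]:
                report["phase1"][-1]["failed"] = True
    return report

def diagnose(report):
    """Turn the summary into the checks worth doing first."""
    hints = []
    if not report["sainfo_ok"]:
        hints.append("phase2 selectors do not match the intended subnets")
    for f in report["failures"]:
        if f["reason"] == "send error" and not f["peer_replied"]:
            hints.append("first ISAKMP packet could not be sent: check that racoon can send UDP 500 from the selected local address (interface binding, route, firewall rules)")
    return hints
```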



  • DPD made no difference. Does anyone have any idea how I can get this working? I can't see any mistakes in the config, in the raw files nothing!

    I've previously had IPSEC with Draytek boxes working no problem, trouble here is not having access to the other end.

    Graham


  • Rebel Alliance Developer Netgate

    Search around the forum; others have had similar issues with Watchguard boxes and I think it was due to a broken/unsupported crypto accelerator card, and once they pull it out, it's fine.



  • Thanks Jimp,

    Unfortunately I don't have a crypto / accelerator card in the PFSense machine. It's a Dual Core HP XW4600 workstation with a DLINK DFE570TX card for the WAN / LAN.

    I have tried just about every configuration I can think of, have remotely controlled the Watchguard and checked, and the settings are identical in every way. I can never get past that last message.

    I have successfully set up an IPSEC VPN tunnel between this box and a couple of Draytek Vigor boxes, just can't get the Watchguard Firebox to talk.

    If there is someone out there in the UK that has done this I would be more than happy to pay them to sort this out. I just need to get it up and running else face having to split my network out with a router in front of PFSense and have the client drop their own Watchguard box into the mix.

    Thanks

    Graham

