Netgate Discussion Forum
    IPSec between PFSense 2.0 and Watchguard XTM

gbrown100:

      Hi,

Am trying to get an IPSec tunnel between my PFSense box and a client's Watchguard XTM running. Have configured as 3DES/MD5 but no matter what we try they never seem to connect. All I can get out of the debug logs is below. My subnet is 192.168.25.0/24, his 192.168.100.0/24. Googling and searching this forum hasn't revealed an answer for me.

254.89 is my LAN and 192.168.254.0/24 is my LAN subnet; there should not be anything in the VPN config for them. The subnet I want to VPN from is on a VLAN and has a dedicated public IP for it to NAT out on.

      Thanks

      Graham

      Nov 12 15:10:11 racoon: INFO: racoon process 43902 shutdown
      Nov 12 15:10:16 racoon: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
      Nov 12 15:10:16 racoon: INFO: @(#)This product linked OpenSSL 0.9.8n 24 Mar 2010 (http://www.openssl.org/)
      Nov 12 15:10:16 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
      Nov 12 15:10:16 racoon: DEBUG: call pfkey_send_register for AH
      Nov 12 15:10:16 racoon: DEBUG: call pfkey_send_register for ESP
      Nov 12 15:10:16 racoon: DEBUG: call pfkey_send_register for IPCOMP
      Nov 12 15:10:16 racoon: DEBUG: reading config file /var/etc/racoon.conf
      Nov 12 15:10:16 racoon: DEBUG: no check of compression algorithm; not supported in sadb message.
      Nov 12 15:10:16 racoon: DEBUG: getsainfo params: loc='192.168.25.0/24' rmt='192.168.100.0/24' peer='NULL' client='NULL' id=1
      Nov 12 15:10:16 racoon: DEBUG: open /var/db/racoon/racoon.sock as racoon management.
      Nov 12 15:10:16 racoon: DEBUG: pk_recv: retry[0] recv()
      Nov 12 15:10:16 racoon: DEBUG: got pfkey X_SPDDUMP message
      Nov 12 15:10:16 racoon: DEBUG: pk_recv: retry[0] recv()
      Nov 12 15:10:16 racoon: DEBUG: got pfkey X_SPDDUMP message
      Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe754: 192.168.100.0/24[0] 192.168.25.0/24[0] proto=any dir=in
      Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28548148: 192.168.254.0/24[0] 192.168.254.89/32[0] proto=any dir=in
      Nov 12 15:10:16 racoon: DEBUG: pk_recv: retry[0] recv()
      Nov 12 15:10:16 racoon: DEBUG: got pfkey X_SPDDUMP message
      Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe754: 192.168.254.89/32[0] 192.168.254.0/24[0] proto=any dir=out
      Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28548148: 192.168.254.0/24[0] 192.168.254.89/32[0] proto=any dir=in
      Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe754: 192.168.254.89/32[0] 192.168.254.0/24[0] proto=any dir=out
      Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28548288: 192.168.100.0/24[0] 192.168.25.0/24[0] proto=any dir=in
      Nov 12 15:10:16 racoon: DEBUG: pk_recv: retry[0] recv()
      Nov 12 15:10:16 racoon: DEBUG: got pfkey X_SPDDUMP message
      Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe754: 192.168.25.0/24[0] 192.168.100.0/24[0] proto=any dir=out
      Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28548148: 192.168.254.0/24[0] 192.168.254.89/32[0] proto=any dir=in
      Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe754: 192.168.25.0/24[0] 192.168.100.0/24[0] proto=any dir=out
      Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28548288: 192.168.100.0/24[0] 192.168.25.0/24[0] proto=any dir=in
      Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe754: 192.168.25.0/24[0] 192.168.100.0/24[0] proto=any dir=out
      Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28548508: 192.168.254.89/32[0] 192.168.254.0/24[0] proto=any dir=out
      Nov 12 15:10:16 racoon: DEBUG: pk_recv: retry[0] recv()
      Nov 12 15:10:16 racoon: DEBUG: got pfkey REGISTER message
      Nov 12 15:10:16 racoon: INFO: unsupported PF_KEY message REGISTER
      Nov 12 15:10:16 racoon: DEBUG: pk_recv: retry[0] recv()
      Nov 12 15:10:16 racoon: DEBUG: got pfkey X_SPDADD message
      Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe754: 192.168.254.89/32[0] 192.168.254.0/24[0] proto=any dir=out
      Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28548148: 192.168.254.0/24[0] 192.168.254.89/32[0] proto=any dir=in
      Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe754: 192.168.254.89/32[0] 192.168.254.0/24[0] proto=any dir=out
      Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28548288: 192.168.100.0/24[0] 192.168.25.0/24[0] proto=any dir=in
      Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe754: 192.168.254.89/32[0] 192.168.254.0/24[0] proto=any dir=out
      Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28548508: 192.168.254.89/32[0] 192.168.254.0/24[0] proto=any dir=out
      Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.254.89/32[0] 192.168.254.0/24[0] proto=any dir=out
      Nov 12 15:10:16 racoon: DEBUG: pk_recv: retry[0] recv()
      Nov 12 15:10:16 racoon: DEBUG: got pfkey X_SPDADD message
      Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe754: 192.168.254.0/24[0] 192.168.254.89/32[0] proto=any dir=in
      Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28548148: 192.168.254.0/24[0] 192.168.254.89/32[0] proto=any dir=in
      Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.254.0/24[0] 192.168.254.89/32[0] proto=any dir=in
      Nov 12 15:10:16 racoon: DEBUG: pk_recv: retry[0] recv()
      Nov 12 15:10:16 racoon: DEBUG: got pfkey X_SPDADD message
      Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe754: 192.168.25.0/24[0] 192.168.100.0/24[0] proto=any dir=out
      Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28548288: 192.168.100.0/24[0] 192.168.25.0/24[0] proto=any dir=in
      Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe754: 192.168.25.0/24[0] 192.168.100.0/24[0] proto=any dir=out
      Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28548648: 192.168.25.0/24[0] 192.168.100.0/24[0] proto=any dir=out
      Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.25.0/24[0] 192.168.100.0/24[0] proto=any dir=out
      Nov 12 15:10:16 racoon: DEBUG: pk_recv: retry[0] recv()
      Nov 12 15:10:16 racoon: DEBUG: got pfkey X_SPDADD message
      Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe754: 192.168.100.0/24[0] 192.168.25.0/24[0] proto=any dir=in
      Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28548288: 192.168.100.0/24[0] 192.168.25.0/24[0] proto=any dir=in
      Nov 12 15:10:16 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.100.0/24[0] 192.168.25.0/24[0] proto=any dir=in

gbrown100:

        I now have the following, this after I changed both my ID and the remote by fixing the IP address:

        Still getting a yellow cross though. Could this be because we are trying to use DPD?

        Nov 12 16:05:56 racoon: DEBUG: pk_recv: retry[0] recv()
        Nov 12 16:05:56 racoon: DEBUG: got pfkey ACQUIRE message
        Nov 12 16:05:56 racoon: [Unknown Gateway/Dynamic]: DEBUG: suitable outbound SP found: 192.168.25.0/24[0] 192.168.100.0/24[0] proto=any dir=out.
        Nov 12 16:05:56 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe758: 192.168.100.0/24[0] 192.168.25.0/24[0] proto=any dir=in
        Nov 12 16:05:56 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28548148: 192.168.254.0/24[0] 192.168.254.89/32[0] proto=any dir=in
        Nov 12 16:05:56 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe758: 192.168.100.0/24[0] 192.168.25.0/24[0] proto=any dir=in
        Nov 12 16:05:56 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28548288: 192.168.100.0/24[0] 192.168.25.0/24[0] proto=any dir=in
        Nov 12 16:05:56 racoon: [Unknown Gateway/Dynamic]: DEBUG: suitable inbound SP found: 192.168.100.0/24[0] 192.168.25.0/24[0] proto=any dir=in.
        Nov 12 16:05:56 racoon: [Unknown Gateway/Dynamic]: DEBUG: new acquire 192.168.25.0/24[0] 192.168.100.0/24[0] proto=any dir=out
        Nov 12 16:05:56 racoon: [Agnitio IPSEC VPN]: [31.3.72.130] DEBUG: configuration "31.3.72.130[500]" selected.
        Nov 12 16:05:56 racoon: DEBUG: getsainfo params: loc='192.168.25.0/24' rmt='192.168.100.0/24' peer='NULL' client='NULL' id=1
        Nov 12 16:05:56 racoon: DEBUG: evaluating sainfo: loc='192.168.25.0/24', rmt='192.168.100.0/24', peer='ANY', id=1
        Nov 12 16:05:56 racoon: DEBUG: check and compare ids : values matched (IPv4_subnet)
        Nov 12 16:05:56 racoon: DEBUG: cmpid target: '192.168.25.0/24'
        Nov 12 16:05:56 racoon: DEBUG: cmpid source: '192.168.25.0/24'
        Nov 12 16:05:56 racoon: DEBUG: check and compare ids : values matched (IPv4_subnet)
        Nov 12 16:05:56 racoon: DEBUG: cmpid target: '192.168.100.0/24'
        Nov 12 16:05:56 racoon: DEBUG: cmpid source: '192.168.100.0/24'
        Nov 12 16:05:56 racoon: DEBUG: selected sainfo: loc='192.168.25.0/24', rmt='192.168.100.0/24', peer='ANY', id=1
        Nov 12 16:05:56 racoon: DEBUG: (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=16422:16421)
        Nov 12 16:05:56 racoon: DEBUG: (trns_id=AES encklen=256 authtype=hmac-sha)
        Nov 12 16:05:56 racoon: DEBUG: (trns_id=AES encklen=256 authtype=hmac-md5)
        Nov 12 16:05:56 racoon: DEBUG: (trns_id=3DES encklen=0 authtype=hmac-sha)
        Nov 12 16:05:56 racoon: DEBUG: (trns_id=3DES encklen=0 authtype=hmac-md5)
        Nov 12 16:05:56 racoon: DEBUG: in post_acquire
        Nov 12 16:05:56 racoon: [Agnitio IPSEC VPN]: [31.3.72.130] DEBUG: configuration "31.3.72.130[500]" selected.
        Nov 12 16:05:56 racoon: [Agnitio IPSEC VPN]: INFO: IPsec-SA request for 31.3.72.130 queued due to no phase1 found.
        Nov 12 16:05:56 racoon: DEBUG: ===
        Nov 12 16:05:56 racoon: [Agnitio IPSEC VPN]: INFO: initiate new phase 1 negotiation: 82.68.240.234[500]<=>31.3.72.130[500]
        Nov 12 16:05:56 racoon: INFO: begin Identity Protection mode.
        Nov 12 16:05:56 racoon: DEBUG: new cookie: 1da15dbe0895e098
        Nov 12 16:05:56 racoon: DEBUG: add payload of len 48, next type 13
        Nov 12 16:05:56 racoon: DEBUG: add payload of len 20, next type 13
        Nov 12 16:05:56 racoon: DEBUG: add payload of len 16, next type 0
        Nov 12 16:05:56 racoon: ERROR: phase1 negotiation failed due to send error. 1da15dbe0895e098:0000000000000000
        Nov 12 16:05:56 racoon: ERROR: failed to begin ipsec sa negotication.

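The two log excerpts above show three distinct stages: policy (SPD) loading with "such policy already exists" warnings, an ACQUIRE from the kernel once the selectors match, and a phase 1 initiation that dies with "send error" before anything comes back from the peer. The script below is an added example, not pfSense or ipsec-tools code; it reads racoon lines like the ones quoted and reports which stage was reached. The sample log, the function name `triage` and the weak-algorithm lists are this example's own assumptions; the message fragments it matches are the ones that appear in the thread (plus "ISAKMP-SA established", racoon's phase 1 success message).

```python
"""Triage helper for racoon (ipsec-tools) IKEv1 debug output.

Added example, not part of pfSense or ipsec-tools. It scans log lines for the
messages quoted in this thread and reports how far the negotiation got.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: a condensed copy of the thread's second excerpt.
SAMPLE_LOG = """\
Nov 12 16:05:56 racoon: DEBUG: got pfkey ACQUIRE message
Nov 12 16:05:56 racoon: [Unknown Gateway/Dynamic]: DEBUG: new acquire 192.168.25.0/24[0] 192.168.100.0/24[0] proto=any dir=out
Nov 12 16:05:56 racoon: DEBUG: (trns_id=AES encklen=256 authtype=hmac-sha)
Nov 12 16:05:56 racoon: DEBUG: (trns_id=3DES encklen=0 authtype=hmac-md5)
Nov 12 16:05:56 racoon: [Agnitio IPSEC VPN]: INFO: IPsec-SA request for 31.3.72.130 queued due to no phase1 found.
Nov 12 16:05:56 racoon: [Agnitio IPSEC VPN]: INFO: initiate new phase 1 negotiation: 82.68.240.234[500]<=>31.3.72.130[500]
Nov 12 16:05:56 racoon: INFO: begin Identity Protection mode.
Nov 12 16:05:56 racoon: ERROR: phase1 negotiation failed due to send error. 1da15dbe0895e098:0000000000000000
"""

# Message shapes taken from the racoon lines quoted in the thread.
RE_SPD_DUP = re.compile(
    r"such policy already exists\. anyway replace it: "
    r"(?P<src>\S+)\[\d+\] (?P<dst>\S+)\[\d+\] proto=\S+ dir=(?P<dir>\w+)")
RE_ACQUIRE = re.compile(
    r"new acquire (?P<src>\S+)\[\d+\] (?P<dst>\S+)\[\d+\] proto=\S+ dir=(?P<dir>\w+)")
RE_TRNS = re.compile(
    r"\(trns_id=(?P<enc>\w+) encklen=(?P<klen>\d+) authtype=(?P<auth>[\w-]+)\)")
RE_PH1 = re.compile(
    r"initiate new phase 1 negotiation: "
    r"(?P<local>[\d.]+)\[(?P<lport>\d+)\]<=>(?P<peer>[\d.]+)\[(?P<pport>\d+)\]")

# Legacy algorithms worth flagging in the ESP transform list (assumption of
# this example; "hmac-sha" here is HMAC-SHA1 and is left unflagged).
WEAK_ENC = {"DES", "3DES"}
WEAK_AUTH = {"hmac-md5"}


def triage(log: str) -> Dict[str, object]:
    """Return the negotiation stage reached plus the facts needed to act on it."""
    spd_dups: List[Tuple[str, str, str]] = []   # policies racoon re-added
    selectors: List[Tuple[str, str, str]] = []  # traffic that triggered an ACQUIRE
    proposals: List[Tuple[str, str, str]] = []  # ESP transforms under the chosen sainfo
    local = peer = pport = None
    for line in log.splitlines():
        if m := RE_SPD_DUP.search(line):
            spd_dups.append((m["src"], m["dst"], m["dir"]))
        elif m := RE_ACQUIRE.search(line):
            selectors.append((m["src"], m["dst"], m["dir"]))
        elif m := RE_TRNS.search(line):
            proposals.append((m["enc"], m["klen"], m["auth"]))
        elif m := RE_PH1.search(line):
            local, peer, pport = m["local"], m["peer"], m["pport"]

    # Stage is decided from the latest milestone present in the excerpt.
    if "phase1 negotiation failed due to send error" in log:
        stage = "phase1_send_error"
        verdict = (f"racoon could not transmit the first IKE packet to {peer}:{pport}; "
                   "the send itself failed on this host (route, source address or socket), "
                   "so the peer's configuration has not been exercised yet")
    elif "ISAKMP-SA established" in log:
        stage = "phase1_established"
        verdict = "phase 1 completed; look at the phase 2 (IPsec-SA) messages next"
    elif peer is not None:
        stage = "phase1_initiated"
        verdict = f"first packet sent to {peer}:{pport}; no outcome in this excerpt"
    elif selectors:
        stage = "acquire"
        verdict = "kernel requested an SA but no phase 1 was started"
    else:
        stage = "spd_only"
        verdict = "only policy (SPD) loading seen; nothing has tried to negotiate"

    weak = [p for p in proposals if p[0] in WEAK_ENC or p[2] in WEAK_AUTH]
    return {"stage": stage, "local": local, "peer": peer, "peer_port": pport,
            "selectors": selectors, "proposals": proposals, "weak_proposals": weak,
            "spd_duplicates": spd_dups, "verdict": verdict}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the second excerpt it reports `phase1_send_error`: the failure happened inside racoon's own send to 31.3.72.130, before any IKE packet could have been answered, so comparing proposal settings with the Watchguard cannot resolve it on its own. It also flags the 3DES/HMAC-MD5 transform still present in the sainfo; both are legacy choices, and the AES-256/HMAC-SHA transform listed first is the one to keep once the tunnel comes up.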
gbrown100:

DPD made no difference. Does anyone have any idea how I can get this working? I can't see any mistakes in the config, in the raw files, nothing!

I've previously had IPSEC with Draytek boxes working no problem; the trouble here is not having access to the other end.

          Graham

jimp (Rebel Alliance Developer, Netgate):

Search around the forum; others have had similar issues with Watchguard boxes, and I think it was due to a broken/unsupported crypto accelerator card. Once they pulled it out, it was fine.

gbrown100:

              Thanks Jimp,

Unfortunately I don't have a crypto/accelerator card in the PFSense machine. It's a dual-core HP XW4600 workstation with a D-Link DFE570TX card for the WAN/LAN.

I have tried just about every configuration I can think of, have remotely controlled the Watchguard and checked, and the settings are identical in every way. I can never get past that last message.

              I have successfully set up an IPSEC VPN tunnel between this box and a couple of Draytek Vigor boxes, just can't get the Watchguard Firebox to talk.

If there is someone out there in the UK that has done this I would be more than happy to pay them to sort this out. I just need to get it up and running, else I face having to split my network out with a router in front of PFSense and have the client drop their own Watchguard box into the mix.

              Thanks

              Graham

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.