Connecting a GreenGate VPN 2000 to a pFsense Firewall



  • Hi Folks,

    I've got a side-2-side VPN to my company working based on the two products mentioned in the Header.
    The only problem is when my IP in the HomeOffice changes the VPN crashes and never comes back.

    The funny thing is when I manualy change the Interface of the IPSEC tunnel to Lan and change it back to WAN, it works again.

    What could this be?

    The GreenGate is a linux based System too. It uses freeswan as VPN engine.

    Best regards
    Bjoern



  • how do you have this setup? ipsec on dynamic endpoints is actually not really supported though you can make it work if at least one end has a static IP.



  • Hi hoba,

    the GreenGate got in deed a static IP. The Problem seems that after a change of the public IP Adress of the pFsense Box the Nating ist not done correctly. In the IPSec Tunnel settings i defined the WAN Interface as the local Endpoint of the Tunnel. When i define the LAN interface as local Endpoint i get a failiture in phase 2. The GreenGate declares the Tunnel as established but the pfSense only shows a yellow button in the status -> ipsec section.

    The Settings of the tunnel are main mode - dh2 Group - identifier of the pfsense Domain Name - identifier of the GreenGate IP Address. As Encrytion i use Rjindale in Phase 1 and 2. The Authentication is set to ESP the hash to sha1 in both phases.

    The log of The GreenGate say someting about malformed Packets in phase I and stops in an early phase I.

    I've just got no access to the web frontend because i'm currently on the road but i can post the settings later on.

    Best regards
    Bjoern

    Any suggestions what is going wrong here



  • First: IPSEC has nothing to with NAT. The Tunnel endpoint has to be on the WAN interface of the pfSense, not the lan. When using dynamic IPs you should use mode aggressave instead of main and setup some identifiers (my IP adress won't work). To autoestablish the tunnel after the IP has changed automatically again add a keepalive IP at the pfSense.



  • I ment NAT-T. This is a thing wich ist normally only interessting for Client behind a nating router but that is not the point.

    I also tried aggressiv mode but the other side (GreenGate VPN) does not support the aggressiv mode.

    The IP keepalive settings are filled with an IP Address out of the remote network. That works, but i get a lot of errors in the LOG:

    –-
    Apr 26 08:59:43 racoon: [ITXTRA]: NOTIFY: the packet is retransmitted by 217.5.211.238[500].
    Apr 26 08:59:34 racoon: [ITXTRA]: INFO: phase2 sa deleted 80.135.97.34-217.5.211.238
    Apr 26 08:59:33 racoon: INFO: received Vendor ID: DPD
    Apr 26 08:59:33 racoon: INFO: begin Identity Protection mode.
    Apr 26 08:59:33 racoon: [ITXTRA]: INFO: initiate new phase 1 negotiation: 80.135.97.34[500]<=>217.5.211.238[500]
    Apr 26 08:59:33 racoon: [ITXTRA]: INFO: IPsec-SA request for 217.5.211.238 queued due to no phase1 found.
    Apr 26 08:59:33 racoon: [ITXTRA]: INFO: phase2 sa expired 80.135.97.34-217.5.211.238
    Apr 26 08:59:10 racoon: [ITXTRA]: INFO: phase2 sa deleted 80.135.97.34-217.5.211.238
    Apr 26 08:59:09 racoon: ERROR: phase1 negotiation failed due to time up. e63213fe82189065:86f78315af7fd679
    Apr 26 08:59:09 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
    Apr 26 08:59:09 racoon: [ITXTRA]: INFO: phase2 sa expired 80.135.97.34-217.5.211.238
    Apr 26 08:58:48 racoon: [ITXTRA]: NOTIFY: the packet is retransmitted by 217.5.211.238[500].
    Apr 26 08:58:45 racoon: [ITXTRA]: INFO: phase2 sa deleted 80.135.97.34-217.5.211.238
    Apr 26 08:58:44 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
    Apr 26 08:58:44 racoon: [ITXTRA]: INFO: phase2 sa expired 80.135.97.34-217.5.211.238
    Apr 26 08:58:28 racoon: [ITXTRA]: NOTIFY: the packet is retransmitted by 217.5.211.238[500].
    Apr 26 08:58:20 racoon: [ITXTRA]: INFO: phase2 sa deleted 80.135.97.34-217.5.211.238
    Apr 26 08:58:19 racoon: INFO: received Vendor ID: DPD
    Apr 26 08:58:19 racoon: INFO: begin Identity Protection mode.
    Apr 26 08:58:19 racoon: [ITXTRA]: INFO: initiate new phase 1 negotiation: 80.135.97.34[500]<=>217.5.211.238[500]
    Apr 26 08:58:19 racoon: [ITXTRA]: INFO: IPsec-SA request for 217.5.211.238 queued due to no phase1 found.
    Apr 26 08:58:19 racoon: [ITXTRA]: INFO: phase2 sa expired 80.135.97.34-217.5.211.238
    Apr 26 08:57:57 racoon: [ITXTRA]: INFO: phase2 sa deleted 80.135.97.34-217.5.211.238
    Apr 26 08:57:57 racoon: ERROR: phase1 negotiation failed due to time up. 8c6ed753b3823d42:86f78315af7fd679
    Apr 26 08:57:56 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
    Apr 26 08:57:56 racoon: [ITXTRA]: INFO: phase2 sa expired 80.135.x.x-217.5.x.x
    Apr 26 08:57:36 racoon: [ITXTRA]: NOTIFY: the packet is retransmitted by 217.5.x.x[500].
    Apr 26 08:57:33 racoon: [Self]: INFO: 192.168.13.126[500] used as isakmp port (fd=23)
    Apr 26 08:57:33 racoon: INFO: fe80::20d:b9ff:fe12:a388%vr0[500] used as isakmp port (fd=22)
    Apr 26 08:57:33 racoon: INFO: fe80::20d:b9ff:fe12:a389%vr1[500] used as isakmp port (fd=21)
    Apr 26 08:57:33 racoon: [Self]: INFO: 10.0.0.254[500] used as isakmp port (fd=20)
    Apr 26 08:57:33 racoon: INFO: fe80::20d:b9ff:fe12:a38a%vr2[500] used as isakmp port (fd=19)
    Apr 26 08:57:33 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=18)
    Apr 26 08:57:33 racoon: INFO: ::1[500] used as isakmp port (fd=17)
    Apr 26 08:57:33 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=16)
    Apr 26 08:57:33 racoon: INFO: fe80::20d:b9ff:fe12:a388%ng0[500] used as isakmp port (fd=15)
    Apr 26 08:57:33 racoon: [Self]: INFO: 80.135.x.x[500] used as isakmp port (fd=14)
    –-

    the remote log:

    @80.135.x.x:57306 #612939: probable authentication (preshared secret) failure: malformed payload in packet Apr 26 07:01:50 authpriv.warn Pluto[299]: "94:85"
    @80.135.x.x:57306 #612939: next payload type of ISAKMP Identification Payload has an unknown value: 215 Apr 26 07:01:50 authpriv.warn Pluto[299]: "94:85"
    @80.135.x.x:57306 #612939: probable authentication (preshared secret) failure: malformed payload in packet Apr 26 07:01:55 authpriv.warn Pluto[299]: "94:85"
    @80.135.x.x:57306 #612929: max number of retransmissions (2) reached STATE_MAIN_R2 Apr 26 07:02:00 authpriv.warn Pluto[299]: "94:85"
    @80.135.x.x:57306 #612939: next payload type of ISAKMP Identification Payload has an unknown value: 215 Apr 26 07:02:00 authpriv.warn Pluto[299]: "94:85"
    @80.135.x.x:57306 #612939: probable authentication (preshared secret) failure: malformed payload in packet

    –-

    As alternativ a little script on the pFsense box would work very well, that would check the WAN ip in a regulary interval an if the IP changes the script only has to change on of my interface to LAN save, apply the settings and switch it directly back to wan save it and apply it.

    These are the steps i do right know and it works.


Locked