VPN into POS Host



  • I am trying to use pfSense to replace our SonicWall routers in our retail locations. I have everything working except for our VPN needed to run the Point of Sale.

    A major hurdle I am running into is that the company that hosts the POS database uses a unique identifier for the local identifier. For instance, the ID may be "Basic - Corp". pfSense only gives me the option to use an IP or a domain name. Is there any way I can override this and use this unique identifier?

    Thanks for any help in advance.



  • This identifier breaks IPsec specifications and usually is not allowed. I would fix it at the other end. Not sure if it would work if you manually edit the tunnel in the config.xml, as the GUI won't allow creation of such an identifier.



  • Unfortunately I do not host the other side and I doubt they will be willing to change the Identifier. I will look into the config file and give it a shot. Thanks for the advice.
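As an added illustration of the identifier question in the posts above (this is my example, not pfSense, racoon or the POS host's code; the sample strings at the bottom are made up), the script below maps a proposed identifier string onto the ISAKMP Identification Types that RFC 2407 defines for IKEv1. A label with spaces such as "Basic - Corp" is neither an address nor a name, so the only type that can carry it on the wire is the opaque ID_KEY_ID; whether a given product's GUI lets you pick that type is a separate question, and that is the wall the thread hit.

```python
"""Classify a proposed IKEv1 identifier into the ISAKMP Identification
Types of the IPsec DOI (RFC 2407, section 4.6.2.1). Added example for
this thread; it is not pfSense or racoon code, and the sample strings
under __main__ are made up for illustration."""
import ipaddress
import re

# Identification Type values from RFC 2407 section 4.6.2.1.
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_USER_FQDN = 3
ID_IPV4_ADDR_SUBNET = 4
ID_IPV6_ADDR = 5
ID_IPV6_ADDR_SUBNET = 6
ID_DER_ASN1_DN = 9
ID_KEY_ID = 11

ID_NAMES = {
    ID_IPV4_ADDR: "ID_IPV4_ADDR",
    ID_FQDN: "ID_FQDN",
    ID_USER_FQDN: "ID_USER_FQDN",
    ID_IPV4_ADDR_SUBNET: "ID_IPV4_ADDR_SUBNET",
    ID_IPV6_ADDR: "ID_IPV6_ADDR",
    ID_IPV6_ADDR_SUBNET: "ID_IPV6_ADDR_SUBNET",
    ID_DER_ASN1_DN: "ID_DER_ASN1_DN",
    ID_KEY_ID: "ID_KEY_ID",
}

# A DNS label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
# An FQDN needs at least one dot; a bare label is not "fully qualified".
_FQDN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}\.?$")
_USER_FQDN_RE = re.compile(rf"^[^@\s/=]+@(?:{_LABEL}\.)+{_LABEL}$")
# Loose check for an X.500 DN written as /CN=a/O=b or CN=a, O=b.
_DN_RE = re.compile(
    r"^/?(?:CN|OU|O|C|ST|L|DC|E|emailAddress)=[^/,=]+"
    r"(?:[/,] *(?:CN|OU|O|C|ST|L|DC|E|emailAddress)=[^/,=]+)*$",
    re.IGNORECASE,
)


def classify_ike_id(identifier: str) -> int:
    """Return the RFC 2407 Identification Type the string could be sent as."""
    s = identifier.strip()
    if not s:
        raise ValueError("empty identifier")
    # a.b.c.d/nn style prefixes (a leading '/' means a DN, not a prefix)
    if "/" in s and not s.startswith("/"):
        try:
            net = ipaddress.ip_network(s, strict=False)
            return ID_IPV4_ADDR_SUBNET if net.version == 4 else ID_IPV6_ADDR_SUBNET
        except ValueError:
            pass
    try:
        return ID_IPV4_ADDR if ipaddress.ip_address(s).version == 4 else ID_IPV6_ADDR
    except ValueError:
        pass
    if _DN_RE.match(s):
        return ID_DER_ASN1_DN
    if _USER_FQDN_RE.match(s):
        return ID_USER_FQDN
    if _FQDN_RE.match(s):
        return ID_FQDN
    # Anything else (spaces, punctuation, a bare label) is neither an address
    # nor a name type; only the opaque KEY_ID type can carry it.
    return ID_KEY_ID


def describe(identifier: str) -> str:
    """Human-readable classification, e.g. 'Basic - Corp' -> ID_KEY_ID (11)."""
    t = classify_ike_id(identifier)
    return f"{identifier!r} -> {ID_NAMES[t]} ({t})"


if __name__ == "__main__":
    for sample in ("Basic - Corp", "66.45.111.154", "vpn.example.com",
                   "pos@example.com", "10.0.2.0/24", "/CN=pos-gw/O=Example"):
        print(describe(sample))
```

The practical use is to run it on whatever string the other side's VPN policy expects before you touch the tunnel: if it comes back as ID_KEY_ID, you know in advance that the local identifier field needs a KEY_ID option, not an address or FQDN, and can raise that with the host rather than discovering it from a failed phase 1.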



  • Ok I had them create a new policy and use the IP as the IKE ID.

    Errors to follow….

    Log:
    Apr 24 23:45:34 racoon: INFO: delete phase 2 handler.
    Apr 24 23:45:34 racoon: [IQVPND041053]: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 66.45.111.154[0]->10.0.2.15[0]
    Apr 24 23:45:31 racoon: ERROR: phase1 negotiation failed due to time up. da944a6326191f68:0000000000000000
    Apr 24 23:45:21 racoon: ERROR: delete phase1 handle.
    Apr 24 23:45:11 racoon: ERROR: delete phase1 handle.
    Apr 24 23:45:04 racoon: [IQVPND041053]: INFO: phase2 sa deleted 10.0.2.15-66.45.111.154
    Apr 24 23:45:03 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
    Apr 24 23:45:03 racoon: [IQVPND041053]: INFO: phase2 sa expired 10.0.2.15-66.45.111.154
    Apr 24 23:45:01 last message repeated 2 times
    Apr 24 23:44:41 racoon: ERROR: delete phase1 handle.
    Apr 24 23:44:41 racoon: INFO: begin Aggressive mode.
    Apr 24 23:44:41 racoon: [IQVPND041053]: INFO: initiate new phase 1 negotiation: 10.0.2.15[500]<=>66.45.111.154[500]

    Any ideas?  I hate not being able to mess with the other side….
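To read a racoon log like the one above systematically, here is an added triage script (my example, not code from pfSense or ipsec-tools; the SAMPLE_LOG lines are constructed to mirror the format and values of the post). It parses the pfSense-style racoon lines, records the peer addresses, the exchange mode and which stage timed out, and reports that a phase 1 time-up makes the phase 2 messages noise: nothing about phase 2 can be diagnosed until phase 1 completes.

```python
"""Triage a racoon (IKEv1) log excerpt like the one posted above. Added
example for this thread, not code from pfSense or ipsec-tools. The
lines in SAMPLE_LOG are constructed to match the format of the post."""
import re

# pfSense shows racoon messages as: timestamp, "racoon:", an optional
# "[tunnel-name]:" tag, the level, then the message text.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) racoon: "
    r"(?:\[(?P<tag>[^\]]+)\]: )?(?P<level>[A-Z]+): (?P<msg>.*)$"
)
# syslog de-duplication lines carry no "racoon:" prefix
REPEAT_RE = re.compile(r"last message repeated (\d+) times")
PEERS_RE = re.compile(r"([^\s\[]+)\[\d+\]<=>([^\s\[]+)\[\d+\]")

SAMPLE_LOG = """\
Apr 24 23:45:34 racoon: INFO: delete phase 2 handler.
Apr 24 23:45:34 racoon: [IQVPND041053]: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 66.45.111.154[0]->10.0.2.15[0]
Apr 24 23:45:31 racoon: ERROR: phase1 negotiation failed due to time up. da944a6326191f68:0000000000000000
Apr 24 23:45:21 racoon: ERROR: delete phase1 handle.
Apr 24 23:45:11 racoon: ERROR: delete phase1 handle.
Apr 24 23:45:04 racoon: [IQVPND041053]: INFO: phase2 sa deleted 10.0.2.15-66.45.111.154
Apr 24 23:45:03 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Apr 24 23:45:03 racoon: [IQVPND041053]: INFO: phase2 sa expired 10.0.2.15-66.45.111.154
Apr 24 23:45:01 last message repeated 2 times
Apr 24 23:44:41 racoon: ERROR: delete phase1 handle.
Apr 24 23:44:41 racoon: INFO: begin Aggressive mode.
Apr 24 23:44:41 racoon: [IQVPND041053]: INFO: initiate new phase 1 negotiation: 10.0.2.15[500]<=>66.45.111.154[500]
"""

HINTS = {
    "phase1": ("Phase 1 never completed: the proposal went out and no usable reply "
               "arrived before the timeout, so the phase 2 errors are a consequence. "
               "Check, in order: UDP/500 (and UDP/4500 behind NAT) reaches the peer; "
               "the peer address and the IKE ID it expects; the exchange mode (main "
               "vs aggressive) and phase 1 proposal match the peer's policy."),
    "phase2": ("Phase 1 is up, so peer address, IKE IDs and pre-shared key are fine; "
               "look at the phase 2 local/remote networks and proposals."),
    "ok": "No negotiation failures in this excerpt.",
}


def triage(log_text: str) -> dict:
    """Summarise one racoon log excerpt and name the stage to look at first."""
    s = {"tags": set(), "local": None, "peer": None, "mode": None,
         "phase1_initiated": 0, "phase1_timeouts": 0, "phase2_waiting_on_phase1": 0,
         "phase2_timeouts": 0, "queued_for_phase1": 0, "repeated": 0, "unparsed": 0}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            r = REPEAT_RE.search(line)
            if r:
                s["repeated"] += int(r.group(1))
            else:
                s["unparsed"] += 1
            continue
        tag, msg = m.group("tag"), m.group("msg")
        if tag:
            s["tags"].add(tag)
        if msg.startswith("initiate new phase 1 negotiation"):
            s["phase1_initiated"] += 1
            p = PEERS_RE.search(msg)
            if p:
                s["local"], s["peer"] = p.group(1), p.group(2)
        elif msg.startswith("begin ") and msg.endswith(" mode."):
            s["mode"] = msg[len("begin "):-len(" mode.")]
        elif msg.startswith("phase1 negotiation failed due to time up"):
            s["phase1_timeouts"] += 1
        elif msg.startswith("phase2 negotiation failed due to time up waiting for phase1"):
            s["phase2_waiting_on_phase1"] += 1
        elif msg.startswith("phase2 negotiation failed due to time up"):
            s["phase2_timeouts"] += 1
        elif "queued due to no phase1 found" in msg:
            s["queued_for_phase1"] += 1
    # Phase 1 failure outranks everything else: phase 2 cannot start without it.
    s["stage"] = "phase1" if s["phase1_timeouts"] else ("phase2" if s["phase2_timeouts"] else "ok")
    s["hint"] = HINTS[s["stage"]]
    return s


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for key in ("tags", "local", "peer", "mode", "phase1_initiated",
                "phase1_timeouts", "phase2_waiting_on_phase1", "stage"):
        print(f"{key}: {result[key]}")
    print(result["hint"])
```

Paste any excerpt from Status > System Logs > IPsec into `triage()`. On the constructed sample it reports stage phase1 in Aggressive mode with one initiation and one time-up, which is consistent with the follow-up post that the tunnel came up once aggressive mode was no longer in use.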



  • OK I have the tunnel up. (didn't need aggressive), just need to be able to ping now ;(



  • Are you allowing ICMP at Firewall, Rules (IPSEC tab)?



  • Not sure how you test this but make sure that you test the connectivity from behind the pfSense. The pfSense itself can't make use of the tunnel unless you add some fake static route.

