Netgate Discussion Forum

    Why I can't connect if I use main mode~!!!!

    • waiven

      Why I can't connect if I use main mode~!!!!
      Thank You Very Much!!!!

      Log file:
      racoon: INFO: begin Identity Protection mode.
      Feb 1 02:52:20 racoon: [pfsense_xmn]: INFO: respond new phase 1 negotiation: xxx.xxx.xx.xx[500]<=>xxx.xxx.xxx.xxx[500]
      Feb 1 02:39:10 racoon: ERROR: phase1 negotiation failed due to time up. c4a04a025296c190:9ff4672d9e4528fc
      Feb 1 02:39:10 racoon: ERROR: invalid ID payload.
      Feb 1 02:39:10 racoon: ERROR: Expecting IP address type in main mode, but User_FQDN.
      Feb 1 02:39:10 racoon: WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
      Feb 1 02:19:38 racoon: ERROR: invalid ID payload.
      Feb 1 02:19:38 racoon: ERROR: Expecting IP address type in main mode, but User_FQDN.
      Feb 1 02:19:38 racoon: WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1

      • heiko

        Can you give us more information about your setup?

        • waiven

          I use different firewalls: one is pfSense, one is ZyXEL.

          ZyXEL Config:
          Encryption Algorithm: 3DES
          Authentication Algorithm: MD5
          SA Life Time (Seconds): 28800
          Key Group: DH2
          Pre-Shared Key: it is the key
          Enable Replay Detection: Yes
          Enable Multiple Proposals: Yes

          pfsense Config:
          Encryption algorithm: 3DES
          Hash algorithm: MD5
          DH key group: 2
          Authentication method: Pre-shared Key
          Pre-Shared Key: it is the key
          Protocol: ESP
          Encryption algorithms: 3DES
          Hash algorithms: MD5
          PFS key group: 2

          PS: with Aggressive mode and the same config, it is ok~~~

          • dusan

            Your log indicates mismatched identifier types. Can you tell us about the ID type setup on both the ZyXEL and pfSense sides?

            • waiven

              Both use "User FQDN" "abc@gmail.com" (the email address is true)

              • Wasca

                I had issues with this also. I ended up using MY IP Address and it all worked.

                Good luck

                • dusan

                  True. Or you may wish to obtain a certificate for that FQDN and use a certificate instead of PSK authentication.

                  IKE main mode with PSK allows ID type = IP address only.

                  • waiven

                    O…....thx!!!! When I use my IP address, it is ok!!!!!!!
                    thank you very much
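
The racoon errors in the first post and the rule dusan states (main mode with PSK accepts only an IP address identifier) can be spotted mechanically in a log. The following is an added example, not part of the original thread: it scans racoon log lines for the identifier-type rejection and reports which ID type the peer sent. The sample log is constructed from the lines quoted in the thread, with documentation-range addresses, and `parse` and `diagnose` are names chosen for this example.

```python
import re
from collections import Counter

# Constructed sample modelled on the racoon lines quoted in the thread;
# peer addresses are documentation-range placeholders.
SAMPLE_LOG = """\
Feb 1 02:19:38 racoon: ERROR: Expecting IP address type in main mode, but User_FQDN.
Feb 1 02:19:38 racoon: ERROR: invalid ID payload.
Feb 1 02:39:10 racoon: ERROR: Expecting IP address type in main mode, but User_FQDN.
Feb 1 02:39:10 racoon: ERROR: invalid ID payload.
Feb 1 02:39:10 racoon: ERROR: phase1 negotiation failed due to time up. c4a04a025296c190:9ff4672d9e4528fc
Feb 1 02:52:20 racoon: [pfsense_xmn]: INFO: respond new phase 1 negotiation: 192.0.2.10[500]<=>198.51.100.20[500]
"""

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+racoon:\s+(?:\[[^\]]*\]:\s+)?"
                  r"(?P<level>[A-Z]+):\s+(?P<msg>.*)$")
ID_REJECT = re.compile(r"Expecting IP address type in main mode, but (?P<idtype>\w+)\.?$")


def parse(log):
    """Yield (timestamp, level, message) for each racoon line; skip anything else."""
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m["ts"], m["level"], m["msg"]


def diagnose(log):
    """Summarise main-mode identifier rejections and phase 1 timeouts in a racoon log."""
    rejected = Counter()
    timeouts = 0
    for _ts, level, msg in parse(log):
        if level != "ERROR":
            continue
        m = ID_REJECT.search(msg)
        if m:
            rejected[m["idtype"]] += 1
        elif msg.startswith("phase1 negotiation failed due to time up"):
            timeouts += 1
    advice = []
    for idtype, n in rejected.items():
        advice.append(f"{n}x peer sent {idtype} in main mode with PSK: set the identifier "
                      "to the IP address on both ends, or switch to certificates")
    return {"rejected_id_types": dict(rejected), "phase1_timeouts": timeouts, "advice": advice}


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```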