Zyxel usg20w (roadwarrior) to pfsense - no matching CHILD_SA config found



  • This is slowly driving me crazy:

    Dynamic site - a Zyxel USG 20W.
    This firewall needs to be able to initiate an IPsec connection from a dynamic IP, and it is probably behind NAT.

    If I give it a static public IP I have no problems getting the VPN to come up.

    Static site - pfSense
    Home sweet home.

    ---------------------------------------------

    Phase 1 seems to come up without issues, but during P2 I see the error "no matching CHILD_SA config found" in pfSense and "Recv:[HASH][NOTIFY:INVALID_ID_INFORMATION]" on the Zyxel.

    For the life of me I can't see what I'm doing wrong!

    These are (What I believe to be) the relevant configs:

    pfSense:

    <phase2>
      <ikeid>1</ikeid>
      <uniqid>55acf44129c6d</uniqid>
      <mode>tunnel</mode>
      <reqid>1</reqid>
      <localid><type>lan</type></localid>
      <remoteid><type>mobile</type></remoteid>
      <protocol>esp</protocol>
      <encryption-algorithm-option><name>aes</name><keylen>128</keylen></encryption-algorithm-option>
      <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
      <pfsgroup>5</pfsgroup>
      <lifetime>3600</lifetime>
    </phase2>
    

    zyxel:

    crypto map connection
     ipsec-isakmp gateway
     transform-set esp-aes128-sha
     local-policy LAN1_SUBNET
     remote-policy remote
     set security-association lifetime seconds 3600
     set pfs group5
     policy-enforcement
    
    

    Suggestions?
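For context on the two log messages: pfSense's IPsec daemon is strongSwan, and charon logs "no matching CHILD_SA config found" during IKEv1 quick mode when none of its configured phase 2 entries matches the traffic selectors (local/remote networks) the initiator proposed; it answers with INVALID_ID_INFORMATION, which is exactly the notify the Zyxel reports receiving. A mismatch in the ESP proposal itself (cipher, hash, PFS group) is normally reported as NO_PROPOSAL_CHOSEN instead, so the selectors are the first place to look. The script below is an added example, not something from the thread or from either vendor: it parses the two fragments quoted above (embedded here as constructed copies), normalises the phase 2 parameters both peers must agree on, and reports which selector names still have to be checked by hand. Mapping the Zyxel keyword "sha" to HMAC-SHA1 and treating the crypto map as tunnel mode are assumptions; pfSense's "lan"/"mobile" and the Zyxel's LAN1_SUBNET/remote objects are not defined on the page, so they are reported, not resolved.

```python
import re
import xml.etree.ElementTree as ET

# Constructed copies of the two fragments quoted in the post. The pfSense XML is
# re-indented into one well-formed <phase2> element; the Zyxel crypto map is verbatim.
PFSENSE_PHASE2 = """<phase2>
  <ikeid>1</ikeid>
  <uniqid>55acf44129c6d</uniqid>
  <mode>tunnel</mode>
  <reqid>1</reqid>
  <localid><type>lan</type></localid>
  <remoteid><type>mobile</type></remoteid>
  <protocol>esp</protocol>
  <encryption-algorithm-option><name>aes</name><keylen>128</keylen></encryption-algorithm-option>
  <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
  <pfsgroup>5</pfsgroup>
  <lifetime>3600</lifetime>
</phase2>"""

ZYXEL_CRYPTO_MAP = """crypto map connection
 ipsec-isakmp gateway
 transform-set esp-aes128-sha
 local-policy LAN1_SUBNET
 remote-policy remote
 set security-association lifetime seconds 3600
 set pfs group5
 policy-enforcement"""

# Zyxel integrity keyword -> common name. Assumption: plain "sha" means HMAC-SHA1.
ZYXEL_INTEG = {"sha": "sha1", "md5": "md5", "sha256": "sha256", "sha512": "sha512"}


def parse_pfsense_phase2(xml_text):
    """Normalise a pfSense <phase2> element into the fields both peers must agree on."""
    root = ET.fromstring(xml_text)
    encryption = set()
    for opt in root.findall("encryption-algorithm-option"):
        name, keylen = opt.findtext("name"), opt.findtext("keylen")
        encryption.add(f"{name}{keylen}" if keylen else name)   # "aes" + "128" -> "aes128"
    integrity = {h.text.replace("hmac_", "") for h in root.findall("hash-algorithm-option")}
    return {
        "protocol": root.findtext("protocol"),
        "encryption": encryption,
        "integrity": integrity,
        "pfs_group": int(root.findtext("pfsgroup") or 0),
        "lifetime": int(root.findtext("lifetime")),
        "local_ts": root.findtext("localid/type"),     # symbolic, e.g. "lan"
        "remote_ts": root.findtext("remoteid/type"),   # symbolic, e.g. "mobile"
    }


def parse_zyxel_crypto_map(text):
    """Normalise a Zyxel 'crypto map' block into the same field set."""
    cfg = {"protocol": None, "encryption": set(), "integrity": set(),
           "pfs_group": 0, "lifetime": None, "local_ts": None, "remote_ts": None}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("transform-set"):
            # One or more space-separated proposals, each "<proto>-<cipher>-<integrity>".
            for proposal in line.split()[1:]:
                proto, enc, integ = proposal.split("-", 2)
                cfg["protocol"] = proto
                cfg["encryption"].add(enc)
                cfg["integrity"].add(ZYXEL_INTEG.get(integ, integ))
        elif line.startswith("local-policy"):
            cfg["local_ts"] = line.split()[1]      # address-object name, not resolved here
        elif line.startswith("remote-policy"):
            cfg["remote_ts"] = line.split()[1]
        elif (m := re.match(r"set security-association lifetime seconds (\d+)", line)):
            cfg["lifetime"] = int(m.group(1))
        elif (m := re.match(r"set pfs group(\d+)", line)):
            cfg["pfs_group"] = int(m.group(1))
    return cfg


def compare_phase2(pf, zy):
    """Return proposal mismatches, plus the selector pairs that must be verified by hand."""
    mismatches = []
    for field in ("protocol", "pfs_group", "lifetime"):   # lifetime differences are usually
        if pf[field] != zy[field]:                         # tolerated, but worth aligning
            mismatches.append((field, pf[field], zy[field]))
    # The responder only needs one proposal in common with whatever the initiator offers.
    for field in ("encryption", "integrity"):
        if not pf[field] & zy[field]:
            mismatches.append((field, sorted(pf[field]), sorted(zy[field])))
    # Traffic selectors cross over: pfSense's local network must be the Zyxel's
    # remote-policy and vice versa. Only names are available here, so report them.
    unresolved = [(pf["local_ts"], zy["remote_ts"]), (pf["remote_ts"], zy["local_ts"])]
    return {"mismatches": mismatches, "unresolved": unresolved}


if __name__ == "__main__":
    result = compare_phase2(parse_pfsense_phase2(PFSENSE_PHASE2),
                            parse_zyxel_crypto_map(ZYXEL_CRYPTO_MAP))
    for field, a, b in result["mismatches"]:
        print(f"MISMATCH {field}: pfSense={a} zyxel={b}")
    for a, b in result["unresolved"]:
        print(f"CHECK BY HAND: pfSense selector '{a}' must equal Zyxel policy '{b}'")
```

On the quoted fragments the proposal parameters (ESP, AES-128, SHA1, PFS group 5, 3600 s) line up on both sides, which is consistent with the notify being INVALID_ID_INFORMATION rather than NO_PROPOSAL_CHOSEN; what the script cannot check is whether the networks behind "lan" and "mobile" on pfSense actually correspond to the Zyxel's remote and LAN1_SUBNET address objects, and that is the comparison to do next.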



  • If I give it a static public IP I have no problems getting the VPN to come up.

    Then set up a static public IP and go for it.

    Suggestions?

    DynDNS, NoIP, …