Zyxel usg20w (roadwarrior) to pfsense - no matching CHILD_SA config found
-
This is slowly driving me crazy:
Dynamic site - a zyxel usg 20w.
This firewall needs to be able to initiate an IPsec connection from a dynamic IP and probably behind a NAT. If I give it a static public IP I have no problems getting the VPN to come up.
Static site - pfSense
Home sweet home.
Phase 1 seems to come up without issues. But during P2 I see the error "no matching CHILD_SA config found" in pfSense and "Recv:[HASH][NOTIFY:INVALID_ID_INFORMATION]" on the Zyxel.
For the life of me I can't see what I'm doing wrong!
These are (what I believe to be) the relevant configs:
pfSense:
<phase2>
  <ikeid>1</ikeid>
  <uniqid>55acf44129c6d</uniqid>
  <mode>tunnel</mode>
  <reqid>1</reqid>
  <localid>
    <type>lan</type>
  </localid>
  <remoteid>
    <type>mobile</type>
  </remoteid>
  <protocol>esp</protocol>
  <encryption-algorithm-option>
    <name>aes</name>
    <keylen>128</keylen>
  </encryption-algorithm-option>
  <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
  <pfsgroup>5</pfsgroup>
  <lifetime>3600</lifetime>
</phase2>
Zyxel:
crypto map connection
  ipsec-isakmp gateway
  transform-set esp-aes128-sha
  local-policy LAN1_SUBNET
  remote-policy remote
  set security-association lifetime seconds 3600
  set pfs group5
  policy-enforcement
Suggestions?
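The pfSense-side message comes from strongSwan, which logs "no matching CHILD_SA config found" when the traffic selectors the peer proposes in Phase 2 fit none of the configured Phase 2 entries, and in IKEv1 quick mode answers with INVALID_ID_INFORMATION. As an added example, not part of this thread, the following models that selection rule with constructed subnets (the real LAN1_SUBNET and "remote" objects are not posted, so the addresses and entry names are hypothetical):

```python
from ipaddress import ip_network

# Constructed Phase 2 entries as pfSense (strongSwan) sees them: (name, local TS, remote TS).
# The thread never posts the real subnets, so these CIDRs are hypothetical placeholders;
# the "mobile" remote side is modelled as a virtual-address pool.
PHASE2_CONFIGS = [
    ("lan-to-mobile", "192.168.1.0/24", "10.10.10.0/24"),
]

def fits(configured: str, proposed: str) -> bool:
    """A proposed selector fits when it equals or lies inside the configured network."""
    return ip_network(proposed).subnet_of(ip_network(configured))

def select_child_cfg(configs, proposed_local, proposed_remote):
    """Return the first entry covering both proposed selectors, or None.

    None is the case pfSense logs as 'no matching CHILD_SA config found'; in IKEv1
    quick mode the initiator is then sent INVALID_ID_INFORMATION, which is what the
    Zyxel in the thread reports receiving.
    """
    for name, local, remote in configs:
        if fits(local, proposed_local) and fits(remote, proposed_remote):
            return name
    return None

def as_seen_by_responder(initiator_local: str, initiator_remote: str):
    """The initiator's local-policy is the responder's remote selector and vice versa."""
    return initiator_remote, initiator_local

def diagnose(configs, zyxel_local_policy, zyxel_remote_policy) -> str:
    """Run the Zyxel's proposal through the pfSense-side selection and report the result."""
    local, remote = as_seen_by_responder(zyxel_local_policy, zyxel_remote_policy)
    name = select_child_cfg(configs, local, remote)
    if name:
        return f"matched phase2 '{name}' for {local} === {remote}"
    return f"no matching CHILD_SA config found for {local} === {remote}"

if __name__ == "__main__":
    # Hypothetical Zyxel objects: LAN1_SUBNET = 192.168.2.0/24, remote = pfSense LAN.
    print(diagnose(PHASE2_CONFIGS, "192.168.2.0/24", "192.168.1.0/24"))
    # Same proposal once a Phase 2 entry whose remote side is the Zyxel LAN exists.
    fixed = PHASE2_CONFIGS + [("lan-to-zyxel", "192.168.1.0/24", "192.168.2.0/24")]
    print(diagnose(fixed, "192.168.2.0/24", "192.168.1.0/24"))
```

The checker only models selector matching; proposal parameters (cipher, hash, PFS group, lifetime) are compared separately by the daemon and, in the posted configs, already agree.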
-
If I give it a static public IP I have no problems getting the VPN to come up.
Then set up a static public IP and go for it.
Suggestions?
DynDNS, NoIP, ...