RE: [pfSense Support] pfsense to netgear ipsec vpn
Try to use aggressive mode on both ends. Also try to set up different identifiers (like a combination of UFQDN and passphrase). It looks to me that there is a problem with the identifier. Is one of the ends behind another NAT? Also, what version are you running?

Holger

-----Original Message-----
From: cmaurand [mailto:[EMAIL PROTECTED]
Sent: Monday, September 18, 2006 5:28 PM
To: support@pfsense.com
Subject: [pfSense Support] pfsense to netgear ipsec vpn

Hello,

I'm a relative newbie to IPsec on pfSense. I'm trying to establish an IPsec VPN connection to a Netgear FVS124G. I already have a connection going to a SonicWall and that runs fine.

The configuration on the pfSense is:

  remote ip address
  PSK = the key (and they match)
  Interface = WAN (and it's my primary address)
  Local Subnet = LAN Subnet
  Remote subnet = 192.168.1.0/24
  Remote gateway = remote ip address
  Description = Charlotte Corporate

  Phase 1 Negotiation
  Negotiation mode = main
  My identifier = My IP address
  Encryption algorithm = 3DES
  Hash algorithm = SHA1
  DH Key group = 2 (1024 bit)
  Lifetime = 86400
  Authentication Method = Pre-Shared Key
  Pre-Shared Key = my psk

  Phase 2 (SA/Key Exchange)
  Protocol = ESP
  Encryption Algorithms = 3DES
  Hash Algorithm = SHA1
  PFS key group = 2 (1024 bit)
  Lifetime = 28800

On the Netgear IKE Policy:

  General
  Name = pwmtest
  Direction/Type = Both Directions
  Exchange Mode = Main Mode

  Local
  Select Local Gateway = Wan1 (69.whatever)
  Local Identity Type = WAN IP Address

  Remote
  Remote Host Configuration Record = None
  Remote Identity Type = WAN IP

  IKE SA Parameters
  Encryption Algorithm = 3DES
  Authentication Algorithm = SHA1
  Authentication Method = Pre-shared Key (my key)
  Diffie-Hellman (DH) Group = Group 2 (1024 bit)
  SA Life Time = 28800

On the Netgear VPN Policy:

  General
  Policy Name = pwmtest
  IKE Policy = pwmtest
  Remote VPN Endpoint Type = IP Address
  Remote VPN Endpoint IP Address = my ip address

  Traffic Selector
  Local IP = Subnet address
  Start IP address = 192.168.1.0
  Finish IP Address = N/A
  Subnet Mask = 255.255.255.0
  Remote IP = Subnet address
  Start IP Address = 10.0.0.0
  Finish IP Address = N/A
  Subnet Mask = 255.255.252.0

  AH Configuration = unchecked
  ESP Configuration
  Enable Encryption = checked = 3DES
  Enable Authentication = checked = SHA-1

From the pfSense I get (some lines wrapped):

  racoon: INFO: respond new phase 1 negotiation: local wan ip[500]<=>remote wan ip[500]
  racoon: ERROR: not acceptable Identity Protection mode
  racoon: ERROR: not acceptable Identity Protection mode

Thanks in advance

--
Curtis Maurand
Senior Network Systems Engineer
BlueTarp Financial, Inc.
443 Congress St. 6th Floor
Portland, ME 04101
207.797.5900 x233 (office)
207.797.3833 (fax)
mailto:[EMAIL PROTECTED]
http://www.bluetarp.com

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] pfsense to netgear ipsec vpn [solved]
This email will look best in a monospaced font.

Changed to aggressive mode on both ends. pfSense is version 2.3. Changed the Netgear identifiers to pwmtest for the IKE policy and pwm-office for the VPN policy. I deleted the VPN policy and re-created it. So here are the final settings.

Netgear:

VPN - Auto Policy
  General
  Policy Name: pwm-office
  IKE policy: pwmtest
  Remote VPN Endpoint
  Address Type: IP Address
  Address Data: ip address of pfsense firewall
  SA Life Time: 86400 (Seconds) 0 (Kbytes)
  IPSec PFS: [checked]
  PFS Key Group: Group 2 (1024 Bit)

  Traffic Selector
  Local IP: Subnet address
  Start IP address: 192.168.1.0
  Finish IP address: n/a
  Subnet Mask: 255.255.255.0
  Remote IP: Subnet address
  Start IP address: 10.0.0.0
  Finish IP address: n/a
  Subnet Mask: 255.255.252.0

  AH Configuration
  Enable Authentication: [not checked]
  Authentication Algorithm: SHA-1

  ESP Configuration
  Enable Encryption: [checked]
  Encryption Algorithm: 3DES
  Enable Authentication: [checked]
  Authentication Algorithm: SHA-1

IKE Policy Configuration
  General
  Policy Name: pwmtest
  Direction/Type: Both Directions
  Exchange Mode: Aggressive

  Local
  Select Local Gateway: Wan1 (this particular unit has two WAN ports with failover.)
  Local Identity Type: WAN IP Address

  Remote
  Identity Data: blank (This info doesn't get entered here.)

  IKE SA Parameters
  Encryption Algorithm: 3DES
  Authentication Algorithm: SHA1
  Authentication Method: Pre-Shared Key (your preshared key goes here)
  RSA Signature (requires Certificate): [unchecked]
  Diffie-Hellman Group: Group 2 (1024 bit)
  SA Life Time: 28800

On the pfSense box:

VPN: IPsec: Edit tunnel
  Mode: Tunnel
  Disabled: [unchecked]
  Interface: WAN
  Local Subnet: LAN subnet
  Remote Subnet: 192.168.1.0/24
  Remote Gateway: WAN address of the Netgear router
  Description: however you want to describe yours

  Phase 1 proposal (Authentication)
  Negotiation mode: aggressive
  My identifier: IP Address (my WAN IP address)
  Encryption algorithm: 3DES
  Hash Algorithm: SHA1
  DH Key Group: 2
  Lifetime: 28800
  Authentication Method: Pre-shared key
  Pre-Shared Key: pre shared key goes here.
  Certificate: blank
  Key: blank
  Peer certificate: blank

  Phase 2 proposal (SA/Key Exchange)
  Protocol: ESP
  Encryption algorithms: 3DES
  Hash algorithms: SHA1
  PFS key group: 2
  Lifetime: 86400

I hope this helps anyone having trouble. Thanks for your help, Holger.

Curtis

Holger Bauer wrote:
> Try to use aggressive mode on both ends. Also try to set up different identifiers (like a combination of UFQDN and passphrase). It looks to me that there is a problem with the identifier. Is one of the ends behind another NAT? Also, what version are you running?
>
> Holger
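A cross-check of the two tunnel definitions from this thread, added here as an example; it is not code from the thread, from pfSense or from Netgear. The `Side` model and its field names are hypothetical, the pfSense LAN subnet is inferred from the Netgear "Remote IP" selector (10.0.0.0/255.255.252.0), and the Netgear PFS group for the first attempt is taken from the final policy because the first post did not record it. The script encodes the reasoning behind Holger's advice: in main mode the responder has to select a pre-shared key before it sees the peer's ID payload (that payload is sent encrypted in message 5), so the PSK can only be looked up by the peer's IP address; aggressive mode carries the ID in the first message, which is what lets FQDN/UFQDN/keyid identifiers and changing addresses work. "Identity Protection" in the racoon error is ISAKMP's name for main mode, and racoon logs "not acceptable ... mode" when the remote section it matched for the peer does not permit that exchange type, which is a different failure from a proposal mismatch. The script also flags the cost of the fix: with aggressive mode and PSK authentication the responder's HASH_R is sent unencrypted to whoever initiates, and every other input to that hash is known to the initiator, so the PSK can be brute-forced offline; a long random PSK (or certificates) is what limits that.

```python
"""Cross-check both ends of an IKEv1 site-to-site tunnel before bringing it up.

Added example, not code from the thread, pfSense or Netgear. The Side model
is hypothetical; the two scenarios are the settings posted in the thread
(pfSense LAN subnet inferred from the Netgear "Remote IP" selector).
"""
from dataclasses import dataclass, replace
from ipaddress import ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Side:
    name: str
    exchange_mode: str           # "main" or "aggressive"
    my_id: str                   # ID payload this end sends: "ip", "fqdn", "ufqdn", "keyid"
    peer_id: str                 # ID payload this end expects from the peer
    p1: Tuple[str, str, int]     # phase 1: (encryption, hash, DH group)
    p2: Tuple[str, str, int]     # phase 2: (encryption, hash, PFS group)
    p1_lifetime: int
    p2_lifetime: Optional[int]   # None = not recorded in the post
    local_net: str
    remote_net: str
    auth: str = "psk"


WEAK_ENC, WEAK_HASH, WEAK_DH = {"des", "3des"}, {"md5", "sha1"}, {1, 2, 5}


def variant(side: Side, **changes) -> Side:
    """Copy of a Side with some fields changed (for what-if checks)."""
    return replace(side, **changes)


def check_tunnel(a: Side, b: Side) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings): errors keep phase 1/2 from completing,
    warnings are things that negotiate but a practitioner should not accept."""
    errors, warnings = [], []
    if a.exchange_mode != b.exchange_mode:
        errors.append(f"exchange mode: {a.name}={a.exchange_mode}, {b.name}={b.exchange_mode}")
    if a.p1 != b.p1:
        errors.append(f"phase 1 proposal: {a.name}={a.p1}, {b.name}={b.p1}")
    if a.p2 != b.p2:
        errors.append(f"phase 2 proposal: {a.name}={a.p2}, {b.name}={b.p2}")
    for side, peer in ((a, b), (b, a)):
        if side.my_id != peer.peer_id:
            errors.append(f"identifier: {side.name} sends {side.my_id}, {peer.name} expects {peer.peer_id}")
        # Main mode sends the ID payload encrypted in message 5, after the PSK has
        # already been used for key derivation, so the responder can only look the
        # PSK up by peer IP address; FQDN/keyid identifiers need aggressive mode.
        if side.auth == "psk" and side.exchange_mode == "main" and side.my_id != "ip":
            errors.append(f"{side.name}: main mode with PSK needs an IP identifier, not {side.my_id}")
        # Each end's local selector must be the other end's remote selector.
        if ip_network(side.local_net) != ip_network(peer.remote_net):
            errors.append(f"selector: {side.name} local {side.local_net} vs {peer.name} remote {peer.remote_net}")
    if a.p1_lifetime != b.p1_lifetime:
        warnings.append(f"phase 1 lifetime differs ({a.p1_lifetime}s vs {b.p1_lifetime}s); align them")
    if None not in (a.p2_lifetime, b.p2_lifetime) and a.p2_lifetime != b.p2_lifetime:
        warnings.append(f"phase 2 lifetime differs ({a.p2_lifetime}s vs {b.p2_lifetime}s); align them")
    for side in (a, b):
        # Aggressive mode sends HASH_R unencrypted in message 2, and an attacker
        # acting as initiator knows every other input to it, so the PSK can be
        # brute-forced offline by anyone who can reach UDP/500 on the gateway.
        if side.exchange_mode == "aggressive" and side.auth == "psk":
            warnings.append(f"{side.name}: aggressive mode with PSK lets any initiator capture "
                            "HASH_R for offline PSK cracking; use a long random PSK or certificates")
        for phase, (enc, hsh, dh) in (("phase 1", side.p1), ("phase 2", side.p2)):
            if enc in WEAK_ENC or hsh in WEAK_HASH or dh in WEAK_DH:
                warnings.append(f"{side.name}: weak {phase} proposal {(enc, hsh, dh)}; "
                                "prefer AES, SHA-256 and DH group 14 or higher")
    return errors, warnings


def thread_before() -> Tuple[Side, Side]:
    """Settings from the first post: main mode on both ends, lifetimes swapped."""
    pf = Side("pfSense", "main", "ip", "ip", ("3des", "sha1", 2), ("3des", "sha1", 2),
              86400, 28800, "10.0.0.0/22", "192.168.1.0/24")
    ng = Side("FVS124G", "main", "ip", "ip", ("3des", "sha1", 2), ("3des", "sha1", 2),
              28800, None, "192.168.1.0/24", "10.0.0.0/22")
    return pf, ng


def thread_after() -> Tuple[Side, Side]:
    """The [solved] settings: aggressive mode on both ends, lifetimes aligned."""
    pf, ng = thread_before()
    return (variant(pf, exchange_mode="aggressive", p1_lifetime=28800, p2_lifetime=86400),
            variant(ng, exchange_mode="aggressive", p2_lifetime=86400))


if __name__ == "__main__":
    for label, pair in (("first post", thread_before()), ("[solved]", thread_after())):
        errors, warnings = check_tunnel(*pair)
        print(f"== {label}: {len(errors)} error(s), {len(warnings)} warning(s)")
        for line in errors:
            print("  ERROR", line)
        for line in warnings:
            print("  WARN ", line)
```

Run as a script it reports both configurations. The first posting cross-checks cleanly apart from the swapped phase 1 lifetimes, so a proposal mismatch was not what racoon was rejecting; the final configuration cross-checks cleanly too, but carries the aggressive-mode-plus-PSK warning on both ends, which is the trade the fix makes and the reason the pre-shared key in such a setup should be long and random.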