DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Vigor 3900 to pfSense Site to site IPSec

  • pobster123
  • Topic Author
  • Offline
  • New Member
  • New Member
More
20 Sep 2017 15:56 #89646 by pobster123
Vigor 3900 to pfSense Site to site IPSec was created by pobster123
I have tried both main mode and aggressive. I am able to get a connection using main mode from the pfsense side but not on the vigor 3900 and doesnt route traffic.
Logs for pfSense:
12[CFG] <201> looking for pre-shared key peer configs matching 146.90.x.x...87.242.x.x[87.242.x.x]
12[IKE] <201> found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode
12[ENC] <201> generating INFORMATIONAL_V1 request 718054413 [ N(AUTH_FAILED) ]
12[NET] <201> sending packet: from 146.90.x.x[500] to 87.242.x.x[500] (56 bytes)
08[NET] <202> received packet: from 87.242.x.x[500] to 146.90.x.x[500] (344 bytes)
08[ENC] <202> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]

Log from Draytek :
<141>Sep 20 15:16:48 Vigor: [IPsec] PB_Test #0 execute _updown unroute-client:
<141>Sep 20 15:16:49 Vigor: pluto[13166]: "PB_Test": add eroute 192.x.x.x/24:0 --0-> 10.x.x.x/24:0 => %trap (raw_eroute) Success
<141>Sep 20 15:16:49 Vigor: pluto[13166]: "PB_Test": eroute_connection add eroute 10.x.x.x/24:0 --0-> 192.x.x.x/24:0 => %trap (raw_eroute) Success
<141>Sep 20 15:16:49 Vigor: pluto[13166]: "PB_Test": eroute_connection add eroute 0.0.0.0/0:0 --0-> 192.x.x.x/24:0 => %trap (raw_eroute) Success
<141>Sep 20 15:16:50 Vigor: [IPsec] PB_Test #0 execute _updown prepare-client:
<141>Sep 20 15:16:50 Vigor: [IPsec] PB_Test #0 execute _updown route-client:
<141>Sep 20 15:16:50 Vigor: pluto[13166]: "PB_Test" #22785: initiating Aggressive Mode #22785, connection "PB_Test"
<141>Sep 20 15:16:50 Vigor: pluto[13166]: packet from 146.90.x.x:500: ignoring informational payload, type AUTHENTICATION_FAILED
<141>Sep 20 15:16:50 Vigor: pluto[13166]: packet from 146.90.x.x:500: received and ignored informational message
<141>Sep 20 15:17:00 Vigor: pluto[13166]: packet from 146.90.x.x:500: ignoring informational payload, type AUTHENTICATION_FAILED
<141>Sep 20 15:17:00 Vigor: pluto[13166]: packet from 146.90.x.x:500: received and ignored informational message
<141>Sep 20 15:17:19 Vigor: pluto[13166]: "PB_Test" #22785: deleting state (STATE_AGGR_I1)
<141>Sep 20 15:17:19 Vigor: pluto[13166]: "PB_Test" #22785: deleting state #22785
<141>Sep 20 15:17:19 Vigor: pluto[13166]: packet from 146.90.x.x:500: ignoring informational payload, type AUTHENTICATION_FAILED
<141>Sep 20 15:17:19 Vigor: pluto[13166]: packet from 146.90.x.x:500: received and ignored informational message

We have setup on draytek Phase 1 Proposal: 3DES G1, Phase 1 Authentication: SHA1, Phase 2 Proposal: 3DES with auth, Phase 2 Authentication: All
Its the same on pfSense Phase 1 Encryption Algorithm: 3DES, Hash Alogrithm: SHA 1, DH Group 1 (768), Phase 2 Encryption Algorithm: 3DES, Hash Alogrithm: MD5 & SHA 1 , DH Group 1 (768)

Please Log in or Create an account to join the conversation.

  • pobster123
  • Topic Author
  • Offline
  • New Member
  • New Member
More
20 Sep 2017 15:58 #89647 by pobster123
Replied by pobster123 on topic Re: Vigor 3900 to pfSense Site to site IPSec
Any help will be really appreciated, if you need any more information please let me know.

I have followed lots of posts and vlogs found searching the error but non have solved my issue.

Please Log in or Create an account to join the conversation.

  • pobster123
  • Topic Author
  • Offline
  • New Member
  • New Member
More
21 Sep 2017 15:22 #89650 by pobster123
Replied by pobster123 on topic Re: Vigor 3900 to pfSense Site to site IPSec
Just wanted to give an update, I have managed to solve my issues connecting to pfSense firewall.

I would recommend initially creating the Ipsec connection with the following settings:
On the pfSense:

Phase 1: Encryption alogorithm: 3DES, Hash Algorithm, MD5, DH Group 1 (768 bit)
Phase 2: Encryption alogorithm: 3DES, Hash Algorithm, SHA1, PFS key group off

On the Draytek under Proposal tab:
IKE Phase 1 Proposal [Dial Out]: 3DES G1
IKE Phase 1 Authentication: MD5
IKE Phase 2 Proposal: 3DES with auth
IKE Phase 2 Authentication: SHA1
Accepted Propsal: acceptall

I would stress that this is initial setup as once I got the connection working and routing traffic I have started ramping up the encryption and will keep going as long it running stable.

Hope this saves someone the hours of frustration I have had.

Please Log in or Create an account to join the conversation.

More
25 Sep 2017 23:15 #89685 by ollietait
Replied by ollietait on topic Re: Vigor 3900 to pfSense Site to site IPSec
Hi Pobster123
I'm troubleshooting a similar issue (Draytek 3900 to Cisco) - IPSEC AES256 G2, PFS, SHA. it was all working fine for months, then upgraded from FW 1.2.2 to 1.3.1 on the Draytek 3900 and now can't get any traffic through the VPN. I've tried recreating the VPN but it remains the same.

The connection appears to come up, but doesn't pass any traffic.

which FW version are you running on the Draytek?
Ollie

Please Log in or Create an account to join the conversation.

More
29 Sep 2017 11:01 #89714 by brucer214
Replied by brucer214 on topic Re: Vigor 3900 to pfSense Site to site IPSec

ollietait wrote: Hi Pobster123
I'm troubleshooting a similar issue (Draytek 3900 to Cisco) - IPSEC AES256 G2, PFS, SHA. it was all working fine for months, then upgraded from FW 1.2.2 to 1.3.1 on the Draytek 3900 and now can't get any traffic through the VPN. I've tried recreating the VPN but it remains the same.

The connection appears to come up, but doesn't pass any traffic.

which FW version are you running on the Draytek?
Ollie



Hi Ollie,

I'm just doing something similar on a 3900 (1.3.1). It would pass traffic one way, but I could not bring the tunnel up from the Cisco side until I set up a keep alive.
My settings are the same as yours but no PFS.

My main problem is stability of the 3900, it has locked up 3 times in 4 days. Have you had anything similar?

Bruce

Please Log in or Create an account to join the conversation.

More
30 Nov 2017 11:06 #90103 by ollietait
Replied by ollietait on topic Re: Vigor 3900 to pfSense Site to site IPSec
Hi BruceR214
sorry bit late on response I don't often look on here. no, not seen any 3900 lock up (I have seen them stop passing RDP traffic over VPN (other traffic flows over VPN still), seen them dump all config on a straight forward reboot, seen them loose ability to sustain an IPSec VPN so have to re-enter the config after firmware upg, they have an odd issue with "logmein application" where you have to add all the logmein remote server to a rule to force all traffic to them through one of you IP aliases rather than primary external IP (something to do with the SSL encryption i believe))

Please Log in or Create an account to join the conversation.

Moderators: ChrisSami