DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
Vigor 3900 to pfSense Site to site IPSec
- pobster123
- Topic Author
- Offline
- New Member
Less
More
- Posts: 3
- Thank you received: 0
20 Sep 2017 15:56 #89646
by pobster123
Vigor 3900 to pfSense Site to site IPSec was created by pobster123
I have tried both main mode and aggressive. I am able to get a connection using main mode from the pfsense side but not on the vigor 3900 and doesnt route traffic.
Logs for pfSense:
12[CFG] <201> looking for pre-shared key peer configs matching 146.90.x.x...87.242.x.x[87.242.x.x]
12[IKE] <201> found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode
12[ENC] <201> generating INFORMATIONAL_V1 request 718054413 [ N(AUTH_FAILED) ]
12[NET] <201> sending packet: from 146.90.x.x[500] to 87.242.x.x[500] (56 bytes)
08[NET] <202> received packet: from 87.242.x.x[500] to 146.90.x.x[500] (344 bytes)
08[ENC] <202> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
Log from Draytek :
<141>Sep 20 15:16:48 Vigor: [IPsec] PB_Test #0 execute _updown unroute-client:
<141>Sep 20 15:16:49 Vigor: pluto[13166]: "PB_Test": add eroute 192.x.x.x/24:0 --0-> 10.x.x.x/24:0 => %trap (raw_eroute) Success
<141>Sep 20 15:16:49 Vigor: pluto[13166]: "PB_Test": eroute_connection add eroute 10.x.x.x/24:0 --0-> 192.x.x.x/24:0 => %trap (raw_eroute) Success
<141>Sep 20 15:16:49 Vigor: pluto[13166]: "PB_Test": eroute_connection add eroute 0.0.0.0/0:0 --0-> 192.x.x.x/24:0 => %trap (raw_eroute) Success
<141>Sep 20 15:16:50 Vigor: [IPsec] PB_Test #0 execute _updown prepare-client:
<141>Sep 20 15:16:50 Vigor: [IPsec] PB_Test #0 execute _updown route-client:
<141>Sep 20 15:16:50 Vigor: pluto[13166]: "PB_Test" #22785: initiating Aggressive Mode #22785, connection "PB_Test"
<141>Sep 20 15:16:50 Vigor: pluto[13166]: packet from 146.90.x.x:500: ignoring informational payload, type AUTHENTICATION_FAILED
<141>Sep 20 15:16:50 Vigor: pluto[13166]: packet from 146.90.x.x:500: received and ignored informational message
<141>Sep 20 15:17:00 Vigor: pluto[13166]: packet from 146.90.x.x:500: ignoring informational payload, type AUTHENTICATION_FAILED
<141>Sep 20 15:17:00 Vigor: pluto[13166]: packet from 146.90.x.x:500: received and ignored informational message
<141>Sep 20 15:17:19 Vigor: pluto[13166]: "PB_Test" #22785: deleting state (STATE_AGGR_I1)
<141>Sep 20 15:17:19 Vigor: pluto[13166]: "PB_Test" #22785: deleting state #22785
<141>Sep 20 15:17:19 Vigor: pluto[13166]: packet from 146.90.x.x:500: ignoring informational payload, type AUTHENTICATION_FAILED
<141>Sep 20 15:17:19 Vigor: pluto[13166]: packet from 146.90.x.x:500: received and ignored informational message
We have setup on draytek Phase 1 Proposal: 3DES G1, Phase 1 Authentication: SHA1, Phase 2 Proposal: 3DES with auth, Phase 2 Authentication: All
Its the same on pfSense Phase 1 Encryption Algorithm: 3DES, Hash Alogrithm: SHA 1, DH Group 1 (768), Phase 2 Encryption Algorithm: 3DES, Hash Alogrithm: MD5 & SHA 1 , DH Group 1 (768)
Logs for pfSense:
12[CFG] <201> looking for pre-shared key peer configs matching 146.90.x.x...87.242.x.x[87.242.x.x]
12[IKE] <201> found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode
12[ENC] <201> generating INFORMATIONAL_V1 request 718054413 [ N(AUTH_FAILED) ]
12[NET] <201> sending packet: from 146.90.x.x[500] to 87.242.x.x[500] (56 bytes)
08[NET] <202> received packet: from 87.242.x.x[500] to 146.90.x.x[500] (344 bytes)
08[ENC] <202> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
Log from Draytek :
<141>Sep 20 15:16:48 Vigor: [IPsec] PB_Test #0 execute _updown unroute-client:
<141>Sep 20 15:16:49 Vigor: pluto[13166]: "PB_Test": add eroute 192.x.x.x/24:0 --0-> 10.x.x.x/24:0 => %trap (raw_eroute) Success
<141>Sep 20 15:16:49 Vigor: pluto[13166]: "PB_Test": eroute_connection add eroute 10.x.x.x/24:0 --0-> 192.x.x.x/24:0 => %trap (raw_eroute) Success
<141>Sep 20 15:16:49 Vigor: pluto[13166]: "PB_Test": eroute_connection add eroute 0.0.0.0/0:0 --0-> 192.x.x.x/24:0 => %trap (raw_eroute) Success
<141>Sep 20 15:16:50 Vigor: [IPsec] PB_Test #0 execute _updown prepare-client:
<141>Sep 20 15:16:50 Vigor: [IPsec] PB_Test #0 execute _updown route-client:
<141>Sep 20 15:16:50 Vigor: pluto[13166]: "PB_Test" #22785: initiating Aggressive Mode #22785, connection "PB_Test"
<141>Sep 20 15:16:50 Vigor: pluto[13166]: packet from 146.90.x.x:500: ignoring informational payload, type AUTHENTICATION_FAILED
<141>Sep 20 15:16:50 Vigor: pluto[13166]: packet from 146.90.x.x:500: received and ignored informational message
<141>Sep 20 15:17:00 Vigor: pluto[13166]: packet from 146.90.x.x:500: ignoring informational payload, type AUTHENTICATION_FAILED
<141>Sep 20 15:17:00 Vigor: pluto[13166]: packet from 146.90.x.x:500: received and ignored informational message
<141>Sep 20 15:17:19 Vigor: pluto[13166]: "PB_Test" #22785: deleting state (STATE_AGGR_I1)
<141>Sep 20 15:17:19 Vigor: pluto[13166]: "PB_Test" #22785: deleting state #22785
<141>Sep 20 15:17:19 Vigor: pluto[13166]: packet from 146.90.x.x:500: ignoring informational payload, type AUTHENTICATION_FAILED
<141>Sep 20 15:17:19 Vigor: pluto[13166]: packet from 146.90.x.x:500: received and ignored informational message
We have setup on draytek Phase 1 Proposal: 3DES G1, Phase 1 Authentication: SHA1, Phase 2 Proposal: 3DES with auth, Phase 2 Authentication: All
Its the same on pfSense Phase 1 Encryption Algorithm: 3DES, Hash Alogrithm: SHA 1, DH Group 1 (768), Phase 2 Encryption Algorithm: 3DES, Hash Alogrithm: MD5 & SHA 1 , DH Group 1 (768)
Please Log in or Create an account to join the conversation.
- pobster123
- Topic Author
- Offline
- New Member
Less
More
- Posts: 3
- Thank you received: 0
20 Sep 2017 15:58 #89647
by pobster123
Replied by pobster123 on topic Re: Vigor 3900 to pfSense Site to site IPSec
Any help will be really appreciated, if you need any more information please let me know.
I have followed lots of posts and vlogs found searching the error but non have solved my issue.
I have followed lots of posts and vlogs found searching the error but non have solved my issue.
Please Log in or Create an account to join the conversation.
- pobster123
- Topic Author
- Offline
- New Member
Less
More
- Posts: 3
- Thank you received: 0
21 Sep 2017 15:22 #89650
by pobster123
Replied by pobster123 on topic Re: Vigor 3900 to pfSense Site to site IPSec
Just wanted to give an update, I have managed to solve my issues connecting to pfSense firewall.
I would recommend initially creating the Ipsec connection with the following settings:
On the pfSense:
Phase 1: Encryption alogorithm: 3DES, Hash Algorithm, MD5, DH Group 1 (768 bit)
Phase 2: Encryption alogorithm: 3DES, Hash Algorithm, SHA1, PFS key group off
On the Draytek under Proposal tab:
IKE Phase 1 Proposal [Dial Out]: 3DES G1
IKE Phase 1 Authentication: MD5
IKE Phase 2 Proposal: 3DES with auth
IKE Phase 2 Authentication: SHA1
Accepted Propsal: acceptall
I would stress that this is initial setup as once I got the connection working and routing traffic I have started ramping up the encryption and will keep going as long it running stable.
Hope this saves someone the hours of frustration I have had.
I would recommend initially creating the Ipsec connection with the following settings:
On the pfSense:
Phase 1: Encryption alogorithm: 3DES, Hash Algorithm, MD5, DH Group 1 (768 bit)
Phase 2: Encryption alogorithm: 3DES, Hash Algorithm, SHA1, PFS key group off
On the Draytek under Proposal tab:
IKE Phase 1 Proposal [Dial Out]: 3DES G1
IKE Phase 1 Authentication: MD5
IKE Phase 2 Proposal: 3DES with auth
IKE Phase 2 Authentication: SHA1
Accepted Propsal: acceptall
I would stress that this is initial setup as once I got the connection working and routing traffic I have started ramping up the encryption and will keep going as long it running stable.
Hope this saves someone the hours of frustration I have had.
Please Log in or Create an account to join the conversation.
- ollietait
- Offline
- Junior Member
Less
More
- Posts: 20
- Thank you received: 0
25 Sep 2017 23:15 #89685
by ollietait
Replied by ollietait on topic Re: Vigor 3900 to pfSense Site to site IPSec
Hi Pobster123
I'm troubleshooting a similar issue (Draytek 3900 to Cisco) - IPSEC AES256 G2, PFS, SHA. it was all working fine for months, then upgraded from FW 1.2.2 to 1.3.1 on the Draytek 3900 and now can't get any traffic through the VPN. I've tried recreating the VPN but it remains the same.
The connection appears to come up, but doesn't pass any traffic.
which FW version are you running on the Draytek?
Ollie
I'm troubleshooting a similar issue (Draytek 3900 to Cisco) - IPSEC AES256 G2, PFS, SHA. it was all working fine for months, then upgraded from FW 1.2.2 to 1.3.1 on the Draytek 3900 and now can't get any traffic through the VPN. I've tried recreating the VPN but it remains the same.
The connection appears to come up, but doesn't pass any traffic.
which FW version are you running on the Draytek?
Ollie
Please Log in or Create an account to join the conversation.
- brucer214
- Offline
- Banned
Less
More
- Posts: 1
- Thank you received: 0
29 Sep 2017 11:01 #89714
by brucer214
Hi Ollie,
I'm just doing something similar on a 3900 (1.3.1). It would pass traffic one way, but I could not bring the tunnel up from the Cisco side until I set up a keep alive.
My settings are the same as yours but no PFS.
My main problem is stability of the 3900, it has locked up 3 times in 4 days. Have you had anything similar?
Bruce
Replied by brucer214 on topic Re: Vigor 3900 to pfSense Site to site IPSec
Hi Pobster123ollietait wrote:
I'm troubleshooting a similar issue (Draytek 3900 to Cisco) - IPSEC AES256 G2, PFS, SHA. it was all working fine for months, then upgraded from FW 1.2.2 to 1.3.1 on the Draytek 3900 and now can't get any traffic through the VPN. I've tried recreating the VPN but it remains the same.
The connection appears to come up, but doesn't pass any traffic.
which FW version are you running on the Draytek?
Ollie
Hi Ollie,
I'm just doing something similar on a 3900 (1.3.1). It would pass traffic one way, but I could not bring the tunnel up from the Cisco side until I set up a keep alive.
My settings are the same as yours but no PFS.
My main problem is stability of the 3900, it has locked up 3 times in 4 days. Have you had anything similar?
Bruce
Please Log in or Create an account to join the conversation.
- ollietait
- Offline
- Junior Member
Less
More
- Posts: 20
- Thank you received: 0
30 Nov 2017 11:06 #90103
by ollietait
Replied by ollietait on topic Re: Vigor 3900 to pfSense Site to site IPSec
Hi BruceR214
sorry bit late on response I don't often look on here. no, not seen any 3900 lock up (I have seen them stop passing RDP traffic over VPN (other traffic flows over VPN still), seen them dump all config on a straight forward reboot, seen them loose ability to sustain an IPSec VPN so have to re-enter the config after firmware upg, they have an odd issue with "logmein application" where you have to add all the logmein remote server to a rule to force all traffic to them through one of you IP aliases rather than primary external IP (something to do with the SSL encryption i believe))
sorry bit late on response I don't often look on here. no, not seen any 3900 lock up (I have seen them stop passing RDP traffic over VPN (other traffic flows over VPN still), seen them dump all config on a straight forward reboot, seen them loose ability to sustain an IPSec VPN so have to re-enter the config after firmware upg, they have an odd issue with "logmein application" where you have to add all the logmein remote server to a rule to force all traffic to them through one of you IP aliases rather than primary external IP (something to do with the SSL encryption i believe))
Please Log in or Create an account to join the conversation.
Moderators: Chris, Sami
Copyright © 2024 DrayTek