
Author Topic: Can't establish VPN tunnel between PFSense & Sonicwall, fixed my post with pics.  (Read 179 times)


pfrickroll
Hi
I need help understanding what I am doing wrong here. I am still learning all this stuff.
I am trying to build a VPN tunnel from a pfSense SG-2220 (2.3.4) to a SonicWall TZ400 (SonicOS Enhanced 6.2.3.1-19n). I was successfully able to set up a VPN tunnel from SonicWall to SonicWall, except for a couple of things, but that's beside the point.

The pfSense SG-2220 is connected to a Comcast modem CG3000CDR, which is in passive bridge mode (or whatever you call it) and has a static IP. Then I have a laptop for testing connected to the pfSense, which has to use the company's proprietary medical software through the VPN.
The SonicWall TZ400 is connected to a Comcast CMG modem (can't tell the model right now), and that modem is in bridge mode as well. Behind the SonicWall are switches and a Windows Server.

Here is what I did. Checking the logs, all I see is that packets are sent and nothing else happens; the VPN doesn't work at all.
The option "Set this option to disable this phase1 without removing it from the list" is always checked. I uncheck it every time, but when I get back to the settings it is checked again. Why is that? (PFsense1 pic.)
The IKE authentication options in red are different from the SonicWall's, so I am confused about what exactly I have to choose here. I tried to play around a little but had no luck. (PFsense 2 pic.)
As I stated above, the options for IKE authentication are a bit different from pfSense's, so I think my main problem is here.

If I am able to connect the pfSense with the SonicWall, then I will be able to set up our doctors to use our proprietary software to access data from our headquarters through the VPN. I tested to make sure it works when I set up a TP-Link router with a Cisco router. However, there's one thing I need to know: what do I have to do after the VPN is established so that computers/servers can see each other on the network? As I mentioned, I am new to networking, but I marked in yellow (Laptop pic.) what I mean and where they have to see each other. With the SonicWall-to-SonicWall VPN, I can ping both ways and can access a server/computer using \\x.x.x.x, but they don't see each other on the network. In the command prompt I don't see virtual IPs for the VPN...

Thanks and sorry for English mistakes.



« Last Edit: May 19, 2017, 01:18:35 pm by pfrickroll »

pfrickroll
Re: Can't connect VPN, PFSense with Sonicwall. Please help
« Reply #1 on: May 19, 2017, 12:02:36 pm »
Ok, i fixed the pictures
« Last Edit: May 19, 2017, 01:12:59 pm by pfrickroll »

pfrickroll
Anyone at all?

pfrickroll
I am still with no luck

dotdash
I am still with no luck
Perhaps something to do with your username...
Here are a few observations, recommendations-
1) Don't use 3DES; the Sonic will support AES.
2) Use main mode on the pfSense side, not aggressive
3) Don't put the public IP in the ping host on the phase2. This should be a private IP reachable via the tunnel.
4) You should be able to leave the identifiers at 'my ip address' and 'peer ip address'
5) Two Comcast lines? They are not at the same location are they?
6) If the tunnel is disabled, it will never work. Find out why this is happening first. Start your config from scratch if necessary.
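
The checklist above, turned into a small comparison script so both sides can be checked against each other before touching either GUI. This is an added example, not code from the thread or from pfSense or SonicWall; the field names, the two sample configurations and the pre-shared key are assumptions made up for illustration, and the public addresses come from RFC 5737 documentation space.

```python
"""Phase 1 checklist for a pfSense <-> SonicWall IPsec tunnel, as code.

Added example, not from the thread or from either vendor. The dictionaries
model the settings discussed in the post above; the field names, sample values
and pre-shared key are assumptions made up for illustration, and the public
addresses come from RFC 5737 documentation space.
"""
import ipaddress

WEAK_ENCRYPTION = {"des", "3des"}                     # item 1: both boxes support AES
DEFAULT_IDENTIFIERS = {"myaddress", "peeraddress"}     # item 4: pfSense defaults
# Phase 2 "ping host" must be a LAN host behind the far end. Checked against
# RFC 1918 explicitly, because ipaddress.is_private also returns True for the
# RFC 5737 documentation ranges used in the samples below.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_phase1(pfsense: dict, sonicwall: dict) -> list:
    """Return a list of findings; an empty list means phase 1 looks consistent."""
    findings = []

    # Item 6: a disabled phase 1 is never negotiated, whatever else is right.
    if pfsense.get("disabled"):
        findings.append("disabled: pfSense phase 1 is disabled and will never negotiate")

    # Key exchange. pfSense 'Auto' lets strongSwan open with IKEv2; an IKEv1-only
    # SonicWall cannot parse that exchange, so phase 1 never completes.
    pf_ver, sw_ver = pfsense["key_exchange"], sonicwall["ike_version"]
    if pf_ver == "auto" and sw_ver == 1:
        findings.append("ike_version: pfSense Key Exchange is Auto but SonicWall is IKEv1; set it to V1")
    elif pf_ver != "auto" and pf_ver != sw_ver:
        findings.append(f"ike_version: pfSense IKEv{pf_ver} vs SonicWall IKEv{sw_ver}")

    # Item 2: main mode on both sides (negotiation mode only exists in IKEv1).
    if pfsense["mode"] == "aggressive":
        findings.append("mode: pfSense phase 1 uses aggressive mode; use main mode")
    if pfsense["mode"] != sonicwall["mode"]:
        findings.append(f"mode: pfSense {pfsense['mode']} vs SonicWall {sonicwall['mode']}")

    # The phase 1 proposal has to match exactly on both ends.
    for field in ("encryption", "hash", "dh_group"):
        if str(pfsense[field]).lower() != str(sonicwall[field]).lower():
            findings.append(f"{field}: pfSense {pfsense[field]} vs SonicWall {sonicwall[field]}")
    if pfsense["encryption"].lower() in WEAK_ENCRYPTION:
        findings.append("encryption: 3DES/DES on pfSense; use AES, which the SonicWall supports")

    if pfsense["psk"] != sonicwall["psk"]:
        findings.append("psk: pre-shared keys differ")

    # Item 4: with static public IPs on both ends the default identifiers suffice.
    for side in ("my_identifier", "peer_identifier"):
        if pfsense[side] not in DEFAULT_IDENTIFIERS:
            findings.append(f"{side}: '{pfsense[side]}' set; 'My IP address'/'Peer IP address' is enough here")

    # Item 3: the ping host must be reachable through the tunnel, not the peer's WAN IP.
    ping = pfsense.get("ping_host")
    if ping and not any(ipaddress.ip_address(ping) in net for net in RFC1918):
        findings.append(f"ping_host: {ping} is not an RFC 1918 address; use a host on the remote LAN")

    return findings


# Constructed samples: roughly what the first post describes, then the same
# tunnel with items 1-4 and 6 applied. Not the poster's real configuration.
AS_POSTED_PFSENSE = {
    "disabled": True, "key_exchange": "auto", "mode": "aggressive",
    "encryption": "3DES", "hash": "SHA1", "dh_group": 2, "psk": "example-psk",
    "my_identifier": "203.0.113.10", "peer_identifier": "198.51.100.20",
    "ping_host": "198.51.100.20",                       # the SonicWall's WAN address
}
SONICWALL = {
    "ike_version": 1, "mode": "main", "encryption": "AES-256", "hash": "SHA1",
    "dh_group": 2, "psk": "example-psk",
}
FIXED_PFSENSE = dict(AS_POSTED_PFSENSE, disabled=False, key_exchange=1, mode="main",
                     encryption="AES-256", my_identifier="myaddress",
                     peer_identifier="peeraddress", ping_host="192.168.10.5")

if __name__ == "__main__":
    for label, cfg in (("as posted", AS_POSTED_PFSENSE), ("fixed", FIXED_PFSENSE)):
        print(f"{label}:")
        for finding in check_phase1(cfg, SONICWALL) or ["no phase 1 mismatches found"]:
            print("  -", finding)
```

Run as-is it prints the findings for the "as posted" sample and nothing for the fixed one. The RFC 1918 check is deliberate: `ipaddress.ip_address(x).is_private` would accept the documentation-range peer address used in the sample as "private" and hide exactly the mistake item 3 warns about.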

pfrickroll
I am still with no luck
Perhaps something to do with your username...
Here are a few observations, recommendations-
1) Don't use 3DES, the Sonic will support AES
2) Use main mode on the pfSense side, not aggressive
3) Don't put the public IP in the ping host on the phase2. This should be a private IP reachable via the tunnel.
4) You should be able to leave the identifiers at 'my ip address' and 'peer ip address'
5) Two Comcast lines? They are not at the same location are they?
6) If the tunnel is disabled, it will never work. Find out why this is happening first. Start your config from scratch if necessary.

Thank you for your reply. I doubt my name scares people away :)
I changed everything you mentioned in 1-4.
The two lines are Comcast, and they are not in the same location: two separate offices in different cities.
I rebuilt the config from scratch and still nothing. Here you can see that when I click edit on phase 1, the check mark is always on "Set this option to disable this phase1 without removing it from the list". Both phases are enabled, but only phase 1 has this check mark on. I try to uncheck it, save and apply changes, then I go back to edit and that box is checked again.
And of course I changed the config settings on the SonicWALL to match pfSense.

dotdash
I doubt my name scares people away :)

Maybe not scared away...

Something is up with your phase1 settings- It doesn't start disabled, and I've never seen it disable itself.
Post all of your phase1 settings, there must be something it doesn't like. Are you getting any IPSec errors in the log when you try to enable it?

pfrickroll
I doubt my name scares people away :)

Maybe not scared away...

Something is up with your phase1 settings- It doesn't start disabled, and I've never seen it disable itself.
Post all of your phase1 settings, there must be something it doesn't like. Are you getting any IPSec errors in the log when you try to enable it?

Here are my phase 1 settings and IPsec logs. I first cleared the logs and then disabled IPsec. Then I clicked to edit it, unchecked that disable option in phase 1, then enabled IPsec logging, and this is the info that came up in the IPsec log. Now, I even noticed myself that both firewalls talked to each other, but something went wrong and it is beyond my experience; I have just begun learning about encryption.

Derelict
Still pretty tough to tell looking at only one side.

You should probably post a new set of screen shots from both sides showing the current state of things as a pair.

The sonicwall doesn't like something and is returning "INVALID_SYNTAX" in the Phase 1 negotiation. Concentrate on Phase 1/IKE for now since you are not even getting to phase 2. The reason the sonicwall is returning that might be in the sonicwall logs.

Set the following to Diag in VPN > IPsec, Advanced, Logging: IKE SA, IKE CHILD SA, and Configuration Backend. Set everything else to Control.
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help!

dotdash
Yeah, most of the stuff in the logs is normal until you get to the last shot.
Try setting Key Exchange to V1 instead of Auto.
The syntax error is unusual, I think this is what is disabling the phase1. Try deleting the phase2 and unchecking the disabled box on the phase1. Then verify the service remains running. If that's good, add the phase2 back in.

pfrickroll
Set the following to Diag in VPN > IPsec, Advanced, Logging: IKE SA, IKE CHILD SA, and Configuration Backend. Set everything else to Control.

I don't see such an option here; everything is set to Control by default, as you can see in the picture.
The 2nd picture is the SonicWall log for that particular time.

pfrickroll
Set the following to Diag in VPN > IPsec, Advanced, Logging: IKE SA, IKE CHILD SA, and Configuration Backend. Set everything else to Control.

Ah sorry, my bad English kicked in. Going to change those settings to Diag now.

Derelict
Those sonicwall logs don't really say much. I assume they are descending later to earlier in time?

pfrickroll
Those sonicwall logs don't really say much. I assume they are descending later to earlier in time?

No, that is the only info in logs for VPN between these pfSense and Sonicwall. Nothing before or after.

dotdash
Looks like pfSense proposed a v2 exchange and the Sonic was set for v1.
Change the auto setting to v1 and try again.
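
The reasoning in the last few replies (stay on phase 1, read what the peer sent back, recognise an IKEv2 IKE_SA_INIT answered with INVALID_SYNTAX as a version mismatch) can be automated over the pfSense IPsec log. The script below is an added example, not code from the thread or from pfSense; the log lines embedded in it are constructed to resemble strongSwan charon output and are not the poster's logs, the connection names `con1000`/`con2000` are made up, and the peer addresses come from RFC 5737 documentation space.

```python
"""Triage of pfSense IPsec (charon) log lines for a tunnel stuck in phase 1.

Added example, not from the thread. Groups log lines by connection and states
what the initiator saw so the first fix is aimed at the right layer. SAMPLE_LOG
is constructed to resemble strongSwan output; names and addresses are made up.
"""
import re
from collections import defaultdict

# Constructed sample: con1000 is the situation in the thread (pfSense on Auto opens
# with IKEv2, the peer answers INVALID_SYNTAX); con2000 gets no answer at all.
SAMPLE_LOG = """\
May 19 13:01:02 charon: 10[IKE] <con1000|1> initiating IKE_SA con1000[1] to 198.51.100.20
May 19 13:01:02 charon: 10[ENC] <con1000|1> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
May 19 13:01:02 charon: 10[NET] <con1000|1> sending packet: from 203.0.113.10[500] to 198.51.100.20[500] (464 bytes)
May 19 13:01:02 charon: 12[NET] <con1000|1> received packet: from 198.51.100.20[500] to 203.0.113.10[500] (36 bytes)
May 19 13:01:02 charon: 12[ENC] <con1000|1> parsed IKE_SA_INIT response 0 [ N(INVAL_SYN) ]
May 19 13:01:02 charon: 12[IKE] <con1000|1> received INVALID_SYNTAX notify error
May 19 13:05:00 charon: 07[IKE] <con2000|2> initiating Main Mode IKE_SA con2000[2] to 198.51.100.30
May 19 13:05:00 charon: 07[ENC] <con2000|2> generating ID_PROT request 0 [ SA V V V V V ]
May 19 13:05:00 charon: 07[NET] <con2000|2> sending packet: from 203.0.113.10[500] to 198.51.100.30[500] (180 bytes)
May 19 13:05:04 charon: 09[IKE] <con2000|2> retransmit 1 of request with message ID 0
May 19 13:05:04 charon: 09[NET] <con2000|2> sending packet: from 203.0.113.10[500] to 198.51.100.30[500] (180 bytes)
"""

CON_RE = re.compile(r"<(?P<con>[^|>]+)\|\d+>")                    # strongSwan's <name|id> tag
NOTIFY_RE = re.compile(r"received (?P<notify>[A-Z_]+) (?:notify error|error notify)")


def diagnose(lines: list) -> str:
    """Explain the state of one connection from its log lines."""
    text = "\n".join(lines)
    # IKE_SA_INIT only exists in IKEv2; ID_PROT (main) and AGGRESSIVE are IKEv1 exchanges.
    if "IKE_SA_INIT" in text:
        version = "IKEv2"
    elif "ID_PROT" in text or "AGGRESSIVE" in text:
        version = "IKEv1"
    else:
        version = "unknown IKE version"
    established = re.search(r"IKE_SA \S+ established", text) is not None
    received_any = "received packet" in text
    notifies = set(NOTIFY_RE.findall(text))

    if established:
        return f"phase 1 ({version}) completed; look at phase 2 / CHILD_SA messages instead"
    if "INVALID_SYNTAX" in notifies and version == "IKEv2":
        return ("peer answered the IKEv2 IKE_SA_INIT with INVALID_SYNTAX; it is probably "
                "IKEv1-only, so set Key Exchange to V1 instead of Auto")
    if "NO_PROPOSAL_CHOSEN" in notifies:
        return f"peer rejected the {version} phase 1 proposal; align encryption/hash/DH group on both sides"
    if "AUTHENTICATION_FAILED" in notifies:
        return f"{version} authentication failed; check pre-shared key and identifiers"
    if not received_any and "retransmit" in text:
        return "no reply from peer at all; check the peer IP and that UDP 500/4500 reach the SonicWall"
    if notifies:
        return f"peer returned {', '.join(sorted(notifies))} during {version} phase 1"
    return f"{version} phase 1 in progress, no error seen yet"


def triage(log_text: str) -> dict:
    """Return {connection_name: diagnosis} for every tagged connection in the log."""
    per_con = defaultdict(list)
    for line in log_text.splitlines():
        m = CON_RE.search(line)
        if m:
            per_con[m.group("con")].append(line)
    return {con: diagnose(lines) for con, lines in per_con.items()}


if __name__ == "__main__":
    for con, verdict in triage(SAMPLE_LOG).items():
        print(f"{con}: {verdict}")
```

Feed it a copy of Status > System Logs > IPsec (with IKE SA and IKE CHILD SA at Diag, as suggested earlier in the thread) and it reports one line per connection. The order of the checks matters: an INVALID_SYNTAX notify is only read as a version mismatch when the initiator actually sent an IKEv2 exchange; on an IKEv1 exchange it falls through to the generic "peer returned ..." line, because there it can have other causes.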