


VPN for Alcatel pbx
« on: September 13, 2017, 06:55:16 am »
Hi


We provide service for Alcatel PBXs. For remote service, Alcatel developed a new system where you can trigger the PBX to open an IPsec VPN to our site. The only thing I can configure is shown in the screenshot:

http://imgur.com/3YotO65

For the IPsec endpoint on our side, Alcatel provides only a reference guide for FortiGate. The peer should look like the following:

config system interface
edit "wan1"
set vdom "root"
set ip 10.0.0.2 255.255.255.0
set allowaccess ping
set type physical
next
edit "internal" set vdom "root"
set ip 172.26.190.2 255.255.255.0
set allowaccess ping https ssh
set type physical
next
edit "oxovpn"
set vdom "root"
set ip 0.0.0.0 255.255.255.255
set allowaccess ping
set type tunnel
set interface "wan1"
next
end
config user group
edit "oxovpnusers"
set member "user1"
next
end
config user local
edit "user1"
set type password
set passwd user1_password
next
end
config router static edit 1
set device "wan1"
set gateway 10.0.0.1
next
end
config vpn ipsec phase1-interface
edit "oxovpn"
set type dynamic
set interface "wan1"
set keylife 14400
set xauthtype auto
set mode aggressive
set mode-cfg enable
set proposal aes256-sha256
set localid "30.0.0.1"
set dhgrp 14
set authusrgrp "oxovpnusers"
set ipv4-start-ip 10.215.0.1
set ipv4-end-ip 10.215.0.255
set ipv4-netmask 255.255.255.0
set psksecret presharedkey
set keepalive 30
next
end
config vpn ipsec phase2-interface edit "oxovpnp2"
set keepalive enable
set phase1name "oxovpn"
set proposal aes256-sha256
set keylifeseconds 12000
set dhgrp 14
next
end
config firewall vip
edit "oxo2forti"
set extip 30.0.0.1
set extintf "oxovpn"
set mappedip 10.0.0.2
next
end
config firewall ippool
edit "natr"
set endip 30.0.0.1
set startip 30.0.0.1
set arp-reply disable
next
end
config firewall address
edit "oxovpn_range"
set type iprange
set start-ip 10.215.0.1
set end-ip 10.215.0.255
next
edit "ws_range"
set associated-interface "internal"
set subnet 172.26.190.0 255.255.255.0
set allow-routing enable
next
end
config firewall policy
edit 1
set srcintf "internal"
set dstintf "oxovpn"
set srcaddr "ws_range"
set dstaddr "oxovpn_range"
set action accept
set schedule "always"
set service "HTTPS"
set nat enable
set ippool enable
set poolname "natr"
next
edit 2
set srcintf "oxovpn"
set dstintf "wan1"
set srcaddr "oxovpn_range"
set dstaddr "oxo2forti"
set action accept
set schedule "always"
set service "ALL_ICMP"
next
end

I want to do this with pfSense but failed pretty hard. My ipsec.conf looks like this:

999.999.999.999 is our public IP
111.111.111.111 is the dynamic IP where the PBX is located

# strongSwan ipsec.conf connection as posted: pfSense is the responder,
# the Alcatel PBX (dynamic address, behind NAT per the charon log) initiates.
conn con2
# Allow IKE message fragmentation.
fragmentation = yes
# "ike" accepts either IKE version as responder; the log below shows the
# peer negotiating IKEv2 (IKE_SA_INIT / IKE_AUTH exchanges).
keyexchange = ike
reauth = yes
# Force UDP encapsulation (the log reports "remote host is behind NAT"
# and the IKE_AUTH request arrives on port 4500).
forceencaps = yes
# The peer advertises MOBIKE support in IKE_AUTH ("peer supports MOBIKE").
mobike = yes

rekey = no
installpolicy = yes
type = tunnel
# No dead peer detection on this side.
dpdaction = none
# Load the connection but do not initiate it; wait for the PBX to connect.
auto = add
# Placeholder for our public IP (see the note above the listing).
left = 999.999.999.999
# Accept the initiator from any address (the PBX has a dynamic IP).
right = %any
# NOTE(review): the IKE_AUTH log shows the peer addressing us with
# IDr 999.999.999.999 (and itself as "OXO") while this side identifies as
# "pfsense"; the FortiGate reference sets an IP-style localid. This identity
# mismatch is a plausible reason for "no matching peer config found" —
# confirm which responder ID the PBX is configured to expect.
leftid = "pfsense"
# IKE SA lifetime; matches "set keylife 14400" in the FortiGate reference.
ikelifetime = 14400s
# CHILD SA lifetime; matches "set keylifeseconds 12000" in the reference.
lifetime = 12000s
# NOTE(review): the virtual-IP pool handed to the peer lies inside
# leftsubnet (both in 10.1.254.0/24). The FortiGate reference keeps the
# client pool (10.215.0.1-255) separate from the internal range — verify
# the overlap is intended.
rightsourceip = 10.1.254.10/24
# Strict proposals ("!"); they match the proposal selected in the log
# (AES_CBC_256 / HMAC_SHA2_256_128 / MODP_2048).
ike = aes256-sha256-modp2048!
esp = aes256-sha256-modp2048!
leftauth = psk
# NOTE(review): the peer's IKE_AUTH request carries N(EAP_ONLY) and a
# CPRQ(ADDR DNS) configuration request, and the FortiGate reference
# authenticates the PBX against a user group (xauth / authusrgrp). That
# suggests the PBX expects to authenticate itself with EAP (username and
# password) rather than PSK — confirm against the PBX-side settings.
rightauth = psk
# IKEv1 aggressive mode only; it has no effect on the IKEv2 exchange seen
# in the log. Aggressive mode with PSK is generally considered weak (peer
# identity and PSK-derived hash are sent unprotected), so keep it only if
# the peer actually requires IKEv1 aggressive mode.
aggressive = yes
leftsubnet = 10.1.254.0/24

If I trigger the VPN connection, I get the following log:

Aug 29 12:27:55 charon 15[NET] <1> received packet: from 111.111.111.111[798] to 999.999.999.999[500] (448 bytes)
Aug 29 12:27:55 charon 15[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
Aug 29 12:27:55 charon 15[CFG] <1> looking for an ike config for 999.999.999.999...111.111.111.111
Aug 29 12:27:55 charon 15[CFG] <1> candidate: 999.999.999.999...%any, prio 1048
Aug 29 12:27:55 charon 15[CFG] <1> found matching ike config: 999.999.999.999...%any with prio 1048
Aug 29 12:27:55 charon 15[IKE] <1> 111.111.111.111 is initiating an IKE_SA
Aug 29 12:27:55 charon 15[IKE] <1> IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
Aug 29 12:27:55 charon 15[CFG] <1> selecting proposal:
Aug 29 12:27:55 charon 15[CFG] <1> proposal matches
Aug 29 12:27:55 charon 15[CFG] <1> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Aug 29 12:27:55 charon 15[CFG] <1> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Aug 29 12:27:55 charon 15[CFG] <1> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Aug 29 12:27:55 charon 15[IKE] <1> remote host is behind NAT
Aug 29 12:27:55 charon 15[ENC] <1> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
Aug 29 12:27:55 charon 15[NET] <1> sending packet: from 999.999.999.999[500] to 111.111.111.111[798] (456 bytes)
Aug 29 12:27:56 charon 09[NET] <1> received packet: from 111.111.111.111[55227] to 999.999.999.999[4500] (288 bytes)
Aug 29 12:27:56 charon 09[ENC] <1> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Aug 29 12:27:56 charon 09[CFG] <1> looking for peer configs matching 999.999.999.999[999.999.999.999]...111.111.111.111[OXO]
Aug 29 12:27:56 charon 09[CFG] <1> no matching peer config found
Aug 29 12:27:56 charon 09[IKE] <1> processing INTERNAL_IP4_ADDRESS attribute
Aug 29 12:27:56 charon 09[IKE] <1> processing INTERNAL_IP4_DNS attribute
Aug 29 12:27:56 charon 09[IKE] <1> peer supports MOBIKE
Aug 29 12:27:56 charon 09[ENC] <1> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Aug 29 12:27:56 charon 09[NET] <1> sending packet: from 999.999.999.999[4500] to 111.111.111.111[55227] (80 bytes)
Aug 29 12:27:56 charon 09[IKE] <1> IKE_SA (unnamed)[1] state change: CONNECTING => DESTROYING
I have no idea why I get the message "no matching peer config found". Maybe someone here is familiar with both systems and can give me a hint where to find my error...