
rc_martin
Identifier issue
« on: November 28, 2017, 06:23:10 am »
Dear community,

My task is to connect different locations of the company I'm working in via VPN. Such connections already exist, but the current router should be replaced by a pfSense.

Here's the problem:
I cannot establish an IPsec connection if the remote station has not entered an identifier (My Identifier/Peer Identifier) in phase 1. The current router from Lancom doesn't seem to use this option, as it holds all tunnels without these options being registered. There is only "No identity" selected. Such an option is not given in the configuration of the pfSense.
For testing purposes, I have attached the pfSense to another WAN and tried to connect to the Lancom router that I can access. The IPsec tunnel only established as soon as I entered the same identifier on both sides (WAN-IP on both sides). Therefore, I assume that the configurations are correct except for the identifiers.
Is it possible to establish a connection without an identifier with the Lancom router? Unfortunately, I can't walk to all major customers and ask them to do so. Especially since I don't even know if this is 100% the cause.

Here are the pfSense logs:

11[IKE] <27> IKE_SA (unnamed)[27] state change: CONNECTING => DESTROYING
14[CFG] vici client 57 connected
08[CFG] vici client 57 registered for: list-sa
14[CFG] vici client 57 requests: list-sas
08[CFG] vici client 57 disconnected
14[CFG] received stroke: terminate 'con10000'
14[CFG] no IKE_SA named 'con10000' found
08[CFG] received stroke: initiate 'con10000'
14[IKE] <con10000|28> queueing ISAKMP_VENDOR task
14[IKE] <con10000|28> queueing ISAKMP_CERT_PRE task
14[IKE] <con10000|28> queueing MAIN_MODE task
14[IKE] <con10000|28> queueing ISAKMP_CERT_POST task
14[IKE] <con10000|28> queueing ISAKMP_NATD task
14[IKE] <con10000|28> queueing QUICK_MODE task
14[IKE] <con10000|28> activating new tasks
14[IKE] <con10000|28> activating ISAKMP_VENDOR task
14[IKE] <con10000|28> activating ISAKMP_CERT_PRE task
14[IKE] <con10000|28> activating MAIN_MODE task
14[IKE] <con10000|28> activating ISAKMP_CERT_POST task
14[IKE] <con10000|28> activating ISAKMP_NATD task
14[IKE] <con10000|28> sending XAuth vendor ID
14[IKE] <con10000|28> sending DPD vendor ID
14[IKE] <con10000|28> sending FRAGMENTATION vendor ID
14[IKE] <con10000|28> sending NAT-T (RFC 3947) vendor ID
14[IKE] <con10000|28> sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
14[IKE] <con10000|28> initiating Main Mode IKE_SA con10000[28] to
14[IKE] <con10000|28> IKE_SA con10000[28] state change: CREATED => CONNECTING
14[CFG] <con10000|28> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
14[ENC] <con10000|28> generating ID_PROT request 0 [ SA V V V V V ]
14[NET] <con10000|28> sending packet: from[500] to[500] (180 bytes)
05[CFG] vici client 58 connected
05[CFG] vici client 58 registered for: list-sa
12[CFG] vici client 58 requests: list-sas
05[CFG] vici client 58 disconnected
05[IKE] <con10000|28> sending retransmit 1 of request message ID 0, seq 1
05[NET] <con10000|28> sending packet: from[500] to[500] (180 bytes)
12[CFG] vici client 59 connected
12[CFG] vici client 59 registered for: list-sa
07[CFG] vici client 59 requests: list-sas
12[CFG] vici client 59 disconnected
12[IKE] <con10000|28> sending retransmit 2 of request message ID 0, seq 1
12[NET] <con10000|28> sending packet: from[500] to[500] (180 bytes)
07[CFG] vici client 60 connected
12[CFG] vici client 60 registered for: list-sa
07[CFG] vici client 60 requests: list-sas
07[CFG] vici client 60 disconnected
15[CFG] vici client 61 connected
15[CFG] vici client 61 registered for: list-sa
07[CFG] vici client 61 requests: list-sas
09[CFG] vici client 61 disconnected

And here the Lancom logs:

Info           Disconnected from peer companyVDSL: 017 006
Fehler   VPN: Error for peer companyVDSL: IFC-I-Connection-timeout-IKE-IPSEC
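Added here as an illustration and not part of the original post: a small Python triage script over charon (strongSwan) log lines like the ones above. It classifies where an IKEv1 Main Mode negotiation stalled by tracking which payloads the initiator managed to send and whether any response was ever parsed. In Main Mode the first two messages carry only the SA proposal and vendor IDs; the ID payload is sent in the fifth message, so an initiator that keeps retransmitting its first message has not yet presented any identifier to the peer. The con10000 lines in the sample are the ones from the post; the con20000 lines and the address 192.0.2.10 are constructed to show a negotiation that got as far as the identity exchange.

```python
import re
from collections import defaultdict

# Sample input (constructed for this example): the con10000 lines are taken from
# the charon log in the post above (peer addresses were redacted by the poster);
# the con20000 lines are hypothetical and show a negotiation that got as far as
# sending its identity before the peer went quiet.
SAMPLE_LOG = """\
08[CFG] received stroke: initiate 'con10000'
14[IKE] <con10000|28> initiating Main Mode IKE_SA con10000[28] to
14[IKE] <con10000|28> IKE_SA con10000[28] state change: CREATED => CONNECTING
14[ENC] <con10000|28> generating ID_PROT request 0 [ SA V V V V V ]
14[NET] <con10000|28> sending packet: from[500] to[500] (180 bytes)
05[IKE] <con10000|28> sending retransmit 1 of request message ID 0, seq 1
12[IKE] <con10000|28> sending retransmit 2 of request message ID 0, seq 1
09[IKE] <con20000|3> initiating Main Mode IKE_SA con20000[3] to 192.0.2.10
09[ENC] <con20000|3> generating ID_PROT request 0 [ SA V V V V V ]
09[ENC] <con20000|3> parsed ID_PROT response 0 [ SA V V V ]
09[ENC] <con20000|3> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
09[ENC] <con20000|3> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
09[ENC] <con20000|3> generating ID_PROT request 0 [ ID HASH ]
10[IKE] <con20000|3> sending retransmit 1 of request message ID 0, seq 3
"""

# One charon log line: "<thread>[<group>] <conn|sa-id> message"
LINE_RE = re.compile(
    r"^(?P<thread>\d+)\[(?P<group>[A-Z]+)\]\s+"
    r"(?:<(?:(?P<conn>[^|>]+)\|)?(?P<sa>\d+)>\s+)?"
    r"(?P<msg>.*)$"
)
GEN_RE = re.compile(r"generating (?P<exch>\w+) request \d+ \[ (?P<payloads>[^\]]*)\]")
PARSED_RE = re.compile(r"parsed (?P<exch>\w+) response \d+")
RETRANSMIT_RE = re.compile(r"sending retransmit (?P<n>\d+) of request message ID \d+")


def _new_state():
    return {"initiated": False, "sent_payloads": [], "responses": 0,
            "retransmits": 0, "id_sent": False}


def classify(s):
    """Map the counters for one IKE_SA to a coarse verdict string."""
    if not s["initiated"]:
        return "NOT_INITIATED"
    if s["retransmits"] == 0:
        return "PROGRESSING"
    if s["responses"] == 0:
        # Retransmitting the very first message: the peer never answered the SA
        # proposal. Reachability, UDP/500 filtering or a silently rejected
        # proposal are the candidates; no identifier has been sent yet.
        return "NO_RESPONSE_AT_ALL"
    if s["id_sent"]:
        # SA and KE exchanges completed, then silence after the ID/HASH message:
        # this is where identifier or pre-shared-key mismatches surface.
        return "STALLED_AT_ID_EXCHANGE"
    return "STALLED_MID_EXCHANGE"


def analyse(log_text):
    """Return {"<conn>[<sa>]": counters + verdict} for every IKE_SA in the log."""
    state = defaultdict(_new_state)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m.group("conn") is None:
            continue  # vici/stroke chatter and unnamed SAs carry no per-tunnel info
        s = state[f"{m.group('conn')}[{m.group('sa')}]"]
        msg = m.group("msg")
        if msg.startswith("initiating "):
            s["initiated"] = True
        elif (g := GEN_RE.match(msg)):
            payloads = g.group("payloads").split()
            s["sent_payloads"].append(payloads)
            if "ID" in payloads:
                s["id_sent"] = True
        elif PARSED_RE.match(msg):
            s["responses"] += 1
        elif (r := RETRANSMIT_RE.match(msg)):
            s["retransmits"] = max(s["retransmits"], int(r.group("n")))
    return {k: dict(v, verdict=classify(v)) for k, v in state.items()}


if __name__ == "__main__":
    for sa, info in analyse(SAMPLE_LOG).items():
        print(f"{sa}: {info['verdict']} "
              f"(responses={info['responses']}, retransmits={info['retransmits']})")
```

Run against the pfSense log in the post, con10000[28] comes out as NO_RESPONSE_AT_ALL: the initiator retransmitted its SA proposal twice and never parsed a single reply, which is consistent with the Lancom side logging a plain IKE connection timeout. The constructed con20000[3] shows what a stall at the identity step looks like by contrast, which is the pattern to look for when an identifier mismatch is the suspected cause.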