It's a bit antique selection of ciphers. Problem is in DH group. try enabling same DH also in pfsense.
-- Eero 2017-02-03 13:17 GMT+02:00 Roland Giesler <[email protected]>: > On Tue, Jan 24, 2017 at 8:16 PM, Eero Volotinen <[email protected]> > wrote: > >> What hardware is other side running? Why you are trying to use 3des? >> > > The other side is Sonicwall. I'm using 3DES because it's enabled by > default and seeming a simple place to start. > > However, regardless of what I select (by ticking the boxes - net very > difficult), that is then not offered. So if I select 3DES, it is not > offered. If I select SHA256 it's not offered, and so on. > > Roland > > > >> >> Eero >> >> 2017-01-17 16:36 GMT+02:00 Roland Giesler <[email protected]>: >> >>> We've battled all afternoon to establish an IPSec site-to-site >>> connection. >>> Here's what happens: >>> >>> TimeProcessPIDMessage >>> Jan 17 15:58:53 charon 05[NET] <197> sending packet: from >>> 129.232.232.130[500] to 105.27.116.62[500] (56 bytes) >>> Jan 17 15:58:53 charon 05[ENC] <197> generating INFORMATIONAL_V1 request >>> 2809641300 [ N(NO_PROP) ] >>> Jan 17 15:58:53 charon 05[IKE] <197> no proposal found >>> Jan 17 15:58:53 charon 05[CFG] <197> configured proposals: >>> IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072, >>> IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAM >>> ELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HM >>> AC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_MD5_96/HMAC_SHA1_96/ >>> AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_ >>> 384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_ >>> HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_ >>> BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_ >>> 2048/MODP_2048_256/MODP_1024, >>> IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_ >>> 128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_19 >>> 2/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC >>> _SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_ >>> HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_ >>> 512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024 >>> Jan 17 15:58:53 charon 05[CFG] <197> received proposals: >>> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536 >>> Jan 17 15:58:53 charon 05[IKE] <197> 105.27.116.62 is initiating a >>> Aggressive Mode IKE_SA >>> >>> The strange thing is that I have set 3DES and SHA1 to in my setup, yet it >>> is not being offered. I have also test quite a few other like AES 265 >>> and >>> SHA2, but they are also not offered. The other side (SonicWall) is >>> offering what we set mutually. >>> >>> Is this a bug? If now, how to I force pfSense to behave and start using >>> the settings I set. >>> >>> IPSec IKE V2 with pre-shared key. >>> >>> I'm running 2.3.2_1 >>> >>> Anyone that has seen this? >>> >>> regards >>> >>> >>> Roland Giesler >>> _______________________________________________ >>> pfSense mailing list >>> https://lists.pfsense.org/mailman/listinfo/list >>> Support the project with Gold! https://pfsense.org/gold >>> >> >> > _______________________________________________ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold
