On Fri, Feb 3, 2017 at 1:19 PM, Eero Volotinen <eero.voloti...@iki.fi>
wrote:

> It's a bit antique selection of ciphers.
>

It is indeed.  We were experimenting for a long time with many others and
got similar results (no matches).  So I opted to check what pfSense offers
and set Sonicwall to ask for that, but Sonicwall can't do MODP_3072, which
is the only combination of what pfSense offers and what Sonicwall supports.

We gave up in the end and opted to use SSH tunnels to work through, rather
than set up a VPN.  In the end we may have to set up OpenVPN, with mobile
clients rather than site-to-site...  :-(  Not what we had in mind.

Roland


>
> Problem is in DH group. try enabling same DH also in pfsense.
>
> --
> Eero
>
> 2017-02-03 13:17 GMT+02:00 Roland Giesler <roland@greentree.systems>:
>
>> On Tue, Jan 24, 2017 at 8:16 PM, Eero Volotinen <eero.voloti...@iki.fi>
>> wrote:
>>
>>> What hardware is the other side running? Why are you trying to use 3DES?
>>>
>>
>> The other side is Sonicwall.  I'm using 3DES because it's enabled by
>> default and seemed a simple place to start.
>>
>> However, regardless of what I select (by ticking the boxes - not very
>> difficult), that is then not offered.  So if I select 3DES, it is not
>> offered.  If I select SHA256 it's not offered, and so on.
>>
>> Roland
>>
>>
>>
>>>
>>> Eero
>>>
>>> 2017-01-17 16:36 GMT+02:00 Roland Giesler <rol...@thegreentree.za.net>:
>>>
>>>> We've battled all afternoon to establish an IPSec site-to-site
>>>> connection.
>>>> Here's what happens:
>>>>
>>>> Time  Process  PID  Message
>>>> Jan 17 15:58:53 charon 05[NET] <197> sending packet: from 129.232.232.130[500] to 105.27.116.62[500] (56 bytes)
>>>> Jan 17 15:58:53 charon 05[ENC] <197> generating INFORMATIONAL_V1 request 2809641300 [ N(NO_PROP) ]
>>>> Jan 17 15:58:53 charon 05[IKE] <197> no proposal found
>>>> Jan 17 15:58:53 charon 05[CFG] <197> configured proposals:
>>>> IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072,
>>>> IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_MD5_96/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024,
>>>> IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024
>>>> Jan 17 15:58:53 charon 05[CFG] <197> received proposals:
>>>> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
>>>> Jan 17 15:58:53 charon 05[IKE] <197> 105.27.116.62 is initiating a Aggressive Mode IKE_SA
>>>>
>>>> The strange thing is that I have set 3DES and SHA1 in my setup, yet it
>>>> is not being offered.  I have also tested quite a few others like AES 256
>>>> and SHA2, but they are also not offered.  The other side (SonicWall) is
>>>> offering what we set mutually.
>>>>
>>>> Is this a bug?  If not, how do I force pfSense to behave and start using
>>>> the settings I set?
>>>>
>>>> IPSec IKE V2 with pre-shared key.
>>>>
>>>> I'm running 2.3.2_1
>>>>
>>>> Anyone that has seen this?
>>>>
>>>> regards
>>>>
>>>>
>>>> Roland Giesler
>>>> _______________________________________________
>>>> pfSense mailing list
>>>> https://lists.pfsense.org/mailman/listinfo/list
>>>> Support the project with Gold! https://pfsense.org/gold
>>>>
>>>
>>>
>>
>
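The "no proposal found" diagnosis in this thread can be checked mechanically rather than by eye. The following is an added example, not code from the thread, from pfSense or from strongSwan: it parses the "configured proposals" / "received proposals" lines that charon logs, splits each IKE proposal into its transform types, and reports, per configured proposal, which transform types have nothing in common with what the peer sent. The sample log is constructed from the lines quoted above with the mail wrapping undone; the classification of algorithm names into encryption, integrity, PRF and DH group by name prefix is my assumption about strongSwan's naming, not something the thread states.

```python
import re

# Constructed sample input: the relevant charon lines from the thread,
# with the mail-wrapped proposal lists re-joined onto single log lines.
SAMPLE_LOG = (
    "Jan 17 15:58:53 charon 05[IKE] <197> no proposal found\n"
    "Jan 17 15:58:53 charon 05[CFG] <197> configured proposals: "
    "IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072, "
    "IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/"
    "CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/"
    "HMAC_MD5_96/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/"
    "PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/"
    "ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/"
    "MODP_8192/MODP_2048/MODP_2048_256/MODP_1024, "
    "IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/"
    "AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/"
    "PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/"
    "PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/"
    "MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024\n"
    "Jan 17 15:58:53 charon 05[CFG] <197> received proposals: "
    "IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536\n"
)

PROPOSAL_LINE = re.compile(r"(configured|received) proposals:\s*(.*)$")


def transform_type(alg):
    """Map an algorithm name to its IKE transform type (assumed prefix convention)."""
    if alg.startswith("PRF_"):
        return "prf"
    if alg.startswith(("MODP_", "ECP_")):
        return "dh"
    if alg.startswith(("HMAC_", "AES_XCBC_", "AES_CMAC_")):
        return "integ"
    return "enc"  # AES_CBC_*, 3DES_CBC, CAMELLIA_*, AES_GCM_* (AEAD carries no separate integ)


def parse_proposal(text):
    """'IKE:A/B/C' -> {'enc': {...}, 'integ': {...}, 'prf': {...}, 'dh': {...}}"""
    _proto, _, algs = text.strip().partition(":")
    groups = {}
    for alg in algs.split("/"):
        groups.setdefault(transform_type(alg), set()).add(alg)
    return groups


def parse_log(log_text):
    """Collect configured and received proposals from charon [CFG] lines."""
    found = {"configured": [], "received": []}
    for line in log_text.splitlines():
        m = PROPOSAL_LINE.search(line)
        if m:
            side, body = m.groups()
            found[side].extend(parse_proposal(p) for p in body.split(",") if p.strip())
    return found


def match(configured, received):
    """Per-type intersection if the two proposals overlap in every transform type, else None."""
    common = {}
    for t in set(configured) | set(received):
        both = configured.get(t, set()) & received.get(t, set())
        if not both:
            return None
        common[t] = both
    return common


def explain_mismatch(configured, received):
    """Transform types where the received proposal shares nothing with this configured one."""
    return sorted(t for t in set(configured) | set(received)
                  if not (configured.get(t, set()) & received.get(t, set())))


def diagnose(log_text):
    """One (index, verdict, blocking types) tuple per configured proposal, per received proposal."""
    found = parse_log(log_text)
    report = []
    for recv in found["received"]:
        for i, conf in enumerate(found["configured"]):
            m = match(conf, recv)
            report.append((i, "match" if m else "no match",
                           [] if m else explain_mismatch(conf, recv)))
    return report


if __name__ == "__main__":
    for index, verdict, blocking in diagnose(SAMPLE_LOG):
        print(f"configured proposal {index}: {verdict}", blocking or "")
```

Run against the sample, the second configured proposal (the one carrying 3DES_CBC, HMAC_SHA1_96 and PRF_HMAC_SHA1) is blocked only by the "dh" type: the peer asks for MODP_1536 and no configured proposal lists it, which is exactly the DH group problem Eero points to. Two further things worth reading off the same log lines: the peer's proposal is the single combination it will accept, so any group not in the configured set means no match at all, and the "INFORMATIONAL_V1" and "Aggressive Mode IKE_SA" lines show an IKEv1 exchange even though the settings are described as IKEv2, which is worth verifying on both ends before touching the cipher lists.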