how about disabling pfs? Eero
2017-02-03 13:25 GMT+02:00 Roland Giesler <roland@greentree.systems>: > On Fri, Feb 3, 2017 at 1:19 PM, Eero Volotinen <eero.voloti...@iki.fi> > wrote: > >> It's a bit antique selection of ciphers. >> > > It is indeed. We were experimenting for a long time with many others and > got similar result (no matches). So I opted to check what pfSense offers > and set Sonicwall to ask for that, but Sonicwall can't do MODP_3072, > which is the only combination of what pfSense offers and what Sonicwall > supports. > > We gave up in the end and opted to use SSH tunnels to work through, rather > than set up a VPN. In the end we may have to set up OpenVPN, which mobile > clients rather that site-to-site... :-( Not what we had in mind. > > Roland > > >> >> Problem is in DH group. try enabling same DH also in pfsense. >> >> -- >> Eero >> >> 2017-02-03 13:17 GMT+02:00 Roland Giesler <roland@greentree.systems>: >> >>> On Tue, Jan 24, 2017 at 8:16 PM, Eero Volotinen <eero.voloti...@iki.fi> >>> wrote: >>> >>>> What hardware is other side running? Why you are trying to use 3des? >>>> >>> >>> The other side is Sonicwall. I'm using 3DES because it's enabled by >>> default and seeming a simple place to start. >>> >>> However, regardless of what I select (by ticking the boxes - net very >>> difficult), that is then not offered. So if I select 3DES, it is not >>> offered. If I select SHA256 it's not offered, and so on. >>> >>> Roland >>> >>> >>> >>>> >>>> Eero >>>> >>>> 2017-01-17 16:36 GMT+02:00 Roland Giesler <rol...@thegreentree.za.net>: >>>> >>>>> We've battled all afternoon to establish an IPSec site-to-site >>>>> connection. >>>>> Here's what happens: >>>>> >>>>> TimeProcessPIDMessage >>>>> Jan 17 15:58:53 charon 05[NET] <197> sending packet: from >>>>> 129.232.232.130[500] to 105.27.116.62[500] (56 bytes) >>>>> Jan 17 15:58:53 charon 05[ENC] <197> generating INFORMATIONAL_V1 >>>>> request >>>>> 2809641300 [ N(NO_PROP) ] >>>>> Jan 17 15:58:53 charon 05[IKE] <197> no proposal found >>>>> Jan 17 15:58:53 charon 05[CFG] <197> configured proposals: >>>>> IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072, >>>>> IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAM >>>>> ELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HM >>>>> AC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_MD5_96/HMAC_SHA1_96/A >>>>> ES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/P >>>>> RF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD >>>>> 5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_B >>>>> P/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_20 >>>>> 48_256/MODP_1024, >>>>> IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_ >>>>> 128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_19 >>>>> 2/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC >>>>> _SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_H >>>>> MAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_5 >>>>> 12_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024 >>>>> Jan 17 15:58:53 charon 05[CFG] <197> received proposals: >>>>> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536 >>>>> Jan 17 15:58:53 charon 05[IKE] <197> 105.27.116.62 is initiating a >>>>> Aggressive Mode IKE_SA >>>>> >>>>> The strange thing is that I have set 3DES and SHA1 to in my setup, yet >>>>> it >>>>> is not being offered. I have also test quite a few other like AES 265 >>>>> and >>>>> SHA2, but they are also not offered. The other side (SonicWall) is >>>>> offering what we set mutually. >>>>> >>>>> Is this a bug? If now, how to I force pfSense to behave and start >>>>> using >>>>> the settings I set. >>>>> >>>>> IPSec IKE V2 with pre-shared key. >>>>> >>>>> I'm running 2.3.2_1 >>>>> >>>>> Anyone that has seen this? >>>>> >>>>> regards >>>>> >>>>> >>>>> Roland Giesler >>>>> _______________________________________________ >>>>> pfSense mailing list >>>>> https://lists.pfsense.org/mailman/listinfo/list >>>>> Support the project with Gold! https://pfsense.org/gold >>>>> >>>> >>>> >>> >> > > > > > <https://mailtrack.io/trace/link/2b8864f31199d0082f474438ad99b04c615adf78?url=https%3A%2F%2Fmailtrack.io%2F&signature=1032642e759d6d34>Sent > with Mailtrack > <https://mailtrack.io/install?source=signature&lang=en&referral=rol...@thegreentree.za.net&idSignature=22> > _______________________________________________ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold
