This email will look best in a monospaced font.
Changed to aggressive mode on both ends. pfSense is version 2.3. Changed
the Netgear identifiers to pwmtest for the IKE policy and pwm-office for
the VPN policy.
I deleted the vpn policy and re-created it. So here are final settings.
Netgear:
VPN - Auto Policy
General
Policy Name pwm-office
IKE policy pwmtest
Remote VPN Endpoint
Address Type: IP Address
Address Data: <ip address of pfsense firewall>
SA Life Time 86400 (Seconds)
0 (Kbytes)
IPSec PFS [checked] PFS Key Group: Group 2 (1024 Bit)
Traffic Selector
Local IP Subnet address
Start IP address: 192.168.1.0
Finish IP address: n/a
Subnet Mask: 255.255.255.0
Remote IP Subnet address
Start IP address: 10.0.0.0
Finish IP address: n/a
Subnet Mask 255.255.252.0
AH Configuration
Enable Authentication [not checked] Authentication Algorithm: SHA-1
ESP Configuration
Enable Encryption [checked] Encryption Algorithm: 3DES
Enable Authentication [checked] Authentication Algorithm: SHA-1
IKE Policy Configuration
General
Policy Name pwmtest
Direction/Type Both Directions
Exchange Mode: Aggressive
Local
Select Local Gateway: Wan1 (this particular unit has two WAN ports with
failover.)
Local Identity Type: WAN IP Address
Remote Identity Data: <blank> (This info doesn't get entered here.)
IKE SA Parameters
Encryption Algorithm: 3DES
Authentication Algorithm: SHA1
Authentication Method: Pre-Shared Key
<your preshared key goes here>
RSA Signature (requires Certificate) [unchecked]
Diffie-Hellman Group Group 2 (1024 bit)
SA Life Time: 28800
On the pfsense box:
VPN:IPsec:Edit tunnel
Mode: Tunnel
Disabled: [unchecked]
Interface: WAN
Local Subnet: LAN subnet
Remote Subnet: 192.168.1.0/24
Remote Gateway <WAN Address of the netgear router>
Description <however you want to describe yours>
Phase 1 Proposed (Authentication)
Negotiation mode aggressive
My identifier: IP Address <my WAN ipaddress>
Encryption algorithm: 3DES
Hash Algorithm: SHA1
DH Key Group: 2
Lifetime 28800
Authentication Method: Pre-shared key
Pre-Shared Key: <pre shared key goes here.>
Certificate <blank>
Key <blank>
Peer certificate <blank>
Phase2 proposal (SA/Key Exchange)
Protocol: ESP
Encryption algorithms: 3DES
Hash algorithms: SHA1
PFS key group: 2
Lifetime: 86400
I hope this helps anyone having trouble. Thanks for your help Holger.
Curtis
Holger Bauer wrote:
> Try to use aggressive mode on both ends. Also try to setup different
> identifiers (like combination of UFQDN and passkeyphrase. It looks to me that
> there is a problem with the identifier. Is one of the ends behind another
> NAT? Also what version are you running?
>
> Holger
>
>> -----Original Message-----
>> From: cmaurand [mailto:[EMAIL PROTECTED]
>> Sent: Monday, September 18, 2006 5:28 PM
>> To: [email protected]
>> Subject: [pfSense Support] pfsense to netgear ipsec vpn
>>
>>
>> Hello,
>> I'm a relative newbie to ipsec on pfsense. I'm trying to
>> establish an
>> ipsec vpn connection to a netgear FVS124G. I already have a
>> connection
>> going to a sonicwall and that runs fine.
>>
>> The configuration on the pfsense is
>>
>> remote ip address PSK = <the key> and they match
>> Interface = WAN (and its my primary address)
>> Local Subnet = LAN Subnet
>> remote subnet = 192.168.1.0/24
>> remote gateway = <remote ip address>
>> Description = Charlotte Corporate
>>
>> Phase 1
>> Negotiation mode = main
>> My identifier = My IP address
>> Encryption algorithm = 3DES
>> Hash algorithm = SHA1
>> DH Key group = 2 (1024 bit)
>> lifetime = 86400
>> Authentication Method = Pre-Shared Key
>> Pre-Shared Key = <my psk>
>>
>> Phase 2 (SA/Key Exchange)
>> Protocol = ESP
>> Encryption Algorithms = 3DES
>> Hash Algorithm = SHA1
>> PFS key group = 2 (1024 bit)
>> Lifetime = 28800
>>
>> On the Netgear IKE Policy
>> General
>> name = pwmtest
>> Direction/Type = Both Directions
>> Exchange Mode = Main Mode
>> Local
>> Select Local Gateway = Wan1 (69.whatever)
>> Local Identity type WAN IP Address
>>
>> Remote
>> Remote Host Configuration Record = None
>> Remote Identity Type = WAN IP
>>
>> IKE SA Parameters
>> Encryption Algorithm = 3DES
>> Authentication Algorithm = SHA1
>> Authentication Method = Pre-shared Key
>> <my key>
>> Diffie-Hellman (DH) Group = Group 2 (1024 bit)
>> SA Life Time = 28800
>>
>> On the Netgear VPN Policy
>> General
>> Policy Name = pwmtest
>> IKE Policy = pwmtest
>> Remote VPN Endpoint Type = IP Address
>> Remote VPN Endpoint IP Address = <my ip address>
>> Traffic Selector
>> Local IP = Subnet address
>> Start IP address = 192.168.1.0
>>
>> Finish IP Address = N/A
>> Subnet Mask = 255.255.255.0
>> Remote IP = Subnet address
>> Start IP Address = 10.0.0.0
>> Finish IP Address = n/a
>> Subnet Mask = 255.255.252.0
>>
>> AH Configuration = unchecked
>>
>> ESP Configuration
>> Enable Encryption = checked = 3DES
>> Enable Authentication = checked = SHA-1
>>
>>
>> From the pfsense I get: (some lines wrapped)
>>
>> racoon: INFO: respond new phase 1 negotiation: <local wan
>> ip>[500]<=><remote wan ip>[500]
>> racoon: ERROR: not acceptable Identity Protection mode
>> racoon: ERROR: not acceptable Identity Protection mode
>>
>> Thanks in advance
>>
>> --
>> Curtis Maurand
>> Senior Network & Systems Engineer
>> BlueTarp Financial, Inc.
>> 443 Congress St.
>> 6th Floor
>> Portland, ME 04101
>> 207.797.5900 x233 (office)
>> 207.797.3833 (fax)
>> mailto:[EMAIL PROTECTED]
>> http://www.bluetarp.com
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>> For additional commands, e-mail: [EMAIL PROTECTED]
>>
>>
>
--
Curtis Maurand
Senior Network & Systems Engineer
BlueTarp Financial, Inc.
443 Congress St.
6th Floor
Portland, ME 04101
207.797.5900 x233 (office)
207.797.3833 (fax)
mailto:[EMAIL PROTECTED]
http://www.bluetarp.com
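The thread above is, in the end, an exercise in making every phase 1 and phase 2 parameter agree on both ends: racoon's "not acceptable Identity Protection mode" is its name for a main-mode (ISAKMP "Identity Protection exchange") proposal it was not configured to accept, and the original post's two ends also had the phase 1 and phase 2 lifetimes the other way round from each other (pfSense 86400/28800 against the Netgear's 28800/86400). The script below is an added example, not code from pfSense, Netgear or either poster. It encodes the final settings from the thread as dictionaries, checks the two ends against each other the way a practitioner would before touching the GUI, and then flags the settings that the working tunnel relies on but that no longer meet current guidance (3DES, SHA-1, DH group 2 and aggressive mode with a pre-shared key). The pfSense "LAN subnet" is assumed to be 10.0.0.0/22, mirroring the Netgear's remote selector of 10.0.0.0 / 255.255.252.0.

```python
"""Cross-check the two ends of an IKEv1/IPsec tunnel for parameter mismatches.

Added example, not code from pfSense, Netgear or the list posters. The
dictionaries are constructed from the settings quoted in the thread; the
pfSense LAN prefix (10.0.0.0/22) is an assumption taken from the Netgear's
remote selector (10.0.0.0 with mask 255.255.252.0).
"""
from ipaddress import ip_network

# Final, working Netgear FVS124G settings from the thread
# (IKE policy "pwmtest", VPN policy "pwm-office").
NETGEAR_FINAL = {
    "exchange_mode": "aggressive",
    "p1_enc": "3des", "p1_hash": "sha1", "p1_dh": 2, "p1_lifetime": 28800,
    "p2_enc": "3des", "p2_hash": "sha1", "p2_pfs": 2, "p2_lifetime": 86400,
    "local_net": "192.168.1.0/24", "remote_net": "10.0.0.0/22",
}

# Final pfSense settings from the thread. "LAN subnet" is assumed to be
# 10.0.0.0/22 so that it mirrors the Netgear's remote selector.
PFSENSE_FINAL = {
    "exchange_mode": "aggressive",
    "p1_enc": "3des", "p1_hash": "sha1", "p1_dh": 2, "p1_lifetime": 28800,
    "p2_enc": "3des", "p2_hash": "sha1", "p2_pfs": 2, "p2_lifetime": 86400,
    "local_net": "10.0.0.0/22", "remote_net": "192.168.1.0/24",
}

# The pfSense side as posted originally: main mode, and the phase 1 /
# phase 2 lifetimes swapped relative to the Netgear's.
PFSENSE_ORIGINAL = dict(PFSENSE_FINAL, exchange_mode="main",
                        p1_lifetime=86400, p2_lifetime=28800)

# Parameters that must agree on both ends for each phase to negotiate.
P1_KEYS = ("exchange_mode", "p1_enc", "p1_hash", "p1_dh", "p1_lifetime")
P2_KEYS = ("p2_enc", "p2_hash", "p2_pfs", "p2_lifetime")


def check_pair(a: dict, b: dict) -> list:
    """Return the list of mismatches between two ends (empty when consistent)."""
    problems = []
    for phase, keys in (("phase1", P1_KEYS), ("phase2", P2_KEYS)):
        for key in keys:
            if a[key] != b[key]:
                problems.append(f"{phase}: {key} differs ({a[key]} vs {b[key]})")
    # Traffic selectors must mirror each other: my local net is your remote net.
    if ip_network(a["local_net"]) != ip_network(b["remote_net"]):
        problems.append(f"selector: local {a['local_net']} is not the peer's "
                        f"remote {b['remote_net']}")
    if ip_network(a["remote_net"]) != ip_network(b["local_net"]):
        problems.append(f"selector: remote {a['remote_net']} is not the peer's "
                        f"local {b['local_net']}")
    return problems


# Choices the thread's working tunnel relies on that no longer meet
# current guidance (NIST has retired 3DES; SHA-1 and 1024-bit DH are being
# phased out; aggressive mode with a PSK exposes the PSK hash in the clear).
WEAK_CIPHERS = {"des", "3des"}
WEAK_HASHES = {"md5", "sha1"}
MIN_DH_GROUP = 14  # 2048-bit MODP


def weak_settings(cfg: dict) -> list:
    """Return warnings for settings that negotiate fine but are weak today."""
    warnings = []
    for key in ("p1_enc", "p2_enc"):
        if cfg[key] in WEAK_CIPHERS:
            warnings.append(f"{key}: {cfg[key]} is retired; use AES (128 or 256)")
    for key in ("p1_hash", "p2_hash"):
        if cfg[key] in WEAK_HASHES:
            warnings.append(f"{key}: {cfg[key]} is being phased out; use SHA-256")
    for key in ("p1_dh", "p2_pfs"):
        if cfg[key] < MIN_DH_GROUP:
            warnings.append(f"{key}: group {cfg[key]} is below 2048 bits; "
                            f"use group {MIN_DH_GROUP} or higher")
    if cfg["exchange_mode"] == "aggressive":
        warnings.append("exchange_mode: aggressive mode sends identities and the "
                        "PSK-derived hash unencrypted, so the PSK can be guessed "
                        "offline; prefer main mode or IKEv2")
    return warnings


if __name__ == "__main__":
    print("original pfSense vs Netgear:")
    for p in check_pair(NETGEAR_FINAL, PFSENSE_ORIGINAL):
        print("  -", p)
    print("final pfSense vs Netgear:", check_pair(NETGEAR_FINAL, PFSENSE_FINAL) or "consistent")
    print("hardening notes for the final tunnel:")
    for w in weak_settings(PFSENSE_FINAL):
        print("  -", w)
```

Run against the original post's settings it reports the mode and both lifetime differences; against the final settings it reports nothing, which is what the working tunnel in the thread shows. Whether a lifetime difference alone actually breaks negotiation depends on the responder's proposal checking (racoon's `proposal_check` level), so matching the lifetimes is about removing a variable rather than the certain cause; the hardening notes apply regardless of whether the tunnel negotiates.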