[prev in list] [next in list] [prev in thread] [next in thread]
List: pfsense-discussion
Subject: Re: [pfSense] IPSec Bug?
From: Eero Volotinen <eero.volotinen () iki ! fi>
Date: 2017-02-03 11:49:08
Message-ID: CABzZrXe05w_9=AQtcRKQ6r4q_M1sVZDgW40EAoN7rRb3v_KnNw () mail ! gmail ! com
[Download RAW message or body]
how about disabling pfs?
Eero
2017-02-03 13:25 GMT+02:00 Roland Giesler <roland@greentree.systems>:
> On Fri, Feb 3, 2017 at 1:19 PM, Eero Volotinen <eero.volotinen@iki.fi>
> wrote:
>
> > It's a bit antique selection of ciphers.
> >
>
> It is indeed. We were experimenting for a long time with many others and
> got similar result (no matches). So I opted to check what pfSense offers
> and set Sonicwall to ask for that, but Sonicwall can't do MODP_3072,
> which is the only combination of what pfSense offers and what Sonicwall
> supports.
>
> We gave up in the end and opted to use SSH tunnels to work through, rather
> than set up a VPN. In the end we may have to set up OpenVPN, which mobile
> clients rather that site-to-site... :-( Not what we had in mind.
>
> Roland
>
>
> >
> > Problem is in DH group. try enabling same DH also in pfsense.
> >
> > --
> > Eero
> >
> > 2017-02-03 13:17 GMT+02:00 Roland Giesler <roland@greentree.systems>:
> >
> > > On Tue, Jan 24, 2017 at 8:16 PM, Eero Volotinen <eero.volotinen@iki.fi>
> > > wrote:
> > >
> > > > What hardware is other side running? Why you are trying to use 3des?
> > > >
> > >
> > > The other side is Sonicwall. I'm using 3DES because it's enabled by
> > > default and seeming a simple place to start.
> > >
> > > However, regardless of what I select (by ticking the boxes - net very
> > > difficult), that is then not offered. So if I select 3DES, it is not
> > > offered. If I select SHA256 it's not offered, and so on.
> > >
> > > Roland
> > >
> > >
> > >
> > > >
> > > > Eero
> > > >
> > > > 2017-01-17 16:36 GMT+02:00 Roland Giesler <roland@thegreentree.za.net>:
> > > >
> > > > > We've battled all afternoon to establish an IPSec site-to-site
> > > > > connection.
> > > > > Here's what happens:
> > > > >
> > > > > TimeProcessPIDMessage
> > > > > Jan 17 15:58:53 charon 05[NET] <197> sending packet: from
> > > > > 129.232.232.130[500] to 105.27.116.62[500] (56 bytes)
> > > > > Jan 17 15:58:53 charon 05[ENC] <197> generating INFORMATIONAL_V1
> > > > > request
> > > > > 2809641300 [ N(NO_PROP) ]
> > > > > Jan 17 15:58:53 charon 05[IKE] <197> no proposal found
> > > > > Jan 17 15:58:53 charon 05[CFG] <197> configured proposals:
> > > > > IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072,
> > > > > IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAM
> > > > > ELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HM
> > > > > AC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_MD5_96/HMAC_SHA1_96/A
> > > > > ES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/P
> > > > > RF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD
> > > > > 5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_B
> > > > > P/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_20
> > > > > 48_256/MODP_1024,
> > > > > IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_
> > > > > 128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_19
> > > > > 2/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC
> > > > > _SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_MD5/PRF_H
> > > > > MAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_5
> > > > > 12_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024
> > > > > Jan 17 15:58:53 charon 05[CFG] <197> received proposals:
> > > > > IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
> > > > > Jan 17 15:58:53 charon 05[IKE] <197> 105.27.116.62 is initiating a
> > > > > Aggressive Mode IKE_SA
> > > > >
> > > > > The strange thing is that I have set 3DES and SHA1 to in my setup, yet
> > > > > it
> > > > > is not being offered. I have also test quite a few other like AES 265
> > > > > and
> > > > > SHA2, but they are also not offered. The other side (SonicWall) is
> > > > > offering what we set mutually.
> > > > >
> > > > > Is this a bug? If now, how to I force pfSense to behave and start
> > > > > using
> > > > > the settings I set.
> > > > >
> > > > > IPSec IKE V2 with pre-shared key.
> > > > >
> > > > > I'm running 2.3.2_1
> > > > >
> > > > > Anyone that has seen this?
> > > > >
> > > > > regards
> > > > >
> > > > >
> > > > > Roland Giesler
> > > > > _______________________________________________
> > > > > pfSense mailing list
> > > > > https://lists.pfsense.org/mailman/listinfo/list
> > > > > Support the project with Gold! https://pfsense.org/gold
> > > > >
> > > >
> > > >
> > >
> >
>
>
>
>
> <https://mailtrack.io/trace/link/2b8864f31199d0082f474438ad99b04c615adf78?url=https%3A%2F%2Fmailtrack.io%2F&signature=1032642e759d6d34>Sent
> with Mailtrack
> <https://mailtrack.io/install?source=signature&lang=en&referral=roland@thegreentree.za.net&idSignature=22>
>
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic