We have 2 routers/firewalls, 1x pfSense and 1x UBNT Edgerouter X. I tried to set up an IPsec site-to-site connection between these 2 but I cannot get it done. I followed multiple "tutorials"/guides on the internet and in the end I followed all steps in this video https://www.youtube.com/watch?v=qNWjqTdDyHU&t=300s but unfortunately it still doesn't work.
As I'm new to IPsec connections I have no idea how to debug this except for trying to understand the logs; I partially understand them, but I have no idea how to solve the "problem" they describe.
Maybe someone can check my settings (see below) and help me out with this problem. I think it actually should work, as the settings from pfSense and the Edgerouter are matching (as far as I can check with my knowledge).
pfSense configuration:
I created an allow-all rule on my pfSense WAN port (just to be sure that the firewall is not blocking anything during configuration).
Then I configured an IPsec connection like this:
<ipsec>
  <phase1>
    <ikeid>3</ikeid>
    <iketype>ikev2</iketype>
    <interface>wan</interface>
    <remote-gateway>UBNT.public.ip.here</remote-gateway>
    <protocol>inet</protocol>
    <myid_type>myaddress</myid_type>
    <myid_data></myid_data>
    <peerid_type>peeraddress</peerid_type>
    <peerid_data></peerid_data>
    <encryption>
      <item>
        <encryption-algorithm>
          <name>aes</name>
          <keylen>128</keylen>
        </encryption-algorithm>
        <hash-algorithm>sha256</hash-algorithm>
        <dhgroup>14</dhgroup>
      </item>
    </encryption>
    <lifetime>28800</lifetime>
    <pre-shared-key>Letmein2020</pre-shared-key>
    <private-key></private-key>
    <certref></certref>
    <caref></caref>
    <authentication_method>pre_shared_key</authentication_method>
    <descr><![CDATA[UBNT IPSec test]]></descr>
    <nat_traversal>on</nat_traversal>
    <mobike>off</mobike>
    <closeaction></closeaction>
    <margintime></margintime>
    <dpd_delay>10</dpd_delay>
    <dpd_maxfail>5</dpd_maxfail>
  </phase1>
  <phase2>
    <ikeid>3</ikeid>
    <uniqid>5eeb68156125d</uniqid>
    <mode>tunnel</mode>
    <reqid>3</reqid>
    <localid>
      <type>opt4</type>
    </localid>
    <remoteid>
      <type>network</type>
      <address>192.168.100.0</address>
      <netbits>24</netbits>
    </remoteid>
    <protocol>esp</protocol>
    <encryption-algorithm-option>
      <name>aes</name>
      <keylen>128</keylen>
    </encryption-algorithm-option>
    <encryption-algorithm-option>
      <name>aes128gcm</name>
      <keylen>128</keylen>
    </encryption-algorithm-option>
    <hash-algorithm-option>hmac_sha256</hash-algorithm-option>
    <pfsgroup>14</pfsgroup>
    <lifetime>3600</lifetime>
    <pinghost></pinghost>
    <descr><![CDATA[IPSEC UBNT test]]></descr>
  </phase2>
</ipsec>
Edgerouter x configuration:
I created a Site-to-Site peer.
Then I checked the IPsec settings in the config tree and added 2 esp-group (FOO0) proposals (1 and 2).
I configured the ike-group (FOO0) and also added 2 proposals for the ike-group FOO0.
Last but not least I checked if the peer is using the correct esp and ike group.
Connection and logging
After I configured everything I went to Status > IPsec > Overview on pfSense and clicked on connect, which results in the following logging on pfSense (blue = pfSense public IP, red is an unknown IP, so not the Edgerouter public IP). This block continuously repeats in the logs. I understand that no acceptable (so matching?) DF and ENCRYPTION_ALGORITHMs are found, but I don't understand why, as I configured them the same on both devices.
I also got this, where blue is the pfSense public IP and black the Edgerouter public IP:
On the Edgerouter side I only see this:
UPDATE 1
I connected pfSense and the Edgerouter directly to each other via LAN. I also changed the IP of the destination/peer in both pfSense and the Edgerouter. Now a connection periodically appears in the pfSense Status/IPsec/Overview. It seems that this is an incoming connection from the Edgerouter (the one on the top).
The pfSense logs for this connection:
The logs from the Edgerouter (/var/logs/charon.log):
Jun 22 08:46:08 07[IKE] <peer-10.128.10.1-tunnel-1|1> initiating IKE_SA peer-10.128.10.1-tunnel-1[1] to 10.128.10.1
Jun 22 08:46:45 04[KNL] creating delete job for CHILD_SA ESP/0x00000000/10.128.10.1
Jun 22 08:46:48 14[KNL] creating acquire job for policy 192.168.100.1/32[udp/56593] === 10.128.10.1/32[udp/domain] with reqid {1}
The second connection in the screenshot is the connection I configured on the pfSense side. When I click connect, these are the logs on pfSense for that connection:
In /var/log/charon.log no new lines are written related to this connection attempt from pfSense.
Neither connection can be established. I checked my configuration on both devices and they are exactly as described in my question. They are similar on both devices (as far as I can check with my knowledge).
I also added an allow-all rule (protocols, ports, sources and destinations) to the pfSense interface concerned and checked "Automatically open firewall and exclude from NAT" during the Edgerouter configuration, so this should be ok (and not the issue) I think?
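Added debugging aid (my own example, not code from the post, pfSense or EdgeOS): it derives the strongSwan-style proposal strings that the pfSense phase 1/phase 2 XML above encodes and diffs them against the EdgeRouter's proposals, so a "no acceptable ENCRYPTION_ALGORITHM / DIFFIE_HELLMAN_GROUP found" line can be traced to the exact proposal that has no counterpart. The EdgeRouter side is constructed (those settings were only shown as screenshots), and the DH-group table and the reading of pfSense's GCM key length as an ICV length are assumptions.

```python
import xml.etree.ElementTree as ET
# Constructed, trimmed excerpt of the pfSense <ipsec> block from the post (matching-relevant fields only).
PFSENSE_XML = """<ipsec>
 <phase1><encryption><item>
  <encryption-algorithm><name>aes</name><keylen>128</keylen></encryption-algorithm>
  <hash-algorithm>sha256</hash-algorithm><dhgroup>14</dhgroup>
 </item></encryption></phase1>
 <phase2>
  <encryption-algorithm-option><name>aes</name><keylen>128</keylen></encryption-algorithm-option>
  <encryption-algorithm-option><name>aes128gcm</name><keylen>128</keylen></encryption-algorithm-option>
  <hash-algorithm-option>hmac_sha256</hash-algorithm-option><pfsgroup>14</pfsgroup>
 </phase2>
</ipsec>"""

# IANA DH group number -> strongSwan keyword (what charon logs and an EdgeOS dh-group maps to).
DH = {"2": "modp1024", "5": "modp1536", "14": "modp2048", "19": "ecp256", "20": "ecp384"}

def cipher(node):
    """'aes'/128 -> 'aes128'; 'aes128gcm'/128 -> 'aes128gcm16' (assumption: for the GCM
    options pfSense's keylen is the ICV length in bits, so 128 bits = 16 bytes)."""
    name, keylen = node.findtext("name"), node.findtext("keylen") or ""
    return f"{name}{int(keylen) // 8}" if "gcm" in name else f"{name}{keylen}"

def pfsense_proposals(xml_text):
    """Return ({IKE proposals}, {ESP proposals}) in strongSwan 'enc-integ-dh' form."""
    root = ET.fromstring(xml_text)
    ike = set()
    for item in root.iterfind("phase1/encryption/item"):
        enc = cipher(item.find("encryption-algorithm"))
        ike.add(f"{enc}-{item.findtext('hash-algorithm')}-{DH[item.findtext('dhgroup')]}")
    p2 = root.find("phase2")
    integ = p2.findtext("hash-algorithm-option").replace("hmac_", "")
    pfs = DH[p2.findtext("pfsgroup")]
    esp = set()
    for opt in p2.iterfind("encryption-algorithm-option"):
        enc = cipher(opt)
        # AEAD ciphers carry their own integrity check, so no separate integ algorithm.
        esp.add(f"{enc}-{pfs}" if "gcm" in enc else f"{enc}-{integ}-{pfs}")
    return ike, esp

def unmatched(local, remote):
    """Proposals with no exact counterpart on the other side; a non-empty 'only_local'
    is what charon reports as 'no acceptable ENCRYPTION_ALGORITHM/DIFFIE_HELLMAN_GROUP found'."""
    return {"only_local": local - remote, "only_remote": remote - local}

# Hypothetical EdgeRouter proposals (constructed; the real ones were screenshots in the post).
EDGE_IKE = {"aes128-sha256-modp2048", "aes256-sha1-modp1536"}  # ike-group FOO0 proposals 1, 2
EDGE_ESP = {"aes128-sha1-modp2048", "aes256-sha256-modp2048"}  # esp-group FOO0, pfs dh-group14

if __name__ == "__main__":
    ike, esp = pfsense_proposals(PFSENSE_XML)
    print("IKE:", unmatched(ike, EDGE_IKE), "\nESP:", unmatched(esp, EDGE_ESP))
```

With these constructed EdgeRouter values the IKE set agrees (phase 1 can complete) while neither pfSense ESP proposal has a counterpart, which is the pattern to look for when only the CHILD_SA fails.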