Kerio User Forums » Kerio Control » kerio ipsec and pfsense (Kerio with pfsense)
ZReau
I run Kerio Control 8.0.2

and want to try to create an IPsec tunnel. The tunnel works for 10 seconds, then pfSense says it can't get sainfo.
Which credentials are compatible with Kerio IPsec?

I have configured this on pfSense:
PHASE 1:
Authentication method: mutual psk
Negotiation mode: main
My identifier: IP address
Peer identifier: peer IP address
Pre-Shared Key: XXXXX
Policy Generation: default
Proposal Checking: default
Encryption algorithm: 3DES
Hash algorithm: SHA1
DH key group: 5 (1536 bit)
Lifetime: 10800
NAT Traversal: disable
Dead Peer Detection: disable

PHASE 2:
Mode: tunnel
Local Network: 1.2.3.4/24
Remote Network: 4.3.2.1/24
Protocol: ESP
Encryption algorithms: 3DES
Hash algorithms: SHA1
PFS key group: off
Lifetime: 3600

Could someone tell me what I did wrong?

Alex,
ZReau
and pfSense logging says:

Apr 8 22:37:36 racoon: DEBUG: IV freed
Apr 8 22:37:36 racoon: NAMEIPSEC ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
Apr 8 22:37:36 racoon: ERROR: failed to get sainfo.
Apr 8 22:37:36 racoon: ERROR: failed to get sainfo.
Lisa Lyons (Kerio)
Hi ZReau,

We use the IKEv1 cipher suite, so you can see the options that are supported here:

http://wiki.strongswan.org/projects/strongswan/wiki/IKEv1CipherSuites

Sadly, we have not tested the IPsec VPN with a pfSense server, so I cannot advise too closely on what you may try.

The information contained here may help:

http://kb.kerio.com/product/kerio-control/vpn/configuring-ipsec-vpn-1281.html

Kerio Technical Support
Log Support Incidents here: http://www.kerio.com/support
Also, please use our KB: http://kb.kerio.com
ZReau
Lisa,

I know, but I have it working except that every 10 seconds they drop the connection and get this error, and after a few times it has its IPsec connection again. I used the options that Kerio supports, but still it loses the VPN connection every ten seconds.

I think that pfSense is no. 1 in open-source firewalls based on m0n0wall, and a lot of users use it. If Kerio can't support this IPsec for pfSense, then build OpenVPN into Kerio so that we can make a VPN from third-party software.

Alex,
rjokl
Alex,

I have tested a tunnel to pfSense, settings exactly as you posted, and everything works stably. Double-check your settings (id, routes).

Roman
ZReau
Roman,

Could you please give some screenshots from your pfSense?

I have the same IDs on both sites, the IP address.

Kerio Control:

local id = IP address
remote id = IP address

routing:
192.168.155.0/255.255.255.0

pfSense:

remote gateway = IP address
My identifier = my IP address
remote peer = peer IP address

phase 2 on pfSense:
tunnel LAN 192.168.0.0/23 ESP AES (128 bits) SHA1
PFS key group = off
rjokl
Here are my screenshots.

Draw your topology, e.g. using gliffy.com.
ZReau
Could you please explain how I can see them?

rjokl
rjokl wrote on Wed, 10 April 2013 14:14:
here are my screenshots.

They are too big to post here. Try this:
https://samepage.io/72f3728084841d1a9db65c44335a41d27bfa96c2/share/68c98e56dc853a605ec1cf55a92d6f5207ba0037

Attachment: control1.PNG
ZReau
Roman,

Actually, you set Kerio Control to passive mode
and let pfSense be the initiator.

The rest is exactly the same as mine? Which version of pfSense is this, 2.0.1?
rjokl
2.0.2. Try to use passive too, just to find out if it is the problem or not.
ZReau
hmmm

That is indeed stable. But actually I want the pfSense in passive mode, because that's the one with a dynamic IP address?

And if the line breaks, will it reconnect itself this way?
rjokl
I have no idea, I saw pfSense for the first time yesterday :)

I will try to reconfigure Control to active mode tomorrow.
ZHoLD
Add the optional subnet (pfSense KerioVPN).

Attachment: ipsec.PNG
rjokl
I've reproduced the issue. It is caused by an incorrect subnet setup (phase 2) on the pfSense side, and pfSense unfortunately closes the connection if Control tries to negotiate a subnet missing on the pfSense side. The list of subnets on the Control side is generated automatically. It includes all routes to trusted and other interfaces, the subnet for VPN clients and subnets defined in other IPsec tunnels.

Example:
Control routing table:
default dev ppp101 proto none metric 1 // WAN
10.0.0.0/8 via 192.168.10.1 dev eth2 proto none metric 1 onlink // static route via LAN
88.103.200.66 dev ppp101 proto kernel scope link src 90.178.7.92 // PPPoE
172.26.147.0/24 dev kvnet proto kernel scope link src 172.26.147.1 // VPN subnet
192.168.10.0/24 dev eth2 proto kernel scope link src 192.168.10.26 // LAN

You have to define phase2 entries on pfsense for 10.0.0.0/8, 172.26.147.0/24 and 192.168.10.0/24.
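As an added illustration (not code from the thread or from Kerio), the following script applies Roman's rule to the routing table he posted: it derives the subnets Control will propose in phase 2, lists which of them lack a phase 2 entry on pfSense, and picks the racoon lines that signal the resulting mismatch. It assumes that ppp* interfaces are WAN-side and never offered in phase 2; the racoon log lines are constructed from the ones quoted earlier in the thread.

```python
import ipaddress
import re

# Kerio Control routing table exactly as posted above ("//" comments are the poster's).
CONTROL_ROUTES = """\
default dev ppp101 proto none metric 1 // WAN
10.0.0.0/8 via 192.168.10.1 dev eth2 proto none metric 1 onlink // static route via LAN
88.103.200.66 dev ppp101 proto kernel scope link src 90.178.7.92 // PPPoE
172.26.147.0/24 dev kvnet proto kernel scope link src 172.26.147.1 // VPN subnet
192.168.10.0/24 dev eth2 proto kernel scope link src 192.168.10.26 // LAN
"""

# Constructed racoon log lines, modelled on the ones pfSense logged earlier in the thread.
RACOON_LOG = """\
Apr 8 22:37:36 racoon: DEBUG: IV freed
Apr 8 22:37:36 racoon: ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
Apr 8 22:37:36 racoon: ERROR: failed to get sainfo.
Apr 8 22:37:36 racoon: ERROR: failed to get sainfo.
"""

# Assumption: ppp* interfaces are the WAN side; routes over them are never offered in phase 2.
WAN_DEV_PREFIXES = ("ppp",)

def control_phase2_subnets(route_table):
    """Derive the subnets Control will propose in phase 2 from its routing table:
    every non-default route on a non-WAN interface (LAN, static routes, VPN-client subnet)."""
    nets = set()
    for line in route_table.splitlines():
        line = line.split("//", 1)[0].strip()          # drop trailing comments
        if not line or line.startswith("default"):
            continue
        dest, rest = line.split(None, 1)
        dev = re.search(r"\bdev (\S+)", rest)
        if dev is None or dev.group(1).startswith(WAN_DEV_PREFIXES):
            continue
        nets.add(ipaddress.ip_network(dest, strict=False))
    return [str(n) for n in sorted(nets)]

def missing_on_pfsense(route_table, pfsense_phase2):
    """Subnets Control will propose that pfSense has no phase 2 entry for.
    Any entry here makes racoon reject the proposal and drop the tunnel."""
    configured = {str(ipaddress.ip_network(n, strict=False)) for n in pfsense_phase2}
    return [n for n in control_phase2_subnets(route_table) if n not in configured]

def racoon_phase2_failures(log):
    """Return the racoon lines that indicate a phase 2 selector mismatch."""
    markers = ("failed to get sainfo", "failed to pre-process ph2 packet")
    return [l for l in log.splitlines() if any(m in l for m in markers)]
```

With only the LAN defined on pfSense, `missing_on_pfsense(CONTROL_ROUTES, ["192.168.10.0/24"])` reports the static route and the VPN-client subnet, which is exactly the pair Roman says must be added.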