
Site-to-site VPN

Server Fault user
Asked 2013-12-09 07:00:42
Answers 1, Views 2.3K, Followers 0, Votes 4

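I am facing a problem establishing a site-to-site VPN between pfSense (version 2.0.1) and a SonicWall Pro2040 Enhanced (firmware version: SonicOS Enhanced 4.2.1.4-7e). All the configuration is correct, but I get the following error on the SonicWall -

"Payload processing failed"

Phase 1 and Phase 2 pass correctly, but the problem is the "payload processing". I found that this may be caused by a shared key mismatch, but I have checked repeatedly and there is no shared key mismatch between the two firewalls. It also shows that the tunnel is active on the SonicWall.

The logs from pfSense are as follows -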


1 Answer

Server Fault user

Posted 2013-12-09 09:57:26

Here are my settings for SonicWall and pfSense:

General tab on Sonicwall:

Authentication Method: IKE using Pre shared Secret

Name:  pfSense Site-to-Site PN

IPsec Primary Gateway Name or Address: 1.1.1.1 | IP for pfSense

IPsec Secondary Gateway Name or Address: 0.0.0.0

Shared Secret: Shared secret for this connection

Local IKE ID:  2.2.2.2 | Select ‘IP Address’ from the drop down menu and then type WAN IP of Sonicwall



Network tab on Sonicwall:

Local Networks

Choose local network from list: 192.168.21.0 | Create an address object for the network or you can use the built in one ‘LAN Subnets’

Destination Networks

Choose destination network from list: 192.168.65.0 | Create an address object for the remote LAN network



Proposals Tab:

IKE (Phase 1) Proposal

By default pfSense supports ‘Main Mode’ and ‘Aggressive’.

Exchange: Aggressive

DH Group: Group 2

Encryption: 3DES

Authentication: SHA1

Life Time (seconds): 28800

Ipsec (Phase 2) Proposal

Protocol: ESP

Encryption: 3DES

Authentication: SHA1

Enable Perfect Forward Secrecy: Checked

Life Time: 86400



Advanced Tab:

Check ‘Enable Keep Alive’

Corresponding pfSense settings:

Phase 1:

Authentication method: Mutual PSK

Negotiation Mode: Aggressive

My identifier: 1.1.1.1 (IP Address of pfSense WAN)

Peer identifier: 2.2.2.2 (IP Address of Sonicwall)

Pre Shared Key: Your pre share key

Policy Generation: Default

Proposal Checking: Obey

Encryption Algorithm: 3DES

Hash algorithm: SHA1

DH key group: 2

Lifetime: 28800



Advanced options

Nat Traversal: Enable

Dead Peer Detection: Check Enable DPD



Phase 2:

Mode: Tunnel

Local Network: 192.168.65.0/24

Remote Network: 192.168.21.0/24

Protocol: ESP

Encryption algorithms: 3DES

Hash algorithms: SHA1

PFS key group: 2

Lifetime: 84600

Please see my article on how to configure SonicWall with pfSense.

Votes 3
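The two listings in the answer have to agree field by field, with identifiers and networks mirrored between the peers. The following is an added example (not part of the original answer) that compares them; the normalized key names, the /24 mask on the SonicWall networks and the use of the SonicWall gateway address as the peer identifier are assumptions of this example.

```python
import ipaddress

# Values transcribed from the two listings above. Key names are this example's
# own; the /24 on the SonicWall networks and using its gateway address as
# peer_id are assumptions.
SONICWALL = {
    "local_id": "2.2.2.2", "peer_id": "1.1.1.1",
    "local_net": "192.168.21.0/24", "remote_net": "192.168.65.0/24",
    "p1_mode": "Aggressive", "p1_dh": "Group 2", "p1_enc": "3DES",
    "p1_hash": "SHA1", "p1_life": "28800",
    "p2_proto": "ESP", "p2_enc": "3DES", "p2_hash": "SHA1", "p2_life": "86400",
}
PFSENSE = {
    "local_id": "1.1.1.1", "peer_id": "2.2.2.2",
    "local_net": "192.168.65.0/24", "remote_net": "192.168.21.0/24",
    "p1_mode": "Aggressive", "p1_dh": "2", "p1_enc": "3DES",
    "p1_hash": "SHA1", "p1_life": "28800",
    "p2_proto": "ESP", "p2_enc": "3DES", "p2_hash": "SHA1", "p2_life": "84600",
}

# Fields that must be identical on both peers.
EQUAL = ["p1_mode", "p1_dh", "p1_enc", "p1_hash", "p1_life",
         "p2_proto", "p2_enc", "p2_hash", "p2_life"]
# Fields where one peer's "local" must equal the other peer's "remote".
MIRRORED = [("local_id", "peer_id"), ("peer_id", "local_id"),
            ("local_net", "remote_net"), ("remote_net", "local_net")]

def norm(key, value):
    """Normalize spelling differences between the two GUIs before comparing."""
    v = value.strip().lower()
    if not v:
        return v
    if key.endswith("_net"):
        # strict=True rejects a network written with host bits set
        return str(ipaddress.ip_network(v, strict=True))
    if key.endswith("_dh"):
        return v.replace("group", "").strip()  # "Group 2" and "2" compare equal
    return v

def compare(a, b):
    """Return (field_a, value_a, field_b, value_b) for every disagreement."""
    pairs = [(k, k) for k in EQUAL] + MIRRORED
    found = []
    for ka, kb in pairs:
        va, vb = norm(ka, a.get(ka, "")), norm(kb, b.get(kb, ""))
        if va != vb:
            found.append((ka, va, kb, vb))
    return found

if __name__ == "__main__":
    for ka, va, kb, vb in compare(SONICWALL, PFSENSE):
        print(f"MISMATCH sonicwall.{ka}={va!r} pfsense.{kb}={vb!r}")
```

Run against the values as posted, it reports one difference: the Phase 2 lifetime is 86400 on the SonicWall side and 84600 on the pfSense side.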
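The original content of this page is provided by Server Fault. Translation support is provided by the Tencent Cloud Xiaowei IT-domain engine.
Original link:

https://serverfault.com/questions/560069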
