Problem:

  • IPFire may complain about an "address family inconsistent" error when a VPN tunnel tries to connect to a WatchGuard device with a static public IP address! The log entry looks like this: "packet from xxx.xxx.xxx.xxx:500: initial Aggressive Mode message from xxx.xxx.xxx.xxx but no (wildcard) connection has been configured with policy=PSK"

Solution:

  • To solve this problem, open the web interface, go to Network -> Edit Hosts and create a pseudo DNS name for the remote site, for example firewall.example.com. Then enter this DNS name under Services -> IPsec -> "Connection" as the "Remote host/IP". After that the tunnel should work! Unless you use 3DES! More on that in the next issue.

Problem:

  • In phase II of the tunnel setup, IPFire and the remote site complain about "NO PROPOSAL CHOSEN". This problem is only reproducible with the DES and 3DES ciphers!

Solution:

  • The solution is quite easy: simply use AES256 in phase II ☺ (naturally on both sides). Apparently strongSwan (the IPsec implementation in IPFire) uses the 160 version of 3DES, whereas the WatchGuard device uses the 192 version of 3DES, so phase II never completes.
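For reference, the two fixes above (the pseudo DNS name for the remote site, and AES256 instead of 3DES in phase II) correspond to the following strongSwan ipsec.conf settings. This is an added, hand-written example, not the configuration file IPFire generates from its web interface; the connection name, subnets and hostname are placeholders, and the remaining keys are plain strongSwan ipsec.conf options.

```ini
# Added example (not IPFire's generated configuration): strongSwan
# ipsec.conf connection showing the settings behind the two fixes.
# Connection name, subnets and hostname are placeholders.
conn watchguard
    keyexchange=ikev1
    # pre-shared key, as in the "policy=PSK" log entry above
    authby=secret
    left=%defaultroute
    leftsubnet=192.168.1.0/24
    # Fix 1: refer to the remote site by the pseudo DNS name created
    # under Network -> Edit Hosts instead of the bare public IP address.
    right=firewall.example.com
    rightsubnet=192.168.2.0/24
    # Fix 2: phase II (ESP) proposal. The commented line is the 3DES
    # proposal that ends in "NO PROPOSAL CHOSEN" against the WatchGuard;
    # the active line uses AES256, which must be set on both sides.
    # esp=3des-sha1!
    esp=aes256-sha1!
    auto=start
```

The trailing "!" makes strongSwan insist on exactly this proposal, so a mismatch shows up immediately in the log instead of being hidden by a fallback; remove it if you prefer strongSwan to also offer its defaults.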