DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Vigor 3900 to pfSense Site to site IPSec

20 Sep 2017 15:56 #1 by pobster123
Vigor 3900 to pfSense Site to site IPSec was created by pobster123
I have tried both main mode and aggressive. I am able to get a connection using main mode from the pfSense side but not from the Vigor 3900, and it doesn't route traffic.
Logs for pfSense:
12[CFG] <201> looking for pre-shared key peer configs matching 146.90.x.x...87.242.x.x[87.242.x.x]
12[IKE] <201> found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode
12[ENC] <201> generating INFORMATIONAL_V1 request 718054413 [ N(AUTH_FAILED) ]
12[NET] <201> sending packet: from 146.90.x.x[500] to 87.242.x.x[500] (56 bytes)
08[NET] <202> received packet: from 87.242.x.x[500] to 146.90.x.x[500] (344 bytes)
08[ENC] <202> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]

Log from DrayTek:
<141>Sep 20 15:16:48 Vigor: [IPsec] PB_Test #0 execute _updown unroute-client:
<141>Sep 20 15:16:49 Vigor: pluto[13166]: "PB_Test": add eroute 192.x.x.x/24:0 --0-> 10.x.x.x/24:0 => %trap (raw_eroute) Success
<141>Sep 20 15:16:49 Vigor: pluto[13166]: "PB_Test": eroute_connection add eroute 10.x.x.x/24:0 --0-> 192.x.x.x/24:0 => %trap (raw_eroute) Success
<141>Sep 20 15:16:49 Vigor: pluto[13166]: "PB_Test": eroute_connection add eroute 0.0.0.0/0:0 --0-> 192.x.x.x/24:0 => %trap (raw_eroute) Success
<141>Sep 20 15:16:50 Vigor: [IPsec] PB_Test #0 execute _updown prepare-client:
<141>Sep 20 15:16:50 Vigor: [IPsec] PB_Test #0 execute _updown route-client:
<141>Sep 20 15:16:50 Vigor: pluto[13166]: "PB_Test" #22785: initiating Aggressive Mode #22785, connection "PB_Test"
<141>Sep 20 15:16:50 Vigor: pluto[13166]: packet from 146.90.x.x:500: ignoring informational payload, type AUTHENTICATION_FAILED
<141>Sep 20 15:16:50 Vigor: pluto[13166]: packet from 146.90.x.x:500: received and ignored informational message
<141>Sep 20 15:17:00 Vigor: pluto[13166]: packet from 146.90.x.x:500: ignoring informational payload, type AUTHENTICATION_FAILED
<141>Sep 20 15:17:00 Vigor: pluto[13166]: packet from 146.90.x.x:500: received and ignored informational message
<141>Sep 20 15:17:19 Vigor: pluto[13166]: "PB_Test" #22785: deleting state (STATE_AGGR_I1)
<141>Sep 20 15:17:19 Vigor: pluto[13166]: "PB_Test" #22785: deleting state #22785
<141>Sep 20 15:17:19 Vigor: pluto[13166]: packet from 146.90.x.x:500: ignoring informational payload, type AUTHENTICATION_FAILED
<141>Sep 20 15:17:19 Vigor: pluto[13166]: packet from 146.90.x.x:500: received and ignored informational message

We have set up on the DrayTek: Phase 1 Proposal: 3DES G1, Phase 1 Authentication: SHA1, Phase 2 Proposal: 3DES with auth, Phase 2 Authentication: All.
It's the same on pfSense: Phase 1 Encryption Algorithm: 3DES, Hash Algorithm: SHA1, DH Group 1 (768); Phase 2 Encryption Algorithm: 3DES, Hash Algorithm: MD5 & SHA1, DH Group 1 (768).

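As an added example (not from the post or from either vendor), a small Python correlator that parses the two log formats quoted above and names the IKEv1 failure pattern they describe together: the Vigor initiates Aggressive Mode while the pfSense PSK configuration only permits Main Mode, so pfSense answers with AUTH_FAILED and the Vigor logs the notify as ignored. The sample lines are constructed from the post's excerpts; the masked addresses are the post's own.

```python
import re

# Constructed log excerpts modelled on the pfSense (strongSwan charon) and Vigor
# (pluto) lines in the post; the masked addresses are the post's own.
PFSENSE_LOG = """\
12[CFG] <201> looking for pre-shared key peer configs matching 146.90.x.x...87.242.x.x[87.242.x.x]
12[IKE] <201> found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode
12[ENC] <201> generating INFORMATIONAL_V1 request 718054413 [ N(AUTH_FAILED) ]
08[ENC] <202> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
"""
VIGOR_LOG = """\
<141>Sep 20 15:16:50 Vigor: pluto[13166]: "PB_Test" #22785: initiating Aggressive Mode #22785, connection "PB_Test"
<141>Sep 20 15:16:50 Vigor: pluto[13166]: packet from 146.90.x.x:500: ignoring informational payload, type AUTHENTICATION_FAILED
<141>Sep 20 15:17:19 Vigor: pluto[13166]: "PB_Test" #22785: deleting state (STATE_AGGR_I1)
"""

# charon: "<thread>[<subsystem>] <<ike-sa-id>> <message>"
CHARON_RE = re.compile(r"^(\d+)\[([A-Z]+)\]\s+<(\d+)>\s+(.*)$")
# pluto: '... pluto[<pid>]: ["<conn>" [#<state>]:] <message>'
PLUTO_RE = re.compile(r'pluto\[\d+\]:\s+(?:"([^"]+)"(?:\s+#\d+)?:\s+)?(.*)$')

def parse_charon(text):
    """Return a list of (ike_sa_id, subsystem, message) for every charon-format line."""
    return [(m[3], m[2], m[4]) for m in map(CHARON_RE.match, text.splitlines()) if m]

def parse_pluto(text):
    """Return a list of (connection name or None, message) for every pluto-format line."""
    return [(m[1], m[2]) for m in map(PLUTO_RE.search, text.splitlines()) if m]

def diagnose(pfsense_text, vigor_text):
    """Correlate responder (charon) and initiator (pluto) logs and name the failure pattern."""
    charon_msgs = [msg for _, _, msg in parse_charon(pfsense_text)]
    pluto_msgs = [msg for _, msg in parse_pluto(vigor_text)]
    responder_rejects_aggr = any("none allows pre-shared key authentication using Aggressive Mode" in m
                                 for m in charon_msgs)
    responder_sent_auth_failed = any("N(AUTH_FAILED)" in m for m in charon_msgs)
    initiator_aggr = any("initiating Aggressive Mode" in m for m in pluto_msgs)
    initiator_got_auth_failed = any("type AUTHENTICATION_FAILED" in m for m in pluto_msgs)
    findings = []
    if responder_rejects_aggr and initiator_aggr:
        findings.append("phase1-mode-mismatch")    # initiator Aggressive, responder PSK config Main only
    if responder_sent_auth_failed and initiator_got_auth_failed:
        findings.append("auth-failed-ignored")     # notify was sent; initiator logged it as ignored
    if any("deleting state (STATE_AGGR_I1)" in m for m in pluto_msgs):
        findings.append("phase1-never-advanced")   # SA torn down while still in AGGR_I1
    return findings
```

The same three checks apply to any strongSwan/pluto pair; a finding of `phase1-mode-mismatch` means the fix is on the proposal/mode settings, not on the pre-shared key itself.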

20 Sep 2017 15:58 #2 by pobster123
Replied by pobster123 on topic Re: Vigor 3900 to pfSense Site to site IPSec
Any help will be really appreciated, if you need any more information please let me know.

I have followed lots of posts and vlogs found by searching for the error, but none has solved my issue.


21 Sep 2017 15:22 #3 by pobster123
Replied by pobster123 on topic Re: Vigor 3900 to pfSense Site to site IPSec
Just wanted to give an update, I have managed to solve my issues connecting to pfSense firewall.

I would recommend initially creating the IPsec connection with the following settings:
On the pfSense:

Phase 1: Encryption algorithm: 3DES, Hash Algorithm: MD5, DH Group 1 (768 bit)
Phase 2: Encryption algorithm: 3DES, Hash Algorithm: SHA1, PFS key group off

On the DrayTek under the Proposal tab:
IKE Phase 1 Proposal [Dial Out]: 3DES G1
IKE Phase 1 Authentication: MD5
IKE Phase 2 Proposal: 3DES with auth
IKE Phase 2 Authentication: SHA1
Accepted Proposal: acceptall

I would stress that this is an initial setup: once I got the connection working and routing traffic I started ramping up the encryption, and will keep going as long as it runs stable.

Hope this saves someone the hours of frustration I have had.

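Added example, not part of the post or of either vendor's tooling: a Python checker that compares the two sides' Phase 1 and Phase 2 settings from the post field by field (an empty mismatch list is what the working configuration above produces) and flags the legacy algorithms still in that initial setup (3DES, MD5, DH group 1), which is the "ramping up" the poster goes on to do. The mapping of the Vigor labels ('3DES G1', '3DES with auth', 'All') and the dataclass names are my assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Phase1:
    enc: str     # e.g. "3DES", "AES256"
    hash: str    # e.g. "MD5", "SHA1"
    dh: int      # IKE Diffie-Hellman group number

@dataclass(frozen=True)
class Phase2:
    enc: str
    auth: frozenset       # ESP integrity algorithms offered
    pfs: Optional[int]    # DH group for PFS, None when PFS is off

# Legacy parameters worth flagging once the tunnel works; all three appear in the
# post's initial settings (3DES, MD5 and 768-bit DH group 1).
LEGACY = {"enc": {"DES", "3DES"}, "hash": {"MD5"}, "dh": {1, 2}}

def draytek_phase1(proposal: str, auth: str) -> Phase1:
    """Map the Vigor labels quoted in the post ('3DES G1', 'MD5') onto a Phase1.
    The label format is my reading of those strings, not a documented DrayTek format."""
    enc, group = proposal.split()
    return Phase1(enc.upper(), auth.upper(), int(group.lstrip("Gg")))

def draytek_phase2(proposal: str, auth: str, pfs: Optional[int] = None) -> Phase2:
    """'3DES with auth' + 'SHA1' -> Phase2. 'All' is assumed to offer both MD5 and SHA1."""
    algs = {"MD5", "SHA1"} if auth.lower() == "all" else {auth.upper()}
    return Phase2(proposal.split()[0].upper(), frozenset(algs), pfs)

def mismatches(a1: Phase1, a2: Phase2, b1: Phase1, b2: Phase2) -> list:
    """Compare side A against side B field by field; an empty list means every parameter matches."""
    out = [f"phase1 {f}: {getattr(a1, f)} vs {getattr(b1, f)}"
           for f in ("enc", "hash", "dh") if getattr(a1, f) != getattr(b1, f)]
    if a2.enc != b2.enc:
        out.append(f"phase2 enc: {a2.enc} vs {b2.enc}")
    if not (a2.auth & b2.auth):
        out.append(f"phase2 auth: {sorted(a2.auth)} vs {sorted(b2.auth)}")
    if a2.pfs != b2.pfs:
        out.append(f"phase2 pfs: {a2.pfs} vs {b2.pfs}")
    return out

def legacy_flags(p1: Phase1, p2: Phase2) -> set:
    """Name the parameters on one side that still use legacy algorithms."""
    checks = [("phase1 enc", p1.enc, LEGACY["enc"]), ("phase1 hash", p1.hash, LEGACY["hash"]),
              ("phase1 dh group", p1.dh, LEGACY["dh"]), ("phase2 enc", p2.enc, LEGACY["enc"]),
              ("phase2 pfs group", p2.pfs, LEGACY["dh"])]
    flags = {f"{label} {value}" for label, value, weak in checks if value in weak}
    flags |= {f"phase2 auth {a}" for a in p2.auth if a in LEGACY["hash"]}
    return flags
```

Feeding the post's first, failing attempt (pfSense Phase 2 with DH group 1 against a Vigor side with no PFS) into `mismatches` reports the PFS difference, which is the one parameter the working configuration changed on the pfSense side.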

25 Sep 2017 23:15 #4 by ollietait
Replied by ollietait on topic Re: Vigor 3900 to pfSense Site to site IPSec
Hi Pobster123
I'm troubleshooting a similar issue (DrayTek 3900 to Cisco) - IPsec AES256 G2, PFS, SHA. It was all working fine for months, then I upgraded from FW 1.2.2 to 1.3.1 on the DrayTek 3900 and now can't get any traffic through the VPN. I've tried recreating the VPN but it remains the same.

The connection appears to come up, but doesn't pass any traffic.

Which FW version are you running on the DrayTek?
Ollie


29 Sep 2017 11:01 #5 by brucer214
Replied by brucer214 on topic Re: Vigor 3900 to pfSense Site to site IPSec

ollietait wrote: Hi Pobster123
I'm troubleshooting a similar issue (DrayTek 3900 to Cisco) - IPsec AES256 G2, PFS, SHA. It was all working fine for months, then I upgraded from FW 1.2.2 to 1.3.1 on the DrayTek 3900 and now can't get any traffic through the VPN. I've tried recreating the VPN but it remains the same.

The connection appears to come up, but doesn't pass any traffic.

Which FW version are you running on the DrayTek?
Ollie

Hi Ollie,

I'm just doing something similar on a 3900 (1.3.1). It would pass traffic one way, but I could not bring the tunnel up from the Cisco side until I set up a keep alive.
My settings are the same as yours but no PFS.

My main problem is stability of the 3900, it has locked up 3 times in 4 days. Have you had anything similar?

Bruce


30 Nov 2017 11:06 #6 by ollietait
Replied by ollietait on topic Re: Vigor 3900 to pfSense Site to site IPSec
Hi BruceR214
Sorry, a bit late on the response, I don't often look on here. No, not seen any 3900 lock up (I have seen them stop passing RDP traffic over VPN (other traffic still flows over the VPN), seen them dump all config on a straightforward reboot, seen them lose the ability to sustain an IPsec VPN so you have to re-enter the config after a firmware upgrade; they have an odd issue with the "LogMeIn application" where you have to add all the LogMeIn remote servers to a rule to force all traffic to them through one of your IP aliases rather than the primary external IP (something to do with the SSL encryption, I believe)).
