• Ping, from static endpoint to dynamic endpoint, doesn't wake up tunnel…

    Locked · 0 Votes · 5 Posts · 3k Views

    I always set up keep alive but, in this case (mobile tunnel), it doesn't help (obviously, I'm pinging from the dynamic side to the static side)…

    But I'm facing a type of problem I already had, and that only depends on "experience feedback":

    previously, I already had bugs with Netopia/IPsec...

    But in my actual case, once more, something strange appears:

    depending on the firmware/shared key length, the VPN tunnel will wake up immediately on its own... or not...

    :-X ... going to bed lol...

    Thank you,

    Sincerely,

  • Does anyone have the IPSEC VPN WITH Shrew vpnclient working?

    Locked · 0 Votes · 10 Posts · 6k Views

    @jimp:

    While NAT-T does help Mobile IPsec work in more scenarios, it already works fine in plenty of other places.

    I've had mobile IPsec clients working for customers for quite a while now, even without NAT-T. I think I started using it with pfSense 1.2.1.

    You can also use mobile tunnels for pfsense-to-pfsense IPsec, if one end is on a dynamic IP, though now you can use dyndns hostnames for the remote peer address so that isn't needed quite so much.

    It can be used for any IPsec connection you need where one side is static and the other end is somewhere unknown.

    Oh OK! I finally understood: it helps but isn't necessary…

    Thank you!

  • Printing w/ roadwarrior login

    Locked · 0 Votes · 2 Posts · 1k Views

    You don't normally need to share printers over the VPN to get printing to work over RDP.

    You need the driver for the local printer installed on the remote computer.

    I've done this extensively over the years and never had to share the local printer.

  • PPS over IPSec

    Locked · 0 Votes · 5 Posts · 3k Views

    fastcon68,

    I'm using a tool called unicornscan, homepage: http://www.unicornscan.org/

    Basically, I'm running the command

    ```
    unicornscan -r 50000 -R 5000 host/ip
    ```

    So, scan the host at 50,000 pps and repeat it 5000 times. Talk about flooding state tables; that command will do it in a matter of seconds. You probably need server-class gigabit interfaces to actually generate 50,000 pps, but even 25,000 kills it. And unicornscan is in the ports tree if you're running FreeBSD servers…

  • Problem - pfsense 1.2.2 and openbsd using isakmpd

    Locked · 0 Votes · 1 Post · 1k Views · No one has replied

  • Keep Alive : Netopia requires remote network address

    Locked · 0 Votes · 3 Posts · 2k Views

    @focalguy:

    I always set up the remote address as the remote gateway device. I'm not using any netopia but as far as I know they act about the same. It just sends traffic along to that address to keep the tunnel alive in case there is no other traffic being passed.

    When you put in the remote gateway address did you put in the LAN address or the remote WAN address? If I was connecting 192.168.1.1/24 -> 192.168.2.1/24 I would set 192.168.2.1 to ping 192.168.1.1.

    Oops, small misunderstanding:

    I already do as you say, but I was referring to putting in the remote WAN address, so:

    192.168.2.1 to ping the WAN address of 192.168.1.1

    I'm asking because I read some tutorial that advises doing this instead of the classic "192.168.1.1 / 192.168.2.1".

    But if you tell me that you do the same, with success, I'll continue doing as always ;D

    By the way, another related question:

    I never set up keep alive on the pfSense VPN setup, but only on the remote routers that connect to it (well, my sentence is wrong about IPsec establishment between sites, but you understand what I mean). To be more accurate: I specify on the remote site to ping the LAN IP of pfSense (I think it doesn't need to be an internal remote address (e.g. another server), does it?).

    Do you people set up mutual keep alive?

    Thank you,

    Sincerely,

  • Site-to-Site with two pfSense 1.2.2 and certs

    Locked · 0 Votes · 2 Posts · 4k Views

    Today, without making the slightest change, I have this in my logs:

    ```
    Aug 14 12:01:06 racoon: [SiteToSite-VPN]: INFO: phase2 sa deleted yyy.yyy.yyy.yyy-xxx.xxx.xxx.xxx
    Aug 14 12:01:05 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
    Aug 14 12:01:05 racoon: [SiteToSite-VPN]: INFO: phase2 sa expired yyy.yyy.yyy.yyy-xxx.xxx.xxx.xxx
    Aug 14 12:01:04 racoon: ERROR: no peer's CERT payload found.
    Aug 14 12:01:04 racoon: INFO: received Vendor ID: DPD
    Aug 14 12:01:04 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Aug 14 12:01:04 racoon: ERROR: failed to get subjectAltName
    Aug 14 12:01:04 racoon: ERROR:
    Aug 14 12:01:03 racoon: ERROR: no peer's CERT payload found.
    Aug 14 12:01:03 racoon: INFO: received Vendor ID: DPD
    Aug 14 12:01:03 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Aug 14 12:01:03 racoon: ERROR: failed to get subjectAltName
    Aug 14 12:01:03 racoon: ERROR:
    Aug 14 12:00:54 racoon: ERROR: no peer's CERT payload found.
    Aug 14 12:00:54 racoon: INFO: received Vendor ID: DPD
    Aug 14 12:00:54 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Aug 14 12:00:54 racoon: ERROR: failed to get subjectAltName
    Aug 14 12:00:54 racoon: ERROR:
    Aug 14 12:00:53 racoon: ERROR: no peer's CERT payload found.
    Aug 14 12:00:53 racoon: INFO: received Vendor ID: DPD
    Aug 14 12:00:53 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Aug 14 12:00:53 racoon: ERROR: failed to get subjectAltName
    Aug 14 12:00:53 racoon: ERROR:
    Aug 14 12:00:45 racoon: [SiteToSite-VPN]: INFO: phase2 sa deleted yyy.yyy.yyy.yyy-xxx.xxx.xxx.xxx
    Aug 14 12:00:45 racoon: ERROR: no peer's CERT payload found.
    Aug 14 12:00:44 racoon: INFO: received Vendor ID: DPD
    Aug 14 12:00:44 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Aug 14 12:00:44 racoon: ERROR: failed to get subjectAltName
    Aug 14 12:00:44 racoon: ERROR:
    Aug 14 12:00:44 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
    Aug 14 12:00:44 racoon: [SiteToSite-VPN]: INFO: phase2 sa expired yyy.yyy.yyy.yyy-xxx.xxx.xxx.xxx
    Aug 14 12:00:44 racoon: ERROR: no peer's CERT payload found.
    Aug 14 12:00:43 racoon: INFO: received Vendor ID: DPD
    Aug 14 12:00:43 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Aug 14 12:00:43 racoon: ERROR: failed to get subjectAltName
    Aug 14 12:00:43 racoon: ERROR:
    ```

    Googling the first new error, I found this posting:
    http://forum.pfsense.org/index.php?topic=5774.0

    As I'm using easy-rsa, I don't know how to handle that circumstance.

    On http://www.fefe.de/racoon.txt I found this description:

    > failed to get subjectAltName
    >
    > You forgot to set "my_identifier asn1dn;" in the remote section.

    But I've set my DynDNS domain name on the remote site as "My Identifier".

    Anyone a hint?

  • IPSEC Issue - dnswatch core dump

    Locked · 0 Votes · 3 Posts · 3k Views

    Seems the dnswatch command from the Aug 04 build is bad. Pulled a copy from an older build I was testing (July 31) and the older version works fine.

    With the Aug 4th version of dnswatch:

    ```
    Aug 13 16:18:44 rt php: : The command '/usr/local/sbin/racoonctl -s /var/db/racoon/racoon.sock reload-config' returned exit code '1', the output was ''
    Aug 13 16:18:45 rt kernel: pid 722 (dnswatch), uid 0: exited on signal 11 (core dumped)
    ```

    With the July 31 version of dnswatch:

    ```
    Aug 13 16:46:20 rt php: /vpn_ipsec.php: IPSEC: Send a reload signal to the IPsec process
    Aug 13 16:46:20 rt php: /vpn_ipsec.php: The command '/usr/local/sbin/racoonctl -s /var/db/racoon/racoon.sock reload-config' returned exit code '1', the output was ''
    Aug 13 16:46:21 rt check_reload_status: reloading filter
    ```

    A quick ps shows the process is running now:

    ```
    ps -efxww | grep -i dns
    ps: Process environment requires procfs(5)
    6118  ??  Ss    0:00.00  /usr/local/sbin/dnswatch /var/run/dnswatch-ipsec.pid 60 /etc/rc.newipsecdns /var/etc/dnswatch-ipsec.hosts loki
    ```

  • IPSec Fails :unsupported PF_KEY message REGISTER

    Locked · 0 Votes · 2 Posts · 7k Views

    I always ignore these messages. I've never run into a tunnel not negotiating because of these messages.

    There is always a first for every error message.

  • [Solved] IPSec VPN client cannot be accessed from LAN

    Locked · 0 Votes · 1 Post · 3k Views · No one has replied

  • Unable to negotiate IPSEC tunnel from local network

    Locked · 0 Votes · 2 Posts · 2k Views

    I got tired of waiting for forum posts so I checked out IRC. According to cmb, "you can't NAT traffic destined to IPSEC in FreeBSD".
    The only way to accomplish what I want is to set up an additional pfSense box, or move to a Linux distribution like IPCop.

  • IPSEC VIA C-7D Padlock

    Locked · 0 Votes · 1 Post · 1k Views · No one has replied

  • [Solved] vpn client cannot be accessed by lan

    Locked · 0 Votes · 4 Posts · 2k Views

    I'm sorry - this is an IPsec VPN question, not OpenVPN. If someone could move it to that forum it would be great…

  • Stonegate anyone ?

    Locked · 0 Votes · 1 Post · 3k Views · No one has replied

  • Road Warrior/ipsec vpn Tunnel up but not passing traffic!

    Locked · 0 Votes · 3 Posts · 3k Views

    I have a rule allowing any any on the ipsec interface, thinking that this was the problem but it made no difference.
    Any other ideas?
    Pat

  • Shrew Network Client

    Locked · 0 Votes · 19 Posts · 31k Views

    Thanks that worked!

  • IPSec Road Warrior with NAT-T Question

    Locked · 0 Votes · 14 Posts · 13k Views

    @jimp:

    You may want to start a new thread for that question, it won't be seen by as many people when it is buried deep in a thread like this.

    You're right ;D

    Thanks for the advice ;)

  • Analyzing traffic over the IPSEC Interface

    Locked · 0 Votes · 2 Posts · 2k Views

    You can listen on enc0 with tcpdump instead of the physical interface; all encrypted traffic will pass through this virtual interface before the crypto is applied.

    pfSense seems to default to masking all of it via sysctl tunables however, so read enc(4) in the manual and adjust the tunables as necessary to see the traffic. The example below should show you what you want to see:

    ```
    sysctl -e net.enc.out.ipsec_bpf_mask=0x1
    sysctl -e net.enc.out.ipsec_filter_mask=0x1
    sysctl -e net.enc.in.ipsec_filter_mask=0x2
    sysctl -e net.enc.in.ipsec_bpf_mask=0x2
    ```

  • Ipsec vpn and Avaya voip

    Locked · 0 Votes · 1 Post · 3k Views · No one has replied

  • Pfsense as VPN Client

    Locked · 0 Votes · 1 Post · 2k Views · No one has replied

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.