• Site2site tunnel between pf2.0.1 and linksys

    Locked · 4 Posts · 0 Votes · 3k Views

    Hi, I don't know which one did the trick. I tried a few things and all of a sudden the tunnel is up and running. Thanks.

  • HELP: Tunnel (IPSec site2site) crashes

    Locked · 2 Posts · 0 Votes · 2k Views

    Found one wrong setting in Advanced ("Prefer older SAs"). The tunnel itself stays up now (I can ping all the time), but the log nevertheless does not look good:

    Mar 6 13:36:52 racoon: [Unknown Gateway/Dynamic]: ERROR: pfkey DELETE received: ESP x.x.x.x[500]->x.x.x.x[500] spi=755278420(0x2d04a254)
    Mar 6 13:35:43 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=822348144(0x31040970)
    Mar 6 13:35:43 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=251902539(0xf03ba4b)
    Mar 6 13:35:42 racoon: [xxx]: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
    Mar 6 13:32:12 racoon: ERROR: pfkey DELETE received: ESP x.x.x.x[500]->x.x.x.x[500] spi=738466939(0x2c041c7b)
    Mar 6 13:30:43 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=755278420(0x2d04a254)
    Mar 6 13:30:43 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=171853136(0xa3e4550)
    Mar 6 13:30:43 racoon: [xxx]: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
    Mar 6 13:28:56 racoon: ERROR: pfkey DELETE received: ESP x.x.x.x[500]->x.x.x.x[500] spi=671405877(0x2804d735)
    Mar 6 13:28:56 racoon: ERROR: pfkey DELETE received: ESP x.x.x.x[500]->x.x.x.x[500] spi=704921625(0x2a044019)
    Mar 6 13:27:52 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=738466939(0x2c041c7b)
    Mar 6 13:27:52 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=92006427(0x57be81b)
    Mar 6 13:27:52 racoon: [xxx]: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
    Mar 6 13:25:42 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=704921625(0x2a044019)
    Mar 6 13:25:42 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=94974923(0x5a933cb)
    Mar 6 13:25:42 racoon: [xxx]: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
    Mar 6 13:19:44 racoon: ERROR: pfkey DELETE received: ESP x.x.x.x[500]->x.x.x.x[500] spi=654630777(0x2704df79)
    Mar 6 13:19:42 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=671405877(0x2804d735)
    Mar 6 13:19:42 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=246440033(0xeb06061)
    Mar 6 13:19:42 racoon: [xxx]: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
    Mar 6 13:18:46 racoon: ERROR: pfkey DELETE received: ESP x.x.x.x[500]->x.x.x.x[500] spi=637839420(0x2604a83c)
    Mar 6 13:18:42 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=654630777(0x2704df79)
    Mar 6 13:18:42 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=73550287(0x46249cf)
    Mar 6 13:18:42 racoon: [xxx]: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
    Mar 6 13:16:43 racoon: ERROR: pfkey DELETE received: ESP x.x.x.x[500]->x.x.x.x[500] spi=621059908(0x25049f44)
    Mar 6 13:15:42 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=637839420(0x2604a83c)
    Mar 6 13:15:42 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=182947104(0xae78d20)
    Mar 6 13:15:42 racoon: [xxx]: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]

    Any idea?

    Both sides work with static IPs - I say this because the error in line 1 looks as if I am trying to connect to a dynamic IP address…

    Thanks for ANY help!

    Best regards,

    Thorsten
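To make the pattern in a log like the one above visible, here is an added example (it is not part of Thorsten's post and not a pfSense tool): a pair of shell functions that match each racoon `IPsec-SA established` line with the `pfkey DELETE received` line carrying the same SPI and print how long each SA lived, plus a count of the phase 2 negotiations the peer started. The sample lines embedded in `sample_log` are copied from the log above; the function names are my own.

```shell
#!/bin/sh
# Added example: pair racoon "IPsec-SA established" / "pfkey DELETE received"
# lines by SPI and report how long each SA lived. Not from the original post.

# Sample input: lines copied from the log in the post (newest first, as
# racoon/clog shows them); any order works because pairing is by SPI.
sample_log() {
cat <<'EOF'
Mar 6 13:19:44 racoon: ERROR: pfkey DELETE received: ESP x.x.x.x[500]->x.x.x.x[500] spi=654630777(0x2704df79)
Mar 6 13:19:42 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=671405877(0x2804d735)
Mar 6 13:19:42 racoon: [xxx]: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
Mar 6 13:18:46 racoon: ERROR: pfkey DELETE received: ESP x.x.x.x[500]->x.x.x.x[500] spi=637839420(0x2604a83c)
Mar 6 13:18:42 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=654630777(0x2704df79)
Mar 6 13:18:42 racoon: [xxx]: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
Mar 6 13:15:42 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=637839420(0x2604a83c)
Mar 6 13:15:42 racoon: [xxx]: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
EOF
}

# stdin: racoon log lines. stdout: "<spi> <established> <deleted> <age_seconds>",
# one line per SA that was both established and deleted within the log window.
sa_lifetimes() {
  awk '
    # hh:mm:ss -> seconds since midnight (a is a scratch array local to the function)
    function secs(t, a) { split(t, a, ":"); return a[1] * 3600 + a[2] * 60 + a[3] }
    # the last field is "spi=<decimal>(0x<hex>)"; keep only the hex form
    function spi(f) { sub(/^spi=[0-9]+\(/, "", f); sub(/\)$/, "", f); return f }
    /IPsec-SA established/  { est[spi($NF)] = $3 }
    /pfkey DELETE received/ { del[spi($NF)] = $3 }
    END {
      for (s in est)
        if (s in del)
          printf "%s %s %s %d\n", s, est[s], del[s], secs(del[s]) - secs(est[s])
    }
  ' | sort -k2,2
}

# Number of phase 2 negotiations the peer started against this box.
phase2_count() {
  awk '/respond new phase 2 negotiation/ { n++ } END { print n + 0 }'
}

# Stand-alone run on the embedded sample.
printf 'spi established deleted age_s\n'
sample_log | sa_lifetimes
printf 'phase 2 negotiations: %s\n' "$(sample_log | phase2_count)"
```

On a pfSense 2.0.x box the same functions can be fed from the live log (for example `clog /var/log/ipsec.log | sa_lifetimes`, assuming racoon logs there). SA ages of a minute or two, far below the Phase 2 lifetime configured on either end, together with a `respond new phase 2 negotiation` every few minutes, mean the deletes are not normal lifetime expiry: the remote end is tearing SAs down and renegotiating, so the Phase 2 lifetime and the dead peer detection settings on both peers are the next things to compare.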

  • Remote Access with Cisco VPN Client Fails after much research

    Locked · 3 Posts · 0 Votes · 2k Views

    It would have been most interesting to thoroughly troubleshoot this issue, since the Cisco VPN Client is so widely deployed.

    With regard to the "no reply" comment, you can't expect too much over a weekend …

  • IOS + IPsec works - but no access to other tunnel

    Locked · 4 Posts · 0 Votes · 2k Views

    No, I did not have it on the other tunnel. Now it works like a charm on all the other tunnels!

    Thank you very much for your help!

  • Can IPsec have a primary and a failover Tunnel?

    Locked · 3 Posts · 0 Votes · 1k Views

    Thanks for the response. It sure would be nice to have this feature.

  • SOLVED - failed to begin ipsec sa negotiation

    Locked · 1 Post · 0 Votes · 11k Views · No one has replied

  • No internet access from remotesite of vpn tunnel

    Locked · 1 Post · 0 Votes · 1k Views · No one has replied

  • Shrew client drops out

    Locked · 6 Posts · 0 Votes · 2k Views

    If you check with ipconfig after connecting the VPN, what IP address do you see for the DNS server? Is it the same one you use on your remote end?
    And can you ping that server? Can you connect to it with nslookup?

  • Site to site problems

    Locked · 6 Posts · 0 Votes · 2k Views

    I cracked the issue today and thought I would share it in case anyone else is having the same issue.

    It turns out that on the 2.0.1 install the captive portal was stopping the local devices from accessing the VPN subnet; in the 1.3 release the captive portal is configured in the same way but traffic passes with no issue. Maybe somebody knows the answer as to why, but all I know is that I have added the management IP to the captive portal allowed list and now all is working.

    Hope this saves someone else a headache!!

    Regards

    Steve

  • Draytek 2820 Dynamic IP to PFSense 2.0.1 (Release)

    Locked · 1 Post · 0 Votes · 2k Views · No one has replied

  • Got tunnel, now the routing…

    Locked · 3 Posts · 0 Votes · 3k Views

    You have the same problem as I described some postings earlier.

    You have to use a COMPLETELY different IP address range. Try 10.180.180.0/24 as the virtual IP for your clients. Then you can connect to your firewall's LAN, but not to any other tunnel…

    BTW: Why do you use VPN-Tracker?!?!?! OS X 10.6 has the original Cisco VPN client on board, which works perfectly with pfSense... ;-)

    BTW 2: One of the moderators COULD answer all the serious IPsec problems everybody (!) seems to have. Or do you get support ONLY if it's paid support?!?!

  • VPN to IPCop with certificates

    Locked · 2 Posts · 0 Votes · 2k Views

    I figured it out and thought I'd post here. It turns out that when you delete a CA from the web GUI you're not actually deleting it. I had at some point uploaded the CA from the IPCop side, but all the certs and CAs from my trying to get things working were getting messy, so I deleted everything, which is why I said there was no CA installed from the other side to trust. I started from scratch on the IPCop side to test, and the pfSense side denied the connection because it couldn't validate the cert, just as it should. Once I uploaded the new CA from the IPCop side it worked just fine.

  • IPSec mobile clients accessing different subnets

    Locked · 1 Post · 0 Votes · 1k Views · No one has replied

  • PfSense to centos 5 racoon

    Locked · 4 Posts · 0 Votes · 5k Views

    Hello All,

    SOLVED

    Replying to my own thread here.
    I just wanted to report that I did get this site-to-site IPsec VPN functioning. After many days of wrangling, I did have to get familiar with doing the setkey structure to get the VPN up.

    Summary:

    My old CentOS 5 box kernel is getting long in the tooth.
    2.6.18-8.1.6.el5 #1 SMP Thu Jun 14 17:46:09 EDT 2007 i686 i686 i386 GNU/Linux
    This may in fact be part of the problem, but I can not really pinpoint this as even part of the problem. I simply can not update the kernel, as I have had an Asterisk PBX running flawlessly for almost 5 years and don't want to break it with a kernel update.

    I updated the ipsec-tools package from the repos' 0.6.5 to a self-built 0.8.0 ipsec-tools RPM. This did not make any difference, as I was hoping this may be the cure.
    After umpteen configuration changes to racoon.conf on both local and remote machines, I always wound up with the following error regardless of what I changed it to:

    ERROR: notification NO-PROPOSAL-CHOSEN received in informational exchange.

    I would always get phase 1 to complete but never phase 2, as it failed with the above error.

    I did find my kernel does not support FIPS, and don't know if this is a burden or not in trying to make this work?

    After reading MANY setkey shell script examples, I set up one to suit my CentOS box and the remote pfSense machine and sure enough the VPN linked up without a hitch.
    I guess I am not at all familiar with how racoon, racoonctl and setkey hook together, as I was under the understanding these all played together seamlessly.

    I know more now about how racoon works, if nothing else, out of all of this.
    I would guess there is surely a more transparent way of making this work, but I simply couldn't get it without the setkey shell script running first.

    Just posting this hoping it may help someone else down the road.  :'(

    Take Care,
    Barry
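For anyone following Barry's route, here is an added example of the two pieces he describes (this is my script, not Barry's setkey script and not an ipsec-tools or pfSense file): a shell script that emits the setkey SPD entries for the CentOS side and a racoon.conf whose sainfo block mirrors a pfSense 2.0.x Phase 2 entry (AES-256, SHA1, PFS key group 2, 3600 s lifetime). The gateway and LAN addresses, the networks, the PSK path and the function names are constructed placeholders. "NO-PROPOSAL-CHOSEN received in informational exchange" means the peer (here pfSense) rejected the phase 2 proposal or its selectors, so the check is to compare the sainfo block and the SPD networks field by field with the pfSense Phase 2 page; the selectors racoon sends come from the SPD, which is one reason a missing or wrong SPD entry shows up as this error.

```shell
#!/bin/sh
# Added example (not from the post): setkey SPD script plus racoon.conf for the
# CentOS side of a site-to-site tunnel to pfSense. Addresses are placeholders.
LOCAL_GW=203.0.113.1           # CentOS WAN address
LOCAL_NET=192.168.10.0/24      # CentOS LAN  (= pfSense Phase 2 "Remote Network")
REMOTE_GW=198.51.100.1         # pfSense WAN address
REMOTE_NET=198.51.100.1        # placeholder overwritten below
REMOTE_NET=192.168.20.0/24     # pfSense LAN (= pfSense Phase 2 "Local Network")

# Security policy: the kernel may only carry LAN-to-LAN traffic inside an ESP
# tunnel between the two gateways ("require"). Without these entries the
# kernel never asks racoon for an SA and no traffic is ever tunnelled.
# WARNING: "flush;" and "spdflush;" wipe every SA and policy on the box;
# remove those two lines if other tunnels already exist.
spd_script() {
cat <<EOF
flush;
spdflush;
spdadd $LOCAL_NET $REMOTE_NET any -P out ipsec esp/tunnel/$LOCAL_GW-$REMOTE_GW/require;
spdadd $REMOTE_NET $LOCAL_NET any -P in ipsec esp/tunnel/$REMOTE_GW-$LOCAL_GW/require;
EOF
}

# Phase 1 (remote block) and phase 2 (sainfo block). Every algorithm and the
# PFS group in sainfo must equal the pfSense Phase 2 entry; the selectors must
# equal the SPD networks above. /etc/racoon/psk.txt holds "$REMOTE_GW <secret>"
# and must be mode 600.
racoon_conf() {
cat <<EOF
path pre_shared_key "/etc/racoon/psk.txt";

remote $REMOTE_GW {
        exchange_mode main;
        proposal_check obey;
        my_identifier address $LOCAL_GW;
        peers_identifier address $REMOTE_GW;
        lifetime time 28800 sec;
        proposal {
                encryption_algorithm aes 256;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
}

# local network first, then remote; both must match the pfSense Phase 2 networks
sainfo address $LOCAL_NET any address $REMOTE_NET any {
        # pfSense "PFS key group 2" = modp1024; delete this line if PFS is off there
        pfs_group modp1024;
        encryption_algorithm aes 256;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
        lifetime time 3600 sec;
}
EOF
}

case "${1:-}" in
  apply)
    spd_script | setkey -c                     # load SPD into the kernel
    racoon_conf > /etc/racoon/racoon.conf
    echo "SPD loaded and racoon.conf written; restart racoon to pick it up" ;;
  *)
    spd_script; racoon_conf ;;                 # dry run: print what would be applied
esac
```

Run it without arguments to review the generated policy and configuration, and with `apply` (as root) to load the SPD and write racoon.conf. Only the SPD has to be in place before racoon starts; phase 2 is then triggered by the first packet that matches the policy, or by pfSense initiating.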

  • BLOODY unstable VPN

    Locked · 4 Posts · 0 Votes · 3k Views

    Try this!!!
    I sort of had a similar problem…

    Change Negotiation mode: Aggressive
    Disable NAT Traversal
    And make sure Dead Peer Detection is left on.

    Also another cool thing which pfSense does is OpenVPN, to create a secure and reliable tunnel.

    Hope this helps! Best of luck.

  • IPSEC One-way Traffic Initiation.

    Locked · 3 Posts · 0 Votes · 8k Views

    I took over this from jank (co-worker) and was able to figure it out.

    I needed to add a firewall rule for the other end's peer IP (public IP) to allow UDP traffic to my target WAN interface that the VPN traffic is coming in on. Once I did that they were able to initialize the tunnel with a ping or any other traffic.

    I found this by going to Status > System Logs > Firewall and searching for anything on their LAN subnet, then their public IP (where I found the traffic was being dropped), auto-added the rule from that page and good to go ;)

    hopefully this will help someone out in the future.

    thanks

  • Quick Question IPSEC Additional Network adding

    Locked · 6 Posts · 0 Votes · 2k Views

    Thanks anyway!

  • How to increase IPSec throughput with Mini-PCI card?

    Locked · 3 Posts · 0 Votes · 2k Views

    Hey,

    maybe this will help you out if you are looking for complete pfSense firewall solutions: https://www.tranquilnet.com/support/cart.php?a=confproduct&i=0. You can add a PCI expansion card as well. We got one last year from Tranquilnet IT Solutions. It took 2 weeks to ship from the USA to Germany.

    Cheers,
    Szop

  • Two IPSec Site to Site connections

    Locked · 13 Posts · 0 Votes · 5k Views

    I guess that I've found the mistake now and I'm a bit ashamed of this because I think I've wasted a lot of your time. I had no firewall rule on OPT2 and OPT1, so I wasn't able to ping from network to gateway. I thought I just needed a firewall rule on the IPsec tab to route traffic over the IPsec VPN to the destination network. In my last post I said that I was able to ping from pfSense to network like 172.16.40.254 -> 172.16.40.16 and back, but somehow I made a mistake because the second time I tried I was not able to :/, just pfSense to network like 172.16.40.254 -> 172.16.40.16 and pfSense to pfSense and its network like 172.16.40.254 -> 172.16.30.254 and 172.16.30.1.

    Besides that I had to add routes manually on my Windows machines over the command line. You can print the help of "route" by typing "route" into the command line. As you can see I've added a static route manually on this PC http://screencast.com/t/ixe55rM45Mk8. You can see that the routing works now http://screencast.com/t/fKmkbkHu

    Thanks a lot for this great support on this forum!

  • Max number of IpSec tunnels?

    Locked · 5 Posts · 0 Votes · 2k Views

    Thank you. I will try tomorrow.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.