That is for failover between nodes of a CARP cluster, not from WAN1 to WAN2.

IN the intrest of completion, I got the two to connect by the folllowing:

Open TCP port 500 on the WAN port of pfSense in the firewall then:

Both:
Phase one Main Mode / Group 2 / 3DES / SHA1

**SonicWall:**Phase two ESP / 3DES / HMAC / SHA1 (PFS Off)

**pfSense:**Phase two ESP / 3DES / Blowfish / SHA1 (PFS Off)

That would be possible with the Cisco as well, you'd just have to add all of the possible network combinations into the ACL for the IPsec config on that end.

Still ugly, but it would work.

If you can't use OpenVPN you might be better off just making tunnels between each router instead of trying to "route" them all through the main office.

Hi,

i got same issue with multiple connection from one site in PSK mode.

u create multible users with preshared keys right? u use different user profiles for connection right?

Racoon dont create new SA when second user connect. So no traffic passes the tunnel.

this worked for me:

Switch to Mutal PSK + xAuth in phase1.

Users are promted for password then, but it works fine.

cya

Hi,

pfsense 1.2.3 dont support nat-t.

Limitations

NAT-T is not supported until version 2.0, which means mobile clients behind NAT are not supported. This limits pfSense's usefulness with mobile IPsec clients. OpenVPN or PPTP is a better solution.

Alternatively use Openvpn or pfsense v2 .

cya

Hi,

ESP Traffic is encapsulated by UDP Port 4500. So ur third rule should be unnecessary.

U can check it by activating logging on third rule. Then u can check firewall log to determine if its really used.

cya

Hi,

u cant use mac filtering on firewall rules. Only captive Portal is macfilter aware.

In ur environment u need to get employees into a range u can use for filterrules.

1. method - easy way

eg. clients that need to reach main office ressources

Static IP or DHCP with reservation within eg 192.168.1.100 -192.168.1.150

-> create Firewall Alias (IP Range)
-> then allow alias to pass traffic to ur main office.

This solution doesnt prevent users to change IP and get access to main office. So u need to restrict users that they can not change ip address.

2. method - hard way - higher administrative effort

Use vlans and get special employees into another subnet.
This require vlan aware network devices and  lan adapter on clientside.

Alternatively u can use port-based vlan if only ur switches support vlans. Use additional dhcp with MAC to IP assignments (Reservation) -> only special employees get an IP address, others get nothing on networkport that belong to special subnet. But then u need to make sure special employees use always the same network socket to reach main office.

-> configure pfsense with vlans (setup vlan trunk to network switch) or use second network port on pfsense for vlan that is allowed to reach main office.
-> create rule for vlan subnet to pass traffic to main office

cya

Oh in that case if you only need to get from site A to site B and site A to site C, and you can setup your IPsec as such that it looks to your firewall that they're two different subnets, that will work. It may also work with a /24 on one of them and a smaller subnet on the other, only if the other one comes first. That could lead to unpredictable results though, I wouldn't recommend it.

Aren't you getting any clues from Status - System Logs - Firewall or IPsec VPN?

I had a PPTP rule that was deleted - i could make a PPTP connection but all acces to LAN was blocked and traceable in system logs.

Thanks, this is what I needed to know. I downloaded v2 and have not yet installed it. I like the nat-t support and the ability to add more than 1 phase 2. Thanks again

The default transparent proxy rules for that will not catch traffic coming across IPsec, only in LAN or whatever interfaces are selected in the squid GUI.

Looks like the new version of the Shrew Soft client will support this, judging by the changelog.

http://www.shrew.net/download/changelog/vpn/2.2.0-beta-1

It really depends on on how your ISP delivers those IPs to you.

@spiritbreaker:

Hi,

plz provide more details.

How your phase1 and 2 looks like?

cya

Hi;
Cisco config looks like this:

interface Tunnel115
ip vrf forwarding apsdtp
ip address 192.168.115.1 255.255.255.0
tunnel source FastEthernet0/1
tunnel destination PUBLIC_IP_SITEB
tunnel mode ipsec ipv4
tunnel protection ipsec profile s2s-ap
end

crypto ipsec profile s2s-ap
set transform-set s2s-TSET

crypto isakmp key KEEEY address 78.x.x.x5 no-xauth

On the pfsense I have used ordinary IPSEC configuration which work without any problem when the IPSEC tunnel is termineted on physically interface not vti

PFsens:
May 11 17:54:19 racoon: [do-tsp-monitoring]: INFO: IPsec-SA established: ESP 78.x.x.x5[500]->194.x.x.2xx[500] spi=4174818755(0xf8d6adc3)
May 11 17:55:07 racoon: [do-tsp-monitoring]: INFO: respond new phase 2 negotiation: 78.x.x.x5[500]<=>194.x.x.2xx[500]
May 11 17:55:07 racoon: ERROR: failed to get sainfo. May 11 17:55:07 racoon: ERROR: failed to get sainfo.
May 11 17:55:07 racoon: [do-tsp-monitoring]: [194.x.x.2xx] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).

on the cisco:
Interface: Tunnel115
Session status: UP-ACTIVE
Peer: 78.x.x.x5 port 500
  IKE SA: local 194.x.x.2xx/500 remote 78.x.x.x5/500 Active
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 192.168.115.0/255.255.255.0 192.168.1.0/255.255.255.0
        Active SAs: 2, origin: crypto map

next P2:
*May 11 17:58:29: ISAKMP:(1244): Creating IPSec SAs
*May 11 17:58:29:        inbound SA from 78.x.x.x5 to 194.x.x.2xx (f/i)  0/ 0
        (proxy 192.168.1.0 to 192.168.115.0)
*May 11 17:58:29:        has spi 0xF8D6ADC3 and conn_id 0
*May 11 17:58:29:        lifetime of 3600 seconds
*May 11 17:58:29:        outbound SA from 194.x.x.2xx to 78.x.x.x5 (f/i) 0/0
        (proxy 192.168.115.0 to 192.168.1.0)
*May 11 17:58:29:        has spi  0x72F8D79 and conn_id 0
*May 11 17:58:29:        lifetime of 3600 seconds
*May 11 17:58:29: ISAKMP:(1244): sending packet to 78.x.x.x5 my_port 500 peer_port 500 (R) QM_IDLE
*May 11 17:58:29: ISAKMP:(1244):Sending an IKE IPv4 Packet.
*May 11 17:58:29: ISAKMP:(1244):Node -393251934, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
*May 11 17:58:29: ISAKMP:(1244):Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_R_QM2
*May 11 17:58:29: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel115, changed state to up
*May 11 17:58:29: ISAKMP (1244): received packet from 78.x.x.x5 dport 500 sport 500 Global (R) QM_IDLE
*May 11 17:58:29: ISAKMP:(1244):deleting node -393251934 error FALSE reason "QM done (await)"
*May 11 17:58:29: ISAKMP:(1244):Node -393251934, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*May 11 17:58:29: ISAKMP:(1244):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
*May 11 17:58:38: No peer struct to get peer description
*May 11 17:59:06: No peer struct to get peer description
*May 11 17:59:07: ISAKMP:(0):purging node -120744098
*May 11 17:59:07: ISAKMP:(0):purging node 284091442
*May 11 17:59:17: ISAKMP: set new node 0 to QM_IDLE
*May 11 17:59:17: SA has outstanding requests  (local 102.143.234.116 port 500, remote 102.143.234.144 port 500)
*May 11 17:59:17: ISAKMP:(1244): sitting IDLE. Starting QM immediately (QM_IDLE      )
*May 11 17:59:17: ISAKMP:(1244):beginning Quick Mode exchange, M-ID of 667183992
*May 11 17:59:17: ISAKMP:(1244):QM Initiator gets spi
*May 11 17:59:17: ISAKMP:(1244): sending packet to 78.x.x.x5 my_port 500 peer_port 500 (R) QM_IDLE
*May 11 17:59:17: ISAKMP:(1244):Sending an IKE IPv4 Packet.
*May 11 17:59:17: ISAKMP:(1244):Node 667183992, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*May 11 17:59:17: ISAKMP:(1244):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*May 11 17:59:17: ISAKMP:(0):purging SA., sa=6692985C, delme=6692985C
*May 11 17:59:19: ISAKMP:(1244):purging node -393251934
*May 11 17:59:27: ISAKMP:(1244): retransmitting phase 2 QM_IDLE      667183992 …
*May 11 17:59:27: ISAKMP (1244): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
*May 11 17:59:27: ISAKMP (1244): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
*May 11 17:59:27: ISAKMP:(1244): retransmitting phase 2 667183992 QM_IDLE
*May 11 17:59:27: ISAKMP:(1244): sending packet to 78.x.x.x5 my_port 500 peer_port 500 (R) QM_IDLE
*May 11 17:59:27: ISAKMP:(1244):Sending an IKE IPv4 Packet.
*May 11 17:59:35: No peer struct to get peer description
*May 11 17:59:37: ISAKMP:(1244): retransmitting phase 2 QM_IDLE      667183992 ...
*May 11 17:59:37: ISAKMP (1244): incrementing error counter on node, attempt 2 of 5: retransmit phase 2
*May 11 17:59:37: ISAKMP (1244): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
*May 11 17:59:37: ISAKMP:(1244): retransmitting phase 2 667183992 QM_IDLE
*May 11 17:59:37: ISAKMP:(1244): sending packet to 78.x.x.x5 my_port 500 peer_port 500 (R) QM_IDLE
*May 11 17:59:37: ISAKMP:(1244):Sending an IKE IPv4 Packet.
*May 11 17:59:40: No peer struct to get peer description
*May 11 17:59:47: ISAKMP: set new node 0 to QM_IDLE
*May 11 17:59:47: SA has outstanding requests  (local 102.143.234.116 port 500, remote 102.143.234.144 port 500)
*May 11 17:59:47: ISAKMP:(1244): sitting IDLE. Starting QM immediately (QM_IDLE      )
*May 11 17:59:47: ISAKMP:(1244):beginning Quick Mode exchange, M-ID of -1574076160
*May 11 17:59:47: ISAKMP:(1244):QM Initiator gets spi
*May 11 17:59:47: ISAKMP:(1244): sending packet to 78.x.x.x5 my_port 500 peer_port 500 (R) QM_IDLE
*May 11 17:59:47: ISAKMP:(1244):Sending an IKE IPv4 Packet.
*May 11 17:59:47: ISAKMP:(1244):Node -1574076160, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*May 11 17:59:47: ISAKMP:(1244):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*May 11 17:59:47: ISAKMP:(1244): retransmitting phase 2 QM_IDLE      667183992 ...
*May 11 17:59:47: ISAKMP (1244): incrementing error counter on node, attempt 3 of 5: retransmit phase 2
*May 11 17:59:47: ISAKMP (1244): incrementing error counter on sa, attempt 3 of 5: retransmit phase 2
*May 11 17:59:47: ISAKMP:(1244): retransmitting phase 2 667183992 QM_IDLE
*May 11 17:59:47: ISAKMP:(1244): sending packet to 78.x.x.x5 my_port 500 peer_port 500 (R) QM_IDLE
*May 11 17:59:47: ISAKMP:(1244):Sending an IKE IPv4 Packet.
*May 11 17:59:57: ISAKMP:(1244): retransmitting phase 2 QM_IDLE      -1574076160 ...
*May 11 17:59:57: ISAKMP (1244): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
*May 11 17:59:57: ISAKMP (1244): incrementing error counter on sa, attempt 4 of 5: retransmit phase 2
*May 11 17:59:57: ISAKMP:(1244): retransmitting phase 2 -1574076160 QM_IDLE
*May 11 17:59:57: ISAKMP:(1244): sending packet to 78.x.x.x5 my_port 500 peer_port 500 (R) QM_IDLE
*May 11 17:59:57: ISAKMP:(1244):Sending an IKE IPv4 Packet.
*May 11 17:59:57: ISAKMP:(1244): retransmitting phase 2 QM_IDLE      667183992 ...
*May 11 17:59:57: ISAKMP (1244): incrementing error counter on node, attempt 4 of 5: retransmit phase 2
*May 11 17:59:57: ISAKMP (1244): incrementing error counter on sa, attempt 5 of 5: retransmit phase 2
*May 11 17:59:57: ISAKMP:(1244): retransmitting phase 2 667183992 QM_IDLE
*May 11 17:59:57: ISAKMP:(1244): sending packet to 78.x.x.x5 my_port 500 peer_port 500 (R) QM_IDLE
*May 11 17:59:57: ISAKMP:(1244):Sending an IKE IPv4 Packet.
*May 11 18:00:07: ISAKMP:(1244): retransmitting phase 2 QM_IDLE      -1574076160 ...
*May 11 18:00:07: ISAKMP:(1244):peer does not do paranoid keepalives.

*May 11 18:00:07: ISAKMP:(1244):deleting SA reason "Death by retransmission P2" state (R) QM_IDLE      (peer 78.x.x.x5)

on the end I have
Interface: Tunnel115
Session status: UP-NO-IKE
Peer: 78.x.x.x5 port 500
  IKE SA: local 194.x.x.2xx/500 remote 78.x.x.x5/500 Inactive
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 192.168.115.0/255.255.255.0 192.168.1.0/255.255.255.0
        Active SAs: 2, origin: crypto map

Hi,

what about step6? there is something wrong..this is not possible with inactive tunnel.

Check ur routing tables, maybe pakets get routed directly. Post ur networkconfig (site1 site2 wan)

Cya

Hi,

sure use Firewall rules.

go to Firewall -> Ipsec and restrict incomming traffic by setting up rules like this:

Example: Rule to permit only HTTP Traffic to ur Site2 LAN:

Proto Source       Port   Destination                   Port  Gateway Queue Schedule Description
  *        site1_lan         *     Site2-LAN net(or IP)      80               * none

Hope This helps.

Cya

You can run tcpdump on the enc0 interface to see what is coming and going in terms of IPsec traffic. No way to do that from the GUI in 1.2.3, if you're on a 2.0 snapshot you should be able to do that from Diagnostics > Packet Capture.

Oh, by the way,

I have no access to the Cisco side, as is configured by the technical staff of a customer, and they will not attend me if I ask them to change any parameter of their server.

Im trying to set a value for dpd as low a 2 seconds, so the tunnel is renegotiated as soon as the peer is dead, but it does not seem to work.

Thanks in advance for any sugestion.

Juan Diego.

@cmb:

You have to disable NAT too via outbound NAT when you're routing public IPs, on all the systems that are routing public IPs.

Great - good advice. I have disabled it on both routers.

Just to summarize to everyone, after upgrading to 2.0 and disabling outbound NAT, IPSEC is passed through from Router1 to Router2.

clearly no. When i set up the nat forwarding, i instantly loose completely all access to the pfsense. I don't know why but tested that 3 times with same end. I'll try to setup the whole pfsense newly and try again.