Hi Gordon,

Unfortunately this settings doesn't work. I have a green ok indication on both sides but after a minute the comunication is down. I can't understand why.  I already done another ipcops and pfsense  ipsec tunnel with no problems but with the pfsense 1.2.2 vers. I found in my ipsec logs (pfsense side) :

Sep 9 11:09:45 racoon: [vpn a cordoba]: ERROR: pfkey DELETE received: ESP wan pfsense[500]->IPCOP RED IP[500] spi=3607332516(0xd70386a4)
Sep 9 11:09:45 racoon: [vpn a cordoba]: INFO: IPsec-SA established: ESP wan pfsense[500]->IPCOP RED IP[500] spi=3865395393(0xe66540c1)
Sep 9 11:09:45 racoon: [vpn a cordoba]: INFO: IPsec-SA established: ESP IPCOP RED IP[0]->wan pfsense[0] spi=184063618(0xaf89682)
Sep 9 11:09:45 racoon: [vpn a cordoba]: INFO: respond new phase 2 negotiation: wan pfsense[500]<=>IPCOP RED IP[500]
Sep 9 11:09:45 racoon: [vpn a cordoba]: INFO: ISAKMP-SA established wan pfsense[500]-IPCOP RED IP[500] spi:dd3240523b1a178a:5edb221090fa00e5
Sep 9 11:09:45 racoon: INFO: received Vendor ID: DPD
Sep 9 11:09:45 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Sep 9 11:09:45 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Sep 9 11:09:45 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Sep 9 11:09:45 racoon: INFO: received Vendor ID: RFC 3947
Sep 9 11:09:45 racoon: INFO: begin Identity Protection mode.
Sep 9 11:09:45 racoon: [vpn a cordoba]: INFO: respond new phase 1 negotiation: wan pfsense[500]<=>IPCOP RED IP[500]
Sep 9 11:09:44 racoon: [vpn a cordoba]: INFO: ISAKMP-SA deleted wan pfsense[500]-IPCOP RED IP[500] spi:022ba8fc052bf43f:8d9b0dfde61e13d8
Sep 9 11:09:43 racoon: [vpn a cordoba]: INFO: ISAKMP-SA expired wan pfsense[500]-IPCOP RED IP[500] spi:022ba8fc052bf43f:8d9b0dfde61e13d8
Sep 9 11:09:12 racoon: [vpn a cordoba]: ERROR: pfkey DELETE received: ESP wan pfsense[500]->IPCOP RED IP[500] spi=253583350(0xf1d5ff6)
Sep 9 11:09:12 racoon: [vpn a cordoba]: INFO: IPsec-SA established: ESP wan pfsense[500]->IPCOP RED IP[500] spi=3607332516(0xd70386a4)
Sep 9 11:09:12 racoon: [vpn a cordoba]: INFO: IPsec-SA established: ESP IPCOP RED IP[0]->wan pfsense[0] spi=55126245(0x34928e5)
Sep 9 11:09:12 racoon: [vpn a cordoba]: INFO: respond new phase 2 negotiation: wan pfsense[500]<=>IPCOP RED IP[500]
Sep 9 11:09:12 racoon: [vpn a cordoba]: INFO: ISAKMP-SA established wan pfsense[500]-IPCOP RED IP[500] spi:022ba8fc052bf43f:8d9b0dfde61e13d8
Sep 9 11:09:11 racoon: INFO: received Vendor ID: DPD
Sep 9 11:09:11 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Sep 9 11:09:11 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Sep 9 11:09:11 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Sep 9 11:09:11 racoon: INFO: received Vendor ID: RFC 3947
Sep 9 11:09:11 racoon: INFO: begin Identity Protection mode.
Sep 9 11:09:11 racoon: [vpn a cordoba]: INFO: respond new phase 1 negotiation: wan pfsense[500]<=>IPCOP RED IP[500]
Sep 9 11:09:10 racoon: [vpn a cordoba]: INFO: ISAKMP-SA deleted wan pfsense[500]-IPCOP RED IP[500] spi:854e2e340ea487c6:f5eda415ea8305a6
Sep 9 11:09:09 racoon: [vpn a cordoba]: INFO: ISAKMP-SA expired wan pfsense[500]-IPCOP RED IP[500] spi:854e2e340ea487c6:f5eda415ea8305a6

Any clues?

Marcos

I am using the 2.1.5 BETA RC2 (not even latest one; haven't tried latest one yet released a few days ago) on RTM release of Windows 7 and I can connect to all of my pfSense FW at 4 different companies (2 T1's and 2 DSL) - just works.

OK, solved.
I had a mismatch in the phase 2 setup….the PFS keygroup was not exactly the same on both ends.

Now I believe routing is ok, next thing is setting up dhcp relay.

Thanks for the support!

Leon

ran into the same issue with one of the Aug 4th builds, reinstall with a build from mid july seems to fix the issue for me.

dont have access to my pfsense box now, but from what i remember if you have a harddrive install the config files should be in /var/etc/ .

-loki

It turns out the problem with the Cisco VPN client wasn't a problem, wifey didn't remember her passcode right…

Anyway, the Watchguard Mobile VPN is still not working.

I have setup a few rules in the firewall: allow all communication on ports 500 and 4500 from any to any, and allow ESP and AH protocols from any to any. All those four rules are under "WAN" tab in the Firewall rule table page in the webGUI - do I need anything under the "LAN" tab?

No worries then, that specific issue is fixed in RC2 snapshots.

I always setup keep alive but, in this case (mobile tunnel), it doesn't help (obviously, i'm pinging from dynamic side to static side)…

But, i'm facing a problem type i already had and that only depends from "experience feedback" :

previously, i already had bugs with netopia/ipsec...

But, in my actual case, once more, something strange appears :

depending on the firmware/shared key lenght : the vpn tunnel will wake immediately alone...or not...

:-X ...going to bed lol...

Thank you,

Sincerely,

@jimp:

While NAT-T does help Mobile IPsec work in more scenarios, it already works fine in plenty of other places.

I've had mobile IPsec clients working for customers for quite a while now, even without NAT-T. I think I started using it with pfSense 1.2.1.

You can also use mobile tunnels for pfsense-to-pfsense IPsec, if one end is on a dynamic IP, though now you can use dyndns hostnames for the remote peer address so that isn't needed quite so much.

It can be used for any IPsec connection you need where one side is static and the other end is somewhere unknown.

Oh OK ! I finally understood : it helps but isn't necessary…

Thank you !

You don't normally need to share printers over the VPN to get printing to work over RDP.

You need the driver for the local printer installing on the remote computer.

I've done this extensively over the years and never had to share the local printer.

fastcon68,

i'm using a tool called unicornscan homepage: http://www.unicornscan.org/

basically, i'm running the command```
unicornscan -r 50000 -R 5000 host/ip

so, scan the host with 50,000pps and repeat it 5000 times. talk about flooding state tables, that command will do it in a matter of seconds. you probably need server class gigabit interfaces to actually gen 50,000 pps but even 25,000 kills it. and unicornscan is in the ports tree if your running freebsd servers…

@focalguy:

I always set up the remote address as the remote gateway device. I'm not using any netopia but as far as I know they act about the same. It just sends traffic along to that address to keep the tunnel alive in case there is no other traffic being passed.

When you put in the remote gateway address did you put in the LAN address or the remote WAN address? If I was connecting 192.168.1.1/24 -> 192.168.2.1/24 I would set 192.168.2.1 to ping 192.168.1.1.

Oops, small misunderstood :

I already do as you say, but i was referring to put the remote WAN address, so :

192.168.2.1 to pinf WAN address of 192.168.1.1

I'm asking it because i read some tutorial that advice to do this instead of the classic "192.168.1.1 / 192.168.2.1"

But, if you say me that you do the same, with success, i'll continue doing as always  ;D

By the way, another question related :

I never setup keep alive on pfsense vpn setup, but only on remote routers that connect to it (well, my sentence is wrong about ipsec establishment between sites, but you understand what i mean). To be more accurate : i specify on remote site, to ping lan ip of pfSense (i think it doesn't need to be an internal remote address (e.g. : another server), does it ?).

Do you people setup mutual keep alive ?

Thank you,

Sincerely,

Today after making not the slidest change I've that in my logs:

Aug 14 12:01:06 racoon: [SiteToSite-VPN]: INFO: phase2 sa deleted yyy.yyy.yyy.yyy-xxx.xxx.xxx.xxx Aug 14 12:01:05 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found. Aug 14 12:01:05 racoon: [SiteToSite-VPN]: INFO: phase2 sa expired yyy.yyy.yyy.yyy-xxx.xxx.xxx.xxx Aug 14 12:01:04 racoon: ERROR: no peer's CERT payload found. Aug 14 12:01:04 racoon: INFO: received Vendor ID: DPD Aug 14 12:01:04 racoon: INFO: received broken Microsoft ID: FRAGMENTATION Aug 14 12:01:04 racoon: ERROR: failed to get subjectAltName Aug 14 12:01:04 racoon: ERROR: Aug 14 12:01:03 racoon: ERROR: no peer's CERT payload found. Aug 14 12:01:03 racoon: INFO: received Vendor ID: DPD Aug 14 12:01:03 racoon: INFO: received broken Microsoft ID: FRAGMENTATION Aug 14 12:01:03 racoon: ERROR: failed to get subjectAltName Aug 14 12:01:03 racoon: ERROR: Aug 14 12:00:54 racoon: ERROR: no peer's CERT payload found. Aug 14 12:00:54 racoon: INFO: received Vendor ID: DPD Aug 14 12:00:54 racoon: INFO: received broken Microsoft ID: FRAGMENTATION Aug 14 12:00:54 racoon: ERROR: failed to get subjectAltName Aug 14 12:00:54 racoon: ERROR: Aug 14 12:00:53 racoon: ERROR: no peer's CERT payload found. Aug 14 12:00:53 racoon: INFO: received Vendor ID: DPD Aug 14 12:00:53 racoon: INFO: received broken Microsoft ID: FRAGMENTATION Aug 14 12:00:53 racoon: ERROR: failed to get subjectAltName Aug 14 12:00:53 racoon: ERROR: Aug 14 12:00:45 racoon: [SiteToSite-VPN]: INFO: phase2 sa deleted yyy.yyy.yyy.yyy-xxx.xxx.xxx.xxx Aug 14 12:00:45 racoon: ERROR: no peer's CERT payload found. Aug 14 12:00:44 racoon: INFO: received Vendor ID: DPD Aug 14 12:00:44 racoon: INFO: received broken Microsoft ID: FRAGMENTATION Aug 14 12:00:44 racoon: ERROR: failed to get subjectAltName Aug 14 12:00:44 racoon: ERROR: Aug 14 12:00:44 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found. Aug 14 12:00:44 racoon: [SiteToSite-VPN]: INFO: phase2 sa expired yyy.yyy.yyy.yyy-xxx.xxx.xxx.xxx Aug 14 12:00:44 racoon: ERROR: no peer's CERT payload found. Aug 14 12:00:43 racoon: INFO: received Vendor ID: DPD Aug 14 12:00:43 racoon: INFO: received broken Microsoft ID: FRAGMENTATION Aug 14 12:00:43 racoon: ERROR: failed to get subjectAltName Aug 14 12:00:43 racoon: ERROR:

googling the first new error I found this posting:
http://forum.pfsense.org/index.php?topic=5774.0

As I'm using easy-rsa I don't know how to handle that circumstance

On http://www.fefe.de/racoon.txt I found that discription:

failed to get subjectAltName

You forgot to set "my_identifier asn1dn;" in the remote section.

But I've set my DynDNS Domain Name on the remote site as "My Identifier"

Anyone a hint?

seems the dnswatch command from the Aug 04 build is bad. Pulled a copy from a older build i was testing (July 31) and the older version works fine.

With the Aug 4th version of dnswatch

Aug 13 16:18:44 rt php: : The command '/usr/local/sbin/racoonctl -s /var/db/racoon/racoon.sock reload-config' returned exit code '1', the output was '' Aug 13 16:18:45 rt kernel: pid 722 (dnswatch), uid 0: exited on signal 11 (core dumped)

With the July 31 version of dnswatch

Aug 13 16:46:20 rt php: /vpn_ipsec.php: IPSEC: Send a reload signal to the IPsec process Aug 13 16:46:20 rt php: /vpn_ipsec.php: The command '/usr/local/sbin/racoonctl -s /var/db/racoon/racoon.sock reload-config' returned exit code '1', the output was '' Aug 13 16:46:21 rt check_reload_status: reloading filter

A quick ps show the process is running now

ps -efxww | grep -i dns ps: Process environment requires procfs(5) 6118  ??  Ss    0:00.00  /usr/local/sbin/dnswatch /var/run/dnswatch-ipsec.pid 60 /etc/rc.newipsecdns /var/etc/dnswatch-ipsec.hosts loki

I always ignore these messages. I've never run into a tunnel not negotiating because of these messages.

There is always a first for every error message.