Netgate Discussion Forum

    Ipsec Configuration not Working!

    IPsec
    66 Posts 6 Posters 13.8k Views
    • luckman212
      luckman212 LAYER 8 @ibnkamala
      last edited by luckman212

      I'm tuning in and grabbing popcorn for this one.

      @ibnkamala you say here that "both sides are behind NAT". I'm trying to wrap my head around how this is expected to work. IPsec uses static outbound ports so having >1 Phase1 behind a single NAT shouldn't really be possible without some crazy configuration involving port forwarding and outbound NAT on both sides. Later on you state "I really don't know what our partner uses in the other side of the tunnel" ... so 😐

      And then on top of it you're running a 2+ year old version on one end...

      G 1 Reply Last reply Reply Quote 0
      • G
        gabacho4 Rebel Alliance @luckman212
        last edited by gabacho4

        @luckman212 having both routers behind NAT should work fine. I believe I’ve done it in the past. The key however is you have to set that identifier to a KeyID instead of IP address. Googling produces a hit that supports my belief/understanding.

        https://networkengineering.stackexchange.com/questions/70626/is-an-ipsec-connection-between-2-devices-behind-nat-possible

        I’m strongly inclined to believe the OP has an interoperability issue due to the different pfsense versions. More than happy to play with @ibnkamala more once we are comparing apples to apples.

        luckman212 1 Reply Last reply Reply Quote 0
        • luckman212
          luckman212 LAYER 8 @gabacho4
          last edited by

          @gabacho4 I can see how a single IPsec P1 could be made to work where both sides are using NAT-T but I am failing to understand how you could have multiple working P1s like that. I admit I haven't seen the KeyID method you linked to used in the wild so maybe I'm just unaware of that. Anyway, curious how this ends up.

          G 1 Reply Last reply Reply Quote 0
          • G
            gabacho4 Rebel Alliance @luckman212
            last edited by

            @luckman212 I am as well. Enjoy the show! Either we emerge victorious or I lose my sanity.

            I 1 Reply Last reply Reply Quote 0
            • I
              ibnkamala @gabacho4
              last edited by ibnkamala

              @gabacho4 and @luckman212 since you spoke about NAT and port forwarding, I decided to share my infra on both sides with you so you have a clear picture of what I have.

              @gabacho4 I hope I did not give you wrong information; if so, I apologize in advance.

              Pfsense-infra.png

              luckman212 1 Reply Last reply Reply Quote 0
              • luckman212
                luckman212 LAYER 8 @ibnkamala
                last edited by

                @ibnkamala Why are you making things harder than they need to be? Why not replace the "simple internet box" with the pfsense VM and connect IPsec directly to the Sonicwall on the other end (no NAT required)?

                Am I missing something?

                I 1 Reply Last reply Reply Quote 1
                • I
                  ibnkamala @luckman212
                  last edited by ibnkamala

                  @luckman212 How can I replace the internetBox with the pfsense VM? Your point was about SiteA, right?

                  luckman212 1 Reply Last reply Reply Quote 0
                  • luckman212
                    luckman212 LAYER 8 @ibnkamala
                    last edited by

                    @ibnkamala just unplug "simple internet box" and enable dhcp on your pfsense VM. You will need 2 NICs on there so you can have LAN/WAN or you'll need to use VLANs and have a VLAN-capable switch (I'm guessing you may not have this)

                    Yes I am talking about SiteA. I assume you have no direct control over SiteB but I hope that you are at least able to coordinate with whoever controls the Sonicwall to have them set up the tunnel and provide you with the P1/P2 settings.

                    I 1 Reply Last reply Reply Quote 0
                    • I
                      ibnkamala @luckman212
                      last edited by

                      @luckman212 Sadly I only have one NIC on the workstation that I have pfsense on. (However, in reality SiteA will be behind NAT.)

                      Yes, I do have direct access to SiteB. You want me to use the SonicWall for the IPsec instead of pfsense?

                      1 Reply Last reply Reply Quote 0
                      • I
                        ibnkamala
                        last edited by

                        @gabacho4 and @luckman212 also for your information, when I check the port with the public IPs:

                        SiteB is open,

                        But SiteA is closed! Do you think this is what makes the problem? And since it's a simple internetBox, I do not have a firewall to open the ports at all.

                        1 Reply Last reply Reply Quote 0
                            • I
                              ibnkamala
                              last edited by ibnkamala

                              @gabacho4 now both sides are running on 2.6.

                              d15569d1-faba-452a-958d-d59ca3d527f9-image.png
                              472bbbf9-0c95-4ee0-9895-028b62219083-image.png

                              But still not working!

                              For your information when I check the port with the Public IPs here https://www.yougetsignal.com/tools/open-ports/:

                              SiteB is open

                              But SiteA is closed! Do you think this is what makes the problem? And since it's a simple internetBox, I do not have a firewall to open the ports at all.

                              G 1 Reply Last reply Reply Quote 0
                              • G
                                gabacho4 Rebel Alliance @ibnkamala
                                last edited by

                                @ibnkamala sorry just got home from work. So it appears in the last screenshot that both the P1s are connected. That would seem better than it was before. Can you show me the logs so I can see what the P2 is doing? I’m not going to lie to you, your setup is insanely more complicated than I’d ever use. Why would you have pfsense behind another firewall and other hardware? And what is an internet box? A modem? A router? An ONT?

                                I 1 Reply Last reply Reply Quote 0
                                • G
                                  gabacho4 Rebel Alliance
                                  last edited by

                                  @ibnkamala Ok so I did some Googling. Are you located in Switzerland? I found an internetBox that the ISP in Switzerland offers. If not Switzerland, perhaps you are in another European country where the internetBox is used. If you have the device I have found, you can most certainly do port forwarding and/or set up a DMZ. I can't find anything about IPsec passthrough, but it's either there or a DMZ/port forwarding would get the job done.

                                  Some advice - except for art, less is not more. I'm a little tweaked to find out you're using virtualized instances of pfsense that are behind multiple devices etc. Should have asked more about your setup at the beginning but for the next time, cough up all the details from the get go please.

                                  I 1 Reply Last reply Reply Quote 0
                                  • I
                                    ibnkamala @gabacho4
                                    last edited by

                                    @gabacho4

                                    SiteA Logs:


                                    Last 50 IPsec Log Entries. (Maximum 50)
                                    Time Process PID Message
                                    Jun 13 14:56:36 charon 35179 09[CFG] mark_out = 0/0
                                    Jun 13 14:56:36 charon 35179 09[CFG] set_mark_in = 0/0
                                    Jun 13 14:56:36 charon 35179 09[CFG] set_mark_out = 0/0
                                    Jun 13 14:56:36 charon 35179 09[CFG] inactivity = 0
                                    Jun 13 14:56:36 charon 35179 09[CFG] proposals = ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
                                    Jun 13 14:56:36 charon 35179 09[CFG] local_ts = 192.168.1.0/24|/0
                                    Jun 13 14:56:36 charon 35179 09[CFG] remote_ts = 10.10.0.0/24|/0
                                    Jun 13 14:56:36 charon 35179 09[CFG] hw_offload = no
                                    Jun 13 14:56:36 charon 35179 09[CFG] sha256_96 = 0
                                    Jun 13 14:56:36 charon 35179 09[CFG] copy_df = 1
                                    Jun 13 14:56:36 charon 35179 09[CFG] copy_ecn = 1
                                    Jun 13 14:56:36 charon 35179 09[CFG] copy_dscp = out
                                    Jun 13 14:56:36 charon 35179 09[CFG] version = 2
                                    Jun 13 14:56:36 charon 35179 09[CFG] local_addrs = 192.168.1.27
                                    Jun 13 14:56:36 charon 35179 09[CFG] remote_addrs = SiteB
                                    Jun 13 14:56:36 charon 35179 09[CFG] local_port = 500
                                    Jun 13 14:56:36 charon 35179 09[CFG] remote_port = 500
                                    Jun 13 14:56:36 charon 35179 09[CFG] send_certreq = 1
                                    Jun 13 14:56:36 charon 35179 09[CFG] send_cert = CERT_SEND_IF_ASKED
                                    Jun 13 14:56:36 charon 35179 09[CFG] ppk_id = (null)
                                    Jun 13 14:56:36 charon 35179 09[CFG] ppk_required = 0
                                    Jun 13 14:56:36 charon 35179 09[CFG] mobike = 0
                                    Jun 13 14:56:36 charon 35179 09[CFG] aggressive = 0
                                    Jun 13 14:56:36 charon 35179 09[CFG] dscp = 0x00
                                    Jun 13 14:56:36 charon 35179 09[CFG] encap = 0
                                    Jun 13 14:56:36 charon 35179 09[CFG] dpd_delay = 10
                                    Jun 13 14:56:36 charon 35179 09[CFG] dpd_timeout = 0
                                    Jun 13 14:56:36 charon 35179 09[CFG] fragmentation = 2
                                    Jun 13 14:56:36 charon 35179 09[CFG] childless = 0
                                    Jun 13 14:56:36 charon 35179 09[CFG] unique = UNIQUE_REPLACE
                                    Jun 13 14:56:36 charon 35179 09[CFG] keyingtries = 1
                                    Jun 13 14:56:36 charon 35179 09[CFG] reauth_time = 0
                                    Jun 13 14:56:36 charon 35179 09[CFG] rekey_time = 34920
                                    Jun 13 14:56:36 charon 35179 09[CFG] over_time = 3880
                                    Jun 13 14:56:36 charon 35179 09[CFG] rand_time = 3880
                                    Jun 13 14:56:36 charon 35179 09[CFG] proposals = IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
                                    Jun 13 14:56:36 charon 35179 09[CFG] if_id_in = 0
                                    Jun 13 14:56:36 charon 35179 09[CFG] if_id_out = 0
                                    Jun 13 14:56:36 charon 35179 09[CFG] local:
                                    Jun 13 14:56:36 charon 35179 09[CFG] class = pre-shared key
                                    Jun 13 14:56:36 charon 35179 09[CFG] id = SiteA
                                    Jun 13 14:56:36 charon 35179 09[CFG] remote:
                                    Jun 13 14:56:36 charon 35179 09[CFG] class = pre-shared key
                                    Jun 13 14:56:36 charon 35179 09[CFG] id = SiteB
                                    Jun 13 14:56:36 charon 35179 09[CFG] updated vici connection: con1
                                    Jun 13 14:56:36 charon 35179 07[CFG] vici client 472 disconnected
                                    Jun 13 14:56:42 charon 35179 13[CFG] vici client 473 connected
                                    Jun 13 14:56:42 charon 35179 16[CFG] vici client 473 registered for: list-sa
                                    Jun 13 14:56:42 charon 35179 12[CFG] vici client 473 requests: list-sas
                                    Jun 13 14:56:42 charon 35179 13[CFG] vici client 473 disconnected

                                    G 1 Reply Last reply Reply Quote 0
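To make a dump like the one above quicker to review, here is an added example (my code, not from the thread, pfSense or strongSwan): a small Python script that parses charon `[CFG]` lines in the format ibnkamala posted and flags the two NAT-related points raised earlier in the thread, a private (RFC 1918) `local_addrs` and gabacho4's advice to use a KeyID rather than an IP address as the identifier. The sample log is constructed: 192.168.1.27 is the local address from the post, 203.0.113.10 is a documentation-range placeholder for the redacted SiteB address, and the IP-literal `id` values are an assumption so that the identifier check has something to flag.

```python
import ipaddress
import re

# pfSense IPsec log line as shown in the thread:
# "Jun 13 14:56:36 charon 35179 09[CFG] key = value"
LOG_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]+\s+charon\s+\d+\s+\d+\[(?P<group>\w+)\]\s+(?P<msg>.*)$"
)

# The thread is about RFC 1918 addresses behind a consumer NAT box.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample (not a real capture): the shape of the SiteA dump above,
# with placeholders where the post redacted addresses as "SiteA" / "SiteB".
# The IDs are assumed to be IP literals so the identifier check has a hit.
SAMPLE_LOG = """\
Jun 13 14:56:36 charon 35179 09[CFG] version = 2
Jun 13 14:56:36 charon 35179 09[CFG] local_addrs = 192.168.1.27
Jun 13 14:56:36 charon 35179 09[CFG] remote_addrs = 203.0.113.10
Jun 13 14:56:36 charon 35179 09[CFG] local_port = 500
Jun 13 14:56:36 charon 35179 09[CFG] remote_port = 500
Jun 13 14:56:36 charon 35179 09[CFG] encap = 0
Jun 13 14:56:36 charon 35179 09[CFG] local:
Jun 13 14:56:36 charon 35179 09[CFG] class = pre-shared key
Jun 13 14:56:36 charon 35179 09[CFG] id = 192.168.1.27
Jun 13 14:56:36 charon 35179 09[CFG] remote:
Jun 13 14:56:36 charon 35179 09[CFG] class = pre-shared key
Jun 13 14:56:36 charon 35179 09[CFG] id = 203.0.113.10
Jun 13 14:56:36 charon 35179 09[CFG] updated vici connection: con1
Jun 13 14:56:36 charon 35179 07[CFG] vici client 472 disconnected
"""


def parse_config_dump(log_text):
    """Collect the [CFG] 'key = value' lines of a connection dump into a dict.

    'local:' and 'remote:' open sub-sections, so the keys that follow them are
    stored as 'local.class', 'local.id', 'remote.id', ... Any other line
    (for example 'updated vici connection: con1') closes the sub-section.
    """
    cfg = {}
    section = None
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m or m.group("group") != "CFG":
            continue
        msg = m.group("msg").strip()
        if msg in ("local:", "remote:"):
            section = msg[:-1]
            continue
        if " = " not in msg:
            section = None
            continue
        key, _, value = msg.partition(" = ")
        key = key.strip()
        if section:
            key = f"{section}.{key}"
        cfg[key] = value.strip()
    return cfg


def _rfc1918(value):
    """Return the parsed address if value is an RFC 1918 IPv4 literal, else None."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return None
    return ip if any(ip in net for net in RFC1918) else None


def analyze(log_text):
    """Flag the NAT-related settings a reviewer would look at first."""
    cfg = parse_config_dump(log_text)
    findings = []
    local = _rfc1918(cfg.get("local_addrs", ""))
    behind_nat = local is not None
    if behind_nat:
        findings.append(
            f"local_addrs {local} is RFC 1918: this side is behind NAT, so the "
            "peer sees the NAT's public address and IKE floats to UDP/4500 "
            "(NAT-T) once the NAT is detected in IKE_SA_INIT"
        )
        if cfg.get("encap") == "0":
            findings.append(
                "encap = 0 only disables forced UDP encapsulation; it is still "
                "used automatically when NAT is detected, so this is not the fault"
            )
    for side in ("local", "remote"):
        ident = _rfc1918(cfg.get(f"{side}.id", ""))
        if ident is not None:
            findings.append(
                f"{side} id {ident} is a private IP address: a peer that checks "
                "the ID against the source address it actually sees will reject "
                "it; use a KeyID (or an FQDN-type identifier) on both sides instead"
            )
    return {"behind_nat": behind_nat, "config": cfg, "findings": findings}


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG)["findings"]:
        print("-", finding)
```

Feed it the SiteA dump once the GUI log limit has been raised, as gabacho4 asks below, and the `[CFG]` block for each P1 is parsed in turn; the `remote:` section of the SiteB dump is where an IP-type identifier that does not match the NAT's public address would show up.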
                                    • G
                                      gabacho4 Rebel Alliance @ibnkamala
                                      last edited by

                                      @ibnkamala can you go to Status - System Logs - Settings and change the GUI log entries from 50 to 500?

                                      2924fa92-d727-4d39-b6d5-97e865899e79-image.png

                                      1 Reply Last reply Reply Quote 1
                                      • I
                                        ibnkamala @gabacho4
                                        last edited by ibnkamala

                                        @gabacho4 I can't post my logs because
                                        97a5f1c2-c6b6-45b0-9f04-e1ee5b0d7042-image.png

                                        I am in France; one side is orange livebox pro fibre/SiteB and the other end is freebox revolution fibre/SiteA.

                                        G 2 Replies Last reply Reply Quote 0
                                        • G
                                          gabacho4 Rebel Alliance @ibnkamala
                                          last edited by

                                          @ibnkamala attach them as a file then.

                                          1 Reply Last reply Reply Quote 1
                                          • G
                                            gabacho4 Rebel Alliance @ibnkamala
                                            last edited by

                                            @ibnkamala said in Ipsec Configuration not Working!:

                                            @gabacho4 I can't post my logs because
                                            97a5f1c2-c6b6-45b0-9f04-e1ee5b0d7042-image.png

                                            I am in France; one side is orange bank pro fibre/SiteB and the other end is freebox revolution fibre/SiteA.

                                            OK then note what I said about being able to port forward or set up a DMZ. Your device should have documentation that shows how to do this.

                                            I 1 Reply Last reply Reply Quote 0
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.