Netgate Discussion Forum

Site to site

IPsec
8 Posts 3 Posters 3.9k Views
  stuff_and_things, Jun 21, 2007, 11:06 PM

    http://pfsense.com/mirror.php?section=tutorials/mobile_ipsec/
    I followed this exactly.
    Both firewalls were installed from the same CD.
    Version pfSense-1.2-BETA-1-LiveCD-Installer.iso
    FreeBSD REMOTE1.local 6.2-RELEASE-p4 FreeBSD 6.2-RELEASE-p4
    #0: Mon Apr 30 10:46:52 EDT 2007 
    sullrich@builder6.pfsense.com:/usr/obj.pfSense/usr/src/sys/pfSense.6  i386
    Both sides are on static addresses from different internet providers.
    I checked to confirm that both internet connections are unfiltered.
    Are there some sort of firewall rules that need to be added to allow
    the VPN to complete, or maybe I need to use a non-beta version?

    cmb, Jun 22, 2007, 1:23 AM

      Don't follow the mobile clients setup for site to site with both ends using static IPs. You just need to add an entry to the tunnels tab for both sides, matching all the settings on both sides other than the obvious ones that will differ (endpoint and subnet).

      usuarioforum, Jun 22, 2007, 11:56 AM

        Is the public IP on pfSense or on a router in front of it?

        stuff_and_things, Jun 22, 2007, 5:06 PM

          @cmb:

          Don't follow the mobile clients setup for site to site with both ends using static IPs. You just need to add an entry to the tunnels tab for both sides, matching all the settings on both sides other than the obvious ones that will differ (endpoint and subnet).

          I re-installed with the non-beta ISO.
          I will try this. What logs are useful in troubleshooting this?

          stuff_and_things, Jun 22, 2007, 5:07 PM

            @usuarioforum:

            Is the public IP on pfSense or on a router in front of it?

            The public IP is on pfSense.

            stuff_and_things, Jun 22, 2007, 5:54 PM (last edited Jun 22, 2007, 5:56 PM)

              From the main location IPsec VPN log

              Jun 22 10:49:28 racoon: INFO: fe80::280:adff:fe71:e7f5%dc0[500] used as isakmp port (fd=19)
              Jun 22 10:49:28 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
              Jun 22 10:49:28 racoon: INFO: xxx.xxx.xxx.xxx [500] used as isakmp port (fd=18)
              Jun 22 10:49:28 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
              Jun 22 10:49:28 racoon: INFO: 192.168.1.1[500] used as isakmp port (fd=17)
              Jun 22 10:49:28 racoon: INFO: fe80::201:3ff:fecf:455e%xl0[500] used as isakmp port (fd=16)
              Jun 22 10:49:28 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
              Jun 22 10:49:28 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
              Jun 22 10:49:28 racoon: INFO: ::1[500] used as isakmp port (fd=14)
              Jun 22 10:49:28 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=13)
              Jun 22 10:49:28 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
              Jun 22 10:49:28 racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
              Jun 22 10:49:27 racoon: INFO: racoon shutdown
              Jun 22 10:49:26 racoon: INFO: caught signal 15
              Jun 22 10:48:07 racoon: INFO: fe80::280:adff:fe71:e7f5%dc0[500] used as isakmp port (fd=19)
              Jun 22 10:48:07 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
              Jun 22 10:48:07 racoon: INFO: xxx.xxx.xxx.xxx [500] used as isakmp port (fd=18)
              Jun 22 10:48:07 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
              Jun 22 10:48:07 racoon: INFO: 192.168.1.1[500] used as isakmp port (fd=17)
              Jun 22 10:48:07 racoon: INFO: fe80::201:3ff:fecf:455e%xl0[500] used as isakmp port (fd=16)
              Jun 22 10:48:07 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
              Jun 22 10:48:07 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
              Jun 22 10:48:07 racoon: INFO: ::1[500] used as isakmp port (fd=14)
              Jun 22 10:48:07 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=13)
              Jun 22 10:48:05 racoon: INFO: fe80::280:adff:fe71:e7f5%dc0[500] used as isakmp port (fd=19)
              Jun 22 10:48:05 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
              Jun 22 10:48:05 racoon: INFO: xxx.xxx.xxx.xxx [500] used as isakmp port (fd=18)
              Jun 22 10:48:05 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
              Jun 22 10:48:05 racoon: INFO: 192.168.1.1[500] used as isakmp port (fd=17)
              Jun 22 10:48:05 racoon: INFO: fe80::201:3ff:fecf:455e%xl0[500] used as isakmp port (fd=16)
              Jun 22 10:48:05 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
              Jun 22 10:48:05 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=15)

              From the remote site 2 IPsec VPN log

              Jun 22 17:43:34 racoon: INFO: delete phase 2 handler.
              Jun 22 17:43:34 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP xxx.xxx.xxx.xxx[500]->xxx.xxx.xxx.xxx[500]
              Jun 22 17:43:03 racoon: INFO: begin Aggressive mode.
              Jun 22 17:43:03 racoon: INFO: initiate new phase 1 negotiation: xxx.xxx.xxx.xxx [500]<=>xxx.xxx.xxx.xxx [500]
              Jun 22 17:43:03 racoon: INFO: IPsec-SA request for xxx.xxx.xxx.xxx queued due to no phase1 found.
              Jun 22 17:36:14 racoon: ERROR: such policy already exists. anyway replace it: 192.168.10.1/32[0] 192.168.10.0/24[0] proto=any dir=out
              Jun 22 17:36:14 racoon: ERROR: such policy already exists. anyway replace it: 192.168.10.0/24[0] 192.168.10.1/32[0] proto=any dir=in
              Jun 22 17:36:14 racoon: INFO: fe80::2c0:26ff:fe80:ed37%ed0[500] used as isakmp port (fd=19)
              Jun 22 17:36:14 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
              Jun 22 17:36:14 racoon: INFO: 192.168.10.1[500] used as isakmp port (fd=18)
              Jun 22 17:36:14 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
              Jun 22 17:36:14 racoon: INFO: xxx.xxx.xxx.xxx [500] used as isakmp port (fd=17)
              Jun 22 17:36:14 racoon: INFO: fe80::20f:1fff:fe46:173a%bfe0[500] used as isakmp port (fd=16)
              Jun 22 17:36:14 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
              Jun 22 17:36:14 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
              Jun 22 17:36:14 racoon: INFO: ::1[500] used as isakmp port (fd=14)
              Jun 22 17:36:14 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=13)
              Jun 22 17:36:14 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
              Jun 22 17:36:14 racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
              Jun 22 17:36:13 racoon: INFO: racoon shutdown
              Jun 22 17:36:12 racoon: INFO: caught signal 15
              Jun 22 17:36:01 racoon: ERROR: such policy already exists. anyway replace it: 192.168.10.1/32[0] 192.168.10.0/24[0] proto=any dir=out
              Jun 22 17:36:01 racoon: ERROR: such policy already exists. anyway replace it: 192.168.10.0/24[0] 192.168.10.1/32[0] proto=any dir=in
              Jun 22 17:36:01 racoon: INFO: fe80::2c0:26ff:fe80:ed37%ed0[500] used as isakmp port (fd=19)
              Jun 22 17:36:01 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
              Jun 22 17:36:01 racoon: INFO: 192.168.10.1[500] used as isakmp port (fd=18)
              Jun 22 17:36:01 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
              Jun 22 17:36:01 racoon: INFO: xxx.xxx.xxx.xxx [500] used as isakmp port (fd=17)
              Jun 22 17:36:01 racoon: INFO: fe80::20f:1fff:fe46:173a%bfe0[500] used as isakmp port (fd=16)
              Jun 22 17:36:01 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
              Jun 22 17:36:01 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
              Jun 22 17:36:01 racoon: INFO: ::1[500] used as isakmp port (fd=14)
              Jun 22 17:36:01 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=13)
              Jun 22 17:36:01 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
              Jun 22 17:36:01 racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
              Jun 22 17:36:00 racoon: INFO: racoon shutdown
              Jun 22 17:35:59 racoon: INFO: caught signal 15

              Neither side is able to access anything on the remotes, or vice versa.
              I understand that I will not be able to ping the LAN interface of the
              pfSense device.
              These are both fresh installs of pfSense-1.0.1-LiveCD-Installer.iso.
              Is there a how-to on setting up static remotes?

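The two logs above already answer the "what logs are useful" question once they are read in order: pfSense lists IPsec log entries newest first, so the remote side's sequence is "IPsec-SA request ... queued due to no phase1 found", "initiate new phase 1 negotiation", "begin Aggressive mode", and thirty seconds later "time up waiting for phase1"; the main site's log has no "respond new phase 1 negotiation" line at all, so nothing on that side ever processed the remote's proposal, which points at either no matching tunnel entry for that peer or UDP/500 not reaching the main WAN. The following is an added example, not pfSense's or ipsec-tools' own code: it parses racoon log lines, puts them back in chronological order and reports which IKE stage an endpoint reached. The sample lines are copied from the post above (peer addresses masked as in the post); the regex, the `BENIGN` list, the stage names and the function names `parse` and `diagnose` are this example's own.

```python
"""Triage racoon (ipsec-tools) IPsec logs to see which IKE stage a tunnel reached.

Added example, not pfSense's or ipsec-tools' own code. The sample lines below
are copied from the two logs in the post above (peer addresses masked as
xxx.xxx.xxx.xxx); the regex and stage names are this example's own.
"""
import re
from datetime import datetime

# Shape of a pfSense 1.x IPsec log line: "<Mon DD HH:MM:SS> racoon: <LEVEL>: <message>"
LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) racoon: (?P<level>[A-Z]+): (?P<msg>.*)$"
)

# Alarming-looking but expected messages on this racoon/FreeBSD 6 combination.
BENIGN = (
    "setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE)",         # kernel lacks that NAT-T socket option
    "such policy already exists. anyway replace it",  # SPD entries re-applied on restart
)

# Constructed from the post above: the main site only shows racoon (re)starting.
MAIN_LOG = """\
Jun 22 10:49:28 racoon: INFO: xxx.xxx.xxx.xxx [500] used as isakmp port (fd=18)
Jun 22 10:49:28 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Jun 22 10:49:28 racoon: INFO: 192.168.1.1[500] used as isakmp port (fd=17)
Jun 22 10:49:28 racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
Jun 22 10:49:27 racoon: INFO: racoon shutdown
Jun 22 10:49:26 racoon: INFO: caught signal 15
""".splitlines()

# Constructed from the post above: the remote initiates and gives up waiting for a reply.
REMOTE_LOG = """\
Jun 22 17:43:34 racoon: INFO: delete phase 2 handler.
Jun 22 17:43:34 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP xxx.xxx.xxx.xxx[500]->xxx.xxx.xxx.xxx[500]
Jun 22 17:43:03 racoon: INFO: begin Aggressive mode.
Jun 22 17:43:03 racoon: INFO: initiate new phase 1 negotiation: xxx.xxx.xxx.xxx [500]<=>xxx.xxx.xxx.xxx [500]
Jun 22 17:43:03 racoon: INFO: IPsec-SA request for xxx.xxx.xxx.xxx queued due to no phase1 found.
Jun 22 17:36:14 racoon: ERROR: such policy already exists. anyway replace it: 192.168.10.1/32[0] 192.168.10.0/24[0] proto=any dir=out
Jun 22 17:36:14 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
""".splitlines()


def parse(lines):
    """Return (timestamp, level, message) tuples in chronological order.

    The web GUI lists newest first, so the posted logs have to be reversed
    before the sequence of negotiation messages makes sense.
    """
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            events.append((datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["level"], m["msg"]))
    return sorted(events)


def diagnose(lines):
    """Classify how far IKE got, from the log of ONE endpoint."""
    msgs = [msg for _, _, msg in parse(lines)]

    def seen(needle):
        return any(needle in m for m in msgs)

    report = {
        "initiated": seen("initiate new phase 1 negotiation"),
        "responded": seen("respond new phase 1 negotiation"),
        "phase1_established": seen("ISAKMP-SA established"),
        "phase2_established": seen("IPsec-SA established"),
        "aggressive_mode": seen("begin Aggressive mode"),  # PSK hash sent in the clear
        "benign_warnings": sum(1 for m in msgs if any(b in m for b in BENIGN)),
    }
    if report["phase2_established"]:
        stage = "tunnel_up"
    elif report["phase1_established"]:
        stage = "phase1_ok_phase2_failed"   # look at phase 2 proposal / subnet mismatch
    elif seen("time up waiting for phase1"):
        stage = "phase1_unanswered"         # peer never replied on UDP/500
    elif report["initiated"] or report["responded"]:
        stage = "phase1_failed"             # peer replied but phase 1 did not complete
    else:
        stage = "no_negotiation"            # nothing was ever sent or received
    report["stage"] = stage
    return report


if __name__ == "__main__":
    for name, log in (("main", MAIN_LOG), ("remote2", REMOTE_LOG)):
        print(name, diagnose(log))
```

Run it against a fresh export of each side's IPsec log. A "phase1_unanswered" initiator paired with a "no_negotiation" responder, as in this thread, means the problem is in front of racoon (no tunnel entry for that peer, or UDP/500 and ESP blocked on the path), not in the proposal settings; the `aggressive_mode` flag is worth watching because aggressive mode with a pre-shared key exposes the PSK hash to offline guessing by anyone who can capture the exchange.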
              stuff_and_things, Jun 22, 2007, 6:40 PM (last edited Jun 22, 2007, 6:44 PM)

                @cmb:

                Don't follow the mobile clients setup for site to site with both ends using static IPs. You just need to add an entry to the tunnels tab for both sides, matching all the settings on both sides other than the obvious ones that will differ (endpoint and subnet).

                Okay, maybe I'm stupid, but what you're saying is to add tunnels under the VPN: IPsec
                area at the main location for each remote? Right?
                Then add tunnels at each remote for each of the other sites, all in VPN: IPsec.
                All sites with the same pre-shared keys? Right?
                LANs of the sites:
                Main location
                192.168.1.0/24
                Remotes
                192.168.10.0/24
                192.168.11.0/24

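cmb's rule earlier in the thread (one tunnel entry per side, everything identical except endpoint and subnet) and the hub-and-spoke layout in the post above can be written down mechanically. The following is an added example, not pfSense's own code or its GUI: it builds the per-side tunnel entries for the main site and the two remotes, checks that each pair of entries mirrors the other, and renders them as racoon.conf `remote`/`sainfo` stanzas and setkey SPD lines, which is what pfSense 1.x generates underneath the tunnels tab. The LAN subnets are the ones from the post; the public addresses are constructed placeholders from the RFC 5737 documentation ranges, and the names `Site`, `tunnel_entry`, `entries_mirror`, `racoon_conf`, `setkey_spd` and `hub_and_spoke` are this example's own. It deliberately uses main mode rather than the aggressive mode seen in the remote log, a distinct pre-shared key per link rather than one key for all sites, and AES rather than Blowfish.

```python
"""Mirrored racoon/setkey site-to-site IPsec config for a hub and two spokes.

Added example, not pfSense's own code. LAN subnets come from the thread;
public IPs are constructed placeholders (RFC 5737 documentation ranges).
"""
from __future__ import annotations
from dataclasses import dataclass
import secrets


@dataclass(frozen=True)
class Site:
    name: str
    public_ip: str   # static WAN address held by pfSense itself (no router in front)
    lan: str         # LAN subnet in CIDR


# Settings that must be identical on both ends of every tunnel.
PHASE1 = {"exchange_mode": "main", "encryption_algorithm": "aes 256",
          "hash_algorithm": "sha1", "dh_group": "2", "lifetime": "28800"}
PHASE2 = {"encryption_algorithm": "aes 256", "authentication_algorithm": "hmac_sha1",
          "pfs_group": "2", "lifetime": "3600"}


def tunnel_entry(local: Site, remote: Site, psk: str) -> dict:
    """What one side enters on its tunnels tab for the link local <-> remote."""
    return {"local_endpoint": local.public_ip, "remote_endpoint": remote.public_ip,
            "local_subnet": local.lan, "remote_subnet": remote.lan,
            "psk": psk, "phase1": PHASE1, "phase2": PHASE2}


def entries_mirror(a: dict, b: dict) -> bool:
    """cmb's rule: every setting equal, except endpoints and subnets, which swap sides."""
    return (a["local_endpoint"] == b["remote_endpoint"]
            and a["remote_endpoint"] == b["local_endpoint"]
            and a["local_subnet"] == b["remote_subnet"]
            and a["remote_subnet"] == b["local_subnet"]
            and a["psk"] == b["psk"]
            and a["phase1"] == b["phase1"] and a["phase2"] == b["phase2"])


def racoon_conf(entry: dict) -> str:
    """Render one tunnel entry as racoon.conf phase 1 (remote) and phase 2 (sainfo) blocks."""
    p1, p2 = entry["phase1"], entry["phase2"]
    return f"""remote {entry['remote_endpoint']} {{
    exchange_mode {p1['exchange_mode']};
    my_identifier address {entry['local_endpoint']};
    peers_identifier address {entry['remote_endpoint']};
    proposal_check obey;
    proposal {{
        encryption_algorithm {p1['encryption_algorithm']};
        hash_algorithm {p1['hash_algorithm']};
        authentication_method pre_shared_key;
        dh_group {p1['dh_group']};
        lifetime time {p1['lifetime']} sec;
    }}
}}
sainfo address {entry['local_subnet']} any address {entry['remote_subnet']} any {{
    encryption_algorithm {p2['encryption_algorithm']};
    authentication_algorithm {p2['authentication_algorithm']};
    pfs_group {p2['pfs_group']};
    lifetime time {p2['lifetime']} sec;
}}
"""


def setkey_spd(entry: dict) -> str:
    """SPD policies telling the kernel which traffic must go through the tunnel."""
    l, r = entry["local_endpoint"], entry["remote_endpoint"]
    return (f"spdadd {entry['local_subnet']} {entry['remote_subnet']} any "
            f"-P out ipsec esp/tunnel/{l}-{r}/require;\n"
            f"spdadd {entry['remote_subnet']} {entry['local_subnet']} any "
            f"-P in ipsec esp/tunnel/{r}-{l}/require;\n")


def psk_txt(entries: list[dict]) -> str:
    """racoon psk.txt: one line per peer address."""
    return "".join(f"{e['remote_endpoint']} {e['psk']}\n" for e in entries)


def hub_and_spoke(hub: Site, spokes: list[Site]) -> dict[str, list[dict]]:
    """One entry per link on each side. Each link gets its own PSK so that a
    compromised spoke cannot impersonate the hub towards the other spokes."""
    config: dict[str, list[dict]] = {hub.name: [], **{s.name: [] for s in spokes}}
    for s in spokes:
        psk = secrets.token_hex(32)
        config[hub.name].append(tunnel_entry(hub, s, psk))
        config[s.name].append(tunnel_entry(s, hub, psk))
    return config


if __name__ == "__main__":
    main = Site("main", "198.51.100.1", "192.168.1.0/24")
    spokes = [Site("remote1", "203.0.113.10", "192.168.10.0/24"),
              Site("remote2", "203.0.113.11", "192.168.11.0/24")]
    cfg = hub_and_spoke(main, spokes)
    for site, entries in cfg.items():
        print(f"### {site}: racoon.conf\n" + "".join(racoon_conf(e) for e in entries))
        print(f"### {site}: setkey\n" + "".join(setkey_spd(e) for e in entries))
```

Each spoke only needs the entry for its link to the hub; spoke-to-spoke traffic is not covered by these policies and would need either a third tunnel or routing through the hub with matching SPD entries on both spokes.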
                stuff_and_things, Jun 22, 2007, 8:06 PM (last edited Jun 22, 2007, 8:25 PM)

                  Okay, now the sites are working. ???
                  Now I'm going to try and add an
                  Adtran NetVanta 2300 and a
                  Cisco 2600 into the mix.
                  Looks like the Adtran will not support Blowfish encryption.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.