Upgraded from 1.0.1 to 1.2 RC1 and IPsec is not working
-
Do you have it working with mobile clients?
-
yes
static <--> mobile
static <--> static
mobile --> cluster, and so on
-
When you upgrade to 1.2 you need to add IPsec rules for incoming IPsec traffic. I'm not sure if that's done automatically or not.
Though since your P1 is failing, it's not even getting that far.
What's at the other end of these tunnels?
I upgrade my half dozen or so boxes at home 2-3 times a week on average and have never had IPsec stop working.
-
I am having the exact same issue when trying to build a new VPN tunnel. I have one tunnel up and running, but I am trying to add some additional tunnels and am running into the exact same message. I do have packet shaping running; would this cause an issue?
-
I had the same problem when trying to connect over IPsec between FreeBSD 5.5 and pfSense 1.2 RC2.
racoon: INFO: IPsec-SA request for 192.168.1.100 queued due to no phase1 found.
Aug 30 13:50:19 racoon: INFO: initiate new phase 1 negotiation: 192.168.1.101[500]<=>192.168.1.100[500]
Aug 30 13:50:19 racoon: INFO: begin Aggressive mode.
Aug 30 13:50:19 racoon: INFO: received Vendor ID: DPD
Aug 30 13:50:19 racoon: WARNING: No ID match.
Aug 30 13:50:19 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Aug 30 13:50:20 racoon: INFO: ISAKMP-SA established 192.168.1.101[500]-192.168.1.100[500] spi:b85a286710483d05:9e0d8687a1f8c9c6
Aug 30 13:50:20 racoon: INFO: initiate new phase 2 negotiation: 192.168.1.101[500]<=>192.168.1.100[500]
Aug 30 13:50:50 racoon: ERROR: 192.168.1.100 give up to get IPsec-SA due to time up to wait.
Aug 30 13:51:05 racoon: INFO: initiate new phase 2 negotiation: 192.168.1.101[500]<=>192.168.1.100[500]

SPD (two lines):
Source        Destination   Direction  Protocol  Tunnel endpoints
10.3.3.0/24   10.3.0.0/24              ESP       192.168.1.100 - 192.168.1.101
10.3.0.0/24   10.3.3.0/24              ESP       192.168.1.101 - 192.168.1.100

SAD (only one line):
Source         Destination    Protocol  SPI       Enc. alg.  Auth. alg.
192.168.1.100  192.168.1.101  ESP       01f5ce42  replay=0   pid=3138

Please show a working IPsec configuration for FreeBSD.
Excuse my weak English.
Thanks!
----------------------------------------------------------------------------------------------
P.S.
::)
The problem was solved.
It was my mistake in the SPD rules in /etc/ipsec.conf (FreeBSD PC side).
----------------------------------------------------------------------------------------------
-
racoon: INFO: begin Identity Protection mode.
Aug 30 22:56:52 racoon: INFO: respond new phase 1 negotiation: 208.xxx.xxx.xxx[500]<=>24.xxx.xxx.xxx[500]
Aug 30 22:56:52 racoon: ERROR: phase1 negotiation failed due to time up. 4e2e3df766fe2532:3a4a329759c15328
Aug 30 22:56:45 racoon: ERROR: none message must be encrypted
Aug 30 22:56:21 racoon: INFO: begin Identity Protection mode.
Aug 30 22:56:21 racoon: INFO: respond new phase 1 negotiation: 208.xxx.xxx.xxx[500]<=>24.xxx.xxx.xxx[500]
Aug 30 22:56:14 racoon: ERROR: none message must be encrypted
Aug 30 22:56:00 racoon: ERROR: phase1 negotiation failed due to time up. 3f04ad4d1ec3467e:fbfadb805c4f9318
Aug 30 22:55:53 racoon: ERROR: phase1 negotiation failed due to time up. 825956a98d394856:fafa1b816a4b816f
Aug 30 22:55:51 racoon: INFO: begin Identity Protection mode.
Aug 30 22:55:51 racoon: INFO: respond new phase 1 negotiation: 208.xxx.xxx.xxx[500]<=>24.xxx.xxx.xxx[500]
Aug 30 22:55:33 racoon: ERROR: none message must be encrypted
Aug 30 22:55:29 racoon: ERROR: none message must be encrypted
Aug 30 22:55:23 racoon: INFO: delete phase 2 handler.
Aug 30 22:55:23 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 24.xxx.xxx.xxx[0]->208.xxx.xxx.xxx[0]
Aug 30 22:55:21 last message repeated 2 times

These are the error messages I am getting when trying to configure the VPN tunnels. I have a new client coming on and I have to get this resolved or it will be a no go.
-
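An added triage script (the editor's example, not code from any poster, from pfSense or from racoon) that takes racoon log lines like the two sets quoted in this thread, orders them by timestamp (the second set is printed newest first), and reports whether phase 1 or phase 2 is the thing to fix first. The sample lines are reconstructed from those quoted above and are constructed test data; the explanation attached to each message is the editor's reading of what it usually means, not text racoon prints.

```python
import re
from datetime import datetime

# Sample racoon output, reconstructed from the two sets of lines quoted in this
# thread (constructed sample data, not a live capture).
LOG_A = [
    "Aug 30 13:50:19 racoon: INFO: IPsec-SA request for 192.168.1.100 queued due to no phase1 found.",
    "Aug 30 13:50:19 racoon: INFO: initiate new phase 1 negotiation: 192.168.1.101[500]<=>192.168.1.100[500]",
    "Aug 30 13:50:19 racoon: WARNING: No ID match.",
    "Aug 30 13:50:19 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.",
    "Aug 30 13:50:20 racoon: INFO: ISAKMP-SA established 192.168.1.101[500]-192.168.1.100[500] spi:b85a286710483d05:9e0d8687a1f8c9c6",
    "Aug 30 13:50:20 racoon: INFO: initiate new phase 2 negotiation: 192.168.1.101[500]<=>192.168.1.100[500]",
    "Aug 30 13:50:50 racoon: ERROR: 192.168.1.100 give up to get IPsec-SA due to time up to wait.",
]
LOG_B = [  # newest first, as the forum post shows it
    "Aug 30 22:56:52 racoon: ERROR: phase1 negotiation failed due to time up. 4e2e3df766fe2532:3a4a329759c15328",
    "Aug 30 22:56:45 racoon: ERROR: none message must be encrypted",
    "Aug 30 22:56:21 racoon: INFO: respond new phase 1 negotiation: 208.xxx.xxx.xxx[500]<=>24.xxx.xxx.xxx[500]",
    "Aug 30 22:55:23 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 24.xxx.xxx.xxx[0]->208.xxx.xxx.xxx[0]",
    "Aug 30 22:55:21 last message repeated 2 times",
]

# (regex, (stage, level, explanation)). The explanations are the editor's
# interpretation of each racoon message, not something racoon emits itself.
RULES = [
    (r"ISAKMP-SA established",
     ("phase1", "ok", "Phase 1 (IKE SA) completed")),
    (r"phase1 negotiation failed due to time up",
     ("phase1", "fail", "Peer never completed phase 1: check UDP 500 is allowed on WAN and that PSK, identifiers and phase 1 proposal match")),
    (r"none message must be encrypted",
     ("phase1", "fail", "Unencrypted IKE message where an encrypted one was expected: phase 1 state differs between the peers (stale SA, PSK or proposal mismatch)")),
    (r"No ID match",
     ("phase1", "warn", "Peer identifier does not match a configured remote identifier")),
    (r"couldn't find the proper pskey",
     ("phase1", "warn", "No PSK found for the peer's identifier; racoon fell back to looking it up by address")),
    (r"give up to get IPsec-SA due to time up",
     ("phase2", "fail", "Phase 1 is up but phase 2 (IPsec SA) timed out: check local/remote subnets (SPD) and phase 2 proposal on both sides")),
    (r"phase2 negotiation failed due to time up waiting for phase1",
     ("phase2", "fail", "Phase 2 gave up because phase 1 never completed")),
    (r"queued due to no phase1 found",
     ("phase2", "info", "Traffic asked for an IPsec SA before phase 1 existed; normal when a tunnel is first brought up")),
]

TS_RE = re.compile(r"^([A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) ")


def timestamp(line):
    """Parse the syslog-style prefix; the year is absent, so this only orders lines within a day."""
    m = TS_RE.match(line)
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S") if m else None


def classify(line):
    """Map one racoon line to (stage, level, explanation), or None if it is not a known diagnostic."""
    for pattern, meaning in RULES:
        if re.search(pattern, line):
            return meaning
    return None


def triage(lines):
    """Order lines by time, then decide which negotiation stage is failing and what to fix first."""
    ordered = sorted(lines, key=lambda l: timestamp(l) or datetime.min)  # stable: undated lines keep their place
    report = {"phase1": "unknown", "phase2": "unknown", "findings": [], "fix_first": None}
    for line in ordered:
        hit = classify(line)
        if hit is None:
            continue
        stage, level, why = hit
        if level in ("ok", "fail"):
            report[stage] = level          # the latest verdict for a stage wins
        if level in ("fail", "warn"):
            finding = f"[{stage}] {why}"
            if finding not in report["findings"]:
                report["findings"].append(finding)
    # A phase 2 failure only means something once phase 1 works, so a phase 1
    # failure always takes priority (the point made in the reply above).
    if report["phase1"] == "fail":
        report["fix_first"] = "phase1"
    elif report["phase2"] == "fail":
        report["fix_first"] = "phase2"
    return report


if __name__ == "__main__":
    for name, log in (("LOG_A", LOG_A), ("LOG_B", LOG_B)):
        r = triage(log)
        print(f"{name}: phase1={r['phase1']} phase2={r['phase2']} fix first: {r['fix_first']}")
        for f in r["findings"]:
            print("  ", f)
```

Run against the first set it says phase 1 is up and phase 2 is what to look at (which matches the poster's fix, wrong SPD rules); against the second it says phase 1 never completes, so firewall rules, PSK and identifiers come before anything about subnets.
-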
Have you added firewall rules to allow UDP 500 and ESP from the WAN address of your pfSense box?
Is this a CARP system or a single one?
-
It is a system that only has one WAN IP address. Can you explain how to add the rules? I have not completely got a handle on how to create rules in pfSense yet.
-
I created a different post, but I finally got past my issue. I found that the phase 1 password was too long for the device I was trying to connect to. I got that resolved and it is working great. Thanks.
-
Go to Firewall -> Rules, then select the WAN tab.
Then click the little square with a plus icon.
Then create a rule to allow the ESP protocol and another to allow UDP port 500.
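As an added check (the editor's example, not code from the thread, from pfSense or from pf), the script below parses `pfctl -sr` style rule output and reports whether the two rules recommended here, ESP and UDP 500 to the WAN address, are actually present on the WAN interface. The sample ruleset, the interface name `em0` and the address `203.0.113.5` are constructed. It also looks for UDP 4500, which IKE uses for NAT traversal; the thread does not mention it, so it is reported but not counted as missing.

```python
import re

# Constructed sample in the style of `pfctl -sr` output on a pf/pfSense box
# (not taken from any real system). Interface and address are assumptions.
WAN_IF = "em0"
WAN_IP = "203.0.113.5"

# Ruleset as it might look after adding only the UDP 500 rule.
RULESET_BEFORE = """\
pass in quick on em0 inet proto udp from any to 203.0.113.5 port = 500 keep state
pass in quick on em0 inet proto tcp from any to 203.0.113.5 port = 443 flags S/SA keep state
block drop in log on em0 all
"""

# Same ruleset after also adding the ESP rule the reply above asks for.
RULESET_AFTER = RULESET_BEFORE + (
    "pass in quick on em0 inet proto esp from any to 203.0.113.5 keep state\n"
)

# Loose parser for inbound pass rules: interface, protocol, destination and an
# optional destination port. Enough for this check, not a full pf grammar.
RULE_RE = re.compile(
    r"^pass in\b.*\bon (?P<iface>\S+).*\bproto (?P<proto>\S+).*\bto (?P<dst>\S+)"
    r"(?: port = (?P<port>\d+))?"
)


def ipsec_rules_present(ruleset, wan_if, wan_ip):
    """Return which of the IPsec-related inbound rules exist on the WAN interface."""
    have = {"esp": False, "udp500": False, "udp4500": False}
    for line in ruleset.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        # Only rules on the WAN interface aimed at the WAN address (or "any") count.
        if m.group("iface") != wan_if or m.group("dst") not in (wan_ip, "any"):
            continue
        proto, port = m.group("proto"), m.group("port")
        if proto == "esp":
            have["esp"] = True
        elif proto == "udp" and port == "500":
            have["udp500"] = True
        elif proto == "udp" and port == "4500":   # NAT-T; optional, see lead-in
            have["udp4500"] = True
    return have


def missing_ipsec_rules(ruleset, wan_if, wan_ip):
    """List the rules from the thread's advice (ESP, UDP 500) that are still missing."""
    have = ipsec_rules_present(ruleset, wan_if, wan_ip)
    return [name for name in ("esp", "udp500") if not have[name]]


if __name__ == "__main__":
    for label, rules in (("before", RULESET_BEFORE), ("after", RULESET_AFTER)):
        missing = missing_ipsec_rules(rules, WAN_IF, WAN_IP)
        print(f"{label}: missing={missing or 'none'} "
              f"nat-t(4500)={'yes' if ipsec_rules_present(rules, WAN_IF, WAN_IP)['udp4500'] else 'no'}")
```

On the firewall itself you would feed it the real `pfctl -sr` output instead of the constructed sample; a non-empty list means the GUI steps above were not applied, or the rule landed on a different interface than the WAN one the peer is talking to.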