Netgate Discussion Forum
Site-to-site pfSense-pfSense IPsec VPN

8 Posts 5 Posters 13.1k Views
    strick1226
    last edited by Feb 19, 2007, 2:51 AM

    Hi, All,

    I know I did this less than a year ago (pre-release), but I can't figure out how to do this now…

    I have two pfSense 1.01 boxes:

    Box A: a definite static WAN IP, LAN is 192.168.1.0/255.255.255.0
    Box B: a relatively static (changes ~monthly) WAN IP, LAN is 192.168.100.0/255.255.255.0.

    I've set up a preshared key on both boxes, and have attempted to create a tunnel between the two.

    Box A Phase 1:

    Interface: WAN
      Local subnet:  LAN subnet
      Remote subnet: 192.168.100.0 / 24
      Remote gateway: {public IP of box B}

    Negotiation mode: aggressive
      My identifier: My IP address
      Encryption algorithm: Blowfish
      Hash algorithm: SHA1
      DH key group: 2 (1024 bit)
      Lifetime: 28800
      Authentication method: pre-shared key

    Box A Phase 2:

    Protocol: ESP
      Encryption algorithm: Blowfish
      Hash algorithm: SHA1
      PFS key group: 2 (1024 bit)
      Lifetime: 86400

    Box B Phase 1:

    Interface: WAN
      Local subnet:  LAN subnet
      Remote subnet: 192.168.1.0 / 24
      Remote gateway: {public static IP of box A}

    Negotiation mode: aggressive
      My identifier: My IP address
      Encryption algorithm: Blowfish
      Hash algorithm: SHA1
      DH key group: 2 (1024 bit)
      Lifetime: 28800
      Authentication method: pre-shared key

    Box B Phase 2:

    Protocol: ESP
      Encryption algorithm: Blowfish
      Hash algorithm: SHA1
      PFS key group: 2 (1024 bit)
      Lifetime: 86400

    I still can't get the two to connect, no matter what I try...

    Since Box B isn't completely static, do I have to set it up as a mobile client? I think I was able to do it before as site-to-site, I just had to update the tunnel config when the IP changed etc.

    Here's the IPsec error log from Box A:

    Feb 18 21:40:18 racoon: INFO: caught signal 15
    Feb 18 21:40:19 racoon: INFO: racoon shutdown
    Feb 18 21:40:21 racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
    Feb 18 21:40:21 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
    Feb 18 21:40:21 racoon: INFO: fe80::202:b3ff:fe9d:a31%ng0[500] used as isakmp port (fd=13)
    Feb 18 21:40:21 racoon: INFO: {Box A public IP}[500] used as isakmp port (fd=14)
    Feb 18 21:40:21 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
    Feb 18 21:40:21 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=15)
    Feb 18 21:40:21 racoon: INFO: ::1[500] used as isakmp port (fd=16)
    Feb 18 21:40:21 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=17)
    Feb 18 21:40:21 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
    Feb 18 21:40:21 racoon: INFO: fe80::203:47ff:fe99:f922%fxp1[500] used as isakmp port (fd=18)
    Feb 18 21:40:21 racoon: INFO: fe80::202:b3ff:fe9d:a31%fxp0[500] used as isakmp port (fd=19)
    Feb 18 21:40:21 racoon: INFO: 192.168.1.5[500] used as isakmp port (fd=20)
    Feb 18 21:40:21 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument

    And from Box B:

    Feb 18 21:42:21 racoon: INFO: caught signal 15
    Feb 18 21:42:22 racoon: INFO: racoon shutdown
    Feb 18 21:42:23 racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
    Feb 18 21:42:23 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
    Feb 18 21:42:23 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=13)
    Feb 18 21:42:23 racoon: INFO: ::1[500] used as isakmp port (fd=14)
    Feb 18 21:42:23 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
    Feb 18 21:42:23 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
    Feb 18 21:42:23 racoon: INFO: fe80::206:29ff:fea9:9362%fxp1[500] used as isakmp port (fd=16)
    Feb 18 21:42:23 racoon: INFO: 192.168.100.1[500] used as isakmp port (fd=17)
    Feb 18 21:42:23 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
    Feb 18 21:42:23 racoon: INFO: {Box B public IP}[500] used as isakmp port (fd=18)
    Feb 18 21:42:23 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
    Feb 18 21:42:23 racoon: INFO: fe80::2d0:b7ff:fe90:69c1%fxp0[500] used as isakmp port (fd=19)
    Feb 18 21:42:23 racoon: ERROR: such policy already exists. anyway replace it: 192.168.100.0/24[0] 192.168.100.1/32[0] proto=any dir=in
    Feb 18 21:42:23 racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.100.0/24[0] proto=any dir=in
    Feb 18 21:42:23 racoon: ERROR: such policy already exists. anyway replace it: 192.168.100.1/32[0] 192.168.100.0/24[0] proto=any dir=out
    Feb 18 21:42:23 racoon: ERROR: such policy already exists. anyway replace it: 192.168.100.0/24[0] 192.168.1.0/24[0] proto=any dir=out

    Is there something really basic I'm missing here? I've looked over the m0n0wall guides but I just don't seem to be able to figure this out…

    Thanks in advance for any assistance.  I'm running out of hair to pull  ???

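A site-to-site tunnel only comes up when the two sides mirror each other exactly: each peer's remote subnet must be the other's local subnet, each remote gateway must be the other's current WAN address, and every Phase 1 and Phase 2 proposal field must agree. The script below is an added example (it is not code from this thread or from pfSense) that encodes the two configurations posted above and reports any mismatch; the public IPs are placeholders from the documentation ranges because the post does not give them, and the hardening notes reflect current guidance, not anything pfSense 1.0.1 enforced.

```python
"""Cross-check the Phase 1 / Phase 2 settings of two pfSense IPsec peers.

Added example, not code from the thread or from pfSense itself. The two
dicts are constructed from the settings strick1226 posted; the public IPs
are placeholders (the post only says "static WAN IP" / "changes ~monthly").
"""
import ipaddress

BOX_A = {
    "wan_ip": "198.51.100.10",          # placeholder for Box A's static WAN IP
    "local_subnet": "192.168.1.0/24",
    "remote_subnet": "192.168.100.0/24",
    "remote_gateway": "203.0.113.20",   # placeholder for Box B's WAN IP
    "p1": {"mode": "aggressive", "enc": "blowfish", "hash": "sha1",
           "dh": 2, "lifetime": 28800, "auth": "psk"},
    "p2": {"proto": "esp", "enc": "blowfish", "hash": "sha1",
           "pfs": 2, "lifetime": 86400},
}

BOX_B = {
    "wan_ip": "203.0.113.20",           # placeholder for Box B's (changing) WAN IP
    "local_subnet": "192.168.100.0/24",
    "remote_subnet": "192.168.1.0/24",
    "remote_gateway": "198.51.100.10",  # placeholder for Box A's WAN IP
    "p1": {"mode": "aggressive", "enc": "blowfish", "hash": "sha1",
           "dh": 2, "lifetime": 28800, "auth": "psk"},
    "p2": {"proto": "esp", "enc": "blowfish", "hash": "sha1",
           "pfs": 2, "lifetime": 86400},
}


def check_pair(a, b):
    """Return the list of mismatches between peer a and peer b (empty = consistent)."""
    problems = []
    net = ipaddress.ip_network
    # The subnets must mirror each other, or the SPD entries never match any traffic.
    if net(a["remote_subnet"]) != net(b["local_subnet"]):
        problems.append(f"A remote_subnet {a['remote_subnet']} != B local_subnet {b['local_subnet']}")
    if net(b["remote_subnet"]) != net(a["local_subnet"]):
        problems.append(f"B remote_subnet {b['remote_subnet']} != A local_subnet {a['local_subnet']}")
    # Overlapping LANs cannot be told apart by the SPD at all.
    if net(a["local_subnet"]).overlaps(net(b["local_subnet"])):
        problems.append("local subnets overlap")
    # Each remote gateway must be the other peer's *current* WAN address; this
    # is the entry that goes stale whenever Box B's address changes.
    if a["remote_gateway"] != b["wan_ip"]:
        problems.append(f"A remote_gateway {a['remote_gateway']} != B wan_ip {b['wan_ip']}")
    if b["remote_gateway"] != a["wan_ip"]:
        problems.append(f"B remote_gateway {b['remote_gateway']} != A wan_ip {a['wan_ip']}")
    # Proposals must agree field by field; racoon rejects the exchange otherwise.
    for phase in ("p1", "p2"):
        for key in sorted(set(a[phase]) | set(b[phase])):
            if a[phase].get(key) != b[phase].get(key):
                problems.append(f"{phase} {key}: {a[phase].get(key)} vs {b[phase].get(key)}")
    return problems


def hardening_notes(box):
    """Choices that negotiate fine but that a reviewer would flag today."""
    notes = []
    p1, p2 = box["p1"], box["p2"]
    if p1["mode"] == "aggressive" and p1["auth"] == "psk":
        notes.append("aggressive mode with a PSK sends the PSK-derived hash unprotected; use main mode")
    if p1["dh"] < 14 or p2["pfs"] < 14:
        notes.append("DH/PFS group 2 (1024-bit) is below current minimums; use group 14 or higher")
    if "blowfish" in (p1["enc"], p2["enc"]):
        notes.append("Blowfish is a 64-bit block cipher; prefer AES")
    if "sha1" in (p1["hash"], p2["hash"]):
        notes.append("SHA1 integrity is deprecated; prefer SHA-256")
    return notes


if __name__ == "__main__":
    for line in check_pair(BOX_A, BOX_B) or ["peers consistent"]:
        print(line)
    for line in hardening_notes(BOX_A):
        print("note:", line)
```

With the settings as posted the two sides are consistent, so the check returns nothing; the useful moment is after Box B's monthly address change, when Box A's `remote_gateway` no longer equals Box B's `wan_ip` and the check names that one stale field.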
      hoba
      last edited by Feb 19, 2007, 10:03 AM

      http://pfsense.com/mirror.php?section=tutorials/mobile_ipsec/

        strick1226
        last edited by Feb 19, 2007, 11:32 PM

        Ok,

        I tried setting up Site B as a mobile client, enabling mobile clients on A. Still getting the same errors in the IPsec logs, though.

        From Box B:

        Feb 19 18:27:23 racoon: INFO: caught signal 15
        Feb 19 18:27:24 racoon: INFO: racoon shutdown
        Feb 19 18:27:26 racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
        Feb 19 18:27:26 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
        Feb 19 18:27:26 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=13)
        Feb 19 18:27:26 racoon: INFO: ::1[500] used as isakmp port (fd=14)
        Feb 19 18:27:26 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
        Feb 19 18:27:26 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
        Feb 19 18:27:26 racoon: INFO: fe80::206:29ff:fea9:9362%fxp1[500] used as isakmp port (fd=16)
        Feb 19 18:27:26 racoon: INFO: 192.168.100.1[500] used as isakmp port (fd=17)
        Feb 19 18:27:26 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
        Feb 19 18:27:26 racoon: INFO: {Box B Public IP}[500] used as isakmp port (fd=18)
        Feb 19 18:27:26 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
        Feb 19 18:27:26 racoon: INFO: fe80::2d0:b7ff:fe90:69c1%fxp0[500] used as isakmp port (fd=19)
        Feb 19 18:27:26 racoon: ERROR: such policy already exists. anyway replace it: 192.168.100.0/24[0] 192.168.100.1/32[0] proto=any dir=in
        Feb 19 18:27:26 racoon: ERROR: such policy already exists. anyway replace it: 192.168.100.1/32[0] 192.168.100.0/24[0] proto=any dir=out

        Do they have to be on completely different subnets or something? I'm 98% positive I did this with three boxes before (192.168.1.0, 192.168.10.0, and 192.168.20.0) and it worked...

          Delex
          last edited by Feb 20, 2007, 6:17 AM

          Just checked my logs and found the same error messages, but my tunnels are up and working fine. The settings mentioned above seem to be OK.
          Did you try to wait a while to let things settle? (Maybe decrease the lifetimes to speed things up.)

            hoba
            last edited by Feb 20, 2007, 11:21 AM

            I have a 12-location setup like this with only one of the locations having a static IP, even "routing" all traffic between the sub-locations through the main location. No issues with that.

              strick1226
              last edited by Feb 20, 2007, 2:42 PM

              Strange, I'll try letting it settle, as suggested.

              Thanks for the encouragement, guys!

                usuarioforum
                last edited by Jun 20, 2007, 9:28 PM

                Which pfSense versions do you have?

                  grab3
                  last edited by Dec 29, 2007, 11:04 AM

                  I had the same trouble, but after I pinged the opposite side of the tunnel, everything went OK.

                  Last message before I pinged was:
                  racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument

                  After:

                  racoon: INFO: IPsec-SA established: ESP/Tunnel 10.7.3.115[0]->192.170.1.2[0] spi=236667421(0xe1b421d)
                  racoon: INFO: IPsec-SA established: ESP/Tunnel 192.170.1.2[0]->10.7.3.115[0] spi=53599917(0x331dead)

                  And it works fine.

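The thread's logs show why the tunnel looked dead: everything posted before grab3's ping is racoon's restart noise (the NAT-T `setsockopt` warning and the "such policy already exists" lines appear on working tunnels too, as Delex and hoba note), and racoon only negotiates when the kernel asks it to, i.e. when a packet actually matches the SPD. The only line that proves a tunnel is up is "IPsec-SA established", one per direction. The script below is an added example (not code from the thread or from pfSense) that classifies racoon log lines and extracts the SAs; the sample log is constructed from lines posted in this thread, with the bracketed public-IP placeholder replaced by a documentation address.

```python
"""Classify racoon (ipsec-tools 0.6.x) log lines and extract established SAs.

Added example, not code from the thread or from pfSense. SAMPLE_LOG is
constructed from lines posted in this thread; 203.0.113.20 stands in for
the "{Box B public IP}" placeholder. The category names are this example's own.
"""
import re
from collections import Counter

# Restart noise racoon emits every time pfSense reloads the IPsec config.
# Neither line means the tunnel failed.
BENIGN = (
    "setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE)",          # NAT-T option unsupported by the kernel
    "such policy already exists. anyway replace it",  # SPD entries re-installed on reload
)

SA_RE = re.compile(
    r"IPsec-SA established: ESP/(?P<mode>\w+) "
    r"(?P<src>[0-9A-Za-z.:%]+)\[\d+\]->(?P<dst>[0-9A-Za-z.:%]+)\[\d+\] "
    r"spi=(?P<spi>\d+)\(0x(?P<spi_hex>[0-9a-f]+)\)"
)
PORT_RE = re.compile(r"(?P<addr>\S+)\[500\] used as isakmp port")

SAMPLE_LOG = """\
Feb 19 18:27:26 racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
Feb 19 18:27:26 racoon: INFO: 192.168.100.1[500] used as isakmp port (fd=17)
Feb 19 18:27:26 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Feb 19 18:27:26 racoon: INFO: 203.0.113.20[500] used as isakmp port (fd=18)
Feb 19 18:27:26 racoon: ERROR: such policy already exists. anyway replace it: 192.168.100.0/24[0] 192.168.100.1/32[0] proto=any dir=in
Dec 29 10:58:01 racoon: INFO: IPsec-SA established: ESP/Tunnel 10.7.3.115[0]->192.170.1.2[0] spi=236667421(0xe1b421d)
Dec 29 10:58:01 racoon: INFO: IPsec-SA established: ESP/Tunnel 192.170.1.2[0]->10.7.3.115[0] spi=53599917(0x331dead)
""".splitlines()


def classify(line):
    """Return one of: 'sa_established', 'listening', 'benign', 'error', 'info'."""
    if "IPsec-SA established" in line:
        return "sa_established"
    if "used as isakmp port" in line:
        return "listening"
    if any(marker in line for marker in BENIGN):
        return "benign"
    if ": ERROR:" in line:
        return "error"
    return "info"


def summarize(lines):
    """Count lines per category; a healthy reload has no 'error' entries."""
    return Counter(classify(line) for line in lines)


def listeners(lines):
    """Addresses racoon bound UDP/500 on (the WAN address must be among them)."""
    return [m.group("addr") for m in map(PORT_RE.search, lines) if m]


def parse_sas(lines):
    """Extract (src, dst, spi) for every established SA, cross-checking the two SPI forms."""
    sas = []
    for line in lines:
        m = SA_RE.search(line)
        if not m:
            continue
        spi = int(m.group("spi"))
        if spi != int(m.group("spi_hex"), 16):
            raise ValueError(f"inconsistent SPI in line: {line}")
        sas.append((m.group("src"), m.group("dst"), spi))
    return sas


def tunnel_up(lines, left, right):
    """True only when an SA exists in each direction between the two endpoints."""
    pairs = {(src, dst) for src, dst, _ in parse_sas(lines)}
    return (left, right) in pairs and (right, left) in pairs


if __name__ == "__main__":
    print(dict(summarize(SAMPLE_LOG)))
    print("listening on:", listeners(SAMPLE_LOG))
    for src, dst, spi in parse_sas(SAMPLE_LOG):
        print(f"SA {src} -> {dst} spi=0x{spi:x}")
    print("tunnel up:", tunnel_up(SAMPLE_LOG, "10.7.3.115", "192.170.1.2"))
```

Feeding only the startup lines to `tunnel_up` returns False even though no real error was logged, which is the state strick1226 was looking at: nothing wrong, just nothing negotiated yet. Sending traffic across the tunnel (grab3's ping) is what produces the two SA lines.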
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.