Netgate Discussion Forum

IPSEC between 2 pfsense boxes over WAN2

13 Posts 3 Posters 6.4k Views
    warpke
    last edited by Mar 21, 2008, 11:52 AM Mar 21, 2008, 2:39 AM

    (coming from this topic: http://forum.pfsense.org/index.php/topic,8478.msg47570.html#msg47570)

    I need an ipsec tunnel between 2 pfsense boxes, over my WAN2 connection

    I use the 1.2-RELEASE

                                                          WAN (pppoe) -----\         /--- LAN (192.168.1.0/24)
      remote LAN                                                            \       /
    192.168.0.0/24                                                           -- pfsense --
          |                                                                 /             \
    remote pfsense ------ WAN ------ IPSEC ------ WAN2 (dhcp) -------------/               --- AIR1 (192.168.10.0/24) |
                     81.165.xxx.xxx               81.165.zzz.zzz                           --- AIR2 (192.168.10.0/24) | (bridged)
                                                                                           --- AIR3 (192.168.10.0/24) | (bridged)

    I added a static route for the ip address of the remote pfsense:
    Interface            Network                            Gateway
    WAN2              81.165.xxx.xxx/32              WAN2 gateway ip

    I also added a firewall rule (on top) on the LAN interface (which I don't need if the tunnel goes over the default WAN):
    Prot    Src          Port      Destination            Port      Gw          Schedule      Description
    *        LAN net    *          192.168.0.0/24      *          WAN2

    I get errors, which I don't have when the tunnel is made over my WAN

    Diagnostic System logs: on my side of the tunnel (in reverse order):

    racoon: ERROR: failed to pre-process packet.
    racoon: ERROR: failed to get proposal for responder.
    racoon: [Unknown Gateway/Dynamic]: ERROR: no policy found: 192.168.0.0/24[0] 192.168.1.0/24[0] proto=any dir=in
    racoon: [tunnel to quanti]: INFO: respond new phase 2 negotiation: 81.165.zzz.zzz[0]<=>81.165.xxx.xxx[0]
    racoon: ERROR: failed to pre-process packet.
    racoon: ERROR: failed to get proposal for responder.
    racoon: [Unknown Gateway/Dynamic]: ERROR: no policy found: 192.168.0.0/24[0] 192.168.1.0/24[0] proto=any dir=in
    racoon: [tunnel to quanti]: INFO: respond new phase 2 negotiation: 81.165.zzz.zzz[0]<=>81.165.xxx.xxx[0]
    …

    Diagnostic System logs: on remote side of the tunnel (in reverse order):

    ...
    racoon: [tunnel to eekie schilde]: ERROR: 81.165.zzz.zzz give up to get IPsec-SA due to time up to wait.
    racoon: [tunnel to eekie schilde]: INFO: initiate new phase 2 negotiation: 81.165.xxx.xxx[0]<=>81.165.zzz.zzz[0]
    …

    when I remove the static route and adjust the tunnel on both sides for my WAN interface it works

    any help would be greatly appreciated...

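A check for the symptom in those logs, added here as an example (not code from the thread or from pfSense): it pulls the subnet pairs that racoon rejected with "no policy found" out of the log and compares them with the policies the local box actually holds, using constructed log lines and constructed `setkey -DP`-style SPD dumps. A reported pair means the peer proposes a phase 2 selector for which this side has no SPD entry, which is exactly what the "failed to get proposal for responder" lines follow from.

```python
import re
import ipaddress

# Constructed racoon log lines modelled on the ones quoted in the post (not the real log).
RACOON_LOG = """\
racoon: [tunnel to quanti]: INFO: respond new phase 2 negotiation: 81.165.zzz.zzz[0]<=>81.165.xxx.xxx[0]
racoon: [Unknown Gateway/Dynamic]: ERROR: no policy found: 192.168.0.0/24[0] 192.168.1.0/24[0] proto=any dir=in
racoon: ERROR: failed to get proposal for responder.
"""
# Constructed SPD dumps in the shape `setkey -DP` prints on pfSense 1.2 (FreeBSD): SPD_BROKEN
# holds only an outbound policy, so the inbound pair the peer proposes has no entry (the
# "no policy found" situation); SPD_FIXED adds the inbound policy for that pair.
SPD_BROKEN = """\
192.168.1.0/24[any] 192.168.0.0/24[any] any
    out ipsec
    esp/tunnel/81.165.zzz.zzz-81.165.xxx.xxx/unique#16385
"""
SPD_FIXED = SPD_BROKEN + """\
192.168.0.0/24[any] 192.168.1.0/24[any] any
    in ipsec
    esp/tunnel/81.165.xxx.xxx-81.165.zzz.zzz/unique#16386
"""

NO_POLICY = re.compile(r"no policy found: (\S+)\[\d+\] (\S+)\[\d+\] proto=\S+ dir=(in|out)")
SPD_HEAD = re.compile(r"^(\S+)\[\S+\] (\S+)\[\S+\] \S+$")      # "src[port] dst[port] proto"
SPD_DIR = re.compile(r"^\s+(in|out) (?:ipsec|discard|none)\b")  # indented direction line

def parse_spd(dump):
    """Return (src_net, dst_net, direction) for every policy in a setkey -DP style dump."""
    policies, pair = [], None
    for line in dump.splitlines():
        head, direction = SPD_HEAD.match(line), SPD_DIR.match(line)
        if head:                           # selector line opens a new policy entry
            pair = (ipaddress.ip_network(head.group(1)), ipaddress.ip_network(head.group(2)))
        elif direction and pair:           # the indented line after it carries the direction
            policies.append((pair[0], pair[1], direction.group(1)))
            pair = None
    return policies

def missing_policies(log, policies):
    """Selector pairs racoon rejected that no SPD policy covers; [] means log and SPD agree."""
    missing = []
    for m in NO_POLICY.finditer(log):
        src, dst, d = ipaddress.ip_network(m.group(1)), ipaddress.ip_network(m.group(2)), m.group(3)
        covered = any(d == p_dir and src.subnet_of(p_src) and dst.subnet_of(p_dst)
                      for p_src, p_dst, p_dir in policies)
        if not covered:
            missing.append((str(src), str(dst), d))
    return missing
```

`missing_policies(RACOON_LOG, parse_spd(SPD_BROKEN))` returns the one uncovered pair (192.168.0.0/24 to 192.168.1.0/24, inbound); with `SPD_FIXED` it returns an empty list, which is what you want to see after the SPD entries for the tunnel have been created.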
      GruensFroeschli
      last edited by Mar 21, 2008, 12:12 PM

      I think your rule

      Prot    Src          Port      Destination            Port      Gw          Schedule      Description
      *        LAN net    *          192.168.0.0/24      *          WAN2

      should be like:

      I also added a firewall rule (on top) on the LAN interface (which I don't need if the tunnel goes over the default WAN):
      Prot    Src          Port      Destination            Port      Gw          Schedule      Description
      *        LAN net    *          192.168.0.0/24      *          *

      The static route is needed to get the tunnel up.
      After the tunnel is up, the traffic for the remote subnet no longer leaves the pfSense (logically seen) over WAN2 but over the IPSEC interface.
      If you force this traffic to WAN2 it never reaches the remote end.

      We do what we must, because we can.

      Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        hoba
        last edited by Mar 21, 2008, 1:14 PM

        GruensFroeschli is right (as always ;) ). However the tunnel should come up even with that setting in place though you would not get the traffic through then. When switching from WAN to WAN2 it might take some time for the other end to recognize the change or the other end even has to be reconfigured. What kind of identifiers are you using for that tunnel at both ends? It looks like the pfSense at the multiwan side has no static IPs? Please provide some more info on how you set up the tunnel parameters.

          warpke
          last edited by Mar 21, 2008, 4:39 PM

          I got it to work a little more

          I changed the settings of the WAN2 interface to static (and used the exact same ip, subnet mask and gateway as if it was assigned by dhcp)
          now SPD rules are created when I look in "status>ipsec>spd"
          but when I look at "status>ipsec>sad" it doesn't get filled in…

          hopefully I get this to work because these connections are from the same provider, it's more stable and has more bandwidth than my pppoe

            hoba
            last edited by Mar 21, 2008, 6:20 PM

            If you use static IPs at your opt interface it won't renew its lease and you'll sooner or later cause IP conflicts in your provider's network. Please provide the info that I have asked for in my previous post or we can't help you much.

              warpke
              last edited by Mar 21, 2008, 9:21 PM Mar 21, 2008, 9:13 PM

              ok, I'll try to give all information the best I can…

              remote pfsense (default WAN):
              dhcp
              IP address              81.165.XXX.XXX
              Gateway                 81.165.RRR.RRR

              identifier ip address   81.165.XXX.XXX
              preshared key           <same secret>
              this key is also in preshared keys tab:

              Identifier              Pre-shared key
              81.165.ZZZ.ZZZ          <same secret>

              Local net   Interface   Remote net        Remote gw        P1 mode      P1 Enc. Algo   P1 Hash Algo   Description
              LAN         WAN         192.168.1.0/24    81.82.ZZZ.ZZZ    aggressive   Blowfish       SHA1

              local pfsense (WAN2):
              dhcp
              IP address              81.165.ZZZ.ZZZ
              Gateway                 81.165.YYY.YYY

              identifier ip address   81.165.ZZZ.ZZZ
              preshared key           <same secret>
              this key is also in preshared keys tab:

              Identifier              Pre-shared key
              81.165.XXX.XXX          <same secret>

              Local net   Interface   Remote net        Remote gw        P1 mode      P1 Enc. Algo   P1 Hash Algo   Description
              LAN         WAN2        192.168.0.0/24    81.82.ZZZ.ZZZ    aggressive   Blowfish       SHA1

                warpke
                last edited by Mar 22, 2008, 1:59 PM

                http://forum.pfsense.org/index.php/topic,1917.0.html

                the last post on this topic explains exactly the same problem, only i have a 1.2-RELEASE

                did sbyoon's problem get solved there?

                  hoba
                  last edited by Mar 22, 2008, 5:29 PM

                  That thread is already 1.5 years old and was talking about a pre 1.0 version. It should be possible in 1.2, yes. Your settings look valid at a glance though you might want to use identifiers different than the IP addresses as one of the ends is dynamic (the dhcp one). You even could set this up as mobile client joining the other end (at least one end has to have a static IP though). Please try the following: After adding the route to the remote site through the opt WAN go to the ipsec settings tab on both machines and simply hit save. This should restart racoon and also dump old SAs. Maybe even try to reboot both ends. Does that solve the issue? Maybe something does not reload correctly when switching the tunnel to a different IP.

                    warpke
                    last edited by Mar 27, 2008, 4:28 PM

                    after a lot of trying, I only got it to work when I set the dhcp connection (WAN2) to static

                    only then the spd rules get created

                    I know, it's not very smart to set a static ip on a dhcp connection, but it's a very "static" dhcp address, I've only seen it change when the network went down for several hours…

                    there's definitely something not working when you want a tunnel over an opt interface that has dhcp.

                      hoba
                      last edited by Mar 27, 2008, 6:05 PM

                      Actually it might be a problem if the dhcp is not yet connected and has no IP when you try to create the tunnel and save settings. I'll take this as discussion to the dev channel but I doubt that a dhcp assigned interface will work with IPSEC reliably anyway (even if the IP does not change).

                      If your client is not renewing the DHCP lease frequently it will lose the IP (after some hours like you said). The ISP will then assign that IP to someone else though you are using that IP as static. This will mess up their network and they maybe will start to block you to avoid the conflict. You really should not do that.

                        hoba
                        last edited by Mar 28, 2008, 6:52 PM

                        We had some discussion about dhcp and IPSEC in the dev-channel and we currently don't see a need to improve this as it won't work reliably anyway. We will be working on something that will allow hostnames as vpn endpoints though. Once that part is done we'll make sure it will work with DHCP or PPPoE WANs too. There is no timeframe for that feature though so don't expect it in the near future.

                          warpke
                          last edited by Mar 31, 2008, 1:51 PM Mar 31, 2008, 10:13 AM

                          ok, thanks a lot anyway :)
                          I switched the tunnel back to my WAN interface for the time being…

                          I also had in mind a different sort of setup, because the tunnel works when the dhcp connection goes over the WAN interface

                          my idea was:

                          current setup:          alternative setup:
                          WAN: pppoe              WAN: dhcp cable
                          WAN2: dhcp cable        WAN2: static ip and gateway: 3com router that has pppoe ability

                          this is the "pppoe dialer":
                          http://www.3com.com/prod/nl_BE_EMEA/detail.jsp?tab=features&sku=3CRWER200-75

                            warpke
                            last edited by Mar 31, 2008, 2:30 PM Mar 31, 2008, 1:57 PM

                            this setup seems to work this way,

                            I've redirected all requests getting to the 3com device to the pfsense on the WAN2, so everything works from my server

                            all the rest is on the WAN, including the tunnel (the dhcp cable connection)

                            again, thanks for all the help!!

                            greets
