Ipsec errors please help need this up Monday
-
One thing: this is the error I get at the remote location; the server at the main office shows nothing under the IPsec log.
-
could it be the two subnets?
main network is 192.168.0.0 255.255.252.0
remote is 192.168.1.0 255.255.255.0
Thanks
-
Changed IP and now I get this again! I'm getting ready to give up, this is so frustrating. I have done IPsec on Cisco before.
Mar 30 19:10:18 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 128.168.1.0/26[0] 192.168.0.0/22[0] proto=any dir=out
Mar 30 19:10:18 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 128.168.1.1/32[0] 128.168.1.0/26[0] proto=any dir=out
Mar 30 19:10:18 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.0.0/22[0] 128.168.1.0/26[0] proto=any dir=in
Mar 30 19:10:18 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 128.168.1.0/26[0] 128.168.1.1/32[0] proto=any dir=in
-
Back to this! I'm getting ready to throw in the towel and go buy a firewall for both places…
Mar 30 21:32:05 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 172.16.10.0/24[0] 192.168.0.0/22[0] proto=any dir=out
Mar 30 21:32:05 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 172.16.10.1/32[0] 172.16.10.0/24[0] proto=any dir=out
Mar 30 21:32:05 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.0.0/22[0] 172.16.10.0/24[0] proto=any dir=in
Mar 30 21:32:05 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 172.16.10.0/24[0] 172.16.10.1/32[0] proto=any dir=in
-
could it be the two subnets?
main network is 192.168.0.0 255.255.252.0
remote is 192.168.1.0 255.255.255.0
That might be why the negotiation is failing, even if it were successful it's not going to work with those two subnets. 192.168.1.0/24 is within 192.168.0.0/22, the latter subnet will think the remote subnet is on its local network, hence it won't work.
Not sure if negotiation would actually fail in that circumstance, but it would make sense if it did.
-
@cmb:
could it be the two subnets?
main network is 192.168.0.0 255.255.252.0
remote is 192.168.1.0 255.255.255.0
That might be why the negotiation is failing, even if it were successful it's not going to work with those two subnets. 192.168.1.0/24 is within 192.168.0.0/22, the latter subnet will think the remote subnet is on its local network, hence it won't work.
Not sure if negotiation would actually fail in that circumstance, but it would make sense if it did.
Actually that will work. I use such a setup to route traffic from remote home offices through the main location:
From the SPD list at the main location (10 remote locations):
192.168.10.0/24 - 192.168.0.0/18
192.168.51.0/24 - 192.168.0.0/18
192.168.57.0/24 - 192.168.0.0/18
192.168.9.0/24 - 192.168.0.0/18
192.168.43.0/24 - 192.168.0.0/18
…The main location that holds the 192.168.0.0/18 subnet in IPsec has some local subnets like 192.168.2.0/24 and others inside the /18 range that can all be reached from the home offices. Additionally the home offices can talk to each other. The traffic gets routed through the main location and there are no tunnels from one home office to another. This is the same situation with overlapping/conflicting subnets.
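The two posts above disagree about overlapping subnets, and the difference is where the overlap sits: in the first case the remote LAN (192.168.1.0/24) lies inside the main site's own LAN (192.168.0.0/22), so main-site hosts treat remote addresses as local; in the second case only the IPsec "remote subnet" declared at the home office (192.168.0.0/18) is a supernet, while the real main-site LANs (/24s inside it) do not collide with the home-office LAN. The following is an added example, not code from the thread or from pfSense, that checks both conditions with Python's ipaddress module. The main-site LANs in the second check are constructed sample values in the spirit of the post.

```python
import ipaddress


def net(spec):
    """Parse a subnet written as '10.0.0.0/16', '10.0.0.0 /16' or
    '192.168.0.0 255.255.252.0' (the three forms that appear in the thread)."""
    parts = spec.replace("/", " ").split()
    return ipaddress.ip_network("/".join(parts), strict=False)


def classify_pair(lan_a, lan_b):
    """How the two site LANs relate: 'disjoint', 'identical', 'b_inside_a'
    or 'a_inside_b'. Anything but 'disjoint' means hosts on the larger LAN
    consider the peer's addresses local and never hand them to the tunnel."""
    a, b = net(lan_a), net(lan_b)
    if not a.overlaps(b):
        return "disjoint"
    if a == b:
        return "identical"
    return "b_inside_a" if b.subnet_of(a) else "a_inside_b"


def supernet_policy_problems(main_lans, office_lan, office_remote_policy):
    """Check the supernet layout from the thread: the home office declares one
    large remote subnet (e.g. 192.168.0.0/18) that must cover every LAN at the
    main site, and the office's own LAN must not collide with any of them.
    The office LAN may itself lie inside the policy range; its directly
    connected route is more specific than the tunnel policy.
    Returns a list of problem strings; an empty list means the layout is consistent."""
    policy = net(office_remote_policy)
    office = net(office_lan)
    problems = []
    for lan in map(net, main_lans):
        if not lan.subnet_of(policy):
            problems.append(f"main-site LAN {lan} is not covered by policy {policy}")
        if lan.overlaps(office):
            problems.append(f"main-site LAN {lan} overlaps the office LAN {office}")
    return problems


if __name__ == "__main__":
    # The original poster's pair: the remote /24 sits inside the main /22.
    print(classify_pair("192.168.0.0 255.255.252.0", "192.168.1.0 255.255.255.0"))
    # The supernet layout described in the reply (constructed sample main-site LANs).
    print(supernet_policy_problems(["192.168.2.0/24", "192.168.3.0/24"],
                                   "192.168.10.0/24", "192.168.0.0/18"))
```

Run against the poster's numbers the first check reports `b_inside_a`, which is the condition cmb describes; the supernet check returns no problems for the /18 layout but flags the /22 case, because there the main-site LAN itself overlaps the remote LAN.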
-
Getting this again, someone please help…
I have two pfSense firewalls, both with public IPs; one is at a remote location, the other is at a main location. I have checked all settings over and over and they are correct!
Mar 31 15:32:18 racoon: ERROR: such policy already exists. anyway replace it: 10.0.0.0/16[0] 192.168.0.0/22[0] proto=any dir=out
Mar 31 15:32:18 racoon: ERROR: such policy already exists. anyway replace it: 10.0.0.1/32[0] 10.0.0.0/16[0] proto=any dir=out
Mar 31 15:32:18 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.0.0/22[0] 10.0.0.0/16[0] proto=any dir=in
Mar 31 15:32:18 racoon: ERROR: such policy already exists. anyway replace it: 10.0.0.0/16[0] 10.0.0.1/32[0] proto=any dir=in
-
Please provide info on how the tunnels are setup on each side.
-
Here's the info.

Remote Location
Interface: WAN
Local Subnet Type: LAN Subnet
Remote Subnet: 192.168.0.0/22
Remote Gateway: 66.17.X.X
Description: Remote
Phase1
Negotiation Mode: Aggressive
My Identifier: My IP Address
Encryption Algorithm: SHA1
DH Key Group: 2
Lifetime: 28800
Authentication Method: Pre Shared Key
Pre Shared Key: St0rmw1nd
Phase2
Protocol: ESP
Encryption Algorithms: Rijndael(AES)
Hash Algorithms: SHA1
PFS Key Group: 2
Lifetime: 84400

MAIN SITE
Interface: SPARKPLUG (second WAN, I have tried both)
Local Subnet Type: LAN Subnet
Remote Subnet: 10.0.0.0/16
Remote Gateway: 168.158.X.X
Description: Main
Phase1
Negotiation Mode: Aggressive
My Identifier: My IP Address
Encryption Algorithm: SHA1
DH Key Group: 2
Lifetime: 28800
Authentication Method: Pre Shared Key
Pre Shared Key: St0rmw1nd
Phase2
Protocol: ESP
Encryption Algorithms: Rijndael(AES)
Hash Algorithms: SHA1
PFS Key Group: 2
Lifetime: 84400
-
What I am trying to do is connect my remote office to my main office; both have pfSense installed. I want to be able to get my DHCP from the main office as well. I just need a tunnel between the two pfSense firewalls in order to connect the two and make it as one network. Am I missing something here?
-
Now I'm getting this error:
Mar 31 17:38:07 racoon: INFO: delete phase 2 handler.
Mar 31 17:38:07 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 168.158.228.10[0]->66.17.85.18[0]
Mar 31 17:37:36 racoon: INFO: begin Aggressive mode.
Mar 31 17:37:36 racoon: INFO: initiate new phase 1 negotiation: 66.17.85.18[500]<=>168.158.228.10[500]
Mar 31 17:37:36 racoon: INFO: IPsec-SA request for 168.158.228.10 queued due to no phase1 found.
Would it be easier to just go buy a Linksys router?
-
As you are doing this on a multi-WAN, did you add static routes for the site with the multi-WAN to the remote IP/32 via the gateway on WAN2? There's a thread about that exact same issue already around at the forum.
I now understand the logs too: the one system is trying to talk to the other system with the dual WAN on WAN2, but the dual-WAN system answers at WAN1 due to the missing route.
-
I guess I am confused; what if I just have the remote site look for WAN1 instead? Would I add the static route in the rules section?
-
If both firewalls have the tunnels at WAN you don't need static routes, as it will use the default gateway then.
-
Still had issues that way. Also, one note is that I am using the firewall as a DHCP server on the remote site. I have a DHCP server on the main site. How can I just link the two firewalls and use everything at the main site, such as DHCP, for the remote site? I am wanting to have the two sites as if they are one.
-
You can work with dhcprelay to do that, though I probably wouldn't do it that way. If the tunnel fails your clients won't be able to get DHCP. I would set up a second DHCP at the remote office (could be the pfSense) but assign the main location's DNS server as the first DNS to the clients. This way lookups should work forward and backward. As second DNS you could assign the local DNS forwarder of the pfSense so clients would still be able to access the internet even if the tunnel is down.
-
OK, I am now using a SonicWall firewall at the remote location and the pfSense at the main. I have set everything up and now I am getting the following errors.
Apr 1 11:31:35 racoon: ERROR: failed to pre-process packet.
Apr 1 11:31:35 racoon: ERROR: failed to get sainfo.
Apr 1 11:31:35 racoon: ERROR: failed to get sainfo.
Apr 1 11:31:35 racoon: INFO: respond new phase 2 negotiation: 66.93.X.X[0]<=>168.158.X.X[0]
Apr 1 11:31:34 racoon: INFO: ISAKMP-SA established 66.93.X.X[500]-168.158.X.X[500] spi:a84321dfbb05a217:2a9e8c8e5d8a57a4
Apr 1 11:31:34 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Apr 1 11:31:34 racoon: WARNING: No ID match.
Apr 1 11:31:34 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Apr 1 11:31:34 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Apr 1 11:31:34 racoon: INFO: begin Aggressive mode.
-
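The racoon excerpts posted in this thread show two different failure points: in the Mar 31 log phase 1 never completes (which the multi-WAN routing reply explains), while in the Apr 1 log phase 1 succeeds but phase 2 fails with "failed to get sainfo" after an identifier warning. The following is an added example, not code from the thread or from pfSense, that parses racoon log lines and maps the messages seen here to the phase they belong to. The sample logs are the thread's own lines with the public addresses masked; the one-line interpretations are the standard meaning of these racoon messages and are assumptions of this example, not statements quoted from the posters.

```python
import re

# Constructed sample: the Mar 31 excerpt from the thread, addresses masked.
SAMPLE_PHASE1_TIMEOUT = """\
Mar 31 17:38:07 racoon: INFO: delete phase 2 handler.
Mar 31 17:38:07 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 168.158.X.X[0]->66.17.X.X[0]
Mar 31 17:37:36 racoon: INFO: begin Aggressive mode.
Mar 31 17:37:36 racoon: INFO: initiate new phase 1 negotiation: 66.17.X.X[500]<=>168.158.X.X[500]
Mar 31 17:37:36 racoon: INFO: IPsec-SA request for 168.158.X.X queued due to no phase1 found.
"""

# Constructed sample: the Apr 1 excerpt from the thread (SonicWall peer).
SAMPLE_PHASE2_FAILURE = """\
Apr 1 11:31:35 racoon: ERROR: failed to pre-process packet.
Apr 1 11:31:35 racoon: ERROR: failed to get sainfo.
Apr 1 11:31:35 racoon: ERROR: failed to get sainfo.
Apr 1 11:31:35 racoon: INFO: respond new phase 2 negotiation: 66.93.X.X[0]<=>168.158.X.X[0]
Apr 1 11:31:34 racoon: INFO: ISAKMP-SA established 66.93.X.X[500]-168.158.X.X[500] spi:a84321dfbb05a217:2a9e8c8e5d8a57a4
Apr 1 11:31:34 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Apr 1 11:31:34 racoon: WARNING: No ID match.
Apr 1 11:31:34 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Apr 1 11:31:34 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Apr 1 11:31:34 racoon: INFO: begin Aggressive mode.
"""

# "<month> <day> <time> racoon: [optional gateway tag]: <LEVEL>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d) racoon: "
    r"(?:\[[^\]]*\]: )?(?P<level>[A-Z]+): (?P<msg>.*)$"
)

# (finding key, message fragment, what it means). Assumed standard racoon semantics.
SIGNATURES = [
    ("spd-refresh", "such policy already exists",
     "SPD entries were re-installed; informational, not the cause of a failure"),
    ("phase1-timeout", "time up waiting for phase1",
     "phase 1 never completed: the peer is unreachable, or on a multi-WAN box "
     "it answers from a different interface than the one it was addressed on"),
    ("phase1-established", "ISAKMP-SA established",
     "phase 1 succeeded; a remaining failure is in phase 2"),
    ("phase2-no-sainfo", "failed to get sainfo",
     "no phase 2 definition matched the peer's proposal: compare local/remote "
     "subnets and phase 2 proposals on both ends"),
    ("identifier-mismatch", "couldn't find the proper pskey",
     "peer identifier did not match a configured identity; racoon fell back "
     "to looking up the PSK by peer address"),
    ("identifier-mismatch", "No ID match",
     "peer identifier did not match a configured identity; racoon fell back "
     "to looking up the PSK by peer address"),
    ("aggressive-mode", "begin Aggressive mode",
     "tunnel negotiates in aggressive mode; main mode is the recommended setting"),
]


def parse_line(line):
    """Split one racoon syslog line into timestamp, level and message; None if it is not one."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def diagnose(log_text):
    """Return the sorted, de-duplicated finding keys present in the log excerpt."""
    found = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for key, needle, _ in SIGNATURES:
            if needle in rec["msg"]:
                found.add(key)
    return sorted(found)


def explain(log_text):
    """Pair each finding with its one-line interpretation."""
    advice = {key: text for key, _, text in SIGNATURES}
    return [(key, advice[key]) for key in diagnose(log_text)]


if __name__ == "__main__":
    for name, sample in (("Mar 31", SAMPLE_PHASE1_TIMEOUT), ("Apr 1", SAMPLE_PHASE2_FAILURE)):
        print(name)
        for key, text in explain(sample):
            print(f"  {key}: {text}")
```

The first sample yields only `phase1-timeout` (plus the aggressive-mode note), so the peer address and routing are the place to look; the second yields `phase1-established` together with `identifier-mismatch` and `phase2-no-sainfo`, which points at the identifier and the phase 2 subnet/proposal settings rather than at reachability.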
You just made things more complicated. Try this guide, maybe it will help you http://doc.m0n0.ch/handbook-single/#id2608734
-
In my experience you should never use aggressive mode with IPsec. 1) It's less secure. 2) Some of the checks and balances (including the mechanism for logging it) are missing. Use Main mode. If you need some closer-to-realtime help, email the support mailing list or you may be able to use the IRC channel.
Curtis
-
Chris,
Would a Linksys be easier? NO. Setting up tunnels with anything other than pfSense is difficult. I used 10 different routers and firewalls. pfSense has been the simplest to set up and get working. I have Netgear, Symantec VPN100 and 320's in service; all work, but some can really pull your hair out.
I had this happen several times to me. It looks like you have a couple of things going on. I would make sure that you have your phase 1 settings correct. I recently had a similar issue. I found that one end was using aggressive instead of MAIN. I ended up removing all settings on that router and rebuilding the tunnel after flashing the firmware.
Send me an email to ron.carter@cartersweb.net and see what I can do to give you a hand. I do agree with clamasters: use MAIN mode. I can give you a call tomorrow after 6:00 PM east coast time. We should be able to get it to work without too much trouble.
I have had my pfSense firewall up for over a year now with limited problems; most have been self-inflicted. But I have been able to recover. The forum is a great place to get issues resolved and to get help.
RC