IPsec errors, please help, need this up Monday

hoba:

Please provide info on how the tunnels are set up on each side.
chrisreston:

Here's the info.

Remote Location

Interface: WAN
Local Subnet: Type - LAN Subnet
Remote Subnet: 192.168.0.0/22
Remote Gateway: 66.17.X.X
Description: Remote

Phase 1
Negotiation Mode: Aggressive
My Identifier: My IP Address
Encryption Algorithm: SHA1
DH Key Group: 2
Lifetime: 28800
Authentication Method: Pre-Shared Key
Pre-Shared Key: St0rmw1nd

Phase 2
Protocol: ESP
Encryption Algorithms: Rijndael (AES)
Hash Algorithms: SHA1
PFS Key Group: 2
Lifetime: 84400

MAIN SITE

Interface: SPARKPLUG (second WAN, I have tried both)
Local Subnet: Type - LAN Subnet
Remote Subnet: 10.0.0.0/16
Remote Gateway: 168.158.X.X
Description: Main

Phase 1
Negotiation Mode: Aggressive
My Identifier: My IP Address
Encryption Algorithm: SHA1
DH Key Group: 2
Lifetime: 28800
Authentication Method: Pre-Shared Key
Pre-Shared Key: St0rmw1nd

Phase 2
Protocol: ESP
Encryption Algorithms: Rijndael (AES)
Hash Algorithms: SHA1
PFS Key Group: 2
Lifetime: 84400
chrisreston:

What I am trying to do is connect my remote office to my main office; both have pfSense installed. I want to be able to get my DHCP from the main office as well. I just need a tunnel between the two pfSense firewalls in order to connect the two and make it as one network. Am I missing something here?
chrisreston:

Now I'm getting this error:

Mar 31 17:38:07 racoon: INFO: delete phase 2 handler.
Mar 31 17:38:07 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 168.158.228.10[0]->66.17.85.18[0]
Mar 31 17:37:36 racoon: INFO: begin Aggressive mode.
Mar 31 17:37:36 racoon: INFO: initiate new phase 1 negotiation: 66.17.85.18[500]<=>168.158.228.10[500]
Mar 31 17:37:36 racoon: INFO: IPsec-SA request for 168.158.228.10 queued due to no phase1 found.

Would it be easier to just go buy a Linksys router?
hoba:

As you are doing this on a multi-WAN, did you add static routes for the site with the multi-WAN to the remote IP/32 via the gateway on WAN2? There's a thread about that exact same issue already around at the forum.

I now understand the logs too: the one system is trying to talk to the other system with the dual WAN on WAN2, but the dual-WAN system answers at WAN1 due to the missing route.
chrisreston:

I guess I am confused; what if I just have the remote site look for WAN1 instead? Would I add the static route in the rules section?
hoba:

If both firewalls have the tunnels at WAN you don't need static routes, as it will use the default gateway then.
chrisreston:

Still had issues that way. Also, one note is that I am using the firewall as a DHCP server on the remote site. I have a DHCP server on the main site. How can I just link the two firewalls and use everything at the main site, such as DHCP, for the remote site? I am wanting to have the two sites as if they are one.
hoba:

You can work with DHCP relay to do that, though I probably wouldn't do it that way. If the tunnel fails your clients won't be able to get DHCP. I would set up a second DHCP at the remote office (could be the pfSense) but assign the main location's DNS server as the first DNS to the clients. This way lookups should work forward and backward. As second DNS you could assign the local DNS forwarder of the pfSense so clients would still be able to access the internet even if the tunnel is down.
chrisreston:

OK, I am now using a SonicWall firewall at the remote location and the pfSense at the main. I have set everything up and now I am getting the following errors.

Apr 1 11:31:35 racoon: ERROR: failed to pre-process packet.
Apr 1 11:31:35 racoon: ERROR: failed to get sainfo.
Apr 1 11:31:35 racoon: ERROR: failed to get sainfo.
Apr 1 11:31:35 racoon: INFO: respond new phase 2 negotiation: 66.93.X.X[0]<=>168.158.X.X[0]
Apr 1 11:31:34 racoon: INFO: ISAKMP-SA established 66.93.X.X[500]-168.158.X.X[500] spi:a84321dfbb05a217:2a9e8c8e5d8a57a4
Apr 1 11:31:34 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Apr 1 11:31:34 racoon: WARNING: No ID match.
Apr 1 11:31:34 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Apr 1 11:31:34 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Apr 1 11:31:34 racoon: INFO: begin Aggressive mode.
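The two racoon log excerpts in this thread tell different stories: the first one never gets past Phase 1 (the multi-WAN peer answers from the wrong interface, as hoba explains), while the second one establishes the ISAKMP SA and then fails in Phase 2 ("failed to get sainfo", i.e. the Phase 2 proposal or subnets do not match). The helper below is an added example, not code from the thread or from pfSense: it parses racoon lines of the shape pasted above, tags the messages quoted in both posts, and reports which finding to act on first. The message fragments come from the thread; the hints are the interpretation given there plus the usual Phase 2 checklist; the log samples and peer addresses (RFC 5737 documentation ranges) are constructed.

```python
"""Triage helper for racoon IPsec log lines of the kind pasted in this thread.

Added example, not part of the thread or of pfSense. Sample lines are
constructed to mirror the two posts, with peer addresses replaced by
RFC 5737 documentation addresses and a made-up SPI.
"""
import re

# Shape of a racoon line as pfSense displayed it: "Mon DD HH:MM:SS racoon: LEVEL: message"
RACOON_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) racoon: "
    r"(?P<level>INFO|NOTIFY|WARNING|ERROR): (?P<msg>.*)$"
)

# (message fragment, tag, hint). Fragments are taken from the messages quoted in the thread.
SIGNATURES = [
    ("time up waiting for phase1", "phase1-timeout",
     "Phase 1 never completed: the peer did not answer on the address it was contacted on. "
     "On a multi-WAN box, check for a /32 static route to the remote peer via the intended WAN gateway."),
    ("queued due to no phase1 found", "phase1-pending",
     "Phase 2 is waiting for Phase 1; only a problem if a timeout follows."),
    ("begin Aggressive mode", "aggressive-mode",
     "Aggressive mode is in use; both ends must agree on it, and Main mode is the safer choice."),
    ("ISAKMP-SA established", "phase1-ok",
     "Phase 1 succeeded, so reachability and the pre-shared key are not the problem."),
    ("No ID match", "identifier-mismatch",
     "The peer's identifier did not match what is configured; compare the identifier settings on both ends."),
    ("couldn't find the proper pskey", "psk-by-address",
     "PSK lookup by identifier failed and racoon fell back to the peer's address."),
    ("failed to get sainfo", "phase2-mismatch",
     "Phase 2 proposal rejected: local/remote subnets, ESP cipher, hash or PFS group differ between the ends."),
]

# Which finding to fix first when several appear in the same excerpt.
PRIORITY = ["phase1-timeout", "phase2-mismatch", "identifier-mismatch", "aggressive-mode"]


def parse_line(line):
    """Return {'ts', 'level', 'msg'} for a racoon line, or None for anything else."""
    m = RACOON_LINE.match(line.strip())
    return m.groupdict() if m else None


def tag_message(msg):
    """Return the signature tag matching this message, or None if it is not of interest."""
    for fragment, tag, _hint in SIGNATURES:
        if fragment in msg:
            return tag
    return None


def diagnose(lines):
    """Classify a block of log lines (any order; pfSense shows newest first)."""
    tags = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # skip non-racoon lines rather than failing on them
        tag = tag_message(entry["msg"])
        if tag and tag not in tags:
            tags.append(tag)
    hints = {tag: hint for _fragment, tag, hint in SIGNATURES}
    return {
        "tags": tags,
        "phase1_established": "phase1-ok" in tags,
        "hints": [hints[t] for t in tags],
    }


def primary_cause(tags):
    """Pick the finding to act on first, or None if nothing actionable was seen."""
    for tag in PRIORITY:
        if tag in tags:
            return tag
    return None


# Constructed to mirror the multi-WAN post (pfSense to pfSense, Phase 1 never answers).
SAMPLE_MULTIWAN = [
    "Mar 31 17:38:07 racoon: INFO: delete phase 2 handler.",
    "Mar 31 17:38:07 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 198.51.100.10[0]->203.0.113.18[0]",
    "Mar 31 17:37:36 racoon: INFO: begin Aggressive mode.",
    "Mar 31 17:37:36 racoon: INFO: initiate new phase 1 negotiation: 203.0.113.18[500]<=>198.51.100.10[500]",
    "Mar 31 17:37:36 racoon: INFO: IPsec-SA request for 198.51.100.10 queued due to no phase1 found.",
]

# Constructed to mirror the SonicWall post (Phase 1 up, Phase 2 rejected).
SAMPLE_SONICWALL = [
    "Apr 1 11:31:35 racoon: ERROR: failed to pre-process packet.",
    "Apr 1 11:31:35 racoon: ERROR: failed to get sainfo.",
    "Apr 1 11:31:35 racoon: INFO: respond new phase 2 negotiation: 203.0.113.18[0]<=>198.51.100.10[0]",
    "Apr 1 11:31:34 racoon: INFO: ISAKMP-SA established 203.0.113.18[500]-198.51.100.10[500] spi:0123456789abcdef:fedcba9876543210",
    "Apr 1 11:31:34 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.",
    "Apr 1 11:31:34 racoon: WARNING: No ID match.",
    "Apr 1 11:31:34 racoon: INFO: begin Aggressive mode.",
]

if __name__ == "__main__":
    for name, sample in (("multi-WAN", SAMPLE_MULTIWAN), ("SonicWall", SAMPLE_SONICWALL)):
        result = diagnose(sample)
        print(f"{name}: fix first -> {primary_cause(result['tags'])}")
        for hint in result["hints"]:
            print("  -", hint)
```

Paste a block from Status > System logs > IPsec into one of the sample lists (or read them from a file) and run the script; the "fix first" line separates a reachability problem (Phase 1 timeout) from a configuration mismatch (Phase 2 rejected after a successful ISAKMP SA), which is the distinction the two posts above illustrate.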
hoba:

You just made things more complicated. Try this guide, maybe it will help you: http://doc.m0n0.ch/handbook-single/#id2608734
clamasters:

In my experience you should never use aggressive mode with IPsec. 1) It's less secure. 2) Some of the checks and balances (including the mechanism for logging it) are missing. Use Main mode. If you need some closer-to-realtime help, email the support mailing list or you may be able to use the IRC channel.

Curtis

http://www.curtis-lamasters.com
http://www.builtnetworks.com
fastcon68:

Chris,
Would a Linksys be easier? NO. Setting up tunnels with anything other than pfSense is difficult. I used 10 different routers and firewalls. pfSense has been the simplest to set up and get working. I have Netgear, Symantec VPN100 and 320s in service; all work but some can really pull your hair out.

I had this happen several times to me. It looks like you have a couple of things going on. I would make sure that you have your Phase 1 settings correct. I recently had a similar issue. I found that one end was using aggressive instead of MAIN. I ended up removing all settings on that router and rebuilding the tunnel after flashing the firmware.

Send me an email at ron.carter@cartersweb.net and see what I can do to give you a hand. I do agree with clamasters: use MAIN mode. I can give you a call tomorrow after 6:00 PM east coast time. We should be able to get it to work without too much trouble.

I have had my pfSense firewall up for over a year now with limited problems; most have been self-inflicted. But I have been able to recover. The forum is a great place to get issues resolved and to get help.

RC
liilo:

hoba,

could you please link to the existing thread for the multi-WAN IPsec VPN route issue.

I'm not able to find it by using the search form.

Thanks.
hoba:

Not sure which thread exactly you mean, but that topic is covered multiple times, like for example here: http://forum.pfsense.org/index.php/topic,8476.msg47573.html#msg47573

However, I don't think that this has anything to do with the issue we are seeing here.