Netgate Discussion Forum

First timer/newbie IPSec VPN….

NoDoze (May 7, 2008, 11:49 PM)

    I followed http://doc.pfsense.org/index.php/VPN_Capability_IPSec and have this all setup…. But when I go to the overview section...it's blank! I only have the tunnel I created in the SPD section.

    Am I missing something here?
    Is there more to it?

    What is the difference between SAD and SPD anyways...?

    Thanks!

    moffl (May 13, 2008, 1:43 AM; edited May 13, 2008, 5:29 AM)

      @NoDoze: I followed http://doc.pfsense.org/index.php/VPN_Capability_IPSec and have this all setup…. But when I go to the overview section...it's blank! I only have the tunnel I created in the SPD section.

      If you only have an SPD and not a SAD then you have no tunnel. In my experience the Security Association Database (SAD) tells you that you are associated. If you have nothing in overview then I would say the tunnel is not working.

      @NoDoze: What is the difference between SAD and SPD anyways…?

      Security Policy Database = SPD
      Security Association Database = SAD

      Thanks!

      heiko (May 13, 2008, 7:34 AM)

        @NoDoze:

        Am I missing something here?
        Is there more to it?

        Thanks!

        Please give us more information about your ipsec config

        NoDoze (May 21, 2008, 5:55 PM)

          Here are my settings… They are almost identical on both ends.

          Office
          VPN: IPsec: Edit tunnel

          Mode Tunnel
          Interface  WAN
          Local subnet Type: LAN subnet
          Remote subnet  255.255.252.0 /  32
          Remote gateway  76.XX.XX.115
          Description  Home

          Phase 1 proposal (Authentication)
          Negotiation mode  aggressive
          My identifier  My IP address
          Encryption algorithm  Blowfish
          Hash algorithm  SHA1
          Must match the setting chosen on the remote side. 
          DH key group  1
          Lifetime  28800
          Authentication method  Pre-shared key
          Pre-Shared Key  XXXXXXyadayadayadaXXXXX

          Phase 2 proposal (SA/Key Exchange)
          Protocol  ESP
          Encryption algorithms  Blowfish
          Hash algorithms  SHA1
          PFS key group  off
          Lifetime  28800

          Home
          VPN: IPsec: Edit tunnel

          Mode Tunnel
          Interface  WAN
          Local subnet Type: LAN subnet
          Remote subnet  255.255.255.224 /  32
          Remote gateway  71.XX.XX.162
          Description  Office

          Phase 1 proposal (Authentication)
          Negotiation mode  aggressive
          My identifier  My IP address
          Encryption algorithm  Blowfish
          Hash algorithm  SHA1
          Must match the setting chosen on the remote side. 
          DH key group  1
          Lifetime  28800
          Authentication method  Pre-shared key
          Pre-Shared Key  XXXXXXyadayadayadaXXXXX

          Phase 2 proposal (SA/Key Exchange)
          Protocol  ESP
          Encryption algorithms  Blowfish
          Hash algorithms  SHA1
          PFS key group  off
          Lifetime  28800

          heiko (May 21, 2008, 8:04 PM)

            what is Remote subnet  255.255.252.0 /  32 ??

            NoDoze (May 21, 2008, 8:31 PM)

              Uhmmm… Not sure what you're asking... I just copy/pasted from the pfsense VPN:IPsec window my settings...

              I basically followed the directions from: http://doc.pfsense.org/index.php/VPN_Capability_IPSec

              NoDoze (May 22, 2008, 7:23 AM)

                Remote subnet  255.255.252.0 /  32 !!!

                The Remote subnet is for example 192.168.1.1, your lan subnet of the other side and not the "subnet mask" ;)

                NoDoze (May 22, 2008, 5:36 PM)

                  OOooooohhhhh….! I always get those two mixed up...sorry...

                  I made the changes 192.168.1.0 for the office and 192.168.2.0 for home, but still a no go...

                  I'm getting these errors in the log:

                  May 22 10:32:53 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.2.0/24[0] proto=any dir=out
                  May 22 10:32:53 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.1.1/32[0] 192.168.1.0/24[0] proto=any dir=out
                  May 22 10:32:53 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.2.0/24[0] 192.168.1.0/24[0] proto=any dir=in
                  May 22 10:32:53 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.1.1/32[0] proto=any dir=in

                  What does it mean?

                  NoDoze (May 22, 2008, 7:37 PM)
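The two points made above (heiko's note that "Remote subnet" must hold the peer's LAN network, not a subnet mask, and the racoon "such policy already exists" lines that list the SPD entries being installed) can be checked mechanically. The following is an added example, not code from the thread or from pfSense; it models the two "Edit tunnel" settings as dictionaries (constructed from the posted values, with the corrected 192.168.1.0/24 and 192.168.2.0/24 networks), flags a remote subnet that is really a netmask, confirms the two ends mirror each other, and then parses the posted racoon log lines to see whether the policies racoon installed match the tunnel's traffic selectors. The function names and the dictionary layout are this example's own choices, not pfSense's.

```python
import ipaddress
import re

# Constructed sample configs, modelled on the "Edit tunnel" settings posted in
# the thread after the remote subnets were corrected. Remote gateways are not
# needed for these checks, so the masked 76.XX / 71.XX addresses are omitted.
OFFICE = {
    "name": "Office",
    "local_subnet": "192.168.1.0/24",
    "remote_subnet": "192.168.2.0/24",
    "p1": {"mode": "aggressive", "enc": "Blowfish", "hash": "SHA1", "dh": 1, "lifetime": 28800},
    "p2": {"proto": "ESP", "enc": "Blowfish", "hash": "SHA1", "pfs": "off", "lifetime": 28800},
}
HOME = dict(OFFICE, name="Home", local_subnet="192.168.2.0/24", remote_subnet="192.168.1.0/24")

# racoon lines copied from the thread (office side, after the subnet fix)
RACOON_LOG = """\
May 22 10:32:53 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.2.0/24[0] proto=any dir=out
May 22 10:32:53 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.1.1/32[0] 192.168.1.0/24[0] proto=any dir=out
May 22 10:32:53 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.2.0/24[0] 192.168.1.0/24[0] proto=any dir=in
May 22 10:32:53 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.1.1/32[0] proto=any dir=in
""".splitlines()


def is_netmask_like(addr):
    """True if addr is a contiguous netmask such as 255.255.252.0, i.e. the
    kind of value that was typed into "Remote subnet" by mistake."""
    m = int(ipaddress.IPv4Address(addr))
    # a contiguous mask is 1...10...0 in binary; OR-ing it with m-1 fills the zeros
    return m != 0 and (m | (m - 1)) == 0xFFFFFFFF


def validate_pair(a, b):
    """Return the problems found in two tunnel definitions that should mirror
    each other: a's remote subnet is b's local subnet and proposals are equal."""
    problems = []
    for side in (a, b):
        for key in ("local_subnet", "remote_subnet"):
            net = ipaddress.ip_network(side[key], strict=False)
            if is_netmask_like(str(net.network_address)):
                problems.append(f"{side['name']}: {key} {side[key]} looks like a netmask, not a network")
    for x, y in ((a, b), (b, a)):
        if ipaddress.ip_network(x["remote_subnet"], strict=False) != ipaddress.ip_network(y["local_subnet"], strict=False):
            problems.append(f"{x['name']} remote subnet {x['remote_subnet']} != {y['name']} local subnet {y['local_subnet']}")
    for phase in ("p1", "p2"):
        if a[phase] != b[phase]:
            problems.append(f"{phase} proposals differ: {a[phase]} vs {b[phase]}")
    return problems


# src[port] dst[port] proto=... dir=in|out, as printed in the posted log lines
POLICY_RE = re.compile(r"replace it: (\S+)\[\d+\] (\S+)\[\d+\] proto=\S+ dir=(in|out)")


def parse_racoon_policies(lines):
    """Extract (src, dst, direction) triples from racoon SPD log lines."""
    found = set()
    for line in lines:
        m = POLICY_RE.search(line)
        if m:
            found.add(m.groups())
    return found


def expected_policies(side):
    """SPD entries a tunnel should produce: local->remote out, remote->local in."""
    return {
        (side["local_subnet"], side["remote_subnet"], "out"),
        (side["remote_subnet"], side["local_subnet"], "in"),
    }


def spd_report(side, lines):
    """Compare the tunnel's expected policies with those racoon reported."""
    seen = parse_racoon_policies(lines)
    want = expected_policies(side)
    return {"present": want & seen, "missing": want - seen, "other": seen - want}


if __name__ == "__main__":
    print("config problems:", validate_pair(OFFICE, HOME) or "none")
    broken = dict(OFFICE, remote_subnet="255.255.252.0/32")  # the original typo
    print("with the original typo:", validate_pair(broken, HOME))
    print("SPD report (office):", spd_report(OFFICE, RACOON_LOG))
```

Run as is, the script reports no problems for the corrected pair, flags the original "255.255.252.0 / 32" entry as a netmask, and shows that both policies for the tunnel's selectors are present in the log; the two remaining /32 entries fall under "other" because they do not belong to the LAN-to-LAN selector pair. An SPD entry being present says only that a policy exists, which is the SPD/SAD distinction moffl made earlier: the log confirms policy, not a negotiated security association.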

                    I reduced the lifetime on both ends, and now get this error in the logs:

                    On the home side:

                    May 22 12:26:10 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.2.5/32[0] 192.168.2.0/24[0] proto=any dir=out
                    May 22 12:26:10 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.2.0/24[0] 192.168.2.5/32[0] proto=any dir=in

                    On the office side:

                    May 22 12:26:07 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.1.1/32[0] 192.168.1.0/24[0] proto=any dir=out
                    May 22 12:26:07 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.1.1/32[0] proto=any dir=in

                    So for some reason the lifetime reduced the errors to one pair set on each side, whereas earlier it was two pair sets on each side.

                    Still get nothing on the SAD and Overview. Just says "No IPsec security associations."
                    Which leads me to believe I'm leaving something out…?

                    Help!

                    Thanks!

                    NoDoze (May 22, 2008, 8:56 PM)

                      Ok, disregard that last post… It went back to the way it was...

                      Seems like PF keeps trying to make the connection but gets different responses?

                      Anyways, I still can't get it to work...

                      heiko (May 22, 2008, 9:13 PM)

                        all ipsec endpoints are pfsense? if so, are they static or dynamic?

                        NoDoze (May 22, 2008, 9:21 PM)

                          PF to PF both sides…
                          the office is a static, the home a dynamic, but has never changed in 4 years.
                          PF on both sides are setup static.

                          NoDoze (May 22, 2008, 11:04 PM)

                            Ok, just to see if I could get it to work…I setup another IPsec tunnel, this time an internal one...
                            ...I still get the same errors in the logs:

                            May 22 22:58:49 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.25.0/24[0] 192.168.1.0/24[0] proto=any dir=out
                            May 22 22:58:49 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.25.1/32[0] 192.168.25.0/24[0] proto=any dir=out
                            May 22 22:58:49 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.25.0/24[0] proto=any dir=in
                            May 22 22:58:49 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.25.0/24[0] 192.168.25.1/32[0] proto=any dir=in

                            Can anyone make sense of this? (no pun intended)

                            Thanks!

                            heiko (May 23, 2008, 12:24 PM; edited May 23, 2008, 12:35 PM)

                              both on 1.2? / Unknown Gateway says that comes from a dynamic endpoint, nothing more

                              I would work for example on the static side with the option "mobile clients enable" so the pf on the dynamic side
                              works as it should. ;)

                              NoDoze (May 23, 2008, 3:27 PM)

                                Yup!…. both 1.2...

                                Are you saying for the dynamic setup "mobile clients" needs to be enabled...?

                                Well, I do have it enabled...on both sides....but it still isn't making the tunnel...

                                Any other ideas...?

                                NoDoze (May 23, 2008, 5:08 PM)

                                  WOOT! 'bout half an hour later we have CONNECTION! YES!
                                  Thank you! Thank you! Thank you!

                                  …All I did was just let it sit idle... the error log cleared out....I pinged, and then the logs showed CONNECTION ESTABLISHED!

                                  YES!

                                  So...why does it take so long for it to connect....?

                                  Thanks for the help!

                                  heiko (May 23, 2008, 6:34 PM)

                                    mobile client ipsec issue in 1.2 -> in 1.21 that is fixed

                                    NoDoze (May 23, 2008, 6:50 PM)

                                      Cool!

                                      Thanks!
