Netgate Discussion Forum

    First timer/newbie IPSec VPN….

    IPsec
    • NoDoze

      I reduced the lifetime on both ends, and now get this error in the logs:

      On the home side:

      May 22 12:26:10 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.2.5/32[0] 192.168.2.0/24[0] proto=any dir=out
      May 22 12:26:10 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.2.0/24[0] 192.168.2.5/32[0] proto=any dir=in

      On the office side:

      May 22 12:26:07 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.1.1/32[0] 192.168.1.0/24[0] proto=any dir=out
      May 22 12:26:07 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.1.1/32[0] proto=any dir=in

      So for some reason the lifetime reduced the errors to one pair set on each side, whereas earlier it was two pair sets on each side.

      Still get nothing on the SAD and Overview. Just says "No IPsec security associations."
      Which leads me to believe I'm leaving something out…?

      Help!

      Thanks!

      • NoDoze

        Ok, disregard that last post… It went back to the way it was...

        Seems like PF keeps trying to make the connection but gets different responses?

        Anyways, I still can't get it to work...

        • heiko

          Are all IPsec endpoints pfSense? If so, are they static or dynamic?

          • NoDoze

            PF to PF both sides…
            the office is a static, the home a dynamic, but has never changed in 4 years.
            PF on both sides are setup static.

            • NoDoze

              Ok, just to see if I could get it to work…I setup another IPsec tunnel, this time an internal one...
              ...I still get the same errors in the logs:

              May 22 22:58:49 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.25.0/24[0] 192.168.1.0/24[0] proto=any dir=out
              May 22 22:58:49 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.25.1/32[0] 192.168.25.0/24[0] proto=any dir=out
              May 22 22:58:49 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.25.0/24[0] proto=any dir=in
              May 22 22:58:49 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.25.0/24[0] 192.168.25.1/32[0] proto=any dir=in

              Can anyone make sense of this? (no pun intended)

              Thanks!

              • heiko
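As an added example (not from the thread), a small parser over the racoon lines quoted in the post above: it pulls src, dst, proto and direction out of each "such policy already exists" message and checks that the policies pair up, i.e. every dir=out policy has a dir=in mirror with src and dst swapped. Run on the four lines it reports two mirrored pairs and nothing unmatched, which tells you the log is showing the same policy set being re-installed rather than two conflicting tunnels. The log text is constructed inline from the post.

```python
import re
from collections import namedtuple

# Constructed sample: the four racoon lines quoted in the post above.
RACOON_LOG = """\
May 22 22:58:49 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.25.0/24[0] 192.168.1.0/24[0] proto=any dir=out
May 22 22:58:49 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.25.1/32[0] 192.168.25.0/24[0] proto=any dir=out
May 22 22:58:49 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.25.0/24[0] proto=any dir=in
May 22 22:58:49 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.25.0/24[0] 192.168.25.1/32[0] proto=any dir=in
"""

Policy = namedtuple("Policy", "src dst proto direction")

# Message tail is: src[port] dst[port] proto=<p> dir=<in|out>; [0] is the port selector (0 = any).
POLICY_RE = re.compile(
    r"such policy already exists\. anyway replace it: "
    r"(?P<src>\S+?)\[\d+\] (?P<dst>\S+?)\[\d+\] proto=(?P<proto>\S+) dir=(?P<dir>in|out)"
)


def parse_policies(text):
    """Extract SPD policies from racoon log text; lines without the message are skipped."""
    policies = []
    for line in text.splitlines():
        m = POLICY_RE.search(line)
        if m:
            policies.append(Policy(m["src"], m["dst"], m["proto"], m["dir"]))
    return policies


def pair_policies(policies):
    """Match each dir=out policy with its dir=in mirror (src/dst swapped, same proto).
    Returns (pairs, unmatched): unmatched lists policies with no mirror in either direction."""
    outs = [p for p in policies if p.direction == "out"]
    ins = {(p.src, p.dst, p.proto): p for p in policies if p.direction == "in"}
    pairs, unmatched = [], []
    for out_pol in outs:
        mirror = ins.pop((out_pol.dst, out_pol.src, out_pol.proto), None)
        if mirror is not None:
            pairs.append((out_pol, mirror))
        else:
            unmatched.append(out_pol)
    unmatched.extend(ins.values())  # inbound policies nobody claimed
    return pairs, unmatched


if __name__ == "__main__":
    pairs, unmatched = pair_policies(parse_policies(RACOON_LOG))
    for out_pol, in_pol in pairs:
        print(f"pair: {out_pol.src} <-> {out_pol.dst} (proto={out_pol.proto})")
    print(f"{len(pairs)} mirrored pair(s), {len(unmatched)} unmatched policy line(s)")
```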

                Both on 1.2? / "Unknown Gateway" says that it comes from a dynamic endpoint, nothing more.

                I would work for example on the static side with the option "mobile clients enable" so the pf on the dynamic side
                works as it should. ;)

                • NoDoze

                  Yup!…. both 1.2...

                  Are you saying for the dynamic setup "mobile clients" needs to be enabled...?

                  Well, I do have it enabled...on both sides....but it still isn't making the tunnel...

                  Any other ideas...?

                  • NoDoze

                    WOOT! 'bout half an hour later we have CONNECTION! YES!
                    Thank you! Thank you! Thank you!

                    …All I did was just let it sit idle... the error log cleared out....I pinged, and then the logs showed CONNECTION ESTABLISHED!

                    YES!

                    So...why does it take so long for it to connect....?

                    Thanks for the help!

                    • heiko

                      Mobile client IPsec issue in 1.2 -> in 1.21 that is fixed.

                      • NoDoze

                        Cool!

                        Thanks!

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.