Netgate Discussion Forum

    IPsec tunnel between dhcp and NATed PFsense boxes

    SpaceBass

      Hey Folks,
      I have a tricky one…
      For the past 24 months I have had a working tunnel b/t SiteA (static IP) and SiteB (static, but PF was behind a 1:1 NAT).

      Recently SiteA had to move to a DHCP connection on the WAN side. That was a fairly smooth transition, however it has left me without a working IPsec tunnel. I am hoping there is a user error quotient here and that the combination of NAT and DHCP is not a deal breaker.

      Again, both SiteA and SiteB are pfSense, both running 1.2

      SiteA(DHCP) ---internet--Cisco Router(Public IP)...1:1nat...SiteB

      There is no port blocking b/t the cisco router and SiteB's pfsense

      The first question I have is what to use for identifier? In the logs of SiteB (see below) it seems to be trying to use the WAN IP (which is a private IP).

      I'll post the logs below. Thanks in advance for any thoughts, tips or suggestions!

      SiteA IPsec Log:

      Last 50 IPSEC log entries
      Apr 24 17:51:46 	racoon: INFO: unsupported PF_KEY message REGISTER
      Apr 24 17:51:46 	racoon: INFO: fe80::218:1ff:fe30:c961%dc0[500] used as isakmp port (fd=28)
      Apr 24 17:51:46 	racoon: INFO: 72.84.xxx.zzz[500] used as isakmp port (fd=27)
      Apr 24 17:51:46 	racoon: INFO: 10.1.2.1[500] used as isakmp port (fd=26)
      Apr 24 17:51:46 	racoon: INFO: fe80::280:c8ff:feb9:6d8e%dc1[500] used as isakmp port (fd=25)
      Apr 24 17:51:46 	racoon: INFO: 10.1.20.1[500] used as isakmp port (fd=24)
      Apr 24 17:51:46 	racoon: INFO: fe80::280:c8ff:feb9:6d8f%dc2[500] used as isakmp port (fd=23)
      Apr 24 17:51:46 	racoon: INFO: 10.1.1.1[500] used as isakmp port (fd=22)
      Apr 24 17:51:46 	racoon: INFO: fe80::230:48ff:fe41:135%fxp1[500] used as isakmp port (fd=21)
      Apr 24 17:51:46 	racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=20)
      Apr 24 17:51:46 	racoon: INFO: ::1[500] used as isakmp port (fd=19)
      Apr 24 17:51:46 	racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=18)
      Apr 24 17:51:46 	racoon: INFO: fe80::218:1ff:fe30:c961%tun0[500] used as isakmp port (fd=17)
      Apr 24 17:51:46 	racoon: INFO: 10.50.1.1[500] used as isakmp port (fd=16)
      Apr 24 17:43:52 	racoon: INFO: unsupported PF_KEY message REGISTER
      Apr 24 17:43:52 	racoon: INFO: fe80::218:1ff:fe30:c961%dc0[500] used as isakmp port (fd=27)
      Apr 24 17:43:52 	racoon: INFO: 72.84.xxx.zzz[500] used as isakmp port (fd=26)
      Apr 24 17:43:52 	racoon: INFO: 10.1.2.1[500] used as isakmp port (fd=25)
      Apr 24 17:43:52 	racoon: INFO: fe80::280:c8ff:feb9:6d8e%dc1[500] used as isakmp port (fd=24)
      Apr 24 17:43:52 	racoon: INFO: 10.1.20.1[500] used as isakmp port (fd=23)
      Apr 24 17:43:52 	racoon: INFO: fe80::280:c8ff:feb9:6d8f%dc2[500] used as isakmp port (fd=22)
      

      SiteB's Log:

      Last 50 IPSEC log entries
      Apr 24 14:15:08 	racoon: [Richmond]: INFO: phase2 sa deleted 172.15.1.2-72.84.xxx.zzz
      Apr 24 14:15:07 	racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
      Apr 24 14:15:07 	racoon: [Richmond]: INFO: phase2 sa expired 172.15.1.2-72.84.xxx.zzz
      Apr 24 14:14:40 	racoon: [Richmond]: INFO: phase2 sa deleted 172.15.1.2-72.84.xxx.zzz
      Apr 24 14:14:39 	racoon: INFO: begin Aggressive mode.
      Apr 24 14:14:39 	racoon: [Richmond]: INFO: initiate new phase 1 negotiation: 172.15.1.2[500]<=>72.84.xxx.zzz[500]
      Apr 24 14:14:39 	racoon: [Richmond]: INFO: IPsec-SA request for 72.84.xxx.zzz queued due to no phase1 found.
      Apr 24 14:14:39 	racoon: [Richmond]: INFO: phase2 sa expired 172.15.1.2-72.84.xxx.zzz
      Apr 24 14:14:28 	racoon: ERROR: phase1 negotiation failed due to time up. 8e634588f2063f20:0000000000000000
      Apr 24 14:14:09 	racoon: INFO: delete phase 2 handler.
      Apr 24 14:14:09 	racoon: [Richmond]: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 72.84.xxx.zzz[0]->172.15.1.2[0]
      Apr 24 14:14:09 	racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
      Apr 24 14:14:09 	racoon: [Richmond]: INFO: phase2 sa expired 172.15.1.2-72.84.xxx.zzz
      Apr 24 14:13:39 	racoon: [Richmond]: INFO: phase2 sa deleted 172.15.1.2-72.84.xxx.zzz
      Apr 24 14:13:38 	racoon: INFO: begin Aggressive mode.
      Apr 24 14:13:38 	racoon: [Richmond]: INFO: initiate new phase 1 negotiation: 172.15.1.2[500]<=>72.84.xxx.zzz[500]
      Apr 24 14:13:38 	racoon: [Richmond]: INFO: IPsec-SA request for 72.84.xxx.zzz queued due to no phase1 found.
      Apr 24 14:13:38 	racoon: [Richmond]: INFO: phase2 sa expired 172.15.1.2-72.84.xxx.zzz
      Apr 24 14:13:32 	racoon: ERROR: phase1 negotiation failed due to time up. 1b79f713d733e7b0:0000000000000000
      Apr 24 14:13:13 	racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
      Apr 24 14:13:13 	racoon: INFO: delete phase 2 handler.
      Apr 24 14:13:13 	racoon: [Richmond]: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 72.84.xxx.zzz[0]->172.15.1.2[0]
      Apr 24 14:12:43 	racoon: [Richmond]: INFO: phase2 sa deleted 172.15.1.2-72.84.xxx.zzz
      Apr 24 14:12:42 	racoon: INFO: begin Aggressive mode.
      Apr 24 14:12:42 	racoon: [Richmond]: INFO: initiate new phase 1 negotiation: 172.15.1.2[500]<=>72.84.xxx.zzz[500]
      Apr 24 14:12:42 	racoon: [Richmond]: INFO: IPsec-SA request for 72.84.xxx.zzz queued due to no phase1 found.
      Apr 24 14:12:42 	racoon: [Richmond]: INFO: phase2 sa expired 172.15.1.2-72.84.xxx.zzz
      Apr 24 14:12:28 	racoon: ERROR: phase1 negotiation failed due to time up. 5e13eeca2f6b5b9e:0000000000000000
      Apr 24 14:12:13 	racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
      Apr 24 14:12:09 	racoon: INFO: delete phase 2 handler.
      
      hoba
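      A small triage script for racoon logs like the two quoted above, added here as an example and not part of this thread or of pfSense: it counts phase 1 attempts, timeouts and successes, and checks whether either IKE endpoint is an RFC 1918 address, which is the point the identifier question turns on (a NATed box cannot use its own WAN address as its identifier, because the peer never sees that address). The sample lines are constructed from the message formats in the thread, using RFC 5737 documentation addresses and made-up ISAKMP cookies; the function names and finding tags are mine.

```python
"""Triage a racoon (IKEv1) log for a tunnel whose phase 1 never completes.

Example code added for this thread; not pfSense's own tooling. The sample log
below is constructed, using RFC 5737 documentation addresses.
"""
import ipaddress
import re
import sys

# Constructed sample modelled on the message formats quoted in the thread.
SAMPLE_LOG = """\
Apr 24 14:14:39 \tracoon: INFO: begin Aggressive mode.
Apr 24 14:14:39 \tracoon: [Richmond]: INFO: initiate new phase 1 negotiation: 192.168.1.2[500]<=>203.0.113.10[500]
Apr 24 14:14:39 \tracoon: [Richmond]: INFO: IPsec-SA request for 203.0.113.10 queued due to no phase1 found.
Apr 24 14:14:28 \tracoon: ERROR: phase1 negotiation failed due to time up. 0011223344556677:0000000000000000
Apr 24 14:13:38 \tracoon: [Richmond]: INFO: initiate new phase 1 negotiation: 192.168.1.2[500]<=>203.0.113.10[500]
Apr 24 14:13:32 \tracoon: ERROR: phase1 negotiation failed due to time up. 8899aabbccddeeff:0000000000000000
Apr 24 14:13:13 \tracoon: [Richmond]: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 203.0.113.10[0]->192.168.1.2[0]
"""

# racoon message fragments that matter when a tunnel never comes up.
PHASE1_START = re.compile(
    r"initiate new phase 1 negotiation: "
    r"(?P<local>[0-9.]+)\[\d+\]<=>(?P<peer>[0-9.]+)\[\d+\]"
)
PHASE1_TIMEOUT = re.compile(r"phase1 negotiation failed due to time up")
PHASE1_OK = re.compile(r"ISAKMP-SA established")
AGGRESSIVE = re.compile(r"begin Aggressive mode")
NO_PHASE1 = re.compile(r"queued due to no phase1 found")

# RFC 1918 ranges checked explicitly: ipaddress's is_private also covers the
# documentation blocks and other special-purpose ranges, which is not the
# question being asked here.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True if addr falls inside one of the three RFC 1918 private blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def summarize(lines):
    """Count phase 1 events and record the endpoint pairs racoon negotiated with."""
    summary = {
        "endpoints": set(),
        "phase1_attempts": 0,
        "phase1_timeouts": 0,
        "phase1_established": 0,
        "queued_no_phase1": 0,
        "aggressive": False,
    }
    for line in lines:
        m = PHASE1_START.search(line)
        if m:
            summary["phase1_attempts"] += 1
            summary["endpoints"].add((m["local"], m["peer"]))
        if PHASE1_TIMEOUT.search(line):
            summary["phase1_timeouts"] += 1
        if PHASE1_OK.search(line):
            summary["phase1_established"] += 1
        if NO_PHASE1.search(line):
            summary["queued_no_phase1"] += 1
        if AGGRESSIVE.search(line):
            summary["aggressive"] = True
    return summary


def diagnose(summary):
    """Turn the counts into short, sortable finding tags."""
    findings = set()
    if summary["phase1_timeouts"] and not summary["phase1_established"]:
        # Repeated 'time up' with no ISAKMP-SA: the peer never answers, or it
        # answers with an identity or proposal this side rejects. The phase 2
        # errors that follow are only consequences of this.
        findings.add("phase1_never_completes")
    for local, peer in summary["endpoints"]:
        if is_rfc1918(local):
            # This box sits behind NAT, so the peer sees a different source IP:
            # an IP-address identifier cannot match, and UDP 500/4500 must be
            # forwarded to it (NAT-T).
            findings.add(f"local_endpoint_rfc1918:{local}")
        if is_rfc1918(peer):
            findings.add(f"peer_endpoint_rfc1918:{peer}")
    if summary["aggressive"]:
        # Aggressive mode with a pre-shared key exposes material that lets the
        # key be attacked offline; use a long random PSK or certificates.
        findings.add("aggressive_mode_psk_risk")
    return sorted(findings)


if __name__ == "__main__":
    # Pass a saved racoon log as the first argument, or run on the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    s = summarize(text.splitlines())
    print({k: (sorted(v) if isinstance(v, set) else v) for k, v in s.items()})
    for f in diagnose(s):
        print("finding:", f)
```

      Run it over a saved copy of the IPsec log from either box; on the sample it reports two phase 1 attempts, two timeouts, no established ISAKMP-SA, and flags the 192.168.1.2 side as NATed. A log whose only endpoints are public addresses and whose only finding is `phase1_never_completes` points at a mismatch in proposals or identifiers rather than at NAT.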

        Create an identifier at siteA-pfSense and make siteB-pfSense use it. You'll have to use aggressive mode for this. Btw, this won't work reliably if siteA's IP is changing. Dynamic to Dynamic Tunnels are not supported.

          SpaceBass

          Hoba - thanks for the quick reply

          So just set the identifier to anything I want on siteA, ABC123 for example and use ABC123 as the same identifier on SiteB?
          That's how it is setup now (including set to Aggressive). I've been using domain name (abc.com) for both, I'll try the other options and see what I get.

          The good news is that this is dynamic to static, but the static is behind a NAT … and, knock on wood, the dynamic has not changed once in several months...

            SpaceBass

            Here I am, three months and still no site-to-site VPN…
            I've given up on each (IPsec and OVPN) and switched back and forth so many times that I'm starting to think there is just something wrong with the hardware involved.

            I'm back trying to make IPsec work - according to the logs, SiteB is still failing to complete phase 2 ...

            As for identifier, the only thing I think I can use is user FQDN ... so I made up: vpn@nsnet.local and I'm using that on both sides.

            Anyone have any ideas?

              SpaceBass

              I cannot explain it but things just started working…
              I didn't make any changes, but after letting it sit a few days, the tunnel just came up on its own.

              Thanks for all the great help from this thread - I'm sure it was something from here that was the cure!

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.