Access Opt1 network from different subnets
-
On pfsense1 (10.25.18.0/24) the IPSec tunnel is as follows
Interface: WAN
NAT-T: Disabled
DPD interval: BLANK
Local Subnet: LAN Subnet
Remote Subnet: 10.25.19.0/24
Remote Gateway: xxx.xxx.com
–------
Negotiation mode: main
My Identifier: My IP Address
Encryption Algorithm: 3DES
Hash Algorithm: SHA1
DH Key Group: 2 (1024 bit)
Lifetime: BLANK
Authentication Method: Preshared Key
Pre-Shared Key: xxxxxxxxxx
Certificate: BLANK
Key: BLANK
Peer Certificate: BLANKProtocol: ESP
Encryption Algorithms: 3DES, Blowfish, CAST128, Rijndael (AES), Rijndael 256
Hash Algorithms: SHA1, MD5
PFS Key Group: OFF
Lifetime: BLANK
Keep Alive: 10.25.19.254pfsense2 is setup the same way just just with the correct subnet and gateway information changed. I did try and create a VPN tunnel just a few minutes ago from pfsense1 to pfsense2 using the opt interface information on pfsense2. It connected but did not allow any traffic thru because I could not ping 10.25.22.254 or the switch 10.25.22.253
-
Good. You do need this second tunnel.
Did you allow ICMP to 192.10.25.22.0/24 in rules at LAN on pfSense1 and at IPSEC interface on pfSense2?
If yes then you should be able to ping at least 192.10.25.22.x pfSense2 interface. -
I have the rules on the IPSec tunnels to allow anything to come in and out from the tunnels. I attached my IPSEC firewall page so you can look at it. Ive already tried to create a IPSec tunnel to the second network on pfsense2 but it wasnt allowing any traffic.
The IPSec Rules are identical on every pfsense box I setup. I also attached the WAN Firewalls rules for the pfsense1 box and the LAN rules are set basically like the IPSec rules with the source as LAN Subnet and allow all.
-
As you are trying to reach 10.25.22.0/24 from 10.25.18.0/24 it would be interesting to look at rules you have at the interface connected to 10.25.18.0/24 network (LAN I suspect). pfSense apply rules whe a packet enters pfSense not when it leaves.
-
Here is the LAN Rules for pfsense1 - 10.25.18.0
-
Here are the LAN Rules for both pfsense2 subnets - 10.25.19.0 & 10.25.22.0
-
and here are the WAN and IPSec rules for pfsense2.
-
Ok. Please from both pfSenses
setkey -D
setkey -DPAnd at pfSense1 run continuous ping to 10.25.22.x (ip address of the pfSense2 interface).
At the same time at pfSense2 runtcpdump -i <wan int="">-n esp</wan>
where <wan int="">is WAN interface name.</wan>
-
so in the console I need to this on both pfsenses?
-
console or ssh session. (it's kind of hard to copy-paste) from console…
-
OK i ssh into each box what option do I use to do all this. I will post back in a second
-
Install Putty software http://www.putty.org/
then Enable Secure Shell on both pfSenses System->Advanced
Connect to the box with root and your password and choose 8) shell.
CAREFUL! you can destroy the system, you have full power now.
Now you can execute commands I gave you earlier.
I've never used php console, so I can't not tell you how to use it, but I suspect it gives you the same result as the method described above. -
this is what came from pfsense2.
13:38:53.031131 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e31), length 76
13:38:53.034763 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7c2), length 340
13:38:53.039349 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e32), length 428
13:38:53.053124 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7c3), length 156
13:38:53.053743 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e33), length 132
13:38:53.066648 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7c4), length 180
13:38:53.068800 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e34), length 212
13:38:53.086310 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7c5), length 1480
13:38:53.087144 IP 74.192.197.63 > 74.197.181.236: esp
13:38:53.088697 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7c6), length 404
13:38:53.090259 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e35), length 76
13:38:53.091378 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e36), length 124
13:38:53.108205 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7c7), length 140
13:38:53.108915 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e37), length 380
13:38:53.122254 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7c8), length 316
13:38:53.125367 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e38), length 124
13:38:53.138263 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7c9), length 140
13:38:53.138804 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e39), length 212
13:38:53.154298 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7ca), length 300
13:38:53.156573 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e3a), length 244
13:38:53.170306 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7cb), length 268
13:38:53.171327 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e3b), length 228
13:38:53.184349 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7cc), length 396
13:38:53.186403 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e3c), length 244
13:38:53.200359 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7cd), length 268
13:38:53.201251 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e3d), length 228
13:38:53.214387 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7ce), length 316
13:38:53.216420 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e3e), length 244
13:38:53.230397 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7cf), length 348
13:38:53.231298 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e3f), length 260
13:38:53.244431 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7d0), length 348
13:38:53.246330 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e40), length 276
13:38:53.272971 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7d1), length 348
13:38:53.274156 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e41), length 260
13:38:53.287994 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7d2), length 268
13:38:53.289870 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e42), length 244
13:38:53.304015 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7d3), length 316
13:38:53.304953 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e43), length 228
13:38:53.332548 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7d4), length 268
13:38:53.334488 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e44), length 244
13:38:53.346070 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7d5), length 268
13:38:53.346821 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e45), length 228
13:38:53.360599 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7d6), length 380
13:38:53.362673 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e46), length 244
13:38:53.382102 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7d7), length 268
13:38:53.383175 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e47), length 244
13:38:53.398635 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7d8), length 116
13:38:53.400207 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e48), length 116
13:38:53.506570 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e49), length 1468
13:38:53.506886 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e4a), length 852
13:38:53.507666 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e4b), length 1468
13:38:53.521700 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e4c), length 804
13:38:53.611921 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7d9), length 84
13:38:53.612580 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e4d), length 1468
13:38:53.612861 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e4e), length 892
13:38:53.615945 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7da), length 84
13:38:53.619934 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7db), length 140
13:38:53.627684 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e4f), length 84
13:38:53.629963 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7dc), length 76
13:38:53.645967 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7dd), length 84
13:38:54.018527 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7de), length 92
13:38:54.019432 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e50), length 92
13:38:54.032020 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7df), length 84
13:38:54.032126 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7e0), length 84
13:38:54.033097 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e51), length 84
13:38:54.033208 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e52), length 84
13:38:54.046040 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7e1), length 76
13:38:54.046143 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7e2), length 76
13:38:54.050057 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7e3), length 212
13:38:54.050818 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e53), length 260
13:38:54.067755 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7e4), length 1480
13:38:54.068554 IP 74.192.197.63 > 74.197.181.236: esp
13:38:54.072097 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7e5), length 460
13:38:54.072635 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e54), length 76
13:38:54.074125 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e55), length 356
13:38:54.091751 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7e6), length 172
13:38:54.092336 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e56), length 132
13:38:54.107664 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7e7), length 180
13:38:54.108376 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e57), length 212
13:38:54.123779 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7e8), length 1480
13:38:54.124631 IP 74.192.197.63 > 74.197.181.236: esp
13:38:54.130687 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7e9), length 412
13:38:54.131174 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e58), length 76
13:38:54.131278 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e59), length 124
13:38:54.150197 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7ea), length 140
13:38:54.150682 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e5a), length 260
13:38:54.166247 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7eb), length 284
13:38:54.166714 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e5b), length 124
13:38:54.183257 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7ec), length 140
13:38:54.183813 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e5c), length 436
13:38:54.196803 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7ed), length 420
13:38:54.197303 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e5d), length 124
13:38:54.211797 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7ee), length 140
13:38:54.212322 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e5e), length 212
13:38:54.227822 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7ef), length 276
13:38:54.228656 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e5f), length 212
13:38:54.242354 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7f0), length 244
13:38:54.242917 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e60), length 196
13:38:54.258384 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7f1), length 372
13:38:54.259049 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e61), length 212
13:38:54.273882 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7f2), length 244
13:38:54.274423 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e62), length 196
13:38:54.290429 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7f3), length 292
13:38:54.291073 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e63), length 212
13:38:54.305925 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7f4), length 244
13:38:54.306454 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e64), length 212
13:38:54.320471 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7f5), length 244
13:38:54.321181 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e65), length 212
13:38:54.335979 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7f6), length 116
13:38:54.336360 IP 74.197.181.236 > 74.192.197.63: ESP(spi=0x03b4fb0d,seq=0x8e66), length 116
13:38:54.501690 IP 74.192.197.63 > 74.197.181.236: ESP(spi=0x0bfa29ed,seq=0xa7f7), length 76
^C
1382 packets captured
3834 packets received by filter
0 packets dropped by kernel -
Ohhh.. I forgot that you have two tunnels… it's impossible to say whether esp packet belongs to the first tunnel or to the second.
What about setkey commands output? -
pfsense1 - 10.25.18.0
setkey -D
74.192.197.63 74.197.181.236
esp mode=any spi=60471947(0x039aba8b) reqid=16391(0x00004007)
E: 3des-cbc 6e0b248a c6e085cc 60d2c785 89fa6591 6e7f1285 e4fbb0d8
A: hmac-sha1 9923d945 c4b2010d 69f84b9e 4b749689 757d22db
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: May 23 13:48:38 2009 current: May 23 13:48:57 2009
diff: 19(s) hard: 28800(s) soft: 23040(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=9 pid=27536 refcnt=1
74.192.197.63 74.197.181.236
esp mode=any spi=233187485(0x0de6289d) reqid=16391(0x00004007)
E: 3des-cbc 2edfdf2c 64a2d7c3 bdb43c01 2216f7ed b190d2c6 67ca09b4
A: hmac-sha1 cfc0db0d b2f053d5 794d1f09 16cbd88b 405515e0
seq=0x00000001 replay=4 flags=0x00000000 state=mature
created: May 23 13:48:33 2009 current: May 23 13:48:57 2009
diff: 24(s) hard: 28800(s) soft: 23040(s)
last: May 23 13:48:38 2009 hard: 0(s) soft: 0(s)
current: 112(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 1 hard: 0 soft: 0
sadb_seq=8 pid=27536 refcnt=2
74.192.197.63 74.197.181.236
esp mode=any spi=221953858(0x0d3abf42) reqid=16393(0x00004009)
E: 3des-cbc af3484af c3fb45be 1351f357 c6c45f15 f79e1505 01aa72e3
A: hmac-sha1 6a24a389 87a9de65 9b055c45 215aacfe 9a1dbc7c
seq=0x000001d3 replay=4 flags=0x00000000 state=mature
created: May 23 13:48:07 2009 current: May 23 13:48:57 2009
diff: 50(s) hard: 28800(s) soft: 23040(s)
last: May 23 13:48:55 2009 hard: 0(s) soft: 0(s)
current: 129416(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 467 hard: 0 soft: 0
sadb_seq=7 pid=27536 refcnt=2
74.197.181.236 74.192.197.63
esp mode=tunnel spi=201338668(0x0c002f2c) reqid=16394(0x0000400a)
E: 3des-cbc f3890148 ec257e0d ceead7f4 57d4855a 2f86672d 82eb2ebd
A: hmac-sha1 5b7b5b75 25e7dc9e 340d5e19 c29c8500 658f5fa8
seq=0x00000191 replay=4 flags=0x00000000 state=mature
created: May 23 13:48:07 2009 current: May 23 13:48:57 2009
diff: 50(s) hard: 28800(s) soft: 23040(s)
last: May 23 13:48:55 2009 hard: 0(s) soft: 0(s)
current: 94969(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 401 hard: 0 soft: 0
sadb_seq=6 pid=27536 refcnt=1
74.197.181.236 74.192.197.63
esp mode=tunnel spi=41187146(0x0274774a) reqid=16392(0x00004008)
E: 3des-cbc 493c8031 7c7027cf 34100863 715a81ef 709dcd21 d9591056
A: hmac-sha1 ef30bdca affca9de 10f0e2b1 441e3427 a4d83664
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: May 23 13:48:38 2009 current: May 23 13:48:57 2009
diff: 19(s) hard: 28800(s) soft: 23040(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=5 pid=27536 refcnt=1
74.197.181.236 74.192.197.63
esp mode=tunnel spi=30718151(0x01d4b8c7) reqid=16392(0x00004008)
E: 3des-cbc 127ffe1a 2b3b6f72 fc1ecebc cb3d9d30 acc1402d 91828761
A: hmac-sha1 d45da5dd 66447eeb 0ac952f5 a59c0b7a eddd710b
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: May 23 13:48:33 2009 current: May 23 13:48:57 2009
diff: 24(s) hard: 28800(s) soft: 23040(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=4 pid=27536 refcnt=1
74.192.197.63 75.9.221.112
esp mode=any spi=3234821474(0xc0cf7562) reqid=16387(0x00004003)
E: 3des-cbc a2293efa 07a9fef0 8719a944 25688c60 284a672b 67645902
A: hmac-sha1 813dab38 2e3fa9bb 451d4ebc 2d4a5883 1a34789b
seq=0x0000a643 replay=4 flags=0x00000000 state=mature
created: May 23 10:28:26 2009 current: May 23 13:48:57 2009
diff: 12031(s) hard: 28800(s) soft: 23040(s)
last: May 23 13:48:51 2009 hard: 0(s) soft: 0(s)
current: 13826576(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 42563 hard: 0 soft: 0
sadb_seq=3 pid=27536 refcnt=2
75.9.221.112 74.192.197.63
esp mode=tunnel spi=115498621(0x06e25e7d) reqid=16388(0x00004004)
E: 3des-cbc 572de107 9721aa59 b4d5c757 669538cf 64e20d38 8442723a
A: hmac-sha1 c737669f a260ba62 f8643bca 20ef0e24 d5740cf1
seq=0x00009377 replay=4 flags=0x00000000 state=mature
created: May 23 10:28:26 2009 current: May 23 13:48:57 2009
diff: 12031(s) hard: 28800(s) soft: 23040(s)
last: May 23 13:48:51 2009 hard: 0(s) soft: 0(s)
current: 6794020(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 37751 hard: 0 soft: 0
sadb_seq=2 pid=27536 refcnt=1
74.192.197.63 74.192.216.72
esp mode=any spi=89425175(0x05548517) reqid=16389(0x00004005)
E: 3des-cbc 352c7456 1735fd46 849d4307 b35dc1e5 ebc47391 ca397dba
A: hmac-sha1 ee096c0a 5ffa6af0 f1e23349 4584ab9a bfc03cea
seq=0x0000a205 replay=4 flags=0x00000000 state=mature
created: May 23 10:25:59 2009 current: May 23 13:48:57 2009
diff: 12178(s) hard: 28800(s) soft: 23040(s)
last: May 23 13:48:50 2009 hard: 0(s) soft: 0(s)
current: 13297208(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 41477 hard: 0 soft: 0
sadb_seq=1 pid=27536 refcnt=2
74.192.216.72 74.192.197.63
esp mode=tunnel spi=62317237(0x03b6e2b5) reqid=16390(0x00004006)
E: 3des-cbc 1df63d33 a1acdccb 8d717591 8af05130 b8d7065e fa9aee41
A: hmac-sha1 862c82d7 6b06e932 f3eadd64 ca5592a7 580e6275
seq=0x00008db4 replay=4 flags=0x00000000 state=mature
created: May 23 10:25:59 2009 current: May 23 13:48:57 2009
diff: 12178(s) hard: 28800(s) soft: 23040(s)
last: May 23 13:48:50 2009 hard: 0(s) soft: 0(s)
current: 6393009(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 36276 hard: 0 soft: 0
sadb_seq=0 pid=27536 refcnt=1setkey -DP
10.25.18.0/24[any] 10.25.18.254[any] any
in none
spid=1 seq=9 pid=27643
refcnt=1
10.25.20.0/24[any] 10.25.18.0/24[any] any
in ipsec
esp/tunnel/75.9.221.112-74.192.197.63/unique#16388
spid=6 seq=8 pid=27643
refcnt=1
10.25.21.0/24[any] 10.25.18.0/24[any] any
in ipsec
esp/tunnel/74.192.216.72-74.192.197.63/unique#16390
spid=8 seq=7 pid=27643
refcnt=1
10.25.22.0/24[any] 10.25.18.0/24[any] any
in ipsec
esp/tunnel/74.197.181.236-74.192.197.63/unique#16392
spid=10 seq=6 pid=27643
refcnt=1
10.25.19.0/24[any] 10.25.18.0/24[any] any
in ipsec
esp/tunnel/74.197.181.236-74.192.197.63/unique#16394
spid=12 seq=5 pid=27643
refcnt=1
10.25.18.254[any] 10.25.18.0/24[any] any
out none
spid=2 seq=4 pid=27643
refcnt=1
10.25.18.0/24[any] 10.25.20.0/24[any] any
out ipsec
esp/tunnel/74.192.197.63-75.9.221.112/unique#16387
spid=5 seq=3 pid=27643
refcnt=1
10.25.18.0/24[any] 10.25.21.0/24[any] any
out ipsec
esp/tunnel/74.192.197.63-74.192.216.72/unique#16389
spid=7 seq=2 pid=27643
refcnt=1
10.25.18.0/24[any] 10.25.22.0/24[any] any
out ipsec
esp/tunnel/74.192.197.63-74.197.181.236/unique#16391
spid=9 seq=1 pid=27643
refcnt=1
10.25.18.0/24[any] 10.25.19.0/24[any] any
out ipsec
esp/tunnel/74.192.197.63-74.197.181.236/unique#16393
spid=11 seq=0 pid=27643
refcnt=1
– -- -- -- --
pfsense2 - 10.25.19.0 & 10.25.22.0setkey -D
74.197.181.236 74.192.197.63
esp mode=any spi=41187146(0x0274774a) reqid=16401(0x00004011)
E: 3des-cbc 493c8031 7c7027cf 34100863 715a81ef 709dcd21 d9591056
A: hmac-sha1 ef30bdca affca9de 10f0e2b1 441e3427 a4d83664
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: May 23 13:48:38 2009 current: May 23 13:50:38 2009
diff: 120(s) hard: 28800(s) soft: 23040(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=9 pid=26490 refcnt=1
74.192.197.63 74.197.181.236
esp mode=tunnel spi=60471947(0x039aba8b) reqid=16402(0x00004012)
E: 3des-cbc 6e0b248a c6e085cc 60d2c785 89fa6591 6e7f1285 e4fbb0d8
A: hmac-sha1 9923d945 c4b2010d 69f84b9e 4b749689 757d22db
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: May 23 13:48:38 2009 current: May 23 13:50:38 2009
diff: 120(s) hard: 28800(s) soft: 23040(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=8 pid=26490 refcnt=1
74.197.181.236 74.192.197.63
esp mode=any spi=30718151(0x01d4b8c7) reqid=16399(0x0000400f)
E: 3des-cbc 127ffe1a 2b3b6f72 fc1ecebc cb3d9d30 acc1402d 91828761
A: hmac-sha1 d45da5dd 66447eeb 0ac952f5 a59c0b7a eddd710b
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: May 23 13:48:33 2009 current: May 23 13:50:38 2009
diff: 125(s) hard: 28800(s) soft: 23040(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=7 pid=26490 refcnt=1
74.192.197.63 74.197.181.236
esp mode=tunnel spi=233187485(0x0de6289d) reqid=16400(0x00004010)
E: 3des-cbc 2edfdf2c 64a2d7c3 bdb43c01 2216f7ed b190d2c6 67ca09b4
A: hmac-sha1 cfc0db0d b2f053d5 794d1f09 16cbd88b 405515e0
seq=0x00000001 replay=4 flags=0x00000000 state=mature
created: May 23 13:48:33 2009 current: May 23 13:50:38 2009
diff: 125(s) hard: 28800(s) soft: 23040(s)
last: May 23 13:48:38 2009 hard: 0(s) soft: 0(s)
current: 80(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 1 hard: 0 soft: 0
sadb_seq=6 pid=26490 refcnt=1
74.197.181.236 75.9.221.112
esp mode=any spi=3379262788(0xc96b7544) reqid=16397(0x0000400d)
E: 3des-cbc 04e34d8b 33d1dfaf 144ebfbe fe894aec 2a9176d8 dca69d10
A: hmac-sha1 c2cb6e07 c69f0e0d 38384cac 9bbc80a5 e45689ef
seq=0x00000e90 replay=4 flags=0x00000000 state=mature
created: May 23 09:48:48 2009 current: May 23 13:50:38 2009
diff: 14510(s) hard: 28800(s) soft: 23040(s)
last: May 23 13:49:43 2009 hard: 0(s) soft: 0(s)
current: 848464(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 3728 hard: 0 soft: 0
sadb_seq=5 pid=26490 refcnt=2
75.9.221.112 74.197.181.236
esp mode=tunnel spi=127481662(0x0799373e) reqid=16398(0x0000400e)
E: 3des-cbc 44ac5d5b 858c76b0 5d9ac25e b3b0256c 1a2b6551 7283f422
A: hmac-sha1 d14f3d7e f9616234 1ecd270e 067a89dd 514aa3a8
seq=0x0000113c replay=4 flags=0x00000000 state=mature
created: May 23 09:48:48 2009 current: May 23 13:50:38 2009
diff: 14510(s) hard: 28800(s) soft: 23040(s)
last: May 23 13:49:43 2009 hard: 0(s) soft: 0(s)
current: 1065056(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 4412 hard: 0 soft: 0
sadb_seq=4 pid=26490 refcnt=1
74.197.181.236 74.192.197.63
esp mode=any spi=201338668(0x0c002f2c) reqid=16391(0x00004007)
E: 3des-cbc f3890148 ec257e0d ceead7f4 57d4855a 2f86672d 82eb2ebd
A: hmac-sha1 5b7b5b75 25e7dc9e 340d5e19 c29c8500 658f5fa8
seq=0x000004e6 replay=4 flags=0x00000000 state=mature
created: May 23 13:48:07 2009 current: May 23 13:50:39 2009
diff: 152(s) hard: 28800(s) soft: 23040(s)
last: May 23 13:50:38 2009 hard: 0(s) soft: 0(s)
current: 276064(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 1254 hard: 0 soft: 0
sadb_seq=3 pid=26490 refcnt=2
74.192.197.63 74.197.181.236
esp mode=tunnel spi=221953858(0x0d3abf42) reqid=16392(0x00004008)
E: 3des-cbc af3484af c3fb45be 1351f357 c6c45f15 f79e1505 01aa72e3
A: hmac-sha1 6a24a389 87a9de65 9b055c45 215aacfe 9a1dbc7c
seq=0x000005b4 replay=4 flags=0x00000000 state=mature
created: May 23 13:48:07 2009 current: May 23 13:50:39 2009
diff: 152(s) hard: 28800(s) soft: 23040(s)
last: May 23 13:50:38 2009 hard: 0(s) soft: 0(s)
current: 369919(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 1460 hard: 0 soft: 0
sadb_seq=2 pid=26490 refcnt=1
74.197.181.236 74.192.216.72
esp mode=any spi=134029274(0x07fd1fda) reqid=16395(0x0000400b)
E: 3des-cbc c082eca1 8e191556 7bb56e70 7ef2672b 47ee316d 94086086
A: hmac-sha1 4346247e 220ffd8c d193751f 6315b637 7a8d5672
seq=0x00001025 replay=4 flags=0x00000000 state=mature
created: May 23 10:16:13 2009 current: May 23 13:50:39 2009
diff: 12866(s) hard: 28800(s) soft: 23040(s)
last: May 23 13:50:38 2009 hard: 0(s) soft: 0(s)
current: 1000728(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 4133 hard: 0 soft: 0
sadb_seq=1 pid=26490 refcnt=2
74.192.216.72 74.197.181.236
esp mode=tunnel spi=118067582(0x0709917e) reqid=16396(0x0000400c)
E: 3des-cbc 6975ebe4 202a4a7b 6afe7045 273f20d3 ff0af353 7498bd43
A: hmac-sha1 34bcc40e 0727fe3d c567b6e1 67f3e3fa 4c7210c8
seq=0x000011e1 replay=4 flags=0x00000000 state=mature
created: May 23 10:16:13 2009 current: May 23 13:50:39 2009
diff: 12866(s) hard: 28800(s) soft: 23040(s)
last: May 23 13:50:38 2009 hard: 0(s) soft: 0(s)
current: 1118602(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 4577 hard: 0 soft: 0
sadb_seq=0 pid=26490 refcnt=1setkey -DP
10.25.19.0/24[any] 10.25.19.254[any] any
in none
spid=7 seq=11 pid=26869
refcnt=1
10.25.18.0/24[any] 10.25.19.0/24[any] any
in ipsec
esp/tunnel/74.192.197.63-74.197.181.236/unique#16392
spid=10 seq=10 pid=26869
refcnt=1
10.25.21.0/24[any] 10.25.19.0/24[any] any
in ipsec
esp/tunnel/74.192.216.72-74.197.181.236/unique#16396
spid=14 seq=9 pid=26869
refcnt=1
10.25.20.0/24[any] 10.25.19.0/24[any] any
in ipsec
esp/tunnel/75.9.221.112-74.197.181.236/unique#16398
spid=16 seq=8 pid=26869
refcnt=1
10.25.18.0/24[any] 10.25.22.0[any] any
in ipsec
esp/tunnel/74.192.197.63-74.197.181.236/unique#16400
spid=18 seq=7 pid=26869
refcnt=1
10.25.18.0/24[any] 10.25.22.0/24[any] any
in ipsec
esp/tunnel/74.192.197.63-74.197.181.236/unique#16402
spid=20 seq=6 pid=26869
refcnt=1
10.25.19.254[any] 10.25.19.0/24[any] any
out none
spid=8 seq=5 pid=26869
refcnt=1
10.25.19.0/24[any] 10.25.18.0/24[any] any
out ipsec
esp/tunnel/74.197.181.236-74.192.197.63/unique#16391
spid=9 seq=4 pid=26869
refcnt=1
10.25.19.0/24[any] 10.25.21.0/24[any] any
out ipsec
esp/tunnel/74.197.181.236-74.192.216.72/unique#16395
spid=13 seq=3 pid=26869
refcnt=1
10.25.19.0/24[any] 10.25.20.0/24[any] any
out ipsec
esp/tunnel/74.197.181.236-75.9.221.112/unique#16397
spid=15 seq=2 pid=26869
refcnt=1
10.25.22.0[any] 10.25.18.0/24[any] any
out ipsec
esp/tunnel/74.197.181.236-74.192.197.63/unique#16399
spid=17 seq=1 pid=26869
refcnt=1
10.25.22.0/24[any] 10.25.18.0/24[any] any
out ipsec
esp/tunnel/74.197.181.236-74.192.197.63/unique#16401
spid=19 seq=0 pid=26869
refcnt=1I think that is everything. It shows the tunnels are all connected but I can not ping 10.25.22.254 from the 10.25.18.0 subnet. I can ping every other subnet but that one
-
That is weird, why would you have this tunnel?
@reynolwi:pfsense1 - 10.25.18.0
setkey -DP
10.25.18.0/24[any] 10.25.18.254[any] any
in none
spid=1 seq=9 pid=27643
refcnt=1
10.25.18.254[any] 10.25.18.0/24[any] any
out none
spid=2 seq=4 pid=27643
refcnt=1And this is weird, again - what is it?
@reynolwi:– -- -- -- --
pfsense2 - 10.25.19.0 & 10.25.22.0setkey -DP
10.25.19.0/24[any] 10.25.19.254[any] any
in none
spid=7 seq=11 pid=26869
refcnt=1
10.25.19.254[any] 10.25.19.0/24[any] any
out none
spid=8 seq=5 pid=26869
refcnt=1But your problem with pings may be here:
@reynolwi:10.25.18.0/24[any] 10.25.22.0/24[any] any
in ipsec
esp/tunnel/74.192.197.63-74.197.181.236/unique#16400
spid=18 seq=7 pid=26869
refcnt=1
10.25.18.0/24[any] 10.25.22.0/24[any] any
in ipsec
esp/tunnel/74.192.197.63-74.197.181.236/unique#16402
spid=20 seq=6 pid=26869
refcnt=110.25.22.0[any] 10.25.18.0/24[any] any
out ipsec
esp/tunnel/74.197.181.236-74.192.197.63/unique#16399
spid=17 seq=1 pid=26869
refcnt=1
10.25.22.0/24[any] 10.25.18.0/24[any] any
out ipsec
esp/tunnel/74.197.181.236-74.192.197.63/unique#16401
spid=19 seq=0 pid=26869
refcnt=1It seems at pfSense2 you have two tunnels interconnecting the same networks. The simpliest thing you can do now - restart ipsec at pfSense2.
-
I do not know why it seems to have a tunnel to itself. I do not see that in the setup. I did finally get traffic to the 10.25.22.0 subnet and now the phone traffic is traveling thru the IPSec tunnel to the 10.25.18.0 subnet to the pbx server.
I had to reboot both systems and something kicked in and now I can access the phones webgui and the phones registered with the server.