Netgate Discussion Forum
    Ipsec

    12 Posts 3 Posters 5.5k Views
    • jimp Rebel Alliance Developer Netgate

      Did you add firewall rules under Firewall > Rules, on the IPsec tab?

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      • rana

        Do you mean this?

        rules.jpg

        • rana

          Also, I hope this helps you to help me. Thank you.

          Feb 8 15:48:26 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established 67.49.xxx.xxx[500]-12.173.xxx.xxx[472] spi:ea5a84ca885ca505:c542fcd1decf936c
          Feb 8 15:48:26 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: 67.49.xxx.xxx[0]<=>12.173.xxx.xxx[0]
          Feb 8 15:48:26 racoon: [Unknown Gateway/Dynamic]: INFO: no policy found, try to generate the policy : 192.168.4.32/32[0] 192.168.1.0/24[0] proto=any dir=in
          Feb 8 15:48:27 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP 12.173.xxx.xxx[0]->67.49.xxx.xxx[0] spi=161391074(0x99ea1e2)
          Feb 8 15:48:27 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP 67.49.xxx.xxx[0]->12.173.xxx.xxx[0] spi=1085753737(0x40b74989)
          Feb 8 15:48:27 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.4.32/32[0] 192.168.1.0/24[0] proto=any dir=in"
          Feb 8 15:48:27 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.1.0/24[0] 192.168.4.32/32[0] proto=any dir=out"
          Feb 8 15:54:16 racoon: INFO: generated policy, deleting it.
          Feb 8 15:54:16 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA expired 67.49.xxx.xxx[500]-12.173.xxx.xxx[472] spi:ea5a84ca885ca505:c542fcd1decf936c
          Feb 8 15:54:17 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA deleted 67.49.xxx.xxx[500]-12.173.xxx.xxx[472] spi:ea5a84ca885ca505:c542fcd1decf936c
          Feb 8 16:13:26 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 67.49.xxx.xxx[500]<=>12.173.xxx.xxx[489]

          • jimp Rebel Alliance Developer Netgate
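As an added example (not part of this thread or of pfSense), a small Python parser over the racoon lines posted above that reconstructs the Phase 1 and Phase 2 SA lifecycle and flags that the ESP SAs were only set up through a policy racoon generated on the fly because no configured policy matched the peer's selectors. The regexes are my assumption about the field layout of this racoon log format; the sample input is the poster's own log text with the addresses masked as posted.

```python
import re
from collections import defaultdict

# The racoon syslog lines posted in the thread (peer addresses masked by the poster).
SAMPLE_LOG = """\
Feb 8 15:48:26 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established 67.49.xxx.xxx[500]-12.173.xxx.xxx[472] spi:ea5a84ca885ca505:c542fcd1decf936c
Feb 8 15:48:26 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: 67.49.xxx.xxx[0]<=>12.173.xxx.xxx[0]
Feb 8 15:48:26 racoon: [Unknown Gateway/Dynamic]: INFO: no policy found, try to generate the policy : 192.168.4.32/32[0] 192.168.1.0/24[0] proto=any dir=in
Feb 8 15:48:27 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP 12.173.xxx.xxx[0]->67.49.xxx.xxx[0] spi=161391074(0x99ea1e2)
Feb 8 15:48:27 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP 67.49.xxx.xxx[0]->12.173.xxx.xxx[0] spi=1085753737(0x40b74989)
Feb 8 15:48:27 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.4.32/32[0] 192.168.1.0/24[0] proto=any dir=in"
Feb 8 15:48:27 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.1.0/24[0] 192.168.4.32/32[0] proto=any dir=out"
Feb 8 15:54:16 racoon: INFO: generated policy, deleting it.
Feb 8 15:54:16 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA expired 67.49.xxx.xxx[500]-12.173.xxx.xxx[472] spi:ea5a84ca885ca505:c542fcd1decf936c
Feb 8 15:54:17 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA deleted 67.49.xxx.xxx[500]-12.173.xxx.xxx[472] spi:ea5a84ca885ca505:c542fcd1decf936c
"""

# Phase 1 (ISAKMP) lifecycle events, keyed by the initiator:responder cookie pair (assumed layout).
ISAKMP_RE = re.compile(r"ISAKMP-SA (\w+) ([^\s\[]+)\[\d+\]-([^\s\[]+)\[\d+\] spi:(\w+):(\w+)")
# Phase 2 (ESP) SAs, one line per direction.
IPSEC_RE = re.compile(r"IPsec-SA established: ESP ([^\s\[]+)\[\d+\]->([^\s\[]+)\[\d+\] spi=(\d+)")
# Selectors racoon had to synthesise because no configured SPD entry matched the peer's proposal.
GENERATED_RE = re.compile(r"no policy found, try to generate the policy : (.+)$")
POLICY_ERR_RE = re.compile(r'ERROR: such policy does not already exist: "([^"]+)"')


def summarize_racoon(log_text):
    """Reconstruct SA state from racoon log lines and return a dict of findings."""
    phase1 = defaultdict(list)
    phase2, generated, errors = [], [], []
    for line in log_text.splitlines():
        if m := ISAKMP_RE.search(line):
            state, _local, _peer, spi_i, spi_r = m.groups()
            phase1[f"{spi_i}:{spi_r}"].append(state)
        elif m := IPSEC_RE.search(line):
            src, dst, spi = m.groups()
            phase2.append((src, dst, int(spi)))
        elif m := GENERATED_RE.search(line):
            generated.append(m.group(1).strip())
        elif m := POLICY_ERR_RE.search(line):
            errors.append(m.group(1))
    findings = []
    if phase1 and not phase2:
        findings.append("Phase 1 up but no Phase 2 SA: check Phase 2 proposals")
    if phase2 and generated:
        findings.append("Phase 2 SAs exist only via a racoon-generated policy: "
                        "the peer's selectors match no configured Phase 2 entry")
    return {"phase1": dict(phase1), "phase2": phase2,
            "generated_policies": generated, "policy_errors": errors,
            "findings": findings}
```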

            @rana:

            Do you mean this?

            The protocol on that rule is set for only TCP. Change that to "Any".

            • rana

              I tried that but no luck. Here are more pics.
              I have been reading the book and I still don't get it. Please help, it's making me go crazy. I think I'm missing some rules or something.

              1.jpg
              2.jpg
              3.jpg

              • jimp Rebel Alliance Developer Netgate

                That all looks right.

                Are you seeing any entries in the firewall log for the times you have tried to ping?

                Is pfSense the default gateway for the PCs you are trying to ping?

                • rana

                  Nothing in the firewall logs, and yes, it's on the default gateway.

                  • jimp Rebel Alliance Developer Netgate

                    Do you have the Dashboard package installed on pfSense? There is an IPsec status widget there which can report the status of mobile tunnels. I wonder if it shows as up/green in that view when the client is connected.

                    • rana

                      Active Tunnels: 0, Inactive Tunnels: 0
                      and nothing under Tunnel Status

                      • rkelleyrtp

                        Can you please tell us exactly what you are trying to accomplish? Are you configuring a site-to-site IPsec tunnel, or are you configuring mobile IPsec clients? Your screenshots seem to indicate you are doing a site-to-site tunnel. If so, what device is at the other end of the tunnel (Cisco, pfSense, etc.)?

                        • rkelleyrtp

                          Sorry, my mistake. Your screen grabs looked just like the site-to-site tunnel config screen.

                          What kind of logs does your client get during tunnel negotiation? What kind of client are you using?

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.