IPSec troubles (solved)
Hello, I have been trying for a while now to get IPsec working between 2 pfSense machines and I just can't figure out why it won't work. Although I don't have a lot of experience with VPN connections, so it might be something really silly.
Background info

PFsense 1 (with loadbalancer)
ip Wan1 81.161.x.x (DHCP static ip)
ip Wan2 Not connected atm
ip lan 172.16.1.136/24
Version: 1.2.3-RC1

PFsense 2 (with loadbalancer, all settings are cloned from pfsense 1)
ip Wan1 Not connected atm
ip Wan2 62.194.x.x (DHCP dynamic ip for test purposes only)
ip lan 172.16.2.136/24
Version: 1.2.3-RELEASE

Something weird also seems to happen when I go to Status:IPsec: there are no rules/tunnels there, it just says: No IPsec security associations.
VPN Config PFSense 1
<ipsec>
  <preferredoldsa/>
  <tunnel>
    <interface>wan</interface>
    <natt/>
    <local-subnet>
      <network>lan</network>
    </local-subnet>
    <remote-subnet>172.16.2.0/24</remote-subnet>
    <remote-gateway>62.194.X.X</remote-gateway>
    <dpddelay>60</dpddelay>
    <p1>
      <mode>aggressive</mode>
      <myident>
        <address>83.161.X.X</address>
      </myident>
      <encryption-algorithm>3des</encryption-algorithm>
      <hash-algorithm>sha1</hash-algorithm>
      <dhgroup>2</dhgroup>
      <lifetime>28800</lifetime>
      <pre-shared-key>S0m3w3rdkey</pre-shared-key>
      <private-key/>
      <cert/>
      <peercert/>
      <authentication_method>pre_shared_key</authentication_method>
    </p1>
    <p2>
      <protocol>esp</protocol>
      <encryption-algorithm-option>3des</encryption-algorithm-option>
      <encryption-algorithm-option>blowfish</encryption-algorithm-option>
      <encryption-algorithm-option>cast128</encryption-algorithm-option>
      <encryption-algorithm-option>rijndael</encryption-algorithm-option>
      <encryption-algorithm-option>rijndael 256</encryption-algorithm-option>
      <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
      <hash-algorithm-option>hmac_md5</hash-algorithm-option>
      <pfsgroup>0</pfsgroup>
      <lifetime>86400</lifetime>
    </p2>
    <descr>Test Tunnel</descr>
  </tunnel>
  <mobilekey>
    <ident>62.194.X.X</ident>
    <pre-shared-key>S0m3w3rdkey</pre-shared-key>
  </mobilekey>
</ipsec>
VPN Config PFSense 2
<ipsec>
  <preferredoldsa/>
  <tunnel>
    <interface>opt1</interface>
    <local-subnet>
      <network>lan</network>
    </local-subnet>
    <remote-subnet>172.16.1.0/24</remote-subnet>
    <remote-gateway>83.161.X.X</remote-gateway>
    <dpddelay>60</dpddelay>
    <p1>
      <mode>aggressive</mode>
      <myident>
        <address>62.194.X.X</address>
      </myident>
      <encryption-algorithm>3des</encryption-algorithm>
      <hash-algorithm>sha1</hash-algorithm>
      <dhgroup>2</dhgroup>
      <lifetime>28800</lifetime>
      <pre-shared-key>S0m3w3rdkey</pre-shared-key>
      <private-key/>
      <cert/>
      <peercert/>
      <authentication_method>pre_shared_key</authentication_method>
    </p1>
    <p2>
      <protocol>esp</protocol>
      <encryption-algorithm-option>3des</encryption-algorithm-option>
      <encryption-algorithm-option>blowfish</encryption-algorithm-option>
      <encryption-algorithm-option>cast128</encryption-algorithm-option>
      <encryption-algorithm-option>rijndael</encryption-algorithm-option>
      <encryption-algorithm-option>aes 256</encryption-algorithm-option>
      <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
      <hash-algorithm-option>hmac_md5</hash-algorithm-option>
      <pfsgroup>0</pfsgroup>
      <lifetime>86400</lifetime>
    </p2>
    <descr>Test Tunnel</descr>
  </tunnel>
  <mobilekey>
    <ident>83.161.X.X</ident>
    <pre-shared-key>S0m3w3rdkey</pre-shared-key>
  </mobilekey>
</ipsec>
After some more debugging and trying to make it work, the log showed me this:

May 23 12:38:11 racoon: ERROR: phase1 negotiation failed due to time up. af7b8f8f50116a1a:0000000000000000
May 23 12:37:52 racoon: INFO: delete phase 2 handler.
May 23 12:37:52 racoon: [Test Tunnel]: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 62.194.X.X[0]->83.161.X.X[0]
May 23 12:37:21 racoon: INFO: begin Aggressive mode.
May 23 12:37:21 racoon: [Test Tunnel]: INFO: initiate new phase 1 negotiation: 83.161.X.X[500]<=>62.194.X.X[500]
May 23 12:37:21 racoon: [Test Tunnel]: INFO: IPsec-SA request for 62.194.X.X queued due to no phase1 found.

Really beginning to wonder what the problem is. Checked if the ISP was blocking port 500, but that wasn't the case.
Solved my problem
PFsense 1 still had its second connection cached (now used for pfSense 2), therefore it expected the wrong IP.
Also ran into not being able to ping, but that was simply adding an ICMP rule. Hope this might help someone else out.
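As an added example (not code from the original post or from pfSense), here is a Python check that reads two pfSense 1.2.x <ipsec> fragments like the ones posted above and verifies that they mirror each other: each side's remote-gateway must equal the peer's myident address, the remote-subnet must equal the peer's LAN, the pre-shared keys, the phase 1 proposal and the phase 2 protocol/PFS/lifetime must match, and the phase 2 algorithm lists must overlap. It also reproduces the fault described in the solution, a stale peer address on pfSense 1, to show what the check reports. The public addresses 83.161.10.10 and 62.194.20.20 stand in for the masked X.X octets and are assumptions, and the CIDR behind <network>lan</network> is supplied by hand since the fragment only names the interface.

```python
# Added example (not from the original post or from pfSense): a mirror-consistency
# check for a pair of pfSense 1.2.x IPsec tunnel fragments like the ones posted.
# The masked octets in the post (83.161.X.X, 62.194.X.X) are replaced by the
# assumed values 83.161.10.10 and 62.194.20.20; everything else follows the post.
import ipaddress
import xml.etree.ElementTree as ET


def tunnel_xml(interface, remote_subnet, remote_gateway, my_address, aes256_name):
    """Build one site's <ipsec> fragment from the values that differ per site."""
    return f"""<ipsec>
  <preferredoldsa/>
  <tunnel>
    <interface>{interface}</interface><natt/>
    <local-subnet><network>lan</network></local-subnet>
    <remote-subnet>{remote_subnet}</remote-subnet>
    <remote-gateway>{remote_gateway}</remote-gateway><dpddelay>60</dpddelay>
    <p1><mode>aggressive</mode><myident><address>{my_address}</address></myident>
      <encryption-algorithm>3des</encryption-algorithm><hash-algorithm>sha1</hash-algorithm>
      <dhgroup>2</dhgroup><lifetime>28800</lifetime>
      <pre-shared-key>S0m3w3rdkey</pre-shared-key>
      <authentication_method>pre_shared_key</authentication_method></p1>
    <p2><protocol>esp</protocol>
      <encryption-algorithm-option>3des</encryption-algorithm-option>
      <encryption-algorithm-option>blowfish</encryption-algorithm-option>
      <encryption-algorithm-option>cast128</encryption-algorithm-option>
      <encryption-algorithm-option>rijndael</encryption-algorithm-option>
      <encryption-algorithm-option>{aes256_name}</encryption-algorithm-option>
      <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
      <hash-algorithm-option>hmac_md5</hash-algorithm-option>
      <pfsgroup>0</pfsgroup><lifetime>86400</lifetime></p2>
    <descr>Test Tunnel</descr>
  </tunnel>
  <mobilekey><ident>{remote_gateway}</ident><pre-shared-key>S0m3w3rdkey</pre-shared-key></mobilekey>
</ipsec>"""


def tunnel_view(xml_text, lan_subnets):
    """Flatten one <ipsec> fragment into the fields that must agree with the peer.
    lan_subnets maps the interface name used in <local-subnet> to its CIDR."""
    root = ET.fromstring(xml_text)
    t = root.find("tunnel")
    p1, p2 = t.find("p1"), t.find("p2")
    return {
        "local_subnet": ipaddress.ip_network(lan_subnets[t.findtext("local-subnet/network")]),
        "remote_subnet": ipaddress.ip_network(t.findtext("remote-subnet")),
        "remote_gateway": t.findtext("remote-gateway"),
        "my_address": p1.findtext("myident/address"),
        "mode": p1.findtext("mode"),
        "auth": p1.findtext("authentication_method"),
        "psk": p1.findtext("pre-shared-key"),
        "p1_proposal": tuple(p1.findtext(k) for k in
                             ("encryption-algorithm", "hash-algorithm", "dhgroup", "lifetime")),
        "p2_enc": {e.text for e in p2.findall("encryption-algorithm-option")},
        "p2_hash": {h.text for h in p2.findall("hash-algorithm-option")},
        "p2_fixed": tuple(p2.findtext(k) for k in ("protocol", "pfsgroup", "lifetime")),
        "mobilekey_ident": root.findtext("mobilekey/ident"),
        "mobilekey_psk": root.findtext("mobilekey/pre-shared-key"),
    }


def check_pair(a, b):
    """Return (errors, warnings). Errors stop phase 1 or phase 2 from completing;
    warnings are settings that negotiate fine but weaken the tunnel."""
    errors, warnings = [], []
    for me, peer, name in ((a, b, "site A"), (b, a, "site B")):
        if me["remote_gateway"] != peer["my_address"]:
            errors.append(f"{name}: remote-gateway {me['remote_gateway']} is not the peer's "
                          f"myident {peer['my_address']}; phase 1 will time out")
        if me["remote_subnet"] != peer["local_subnet"]:
            errors.append(f"{name}: remote-subnet {me['remote_subnet']} is not the peer's LAN "
                          f"{peer['local_subnet']}; phase 2 selectors will not match")
        if me["mobilekey_ident"] != me["remote_gateway"] or me["mobilekey_psk"] != me["psk"]:
            errors.append(f"{name}: mobilekey ident/PSK do not match the tunnel's remote-gateway/PSK")
        if me["mode"] == "aggressive" and me["auth"] == "pre_shared_key":
            warnings.append(f"{name}: aggressive mode with a PSK sends the PSK-derived hash in the "
                            "clear, so a captured IKE exchange can be cracked offline")
    if a["psk"] != b["psk"]:
        errors.append("pre-shared keys differ")
    if a["p1_proposal"] != b["p1_proposal"]:
        errors.append(f"phase 1 proposals differ: {a['p1_proposal']} vs {b['p1_proposal']}")
    if a["p2_fixed"] != b["p2_fixed"]:
        errors.append(f"phase 2 protocol/PFS/lifetime differ: {a['p2_fixed']} vs {b['p2_fixed']}")
    if not (a["p2_enc"] & b["p2_enc"]) or not (a["p2_hash"] & b["p2_hash"]):
        errors.append("no common phase 2 encryption or hash algorithm")
    return errors, warnings


# Constructed from the post's two fragments (assumed public addresses, see top).
PFSENSE1 = tunnel_view(tunnel_xml("wan", "172.16.2.0/24", "62.194.20.20", "83.161.10.10", "rijndael 256"),
                       {"lan": "172.16.1.0/24"})
PFSENSE2 = tunnel_view(tunnel_xml("opt1", "172.16.1.0/24", "83.161.10.10", "62.194.20.20", "aes 256"),
                       {"lan": "172.16.2.0/24"})
# The poster's actual fault: site 1 still pointing at a stale address for the peer.
STALE_PFSENSE1 = dict(PFSENSE1, remote_gateway="62.194.30.30", mobilekey_ident="62.194.30.30")

if __name__ == "__main__":
    for label, pair in (("as posted", (PFSENSE1, PFSENSE2)), ("stale peer", (STALE_PFSENSE1, PFSENSE2))):
        errs, warns = check_pair(*pair)
        print(label, "->", errs or "no blocking mismatches", "|", warns)
```

Run stand-alone, the pair as posted reports no blocking mismatch (the differing "rijndael 256" / "aes 256" labels do not matter because the two phase 2 lists still share 3des, blowfish, cast128 and rijndael) and only the aggressive-mode warning for each side; the stale pair reports the remote-gateway mismatch, which is the shape of failure behind a racoon "phase1 negotiation failed due to time up": the initiator keeps sending to an address where no peer answers. Rerunning the check with the current peer addresses after any WAN change is cheaper than reading racoon logs after the fact.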