Cannot establish pfsense <- -> pfsense ipsec link
-
Hello forum,
I'm trying to set up a test pfsense/pfsense link, but cannot ping across it (SAs are not being established either).
Here's the topology (all networks are /24):
192.168.1.2 --- 192.168.1.1/66.66.66.1 ----- 66.66.66.2/192.168.2.1 ------- 192.168.2.2

All are virtual machines. The left two are on one physical host, the right two are on another physical host. The hosts are connected by a switch. The left pair of VMs are connected by a host-only network, the right pair of VMs are connected by a host-only network. The client machines are SystemRescueCD (using the corresponding pfsense as default gateway), and the pfsenses are v1.2.3-RELEASE.
Both pfsense boxes have the following firewall configuration:
LAN: LAN to anywhere allowed (all protocols)
WAN: anywhere to anywhere allowed (all protocols)
IPSec: anywhere to anywhere allowed (all protocols)

The left pfsense has the following IPsec config:
Interface = WAN
Dead peer = 60 seconds
Local subnet = LAN
Remote subnet = 192.168.2.0/24
Aggressive mode
Identifier = domain name = b.com
Encryption = 3des
Hash = SHA1
DH group = 2
Lifetime = 28800 seconds
Auth method = Preshared Key = "secret key with at least 30 chars"
Protocol = ESP
Algorithms = 3DES + Blowfish + CAST128 + AES + AES-256
Hash = SHA1 + MD5
PFS = off
Lifetime = 86400
Keepalive = 192.168.2.1

The right pfsense has this config (same with reversed local and remote):
Iface = WAN, DPD = 60sec, Local subnet = LAN, Remote subnet = 192.168.1.0/24, Remote gw = 66.66.66.1, aggressive
Identifier = domain = a.com, Encryption = 3des, Hash = SHA1, DH = 2, Lifetime = 28800, Auth = PSK = "secret key with at least 30 chars",
Protocol = ESP, Encryption = 3DES + Blowfish + CAST128 + AES + AES256, Hash = SHA1 + MD5, PFS = off, Lifetime = 86400,
Keepalive = 192.168.1.1

Racoon log on the left pfsense has lines like:
http://www.postimage.org/image.php?v=gx4HYW9

I just don't see why this is not working. It looks like it is not even trying to connect.
When a client tries to ping the other client (each has its respective pfsense as default gateway), it receives Destination Host Unreachable from the pfsense box. Pinging from one pfsense to the other pfsense's internal interface does not receive replies. The pfsenses can ping each other's external interfaces ok.

Thank you in advance.
-
Hi,
1. The pfsense boxes can ping each other on WAN?
2. Go into the web interface of the left pfsense: Diagnostics -> Ping. Ping 192.168.2.1, interface LAN.
3. Look at IPSEC now. You will see some phase 1 negotiations.
4. Post the IPSEC log.
Maybe it's better to specify algos and use standard settings on both sites:
The left pfsense has the following IPsec config:
Interface = WAN
Dead peer = 60 seconds
Local subnet = LAN
Remote subnet = 192.168.2.0/24
Aggressive mode
Identifier = my interface ip
Encryption = 3des
Hash = SHA1
DH group = 2
Lifetime = 28800 seconds
Auth method = Preshared Key = "secret key with at least 30 chars"
Protocol = ESP
Algorithms = 3DES
Hash = SHA1
PFS = off
Lifetime = 86400
Keepalive = 192.168.2.1

cya
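As an added example (not from this thread or from pfSense itself), the following script encodes the two configs posted above and checks that they mirror each other the way a site-to-site tunnel needs: subnets and gateways cross-referenced, phase 1 proposal and PSK identical, at least one common phase 2 proposal, and the keepalive host inside the remote LAN. The dictionary layout is my own and the PSK value is a placeholder.

```python
import ipaddress

# Constructed from the left pfsense config in the thread; PSK is a placeholder.
LEFT = {
    "wan": "66.66.66.1", "remote_gw": "66.66.66.2",
    "local_subnet": "192.168.1.0/24", "remote_subnet": "192.168.2.0/24",
    "mode": "aggressive", "identifier": ("fqdn", "b.com"), "psk": "PLACEHOLDER-PSK",
    "p1": {"enc": "3des", "hash": "sha1", "dh": 2, "lifetime": 28800},
    "p2": {"proto": "esp", "enc": {"3des", "blowfish", "cast128", "aes", "aes256"},
           "hash": {"sha1", "md5"}, "pfs": False, "lifetime": 86400},
    "keepalive": "192.168.2.1",
}
# Right pfsense: same settings with local/remote reversed, as posted.
RIGHT = dict(LEFT, wan="66.66.66.2", remote_gw="66.66.66.1",
             local_subnet="192.168.2.0/24", remote_subnet="192.168.1.0/24",
             identifier=("fqdn", "a.com"), keepalive="192.168.1.1")


def check_site_to_site(a, b):
    """Return a list of findings; an empty list means both ends mirror each other."""
    findings = []
    for x, y, side in ((a, b, "left"), (b, a, "right")):
        # Phase 2 selectors, remote gateway and keepalive must point at the other end.
        if x["remote_subnet"] != y["local_subnet"]:
            findings.append(f"{side}: remote subnet {x['remote_subnet']} != peer LAN {y['local_subnet']}")
        if x["remote_gw"] != y["wan"]:
            findings.append(f"{side}: remote gateway {x['remote_gw']} != peer WAN {y['wan']}")
        if ipaddress.ip_address(x["keepalive"]) not in ipaddress.ip_network(x["remote_subnet"]):
            findings.append(f"{side}: keepalive {x['keepalive']} is outside {x['remote_subnet']}")
        # In IKEv1 aggressive mode with PSK the responder selects the key by the
        # identity the initiator sends, so a domain-name identifier must be one the
        # peer knows; the reply above recommends the interface IP instead.
        if x["mode"] == "aggressive" and x["identifier"][0] != "ip":
            findings.append(f"{side}: aggressive mode with identifier {x['identifier']}")
    # Phase 1 proposal, mode and PSK must be identical on both ends.
    for key in ("mode", "psk"):
        if a[key] != b[key]:
            findings.append(f"{key} differs")
    for key, v in a["p1"].items():
        if b["p1"][key] != v:
            findings.append(f"phase1 {key}: {v} vs {b['p1'][key]}")
    # Phase 2 only needs one proposal in common, but protocol and PFS must agree.
    if a["p2"]["proto"] != b["p2"]["proto"] or a["p2"]["pfs"] != b["p2"]["pfs"]:
        findings.append("phase2 protocol/PFS differs")
    if not (a["p2"]["enc"] & b["p2"]["enc"]) or not (a["p2"]["hash"] & b["p2"]["hash"]):
        findings.append("phase2: no common encryption or hash algorithm")
    return findings


if __name__ == "__main__":
    for line in check_site_to_site(LEFT, RIGHT) or ["no mismatches found"]:
        print(line)
```

Running it on the posted configs reports only the two domain-name identifiers; switching both identifiers to the interface IP, as the reply suggests, makes the check come back clean.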
-
Sorry about the lack of ipsec logs, but IPsec seems to be fine now and I'm nowhere near the computers in question.
I've made some progress with this on other computers, but I haven't got it to work yet. I followed the tutorial in http://www.pfsense.org/mirror.php?section=tutorials/mobile_ipsec/ on two fresh installs of pfsense and two systemrescuecds running as clients. I've got a VPN tunnel (SAs, SADs and SPDs OK) established between the two pfsenses, but the traffic can only go from the dynamic site to the static site and not in reverse.
If I ping the static client from the dynamic client, I can see the ping echo requests arriving on the static client (tcpdump icmp), and I can see it trying to send replies. I've set logging on both firewalls, and I can see the ping reply arriving on the LAN interface of the static pfsense – but nothing is getting back to the dynamic client. Pinging from the static client goes nowhere.
Also, when the static side times out the VPN connection, it refuses to allow the dynamic side to reestablish it (without me rebooting it). The dynamic side says 'none message must be encrypted' in the ipsec.log.
Sorry for changing the subject, but it seems to be closer to a working solution.