Connection to non pfSense remote network.
-
I have a colo server, the guest is running Ubuntu and a variety of VMs, using a host only network on RFC1918 space (which does not conflict with any in-office ranges)
I'd like to set up an IPsec tunnel from the Ubuntu host to the Office pfSense box (1.2.3-RELEASE built on Sun Dec 6 23:21:36 EST 2009) to allow us to access this private subnet from the office.
However, I can't figure out what I need to do.
There is a single shared secret on the pfSense IPSec pages, but ipsec_tools.conf expects one in each direction - this is just the first of a few things which have pickled my brain. Does anyone have a similar setup, and/or some other sensible resource to point me at?
Cheers,
John
-
OK - Figuring out more about pfSense helped some…
Stage 1 seems OK, but...
I'm now getting the following in syslog on the Colo box:
Aug 25 06:24:59 Colo racoon: INFO: respond new phase 2 negotiation: ColoIP[500]<=>pFsenseIP[500]
Aug 25 06:24:59 Colo racoon: ERROR: failed to get sainfo.
Aug 25 06:24:59 Colo racoon: ERROR: failed to get sainfo.
Aug 25 06:24:59 Colo racoon: ERROR: failed to pre-process packet.
and the following from the pfSense box:
Aug 25 06:25:09 pfSense racoon: ERROR: ColoIP give up to get IPsec-SA due to time up to wait.
Aug 25 06:25:13 pfSense racoon: INFO: initiate new phase 2 negotiation: pFsenseIP[0]<=>ColoIP[0]
Both units have 'proper' public IPs, and unfiltered (as far as I know) connections.
Config is as follows:
Colo:
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
remote pfSenseIP {
    exchange_mode main;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group modp1024;
        lifetime time 28800 secs;
    }
    # generate_policy off;
}
sainfo address 192.168.128.0/24 any address 192.168.1.0/24 any {
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
    pfs_group modp768;
    lifetime time 86400 secs;
}
pfSense:
# This file is automatically generated. Do not edit
listen {
    adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
}
path pre_shared_key "/var/etc/psk.txt";
path certificate "/var/etc";
remote ColoIP {
    exchange_mode main;
    my_identifier address "pfSenseIP";
    peers_identifier address ColoIP;
    initial_contact on;
    dpd_delay 30;
    ike_frag on;
    support_proxy on;
    proposal_check obey;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
        lifetime time 28800 secs;
    }
    lifetime time 28800 secs;
}
sainfo address 192.168.1.0/24 any address 192.168.128.0/24 any {
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
    pfs_group 1;
    lifetime time 86400 secs;
}
Generated from the following on the interface on pfSense:
* Disabled (no)
* Interface WAN
* DPD interval 30
* Local subnet LAN subnet (192.168.1.0/24)
* Remote gateway ColoIP
Phase1:
* Negotiation main
* My ID My IP (pfSenseIP)
* Crypto 3DES
* Hash SHA1
* DH key group 2 (1024 bit)
* Lifetime 28800
* Auth Preshared key
* Key - pasted to file on Colo box
Phase2:
* Protocol ESP
* Crypto 3DES
* Hash MD5
* PFS key 1 (768 bit)
* Lifetime 86400
Keepalive:
* Ping - private IP of Colo
And I've reached the limit of my IPSec knowhow :(
Any pointers? (also known as "What did I screw up?")
Cheers,
John
-
More syslog from the colo box:
Sep 2 13:25:34 Colo racoon: DEBUG: configuration found for 94.125.134.209.
Sep 2 13:25:34 Colo racoon: DEBUG: getsainfo params: loc='192.168.128.0/24', rmt='192.168.1.0/24', peer='pfSenseIP', id=0
Sep 2 13:25:34 Colo racoon: DEBUG: getsainfo pass #1
Sep 2 13:25:34 Colo racoon: DEBUG: evaluating sainfo: loc='192.168.128.0/24', rmt='192.168.1.0/24', peer='ANY', id=0
Sep 2 13:25:34 Colo racoon: DEBUG: getsainfo pass #2
Sep 2 13:25:34 Colo racoon: DEBUG: evaluating sainfo: loc='192.168.128.0/24', rmt='192.168.1.0/24', peer='ANY', id=0
Sep 2 13:25:34 Colo racoon: DEBUG: check and compare ids : values matched (IPv4_subnet)
Sep 2 13:25:34 Colo racoon: DEBUG: cmpid target: '192.168.128.0/24'
Sep 2 13:25:34 Colo racoon: DEBUG: cmpid source: '192.168.128.0/24'
Sep 2 13:25:34 Colo racoon: DEBUG: check and compare ids : values matched (IPv4_subnet)
Sep 2 13:25:34 Colo racoon: DEBUG: cmpid target: '192.168.1.0/24'
Sep 2 13:25:34 Colo racoon: DEBUG: cmpid source: '192.168.1.0/24'
Sep 2 13:25:34 Colo racoon: DEBUG: selected sainfo: loc='192.168.128.0/24', rmt='192.168.1.0/24', peer='ANY', id=0
Sep 2 13:25:34 Colo racoon: DEBUG: get a src address from ID payload 192.168.1.0[0] prefixlen=24 ul_proto=255
Sep 2 13:25:34 Colo racoon: DEBUG: get dst address from ID payload 192.168.128.0[0] prefixlen=24 ul_proto=255
Sep 2 13:25:34 Colo racoon: ERROR: no policy found: 192.168.1.0/24[0] 192.168.128.0/24[0] proto=any dir=in
Sep 2 13:25:34 Colo racoon: ERROR: failed to get proposal for responder.
Sep 2 13:25:34 Colo racoon: ERROR: failed to pre-process packet.
Sep 2 13:25:34 Colo racoon: DEBUG: IV freed
??? ??? ???
-
OK - finally got it working…
First - I had no "generate_policy" command
Then - I had various firewall issues on the pfSense end (it would make sense to have some indication that the IPsec connection will be pointless until explicitly opened)
Then - I had firewall issues on the other end
Then - I had routing issues on the other end (masquerading got done before IPsec got a look in)
My head hurts.
I'm going for a lie down.
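Added example, not code from the thread or from pfSense: a small Python triage script that classifies the racoon ERROR lines quoted above and, for a "no policy found" error, builds the pair of setkey spdadd lines the missing kernel policy corresponds to (the alternative to the generate_policy fix John found). The sample log is constructed from the thread, and ColoIP / pfSenseIP are the thread's own placeholders for the gateway addresses.

```python
import re

# Constructed sample: racoon messages from the thread, re-typed with its own
# ColoIP / pfSenseIP placeholders standing in for the public addresses.
SAMPLE_LOG = """\
Aug 25 06:24:59 Colo racoon: INFO: respond new phase 2 negotiation: ColoIP[500]<=>pfSenseIP[500]
Aug 25 06:24:59 Colo racoon: ERROR: failed to get sainfo.
Aug 25 06:25:09 pfSense racoon: ERROR: ColoIP give up to get IPsec-SA due to time up to wait.
Sep 2 13:25:34 Colo racoon: ERROR: no policy found: 192.168.1.0/24[0] 192.168.128.0/24[0] proto=any dir=in
Sep 2 13:25:34 Colo racoon: ERROR: failed to get proposal for responder.
"""

NO_POLICY = re.compile(r"no policy found: (\S+)\[\d+\] (\S+)\[\d+\] proto=(\S+) dir=(\w+)")

# (message fragment, cause, what to check) -- most specific fragments first.
CAUSES = [
    ("no policy found", "kernel SPD has no entry for this selector",
     "racoon only installs policies itself with 'generate_policy on'; otherwise load them with setkey"),
    ("failed to get sainfo", "no sainfo block matched the peer's phase 2 selectors",
     "local/remote subnets must mirror the other side's; compare the sainfo line on both boxes"),
    ("give up to get IPsec-SA", "the peer never completed phase 2 in time",
     "read the peer's racoon log; confirm UDP/500, UDP/4500 and ESP pass the firewalls both ways"),
]

def classify(line):
    """Return (cause, check) for a racoon ERROR line, or None for any other line."""
    if "racoon: ERROR:" not in line:
        return None
    for fragment, cause, check in CAUSES:
        if fragment in line:
            return cause, check
    return "unclassified racoon error", "inspect the surrounding DEBUG lines"

def triage(log):
    """Classify every ERROR line of a racoon syslog excerpt, in order."""
    return [(line, *classify(line)) for line in log.splitlines() if classify(line)]

def spd_from_error(line, local_gw, remote_gw):
    """Build the setkey spdadd pair a 'no policy found' error asks for: the logged
    selector in its direction, plus its mirror image with the tunnel endpoints swapped."""
    m = NO_POLICY.search(line)
    if not m:
        return []
    src, dst, proto, direction = m.groups()
    inner, outer = (remote_gw, local_gw) if direction == "in" else (local_gw, remote_gw)
    mirror = "out" if direction == "in" else "in"
    return [
        f"spdadd {src} {dst} {proto} -P {direction} ipsec esp/tunnel/{inner}-{outer}/require;",
        f"spdadd {dst} {src} {proto} -P {mirror} ipsec esp/tunnel/{outer}-{inner}/require;",
    ]
```

Run `triage(SAMPLE_LOG)` to see each error with its likely cause, and feed the "no policy found" line to `spd_from_error` to get the policies `setkey -c` would need on the Colo box.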