    Migrating from 1.2.3 to 2.0rc3 problem

    IPsec
    16 Posts 4 Posters 10.3k Views
    • fudge

      I did switch on debug and found that I had phase 1 policy mismatch errors.  Despite setting up the pfsense side of the tunnel exactly as needed, things didn't work.  I suspect that the 2.0 version of the web pages that deal with IPsec and maybe even racoon itself are a bit more bolted down.  This would explain why I'd get a mismatch.

      After much fiddling with IDs, I managed to get P1 working and had an SA, or so I thought.  Nothing, but nothing, I did with the very simple P2 config worked, every time failing with an error.

    • kalu

        Maybe this could help you:
        http://forum.pfsense.org/index.php/topic,39383.0.html

        I love pfSense because I love open source.

    • jimp Rebel Alliance Developer Netgate

          What exactly did it say mismatched? What errors prevented a working phase 2? We need as many specifics as possible, log entries, etc. Unfortunately in a case like this, without details it tells us nothing, and speculation is practically worthless.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

    • fudge

            Hello Jimp,

            I understand and appreciate your position.  Unfortunately I've had to go back to 1.2.3 and will not be in a position to try 2.0 for a couple of weeks (in October).  I'm keen to work this problem out though so I'll let you and others know when I next get a chance to see what is happening.

    • bdani

              Hi guys!

               I tried to migrate from pf 1.2.3 to 2.0rc3 via configuration backup / restore, but I received a nasty message:

               "The following input errors were detected:
               The configuration could not be restored."

               I tried the Restore area changes but nothing happened (after reboot too).
               What can I do?
               Set up the rules and configs one by one? :O  ???

              best wishes

    • jimp Rebel Alliance Developer Netgate

                http://doc.pfsense.org/index.php/Upgrade_Guide
                http://doc.pfsense.org/index.php/Upgrade_Guide#International.2FSpecial_Characters_in_1.2.x_Configs

    • fudge

                  Hi Jimp and All.  I'm back and have a few quiet days of being able to work through this issue.  The VPN between my two data centres will not be needed so I'm keen to dig in and figure this out.

                  I've just installed the 2.0 release and have been working on this to see if it'd work but alas, no.  My tunnel target is a Fortigate 200B and the settings there have not changed.  The current error I'm seeing is "ERROR: notification NO-PROPOSAL-CHOSEN".  There are a few more ph1 options in 2.0 so I'm not sure what needs to be matched up for things to line up.  I'll keep reading, playing but assistance and guidance would be appreciated.

                  Thanks

    • fudge

                    I think I've found a bug in the web config for phase 2.  If selecting PFS key group 5, what ends up in /var/etc/racoon.conf is 2, not 5.  I now have a VPN working :)

    • jimp Rebel Alliance Developer Netgate

                      I just tried this out and that is most definitely not the case. I select 2, save/apply, and 2 is in the config. I select 5, save/apply, and 5 is in the config.

                      So if you are changing to 5, then save/apply, and it's still set to 2, there is something else going on, perhaps it's not actually rewriting the config. But it's most certainly not writing the incorrect thing.

    • fudge

                        I've played a bit more with the link.  I can change the PFS group setting in my browser (Firefox 7.0.1 Linux) and it will remember the setting for the PFS key group, whether it's off, 1, 2 or 5.  However, there's nothing in the /var/etc/racoon.conf file which deviates from pfs_group 2.  I can change any other setting in phase 2 and it will be reflected in racoon.conf.  Only the pfs_group setting remains unchanged, weird.  At the tunnel target end, I now simply keep the PFS group to 2, just works.  It'd be good to know what's going on though.  Is there anything I can do to help understand what's going on?

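Added example, not part of this thread and not pfSense's own code: a small script that reads the racoon.conf pfSense generated together with the phase 1/phase 2 entries from config.xml, lists every Phase 1 and Phase 2 parameter that differs from what the far end expects (the kind of disagreement behind the NO-PROPOSAL-CHOSEN notification mentioned earlier in the thread), and flags a `<pfsgroup>` value in config.xml that never reached the `pfs_group` line of the matching `sainfo` block, which is the symptom described in the post above. The racoon.conf and config.xml excerpts are constructed samples; the element names (`ikeid`, `pfsgroup`, `remoteid`) and the peer-side values are assumptions, not taken from the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape pfSense 2.0 writes racoon.conf (block header
# on its own line, brace on the next); not copied from a real system.
RACOON_CONF = """
remote 203.0.113.10
{
    exchange_mode main;
    proposal
    {
        encryption_algorithm aes 256;
        hash_algorithm sha1;
        dh_group 2;
    }
}
sainfo subnet 10.0.0.0/24 any subnet 10.1.0.0/24 any
{
    remoteid 1;
    encryption_algorithm aes 256;
    authentication_algorithm hmac_sha1;
    pfs_group 2;
}
"""

# Constructed config.xml excerpt; the element names are an assumption about the
# pfSense 2.0 <ipsec><phase1>/<phase2> layout. <pfsgroup> is 5 here on purpose.
CONFIG_XML = """<pfsense><ipsec>
  <phase1><ikeid>1</ikeid><remote-gateway>203.0.113.10</remote-gateway>
    <dhgroup>2</dhgroup></phase1>
  <phase2><ikeid>1</ikeid><pfsgroup>5</pfsgroup></phase2>
</ipsec></pfsense>"""

# What the far end accepts (constructed values; the peer wants PFS group 5).
PEER_PHASE1 = {"encryption_algorithm": "aes 256", "hash_algorithm": "sha1",
               "dh_group": "2"}
PEER_PHASE2 = {"encryption_algorithm": "aes 256",
               "authentication_algorithm": "hmac_sha1", "pfs_group": "5"}


def parse_racoon(text):
    """Parse racoon.conf into nested blocks of the form
    {"header": "remote 203.0.113.10", "opts": {key: value}, "children": [...]}."""
    root = {"header": "", "opts": {}, "children": []}
    stack, pending = [root], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop comments
        if not line:
            continue
        if line.endswith("{"):                         # 'header {' or bare '{'
            header = pending if line == "{" else line[:-1].strip()
            block = {"header": header, "opts": {}, "children": []}
            stack[-1]["children"].append(block)
            stack.append(block)
            pending = None
        elif line == "}":
            stack.pop()
        elif line.endswith(";"):                       # 'key value;'
            key, _, val = line[:-1].partition(" ")
            stack[-1]["opts"][key] = val.strip()
        else:                                          # header; '{' comes next
            pending = line
    if len(stack) != 1:
        raise ValueError("unbalanced braces in racoon.conf")
    return root["children"]


def phase1_proposals(blocks):
    """{peer address: proposal options} for every 'remote' block."""
    out = {}
    for b in blocks:
        if b["header"].startswith("remote "):
            prop = next((c for c in b["children"] if c["header"] == "proposal"), None)
            out[b["header"].split()[1]] = dict(prop["opts"]) if prop else {}
    return out


def phase2_sainfos(blocks):
    """{sainfo header: options} for every 'sainfo' block."""
    return {b["header"]: dict(b["opts"])
            for b in blocks if b["header"].startswith("sainfo")}


def mismatches(ours, theirs):
    """[(key, our value, peer value)] for every key the two sides disagree on;
    an empty list means the peer will accept this side's proposal."""
    return [(k, ours.get(k), v) for k, v in theirs.items() if ours.get(k) != v]


def pfs_group_drift(config_xml, blocks):
    """[(ikeid, config.xml pfsgroup, racoon.conf pfs_group)] for every phase2
    whose chosen PFS group did not reach the sainfo carrying the same remoteid."""
    sainfos = {b["opts"].get("remoteid"): b["opts"]
               for b in blocks if b["header"].startswith("sainfo")}
    drift = []
    for p2 in ET.fromstring(config_xml).iter("phase2"):
        ikeid, want = p2.findtext("ikeid"), p2.findtext("pfsgroup")
        got = sainfos.get(ikeid, {}).get("pfs_group")
        if want != got:
            drift.append((ikeid, want, got))
    return drift


if __name__ == "__main__":
    blocks = parse_racoon(RACOON_CONF)
    for peer, prop in phase1_proposals(blocks).items():
        for key, ours, theirs in mismatches(prop, PEER_PHASE1):
            print(f"phase1 {peer}: {key} ours={ours!r} peer={theirs!r}")
    for hdr, opts in phase2_sainfos(blocks).items():
        for key, ours, theirs in mismatches(opts, PEER_PHASE2):
            print(f"phase2 {hdr}: {key} ours={ours!r} peer={theirs!r}")
    for ikeid, want, got in pfs_group_drift(CONFIG_XML, blocks):
        print(f"ikeid {ikeid}: config.xml pfsgroup={want}, racoon.conf pfs_group={got}")
```

On a live box you would feed it the real /var/etc/racoon.conf named in the thread and the pfSense config.xml instead of the embedded samples; with the samples above, Phase 1 matches the peer, Phase 2 reports `pfs_group` 2 versus the peer's 5, and the drift check shows `<pfsgroup>5</pfsgroup>` in config.xml against `pfs_group 2` in racoon.conf, which separates "the GUI saved the wrong value" from "the value was saved but never written out".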
    • jimp Rebel Alliance Developer Netgate

                          Go to Diagnostics > Commands and, in the PHP exec box, put in:

                          var_dump($config['ipsec']['client']);

                          Is there a pfs setting in there?

    • fudge

                            The following comes up:

                            array(3) {
                              ["enable"]=>
                              string(0) ""
                              ["user_source"]=>
                              string(6) "system"
                              ["group_source"]=>
                              string(6) "system"
                            }
                            
    • jimp Rebel Alliance Developer Netgate

                               OK, the only place I saw that could have possibly overridden the chosen pfs_group setting would have been in there. I don't see any other way that what you choose isn't ending up in the racoon.conf.

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.