IPsec Doesn't connect … with no error
-
Hi Guys,
I'm trying to establish a VPN connection between a pfSense 2.0.1 box and a D-Link router. But after starting the IPsec service on the pfSense box, it doesn't appear to do anything.
I did a packet dump on both the WAN and IPsec interfaces and there were no packets at all. On the IPsec status page, it just shows as amber with an X.
It is as if it doesn't bother starting at all. Am I missing something here?
racoon -d -v -F -f /var/etc/racoon.conf
2012-10-04 18:30:40: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
2012-10-04 18:30:40: INFO: @(#)This product linked OpenSSL 0.9.8n 24 Mar 2010 (http://www.openssl.org/)
2012-10-04 18:30:40: INFO: Reading configuration from "/var/etc/racoon.conf"
2012-10-04 18:30:40: DEBUG: call pfkey_send_register for AH
2012-10-04 18:30:40: DEBUG: call pfkey_send_register for ESP
2012-10-04 18:30:40: DEBUG: call pfkey_send_register for IPCOMP
2012-10-04 18:30:40: DEBUG: reading config file /var/etc/racoon.conf
2012-10-04 18:30:40: DEBUG2: lifetime = 86400
2012-10-04 18:30:40: DEBUG2: lifebyte = 0
2012-10-04 18:30:40: DEBUG2: encklen=0
2012-10-04 18:30:40: DEBUG2: p:1 t:1
2012-10-04 18:30:40: DEBUG2: 3DES-CBC(5)
2012-10-04 18:30:40: DEBUG2: MD5(1)
2012-10-04 18:30:40: DEBUG2: 1024-bit MODP group(2)
2012-10-04 18:30:40: DEBUG2: pre-shared key(1)
2012-10-04 18:30:40: DEBUG2:
2012-10-04 18:30:40: DEBUG2: Etype mismatch: got 2, expected 4.
2012-10-04 18:30:40: DEBUG: no check of compression algorithm; not supported in sadb message.
2012-10-04 18:30:40: DEBUG: getsainfo params: loc='192.168.0.0/24' rmt='192.168.1.0/24' peer='NULL' client='NULL' id=1
2012-10-04 18:30:40: DEBUG2: parse successed.
2012-10-04 18:30:40: DEBUG: open /var/db/racoon/racoon.sock as racoon management.
2012-10-04 18:30:40: INFO: 55.33.22.11[4500] used for NAT-T
2012-10-04 18:30:40: INFO: 55.33.22.11[4500] used as isakmp port (fd=7)
2012-10-04 18:30:40: INFO: 55.33.22.11[500] used for NAT-T
2012-10-04 18:30:40: INFO: 55.33.22.11[500] used as isakmp port (fd=8)
2012-10-04 18:30:40: DEBUG: pk_recv: retry[0] recv()
2012-10-04 18:30:40: DEBUG: got pfkey X_SPDDUMP message
2012-10-04 18:30:40: DEBUG2: 02120000 0a000100 03000000 37860000 03000500 ff180000 10020000 0afefe00 00000000 00000000 03000600 ff200000 10020000 0afefe03 00000000 00000000 02001200 01000100 3e000000 00000000
2012-10-04 18:30:40: DEBUG: pk_recv: retry[0] recv()
2012-10-04 18:30:40: DEBUG: got pfkey X_SPDDUMP message
2012-10-04 18:30:40: DEBUG2: 02120000 0f000100 02000000 37860000 03000500 ff180000 10020000 0a000000 00000000 00000000 03000600 ff180000 10020000 ac100000 00000000 00000000 07001200 02000100 58000000 00000000 28003200 02034e40 10020000 5111414a 00000000 00000000 10020000 5c2a7ec9 00000000 00000000
2012-10-04 18:30:40: DEBUG: sub:0x7fffffffe330: 192.168.1.0/24[0] 192.168.0.0/24[0] proto=any dir=in
2012-10-04 18:30:40: DEBUG: db :0x80163b610: 10.254.254.0/24[0] 10.254.254.3/32[0] proto=any dir=in
2012-10-04 18:30:40: DEBUG: pk_recv: retry[0] recv()
2012-10-04 18:30:40: DEBUG: got pfkey X_SPDDUMP message
2012-10-04 18:30:40: DEBUG2: 02120000 0a000100 01000000 37860000 03000500 ff200000 10020000 0afefe03 00000000 00000000 03000600 ff180000 10020000 0afefe00 00000000 00000000 02001200 01000200 3d000000 00000000
2012-10-04 18:30:40: DEBUG: sub:0x7fffffffe330: 10.254.254.3/32[0] 10.254.254.0/24[0] proto=any dir=out
2012-10-04 18:30:40: DEBUG: db :0x80163b610: 10.254.254.0/24[0] 10.254.254.3/32[0] proto=any dir=in
2012-10-04 18:30:40: DEBUG: sub:0x7fffffffe330: 10.254.254.3/32[0] 10.254.254.0/24[0] proto=any dir=out
2012-10-04 18:30:40: DEBUG: db :0x80163b790: 192.168.1.0/24[0] 192.168.0.0/24[0] proto=any dir=in
2012-10-04 18:30:40: DEBUG: pk_recv: retry[0] recv()
2012-10-04 18:30:40: DEBUG: got pfkey X_SPDDUMP message
2012-10-04 18:30:40: DEBUG2: 02120000 0f000100 00000000 37860000 03000500 ff180000 10020000 ac100000 00000000 00000000 03000600 ff180000 10020000 0a000000 00000000 00000000 07001200 02000200 57000000 00000000 28003200 02034d40 10020000 5c2a7ec9 00000000 00000000 10020000 5111414a 00000000 00000000
2012-10-04 18:30:40: DEBUG: sub:0x7fffffffe330: 192.168.0.0/24[0] 192.168.1.0/24[0] proto=any dir=out
2012-10-04 18:30:40: DEBUG: db :0x80163b610: 10.254.254.0/24[0] 10.254.254.3/32[0] proto=any dir=in
2012-10-04 18:30:40: DEBUG: sub:0x7fffffffe330: 192.168.0.0/24[0] 192.168.1.0/24[0] proto=any dir=out
2012-10-04 18:30:40: DEBUG: db :0x80163b790: 192.168.1.0/24[0] 192.168.0.0/24[0] proto=any dir=in
2012-10-04 18:30:40: DEBUG: sub:0x7fffffffe330: 192.168.0.0/24[0] 192.168.1.0/24[0] proto=any dir=out
2012-10-04 18:30:40: DEBUG: db :0x80163b910: 10.254.254.3/32[0] 10.254.254.0/24[0] proto=any dir=out
/var/etc/racoon.conf
# This file is automatically generated. Do not edit
path pre_shared_key "/var/etc/psk.txt";
path certificate "/var/etc";

listen {
    adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
    isakmp 55.33.22.11 [500];
    isakmp_natt 55.33.22.11 [4500];
}

remote 66.33.22.11 {
    ph1id 1;
    exchange_mode main;
    my_identifier address 55.33.22.11;
    peers_identifier address 66.33.22.11;
    ike_frag on;
    generate_policy = off;
    initial_contact = on;
    nat_traversal = off;
    dpd_delay = 10;
    dpd_maxfail = 5;
    support_proxy on;
    proposal_check claim;
    proposal {
        authentication_method pre_shared_key;
        encryption_algorithm 3des;
        hash_algorithm md5;
        dh_group 2;
        lifetime time 86400 secs;
    }
}

sainfo subnet 192.168.0.0/24 any subnet 192.168.1.0/24 any {
    remoteid 1;
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    lifetime time 28800 secs;
    compression_algorithm deflate;
}
-
A tunnel will not try to connect unless some data tries to cross the tunnel. You can either try to send some traffic directly, or set a keep-alive IP in the Phase 2 settings, targeting an IP inside of the remote phase 2 network.
-
Hi Jimp,
Okay, that makes sense and you were correct. The keepalive didn't do anything, but pinging a system on the remote network did initiate the tunnel.
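A quick check of the situation jimp describes, added here as an example and not code from the thread or from pfSense: it reads the sainfo subnets out of racoon.conf and the SPD policies racoon logged while walking the kernel's X_SPDDUMP at startup, then reports whether a silent WAN means a missing policy or a loaded policy that is simply waiting for matching traffic. The sample config and log lines are constructed from the shapes in this thread, and the "initiate new phase 1 negotiation" string is racoon's usual IKE-start message, assumed here.

```python
import re

# Constructed sample input shaped like this thread's output: the sainfo block from
# the generated racoon.conf, and the "sub:" lines racoon logs while it walks the
# kernel's SPD dump at startup (one per policy; repeats are possible).
RACOON_CONF = """
sainfo subnet 192.168.0.0/24 any subnet 192.168.1.0/24 any {
    remoteid 1;
}
"""
RACOON_LOG = """\
2012-10-04 18:30:40: DEBUG: sub:0x7fffffffe330: 192.168.1.0/24[0] 192.168.0.0/24[0] proto=any dir=in
2012-10-04 18:30:40: DEBUG: sub:0x7fffffffe330: 10.254.254.3/32[0] 10.254.254.0/24[0] proto=any dir=out
2012-10-04 18:30:40: DEBUG: sub:0x7fffffffe330: 192.168.0.0/24[0] 192.168.1.0/24[0] proto=any dir=out
2012-10-04 18:30:40: DEBUG: sub:0x7fffffffe330: 192.168.0.0/24[0] 192.168.1.0/24[0] proto=any dir=out
"""

SAINFO_RE = re.compile(r"sainfo\s+subnet\s+(\S+)\s+\S+\s+subnet\s+(\S+)\s+\S+")
SPD_RE = re.compile(r"DEBUG: sub:0x[0-9a-f]+: (\S+)\[\d+\] (\S+)\[\d+\] proto=\S+ dir=(in|out)")

def sainfo_subnets(conf):
    """(local, remote) subnet pairs declared by sainfo blocks."""
    return SAINFO_RE.findall(conf)

def spd_policies(log):
    """Deduplicated (src, dst, direction) policies racoon saw in the SPD dump."""
    return {m.groups() for m in SPD_RE.finditer(log)}

def missing_policies(conf, log):
    """Entries each sainfo pair needs (out local->remote, in remote->local) but the SPD lacks."""
    have = spd_policies(log)
    missing = []
    for local, remote in sainfo_subnets(conf):
        for needed in ((local, remote, "out"), (remote, local, "in")):
            if needed not in have:
                missing.append(needed)
    return missing

def diagnose(conf, log):
    """Why nothing left the WAN: no policy, or policy loaded but never triggered."""
    missing = missing_policies(conf, log)
    if missing:
        return "spd-missing: " + ", ".join(f"{s}->{d} {dr}" for s, d, dr in missing)
    # racoon logs "initiate new phase 1 negotiation" once it sends IKE (assumed message wording)
    if "initiate new phase 1 negotiation" in log:
        return "phase1-started"
    return "waiting-for-traffic"  # SPD is complete; send traffic into the remote subnet

if __name__ == "__main__":
    print(diagnose(RACOON_CONF, RACOON_LOG))
```

With the thread's own output the result is "waiting-for-traffic", which matches the fix that worked: a ping from the local subnet to a host in 192.168.1.0/24 hits the out policy and makes racoon start phase 1.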