PfSense <–> IPcop IPSEC VPN



  • Hi
    I have read within this forum that users have successfully connected a pfSense box to an IPcop via an IPSEC VPN tunnel.
    I have a test LAN in my office connecting to the internet with a public IP on the WAN interface of a pfSense box.
    My Production LAN connects to the internet using an IPcop box using another public IP on the same subnet as the pfsense box.

    Both boxes are on the same side of my ISP's router.

    I have successfully created an IPSEC VPN between my test LAN and my production LAN. It has been up and stable for several weeks.
    I have spent 2 days trying to connect the pfSense LAN to an IPcop on a remote site with a different ISP but have had no luck.
    I have followed the various threads within this forum but most seem to deal with issues relating to NAT, whereas all of my sites are using static public IPs with no NAT.

    Can anyone offer any further suggestions?

    Thanks



  • ps…
    the closest thing I have achieved is the tunnel shows open on the pfSense (green arrow) but closed on the ipcop.



  • pfsense and ipcop work as they should with ipsec vpn, please post your configuration…
    regards
    heiko



  • Really odd!
    The tunnel says closed at the ipcop end but it is working!
    Although working I would really like it to say Open at the IPcop end.
    Here is the config anyway…

    pfSense Config:

    IF: WAN
    Local Subnet: (Network) 192.168.254.0/24
    Remote Subnet: 192.168.250.0/24
    Remote GW: [Public IP Addr of IPcop]

    Phase 1
    Negotiation Mode: Main
    My ID: IP Address: [Public IP of pfSense]
    Encryption Alg: 3DES
    Hash Alg: MD5
    DH Key Grp: 5
    Lifetime: [BLANK]
    Auth Method: PSK

    Phase 2
    Protocol: ESP
    Encryption Alg: 3DES [only]
    Hash Alg: MD5
    PFS Key Group: 5
    Lifetime [BLANK]

    IPcop Config:

    IPcop Side: Left
    Local Subnet: 192.168.250.0/255.255.255.0
    Remote Host/IP: [pfSense Public IP]
    Remote Subnet: 192.168.254.0/255.255.255.0
    Dead Peer Detection: Restart
    PFS: YES
    Compression: NO
    IKE Encryption: 3DES
    IKE Integrity: MD5
    IKE Lifetime: 1 hour
    IKE Grouptype: MODP-1536
    ESP Encryption: 3DES
    ESP Integrity: MD5
    ESP Keylife: 8 hours
    ESP Grouptype: MODP-1536



  • 1.) You haven't a lifetime in your pfsense config??? If so, please fill in proper values for Phase 1+2.
    2.) Please change your pfsense key groups to 2 and also change the ipcop config to these values.
    3.) Change your IPCOP DPD to Hold.

    And make a retest; what does the ipseclog tab in pfsense say? Can you ping from/to both sides? You need pass rules on pfsense, please take a look at the rules section.

    Regards
    heiko
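
    A side-by-side cross-check of the two proposals posted above, covering the points heiko raises (blank lifetimes, key groups), as an added example that is not pfSense or IPcop code: it normalises IPcop's dotted masks against pfSense's CIDR notation, maps pfSense DH group numbers to the MODP names IPcop displays (an assumed mapping), and reports every parameter the two ends disagree on.

```python
import ipaddress

# Assumption: IKE DH group numbers (pfSense) map to the MODP names IPcop shows.
DH_GROUPS = {1: "MODP-768", 2: "MODP-1024", 5: "MODP-1536", 14: "MODP-2048"}

# Constructed from the two configs posted above; a blank lifetime is None.
PFSENSE = {
    "local_subnet": "192.168.254.0/24", "remote_subnet": "192.168.250.0/24",
    "p1_enc": "3DES", "p1_hash": "MD5", "p1_dh": 5, "p1_lifetime_s": None,
    "p2_enc": "3DES", "p2_hash": "MD5", "pfs_group": 5, "p2_lifetime_s": None,
}
IPCOP = {
    "local_subnet": "192.168.250.0/255.255.255.0",
    "remote_subnet": "192.168.254.0/255.255.255.0",
    "ike_enc": "3DES", "ike_integrity": "MD5", "ike_group": "MODP-1536",
    "ike_lifetime_s": 3600, "esp_enc": "3DES", "esp_integrity": "MD5",
    "esp_group": "MODP-1536", "esp_keylife_s": 8 * 3600, "pfs": True,
}

def net(s):
    """Normalise mask notation so 'x/255.255.255.0' and 'x/24' compare equal."""
    return ipaddress.ip_network(s, strict=False)

def check_proposal(pf, cop):
    """Return (severity, message) findings; an empty list means both sides agree."""
    out = []
    # Subnets are mirrored: pfSense local must equal IPcop remote, and vice versa.
    if net(pf["local_subnet"]) != net(cop["remote_subnet"]):
        out.append(("error", "pfSense local subnet != IPcop remote subnet"))
    if net(pf["remote_subnet"]) != net(cop["local_subnet"]):
        out.append(("error", "pfSense remote subnet != IPcop local subnet"))
    # Cipher, hash and DH group must match exactly in both phases.
    for name, a, b in (("phase 1 encryption", pf["p1_enc"], cop["ike_enc"]),
                       ("phase 1 hash", pf["p1_hash"], cop["ike_integrity"]),
                       ("phase 1 DH group", DH_GROUPS.get(pf["p1_dh"]), cop["ike_group"]),
                       ("phase 2 encryption", pf["p2_enc"], cop["esp_enc"]),
                       ("phase 2 hash", pf["p2_hash"], cop["esp_integrity"])):
        if str(a).upper() != str(b).upper():
            out.append(("error", "%s mismatch: %s vs %s" % (name, a, b)))
    # With PFS on, IPcop's ESP grouptype must equal pfSense's PFS key group.
    if cop["pfs"] and DH_GROUPS.get(pf["pfs_group"]) != cop["esp_group"]:
        out.append(("error", "PFS group mismatch"))
    # IKEv1 tolerates unequal lifetimes, but a blank one leaves pfSense on its default.
    for name, k_pf, k_cop in (("phase 1", "p1_lifetime_s", "ike_lifetime_s"),
                              ("phase 2", "p2_lifetime_s", "esp_keylife_s")):
        if pf[k_pf] is None:
            out.append(("note", "%s lifetime blank on pfSense; IPcop uses %ds" % (name, cop[k_cop])))
        elif pf[k_pf] != cop[k_cop]:
            out.append(("note", "%s lifetime %ds vs IPcop %ds" % (name, pf[k_pf], cop[k_cop])))
    return out
```

    Run against the posted configs it reports only the two blank lifetimes as notes, which matches the thread's outcome: the proposals themselves already agreed and the tunnel was in fact up.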



  • I did have the lifetimes specified originally but following a M0n0wall <–> Ipcop forum post it said to leave them blank ???

    I have made the amendments as requested but still the ipcop end says closed.
    I can ping both ends and already have the following IPSEC firewall rules in place:

    Proto  Source            Port  Destination       Port  Gateway
    *      192.168.250.0/24  *     LAN net           *     *
    *      LAN net           *     192.168.250.0/24  *     *

    The IPSEC pfSense logs show the following recurring errors:

    Jul 31 14:16:02 racoon: [250 - COLO]: NOTIFY: the packet is retransmitted by xxx.xxx.xxx.xxx[500].
    Jul 31 14:16:02 racoon: [250 - COLO]: ERROR: xxx.xxx.xxx.xxx give up to get IPsec-SA due to time up to wait.
    Jul 31 14:15:42 racoon: [250 - COLO]: NOTIFY: the packet is retransmitted by xxx.xxx.xxx.xxx[500].
    Jul 31 14:15:32 racoon: [250 - COLO]: INFO: respond new phase 2 negotiation: xxx.xxx.xxx.xxx[0]<=>xxx.xxx.xxx.xxx[0]
    Jul 31 14:14:52 racoon: [250 - COLO]: ERROR: xxx.xxx.xxx.xxx give up to get IPsec-SA due to time up to wait.
    Jul 31 14:14:52 racoon: [250 - COLO]: NOTIFY: the packet is retransmitted by xxx.xxx.xxx.xxx[500].
    Jul 31 14:14:32 racoon: [250 - COLO]: NOTIFY: the packet is retransmitted by xxx.xxx.xxx.xxx[500].
    Jul 31 14:14:22 racoon: [250 - COLO]: INFO: respond new phase 2 negotiation: xxx.xxx.xxx.xxx[0]<=>xxx.xxx.xxx.xxx[0]

    Thanks



  • A word of advice…
    Do not try to configure a new firewall at 3am!

    I have managed to create two VPN tunnels on the IPcop side. One was open and working whereas the other one was closed. I could only see the big red CLOSED icon in our list of 30 tunnels and not the one which was actually working.

    Sorry for wasting your time!



  • Ok, no problem, have fun
    Greetings from Germany
    heiko

