Netgate Discussion Forum
    PfSense <–> IPcop IPSEC VPN

    8 Posts 2 Posters 7.1k Views
    Gob

      Hi
      I have read within this forum that users have successfully connected a pfSense box to an IPcop via an IPSEC VPN tunnel.
      I have a test LAN in my office connecting to the internet with a public IP on the WAN interface of a pfSense box.
      My Production LAN connects to the internet using an IPcop box using another public IP on the same subnet as the pfSense box.

      Both boxes are on the same side of my ISP's router.

      I have successfully created an IPSEC VPN between my test LAN and my production LAN. It has been up and stable for several weeks.
      I have spent 2 days trying to connect the pfSense LAN to an IPcop on a remote site with a different ISP but have had no luck.
      I have followed the various threads within this forum but most seem to deal with issues relating to NAT, whereas all of my sites are using static public IPs with no NAT.

      Can anyone offer any further suggestions?

      Thanks

      If I fix one more thing than I break in a day, it's a good day!

      Gob

        PS…
        The closest thing I have achieved is that the tunnel shows open on the pfSense (green arrow) but closed on the IPcop.

        heiko

          pfSense and IPcop work as they should with an IPsec VPN; please post your configuration…
          regards
          heiko

          Gob

            Really odd!
            The tunnel says closed at the ipcop end but it is working!
            Although working I would really like it to say Open at the IPcop end.
            Here is the config anyway…

            pfSense Config:

            IF: WAN
            Local Subnet: (Network) 192.168.254.0/24
            Remote Subnet: 192.168.250.0/24
            Remote GW: [Public IP Addr of IPcop]

            Phase 1
            Negotiation Mode: Main
            My ID: IP Address: [Public IP of pfSense]
            Encryption Alg: 3DES
            Hash Alg: MD5
            DH Key Grp: 5
            Lifetime: [BLANK]
            Auth Method: PSK

            Phase 2
            Protocol: ESP
            Encryption Alg: 3DES [only]
            Hash Alg: MD5
            PFS Key Group: 5
            Lifetime [BLANK]

            IPcop Config:

            IPcop Side: Left
            Local Subnet: 192.168.250.0/255.255.255.0
            Remote Host/IP: [pfSense Public IP]
            Remote Subnet: 192.168.254.0/255.255.255.0
            Dead Peer Detection: Restart
            PFS: YES
            Compression: NO
            IKE Encryption: 3DES
            IKE Integrity: MD5
            IKE Lifetime: 1 hour
            IKE Grouptype: MODP-1536
            ESP Encryption: 3DES
            ESP Integrity: MD5
            ESP Keylife: 8 hours
            ESP Grouptype: MODP-1536

            heiko

              1.) You haven't got a lifetime in your pfSense config? ??? If so, please fill in proper values for Phase 1 and 2.
              2.) Please change your pfSense key groups to 2 and also change the IPcop config to these values.
              3.) Change your IPcop DPD to Hold.

              Then retest. What does the IPsec log tab in pfSense say? Can you ping from/to both sides? You need pass rules on pfSense; please take a look at the rules section.

              Regards
              heiko

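The two listings above (pfSense and IPcop) and heiko's checklist are exactly the kind of thing that is easier to compare mechanically than by eye, because the two products label the same settings differently. The script below is an added example for this thread, not pfSense or IPcop code: the field names are my own, the two dicts are transcribed from the config posted above, and the only external knowledge it relies on is the standard DH group naming (MODP-1024 is group 2, MODP-1536 is group 5). It reports algorithm, DH group and subnet mismatches as errors and a lifetime that is blank on one side as a warning, which is the first point heiko raises.

```python
"""Compare an IKEv1 tunnel definition as entered on two peers and report
parameter mismatches. Added example for this thread, not pfSense or IPcop
code; the dicts are transcribed from the thread's config listing and the
field names are my own."""
import ipaddress

# Vendor labels for the same Diffie-Hellman groups (RFC 2409 / RFC 3526):
# pfSense shows the group number, IPcop shows the MODP modulus size.
DH_GROUPS = {
    "1": 1, "2": 2, "5": 5, "14": 14,
    "MODP-768": 1, "MODP-1024": 2, "MODP-1536": 5, "MODP-2048": 14,
}

def dh_group(value):
    """Map either spelling onto the group number; None means 'no PFS'."""
    return None if value is None else DH_GROUPS[str(value).upper()]

def net(value):
    """Normalise 'a.b.c.d/24' and 'a.b.c.d/255.255.255.0' to one form."""
    return str(ipaddress.ip_network(value, strict=False))

def compare(a, b):
    """Return (severity, message) tuples for every field that differs."""
    findings = []
    # Traffic selectors must be mirror images of each other.
    if net(a["local_net"]) != net(b["remote_net"]):
        findings.append(("error", f"local_net {a['local_net']} vs peer remote_net {b['remote_net']}"))
    if net(a["remote_net"]) != net(b["local_net"]):
        findings.append(("error", f"remote_net {a['remote_net']} vs peer local_net {b['local_net']}"))
    # Cipher and hash names must agree (case-insensitively).
    for key in ("ike_enc", "ike_hash", "esp_enc", "esp_hash"):
        if a[key].upper() != b[key].upper():
            findings.append(("error", f"{key}: {a[key]} vs {b[key]}"))
    # DH groups are compared after normalisation, so 5 == MODP-1536.
    for key in ("ike_dh", "pfs_dh"):
        if dh_group(a[key]) != dh_group(b[key]):
            findings.append(("error", f"{key}: {a[key]} vs {b[key]}"))
    # A blank lifetime means 'use this peer's default', which the other
    # side cannot see; flag it so both ends get explicit values.
    for key in ("ike_lifetime", "esp_lifetime"):
        if a[key] != b[key]:
            findings.append(("warning", f"{key}: {a[key]} vs {b[key]} seconds (set explicitly on both)"))
    return findings

# Transcribed from the thread (3DES/MD5 are legacy choices kept as posted);
# pfSense left both lifetimes blank.
PFSENSE = dict(local_net="192.168.254.0/24", remote_net="192.168.250.0/24",
               ike_enc="3DES", ike_hash="MD5", ike_dh=5, ike_lifetime=None,
               esp_enc="3DES", esp_hash="MD5", pfs_dh=5, esp_lifetime=None)
IPCOP = dict(local_net="192.168.250.0/255.255.255.0",
             remote_net="192.168.254.0/255.255.255.0",
             ike_enc="3DES", ike_hash="MD5", ike_dh="MODP-1536", ike_lifetime=3600,
             esp_enc="3DES", esp_hash="MD5", pfs_dh="MODP-1536", esp_lifetime=28800)

if __name__ == "__main__":
    for severity, message in compare(PFSENSE, IPCOP):
        print(f"{severity.upper():7} {message}")
```

Run against the configs as posted it produces only the two lifetime warnings, which agrees with the thread: the proposals themselves matched, and the real problem turned out to be elsewhere.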
              Gob

                I did have the lifetimes specified originally but following a M0n0wall <–> Ipcop forum post it said leave them blank  ???

                I have made the amendments as requested but still the ipcop end says closed.
                I can ping both ends and already have the following IPSEC firewall rules in place:

                Proto  Source            Port  Destination       Port  Gateway
                *      192.168.250.0/24  *     LAN net           *     *
                *      LAN net           *     192.168.250.0/24  *     *

                The IPSEC pfSense logs show the following recurring errors:

                Jul 31 14:16:02 racoon: [250 - COLO]: NOTIFY: the packet is retransmitted by xxx.xxx.xxx.xxx[500].
                Jul 31 14:16:02 racoon: [250 - COLO]: ERROR: xxx.xxx.xxx.xxx give up to get IPsec-SA due to time up to wait.
                Jul 31 14:15:42 racoon: [250 - COLO]: NOTIFY: the packet is retransmitted by xxx.xxx.xxx.xxx[500].
                Jul 31 14:15:32 racoon: [250 - COLO]: INFO: respond new phase 2 negotiation: xxx.xxx.xxx.xxx[0]<=>xxx.xxx.xxx.xxx[0]
                Jul 31 14:14:52 racoon: [250 - COLO]: ERROR: xxx.xxx.xxx.xxx give up to get IPsec-SA due to time up to wait.
                Jul 31 14:14:52 racoon: [250 - COLO]: NOTIFY: the packet is retransmitted by xxx.xxx.xxx.xxx[500].
                Jul 31 14:14:32 racoon: [250 - COLO]: NOTIFY: the packet is retransmitted by xxx.xxx.xxx.xxx[500].
                Jul 31 14:14:22 racoon: [250 - COLO]: INFO: respond new phase 2 negotiation: xxx.xxx.xxx.xxx[0]<=>xxx.xxx.xxx.xxx[0]

                Thanks

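The racoon lines above show a recognisable pattern: phase 2 is started by the peer, the packets are retransmitted, and then racoon gives up waiting for the IPsec SA. Phase 2 starting at all means phase 1 (and so the PSK) completed, which narrows the search to the phase 2 proposal, the subnets, or the peer simply never finishing. The script below is an added example, not pfSense code: it parses racoon's log format by tunnel label and classifies each tunnel from its event counts. The sample log is the one posted above with the addresses already masked; the message fragments are racoon's own wording.

```python
"""Triage racoon (pfSense IPsec) log lines by tunnel and IKE phase.
Added example for this thread, not pfSense code; the sample log is the
one posted in the thread (peer addresses already masked as xxx.xxx.xxx.xxx)."""
import re
from collections import defaultdict

# "Jul 31 14:16:02 racoon: [250 - COLO]: NOTIFY: the packet is retransmitted ..."
RACOON_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) racoon: "
    r"\[(?P<tunnel>[^\]]+)\]: (?P<level>[A-Z]+): (?P<msg>.*)$"
)

# Fragments of racoon's own messages, mapped to the event they represent.
EVENTS = (
    ("ISAKMP-SA established", "phase1_established"),
    ("respond new phase 2 negotiation", "phase2_start"),
    ("initiate new phase 2 negotiation", "phase2_start"),
    ("the packet is retransmitted", "retransmit"),
    ("give up to get IPsec-SA", "phase2_giveup"),
    ("IPsec-SA established", "phase2_established"),
)

def parse_line(line):
    """Return ts/tunnel/level/msg/event for a racoon line, None otherwise."""
    m = RACOON_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["event"] = next((name for frag, name in EVENTS if frag in rec["msg"]), "other")
    return rec

def summarize(lines):
    """Count events per tunnel label (the '[250 - COLO]' tag racoon prints)."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec:
            counts[rec["tunnel"]][rec["event"]] += 1
    return {tunnel: dict(c) for tunnel, c in counts.items()}

def diagnose(counts):
    """Classify one tunnel from its event counts."""
    if counts.get("phase2_established"):
        return "ok"
    if counts.get("phase2_start") and counts.get("phase2_giveup"):
        # Phase 2 begins (so phase 1 and the PSK are fine) but never
        # completes: compare the phase 2 proposal, PFS group and subnets on
        # both ends, and check that only one tunnel definition claims them.
        return "phase2_timeout"
    if counts.get("retransmit"):
        return "no_response"
    return "unknown"

# Constructed from the lines posted in the thread.
SAMPLE_LOG = """\
Jul 31 14:16:02 racoon: [250 - COLO]: NOTIFY: the packet is retransmitted by xxx.xxx.xxx.xxx[500].
Jul 31 14:16:02 racoon: [250 - COLO]: ERROR: xxx.xxx.xxx.xxx give up to get IPsec-SA due to time up to wait.
Jul 31 14:15:42 racoon: [250 - COLO]: NOTIFY: the packet is retransmitted by xxx.xxx.xxx.xxx[500].
Jul 31 14:15:32 racoon: [250 - COLO]: INFO: respond new phase 2 negotiation: xxx.xxx.xxx.xxx[0]<=>xxx.xxx.xxx.xxx[0]
Jul 31 14:14:52 racoon: [250 - COLO]: ERROR: xxx.xxx.xxx.xxx give up to get IPsec-SA due to time up to wait.
Jul 31 14:14:52 racoon: [250 - COLO]: NOTIFY: the packet is retransmitted by xxx.xxx.xxx.xxx[500].
Jul 31 14:14:32 racoon: [250 - COLO]: NOTIFY: the packet is retransmitted by xxx.xxx.xxx.xxx[500].
Jul 31 14:14:22 racoon: [250 - COLO]: INFO: respond new phase 2 negotiation: xxx.xxx.xxx.xxx[0]<=>xxx.xxx.xxx.xxx[0]
"""

if __name__ == "__main__":
    for tunnel, counts in summarize(SAMPLE_LOG.splitlines()).items():
        print(tunnel, counts, "->", diagnose(counts))
```

On the posted log this yields two phase 2 starts, four retransmits and two give-ups with no established SA, so the tunnel is classified as a phase 2 timeout; in the thread the cause was a second, broken tunnel definition on the IPcop side claiming the same peer.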
                Gob

                  A word of advice…
                  Do not try to configure a new firewall at 3am!

                  I have managed to create two VPN tunnels on the IPcop side. One was open and working whereas the other one was closed. I could only see the big red CLOSED icon in our list of 30 tunnels and not the one which was actually working.

                  Sorry for wasting your time!

                  heiko

                    Ok, no problem, have fun
                    Greetings from Germany
                    heiko

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.