Tunnel established but no communications



  • Hello
    Is there somebody who can explain to me how the IPSec tunnel between network and RoadWarrior computer works?

    I know that pf does not support modcfg (ike push/pull) for remote configurations, if so I have to make the settings manually.
    I have pf 1.2 stable version. Client computers are using the latest Shrew software. The local network I tried to connect to is 192.168.3.0/24.
    I have configured a virtual interface in Shrew with my local network settings. I am able to establish the VPN connection but I cannot communicate with any machine inside my network.
    The routing table on my laptop looks fine; moreover, I added the log option to the default rule on the IPsec interface and I see that traffic is logged: I can see my ping attempts and UDP packets to my DNS server but I get no answer…
    Did I miss something?

    Please see the SPD below:

    Source          Destination     Direction   Protocol   Tunnel endpoints
    192.168.3.11    192.168.3.0/24              ESP        83.31.78.XX - 83.19.104.XX
    192.168.3.0/24  192.168.3.11                ESP        83.19.104.XX - 83.31.78.XX
    

    See the SAD entries:

    Source          Destination     Protocol   SPI        Encryption   Authentication
    83.19.104.XX    83.31.78.XX     ESP        b2479f4c   aes-cbc      hmac-md5
    83.31.78.XX     83.19.104.XX    ESP        0d53a2a3   aes-cbc      hmac-md5
    

    and the IPsec VPN logs:

    Jan 11 16:17:22 	racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.3.0/24[0] 192.168.3.11/32[0] proto=any dir=out"
    Jan 11 16:17:22 	racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.3.11/32[0] 192.168.3.0/24[0] proto=any dir=in"
    Jan 11 16:17:22 	racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 83.19.104.XX[0]->83.31.78.XX[0] spi=1470564891(0x57a70a1b)
    Jan 11 16:17:22 	racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 83.31.78.XX[0]->83.19.104.XX[0] spi=180987997(0xac9a85d)
    Jan 11 16:17:22 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
    Jan 11 16:17:22 	racoon: WARNING: trns_id mismatched: my:CAST peer:AES
    Jan 11 16:17:22 	racoon: WARNING: trns_id mismatched: my:CAST peer:AES
    Jan 11 16:17:22 	racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:AES
    Jan 11 16:17:22 	racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:AES
    Jan 11 16:17:22 	racoon: WARNING: trns_id mismatched: my:3DES peer:AES
    Jan 11 16:17:22 	racoon: WARNING: trns_id mismatched: my:3DES peer:AES
    Jan 11 16:17:22 	racoon: [Unknown Gateway/Dynamic]: INFO: no policy found, try to generate the policy : 192.168.3.11/32[0] 192.168.3.0/24[0] proto=any dir=in
    Jan 11 16:17:22 	racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: 83.19.104.XX[0]<=>83.31.78.XX[0]
    Jan 11 16:17:14 	racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established 83.19.104.XX[500]-83.31.78.XX[500] spi:3b968ae039e80a3b:efe770dfdcb20ba5
    Jan 11 16:17:14 	racoon: INFO: received Vendor ID: DPD
    Jan 11 16:17:14 	racoon: INFO: begin Aggressive mode.
    Jan 11 16:17:14 	racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 83.19.104.XX[500]<=>83.31.78.240[500]
    

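A small parser for racoon log lines in the format shown above, added here as an example (it is not code from the thread, from pfSense or from racoon). It separates the things that went right (ISAKMP-SA and IPsec-SA established) from the two things worth checking when the tunnel is up but nothing passes: policies racoon had to generate or could not find, and proposal mismatches. The sample log is constructed from the thread's format, with the same masked addresses.

```python
import re

# Constructed sample in the format racoon logs on pfSense 1.2 (addresses masked as in the thread).
SAMPLE_LOG = """\
Jan 11 16:17:14 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established 83.19.104.XX[500]-83.31.78.XX[500] spi:3b968ae039e80a3b:efe770dfdcb20ba5
Jan 11 16:17:22 racoon: WARNING: trns_id mismatched: my:3DES peer:AES
Jan 11 16:17:22 racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
Jan 11 16:17:22 racoon: [Unknown Gateway/Dynamic]: INFO: no policy found, try to generate the policy : 192.168.3.11/32[0] 192.168.3.0/24[0] proto=any dir=in
Jan 11 16:17:22 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 83.19.104.XX[0]->83.31.78.XX[0] spi=1470564891(0x57a70a1b)
Jan 11 16:17:22 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.3.0/24[0] 192.168.3.11/32[0] proto=any dir=out"
"""

RE_POLICY = re.compile(r'policy[^:]*:\s*"?(\S+)\[\d+\]\s+(\S+)\[\d+\]\s+proto=(\w+)\s+dir=(\w+)')
RE_MISMATCH = re.compile(r'WARNING: (\w+) mismatched: my:(\S+) peer:(\S+)')
RE_IPSEC_SA = re.compile(r'IPsec-SA established: (\S+) (\S+)->(\S+) spi=\d+\((0x[0-9a-f]+)\)')


def summarize(log_text):
    """Collect phase 1/2 state, SPD policy events and proposal mismatches from racoon log text."""
    summary = {"isakmp_sa": False, "ipsec_sas": [], "policies": [], "mismatches": set()}
    for line in log_text.splitlines():
        if "ISAKMP-SA established" in line:
            summary["isakmp_sa"] = True                      # phase 1 done
        elif (m := RE_IPSEC_SA.search(line)):               # phase 2 done: one SA per direction
            summary["ipsec_sas"].append({"mode": m.group(1), "src": m.group(2).split("[")[0],
                                         "dst": m.group(3).split("[")[0], "spi": m.group(4)})
        elif "policy" in line and (m := RE_POLICY.search(line)):
            # "generated": racoon had no SPD entry covering the peer's selectors and made one;
            # "missing": it later looked the policy up and did not find it.
            status = "missing" if "does not already exist" in line else "generated"
            summary["policies"].append({"src": m.group(1), "dst": m.group(2), "dir": m.group(4), "status": status})
        elif (m := RE_MISMATCH.search(line)):
            # racoon walks its proposal list until one matches; these warnings are informational
            # as long as an SA is established afterwards.
            summary["mismatches"].add((m.group(1), m.group(2), m.group(3)))
    return summary


def diagnose(summary):
    """Return the findings an admin would act on for 'tunnel established but no traffic'."""
    findings = []
    if not summary["isakmp_sa"]:
        findings.append("phase 1 never completed")
    if not summary["ipsec_sas"]:
        findings.append("no phase 2 SA established; every proposal was rejected")
    for p in summary["policies"]:
        if p["status"] == "missing":
            findings.append(f"no SPD entry for {p['src']} -> {p['dst']} dir={p['dir']}: "
                            "the configured phase 2 selectors do not cover this client's address")
    return findings
```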

  • I've got the same problem with quite the same logs.
    I followed the IPsec tutorial, but I think there is a routing issue that is not explained in it.



  • It was my first guess … but I think routes to the IPsec network devices should be created automatically. I considered setting it manually, but there is a note:

    Do not enter static routes for networks assigned on any interface of this firewall. Static routes are only used for networks reachable via a different router, and not reachable via your default gateway.

    hmmm ???

