VPN IPsec, pfSense to Netopia, net to net



  • Hi everybody,

    I didn't get any answer in the French support forum, so I'm trying here. :)

    Sorry for this post, but I have spent a lot of time searching and reading without finding any answer to my problem.

    I'm using IPCop to establish an IPsec VPN with a Netopia 3346ENT router. I'm seriously thinking about replacing IPCop with pfSense (v1.2.2 for my tests), but I can't manage to establish the IPsec VPN between pfSense and the Netopia router.

    All my VPNs use the following parameters:

    Phase 1:
    mode: main
    encryption: 3des
    hash algorithm: md5
    DH key group: 2
    authentication method: PSK

    Phase 2:
    protocol: esp
    encryption algorithm: 3des
    hash algorithm: md5
    PFS key group: 2

    pfSense, IPCop and Netopia each have their own fixed IP. The WAN of pfSense is in PPPoE mode. The IPsec VPNs give these results:

    pfSense <-> IPCop = OK (under condition)
    pfSense <-> Netopia = Impossible
    IPCop <-> Netopia = OK

    I can establish a VPN with IPCop, but only if I initiate the tunnel on the IPCop side. If the tunnel is broken, I am not able to bring it up again from the pfSense side (even with a racoon restart). I added a rule in pfSense in order to see the traffic on port 500, and if nothing comes in on this port from IPCop, the tunnel does not come up. If I restart the tunnel on the IPCop side, the tunnel comes up immediately.

    On the log side, there is nothing really useful, neither on the pfSense side nor on the Netopia side. Nevertheless, the Netopia logs clearly show that there is some information coming from IPCop but not from pfSense. It seems that pfSense is not able to initiate the tunnel, and neither is Netopia…

    Of course, pfSense can talk to Netopia and vice versa (ping in particular). UDP port 500 and protocol 50 are open to pfSense on the Netopia. The firewall logs don't show anything blocked, but clearly show some traffic on port 500 coming from IPCop (but not from Netopia).

    A racoon restart with only the IPCop tunnel (so without Netopia) gives me this:

    Apr 21 17:35:28 	racoon: [Self]: INFO: 192.168.170.1[500] used as isakmp port (fd=15)
    Apr 21 17:35:28 	racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=14)
    Apr 21 17:35:28 	racoon: [Self]: INFO: {ip.publique.pfsense}[500] used as isakmp port (fd=13)
    Apr 21 17:35:28 	racoon: WARNING: /var/etc/racoon.conf:3: "0660" admin port support not compiled in
    Apr 21 17:35:28 	racoon: INFO: unsupported PF_KEY message REGISTER
    Apr 21 17:35:28 	racoon: [Self]: INFO: 192.168.170.1[500] used as isakmp port (fd=15)
    Apr 21 17:35:28 	racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=14)
    Apr 21 17:35:28 	racoon: [Self]: INFO: {ip.publique.pfsense}[500] used as isakmp port (fd=13)
    Apr 21 17:35:28 	racoon: WARNING: /var/etc/racoon.conf:3: "0660" admin port support not compiled in
    Apr 21 17:35:28 	racoon: INFO: Resize address pool from 0 to 255
    Apr 21 17:35:28 	racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
    Apr 21 17:35:28 	racoon: INFO: @(#)This product linked OpenSSL 0.9.8e 23 Feb 2007 (http://www.openssl.org/)
    Apr 21 17:35:28 	racoon: INFO: @(#)ipsec-tools 0.7.1 (http://ipsec-tools.sourceforge.net)
    

    A restart with the Netopia tunnel gives this:

    Apr 21 17:40:00 	racoon: [Self]: INFO: 192.168.170.1[500] used as isakmp port (fd=15)
    Apr 21 17:40:00 	racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=14)
    Apr 21 17:40:00 	racoon: [Self]: INFO: {ip.publique.pfsense}[500] used as isakmp port (fd=13)
    Apr 21 17:40:00 	racoon: WARNING: /var/etc/racoon.conf:3: "0660" admin port support not compiled in
    Apr 21 17:40:00 	racoon: ERROR: such policy already exists. anyway replace it: 192.168.12.0/24[0] 192.168.170.0/24[0] proto=any dir=in
    Apr 21 17:40:00 	racoon: ERROR: such policy already exists. anyway replace it: 192.168.170.0/24[0] 192.168.12.0/24[0] proto=any dir=out
    Apr 21 17:40:00 	racoon: ERROR: such policy already exists. anyway replace it: 192.168.2.0/24[0] 192.168.170.0/24[0] proto=any dir=in
    Apr 21 17:40:00 	racoon: ERROR: such policy already exists. anyway replace it: 192.168.170.0/24[0] 192.168.2.0/24[0] proto=any dir=out
    Apr 21 17:40:00 	racoon: ERROR: such policy already exists. anyway replace it: 192.168.170.1/32[0] 192.168.170.0/24[0] proto=any dir=out
    Apr 21 17:40:00 	racoon: ERROR: such policy already exists. anyway replace it: 192.168.170.0/24[0] 192.168.170.1/32[0] proto=any dir=in
    Apr 21 17:40:00 	racoon: INFO: unsupported PF_KEY message REGISTER
    Apr 21 17:40:00 	racoon: [Self]: INFO: 192.168.170.1[500] used as isakmp port (fd=15)
    Apr 21 17:40:00 	racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=14)
    Apr 21 17:40:00 	racoon: [Self]: INFO: {ip.publique.pfsense}[500] used as isakmp port (fd=13)
    Apr 21 17:40:00 	racoon: WARNING: /var/etc/racoon.conf:3: "0660" admin port support not compiled in
    Apr 21 17:40:00 	racoon: INFO: Resize address pool from 0 to 255
    Apr 21 17:40:00 	racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
    Apr 21 17:40:00 	racoon: INFO: @(#)This product linked OpenSSL 0.9.8e 23 Feb 2007 (http://www.openssl.org/)
    Apr 21 17:40:00 	racoon: INFO: @(#)ipsec-tools 0.7.1 (http://ipsec-tools.sourceforge.net)
    

    So. I hope there is enough information to help you help me, but not too much for you to read through this whole message. :) If anyone has any idea how to solve this problem, it would be great. Thank you!
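Added here as an example (it is not code from the post, from pfSense or from racoon): a small Python parser for racoon log lines of the shape quoted above. It normalises each "such policy already exists" SPD entry into (local subnet, remote subnet, direction) and flags any tunnel that did not get both an in and an out policy, which is the pairing a net-to-net tunnel needs. The sample log is constructed from the quoted lines, with one entry deliberately dropped so the check has something to report.

```python
import re
from collections import defaultdict

# Constructed sample shaped like the racoon output quoted in the post; the dir=out
# entry for 192.168.2.0/24 is deliberately left out so the check below flags it.
SAMPLE_LOG = """\
Apr 21 17:40:00 \tracoon: [Self]: INFO: 192.168.170.1[500] used as isakmp port (fd=15)
Apr 21 17:40:00 \tracoon: WARNING: /var/etc/racoon.conf:3: "0660" admin port support not compiled in
Apr 21 17:40:00 \tracoon: ERROR: such policy already exists. anyway replace it: 192.168.12.0/24[0] 192.168.170.0/24[0] proto=any dir=in
Apr 21 17:40:00 \tracoon: ERROR: such policy already exists. anyway replace it: 192.168.170.0/24[0] 192.168.12.0/24[0] proto=any dir=out
Apr 21 17:40:00 \tracoon: ERROR: such policy already exists. anyway replace it: 192.168.2.0/24[0] 192.168.170.0/24[0] proto=any dir=in
Apr 21 17:40:00 \tracoon: ERROR: such policy already exists. anyway replace it: 192.168.170.1/32[0] 192.168.170.0/24[0] proto=any dir=out
Apr 21 17:40:00 \tracoon: INFO: unsupported PF_KEY message REGISTER
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)\s+racoon:\s+(?:\[Self\]:\s+)?"
                     r"(?P<level>INFO|WARNING|ERROR):\s+(?P<msg>.*)$")
POLICY_RE = re.compile(r"such policy already exists\. anyway replace it: "
                       r"(?P<src>\S+)\[\d+\] (?P<dst>\S+)\[\d+\] proto=\S+ dir=(?P<dir>in|out)")

def parse_racoon(text):
    """Turn raw log text into (timestamp, level, message) tuples; lines of another shape are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m["ts"], m["level"], m["msg"]))
    return entries

def spd_replacements(entries):
    """Normalise each re-installed SPD policy to (local, remote, dir).
    racoon prints src then dst, so for dir=in the remote subnet comes first and is swapped here."""
    pols = []
    for _, _, msg in entries:
        m = POLICY_RE.search(msg)
        if m:
            local, remote = (m["src"], m["dst"]) if m["dir"] == "out" else (m["dst"], m["src"])
            pols.append((local, remote, m["dir"]))
    return pols

def incomplete_tunnels(pols):
    """A net-to-net tunnel needs both an 'in' and an 'out' SPD entry; return the pairs missing one."""
    seen = defaultdict(set)
    for local, remote, d in pols:
        seen[(local, remote)].add(d)
    return {pair: dirs for pair, dirs in seen.items() if dirs != {"in", "out"}}

if __name__ == "__main__":
    for pair, dirs in incomplete_tunnels(spd_replacements(parse_racoon(SAMPLE_LOG))).items():
        print("SPD pair %s <-> %s only has dir=%s" % (pair[0], pair[1], ",".join(sorted(dirs))))
```

On the full log quoted in the post every pair has both directions, so the script would print nothing there; the 192.168.170.1/32 <-> 192.168.170.0/24 pair is the firewall's own LAN address rather than a remote tunnel.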



  • I simply can't believe it! ??? ??? ??? This morning, without changing anything, the tunnel is up! ??? ??? ??? Is it necessary to wait before the tunnel comes up? How long?

    Anyway, this looks like good news. I will continue my exploration. Thanks for your help! ;D ;D ;D

