Site-to-Site with two pfSense 1.2.2 and certs
-
Hi all, I've set up a site-to-site VPN on two 1.2.2 boxes. One of them, the office, is a RAID1 HDD install on an Intel Atom board, the other is a WRAP…
I followed this howto:
http://pfsense.iserv.nl/tutorials/mobile_ipsec/
And connected the two LANs without a problem!
Here's the setup:
Home network: 192.168.0.0/24
pfSense LAN: 192.168.0.1/24
WAN: PPPoE
Office network: 192.168.115.0/24
Office name server: 192.168.115.1
WAN: PPPoE with static IP
I also created an entry in the DNS forwarder page as an entire-domain forwarding:
office.xx 192.168.115.1 SiteToSite-VPN
and a static route like this:
LAN 192.168.115.0/24 192.168.0.1 SiteToSite-VPN
It worked as expected, so as I have easy-rsa running I'd like to convert to certs. The certs I use are working fine with OpenVPN road warriors and even with a test site-to-site connection, with which I had pinging/routing problems, so I went over to IPsec...
Now that I've put the certs in and changed "My identifier" to "Domain Name" on the client side:
Here are the configs of server + client:

Server:

# This file is automatically generated. Do not edit
listen {
	adminsock "/var/run/racoon.sock" "root" "wheel" 0660;
}
path pre_shared_key "/var/etc/psk.txt";
path certificate "/var/etc";
remote anonymous {
	exchange_mode aggressive;
	my_identifier address "xxx.xxx.xxx.xxx";
	certificate_type x509 "server-mobile0-signed.pem" "server-mobile0-key.pem";
	initial_contact on;
	dpd_delay 120; # DPD poll every 120 seconds
	ike_frag on;
	passive on;
	generate_policy on;
	support_proxy on;
	proposal_check obey;
	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method rsasig;
		dh_group 2;
		lifetime time 1200 secs;
	}
	lifetime time 1200 secs;
}
sainfo anonymous {
	encryption_algorithm 3des,blowfish,cast128,rijndael;
	authentication_algorithm hmac_sha1,hmac_md5;
	compression_algorithm deflate;
	lifetime time 1200 secs;
}

Client:

path pre_shared_key "/var/etc/psk.txt";
path certificate "/var/etc";
remote xxx.xxx.xxx.xxx {
	exchange_mode aggressive;
	my_identifier fqdn "yyy.homelinux.org";
	certificate_type x509 "server1-signed.pem" "server1-key.pem";
	peers_identifier address xxx.xxx.xxx.xxx;
	initial_contact on;
	#dpd_delay 120; # DPD poll every 120 seconds
	ike_frag on;
	support_proxy on;
	proposal_check obey;
	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method rsasig;
		dh_group 2;
		lifetime time 1200 secs;
	}
	lifetime time 1200 secs;
}
sainfo address 192.168.0.0/24 any address 192.168.115.0/24 any {
	encryption_algorithm 3des,blowfish,cast128,rijndael,rijndael 256;
	authentication_algorithm hmac_sha1,hmac_md5;
	compression_algorithm deflate;
	lifetime time 1200 secs;
}
Here's the client's log; the server log is empty:

Aug 14 02:32:47 racoon: ERROR: phase1 negotiation failed due to time up. d3bf98bf13e41ba2:0000000000000000
Aug 14 02:32:28 racoon: INFO: delete phase 2 handler.
Aug 14 02:32:28 racoon: [SiteToSite-VPN]: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 217.91.96.41[0]->84.178.107.230[0]
Aug 14 02:31:57 racoon: INFO: begin Aggressive mode.
Aug 14 02:31:57 racoon: [SiteToSite-VPN]: INFO: initiate new phase 1 negotiation: 84.178.107.230[500]<=>217.91.96.41[500]
Aug 14 02:31:57 racoon: [SiteToSite-VPN]: INFO: IPsec-SA request for 217.91.96.41 queued due to no phase1 found.
Aug 14 02:28:13 racoon: ERROR: phase1 negotiation failed due to time up. b532220f1db62923:0000000000000000
Aug 14 02:27:53 racoon: INFO: delete phase 2 handler.
Aug 14 02:27:53 racoon: [SiteToSite-VPN]: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 217.91.96.41[0]->84.178.107.230[0]
Aug 14 02:27:22 racoon: INFO: begin Aggressive mode.
Aug 14 02:27:22 racoon: [SiteToSite-VPN]: INFO: initiate new phase 1 negotiation: 84.178.107.230[500]<=>217.91.96.41[500]
Aug 14 02:27:22 racoon: [SiteToSite-VPN]: INFO: IPsec-SA request for 217.91.96.41 queued due to no phase1 found.
Any hints?
-
Today, without making the slightest change, I have this in my logs:

Aug 14 12:01:06 racoon: [SiteToSite-VPN]: INFO: phase2 sa deleted yyy.yyy.yyy.yyy-xxx.xxx.xxx.xxx
Aug 14 12:01:05 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Aug 14 12:01:05 racoon: [SiteToSite-VPN]: INFO: phase2 sa expired yyy.yyy.yyy.yyy-xxx.xxx.xxx.xxx
Aug 14 12:01:04 racoon: ERROR: no peer's CERT payload found.
Aug 14 12:01:04 racoon: INFO: received Vendor ID: DPD
Aug 14 12:01:04 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Aug 14 12:01:04 racoon: ERROR: failed to get subjectAltName
Aug 14 12:01:04 racoon: ERROR:
Aug 14 12:01:03 racoon: ERROR: no peer's CERT payload found.
Aug 14 12:01:03 racoon: INFO: received Vendor ID: DPD
Aug 14 12:01:03 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Aug 14 12:01:03 racoon: ERROR: failed to get subjectAltName
Aug 14 12:01:03 racoon: ERROR:
Aug 14 12:00:54 racoon: ERROR: no peer's CERT payload found.
Aug 14 12:00:54 racoon: INFO: received Vendor ID: DPD
Aug 14 12:00:54 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Aug 14 12:00:54 racoon: ERROR: failed to get subjectAltName
Aug 14 12:00:54 racoon: ERROR:
Aug 14 12:00:53 racoon: ERROR: no peer's CERT payload found.
Aug 14 12:00:53 racoon: INFO: received Vendor ID: DPD
Aug 14 12:00:53 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Aug 14 12:00:53 racoon: ERROR: failed to get subjectAltName
Aug 14 12:00:53 racoon: ERROR:
Aug 14 12:00:45 racoon: [SiteToSite-VPN]: INFO: phase2 sa deleted yyy.yyy.yyy.yyy-xxx.xxx.xxx.xxx
Aug 14 12:00:45 racoon: ERROR: no peer's CERT payload found.
Aug 14 12:00:44 racoon: INFO: received Vendor ID: DPD
Aug 14 12:00:44 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Aug 14 12:00:44 racoon: ERROR: failed to get subjectAltName
Aug 14 12:00:44 racoon: ERROR:
Aug 14 12:00:44 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Aug 14 12:00:44 racoon: [SiteToSite-VPN]: INFO: phase2 sa expired yyy.yyy.yyy.yyy-xxx.xxx.xxx.xxx
Aug 14 12:00:44 racoon: ERROR: no peer's CERT payload found.
Aug 14 12:00:43 racoon: INFO: received Vendor ID: DPD
Aug 14 12:00:43 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Aug 14 12:00:43 racoon: ERROR: failed to get subjectAltName
Aug 14 12:00:43 racoon: ERROR:
Googling the first new error, I found this posting:
http://forum.pfsense.org/index.php?topic=5774.0
As I'm using easy-rsa I don't know how to handle that circumstance.
On http://www.fefe.de/racoon.txt I found this description:
failed to get subjectAltName
You forgot to set "my_identifier asn1dn;" in the remote section.
But I've set my DynDNS domain name on the remote site as "My Identifier".
Does anyone have a hint?
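Added example, not part of the forum thread or of pfSense/ipsec-tools: a small check of whether a certificate can back a given racoon Phase 1 identifier type. With authentication_method rsasig, racoon looks the peer's ID payload up in the peer's certificate: an fqdn ID must appear as a DNS entry in subjectAltName, user_fqdn as an email entry, address as an IP Address entry, and asn1dn is matched against the subject DN. A certificate with no subjectAltName extension, which is what a stock easy-rsa build produces, therefore cannot back an fqdn or address identifier, and that is the situation behind "failed to get subjectAltName". The input format assumed below is the text printed by `openssl x509 -noout -subject -ext subjectAltName -in cert.pem` (the `-ext` option needs OpenSSL 1.1.1 or later; the same header and indent layout appears in `openssl x509 -text`); both certificate samples, the IP 198.51.100.7 and the subject fields are constructed for the demonstration.

```python
"""Check which racoon Phase 1 identifier types an X.509 certificate can back.

Added example, not code from the forum post or from pfSense/ipsec-tools.
racoon (authentication_method rsasig) matches the peer's ID payload against
the peer's certificate:
    fqdn       -> DNS entry in subjectAltName
    user_fqdn  -> email entry in subjectAltName
    address    -> IP Address entry in subjectAltName
    asn1dn     -> certificate subject DN
"""
import re

SUBJECT_RE = re.compile(r"^subject=\s*(.+)$")
ID_TYPE_TO_SAN = {"fqdn": "dns", "user_fqdn": "email", "address": "ip"}


def parse_openssl_output(text):
    """Parse `openssl x509 -noout -subject -ext subjectAltName` output.

    Returns (subject_dn, sans) where sans maps 'dns' / 'ip' / 'email'
    to the lists of names found in the subjectAltName extension.
    """
    subject = None
    sans = {"dns": [], "ip": [], "email": []}
    expect_san_values = False
    for line in text.splitlines():
        m = SUBJECT_RE.match(line.strip())
        if m:
            subject = m.group(1).strip()
            continue
        if "Subject Alternative Name" in line:
            # The names follow on the next non-empty line, comma separated.
            expect_san_values = True
            continue
        if expect_san_values and line.strip():
            for item in line.split(","):
                kind, _, value = item.strip().partition(":")
                kind = kind.strip().lower()
                if kind == "dns":
                    sans["dns"].append(value.strip())
                elif kind in ("ip address", "ip"):
                    sans["ip"].append(value.strip())
                elif kind == "email":
                    sans["email"].append(value.strip())
            expect_san_values = False
    return subject, sans


def check_identifier(id_type, id_value, subject, sans):
    """Return (ok, reason): can this ID be matched against this certificate?"""
    if id_type == "asn1dn":
        if subject is None:
            return False, "certificate has no subject DN"
        return True, "asn1dn is matched against the subject: " + subject
    san_kind = ID_TYPE_TO_SAN.get(id_type)
    if san_kind is None:
        return False, "unknown identifier type " + id_type
    candidates = sans[san_kind]
    if not candidates:
        # No usable subjectAltName: racoon logs "failed to get subjectAltName".
        return False, "certificate carries no %s subjectAltName" % san_kind
    if id_value in candidates:
        return True, "%s %r found in subjectAltName" % (san_kind, id_value)
    return False, "%s %r not in subjectAltName %r" % (san_kind, id_value, candidates)


def racoon_identifier_lines(subject, sans):
    """List the my_identifier settings this certificate can back."""
    lines = []
    if subject is not None:
        lines.append("my_identifier asn1dn;")  # value omitted: taken from the cert
    lines += ['my_identifier fqdn "%s";' % d for d in sans["dns"]]
    lines += ['my_identifier user_fqdn "%s";' % e for e in sans["email"]]
    lines += ['my_identifier address "%s";' % a for a in sans["ip"]]
    return lines


# Constructed sample: a certificate as stock easy-rsa builds it (subject only).
EASYRSA_CERT = "subject=C = DE, ST = Bayern, O = Example, CN = yyy.homelinux.org\n"

# Constructed sample: same subject, but issued with a subjectAltName extension.
SAN_CERT = """subject=C = DE, ST = Bayern, O = Example, CN = yyy.homelinux.org
X509v3 Subject Alternative Name: 
    DNS:yyy.homelinux.org, IP Address:198.51.100.7
"""

if __name__ == "__main__":
    for label, text in (("easy-rsa cert", EASYRSA_CERT), ("cert with SAN", SAN_CERT)):
        subject, sans = parse_openssl_output(text)
        print(label)
        for id_type, value in (("fqdn", "yyy.homelinux.org"), ("asn1dn", None)):
            ok, why = check_identifier(id_type, value, subject, sans)
            print("  %-7s %-4s %s" % (id_type, "OK" if ok else "FAIL", why))
        for line in racoon_identifier_lines(subject, sans):
            print("  usable:", line)
```

Run it against the real `openssl x509` output of each peer's certificate; the same rule applies to both sides, so a server that identifies itself with `my_identifier address` also needs an IP Address entry in its own certificate's subjectAltName, or must switch to asn1dn. Matching the ID to the certificate is not the same as trusting it: keep `verify_cert on;` and point `ca_type x509` at the CA that signed the peer certificates, otherwise any certificate carrying the expected name would be accepted.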