pfSense 1.2.3PRE <--> pfSense 1.2.2 | IPSec Tunnel Simply Won't Work
I am at my wit's end here. I can't seem to get my IPSec tunnel up and running between our office and our new colo facility. I currently have a working tunnel between the same 1.2.3PRE and a 1.2 instance. I am not sure what else to try. I have ensured that all the settings are equal and properly configured. I have tried rebooting both pfSense machines. I have no idea what the next step is here.
I have attached the relevant bits of the log file as well as my racoon.conf. If anyone sees anything obvious here, please help me out.
Thanks!
Geoff

This message is displayed on our central office pfSense server:
Aug 25 21:38:53 racoon: ERROR: failed to get sainfo.
Aug 25 21:38:25 last message repeated 3 times
Aug 25 21:37:55 racoon: ERROR: couldn't find configuration.
Aug 25 21:37:48 racoon: INFO: unsupported PF_KEY message REGISTER
This message is displayed on our satellite collocation pfSense server:
Aug 25 20:38:16 racoon: INFO: delete phase 2 handler.
Aug 25 20:38:16 racoon: [Office VPN2]: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 75.150.XX.XX[0]->208.93.XX.XX[0]
Aug 25 20:37:45 racoon: INFO: begin Aggressive mode.
Aug 25 20:37:45 racoon: [Office VPN2]: INFO: initiate new phase 1 negotiation: 208.93.XX.XX[500]<=>75.150.XX.XX[500]
Aug 25 20:37:45 racoon: [Office VPN2]: INFO: IPsec-SA request for 75.150.XX.XX queued due to no phase1 found.
This is the configuration of the central office pfSense server 1.2.3PRE (please note, one of the connections is working fine connected to a 1.2 pfSense):
# This file is automatically generated. Do not edit
listen {
    adminsock "/var/run/racoon.sock" "root" "wheel" 0660;
}
path pre_shared_key "/var/etc/psk.txt";
path certificate "/var/etc";

remote 66.66.66.66 {
    exchange_mode aggressive;
    my_identifier fqdn "office.connectfirst.com";
    peers_identifier address 66.66.66.66;
    initial_contact on;
    #dpd_delay 120; # DPD poll every 120 seconds
    ike_frag on;
    support_proxy on;
    proposal_check obey;

    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

sainfo address 192.168.200.0/24 any address 10.2.0.0/16 any {
    encryption_algorithm 3des,blowfish,cast128,rijndael,rijndael 256;
    authentication_algorithm hmac_sha1,hmac_md5;
    compression_algorithm deflate;
    pfs_group 2;
}

remote 77.77.77.77 {
    exchange_mode aggressive;
    my_identifier fqdn "office.connectfirst.com";
    peers_identifier address 77.77.77.77;
    initial_contact on;
    #dpd_delay 120; # DPD poll every 120 seconds
    ike_frag on;
    support_proxy on;
    proposal_check obey;

    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

sainfo address 192.168.200.0/24 any address 10.3.0.0/16 any {
    encryption_algorithm 3des,blowfish,cast128,rijndael,rijndael 256;
    authentication_algorithm hmac_sha1,hmac_md5;
    compression_algorithm deflate;
    pfs_group 2;
}
This is the configuration of the broken satellite collocation pfSense server 1.2.2:
path pre_shared_key "/var/etc/psk.txt";
path certificate "/var/etc";

remote 55.55.55.55 {
    exchange_mode aggressive;
    my_identifier fqdn "55m.domain.com";
    peers_identifier address 55.55.55.55;
    initial_contact on;
    #dpd_delay 120; # DPD poll every 120 seconds
    ike_frag on;
    support_proxy on;
    proposal_check obey;

    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

sainfo address 10.3.0.0/16 any address 192.168.200.0/24 any {
    encryption_algorithm 3des,blowfish,cast128,rijndael,rijndael 256;
    authentication_algorithm hmac_sha1,hmac_md5;
    compression_algorithm deflate;
    pfs_group 2;
}
This is the configuration of the WORKING satellite collocation pfSense server:

path pre_shared_key "/var/etc/psk.txt";
path certificate "/var/etc";

remote 55.55.55.55 {
    exchange_mode aggressive;
    my_identifier fqdn "atl.domain.com";
    peers_identifier address 55.55.55.55;
    initial_contact on;
    support_proxy on;
    proposal_check obey;

    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

sainfo address 10.2.0.0/16 any address 192.168.200.0/24 any {
    encryption_algorithm 3des,blowfish,cast128,rijndael,rijndael 256;
    authentication_algorithm hmac_sha1,hmac_md5;
    compression_algorithm deflate;
    pfs_group 2;
}
If there is any other information I can provide, please let me know.
Thanks!
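As an added example that is not part of the original post: racoon logs "failed to get sainfo" when none of its sainfo blocks match the phase 2 selectors the peer proposes, so a mechanical cross-check of the two generated racoon.conf files is a cheap first step before turning on debug logging. The script below (my own code, not pfSense's or racoon's) parses the subset of racoon grammar that pfSense 1.2.x writes and compares one spoke's single tunnel against the hub: the sainfo selectors must be mirror images, the phase 2 algorithm lists must overlap, pfs_group must agree, and the phase 1 proposal must match. The "hub"/"spoke" names and the assumption that each remote block is immediately followed by its own sainfo block are mine; the embedded configs are copied from the post above, with the post's placeholder addresses.

```python
"""Cross-check two pfSense-generated racoon.conf files for IKE phase 1 / phase 2
parameter mismatches. Added example, not from the original post.
Assumption: as in pfSense 1.2.x output, each `remote` block is immediately
followed by the `sainfo` block that belongs to it."""
import re

# Copied from the post (hub = central office 1.2.3PRE, spoke = broken 1.2.2 colo);
# addresses are the post's placeholders, and the commented dpd_delay line is omitted.
HUB_CONF = """
remote 66.66.66.66 { exchange_mode aggressive; my_identifier fqdn "office.connectfirst.com";
  peers_identifier address 66.66.66.66; initial_contact on; ike_frag on; support_proxy on;
  proposal_check obey; proposal { encryption_algorithm 3des; hash_algorithm sha1;
  authentication_method pre_shared_key; dh_group 2; } }
sainfo address 192.168.200.0/24 any address 10.2.0.0/16 any {
  encryption_algorithm 3des,blowfish,cast128,rijndael,rijndael 256;
  authentication_algorithm hmac_sha1,hmac_md5; compression_algorithm deflate; pfs_group 2; }
remote 77.77.77.77 { exchange_mode aggressive; my_identifier fqdn "office.connectfirst.com";
  peers_identifier address 77.77.77.77; initial_contact on; ike_frag on; support_proxy on;
  proposal_check obey; proposal { encryption_algorithm 3des; hash_algorithm sha1;
  authentication_method pre_shared_key; dh_group 2; } }
sainfo address 192.168.200.0/24 any address 10.3.0.0/16 any {
  encryption_algorithm 3des,blowfish,cast128,rijndael,rijndael 256;
  authentication_algorithm hmac_sha1,hmac_md5; compression_algorithm deflate; pfs_group 2; }
"""
SPOKE_CONF = """
remote 55.55.55.55 { exchange_mode aggressive; my_identifier fqdn "55m.domain.com";
  peers_identifier address 55.55.55.55; initial_contact on; ike_frag on; support_proxy on;
  proposal_check obey; proposal { encryption_algorithm 3des; hash_algorithm sha1;
  authentication_method pre_shared_key; dh_group 2; } }
sainfo address 10.3.0.0/16 any address 192.168.200.0/24 any {
  encryption_algorithm 3des,blowfish,cast128,rijndael,rijndael 256;
  authentication_algorithm hmac_sha1,hmac_md5; compression_algorithm deflate; pfs_group 2; }
"""

def tokenize(text):
    text = re.sub(r"#[^\n]*", "", text)          # drop '#' comments to end of line
    return re.findall(r'"[^"]*"|[{};]|[^\s{};]+', text)

def parse(tokens, i=0):
    """Recursive descent into a list of (head, body): body is None for a
    `key value;` statement, or a nested item list for a `head { ... }` block."""
    items = []
    while i < len(tokens) and tokens[i] != "}":
        head = []
        while tokens[i] not in ("{", ";"):
            head.append(tokens[i])
            i += 1
        if tokens[i] == ";":
            items.append((head, None))
            i += 1
        else:
            body, i = parse(tokens, i + 1)
            items.append((head, body))
            i += 1                                # consume the closing '}'
    return items, i

def stmt_value(body, key):
    """Value of statement `key` as one string (so 'rijndael 256' survives), or None."""
    for head, sub in body:
        if sub is None and head and head[0] == key:
            return " ".join(head[1:])
    return None

def alg_set(value):
    return {a.strip() for a in value.split(",")} if value else set()

def load(text):
    """Return (remotes, sainfos); each sainfo remembers the index of the remote before it."""
    items, _ = parse(tokenize(text))
    remotes, sainfos = [], []
    for head, body in items:
        if body is None or not head:
            continue
        if head[0] == "remote":
            prop = next((b for h, b in body if h and h[0] == "proposal"), [])
            remotes.append({"peer": head[1],
                            "exchange_mode": stmt_value(body, "exchange_mode"),
                            "enc": stmt_value(prop, "encryption_algorithm"),
                            "hash": stmt_value(prop, "hash_algorithm"),
                            "auth": stmt_value(prop, "authentication_method"),
                            "dh": stmt_value(prop, "dh_group")})
        elif head[0] == "sainfo":             # sainfo address <local> any address <remote> any
            sainfos.append({"local": head[2], "remote": head[5],
                            "enc": alg_set(stmt_value(body, "encryption_algorithm")),
                            "auth": alg_set(stmt_value(body, "authentication_algorithm")),
                            "pfs": stmt_value(body, "pfs_group"),
                            "remote_idx": len(remotes) - 1})
    return remotes, sainfos

def cross_check(hub_text, spoke_text):
    """List human-readable mismatches; an empty list means the generated configs agree."""
    hub_r, hub_s = load(hub_text)
    spoke_r, spoke_s = load(spoke_text)
    findings = []
    for s in spoke_s:
        mirror = [h for h in hub_s if h["local"] == s["remote"] and h["remote"] == s["local"]]
        if not mirror:
            findings.append(f"hub has no sainfo mirroring {s['local']} <-> {s['remote']}")
            continue
        h = mirror[0]
        if not (h["enc"] & s["enc"]):
            findings.append("phase 2 encryption algorithms do not overlap")
        if not (h["auth"] & s["auth"]):
            findings.append("phase 2 authentication algorithms do not overlap")
        if h["pfs"] != s["pfs"]:
            findings.append(f"pfs_group differs: hub {h['pfs']} vs spoke {s['pfs']}")
        if h["remote_idx"] < 0 or s["remote_idx"] < 0:
            continue                              # sainfo with no preceding remote block
        hr, sr = hub_r[h["remote_idx"]], spoke_r[s["remote_idx"]]
        for key in ("exchange_mode", "enc", "hash", "auth", "dh"):
            if hr[key] != sr[key]:
                findings.append(f"phase 1 {key} for peer {hr['peer']}: hub {hr[key]} vs spoke {sr[key]}")
    return findings

if __name__ == "__main__":
    for line in cross_check(HUB_CONF, SPOKE_CONF) or ["no selector/proposal mismatch in config"]:
        print(line)
```

On the configs from the post the check reports no mismatch, which narrows the search: it rules out the on-disk selectors and proposals, but says nothing about the contents of /var/etc/psk.txt, how each side resolves the fqdn identifiers, or the PF_KEY REGISTER message on the office side.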