IPsec tunnel pfSense 1.2.3.RC1 <-> IPCop 1.4.21 problems



  • I have an IPsec tunnel between a pfSense 1.2.3.RC1 and an IPCop version 1.4.21. Both have static IPs. My settings are:

    pfsense side:

    DPD interval : 60 sec
    local subnet: lan subnet (192.168.0.0 / 24)
    remote subnet: 192.168.30.0/24
    remote gateway: the remote wan static IP.

    Phase 1

    negotiation mode: Main
    My identifier: My Ip address
    Encryption algorithm: Blowfish
    Hash algorithm: MD5
    DH key group: 2
    Lifetime: 28800
    Authentication method: Preshared key
    Pre-Shared Key: samekeyastheipcopesite

    Phase2

    Protocol: ESP
    Encryption algorithms: Blowfish
    Hash algorithms: MD5
    PFS key group: 2
    Lifetime:86400

    IPCop side:

    Host IP: RED interface public IP
    Remote host: WAN public ip of pfsense
    Local Subnet: 192.168.30.0/255.255.255.0
    Remote Subnet: 192.168.0.0/255.255.255.0
    Local ID: Red interface public IP
    Remote ID: pfsense WAN public IP
    Shared key: sameasthepfsensesite

    Advanced settings:
    Encryption IKE: Blowfish (256) & Blowfish (128)
    Ike Integrity: MD5
    IKE Group: MODP-1024
    IKE time: 8 Hrs
    Encryption ESP: Blowfish (256) & Blowfish (128)
    ESP Integrity: MD5
    ESP Group: MODP-1024
    Lifetime ESP key: 24 hrs.

    Perfect Forward Secrecy (PFS): SET

    The "connection control & state" & the ipcop control pannel , shows the ipsec connection in green color and with a open indication.
    Also the pfsense ipsec status pannel shows the status with the green indication.

    At this point everything looks OK, but I have the following problem. If I restart the IPsec connection on the IPCop and at the same time
    I try to ping from a local machine on the pfSense LAN (192.168.0.4, an Ubuntu Linux box) to a remote IP on the IPCop LAN (192.168.30.10, a Linux box),
    I get responses from 192.168.30.10 for about 60 seconds, more or less; after that the responses stop. I checked
    this many times, always with the same result.

    Taking a look at the pfSense IPsec logs I see the following:

    Sep 8 18:15:00 racoon: [vpn a cordoba]: ERROR: pfkey DELETE received: ESP pfsense wan ip[500]->ipcop red ip[500] spi=2356322038(0x8c729ef6)
    Sep 8 18:15:00 racoon: [vpn a cordoba]: INFO: IPsec-SA established: ESP pfsense wan ip[500]->ipcop red ip[500] spi=760439526(0x2d5362e6)

    I'm working on this for about 3 days, reading the forums and googling with no results. Any help or comment will be appreciated.

    Marcos



  • Hi Marcos

    I am currently replacing 35 IPCops with pfSense. During the transition I have had to experiment with various configuration options.
    The best configuration I have come up with is to use the default IPCop VPN settings with compression off and PFS=yes.
    I went with 3DES and used lifetime settings of 3600 and 28800 respectively.

    I'm sure there are more optimal settings, but this works for me during the transition.

    Gordon



  • Hi Gordon,

    Thank you for your answer. I will try your settings and report my results here.

    Marcos



  • Just re-read my post.
    The 3600 & 28800 settings are on the pfSense end, in case it was confusing.



  • Hi Gordon,

    Unfortunately these settings don't work. I have a green OK indication on both sides, but after a minute the communication is down. I can't understand why. I have already set up another IPCop and pfSense IPsec tunnel with no problems, but with pfSense version 1.2.2. I found this in my IPsec logs (pfSense side):

    Sep 9 11:09:45 racoon: [vpn a cordoba]: ERROR: pfkey DELETE received: ESP wan pfsense[500]->IPCOP RED IP[500] spi=3607332516(0xd70386a4)
    Sep 9 11:09:45 racoon: [vpn a cordoba]: INFO: IPsec-SA established: ESP wan pfsense[500]->IPCOP RED IP[500] spi=3865395393(0xe66540c1)
    Sep 9 11:09:45 racoon: [vpn a cordoba]: INFO: IPsec-SA established: ESP IPCOP RED IP[0]->wan pfsense[0] spi=184063618(0xaf89682)
    Sep 9 11:09:45 racoon: [vpn a cordoba]: INFO: respond new phase 2 negotiation: wan pfsense[500]<=>IPCOP RED IP[500]
    Sep 9 11:09:45 racoon: [vpn a cordoba]: INFO: ISAKMP-SA established wan pfsense[500]-IPCOP RED IP[500] spi:dd3240523b1a178a:5edb221090fa00e5
    Sep 9 11:09:45 racoon: INFO: received Vendor ID: DPD
    Sep 9 11:09:45 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
    Sep 9 11:09:45 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Sep 9 11:09:45 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Sep 9 11:09:45 racoon: INFO: received Vendor ID: RFC 3947
    Sep 9 11:09:45 racoon: INFO: begin Identity Protection mode.
    Sep 9 11:09:45 racoon: [vpn a cordoba]: INFO: respond new phase 1 negotiation: wan pfsense[500]<=>IPCOP RED IP[500]
    Sep 9 11:09:44 racoon: [vpn a cordoba]: INFO: ISAKMP-SA deleted wan pfsense[500]-IPCOP RED IP[500] spi:022ba8fc052bf43f:8d9b0dfde61e13d8
    Sep 9 11:09:43 racoon: [vpn a cordoba]: INFO: ISAKMP-SA expired wan pfsense[500]-IPCOP RED IP[500] spi:022ba8fc052bf43f:8d9b0dfde61e13d8
    Sep 9 11:09:12 racoon: [vpn a cordoba]: ERROR: pfkey DELETE received: ESP wan pfsense[500]->IPCOP RED IP[500] spi=253583350(0xf1d5ff6)
    Sep 9 11:09:12 racoon: [vpn a cordoba]: INFO: IPsec-SA established: ESP wan pfsense[500]->IPCOP RED IP[500] spi=3607332516(0xd70386a4)
    Sep 9 11:09:12 racoon: [vpn a cordoba]: INFO: IPsec-SA established: ESP IPCOP RED IP[0]->wan pfsense[0] spi=55126245(0x34928e5)
    Sep 9 11:09:12 racoon: [vpn a cordoba]: INFO: respond new phase 2 negotiation: wan pfsense[500]<=>IPCOP RED IP[500]
    Sep 9 11:09:12 racoon: [vpn a cordoba]: INFO: ISAKMP-SA established wan pfsense[500]-IPCOP RED IP[500] spi:022ba8fc052bf43f:8d9b0dfde61e13d8
    Sep 9 11:09:11 racoon: INFO: received Vendor ID: DPD
    Sep 9 11:09:11 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
    Sep 9 11:09:11 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Sep 9 11:09:11 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Sep 9 11:09:11 racoon: INFO: received Vendor ID: RFC 3947
    Sep 9 11:09:11 racoon: INFO: begin Identity Protection mode.
    Sep 9 11:09:11 racoon: [vpn a cordoba]: INFO: respond new phase 1 negotiation: wan pfsense[500]<=>IPCOP RED IP[500]
    Sep 9 11:09:10 racoon: [vpn a cordoba]: INFO: ISAKMP-SA deleted wan pfsense[500]-IPCOP RED IP[500] spi:854e2e340ea487c6:f5eda415ea8305a6
    Sep 9 11:09:09 racoon: [vpn a cordoba]: INFO: ISAKMP-SA expired wan pfsense[500]-IPCOP RED IP[500] spi:854e2e340ea487c6:f5eda415ea8305a6

    Any clues?

    Marcos
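
The log excerpt above is in newest-first order, and the revealing detail is easy to miss when reading it by eye: the ISAKMP-SA with spi 022ba8fc... is established at 11:09:12 and already reported expired at 11:09:43, although Phase 1 is configured with a 28800 second lifetime. The following parser is an added example (not code from pfSense, racoon or anyone in this thread) that correlates racoon's ISAKMP-SA established/expired lines by SPI and flags SAs that lived far shorter than the configured lifetime, which is the symptom of a lifetime mismatch or DPD-triggered teardown between the two peers. The sample lines are copied from the excerpt in the thread; the 10% threshold is an assumption.

```python
import re
from datetime import datetime

# Lines copied from the racoon log quoted in this thread (newest first, as pfSense displays them).
RACOON_LOG = """\
Sep 9 11:09:45 racoon: [vpn a cordoba]: INFO: ISAKMP-SA established wan pfsense[500]-IPCOP RED IP[500] spi:dd3240523b1a178a:5edb221090fa00e5
Sep 9 11:09:44 racoon: [vpn a cordoba]: INFO: ISAKMP-SA deleted wan pfsense[500]-IPCOP RED IP[500] spi:022ba8fc052bf43f:8d9b0dfde61e13d8
Sep 9 11:09:43 racoon: [vpn a cordoba]: INFO: ISAKMP-SA expired wan pfsense[500]-IPCOP RED IP[500] spi:022ba8fc052bf43f:8d9b0dfde61e13d8
Sep 9 11:09:12 racoon: [vpn a cordoba]: INFO: IPsec-SA established: ESP wan pfsense[500]->IPCOP RED IP[500] spi=3607332516(0xd70386a4)
Sep 9 11:09:12 racoon: [vpn a cordoba]: INFO: ISAKMP-SA established wan pfsense[500]-IPCOP RED IP[500] spi:022ba8fc052bf43f:8d9b0dfde61e13d8
Sep 9 11:09:09 racoon: [vpn a cordoba]: INFO: ISAKMP-SA expired wan pfsense[500]-IPCOP RED IP[500] spi:854e2e340ea487c6:f5eda415ea8305a6
"""

# Matches only ISAKMP-SA (Phase 1) lifecycle lines; the optional "[tunnel name]: " tag is skipped.
ISAKMP_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) racoon: (?:\[[^\]]*\]: )?INFO: "
    r"ISAKMP-SA (?P<event>established|expired|deleted) .*? spi:(?P<spi>[0-9a-f]+:[0-9a-f]+)$"
)


def isakmp_sa_lifetimes(log_text):
    """Return {spi: seconds alive} for every ISAKMP-SA that was both established and expired in the log."""
    events = []
    for line in log_text.splitlines():
        m = ISAKMP_RE.match(line)
        if m:
            # Syslog timestamps carry no year; strptime defaults it, which is fine for differences.
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            events.append((ts, m["event"], m["spi"]))
    events.sort()  # restore chronological order before pairing events
    established, lifetimes = {}, {}
    for ts, event, spi in events:
        if event == "established":
            established[spi] = ts
        elif event == "expired" and spi in established:
            lifetimes[spi] = int((ts - established[spi]).total_seconds())
    return lifetimes


def short_lived_sas(log_text, configured_lifetime=28800, fraction=0.1):
    """SPIs whose observed lifetime is below `fraction` of the configured Phase 1 lifetime (assumed threshold)."""
    return {spi: secs for spi, secs in isakmp_sa_lifetimes(log_text).items()
            if secs < configured_lifetime * fraction}


if __name__ == "__main__":
    for spi, secs in short_lived_sas(RACOON_LOG).items():
        print(f"ISAKMP-SA {spi} lived only {secs}s (configured 28800s)")
```

Running it on the excerpt reports the 022ba8fc... SA as having lived 31 seconds; the 854e2e34... SA is skipped because its establishment lies before the start of the excerpt.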

