Ipsec tunnel pfsense 1.2.3.RC1 <-> ipcop 1.4.21 problems
-
I have an IPsec tunnel between a pfSense 1.2.3.RC1 and an IPCop version 1.4.21. Both have static IPs. My settings are:
pfsense side:
DPD interval : 60 sec
local subnet: lan subnet (192.168.0.0 / 24)
remote subnet: 192.168.30.0/24
remote gateway: the remote WAN static IP.
Phase 1
negotiation mode: Main
My identifier: My Ip address
Encryption algorithm: Blowfish
Hash algorithm: MD5
DH key group: 2
Lifetime: 28800
Authentication method: Preshared key
Pre-Shared Key: samekeyastheipcopesite
Phase 2
Protocol: ESP
Encryption algorithms: Blowfish
Hash algorithms: MD5
PFS key group: 2
Lifetime: 86400
IPCop side:
Host IP: RED interface public IP
Remote host: WAN public ip of pfsense
Local Subnet: 192.168.30.0/255.255.255.0
Remote Subnet: 192.168.0.0/255.255.255.0
Local ID: Red interface public IP
Remote ID: pfsense WAN public IP
Shared key: sameasthepfsensesite
Advanced settings:
Encryption IKE: Blowfish (256) & Blowfish (128)
Ike Integrity: MD5
IKE Group: MODP-1024
IKE time: 8 Hrs
Encryption ESP: Blowfish (256) & Blowfish (128)
ESP Integrity: MD5
ESP Group: MODP-1024
Lifetime ESP key: 24 hrs.
Perfect Forward Secrecy (PFS): SET
The "connection control & state" page and the IPCop control panel show the IPsec connection in green with an open indication.
The pfSense IPsec status panel also shows the status with the green indication. At this point everything looks OK, but I have the following problem. If I restart the IPsec connection on the IPCop and at the same time
I try to ping, from a local machine on the pfSense LAN (192.168.0.4, Ubuntu Linux box), a remote IP on the IPCop LAN (192.168.30.10, Linux box),
I can observe a response from 192.168.30.10 for about 60 seconds, more or less; after that the responses stop. I checked
this many times, always with the same result. Taking a look at the pfSense IPsec logs I see the following:
Sep 8 18:15:00 racoon: [vpn a cordoba]: ERROR: pfkey DELETE received: ESP pfsense wan ip[500]->ipcop red ip[500] spi=2356322038(0x8c729ef6)
Sep 8 18:15:00 racoon: [vpn a cordoba]: INFO: IPsec-SA established: ESP pfsense wan ip[500]->ipcop red ip[500] spi=760439526(0x2d5362e6)
I've been working on this for about 3 days, reading the forums and googling with no results. Any help or comment will be appreciated.
Marcos
-
Hi Marcos
I am currently replacing 35 IPCops with pfSense. During the transition I have had to experiment with various configuration options.
The best configuration I have come up with is to use the default IPCop VPN settings with compression off and PFS=yes.
I went with 3DES and used lifetime settings of 3600 and 28800 respectively.
I'm sure there are more optimal settings, but this works for me during the transition.
gordon
-
Hi Gordon,
Thank you for your answer. I will try your settings and report my results here.
Marcos
-
Just re-read my post.
The 3600 & 28800 settings are on the pfSense end, in case it was confusing.
-
Hi Gordon,
Unfortunately these settings don't work. I have a green OK indication on both sides, but after a minute the communication is down. I can't understand why. I have already set up another IPCop and pfSense IPsec tunnel with no problems, but with pfSense version 1.2.2. I found in my IPsec logs (pfSense side):
Sep 9 11:09:45 racoon: [vpn a cordoba]: ERROR: pfkey DELETE received: ESP wan pfsense[500]->IPCOP RED IP[500] spi=3607332516(0xd70386a4)
Sep 9 11:09:45 racoon: [vpn a cordoba]: INFO: IPsec-SA established: ESP wan pfsense[500]->IPCOP RED IP[500] spi=3865395393(0xe66540c1)
Sep 9 11:09:45 racoon: [vpn a cordoba]: INFO: IPsec-SA established: ESP IPCOP RED IP[0]->wan pfsense[0] spi=184063618(0xaf89682)
Sep 9 11:09:45 racoon: [vpn a cordoba]: INFO: respond new phase 2 negotiation: wan pfsense[500]<=>IPCOP RED IP[500]
Sep 9 11:09:45 racoon: [vpn a cordoba]: INFO: ISAKMP-SA established wan pfsense[500]-IPCOP RED IP[500] spi:dd3240523b1a178a:5edb221090fa00e5
Sep 9 11:09:45 racoon: INFO: received Vendor ID: DPD
Sep 9 11:09:45 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Sep 9 11:09:45 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Sep 9 11:09:45 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Sep 9 11:09:45 racoon: INFO: received Vendor ID: RFC 3947
Sep 9 11:09:45 racoon: INFO: begin Identity Protection mode.
Sep 9 11:09:45 racoon: [vpn a cordoba]: INFO: respond new phase 1 negotiation: wan pfsense[500]<=>IPCOP RED IP[500]
Sep 9 11:09:44 racoon: [vpn a cordoba]: INFO: ISAKMP-SA deleted wan pfsense[500]-IPCOP RED IP[500] spi:022ba8fc052bf43f:8d9b0dfde61e13d8
Sep 9 11:09:43 racoon: [vpn a cordoba]: INFO: ISAKMP-SA expired wan pfsense[500]-IPCOP RED IP[500] spi:022ba8fc052bf43f:8d9b0dfde61e13d8
Sep 9 11:09:12 racoon: [vpn a cordoba]: ERROR: pfkey DELETE received: ESP wan pfsense[500]->IPCOP RED IP[500] spi=253583350(0xf1d5ff6)
Sep 9 11:09:12 racoon: [vpn a cordoba]: INFO: IPsec-SA established: ESP wan pfsense[500]->IPCOP RED IP[500] spi=3607332516(0xd70386a4)
Sep 9 11:09:12 racoon: [vpn a cordoba]: INFO: IPsec-SA established: ESP IPCOP RED IP[0]->wan pfsense[0] spi=55126245(0x34928e5)
Sep 9 11:09:12 racoon: [vpn a cordoba]: INFO: respond new phase 2 negotiation: wan pfsense[500]<=>IPCOP RED IP[500]
Sep 9 11:09:12 racoon: [vpn a cordoba]: INFO: ISAKMP-SA established wan pfsense[500]-IPCOP RED IP[500] spi:022ba8fc052bf43f:8d9b0dfde61e13d8
Sep 9 11:09:11 racoon: INFO: received Vendor ID: DPD
Sep 9 11:09:11 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Sep 9 11:09:11 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Sep 9 11:09:11 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Sep 9 11:09:11 racoon: INFO: received Vendor ID: RFC 3947
Sep 9 11:09:11 racoon: INFO: begin Identity Protection mode.
Sep 9 11:09:11 racoon: [vpn a cordoba]: INFO: respond new phase 1 negotiation: wan pfsense[500]<=>IPCOP RED IP[500]
Sep 9 11:09:10 racoon: [vpn a cordoba]: INFO: ISAKMP-SA deleted wan pfsense[500]-IPCOP RED IP[500] spi:854e2e340ea487c6:f5eda415ea8305a6
Sep 9 11:09:09 racoon: [vpn a cordoba]: INFO: ISAKMP-SA expired wan pfsense[500]-IPCOP RED IP[500] spi:854e2e340ea487c6:f5eda415ea8305a6
Any clues?
Marcos
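Added example, not from the thread and not pfSense or IPCop code: a small Python script that parses racoon log lines of the form quoted above, pairs each "ISAKMP-SA established" with its "ISAKMP-SA expired" by cookie pair to measure how long each phase 1 SA actually lived, counts ESP SA installs and "pfkey DELETE" tear-downs, and flags phase 1 SAs that expired in a small fraction of the configured lifetime. The sample lines are a constructed subset of the log in this post (placeholder addresses kept as posted) and the 28800 s lifetime is the phase 1 value from the settings above.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the racoon lines quoted above (newest first,
# as the pfSense log viewer shows them), placeholder addresses left as posted.
SAMPLE_LOG = """\
Sep 9 11:09:45 racoon: [vpn a cordoba]: ERROR: pfkey DELETE received: ESP wan pfsense[500]->IPCOP RED IP[500] spi=3607332516(0xd70386a4)
Sep 9 11:09:45 racoon: [vpn a cordoba]: INFO: IPsec-SA established: ESP wan pfsense[500]->IPCOP RED IP[500] spi=3865395393(0xe66540c1)
Sep 9 11:09:45 racoon: [vpn a cordoba]: INFO: ISAKMP-SA established wan pfsense[500]-IPCOP RED IP[500] spi:dd3240523b1a178a:5edb221090fa00e5
Sep 9 11:09:43 racoon: [vpn a cordoba]: INFO: ISAKMP-SA expired wan pfsense[500]-IPCOP RED IP[500] spi:022ba8fc052bf43f:8d9b0dfde61e13d8
Sep 9 11:09:12 racoon: [vpn a cordoba]: ERROR: pfkey DELETE received: ESP wan pfsense[500]->IPCOP RED IP[500] spi=253583350(0xf1d5ff6)
Sep 9 11:09:12 racoon: [vpn a cordoba]: INFO: IPsec-SA established: ESP wan pfsense[500]->IPCOP RED IP[500] spi=3607332516(0xd70386a4)
Sep 9 11:09:12 racoon: [vpn a cordoba]: INFO: ISAKMP-SA established wan pfsense[500]-IPCOP RED IP[500] spi:022ba8fc052bf43f:8d9b0dfde61e13d8
Sep 9 11:09:09 racoon: [vpn a cordoba]: INFO: ISAKMP-SA expired wan pfsense[500]-IPCOP RED IP[500] spi:854e2e340ea487c6:f5eda415ea8305a6
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) racoon: (?:\[[^\]]*\]: )?(\w+): (.*)$")
ISAKMP_RE = re.compile(r"ISAKMP-SA (established|expired) .* spi:([0-9a-f]+:[0-9a-f]+)")
ESP_RE = re.compile(r"(pfkey DELETE received|IPsec-SA established): ESP .* spi=(\d+)")

def parse(log_text):
    """Return (timestamp, level, message) for racoon lines, oldest first."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # anything else (other daemons, blank lines) is skipped
            ts = datetime.strptime(" ".join(m.group(1).split()), "%b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return sorted(events, key=lambda e: e[0])

def analyze(log_text, configured_p1_lifetime=28800):
    """Measure real phase 1 SA lifetimes and ESP SA churn; flag phase 1 SAs that
    expired in under 1% of the configured lifetime (28800 s in the thread)."""
    established, lifetimes = {}, {}
    counts = {"esp_deleted": 0, "esp_installed": 0}
    for ts, _level, msg in parse(log_text):
        sa = ISAKMP_RE.search(msg)
        esp = ESP_RE.search(msg)
        if sa:
            state, cookies = sa.groups()  # cookies identify the ISAKMP SA
            if state == "established":
                established[cookies] = ts
            elif cookies in established:  # expired: pair with its setup time
                lifetimes[cookies] = int((ts - established[cookies]).total_seconds())
        elif esp:
            counts["esp_deleted" if esp.group(1).startswith("pfkey") else "esp_installed"] += 1
    premature = {k: v for k, v in lifetimes.items() if v * 100 < configured_p1_lifetime}
    return {"isakmp_lifetimes": lifetimes, "premature_expiry": premature, **counts}
```

On the sample, the phase 1 SA with cookies 022ba8fc052bf43f:8d9b0dfde61e13d8 lived 31 seconds against a configured 28800, which is the kind of mismatch worth comparing against the other side's IKE lifetime and DPD settings.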