    IPsec tunnel pfSense 1.2.3-RC1 <-> IPCop 1.4.21 problems

    IPsec
    jmarcosm:

      I have an IPsec tunnel between a pfSense 1.2.3-RC1 and an IPCop version 1.4.21. Both have static IPs. My settings are:

      pfSense side:

      DPD interval : 60 sec
      local subnet: lan subnet (192.168.0.0 / 24)
      remote subnet: 192.168.30.0/24
      remote gateway: the remote wan static IP.

      Phase 1

      negotiation mode: Main
      My identifier: My Ip address
      Encryption algorithm: Blowfish
      Hash algorithm: MD5
      DH key group: 2
      Lifetime: 28800
      Authentication method: Preshared key
      Pre-Shared Key: samekeyastheipcopesite

      Phase 2

      Protocol: ESP
      Encryption algorithms: Blowfish
      Hash algorithms: MD5
      PFS key group: 2
      Lifetime: 86400

      IPCop side:

      Host IP: RED interface public IP
      Remote host: WAN public ip of pfsense
      Local Subnet: 192.168.30.0/255.255.255.0
      Remote Subnet: 192.168.0.0/255.255.255.0
      Local ID: Red interface public IP
      Remote ID: pfsense WAN public IP
      Shared key: sameasthepfsensesite

      Advanced settings:
      Encryption IKE: Blowfish (256) & Blowfish (128)
      IKE Integrity: MD5
      IKE Group: MODP-1024
      IKE time: 8 Hrs
      Encryption ESP: Blowfish (256) & Blowfish (128)
      ESP Integrity: MD5
      ESP Group: MODP-1024
      Lifetime ESP key: 24 hrs.

      Perfect Forward Secrecy (PFS): SET

      The "connection control & state" page and the IPCop control panel show the IPsec connection in green with an "open" indication.
      The pfSense IPsec status panel also shows the status with the green indication.

      At this point everything looks OK, but I have the following problem. If I restart the IPsec connection on the IPCop and at the same time
      I try to ping, from a local machine on the local LAN (192.168.0.4, an Ubuntu Linux box), a remote IP on the IPCop LAN (192.168.30.10, a Linux box),
      I see responses from 192.168.30.10 for about 60 seconds, more or less; after that the responses stop. I have checked
      this many times, always with the same result.

      Looking at the pfSense IPsec logs I see the following:

      Sep 8 18:15:00 racoon: [vpn a cordoba]: ERROR: pfkey DELETE received: ESP pfsense wan ip[500]->ipcop red ip[500] spi=2356322038(0x8c729ef6)
      Sep 8 18:15:00 racoon: [vpn a cordoba]: INFO: IPsec-SA established: ESP pfsense wan ip[500]->ipcop red ip[500] spi=760439526(0x2d5362e6)

      I've been working on this for about 3 days, reading the forums and googling with no results. Any help or comment will be appreciated.

      Marcos


        Gob:

        Hi Marcos

        I am currently replacing 35 IPCops with pfSense. During the transition I have had to experiment with various configuration options.
        The best configuration I have come up with is to use the default IPCop VPN settings with compression off and PFS=yes.
        I went with 3DES and used lifetime settings of 3600 and 28800 respectively.

        I'm sure there are more optimal settings, but this works for me during the transition.

        Gordon


          jmarcosm:

          Hi Gordon,

          Thank you for your answer. I will try your settings and report my results here.

          Marcos


            Gob:

            Just re-read my post.
            The 3600 & 28800 settings are on the pfSense end, in case it was confusing.


              jmarcosm:

              Hi Gordon,

              Unfortunately these settings don't work. I have a green OK indication on both sides, but after a minute the communication is down. I can't understand why. I have already done other IPCop and pfSense IPsec tunnels with no problems, but with pfSense version 1.2.2. I found in my IPsec logs (pfSense side):

              Sep 9 11:09:45 racoon: [vpn a cordoba]: ERROR: pfkey DELETE received: ESP wan pfsense[500]->IPCOP RED IP[500] spi=3607332516(0xd70386a4)
              Sep 9 11:09:45 racoon: [vpn a cordoba]: INFO: IPsec-SA established: ESP wan pfsense[500]->IPCOP RED IP[500] spi=3865395393(0xe66540c1)
              Sep 9 11:09:45 racoon: [vpn a cordoba]: INFO: IPsec-SA established: ESP IPCOP RED IP[0]->wan pfsense[0] spi=184063618(0xaf89682)
              Sep 9 11:09:45 racoon: [vpn a cordoba]: INFO: respond new phase 2 negotiation: wan pfsense[500]<=>IPCOP RED IP[500]
              Sep 9 11:09:45 racoon: [vpn a cordoba]: INFO: ISAKMP-SA established wan pfsense[500]-IPCOP RED IP[500] spi:dd3240523b1a178a:5edb221090fa00e5
              Sep 9 11:09:45 racoon: INFO: received Vendor ID: DPD
              Sep 9 11:09:45 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
              Sep 9 11:09:45 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
              Sep 9 11:09:45 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
              Sep 9 11:09:45 racoon: INFO: received Vendor ID: RFC 3947
              Sep 9 11:09:45 racoon: INFO: begin Identity Protection mode.
              Sep 9 11:09:45 racoon: [vpn a cordoba]: INFO: respond new phase 1 negotiation: wan pfsense[500]<=>IPCOP RED IP[500]
              Sep 9 11:09:44 racoon: [vpn a cordoba]: INFO: ISAKMP-SA deleted wan pfsense[500]-IPCOP RED IP[500] spi:022ba8fc052bf43f:8d9b0dfde61e13d8
              Sep 9 11:09:43 racoon: [vpn a cordoba]: INFO: ISAKMP-SA expired wan pfsense[500]-IPCOP RED IP[500] spi:022ba8fc052bf43f:8d9b0dfde61e13d8
              Sep 9 11:09:12 racoon: [vpn a cordoba]: ERROR: pfkey DELETE received: ESP wan pfsense[500]->IPCOP RED IP[500] spi=253583350(0xf1d5ff6)
              Sep 9 11:09:12 racoon: [vpn a cordoba]: INFO: IPsec-SA established: ESP wan pfsense[500]->IPCOP RED IP[500] spi=3607332516(0xd70386a4)
              Sep 9 11:09:12 racoon: [vpn a cordoba]: INFO: IPsec-SA established: ESP IPCOP RED IP[0]->wan pfsense[0] spi=55126245(0x34928e5)
              Sep 9 11:09:12 racoon: [vpn a cordoba]: INFO: respond new phase 2 negotiation: wan pfsense[500]<=>IPCOP RED IP[500]
              Sep 9 11:09:12 racoon: [vpn a cordoba]: INFO: ISAKMP-SA established wan pfsense[500]-IPCOP RED IP[500] spi:022ba8fc052bf43f:8d9b0dfde61e13d8
              Sep 9 11:09:11 racoon: INFO: received Vendor ID: DPD
              Sep 9 11:09:11 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
              Sep 9 11:09:11 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
              Sep 9 11:09:11 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
              Sep 9 11:09:11 racoon: INFO: received Vendor ID: RFC 3947
              Sep 9 11:09:11 racoon: INFO: begin Identity Protection mode.
              Sep 9 11:09:11 racoon: [vpn a cordoba]: INFO: respond new phase 1 negotiation: wan pfsense[500]<=>IPCOP RED IP[500]
              Sep 9 11:09:10 racoon: [vpn a cordoba]: INFO: ISAKMP-SA deleted wan pfsense[500]-IPCOP RED IP[500] spi:854e2e340ea487c6:f5eda415ea8305a6
              Sep 9 11:09:09 racoon: [vpn a cordoba]: INFO: ISAKMP-SA expired wan pfsense[500]-IPCOP RED IP[500] spi:854e2e340ea487c6:f5eda415ea8305a6

              Any clues?

              Marcos

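The log above shows a phase 1 (ISAKMP) SA established at 11:09:12 and expired at 11:09:43, and the ESP SA with SPI 0xd70386a4 established at 11:09:12 and removed by a pfkey DELETE at 11:09:45, while the first post configured lifetimes of 28800 and 86400 seconds. That gap is easier to measure than to eyeball, especially since the pfSense log viewer prints newest lines first. The following is an added example, not code from the thread, pfSense, IPCop or racoon: it parses racoon log lines, pairs each SA's "established" line with its first expire/delete line by SPI, and flags SAs that died in a small fraction of their configured lifetime. The sample lines are constructed from those quoted in the post, with the redacted endpoints replaced by the documentation addresses 203.0.113.10 (pfSense WAN) and 198.51.100.20 (IPCop RED); everything else (function names, the 10% threshold) is the example's own choice.

```python
"""Measure observed IKE (phase 1) and ESP (phase 2) SA lifetimes from racoon log lines.

Added example for this thread, not pfSense, IPCop or racoon code. The sample log is
constructed from the lines quoted in the post, with the redacted endpoints replaced by
documentation addresses: 203.0.113.10 = pfSense WAN, 198.51.100.20 = IPCop RED.
"""
import re
from datetime import datetime

# Lifetimes configured on the pfSense side in the first post (phase 1 / phase 2), in seconds.
CONFIGURED = {"isakmp": 28800, "esp": 86400}

# Constructed sample, newest first as the pfSense log viewer shows it.
SAMPLE_LOG = """\
Sep 9 11:09:45 racoon: [vpn a cordoba]: ERROR: pfkey DELETE received: ESP 203.0.113.10[500]->198.51.100.20[500] spi=3607332516(0xd70386a4)
Sep 9 11:09:45 racoon: [vpn a cordoba]: INFO: IPsec-SA established: ESP 203.0.113.10[500]->198.51.100.20[500] spi=3865395393(0xe66540c1)
Sep 9 11:09:45 racoon: [vpn a cordoba]: INFO: IPsec-SA established: ESP 198.51.100.20[0]->203.0.113.10[0] spi=184063618(0xaf89682)
Sep 9 11:09:45 racoon: [vpn a cordoba]: INFO: ISAKMP-SA established 203.0.113.10[500]-198.51.100.20[500] spi:dd3240523b1a178a:5edb221090fa00e5
Sep 9 11:09:45 racoon: INFO: received Vendor ID: DPD
Sep 9 11:09:44 racoon: [vpn a cordoba]: INFO: ISAKMP-SA deleted 203.0.113.10[500]-198.51.100.20[500] spi:022ba8fc052bf43f:8d9b0dfde61e13d8
Sep 9 11:09:43 racoon: [vpn a cordoba]: INFO: ISAKMP-SA expired 203.0.113.10[500]-198.51.100.20[500] spi:022ba8fc052bf43f:8d9b0dfde61e13d8
Sep 9 11:09:12 racoon: [vpn a cordoba]: ERROR: pfkey DELETE received: ESP 203.0.113.10[500]->198.51.100.20[500] spi=253583350(0xf1d5ff6)
Sep 9 11:09:12 racoon: [vpn a cordoba]: INFO: IPsec-SA established: ESP 203.0.113.10[500]->198.51.100.20[500] spi=3607332516(0xd70386a4)
Sep 9 11:09:12 racoon: [vpn a cordoba]: INFO: IPsec-SA established: ESP 198.51.100.20[0]->203.0.113.10[0] spi=55126245(0x34928e5)
Sep 9 11:09:12 racoon: [vpn a cordoba]: INFO: ISAKMP-SA established 203.0.113.10[500]-198.51.100.20[500] spi:022ba8fc052bf43f:8d9b0dfde61e13d8
Sep 9 11:09:10 racoon: [vpn a cordoba]: INFO: ISAKMP-SA deleted 203.0.113.10[500]-198.51.100.20[500] spi:854e2e340ea487c6:f5eda415ea8305a6
Sep 9 11:09:09 racoon: [vpn a cordoba]: INFO: ISAKMP-SA expired 203.0.113.10[500]-198.51.100.20[500] spi:854e2e340ea487c6:f5eda415ea8305a6
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) racoon: (?P<msg>.*)$")
# Phase 1: the SPI is the initiator:responder cookie pair.
ISAKMP_RE = re.compile(
    r"ISAKMP-SA (?P<event>established|expired|deleted) (?P<peers>\S+) spi:(?P<spi>[0-9a-f]+:[0-9a-f]+)")
# Phase 2: one line per direction, keyed by the ESP SPI in hex.
ESP_UP_RE = re.compile(r"IPsec-SA established: ESP (?P<flow>\S+) spi=\d+\((?P<spi>0x[0-9a-f]+)\)")
ESP_DOWN_RE = re.compile(r"pfkey DELETE received: ESP (?P<flow>\S+) spi=\d+\((?P<spi>0x[0-9a-f]+)\)")


def parse_events(log_text):
    """Return (timestamp, kind, spi, event, endpoints) tuples in chronological order.

    Syslog timestamps carry no year; strptime fills in 1900, which is harmless for
    differences within one day. Lines that are not SA events are skipped.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        msg = m["msg"]
        e = ISAKMP_RE.search(msg)
        if e:
            events.append((ts, "isakmp", e["spi"], e["event"], e["peers"]))
            continue
        e = ESP_UP_RE.search(msg)
        if e:
            events.append((ts, "esp", e["spi"], "established", e["flow"]))
            continue
        e = ESP_DOWN_RE.search(msg)
        if e:
            events.append((ts, "esp", e["spi"], "deleted", e["flow"]))
    events.sort(key=lambda ev: ev[0])  # stable sort: same-second lines keep file order
    return events


def sa_lifetimes(events):
    """Pair each SA's establishment with its first end event (expired or deleted), keyed by (kind, spi)."""
    records = {}
    for ts, kind, spi, event, endpoints in events:
        rec = records.setdefault((kind, spi), {"kind": kind, "spi": spi, "endpoints": endpoints,
                                               "established": None, "ended": None, "end_reason": None})
        if event == "established":
            rec["established"] = ts
        elif rec["ended"] is None:
            rec["ended"], rec["end_reason"] = ts, event
    for rec in records.values():
        if rec["established"] and rec["ended"]:
            rec["lifetime_s"] = int((rec["ended"] - rec["established"]).total_seconds())
        else:
            rec["lifetime_s"] = None  # one end of the SA's life is outside the log window
    return records


def short_lived(records, configured, max_fraction=0.1):
    """Return SAs that lived less than max_fraction of their configured lifetime, oldest first."""
    hits = [r for r in records.values()
            if r["lifetime_s"] is not None and r["lifetime_s"] < configured[r["kind"]] * max_fraction]
    return sorted(hits, key=lambda r: r["established"])


if __name__ == "__main__":
    recs = sa_lifetimes(parse_events(SAMPLE_LOG))
    for rec in short_lived(recs, CONFIGURED):
        print(f"{rec['kind']:6} {rec['spi']} {rec['endpoints']} lived {rec['lifetime_s']}s "
              f"(configured {CONFIGURED[rec['kind']]}s, ended by {rec['end_reason']})")
```

On the sample, the phase 1 SA 022ba8fc052bf43f:8d9b0dfde61e13d8 comes out at 31 seconds (ended by "expired") and the ESP SA 0xd70386a4 at 33 seconds (ended by "deleted"), both against lifetimes measured in hours; SAs whose start or end falls outside the pasted window are kept but reported with no lifetime rather than guessed. The "pfkey DELETE received" line is the kernel's PF_KEY socket telling racoon that the ESP SA was removed from the kernel SAD; only by correlating it with the "IPsec-SA established" line for the same SPI does it become a lifetime, and that number, together with the same measurement taken from the IPCop side's logs, is what tells you which end is tearing the tunnel down.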