VPN doesn't work



  • I use pfSense (1.2.2 built on Sat Jan 17 17:24:57 EST 2009, FreeBSD 7.0-RELEASE-p8 i386)

    The error is below. Can you help me please! The service is running but the tunnel is down.

    Site One real IP : X.X.X.43

    Site Two real IP : X.X.X.34

    NOTE:

    I use a crossover cable to both sites and use the same switch, which distributes the real IPs. I make it site-to-site.

    racoon: ERROR: such policy already exists. anyway replace it: 10.0.1.0/24[0] 10.0.0.0/24[0] proto=any dir=in
    racoon: [Self]: INFO: X.X.166.34[500] used as isakmp port (fd=15)
    racoon: [Self]: INFO: 10.0.0.1[500] used as isakmp port (fd=14)
    racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=13)
    racoon: WARNING: /var/etc/racoon.conf:3: "0660" admin port support not compiled in
    racoon: ERROR: such policy already exists. anyway replace it: 10.0.0.0/24[0] 10.0.1.0/24[0] proto=any dir=out
    racoon: ERROR: such policy already exists. anyway replace it: 10.0.0.1/32[0] 10.0.0.0/24[0] proto=any dir=out
    racoon: ERROR: such policy already exists. anyway replace it: 10.0.0.0/24[0] 10.0.0.1/32[0] proto=any dir=in
    racoon: INFO: unsupported PF_KEY message REGISTER

    MY SETTINGS

    Site one
    Local IP network: 10.0.0.0/24
    Public IP address: X.X.X.34

    Site two
    Local IP network: 10.0.1.0/24
    Public IP address: X.X.X.43

    SITE ONE CONFIG IPSEC
    Interface WAN
    Localsubnet:    type Network
                          address 10.0.0.0 / 24
    Remote subnet: 10.0.1.0 / 24
    Remote Gateway: X.X.X.43

    Description:    ipsec tunnel 1

    Negotiation mode:  aggressive
    My identifier:            My IP address
    Encryption algorithm:  Blowfish
    Hash algorithm:            MD5
    DH key group:            2
    lifetime:                        86400
    Authentication method:  Pre-shared key
    Pre-Shared Key:            WqertykLhJKLMDLkOYHBUHhfdRTYbnMDGEW

    Certificate:      NONE
    KEY:              NONE
    peer certificate  NONE

    Phase 2 proposal (SA/Key Exchange)
    protocol:  ESP
    Encryption algorithms: select Blowfish
    Hash algorithms: select MD5
    PFS key group:  2
    Lifetime:            86400
    Automatically ping host:  IP address of a server in the 10.0.0.1 network

    SITE TWO CONFIG IPSEC

    Site one ipsec config
    Interface WAN
    Localsubnet:    type Network
                          address 10.0.1.0 / 24
    Remote subnet: 10.0.0.0 / 24
    Remote Gateway: X.X.X.34

    Description:    ipsec tunnel 1

    Negotiation mode:  aggressive
    My identifier:            My IP address
    Encryption algorithm:  Blowfish
    Hash algorithm:            MD5
    DH key group:            2
    lifetime:                        86400
    Authentication method:  Pre-shared key
    Pre-Shared Key:            WqertykLhJKLMDLkOYHBUHhfdRTYbnMDGEW

    Certificate:      NONE
    KEY:              NONE
    peer certificate  NONE

    Phase 2 proposal (SA/Key Exchange)
    protocol:  ESP
    Encryption algorithms: select Blowfish
    Hash algorithms: select MD5
    PFS key group:  2
    Lifetime:            86400
    Automatically ping host:  IP address of a server in the 10.0.1.1 (WAN GATEWAY) network

    ifconfig
    fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=8<VLAN_MTU>
            ether 00:03:47:e3:f7:f3
            inet X.X.X.34 netmask 0xfffffe00 broadcast X.X.X.255
            inet6 fe80::203:47ff:fee3:f7f3%fxp0 prefixlen 64 scopeid 0x1
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
    fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=8<VLAN_MTU>
            ether 00:0d:61:2a:70:06
            inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
            inet6 fe80::20d:61ff:fe2a:7006%fxp1 prefixlen 64 scopeid 0x2
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
    plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> metric 0 mtu 1500
    pflog0: flags=100<PROMISC> metric 0 mtu 33204
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
            inet 127.0.0.1 netmask 0xff000000
            inet6 ::1 prefixlen 128
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
    enc0: flags=41<UP,RUNNING> metric 0 mtu 1536
    pfsync0: flags=41<UP,RUNNING> metric 0 mtu 1460
            pfsync: syncdev: lo0 syncpeer: 224.0.0.240 maxupd: 128
    ng0: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500

    netstat -rn
    Routing tables

    Internet:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            144.122.166.1      UGS        0  124052  fxp0
    10.0.0.0/24        link#2            UC          0        0  fxp1
    10.0.0.1          00:0d:61:2a:70:06  UHLW        1    3392    lo0
    10.0.0.40          00:0f:fe:70:e4:7d  UHLW        1    2145  fxp1    618
    10.0.0.52          00:15:60:52:b1:d4  UHLW        1        1  fxp1  1110
    10.0.0.53          00:15:60:52:b7:41  UHLW        1        1  fxp1    370
    10.0.0.54          00:0f:fe:70:d1:0b  UHLW        1        1  fxp1  1100
    10.0.0.56          00:12:79:61:95:ec  UHLW        1        1  fxp1    522
    10.0.0.57          00:0f:fe:70:ce:c4  UHLW        1        1  fxp1    373
    10.0.0.197        00:23:ae:6b:c4:1f  UHLW        1        1  fxp1    862
    10.0.0.200        00:23:ae:6c:2d:f5  UHLW        1      71  fxp1    156
    10.0.0.236        08:00:27:2a:a7:36  UHLW        1        1  fxp1    848
    127.0.0.1          127.0.0.1          UH          0        0    lo0
    X.X.X.0/23  link#1            UC          0        0  fxp0
    X.X.X.1      00:0e:83:ba:f8:c2  UHLW        2    9255  fxp0  1200
    X.X.X.22    00:02:44:03:22:12  UHLW        1        3  fxp0  1191
    X.X.X.36    00:03:ba:56:c8:4d  UHLW        1    11052  fxp0  1183
    X.X.X.53    00:03:ba:12:f0:2c  UHLW        1      646  fxp0  1167
    X.X.X.80    00:0b:cd:90:86:07  UHLW        1      46  fxp0  1148

    Internet6:
    Destination                      Gateway                      Flags      Netif                                          Expire
    ::1                              ::1                          UHL        lo0
    fe80::%fxp0/64                    link#1                        UC        fxp0
    fe80::203:47ff:fee3:f7f3%fxp0    00:03:47:e3:f7:f3            UHL        lo0
    fe80::%fxp1/64                    link#2                        UC        fxp1
    fe80::20d:61ff:fe2a:7006%fxp1    00:0d:61:2a:70:06            UHL        lo0
    fe80::%lo0/64                    fe80::1%lo0                  U          lo0
    fe80::1%lo0                      link#5                        UHL        lo0
    ff01:1::/32                      link#1                        UC        fxp0
    ff01:2::/32                      link#2                        UC        fxp1
    ff01:5::/32                      ::1                          UC          lo0
    ff02::%fxp0/32                    link#1                        UC        fxp0
    ff02::%fxp1/32                    link#2                        UC        fxp1
    ff02::%lo0/32                    ::1                          UC          lo0

    setkey -D -P
    10.0.0.0/24[any] 10.0.0.1[any] any
            in none
            spid=45 seq=3 pid=16793
            refcnt=1
    10.0.1.0/24[any] 10.0.0.0/24[any] any
            in ipsec
            esp/tunnel/X.X.X.43-X.X.X.34/unique#16412
            spid=48 seq=2 pid=16793
            refcnt=1
    10.0.0.1[any] 10.0.0.0/24[any] any
            out none
            spid=46 seq=1 pid=16793
            refcnt=1
    10.0.0.0/24[any] 10.0.1.0/24[any] any
            out ipsec
            esp/tunnel/X.X.X.34-X.X.X.43/unique#16411
            spid=47 seq=0 pid=16793
            refcnt=1





  • Rebel Alliance Developer Netgate

    It just looks like the tunnel hasn't tried to establish, as if no traffic has tried to enter the tunnel.

    The messages you are seeing are typical of a normal IPsec startup, but there are no messages in there about a tunnel negotiating.

    So either nothing has tried to pass on the tunnel, or the two systems cannot really reach one another one the WAN.
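One way to make the reply's reading of the log mechanical: an added Python triage script (my example, not code from the post or from pfSense) that sorts racoon syslog lines into startup noise, negotiation and failure and reports whether a peer was ever contacted. The first sample reuses lines quoted in the post; the second adds two constructed lines whose wording assumes racoon's usual phase 1 messages.

```python
import re
from collections import Counter

# Constructed sample 1: startup lines quoted in the post above (no negotiation at all).
STARTUP_ONLY_LOG = """\
racoon: ERROR: such policy already exists. anyway replace it: 10.0.1.0/24[0] 10.0.0.0/24[0] proto=any dir=in
racoon: [Self]: INFO: X.X.166.34[500] used as isakmp port (fd=15)
racoon: WARNING: /var/etc/racoon.conf:3: "0660" admin port support not compiled in
racoon: INFO: unsupported PF_KEY message REGISTER
"""
# Constructed sample 2: the same startup plus a phase 1 attempt that times out
# (message wording assumed from racoon's usual output, not taken from the post).
ATTEMPTED_LOG = STARTUP_ONLY_LOG + """\
racoon: INFO: initiate new phase 1 negotiation: X.X.X.34[500]<=>X.X.X.43[500]
racoon: ERROR: phase1 negotiation failed due to time up. X.X.X.43[500]
"""

# Each class is a list of regexes; the first class that matches wins, so a
# "negotiation failed" line is counted as a failure, not as a negotiation.
CLASSES = {
    "startup": [r"such policy already exists", r"used as isakmp port",
                r"admin port support not compiled in", r"unsupported PF_KEY message"],
    "failure": [r"negotiation failed", r"no suitable proposal", r"invalid flag"],
    "negotiation": [r"(initiate|respond) new phase [12] negotiation",
                    r"ISAKMP-SA established", r"IPsec-SA established"],
}

def classify(line):
    """Return the class name for one racoon log line ('other' if nothing matches)."""
    for name, patterns in CLASSES.items():
        if any(re.search(p, line) for p in patterns):
            return name
    return "other"

def triage(log_text):
    """Count line classes and derive the verdict the reply above reaches by eye."""
    counts = Counter(classify(l) for l in log_text.splitlines() if l.strip())
    if counts["failure"]:
        verdict = "negotiation attempted but failed: compare proposals and PSK on both sides"
    elif counts["negotiation"]:
        verdict = "negotiation in progress or completed"
    else:
        verdict = "no negotiation seen: nothing entered the tunnel or peers are unreachable on the WAN"
    return dict(counts), verdict

if __name__ == "__main__":
    for name, log in (("startup only", STARTUP_ONLY_LOG), ("attempted", ATTEMPTED_LOG)):
        print(name, *triage(log))
```

Feed it the full racoon log from Status > System logs > IPsec; a result with only "startup" counts is the situation the reply describes.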

