Netgate Discussion Forum

    VPN Doesn't work (IPsec)
      insanadair:

      I use pfSense (1.2.2 built on Sat Jan 17 17:24:57 EST 2009, FreeBSD 7.0-RELEASE-p8 i386).

      The error is below. Can you help me please? The service is running but the tunnel is down.

      Site One real IP : X.X.X.43

      Site Two real IP : X.X.X.34

      NOTE:

      I connected both sites with a crossover cable and they use the same switch, which distributes the real IPs. I set it up site to site.

      racoon: ERROR: such policy already exists. anyway replace it: 10.0.1.0/24[0] 10.0.0.0/24[0] proto=any dir=in
      racoon: [Self]: INFO: X.X.166.34[500] used as isakmp port (fd=15)
      racoon: [Self]: INFO: 10.0.0.1[500] used as isakmp port (fd=14)
      racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=13)
      racoon: WARNING: /var/etc/racoon.conf:3: "0660" admin port support not compiled in
      racoon: ERROR: such policy already exists. anyway replace it: 10.0.0.0/24[0] 10.0.1.0/24[0] proto=any dir=out
      racoon: ERROR: such policy already exists. anyway replace it: 10.0.0.1/32[0] 10.0.0.0/24[0] proto=any dir=out
      racoon: ERROR: such policy already exists. anyway replace it: 10.0.0.0/24[0] 10.0.0.1/32[0] proto=any dir=in
      racoon: INFO: unsupported PF_KEY message REGISTER

      MY SETTINGS

      Site one
      Local IP network: 10.0.0.0/24
      Public IP address: X.X.X.34

      Site two
      Local IP network: 10.0.1.0/24
      Public IP address: X.X.X.43

      SITE ONE CONFIG IPSEC
      Interface WAN
      Localsubnet:    type Network
                            address 10.0.0.0 / 24
      Remote subnet: 10.0.1.0 / 24
      Remote Gateway: X.X.X.43

      Description:    ipsec tunnel 1

      Negotiation mode:  aggressive
      My identifier:            My IP address
      Encryption algorithm:  Blowfish
      Hash algorithm:            MD5
      DH key group:            2
      lifetime:                        86400
      Authentication method:  Pre-shared key
      Pre-Shared Key:            WqertykLhJKLMDLkOYHBUHhfdRTYbnMDGEW

      Certificate:      NONE
      KEY:              NONE
      peer certificate  NONE

      Phase 2 proposal (SA/Key Exchange)
      protocol:  ESP
      Encryption algorithms: select Blowfish
      Hash algorithms: select MD5
      PFS key group:  2
      Lifetime:            86400
      Automatically ping host:  IP address of a server in the 10.0.0.1 network

      SITE TWO CONFIG IPSEC

      Site one ipsec config
      Interface WAN
      Localsubnet:    type Network
                            address 10.0.1.0 / 24
      Remote subnet: 10.0.0.0 / 24
      Remote Gateway: X.X.X.34

      Description:    ipsec tunnel 1

      Negotiation mode:  aggressive
      My identifier:            My IP address
      Encryption algorithm:  Blowfish
      Hash algorithm:            MD5
      DH key group:            2
      lifetime:                        86400
      Authentication method:  Pre-shared key
      Pre-Shared Key:            WqertykLhJKLMDLkOYHBUHhfdRTYbnMDGEW

      Certificate:      NONE
      KEY:              NONE
      peer certificate  NONE

      Phase 2 proposal (SA/Key Exchange)
      protocol:  ESP
      Encryption algorithms: select Blowfish
      Hash algorithms: select MD5
      PFS key group:  2
      Lifetime:            86400
      Automatically ping host:  IP address of a server in the 10.0.1.1 (WAN GATEWAY) network

      ifconfig
      fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
              options=8<VLAN_MTU>
              ether 00:03:47:e3:f7:f3
              inet X.X.X.34 netmask 0xfffffe00 broadcast X.X.X.255
              inet6 fe80::203:47ff:fee3:f7f3%fxp0 prefixlen 64 scopeid 0x1
              media: Ethernet autoselect (100baseTX <full-duplex>)
              status: active
      fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
              options=8<VLAN_MTU>
              ether 00:0d:61:2a:70:06
              inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
              inet6 fe80::20d:61ff:fe2a:7006%fxp1 prefixlen 64 scopeid 0x2
              media: Ethernet autoselect (100baseTX <full-duplex>)
              status: active
      plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> metric 0 mtu 1500
      pflog0: flags=100<PROMISC> metric 0 mtu 33204
      lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
              inet 127.0.0.1 netmask 0xff000000
              inet6 ::1 prefixlen 128
              inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
      enc0: flags=41<UP,RUNNING> metric 0 mtu 1536
      pfsync0: flags=41<UP,RUNNING> metric 0 mtu 1460
              pfsync: syncdev: lo0 syncpeer: 224.0.0.240 maxupd: 128
      ng0: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500

      netstat -rn
      Routing tables

      Internet:
      Destination        Gateway            Flags    Refs      Use  Netif Expire
      default            144.122.166.1      UGS        0  124052  fxp0
      10.0.0.0/24        link#2            UC          0        0  fxp1
      10.0.0.1          00:0d:61:2a:70:06  UHLW        1    3392    lo0
      10.0.0.40          00:0f:fe:70:e4:7d  UHLW        1    2145  fxp1    618
      10.0.0.52          00:15:60:52:b1:d4  UHLW        1        1  fxp1  1110
      10.0.0.53          00:15:60:52:b7:41  UHLW        1        1  fxp1    370
      10.0.0.54          00:0f:fe:70:d1:0b  UHLW        1        1  fxp1  1100
      10.0.0.56          00:12:79:61:95:ec  UHLW        1        1  fxp1    522
      10.0.0.57          00:0f:fe:70:ce:c4  UHLW        1        1  fxp1    373
      10.0.0.197        00:23:ae:6b:c4:1f  UHLW        1        1  fxp1    862
      10.0.0.200        00:23:ae:6c:2d:f5  UHLW        1      71  fxp1    156
      10.0.0.236        08:00:27:2a:a7:36  UHLW        1        1  fxp1    848
      127.0.0.1          127.0.0.1          UH          0        0    lo0
      X.X.X.0/23  link#1            UC          0        0  fxp0
      X.X.X.1      00:0e:83:ba:f8:c2  UHLW        2    9255  fxp0  1200
      X.X.X.22    00:02:44:03:22:12  UHLW        1        3  fxp0  1191
      X.X.X.36    00:03:ba:56:c8:4d  UHLW        1    11052  fxp0  1183
      X.X.X.53    00:03:ba:12:f0:2c  UHLW        1      646  fxp0  1167
      X.X.X.80    00:0b:cd:90:86:07  UHLW        1      46  fxp0  1148

      Internet6:
      Destination                      Gateway                      Flags      Netif                                          Expire
      ::1                              ::1                          UHL        lo0
      fe80::%fxp0/64                    link#1                        UC        fxp0
      fe80::203:47ff:fee3:f7f3%fxp0    00:03:47:e3:f7:f3            UHL        lo0
      fe80::%fxp1/64                    link#2                        UC        fxp1
      fe80::20d:61ff:fe2a:7006%fxp1    00:0d:61:2a:70:06            UHL        lo0
      fe80::%lo0/64                    fe80::1%lo0                  U          lo0
      fe80::1%lo0                      link#5                        UHL        lo0
      ff01:1::/32                      link#1                        UC        fxp0
      ff01:2::/32                      link#2                        UC        fxp1
      ff01:5::/32                      ::1                          UC          lo0
      ff02::%fxp0/32                    link#1                        UC        fxp0
      ff02::%fxp1/32                    link#2                        UC        fxp1
      ff02::%lo0/32                    ::1                          UC          lo0

      setkey -D -P
      10.0.0.0/24[any] 10.0.0.1[any] any
              in none
              spid=45 seq=3 pid=16793
              refcnt=1
      10.0.1.0/24[any] 10.0.0.0/24[any] any
              in ipsec
              esp/tunnel/X.X.X.43-X.X.X.34/unique#16412
              spid=48 seq=2 pid=16793
              refcnt=1
      10.0.0.1[any] 10.0.0.0/24[any] any
              out none
              spid=46 seq=1 pid=16793
              refcnt=1
      10.0.0.0/24[any] 10.0.1.0/24[any] any
              out ipsec
              esp/tunnel/X.X.X.34-X.X.X.43/unique#16411
              spid=47 seq=0 pid=16793
              refcnt=1
      Attachments: ipsec_rules.jpg, ipsec-screen.jpg


        jimp (Rebel Alliance Developer, Netgate):

        It just looks like the tunnel hasn't tried to establish, as if no traffic has tried to enter the tunnel.

        The messages you are seeing are typical of a normal IPsec startup, but there are no messages in there about a tunnel negotiating.

        So either nothing has tried to pass on the tunnel, or the two systems cannot really reach one another on the WAN.

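The reply above rests on reading the racoon log correctly: every line the poster quoted is a startup message (policy (re)installation, ISAKMP port binding, PF_KEY chatter), and none is a Phase 1 or Phase 2 negotiation line. The following script is an added example, not code from the thread or from pfSense; it triages a racoon log the way jimp did, separates startup noise from negotiation messages, pulls the tunnel policies out of the "such policy already exists" lines to confirm the in/out policies mirror each other, and gives a verdict. The negotiation marker strings are the standard racoon log phrases; the sample log is the poster's own lines, copied here as a constructed input.

```python
import re

# Constructed sample: the racoon lines quoted in the first post (addresses masked as there).
SAMPLE_LOG = """\
racoon: ERROR: such policy already exists. anyway replace it: 10.0.1.0/24[0] 10.0.0.0/24[0] proto=any dir=in
racoon: [Self]: INFO: X.X.166.34[500] used as isakmp port (fd=15)
racoon: [Self]: INFO: 10.0.0.1[500] used as isakmp port (fd=14)
racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=13)
racoon: WARNING: /var/etc/racoon.conf:3: "0660" admin port support not compiled in
racoon: ERROR: such policy already exists. anyway replace it: 10.0.0.0/24[0] 10.0.1.0/24[0] proto=any dir=out
racoon: ERROR: such policy already exists. anyway replace it: 10.0.0.1/32[0] 10.0.0.0/24[0] proto=any dir=out
racoon: ERROR: such policy already exists. anyway replace it: 10.0.0.0/24[0] 10.0.0.1/32[0] proto=any dir=in
racoon: INFO: unsupported PF_KEY message REGISTER
"""

# Messages racoon emits while (re)starting; harmless on their own. The "such policy
# already exists" ERROR only means pfSense reloaded an SPD entry that was already there.
STARTUP_MARKERS = (
    "used as isakmp port",
    "such policy already exists. anyway replace it",
    "admin port support not compiled in",
    "unsupported PF_KEY message REGISTER",
)

# Messages racoon emits once a peer is actually contacted (success or failure).
NEGOTIATION_MARKERS = (
    "initiate new phase 1 negotiation",
    "respond new phase 1 negotiation",
    "ISAKMP-SA established",
    "initiate new phase 2 negotiation",
    "respond new phase 2 negotiation",
    "IPsec-SA established",
    "phase1 negotiation failed",
    "phase2 negotiation failed",
    "couldn't find the pskey",
    "NO-PROPOSAL-CHOSEN",
    "INVALID-ID-INFORMATION",
)

POLICY_RE = re.compile(
    r"anyway replace it: (?P<src>\S+)\[\d+\] (?P<dst>\S+)\[\d+\] proto=\S+ dir=(?P<dir>in|out)"
)


def classify(line):
    """Label one racoon log line as 'negotiation', 'startup' or 'other'."""
    if any(marker in line for marker in NEGOTIATION_MARKERS):
        return "negotiation"
    if any(marker in line for marker in STARTUP_MARKERS):
        return "startup"
    return "other"


def tunnel_policies(log):
    """Return the set of (src, dst, direction) SPD entries racoon reported (re)installing."""
    found = set()
    for line in log.splitlines():
        match = POLICY_RE.search(line)
        if match:
            found.add((match["src"], match["dst"], match["dir"]))
    return found


def policies_are_mirrored(policies):
    """Every 'out' policy A->B must have a matching 'in' policy B->A, and vice versa."""
    outs = {(s, d) for s, d, direction in policies if direction == "out"}
    ins = {(s, d) for s, d, direction in policies if direction == "in"}
    return bool(outs) and {(d, s) for s, d in outs} == ins


def triage(log):
    """Summarise a racoon log: message counts, SPD policies seen, and a plain verdict."""
    counts = {"startup": 0, "negotiation": 0, "other": 0}
    for line in log.splitlines():
        if line.strip():
            counts[classify(line)] += 1
    policies = tunnel_policies(log)
    if counts["negotiation"] == 0:
        verdict = ("no ISAKMP negotiation logged: either no traffic matched the tunnel "
                   "policy, or the peers cannot reach each other on UDP/500")
    else:
        verdict = "negotiation attempted; read the phase 1/phase 2 lines for the outcome"
    return {
        "counts": counts,
        "policies": policies,
        "policies_mirrored": policies_are_mirrored(policies),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the poster's log this reports nine startup lines, zero negotiation lines, mirrored in/out policies for 10.0.0.0/24 and 10.0.1.0/24, and the "no ISAKMP negotiation logged" verdict, which is exactly the situation the reply describes: the SPD is in place, so the next things to check are whether a LAN host on one side has actually sent packets toward the other subnet and whether UDP/500 between the two WAN addresses is reachable at all.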
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.