IPSec roadwarrior, no traffic through tunnel?



  • Hi all,

    Doing some testing on an IPsec VPN roadwarrior setup with pfSense v2.0, which we are planning to use in production. I am able to get the tunnel up, but I cannot get any data through it. I went through this again and again; I might be missing something very silly, but it just refuses to pass data. When looking at the IPsec status page it shows the tunnel, but the icon is yellow instead of green. Firewall rules allow everything to pass: all protocols, all sources, all destinations, on all interfaces. No ICMP packets are being dropped.

    Testing with Mutual PSK + Xauth and the Shrew Soft VPN Client. The setup is as follows:

    LAN(192.168.0.0/24) --> PFSENSE2.0b <-- WAN(10.0.0.0/24)

    I have one client in the LAN and one client in the WAN, and I'm trying to connect the WAN client to the VPN and make it ping the LAN client.

    Tunnels:

    Phase1:

    Phase2:

    Mobile clients:

    IPSec log after connecting to VPN, attempting a ping to the LAN side (which did not reply) and disconnecting:

    
    Jan 26 07:18:06 	racoon: [TEST]: INFO: @(#)ipsec-tools 0.8-alpha20090903 (http://ipsec-tools.sourceforge.net)
    Jan 26 07:18:06 	racoon: [TEST]: INFO: @(#)This product linked OpenSSL 0.9.8k 25 Mar 2009 (http://www.openssl.org/)
    Jan 26 07:18:06 	racoon: [TEST]: INFO: Reading configuration from "/var/etc/racoon.conf"
    Jan 26 07:18:06 	racoon: [TEST]: INFO: Resize address pool from 0 to 253
    Jan 26 07:18:06 	racoon: [TEST]: WARNING: setsockopt(UDP_ENCAP_ESPINUDP): UDP_ENCAP Protocol not available
    Jan 26 07:18:06 	racoon: [TEST]: INFO: 10.0.0.1[4500] used as isakmp port (fd=13)
    Jan 26 07:18:07 	racoon: [TEST]: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): UDP_ENCAP Protocol not available
    Jan 26 07:18:07 	racoon: [TEST]: INFO: 10.0.0.1[500] used as isakmp port (fd=14)
    Jan 26 07:18:07 	racoon: [TEST]: INFO: unsupported PF_KEY message REGISTER
    Jan 26 07:19:37 	racoon: [TEST]: INFO: respond new phase 1 negotiation: 10.0.0.1[500]<=>10.0.0.20[500]
    Jan 26 07:19:37 	racoon: [TEST]: INFO: begin Aggressive mode.
    Jan 26 07:19:37 	racoon: [TEST]: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Jan 26 07:19:37 	racoon: [TEST]: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
    Jan 26 07:19:37 	racoon: [TEST]: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
    Jan 26 07:19:37 	racoon: [TEST]: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Jan 26 07:19:37 	racoon: [TEST]: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Jan 26 07:19:37 	racoon: [TEST]: INFO: received Vendor ID: RFC 3947
    Jan 26 07:19:37 	racoon: [TEST]: INFO: received broken Microsoft ID: FRAGMENTATION
    Jan 26 07:19:37 	racoon: [TEST]: INFO: received Vendor ID: DPD
    Jan 26 07:19:37 	racoon: [TEST]: INFO: received Vendor ID: CISCO-UNITY
    Jan 26 07:19:37 	racoon: [TEST]: INFO: Adding xauth VID payload.
    Jan 26 07:19:37 	racoon: [TEST]: INFO: Sending Xauth request
    Jan 26 07:19:37 	racoon: [TEST]: INFO: ISAKMP-SA established 10.0.0.1[500]-10.0.0.20[500] spi:e1a84acb33a9bd29:da0d53c7064470ac
    Jan 26 07:19:37 	racoon: [TEST]: INFO: received INITIAL-CONTACT
    Jan 26 07:19:37 	racoon: [TEST]: INFO: Using port 0
    Jan 26 07:19:37 	racoon: [TEST]: INFO: login succeeded for user "pakjebakmeel"
    Jan 26 07:19:37 	racoon: [TEST]: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
    Jan 26 07:19:45 	racoon: [TEST]: INFO: respond new phase 2 negotiation: 10.0.0.1[500]<=>10.0.0.20[500]
    Jan 26 07:19:45 	racoon: [TEST]: INFO: no policy found, try to generate the policy : 192.168.200.2/32[0] 192.168.1.0/24[0] proto=any dir=in
    Jan 26 07:19:45 	racoon: [TEST]: INFO: IPsec-SA established: ESP 10.0.0.1[500]->10.0.0.20[500] spi=52245415(0x31d33a7)
    Jan 26 07:19:45 	racoon: [TEST]: INFO: IPsec-SA established: ESP 10.0.0.1[500]->10.0.0.20[500] spi=705601606(0x2a0ea046)
    Jan 26 07:19:45 	racoon: [TEST]: ERROR: such policy does not already exist: "192.168.200.2/32[0] 192.168.1.0/24[0] proto=any dir=in"
    Jan 26 07:19:45 	racoon: [TEST]: ERROR: such policy does not already exist: "192.168.1.0/24[0] 192.168.200.2/32[0] proto=any dir=out"
    Jan 26 07:19:47 	racoon: [TEST]: INFO: initiate new phase 2 negotiation: 10.0.0.1[500]<=>10.0.0.20[500]
    Jan 26 07:19:47 	racoon: [TEST]: WARNING: attribute has been modified.
    Jan 26 07:19:47 	racoon: [TEST]: INFO: IPsec-SA established: ESP 10.0.0.1[500]->10.0.0.20[500] spi=190180669(0xb55ed3d)
    Jan 26 07:19:47 	racoon: [TEST]: INFO: IPsec-SA established: ESP 10.0.0.1[500]->10.0.0.20[500] spi=2280451856(0x87ecef10)
    Jan 26 07:19:56 	racoon: [TEST]: INFO: generated policy, deleting it.
    Jan 26 07:19:56 	racoon: [TEST]: INFO: purged IPsec-SA proto_id=ESP spi=705601606.
    Jan 26 07:19:56 	racoon: [TEST]: INFO: purged IPsec-SA proto_id=ESP spi=2280451856.
    Jan 26 07:19:56 	racoon: [TEST]: INFO: ISAKMP-SA expired 10.0.0.1[500]-10.0.0.20[500] spi:e1a84acb33a9bd29:da0d53c7064470ac
    Jan 26 07:19:57 	racoon: [TEST]: INFO: ISAKMP-SA deleted 10.0.0.1[500]-10.0.0.20[500] spi:e1a84acb33a9bd29:da0d53c7064470ac
    Jan 26 07:19:57 	racoon: [TEST]: INFO: Released port 0
    
    

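The racoon log in the post records the phase 2 selectors for which racoon found no SPD entry and generated a policy on the fly (`no policy found, try to generate the policy : 192.168.200.2/32[0] 192.168.1.0/24[0] ...`), while the post describes the LAN as 192.168.0.0/24. As an added example (not from this thread, pfSense or ipsec-tools), the following Python checker parses such selector lines and compares the negotiated local and client networks against the subnets the administrator expected to be offering. The sample lines are constructed in the shape of the log above; the expected LAN subnet and the client address pool (192.168.200.0/24, a /24 assumed around the 192.168.200.2 the client received) are assumptions passed in by the caller.

```python
import ipaddress
import re

# Constructed sample lines, modelled on the racoon output in the thread.
SAMPLE_LOG = """\
Jan 26 07:19:45 \tracoon: [TEST]: INFO: respond new phase 2 negotiation: 10.0.0.1[500]<=>10.0.0.20[500]
Jan 26 07:19:45 \tracoon: [TEST]: INFO: no policy found, try to generate the policy : 192.168.200.2/32[0] 192.168.1.0/24[0] proto=any dir=in
Jan 26 07:19:45 \tracoon: [TEST]: ERROR: such policy does not already exist: "192.168.200.2/32[0] 192.168.1.0/24[0] proto=any dir=in"
Jan 26 07:19:45 \tracoon: [TEST]: ERROR: such policy does not already exist: "192.168.1.0/24[0] 192.168.200.2/32[0] proto=any dir=out"
"""

# A racoon policy selector: "<src>/<len>[port] <dst>/<len>[port] proto=<p> dir=<in|out>"
POLICY_RE = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\[\d+\]\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\[\d+\]\s+"
    r"proto=(?P<proto>\S+)\s+dir=(?P<dir>in|out)"
)


def parse_policies(log_text):
    """Extract every policy selector racoon logged, with its direction.

    For dir=in the source is the remote (client) side and the destination is
    the local side; for dir=out the two are swapped.
    """
    policies = []
    for line in log_text.splitlines():
        m = POLICY_RE.search(line)
        if not m:
            continue
        src = ipaddress.ip_network(m.group("src"), strict=False)
        dst = ipaddress.ip_network(m.group("dst"), strict=False)
        inbound = m.group("dir") == "in"
        policies.append({
            "remote": src if inbound else dst,
            "local": dst if inbound else src,
            "proto": m.group("proto"),
            "dir": m.group("dir"),
            # racoon logs this when the SPD held no matching policy and it
            # synthesised one from the client's proposal.
            "generated": "try to generate the policy" in line,
        })
    return policies


def check_selectors(policies, expected_local_nets, client_pool):
    """Return human-readable mismatches between the negotiated selectors
    and the networks the gateway was supposed to offer (assumed inputs)."""
    expected = [ipaddress.ip_network(n) for n in expected_local_nets]
    pool = ipaddress.ip_network(client_pool)
    issues = []
    for p in policies:
        if not any(p["local"].subnet_of(n) for n in expected):
            issues.append(
                f"dir={p['dir']}: local selector {p['local']} is not inside "
                f"any expected local network {[str(n) for n in expected]}"
            )
        if not p["remote"].subnet_of(pool):
            issues.append(
                f"dir={p['dir']}: client selector {p['remote']} is outside "
                f"the virtual address pool {pool}"
            )
    return issues


def count_generated(policies):
    """How many selectors racoon had to synthesise because no SPD entry matched."""
    return sum(1 for p in policies if p["generated"])


if __name__ == "__main__":
    pols = parse_policies(SAMPLE_LOG)
    # Assumed values: the LAN described in the post and a /24 pool around
    # the address the client received (192.168.200.2).
    for issue in check_selectors(pols, ["192.168.0.0/24"], "192.168.200.0/24"):
        print(issue)
    print(f"{count_generated(pols)} selector(s) generated on the fly")
```

Run against the constructed lines with the LAN from the post, every selector is flagged because the negotiated local side (192.168.1.0/24) lies outside 192.168.0.0/24; passing `["192.168.1.0/24"]` instead yields no issues, which is the quickest way to see whether a "tunnel up, no traffic" report is a selector mismatch rather than a firewall problem.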

  • hey,

    Anyone got IPSEC Roadwarrior running in 2.0B? Is it supposed to be working at all?
    I can't seem to get it running.

    Anyone who has got this working?



  • Sorry, the same question; I don't know how to solve it.
    In 1.23 or m0n0wall, IPsec roadwarrior works fine!


  • Rebel Alliance Developer Netgate

    pfSense 2.0 is still in beta. This is one area that still needs work. There are already some tickets open about it.

