Help: Can't Get Site-to-Site Working *With Pictures*



  • Guys,

    I have spent all day trying to get site-to-site IPsec up with pfSense and I'm dying for some help. We scaled back to a pre-shared key to see if we have it right.

    Network 1:
    public     75.66.8.58
    modem      10.1.10.1
    outside IP 10.1.10.254
    inside IP  192.168.10.1

    Network 2:
    public     98.249.136.7
    internal   192.168.20.0/25

    Below are the pictures of my setup:

    Please point out what I'm doing wrong.



  • I think the problem is that Network 1 is behind a NATing router.
    In my experience, pfSense likes a public IP on its WAN interface when using IPsec.

    If you have more than 1 public IP address available, you could disable NAT on your modem/router and put a public IP on pfSense.
    If you only have the one, are you able to set the router as a bridging modem instead?

    I believe OpenVPN might deal with a NATing router better than IPsec, but I am not familiar with that.

    Gordon



  • DPD interval is blank.
    Local subnet is blank.
    For the remote subnet it's a /25; are you doing CIDR? If not, it should be a /24.



  • You might want to remove/sanitize those public IPs from the data you're sharing here. Use something like A.A.A.A and B.B.B.B instead. Just a suggestion.



  • OK, I got a static IP for myself to make this work. I am using pfSense and he is using Vyatta for our site-to-site. He has successfully set up 3 site-to-site connections for Vyatta but I can't get pfSense to work with it.

    Please help

    Here is the current log:

    May 8 16:51:00 racoon: [Self]: INFO: MyIP[500] used as isakmp port (fd=16)
    May 8 16:51:00 racoon: [Self]: INFO: 192.168.10.1[500] used as isakmp port (fd=15)
    May 8 16:51:00 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=14)
    May 8 16:51:00 racoon: INFO: unsupported PF_KEY message REGISTER
    May 8 16:48:40 racoon: INFO: delete phase 2 handler.
    May 8 16:48:40 racoon: [Dario Network]: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP OtherSiteIp[0]->MyIP[0]
    May 8 16:48:33 racoon: ERROR: phase1 negotiation failed due to time up. 6c99e90f8fdf6d8c:0000000000000000
    May 8 16:48:10 racoon: [Dario Network]: INFO: phase2 sa deleted MyIP-OtherSiteIp
    May 8 16:48:09 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
    May 8 16:48:09 racoon: [Dario Network]: INFO: phase2 sa expired MyIP-OtherSiteIp
    May 8 16:47:43 racoon: INFO: begin Identity Protection mode.
    May 8 16:47:43 racoon: [Dario Network]: INFO: initiate new phase 1 negotiation: MyIP[500]<=>OtherSiteIp[500]
    May 8 16:47:43 racoon: [Dario Network]: INFO: IPsec-SA request for OtherSiteIp queued due to no phase1 found.
    May 8 16:46:19 racoon: [Self]: INFO: MyIP[500] used as isakmp port (fd=16)
    May 8 16:46:19 racoon: [Self]: INFO: 192.168.10.1[500] used as isakmp port (fd=15)
    May 8 16:46:19 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=14)
    May 8 16:46:19 racoon: INFO: unsupported PF_KEY message REGISTER
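
The log above shows the tunnel never getting past phase 1 (the ISAKMP exchange on UDP 500 times out, so phase 2 is stuck "waiting for phase1"). The following added example, not from the original thread or from pfSense, is a small parser for racoon lines as they appear in the pfSense IPsec log; it counts the phase-1/phase-2 events and returns a verdict so you can tell at a glance whether the peer is not answering at all or the failure is later in phase 2. The sample log is the excerpt posted above; the message strings matched are racoon's own, and the classification thresholds are an assumption of this example.

```python
import re

# racoon lines in the pfSense IPsec log: "Mon D HH:MM:SS racoon: [Tag]: LEVEL: message".
# The optional "[Tag]" is the phase-1 description configured in pfSense ("Self" for local notices).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) racoon: "
    r"(?:\[(?P<tag>[^\]]+)\]: )?(?P<level>INFO|NOTIFY|WARNING|ERROR): (?P<msg>.*)$"
)

# Excerpt of the log posted above (the poster already replaced the real addresses).
SAMPLE_LOG = """\
May 8 16:51:00 racoon: [Self]: INFO: MyIP[500] used as isakmp port (fd=16)
May 8 16:51:00 racoon: INFO: unsupported PF_KEY message REGISTER
May 8 16:48:40 racoon: INFO: delete phase 2 handler.
May 8 16:48:40 racoon: [Dario Network]: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP OtherSiteIp[0]->MyIP[0]
May 8 16:48:33 racoon: ERROR: phase1 negotiation failed due to time up. 6c99e90f8fdf6d8c:0000000000000000
May 8 16:48:09 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
May 8 16:47:43 racoon: INFO: begin Identity Protection mode.
May 8 16:47:43 racoon: [Dario Network]: INFO: initiate new phase 1 negotiation: MyIP[500]<=>OtherSiteIp[500]
"""

EVENTS = ("p1_initiated", "p1_timeout", "p1_established", "p2_blocked_on_p1", "p2_established")

def parse(log_text):
    """Yield one dict (ts, tag, level, msg) per racoon line; other lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def diagnose(log_text):
    """Count the negotiation milestones and say where the tunnel setup stalls."""
    counts = dict.fromkeys(EVENTS, 0)
    for ev in parse(log_text):
        msg = ev["msg"]
        if "initiate new phase 1 negotiation" in msg:
            counts["p1_initiated"] += 1
        elif msg.startswith("phase1 negotiation failed due to time up"):
            counts["p1_timeout"] += 1          # no ISAKMP reply from the peer at all
        elif "phase2 negotiation failed" in msg and "waiting for phase1" in msg:
            counts["p2_blocked_on_p1"] += 1    # consequence of the phase-1 timeout, not a phase-2 bug
        elif "ISAKMP-SA established" in msg:
            counts["p1_established"] += 1
        elif "IPsec-SA established" in msg:
            counts["p2_established"] += 1
    if counts["p1_timeout"] and not counts["p1_established"]:
        verdict = "phase1-timeout"   # check reachability of UDP 500/4500 and NAT in front of the WAN
    elif counts["p1_established"] and not counts["p2_established"]:
        verdict = "phase2-failure"   # peers talk, so compare phase-2 proposals and subnets
    elif counts["p2_established"]:
        verdict = "tunnel-up"
    else:
        verdict = "inconclusive"
    return {"verdict": verdict, **counts}
```

A "phase1-timeout" verdict means the peer never answered the first ISAKMP packet, which is consistent with the NAT concern raised earlier in the thread rather than with a mismatched subnet or proposal.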



  • I will assume that at the other end of the VPN, the VPN device there is working. Here's what I do when I know a VPN should be up but isn't (I usually get errors similar to yours in the IPsec log):

    1. Go to VPN -> IPsec.
    2. Click the edit button.
    3. Click save.
    4. It takes you back to the main IPsec screen; click apply, then click save on that same screen.

    If that doesn't fix it, delete and redo it (I did this and it fixed my problem).

    By removing IPs, focalguy meant to edit the pictures you posted (they have the actual IPs) and remove the IPs.

