IPsec road warrior



  • Hi,

    I am trying to set up IPsec but have a problem setting it up … if it is even possible ...

    On the site where the pfSense box is, we have the following setup ...

    WAN IP of pfSense is: 172.16.1.1, for example

    The gateway: 172.16.1.2

    The gateway is a Cisco and it forwards everything to the pfSense box...

    But in the examples we need to set up pfSense with my IP address (and this is not a public address in our case, since it is 172.16. ...)

    Tried setting the WAN address (80....) in there, but that still doesn't seem to work ..

    Any ideas ...


  • Rebel Alliance Developer Netgate

    We'll need some specific error messages or log entries to help much at all. Unfortunately your report is a bit vague.

    You might try setting the "My Identifier" setting on the pfSense side to the public IP on the Cisco.

    Other than that, check that you are using something close to this setup:
    http://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To



  • Hi,

    I was following that manual. I can get a connection now, but I am unable to ping the other side. I guess I am missing a rule somewhere ..

    The IPsec log gives me the following

    May 21 15:00:31 	racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 172.173.174.2[500]<=>83.101.6.59[500]
    May 21 15:00:31 	racoon: INFO: begin Aggressive mode.
    May 21 15:00:31 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
    May 21 15:00:31 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
    May 21 15:00:31 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    May 21 15:00:31 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    May 21 15:00:31 	racoon: INFO: received Vendor ID: RFC 3947
    May 21 15:00:31 	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    May 21 15:00:31 	racoon: INFO: received Vendor ID: DPD
    May 21 15:00:31 	racoon: INFO: received Vendor ID: CISCO-UNITY
    May 21 15:00:31 	racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established 172.173.174.2[500]-83.101.6.59[500] spi:1f36d6eb702ecc0e:1f0936865820e155
    May 21 15:00:39 	racoon: INFO: respond new phase 2 negotiation: 172.173.174.2[0]<=>83.101.6.59[0]
    May 21 15:00:39 	racoon: [Unknown Gateway/Dynamic]: INFO: no policy found, try to generate the policy : 192.168.20.1/32[0] 200.0.0.0/24[0] proto=any dir=in
    May 21 15:00:39 	racoon: INFO: IPsec-SA established: ESP 83.101.6.59[0]->172.173.174.2[0] spi=249236646(0xedb0ca6)
    May 21 15:00:39 	racoon: INFO: IPsec-SA established: ESP 172.173.174.2[0]->83.101.6.59[0] spi=2850468686(0xa9e6b34e)
    May 21 15:00:39 	racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.20.1/32[0] 200.0.0.0/24[0] proto=any dir=in"
    May 21 15:00:39 	racoon: ERROR: such policy does not already exist: "200.0.0.0/24[0] 192.168.20.1/32[0] proto=any dir=out"
    

    Under IPsec firewall rules I have:

    proto | source | port | destination | port | gateway


    Under WAN I have:

    proto | source | port | destination | port        | gateway
    udp   | *      | *    | *           | 500 (ISAKMP) | *


  • Rebel Alliance Developer Netgate

    What are you trying to ping from the mobile client? Another PC or server on the LAN side?

    Have you tried connecting to something using a different service and not ping?

    Sometimes the Windows firewall or other software firewalls will block services like ping from outside your native subnet.



  • Hi,

    I tried it from another location and that works like a charm … but from home it doesn't work ...

    It's probably because of the double NAT ...

    I am at home behind a pfSense box which forwards its packets to another router ...



    It works from behind the pfSense box now too; the ESP protocol was still blocked.

    Thanks for the help and have a nice weekend!!!
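
The racoon log posted earlier in the thread (phase 1 and phase 2 both established, yet no traffic) and the final fix (ESP was still blocked on WAN) together make a small triage check worth scripting. The following is an added example, not code from the thread or from pfSense: it parses the poster's racoon lines, works out whether ESP rode natively (endpoints logged as `[0]`) or inside NAT-T (endpoints logged as `[4500]`), and compares that against a WAN rule table. The rule tables and the helper names (`parse_racoon_log`, `missing_wan_rules`, `triage`) are constructed for this example; the log lines are the ones from the thread with whitespace normalised.

```python
import re
from dataclasses import dataclass, field

# Log lines copied from the thread (whitespace normalised). The rule tables
# further down are constructed to mirror the poster's before/after WAN rules.
RACOON_LOG = """\
May 21 15:00:31 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 172.173.174.2[500]<=>83.101.6.59[500]
May 21 15:00:31 racoon: INFO: begin Aggressive mode.
May 21 15:00:31 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
May 21 15:00:31 racoon: INFO: received Vendor ID: RFC 3947
May 21 15:00:31 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established 172.173.174.2[500]-83.101.6.59[500] spi:1f36d6eb702ecc0e:1f0936865820e155
May 21 15:00:39 racoon: INFO: respond new phase 2 negotiation: 172.173.174.2[0]<=>83.101.6.59[0]
May 21 15:00:39 racoon: [Unknown Gateway/Dynamic]: INFO: no policy found, try to generate the policy : 192.168.20.1/32[0] 200.0.0.0/24[0] proto=any dir=in
May 21 15:00:39 racoon: INFO: IPsec-SA established: ESP 83.101.6.59[0]->172.173.174.2[0] spi=249236646(0xedb0ca6)
May 21 15:00:39 racoon: INFO: IPsec-SA established: ESP 172.173.174.2[0]->83.101.6.59[0] spi=2850468686(0xa9e6b34e)
May 21 15:00:39 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.20.1/32[0] 200.0.0.0/24[0] proto=any dir=in"
May 21 15:00:39 racoon: ERROR: such policy does not already exist: "200.0.0.0/24[0] 192.168.20.1/32[0] proto=any dir=out"
"""

ADDR = r"([^\s\[]+)\[(\d+)\]"                      # address[port] as racoon prints it
PHASE1_RE = re.compile(r"ISAKMP-SA established " + ADDR + "-" + ADDR)
PHASE2_RE = re.compile(r"IPsec-SA established: ESP " + ADDR + "->" + ADDR + r" spi=(\d+)")
POLICY_ERR_RE = re.compile(r'such policy does not already exist: "([^"]+)"')
NAT_T_VID_RE = re.compile(r"received Vendor ID: (?:draft-ietf-ipsec-nat-t-ike-\d+|RFC 3947)")


@dataclass
class IpsecState:
    phase1: list = field(default_factory=list)      # (local, lport, peer, pport)
    phase2: list = field(default_factory=list)      # (src, sport, dst, dport, spi)
    policy_errors: list = field(default_factory=list)
    aggressive_mode: bool = False
    nat_t_offered: bool = False                     # peer advertised NAT-T vendor IDs

    @property
    def nat_t_active(self) -> bool:
        # racoon prints [4500] on the SA endpoints when ESP is UDP-encapsulated;
        # [0], as in the thread, means native ESP (IP protocol 50) on the wire.
        return any(4500 in (sp, dp) for _, sp, _, dp, _ in self.phase2)


def parse_racoon_log(text: str) -> IpsecState:
    st = IpsecState()
    for line in text.splitlines():
        if "begin Aggressive mode" in line:
            st.aggressive_mode = True
        if NAT_T_VID_RE.search(line):
            st.nat_t_offered = True
        if m := PHASE1_RE.search(line):
            st.phase1.append((m[1], int(m[2]), m[3], int(m[4])))
        elif m := PHASE2_RE.search(line):
            st.phase2.append((m[1], int(m[2]), m[3], int(m[4]), int(m[5])))
        elif m := POLICY_ERR_RE.search(line):
            st.policy_errors.append(m[1])
    return st


# (proto, destination port) rows; the thread's WAN table had only the first.
WAN_RULES_BEFORE = [("udp", 500)]
WAN_RULES_AFTER = [("udp", 500), ("esp", None)]    # the fix the poster reported


def required_wan_rules(st: IpsecState) -> set:
    needed = {("udp", 500)}                         # IKE
    if st.nat_t_active:
        needed.add(("udp", 4500))                   # NAT-T: IKE and encapsulated ESP on 4500
    else:
        needed.add(("esp", None))                   # native ESP, no port
    return needed


def missing_wan_rules(st: IpsecState, rules) -> list:
    present = {(p.lower(), d) for p, d in rules}
    return sorted(required_wan_rules(st) - present, key=lambda r: (r[0], r[1] or 0))


def triage(log_text: str, rules) -> tuple:
    st = parse_racoon_log(log_text)
    findings = []
    if not st.phase1:
        findings.append("phase 1 never completed: check the pre-shared key, the identifiers "
                        "(My Identifier on a NATed pfSense) and that UDP 500 reaches the box")
    elif not st.phase2:
        findings.append("phase 1 up but no phase 2 SA: check phase 2 proposals and networks")
    if st.policy_errors and st.phase2:
        findings.append("SAs came up despite the 'such policy does not already exist' errors, "
                        "so they are not what blocks traffic here")
    for proto, port in missing_wan_rules(st, rules):
        findings.append(f"WAN rule missing: allow {proto}" + (f" port {port}" if port else "")
                        + ", otherwise tunnel traffic is dropped after the SAs are established")
    if st.aggressive_mode:
        findings.append("aggressive mode with a pre-shared key exposes the identity and a "
                        "PSK-derived hash to offline attack; prefer main mode or certificates")
    return st, findings


if __name__ == "__main__":
    for label, rules in (("before", WAN_RULES_BEFORE), ("after", WAN_RULES_AFTER)):
        _, findings = triage(RACOON_LOG, rules)
        print(label, *findings, sep="\n  ")
```

Run against the thread's log, the "before" table yields exactly one blocking finding (no ESP rule on WAN), which matches the fix the poster eventually found; the "after" table yields none. The NAT-T distinction matters for the double-NAT case raised later in the thread: once the client sits behind a NAT that IKE detects, racoon logs the SA endpoints on port 4500 and the WAN rule that is needed is UDP 4500 rather than ESP.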

