Ipsec roadwarrior

conehead

Hi,

I am tryint to setup ipsec but have a problem setting it up … If it is even possible ...

On the site where the pfsense box is we have te following setup ...

wan ip of pfsense is : 172.16.1.1 for example

the gateway: 172.16.1.2

the gateway is a cisco and it forwards everything to the pfsense box...

But in the examples we need to setup pfsense with my ip adress ( and this is not a public address ) in our cases since it is 172.16. ...

Tried setting in ther the wan address ( 80....) but that still doesn't seem to work ..

Any ideas ...

jimp

We'll need some specific error messages or log entries to help much at all. Unfortunately your report is a bit vague.

You might try setting the "My Identifier" setting on the pfSense side to the public IP on the Cisco.

Other than that, check that you are using something close to this setup:
http://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To

conehead

Hi,

I was following that manual but, i can get a connection now but i am unable to ping the other side. I guess i am missing a rule somewhere ..

The ipsec logs gives me the following

May 21 15:00:31 	racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 172.173.174.2[500]<=>83.101.6.59[500]
May 21 15:00:31 	racoon: INFO: begin Aggressive mode.
May 21 15:00:31 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
May 21 15:00:31 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
May 21 15:00:31 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
May 21 15:00:31 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
May 21 15:00:31 	racoon: INFO: received Vendor ID: RFC 3947
May 21 15:00:31 	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
May 21 15:00:31 	racoon: INFO: received Vendor ID: DPD
May 21 15:00:31 	racoon: INFO: received Vendor ID: CISCO-UNITY
May 21 15:00:31 	racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established 172.173.174.2[500]-83.101.6.59[500] spi:1f36d6eb702ecc0e:1f0936865820e155
May 21 15:00:39 	racoon: INFO: respond new phase 2 negotiation: 172.173.174.2[0]<=>83.101.6.59[0]
May 21 15:00:39 	racoon: [Unknown Gateway/Dynamic]: INFO: no policy found, try to generate the policy : 192.168.20.1/32[0] 200.0.0.0/24[0] proto=any dir=in
May 21 15:00:39 	racoon: INFO: IPsec-SA established: ESP 83.101.6.59[0]->172.173.174.2[0] spi=249236646(0xedb0ca6)
May 21 15:00:39 	racoon: INFO: IPsec-SA established: ESP 172.173.174.2[0]->83.101.6.59[0] spi=2850468686(0xa9e6b34e)
May 21 15:00:39 	racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.20.1/32[0] 200.0.0.0/24[0] proto=any dir=in"
May 21 15:00:39 	racoon: ERROR: such policy does not already exist: "200.0.0.0/24[0] 192.168.20.1/32[0] proto=any dir=out"

under ipsec firewall rules i have:

proto source port destination port gateway

---

under wan i have:

proto source port destination port gateway
udp * * * 500(ISAKMP) *

jimp

What are you trying to ping from the mobile client? another PC or server on the LAN side?

Have you tried connecting to something using a different service and not ping?

Sometimes the windows firewall or other software firewalls will block services like ping from off of your native subnet.

conehead

Hi,

I tried it from another location and that works like a charm … But from home it doesn't work ...

It's probably because of the double  nat ...

I am at home behind a pfsense box which forward it's packets to another router ...

conehead

It works from behind the pfsense box also now, esp protocol was still blocked.

thanks for the help and have a nice weekend !!!