    Ipsec roadwarrior
conehead:

      Hi,

I am trying to set up IPsec but have a problem setting it up... if it is even possible...

On the site where the pfSense box is we have the following setup...

WAN IP of pfSense is: 172.16.1.1 for example

      the gateway: 172.16.1.2

The gateway is a Cisco and it forwards everything to the pfSense box...

But in the examples we need to set up pfSense with my IP address (and this is not a public address in our case, since it is 172.16....).

Tried setting in there the WAN address (80....) but that still doesn't seem to work...

      Any ideas ...

jimp (Rebel Alliance Developer, Netgate):

        We'll need some specific error messages or log entries to help much at all. Unfortunately your report is a bit vague.

        You might try setting the "My Identifier" setting on the pfSense side to the public IP on the Cisco.

        Other than that, check that you are using something close to this setup:
        http://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

conehead:

          Hi,

I was following that manual; I can get a connection now, but I am unable to ping the other side. I guess I am missing a rule somewhere...

The IPsec logs give me the following:

          May 21 15:00:31 	racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 172.173.174.2[500]<=>83.101.6.59[500]
          May 21 15:00:31 	racoon: INFO: begin Aggressive mode.
          May 21 15:00:31 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
          May 21 15:00:31 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
          May 21 15:00:31 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
          May 21 15:00:31 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
          May 21 15:00:31 	racoon: INFO: received Vendor ID: RFC 3947
          May 21 15:00:31 	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
          May 21 15:00:31 	racoon: INFO: received Vendor ID: DPD
          May 21 15:00:31 	racoon: INFO: received Vendor ID: CISCO-UNITY
          May 21 15:00:31 	racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established 172.173.174.2[500]-83.101.6.59[500] spi:1f36d6eb702ecc0e:1f0936865820e155
          May 21 15:00:39 	racoon: INFO: respond new phase 2 negotiation: 172.173.174.2[0]<=>83.101.6.59[0]
          May 21 15:00:39 	racoon: [Unknown Gateway/Dynamic]: INFO: no policy found, try to generate the policy : 192.168.20.1/32[0] 200.0.0.0/24[0] proto=any dir=in
          May 21 15:00:39 	racoon: INFO: IPsec-SA established: ESP 83.101.6.59[0]->172.173.174.2[0] spi=249236646(0xedb0ca6)
          May 21 15:00:39 	racoon: INFO: IPsec-SA established: ESP 172.173.174.2[0]->83.101.6.59[0] spi=2850468686(0xa9e6b34e)
          May 21 15:00:39 	racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.20.1/32[0] 200.0.0.0/24[0] proto=any dir=in"
          May 21 15:00:39 	racoon: ERROR: such policy does not already exist: "200.0.0.0/24[0] 192.168.20.1/32[0] proto=any dir=out"

Under IPsec firewall rules I have:

proto | source | port | destination | port | gateway

Under WAN I have:

proto | source | port | destination | port | gateway
udp | * | * | * | 500 (ISAKMP) | *

jimp (Rebel Alliance Developer, Netgate):
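The racoon output quoted above has a recognisable shape: phase 1 (ISAKMP-SA) and phase 2 (IPsec-SA) both complete, and the only errors concern the generated policy. The following is an added Python example, not code from the thread or from pfSense/racoon, that parses lines of that shape into a summary and turns the summary into defender-oriented findings. The sample log is constructed from the lines in the thread (same addresses and SPIs); the regexes and the wording of the findings are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample: the same message shapes racoon produced in the thread above.
SAMPLE_LOG = """\
May 21 15:00:31 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 172.173.174.2[500]<=>83.101.6.59[500]
May 21 15:00:31 racoon: INFO: begin Aggressive mode.
May 21 15:00:31 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
May 21 15:00:31 racoon: INFO: received Vendor ID: RFC 3947
May 21 15:00:31 racoon: INFO: received Vendor ID: DPD
May 21 15:00:31 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established 172.173.174.2[500]-83.101.6.59[500] spi:1f36d6eb702ecc0e:1f0936865820e155
May 21 15:00:39 racoon: INFO: respond new phase 2 negotiation: 172.173.174.2[0]<=>83.101.6.59[0]
May 21 15:00:39 racoon: [Unknown Gateway/Dynamic]: INFO: no policy found, try to generate the policy : 192.168.20.1/32[0] 200.0.0.0/24[0] proto=any dir=in
May 21 15:00:39 racoon: INFO: IPsec-SA established: ESP 83.101.6.59[0]->172.173.174.2[0] spi=249236646(0xedb0ca6)
May 21 15:00:39 racoon: INFO: IPsec-SA established: ESP 172.173.174.2[0]->83.101.6.59[0] spi=2850468686(0xa9e6b34e)
May 21 15:00:39 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.20.1/32[0] 200.0.0.0/24[0] proto=any dir=in"
May 21 15:00:39 racoon: ERROR: such policy does not already exist: "200.0.0.0/24[0] 192.168.20.1/32[0] proto=any dir=out"
"""

# Patterns written for the message shapes seen above (an assumption of this example,
# not a complete grammar of racoon's log output).
PHASE1_RE = re.compile(r"ISAKMP-SA established ([0-9.]+)\[(\d+)\]-([0-9.]+)\[(\d+)\]")
PHASE2_RE = re.compile(r"IPsec-SA established: ESP ([0-9.]+)\[\d+\]->([0-9.]+)\[\d+\] spi=(\d+)")
POLICY_ERR_RE = re.compile(r'ERROR: such policy does not already exist: "([^"]+)"')
NATT_RE = re.compile(r"received Vendor ID: (draft-ietf-ipsec-nat-t-ike-\d+|RFC 3947)")


@dataclass
class IkeSummary:
    aggressive_mode: bool = False
    nat_t_vendor_ids: List[str] = field(default_factory=list)
    phase1_established: bool = False
    phase1_peers: Tuple[str, str] = ("", "")
    phase2_sas: List[Tuple[str, str, int]] = field(default_factory=list)  # (src, dst, spi)
    policy_errors: List[str] = field(default_factory=list)


def summarize_racoon_log(text: str) -> IkeSummary:
    """Walk the log once and record what each IKE phase achieved."""
    s = IkeSummary()
    for line in text.splitlines():
        if "begin Aggressive mode" in line:
            s.aggressive_mode = True
            continue
        m = NATT_RE.search(line)
        if m:
            s.nat_t_vendor_ids.append(m.group(1))
            continue
        m = PHASE1_RE.search(line)
        if m:
            s.phase1_established = True
            s.phase1_peers = (m.group(1), m.group(3))
            continue
        m = PHASE2_RE.search(line)
        if m:
            s.phase2_sas.append((m.group(1), m.group(2), int(m.group(3))))
            continue
        m = POLICY_ERR_RE.search(line)
        if m:
            s.policy_errors.append(m.group(1))
    return s


def diagnose(s: IkeSummary) -> List[str]:
    """Map the summary to the next thing a defender should check."""
    findings: List[str] = []
    if not s.phase1_established:
        findings.append("phase 1 never completed: check the pre-shared key, My/Peer Identifier and phase 1 proposals")
        return findings
    if s.aggressive_mode:
        findings.append("aggressive mode in use: with a PSK the identity and auth hash are sent unprotected; prefer main mode or certificates")
    if not s.phase2_sas:
        findings.append("phase 2 never completed: compare local/remote networks and ESP proposals on both peers")
        return findings
    if s.policy_errors:
        findings.append("racoon logged %d 'such policy does not already exist' error(s) while installing the generated policy: compare the phase 2 networks with what the client requests" % len(s.policy_errors))
    findings.append("IKE completed both phases, so a remaining traffic failure is downstream: confirm ESP (IP protocol 50) and UDP 4500 are allowed on the WAN and by every NAT in the path")
    return findings


if __name__ == "__main__":
    for f in diagnose(summarize_racoon_log(SAMPLE_LOG)):
        print("-", f)
```

Run against the constructed sample, the summary shows both phases established and two policy errors, which is exactly the state the thread was in: IKE is fine, so the fix belongs in firewall rules or NAT handling rather than in authentication settings.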

What are you trying to ping from the mobile client? Another PC or server on the LAN side?

            Have you tried connecting to something using a different service and not ping?

Sometimes the Windows firewall or other software firewalls will block services like ping from off of your native subnet.

conehead:

              Hi,

I tried it from another location and that works like a charm... but from home it doesn't work...

It's probably because of the double NAT...

I am at home behind a pfSense box which forwards its packets to another router...

conehead:

It works from behind the pfSense box also now; the ESP protocol was still blocked.

                thanks for the help and have a nice weekend !!!

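The thread resolves with ESP still being blocked, and the WAN rule table posted earlier allowed only UDP 500. An IPsec responder needs three things let through on its WAN: IKE on UDP 500, NAT-Traversal on UDP 4500 (which carries both IKE and UDP-encapsulated ESP once a NAT such as the double NAT described above is detected), and ESP itself (IP protocol 50) when no NAT is in the path. The following is an added Python example, not code from the thread or from pfSense, that takes rules laid out like the forum's "proto source port destination port gateway" table and reports which of those three are missing. The Rule structure, the REQUIRED list and the "500(ISAKMP)" label handling are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class Rule:
    """One pass rule in the order the forum table lists its columns."""
    proto: str   # "udp", "tcp", "esp", or "any"
    src: str
    sport: str
    dst: str
    dport: str   # "*" for any; labels such as "500(ISAKMP)" are tolerated

# What an IPsec responder must accept on its WAN (assumption of this example).
REQUIRED: List[Tuple[str, str, str]] = [
    ("udp", "500", "IKE/ISAKMP"),
    ("udp", "4500", "IKE NAT-Traversal, also carries UDP-encapsulated ESP"),
    ("esp", "*", "ESP, IP protocol 50"),
]


def _proto_matches(rule_proto: str, wanted: str) -> bool:
    return rule_proto.lower() in ("any", wanted)


def _port_matches(rule_port: str, wanted: str) -> bool:
    if rule_port == "*" or wanted == "*":
        return True
    # Strip a GUI label like "500(ISAKMP)" down to the number.
    return rule_port.split("(")[0].strip() == wanted


def missing_ipsec_rules(rules: List[Rule]) -> List[str]:
    """Return a human-readable entry for each required flow no rule permits."""
    missing: List[str] = []
    for proto, port, label in REQUIRED:
        permitted = any(_proto_matches(r.proto, proto) and _port_matches(r.dport, port) for r in rules)
        if not permitted:
            name = proto if port == "*" else f"{proto}/{port}"
            missing.append(f"{name} ({label})")
    return missing


# Constructed from the WAN table posted in the thread: only UDP 500 was allowed.
RULES_FROM_THREAD = [Rule("udp", "*", "*", "*", "500(ISAKMP)")]

# Constructed: the same table with the two missing flows added.
RULES_FIXED = RULES_FROM_THREAD + [
    Rule("udp", "*", "*", "*", "4500"),
    Rule("esp", "*", "*", "*", "*"),
]

if __name__ == "__main__":
    print("thread ruleset missing:", missing_ipsec_rules(RULES_FROM_THREAD))
    print("fixed ruleset missing:", missing_ipsec_rules(RULES_FIXED))
```

The check is deliberately about direction "in on WAN" only; a rule on the IPsec interface (the second, empty table in the thread) governs what the decrypted traffic may reach, which is a separate question from whether the tunnel packets arrive at all.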