IPSec troubles (solved)



  • Hello, I have been trying for a while now to get IPsec working between 2 pfSense machines and I just can't figure out why it won't work. Although I don't have a lot of experience with VPN connections, so it might be something really silly.

    Background info

    pfSense 1 (with load balancer)
    IP WAN1 81.161.x.x (DHCP static IP)
    IP WAN2 Not connected atm
    IP LAN 172.16.1.136/24
    Version: 1.2.3-RC1

    pfSense 2 (with load balancer; all settings are cloned from pfSense 1)
    IP WAN1 Not connected atm
    IP WAN2 62.194.x.x (DHCP dynamic IP for test purposes only)
    IP LAN 172.16.2.136/24
    Version: 1.2.3-RELEASE

    Something weird also seems to happen: when I go to Status: IPsec there are no rules/tunnels there, it just says: No IPsec security associations.

    VPN Config pfSense 1

    <ipsec>
      <preferredoldsa/>
      <tunnel>
        <interface>wan</interface>
        <natt/>
        <local-subnet>
          <network>lan</network>
        </local-subnet>
        <remote-subnet>172.16.2.0/24</remote-subnet>
        <remote-gateway>62.194.X.X</remote-gateway>
        <dpddelay>60</dpddelay>
        <p1>
          <mode>aggressive</mode>
          <myident>
            <address>83.161.X.X</address>
          </myident>
          <encryption-algorithm>3des</encryption-algorithm>
          <hash-algorithm>sha1</hash-algorithm>
          <dhgroup>2</dhgroup>
          <lifetime>28800</lifetime>
          <pre-shared-key>S0m3w3rdkey</pre-shared-key>
          <private-key/>
          <cert/>
          <peercert/>
          <authentication_method>pre_shared_key</authentication_method>
        </p1>
        <p2>
          <protocol>esp</protocol>
          <encryption-algorithm-option>3des</encryption-algorithm-option>
          <encryption-algorithm-option>blowfish</encryption-algorithm-option>
          <encryption-algorithm-option>cast128</encryption-algorithm-option>
          <encryption-algorithm-option>rijndael</encryption-algorithm-option>
          <encryption-algorithm-option>rijndael 256</encryption-algorithm-option>
          <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
          <hash-algorithm-option>hmac_md5</hash-algorithm-option>
          <pfsgroup>0</pfsgroup>
          <lifetime>86400</lifetime>
        </p2>
        <descr>Test Tunnel</descr>
      </tunnel>
      <mobilekey>
        <ident>62.194.X.X</ident>
        <pre-shared-key>S0m3w3rdkey</pre-shared-key>
      </mobilekey>
    </ipsec>
    

    VPN Config pfSense 2

    <ipsec>
      <preferredoldsa/>
      <tunnel>
        <interface>opt1</interface>
        <local-subnet>
          <network>lan</network>
        </local-subnet>
        <remote-subnet>172.16.1.0/24</remote-subnet>
        <remote-gateway>83.161.X.X</remote-gateway>
        <dpddelay>60</dpddelay>
        <p1>
          <mode>aggressive</mode>
          <myident>
            <address>62.194.X.X</address>
          </myident>
          <encryption-algorithm>3des</encryption-algorithm>
          <hash-algorithm>sha1</hash-algorithm>
          <dhgroup>2</dhgroup>
          <lifetime>28800</lifetime>
          <pre-shared-key>S0m3w3rdkey</pre-shared-key>
          <private-key/>
          <cert/>
          <peercert/>
          <authentication_method>pre_shared_key</authentication_method>
        </p1>
        <p2>
          <protocol>esp</protocol>
          <encryption-algorithm-option>3des</encryption-algorithm-option>
          <encryption-algorithm-option>blowfish</encryption-algorithm-option>
          <encryption-algorithm-option>cast128</encryption-algorithm-option>
          <encryption-algorithm-option>rijndael</encryption-algorithm-option>
          <encryption-algorithm-option>aes 256</encryption-algorithm-option>
          <hash-alg-option>hmac_sha1</hash-algorithm-option>
          <hash-algorithm-option>hmac_md5</hash-algorithm-option>
          <pfsgroup>0</pfsgroup>
          <lifetime>86400</lifetime>
        </p2>
        <descr>Test Tunnel</descr>
      </tunnel>
      <mobilekey>
        <ident>83.161.X.X</ident>
        <pre-shared-key>S0m3w3rdkey</pre-shared-key>
      </mobilekey>
    </ipsec>
    


  • After some more debugging and trying to make it work, the log showed me this:

    May 23 12:38:11 racoon: ERROR: phase1 negotiation failed due to time up. af7b8f8f50116a1a:0000000000000000
    May 23 12:37:52 racoon: INFO: delete phase 2 handler.
    May 23 12:37:52 racoon: [Test Tunnel]: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 62.194.X.X[0]->83.161.X.X[0]
    May 23 12:37:21 racoon: INFO: begin Aggressive mode.
    May 23 12:37:21 racoon: [Test Tunnel]: INFO: initiate new phase 1 negotiation: 83.161.X.X[500]<=>62.194..X.X[500]
    May 23 12:37:21 racoon: [Test Tunnel]: INFO: IPsec-SA request for 62.194.X.X queued due to no phase1 found.

    Really beginning to wonder what the problem is. Checked if the ISP was blocking port 500, but that wasn't the case.



  • Solved my problem

    pfSense 1 still had its second connection cached (now used for pfSense 2), and therefore expected the wrong IP.

    Also ran into not being able to ping, but that was simply adding an ICMP rule. Hope this might help someone else out.
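    A consistency check for two pfSense 1.2.x `<ipsec>` sections like the ones posted above, as an added example that is not part of the thread or of pfSense: it parses both sides with Python's xml.etree and reports the kind of mismatch behind this thread's phase 1 timeouts (one side still pointing at the peer's old address), plus the aggressive-mode weakness. The XML template, the 203.0.113.x / 198.51.100.x addresses and the LAN CIDRs passed in are constructed stand-ins for the masked values in the posts.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for the <ipsec> section of a pfSense 1.2.x config.xml;
# RFC 5737 documentation addresses replace the thread's masked public IPs.
TEMPLATE = """<ipsec><tunnel><interface>{iface}</interface>
<local-subnet><network>lan</network></local-subnet>
<remote-subnet>{rsub}</remote-subnet><remote-gateway>{rgw}</remote-gateway>
<p1><mode>aggressive</mode><myident><address>{me}</address></myident>
<encryption-algorithm>3des</encryption-algorithm><hash-algorithm>sha1</hash-algorithm>
<dhgroup>2</dhgroup><pre-shared-key>S0m3w3rdkey</pre-shared-key></p1></tunnel></ipsec>"""

def parse_side(xml_text, lan_cidr):
    """Pull the fields that must agree between the two ends of a tunnel."""
    root = ET.fromstring(xml_text)
    p1 = root.find("tunnel/p1")
    return {
        "lan": lan_cidr,  # config.xml only says <network>lan</network>, so pass the CIDR in
        "me": p1.findtext("myident/address"),
        "remote_gw": root.findtext("tunnel/remote-gateway"),
        "remote_subnet": root.findtext("tunnel/remote-subnet"),
        "mode": p1.findtext("mode"),
        "psk": p1.findtext("pre-shared-key"),
        "p1_proposal": tuple(p1.findtext(k) for k in
                             ("encryption-algorithm", "hash-algorithm", "dhgroup")),
    }

def check_pair(a_xml, a_lan, b_xml, b_lan):
    """Return findings as 'MISMATCH: ...' or 'WEAK: ...' strings; [] means clean."""
    a, b = parse_side(a_xml, a_lan), parse_side(b_xml, b_lan)
    out = []
    for me, peer in ((a, b), (b, a)):
        # A stale peer address is the thread's root cause: phase 1 goes to an address nobody answers from.
        if me["remote_gw"] != peer["me"]:
            out.append(f"MISMATCH: remote-gateway {me['remote_gw']} but peer identifies as {peer['me']}")
        if me["remote_subnet"] != peer["lan"]:
            out.append(f"MISMATCH: remote-subnet {me['remote_subnet']} but peer LAN is {peer['lan']}")
    if a["psk"] != b["psk"]:
        out.append("MISMATCH: pre-shared keys differ")
    if a["p1_proposal"] != b["p1_proposal"]:
        out.append(f"MISMATCH: phase 1 proposals differ: {a['p1_proposal']} vs {b['p1_proposal']}")
    if a["mode"] == "aggressive":
        out.append("WEAK: aggressive mode exposes a PSK-derived hash to offline guessing; use main mode")
    return out

SIDE_A = TEMPLATE.format(iface="wan", me="203.0.113.1", rgw="198.51.100.2", rsub="172.16.2.0/24")
SIDE_B_OK = TEMPLATE.format(iface="opt1", me="198.51.100.2", rgw="203.0.113.1", rsub="172.16.1.0/24")
# Side B still carries A's previous address, mirroring the cached-connection mistake above.
SIDE_B_STALE = TEMPLATE.format(iface="opt1", me="198.51.100.2", rgw="203.0.113.9", rsub="172.16.1.0/24")
```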
