Site to site ipsec



  • Hello All,

    site to site IPsec VPN
    pfSense 1.2.3 x 2 machines
    static public IPs at both pfSense boxes.
    pre-shared key - admin@mydomain.net - on both machines

    Went by the tutorial for setting up an IPsec VPN on the pfSense site here. Have double checked all my settings on both pfSense 1.2.3 machines. Everything appears to be correct, and 'enabled'. When I look at the IPsec VPN log all I ever see on both machines is many lines of the following (or similar):
    --------------------------------------------------------------------------------------------------
    racoon: [Self]: INFO: 172.28.8.2[500] used as isakmp port (fd=23)
    racoon: [Self]: INFO: AAA.AAA.AA.AAA[500] used as isakmp port (fd=23)
    --------------------------------------------------------------------------------------------------
    These are the only lines I see in the IPsec VPN log.

    1. I have not rebooted either pfSense machine (since I set up and enabled it), as I am not able to go to either site as of now, and I do not want to attempt a reboot without being at one or the other, as both sites need internet and I don't want to kill it, just as a precautionary measure. (I will do this Tues.)
    2. The tutorial does not mention any firewall rules setup. Do I need to add at least a couple of firewall accept rules for the IPsec VPN to start?
      Does one or both pfSense machines need to be rebooted for the IPsec VPN to activate?
      If not, why am I not seeing 'attempts to connect' in the IPsec VPN log?
      On the ipsec:status page there are obviously no 'associations' listed.
      I can ping the opposite pfSense machine's public IP from the ping utility in the web-ui.

    I have not dealt with IPsec VPNs before, obviously.
    Any ideas appreciated.

    Take Care,
    BC



  • Hello All,

    pfsense 1.2.3  X  2

    I wanted to post my /var/etc/racoon.conf file. These are identical on both pf boxes. It appears not all IPsec information is getting generated into the racoon.conf file. I have clicked save > apply several times in the web-ui, FYI.

    racoon.conf
    -------------------------------------------------------------------------------------

    # This file is automatically generated. Do not edit

    listen {
    adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
    }
    path pre_shared_key "/var/etc/psk.txt";

    path certificate  "/var/etc";

    Anyone, any ideas what I am missing?

    Thank You,
    Barry



  • OK,,, My Bad!!

    I had the 'Disable this tunnel' box checked in the IPsec VPN setup page. (I wondered why the settings were shadowed out on both pfSense boxes; now I know!)
    I got tripped up a bit as I had "Enable IPsec" checked on the visible part of the IPsec page, but forgot that when I did the initial configuring of IPsec I had checked "Disable this tunnel" on the setup page until I knew I had all the settings correct. I know, it is confusing without seeing the actual IPsec setup. There are two actual possible places to disable the IPsec service from starting, and I am sure there is a reason for this.
    As soon as I unchecked this > save > apply, the tunnel came right up, and I can ping the opposite site's internal IPs!

    Thanks again,
    Barry



  • > There are two actual possible places to disable the IPsec service from starting, and I am sure there is a reason for this.

    The general one disables IPsec completely for all tunnels. The disable checkbox that you had checked in the config for the actual tunnels is to disable one tunnel while leaving others enabled.
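    The symptom Barry hit shows up in the generated file itself: with every tunnel disabled, racoon.conf contains only the listen and path stanzas and racoon logs nothing but "used as isakmp port". The following check, an added example that is not part of this thread or of pfSense, brace-matches the top-level blocks of a racoon.conf and reports whether any phase 1 (remote) and phase 2 (sainfo) sections were generated. The two sample files are constructed; the 203.0.113.x / 198.51.100.x / 10.0.x.x addresses are placeholders, not the poster's.

```python
# Constructed sample mirroring what the poster saw: no tunnel sections at all.
EMPTY_CONF = """\
# This file is automatically generated. Do not edit
listen {
adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
}
path pre_shared_key "/var/etc/psk.txt";
path certificate "/var/etc";
"""

# Constructed sample of the same file once one tunnel is enabled (placeholder addresses).
TUNNEL_CONF = EMPTY_CONF + """
remote 203.0.113.10 {
    exchange_mode main;
    my_identifier address 198.51.100.5;
    proposal { encryption_algorithm aes 256; hash_algorithm sha1;
               authentication_method pre_shared_key; dh_group 2; }
}
sainfo address 10.0.1.0/24 any address 10.0.2.0/24 any {
    encryption_algorithm aes 256;
    authentication_algorithm hmac_sha1;
}
"""


def top_level_blocks(conf):
    """Return (keyword, header) for each top-level `header { ... }` block.

    Braces are counted so nested blocks (e.g. proposal inside remote) are skipped.
    """
    blocks, depth, start = [], 0, None
    for i, ch in enumerate(conf):
        if ch == "{":
            if depth == 0:                      # start of a top-level block
                start = conf.rfind("\n", 0, i) + 1
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0 and start is not None:
                header = conf[start:conf.index("{", start)].strip()
                blocks.append((header.split()[0], header))
                start = None
    return blocks


def diagnose(conf):
    """Say whether pfSense actually emitted any tunnel into this racoon.conf."""
    blocks = top_level_blocks(conf)
    peers = [h.split()[1] for k, h in blocks if k == "remote"]   # phase 1 peers
    phase2 = sum(1 for k, _ in blocks if k == "sainfo")          # phase 2 entries
    if not peers:
        verdict = "no remote/sainfo sections: check the per-tunnel 'Disable this tunnel' box"
    elif phase2 == 0:
        verdict = "phase 1 peer present but no phase 2 (sainfo) section"
    else:
        verdict = "tunnel definitions present; if no SAs form, look beyond the config"
    return {"peers": peers, "phase2": phase2, "verdict": verdict}
```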

