Auto Start IPSEC VPN
-
Hi Everyone,
We have an IPSEC VPN set up between 2 pfsense machines. One machine is running a BETA2 snapshot (network A) of pfsense, the other is running 1.2.3 RELEASE (network B).
The IPSEC VPN won't start automatically. What we have to do is ping a host on network B from network A before the VPN starts (but vice-versa doesn't work).
The main problem is that network A is a co-located network a few hundred miles away(!)
Any help is appreciated, as I think this is a common problem.
Many Thanks
-
Hi,
It seems only Site A can initiate the tunnel.
Please go to the firewall rules on Site A… there will be some blocked events on port 500 isakmp (if logging for the default block rule is activated) ;)
You should also find some Phase 1 time-ups in the pfSense 1.2.3 IPSEC log. On your pfSense 2.0, create 2 rules on the WAN interface:
1. Create a rule to allow incoming traffic on port udp 500 (isakmp) (+ maybe udp 4500 NAT-T for mobiles) from your Site B WAN IP (source) to the pfSense Site A WAN address (destination).
2. Create a rule to allow incoming ESP traffic from the Site B WAN IP (source) to the Site A WAN IP (destination). It seems pfSense 2.0 doesn't create rules for VPN traffic automatically!!!
Cya
-
Hi There,
I currently have an "allow all" rule from Site B's WAN IP address.
Shouldn't this be enough? It's still not working with this :(
Any help is appreciated
Thanks
-
Hi,
What about the firewall and ipsec logs on pfSense 2.0???
Post some logs and take a picture of the allow rule.
What protocol is set on the allow rule?
cya
-
If you fill in the "keep alive" box on the IPsec setup on both ends (put in a LAN IP on the remote side) it will start automatically.
-
Hi Everyone,
Ok so I got this issue sorted (not sure what was wrong, but I think upgrading to the latest snapshot helped).
I do have a new problem though, after about an hour, the VPN drops (says expired in the logs). In the logs, it appears as if the VPN re-connects, however no traffic can be passed. The only way I can fix this is by disabling, then enabling the IPSEC service on network B.
What I don't understand is that the pfsense box on network A is also connected via IPSEC to a 3rd pfsense box at another location (let's call this network C). This pfsense runs the exact same build as network B, however it seems to cope 100%.
Network B and network C also have an IPSEC tunnel between each other and this is ok as well.
I'm really confused. Can you think of anything I'm missing? The keep-alive is filled in on both ends.
Thanks
-
Folks,
I found the answer to this problem!!
I didn't have the timezone set properly on pfsense A, so the key validity times would have been wrong.
Cheers
P.S. Found a small bug with the latest snapshot - the timezone isn't updated on the dashboard unless you reboot (however, I think the time still changes).
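The thread touches three distinct symptoms that look alike from the GUI: Phase 1 "time ups" on the 1.2.3 side (the earlier reply's sign that UDP 500 is being blocked), the SA "expired" drops after about an hour, and the clock/timezone mismatch the last post settled on. The script below is an added example, not from the thread or from pfSense, that pulls these apart from the racoon log and reports what each peer's clock says. The sample log lines and IP addresses are constructed to resemble pfSense 1.2.3's ipsec.log; the exact message wording on a real box may differ, so adjust the awk patterns if they do not match.

```shell
#!/bin/sh
# Added triage helper (not part of the thread or of pfSense).
# Log lines below are CONSTRUCTED to resemble pfSense 1.2.3's racoon output;
# real wording may differ slightly, so check the patterns against your log.
SAMPLE_LOG='Mar  1 10:00:01 pfsense racoon: INFO: ISAKMP-SA established 198.51.100.1[500]-203.0.113.2[500] spi:1111:2222
Mar  1 10:59:58 pfsense racoon: INFO: ISAKMP-SA expired 198.51.100.1[500]-203.0.113.2[500] spi:1111:2222
Mar  1 11:00:10 pfsense racoon: ERROR: phase1 negotiation failed due to time up. 203.0.113.2[500]<=>198.51.100.1[500]
Mar  1 11:00:40 pfsense racoon: ERROR: phase1 negotiation failed due to time up. 203.0.113.2[500]<=>198.51.100.1[500]
Mar  1 11:01:05 pfsense racoon: INFO: ISAKMP-SA established 198.51.100.1[500]-203.0.113.2[500] spi:3333:4444'

# ipsec_summary: read log text on stdin and print one line with counts of the
# three events the thread mentions. A phase 1 "time up" means the peer never
# answered on UDP 500; "expired" is the ISAKMP-SA lifetime running out (rekey).
ipsec_summary() {
    awk '
        /ISAKMP-SA established/                    { est++ }
        /ISAKMP-SA expired/                        { expd++ }
        /phase1 negotiation failed due to time up/ { tup++ }
        END { printf "established=%d expired=%d phase1_timeups=%d\n", est, expd, tup }
    '
}

# ipsec_diagnose: turn a summary line into a hint and an exit status.
#   0 = nothing obvious in this log window
#   1 = phase 1 timed out and no SA ever came up: peer not reachable on UDP 500
#       (the WAN rule problem from the first reply)
#   2 = SA expired and renegotiation struggled: compare lifetimes and clocks
#       on both peers (the hourly drop from later in the thread)
ipsec_diagnose() {
    summary="$1"
    est=${summary#established=};     est=${est%% *}
    expd=${summary#*expired=};       expd=${expd%% *}
    tup=${summary#*phase1_timeups=}
    if [ "$tup" -gt 0 ] && [ "$est" -eq 0 ]; then
        echo "no SA ever came up and phase 1 timed out: peer not answering on UDP 500, check WAN rules"
        return 1
    elif [ "$expd" -gt 0 ] && [ "$tup" -gt 0 ]; then
        echo "SA expired and renegotiation struggled: compare SA lifetimes and clocks on both peers"
        return 2
    fi
    echo "no obvious problem in this log window"
    return 0
}

# clock_report: what this box reports as UTC, local time and zone. Run it on
# both peers and compare the utc= fields; a zone set wrongly on one side shows
# up as a local= / zone= value that does not match what you expect for it.
clock_report() {
    printf 'utc=%s local=%s zone=%s offset=%s\n' \
        "$(date -u '+%Y-%m-%dT%H:%M:%S')" \
        "$(date '+%Y-%m-%dT%H:%M:%S')" \
        "$(date '+%Z')" "$(date '+%z')"
}

# Stand-alone run on the constructed sample. On a real 1.2.3 box replace the
# printf with:  cat /var/log/ipsec.log | ipsec_summary
summary=$(printf '%s\n' "$SAMPLE_LOG" | ipsec_summary)
echo "$summary"
ipsec_diagnose "$summary" || echo "diagnose exit status: $?"
clock_report
```

On the constructed sample the summary is `established=2 expired=1 phase1_timeups=2` and the diagnosis is the rekey case (exit status 2): the SA expired on schedule, phase 1 was retried twice before a new SA came up, which is the "re-connects in the log but no traffic passes" picture from the thread rather than a blocked UDP 500.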
-
That isn't a bug. The time zone will never take full effect system-wide until you reboot.
-
> That isn't a bug. The time zone will never take full effect system-wide until you reboot.
No problem jimp
Cheers