Netgate Discussion Forum
    Auto Start IPSEC VPN

    IPsec
jonnytabpni last edited by

Hi Everyone,

We have an IPSEC VPN set up between 2 pfSense machines. One machine is running a BETA2 snapshot of pfSense (network A), the other is running 1.2.3 RELEASE (network B).

The IPSEC VPN won't start automatically. What we have to do is ping a host on network B from network A before the VPN starts (but vice-versa doesn't work).

The main problem is that network A is a co-located network a few hundred miles away(!)

Any help is appreciated, as I think this is a common problem.

Many Thanks

spiritbreaker last edited by

Hi,

It seems only Site A can initiate the tunnel.

Please go to the firewall rules on Site A… there will be some blocked events on port 500 isakmp (if logging for the default block rule is activated) ;)
You should also find some Phase 1 timeouts in the pfSense 1.2.3 IPSEC log.

On your pfSense 2.0, create 2 rules on the WAN interface:
1. Create a rule to allow incoming traffic on port udp 500 (isakmp) (+ maybe udp 4500 NAT-T for mobiles) from your Site B WAN IP (source) to the pfSense Site A WAN address (destination).
2. Create a rule to allow incoming ESP traffic from the Site B WAN IP (source) to the Site A WAN IP (destination).

It seems pfSense 2.0 doesn't create rules for VPN traffic automatically!!!

Cya

jonnytabpni last edited by
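As an added illustration of the check spiritbreaker describes (this is not code from the thread or from pfSense), the shell snippet below filters pf log lines for blocked ISAKMP (udp/500), NAT-T (udp/4500) and ESP traffic arriving from the remote peer's WAN address. The log lines are constructed samples in the text form tcpdump prints for pflog records; 203.0.113.10 and 198.51.100.20 are documentation-range placeholders for the Site B and Site A WAN IPs.

```shell
#!/bin/sh
# Added example (not from the thread): find blocked IPsec traffic from a peer in pf log output.
# SAMPLE_LOG is a constructed sample in the text form tcpdump prints for pflog records;
# 203.0.113.10 stands in for the Site B WAN IP and 198.51.100.20 for the Site A WAN IP.
SAMPLE_LOG='rule 2/0(match): block in on em0: 203.0.113.10.500 > 198.51.100.20.500: isakmp: phase 1 I ident
rule 2/0(match): block in on em0: 203.0.113.10.4500 > 198.51.100.20.4500: NONESP-encap: isakmp: phase 2/others R inf
rule 2/0(match): block in on em0: 203.0.113.10 > 198.51.100.20: ESP(spi=0x0a1b2c3d,seq=0x1), length 116
rule 2/0(match): block in on em0: 192.0.2.77.40123 > 198.51.100.20.22: Flags [S], seq 1, win 65535, length 0
rule 5/0(match): pass in on em0: 203.0.113.10.500 > 198.51.100.20.500: isakmp: phase 1 I ident'

# ipsec_blocks PEER_IP < logfile
# Prints only the lines where a rule blocked inbound IPsec control or data traffic from
# PEER_IP: ISAKMP on udp/500, NAT-T on udp/4500, or ESP (IP protocol 50).
ipsec_blocks() {
  # Escape the dots so grep -E matches the address literally.
  peer_re=$(printf '%s' "$1" | sed 's/\./\\./g')
  grep -E "block in on [^:]+: ${peer_re}(\.(500|4500) > [0-9.]+\.(500|4500):| > [0-9.]+: ESP\()"
}

# count_ipsec_blocks PEER_IP -> number of blocked IPsec lines for that peer in SAMPLE_LOG
count_ipsec_blocks() {
  printf '%s\n' "$SAMPLE_LOG" | ipsec_blocks "$1" | grep -c .
}

# On a pfSense box the live log is fed in the same way, for example:
#   tcpdump -n -e -ttt -r /var/log/pflog | ipsec_blocks 203.0.113.10
# A non-empty result means the WAN rules spiritbreaker lists (udp/500, udp/4500, ESP
# from the peer to the local WAN address) are still missing or not matching.
```

With the constructed sample, the peer 203.0.113.10 shows three blocked IPsec lines (the ISAKMP, NAT-T and ESP entries), while the unrelated SSH probe from 192.0.2.77 and the passed ISAKMP packet are ignored.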

Hi There,

I currently have an "allow all" rule from Site B's WAN IP address.

Shouldn't this be enough? It's still not working with this :(

Any help is appreciated

Thanks

spiritbreaker last edited by

Hi,

What about the firewall and IPsec logs on pfSense 2.0???

Post some logs and take a picture of the allow rule.

What protocol is set on the allow rule?

cya

jimp Rebel Alliance Developer Netgate last edited by

If you fill in the "keep alive" box on the IPsec setup on both ends (put in a LAN IP on the remote side) it will start automatically.

jonnytabpni last edited by

Hi Everyone,

Ok so I got this issue sorted (not sure what was wrong, but I think upgrading to the latest snapshot helped).

I do have a new problem though: after about an hour, the VPN drops (says expired in the logs). In the logs, it appears as if the VPN re-connects, however no traffic can be passed. The only way I can fix this is by disabling, then enabling the IPSEC service on network B.

What I don't understand is that the pfSense box on network A is also connected via IPSEC to a 3rd pfSense box at another location (let's call this network C). This pfSense runs the exact same build as network B, however it seems to cope 100%.

Network B and network C also have an IPSEC tunnel between each other and this is ok as well.

I'm really confused. Can you think of anything I'm missing? The keep-alive is filled in on both ends.

Thanks

jonnytabpni last edited by

Folks,

I found the answer to this problem!!

I didn't have the timezone set properly on pfSense A, so the key validity times would have been wrong.

Cheers

P.S. Found a small bug with the latest snapshot: the timezone isn't updated on the dashboard unless you reboot (however I think the time still changes though).

jimp Rebel Alliance Developer Netgate last edited by

That isn't a bug. The time zone will never take full effect system-wide until you reboot.

jonnytabpni last edited by

@jimp:

> That isn't a bug. The time zone will never take full effect system-wide until you reboot.

No problem jimp

Cheers

© 2021 Rubicon Communications, LLC