Netgate Discussion Forum
    Connection to non pfSense remote network.

    4 Posts 1 Posters 3.5k Views

    jrapp:

      I have a colo server, the guest is running Ubuntu and a variety of VMs, using a host-only network on RFC1918 space (which does not conflict with any in-office ranges).

      I'd like to set up an IPsec tunnel from the Ubuntu host to the Office pfSense box (1.2.3-RELEASE built on Sun Dec 6 23:21:36 EST 2009) to allow us to access this private subnet from the office.

      However, I can't figure out what I need to do.
      There is a single shared secret on the pfSense IPsec pages, but ipsec_tools.conf expects one in each direction - this is just the first of a few things which have pickled my brain. Does anyone have a similar setup, and/or some other sensible resource to point me at?

      Cheers,

      John

      jrapp:

        OK - Figuring out more about pfSense helped some…

        Stage 1 seems OK, but...

        I'm now getting the following in syslog on the Colo box:

        
        Aug 25 06:24:59 Colo racoon: INFO: respond new phase 2 negotiation: ColoIP[500]<=>pFsenseIP[500]
        Aug 25 06:24:59 Colo racoon: ERROR: failed to get sainfo.
        Aug 25 06:24:59 Colo racoon: ERROR: failed to get sainfo.
        Aug 25 06:24:59 Colo racoon: ERROR: failed to pre-process packet.
        
        

        and the following from the pfSense box:

        
        Aug 25 06:25:09 pfSense racoon: ERROR: ColoIP give up to get IPsec-SA due to time up to wait.
        Aug 25 06:25:13 pfSense racoon: INFO: initiate new phase 2 negotiation: pFsenseIP[0]<=>ColoIP[0]
        
        

        Both units have 'proper' public IPs, and unfiltered (as far as I know) connections.

        Config is as follows:
        Colo:

        path pre_shared_key "/etc/racoon/psk.txt";
        path certificate "/etc/racoon/certs";
        
        remote pfSenseIP {
                exchange_mode main;
                proposal {
                        encryption_algorithm 3des;
                        hash_algorithm sha1;
                        authentication_method pre_shared_key;
                        dh_group modp1024;
                        lifetime time 28800 secs;
                }
        #        generate_policy off;                                                                          
        }
        
        sainfo address 192.168.128.0/24 any address 192.168.1.0/24 any {
                encryption_algorithm 3des;
                authentication_algorithm hmac_md5;
                compression_algorithm deflate;
                pfs_group modp768;
                lifetime time 86400 secs;
        }
        
        

        pfSense:

        
        # This file is automatically generated. Do not edit
        listen {
        	adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
        }
        path pre_shared_key "/var/etc/psk.txt";
        
        path certificate  "/var/etc";
        
        remote ColoIP {
        	exchange_mode main;
        	my_identifier address "pfSenseIP";
        
        	peers_identifier address ColoIP;
        	initial_contact on;
        	dpd_delay 30;
        	ike_frag on;
        	support_proxy on;
        	proposal_check obey;
        
        	proposal {
        		encryption_algorithm 3des;
        		hash_algorithm sha1;
        		authentication_method pre_shared_key;
        		dh_group 2;
        		lifetime time 28800 secs;
        	}
        	lifetime time 28800 secs;
        }
        
        sainfo address 192.168.1.0/24 any address 192.168.128.0/24 any {
        	encryption_algorithm 3des;
        	authentication_algorithm hmac_md5;
        	compression_algorithm deflate;
        	pfs_group 1;
        	lifetime time 86400 secs;
        }
        
        

        Generated from the following on the interface on pfSense:

        
         * Disabled (no)
         * Interface WAN
         * DPD interval 30
         * Local subnet LAN subnet (192.168.1.0/24)
         * Remote gateway ColoIP
        Phase1:
         * Negotiation main
         * My ID My IP (pfSenseIP)
         * Crypto 3DES
         * Hash SHA1
         * DH key group 2 (1024 bit)
         * Lifetime 28800
         * Auth Preshared key
         * Key - pasted to file on Colo box
        Phase2:
         * Protocol ESP
         * Crypto 3DES
         * Hash MD5
         * PFS key 1 (768 bit)
         * Lifetime 86400
        Keepalive:
         * Ping - private IP of Colo
        
        

        And I've reached the limit of my IPSec knowhow :(

        Any pointers? (also known as "What did I screw up?")

        Cheers,

        John

        jrapp:

          More syslog from the colo box:

          Sep  2 13:25:34 Colo racoon: DEBUG: configuration found for 94.125.134.209.
          Sep  2 13:25:34 Colo racoon: DEBUG: getsainfo params: loc='192.168.128.0/24', rmt='192.168.1.0/24', peer='pfSenseIP', id=0
          Sep  2 13:25:34 Colo racoon: DEBUG: getsainfo pass #1
          Sep  2 13:25:34 Colo racoon: DEBUG: evaluating sainfo: loc='192.168.128.0/24', rmt='192.168.1.0/24', peer='ANY', id=0
          Sep  2 13:25:34 Colo racoon: DEBUG: getsainfo pass #2
          Sep  2 13:25:34 Colo racoon: DEBUG: evaluating sainfo: loc='192.168.128.0/24', rmt='192.168.1.0/24', peer='ANY', id=0
          Sep  2 13:25:34 Colo racoon: DEBUG: check and compare ids : values matched (IPv4_subnet)
          Sep  2 13:25:34 Colo racoon: DEBUG: cmpid target: '192.168.128.0/24'
          Sep  2 13:25:34 Colo racoon: DEBUG: cmpid source: '192.168.128.0/24'
          Sep  2 13:25:34 Colo racoon: DEBUG: check and compare ids : values matched (IPv4_subnet)
          Sep  2 13:25:34 Colo racoon: DEBUG: cmpid target: '192.168.1.0/24'
          Sep  2 13:25:34 Colo racoon: DEBUG: cmpid source: '192.168.1.0/24'
          Sep  2 13:25:34 Colo racoon: DEBUG: selected sainfo: loc='192.168.128.0/24', rmt='192.168.1.0/24', peer='ANY', id=0
          Sep  2 13:25:34 Colo racoon: DEBUG: get a src address from ID payload 192.168.1.0[0] prefixlen=24 ul_proto=255
          Sep  2 13:25:34 Colo racoon: DEBUG: get dst address from ID payload 192.168.128.0[0] prefixlen=24 ul_proto=255
          Sep  2 13:25:34 Colo racoon: ERROR: no policy found: 192.168.1.0/24[0] 192.168.128.0/24[0] proto=any dir=in
          Sep  2 13:25:34 Colo racoon: ERROR: failed to get proposal for responder.
          Sep  2 13:25:34 Colo racoon: ERROR: failed to pre-process packet.
          Sep  2 13:25:34 Colo racoon: DEBUG: IV freed
          
          

          ??? ??? ???

          jrapp:

            OK - finally got it working…

            First - I had no "generate_policy" command
            Then - I had various firewall issues on the pfSense end (it would make sense to have some indication that the IPsec connection will be pointless until explicitly opened)
            Then - I had firewall issues on the other end
            Then - I had routing issues on the other end (masquerading got done before IPsec got a look in)

            My head hurts.

            I'm going for a lie down.

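The four fixes in the last post (a policy for racoon to match, firewall openings on both ends, and NAT ordering on the colo host) come down to a short colo-side configuration. The block below is an added example written for this page, not code from the thread, from pfSense or from ipsec-tools; the public IPs, the interface name and the two sainfo fragments are assumptions or constructed from the subnets the thread uses. It emits the setkey(8) SPD entries whose absence produces the "no policy found" / "failed to get sainfo" errors in the third post (the alternative is `generate_policy on` in the colo's `remote` block, which lets the responder install the policy the initiator proposes), emits iptables rules with the NAT exclusion ahead of MASQUERADE, and checks that the two sides' sainfo selectors mirror each other. On the psk.txt question from the first post: ipsec-tools keys the file by peer identifier, one line `<peer-ip> <secret>`, with the same secret on both ends, not one per direction. The thread's 3DES/MD5/DH group 1 and PFS group 1 choices are 2009-era parameters and are not repeated here.

```shell
#!/bin/sh
# Added example for this page, not code from the thread, pfSense or ipsec-tools.
# Colo-side pieces for a racoon/ipsec-tools tunnel to a pfSense LAN once
# phase 1 already completes. Values marked "assumed" are placeholders.

LOCAL_NET="192.168.128.0/24"   # colo host-only network (from the thread)
REMOTE_NET="192.168.1.0/24"    # office LAN behind pfSense (from the thread)
LOCAL_GW="198.51.100.10"       # assumed colo public IP (RFC 5737 documentation range)
REMOTE_GW="203.0.113.20"       # assumed pfSense WAN IP (RFC 5737 documentation range)
WAN_IF="eth0"                  # assumed public interface on the colo host

# psk.txt (the "path pre_shared_key" file) holds one line per peer:
#   203.0.113.20 <the key pasted from the pfSense phase 1 page>
# The same secret is configured on both ends; there is no per-direction key.

# 1. SPD policy. racoon only negotiates (or answers) phase 2 for traffic that
#    matches a kernel SPD entry; with generate_policy off and no entry, the
#    responder logs "no policy found" and gives up. Feed this to `setkey -f`.
#    The selectors must be the same networks as the sainfo block and as the
#    pfSense phase 2 local/remote subnets, or phase 2 fails the same way.
spd_config() {
    cat <<EOF
flush;
spdflush;
spdadd $LOCAL_NET $REMOTE_NET any -P out ipsec esp/tunnel/$LOCAL_GW-$REMOTE_GW/require;
spdadd $REMOTE_NET $LOCAL_NET any -P in ipsec esp/tunnel/$REMOTE_GW-$LOCAL_GW/require;
EOF
}

# 2. Firewall and NAT on the colo host. IKE (UDP 500; UDP 4500 only matters
#    if NAT-T is ever in play) and ESP (IP protocol 50) must reach racoon from
#    the pfSense WAN IP, and the MASQUERADE rule must not see tunnel-bound
#    packets: once the source is rewritten to the public IP it no longer
#    matches the SPD selector and leaves in the clear. So the ACCEPT in
#    nat/POSTROUTING (ACCEPT there means "no NAT for this packet") comes first.
firewall_rules() {
    cat <<EOF
iptables -A INPUT -i $WAN_IF -s $REMOTE_GW -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i $WAN_IF -s $REMOTE_GW -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i $WAN_IF -s $REMOTE_GW -p esp -j ACCEPT
iptables -A FORWARD -s $REMOTE_NET -d $LOCAL_NET -m policy --dir in --pol ipsec -j ACCEPT
iptables -A FORWARD -s $LOCAL_NET -d $REMOTE_NET -j ACCEPT
iptables -t nat -A POSTROUTING -s $LOCAL_NET -d $REMOTE_NET -j ACCEPT
iptables -t nat -A POSTROUTING -s $LOCAL_NET -o $WAN_IF -j MASQUERADE
EOF
}

# True when the first nat/POSTROUTING rule emitted is the IPsec exclusion,
# i.e. it is evaluated before MASQUERADE.
nat_order_ok() {
    firewall_rules | grep 'POSTROUTING' | sed -n '1p' | grep -q -- '-j ACCEPT'
}

# 3. Both sides' sainfo selectors must be mirror images (local on one end is
#    remote on the other). Takes racoon.conf text, prints "local remote".
sainfo_selectors() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*sainfo address \([^ ]*\) any address \([^ ]*\) any.*/\1 \2/p'
}

# Succeeds when conf A's (local, remote) equals conf B's (remote, local).
sainfo_mirror_ok() {
    set -- $(sainfo_selectors "$1") $(sainfo_selectors "$2")
    [ "$#" -eq 4 ] && [ "$1" = "$4" ] && [ "$2" = "$3" ]
}

# Constructed sainfo fragments, trimmed from the two configs in the thread.
COLO_CONF='sainfo address 192.168.128.0/24 any address 192.168.1.0/24 any {
        encryption_algorithm 3des;
}'
PFSENSE_CONF='sainfo address 192.168.1.0/24 any address 192.168.128.0/24 any {
        encryption_algorithm 3des;
}'

# Usage: print the generated setkey script and iptables commands, then run
# the two consistency checks.
main() {
    spd_config
    firewall_rules
    nat_order_ok && echo "nat order: ok"
    sainfo_mirror_ok "$COLO_CONF" "$PFSENSE_CONF" && echo "sainfo selectors mirror: ok"
}
main
```

Apply the output with `spd_config | setkey -f -` and run the printed iptables lines on the colo host; `setkey -DP` afterwards should list the two policies, and `iptables -t nat -L POSTROUTING -n --line-numbers` should show the ACCEPT ahead of MASQUERADE. If pfSense is the initiator and you would rather not maintain an SPD by hand, `generate_policy on` in the colo's `remote` block achieves the same result for a single, trusted peer.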
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.