Connection to non-pfSense remote network.



  • I have a colo server, the guest is running Ubuntu and a variety of VMs, using a host only network on RFC1918 space (which does not conflict with any in-office ranges)

    I'd like to set up an IPsec tunnel from the Ubuntu host to the Office pfSense box (1.2.3-RELEASE built on Sun Dec 6 23:21:36 EST 2009) to allow us to access this private subnet from the office.

    However, I can't figure out what I need to do.
    There is a single shared secret on the pfSense IPSec pages, but ipsec_tools.conf expects one in each direction - this is just the first of a few things which have pickled my brain. Does anyone have a similar setup, and/or some other sensible resource to point me at?

    Cheers,

    John



  • OK - Figuring out more about pfSense helped some…

    Stage 1 seems OK, but...

    I'm now getting the following in syslog on the Colo box:

    
    Aug 25 06:24:59 Colo racoon: INFO: respond new phase 2 negotiation: ColoIP[500]<=>pFsenseIP[500]
    Aug 25 06:24:59 Colo racoon: ERROR: failed to get sainfo.
    Aug 25 06:24:59 Colo racoon: ERROR: failed to get sainfo.
    Aug 25 06:24:59 Colo racoon: ERROR: failed to pre-process packet.
    
    

    and the following from the pfSense box:

    
    Aug 25 06:25:09 pfSense racoon: ERROR: ColoIP give up to get IPsec-SA due to time up to wait.
    Aug 25 06:25:13 pfSense racoon: INFO: initiate new phase 2 negotiation: pFsenseIP[0]<=>ColoIP[0]
    
    

    Both units have 'proper' public IPs, and unfiltered (as far as I know) connections.

    Config is as follows:
    Colo:

    path pre_shared_key "/etc/racoon/psk.txt";
    path certificate "/etc/racoon/certs";
    
    remote pfSenseIP {
            exchange_mode main;
            proposal {
                    encryption_algorithm 3des;
                    hash_algorithm sha1;
                    authentication_method pre_shared_key;
                    dh_group modp1024;
                    lifetime time 28800 secs;
            }
    #        generate_policy off;
    }
    
    sainfo address 192.168.128.0/24 any address 192.168.1.0/24 any {
            encryption_algorithm 3des;
            authentication_algorithm hmac_md5;
            compression_algorithm deflate;
            pfs_group modp768;
            lifetime time 86400 secs;
    }
    
    

    pfSense:

    
    # This file is automatically generated. Do not edit
    listen {
    	adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
    }
    path pre_shared_key "/var/etc/psk.txt";
    
    path certificate  "/var/etc";
    
    remote ColoIP {
    	exchange_mode main;
    	my_identifier address "pfSenseIP";
    
    	peers_identifier address ColoIP;
    	initial_contact on;
    	dpd_delay 30;
    	ike_frag on;
    	support_proxy on;
    	proposal_check obey;
    
    	proposal {
    		encryption_algorithm 3des;
    		hash_algorithm sha1;
    		authentication_method pre_shared_key;
    		dh_group 2;
    		lifetime time 28800 secs;
    	}
    	lifetime time 28800 secs;
    }
    
    sainfo address 192.168.1.0/24 any address 192.168.128.0/24 any {
    	encryption_algorithm 3des;
    	authentication_algorithm hmac_md5;
    	compression_algorithm deflate;
    	pfs_group 1;
    	lifetime time 86400 secs;
    }
    
    

    Generated from the following on the interface on pfSense:

    
     * Disabled (no)
     * Interface WAN
     * DPD interval 30
     * Local subnet LAN subnet (192.168.1.0/24)
     * Remote gateway ColoIP
    Phase1:
     * Negotiation main
     * My ID My IP (pfSenseIP)
     * Crypto 3DES
     * Hash SHA1
     * DH key group 2 (1024 bit)
     * Lifetime 28800
     * Auth Preshared key
     * Key - pasted to file on Colo box
    Phase2:
     * Protocol ESP
     * Crypto 3DES
     * Hash MD5
     * PFS key 1 (768 bit)
     * Lifetime 86400
    Keepalive:
     * Ping - private IP of Colo
    
    

    And I've reached the limit of my IPSec knowhow :(

    Any pointers? (also known as "What did I screw up?")

    Cheers,

    John



  • More syslog from the colo box:

    Sep  2 13:25:34 Colo racoon: DEBUG: configuration found for 94.125.134.209.
    Sep  2 13:25:34 Colo racoon: DEBUG: getsainfo params: loc='192.168.128.0/24', rmt='192.168.1.0/24', peer='pfSenseIP', id=0
    Sep  2 13:25:34 Colo racoon: DEBUG: getsainfo pass #1
    Sep  2 13:25:34 Colo racoon: DEBUG: evaluating sainfo: loc='192.168.128.0/24', rmt='192.168.1.0/24', peer='ANY', id=0
    Sep  2 13:25:34 Colo racoon: DEBUG: getsainfo pass #2
    Sep  2 13:25:34 Colo racoon: DEBUG: evaluating sainfo: loc='192.168.128.0/24', rmt='192.168.1.0/24', peer='ANY', id=0
    Sep  2 13:25:34 Colo racoon: DEBUG: check and compare ids : values matched (IPv4_subnet)
    Sep  2 13:25:34 Colo racoon: DEBUG: cmpid target: '192.168.128.0/24'
    Sep  2 13:25:34 Colo racoon: DEBUG: cmpid source: '192.168.128.0/24'
    Sep  2 13:25:34 Colo racoon: DEBUG: check and compare ids : values matched (IPv4_subnet)
    Sep  2 13:25:34 Colo racoon: DEBUG: cmpid target: '192.168.1.0/24'
    Sep  2 13:25:34 Colo racoon: DEBUG: cmpid source: '192.168.1.0/24'
    Sep  2 13:25:34 Colo racoon: DEBUG: selected sainfo: loc='192.168.128.0/24', rmt='192.168.1.0/24', peer='ANY', id=0
    Sep  2 13:25:34 Colo racoon: DEBUG: get a src address from ID payload 192.168.1.0[0] prefixlen=24 ul_proto=255
    Sep  2 13:25:34 Colo racoon: DEBUG: get dst address from ID payload 192.168.128.0[0] prefixlen=24 ul_proto=255
    Sep  2 13:25:34 Colo racoon: ERROR: no policy found: 192.168.1.0/24[0] 192.168.128.0/24[0] proto=any dir=in
    Sep  2 13:25:34 Colo racoon: ERROR: failed to get proposal for responder.
    Sep  2 13:25:34 Colo racoon: ERROR: failed to pre-process packet.
    Sep  2 13:25:34 Colo racoon: DEBUG: IV freed
    
    

    ??? ??? ???



  • OK - finally got it working…

    First - I had no "generate_policy" command
    Then - I had various firewall issues on the pfSense end (it would make sense to have some indication that the IPsec connection will be pointless until explicitly opened)
    Then - I had firewall issues on the other end
    Then - I had routing issues on the other end (masquerading got done before IPsec got a look in)

    My head hurts.

    I'm going for a lie down.
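An added example (not part of the thread, and not pfSense or racoon code) that checks for the two things the "failed to get sainfo" / "no policy found" errors in the third post and the fix in the fourth post point at: the responder's `remote` block needs `generate_policy on` (without it racoon only accepts phase 2 if a matching SPD entry already exists, and those entries are loaded per direction with setkey, which is what ipsec-tools expects "in each direction"), and the two peers' `sainfo` subnets and DH/PFS groups must mirror each other (racoon's `modp768`/`modp1024` are pfSense's groups 1 and 2). The sample configs are constructed from the ones posted above with `COLO_IP` and `PFSENSE_IP` as placeholders; the parser is a minimal brace scanner, not racoon's grammar:

```python
import re

# racoon accepts DH/PFS groups by name or number; pfSense writes the number.
DH_GROUPS = {"modp768": 1, "modp1024": 2, "modp1536": 5, "1": 1, "2": 2, "5": 5}


def parse_blocks(text):
    """Return (header, statements) for every top-level '{ ... }' block.

    Comments are stripped first, so a commented-out 'generate_policy' line is
    invisible here, exactly as it is to racoon itself.
    """
    blocks, depth, header, body = [], 0, "", []
    for line in text.splitlines():
        s = line.split("#", 1)[0].strip()
        if not s:
            continue
        if depth == 0:
            if s.endswith("{"):          # 'remote X {', 'sainfo ... {', 'listen {'
                header, body, depth = s[:-1].strip(), [], 1
            continue                     # top-level 'path ...;' lines are not needed
        depth += s.count("{") - s.count("}")
        if depth == 0:
            blocks.append((header, body))
        else:
            body.append(s)               # nested 'proposal {' lines are kept too
    return blocks


def summarize(text):
    """Pull out the fields that must agree between the two peers."""
    info = {"peer": None, "generate_policy": None, "dh": None, "sainfo": []}
    for header, body in parse_blocks(text):
        kv = {}
        for stmt in body:
            parts = stmt.rstrip(";").split()
            if len(parts) >= 2:
                kv.setdefault(parts[0], parts[1])   # first occurrence wins
        if header.startswith("remote "):
            info["peer"] = header.split()[1]
            info["generate_policy"] = kv.get("generate_policy")
            info["dh"] = DH_GROUPS.get(kv.get("dh_group"))
        elif header.startswith("sainfo "):
            m = re.match(r"sainfo address (\S+) \S+ address (\S+) \S+", header)
            if m:
                info["sainfo"].append({"local": m.group(1), "remote": m.group(2),
                                       "pfs": DH_GROUPS.get(kv.get("pfs_group"))})
    return info


def check_pair(responder_text, initiator_text):
    """Findings for a responder (Colo) / initiator (pfSense) racoon.conf pair."""
    r, i = summarize(responder_text), summarize(initiator_text)
    findings = []
    if r["generate_policy"] != "on":
        findings.append("responder: no 'generate_policy on' in the remote block; "
                        "racoon will log 'no policy found' unless SPD entries exist")
    if r["dh"] != i["dh"]:
        findings.append(f"phase 1 dh_group mismatch: {r['dh']} vs {i['dh']}")
    r_pairs = {(s["local"], s["remote"]): s["pfs"] for s in r["sainfo"]}
    for s in i["sainfo"]:
        mirrored = (s["remote"], s["local"])   # responder sees the subnets swapped
        if mirrored not in r_pairs:
            findings.append(f"no responder sainfo mirrors {s['local']} <-> {s['remote']}")
        elif r_pairs[mirrored] != s["pfs"]:
            findings.append(f"pfs_group mismatch: {r_pairs[mirrored]} vs {s['pfs']}")
    return findings


# Constructed sample configs modelled on the thread; COLO_IP / PFSENSE_IP are placeholders.
COLO_CONF = """
path pre_shared_key "/etc/racoon/psk.txt";
remote PFSENSE_IP {
        exchange_mode main;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
#       generate_policy off;
}
sainfo address 192.168.128.0/24 any address 192.168.1.0/24 any {
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        pfs_group modp768;
}
"""
COLO_CONF_FIXED = re.sub(r"#\s*generate_policy off;", "generate_policy on;", COLO_CONF)

PFSENSE_CONF = """
# This file is automatically generated. Do not edit
path pre_shared_key "/var/etc/psk.txt";
remote COLO_IP {
        exchange_mode main;
        my_identifier address "PFSENSE_IP";
        proposal_check obey;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}
sainfo address 192.168.1.0/24 any address 192.168.128.0/24 any {
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        pfs_group 1;
}
"""

if __name__ == "__main__":
    print("as posted:", check_pair(COLO_CONF, PFSENSE_CONF))
    print("with generate_policy on:", check_pair(COLO_CONF_FIXED, PFSENSE_CONF))
```

The masquerade ordering in the last post is outside what a config check can catch; the usual fix on the Ubuntu side is to exempt packets that already match an IPsec policy from the POSTROUTING MASQUERADE rule, using iptables' policy match (`-m policy --dir out --pol ipsec -j ACCEPT`) placed ahead of it.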

