Initiate the tunnel from the pfSense



  • I have an IPsec VPN tunnel between pfSense 1.2.3-RELEASE (192.168.1.0/24) and a Netasq UTM (192.168.10.0/24).
    My network is the one with pfSense.

    When I try to ping an IP in the Netasq network from my network, no VPN tunnel comes up.
    Diagnostics: System logs: IPSEC VPN is empty

    But when a person in the Netasq network tries to ping IP 192.168.1.254 all is OK and the VPN tunnel is brought up.

    The problem is that I have to initiate the tunnel from the pfSense.

    Best regards,

    Daniel


  • Rebel Alliance Developer Netgate

    Fill in a Keep-Alive IP address inside of the remote subnet, then it will try to initiate the tunnel when the Keep-Alive ping is sent.

    See also here:
    http://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN%3F



  • @jimp:

    Fill in a Keep-Alive IP address inside of the remote subnet, then it will try to initiate the tunnel when the Keep-Alive ping is sent.

    Hi,

    My network is 192.168.1.0/24 and the IP of pfSense is 192.168.1.254
    The remote network with Netasq is 192.168.10.0/24 and the Netasq local IP is 192.168.10.254

    In my pfSense configuration, in the VPN tunnel I have:
    Keep alive, Automatically ping host: 192.168.10.254 (IP of Netasq in the second network)

    In System - Static Routes I have:

    Interface: LAN
    Network: 192.168.10.0/24  (Remote Network with Netasq)
    Gateway: 192.168.1.254  (my pfSense IP)

    Unfortunately, I still cannot initiate the IPsec tunnel from my network.

    Best regards,

    Daniel


  • Rebel Alliance Developer Netgate

    If that is the case, but they can initiate a tunnel to you, then the Netasq side might be blocking inbound IPsec so your initiation request never gets all the way there.

    You can look at the IPsec log to confirm this, it is probably trying but timing out.

    pfSense (by default) allows inbound IPsec from the remote peer when you add a tunnel. I'm not sure if the Netasq device would do the same.



  • When I ping from my network to 192.168.10.254, the pfSense Diagnostics: System logs: IPSEC VPN log is empty.
    No information about IPsec.

    Best regards,

    Daniel


  • Rebel Alliance Developer Netgate

    Post screenshots of your IPsec tunnel configuration.



  • @jimp:

    Post screenshots of your IPsec tunnel configuration.




  • Rebel Alliance Developer Netgate

    Looks normal.

    Can you clear the IPsec logs, then go to Status > Services, restart racoon, then try to ping and post the contents of the IPsec log after trying.



  • @jimp:

    Looks normal.

    Can you clear the IPsec logs, then go to Status > Services, restart racoon, then try to ping and post the contents of the IPsec log after trying.

    After restarting racoon, the log is:

    Last 50 IPSEC log entries
    Sep 29 16:14:43 racoon: INFO: @(#)ipsec-tools 0.7.2 (http://ipsec-tools.sourceforge.net)
    Sep 29 16:14:43 racoon: INFO: @(#)This product linked OpenSSL 0.9.8e 23 Feb 2007 (http://www.openssl.org/)
    Sep 29 16:14:43 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
    Sep 29 16:14:43 racoon: [Self]: INFO: 192.168.2.254[500] used as isakmp port (fd=14)
    Sep 29 16:14:43 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
    Sep 29 16:14:43 racoon: [Self]: INFO: 89.77.51.111[500] used as isakmp port (fd=16)
    Sep 29 16:14:43 racoon: [Self]: INFO: 192.168.1.254[500] used as isakmp port (fd=17)
    Sep 29 16:14:43 racoon: INFO: unsupported PF_KEY message REGISTER
    Sep 29 16:14:43 racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.1.254/32[0] proto=any dir=in
    Sep 29 16:14:43 racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.254/32[0] 192.168.1.0/24[0] proto=any dir=out
    Sep 29 16:14:44 racoon: [Self]: INFO: 192.168.2.254[500] used as isakmp port (fd=14)
    Sep 29 16:14:44 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
    Sep 29 16:14:44 racoon: [Self]: INFO: 89.77.51.111[500] used as isakmp port (fd=16)
    Sep 29 16:14:44 racoon: [Self]: INFO: 192.168.1.254[500] used as isakmp port (fd=17)
    Sep 29 16:14:51 racoon: [Self]: INFO: 192.168.2.254[500] used as isakmp port (fd=14)
    Sep 29 16:14:51 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
    Sep 29 16:14:51 racoon: [Self]: INFO: 89.77.51.111[500] used as isakmp port (fd=16)
    Sep 29 16:14:51 racoon: [Self]: INFO: 192.168.1.254[500] used as isakmp port (fd=17)

    But after the ping there are no new entries in this log.

    The ping is:

    C:>ping 192.168.10.254

    Badanie 192.168.10.254 z 32 bajtami danych:
    Odpowiedź z 192.168.1.254: Limit czasu wygaśnięcia (TTL) upłynął podczas tranzytu.
    Odpowiedź z 192.168.1.254: Limit czasu wygaśnięcia (TTL) upłynął podczas tranzytu.
    Odpowiedź z 192.168.1.254: Limit czasu wygaśnięcia (TTL) upłynął podczas tranzytu.
    Odpowiedź z 192.168.1.254: Limit czasu wygaśnięcia (TTL) upłynął podczas tranzytu.

    Statystyka badania ping dla 192.168.10.254:
        Pakiety: Wysłane = 4, Odebrane = 4, Utracone = 0 (0% straty),

    Limit czasu wygaśnięcia (TTL) upłynął podczas tranzytu. = Time Limit (TTL) expired in transit.

    Regards,

    Daniel
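An added example, not part of the thread: a small Python checker that applies the reasoning above to the two outputs Daniel posted. It looks for any IKE negotiation lines in the racoon log (if there are none after a ping, pfSense never tried to initiate), and flags ping replies in which the default gateway itself reports "TTL expired in transit", which means the gateway forwarded the packet round a loop until its TTL hit zero, so the packet never reached the IPsec policy. The sample log and ping text are constructed from the lines posted in this thread; the gateway address is the one Daniel gave.

```python
import re

# Constructed sample: the distinct racoon lines posted after the restart.
RACOON_LOG = """\
Sep 29 16:14:43 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
Sep 29 16:14:43 racoon: [Self]: INFO: 89.77.51.111[500] used as isakmp port (fd=16)
Sep 29 16:14:43 racoon: [Self]: INFO: 192.168.1.254[500] used as isakmp port (fd=17)
Sep 29 16:14:43 racoon: INFO: unsupported PF_KEY message REGISTER
"""

# Constructed sample: the Polish Windows ping output exactly as posted.
PING_OUTPUT = """\
Badanie 192.168.10.254 z 32 bajtami danych:
Odpowiedź z 192.168.1.254: Limit czasu wygaśnięcia (TTL) upłynął podczas tranzytu.
Odpowiedź z 192.168.1.254: Limit czasu wygaśnięcia (TTL) upłynął podczas tranzytu.
"""

# Messages ipsec-tools racoon prints when it starts or completes an IKE phase 1.
IKE_MARKERS = (
    "initiate new phase 1 negotiation",
    "respond new phase 1 negotiation",
    "ISAKMP-SA established",
)

# Matches both the Polish and the English Windows reply line; group 1 is the responder.
REPLY_RE = re.compile(r"^(?:Odpowiedź z|Reply from) ([\d.]+): (.*)$", re.M)


def ike_activity(log: str) -> list:
    """Return racoon lines showing an IKE exchange; empty means phase 1 was never started."""
    return [ln for ln in log.splitlines() if any(m in ln for m in IKE_MARKERS)]


def ttl_expired_from_gateway(ping: str, gateway: str) -> int:
    """Count replies where the local gateway itself answered 'TTL expired in transit'."""
    return sum(1 for who, msg in REPLY_RE.findall(ping) if who == gateway and "TTL" in msg)


def diagnose(log: str, ping: str, gateway: str) -> str:
    """Classify the symptom from the two outputs a user would paste into the thread."""
    if ttl_expired_from_gateway(ping, gateway):
        # The first hop returned ICMP Time Exceeded for a packet that had just left
        # the host: it was forwarded in a loop and never matched the IPsec policy.
        return "routing-loop"
    if not ike_activity(log):
        # Traffic left toward the tunnel but racoon never began phase 1.
        return "no-initiation"
    return "ike-attempted"


if __name__ == "__main__":
    print(diagnose(RACOON_LOG, PING_OUTPUT, "192.168.1.254"))
```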


  • Rebel Alliance Developer Netgate

    And pfSense is the gateway for the workstation you are pinging from?

    What if you try to ping from the web interface (Diagnostics > Ping) with the LAN interface selected?



  • @jimp:

    And pfSense is the gateway for the workstation you are pinging from?

    What if you try to ping from the web interface (Diagnostics > Ping) with the LAN interface selected?

    Yes, it is the gateway.
    ipconfig:
    Konfiguracja IP systemu Windows
    Karta Ethernet Połączenie lokalne:

    Sufiks DNS konkretnego połączenia : local
      Adres IPv6 połączenia lokalnego . : fe80::140c:40e9:35df:1d6%13
      Adres IPv4. . . . . . . . . . . . . : 192.168.1.140
      Maska podsieci. . . . . . . . . . : 255.255.255.0
      Brama domyślna. . . . . . . . . . : 192.168.1.254  !!!

    The ping result is in the txt file:

    ping-from-webgui.txt

