Initiate the tunnel from the pfSense
-
I have an IPsec VPN tunnel between pfSense 1.2.3-RELEASE (192.168.1.0/24) and a Netasq UTM (192.168.10.0/24).
My network is the one with pfSense. When I try to ping an IP in the Netasq network from my network, no VPN tunnel comes up.
Diagnostics: System logs: IPsec VPN is empty. But when a person in the Netasq network tries to ping IP 192.168.1.254, all is OK and the VPN tunnel comes up.
The problem is that I have to initiate the tunnel from the pfSense.
Best regards,
Daniel
-
Fill in a Keep-Alive IP address inside of the remote subnet, then it will try to initiate the tunnel when the Keep-Alive ping is sent.
-
Fill in a Keep-Alive IP address inside of the remote subnet, then it will try to initiate the tunnel when the Keep-Alive ping is sent.
Hi,
My network is 192.168.1.0/24 and the IP of pfSense is 192.168.1.254.
The remote network with Netasq is 192.168.10.0/24 and the Netasq local IP is 192.168.10.254.
In my pfSense configuration, in the VPN tunnel, I have:
Keep alive, Automatically ping host: 192.168.10.254 (IP of Netasq in the second network)
In System - Static Routes I have:
Interface: LAN
Network: 192.168.10.0/24 (remote network with Netasq)
Gateway: 192.168.1.254 (my pfSense IP)
Unfortunately, I still cannot initiate the IPsec tunnel from my network.
Best regards,
Daniel
-
If that is the case, but they can initiate a tunnel to you, then the Netasq side might be blocking inbound IPsec so your initiation request never gets all the way there.
You can look at the IPsec log to confirm this, it is probably trying but timing out.
pfSense (by default) allows inbound IPsec from the remote peer when you add a tunnel. I'm not sure if the Netasq device would do the same.
-
When I ping from my network to 192.168.10.254, in pfSense Diagnostics: System logs: IPsec VPN the log is empty.
No information about IPsec.
Best regards,
Daniel
-
Post screenshots of your IPsec tunnel configuration.
-
-
Looks normal.
Can you clear the IPsec logs, then go to Status > Services, restart racoon, then try to ping and post the contents of the IPsec log after trying.
-
Looks normal.
Can you clear the IPsec logs, then go to Status > Services, restart racoon, then try to ping and post the contents of the IPsec log after trying.
After restarting racoon, the log is:
Last 50 IPSEC log entries
Sep 29 16:14:43 racoon: INFO: @(#)ipsec-tools 0.7.2 (http://ipsec-tools.sourceforge.net)
Sep 29 16:14:43 racoon: INFO: @(#)This product linked OpenSSL 0.9.8e 23 Feb 2007 (http://www.openssl.org/)
Sep 29 16:14:43 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
Sep 29 16:14:43 racoon: [Self]: INFO: 192.168.2.254[500] used as isakmp port (fd=14)
Sep 29 16:14:43 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
Sep 29 16:14:43 racoon: [Self]: INFO: 89.77.51.111[500] used as isakmp port (fd=16)
Sep 29 16:14:43 racoon: [Self]: INFO: 192.168.1.254[500] used as isakmp port (fd=17)
Sep 29 16:14:43 racoon: INFO: unsupported PF_KEY message REGISTER
Sep 29 16:14:43 racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.1.254/32[0] proto=any dir=in
Sep 29 16:14:43 racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.254/32[0] 192.168.1.0/24[0] proto=any dir=out
Sep 29 16:14:44 racoon: [Self]: INFO: 192.168.2.254[500] used as isakmp port (fd=14)
Sep 29 16:14:44 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
Sep 29 16:14:44 racoon: [Self]: INFO: 89.77.51.111[500] used as isakmp port (fd=16)
Sep 29 16:14:44 racoon: [Self]: INFO: 192.168.1.254[500] used as isakmp port (fd=17)
Sep 29 16:14:51 racoon: [Self]: INFO: 192.168.2.254[500] used as isakmp port (fd=14)
Sep 29 16:14:51 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
Sep 29 16:14:51 racoon: [Self]: INFO: 89.77.51.111[500] used as isakmp port (fd=16)
Sep 29 16:14:51 racoon: [Self]: INFO: 192.168.1.254[500] used as isakmp port (fd=17)
But after the ping I have no new entries in this log.
The ping is:
C:\>ping 192.168.10.254
Pinging 192.168.10.254 with 32 bytes of data:
Reply from 192.168.1.254: TTL expired in transit.
Reply from 192.168.1.254: TTL expired in transit.
Reply from 192.168.1.254: TTL expired in transit.
Reply from 192.168.1.254: TTL expired in transit.
Ping statistics for 192.168.10.254:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
(The Polish message "Limit czasu wygaśnięcia (TTL) upłynął podczas tranzytu." means "TTL expired in transit.")
Regards,
Daniel
-
And pfSense is the gateway for the workstation you are pinging from?
What if you try to ping from the web interface (Diagnostics > Ping) with the LAN interface selected?
-
And pfSense is the gateway for the workstation you are pinging from?
What if you try to ping from the web interface (Diagnostics > Ping) with the LAN interface selected?
Yes, it is the gateway.
ipconfig:
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : local
Link-local IPv6 Address . . . . . : fe80::140c:40e9:35df:1d6%13
IPv4 Address. . . . . . . . . . . : 192.168.1.140
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.254 !!!
The ping result is in the txt file.
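The two artefacts posted in this thread, a racoon log with nothing after the startup banners and a ping whose "TTL expired in transit" replies come from 192.168.1.254 (the pfSense LAN address itself), are the usual evidence for one specific condition: the firewall is forwarding the packets in a circle instead of handing them to the IPsec policy, so racoon is never asked to negotiate. A static route for the remote subnet whose gateway is the firewall's own LAN address, as in the configuration posted above, produces exactly that, and pfSense does not need such a route for IPsec, because the security policy (SPD), not the routing table, selects tunnel traffic. The following script is an added example (not code from the original posts, from pfSense, or from racoon) that classifies a captured Windows ping output and checks a racoon log for a negotiation attempt. The sample inputs are constructed from the thread's output; the "phase 1 negotiation" wording it looks for in the log is an assumption about racoon's INFO lines.

```python
import re

# Constructed sample: the ping output from the thread, translated to English.
PING_OUTPUT = """\
C:\\>ping 192.168.10.254

Pinging 192.168.10.254 with 32 bytes of data:
Reply from 192.168.1.254: TTL expired in transit.
Reply from 192.168.1.254: TTL expired in transit.
Reply from 192.168.1.254: TTL expired in transit.
Reply from 192.168.1.254: TTL expired in transit.

Ping statistics for 192.168.10.254:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
"""

# Constructed sample: racoon startup lines from the thread; nothing followed them.
RACOON_LOG = """\
Sep 29 16:14:43 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
Sep 29 16:14:43 racoon: [Self]: INFO: 89.77.51.111[500] used as isakmp port (fd=16)
Sep 29 16:14:43 racoon: [Self]: INFO: 192.168.1.254[500] used as isakmp port (fd=17)
"""

TARGET_RE = re.compile(r"^Pinging (\d+\.\d+\.\d+\.\d+) with")
REPLY_RE = re.compile(r"^Reply from (\d+\.\d+\.\d+\.\d+): (.*)$")


def classify_ping(output, gateway):
    """Summarise a Windows ping run against a host behind a site-to-site tunnel.

    gateway is the LAN address of the firewall the pinging host routes through.
    Returns the target, per-category counts, the routers that sent TTL-expired
    messages, and a one-line verdict.
    """
    target = None
    counts = {"reply_from_target": 0, "timed_out": 0, "ttl_expired": 0}
    ttl_senders = set()
    for raw in output.splitlines():
        line = raw.strip()
        m = TARGET_RE.match(line)
        if m:
            target = m.group(1)
            continue
        if line == "Request timed out.":
            counts["timed_out"] += 1
            continue
        m = REPLY_RE.match(line)
        if not m:
            continue
        src, body = m.groups()
        if body.startswith("TTL expired in transit"):
            # An ICMP time-exceeded tells us which router drove the TTL to zero.
            counts["ttl_expired"] += 1
            ttl_senders.add(src)
        elif src == target and body.startswith("bytes="):
            counts["reply_from_target"] += 1

    if counts["reply_from_target"]:
        verdict = "tunnel passes traffic: replies came back from the remote host"
    elif counts["ttl_expired"] and gateway in ttl_senders:
        verdict = ("routing loop at the gateway: {} itself reported TTL expired, so it "
                   "forwarded the packets in a circle instead of matching them to the "
                   "IPsec policy; check for a static route to the remote subnet whose "
                   "gateway is the firewall's own address").format(gateway)
    elif counts["ttl_expired"]:
        verdict = "routing loop beyond the gateway at: " + ", ".join(sorted(ttl_senders))
    elif counts["timed_out"]:
        verdict = "no replies: packets left the LAN; check the IPsec log for a negotiation attempt"
    else:
        verdict = "no recognisable ping output"
    return {"target": target, "counts": counts,
            "ttl_senders": sorted(ttl_senders), "verdict": verdict}


# Assumed wording of racoon's INFO lines when it starts or answers an IKE exchange.
NEGOTIATION_RE = re.compile(r"phase [12] negotiation")


def racoon_shows_negotiation(log_text):
    """True if any log line records a phase 1 or phase 2 negotiation."""
    return any(NEGOTIATION_RE.search(line) for line in log_text.splitlines())


if __name__ == "__main__":
    result = classify_ping(PING_OUTPUT, gateway="192.168.1.254")
    print(result["verdict"])
    print("racoon attempted a negotiation:", racoon_shows_negotiation(RACOON_LOG))
```

Run against the thread's output the verdict is the routing-loop case and the log check is False; a healthy run would show "bytes=" replies from the remote host, and a tunnel that is merely down would show "Request timed out." together with negotiation lines in the racoon log.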