Netgate Discussion Forum
    IPSEC Between 2 pfSense, Comcast SMC in between. SA established then lost.

Kruzen

      Hi Everyone,

      I am trying to set up IPSEC between our offices and our datacenter.

      Currently our configuration is like this

      Office (Tunnel IP 10.1.1.5)
Comcast SMC8014 (set to allow all traffic through; confirmed by Comcast to be the closest thing to bridged possible) -> pfSense (1.2-RELEASE)

      Data Center (Tunnel IP 10.1.1.6)
Uplink -> pfSense (1.2.3-RELEASE)

      What is Known:

UDP 4500 for NAT-T is open on both ends and confirmed via probe
      UDP 500 is open on both ends and confirmed via probe
      ANY traffic is allowed through both ends of the tunnel.
      TCP 51 is open on both ends.

      x.x.x.x = Office WAN IP
      y.y.y.y = DataCenter WAN IP

      DataCenter racoon.conf

      
      $ cat /var/etc/racoon.conf
      # This file is automatically generated. Do not edit
      listen {
      	adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
      }
      path pre_shared_key "/var/etc/psk.txt";
      
      path certificate  "/var/etc";
      
      remote x.x.x.x {
      	exchange_mode main;
      	my_identifier address "y.y.y.y";
      
      	peers_identifier address x.x.x.x;
      	initial_contact on;
      
      	ike_frag on;
      	support_proxy on;
      	proposal_check obey;
      
      	proposal {
      		encryption_algorithm 3des;
      		hash_algorithm sha1;
      		authentication_method pre_shared_key;
      		dh_group 2;
      		lifetime time 28800 secs;
      	}
      	lifetime time 28800 secs;
      }
      
      sainfo address 172.26.0.0/24 any address 10.1.1.5/30 any {
      	encryption_algorithm 3des;
      	authentication_algorithm hmac_sha1;
      	compression_algorithm deflate;
      	pfs_group 2;
      	lifetime time 3600 secs;
      }
      
      

      Office racoon.conf

      
      $ cat /var/etc/racoon.conf
      path pre_shared_key "/var/etc/psk.txt";
      
      path certificate  "/var/etc";
      
      remote y.y.y.y {
      	exchange_mode main;
      	my_identifier address "x.x.x.x";
      
      	peers_identifier address y.y.y.y;
      	initial_contact on;
      	support_proxy on;
      	proposal_check obey;
      
      	proposal {
      		encryption_algorithm 3des;
      		hash_algorithm sha1;
      		authentication_method pre_shared_key;
      		dh_group 2;
      		lifetime time 28800 secs;
      	}
      	lifetime time 28800 secs;
      }
      
      sainfo address 192.168.168.0/24 any address 10.1.1.6/30 any {
      	encryption_algorithm 3des;
      	authentication_algorithm hmac_sha1;
      	compression_algorithm deflate;
      	pfs_group 2;
      	lifetime time 3600 secs;
      }
      
      

      Ping from DataCenter LAN to 10.1.1.5 (Office tunnel IP)

      
      2011-01-05 11:27:21: DEBUG: 292 bytes message received from y.y.y.y[500] to x.x.x.x[500]
      2011-01-05 11:27:21: DEBUG:
      ****HASH****
      2011-01-05 11:27:21: DEBUG: compute IV for phase2
      2011-01-05 11:27:21: DEBUG: phase1 last IV:
      2011-01-05 11:27:21: DEBUG:
      ****HASH****
      2011-01-05 11:27:21: DEBUG: hash(sha1)
      2011-01-05 11:27:21: DEBUG: encryption(3des)
      2011-01-05 11:27:21: DEBUG: phase2 IV computed:
      2011-01-05 11:27:21: DEBUG:
      ****HASH****
      2011-01-05 11:27:21: DEBUG: ===
      2011-01-05 11:27:21: INFO: respond new phase 2 negotiation: x.x.x.x[0]<=>y.y.y.y[0]
      2011-01-05 11:27:21: DEBUG: begin decryption.
      2011-01-05 11:27:21: DEBUG: encryption(3des)
      2011-01-05 11:27:21: DEBUG: IV was saved for next processing:
      2011-01-05 11:27:21: DEBUG:
      ****HASH****
      2011-01-05 11:27:21: DEBUG: encryption(3des)
      2011-01-05 11:27:21: DEBUG: with key:
      2011-01-05 11:27:21: DEBUG:
      ****HASH****
      2011-01-05 11:27:21: DEBUG: decrypted payload by IV:
      2011-01-05 11:27:21: DEBUG:
      ****HASH****
      2011-01-05 11:27:21: DEBUG: decrypted payload, but not trimed.
      2011-01-05 11:27:21: DEBUG:
      ****HASH****
      2011-01-05 11:27:21: DEBUG: padding len=4
      2011-01-05 11:27:21: DEBUG: skip to trim padding.
      2011-01-05 11:27:21: DEBUG: decrypted.
      2011-01-05 11:27:21: DEBUG:
      ****HASH****
      2011-01-05 11:27:21: DEBUG: begin.
      2011-01-05 11:27:21: DEBUG: seen nptype=8(hash)
      2011-01-05 11:27:21: DEBUG: seen nptype=1(sa)
      2011-01-05 11:27:21: DEBUG: seen nptype=10(nonce)
      2011-01-05 11:27:21: DEBUG: seen nptype=4(ke)
      2011-01-05 11:27:21: DEBUG: seen nptype=5(id)
      2011-01-05 11:27:21: DEBUG: seen nptype=5(id)
      2011-01-05 11:27:21: DEBUG: succeed.
      2011-01-05 11:27:21: DEBUG: received IDci2:2011-01-05 11:27:21: DEBUG:
      ****HASH****
      2011-01-05 11:27:21: DEBUG: received IDcr2:2011-01-05 11:27:21: DEBUG:
      ****HASH****
      2011-01-05 11:27:21: DEBUG: HASH(1) validate:2011-01-05 11:27:21: DEBUG:
      ****HASH****
      2011-01-05 11:27:21: DEBUG: HASH with:
      2011-01-05 11:27:21: DEBUG:
      ****HASH****
      2011-01-05 11:27:21: DEBUG: hmac(hmac_sha1)
      2011-01-05 11:27:21: DEBUG: HASH computed:
      2011-01-05 11:27:21: DEBUG:
      ****HASH****
      2011-01-05 11:27:21: DEBUG: configuration found for y.y.y.y.
      2011-01-05 11:27:21: DEBUG: getsainfo params: loc='10.1.1.5/30' rmt='172.26.0.0/24' peer='y.y.y.y' client='y.y.y.y' id=0
      2011-01-05 11:27:21: DEBUG: evaluating sainfo: loc='192.168.168.0/24', rmt='10.1.1.6/30', peer='ANY', id=0
      2011-01-05 11:27:21: DEBUG: check and compare ids : value mismatch (IPv4_subnet)
      2011-01-05 11:27:21: DEBUG: cmpid target: '10.1.1.5/30'
      2011-01-05 11:27:21: DEBUG: cmpid source: '192.168.168.0/24'
      2011-01-05 11:27:21: ERROR: failed to get sainfo.
      2011-01-05 11:27:21: ERROR: failed to get sainfo.
      2011-01-05 11:27:21: ERROR: failed to pre-process packet.
      2011-01-05 11:27:21: DEBUG: IV freed
      
      

      Ping from Office LAN to DC Tunnel (10.1.1.6)

      Jan 5 11:30:03	racoon: ERROR: failed to pre-process packet.
      Jan 5 11:30:03	racoon: ERROR: failed to get sainfo.
      Jan 5 11:30:03	racoon: ERROR: failed to get sainfo.
      Jan 5 11:30:03	racoon: [tunnel to gig harbor]: INFO: respond new phase 2 negotiation: y.y.y.y[0]<=>x.x.x.x[0]
      Jan 5 11:30:03	racoon: INFO: received Vendor ID: DPD
      Jan 5 11:30:03	racoon: INFO: begin Identity Protection mode.
      Jan 5 11:30:03	racoon: [tunnel to gig harbor]: INFO: respond new phase 1 negotiation: y.y.y.y[500]<=>x.x.x.x[500]
      

The above would be as verbose as the other, but for reasons unknown to me racoon -F -dd -f /var/etc/racoon.conf stops running after spitting out this at the data center.

      
      #: racoon -F -dd -f /var/etc/racoon.conf
      Foreground mode.
      2011-01-05 11:03:29: INFO: @(#)ipsec-tools 0.7.2 (http://ipsec-tools.sourceforge.net)
      2011-01-05 11:03:29: INFO: @(#)This product linked OpenSSL 0.9.8e 23 Feb 2007 (http://www.openssl.org/)
      2011-01-05 11:03:29: INFO: Reading configuration from "/var/etc/racoon.conf"
      2011-01-05 11:03:29: DEBUG: call pfkey_send_register for AH
      2011-01-05 11:03:29: DEBUG: call pfkey_send_register for ESP
      2011-01-05 11:03:29: DEBUG: call pfkey_send_register for IPCOMP
      2011-01-05 11:03:29: DEBUG: reading config file /var/etc/racoon.conf
      2011-01-05 11:03:29: DEBUG2: lifetime = 28800
      2011-01-05 11:03:29: DEBUG2: lifebyte = 0
      2011-01-05 11:03:29: DEBUG2: encklen=0
      2011-01-05 11:03:29: DEBUG2: p:1 t:1
      2011-01-05 11:03:29: DEBUG2: 3DES-CBC(5)
      2011-01-05 11:03:29: DEBUG2: SHA(2)
      2011-01-05 11:03:29: DEBUG2: 1024-bit MODP group(2)
      2011-01-05 11:03:29: DEBUG2: pre-shared key(1)
      2011-01-05 11:03:29: DEBUG2:
      2011-01-05 11:03:29: DEBUG: compression algorithm can not be checked because sadb message doesn't support it.
      2011-01-05 11:03:29: DEBUG: getsainfo params: loc='172.26.0.0/24', rmt='10.1.1.5/30', peer='NULL', id=0
      2011-01-05 11:03:29: DEBUG: getsainfo pass #2
      2011-01-05 11:03:29: DEBUG2: parse successed.
      2011-01-05 11:03:29: DEBUG: open /var/db/racoon/racoon.sock as racoon management.
      2011-01-05 11:03:29: DEBUG: my interface: y.y.y.y (vr0)
      2011-01-05 11:03:29: DEBUG: my interface: 172.26.0.254 (vr1)
      2011-01-05 11:03:29: DEBUG: my interface: 127.0.0.1 (lo0)
      2011-01-05 11:03:29: DEBUG: configuring default isakmp port.
      2011-01-05 11:03:29: DEBUG: 3 addrs are configured successfully
      2011-01-05 11:03:29: ERROR: failed to bind to address 127.0.0.1[500] (Address already in use).
      2011-01-05 11:03:29: ERROR: failed to bind to address 172.26.0.254[500] (Address already in use).
      2011-01-05 11:03:29: ERROR: failed to bind to address y.y.y.y[500] (Address already in use).
      2011-01-05 11:03:29: ERROR: no address could be bound.
      
      

Any help is much appreciated. I've been working on this for almost two weeks now, trying to nail down all the possible problems.

Kruzen

I turned on packet logging for those as well, and ISAKMP[500] packets are successfully getting a PASS when pinging from office to datacenter as well as datacenter to office.

brcisna

          Kruzen,

I just thought I would post this "how to" on IPsec VPN setup in case you have never seen it in the "how to's" on the pfSense docs. I followed this to a T and had two VPNs working the first time I connected each of the three pfSense boxes at each building. It may help you see something you possibly overlooked.

          http://doc.pfsense.org/index.php/VPN_Capability_IPsec

Also, a question: is the one pfSense in fact pfSense-1.2-RELEASE, as you have listed in your original post (and not pfSense-1.2.3-RELEASE)? I wonder if there may be a discrepancy between the two versions, if in fact you are using two different versions of pfSense. It would seem they should play together, but just a thought.

          Barry

Kruzen

There is a discrepancy between the two versions of pfSense; however, I did not consider it to be a substantial issue, considering IPsec should work cross-platform, let alone between different firmware versions.

Hopefully I'm right, but I am running out of options and may be headed down that path now.

Kruzen

              Really wish I could find some answers on this :(

jimp (Rebel Alliance Developer, Netgate)

                You got that last racoon error (address already in use) most likely because racoon was already running and needed to be killed first.

                However this may be the real issue:

                2011-01-05 11:27:21: DEBUG: getsainfo params: loc='10.1.1.5/30' rmt='172.26.0.0/24' peer='y.y.y.y' client='y.y.y.y' id=0
                2011-01-05 11:27:21: DEBUG: evaluating sainfo: loc='192.168.168.0/24', rmt='10.1.1.6/30', peer='ANY', id=0
                2011-01-05 11:27:21: DEBUG: check and compare ids : value mismatch (IPv4_subnet)
                2011-01-05 11:27:21: DEBUG: cmpid target: '10.1.1.5/30'
                2011-01-05 11:27:21: DEBUG: cmpid source: '192.168.168.0/24'
                

The phase 2 subnets do not match between the peers.

                Normally the phase 2 subnets are mirrors of each other, such as:

                Site A:

                sainfo address 192.168.254.0/24 any address 192.168.10.0/24 any {
                        encryption_algorithm 3des;
                        authentication_algorithm hmac_sha1;
                        compression_algorithm deflate;
                        lifetime time 3600 secs;
                }
                

                Site B:

                sainfo address 192.168.10.0/24 any address 192.168.254.0/24 any {
                        encryption_algorithm 3des;
                        authentication_algorithm hmac_sha1;
                        compression_algorithm deflate;
                        lifetime time 3600 secs;
                }
                

                IPsec tunnels have no address themselves.

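The mirroring rule jimp describes is easy to check mechanically before bringing a tunnel up: the responder looks up its own sainfo with its local network set to the initiator's remote network and vice versa, so every `sainfo address L any address R any` on one peer needs an `sainfo address R any address L any` on the other. The following script is an added example, not code from the thread or from pfSense. It parses the sainfo lines from two racoon.conf texts (the sample configs below are constructed from the subnets quoted in this thread, first as posted and then as jimp suggests) and reports any pair that has no mirror on the other side. The regex and the `check_mirrored` helper are my own; they assume the racoon sainfo syntax shown in the configs above.

```python
import re
import ipaddress

# Matches: sainfo address <local> <proto> address <remote> <proto> {
# (the form racoon uses for a tunnel-mode phase 2 selector)
SAINFO_RE = re.compile(
    r"^\s*sainfo\s+address\s+(\S+)\s+(\S+)\s+address\s+(\S+)\s+(\S+)\s*\{",
    re.MULTILINE,
)


def parse_sainfo(conf):
    """Return [(local_net, remote_net), ...] from a racoon.conf text.

    Networks are normalised (10.1.1.5/30 -> 10.1.1.4/30) so that two
    spellings of the same subnet compare equal.
    """
    pairs = []
    for m in SAINFO_RE.finditer(conf):
        loc, _proto_l, rmt, _proto_r = m.groups()
        pairs.append((ipaddress.ip_network(loc, strict=False),
                      ipaddress.ip_network(rmt, strict=False)))
    return pairs


def check_mirrored(conf_a, conf_b):
    """Return a list of problems; empty means phase 2 selectors mirror each other.

    For each (L, R) on site A there must be an (R, L) on site B, and the
    other way round. This is the lookup racoon performs when it logs
    'getsainfo params: loc=... rmt=...' on the responder.
    """
    a = set(parse_sainfo(conf_a))
    b = set(parse_sainfo(conf_b))
    problems = []
    for loc, rmt in sorted(a, key=str):
        if (rmt, loc) not in b:
            problems.append(f"site A sainfo {loc} <-> {rmt} has no mirror on site B")
    for loc, rmt in sorted(b, key=str):
        if (rmt, loc) not in a:
            problems.append(f"site B sainfo {loc} <-> {rmt} has no mirror on site A")
    return problems


# Constructed samples: only the sainfo blocks matter for this check.
DC_CONF_BROKEN = """
sainfo address 172.26.0.0/24 any address 10.1.1.5/30 any {
        encryption_algorithm 3des;
}
"""
OFFICE_CONF_BROKEN = """
sainfo address 192.168.168.0/24 any address 10.1.1.6/30 any {
        encryption_algorithm 3des;
}
"""
# The corrected pair: each side's local LAN is the other side's remote LAN.
DC_CONF_FIXED = """
sainfo address 172.26.0.0/24 any address 192.168.168.0/24 any {
        encryption_algorithm 3des;
}
"""
OFFICE_CONF_FIXED = """
sainfo address 192.168.168.0/24 any address 172.26.0.0/24 any {
        encryption_algorithm 3des;
}
"""

if __name__ == "__main__":
    print("as posted:")
    for p in check_mirrored(DC_CONF_BROKEN, OFFICE_CONF_BROKEN):
        print("  ", p)
    print("as jimp suggests:", check_mirrored(DC_CONF_FIXED, OFFICE_CONF_FIXED) or "OK")
```

Run it against the two real /var/etc/racoon.conf files (read them into `conf_a` and `conf_b`) before restarting racoon; the "as posted" case reproduces the `value mismatch (IPv4_subnet)` situation from the log above, because neither peer's local network appears as the other peer's remote network.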
Kruzen

                  @jimp:

                  You got that last racoon error (address already in use) most likely because racoon was already running and needed to be killed first.

                  However this may be the real issue:

                  2011-01-05 11:27:21: DEBUG: getsainfo params: loc='10.1.1.5/30' rmt='172.26.0.0/24' peer='y.y.y.y' client='y.y.y.y' id=0
                  2011-01-05 11:27:21: DEBUG: evaluating sainfo: loc='192.168.168.0/24', rmt='10.1.1.6/30', peer='ANY', id=0
2011-01-05 11:27:21: DEBUG: check and compare ids : value mismatch (IPv4_subnet)
                  2011-01-05 11:27:21: DEBUG: cmpid target: '10.1.1.5/30'
                  2011-01-05 11:27:21: DEBUG: cmpid source: '192.168.168.0/24'
                  

The phase 2 subnets do not match between the peers.

                  Normally the phase 2 subnets are mirrors of each other, such as:

                  Site A:

                  sainfo address 192.168.254.0/24 any address 192.168.10.0/24 any {
                          encryption_algorithm 3des;
                          authentication_algorithm hmac_sha1;
                          compression_algorithm deflate;
                          lifetime time 3600 secs;
                  }
                  

                  Site B:

                  sainfo address 192.168.10.0/24 any address 192.168.254.0/24 any {
                          encryption_algorithm 3des;
                          authentication_algorithm hmac_sha1;
                          compression_algorithm deflate;
                          lifetime time 3600 secs;
                  }
                  

                  IPsec tunnels have no address themselves.

Wow! This fixed it for me. Outstanding, my friend. I was working under the understanding that IPsec tunnels had a 'gateway IP'. Everything is working now :)

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.