Netgate Discussion Forum

    IPSec from behind an uncontrolled NAT device

      jp7189

      Trying to connect 2 pfSense 2.0 beta 5 firewalls with an IPSec tunnel.  1 of the pfSense boxes is behind another firewall that I don't control.  I can't make any inbound rules/forwards to that box, but the other pfSense has a public IP.  When pinging from Site 1, I can see the tunnel begin phase 1, but there is NOTHING at all logged at Site 2.  Not in the IPSec log, not in the firewall log.  I've double checked that the remote gateway IP is correct, rebooted both pfSenses, restarted racoon as was indicated by another post…

        jp7189

        Site 1 - behind NAT firewall
        Feb 17 14:17:45 racoon: INFO: begin Aggressive mode.
        Feb 17 14:17:45 racoon: ERROR: sendto (No route to host)
        Feb 17 14:17:45 racoon: ERROR: sendfromto failed
        Feb 17 14:17:45 racoon: ERROR: phase1 negotiation failed due to send error. ef85822e0f718a1f:0000000000000000
        Feb 17 14:17:45 racoon: ERROR: failed to begin ipsec sa negotication.
        Feb 17 14:18:08 racoon: [HS3 Colo]: INFO: IPsec-SA request for x.x.x.x queued due to no phase1 found.
        Feb 17 14:18:08 racoon: [HS3 Colo]: INFO: initiate new phase 1 negotiation: y.y.y.y[500]<=>x.x.x.x[500]
        Feb 17 14:18:08 racoon: INFO: begin Aggressive mode.
        Feb 17 14:18:08 racoon: ERROR: sendto (No route to host)
        Feb 17 14:18:08 racoon: ERROR: sendfromto failed
        Feb 17 14:18:08 racoon: ERROR: phase1 negotiation failed due to send error. a936ec3bc428c860:0000000000000000
        Feb 17 14:18:08 racoon: ERROR: failed to begin ipsec sa negotication.
        Feb 17 14:18:31 racoon: [HS3 Colo]: INFO: IPsec-SA request for x.x.x.x queued due to no phase1 found.
        Feb 17 14:18:31 racoon: [HS3 Colo]: INFO: initiate new phase 1 negotiation: y.y.y.y[500]<=>x.x.x.x[500]
        Feb 17 14:18:31 racoon: INFO: begin Aggressive mode.
        Feb 17 14:18:31 racoon: ERROR: sendto (No route to host)
        Feb 17 14:18:31 racoon: ERROR: sendfromto failed
        Feb 17 14:18:31 racoon: ERROR: phase1 negotiation failed due to send error. 6ca3082f600a86a7:0000000000000000
        Feb 17 14:18:31 racoon: ERROR: failed to begin ipsec sa negotication.

          jp7189

          Site 2 - Public IP
          Feb 17 14:18:51 racoon: INFO: @(#)ipsec-tools 0.8.0.beta3 (http://ipsec-tools.sourceforge.net)
          Feb 17 14:18:51 racoon: INFO: @(#)This product linked OpenSSL 0.9.8n 24 Mar 2010 (http://www.openssl.org/)
          Feb 17 14:18:51 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
          Feb 17 14:18:51 racoon: [Unknown Gateway/Dynamic]: INFO: x.x.x.x[4500] used for NAT-T
          Feb 17 14:18:51 racoon: [Self]: INFO: x.x.x.x[4500] used as isakmp port (fd=16)
          Feb 17 14:18:51 racoon: INFO: x.x.x.x[500] used for NAT-T
          Feb 17 14:18:51 racoon: [Self]: INFO: x.x.x.x[500] used as isakmp port (fd=17)

          This is the entire log.

            jimp (Rebel Alliance Developer, Netgate)

            Try to force NAT-T on both ends.

            Actually if they're both 2.0 and you control both of them, I'd ditch IPsec and go for OpenVPN. It wouldn't have any issues in this situation.

            Just make the side that can accept connections the server, and the side behind the firewall you don't control the client.

              jp7189

              Thanks for the reply.  Both sides do have NAT-T turned on (actually the reason I went with 2.0).

              I'll give OpenVPN a try.  Is it SSL based?

                jimp (Rebel Alliance Developer, Netgate)

                It's ssl-based, yes. With a site-to-site setup it's fairly easy to make a shared key setup and be up in very little time.

                  jp7189

                  I set up OpenVPN.  Quite easy.  However, the server end still sees no connection attempts, and the client times out.  Nothing in the firewall log.  Just for grins, I opened ICMP, and I can ping the server from the client.  Logs to follow.

                    jp7189

                    Site 1 client behind NAT firewall:

                    Mar 3 19:41:52 openvpn[7686]: event_wait : Interrupted system call (code=4)
                    Mar 3 19:41:52 openvpn[7686]: /usr/local/sbin/ovpn-linkdown ovpnc1 1500 1560 init
                    Mar 3 19:41:52 openvpn[7686]: SIGTERM[hard,] received, process exiting
                    Mar 3 19:41:53 openvpn[46080]: OpenVPN testing-cee388313521 i386-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20100307-1] built on Feb 21 2011
                    Mar 3 19:41:53 openvpn[46080]: [DEPRECATED FEATURE ENABLED: random-resolv] Resolving hostnames will use randomisation if more than one IP address is found
                    Mar 3 19:41:53 openvpn[46080]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                    Mar 3 19:41:53 openvpn[46080]: TUN/TAP device /dev/tun1 opened
                    Mar 3 19:41:53 openvpn[46080]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1560 init
                    Mar 3 19:41:53 openvpn[46776]: UDPv4 link local (bound): [AF_INET]x.x.x.x
                    Mar 3 19:41:53 openvpn[46776]: UDPv4 link remote: [AF_INET]y.y.y.y:1194
                    Mar 3 19:42:53 openvpn[46776]: Inactivity timeout (--ping-restart), restarting
                    Mar 3 19:42:53 openvpn[46776]: SIGUSR1[soft,ping-restart] received, process restarting
                    Mar 3 19:42:55 openvpn[46776]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                    Mar 3 19:42:55 openvpn[46776]: Re-using pre-shared static key
                    Mar 3 19:42:55 openvpn[46776]: Preserving previous TUN/TAP instance: ovpnc1
                    Mar 3 19:42:55 openvpn[46776]: UDPv4 link local (bound): [AF_INET]x.x.x.x
                    Mar 3 19:42:55 openvpn[46776]: UDPv4 link remote: [AF_INET]y.y.y.y:1194
                    Mar 3 19:43:55 openvpn[46776]: Inactivity timeout (--ping-restart), restarting
                    Mar 3 19:43:55 openvpn[46776]: SIGUSR1[soft,ping-restart] received, process restarting
                    Mar 3 19:43:57 openvpn[46776]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                    Mar 3 19:43:57 openvpn[46776]: Re-using pre-shared static key
                    Mar 3 19:43:57 openvpn[46776]: Preserving previous TUN/TAP instance: ovpnc1
                    Mar 3 19:43:57 openvpn[46776]: UDPv4 link local (bound): [AF_INET]x.x.x.x
                    Mar 3 19:43:57 openvpn[46776]: UDPv4 link remote: [AF_INET]y.y.y.y:1194
                    Mar 3 19:44:57 openvpn[46776]: Inactivity timeout (--ping-restart), restarting
                    Mar 3 19:44:57 openvpn[46776]: SIGUSR1[soft,ping-restart] received, process restarting
                    Mar 3 19:44:59 openvpn[46776]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                    Mar 3 19:44:59 openvpn[46776]: Re-using pre-shared static key
                    Mar 3 19:44:59 openvpn[46776]: Preserving previous TUN/TAP instance: ovpnc1
                    Mar 3 19:44:59 openvpn[46776]: UDPv4 link local (bound): [AF_INET]x.x.x.x
                    Mar 3 19:44:59 openvpn[46776]: UDPv4 link remote: [AF_INET]y.y.y.y:1194
                    Mar 3 19:45:59 openvpn[46776]: Inactivity timeout (--ping-restart), restarting
                    Mar 3 19:45:59 openvpn[46776]: SIGUSR1[soft,ping-restart] received, process restarting
                    Mar 3 19:46:01 openvpn[46776]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                    Mar 3 19:46:01 openvpn[46776]: Re-using pre-shared static key
                    Mar 3 19:46:01 openvpn[46776]: Preserving previous TUN/TAP instance: ovpnc1
                    Mar 3 19:46:01 openvpn[46776]: UDPv4 link local (bound): [AF_INET]x.x.x.x
                    Mar 3 19:46:01 openvpn[46776]: UDPv4 link remote: [AF_INET]y.y.y.y:1194

                      jp7189

                      Site 2 server with Public IP:

                      Mar 3 19:41:35 openvpn[56496]: event_wait : Interrupted system call (code=4)
                      Mar 3 19:41:35 openvpn[56496]: /usr/local/sbin/ovpn-linkdown ovpns1 1500 1560 10.0.8.1 10.0.8.2 init
                      Mar 3 19:41:35 openvpn[56496]: SIGTERM[hard,] received, process exiting
                      Mar 3 19:41:36 openvpn[45557]: OpenVPN testing-cee388313521 amd64-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20100307-1] built on Feb 22 2011
                      Mar 3 19:41:36 openvpn[45557]: [DEPRECATED FEATURE ENABLED: random-resolv] Resolving hostnames will use randomisation if more than one IP address is found
                      Mar 3 19:41:36 openvpn[45557]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
                      Mar 3 19:41:36 openvpn[45557]: TUN/TAP device /dev/tun1 opened
                      Mar 3 19:41:36 openvpn[45557]: do_ifconfig, tt->ipv6=0
                      Mar 3 19:41:36 openvpn[45557]: /sbin/ifconfig ovpns1 10.0.8.1 10.0.8.2 mtu 1500 netmask 255.255.255.255 up
                      Mar 3 19:41:36 openvpn[45557]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1560 10.0.8.1 10.0.8.2 init
                      Mar 3 19:41:36 openvpn[46329]: UDPv4 link local (bound): [AF_INET]y.y.y.y:1194
                      Mar 3 19:41:36 openvpn[46329]: UDPv4 link remote: [undef]

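A way to read the two sets of logs side by side, as an added triage script that is not part of the thread or of pfSense: it runs over sample lines constructed from the racoon and OpenVPN logs above and separates "this box could not even send" (racoon's local `sendto` error, which guarantees the peer logs nothing) from "packets were sent but nothing came back". The success markers `ISAKMP-SA established` and `Peer Connection Initiated` are the racoon/OpenVPN messages assumed for the healthy case.

```python
# Constructed sample lines, abridged from the logs posted in this thread
# (peer addresses anonymised as x.x.x.x / y.y.y.y, as in the thread).
RACOON_SITE1 = """\
Feb 17 14:17:45 racoon: INFO: begin Aggressive mode.
Feb 17 14:17:45 racoon: ERROR: sendto (No route to host)
Feb 17 14:17:45 racoon: ERROR: phase1 negotiation failed due to send error. ef85822e0f718a1f:0000000000000000
Feb 17 14:18:08 racoon: INFO: begin Aggressive mode.
Feb 17 14:18:08 racoon: ERROR: sendto (No route to host)
Feb 17 14:18:08 racoon: ERROR: phase1 negotiation failed due to send error. a936ec3bc428c860:0000000000000000
"""
OPENVPN_CLIENT = """\
Mar 3 19:41:53 openvpn[46776]: UDPv4 link remote: [AF_INET]y.y.y.y:1194
Mar 3 19:42:53 openvpn[46776]: Inactivity timeout (--ping-restart), restarting
Mar 3 19:43:55 openvpn[46776]: Inactivity timeout (--ping-restart), restarting
"""
OPENVPN_SERVER = """\
Mar 3 19:41:36 openvpn[46329]: UDPv4 link local (bound): [AF_INET]y.y.y.y:1194
Mar 3 19:41:36 openvpn[46329]: UDPv4 link remote: [undef]
"""


def triage_racoon(log):
    """Did IKE phase 1 ever leave the initiator? Decides where to look next."""
    attempts = log.count("begin Aggressive mode")
    local_send_errors = log.count("sendto (No route to host)")
    if "ISAKMP-SA established" in log:          # assumed racoon success message
        verdict = "phase1-ok"
    elif attempts and local_send_errors == attempts:
        # The kernel refused every send: the peer cannot have seen a packet,
        # so fix routing/interface on this side before blaming the far NAT.
        verdict = "local-send-failure"
    elif attempts:
        verdict = "no-reply-from-peer"          # sent, but filtered or ignored
    else:
        verdict = "no-attempts"
    return {"attempts": attempts, "local_send_errors": local_send_errors, "verdict": verdict}


def triage_openvpn(client_log, server_log):
    """Correlate both ends: client restart loop vs. whether the server saw a peer."""
    restarts = client_log.count("Inactivity timeout (--ping-restart)")
    server_saw_peer = "Peer Connection Initiated" in server_log  # assumed OpenVPN message
    if restarts and not server_saw_peer:
        verdict = "udp-never-arrived"           # dropped between client and server
    elif restarts:
        verdict = "one-way-traffic"             # server sees client, replies are lost
    else:
        verdict = "ok"
    return {"client_restarts": restarts, "server_saw_peer": server_saw_peer, "verdict": verdict}
```

Run it on the real logs from both boxes; a `local-send-failure` verdict points at Site 1's own routing rather than at the uncontrolled NAT device.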