PFSense 2.0-RC1: IPsec complex setup. Help needed!!!



  • Hi all,

I've got the following setup.

    local network: 192.168.0.0/24 (yes, it is /24... it has been set up like that... and I don't know why... way too complex to re-IP this network)
    remote network: 192.168.10.0/16

    We are trying to do NAT the following way:

    192.168.0.0/16 --(nat)---> 10.252.100.0/16  --- (tunnel)---> 10.250.100.0/16 --(nat)--> 192.168.10.0/16

    Things do not work. And this is what I get:

    Apr 11 08:31:14 racoon: INFO: unsupported PF_KEY message REGISTER
    Apr 11 08:31:10 racoon: INFO: unsupported PF_KEY message REGISTER
    Apr 11 08:31:10 racoon: INFO: unsupported PF_KEY message REGISTER
    Apr 11 08:29:40 racoon: INFO: unsupported PF_KEY message REGISTER
    Apr 11 08:29:38 racoon: INFO: unsupported PF_KEY message REGISTER
    Apr 11 08:24:33 racoon: INFO: unsupported PF_KEY message REGISTER
    Apr 11 08:24:25 racoon: INFO: unsupported PF_KEY message REGISTER
    Apr 11 08:24:13 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.0.0/16[0] 192.168.0.1/32[0] proto=any dir=in
    Apr 11 08:24:13 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.0.1/32[0] 192.168.0.0/16[0] proto=any dir=out
    Apr 11 08:24:13 racoon: INFO: unsupported PF_KEY message REGISTER
    Apr 11 08:24:13 racoon: [Self]: INFO: WAN_IP[500] used as isakmp port (fd=18)
    Apr 11 08:24:13 racoon: [Self]: INFO: WAN_IP[500] used for NAT-T
    Apr 11 08:24:13 racoon: [Self]: INFO: WAN_IP[4500] used as isakmp port (fd=17)
    Apr 11 08:24:13 racoon: [Self]: INFO: WAN_IP[4500] used for NAT-T
    Apr 11 08:24:13 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
    Apr 11 08:24:13 racoon: INFO: @(#)This product linked OpenSSL 0.9.8n 24 Mar 2010 (http://www.openssl.org/)
    Apr 11 08:24:13 racoon: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)

    This is my config:
    NAT:

    IPsec   192.168.0.0/24 * 10.250.0.0/16 * 10.252.100.0/16 * NO

    IPsec SPD:
    10.250.100.0/24 10.252.100.0/24 ESP Remote_IP -> WAN_IP
    10.252.100.0/24 10.250.100.0/24 ESP WAN_IP -> Remote_IP

    Please help!!!



  • "ERROR: such policy already exists. anyway replace it:" is a hard error to troubleshoot. I noticed a couple of things that cause that error in pfSense 2.0 RC1. First, removing and re-adding the phase-2 entries sometimes leaves values in the /var/etc/spd.conf file. If this happens I would suggest disabling the IPsec tunnel from the VPN->IPsec page, then manually removing the bad entries with vi. Once you have saved the changes you can restart the IPsec service. Pinging a remote IP normally will help activate the tunnel.

    The second reason I consistently see this error is from restarting the IPsec service from anywhere but the VPN->IPsec page. I would "NOT" use the Status->Services page to restart the IPsec service.

    g/l



  • That's not actually an error, it's informational (HEAD of ipsec-tools has finally changed that to show as INFO in the future). You don't have any indication of any real errors there. It's perfectly fine to restart racoon under Status>Services.

    Your remote and local networks are overlapping (the /16 includes the /24; the /16 side should really be /24). You can't route between those two subnets, as the /16 end sees the remote end as being local and hence will never touch the firewall to route over the VPN.
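    A small sanity check for the overlap problem described above, run against the thread's own addresses. This is an added example, not from the original thread or from pfSense; it assumes that the "NAT/BINAT" entry is a 1:1 translation, which needs the translated network to be the same size as the local network.

```python
import ipaddress

def parse(cidr):
    """Parse a CIDR with strict=False so that a prefix with host bits set
    (e.g. 192.168.10.0/16) still parses; report that fact, because it usually
    means the mask was typed wrong (the author meant /24)."""
    net = ipaddress.ip_network(cidr, strict=False)
    given = ipaddress.ip_address(cidr.split("/")[0])
    return net, given != net.network_address

def check_phase2(local, remote, local_nat=None):
    """Return a list of problems for one IPsec phase-2 definition.
    local/remote are the real subnets on each side; local_nat is the optional
    1:1 (BINAT) network the local side is presented as inside the tunnel."""
    problems = []
    lnet, lbits = parse(local)
    rnet, rbits = parse(remote)
    for cidr, net, bits in ((local, lnet, lbits), (remote, rnet, rbits)):
        if bits:
            problems.append(f"{cidr}: host bits set, network is really {net}")
    # The core issue from the thread: a host on the larger side treats the
    # other subnet as on-link and never hands the packet to the firewall.
    if lnet.overlaps(rnet):
        problems.append(f"local {lnet} and remote {rnet} overlap; "
                        "hosts on the larger side will not route via the VPN")
    if local_nat:
        nnet, nbits = parse(local_nat)
        if nbits:
            problems.append(f"{local_nat}: host bits set, network is really {nnet}")
        # A 1:1 binat maps address-for-address, so both prefixes must match.
        if nnet.prefixlen != lnet.prefixlen:
            problems.append(f"BINAT {nnet} is /{nnet.prefixlen} but local {lnet} "
                            f"is /{lnet.prefixlen}; 1:1 NAT needs equal sizes")
        if nnet.overlaps(rnet):
            problems.append(f"BINAT {nnet} overlaps remote {rnet}")
    return problems

if __name__ == "__main__":
    # Values copied from the original post (constructed call, not pfSense output).
    for p in check_phase2("192.168.0.0/24", "192.168.10.0/16", "10.252.100.0/16"):
        print("-", p)
    print("fixed:", check_phase2("192.168.0.0/24", "192.168.10.0/24", "10.252.100.0/24"))
```

    With the thread's values it reports the host-bit, overlap and size-mismatch problems; with all three sides as /24 it reports nothing.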

