PFSense 2.0-RC1: IPsec complex setup. Help needed!!!
-
Hi all,
I've got the following setup.
local network: 192.168.0.0/24 (yes, it is /24... it has been set up like that... and I don't know why... way too complex to re-IP this network)
remote network: 192.168.10.0/16
We are trying to do NAT the following way:
192.168.0.0/16 --(nat)---> 10.252.100.0/16 --- (tunnel)---> 10.250.100.0/16 --(nat)--> 192.168.10.0/16
Things do not work. And this is what I get:
Apr 11 08:31:14 racoon: INFO: unsupported PF_KEY message REGISTER
Apr 11 08:31:10 racoon: INFO: unsupported PF_KEY message REGISTER
Apr 11 08:31:10 racoon: INFO: unsupported PF_KEY message REGISTER
Apr 11 08:29:40 racoon: INFO: unsupported PF_KEY message REGISTER
Apr 11 08:29:38 racoon: INFO: unsupported PF_KEY message REGISTER
Apr 11 08:24:33 racoon: INFO: unsupported PF_KEY message REGISTER
Apr 11 08:24:25 racoon: INFO: unsupported PF_KEY message REGISTER
Apr 11 08:24:13 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.0.0/16[0] 192.168.0.1/32[0] proto=any dir=in
Apr 11 08:24:13 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.0.1/32[0] 192.168.0.0/16[0] proto=any dir=out
Apr 11 08:24:13 racoon: INFO: unsupported PF_KEY message REGISTER
Apr 11 08:24:13 racoon: [Self]: INFO: WAN_IP[500] used as isakmp port (fd=18)
Apr 11 08:24:13 racoon: [Self]: INFO: WAN_IP[500] used for NAT-T
Apr 11 08:24:13 racoon: [Self]: INFO: WAN_IP[4500] used as isakmp port (fd=17)
Apr 11 08:24:13 racoon: [Self]: INFO: WAN_IP[4500] used for NAT-T
Apr 11 08:24:13 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
Apr 11 08:24:13 racoon: INFO: @(#)This product linked OpenSSL 0.9.8n 24 Mar 2010 (http://www.openssl.org/)
Apr 11 08:24:13 racoon: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
This is my config:
NAT:IPsec 192.168.0.0/24 * 10.250.0.0/16 * 10.252.100.0/16 * NO
IPsec SPD:
10.250.100.0/24 10.252.100.0/24 ESP Remote_IP -> WAN_IP
10.252.100.0/24 10.250.100.0/24 ESP WAN_IP -> Remote_IP
Please help!!!
-
"ERROR: such policy already exists. anyway replace it:" is a hard error to troubleshoot. I noticed a couple of things cause that error in pfSense 2.0 RC1. First, removing and re-adding the phase-2 entries sometimes leaves values in the /var/etc/spd.conf file. If this happens I would suggest disabling the IPsec tunnel from the VPN->IPsec page, then manually removing the bad entries with vi. Once you have saved the changes you can restart the IPsec service. Pinging a remote IP normally will help activate the tunnel.
The second reason I consistently see this error is from restarting the ipsec service from anywhere but the VPN->IPsec page. I would "NOT" use Status->Services page to restart the ipsec service.
g/l
-
That's not actually an error, it's informational (HEAD of ipsec-tools has finally changed that to show as INFO in the future). You don't have any indication of any real errors there. It's perfectly fine to restart racoon under Status>Services.
Your remote and local networks are overlapping (the /16 includes the /24; the /16 side should really be /24). You can't route between those two subnets, as the /16 end sees the remote end as being local and hence will never touch the firewall to route over the VPN.
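Two checks from this thread are easy to automate before touching racoon: the stale duplicate SPD entries described two posts up, and the overlapping phase-2 networks pointed out in the last reply. The script below is an added example, not code from pfSense or from anyone in this thread. It parses a constructed snippet in the setkey "spdadd" syntax pfSense 2.0 writes to /var/etc/spd.conf (WAN_IP and Remote_IP are placeholders, as in the original post), flags policies that appear more than once, and then shows why a host on a 192.168.x.x/16 network never hands traffic for 192.168.0.0/24 to its gateway.

```python
"""Sanity checks for a pfSense 2.0 IPsec setup: duplicate SPD policies and
overlapping phase-2 networks. Added example, not pfSense code."""
import ipaddress
import re
from collections import Counter

# Constructed sample in setkey "spdadd" syntax (what pfSense 2.0 writes to
# /var/etc/spd.conf). The third line is a stale duplicate of the first, the
# situation that produces "such policy already exists. anyway replace it".
SAMPLE_SPD = """\
spdflush;
spdadd 10.252.100.0/24 10.250.100.0/24 any -P out ipsec esp/tunnel/WAN_IP-Remote_IP/unique;
spdadd 10.250.100.0/24 10.252.100.0/24 any -P in ipsec esp/tunnel/Remote_IP-WAN_IP/unique;
spdadd 10.252.100.0/24 10.250.100.0/24 any -P out ipsec esp/tunnel/WAN_IP-Remote_IP/unique;
"""

# spdadd SRC DST UPPERSPEC -P DIR ipsec PROTO/MODE/EP-EP/LEVEL;
SPDADD_RE = re.compile(
    r"^\s*spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)\s+-P\s+(?P<dir>in|out|fwd)\b"
)


def parse_spd(text):
    """Return (src, dst, direction) for every spdadd line; other lines are ignored."""
    policies = []
    for line in text.splitlines():
        m = SPDADD_RE.match(line)
        if m:
            policies.append((m["src"], m["dst"], m["dir"]))
    return policies


def duplicate_policies(policies):
    """Policies listed more than once, i.e. the entries to clean out of spd.conf."""
    counts = Counter(policies)
    return sorted(p for p, n in counts.items() if n > 1)


def network_overlap(local_cidr, remote_cidr):
    """Describe whether two phase-2 networks overlap. strict=False mirrors what a
    router does with 192.168.10.0/16: host bits are dropped, the network is
    192.168.0.0/16, and it swallows the remote /24."""
    local = ipaddress.ip_network(local_cidr, strict=False)
    remote = ipaddress.ip_network(remote_cidr, strict=False)
    return {
        "local": str(local),
        "remote": str(remote),
        "overlap": local.overlaps(remote),
        "local_inside_remote": local.subnet_of(remote),
        "remote_inside_local": remote.subnet_of(local),
    }


def sent_to_gateway(host_cidr, destination):
    """True if a host configured as host_cidr forwards `destination` to its default
    gateway (the firewall); False if it believes the destination is on-link and
    ARPs for it instead, so the packet never reaches the VPN."""
    net = ipaddress.ip_network(host_cidr, strict=False)
    return ipaddress.ip_address(destination) not in net


if __name__ == "__main__":
    pols = parse_spd(SAMPLE_SPD)
    print("duplicate SPD policies:", duplicate_policies(pols))
    print(network_overlap("192.168.0.0/24", "192.168.10.0/16"))
    # A host on the /16 side trying to reach the /24 side:
    print("192.168.10.5/16 -> 192.168.0.50 via gateway?",
          sent_to_gateway("192.168.10.5/16", "192.168.0.50"))
    print("192.168.10.5/24 -> 192.168.0.50 via gateway?",
          sent_to_gateway("192.168.10.5/24", "192.168.0.50"))
```

Run it against a copy of the real spd.conf by replacing SAMPLE_SPD with the file contents; a non-empty duplicate list is the case where disabling the tunnel and editing the file by hand was suggested above, and a True "local_inside_remote" means no SPD or NAT change will help until the /16 side is renumbered to a /24.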