Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Newbie - Will the following work (Voadfone 3G Natted IP)

    Scheduled Pinned Locked Moved IPsec
    20 Posts 2 Posters 8.3k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • F
      frank451
      last edited by

      Hi All

      Hope someone can help with this one.

      I need to create vpn tunnels from mobile 3G (natted IP on connection from Vodafone UK) Sarian/DIGI routers which will have IP devices connected to it.

      I have pfsense up and running (although behind a SKY broadband connection on a netgear dg834g) default DMZ is enabled to the PFsense server and DYNdns on pfsense enabled with my dynamic SKY WAN IP

      I believe aggressive mode and NAT-T must be used for this configuration which is available on the sarian and pfsense2.0.

      If it will work is there any guides available specifically for this sort of enviroment.

      Basic layout upto now

      SKY WAN IP –----> NETGEARDG834G (192.168.1.1)---- DMZ Enabled ----->PFSENSE WAN(192.168.1.250)

      PFSENSE LAN (192.168.5.254) -------MONITORING DEVICE (192.168.5.200)

      The other thing i think i should add is that all devices on the 192.168.1.x range are bridged from the wireless side of the DG834 so all connected devices in the 834 show the same MAC address will this cause problems?

      Also how can i remote access the PFSENSE webgui from the WAN side

      Thanks for reading

      1 Reply Last reply Reply Quote 0
      • F
        frank451
        last edited by

        …....Could somebody please decipher this log for me and tell me whats going on

        thanks

        aaron


        Jun 18 23:32:29 racoon: INFO: begin Aggressive mode.
        Jun 18 23:32:29 racoon: INFO: received Vendor ID: DPD
        Jun 18 23:32:29 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
        Jun 18 23:32:29 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
        Jun 18 23:32:29 racoon: INFO: received Vendor ID: CISCO-UNITY
        Jun 18 23:32:29 racoon: [212.183.128.111] INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
        Jun 18 23:32:29 racoon: INFO: Adding remote and local NAT-D payloads.
        Jun 18 23:32:29 racoon: [212.183.128.111] INFO: Hashing 212.183.128.111[28444] with algo #2
        Jun 18 23:32:29 racoon: [192.168.1.16] INFO: Hashing 192.168.1.16[500] with algo #2
        Jun 18 23:32:30 racoon: [Unknown Gateway/Dynamic]: INFO: NAT-T: ports changed to: 212.183.128.111[50421]<->192.168.1.16[4500]
        Jun 18 23:32:30 racoon: [192.168.1.16] INFO: Hashing 192.168.1.16[4500] with algo #2
        Jun 18 23:32:30 racoon: INFO: NAT-D payload #0 doesn't match
        Jun 18 23:32:30 racoon: [212.183.128.111] INFO: Hashing 212.183.128.111[50421] with algo #2
        Jun 18 23:32:30 racoon: INFO: NAT-D payload #1 doesn't match
        Jun 18 23:32:30 racoon: INFO: NAT detected: ME PEER
        Jun 18 23:32:30 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established 192.168.1.16[4500]-212.183.128.111[50421] spi:13badf3600251bd6:31d53ca9c320ccc3
        Jun 18 23:32:30 racoon: [212.183.128.111] ERROR: delete payload with invalid doi:0.
        Jun 18 23:32:30 racoon: INFO: purging ISAKMP-SA spi=13badf3600251bd6:31d53ca9c320ccc3.
        Jun 18 23:32:30 racoon: INFO: purged ISAKMP-SA spi=13badf3600251bd6:31d53ca9c320ccc3.
        Jun 18 23:32:31 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA deleted 192.168.1.16[4500]-212.183.128.111[50421] spi:13badf3600251bd6:31d53ca9c320ccc3
        Jun 18 23:32:40 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 192.168.1.16[500]<=>212.183.128.111[28444]
        Jun 18 23:32:40 racoon: INFO: begin Aggressive mode.
        Jun 18 23:32:40 racoon: INFO: received Vendor ID: DPD
        Jun 18 23:32:40 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
        Jun 18 23:32:40 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
        Jun 18 23:32:40 racoon: INFO: received Vendor ID: CISCO-UNITY
        Jun 18 23:32:40 racoon: [212.183.128.111] INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
        Jun 18 23:32:40 racoon: INFO: Adding remote and local NAT-D payloads.
        Jun 18 23:32:40 racoon: [212.183.128.111] INFO: Hashing 212.183.128.111[28444] with algo #2
        Jun 18 23:32:40 racoon: [192.168.1.16] INFO: Hashing 192.168.1.16[500] with algo #2
        Jun 18 23:32:41 racoon: [Unknown Gateway/Dynamic]: INFO: NAT-T: ports changed to: 212.183.128.111[50421]<->192.168.1.16[4500]
        Jun 18 23:32:41 racoon: ERROR: ignore information because ISAKMP-SA has not been established yet.
        Jun 18 23:32:41 racoon: [192.168.1.16] INFO: Hashing 192.168.1.16[4500] with algo #2
        Jun 18 23:32:41 racoon: INFO: NAT-D payload #0 doesn't match
        Jun 18 23:32:41 racoon: [212.183.128.111] INFO: Hashing 212.183.128.111[50421] with algo #2
        Jun 18 23:32:41 racoon: INFO: NAT-D payload #1 doesn't match
        Jun 18 23:32:41 racoon: INFO: NAT detected: ME PEER
        Jun 18 23:32:41 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established 192.168.1.16[4500]-212.183.128.111[50421] spi:f0d9c600ac9fd1db:071b7be39ed28be6
        Jun 18 23:32:50 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 192.168.1.16[500]<=>212.183.128.111[28444]
        Jun 18 23:32:50 racoon: INFO: begin Aggressive mode.
        Jun 18 23:32:50 racoon: INFO: received Vendor ID: DPD
        Jun 18 23:32:50 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
        Jun 18 23:32:50 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
        Jun 18 23:32:50 racoon: INFO: received Vendor ID: CISCO-UNITY
        Jun 18 23:32:50 racoon: [212.183.128.111] INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
        Jun 18 23:32:50 racoon: INFO: Adding remote and local NAT-D payloads.
        Jun 18 23:32:50 racoon: [212.183.128.111] INFO: Hashing 212.183.128.111[28444] with algo #2
        Jun 18 23:32:50 racoon: [192.168.1.16] INFO: Hashing 192.168.1.16[500] with algo #2

        1 Reply Last reply Reply Quote 0
        • S
          spiritbreaker
          last edited by

          Hi frank,

          im not sure i understand ur setup.

          1. why u do not replace netgear with pfsense?

          DMZ is enabled to the PFsense server and DYNdns on pfsense enabled with my dynamic SKY WAN IP

          I recommend u not to use dynamic ips with IPSEC, u will get problems…tunnels sometimes not getting up after IP change (Site to Site).
          Depending on ur Produkt u can order fixed ip from provider.

          3.

          I need to create vpn tunnels from mobile 3G (natted IP on connection from Vodafone UK) Sarian/DIGI routers which will have IP devices connected to it.

          Roadwarrior connections are possible but site to site dont work (tested with Vodafone Germany).

          4.

          [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 192.168.1.16[500]<=>212.183.128.111[28444]

          I still dont know what u doing…more detail plz.

          sarian Router -----internet-----> Netgear ----> pfsense

          Is this correct? U wanna create VPN between sarian and pfsense?

          I believe aggressive mode and NAT-T must be used for this configuration which is available on the sarian and pfsense2.0.

          Remember u will have no luck with site to site config! Vodafone UMTS networks are not reachable from external networks.

          The sarian router need to act as a mobile client (i know its possible with Cisco devices).
          I googled for some sarian howtos and it seems there is only Site to Site possible.

          Cya

          Pfsense running at 11 Locations
          -mobile OPENVPN and IPSEC
          -multiwan failover
          -filtering proxy(squidguard) in bridgemode with ntop monitoring

          1 Reply Last reply Reply Quote 0
          • F
            frank451
            last edited by

            Hi thanks for the reply

            My current test setup is on SKY Broadband UK - they only supply a dynamic IP (The finial installation will be on a Staic IP from another provider)

            Basically we want to have IP CCTV cameras out in the field and let the sarian 3g router initiate the tunnel to the pfsense host
            I have spoken to Sarian and they said any VPN Server supporting NAT-T and aggresive mode should respond to the NATted Vodafone IP.

            Im wondering looking at the logs i posted it seems the pfsense (WAN IP 192.168.1.16)is getting stuck going back out through the netgear router 192.168.1.1 even though DMZ is enabled on it. Is this correct??  I was looking at getting a router that supports bridge mode which i can go straight into the pfsense and let it do the DHCP/NAT etc.

            Any further help would be appreciated cheers

            1 Reply Last reply Reply Quote 0
            • S
              spiritbreaker
              last edited by

              Hi,

              I have spoken to Sarian and they said any VPN Server supporting NAT-T and aggressive mode should respond to the NATted Vodafone IP.

              hmm i ll test it tomorrow with 2 pfsense boxes (1 with adsl and 1 with umts). I never tested with aggressive mode.
              But i think u cant use site to site on pfsense because u need an valid remote peer ip address otherwise phase 1 will always fail.

              Im wondering looking at the logs i posted it seems the pfsense (WAN IP 192.168.1.16)is getting stuck going back out through the netgear router 192.168.1.1 even though DMZ is enabled on it. Is this correct??

              U still need a real portforward. Be careful with netgear…look at documentation what "dmz on netgear" really means.

              I was looking at getting a router that supports bridge mode which i can go straight into the pfsense and let it do the DHCP/NAT etc.

              Search for pppoe passthrough on netgear.

              The easyest way is to get the netgear in "modem mode". Activate pppoe passthrough mode and set up the pppoe connection on pfsense.

              We dont need to analyse ipsec logs if we dont know if ur dmz setup works.

              U posted logs…what is ur ipsec config on pfsense?

              cya

              Pfsense running at 11 Locations
              -mobile OPENVPN and IPSEC
              -multiwan failover
              -filtering proxy(squidguard) in bridgemode with ntop monitoring

              1 Reply Last reply Reply Quote 0
              • F
                frank451
                last edited by

                Cheers spiritbreaker

                Another log for you to look at :)

                I have now got the sarian router VPN tunnel up but cant ping any remote clients etc.  The log shows Phase 2 failed i have tried googling the error messages but no luck with any good answers.

                Jun 19 17:30:13 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 192.168.1.16[500]<=>212.183.128.9[11637]
                Jun 19 17:30:13 racoon: INFO: begin Aggressive mode.
                Jun 19 17:30:13 racoon: INFO: received Vendor ID: DPD
                Jun 19 17:30:13 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
                Jun 19 17:30:13 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
                Jun 19 17:30:13 racoon: INFO: received Vendor ID: CISCO-UNITY
                Jun 19 17:30:13 racoon: [212.183.128.9] INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
                Jun 19 17:30:13 racoon: INFO: Adding remote and local NAT-D payloads.
                Jun 19 17:30:13 racoon: [212.183.128.9] INFO: Hashing 212.183.128.9[11637] with algo #1
                Jun 19 17:30:13 racoon: [192.168.1.16] INFO: Hashing 192.168.1.16[500] with algo #1
                Jun 19 17:30:14 racoon: [Unknown Gateway/Dynamic]: INFO: NAT-T: ports changed to: 212.183.128.9[22383]<->192.168.1.16[4500]
                Jun 19 17:30:14 racoon: [192.168.1.16] INFO: Hashing 192.168.1.16[4500] with algo #1
                Jun 19 17:30:14 racoon: INFO: NAT-D payload #0 doesn't match
                Jun 19 17:30:14 racoon: [212.183.128.9] INFO: Hashing 212.183.128.9[22383] with algo #1
                Jun 19 17:30:14 racoon: INFO: NAT-D payload #1 doesn't match
                Jun 19 17:30:14 racoon: INFO: NAT detected: ME PEER
                Jun 19 17:30:14 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established 192.168.1.16[4500]-212.183.128.9[22383] spi:7f414c4ae95afd07:9c1ca4e1693af978
                Jun 19 17:30:14 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: 192.168.1.16[4500]<=>212.183.128.9[22383]
                Jun 19 17:30:14 racoon: [212.183.128.9] INFO: received INITIAL-CONTACT
                Jun 19 17:30:14 racoon: [Unknown Gateway/Dynamic]: INFO: no policy found, try to generate the policy : 192.168.0.0/24[0] 192.168.5.0/24[0] proto=any dir=in
                Jun 19 17:30:14 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
                Jun 19 17:30:14 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
                Jun 19 17:30:34 racoon: ERROR: libipsec failed send update (No algorithm specified)
                Jun 19 17:30:34 racoon: ERROR: pfkey update failed.
                Jun 19 17:30:34 racoon: [212.183.128.9] ERROR: failed to process ph2 packet (side: 1, status: 8).
                Jun 19 17:30:34 racoon: [212.183.128.9] ERROR: phase2 negotiation failed.
                Jun 19 17:39:30 racoon: [212.183.128.9] ERROR: Wrong DPD sequence number (3743; last_ack=3743, seq=3743).

                Thanks for your time

                1 Reply Last reply Reply Quote 0
                • S
                  spiritbreaker
                  last edited by

                  Hi,

                  last try.. plz post ur ipsec parameters. What remote peer u define on pfsense site?

                  Use 3DES / Sha1 for best compatibility in phase 2

                  cya

                  Pfsense running at 11 Locations
                  -mobile OPENVPN and IPSEC
                  -multiwan failover
                  -filtering proxy(squidguard) in bridgemode with ntop monitoring

                  1 Reply Last reply Reply Quote 0
                  • F
                    frank451
                    last edited by

                    Sorry  ;)

                    Screenshots attached

                    cheers

                    ![pfsense ipsec overview.jpg](/public/imported_attachments/1/pfsense ipsec overview.jpg)
                    ![pfsense ipsec overview.jpg_thumb](/public/imported_attachments/1/pfsense ipsec overview.jpg_thumb)
                    ![pfsense phase2.jpg](/public/imported_attachments/1/pfsense phase2.jpg)
                    ![pfsense phase2.jpg_thumb](/public/imported_attachments/1/pfsense phase2.jpg_thumb)
                    ![pfsense Tunnel Page1.jpg](/public/imported_attachments/1/pfsense Tunnel Page1.jpg)
                    ![pfsense Tunnel Page1.jpg_thumb](/public/imported_attachments/1/pfsense Tunnel Page1.jpg_thumb)
                    ![pfsense tunnel page2.jpg](/public/imported_attachments/1/pfsense tunnel page2.jpg)
                    ![pfsense tunnel page2.jpg_thumb](/public/imported_attachments/1/pfsense tunnel page2.jpg_thumb)

                    1 Reply Last reply Reply Quote 0
                    • F
                      frank451
                      last edited by

                      Sarian Screenshots

                      ![sarian ike config.JPG](/public/imported_attachments/1/sarian ike config.JPG)
                      ![sarian ike config.JPG_thumb](/public/imported_attachments/1/sarian ike config.JPG_thumb)
                      ![sarian ipsec page1.JPG](/public/imported_attachments/1/sarian ipsec page1.JPG)
                      ![sarian ipsec page1.JPG_thumb](/public/imported_attachments/1/sarian ipsec page1.JPG_thumb)
                      ![sarian ipsec page2.JPG](/public/imported_attachments/1/sarian ipsec page2.JPG)
                      ![sarian ipsec page2.JPG_thumb](/public/imported_attachments/1/sarian ipsec page2.JPG_thumb)
                      ![sarian ipsec status.JPG](/public/imported_attachments/1/sarian ipsec status.JPG)
                      ![sarian ipsec status.JPG_thumb](/public/imported_attachments/1/sarian ipsec status.JPG_thumb)

                      1 Reply Last reply Reply Quote 0
                      • S
                        spiritbreaker
                        last edited by

                        Hi,

                        u need to create a remote user on pfsense.

                        goto System -> usermanager

                        create user eg: sarian3g with ipsec key, effective previleges: assign to all groups with "USER - xxxxx"

                        pfsense + sarian switch to ESP

                        pfsense p1:
                        mode: aggressive
                        my identifier: distinguished name: pfsense
                        3DES/Sha1
                        lifetime: 28800
                        play with proposal checking option

                        pfsense p2:
                        mode tunnel
                        protocoll ESP
                        3DES/Sha1
                        lifetime 3600

                        goto advanced-> Miscellaneous -> uncheck " prefer oder sa" and check racoon debug mode
                        goto Status: System logs: Settings change number of logentries to >= 500

                        sarian:

                        change p1 and p2 parameters like pfsense
                        peer id: pfsense
                        our id: sarian3g
                        send our id as FQDN: yes
                        u need to define preshared key of sarian3g in ur config
                        change duration (kb) to 0
                        local subnet adress: 192.168.0.0/255.255.255.0
                        remote subnet: 192.168.5.0/255.255.255.0

                        cya

                        Pfsense running at 11 Locations
                        -mobile OPENVPN and IPSEC
                        -multiwan failover
                        -filtering proxy(squidguard) in bridgemode with ntop monitoring

                        1 Reply Last reply Reply Quote 0
                        • F
                          frank451
                          last edited by

                          Thanks will give it all a try - i do have users already setup but wil double check there settings

                          thanks again

                          1 Reply Last reply Reply Quote 0
                          • F
                            frank451
                            last edited by

                            Hi Mate

                            done all your settings tunnel is coming up but still no pinging from either side of lan/wan port

                            logs below

                            un 19 22:03:57 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA deleted 192.168.1.16[4500]-212.183.128.40[6005] spi:b429387f02bef23c:7a681eab5df9de76
                            Jun 19 22:03:57 racoon: [Unknown Gateway/Dynamic]: INFO: NAT-T: ports changed to: 212.183.128.40[6005]<->192.168.1.16[4500]
                            Jun 19 22:03:57 racoon: [192.168.1.16] INFO: Hashing 192.168.1.16[4500] with algo #2
                            Jun 19 22:03:57 racoon: INFO: NAT-D payload #0 doesn't match
                            Jun 19 22:03:57 racoon: [212.183.128.40] INFO: Hashing 212.183.128.40[6005] with algo #2
                            Jun 19 22:03:57 racoon: INFO: NAT-D payload #1 doesn't match
                            Jun 19 22:03:57 racoon: INFO: NAT detected: ME PEER
                            Jun 19 22:03:57 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established 192.168.1.16[4500]-212.183.128.40[6005] spi:f53921c972bc9d6e:ea90a881ec3f5a8c
                            Jun 19 22:03:57 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: 192.168.1.16[4500]<=>212.183.128.40[6005]
                            Jun 19 22:03:57 racoon: [212.183.128.40] INFO: received INITIAL-CONTACT
                            Jun 19 22:03:57 racoon: [Unknown Gateway/Dynamic]: INFO: no policy found, try to generate the policy : 192.168.0.0/24[0] 192.168.5.0/24[0] proto=any dir=in
                            Jun 19 22:03:57 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
                            Jun 19 22:03:57 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
                            Jun 19 22:03:57 racoon: ERROR: libipsec failed send update (No algorithm specified)
                            Jun 19 22:03:57 racoon: ERROR: pfkey update failed.
                            Jun 19 22:03:57 racoon: [212.183.128.40] ERROR: failed to process ph2 packet (side: 1, status: 8).
                            Jun 19 22:03:57 racoon: [212.183.128.40] ERROR: phase2 negotiation failed.
                            Jun 19 22:03:58 racoon: [212.183.128.40] ERROR: delete payload with invalid doi:0.
                            Jun 19 22:03:58 racoon: INFO: purging ISAKMP-SA spi=f53921c972bc9d6e:ea90a881ec3f5a8c.
                            Jun 19 22:03:58 racoon: INFO: purged ISAKMP-SA spi=f53921c972bc9d6e:ea90a881ec3f5a8c.
                            Jun 19 22:03:59 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA deleted 192.168.1.16[4500]-212.183.128.40[6005] spi:f53921c972bc9d6e:ea90a881ec3f5a8c
                            Jun 19 22:05:18 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 192.168.1.16[500]<=>212.183.128.40[24061]
                            Jun 19 22:05:18 racoon: INFO: begin Aggressive mode.
                            Jun 19 22:05:18 racoon: INFO: received Vendor ID: DPD
                            Jun 19 22:05:18 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
                            Jun 19 22:05:18 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
                            Jun 19 22:05:18 racoon: INFO: received Vendor ID: CISCO-UNITY
                            Jun 19 22:05:18 racoon: [212.183.128.40] INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
                            Jun 19 22:05:18 racoon: INFO: Adding remote and local NAT-D payloads.
                            Jun 19 22:05:18 racoon: [212.183.128.40] INFO: Hashing 212.183.128.40[24061] with algo #2
                            Jun 19 22:05:18 racoon: [192.168.1.16] INFO: Hashing 192.168.1.16[500] with algo #2
                            Jun 19 22:05:20 racoon: [Unknown Gateway/Dynamic]: INFO: NAT-T: ports changed to: 212.183.128.40[60021]<->192.168.1.16[4500]
                            Jun 19 22:05:20 racoon: [192.168.1.16] INFO: Hashing 192.168.1.16[4500] with algo #2
                            Jun 19 22:05:20 racoon: INFO: NAT-D payload #0 doesn't match
                            Jun 19 22:05:20 racoon: [212.183.128.40] INFO: Hashing 212.183.128.40[60021] with algo #2
                            Jun 19 22:05:20 racoon: INFO: NAT-D payload #1 doesn't match
                            Jun 19 22:05:20 racoon: INFO: NAT detected: ME PEER
                            Jun 19 22:05:20 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established 192.168.1.16[4500]-212.183.128.40[60021] spi:bb1ef0750c603600:79bf16d2d4d3203b
                            Jun 19 22:05:20 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: 192.168.1.16[4500]<=>212.183.128.40[60021]
                            Jun 19 22:05:20 racoon: [212.183.128.40] INFO: received INITIAL-CONTACT
                            Jun 19 22:05:20 racoon: [Unknown Gateway/Dynamic]: INFO: no policy found, try to generate the policy : 192.168.0.0/24[0] 192.168.5.0/24[0] proto=any dir=in
                            Jun 19 22:05:20 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
                            Jun 19 22:05:20 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
                            Jun 19 22:05:21 racoon: ERROR: libipsec failed send update (No algorithm specified)
                            Jun 19 22:05:21 racoon: ERROR: pfkey update failed.
                            Jun 19 22:05:21 racoon: [212.183.128.40] ERROR: failed to process ph2 packet (side: 1, status: 8).
                            Jun 19 22:05:21 racoon: [212.183.128.40] ERROR: phase2 negotiation failed.

                            1 Reply Last reply Reply Quote 0
                            • F
                              frank451
                              last edited by

                              One other thing i should mention in the sarian ESP Encryption level s either off or null cant choose 3des etc

                              1 Reply Last reply Reply Quote 0
                              • F
                                frank451
                                last edited by

                                Update

                                Got 3des esp encryption enabled on the sarian, tunnel is up and works.

                                Only thing is i can ping and bring up devices on the sarian from the pfsense lan but cant connect/ping to any devices from the sarian lan to the pfsense lan

                                Any ideas??

                                Thanks

                                1 Reply Last reply Reply Quote 0
                                • S
                                  spiritbreaker
                                  last edited by

                                  hi,

                                  u create ipsec rule on pfsense?

                                  Are there any blocking events on enc0?

                                  cya

                                  Pfsense running at 11 Locations
                                  -mobile OPENVPN and IPSEC
                                  -multiwan failover
                                  -filtering proxy(squidguard) in bridgemode with ntop monitoring

                                  1 Reply Last reply Reply Quote 0
                                  • F
                                    frank451
                                    last edited by

                                    Hi SB

                                    Thanks fro reply and help again.

                                    Sorry might be a daft ? what is enc0? :-[

                                    IPSec rules created subnets are PFS 192.168.5.0 sarian 192.168.0.0 should the gateways be set the same ie pfs 192.168.5.254 sarian 0.254 (this is now the ip of the sarian LAN port/config port)

                                    Thanks again

                                    1 Reply Last reply Reply Quote 0
                                    • S
                                      spiritbreaker
                                      last edited by

                                      Hi,

                                      enc0 is the pfsense internal ipsec adapter. if incoming vpn traffig get blocked u see firewall blocking events on enc0 interface.

                                      ur IPsec rule looks like:

                                      Proto      Source                  Port      Destination                            Port          Gateway      Queue
                                      *          192.168.5.0/24      *              LAN net (192.168.0.0/24)          *                  *            none

                                      Only thing is i can ping and bring up devices on the sarian from the pfsense lan but cant connect/ping to any devices from the sarian lan to the pfsense lan

                                      Too much for me :D

                                      is this right?

                                      When tunnel comes up you..

                                      sarian site

                                      ..cant ping pfsense lan ip
                                      ..cant ping device in pfsense network

                                      pfsense site:

                                      …can ping sarian lan ip
                                      ...can ping device in sarian network

                                      plz post racoon ipsec-sa establishment.. is there something similar on sarian?

                                      cya

                                      Pfsense running at 11 Locations
                                      -mobile OPENVPN and IPSEC
                                      -multiwan failover
                                      -filtering proxy(squidguard) in bridgemode with ntop monitoring

                                      1 Reply Last reply Reply Quote 0
                                      • F
                                        frank451
                                        last edited by

                                        apologies for being a pain  ;D

                                        Sorted it now - checked firewall logs pings being denied from sarian to pfsense added easy rule works a dream.

                                        I'll get there in the end :)

                                        thanks again

                                        1 Reply Last reply Reply Quote 0
                                        • F
                                          frank451
                                          last edited by

                                          Hi Folks

                                          Struggling again :)

                                          Having got multiple mobile clients running with the sarian 3g routers, and i can see devices from sarian A to PFSense and vice versa same for sarian B and C.  What i cant do is talk from Sarian A - B, A - C, C - B etc the routers are on 192.168.6.0, 7.0, and 8.0 pfsense is 192.168.5.0

                                          Checked firewall logs nothing comes through when i try and ping sarian to sarian

                                          Any help again appreciated

                                          Cheers

                                          1 Reply Last reply Reply Quote 0
                                          • S
                                            spiritbreaker
                                            last edited by

                                            Hi,

                                            this is by design^^ u cant route IPSEC.

                                            What u have to do is to create multiple phase 2 entrys on Pfsense and sarians.

                                            Have a look at this example:

                                            Each Sarian has a IPSEC Tunnel to ur central pfsense. Sarian A cant reach Sarian B network because there is no route.

                                            pfsense
                                                          192.168.5.0
                                                            |           |
                                                            |           |
                                                            |           |
                                                     Sarian A      Sarian B
                                                 192.168.6.0     192.168.7.0

                                            Solution:
                                            IPSEC Tunnel Pfsense <-> sarian A

                                            Pfsense:
                                            add phase 2 like this:

                                            localnet: 192.168.7.0/24
                                            remotenet: 192.168.6.0/24
                                            use same encryption as ur first phase 2 entry.

                                            Sarian A:

                                            i dont know if sarian can have a second phase 2…but u can try to add a second tunnel with the same shared key...this should work.

                                            localnet: 192.168.6.0/24
                                            remotenet: 192.168.7.0/24

                                            IPSEC Tunnel Pfsense <-> sarian B

                                            Pfsense:
                                            add phase 2 like this:

                                            localnet: 192.168.6.0/24
                                            remotenet: 192.168.7.0/24
                                            use same encryption as ur first phase 2 entry.

                                            Sarian B:

                                            i dont know if sarian can have a second phase 2…but u can try to add a second tunnel with the same shared key...this should work.

                                            localnet: 192.168.7.0/24
                                            remotenet: 192.168.6.0/24

                                            At the end create fireweallrules on pfsense to allow traffic between sarian A und B and vice versa...thats it.

                                            If u have many sarians to connect each other u need to combine networks to minimize phase 2 entries otherwise there is much to configure.

                                            good luck

                                            cya

                                            Pfsense running at 11 Locations
                                            -mobile OPENVPN and IPSEC
                                            -multiwan failover
                                            -filtering proxy(squidguard) in bridgemode with ntop monitoring

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.