Newbie - Will the following work (Voadfone 3G Natted IP)
-
Hi All
Hope someone can help with this one.
I need to create vpn tunnels from mobile 3G (natted IP on connection from Vodafone UK) Sarian/DIGI routers which will have IP devices connected to it.
I have pfsense up and running (although behind a SKY broadband connection on a netgear dg834g) default DMZ is enabled to the PFsense server and DYNdns on pfsense enabled with my dynamic SKY WAN IP
I believe aggressive mode and NAT-T must be used for this configuration which is available on the sarian and pfsense2.0.
If it will work is there any guides available specifically for this sort of enviroment.
Basic layout upto now
SKY WAN IP –----> NETGEARDG834G (192.168.1.1)---- DMZ Enabled ----->PFSENSE WAN(192.168.1.250)
PFSENSE LAN (192.168.5.254) -------MONITORING DEVICE (192.168.5.200)
The other thing i think i should add is that all devices on the 192.168.1.x range are bridged from the wireless side of the DG834 so all connected devices in the 834 show the same MAC address will this cause problems?
Also how can i remote access the PFSENSE webgui from the WAN side
Thanks for reading
-
…....Could somebody please decipher this log for me and tell me whats going on
thanks
aaron
Jun 18 23:32:29 racoon: INFO: begin Aggressive mode.
Jun 18 23:32:29 racoon: INFO: received Vendor ID: DPD
Jun 18 23:32:29 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Jun 18 23:32:29 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Jun 18 23:32:29 racoon: INFO: received Vendor ID: CISCO-UNITY
Jun 18 23:32:29 racoon: [212.183.128.111] INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
Jun 18 23:32:29 racoon: INFO: Adding remote and local NAT-D payloads.
Jun 18 23:32:29 racoon: [212.183.128.111] INFO: Hashing 212.183.128.111[28444] with algo #2
Jun 18 23:32:29 racoon: [192.168.1.16] INFO: Hashing 192.168.1.16[500] with algo #2
Jun 18 23:32:30 racoon: [Unknown Gateway/Dynamic]: INFO: NAT-T: ports changed to: 212.183.128.111[50421]<->192.168.1.16[4500]
Jun 18 23:32:30 racoon: [192.168.1.16] INFO: Hashing 192.168.1.16[4500] with algo #2
Jun 18 23:32:30 racoon: INFO: NAT-D payload #0 doesn't match
Jun 18 23:32:30 racoon: [212.183.128.111] INFO: Hashing 212.183.128.111[50421] with algo #2
Jun 18 23:32:30 racoon: INFO: NAT-D payload #1 doesn't match
Jun 18 23:32:30 racoon: INFO: NAT detected: ME PEER
Jun 18 23:32:30 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established 192.168.1.16[4500]-212.183.128.111[50421] spi:13badf3600251bd6:31d53ca9c320ccc3
Jun 18 23:32:30 racoon: [212.183.128.111] ERROR: delete payload with invalid doi:0.
Jun 18 23:32:30 racoon: INFO: purging ISAKMP-SA spi=13badf3600251bd6:31d53ca9c320ccc3.
Jun 18 23:32:30 racoon: INFO: purged ISAKMP-SA spi=13badf3600251bd6:31d53ca9c320ccc3.
Jun 18 23:32:31 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA deleted 192.168.1.16[4500]-212.183.128.111[50421] spi:13badf3600251bd6:31d53ca9c320ccc3
Jun 18 23:32:40 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 192.168.1.16[500]<=>212.183.128.111[28444]
Jun 18 23:32:40 racoon: INFO: begin Aggressive mode.
Jun 18 23:32:40 racoon: INFO: received Vendor ID: DPD
Jun 18 23:32:40 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Jun 18 23:32:40 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Jun 18 23:32:40 racoon: INFO: received Vendor ID: CISCO-UNITY
Jun 18 23:32:40 racoon: [212.183.128.111] INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
Jun 18 23:32:40 racoon: INFO: Adding remote and local NAT-D payloads.
Jun 18 23:32:40 racoon: [212.183.128.111] INFO: Hashing 212.183.128.111[28444] with algo #2
Jun 18 23:32:40 racoon: [192.168.1.16] INFO: Hashing 192.168.1.16[500] with algo #2
Jun 18 23:32:41 racoon: [Unknown Gateway/Dynamic]: INFO: NAT-T: ports changed to: 212.183.128.111[50421]<->192.168.1.16[4500]
Jun 18 23:32:41 racoon: ERROR: ignore information because ISAKMP-SA has not been established yet.
Jun 18 23:32:41 racoon: [192.168.1.16] INFO: Hashing 192.168.1.16[4500] with algo #2
Jun 18 23:32:41 racoon: INFO: NAT-D payload #0 doesn't match
Jun 18 23:32:41 racoon: [212.183.128.111] INFO: Hashing 212.183.128.111[50421] with algo #2
Jun 18 23:32:41 racoon: INFO: NAT-D payload #1 doesn't match
Jun 18 23:32:41 racoon: INFO: NAT detected: ME PEER
Jun 18 23:32:41 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established 192.168.1.16[4500]-212.183.128.111[50421] spi:f0d9c600ac9fd1db:071b7be39ed28be6
Jun 18 23:32:50 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 192.168.1.16[500]<=>212.183.128.111[28444]
Jun 18 23:32:50 racoon: INFO: begin Aggressive mode.
Jun 18 23:32:50 racoon: INFO: received Vendor ID: DPD
Jun 18 23:32:50 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Jun 18 23:32:50 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Jun 18 23:32:50 racoon: INFO: received Vendor ID: CISCO-UNITY
Jun 18 23:32:50 racoon: [212.183.128.111] INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
Jun 18 23:32:50 racoon: INFO: Adding remote and local NAT-D payloads.
Jun 18 23:32:50 racoon: [212.183.128.111] INFO: Hashing 212.183.128.111[28444] with algo #2
Jun 18 23:32:50 racoon: [192.168.1.16] INFO: Hashing 192.168.1.16[500] with algo #2
-
Hi frank,
im not sure i understand ur setup.
1. why u do not replace netgear with pfsense?
DMZ is enabled to the PFsense server and DYNdns on pfsense enabled with my dynamic SKY WAN IP
I recommend u not to use dynamic ips with IPSEC, u will get problems…tunnels sometimes not getting up after IP change (Site to Site).
Depending on ur Produkt u can order fixed ip from provider.3.
I need to create vpn tunnels from mobile 3G (natted IP on connection from Vodafone UK) Sarian/DIGI routers which will have IP devices connected to it.
Roadwarrior connections are possible but site to site dont work (tested with Vodafone Germany).
4.
[Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 192.168.1.16[500]<=>212.183.128.111[28444]
I still dont know what u doing…more detail plz.
sarian Router -----internet-----> Netgear ----> pfsense
Is this correct? U wanna create VPN between sarian and pfsense?
I believe aggressive mode and NAT-T must be used for this configuration which is available on the sarian and pfsense2.0.
Remember u will have no luck with site to site config! Vodafone UMTS networks are not reachable from external networks.
The sarian router need to act as a mobile client (i know its possible with Cisco devices).
I googled for some sarian howtos and it seems there is only Site to Site possible.Cya
-
Hi thanks for the reply
My current test setup is on SKY Broadband UK - they only supply a dynamic IP (The finial installation will be on a Staic IP from another provider)
Basically we want to have IP CCTV cameras out in the field and let the sarian 3g router initiate the tunnel to the pfsense host
I have spoken to Sarian and they said any VPN Server supporting NAT-T and aggresive mode should respond to the NATted Vodafone IP.Im wondering looking at the logs i posted it seems the pfsense (WAN IP 192.168.1.16)is getting stuck going back out through the netgear router 192.168.1.1 even though DMZ is enabled on it. Is this correct?? I was looking at getting a router that supports bridge mode which i can go straight into the pfsense and let it do the DHCP/NAT etc.
Any further help would be appreciated cheers
-
Hi,
I have spoken to Sarian and they said any VPN Server supporting NAT-T and aggressive mode should respond to the NATted Vodafone IP.
hmm i ll test it tomorrow with 2 pfsense boxes (1 with adsl and 1 with umts). I never tested with aggressive mode.
But i think u cant use site to site on pfsense because u need an valid remote peer ip address otherwise phase 1 will always fail.Im wondering looking at the logs i posted it seems the pfsense (WAN IP 192.168.1.16)is getting stuck going back out through the netgear router 192.168.1.1 even though DMZ is enabled on it. Is this correct??
U still need a real portforward. Be careful with netgear…look at documentation what "dmz on netgear" really means.
I was looking at getting a router that supports bridge mode which i can go straight into the pfsense and let it do the DHCP/NAT etc.
Search for pppoe passthrough on netgear.
The easyest way is to get the netgear in "modem mode". Activate pppoe passthrough mode and set up the pppoe connection on pfsense.
We dont need to analyse ipsec logs if we dont know if ur dmz setup works.
U posted logs…what is ur ipsec config on pfsense?
cya
-
Cheers spiritbreaker
Another log for you to look at :)
I have now got the sarian router VPN tunnel up but cant ping any remote clients etc. The log shows Phase 2 failed i have tried googling the error messages but no luck with any good answers.
Jun 19 17:30:13 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 192.168.1.16[500]<=>212.183.128.9[11637]
Jun 19 17:30:13 racoon: INFO: begin Aggressive mode.
Jun 19 17:30:13 racoon: INFO: received Vendor ID: DPD
Jun 19 17:30:13 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Jun 19 17:30:13 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Jun 19 17:30:13 racoon: INFO: received Vendor ID: CISCO-UNITY
Jun 19 17:30:13 racoon: [212.183.128.9] INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
Jun 19 17:30:13 racoon: INFO: Adding remote and local NAT-D payloads.
Jun 19 17:30:13 racoon: [212.183.128.9] INFO: Hashing 212.183.128.9[11637] with algo #1
Jun 19 17:30:13 racoon: [192.168.1.16] INFO: Hashing 192.168.1.16[500] with algo #1
Jun 19 17:30:14 racoon: [Unknown Gateway/Dynamic]: INFO: NAT-T: ports changed to: 212.183.128.9[22383]<->192.168.1.16[4500]
Jun 19 17:30:14 racoon: [192.168.1.16] INFO: Hashing 192.168.1.16[4500] with algo #1
Jun 19 17:30:14 racoon: INFO: NAT-D payload #0 doesn't match
Jun 19 17:30:14 racoon: [212.183.128.9] INFO: Hashing 212.183.128.9[22383] with algo #1
Jun 19 17:30:14 racoon: INFO: NAT-D payload #1 doesn't match
Jun 19 17:30:14 racoon: INFO: NAT detected: ME PEER
Jun 19 17:30:14 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established 192.168.1.16[4500]-212.183.128.9[22383] spi:7f414c4ae95afd07:9c1ca4e1693af978
Jun 19 17:30:14 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: 192.168.1.16[4500]<=>212.183.128.9[22383]
Jun 19 17:30:14 racoon: [212.183.128.9] INFO: received INITIAL-CONTACT
Jun 19 17:30:14 racoon: [Unknown Gateway/Dynamic]: INFO: no policy found, try to generate the policy : 192.168.0.0/24[0] 192.168.5.0/24[0] proto=any dir=in
Jun 19 17:30:14 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
Jun 19 17:30:14 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
Jun 19 17:30:34 racoon: ERROR: libipsec failed send update (No algorithm specified)
Jun 19 17:30:34 racoon: ERROR: pfkey update failed.
Jun 19 17:30:34 racoon: [212.183.128.9] ERROR: failed to process ph2 packet (side: 1, status: 8).
Jun 19 17:30:34 racoon: [212.183.128.9] ERROR: phase2 negotiation failed.
Jun 19 17:39:30 racoon: [212.183.128.9] ERROR: Wrong DPD sequence number (3743; last_ack=3743, seq=3743).Thanks for your time
-
Hi,
last try.. plz post ur ipsec parameters. What remote peer u define on pfsense site?
Use 3DES / Sha1 for best compatibility in phase 2
cya
-
Sorry ;)
Screenshots attached
cheers
-
Sarian Screenshots
-
Hi,
u need to create a remote user on pfsense.
goto System -> usermanager
create user eg: sarian3g with ipsec key, effective previleges: assign to all groups with "USER - xxxxx"
pfsense + sarian switch to ESP
pfsense p1:
mode: aggressive
my identifier: distinguished name: pfsense
3DES/Sha1
lifetime: 28800
play with proposal checking optionpfsense p2:
mode tunnel
protocoll ESP
3DES/Sha1
lifetime 3600goto advanced-> Miscellaneous -> uncheck " prefer oder sa" and check racoon debug mode
goto Status: System logs: Settings change number of logentries to >= 500sarian:
change p1 and p2 parameters like pfsense
peer id: pfsense
our id: sarian3g
send our id as FQDN: yes
u need to define preshared key of sarian3g in ur config
change duration (kb) to 0
local subnet adress: 192.168.0.0/255.255.255.0
remote subnet: 192.168.5.0/255.255.255.0cya
-
Thanks will give it all a try - i do have users already setup but wil double check there settings
thanks again
-
Hi Mate
done all your settings tunnel is coming up but still no pinging from either side of lan/wan port
logs below
un 19 22:03:57 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA deleted 192.168.1.16[4500]-212.183.128.40[6005] spi:b429387f02bef23c:7a681eab5df9de76
Jun 19 22:03:57 racoon: [Unknown Gateway/Dynamic]: INFO: NAT-T: ports changed to: 212.183.128.40[6005]<->192.168.1.16[4500]
Jun 19 22:03:57 racoon: [192.168.1.16] INFO: Hashing 192.168.1.16[4500] with algo #2
Jun 19 22:03:57 racoon: INFO: NAT-D payload #0 doesn't match
Jun 19 22:03:57 racoon: [212.183.128.40] INFO: Hashing 212.183.128.40[6005] with algo #2
Jun 19 22:03:57 racoon: INFO: NAT-D payload #1 doesn't match
Jun 19 22:03:57 racoon: INFO: NAT detected: ME PEER
Jun 19 22:03:57 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established 192.168.1.16[4500]-212.183.128.40[6005] spi:f53921c972bc9d6e:ea90a881ec3f5a8c
Jun 19 22:03:57 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: 192.168.1.16[4500]<=>212.183.128.40[6005]
Jun 19 22:03:57 racoon: [212.183.128.40] INFO: received INITIAL-CONTACT
Jun 19 22:03:57 racoon: [Unknown Gateway/Dynamic]: INFO: no policy found, try to generate the policy : 192.168.0.0/24[0] 192.168.5.0/24[0] proto=any dir=in
Jun 19 22:03:57 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
Jun 19 22:03:57 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
Jun 19 22:03:57 racoon: ERROR: libipsec failed send update (No algorithm specified)
Jun 19 22:03:57 racoon: ERROR: pfkey update failed.
Jun 19 22:03:57 racoon: [212.183.128.40] ERROR: failed to process ph2 packet (side: 1, status: 8).
Jun 19 22:03:57 racoon: [212.183.128.40] ERROR: phase2 negotiation failed.
Jun 19 22:03:58 racoon: [212.183.128.40] ERROR: delete payload with invalid doi:0.
Jun 19 22:03:58 racoon: INFO: purging ISAKMP-SA spi=f53921c972bc9d6e:ea90a881ec3f5a8c.
Jun 19 22:03:58 racoon: INFO: purged ISAKMP-SA spi=f53921c972bc9d6e:ea90a881ec3f5a8c.
Jun 19 22:03:59 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA deleted 192.168.1.16[4500]-212.183.128.40[6005] spi:f53921c972bc9d6e:ea90a881ec3f5a8c
Jun 19 22:05:18 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 192.168.1.16[500]<=>212.183.128.40[24061]
Jun 19 22:05:18 racoon: INFO: begin Aggressive mode.
Jun 19 22:05:18 racoon: INFO: received Vendor ID: DPD
Jun 19 22:05:18 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Jun 19 22:05:18 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Jun 19 22:05:18 racoon: INFO: received Vendor ID: CISCO-UNITY
Jun 19 22:05:18 racoon: [212.183.128.40] INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
Jun 19 22:05:18 racoon: INFO: Adding remote and local NAT-D payloads.
Jun 19 22:05:18 racoon: [212.183.128.40] INFO: Hashing 212.183.128.40[24061] with algo #2
Jun 19 22:05:18 racoon: [192.168.1.16] INFO: Hashing 192.168.1.16[500] with algo #2
Jun 19 22:05:20 racoon: [Unknown Gateway/Dynamic]: INFO: NAT-T: ports changed to: 212.183.128.40[60021]<->192.168.1.16[4500]
Jun 19 22:05:20 racoon: [192.168.1.16] INFO: Hashing 192.168.1.16[4500] with algo #2
Jun 19 22:05:20 racoon: INFO: NAT-D payload #0 doesn't match
Jun 19 22:05:20 racoon: [212.183.128.40] INFO: Hashing 212.183.128.40[60021] with algo #2
Jun 19 22:05:20 racoon: INFO: NAT-D payload #1 doesn't match
Jun 19 22:05:20 racoon: INFO: NAT detected: ME PEER
Jun 19 22:05:20 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established 192.168.1.16[4500]-212.183.128.40[60021] spi:bb1ef0750c603600:79bf16d2d4d3203b
Jun 19 22:05:20 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: 192.168.1.16[4500]<=>212.183.128.40[60021]
Jun 19 22:05:20 racoon: [212.183.128.40] INFO: received INITIAL-CONTACT
Jun 19 22:05:20 racoon: [Unknown Gateway/Dynamic]: INFO: no policy found, try to generate the policy : 192.168.0.0/24[0] 192.168.5.0/24[0] proto=any dir=in
Jun 19 22:05:20 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
Jun 19 22:05:20 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
Jun 19 22:05:21 racoon: ERROR: libipsec failed send update (No algorithm specified)
Jun 19 22:05:21 racoon: ERROR: pfkey update failed.
Jun 19 22:05:21 racoon: [212.183.128.40] ERROR: failed to process ph2 packet (side: 1, status: 8).
Jun 19 22:05:21 racoon: [212.183.128.40] ERROR: phase2 negotiation failed.
-
One other thing i should mention in the sarian ESP Encryption level s either off or null cant choose 3des etc
-
Update
Got 3des esp encryption enabled on the sarian, tunnel is up and works.
Only thing is i can ping and bring up devices on the sarian from the pfsense lan but cant connect/ping to any devices from the sarian lan to the pfsense lan
Any ideas??
Thanks
-
hi,
u create ipsec rule on pfsense?
Are there any blocking events on enc0?
cya
-
Hi SB
Thanks fro reply and help again.
Sorry might be a daft ? what is enc0? :-[
IPSec rules created subnets are PFS 192.168.5.0 sarian 192.168.0.0 should the gateways be set the same ie pfs 192.168.5.254 sarian 0.254 (this is now the ip of the sarian LAN port/config port)
Thanks again
-
Hi,
enc0 is the pfsense internal ipsec adapter. if incoming vpn traffig get blocked u see firewall blocking events on enc0 interface.
ur IPsec rule looks like:
Proto Source Port Destination Port Gateway Queue
* 192.168.5.0/24 * LAN net (192.168.0.0/24) * * noneOnly thing is i can ping and bring up devices on the sarian from the pfsense lan but cant connect/ping to any devices from the sarian lan to the pfsense lan
Too much for me :D
is this right?
When tunnel comes up you..
sarian site
..cant ping pfsense lan ip
..cant ping device in pfsense networkpfsense site:
…can ping sarian lan ip
...can ping device in sarian networkplz post racoon ipsec-sa establishment.. is there something similar on sarian?
cya
-
apologies for being a pain ;D
Sorted it now - checked firewall logs pings being denied from sarian to pfsense added easy rule works a dream.
I'll get there in the end :)
thanks again
-
Hi Folks
Struggling again :)
Having got multiple mobile clients running with the sarian 3g routers, and i can see devices from sarian A to PFSense and vice versa same for sarian B and C. What i cant do is talk from Sarian A - B, A - C, C - B etc the routers are on 192.168.6.0, 7.0, and 8.0 pfsense is 192.168.5.0
Checked firewall logs nothing comes through when i try and ping sarian to sarian
Any help again appreciated
Cheers
-
Hi,
this is by design^^ u cant route IPSEC.
What u have to do is to create multiple phase 2 entrys on Pfsense and sarians.
Have a look at this example:
Each Sarian has a IPSEC Tunnel to ur central pfsense. Sarian A cant reach Sarian B network because there is no route.
pfsense
192.168.5.0
| |
| |
| |
Sarian A Sarian B
192.168.6.0 192.168.7.0Solution:
IPSEC Tunnel Pfsense <-> sarian APfsense:
add phase 2 like this:localnet: 192.168.7.0/24
remotenet: 192.168.6.0/24
use same encryption as ur first phase 2 entry.Sarian A:
i dont know if sarian can have a second phase 2…but u can try to add a second tunnel with the same shared key...this should work.
localnet: 192.168.6.0/24
remotenet: 192.168.7.0/24IPSEC Tunnel Pfsense <-> sarian B
Pfsense:
add phase 2 like this:localnet: 192.168.6.0/24
remotenet: 192.168.7.0/24
use same encryption as ur first phase 2 entry.Sarian B:
i dont know if sarian can have a second phase 2…but u can try to add a second tunnel with the same shared key...this should work.
localnet: 192.168.7.0/24
remotenet: 192.168.6.0/24At the end create fireweallrules on pfsense to allow traffic between sarian A und B and vice versa...thats it.
If u have many sarians to connect each other u need to combine networks to minimize phase 2 entries otherwise there is much to configure.
good luck
cya