Newbie - Will the following work (Voadfone 3G Natted IP)
-
Hi,
You need to create a remote user on pfSense.
Go to System -> User Manager.
Create a user, e.g. sarian3g, with an IPsec key; effective privileges: assign to all groups with "USER - xxxxx".
pfSense + Sarian switch to ESP.
pfSense P1:
mode: aggressive
my identifier: distinguished name: pfsense
3DES/SHA1
lifetime: 28800
play with the proposal checking option
pfSense P2:
mode: tunnel
protocol: ESP
3DES/SHA1
lifetime: 3600
Go to Advanced -> Miscellaneous -> uncheck "prefer older SA" and check racoon debug mode.
Go to Status: System logs: Settings and change the number of log entries to >= 500.
Sarian:
change P1 and P2 parameters like pfSense
peer id: pfsense
our id: sarian3g
send our id as FQDN: yes
You need to define the preshared key of sarian3g in your config.
change duration (kb) to 0
local subnet address: 192.168.0.0/255.255.255.0
remote subnet: 192.168.5.0/255.255.255.0
cya
-
Thanks, will give it all a try - I do have users already set up but will double check their settings.
thanks again
-
Hi Mate
Done all your settings, the tunnel is coming up but still no pinging from either side of the LAN/WAN port.
Logs below:
Jun 19 22:03:57 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA deleted 192.168.1.16[4500]-212.183.128.40[6005] spi:b429387f02bef23c:7a681eab5df9de76
Jun 19 22:03:57 racoon: [Unknown Gateway/Dynamic]: INFO: NAT-T: ports changed to: 212.183.128.40[6005]<->192.168.1.16[4500]
Jun 19 22:03:57 racoon: [192.168.1.16] INFO: Hashing 192.168.1.16[4500] with algo #2
Jun 19 22:03:57 racoon: INFO: NAT-D payload #0 doesn't match
Jun 19 22:03:57 racoon: [212.183.128.40] INFO: Hashing 212.183.128.40[6005] with algo #2
Jun 19 22:03:57 racoon: INFO: NAT-D payload #1 doesn't match
Jun 19 22:03:57 racoon: INFO: NAT detected: ME PEER
Jun 19 22:03:57 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established 192.168.1.16[4500]-212.183.128.40[6005] spi:f53921c972bc9d6e:ea90a881ec3f5a8c
Jun 19 22:03:57 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: 192.168.1.16[4500]<=>212.183.128.40[6005]
Jun 19 22:03:57 racoon: [212.183.128.40] INFO: received INITIAL-CONTACT
Jun 19 22:03:57 racoon: [Unknown Gateway/Dynamic]: INFO: no policy found, try to generate the policy : 192.168.0.0/24[0] 192.168.5.0/24[0] proto=any dir=in
Jun 19 22:03:57 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
Jun 19 22:03:57 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
Jun 19 22:03:57 racoon: ERROR: libipsec failed send update (No algorithm specified)
Jun 19 22:03:57 racoon: ERROR: pfkey update failed.
Jun 19 22:03:57 racoon: [212.183.128.40] ERROR: failed to process ph2 packet (side: 1, status: 8).
Jun 19 22:03:57 racoon: [212.183.128.40] ERROR: phase2 negotiation failed.
Jun 19 22:03:58 racoon: [212.183.128.40] ERROR: delete payload with invalid doi:0.
Jun 19 22:03:58 racoon: INFO: purging ISAKMP-SA spi=f53921c972bc9d6e:ea90a881ec3f5a8c.
Jun 19 22:03:58 racoon: INFO: purged ISAKMP-SA spi=f53921c972bc9d6e:ea90a881ec3f5a8c.
Jun 19 22:03:59 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA deleted 192.168.1.16[4500]-212.183.128.40[6005] spi:f53921c972bc9d6e:ea90a881ec3f5a8c
Jun 19 22:05:18 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 192.168.1.16[500]<=>212.183.128.40[24061]
Jun 19 22:05:18 racoon: INFO: begin Aggressive mode.
Jun 19 22:05:18 racoon: INFO: received Vendor ID: DPD
Jun 19 22:05:18 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Jun 19 22:05:18 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Jun 19 22:05:18 racoon: INFO: received Vendor ID: CISCO-UNITY
Jun 19 22:05:18 racoon: [212.183.128.40] INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
Jun 19 22:05:18 racoon: INFO: Adding remote and local NAT-D payloads.
Jun 19 22:05:18 racoon: [212.183.128.40] INFO: Hashing 212.183.128.40[24061] with algo #2
Jun 19 22:05:18 racoon: [192.168.1.16] INFO: Hashing 192.168.1.16[500] with algo #2
Jun 19 22:05:20 racoon: [Unknown Gateway/Dynamic]: INFO: NAT-T: ports changed to: 212.183.128.40[60021]<->192.168.1.16[4500]
Jun 19 22:05:20 racoon: [192.168.1.16] INFO: Hashing 192.168.1.16[4500] with algo #2
Jun 19 22:05:20 racoon: INFO: NAT-D payload #0 doesn't match
Jun 19 22:05:20 racoon: [212.183.128.40] INFO: Hashing 212.183.128.40[60021] with algo #2
Jun 19 22:05:20 racoon: INFO: NAT-D payload #1 doesn't match
Jun 19 22:05:20 racoon: INFO: NAT detected: ME PEER
Jun 19 22:05:20 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established 192.168.1.16[4500]-212.183.128.40[60021] spi:bb1ef0750c603600:79bf16d2d4d3203b
Jun 19 22:05:20 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: 192.168.1.16[4500]<=>212.183.128.40[60021]
Jun 19 22:05:20 racoon: [212.183.128.40] INFO: received INITIAL-CONTACT
Jun 19 22:05:20 racoon: [Unknown Gateway/Dynamic]: INFO: no policy found, try to generate the policy : 192.168.0.0/24[0] 192.168.5.0/24[0] proto=any dir=in
Jun 19 22:05:20 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
Jun 19 22:05:20 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
Jun 19 22:05:21 racoon: ERROR: libipsec failed send update (No algorithm specified)
Jun 19 22:05:21 racoon: ERROR: pfkey update failed.
Jun 19 22:05:21 racoon: [212.183.128.40] ERROR: failed to process ph2 packet (side: 1, status: 8).
Jun 19 22:05:21 racoon: [212.183.128.40] ERROR: phase2 negotiation failed.
-
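An added example, not from the thread, that parses racoon log lines like the ones quoted above and condenses one negotiation attempt into the facts worth checking (IKE mode, NAT-T, phase 1 SA, generated policy, phase 2 outcome). The constructed sample is an abridged copy of the quoted lines; the hint text follows the way this thread was eventually resolved (ESP encryption had to be enabled on the Sarian), and the function names are my own.

```python
import re
# Constructed sample: an abridged copy of the racoon lines quoted in the post above.
SAMPLE_LOG = """\
Jun 19 22:05:18 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 192.168.1.16[500]<=>212.183.128.40[24061]
Jun 19 22:05:18 racoon: INFO: begin Aggressive mode.
Jun 19 22:05:20 racoon: INFO: NAT detected: ME PEER
Jun 19 22:05:20 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established 192.168.1.16[4500]-212.183.128.40[60021] spi:bb1ef0750c603600:79bf16d2d4d3203b
Jun 19 22:05:20 racoon: [Unknown Gateway/Dynamic]: INFO: no policy found, try to generate the policy : 192.168.0.0/24[0] 192.168.5.0/24[0] proto=any dir=in
Jun 19 22:05:21 racoon: ERROR: libipsec failed send update (No algorithm specified)
Jun 19 22:05:21 racoon: [212.183.128.40] ERROR: phase2 negotiation failed.
"""
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) racoon: (?:\[(?P<ctx>[^\]]*)\]:? )?(?P<level>INFO|ERROR|WARNING|NOTIFY|DEBUG): (?P<msg>.*)$")
SA_RE = re.compile(r"ISAKMP-SA established (?P<me>\S+)-(?P<peer>\S+) spi:(?P<spi>\S+)")
POLICY_RE = re.compile(r"generate the policy : (?P<src>\S+)\[\d+\] (?P<dst>\S+)\[\d+\]")

def parse_racoon(text):
    """Split racoon syslog lines into dicts with ts, ctx (bracketed peer/gateway), level and msg."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def summarize(events):
    """Condense one negotiation attempt into the facts a troubleshooter needs."""
    s = {"mode": None, "nat_t": False, "phase1": "none", "spi": None,
         "policy": None, "phase2": "none", "errors": [], "hint": None}
    for e in events:
        msg = e["msg"]
        if msg.startswith("begin ") and msg.endswith(" mode."):
            s["mode"] = msg[len("begin "):-len(" mode.")]        # e.g. "Aggressive"
        elif msg.startswith("NAT detected:"):
            s["nat_t"] = True                                    # both sides behind NAT here
        elif (m := SA_RE.search(msg)):
            s["phase1"], s["spi"] = "established", m["spi"]      # phase 1 succeeded
        elif (m := POLICY_RE.search(msg)):
            s["policy"] = (m["src"], m["dst"])                   # subnets racoon tried to key
        elif msg.startswith("phase2 negotiation failed"):
            s["phase2"] = "failed"
        if e["level"] == "ERROR":
            s["errors"].append(msg)
    if s["phase1"] == "established" and s["phase2"] == "failed":
        s["hint"] = ("Phase 1 is fine; phase 2 has no usable ESP algorithm. Check ESP encryption/hash on both peers."
                     if any("No algorithm specified" in err for err in s["errors"]) else "Phase 1 is fine; check the phase 2 proposal and subnets.")
    return s
```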
One other thing I should mention: in the Sarian the ESP encryption level is either off or null, can't choose 3DES etc.
-
Update
Got 3DES ESP encryption enabled on the Sarian, tunnel is up and works.
Only thing is I can ping and bring up devices on the Sarian from the pfSense LAN but can't connect/ping to any devices from the Sarian LAN to the pfSense LAN.
Any ideas??
Thanks
-
hi,
Did you create an IPsec rule on pfSense?
Are there any blocking events on enc0?
cya
-
Hi SB
Thanks for the reply and help again.
Sorry, might be a daft ? - what is enc0? :-[
IPsec rules created; subnets are PFS 192.168.5.0, Sarian 192.168.0.0. Should the gateways be set the same, i.e. PFS 192.168.5.254, Sarian 0.254 (this is now the IP of the Sarian LAN port/config port)?
Thanks again
-
Hi,
enc0 is the pfSense internal IPsec adapter. If incoming VPN traffic gets blocked you see firewall blocking events on the enc0 interface.
Your IPsec rule looks like:
Proto Source Port Destination Port Gateway Queue
* 192.168.5.0/24 * LAN net (192.168.0.0/24) * * none
> Only thing is i can ping and bring up devices on the sarian from the pfsense lan but cant connect/ping to any devices from the sarian lan to the pfsense lan
Too much for me :D
is this right?
When tunnel comes up you..
sarian site
..cant ping pfsense lan ip
..can't ping device in pfSense network
pfSense site:
...can ping Sarian LAN IP
...can ping device in Sarian network
Please post the racoon IPsec-SA establishment... is there something similar on the Sarian?
cya
-
apologies for being a pain ;D
Sorted it now - checked firewall logs, pings being denied from Sarian to pfSense, added easy rule, works a dream.
I'll get there in the end :)
thanks again
-
Hi Folks
Struggling again :)
Having got multiple mobile clients running with the Sarian 3G routers, I can see devices from Sarian A to pfSense and vice versa, same for Sarian B and C. What I can't do is talk from Sarian A - B, A - C, C - B etc. The routers are on 192.168.6.0, 7.0 and 8.0, pfSense is 192.168.5.0.
Checked firewall logs, nothing comes through when I try and ping Sarian to Sarian.
Any help again appreciated
Cheers
-
Hi,
This is by design^^ you can't route IPsec.
What you have to do is to create multiple phase 2 entries on pfSense and the Sarians.
Have a look at this example:
Each Sarian has an IPsec tunnel to your central pfSense. Sarian A can't reach Sarian B's network because there is no route.
pfsense
192.168.5.0
| |
| |
| |
Sarian A Sarian B
192.168.6.0 192.168.7.0
Solution:
IPsec Tunnel pfSense <-> Sarian A
pfSense:
add phase 2 like this:
localnet: 192.168.7.0/24
remotenet: 192.168.6.0/24
use same encryption as your first phase 2 entry.
Sarian A:
I don't know if the Sarian can have a second phase 2... but you can try to add a second tunnel with the same shared key... this should work.
localnet: 192.168.6.0/24
remotenet: 192.168.7.0/24
IPsec Tunnel pfSense <-> Sarian B
pfSense:
add phase 2 like this:
localnet: 192.168.6.0/24
remotenet: 192.168.7.0/24
use same encryption as your first phase 2 entry.
Sarian B:
I don't know if the Sarian can have a second phase 2... but you can try to add a second tunnel with the same shared key... this should work.
localnet: 192.168.7.0/24
remotenet: 192.168.6.0/24
At the end create firewall rules on pfSense to allow traffic between Sarian A and B and vice versa... that's it.
If you have many Sarians to connect to each other you need to combine networks to minimize phase 2 entries, otherwise there is much to configure.
good luck
cya
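An added example, not from the post above, that generalises the Sarian A / Sarian B phase 2 recipe to any number of spokes behind one pfSense hub: given the hub LAN and the spoke LANs it lists the (local, remote) phase 2 pair each device needs, refuses overlapping LANs (which cannot be keyed into distinct SPD entries), and counts how many entries the hub ends up carrying, which is why the post suggests combining networks. The names phase2_plan and entry_count are my own.

```python
import ipaddress

def phase2_plan(hub_lan, spokes):
    """Enumerate the phase 2 (local, remote) subnet pairs each device needs so that
    every spoke reaches the hub LAN and every other spoke LAN through the hub.

    hub_lan: hub LAN in CIDR; spokes: {name: spoke LAN in CIDR}. Returns
    {"hub": {spoke: [(local, remote), ...]}, spoke: [(local, remote), ...]}.
    Pairs are written from each device's own point of view, so a pair that is
    (local, remote) on the hub appears as (remote, local) on the spoke.
    """
    nets = {"hub": ipaddress.ip_network(hub_lan)}
    nets.update({n: ipaddress.ip_network(c) for n, c in spokes.items()})
    names = list(nets)
    # Overlapping LANs would produce ambiguous SPD entries, so reject them up front.
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                raise ValueError(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    plan = {"hub": {}}
    for name in spokes:
        remote = str(nets[name])
        # Hub side of this spoke's tunnel: hub LAN first, then every other spoke LAN.
        hub_side = [(str(nets[o]), remote) for o in names if o != name]
        plan["hub"][name] = hub_side
        plan[name] = [(r, l) for l, r in hub_side]   # mirror for the spoke's config
    return plan

def entry_count(plan):
    """Total phase 2 entries the hub carries: n spokes give n*n entries."""
    return sum(len(v) for v in plan["hub"].values())
```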