Site-to-site pfSense-pfSense IPsec VPN



  • Hi, All,

    I know I did this less than a year ago (pre-release), but I can't figure out how to do this now…

    I have two pfSense 1.01 boxes:

    Box A: a definite static WAN IP, LAN is 192.168.1.0/255.255.255.0
    Box B: a relatively static (changes ~monthly) WAN IP, LAN is 192.168.100.0/255.255.255.0.

    I've set up a preshared key on both boxes, and have attempted to create a tunnel between the two.

    Box A Phase 1:

    Interface: WAN
      Local subnet:  LAN subnet
      Remote subnet: 192.168.100.0 / 24
      Remote gateway: {public IP of box B}

    Negotiation mode: aggressive
      My identifier: My IP address
      Encryption algorithm: Blowfish
      Hash algorithm: SHA1
      DH key group: 2 (1024 bit)
      Lifetime: 28800
      Authentication method: pre-shared key

    Box A Phase2:

    Protocol: ESP
      Encryption algorithm: Blowfish
      Hash algorithm: SHA1
      PFS key group: 2 (1024 bit)
      Lifetime: 86400

    Box B Phase 1:

    Interface: WAN
      Local subnet:  LAN subnet
      Remote subnet: 192.168.1.0 / 24
      Remote gateway: {public static IP of box A}

    Negotiation mode: aggressive
      My identifier: My IP address
      Encryption algorithm: Blowfish
      Hash algorithm: SHA1
      DH key group: 2 (1024 bit)
      Lifetime: 28800
      Authentication method: pre-shared key

    Box B Phase2:

    Protocol: ESP
      Encryption algorithm: Blowfish
      Hash algorithm: SHA1
      PFS key group: 2 (1024 bit)
      Lifetime: 86400

    I still can't get the two to connect, no matter what I try...
    Since Box B isn't completely static, do I have to set it up as a mobile client?  I think I was able to do it before as site-to-site, I just had to update the tunnel config when the IP changed etc.

    Here's the IPsec error log from Box A:

    Feb 18 21:40:18 racoon: INFO: caught signal 15
    Feb 18 21:40:19 racoon: INFO: racoon shutdown
    Feb 18 21:40:21 racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
    Feb 18 21:40:21 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
    Feb 18 21:40:21 racoon: INFO: fe80::202:b3ff:fe9d:a31%ng0[500] used as isakmp port (fd=13)
    Feb 18 21:40:21 racoon: INFO: {Box A public IP}[500] used as isakmp port (fd=14)
    Feb 18 21:40:21 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
    Feb 18 21:40:21 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=15)
    Feb 18 21:40:21 racoon: INFO: ::1[500] used as isakmp port (fd=16)
    Feb 18 21:40:21 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=17)
    Feb 18 21:40:21 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
    Feb 18 21:40:21 racoon: INFO: fe80::203:47ff:fe99:f922%fxp1[500] used as isakmp port (fd=18)
    Feb 18 21:40:21 racoon: INFO: fe80::202:b3ff:fe9d:a31%fxp0[500] used as isakmp port (fd=19)
    Feb 18 21:40:21 racoon: INFO: 192.168.1.5[500] used as isakmp port (fd=20)
    Feb 18 21:40:21 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument

    And from Box B:

    Feb 18 21:42:21 racoon: INFO: caught signal 15
    Feb 18 21:42:22 racoon: INFO: racoon shutdown
    Feb 18 21:42:23 racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
    Feb 18 21:42:23 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
    Feb 18 21:42:23 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=13)
    Feb 18 21:42:23 racoon: INFO: ::1[500] used as isakmp port (fd=14)
    Feb 18 21:42:23 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
    Feb 18 21:42:23 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
    Feb 18 21:42:23 racoon: INFO: fe80::206:29ff:fea9:9362%fxp1[500] used as isakmp port (fd=16)
    Feb 18 21:42:23 racoon: INFO: 192.168.100.1[500] used as isakmp port (fd=17)
    Feb 18 21:42:23 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
    Feb 18 21:42:23 racoon: INFO: {Box B public IP}[500] used as isakmp port (fd=18)
    Feb 18 21:42:23 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
    Feb 18 21:42:23 racoon: INFO: fe80::2d0:b7ff:fe90:69c1%fxp0[500] used as isakmp port (fd=19)
    Feb 18 21:42:23 racoon: ERROR: such policy already exists. anyway replace it: 192.168.100.0/24[0] 192.168.100.1/32[0] proto=any dir=in
    Feb 18 21:42:23 racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.100.0/24[0] proto=any dir=in
    Feb 18 21:42:23 racoon: ERROR: such policy already exists. anyway replace it: 192.168.100.1/32[0] 192.168.100.0/24[0] proto=any dir=out
    Feb 18 21:42:23 racoon: ERROR: such policy already exists. anyway replace it: 192.168.100.0/24[0] 192.168.1.0/24[0] proto=any dir=out

    Is there something really basic I'm missing here?  I've looked over the m0n0wall guides but I just don't seem to be able to figure this out…

    Thanks in advance for any assistance.  I'm running out of hair to pull  ???
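    Before chasing the logs, it helps to confirm that the two tunnel definitions really mirror each other. The following is an added example, not code from the thread or from pfSense: the two dictionaries are constructed from the settings listed in the post above, and the `check_pair` helper is hypothetical. It verifies that each side's remote subnet is exactly the other side's local subnet, that the LANs do not overlap, that every Phase 1 and Phase 2 proposal field matches, and it flags the one structural issue the post itself raises: Box B's WAN address changes, yet both ends identify it by that address.

```python
"""Consistency check for a pair of pfSense IPsec site-to-site definitions.

Added example, not part of the forum thread or of pfSense. The dictionaries
are constructed from the settings the first post lists; check_pair() is a
hypothetical helper that only compares what the two ends entered.
"""
import ipaddress

# Constructed from the first post: Box A as the poster configured it.
BOX_A = {
    "name": "Box A",
    "local_subnet": "192.168.1.0/24",
    "remote_subnet": "192.168.100.0/24",
    "wan_static": True,
    "phase1": {"mode": "aggressive", "identifier": "My IP address",
               "enc": "Blowfish", "hash": "SHA1", "dh": 2, "lifetime": 28800,
               "auth": "pre-shared key"},
    "phase2": {"proto": "ESP", "enc": "Blowfish", "hash": "SHA1",
               "pfs": 2, "lifetime": 86400},
}

# Box B: same proposals as Box A (as the post lists), mirrored subnets,
# and a WAN address the post says changes about monthly.
BOX_B = {
    "name": "Box B",
    "local_subnet": "192.168.100.0/24",
    "remote_subnet": "192.168.1.0/24",
    "wan_static": False,
    "phase1": dict(BOX_A["phase1"]),
    "phase2": dict(BOX_A["phase2"]),
}


def check_pair(a, b):
    """Return a list of findings; an empty list means the two ends mirror each other."""
    findings = []
    a_local = ipaddress.ip_network(a["local_subnet"])
    a_remote = ipaddress.ip_network(a["remote_subnet"])
    b_local = ipaddress.ip_network(b["local_subnet"])
    b_remote = ipaddress.ip_network(b["remote_subnet"])

    # Each side's remote subnet must be exactly the other side's local subnet,
    # otherwise the Phase 2 selectors never agree and no SA is negotiated.
    if a_remote != b_local:
        findings.append(f"{a['name']} remote subnet {a_remote} != {b['name']} local subnet {b_local}")
    if b_remote != a_local:
        findings.append(f"{b['name']} remote subnet {b_remote} != {a['name']} local subnet {a_local}")

    # Overlapping LANs cannot be routed across a tunnel at all.
    if a_local.overlaps(b_local):
        findings.append(f"local subnets overlap: {a_local} and {b_local}")

    # Phase 1 and Phase 2 proposals must match field by field.
    for phase in ("phase1", "phase2"):
        for key in sorted(set(a[phase]) | set(b[phase])):
            if a[phase].get(key) != b[phase].get(key):
                findings.append(f"{phase} {key} differs: {a[phase].get(key)!r} vs {b[phase].get(key)!r}")

    # A peer whose WAN address changes cannot be identified by that address for long:
    # the other end's remote gateway and the identifier both go stale on every change.
    for side, peer in ((a, b), (b, a)):
        if not side["wan_static"] and side["phase1"]["identifier"] == "My IP address":
            findings.append(
                f"{side['name']} has a changing WAN address but identifies itself by it; "
                f"{peer['name']}'s remote gateway must be updated on every change"
            )
    return findings


if __name__ == "__main__":
    for finding in check_pair(BOX_A, BOX_B) or ["no mismatches found"]:
        print(finding)
```

    Run against the settings from the post, the only finding is the dynamic-address note; a typo in a remote subnet or a hash algorithm changed on one side only shows up as an explicit mismatch line, which is quicker than reading two web forms side by side.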





  • Ok,

    I tried setting up Site B as a mobile client, enabling mobile clients on A.
    Still getting the same errors in the IPsec logs, though.

    From Box B:

    Feb 19 18:27:23 racoon: INFO: caught signal 15
    Feb 19 18:27:24 racoon: INFO: racoon shutdown
    Feb 19 18:27:26 racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
    Feb 19 18:27:26 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
    Feb 19 18:27:26 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=13)
    Feb 19 18:27:26 racoon: INFO: ::1[500] used as isakmp port (fd=14)
    Feb 19 18:27:26 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
    Feb 19 18:27:26 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
    Feb 19 18:27:26 racoon: INFO: fe80::206:29ff:fea9:9362%fxp1[500] used as isakmp port (fd=16)
    Feb 19 18:27:26 racoon: INFO: 192.168.100.1[500] used as isakmp port (fd=17)
    Feb 19 18:27:26 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
    Feb 19 18:27:26 racoon: INFO: {Box B Public IP}[500] used as isakmp port (fd=18)
    Feb 19 18:27:26 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
    Feb 19 18:27:26 racoon: INFO: fe80::2d0:b7ff:fe90:69c1%fxp0[500] used as isakmp port (fd=19)
    Feb 19 18:27:26 racoon: ERROR: such policy already exists. anyway replace it: 192.168.100.0/24[0] 192.168.100.1/32[0] proto=any dir=in
    Feb 19 18:27:26 racoon: ERROR: such policy already exists. anyway replace it: 192.168.100.1/32[0] 192.168.100.0/24[0] proto=any dir=out

    Do they have to be on completely different subnets or something?  I'm 98% positive I did this with three boxes before (192.168.1.0, 192.168.10.0, and 192.168.20.0) and it worked...



  • Just checked my logs and found the same error messages, but my tunnels are up and working fine. The settings mentioned above seem to be ok.
    Did you try to wait a while to let things settle? (maybe decrease the lifetimes to speed things up).



  • I have a 12 location setup like this with only one of the locations having a static IP, with even "routing" all traffic between the sub-locations through the main location. No issues with that.



  • Strange, I'll try letting it settle, as suggested.

    Thanks for the encouragement, guys!



  • Which pfSense versions do you have?



  • I had the same trouble, but after I pinged the opposite side of the tunnel, everything went ok.

    Last message before I pinged was
    racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument

    After

    racoon: INFO: IPsec-SA established: ESP/Tunnel 10.7.3.115[0]->192.170.1.2[0] spi=236667421(0xe1b421d)
    racoon: INFO: IPsec-SA established: ESP/Tunnel 192.170.1.2[0]->10.7.3.115[0] spi=53599917(0x331dead)

    And it works fine.
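    The replies above make two points worth turning into a check: the `setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE)` warning and the `such policy already exists` lines appear on working tunnels too, and the line that actually proves the tunnel is up is `IPsec-SA established`, which only shows once traffic (here a ping) triggers negotiation. The following is an added example, not code from the thread or from ipsec-tools/pfSense: a small triage helper that separates that expected startup noise from real failures and reports whether an SA pair exists between two peers. The sample log text is constructed from the lines quoted in this thread; the regexes and the `EXPECTED_STARTUP` list are assumptions based on those lines.

```python
"""Triage helper for racoon (ipsec-tools) IPsec log lines.

Added example, not part of the thread or of pfSense/ipsec-tools. It sorts
log lines into the startup noise the replies say working tunnels also
produce, the SPD policies racoon reports re-installing, real errors, and
the lines that prove an SA came up. SAMPLE_LOG is constructed from the
lines quoted in the thread (placeholder public addresses replaced).
"""
import re

# Constructed sample: startup lines as quoted in the thread, followed by the
# two SA lines the last reply saw after pinging the far side.
SAMPLE_LOG = """\
Feb 19 18:27:26 racoon: INFO: 192.168.100.1[500] used as isakmp port (fd=17)
Feb 19 18:27:26 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Feb 19 18:27:26 racoon: ERROR: such policy already exists. anyway replace it: 192.168.100.0/24[0] 192.168.100.1/32[0] proto=any dir=in
Feb 19 18:27:26 racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.100.0/24[0] proto=any dir=in
Feb 19 18:30:02 racoon: INFO: IPsec-SA established: ESP/Tunnel 10.7.3.115[0]->192.170.1.2[0] spi=236667421(0xe1b421d)
Feb 19 18:30:02 racoon: INFO: IPsec-SA established: ESP/Tunnel 192.170.1.2[0]->10.7.3.115[0] spi=53599917(0x331dead)
"""

# Assumed line shapes, derived from the lines quoted in the thread.
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) racoon: (?P<level>[A-Z]+): (?P<msg>.*)$")
SA_RE = re.compile(r"IPsec-SA established: ESP/Tunnel (?P<src>[^\[]+)\[\d+\]->(?P<dst>[^\[]+)\[\d+\] spi=(?P<spi>\d+)")
POLICY_RE = re.compile(r"such policy already exists\. anyway replace it: (?P<src>\S+)\[\d+\] (?P<dst>\S+)\[\d+\] proto=\S+ dir=(?P<dir>in|out)")

# Messages the replies in the thread report seeing on tunnels that work:
# socket setup and SPD re-installation at racoon start, not negotiation failures.
EXPECTED_STARTUP = (
    "used as isakmp port",
    "setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE)",
    "such policy already exists",
)


def parse_line(line):
    """Split one syslog line into timestamp, level and message, or None if it is not racoon."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(log_text):
    """Return a summary: expected startup lines, SPD policies seen, established SAs, real issues."""
    report = {"expected": 0, "policies": [], "sas": [], "issues": []}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        sa = SA_RE.search(msg)
        if sa:
            report["sas"].append((sa["src"], sa["dst"], int(sa["spi"])))
            continue
        pol = POLICY_RE.search(msg)
        if pol:
            report["policies"].append((pol["src"], pol["dst"], pol["dir"]))
        if any(text in msg for text in EXPECTED_STARTUP):
            report["expected"] += 1
            continue
        # Anything else at WARNING/ERROR is worth a human look.
        if rec["level"] in ("ERROR", "WARNING"):
            report["issues"].append(msg)
    return report


def tunnel_up(report, local_peer, remote_peer):
    """True only when both an outbound and an inbound SA exist between the two peers."""
    pairs = {(src, dst) for src, dst, _ in report["sas"]}
    return (local_peer, remote_peer) in pairs and (remote_peer, local_peer) in pairs


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(f"expected startup lines: {summary['expected']}")
    print(f"SPD policies installed: {summary['policies']}")
    print(f"SAs established: {summary['sas']}")
    print(f"real issues: {summary['issues']}")
    print("tunnel up:", tunnel_up(summary, "10.7.3.115", "192.170.1.2"))
```

    The useful property is the negative case: a log that contains only the startup noise and no `IPsec-SA established` pair is reported as "tunnel not up" without any issues, which matches the situation in the thread before the ping, and a genuine negotiation failure at ERROR level lands in `issues` rather than being lost among the expected lines.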

