Netgate Discussion Forum
    Site-to-site pfSense-pfSense IPsec VPN

    IPsec
strick1226:

      Hi, All,

      I know I did this less than a year ago (pre-release), but I can't figure out how to do this now…

      I have two pfSense 1.01 boxes:

      Box A: a definite static WAN IP, LAN is 192.168.1.0/255.255.255.0
      Box B: a relatively static (changes ~monthly) WAN IP, LAN is 192.168.100.0/255.255.255.0 .

      I've set up a preshared key on both boxes, and have attempted to create a tunnel between the two.

      Box A Phase 1:

      Interface: WAN
        Local subnet:  LAN subnet
        Remote subnet: 192.168.100.0 / 24
        Remote gateway: {public IP of box B}

      Negotiation mode: aggressive
        My identifier: My IP address
        Encryption algorithm: Blowfish
        Hash algorithm: SHA1
        DH key group: 2 (1024 bit)
        Lifetime: 28800
        Authentication method: pre-shared key

      Box A Phase2:

      Protocol: ESP
        Encryption algorithm: Blowfish
        Hash algorithm: SHA1
        PFS key group: 2 (1024 bit)
        Lifetime: 86400

      Box B Phase 1:

      Interface: WAN
        Local subnet:  LAN subnet
        Remote subnet: 192.168.1.0 / 24
        Remote gateway: {public static IP of box A}

      Negotiation mode: aggressive
        My identifier: My IP address
        Encryption algorithm: Blowfish
        Hash algorithm: SHA1
        DH key group: 2 (1024 bit)
        Lifetime: 28800
        Authentication method: pre-shared key

      Box B Phase2:

      Protocol: ESP
        Encryption algorithm: Blowfish
        Hash algorithm: SHA1
        PFS key group: 2 (1024 bit)
        Lifetime: 86400

      I still can't get the two to connect, no matter what I try...
        Since Box B isn't completely static, do I have to set it up as a mobile client?  I think I was able to do it before as site-to-site, I just had to update the tunnel config when the IP changed etc.

      Here's the IPsec error log from Box A:

      Feb 18 21:40:18 racoon: INFO: caught signal 15
      Feb 18 21:40:19 racoon: INFO: racoon shutdown
      Feb 18 21:40:21 racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
      Feb 18 21:40:21 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
      Feb 18 21:40:21 racoon: INFO: fe80::202:b3ff:fe9d:a31%ng0[500] used as isakmp port (fd=13)
      Feb 18 21:40:21 racoon: INFO: {Box A public IP}[500] used as isakmp port (fd=14)
      Feb 18 21:40:21 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
      Feb 18 21:40:21 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=15)
      Feb 18 21:40:21 racoon: INFO: ::1[500] used as isakmp port (fd=16)
      Feb 18 21:40:21 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=17)
      Feb 18 21:40:21 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
      Feb 18 21:40:21 racoon: INFO: fe80::203:47ff:fe99:f922%fxp1[500] used as isakmp port (fd=18)
      Feb 18 21:40:21 racoon: INFO: fe80::202:b3ff:fe9d:a31%fxp0[500] used as isakmp port (fd=19)
      Feb 18 21:40:21 racoon: INFO: 192.168.1.5[500] used as isakmp port (fd=20)
      Feb 18 21:40:21 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument

      And from Box B:

      Feb 18 21:42:21 racoon: INFO: caught signal 15
      Feb 18 21:42:22 racoon: INFO: racoon shutdown
      Feb 18 21:42:23 racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
      Feb 18 21:42:23 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
      Feb 18 21:42:23 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=13)
      Feb 18 21:42:23 racoon: INFO: ::1[500] used as isakmp port (fd=14)
      Feb 18 21:42:23 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
      Feb 18 21:42:23 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
      Feb 18 21:42:23 racoon: INFO: fe80::206:29ff:fea9:9362%fxp1[500] used as isakmp port (fd=16)
      Feb 18 21:42:23 racoon: INFO: 192.168.100.1[500] used as isakmp port (fd=17)
      Feb 18 21:42:23 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
      Feb 18 21:42:23 racoon: INFO: {Box B public IP}[500] used as isakmp port (fd=18)
      Feb 18 21:42:23 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
      Feb 18 21:42:23 racoon: INFO: fe80::2d0:b7ff:fe90:69c1%fxp0[500] used as isakmp port (fd=19)
      Feb 18 21:42:23 racoon: ERROR: such policy already exists. anyway replace it: 192.168.100.0/24[0] 192.168.100.1/32[0] proto=any dir=in
      Feb 18 21:42:23 racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.100.0/24[0] proto=any dir=in
      Feb 18 21:42:23 racoon: ERROR: such policy already exists. anyway replace it: 192.168.100.1/32[0] 192.168.100.0/24[0] proto=any dir=out
      Feb 18 21:42:23 racoon: ERROR: such policy already exists. anyway replace it: 192.168.100.0/24[0] 192.168.1.0/24[0] proto=any dir=out

      Is there something really basic I'm missing here?  I've looked over the m0n0wall guides but I just don't seem to be able to figure this out…

      Thanks in advance for any assistance.  I'm running out of hair to pull.

hoba:
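Before chasing log messages, it is worth confirming that the two ends actually mirror each other. The script below is an added example (not code from this thread or from pfSense): it loads the Phase 1 / Phase 2 settings strick1226 posted for Box A and Box B, checks that each side's remote subnet is the other's local subnet, that the subnets do not overlap, that the remote gateways point at each other, and that the proposals agree key by key. It also flags the hygiene points a practitioner would want to know about this particular configuration: IKEv1 aggressive mode with a pre-shared key exposes the identity and the PSK-keyed hash to anyone on the path, so the PSK can be guessed offline; Blowfish is a 64-bit block cipher; and DH group 2 is 1024-bit MODP. The WAN addresses (198.51.100.10 and 203.0.113.25) are placeholders from RFC 5737 documentation space, assumed because the post redacts them, and the `wan_static` flag is taken from the post's description of Box B's address changing roughly monthly.

```python
"""Consistency and hygiene check for a pfSense-to-pfSense IPsec tunnel.

Added example, not code from the thread or from pfSense.  The two dicts
reproduce the settings strick1226 posted; WAN addresses are assumed
placeholders (RFC 5737 space) because the post redacts them.
"""
import ipaddress

BOX_A = {
    "name": "Box A",
    "wan_ip": "198.51.100.10",          # placeholder, assumed
    "wan_static": True,
    "local_subnet": "192.168.1.0/24",
    "remote_subnet": "192.168.100.0/24",
    "remote_gateway": "203.0.113.25",   # placeholder for Box B's WAN, assumed
    "phase1": {"mode": "aggressive", "identifier": "address", "enc": "blowfish",
               "hash": "sha1", "dh_group": 2, "lifetime": 28800, "auth": "psk"},
    "phase2": {"proto": "esp", "enc": "blowfish", "hash": "sha1",
               "pfs_group": 2, "lifetime": 86400},
}
BOX_B = {
    "name": "Box B",
    "wan_ip": "203.0.113.25",           # placeholder, assumed
    "wan_static": False,                # changes roughly monthly, per the post
    "local_subnet": "192.168.100.0/24",
    "remote_subnet": "192.168.1.0/24",
    "remote_gateway": "198.51.100.10",
    "phase1": dict(BOX_A["phase1"]),
    "phase2": dict(BOX_A["phase2"]),
}


def check_pair(a, b):
    """Return (severity, message) findings.  MISMATCH means the tunnel cannot
    negotiate as configured; WARN is a hygiene point that does not block it."""
    f = []
    net = ipaddress.ip_network
    for side, other in ((a, b), (b, a)):
        # The remote subnet on one side must be the local subnet on the other.
        if net(side["remote_subnet"]) != net(other["local_subnet"]):
            f.append(("MISMATCH", f"{side['name']} remote subnet {side['remote_subnet']} "
                                  f"!= {other['name']} local subnet {other['local_subnet']}"))
        # The remote gateway must be the peer's current WAN address.
        if side["remote_gateway"] != other["wan_ip"]:
            f.append(("MISMATCH", f"{side['name']} remote gateway {side['remote_gateway']} "
                                  f"!= {other['name']} WAN {other['wan_ip']}"))
        # Local and remote subnets must not overlap, or the SPD cannot select traffic.
        if net(side["local_subnet"]).overlaps(net(side["remote_subnet"])):
            f.append(("MISMATCH", f"{side['name']} local and remote subnets overlap"))
    # Phase 1 and Phase 2 proposals must agree key by key on both ends.
    for phase in ("phase1", "phase2"):
        for key, val in a[phase].items():
            if b[phase].get(key) != val:
                f.append(("MISMATCH", f"{phase} {key}: {a['name']}={val} "
                                      f"{b['name']}={b[phase].get(key)}"))
    # Hygiene points about the chosen settings (they do not stop negotiation).
    p1, p2 = a["phase1"], a["phase2"]
    if p1["mode"] == "aggressive" and p1["auth"] == "psk":
        f.append(("WARN", "aggressive mode with a PSK sends the identity and the "
                          "PSK-keyed hash unencrypted, so the PSK is exposed to offline "
                          "guessing; use main mode when both addresses are fixed, "
                          "otherwise keep the PSK long and random"))
    for side in (a, b):
        if not side["wan_static"] and side["phase1"]["identifier"] == "address":
            f.append(("WARN", f"{side['name']} has a dynamic WAN and identifies by IP "
                              "address; the peer's remote gateway goes stale when it changes"))
    if "blowfish" in (p1["enc"], p2["enc"]):
        f.append(("WARN", "Blowfish is a 64-bit block cipher; prefer AES where offered"))
    if min(p1["dh_group"], p2["pfs_group"]) < 14:
        f.append(("WARN", "DH/PFS group 2 is 1024-bit MODP; prefer group 14 or higher where offered"))
    return f


def mismatches(findings):
    """Only the findings that would keep the tunnel from coming up."""
    return [msg for sev, msg in findings if sev == "MISMATCH"]


if __name__ == "__main__":
    for sev, msg in check_pair(BOX_A, BOX_B):
        print(sev, msg)
```

Run against the posted settings it reports no MISMATCH entries, which agrees with the later replies that the configuration itself is fine, and leaves only the WARN entries about aggressive mode, the dynamic identifier, Blowfish and group 2.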

        http://pfsense.com/mirror.php?section=tutorials/mobile_ipsec/

strick1226:

          Ok,

          I tried setting up Site B as a mobile client, enabling mobile clients on A.
            Still getting the same errors in the IPsec logs, though.

          From Box B:

          Feb 19 18:27:23 racoon: INFO: caught signal 15
          Feb 19 18:27:24 racoon: INFO: racoon shutdown
          Feb 19 18:27:26 racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
          Feb 19 18:27:26 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
          Feb 19 18:27:26 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=13)
          Feb 19 18:27:26 racoon: INFO: ::1[500] used as isakmp port (fd=14)
          Feb 19 18:27:26 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
          Feb 19 18:27:26 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
          Feb 19 18:27:26 racoon: INFO: fe80::206:29ff:fea9:9362%fxp1[500] used as isakmp port (fd=16)
          Feb 19 18:27:26 racoon: INFO: 192.168.100.1[500] used as isakmp port (fd=17)
          Feb 19 18:27:26 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
          Feb 19 18:27:26 racoon: INFO: {Box B Public IP}[500] used as isakmp port (fd=18)
          Feb 19 18:27:26 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
          Feb 19 18:27:26 racoon: INFO: fe80::2d0:b7ff:fe90:69c1%fxp0[500] used as isakmp port (fd=19)
          Feb 19 18:27:26 racoon: ERROR: such policy already exists. anyway replace it: 192.168.100.0/24[0] 192.168.100.1/32[0] proto=any dir=in
          Feb 19 18:27:26 racoon: ERROR: such policy already exists. anyway replace it: 192.168.100.1/32[0] 192.168.100.0/24[0] proto=any dir=out

          Do they have to be on completely different subnets or something?  I'm 98% positive I did this with three boxes before (192.168.1.0, 192.168.10.0, and 192.168.20.0) and it worked...

Delex:

            Just checked my logs and found the same error messages, but my tunnels are up and working fine. The settings mentioned above seem to be OK.
            Did you try waiting a while to let things settle? (Maybe decrease the lifetimes to speed things up.)

hoba:

              I have a 12-location setup like this, with only one of the locations having a static IP, and even "routing" all traffic between the sub-locations through the main location. No issues with that.

strick1226:

                Strange, I'll try letting it settle, as suggested.

                Thanks for the encouragement, guys!

usuarioforum:

                  Which pfSense versions do you have?

grab3:

                    I had the same trouble, but after I pinged the opposite side of the tunnel, everything went OK.

                    The last message before I pinged was
                    racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument

                    After

                    racoon: INFO: IPsec-SA established: ESP/Tunnel 10.7.3.115[0]->192.170.1.2[0] spi=236667421(0xe1b421d)
                    racoon: INFO: IPsec-SA established: ESP/Tunnel 192.170.1.2[0]->10.7.3.115[0] spi=53599917(0x331dead)

                    And it works fine.

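The logs strick1226 posted and the two lines grab3 posted together make the practical point of this thread: everything in the first set is racoon's startup chatter, and the only message that proves a tunnel is up is "IPsec-SA established", which grab3 saw only after sending traffic across the tunnel. The following triage script is an added example (not code from the thread, from pfSense or from ipsec-tools): it classifies racoon log lines, treats the `setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE)` warning and the "such policy already exists" notice as startup noise on the strength of Delex's and grab3's reports that tunnels work with those present, extracts endpoints and SPIs from established-SA lines, and cross-checks the decimal SPI against its hex form. The sample input is constructed from the lines in this thread; the one failure line is constructed separately, using the wording of a real ipsec-tools "phase1 negotiation failed due to time up" message, to show how a genuine negotiation error is separated from the noise.

```python
"""Triage racoon (ipsec-tools) IPsec log lines.

Added example, not from the thread, pfSense or ipsec-tools.  Sample input is
constructed from the log lines posted in this thread, plus one constructed
failure line using real ipsec-tools message wording.
"""
import re

# Constructed from strick1226's second Box B log (a subset of the lines).
SAMPLE_BOX_B = """\
Feb 19 18:27:23 racoon: INFO: caught signal 15
Feb 19 18:27:24 racoon: INFO: racoon shutdown
Feb 19 18:27:26 racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
Feb 19 18:27:26 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
Feb 19 18:27:26 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Feb 19 18:27:26 racoon: INFO: 192.168.100.1[500] used as isakmp port (fd=17)
Feb 19 18:27:26 racoon: ERROR: such policy already exists. anyway replace it: 192.168.100.0/24[0] 192.168.100.1/32[0] proto=any dir=in
Feb 19 18:27:26 racoon: ERROR: such policy already exists. anyway replace it: 192.168.100.1/32[0] 192.168.100.0/24[0] proto=any dir=out
"""

# Constructed from the two lines grab3 posted after pinging across the tunnel.
SAMPLE_AFTER_PING = """\
racoon: INFO: IPsec-SA established: ESP/Tunnel 10.7.3.115[0]->192.170.1.2[0] spi=236667421(0xe1b421d)
racoon: INFO: IPsec-SA established: ESP/Tunnel 192.170.1.2[0]->10.7.3.115[0] spi=53599917(0x331dead)
"""

# Constructed line, not from the thread: real ipsec-tools wording for a Phase 1 timeout.
SAMPLE_FAILURE = "Feb 19 18:30:00 racoon: ERROR: phase1 negotiation failed due to time up.\n"

SA_RE = re.compile(
    r"IPsec-SA established: (?P<proto>[A-Z]+)/(?P<mode>\w+) "
    r"(?P<src>[\w.:]+)\[\d+\]->(?P<dst>[\w.:]+)\[\d+\] "
    r"spi=(?P<spi>\d+)\(0x(?P<spi_hex>[0-9a-fA-F]+)\)")
ISAKMP_RE = re.compile(r"ISAKMP-SA established (?P<local>[\w.:]+)\[\d+\]-(?P<peer>[\w.:]+)\[\d+\]")

# Seen on working tunnels too (Delex, grab3): the NAT-T socket option the kernel
# rejects, and SPD entries being re-installed when racoon restarts.
BENIGN = ("setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE)",
          "such policy already exists. anyway replace it")
STARTUP = ("caught signal 15", "racoon shutdown", "used as isakmp port", "@(#)")


def classify(line):
    """Label one log line: ipsec_sa, isakmp_sa, benign, startup, error or other."""
    msg = line.split("racoon: ", 1)[-1]
    if SA_RE.search(msg):
        return "ipsec_sa"
    if ISAKMP_RE.search(msg):
        return "isakmp_sa"
    if any(b in msg for b in BENIGN):
        return "benign"          # checked before ERROR: the SPD notice is logged at ERROR level
    if any(s in msg for s in STARTUP):
        return "startup"
    if msg.startswith("ERROR:"):
        return "error"
    return "other"


def triage(text):
    """Summarise a block of racoon log text and give a one-line verdict."""
    r = {"ipsec_sa": [], "isakmp_sa": [], "errors": [],
         "counts": {"benign": 0, "startup": 0, "other": 0}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind = classify(line)
        if kind == "ipsec_sa":
            m = SA_RE.search(line)
            spi = int(m["spi"])
            if spi != int(m["spi_hex"], 16):   # the two SPI renderings must agree
                r["errors"].append("inconsistent SPI in: " + line)
            r["ipsec_sa"].append((m["src"], m["dst"], spi))
        elif kind == "isakmp_sa":
            m = ISAKMP_RE.search(line)
            r["isakmp_sa"].append((m["local"], m["peer"]))
        elif kind == "error":
            r["errors"].append(line)
        else:
            r["counts"][kind] += 1
    r["verdict"] = verdict(r)
    return r


def verdict(r):
    if r["errors"]:
        return "negotiation failed: %d error line(s)" % len(r["errors"])
    if r["ipsec_sa"]:
        return "tunnel up: %d ESP SA(s) established" % len(r["ipsec_sa"])
    if r["isakmp_sa"]:
        return "phase 1 complete, no phase 2 SA yet"
    return "no negotiation attempted: only startup and benign messages; send traffic across the tunnel"


if __name__ == "__main__":
    for name, text in (("box B startup", SAMPLE_BOX_B), ("after ping", SAMPLE_AFTER_PING),
                       ("startup + failure", SAMPLE_BOX_B + SAMPLE_FAILURE)):
        print(name, "->", triage(text)["verdict"])
```

On the posted Box B log the verdict is "no negotiation attempted", which is exactly the state grab3 describes before pinging: racoon is listening, nothing has asked it to build an SA. On grab3's two lines it reports two ESP SAs, one per direction, with the SPIs parsed out so they can be matched against `setkey -D` output on the other side.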
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.