<![CDATA[Phase2, subnet missmatch???]]>

<![CDATA[Phase2, subnet missmatch???]]>Hello!!

i gotten this far at least with my first VPN pfsense 2.0 AMD x64 -> Android 3.1

but at Phase 2 i get a subnet miss-match… i don't understand this really.... could this be that my tablets ISP got a dynamic ip and a proxy (Swedish Telia) ?

x.x.x.x = my pfsense WAN IP
y.y.y.y = my tablets WAN IP

Jul 17 23:50:57 racoon: DEBUG: getsainfo params: loc='x.x.x.x' rmt='y.y.y.y' peer='y.y.y.y' client='y.y.y.y' id=1
Jul 17 23:50:57 racoon: DEBUG: evaluating sainfo: loc='192.168.0.0/24', rmt='192.168.1.0/24', peer='ANY', id=1
Jul 17 23:50:57 racoon: DEBUG: check and compare ids : value mismatch (IPv4_subnet)
Jul 17 23:50:57 racoon: DEBUG: cmpid target: '<my-pfsense-dynamic-ip>'
Jul 17 23:50:57 racoon: DEBUG: cmpid source: '192.168.0.0/24'
Jul 17 23:50:57 racoon: ERROR: failed to get sainfo.
Jul 17 23:50:57 racoon: ERROR: failed to get sainfo.
Jul 17 23:50:57 racoon: [mytablet]: [y.y.y.y] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
Jul 17 23:50:57 racoon: DEBUG: IV freed

$ cat /var/etc/racoon.conf
# This file is automatically generated. Do not edit
path pre_shared_key "/var/etc/psk.txt";

path certificate  "/var/etc";

listen
{
	adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
	isakmp x.x.x.x [500];
	isakmp_natt x.x.x.x [4500];
}

remote y.y.y.y
{
	ph1id 1;
	exchange_mode main;
	my_identifier address x.x.x.x;
	peers_identifier address y.y.y.y;
	ike_frag on;
	generate_policy = unique;
	initial_contact = on;
	nat_traversal = force;

	support_proxy on;
	proposal_check obey;

	proposal
	{
		authentication_method pre_shared_key;
		encryption_algorithm aes 128;
		hash_algorithm sha1;
		dh_group 2;
		lifetime time 3600 secs;
	}
}

sainfo subnet 192.168.0.0/24 any subnet 192.168.1.0/32 any
{
	remoteid 1;
	encryption_algorithm aes 128;
	authentication_algorithm hmac_sha1;

	lifetime time 3600 secs;
	compression_algorithm deflate;
}

Local Network Type: LAN subnet
Remote Network Type: Network, 192.168.1.0/24

Automatically ping host: 192.168.1.5 (don't exist but if i understand this correct i don't need to)


$ cat /var/etc/spd.conf
spdadd 192.168.0.1/32 192.168.0.0/24 any -P out none;
spdadd 192.168.0.0/24 192.168.0.1/32 any -P in none;
spdadd 192.168.0.0/24 192.168.1.0/32 any -P out ipsec esp/tunnel/x.x.x.x-y.y.y.y/unique;
spdadd 192.168.1.0/32 192.168.0.0/24 any -P in ipsec esp/tunnel/y.y.y.y-x.x.x.x/unique;

anyone got an clue why?</my-pfsense-dynamic-ip>

]]>https://forum.netgate.com/topic/35525/phase2-subnet-missmatchRSS for NodeThu, 16 Apr 2026 08:17:21 GMTSun, 17 Jul 2011 22:02:49 GMT60