Phase 2, subnet mismatch???
-
Hello!!
I've gotten this far at least with my first VPN: pfSense 2.0 AMD x64 -> Android 3.1,
but at Phase 2 I get a subnet mismatch... I don't understand this really.... Could this be because my tablet's ISP uses a dynamic IP and a proxy (Swedish Telia)?
x.x.x.x = my pfsense WAN IP
y.y.y.y = my tablet's WAN IP

Jul 17 23:50:57 racoon: DEBUG: getsainfo params: loc='x.x.x.x' rmt='y.y.y.y' peer='y.y.y.y' client='y.y.y.y' id=1
Jul 17 23:50:57 racoon: DEBUG: evaluating sainfo: loc='192.168.0.0/24', rmt='192.168.1.0/24', peer='ANY', id=1
Jul 17 23:50:57 racoon: DEBUG: check and compare ids : value mismatch (IPv4_subnet)
Jul 17 23:50:57 racoon: DEBUG: cmpid target: '<my-pfsense-dynamic-ip>'
Jul 17 23:50:57 racoon: DEBUG: cmpid source: '192.168.0.0/24'
Jul 17 23:50:57 racoon: ERROR: failed to get sainfo.
Jul 17 23:50:57 racoon: ERROR: failed to get sainfo.
Jul 17 23:50:57 racoon: [mytablet]: [y.y.y.y] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
Jul 17 23:50:57 racoon: DEBUG: IV freed

$ cat /var/etc/racoon.conf
# This file is automatically generated. Do not edit
path pre_shared_key "/var/etc/psk.txt";
path certificate "/var/etc";

listen
{
	adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
	isakmp x.x.x.x [500];
	isakmp_natt x.x.x.x [4500];
}

remote y.y.y.y
{
	ph1id 1;
	exchange_mode main;
	my_identifier address x.x.x.x;
	peers_identifier address y.y.y.y;
	ike_frag on;
	generate_policy = unique;
	initial_contact = on;
	nat_traversal = force;
	support_proxy on;
	proposal_check obey;
	proposal
	{
		authentication_method pre_shared_key;
		encryption_algorithm aes 128;
		hash_algorithm sha1;
		dh_group 2;
		lifetime time 3600 secs;
	}
}

sainfo subnet 192.168.0.0/24 any subnet 192.168.1.0/32 any
{
	remoteid 1;
	encryption_algorithm aes 128;
	authentication_algorithm hmac_sha1;
	lifetime time 3600 secs;
	compression_algorithm deflate;
}
Local Network Type: LAN subnet
Remote Network Type: Network, 192.168.1.0/24
Automatically ping host: 192.168.1.5 (doesn't exist, but if I understand this correctly I don't need it)
$ cat /var/etc/spd.conf
spdadd 192.168.0.1/32 192.168.0.0/24 any -P out none;
spdadd 192.168.0.0/24 192.168.0.1/32 any -P in none;
spdadd 192.168.0.0/24 192.168.1.0/32 any -P out ipsec esp/tunnel/x.x.x.x-y.y.y.y/unique;
spdadd 192.168.1.0/32 192.168.0.0/24 any -P in ipsec esp/tunnel/y.y.y.y-x.x.x.x/unique;
Anyone got a clue why?
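Added example, not part of the post or of pfSense/racoon: a small Python checker that reads racoon's Phase 2 debug lines and repeats the comparison behind "check and compare ids : value mismatch (IPv4_subnet)", i.e. whether the selectors the peer proposed (the getsainfo params line) fit inside any configured sainfo entry (the evaluating sainfo lines). In the posted log the compared target is the pfSense WAN address rather than 192.168.0.0/24, so the local side fails; the embedded sample reproduces that with constructed documentation-range addresses standing in for x.x.x.x and y.y.y.y.

```python
import ipaddress
import re

# Constructed sample modelled on the racoon debug lines in the post; 203.0.113.10
# stands in for the pfSense WAN (x.x.x.x) and 198.51.100.20 for the tablet (y.y.y.y).
SAMPLE_LOG = """\
Jul 17 23:50:57 racoon: DEBUG: getsainfo params: loc='203.0.113.10' rmt='198.51.100.20' peer='198.51.100.20' client='198.51.100.20' id=1
Jul 17 23:50:57 racoon: DEBUG: evaluating sainfo: loc='192.168.0.0/24', rmt='192.168.1.0/24', peer='ANY', id=1
Jul 17 23:50:57 racoon: DEBUG: check and compare ids : value mismatch (IPv4_subnet)
Jul 17 23:50:57 racoon: DEBUG: cmpid target: '203.0.113.10'
Jul 17 23:50:57 racoon: DEBUG: cmpid source: '192.168.0.0/24'
Jul 17 23:50:57 racoon: ERROR: failed to get sainfo.
"""

PARAMS_RE = re.compile(r"getsainfo params: loc='([^']+)' rmt='([^']+)'")
SAINFO_RE = re.compile(r"evaluating sainfo: loc='([^']+)', rmt='([^']+)'")

def to_net(selector):
    """racoon prints a bare host ('10.0.0.1') or a subnet ('10.0.0.0/24'); normalise both."""
    return ipaddress.ip_network(selector, strict=False)

def parse_phase2(log_text):
    """Return the (loc, rmt) pair the peer proposed and the list of configured sainfo pairs."""
    proposed, configured = None, []
    for line in log_text.splitlines():
        if m := PARAMS_RE.search(line):
            proposed = (to_net(m.group(1)), to_net(m.group(2)))
        elif m := SAINFO_RE.search(line):
            configured.append((to_net(m.group(1)), to_net(m.group(2))))
    return proposed, configured

def diagnose_phase2(log_text):
    """Mirror racoon's selector check: the proposal matches a sainfo entry only if both
    of its selectors lie inside that entry's. Report the side(s) that fit no entry."""
    proposed, configured = parse_phase2(log_text)
    if proposed is None:
        return {"verdict": "no-proposal", "bad_sides": []}
    if any(proposed[0].subnet_of(c[0]) and proposed[1].subnet_of(c[1]) for c in configured):
        return {"verdict": "match", "bad_sides": []}
    bad = [side for idx, side in enumerate(("local", "remote"))
           if not any(proposed[idx].subnet_of(c[idx]) for c in configured)]
    return {"verdict": "mismatch", "bad_sides": bad,
            "proposed": tuple(map(str, proposed)),
            "configured": [tuple(map(str, c)) for c in configured]}

if __name__ == "__main__":
    print(diagnose_phase2(SAMPLE_LOG))
```

Feed it the debug output of a failing negotiation; a "mismatch" verdict names which selector side the peer's Phase 2 network setting (or the sainfo) must be changed on so that both agree.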