Netgate Discussion Forum

    PF Sense to Monowall VPN / Newbie to VPN's

      tulsapilot

      Two of my friends and I are trying to set up a three-way VPN. They are running M0n0wall. I'm running PF Sense. We are seeing the following errors in the IPsec log. Has anyone seen a problem like this and can point me in the right direction?

      Jan 10 21:57:50 racoon: ERROR: phase1 negotiation failed due to time up. 0cb690fac74420d7:58a2314d483daadd
      Jan 10 21:57:40 racoon: ERROR: ignore information because ISAKMP-SA has not been established yet.
      Jan 10 21:57:39 racoon: ERROR: ignore information because ISAKMP-SA has not been established yet.
      Jan 10 21:57:39 racoon: NOTIFY: the packet is retransmitted by 69.30.171.51[500].
      Jan 10 21:57:30 racoon: ERROR: ignore information because ISAKMP-SA has not been established yet.
      Jan 10 21:57:30 racoon: ERROR: ignore information because ISAKMP-SA has not been established yet.
      Jan 10 21:57:30 racoon: NOTIFY: the packet is retransmitted by 69.30.171.51[500].
      Jan 10 21:57:20 racoon: ERROR: ignore information because ISAKMP-SA has not been established yet.
      Jan 10 21:57:19 racoon: ERROR: ignore information because ISAKMP-SA has not been established yet.
      Jan 10 21:57:19 racoon: NOTIFY: the packet is retransmitted by 69.30.171.51[500].
      Jan 10 21:57:10 racoon: ERROR: ignore information because ISAKMP-SA has not been established yet.
      Jan 10 21:57:10 racoon: ERROR: ignore information because ISAKMP-SA has not been established yet.
      Jan 10 21:57:09 racoon: NOTIFY: the packet is retransmitted by 69.30.171.51[500].
      Jan 10 21:57:00 racoon: ERROR: ignore information because ISAKMP-SA has not been established yet.
      Jan 10 21:56:59 racoon: ERROR: ignore information because ISAKMP-SA has not been established yet.
      Jan 10 21:56:59 racoon: NOTIFY: the packet is retransmitted by 69.30.171.51[500].
      Jan 10 21:56:50 racoon: ERROR: ignore information because ISAKMP-SA has not been established yet.
      Jan 10 21:56:50 racoon: WARNING: No ID match.
      Jan 10 21:56:50 racoon: INFO: received Vendor ID: DPD
      Jan 10 21:56:50 racoon: INFO: begin Aggressive mode.
      Jan 10 21:56:50 racoon: INFO: respond new phase 1 negotiation: 70.189.74.26[500]<=>69.30.171.51[500]

      IPSec Config:

      <ipsec><preferredoldsa><enable>
        <tunnel><interface>wan</interface>
          <local-subnet><address>192.168.4.0/22</address></local-subnet>
          <remote-subnet>10.0.0.0/8</remote-subnet>
          <remote-gateway>68.97.171.10</remote-gateway>
          <p1><mode>aggressive</mode>
            <myident><fqdn>theharrises.homeip.net</fqdn></myident>
            <encryption-algorithm>blowfish</encryption-algorithm>
            <hash-algorithm>md5</hash-algorithm>
            <dhgroup>2</dhgroup>
            <lifetime>28800</lifetime>
            <pre-shared-key>bob</pre-shared-key>
            <private-key><cert><peercert><authentication_method>pre_shared_key</authentication_method></peercert></cert></private-key></p1>
          <p2><protocol>esp</protocol>
            <encryption-algorithm-option>blowfish</encryption-algorithm-option>
            <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
            <hash-algorithm-option>hmac_md5</hash-algorithm-option>
            <pfsgroup>2</pfsgroup>
            <lifetime>28800</lifetime></p2>
          <descr>Justin's Network</descr></tunnel>
        <tunnel><interface>wan</interface>
          <local-subnet><address>192.168.4.0/22</address></local-subnet>
          <remote-subnet>192.168.1.0/24</remote-subnet>
          <remote-gateway>69.30.171.51</remote-gateway>
          <p1><mode>aggressive</mode>
            <myident><fqdn>theharrises.homeip.net</fqdn></myident>
            <encryption-algorithm>blowfish</encryption-algorithm>
            <hash-algorithm>md5</hash-algorithm>
            <dhgroup>2</dhgroup>
            <lifetime>28800</lifetime>
            <pre-shared-key>thisneedstoworknow</pre-shared-key>
            <private-key><cert><peercert><authentication_method>pre_shared_key</authentication_method></peercert></cert></private-key></p1>
          <p2><protocol>esp</protocol>
            <encryption-algorithm-option>blowfish</encryption-algorithm-option>
            <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
            <hash-algorithm-option>hmac_md5</hash-algorithm-option>
            <pfsgroup>2</pfsgroup>
            <lifetime>28800</lifetime></p2>
          <descr>Pope's Network</descr></tunnel>
        <mobilekey><ident>painter.homeip.net</ident>
          <pre-shared-key>dirt_bikes_rule</pre-shared-key></mobilekey>
        <mobilekey><ident>jpope.homeip.net</ident>
          <pre-shared-key>dirt_bikes_rule</pre-shared-key></mobilekey>
        <mobileclients>
          <p1><mode>aggressive</mode>
            <myident><fqdn>theharrises.homeip.net</fqdn></myident>
            <encryption-algorithm>blowfish</encryption-algorithm>
            <hash-algorithm>sha1</hash-algorithm>
            <dhgroup>2</dhgroup>
            <lifetime>28800</lifetime>
            <private-key><cert><authentication_method>pre_shared_key</authentication_method></cert></private-key></p1>
          <p2><protocol>esp</protocol>
            <encryption-algorithm-option>blowfish</encryption-algorithm-option>
            <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
            <pfsgroup>2</pfsgroup>
            <lifetime>28800</lifetime></p2></mobileclients></enable></preferredoldsa></ipsec>
        hoba

        Phase one fails for some reason. I guess you have static IPs on WAN, so just try the IP addresses as identifier. FQDN only works if they are configured on the other end correctly. I can confirm that m0n0-pfsense-tunnels are working without issues. Already tested that.

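An added example, not part of either post: a small parser that replays the racoon log from this thread in chronological order and summarizes each phase 1 negotiation, flagging the case where the "No ID match" warning precedes the timeout (the situation in which trying a different identifier type, as suggested in the reply, is a reasonable next step). The function names are hypothetical, and it assumes the first address in the "respond new phase 1 negotiation" line is the local end.

```python
import re
# Excerpt of the racoon log posted in this thread (newest entry first, as posted).
LOG = """\
Jan 10 21:57:50 racoon: ERROR: phase1 negotiation failed due to time up. 0cb690fac74420d7:58a2314d483daadd
Jan 10 21:57:40 racoon: ERROR: ignore information because ISAKMP-SA has not been established yet.
Jan 10 21:57:39 racoon: NOTIFY: the packet is retransmitted by 69.30.171.51[500].
Jan 10 21:57:30 racoon: NOTIFY: the packet is retransmitted by 69.30.171.51[500].
Jan 10 21:56:50 racoon: WARNING: No ID match.
Jan 10 21:56:50 racoon: INFO: begin Aggressive mode.
Jan 10 21:56:50 racoon: INFO: respond new phase 1 negotiation: 70.189.74.26[500]<=>69.30.171.51[500]
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]+) racoon: (\w+): (.*)$")
# Assumption: the address before "<=>" is the local end, the one after is the peer.
START = re.compile(r"respond new phase 1 negotiation: ([\d.]+)\[\d+\]<=>([\d.]+)\[\d+\]")
MODE = re.compile(r"begin (\w+) mode")

def summarize_phase1(log_text, newest_first=True):
    """Return one summary dict per phase 1 negotiation found in the log."""
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    if newest_first:
        lines.reverse()  # replay in chronological order
    results, cur = [], None
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        when, _level, msg = m.groups()
        start, mode = START.search(msg), MODE.search(msg)
        if start:
            cur = {"local": start.group(1), "peer": start.group(2),
                   "started": when, "mode": None, "id_mismatch": False,
                   "retransmits": 0, "timed_out": False}
            results.append(cur)
        elif cur is None:
            continue  # event seen before any negotiation start; cannot attribute it
        elif mode:
            cur["mode"] = mode.group(1).lower()
        elif msg.startswith("No ID match"):
            cur["id_mismatch"] = True
        elif "retransmitted by" in msg:
            cur["retransmits"] += 1
        elif "phase1 negotiation failed due to time up" in msg:
            cur["timed_out"] = True
    return results

def id_warning_before_timeout(summary):
    """True when the peer's identifier did not match and phase 1 then timed out."""
    return summary["id_mismatch"] and summary["timed_out"]
```

Events are attributed to the most recently started negotiation, which is adequate for a single-peer log like this one but not for interleaved negotiations with several peers.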
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.