IPsec multiple subnet problem between pfSense and Vigor



  • Hello,

    I have two sites and I am trying to connect them.
    Site A (main) has two subnets and a pfSense (2.0-RELEASE (i386) built on Tue Sep 13 17:28:43 EDT 2011).
    Site B has one subnet with a Vigor 2910 and needs access to all site A subnets.

    site A               site B

    192.168.48.0/24      10.100.100.0/24
    192.168.47.0/24

    I configured the IPsec tunnel with one phase 1 and two phase 2 entries:
    Ph 2-a -> local subnet 192.168.48.0/24      remote subnet 10.100.100.8
    Ph 2-b -> local subnet 192.168.47.0/24      remote subnet 10.100.100.8

    I have access between 10.100.100.0/24 and 192.168.48.0/24, but no access between 10.100.100.0/24 and 192.168.47.0/24.
    When I check the IPsec status, I see that pfSense thinks all tunnels are up.

    I have a few more IPsec tunnels on this machine (single subnet) that work fine.

    I need help.

    racoon.conf:

    $ cat /var/etc/racoon.conf

    # This file is automatically generated. Do not edit

    path pre_shared_key "/var/etc/psk.txt";

    path certificate  "/var/etc";

    listen
    {
        adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
        isakmp x.x.x.x [500];
        isakmp_natt x.x.x.x [4500];
    }

    remote y.y.y.y
    {
        ph1id 1;
        exchange_mode main;
        my_identifier address x.x.x.x;
        peers_identifier address y.y.y.y;
        ike_frag on;
        generate_policy = off;
        initial_contact = on;
        nat_traversal = on;

        dpd_delay = 10;
        dpd_maxfail = 5;
        support_proxy on;
        proposal_check claim;

        proposal
        {
            authentication_method pre_shared_key;
            encryption_algorithm 3des;
            hash_algorithm sha1;
            dh_group 2;
            lifetime time 28800 secs;
        }
    }

    sainfo subnet 192.168.47.0/24 any subnet 10.100.100.0/24 any
    {
        remoteid 1;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1,hmac_md5;

        lifetime time 3600 secs;
        compression_algorithm deflate;
    }

    sainfo subnet 192.168.48.0/24 any subnet 10.100.100.0/24 any
    {
        remoteid 1;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1,hmac_md5;

        lifetime time 3600 secs;
        compression_algorithm deflate;
    }



  • I think it's related to the remoteid being the same.

    Thank you all.
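Not part of the thread: the following is an added example, not pfSense or racoon code, that parses a racoon.conf like the one posted above and reports which required local/remote subnet pairs have a matching sainfo block, which sainfo remoteids point at no remote block's ph1id, and which selectors are single hosts rather than subnets. The parser, the function names (parse_racoon_conf, missing_phase2, dangling_remoteids, host_selectors) and the trimmed sample text are this example's own. The first sample reproduces the post's blocks; a second constructed variant writes the first sainfo's remote side as the host 10.100.100.8, the value the post's phase 2 table shows, to illustrate what the check reports for that form.

```python
"""Parse a pfSense 2.0 generated racoon.conf and check its phase 1 / phase 2 bindings.

Added example for this thread; not pfSense or racoon code. All names below are this
example's own.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the racoon.conf from the post, trimmed to the blocks that
# matter here. x.x.x.x / y.y.y.y are the poster's placeholders for the endpoints.
SAMPLE_RACOON_CONF = """\
# This file is automatically generated. Do not edit
path pre_shared_key "/var/etc/psk.txt";
remote y.y.y.y
{
	ph1id 1;
	exchange_mode main;
	peers_identifier address y.y.y.y;
	proposal
	{
		authentication_method pre_shared_key;
		dh_group 2;
	}
}
sainfo subnet 192.168.47.0/24 any subnet 10.100.100.0/24 any
{
	remoteid 1;
	encryption_algorithm 3des;
}
sainfo subnet 192.168.48.0/24 any subnet 10.100.100.0/24 any
{
	remoteid 1;
	encryption_algorithm 3des;
}
"""
# Constructed variant: the first sainfo's remote side written as the single host
# 10.100.100.8 (the value shown in the post's phase 2 table) instead of the /24.
SAMPLE_HOST_SELECTOR = SAMPLE_RACOON_CONF.replace(
    "subnet 10.100.100.0/24", "address 10.100.100.8", 1)

@dataclass
class Phase1:
    peer: str
    ph1id: Optional[int]

@dataclass
class Phase2:
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network
    remoteid: Optional[int]

@dataclass
class RacoonConf:
    phase1: list = field(default_factory=list)
    phase2: list = field(default_factory=list)

_HEADER = re.compile(r"^(remote|sainfo)\s+([^{\n]+?)\s*\{", re.M)
_ID = re.compile(r"\b(ph1id|remoteid)\s+(\d+)\s*;")
# one sainfo selector: "subnet 192.168.47.0/24 any" or "address 10.100.100.8 [500] any"
_SEL = re.compile(r"(?:subnet|address)\s+(\S+)(?:\s+\[\S+\])?\s+\S+")

def _blocks(text):
    """Yield (keyword, header, body) for each top-level remote/sainfo block."""
    for m in _HEADER.finditer(text):
        depth, j = 1, m.end()
        while j < len(text) and depth:          # walk to the matching close brace
            depth += {"{": 1, "}": -1}.get(text[j], 0)
            j += 1
        yield m.group(1), m.group(2).strip(), text[m.end():j - 1]

def _id(body, key):
    return {k: int(v) for k, v in _ID.findall(body)}.get(key)

def parse_racoon_conf(text):
    conf = RacoonConf()
    for kw, header, body in _blocks(text):
        if kw == "remote":
            conf.phase1.append(Phase1(peer=header, ph1id=_id(body, "ph1id")))
            continue
        sels = _SEL.findall(header)
        if len(sels) != 2:
            raise ValueError(f"unparsed sainfo selector: {header!r}")
        # strict=False: an address with no prefix becomes a single-host /32 network
        local, remote = (ipaddress.ip_network(s, strict=False) for s in sels)
        conf.phase2.append(Phase2(local, remote, _id(body, "remoteid")))
    return conf

def missing_phase2(conf, required):
    """(local, remote) CIDR pairs from `required` with no exactly matching sainfo."""
    have = {(p.local, p.remote) for p in conf.phase2}
    return [(l, r) for l, r in required
            if (ipaddress.ip_network(l), ipaddress.ip_network(r)) not in have]

def dangling_remoteids(conf):
    """sainfo blocks whose remoteid matches no remote block's ph1id."""
    ids = {p.ph1id for p in conf.phase1}
    return [p for p in conf.phase2 if p.remoteid not in ids]

def host_selectors(conf):
    """sainfo blocks where either side is a single host rather than a subnet."""
    return [p for p in conf.phase2
            if p.local.num_addresses == 1 or p.remote.num_addresses == 1]

if __name__ == "__main__":
    wanted = [("192.168.48.0/24", "10.100.100.0/24"), ("192.168.47.0/24", "10.100.100.0/24")]
    for name, text in (("post", SAMPLE_RACOON_CONF), ("host variant", SAMPLE_HOST_SELECTOR)):
        conf = parse_racoon_conf(text)
        print(name, "ph1:", [(p.peer, p.ph1id) for p in conf.phase1])
        print("  missing:", missing_phase2(conf, wanted))
        print("  host selectors:", [(str(p.local), str(p.remote)) for p in host_selectors(conf)])
```

On a pfSense box the input would be the output of `cat /var/etc/racoon.conf`, as in the post; the required pair list is whatever the phase 2 entries in the GUI are meant to produce, so the script only tells you whether the generated file matches that intent, not whether the far end installed the same selectors.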

