4. PfSense IPSec Site to Site

PfSense IPSec Site to Site

  • P

    Hi All

    Is there anyone who can able to help me to fix my problem
    I have two pfsense installed in a different PC.
    both have two lan card, Public IP and Local IP

    I used IPSec VPN both are enabled

    My settings are:
    SITE A:
    Remote Gateway: ISP IP Address (119.92.56.77)
    Mode: aggressive
    P1 Protocol: AES (256 bits)
    P1 transforms: SHA1
    pre shreadKey: veryverysecret
    Encryption algorithm: AES | 256 bits
    Hash algorithm: SHA1
    DH Key Group: 2
    Lifetime: 28800

    Phase 2:
    Local Network: LAN subnet
    Remote Network: 192.168.51.0/24
    Protocol: ESP
    Encryption algorithm: AES/Blowfish/3DES/CAST128
    Hash algorithms: SHA1/MD5
    PFS key group: 2
    lifetime:3600

    SITE B:
    Remote Gateway: ISP IP Address (119.92.56.78)
    Mode: aggressive
    P1 Protocol: AES (256 bits)
    P1 transforms: SHA1
    pre shreadKey: veryverysecret
    Encryption algorithm: AES | 256 bits
    Hash algorithm: SHA1
    DH Key Group: 2
    Lifetime: 28800
    Phase 2:
    Local Network: LAN subnet
    Remote Network: 192.168.50.0/24
    Protocol: ESP
    Encryption algorithm: AES/Blowfish/3DES/CAST128
    Hash algorithms: SHA1/MD5
    PFS key group: 2
    lifetime:3600

    On SITE A Logs:
    racoon: ERROR failed to get sainfo
    racoon:[ ]: [119.92.56.78] ERROR: failed to pre-process ph2 packet [check phase 2 settings, networks] (side 1, status: 1)

    On SITE B Logs:

    racoon: []: INFO: initiate new phase 2 negotiation: 119.92.56.78[500]<=>119.92.56.77[500] racoon: ERROR: 119.92.56.77 give up to get IPsec-SA due to time up to wait.

    racoon: []: INFO: initiate new phase 2 negotiation: 119.92.56.78[500]<=>119.92.56.77[500]

    racoon: ERROR: 119.92.56.77 give up to get IPsec-SA due to time up to wait.

    thanks

    0
  • S

    Don't use "LAN subnet" on the phase 2 settings, type the address in yourself.  I ran into this issue and that fixed it for me.


    0
  • D

    @SectorNine50:

    Don't use "LAN subnet" on the phase 2 settings, type the address in yourself.  I ran into this issue and that fixed it for me.

    That's odd …

    Could you please save and compare (diff file1 file2) the files
    /var/etc/racoon.conf
    /var/etc/spd.conf
    under both situations (when you put in "LAN subnet" and when you type the address yourself) ?

    0
Log in to reply
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy