Netgate Discussion Forum

    PfSense IPSec Site to Site

    3 Posts 3 Posters 6.6k Views
    prinzz chyz

      Hi all,

      Is there anyone who can help me fix my problem?
      I have two pfSense boxes installed on different PCs.
      Both have two LAN cards, one with a public IP and one with a local IP.

      I use IPsec VPN; it is enabled on both.

      My settings are:
      SITE A:
      Remote Gateway: ISP IP Address (119.92.56.77)
      Mode: aggressive
      P1 Protocol: AES (256 bits)
      P1 transforms: SHA1
      Pre-Shared Key: veryverysecret
      Encryption algorithm: AES | 256 bits
      Hash algorithm: SHA1
      DH Key Group: 2
      Lifetime: 28800

      Phase 2:
      Local Network: LAN subnet
      Remote Network: 192.168.51.0/24
      Protocol: ESP
      Encryption algorithm: AES/Blowfish/3DES/CAST128
      Hash algorithms: SHA1/MD5
      PFS key group: 2
      Lifetime: 3600

      SITE B:
      Remote Gateway: ISP IP Address (119.92.56.78)
      Mode: aggressive
      P1 Protocol: AES (256 bits)
      P1 transforms: SHA1
      Pre-Shared Key: veryverysecret
      Encryption algorithm: AES | 256 bits
      Hash algorithm: SHA1
      DH Key Group: 2
      Lifetime: 28800
      Phase 2:
      Local Network: LAN subnet
      Remote Network: 192.168.50.0/24
      Protocol: ESP
      Encryption algorithm: AES/Blowfish/3DES/CAST128
      Hash algorithms: SHA1/MD5
      PFS key group: 2
      Lifetime: 3600

      On SITE A Logs:
      racoon: ERROR failed to get sainfo
      racoon:[ ]: [119.92.56.78] ERROR: failed to pre-process ph2 packet [check phase 2 settings, networks] (side 1, status: 1)

      On SITE B Logs:

      racoon: []: INFO: initiate new phase 2 negotiation: 119.92.56.78[500]<=>119.92.56.77[500]
      racoon: ERROR: 119.92.56.77 give up to get IPsec-SA due to time up to wait.

      racoon: []: INFO: initiate new phase 2 negotiation: 119.92.56.78[500]<=>119.92.56.77[500]

      racoon: ERROR: 119.92.56.77 give up to get IPsec-SA due to time up to wait.

      Thanks

      SectorNine50

        Don't use "LAN subnet" in the Phase 2 settings; type the address in yourself. I ran into this issue and that fixed it for me.

        [Attachment: Capture.PNG]

        dhatz

          @SectorNine50:

          Don't use "LAN subnet" in the Phase 2 settings; type the address in yourself. I ran into this issue and that fixed it for me.

          That's odd …

          Could you please save and compare (diff file1 file2) the files
          /var/etc/racoon.conf
          /var/etc/spd.conf
          under both situations (when you put in "LAN subnet" and when you type the address yourself)?

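The errors in both logs ("failed to get sainfo" on site A, "give up to get IPsec-SA" on site B) are racoon rejecting the peer's Phase 2 proposal because no sainfo entry in its own configuration matches the network pair the peer sent. That is exactly what SectorNine50's workaround and dhatz's diff request probe: the networks pfSense actually wrote into /var/etc/racoon.conf and /var/etc/spd.conf on each side. The script below is an added example, not code from this thread or from pfSense; it parses the sainfo lines of racoon.conf and the spdadd lines of spd.conf from both peers and reports any Phase 2 selector that is not mirrored (prefix length included) on the other side. The configuration strings are constructed to use the poster's subnets and WAN addresses; the 10.0.0.0/8 case is a stand-in for whatever "LAN subnet" might have resolved to if it was not the expected network.

```python
"""
Check that two IPsec peers' Phase 2 selectors mirror each other.

Added example for this thread, not pfSense or racoon code.  It reads the
sainfo blocks pfSense writes to /var/etc/racoon.conf and the spdadd lines it
writes to /var/etc/spd.conf, and reports every Phase 2 network pair that has
no counterpart on the other peer.  All configuration text below is constructed.
"""
import ipaddress
import re
from typing import List, Set, Tuple

Selector = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]  # (local, remote)

# racoon.conf: "sainfo address <local> <proto> address <remote> <proto>"
SAINFO_RE = re.compile(
    r"^\s*sainfo\s+address\s+(\S+)\s+\S+\s+address\s+(\S+)\s+\S+", re.MULTILINE
)
# spd.conf (setkey syntax): "spdadd <src> <dst> <proto> -P <in|out> ipsec ..."
SPDADD_RE = re.compile(
    r"^\s*spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\b", re.MULTILINE
)


def _net(text: str) -> ipaddress.IPv4Network:
    # A bare host address (no prefix) becomes a /32, matching how racoon treats it.
    return ipaddress.IPv4Network(text, strict=False)


def selectors(conf: str) -> Set[Selector]:
    """Extract (local, remote) network pairs from racoon.conf or spd.conf text."""
    found: Set[Selector] = set()
    for m in SAINFO_RE.finditer(conf):
        found.add((_net(m.group(1)), _net(m.group(2))))
    for m in SPDADD_RE.finditer(conf):
        src, dst, direction = m.groups()
        # Outbound policies run local->remote, inbound ones remote->local.
        if direction == "out":
            found.add((_net(src), _net(dst)))
        else:
            found.add((_net(dst), _net(src)))
    return found


def mismatched_selectors(site_a: str, site_b: str) -> List[str]:
    """
    Every (local, remote) pair on A needs the (remote, local) pair on B, prefix
    length included; otherwise racoon answers the peer's Phase 2 proposal with
    'failed to get sainfo'.  Returns human-readable problems, empty when clean.
    """
    a, b = selectors(site_a), selectors(site_b)
    problems = []
    for local, remote in sorted(a):
        if (remote, local) not in b:
            problems.append(f"site A {local} <-> {remote}: no mirror on site B")
    for local, remote in sorted(b):
        if (remote, local) not in a:
            problems.append(f"site B {local} <-> {remote}: no mirror on site A")
    return problems


# Constructed: site A's racoon.conf Phase 2 block for the poster's subnets.
SITE_A_RACOON = """
sainfo address 192.168.50.0/24 any address 192.168.51.0/24 any
{
    encryption_algorithm aes 256, blowfish, 3des, cast128;
    authentication_algorithm hmac_sha1, hmac_md5;
    pfs_group 2;
    lifetime time 3600 secs;
}
"""
# Constructed: site A's spd.conf for the same tunnel (119.92.56.77 is site A's WAN).
SITE_A_SPD = """
spdadd 192.168.50.0/24 192.168.51.0/24 any -P out ipsec esp/tunnel/119.92.56.77-119.92.56.78/unique;
spdadd 192.168.51.0/24 192.168.50.0/24 any -P in ipsec esp/tunnel/119.92.56.78-119.92.56.77/unique;
"""
# Constructed: site B when "LAN subnet" resolves to the expected network ...
SITE_B_OK = "sainfo address 192.168.51.0/24 any address 192.168.50.0/24 any\n{ }\n"
# ... and when it resolves to something else (10.0.0.0/8 is only a stand-in).
SITE_B_BAD = "sainfo address 192.168.51.0/24 any address 10.0.0.0/8 any\n{ }\n"

if __name__ == "__main__":
    for name, site_b in (("matching", SITE_B_OK), ("mismatched", SITE_B_BAD)):
        print(name, mismatched_selectors(SITE_A_RACOON, site_b) or "OK")
    # spd.conf and racoon.conf describe the same selectors, so either file works.
    print("spd vs racoon:", mismatched_selectors(SITE_A_SPD, SITE_B_OK) or "OK")
```

To use it on a real pair of boxes, save the two files from each pfSense as dhatz suggests and pass their contents to mismatched_selectors; a diff of the "LAN subnet" version against the typed-in version of racoon.conf will show the same discrepancy the script flags. Separately from the Phase 2 problem, the posted configuration uses aggressive mode with a pre-shared key, which sends the PSK-derived hash in the clear and exposes it to offline guessing, and it offers DH group 2, 3DES, Blowfish and MD5; once the tunnel is up, main mode with a stronger DH group and AES/SHA only is the safer setting.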
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.