Can't connect two pfSense site-to-site IPSec vpn's
-
Greetings,
I'm having a terrible time trying to get two pfSense boxes to connect via IPSec. I'm hoping someone can shed some light on what I'm doing wrong. Here's my setup:
SiteA-1 (CARP Primary) \ / SiteB-1 (CARP Primary) |-> IPSec <-| SiteA-2 (CARP Backup) / \ SiteB-2 (CARP Backup)Before we got SiteB-2 set up, SiteB-1 was configured and connected successfully to SiteA. We setup SiteB-2, enabled CARP, and created some virtual IP's to take over the VPN. After reconfiguring the VPN to use the virtual IP's, the VPN will no longer connect. I've deleted the settings on both SiteA and SiteB, recreated them, tried different encryption settings, and nothing seems to work.
Here's debug output from SiteB-1:
Aug 21 21:07:41 racoon: INFO: unsupported PF_KEY message REGISTER Aug 21 21:07:41 racoon: DEBUG: got pfkey REGISTER message Aug 21 21:07:41 racoon: DEBUG: pk_recv: retry[0] recv() Aug 21 21:07:41 racoon: DEBUG: getsainfo params: loc='172.17.0.0/16' rmt='172.16.0.0/16' peer='NULL' client='NULL' id=1 Aug 21 21:07:41 racoon: DEBUG: no check of compression algorithm; not supported in sadb message. Aug 21 21:07:41 racoon: DEBUG: reading config file /var/etc/racoon.conf Aug 21 21:07:41 racoon: DEBUG: pk_recv: retry[2] recv() Aug 21 21:07:41 racoon: DEBUG: pk_recv: retry[1] recv() Aug 21 21:07:41 racoon: DEBUG: pk_recv: retry[0] recv() Aug 21 21:07:41 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x80163a910: 172.17.1.149/32[0] 172.17.1.0/24[0] proto=any dir=out Aug 21 21:07:41 racoon: DEBUG: sub:0x7fffffffe580: 172.17.0.0/16[0] 172.16.0.0/16[0] proto=any dir=out Aug 21 21:07:41 racoon: DEBUG: db :0x80163a790: 172.16.0.0/16[0] 172.17.0.0/16[0] proto=any dir=in Aug 21 21:07:41 racoon: DEBUG: sub:0x7fffffffe580: 172.17.0.0/16[0] 172.16.0.0/16[0] proto=any dir=out Aug 21 21:07:41 racoon: DEBUG: sub:0x7fffffffe580: 172.17.0.0/16[0] 172.16.0.0/16[0] proto=any dir=out Aug 21 21:07:41 racoon: DEBUG: got pfkey X_SPDDUMP message Aug 21 21:07:41 racoon: DEBUG: pk_recv: retry[0] recv() Aug 21 21:07:41 racoon: DEBUG: db :0x80163a790: 172.16.0.0/16[0] 172.17.0.0/16[0] proto=any dir=in Aug 21 21:07:41 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0x7fffffffe580: 172.17.1.149/32[0] 172.17.1.0/24[0] proto=any dir=out Aug 21 21:07:41 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0x7fffffffe580: 172.17.1.149/32[0] 172.17.1.0/24[0] proto=any dir=out Aug 21 21:07:41 racoon: DEBUG: got pfkey X_SPDDUMP message Aug 21 21:07:41 racoon: DEBUG: pk_recv: retry[0] recv() Aug 21 21:07:41 racoon: DEBUG: sub:0x7fffffffe580: 172.16.0.0/16[0] 172.17.0.0/16[0] proto=any dir=in Aug 21 21:07:41 racoon: DEBUG: got pfkey X_SPDDUMP message Aug 21 21:07:41 racoon: DEBUG: pk_recv: retry[0] recv() Aug 21 21:07:41 racoon: DEBUG: got pfkey X_SPDDUMP message Aug 21 21:07:41 racoon: DEBUG: pk_recv: retry[0] recv() Aug 21 21:07:41 racoon: INFO: unsupported PF_KEY message REGISTER Aug 21 21:07:41 racoon: DEBUG: got pfkey REGISTER message Aug 21 21:07:41 racoon: DEBUG: pk_recv: retry[0] recv() Aug 21 21:07:39 racoon: DEBUG: db :0x80163a910: 172.17.0.0/16[0] 172.16.0.0/16[0] proto=any dir=out Aug 21 21:07:39 racoon: DEBUG: sub:0x7fffffffe590: 172.16.0.0/16[0] 172.17.0.0/16[0] proto=any dir=in Aug 21 21:07:39 racoon: DEBUG: sub:0x7fffffffe590: 172.16.0.0/16[0] 172.17.0.0/16[0] proto=any dir=in Aug 21 21:07:39 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x80163a610: 172.17.1.149/32[0] 172.17.1.0/24[0] proto=any dir=out Aug 21 21:07:39 racoon: DEBUG: sub:0x7fffffffe590: 172.16.0.0/16[0] 172.17.0.0/16[0] proto=any dir=in Aug 21 21:07:39 racoon: DEBUG: got pfkey X_SPDADD message Aug 21 21:07:39 racoon: DEBUG: pk_recv: retry[0] recv() Aug 21 21:07:39 racoon: DEBUG: sub:0x7fffffffe590: 172.17.0.0/16[0] 172.16.0.0/16[0] proto=any dir=out Aug 21 21:07:39 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x80163a610: 172.17.1.149/32[0] 172.17.1.0/24[0] proto=any dir=out Aug 21 21:07:39 racoon: DEBUG: sub:0x7fffffffe590: 172.17.0.0/16[0] 172.16.0.0/16[0] proto=any dir=out Aug 21 21:07:39 racoon: DEBUG: got pfkey X_SPDADD message Aug 21 21:07:39 racoon: DEBUG: pk_recv: retry[0] recv() Aug 21 21:07:39 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x80163a610: 172.17.1.149/32[0] 172.17.1.0/24[0] proto=any dir=out Aug 21 21:07:39 racoon: DEBUG: sub:0x7fffffffe590: 172.17.1.0/24[0] 172.17.1.149/32[0] proto=any dir=in Aug 21 21:07:39 racoon: DEBUG: got pfkey X_SPDADD message Aug 21 21:07:39 racoon: DEBUG: pk_recv: retry[0] recv() Aug 21 21:07:39 racoon: DEBUG: got pfkey X_SPDADD message Aug 21 21:07:39 racoon: DEBUG: pk_recv: retry[0] recv() Aug 21 21:07:39 racoon: INFO: unsupported PF_KEY message REGISTER Aug 21 21:07:39 racoon: DEBUG: got pfkey REGISTER message Aug 21 21:07:39 racoon: DEBUG: pk_recv: retry[0] recv() Aug 21 21:07:39 racoon: DEBUG: pfkey X_SPDDUMP failed: No such file or directory Aug 21 21:07:39 racoon: DEBUG: got pfkey X_SPDDUMP message Aug 21 21:07:39 racoon: DEBUG: pk_recv: retry[0] recv() Aug 21 21:07:39 racoon: [Self]: INFO: 192.168.1.74[500] used as isakmp port (fd=15) Aug 21 21:07:39 racoon: [Self]: INFO: 192.168.1.74[500] used for NAT-T Aug 21 21:07:39 racoon: [Self]: INFO: 192.168.1.74[4500] used as isakmp port (fd=14) Aug 21 21:07:39 racoon: [Self]: INFO: 192.168.1.74[4500] used for NAT-T Aug 21 21:07:39 racoon: DEBUG: open /var/db/racoon/racoon.sock as racoon management. Aug 21 21:07:39 racoon: DEBUG: getsainfo params: loc='172.17.0.0/16' rmt='172.16.0.0/16' peer='NULL' client='NULL' id=1 Aug 21 21:07:39 racoon: DEBUG: no check of compression algorithm; not supported in sadb message. Aug 21 21:07:39 racoon: DEBUG: reading config file /var/etc/racoon.conf Aug 21 21:07:39 racoon: DEBUG: call pfkey_send_register for IPCOMP Aug 21 21:07:39 racoon: DEBUG: call pfkey_send_register for ESP Aug 21 21:07:39 racoon: DEBUG: call pfkey_send_register for AH Aug 21 21:07:39 racoon: INFO: Reading configuration from "/var/etc/racoon.conf" Aug 21 21:07:39 racoon: INFO: @(#)This product linked OpenSSL 0.9.8n 24 Mar 2010 (http://www.openssl.org/) Aug 21 21:07:39 racoon: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)SiteA-1 does not have debug turned on (I don't want to kill our active VPN's yet) but all it has during the above time frame is:
racoon: INFO: unsupported PF_KEY message REGISTERAt first I thought it was a side effect of setting up CARP and moving to a virtual IP. I turned off CARP, removed the vip and flipped it all back to the originally working config. It still would never connect. Any ideas what might be causing this?
-
Here's the racoon.conf files for the above systems. Please note I've changed the first three octets of the IP's, but other than that they should be the same.
The IP's involved will be:
WAN:
SiteA vip: 192.168.1.66
SiteA-1: 192.168.1.76
SiteA-2: 192.168.1.77SiteB vip: 192.168.1.74
SiteB-1: 192.168.73
SiteB-2: 192.168.72LAN:
SiteA network: 172.16.0.0/16
SiteB network: 172.17.0.0/16SiteA-1-racoon.conf.txt
SiteA-2-racoon.conf.txt
SiteB-1-racoon.conf.txt
SiteB-2-racoon.conf.txt
-
"Unknown Gateway/Dynamic" indicates you setup the wrong "remote" endpoint IP on that side.
-
It's not though, at least not in the config or the web ui. We're going to reformat them since they aren't doing anything important. See if that makes a difference.
-
It's not Windows. :) Unless you've been mucking with source code, the format and reinstall routine isn't going to change anything.
Without seeing non-anonymized configs, I can't offer further suggestions.
-
Aye, I'm getting to used to Windows here..
Anyways, I think we figured it out. We had the two systems on the same network segment. And.. I used the same vhid and carp passwords for both. Once we moved them behind another router on another network, it's been working fine. This also solved our seemingly random flip-flopping of our main pfsense boxes. I guess that's why you shouldn't have multiple vip's in the same carp group on the same network.