Netgate Discussion Forum
    Can't connect two pfSense site-to-site IPSec vpn's

nullifi:

      Greetings,

      I'm having a terrible time trying to get two pfSense boxes to connect via IPSec. I'm hoping someone can shed some light on what I'm doing wrong. Here's my setup:

      
      SiteA-1 (CARP Primary) \                  / SiteB-1 (CARP Primary)
                                       |-> IPSec <-|
      SiteA-2 (CARP Backup) /                  \ SiteB-2 (CARP Backup)
      
      

Before we got SiteB-2 set up, SiteB-1 was configured and connected successfully to SiteA. We set up SiteB-2, enabled CARP, and created some virtual IPs to take over the VPN. After reconfiguring the VPN to use the virtual IPs, the VPN will no longer connect. I've deleted the settings on both SiteA and SiteB, recreated them, tried different encryption settings, and nothing seems to work.

      Here's debug output from SiteB-1:

      
      Aug 21 21:07:41	racoon: INFO: unsupported PF_KEY message REGISTER
      Aug 21 21:07:41	racoon: DEBUG: got pfkey REGISTER message
      Aug 21 21:07:41	racoon: DEBUG: pk_recv: retry[0] recv()
      Aug 21 21:07:41	racoon: DEBUG: getsainfo params: loc='172.17.0.0/16' rmt='172.16.0.0/16' peer='NULL' client='NULL' id=1
      Aug 21 21:07:41	racoon: DEBUG: no check of compression algorithm; not supported in sadb message.
      Aug 21 21:07:41	racoon: DEBUG: reading config file /var/etc/racoon.conf
      Aug 21 21:07:41	racoon: DEBUG: pk_recv: retry[2] recv()
      Aug 21 21:07:41	racoon: DEBUG: pk_recv: retry[1] recv()
      Aug 21 21:07:41	racoon: DEBUG: pk_recv: retry[0] recv()
      Aug 21 21:07:41	racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x80163a910: 172.17.1.149/32[0] 172.17.1.0/24[0] proto=any dir=out
      Aug 21 21:07:41	racoon: DEBUG: sub:0x7fffffffe580: 172.17.0.0/16[0] 172.16.0.0/16[0] proto=any dir=out
      Aug 21 21:07:41	racoon: DEBUG: db :0x80163a790: 172.16.0.0/16[0] 172.17.0.0/16[0] proto=any dir=in
      Aug 21 21:07:41	racoon: DEBUG: sub:0x7fffffffe580: 172.17.0.0/16[0] 172.16.0.0/16[0] proto=any dir=out
      Aug 21 21:07:41	racoon: DEBUG: sub:0x7fffffffe580: 172.17.0.0/16[0] 172.16.0.0/16[0] proto=any dir=out
      Aug 21 21:07:41	racoon: DEBUG: got pfkey X_SPDDUMP message
      Aug 21 21:07:41	racoon: DEBUG: pk_recv: retry[0] recv()
      Aug 21 21:07:41	racoon: DEBUG: db :0x80163a790: 172.16.0.0/16[0] 172.17.0.0/16[0] proto=any dir=in
      Aug 21 21:07:41	racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0x7fffffffe580: 172.17.1.149/32[0] 172.17.1.0/24[0] proto=any dir=out
      Aug 21 21:07:41	racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0x7fffffffe580: 172.17.1.149/32[0] 172.17.1.0/24[0] proto=any dir=out
      Aug 21 21:07:41	racoon: DEBUG: got pfkey X_SPDDUMP message
      Aug 21 21:07:41	racoon: DEBUG: pk_recv: retry[0] recv()
      Aug 21 21:07:41	racoon: DEBUG: sub:0x7fffffffe580: 172.16.0.0/16[0] 172.17.0.0/16[0] proto=any dir=in
      Aug 21 21:07:41	racoon: DEBUG: got pfkey X_SPDDUMP message
      Aug 21 21:07:41	racoon: DEBUG: pk_recv: retry[0] recv()
      Aug 21 21:07:41	racoon: DEBUG: got pfkey X_SPDDUMP message
      Aug 21 21:07:41	racoon: DEBUG: pk_recv: retry[0] recv()
      Aug 21 21:07:41	racoon: INFO: unsupported PF_KEY message REGISTER
      Aug 21 21:07:41	racoon: DEBUG: got pfkey REGISTER message
      Aug 21 21:07:41	racoon: DEBUG: pk_recv: retry[0] recv()
      Aug 21 21:07:39	racoon: DEBUG: db :0x80163a910: 172.17.0.0/16[0] 172.16.0.0/16[0] proto=any dir=out
      Aug 21 21:07:39	racoon: DEBUG: sub:0x7fffffffe590: 172.16.0.0/16[0] 172.17.0.0/16[0] proto=any dir=in
      Aug 21 21:07:39	racoon: DEBUG: sub:0x7fffffffe590: 172.16.0.0/16[0] 172.17.0.0/16[0] proto=any dir=in
      Aug 21 21:07:39	racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x80163a610: 172.17.1.149/32[0] 172.17.1.0/24[0] proto=any dir=out
      Aug 21 21:07:39	racoon: DEBUG: sub:0x7fffffffe590: 172.16.0.0/16[0] 172.17.0.0/16[0] proto=any dir=in
      Aug 21 21:07:39	racoon: DEBUG: got pfkey X_SPDADD message
      Aug 21 21:07:39	racoon: DEBUG: pk_recv: retry[0] recv()
      Aug 21 21:07:39	racoon: DEBUG: sub:0x7fffffffe590: 172.17.0.0/16[0] 172.16.0.0/16[0] proto=any dir=out
      Aug 21 21:07:39	racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x80163a610: 172.17.1.149/32[0] 172.17.1.0/24[0] proto=any dir=out
      Aug 21 21:07:39	racoon: DEBUG: sub:0x7fffffffe590: 172.17.0.0/16[0] 172.16.0.0/16[0] proto=any dir=out
      Aug 21 21:07:39	racoon: DEBUG: got pfkey X_SPDADD message
      Aug 21 21:07:39	racoon: DEBUG: pk_recv: retry[0] recv()
      Aug 21 21:07:39	racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x80163a610: 172.17.1.149/32[0] 172.17.1.0/24[0] proto=any dir=out
      Aug 21 21:07:39	racoon: DEBUG: sub:0x7fffffffe590: 172.17.1.0/24[0] 172.17.1.149/32[0] proto=any dir=in
      Aug 21 21:07:39	racoon: DEBUG: got pfkey X_SPDADD message
      Aug 21 21:07:39	racoon: DEBUG: pk_recv: retry[0] recv()
      Aug 21 21:07:39	racoon: DEBUG: got pfkey X_SPDADD message
      Aug 21 21:07:39	racoon: DEBUG: pk_recv: retry[0] recv()
      Aug 21 21:07:39	racoon: INFO: unsupported PF_KEY message REGISTER
      Aug 21 21:07:39	racoon: DEBUG: got pfkey REGISTER message
      Aug 21 21:07:39	racoon: DEBUG: pk_recv: retry[0] recv()
      Aug 21 21:07:39	racoon: DEBUG: pfkey X_SPDDUMP failed: No such file or directory
      Aug 21 21:07:39	racoon: DEBUG: got pfkey X_SPDDUMP message
      Aug 21 21:07:39	racoon: DEBUG: pk_recv: retry[0] recv()
      Aug 21 21:07:39	racoon: [Self]: INFO: 192.168.1.74[500] used as isakmp port (fd=15)
      Aug 21 21:07:39	racoon: [Self]: INFO: 192.168.1.74[500] used for NAT-T
      Aug 21 21:07:39	racoon: [Self]: INFO: 192.168.1.74[4500] used as isakmp port (fd=14)
      Aug 21 21:07:39	racoon: [Self]: INFO: 192.168.1.74[4500] used for NAT-T
      Aug 21 21:07:39	racoon: DEBUG: open /var/db/racoon/racoon.sock as racoon management.
      Aug 21 21:07:39	racoon: DEBUG: getsainfo params: loc='172.17.0.0/16' rmt='172.16.0.0/16' peer='NULL' client='NULL' id=1
      Aug 21 21:07:39	racoon: DEBUG: no check of compression algorithm; not supported in sadb message.
      Aug 21 21:07:39	racoon: DEBUG: reading config file /var/etc/racoon.conf
      Aug 21 21:07:39	racoon: DEBUG: call pfkey_send_register for IPCOMP
      Aug 21 21:07:39	racoon: DEBUG: call pfkey_send_register for ESP
      Aug 21 21:07:39	racoon: DEBUG: call pfkey_send_register for AH
      Aug 21 21:07:39	racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
      Aug 21 21:07:39	racoon: INFO: @(#)This product linked OpenSSL 0.9.8n 24 Mar 2010 (http://www.openssl.org/)
      Aug 21 21:07:39	racoon: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
      
      

SiteA-1 does not have debug turned on (I don't want to kill our active VPNs yet) but all it has during the above time frame is:

      
      racoon: INFO: unsupported PF_KEY message REGISTER
      
      

At first I thought it was a side effect of setting up CARP and moving to a virtual IP. I turned off CARP, removed the VIP and flipped it all back to the originally working config. It still would never connect. Any ideas what might be causing this?

nullifi:

Here are the racoon.conf files for the above systems. Please note I've changed the first three octets of the IPs, but other than that they should be the same.

The IPs involved will be:
        WAN:
        SiteA vip: 192.168.1.66
        SiteA-1: 192.168.1.76
        SiteA-2: 192.168.1.77

        SiteB vip: 192.168.1.74
        SiteB-1: 192.168.73
        SiteB-2: 192.168.72

        LAN:
        SiteA network: 172.16.0.0/16
        SiteB network: 172.17.0.0/16

        SiteA-1-racoon.conf.txt
        SiteA-2-racoon.conf.txt
        SiteB-1-racoon.conf.txt
        SiteB-2-racoon.conf.txt

cmb:

          "Unknown Gateway/Dynamic" indicates you setup the wrong "remote" endpoint IP on that side.

nullifi:
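To see which security-policy entry racoon attached that label to, the following added example (not part of the thread, and not pfSense or ipsec-tools code) parses the SPD debug lines from the first post. The sample log is an excerpt of the lines posted above; the regex shape is derived from those lines only, and the tab between the timestamp and `racoon:` has been replaced by a space. In this excerpt the `172.16.0.0/16` / `172.17.0.0/16` tunnel selectors carry no gateway tag, while the `172.17.1.149/32` to `172.17.1.0/24` entry is the one racoon marks as Unknown Gateway/Dynamic, so that is the selector pair to compare against the configured remote endpoint.

```python
import re
from collections import defaultdict

# Excerpt of the racoon debug output from the first post (page data, not constructed).
SAMPLE_LOG = """\
Aug 21 21:07:41 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x80163a910: 172.17.1.149/32[0] 172.17.1.0/24[0] proto=any dir=out
Aug 21 21:07:41 racoon: DEBUG: sub:0x7fffffffe580: 172.17.0.0/16[0] 172.16.0.0/16[0] proto=any dir=out
Aug 21 21:07:41 racoon: DEBUG: db :0x80163a790: 172.16.0.0/16[0] 172.17.0.0/16[0] proto=any dir=in
Aug 21 21:07:39 racoon: DEBUG: db :0x80163a910: 172.17.0.0/16[0] 172.16.0.0/16[0] proto=any dir=out
Aug 21 21:07:39 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x80163a610: 172.17.1.149/32[0] 172.17.1.0/24[0] proto=any dir=out
Aug 21 21:07:39 racoon: DEBUG: sub:0x7fffffffe590: 172.17.1.0/24[0] 172.17.1.149/32[0] proto=any dir=in
Aug 21 21:07:39 racoon: INFO: unsupported PF_KEY message REGISTER
Aug 21 21:07:39 racoon: [Self]: INFO: 192.168.1.74[500] used as isakmp port (fd=15)
"""

# One SPD debug line: optional "[gateway label]:" prefix, then "db :0x..." (an entry
# already in the policy database) or "sub:0x..." (the key racoon is looking up),
# followed by "src[port] dst[port] proto=... dir=in|out".
SPD_RE = re.compile(
    r"racoon: (?:\[(?P<tag>[^\]]+)\]: )?DEBUG: (?P<kind>db|sub) ?:0x[0-9a-f]+: "
    r"(?P<src>\S+)\[\d+\] (?P<dst>\S+)\[\d+\] proto=(?P<proto>\S+) dir=(?P<dir>in|out)"
)

UNKNOWN_TAG = "Unknown Gateway/Dynamic"


def spd_entries(log_text):
    """Map each (src, dst, dir) selector of a 'db' entry to the set of gateway
    labels racoon printed with it ('' when the line carried no label).
    'sub' lines are lookup keys, not database entries, and are skipped."""
    entries = defaultdict(set)
    for line in log_text.splitlines():
        m = SPD_RE.search(line)
        if m and m["kind"] == "db":
            entries[(m["src"], m["dst"], m["dir"])].add(m["tag"] or "")
    return dict(entries)


def split_unknown_gateway(log_text):
    """Return (unknown, other): selectors racoon labelled Unknown Gateway/Dynamic
    and all remaining database selectors, each sorted for stable output."""
    unknown, other = [], []
    for selector, tags in sorted(spd_entries(log_text).items()):
        (unknown if UNKNOWN_TAG in tags else other).append(selector)
    return unknown, other


if __name__ == "__main__":
    unknown, other = split_unknown_gateway(SAMPLE_LOG)
    print("Labelled Unknown Gateway/Dynamic:")
    for src, dst, direction in unknown:
        print(f"  {src} -> {dst} dir={direction}")
    print("Other SPD entries:")
    for src, dst, direction in other:
        print(f"  {src} -> {dst} dir={direction}")
```

Feed it the full debug log from the IPsec log page (or `clog /var/log/ipsec.log` on a pfSense box of that era, an assumption about the log path) and the "unknown" list is the set of selectors whose peer racoon could not tie to a configured remote gateway.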

            It's not though, at least not in the config or the web ui. We're going to reformat them since they aren't doing anything important. See if that makes a difference.

cmb:

              It's not Windows. :) Unless you've been mucking with source code, the format and reinstall routine isn't going to change anything.

              Without seeing non-anonymized configs, I can't offer further suggestions.

nullifi:

Aye, I'm getting too used to Windows here...

Anyways, I think we figured it out. We had the two systems on the same network segment. And I used the same VHID and CARP passwords for both. Once we moved them behind another router on another network, it's been working fine. This also solved our seemingly random flip-flopping of our main pfSense boxes. I guess that's why you shouldn't have multiple VIPs in the same CARP group on the same network.

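The failure mode in that last post is visible on the wire: only the master of a CARP group sends advertisements, so a VHID advertised by more than one source on one segment means two nodes each believe they own that VIP, and two clusters that share a VHID and password on a shared segment will do exactly that. The following added example (not from the thread and not pfSense code) runs that check over a constructed capture. The sample lines are invented and written in the shape tcpdump prints for CARP advertisements; the addresses reuse the anonymized ones from the thread, the interface name `em0` in the usage note is an assumption, and a VHID 3 with two advertisers at different skews is added to show the non-tie case.

```python
import re
from collections import defaultdict

# Constructed capture (invented values) in the shape of
# `tcpdump -ni em0 ip proto 112` output; addresses follow the thread's anonymized scheme.
# VHID 1: SiteA-1 and SiteB-1 both advertising with advskew 0 (the thread's mistake).
# VHID 2: a single advertiser, the healthy case.
# VHID 3: two advertisers with different skews, added here as a constructed contrast.
SAMPLE_CAPTURE = """\
21:07:39.001 IP 192.168.1.76 > 224.0.0.18: CARPv2-advertise 36: vhid=1 advbase=1 advskew=0 authlen=7 counter=101
21:07:39.004 IP 192.168.1.73 > 224.0.0.18: CARPv2-advertise 36: vhid=1 advbase=1 advskew=0 authlen=7 counter=77
21:07:39.010 IP 192.168.1.76 > 224.0.0.18: CARPv2-advertise 36: vhid=2 advbase=1 advskew=0 authlen=7 counter=55
21:07:40.001 IP 192.168.1.76 > 224.0.0.18: CARPv2-advertise 36: vhid=1 advbase=1 advskew=0 authlen=7 counter=102
21:07:40.004 IP 192.168.1.73 > 224.0.0.18: CARPv2-advertise 36: vhid=1 advbase=1 advskew=0 authlen=7 counter=78
21:07:40.010 IP 192.168.1.76 > 224.0.0.18: CARPv2-advertise 36: vhid=2 advbase=1 advskew=0 authlen=7 counter=56
21:07:40.020 IP 192.168.1.90 > 224.0.0.18: CARPv2-advertise 36: vhid=3 advbase=1 advskew=0 authlen=7 counter=9
21:07:40.025 IP 192.168.1.91 > 224.0.0.18: CARPv2-advertise 36: vhid=3 advbase=1 advskew=100 authlen=7 counter=3
"""

# Fields of one advertisement line; 224.0.0.18 is the CARP/VRRP multicast group.
ADV_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+) > 224\.0\.0\.18: CARPv2-advertise \d+: "
    r"vhid=(?P<vhid>\d+) advbase=(?P<advbase>\d+) advskew=(?P<advskew>\d+)"
)


def parse_advertisements(text):
    """Yield (src, vhid, advbase, advskew) for each advertisement line."""
    for line in text.splitlines():
        m = ADV_RE.search(line)
        if m:
            yield m["src"], int(m["vhid"]), int(m["advbase"]), int(m["advskew"])


def analyze(text):
    """Group advertisements by VHID and classify each group.

    ok           one advertising address, the expected master-only pattern
    conflict-tie several advertisers with equal advskew, no node has a better
                 claim, so ownership flaps (the thread's 'random flip-flopping')
    conflict     several advertisers with distinct skews that keep advertising
                 anyway, so they are not honouring each other's advertisements
    """
    by_vhid = defaultdict(dict)  # vhid -> {src: advskew}
    for src, vhid, _advbase, advskew in parse_advertisements(text):
        by_vhid[vhid][src] = advskew
    report = {}
    for vhid, sources in sorted(by_vhid.items()):
        if len(sources) == 1:
            status = "ok"
        elif len(set(sources.values())) < len(sources):
            status = "conflict-tie"
        else:
            status = "conflict"
        report[vhid] = {"sources": sorted(sources), "status": status}
    return report


if __name__ == "__main__":
    for vhid, info in analyze(SAMPLE_CAPTURE).items():
        print(f"vhid={vhid} status={info['status']} advertisers={', '.join(info['sources'])}")
```

On a live segment, capture with `tcpdump -ni em0 ip proto 112` (interface name assumed) for a few advertisement intervals and run the capture through `analyze`; any VHID reported as anything but `ok` names the addresses that disagree. The general rule the thread arrives at is that each CARP group sharing a broadcast domain needs its own VHID (and its own password), or, as the poster did, its own segment.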
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.