Tunnel troubles
-
cheech
Do you fixed your tunnel problems?
-
It is not a bug. I run IPSEC all over the place and have no issues.
Cheech it is probably the Cisco that is the problem.
-
I think, now i have a stable config between pfsense carp <–> pfsense carp and also pfsense carp <--> openswan ipsec. I will make another test tommorrow, but currently the tunnels are all up and running great....
I need two rules on the wan , ESP permit and UDP 500 permit to the wan carp, then it runs as it should...
greetings
heiko -
I had a similar problem and the exact same solution. It looks like pfsense isn't adding the rules to allow the carp address just the wan address
I guess I wasn't being stupid after all ;D
-
Yes, for me it works only with the additional rules…...
-
I have found interoperability issues between pfsense and non-pfsense routers when using IPSEC. I might be wrong but I think pfsense is intended primarily for pfsense <> pfsense. Unfortunately it is not always possible /practical to convince the other side to switch to pfsense. I have seen problems with connectivity between pfsense to Dlink, Linksys and Cisco VPN products. Sometimes simply solved by deleting the SPD.
-
I have found interoperability issues between pfsense and non-pfsense routers when using IPSEC. I might be wrong but I think pfsense is intended primarily for pfsense <> pfsense. Unfortunately it is not always possible /practical to convince the other side to switch to pfsense. I have seen problems with connectivity between pfsense to Dlink, Linksys and Cisco VPN products. Sometimes simply solved by deleting the SPD.
IPsec is IPsec. If you have it properly configured on both ends it'll work fine. If you have to delete SPD's, you probably have mismatched lifetimes, and/or a data transfer-based lifetime (i.e. expire after X KB) configured, the latter of which you can't configure on the pfsense side so you cannot use.
It can be difficult to properly configure IPsec to match what pfsense allows you to configure, especially on devices as flexible (and hence complex) as Cisco. pfsense to pfsense or m0n0wall is dead simple because the config options are simple to get matched properly.
As for Dlink and Linksys, I haven't worked with Dlink IPsec, or heard of others who have, but Linksys IPsec is widely known to be a joke. Maybe their more recent equipment and/or firmware is better, but when it has come up on the m0n0wall list several times in the past, numerous people have stated those things never work reliably for them regardless of what they're connecting to.
-
well… i have about 40 linksys befvp41 and 10 netgear fvs318v3 connected to pfsense box. besides minor missconfiguration problems everything work fine.
-
Today all tunnels are up and runs fine, between carp pfsense <–> carp pfsense and carp pfsense <--> Openswan ipsec. The Openswan config is a little bit tricky....but it runs :D :D :D
This is the working ipsec.conf here:
left=xxx
leftnexthop=%defaultroute
leftsubnet=192.168.10.0/255.255.255.0
right=219.6.85.88
rightsubnet=192.168.11.0/255.255.255.0
rightnexthop=%defaultroute
ike=aes128-sha-modp1536,aes128-sha-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha-modp1536,3des-sha-modp1024,3des-md5-modp1536,3des-md5-modp1024
esp=aes128-sha1,aes128-md5,3des-sha1,3des-md5
ikelifetime=1h
keylife=8h
dpddelay=30
dpdtimeout=120
dpdaction=hold
pfs=yes
authby=secret
auto=startHave fun.., but do not forget the rules on the wan at this time (ESP and UDP500 to the WAN CARP)
cmb have opened a ticket for this szenario http://cvstrac.pfsense.org/tktview?tn=1349
Greetings from Germany -
well… i have about 40 linksys befvp41 and 10 netgear fvs318v3 connected to pfsense box. besides minor missconfiguration problems everything work fine.
Wow, so they're actually stable? I cringe at the thought of supporting 40 Linksys VPN boxes. ;D I've tried the BEFVP41, granted it was probably 5 years ago, but at the time it didn't work reliably at all no matter what I connected it to.
I think I still have it on a shelf around here somewhere, maybe it's time to give it another shot if for nothing other than the sake of documenting the proper way to configure one to connect to pfsense.