IPsec Doesn't connect … with no error



  • Hi Guys,

    I'm trying to establish a VPN connection between a pfSense 2.0.1 box and a Dlink router. But after starting the IPsec service on the pfSense box, it doesn't appear to do anything.

    I did a packet dump on both WAN and IPsec interfaces and there were no packets at all. On the IPsec status page, it just shows as amber with an X.

    It is as if it doesn't bother starting at all. Am I missing something here?

    racoon -d -v -F -f /var/etc/racoon.conf

    
    2012-10-04 18:30:40: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
    2012-10-04 18:30:40: INFO: @(#)This product linked OpenSSL 0.9.8n 24 Mar 2010 (http://www.openssl.org/)
    2012-10-04 18:30:40: INFO: Reading configuration from "/var/etc/racoon.conf"
    2012-10-04 18:30:40: DEBUG: call pfkey_send_register for AH
    2012-10-04 18:30:40: DEBUG: call pfkey_send_register for ESP
    2012-10-04 18:30:40: DEBUG: call pfkey_send_register for IPCOMP
    2012-10-04 18:30:40: DEBUG: reading config file /var/etc/racoon.conf
    2012-10-04 18:30:40: DEBUG2: lifetime = 86400
    2012-10-04 18:30:40: DEBUG2: lifebyte = 0
    2012-10-04 18:30:40: DEBUG2: encklen=0
    2012-10-04 18:30:40: DEBUG2: p:1 t:1
    2012-10-04 18:30:40: DEBUG2: 3DES-CBC(5)
    2012-10-04 18:30:40: DEBUG2: MD5(1)
    2012-10-04 18:30:40: DEBUG2: 1024-bit MODP group(2)
    2012-10-04 18:30:40: DEBUG2: pre-shared key(1)
    2012-10-04 18:30:40: DEBUG2:
    2012-10-04 18:30:40: DEBUG2: Etype mismatch: got 2, expected 4.
    2012-10-04 18:30:40: DEBUG: no check of compression algorithm; not supported in sadb message.
    2012-10-04 18:30:40: DEBUG: getsainfo params: loc='192.168.0.0/24' rmt='192.168.1.0/24' peer='NULL' client='NULL' id=1
    2012-10-04 18:30:40: DEBUG2: parse successed.
    2012-10-04 18:30:40: DEBUG: open /var/db/racoon/racoon.sock as racoon management.
    2012-10-04 18:30:40: INFO: 55.33.22.11[4500] used for NAT-T
    2012-10-04 18:30:40: INFO: 55.33.22.11[4500] used as isakmp port (fd=7)
    2012-10-04 18:30:40: INFO: 55.33.22.11[500] used for NAT-T
    2012-10-04 18:30:40: INFO: 55.33.22.11[500] used as isakmp port (fd=8)
    2012-10-04 18:30:40: DEBUG: pk_recv: retry[0] recv()
    2012-10-04 18:30:40: DEBUG: got pfkey X_SPDDUMP message
    2012-10-04 18:30:40: DEBUG2:
    02120000 0a000100 03000000 37860000 03000500 ff180000 10020000 0afefe00
    00000000 00000000 03000600 ff200000 10020000 0afefe03 00000000 00000000
    02001200 01000100 3e000000 00000000
    2012-10-04 18:30:40: DEBUG: pk_recv: retry[0] recv()
    2012-10-04 18:30:40: DEBUG: got pfkey X_SPDDUMP message
    2012-10-04 18:30:40: DEBUG2:
    02120000 0f000100 02000000 37860000 03000500 ff180000 10020000 0a000000
    00000000 00000000 03000600 ff180000 10020000 ac100000 00000000 00000000
    07001200 02000100 58000000 00000000 28003200 02034e40 10020000 5111414a
    00000000 00000000 10020000 5c2a7ec9 00000000 00000000
    2012-10-04 18:30:40: DEBUG: sub:0x7fffffffe330: 192.168.1.0/24[0] 192.168.0.0/24[0] proto=any dir=in
    2012-10-04 18:30:40: DEBUG: db :0x80163b610: 10.254.254.0/24[0] 10.254.254.3/32[0] proto=any dir=in
    2012-10-04 18:30:40: DEBUG: pk_recv: retry[0] recv()
    2012-10-04 18:30:40: DEBUG: got pfkey X_SPDDUMP message
    2012-10-04 18:30:40: DEBUG2:
    02120000 0a000100 01000000 37860000 03000500 ff200000 10020000 0afefe03
    00000000 00000000 03000600 ff180000 10020000 0afefe00 00000000 00000000
    02001200 01000200 3d000000 00000000
    2012-10-04 18:30:40: DEBUG: sub:0x7fffffffe330: 10.254.254.3/32[0] 10.254.254.0/24[0] proto=any dir=out
    2012-10-04 18:30:40: DEBUG: db :0x80163b610: 10.254.254.0/24[0] 10.254.254.3/32[0] proto=any dir=in
    2012-10-04 18:30:40: DEBUG: sub:0x7fffffffe330: 10.254.254.3/32[0] 10.254.254.0/24[0] proto=any dir=out
    2012-10-04 18:30:40: DEBUG: db :0x80163b790: 192.168.1.0/24[0] 192.168.0.0/24[0] proto=any dir=in
    2012-10-04 18:30:40: DEBUG: pk_recv: retry[0] recv()
    2012-10-04 18:30:40: DEBUG: got pfkey X_SPDDUMP message
    2012-10-04 18:30:40: DEBUG2:
    02120000 0f000100 00000000 37860000 03000500 ff180000 10020000 ac100000
    00000000 00000000 03000600 ff180000 10020000 0a000000 00000000 00000000
    07001200 02000200 57000000 00000000 28003200 02034d40 10020000 5c2a7ec9
    00000000 00000000 10020000 5111414a 00000000 00000000
    2012-10-04 18:30:40: DEBUG: sub:0x7fffffffe330: 192.168.0.0/24[0] 192.168.1.0/24[0] proto=any dir=out
    2012-10-04 18:30:40: DEBUG: db :0x80163b610: 10.254.254.0/24[0] 10.254.254.3/32[0] proto=any dir=in
    2012-10-04 18:30:40: DEBUG: sub:0x7fffffffe330: 192.168.0.0/24[0] 192.168.1.0/24[0] proto=any dir=out
    2012-10-04 18:30:40: DEBUG: db :0x80163b790: 192.168.1.0/24[0] 192.168.0.0/24[0] proto=any dir=in
    2012-10-04 18:30:40: DEBUG: sub:0x7fffffffe330: 192.168.0.0/24[0] 192.168.1.0/24[0] proto=any dir=out
    2012-10-04 18:30:40: DEBUG: db :0x80163b910: 10.254.254.3/32[0] 10.254.254.0/24[0] proto=any dir=out
    
    

    /var/etc/racoon.conf

    
    # This file is automatically generated. Do not edit
    path pre_shared_key "/var/etc/psk.txt";
    
    path certificate  "/var/etc";
    
    listen
    {
            adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
            isakmp 55.33.22.11 [500];
            isakmp_natt 55.33.22.11 [4500];
    }
    
    remote 66.33.22.11
    {
            ph1id 1;
            exchange_mode main;
            my_identifier address 55.33.22.11;
            peers_identifier address 66.33.22.11;
            ike_frag on;
            generate_policy = off;
            initial_contact = on;
            nat_traversal = off;
    
            dpd_delay = 10;
            dpd_maxfail = 5;
            support_proxy on;
            proposal_check claim;
    
            proposal
            {
                    authentication_method pre_shared_key;
                    encryption_algorithm 3des;
                    hash_algorithm md5;
                    dh_group 2;
                    lifetime time 86400 secs;
            }
    }
    
    sainfo subnet 192.168.0.0/24 any subnet 192.168.1.0/24 any
    {
            remoteid 1;
            encryption_algorithm 3des;
            authentication_algorithm hmac_md5;
    
            lifetime time 28800 secs;
            compression_algorithm deflate;
    }
    
    

  • Rebel Alliance Developer Netgate

    A tunnel will not try to connect unless some data tries to cross the tunnel. You can either try to send some traffic directly, or set a keep-alive IP in the Phase 2 settings, targeting an IP inside of the remote phase 2 network.
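    To make jimp's point checkable, here is an added example (not from the thread, pfSense or racoon): a script that reads a `racoon -d` dump like the one above, confirms the kernel SPD holds both directions of the configured sainfo pair, and reports whether racoon is simply idle (policies loaded, no ACQUIRE or phase 1 message yet, so it is waiting for matching traffic) or already negotiating. The log excerpts are constructed from the quoted output, the state labels are this script's own, and the negotiation marker strings are the messages racoon prints when a negotiation starts.

```python
import re

# Constructed excerpt modelled on the racoon -d output quoted above (not the full dump).
IDLE_LOG = """\
2012-10-04 18:30:40: DEBUG: getsainfo params: loc='192.168.0.0/24' rmt='192.168.1.0/24' peer='NULL' client='NULL' id=1
2012-10-04 18:30:40: INFO: 55.33.22.11[500] used as isakmp port (fd=8)
2012-10-04 18:30:40: DEBUG: got pfkey X_SPDDUMP message
2012-10-04 18:30:40: DEBUG: sub:0x7fffffffe330: 192.168.0.0/24[0] 192.168.1.0/24[0] proto=any dir=out
2012-10-04 18:30:40: DEBUG: db :0x80163b790: 192.168.1.0/24[0] 192.168.0.0/24[0] proto=any dir=in
2012-10-04 18:30:40: DEBUG: db :0x80163b910: 10.254.254.3/32[0] 10.254.254.0/24[0] proto=any dir=out
"""
# Constructed continuation: traffic hit the policy, the kernel sent an ACQUIRE and phase 1 began.
TRIGGERED_LOG = IDLE_LOG + """\
2012-10-04 18:35:02: DEBUG: got pfkey ACQUIRE message
2012-10-04 18:35:02: INFO: initiate new phase 1 negotiation: 55.33.22.11[500]<=>66.33.22.11[500]
"""

SPD_RE = re.compile(r"(?:sub|db ):0x[0-9a-f]+: (\S+)\[\d+\] (\S+)\[\d+\] proto=\S+ dir=(in|out)")
SAINFO_RE = re.compile(r"getsainfo params: loc='([^']+)' rmt='([^']+)'")
# Messages racoon logs only once a negotiation is actually underway.
NEGOTIATION_MARKERS = ("got pfkey ACQUIRE message", "new phase 1 negotiation", "ISAKMP-SA established")

def spd_policies(log):
    """Return (src, dst, dir) for every SPD entry racoon printed while dumping the kernel SPD."""
    return {(m.group(1), m.group(2), m.group(3)) for m in SPD_RE.finditer(log)}

def sainfo_pairs(log):
    """Return (local, remote) subnet pairs parsed from each sainfo block racoon loaded."""
    return {(m.group(1), m.group(2)) for m in SAINFO_RE.finditer(log)}

def diagnose(log):
    """Classify each configured phase 2 pair: missing kernel policy, idle, or negotiating."""
    policies = spd_policies(log)
    negotiating = any(marker in log for marker in NEGOTIATION_MARKERS)
    verdicts = {}
    for loc, rmt in sainfo_pairs(log):
        have_out = (loc, rmt, "out") in policies   # local -> remote
        have_in = (rmt, loc, "in") in policies     # remote -> local
        if not (have_out and have_in):
            state = "spd-policy-missing"           # sainfo loaded but kernel has no matching policy
        elif negotiating:
            state = "negotiating"
        else:
            state = "idle-waiting-for-traffic"     # nothing wrong: racoon waits for an ACQUIRE
        verdicts[f"{loc}<->{rmt}"] = state
    return verdicts

if __name__ == "__main__":
    print(diagnose(IDLE_LOG))       # {'192.168.0.0/24<->192.168.1.0/24': 'idle-waiting-for-traffic'}
    print(diagnose(TRIGGERED_LOG))  # {'192.168.0.0/24<->192.168.1.0/24': 'negotiating'}
```

An "idle-waiting-for-traffic" verdict is the situation in this thread: the policies are installed and racoon is listening, so the fix is to send traffic into the Phase 2 network or configure a keep-alive target there, not to change the proposal.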



  • Hi Jimp,

    Okay, that makes sense and you were correct. The keepalive didn't do anything, but pinging a system on the remote network did initiate the tunnel.

