Netgate Discussion Forum

    IPsec Doesn't connect … with no error

    ben_uk:

      Hi Guys,

      I'm trying to establish a VPN connection between a pfSense 2.0.1 box and a D-Link router. But after starting the IPsec service on the pfSense box, it doesn't appear to do anything.

      I did a packet dump on both WAN and IPsec interfaces and there were no packets at all. On the IPsec status page, it just shows as amber with an X.

      It is as if it doesn't bother starting at all. Am I missing something here?

      racoon -d -v -F -f /var/etc/racoon.conf

      
      2012-10-04 18:30:40: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
      2012-10-04 18:30:40: INFO: @(#)This product linked OpenSSL 0.9.8n 24 Mar 2010 (http://www.openssl.org/)
      2012-10-04 18:30:40: INFO: Reading configuration from "/var/etc/racoon.conf"
      2012-10-04 18:30:40: DEBUG: call pfkey_send_register for AH
      2012-10-04 18:30:40: DEBUG: call pfkey_send_register for ESP
      2012-10-04 18:30:40: DEBUG: call pfkey_send_register for IPCOMP
      2012-10-04 18:30:40: DEBUG: reading config file /var/etc/racoon.conf
      2012-10-04 18:30:40: DEBUG2: lifetime = 86400
      2012-10-04 18:30:40: DEBUG2: lifebyte = 0
      2012-10-04 18:30:40: DEBUG2: encklen=0
      2012-10-04 18:30:40: DEBUG2: p:1 t:1
      2012-10-04 18:30:40: DEBUG2: 3DES-CBC(5)
      2012-10-04 18:30:40: DEBUG2: MD5(1)
      2012-10-04 18:30:40: DEBUG2: 1024-bit MODP group(2)
      2012-10-04 18:30:40: DEBUG2: pre-shared key(1)
      2012-10-04 18:30:40: DEBUG2:
      2012-10-04 18:30:40: DEBUG2: Etype mismatch: got 2, expected 4.
      2012-10-04 18:30:40: DEBUG: no check of compression algorithm; not supported in sadb message.
      2012-10-04 18:30:40: DEBUG: getsainfo params: loc='192.168.0.0/24' rmt='192.168.1.0/24' peer='NULL' client='NULL' id=1
      2012-10-04 18:30:40: DEBUG2: parse successed.
      2012-10-04 18:30:40: DEBUG: open /var/db/racoon/racoon.sock as racoon management.
      2012-10-04 18:30:40: INFO: 55.33.22.11[4500] used for NAT-T
      2012-10-04 18:30:40: INFO: 55.33.22.11[4500] used as isakmp port (fd=7)
      2012-10-04 18:30:40: INFO: 55.33.22.11[500] used for NAT-T
      2012-10-04 18:30:40: INFO: 55.33.22.11[500] used as isakmp port (fd=8)
      2012-10-04 18:30:40: DEBUG: pk_recv: retry[0] recv()
      2012-10-04 18:30:40: DEBUG: got pfkey X_SPDDUMP message
      2012-10-04 18:30:40: DEBUG2:
      02120000 0a000100 03000000 37860000 03000500 ff180000 10020000 0afefe00
      00000000 00000000 03000600 ff200000 10020000 0afefe03 00000000 00000000
      02001200 01000100 3e000000 00000000
      2012-10-04 18:30:40: DEBUG: pk_recv: retry[0] recv()
      2012-10-04 18:30:40: DEBUG: got pfkey X_SPDDUMP message
      2012-10-04 18:30:40: DEBUG2:
      02120000 0f000100 02000000 37860000 03000500 ff180000 10020000 0a000000
      00000000 00000000 03000600 ff180000 10020000 ac100000 00000000 00000000
      07001200 02000100 58000000 00000000 28003200 02034e40 10020000 5111414a
      00000000 00000000 10020000 5c2a7ec9 00000000 00000000
      2012-10-04 18:30:40: DEBUG: sub:0x7fffffffe330: 192.168.1.0/24[0] 192.168.0.0/24[0] proto=any dir=in
      2012-10-04 18:30:40: DEBUG: db :0x80163b610: 10.254.254.0/24[0] 10.254.254.3/32[0] proto=any dir=in
      2012-10-04 18:30:40: DEBUG: pk_recv: retry[0] recv()
      2012-10-04 18:30:40: DEBUG: got pfkey X_SPDDUMP message
      2012-10-04 18:30:40: DEBUG2:
      02120000 0a000100 01000000 37860000 03000500 ff200000 10020000 0afefe03
      00000000 00000000 03000600 ff180000 10020000 0afefe00 00000000 00000000
      02001200 01000200 3d000000 00000000
      2012-10-04 18:30:40: DEBUG: sub:0x7fffffffe330: 10.254.254.3/32[0] 10.254.254.0/24[0] proto=any dir=out
      2012-10-04 18:30:40: DEBUG: db :0x80163b610: 10.254.254.0/24[0] 10.254.254.3/32[0] proto=any dir=in
      2012-10-04 18:30:40: DEBUG: sub:0x7fffffffe330: 10.254.254.3/32[0] 10.254.254.0/24[0] proto=any dir=out
      2012-10-04 18:30:40: DEBUG: db :0x80163b790: 192.168.1.0/24[0] 192.168.0.0/24[0] proto=any dir=in
      2012-10-04 18:30:40: DEBUG: pk_recv: retry[0] recv()
      2012-10-04 18:30:40: DEBUG: got pfkey X_SPDDUMP message
      2012-10-04 18:30:40: DEBUG2:
      02120000 0f000100 00000000 37860000 03000500 ff180000 10020000 ac100000
      00000000 00000000 03000600 ff180000 10020000 0a000000 00000000 00000000
      07001200 02000200 57000000 00000000 28003200 02034d40 10020000 5c2a7ec9
      00000000 00000000 10020000 5111414a 00000000 00000000
      2012-10-04 18:30:40: DEBUG: sub:0x7fffffffe330: 192.168.0.0/24[0] 192.168.1.0/24[0] proto=any dir=out
      2012-10-04 18:30:40: DEBUG: db :0x80163b610: 10.254.254.0/24[0] 10.254.254.3/32[0] proto=any dir=in
      2012-10-04 18:30:40: DEBUG: sub:0x7fffffffe330: 192.168.0.0/24[0] 192.168.1.0/24[0] proto=any dir=out
      2012-10-04 18:30:40: DEBUG: db :0x80163b790: 192.168.1.0/24[0] 192.168.0.0/24[0] proto=any dir=in
      2012-10-04 18:30:40: DEBUG: sub:0x7fffffffe330: 192.168.0.0/24[0] 192.168.1.0/24[0] proto=any dir=out
      2012-10-04 18:30:40: DEBUG: db :0x80163b910: 10.254.254.3/32[0] 10.254.254.0/24[0] proto=any dir=out
      
      

      /var/etc/racoon.conf

      
      # This file is automatically generated. Do not edit
      path pre_shared_key "/var/etc/psk.txt";
      
      path certificate  "/var/etc";
      
      listen
      {
              adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
              isakmp 55.33.22.11 [500];
              isakmp_natt 55.33.22.11 [4500];
      }
      
      remote 66.33.22.11
      {
              ph1id 1;
              exchange_mode main;
              my_identifier address 55.33.22.11;
              peers_identifier address 66.33.22.11;
              ike_frag on;
              generate_policy = off;
              initial_contact = on;
              nat_traversal = off;
      
              dpd_delay = 10;
              dpd_maxfail = 5;
              support_proxy on;
              proposal_check claim;
      
              proposal
              {
                      authentication_method pre_shared_key;
                      encryption_algorithm 3des;
                      hash_algorithm md5;
                      dh_group 2;
                      lifetime time 86400 secs;
              }
      }
      
      sainfo subnet 192.168.0.0/24 any subnet 192.168.1.0/24 any
      {
              remoteid 1;
              encryption_algorithm 3des;
              authentication_algorithm hmac_md5;
      
              lifetime time 28800 secs;
              compression_algorithm deflate;
      }
      
      
      jimp (Rebel Alliance Developer, Netgate):

        A tunnel will not try to connect unless some data tries to cross the tunnel. You can either try to send some traffic directly, or set a keep-alive IP in the Phase 2 settings, targeting an IP inside of the remote phase 2 network.

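        An added example, not from this thread nor from pfSense or racoon: it reads the kind of `racoon -d -v -F` output posted above, confirms the daemon bound its ISAKMP ports and loaded kernel SPD policies matching the `sainfo` block, and, finding no phase 1 exchange in the log, reports the on-demand state jimp describes. The log excerpt is constructed from the first post; the phase 1 marker strings are the ones racoon logs when a negotiation actually starts.

```python
import re

# Constructed excerpt of the racoon -d -v -F log and of /var/etc/racoon.conf
# from the post above (addresses as the poster wrote them).
RACOON_LOG = """\
2012-10-04 18:30:40: INFO: 55.33.22.11[4500] used as isakmp port (fd=7)
2012-10-04 18:30:40: INFO: 55.33.22.11[500] used as isakmp port (fd=8)
2012-10-04 18:30:40: DEBUG: sub:0x7fffffffe330: 192.168.1.0/24[0] 192.168.0.0/24[0] proto=any dir=in
2012-10-04 18:30:40: DEBUG: db :0x80163b610: 10.254.254.0/24[0] 10.254.254.3/32[0] proto=any dir=in
2012-10-04 18:30:40: DEBUG: sub:0x7fffffffe330: 192.168.0.0/24[0] 192.168.1.0/24[0] proto=any dir=out
2012-10-04 18:30:40: DEBUG: db :0x80163b910: 10.254.254.3/32[0] 10.254.254.0/24[0] proto=any dir=out
"""
RACOON_CONF = "sainfo subnet 192.168.0.0/24 any subnet 192.168.1.0/24 any"

LISTEN_RE = re.compile(r"INFO: (\S+)\[(\d+)\] used as isakmp port")
# racoon prints both the policy being added ("sub:") and the ones already held ("db :")
SPD_RE = re.compile(r"(?:sub|db) ?:0x[0-9a-f]+: (\S+)\[\d+\] (\S+)\[\d+\] proto=\S+ dir=(in|out)")
SAINFO_RE = re.compile(r"sainfo subnet (\S+) any subnet (\S+) any")
# Strings racoon logs when an ISAKMP phase 1 exchange actually begins
PHASE1_MARKERS = ("initiate new phase 1 negotiation", "respond new phase 1 negotiation")


def parse_racoon_log(log):
    """Return ISAKMP listeners, the loaded SPD as (src, dst, dir) and whether phase 1 began."""
    listeners = {(m.group(1), int(m.group(2))) for m in LISTEN_RE.finditer(log)}
    spd = {(m.group(1), m.group(2), m.group(3)) for m in SPD_RE.finditer(log)}
    phase1 = any(marker in log for marker in PHASE1_MARKERS)
    return listeners, spd, phase1


def sainfo_policies_present(conf, spd):
    """True when every sainfo pair has both its outbound and inbound SPD policy loaded."""
    for local, remote in SAINFO_RE.findall(conf):
        if (local, remote, "out") not in spd or (remote, local, "in") not in spd:
            return False
    return True


def diagnose(log, conf):
    """Classify why the tunnel shows no traffic; returns a state code, not a fix."""
    listeners, spd, phase1 = parse_racoon_log(log)
    if not listeners:
        return "not-listening"        # racoon never bound UDP 500/4500
    if not sainfo_policies_present(conf, spd):
        return "policy-missing"       # kernel SPD does not match the sainfo block
    if not phase1:
        return "waiting-for-traffic"  # daemon idle until a packet matches an SPD policy
    return "negotiating"


if __name__ == "__main__":
    print(diagnose(RACOON_LOG, RACOON_CONF))  # waiting-for-traffic
```

        A "waiting-for-traffic" result is exactly the state in the first post: ports bound, policies loaded, nothing on the wire until something matches 192.168.0.0/24 to 192.168.1.0/24.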
        ben_uk:

          Hi Jimp,

          Okay that makes sense and you were correct. The keepalive didn't do anything, but pinging a system on the remote network did initiate the tunnel.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.