    Site to site

    IPsec
stuff_and_things:

      http://pfsense.com/mirror.php?section=tutorials/mobile_ipsec/
      I followed this exactly.
      Both firewalls were installed from the same CD.
      Version pfSense-1.2-BETA-1-LiveCD-Installer.iso
      FreeBSD REMOTE1.local 6.2-RELEASE-p4 FreeBSD 6.2-RELEASE-p4 #0: Mon Apr 30 10:46:52 EDT 2007 sullrich@builder6.pfsense.com:/usr/obj.pfSense/usr/src/sys/pfSense.6 i386
      Both sides are on static addresses from different internet providers.
      I checked to confirm that both internet connections are unfiltered.
      Are there some sort of firewall rules that need to be added to allow
      the VPN to complete, or maybe I need to use a non-beta version?

cmb:

        Don't follow the mobile clients setup for site to site with both ends using static IPs. You just need to add an entry to the tunnels tab for both sides, matching all the settings on both sides other than the obvious ones that will differ (endpoint and subnet).

usuarioforum:

          Is the public IP on pfSense, or on a router in front of it?

stuff_and_things:

            @cmb:

            Don't follow the mobile clients setup for site to site with both ends using static IPs. You just need to add an entry to the tunnels tab for both sides, matching all the settings on both sides other than the obvious ones that will differ (endpoint and subnet).

            I re-installed with the non-beta iso.
            I will try this. What logs are useful in troubleshooting this?

stuff_and_things:

              @usuarioforum:

              Is the public IP on pfSense, or on a router in front of it?

              The public IP is on pfSense.

stuff_and_things:

                From the main location IPsec VPN log:

                Jun 22 10:49:28 racoon: INFO: fe80::280:adff:fe71:e7f5%dc0[500] used as isakmp port (fd=19)
                Jun 22 10:49:28 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
                Jun 22 10:49:28 racoon: INFO: xxx.xxx.xxx.xxx [500] used as isakmp port (fd=18)
                Jun 22 10:49:28 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
                Jun 22 10:49:28 racoon: INFO: 192.168.1.1[500] used as isakmp port (fd=17)
                Jun 22 10:49:28 racoon: INFO: fe80::201:3ff:fecf:455e%xl0[500] used as isakmp port (fd=16)
                Jun 22 10:49:28 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
                Jun 22 10:49:28 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
                Jun 22 10:49:28 racoon: INFO: ::1[500] used as isakmp port (fd=14)
                Jun 22 10:49:28 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=13)
                Jun 22 10:49:28 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
                Jun 22 10:49:28 racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
                Jun 22 10:49:27 racoon: INFO: racoon shutdown
                Jun 22 10:49:26 racoon: INFO: caught signal 15
                Jun 22 10:48:07 racoon: INFO: fe80::280:adff:fe71:e7f5%dc0[500] used as isakmp port (fd=19)
                Jun 22 10:48:07 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
                Jun 22 10:48:07 racoon: INFO: xxx.xxx.xxx.xxx [500] used as isakmp port (fd=18)
                Jun 22 10:48:07 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
                Jun 22 10:48:07 racoon: INFO: 192.168.1.1[500] used as isakmp port (fd=17)
                Jun 22 10:48:07 racoon: INFO: fe80::201:3ff:fecf:455e%xl0[500] used as isakmp port (fd=16)
                Jun 22 10:48:07 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
                Jun 22 10:48:07 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
                Jun 22 10:48:07 racoon: INFO: ::1[500] used as isakmp port (fd=14)
                Jun 22 10:48:07 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=13)
                Jun 22 10:48:05 racoon: INFO: fe80::280:adff:fe71:e7f5%dc0[500] used as isakmp port (fd=19)
                Jun 22 10:48:05 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
                Jun 22 10:48:05 racoon: INFO: xxx.xxx.xxx.xxx [500] used as isakmp port (fd=18)
                Jun 22 10:48:05 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
                Jun 22 10:48:05 racoon: INFO: 192.168.1.1[500] used as isakmp port (fd=17)
                Jun 22 10:48:05 racoon: INFO: fe80::201:3ff:fecf:455e%xl0[500] used as isakmp port (fd=16)
                Jun 22 10:48:05 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
                Jun 22 10:48:05 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=15)

                From the remote site 2 IPsec VPN log:

                Jun 22 17:43:34 racoon: INFO: delete phase 2 handler.
                Jun 22 17:43:34 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP xxx.xxx.xxx.xxx[500]->xxx.xxx.xxx.xxx[500]
                Jun 22 17:43:03 racoon: INFO: begin Aggressive mode.
                Jun 22 17:43:03 racoon: INFO: initiate new phase 1 negotiation: xxx.xxx.xxx.xxx [500]<=>xxx.xxx.xxx.xxx [500]
                Jun 22 17:43:03 racoon: INFO: IPsec-SA request for xxx.xxx.xxx.xxx queued due to no phase1 found.
                Jun 22 17:36:14 racoon: ERROR: such policy already exists. anyway replace it: 192.168.10.1/32[0] 192.168.10.0/24[0] proto=any dir=out
                Jun 22 17:36:14 racoon: ERROR: such policy already exists. anyway replace it: 192.168.10.0/24[0] 192.168.10.1/32[0] proto=any dir=in
                Jun 22 17:36:14 racoon: INFO: fe80::2c0:26ff:fe80:ed37%ed0[500] used as isakmp port (fd=19)
                Jun 22 17:36:14 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
                Jun 22 17:36:14 racoon: INFO: 192.168.10.1[500] used as isakmp port (fd=18)
                Jun 22 17:36:14 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
                Jun 22 17:36:14 racoon: INFO: xxx.xxx.xxx.xxx [500] used as isakmp port (fd=17)
                Jun 22 17:36:14 racoon: INFO: fe80::20f:1fff:fe46:173a%bfe0[500] used as isakmp port (fd=16)
                Jun 22 17:36:14 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
                Jun 22 17:36:14 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
                Jun 22 17:36:14 racoon: INFO: ::1[500] used as isakmp port (fd=14)
                Jun 22 17:36:14 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=13)
                Jun 22 17:36:14 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
                Jun 22 17:36:14 racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
                Jun 22 17:36:13 racoon: INFO: racoon shutdown
                Jun 22 17:36:12 racoon: INFO: caught signal 15
                Jun 22 17:36:01 racoon: ERROR: such policy already exists. anyway replace it: 192.168.10.1/32[0] 192.168.10.0/24[0] proto=any dir=out
                Jun 22 17:36:01 racoon: ERROR: such policy already exists. anyway replace it: 192.168.10.0/24[0] 192.168.10.1/32[0] proto=any dir=in
                Jun 22 17:36:01 racoon: INFO: fe80::2c0:26ff:fe80:ed37%ed0[500] used as isakmp port (fd=19)
                Jun 22 17:36:01 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
                Jun 22 17:36:01 racoon: INFO: 192.168.10.1[500] used as isakmp port (fd=18)
                Jun 22 17:36:01 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
                Jun 22 17:36:01 racoon: INFO: xxx.xxx.xxx.xxx [500] used as isakmp port (fd=17)
                Jun 22 17:36:01 racoon: INFO: fe80::20f:1fff:fe46:173a%bfe0[500] used as isakmp port (fd=16)
                Jun 22 17:36:01 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
                Jun 22 17:36:01 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
                Jun 22 17:36:01 racoon: INFO: ::1[500] used as isakmp port (fd=14)
                Jun 22 17:36:01 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=13)
                Jun 22 17:36:01 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
                Jun 22 17:36:01 racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
                Jun 22 17:36:00 racoon: INFO: racoon shutdown
                Jun 22 17:35:59 racoon: INFO: caught signal 15

                Neither side is able to access anything on the remotes, or vice versa.
                I understand that I will not be able to ping the LAN interface of the
                pfSense device.
                These are both fresh installs of pfSense-1.0.1-LiveCD-Installer.iso.
                Is there a how-to on setting up static remotes?

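The remote-site log above already says what is wrong: an IPsec-SA request is queued, phase 1 is initiated (in aggressive mode), and then phase 2 fails "due to time up waiting for phase1", meaning the other end never answered. The repeated UDP_ENCAP_ESPINUDP_NON_IKE warnings and "such policy already exists" errors are noise. The script below is an added example (it is not from this thread or from pfSense) that turns those racoon messages into a short triage report; the sample lines are constructed to mirror the posted log, with the masked addresses replaced by RFC 5737 documentation addresses. It also flags the aggressive-mode line, because with pre-shared keys that mode sends the identity hash unencrypted and main mode is available when both ends have static addresses.

```python
"""Triage of racoon (ipsec-tools) log lines from a failing site-to-site tunnel.

Added example, not code from the thread or from pfSense. SAMPLE_LOG is
constructed to mirror the remote-site log posted above.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Jun 22 17:43:34 racoon: INFO: delete phase 2 handler.
Jun 22 17:43:34 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 203.0.113.10[500]->198.51.100.20[500]
Jun 22 17:43:03 racoon: INFO: begin Aggressive mode.
Jun 22 17:43:03 racoon: INFO: initiate new phase 1 negotiation: 203.0.113.10[500]<=>198.51.100.20[500]
Jun 22 17:43:03 racoon: INFO: IPsec-SA request for 198.51.100.20 queued due to no phase1 found.
Jun 22 17:36:14 racoon: ERROR: such policy already exists. anyway replace it: 192.168.10.1/32[0] 192.168.10.0/24[0] proto=any dir=out
Jun 22 17:36:14 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Jun 22 17:36:14 racoon: INFO: 203.0.113.10[500] used as isakmp port (fd=17)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) racoon: "
    r"(?P<level>INFO|WARNING|ERROR|NOTIFY|DEBUG): (?P<msg>.*)$"
)
PEER_RE = re.compile(
    r"phase 1 negotiation: (?P<local>[\d.]+)\[\d+\]<=>(?P<remote>[\d.]+)\[\d+\]"
)

# (regex on the message, finding key, what a practitioner should take from it)
RULES = [
    (r"time up waiting for phase1", "phase1_timeout",
     "Phase 1 never completed, usually because the peer did not reply at all. "
     "Check the remote gateway address, that UDP/500 and ESP (IP protocol 50) "
     "are allowed in on the WAN of both firewalls, and that the phase 1 "
     "proposal and pre-shared key match."),
    (r"begin Aggressive mode", "aggressive_mode",
     "IKEv1 aggressive mode: with PSK authentication the identity hash goes "
     "over the wire unencrypted and can be attacked offline. With static "
     "addresses on both ends, main mode is the better choice."),
    (r"ISAKMP-SA established", "phase1_ok", "Phase 1 completed."),
    (r"IPsec-SA established", "phase2_ok", "Phase 2 completed; the tunnel is up."),
    (r"queued due to no phase1 found", "sa_request_queued",
     "Traffic matched the security policy and triggered IKE; only a problem "
     "if phase 1 then fails."),
    (r"such policy already exists", "duplicate_spd",
     "Security policy reloaded over an existing one; harmless."),
    (r"UDP_ENCAP_ESPINUDP_NON_IKE", "no_natt",
     "The kernel rejects the NAT-T socket option; irrelevant when neither "
     "endpoint is behind NAT."),
]


def parse_line(line):
    """Split one syslog-style racoon line into (timestamp, level, message), or None."""
    m = LINE_RE.match(line.strip())
    return (m.group("ts"), m.group("level"), m.group("msg")) if m else None


def triage(log_text):
    """Count log levels, pick out the peer pair and match every known message."""
    findings = {}            # key -> [count, explanation]
    levels = Counter()
    peers = None
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        _, level, msg = parsed
        levels[level] += 1
        m = PEER_RE.search(msg)
        if m:
            peers = (m.group("local"), m.group("remote"))
        for pattern, key, why in RULES:
            if re.search(pattern, msg):
                findings.setdefault(key, [0, why])[0] += 1
    return {"findings": findings, "peers": peers, "levels": dict(levels)}


def verdict(result):
    """The first thing to fix, as a short tag."""
    f = result["findings"]
    if "phase1_timeout" in f:
        return "phase1-timeout"
    if "phase2_ok" in f:
        return "tunnel-up"
    if "phase1_ok" in f:
        return "phase1-only"
    if "sa_request_queued" in f:
        return "negotiating"
    return "no-negotiation"


def report(result):
    """Human-readable summary of triage()."""
    lines = [f"verdict: {verdict(result)}", f"levels: {result['levels']}"]
    if result["peers"]:
        lines.append("initiator %s -> responder %s" % result["peers"])
    for key, (count, why) in result["findings"].items():
        lines.append(f"[{key} x{count}] {why}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

Run it against a copy of the IPsec log from Status: System logs on the initiating side; a "phase1-timeout" verdict with no matching negotiation on the other side's log means the IKE packets are not arriving at all, which is a WAN rule or endpoint-address problem rather than a proposal mismatch.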
stuff_and_things:

                  @cmb:

                  Don't follow the mobile clients setup for site to site with both ends using static IPs. You just need to add an entry to the tunnels tab for both sides, matching all the settings on both sides other than the obvious ones that will differ (endpoint and subnet).

                  Okay, maybe I'm stupid, but what you're saying is to add tunnels under the VPN: IPsec
                  area at the main location for each remote? Right?
                  Then add tunnels at each remote for each of the other sites, all in VPN: IPsec?
                  All sites with the same pre-shared keys? Right?
                  LANs of sites:
                  Main location
                  192.168.1.0/24
                  Remotes
                  192.168.10.0/24
                  192.168.11.0/24

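To make cmb's "matching all the settings on both sides other than endpoint and subnet" concrete for the three LANs listed above, here is an added example (not pfSense code, and not from any poster) that builds the hub-and-spoke tunnel entries as they would be filled in on each site's VPN: IPsec tab and then checks that each pair of entries mirrors correctly. The public endpoint addresses, the field names and the proposal values are assumptions; the LAN subnets are the ones in the post. It also answers the "same pre-shared keys?" question the way a practitioner would: one random key per hub-spoke pair, so a compromised remote cannot impersonate the others to the main site.

```python
"""Mirrored site-to-site IPsec tunnel entries for a hub and two spokes.

Added example; not pfSense code. Endpoint addresses (RFC 5737 documentation
ranges), field names and proposal values are assumptions. LAN subnets are
the ones listed in the thread.
"""
from dataclasses import dataclass
import ipaddress
import secrets


@dataclass(frozen=True)
class Site:
    name: str
    endpoint: str   # public WAN address (assumed)
    lan: str        # LAN subnet behind the firewall


# Phase 1 and phase 2 settings shared by both ends of every tunnel. Main mode
# rather than aggressive: with static addresses on both ends there is no reason
# to send the PSK-derived identity hash unencrypted.
PROPOSAL = {
    "ike_mode": "main",
    "p1_encryption": "aes256",
    "p1_hash": "sha1",
    "p1_dh_group": 2,
    "p1_lifetime": 28800,
    "p2_protocol": "esp",
    "p2_encryption": "aes256",
    "p2_hash": "hmac_sha1",
    "p2_pfs_group": 2,
    "p2_lifetime": 3600,
}

HUB = Site("main", "203.0.113.10", "192.168.1.0/24")
SPOKES = [
    Site("remote1", "198.51.100.20", "192.168.10.0/24"),
    Site("remote2", "198.51.100.30", "192.168.11.0/24"),
]


def tunnel_entry(local, remote, psk):
    """The tunnel as entered on `local`'s VPN: IPsec tab, pointing at `remote`."""
    return {
        "local_subnet": local.lan,
        "remote_gateway": remote.endpoint,
        "remote_subnet": remote.lan,
        "psk": psk,
        **PROPOSAL,
    }


def build_hub_and_spoke(hub, spokes, psks):
    """Entries per site: the hub gets one per spoke, each spoke one for the hub.

    psks maps spoke name -> pre-shared key. One key per pair rather than one
    key everywhere, so a compromised spoke cannot impersonate the others.
    """
    entries = {hub.name: [], **{s.name: [] for s in spokes}}
    for s in spokes:
        entries[hub.name].append(tunnel_entry(hub, s, psks[s.name]))
        entries[s.name].append(tunnel_entry(s, hub, psks[s.name]))
    return entries


def mirror_mismatches(a, b):
    """Reasons why entry a (one end) and entry b (the other end) would not negotiate.

    Only the gateway and the subnets may differ, and the subnets must cross over.
    """
    problems = []
    if a["remote_subnet"] != b["local_subnet"] or b["remote_subnet"] != a["local_subnet"]:
        problems.append("subnets do not cross over")
    for key in PROPOSAL:
        if a[key] != b[key]:
            problems.append(f"{key}: {a[key]!r} != {b[key]!r}")
    if a["psk"] != b["psk"]:
        problems.append("pre-shared keys differ")
    return problems


def lan_overlaps(sites):
    """Pairs of sites whose LANs overlap; traffic selectors must be unambiguous."""
    nets = [(s.name, ipaddress.ip_network(s.lan)) for s in sites]
    return [(a, b) for i, (a, na) in enumerate(nets)
            for b, nb in nets[i + 1:] if na.overlaps(nb)]


def new_psk():
    """A random 256-bit pre-shared key, hex encoded; not guessable by dictionary."""
    return secrets.token_hex(32)


if __name__ == "__main__":
    psks = {s.name: new_psk() for s in SPOKES}
    entries = build_hub_and_spoke(HUB, SPOKES, psks)
    print("overlapping LANs:", lan_overlaps([HUB] + SPOKES))
    for s, hub_entry in zip(SPOKES, entries[HUB.name]):
        problems = mirror_mismatches(hub_entry, entries[s.name][0])
        print(f"{HUB.name} <-> {s.name}: {'OK' if not problems else problems}")
```

Spoke-to-spoke traffic is not covered by these entries; either add a third tunnel between the remotes or route it through the hub with a phase 2 whose selectors include the other remote's LAN.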
stuff_and_things:

                    Okay, now the sites are working.
                    Now I'm going to try and add an
                    Adtran NetVanta 2300 and a
                    Cisco 2600 into the mix.
                    Looks like the Adtran will not support Blowfish encryption.
