Site to site
-
http://pfsense.com/mirror.php?section=tutorials/mobile_ipsec/
I followed this exactly.
Both firewalls were installed from the same CD.
Version pfSense-1.2-BETA-1-LiveCD-Installer.iso
FreeBSD REMOTE1.local 6.2-RELEASE-p4 FreeBSD 6.2-RELEASE-p4
#0: Mon Apr 30 10:46:52 EDT 2007
sullrich@builder6.pfsense.com:/usr/obj.pfSense/usr/src/sys/pfSense.6 i386
Both sides are on static addresses from different internet providers.
I checked to confirm that both internet connections are unfiltered.
Are there some sort of firewall rules that need to be added to allow
the VPN to complete, or maybe I need to use a non-beta version? -
Don't follow the mobile clients setup for site to site with both ends using static IP's. You just need to add an entry to the tunnels tab for both sides, matching all the settings on both sides other than the obvious ones that will differ (endpoint and subnet).
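cmb's rule above (everything identical on both ends except the endpoint and the subnet, which swap places) can be checked mechanically before looking at any log. The script below is an added example, not pfSense code: the dictionary keys are labels chosen here for the fields on the VPN: IPsec tunnels tab, not pfSense's own field names, and the public addresses and pre-shared key are constructed placeholders.

```python
import ipaddress

# Which field on the far side each side-specific field must mirror. These key
# names are labels chosen for this example, not pfSense's own field names.
MIRRORED = {
    'local_gateway': 'remote_gateway',
    'remote_gateway': 'local_gateway',
    'local_subnet': 'remote_subnet',
    'remote_subnet': 'local_subnet',
}

# Constructed sample: the main site and one remote from this thread, using
# documentation-range public addresses and a placeholder pre-shared key.
MAIN = {
    'local_gateway': '203.0.113.10', 'remote_gateway': '198.51.100.20',
    'local_subnet': '192.168.1.0/24', 'remote_subnet': '192.168.10.0/24',
    'phase1_mode': 'main', 'phase1_encryption': 'blowfish', 'phase1_hash': 'sha1',
    'dh_group': 2, 'phase1_lifetime': 28800, 'psk': 'PLACEHOLDER-PSK',
    'phase2_encryption': 'blowfish', 'phase2_hash': 'sha1', 'pfs_group': 2,
    'phase2_lifetime': 3600,
}
# The remote mirrors MAIN except for one deliberate slip, constructed to match
# the symptom in this thread: phase 1 was left in aggressive mode.
REMOTE = dict(MAIN,
              local_gateway='198.51.100.20', remote_gateway='203.0.113.10',
              local_subnet='192.168.10.0/24', remote_subnet='192.168.1.0/24',
              phase1_mode='aggressive')


def validate_side(name, side):
    """Sanity-check one endpoint's own addresses; returns a list of problems."""
    problems = []
    for key in ('local_gateway', 'remote_gateway'):
        try:
            ipaddress.ip_address(side[key])
        except (KeyError, ValueError):
            problems.append(f'{name}: {key} is not a valid IP address: {side.get(key)!r}')
    for key in ('local_subnet', 'remote_subnet'):
        try:
            # strict=True rejects "192.168.10.1/24" (host bits set), a common typo
            ipaddress.ip_network(side[key], strict=True)
        except (KeyError, ValueError):
            problems.append(f'{name}: {key} is not a valid network (host bits set?): {side.get(key)!r}')
    return problems


def check_tunnel_pair(a, b):
    """Return every way two tunnel definitions fail to be mirror images."""
    problems = validate_side('A', a) + validate_side('B', b)
    # Endpoint and subnet fields must cross over between the two sides.
    for key, mirror in MIRRORED.items():
        if a.get(key) != b.get(mirror):
            problems.append(f'{key} on A ({a.get(key)!r}) must equal {mirror} on B ({b.get(mirror)!r})')
    # Every other field (mode, proposals, lifetimes, PSK) must be identical.
    for key in sorted((set(a) | set(b)) - set(MIRRORED)):
        if a.get(key) != b.get(key):
            problems.append(f'{key} differs: A={a.get(key)!r} B={b.get(key)!r}')
    return problems


if __name__ == '__main__':
    for problem in check_tunnel_pair(MAIN, REMOTE) or ['tunnel definitions match']:
        print(problem)
```

Run it against the two dictionaries you have actually typed into each firewall; an empty result means the only remaining variables are connectivity and the firewall rules in front of UDP 500, which the logs on both sides will then show.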
-
Is the public IP on pfsense, or on a router in front of it?
-
@cmb:
Don't follow the mobile clients setup for site to site with both ends using static IP's. You just need to add an entry to the tunnels tab for both sides, matching all the settings on both sides other than the obvious ones that will differ (endpoint and subnet).
I re-installed with the non-beta iso.
I will try this. What logs are useful in troubleshooting this? -
-
From main location ipsec vpn log
Jun 22 10:49:28 racoon: INFO: fe80::280:adff:fe71:e7f5%dc0[500] used as isakmp port (fd=19)
Jun 22 10:49:28 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Jun 22 10:49:28 racoon: INFO: xxx.xxx.xxx.xxx [500] used as isakmp port (fd=18)
Jun 22 10:49:28 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Jun 22 10:49:28 racoon: INFO: 192.168.1.1[500] used as isakmp port (fd=17)
Jun 22 10:49:28 racoon: INFO: fe80::201:3ff:fecf:455e%xl0[500] used as isakmp port (fd=16)
Jun 22 10:49:28 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Jun 22 10:49:28 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
Jun 22 10:49:28 racoon: INFO: ::1[500] used as isakmp port (fd=14)
Jun 22 10:49:28 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=13)
Jun 22 10:49:28 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
Jun 22 10:49:28 racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
Jun 22 10:49:27 racoon: INFO: racoon shutdown
Jun 22 10:49:26 racoon: INFO: caught signal 15
Jun 22 10:48:07 racoon: INFO: fe80::280:adff:fe71:e7f5%dc0[500] used as isakmp port (fd=19)
Jun 22 10:48:07 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Jun 22 10:48:07 racoon: INFO: xxx.xxx.xxx.xxx [500] used as isakmp port (fd=18)
Jun 22 10:48:07 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Jun 22 10:48:07 racoon: INFO: 192.168.1.1[500] used as isakmp port (fd=17)
Jun 22 10:48:07 racoon: INFO: fe80::201:3ff:fecf:455e%xl0[500] used as isakmp port (fd=16)
Jun 22 10:48:07 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Jun 22 10:48:07 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
Jun 22 10:48:07 racoon: INFO: ::1[500] used as isakmp port (fd=14)
Jun 22 10:48:07 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=13)
Jun 22 10:48:05 racoon: INFO: fe80::280:adff:fe71:e7f5%dc0[500] used as isakmp port (fd=19)
Jun 22 10:48:05 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Jun 22 10:48:05 racoon: INFO: xxx.xxx.xxx.xxx [500] used as isakmp port (fd=18)
Jun 22 10:48:05 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Jun 22 10:48:05 racoon: INFO: 192.168.1.1[500] used as isakmp port (fd=17)
Jun 22 10:48:05 racoon: INFO: fe80::201:3ff:fecf:455e%xl0[500] used as isakmp port (fd=16)
Jun 22 10:48:05 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Jun 22 10:48:05 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
From remote site 2 ipsec vpn log
Jun 22 17:43:34 racoon: INFO: delete phase 2 handler.
Jun 22 17:43:34 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP xxx.xxx.xxx.xxx[500]->xxx.xxx.xxx.xxx[500]
Jun 22 17:43:03 racoon: INFO: begin Aggressive mode.
Jun 22 17:43:03 racoon: INFO: initiate new phase 1 negotiation: xxx.xxx.xxx.xxx [500]<=>xxx.xxx.xxx.xxx [500]
Jun 22 17:43:03 racoon: INFO: IPsec-SA request for xxx.xxx.xxx.xxx queued due to no phase1 found.
Jun 22 17:36:14 racoon: ERROR: such policy already exists. anyway replace it: 192.168.10.1/32[0] 192.168.10.0/24[0] proto=any dir=out
Jun 22 17:36:14 racoon: ERROR: such policy already exists. anyway replace it: 192.168.10.0/24[0] 192.168.10.1/32[0] proto=any dir=in
Jun 22 17:36:14 racoon: INFO: fe80::2c0:26ff:fe80:ed37%ed0[500] used as isakmp port (fd=19)
Jun 22 17:36:14 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Jun 22 17:36:14 racoon: INFO: 192.168.10.1[500] used as isakmp port (fd=18)
Jun 22 17:36:14 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Jun 22 17:36:14 racoon: INFO: xxx.xxx.xxx.xxx [500] used as isakmp port (fd=17)
Jun 22 17:36:14 racoon: INFO: fe80::20f:1fff:fe46:173a%bfe0[500] used as isakmp port (fd=16)
Jun 22 17:36:14 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Jun 22 17:36:14 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
Jun 22 17:36:14 racoon: INFO: ::1[500] used as isakmp port (fd=14)
Jun 22 17:36:14 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=13)
Jun 22 17:36:14 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
Jun 22 17:36:14 racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
Jun 22 17:36:13 racoon: INFO: racoon shutdown
Jun 22 17:36:12 racoon: INFO: caught signal 15
Jun 22 17:36:01 racoon: ERROR: such policy already exists. anyway replace it: 192.168.10.1/32[0] 192.168.10.0/24[0] proto=any dir=out
Jun 22 17:36:01 racoon: ERROR: such policy already exists. anyway replace it: 192.168.10.0/24[0] 192.168.10.1/32[0] proto=any dir=in
Jun 22 17:36:01 racoon: INFO: fe80::2c0:26ff:fe80:ed37%ed0[500] used as isakmp port (fd=19)
Jun 22 17:36:01 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Jun 22 17:36:01 racoon: INFO: 192.168.10.1[500] used as isakmp port (fd=18)
Jun 22 17:36:01 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Jun 22 17:36:01 racoon: INFO: xxx.xxx.xxx.xxx [500] used as isakmp port (fd=17)
Jun 22 17:36:01 racoon: INFO: fe80::20f:1fff:fe46:173a%bfe0[500] used as isakmp port (fd=16)
Jun 22 17:36:01 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Jun 22 17:36:01 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
Jun 22 17:36:01 racoon: INFO: ::1[500] used as isakmp port (fd=14)
Jun 22 17:36:01 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=13)
Jun 22 17:36:01 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
Jun 22 17:36:01 racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
Jun 22 17:36:00 racoon: INFO: racoon shutdown
Jun 22 17:35:59 racoon: INFO: caught signal 15
Neither side is able to access anything on the remotes, or vice versa.
I understand that I will not be able to ping the LAN interface of the
pfsense device.
These are both fresh installs of pfSense-1.0.1-LiveCD-Installer.iso
Is there a how-to on setting up static remotes? -
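The remote-site log above already contains the diagnosis: "initiate new phase 1 negotiation", "begin Aggressive mode", then "phase2 negotiation failed due to time up waiting for phase1", meaning the far end never answered the IKE request. The Python script below is an added example, not code from pfSense or ipsec-tools: it classifies racoon lines of the shape quoted in this thread and turns them into findings. The sample log is constructed from those lines, with documentation-range addresses standing in for the redacted xxx.xxx.xxx.xxx; the event names and finding codes are labels invented for this example.

```python
import re
from collections import Counter

# Constructed sample in the shape of the racoon (ipsec-tools 0.6.6) lines
# quoted in this thread; 203.0.113.10 and 198.51.100.20 are documentation
# addresses standing in for the poster's redacted public IPs.
SAMPLE_LOG = """\
Jun 22 17:36:01 racoon: ERROR: such policy already exists. anyway replace it: 192.168.10.1/32[0] 192.168.10.0/24[0] proto=any dir=out
Jun 22 17:36:01 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Jun 22 17:36:01 racoon: INFO: 203.0.113.10[500] used as isakmp port (fd=17)
Jun 22 17:43:03 racoon: INFO: IPsec-SA request for 198.51.100.20 queued due to no phase1 found.
Jun 22 17:43:03 racoon: INFO: initiate new phase 1 negotiation: 203.0.113.10[500]<=>198.51.100.20[500]
Jun 22 17:43:03 racoon: INFO: begin Aggressive mode.
Jun 22 17:43:34 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 203.0.113.10[500]->198.51.100.20[500]
Jun 22 17:43:34 racoon: INFO: delete phase 2 handler.
"""

# syslog-style prefix as shown in the pfSense IPsec log view
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) racoon: '
    r'(?P<level>INFO|WARNING|ERROR|DEBUG|NOTIFY): (?P<msg>.*)$'
)

# (event name, pattern); the first pattern that matches classifies the line.
# Event names are labels chosen for this example.
PATTERNS = [
    ('phase1_initiated', re.compile(r'initiate new phase 1 negotiation: (\S+) ?\[\d+\]<=>(\S+) ?\[\d+\]')),
    ('phase1_mode', re.compile(r'begin (Aggressive|Main) mode')),
    ('phase1_timeout', re.compile(r'failed due to time up waiting for phase1')),
    ('phase1_established', re.compile(r'ISAKMP-SA established')),
    ('phase2_queued', re.compile(r'IPsec-SA request for \S+ queued')),
    ('phase2_established', re.compile(r'IPsec-SA established')),
    ('natt_sockopt_warning', re.compile(r'setsockopt\(UDP_ENCAP_ESPINUDP_NON_IKE\)')),
    ('duplicate_policy', re.compile(r'such policy already exists')),
]


def parse_line(line):
    """Return {ts, level, msg, event, peer, mode} for a racoon line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec.update(event='other', peer=None, mode=None)
    for event, pat in PATTERNS:
        pm = pat.search(rec['msg'])
        if pm:
            rec['event'] = event
            if event == 'phase1_initiated':
                rec['peer'] = pm.group(2)   # the far-end gateway we tried to reach
            elif event == 'phase1_mode':
                rec['mode'] = pm.group(1)
            break
    return rec


def triage(log_text):
    """Classify every line and derive findings a troubleshooter would act on."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    counts = Counter(r['event'] for r in records)
    peers = sorted({r['peer'] for r in records if r['peer']})
    findings = []
    if counts['phase1_timeout'] and not counts['phase1_established']:
        findings.append(('NO_PHASE1_REPLY',
                         f"phase 1 timed out and no ISAKMP-SA was established with "
                         f"{', '.join(peers) or 'the peer'}: the far end never answered on UDP 500. "
                         "Check the remote gateway address, that both WANs accept IKE (UDP 500), "
                         "and that the phase 1 settings match on both sides."))
    if any(r['mode'] == 'Aggressive' for r in records):
        findings.append(('AGGRESSIVE_MODE',
                         "phase 1 ran in Aggressive mode; for a site-to-site tunnel between two "
                         "static endpoints Main mode is the usual choice, and the mode must be the "
                         "same on both sides."))
    if counts['natt_sockopt_warning'] or counts['duplicate_policy']:
        findings.append(('RESTART_NOISE',
                         "UDP_ENCAP_ESPINUDP_NON_IKE warnings and 'such policy already exists' "
                         "errors appear on every racoon restart and are normally harmless."))
    return {'counts': dict(counts), 'peers': peers, 'findings': findings}


if __name__ == '__main__':
    for code, text in triage(SAMPLE_LOG)['findings']:
        print(f'[{code}] {text}')
```

Paste the IPsec log from each side into it: a side that reports NO_PHASE1_REPLY while the other side shows nothing at all for that peer points at the path between the two WANs (wrong endpoint address or IKE not allowed in), whereas a side that shows "ISAKMP-SA established" followed by phase 2 errors points at mismatched subnets or phase 2 proposals.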
@cmb:
Don't follow the mobile clients setup for site to site with both ends using static IP's. You just need to add an entry to the tunnels tab for both sides, matching all the settings on both sides other than the obvious ones that will differ (endpoint and subnet).
Okay, maybe I'm stupid, but what you're saying is to add tunnels under the VPN: IPsec
area at the main location, one for each remote? Right?
Then add tunnels at each remote for each of the other sites, all under VPN: IPsec.
All sites with the same pre-shared keys? Right?
Lans of sites
Main location
192.168.1.0/24
Remotes
192.168.10.0/24
192.168.11.0/24 -
Okay, now the sites are working. ???
Now I'm going to try to add an
Adtran NetVanta 2300 and a
Cisco 2600 into the mix.
Looks like the Adtran will not support Blowfish encryption.