Site to site



  • http://pfsense.com/mirror.php?section=tutorials/mobile_ipsec/
    I followed this exactly.
    Both firewalls were installed from the same CD.
    Version pfSense-1.2-BETA-1-LiveCD-Installer.iso
    FreeBSD REMOTE1.local 6.2-RELEASE-p4 FreeBSD 6.2-RELEASE-p4
    #0: Mon Apr 30 10:46:52 EDT 2007 
    sullrich@builder6.pfsense.com:/usr/obj.pfSense/usr/src/sys/pfSense.6  i386
    Both sides are on static addresses from different internet providers.
    I checked to confirm that both internet connections are unfiltered.
    Are there some sort of firewall rules that need to be added to allow
    the VPN to complete, or maybe I need to use a non-beta version?



  • Don't follow the mobile clients setup for site to site with both ends using static IPs. You just need to add an entry to the tunnels tab for both sides, matching all the settings on both sides other than the obvious ones that will differ (endpoint and subnet).



  • Is the public IP on pfSense or on a router in front of it?



  • @cmb:

    Don't follow the mobile clients setup for site to site with both ends using static IPs. You just need to add an entry to the tunnels tab for both sides, matching all the settings on both sides other than the obvious ones that will differ (endpoint and subnet).

    I re-installed with the non-beta iso.
    I will try this. What logs are useful in troubleshooting this?



  • @usuarioforum:

    Is the public IP on pfSense or on a router in front of it?

    The public IP is on pfSense.



  • From the main location's IPsec VPN log

    Jun 22 10:49:28 racoon: INFO: fe80::280:adff:fe71:e7f5%dc0[500] used as isakmp port (fd=19)
    Jun 22 10:49:28 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
    Jun 22 10:49:28 racoon: INFO: xxx.xxx.xxx.xxx [500] used as isakmp port (fd=18)
    Jun 22 10:49:28 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
    Jun 22 10:49:28 racoon: INFO: 192.168.1.1[500] used as isakmp port (fd=17)
    Jun 22 10:49:28 racoon: INFO: fe80::201:3ff:fecf:455e%xl0[500] used as isakmp port (fd=16)
    Jun 22 10:49:28 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
    Jun 22 10:49:28 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
    Jun 22 10:49:28 racoon: INFO: ::1[500] used as isakmp port (fd=14)
    Jun 22 10:49:28 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=13)
    Jun 22 10:49:28 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
    Jun 22 10:49:28 racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
    Jun 22 10:49:27 racoon: INFO: racoon shutdown
    Jun 22 10:49:26 racoon: INFO: caught signal 15
    Jun 22 10:48:07 racoon: INFO: fe80::280:adff:fe71:e7f5%dc0[500] used as isakmp port (fd=19)
    Jun 22 10:48:07 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
    Jun 22 10:48:07 racoon: INFO: xxx.xxx.xxx.xxx [500] used as isakmp port (fd=18)
    Jun 22 10:48:07 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
    Jun 22 10:48:07 racoon: INFO: 192.168.1.1[500] used as isakmp port (fd=17)
    Jun 22 10:48:07 racoon: INFO: fe80::201:3ff:fecf:455e%xl0[500] used as isakmp port (fd=16)
    Jun 22 10:48:07 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
    Jun 22 10:48:07 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
    Jun 22 10:48:07 racoon: INFO: ::1[500] used as isakmp port (fd=14)
    Jun 22 10:48:07 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=13)
    Jun 22 10:48:05 racoon: INFO: fe80::280:adff:fe71:e7f5%dc0[500] used as isakmp port (fd=19)
    Jun 22 10:48:05 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
    Jun 22 10:48:05 racoon: INFO: xxx.xxx.xxx.xxx [500] used as isakmp port (fd=18)
    Jun 22 10:48:05 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
    Jun 22 10:48:05 racoon: INFO: 192.168.1.1[500] used as isakmp port (fd=17)
    Jun 22 10:48:05 racoon: INFO: fe80::201:3ff:fecf:455e%xl0[500] used as isakmp port (fd=16)
    Jun 22 10:48:05 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
    Jun 22 10:48:05 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=15)

    From remote site 2's IPsec VPN log

    Jun 22 17:43:34 racoon: INFO: delete phase 2 handler.
    Jun 22 17:43:34 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP xxx.xxx.xxx.xxx[500]->xxx.xxx.xxx.xxx[500]
    Jun 22 17:43:03 racoon: INFO: begin Aggressive mode.
    Jun 22 17:43:03 racoon: INFO: initiate new phase 1 negotiation: xxx.xxx.xxx.xxx [500]<=>xxx.xxx.xxx.xxx [500]
    Jun 22 17:43:03 racoon: INFO: IPsec-SA request for xxx.xxx.xxx.xxx queued due to no phase1 found.
    Jun 22 17:36:14 racoon: ERROR: such policy already exists. anyway replace it: 192.168.10.1/32[0] 192.168.10.0/24[0] proto=any dir=out
    Jun 22 17:36:14 racoon: ERROR: such policy already exists. anyway replace it: 192.168.10.0/24[0] 192.168.10.1/32[0] proto=any dir=in
    Jun 22 17:36:14 racoon: INFO: fe80::2c0:26ff:fe80:ed37%ed0[500] used as isakmp port (fd=19)
    Jun 22 17:36:14 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
    Jun 22 17:36:14 racoon: INFO: 192.168.10.1[500] used as isakmp port (fd=18)
    Jun 22 17:36:14 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
    Jun 22 17:36:14 racoon: INFO: xxx.xxx.xxx.xxx [500] used as isakmp port (fd=17)
    Jun 22 17:36:14 racoon: INFO: fe80::20f:1fff:fe46:173a%bfe0[500] used as isakmp port (fd=16)
    Jun 22 17:36:14 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
    Jun 22 17:36:14 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
    Jun 22 17:36:14 racoon: INFO: ::1[500] used as isakmp port (fd=14)
    Jun 22 17:36:14 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=13)
    Jun 22 17:36:14 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
    Jun 22 17:36:14 racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
    Jun 22 17:36:13 racoon: INFO: racoon shutdown
    Jun 22 17:36:12 racoon: INFO: caught signal 15
    Jun 22 17:36:01 racoon: ERROR: such policy already exists. anyway replace it: 192.168.10.1/32[0] 192.168.10.0/24[0] proto=any dir=out
    Jun 22 17:36:01 racoon: ERROR: such policy already exists. anyway replace it: 192.168.10.0/24[0] 192.168.10.1/32[0] proto=any dir=in
    Jun 22 17:36:01 racoon: INFO: fe80::2c0:26ff:fe80:ed37%ed0[500] used as isakmp port (fd=19)
    Jun 22 17:36:01 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
    Jun 22 17:36:01 racoon: INFO: 192.168.10.1[500] used as isakmp port (fd=18)
    Jun 22 17:36:01 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
    Jun 22 17:36:01 racoon: INFO: xxx.xxx.xxx.xxx [500] used as isakmp port (fd=17)
    Jun 22 17:36:01 racoon: INFO: fe80::20f:1fff:fe46:173a%bfe0[500] used as isakmp port (fd=16)
    Jun 22 17:36:01 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
    Jun 22 17:36:01 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
    Jun 22 17:36:01 racoon: INFO: ::1[500] used as isakmp port (fd=14)
    Jun 22 17:36:01 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=13)
    Jun 22 17:36:01 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
    Jun 22 17:36:01 racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
    Jun 22 17:36:00 racoon: INFO: racoon shutdown
    Jun 22 17:35:59 racoon: INFO: caught signal 15

    Neither side is able to access anything on the remotes, or vice versa.
    I understand that I will not be able to ping the LAN interface of the
    pfSense device.
    These are both fresh installs of pfSense-1.0.1-LiveCD-Installer.iso
    Is there a how-to on setting up static remotes?
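A triage pass over the two racoon logs posted above, written as an added example for this thread (it is not code from the posters or from pfSense). The classifier rules are built from the message patterns visible in the posted lines plus racoon's "ISAKMP-SA established" / "IPsec-SA established" success messages, which appear in neither log; the sample input is a constructed subset of the remote-site log with the addresses left masked. Run over the main-site log it reports that racoon only restarted and never negotiated at all; over the remote-site log it reports the phase 1 timeout, which together mean the remote's IKE packets on UDP/500 got no answer from the main firewall (or the main side has no matching tunnel entry). It also flags the "begin Aggressive mode" line: aggressive mode with a pre-shared key sends the PSK hash where a passive observer can capture it for offline guessing, so main mode is the right choice when both endpoints have static addresses.

```python
import re
from collections import Counter

# Constructed sample: a subset of the racoon lines from the remote-site log
# posted above, with the public addresses left masked as in the thread.
SAMPLE_LOG = """\
Jun 22 17:43:34 racoon: INFO: delete phase 2 handler.
Jun 22 17:43:34 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP xxx.xxx.xxx.xxx[500]->xxx.xxx.xxx.xxx[500]
Jun 22 17:43:03 racoon: INFO: begin Aggressive mode.
Jun 22 17:43:03 racoon: INFO: initiate new phase 1 negotiation: xxx.xxx.xxx.xxx [500]<=>xxx.xxx.xxx.xxx [500]
Jun 22 17:43:03 racoon: INFO: IPsec-SA request for xxx.xxx.xxx.xxx queued due to no phase1 found.
Jun 22 17:36:14 racoon: ERROR: such policy already exists. anyway replace it: 192.168.10.1/32[0] 192.168.10.0/24[0] proto=any dir=out
Jun 22 17:36:14 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Jun 22 17:36:14 racoon: INFO: xxx.xxx.xxx.xxx [500] used as isakmp port (fd=17)
Jun 22 17:36:13 racoon: INFO: racoon shutdown
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) racoon: (?P<level>[A-Z]+): (?P<msg>.*)$')

# (pattern on the message text, category, hint). First match wins.
# "ISAKMP-SA established" / "IPsec-SA established" are racoon's success
# messages; they do not occur in the posted logs, which is the point.
RULES = [
    (r'used as isakmp port|setsockopt\(UDP_ENCAP|This product linked|'
     r'ipsec-tools|racoon shutdown|caught signal', 'startup-noise', None),
    (r'such policy already exists', 'spd-reload',
     'SPD entry re-installed on restart; harmless'),
    (r'begin (Aggressive|Identity Protection) mode|initiate new phase 1',
     'phase1-start', None),
    (r'queued due to no phase1 found', 'phase2-waiting', None),
    (r'failed due to time up waiting for phase1', 'phase1-timeout',
     'peer never answered IKE phase 1'),
    (r'ISAKMP-SA established', 'phase1-up', None),
    (r'IPsec-SA established', 'phase2-up', None),
]
RULES = [(re.compile(p), c, h) for p, c, h in RULES]

VERDICTS = {
    'phase2-up': 'tunnel established',
    'phase1-up': 'phase 1 up but no phase 2 SA: compare phase 2 proposals and subnets',
    'phase1-timeout': 'phase 1 timed out: peer never answered on UDP/500; check '
                      'reachability and that the peer has a matching tunnel entry',
    'phase1-start': 'phase 1 initiated, no outcome logged yet',
    'none': 'no negotiation attempted: racoon only (re)started; check that a '
            'tunnel entry exists and is enabled, or that the peer is initiating',
}

def parse_line(line):
    """Classify one racoon syslog line; returns None for lines that are not racoon's."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {'ts': m.group('ts'), 'level': m.group('level'),
          'msg': m.group('msg'), 'cat': 'other', 'hint': None}
    for rx, cat, hint in RULES:
        if rx.search(ev['msg']):
            ev['cat'], ev['hint'] = cat, hint
            break
    return ev

def triage(log_text):
    """Summarise a racoon log: per-category counts, a verdict, and hardening notes."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    counts = Counter(e['cat'] for e in events)
    verdict = VERDICTS['none']
    for cat in ('phase2-up', 'phase1-up', 'phase1-timeout', 'phase1-start'):
        if counts[cat]:
            verdict = VERDICTS[cat]
            break
    notes = []
    if any('Aggressive' in e['msg'] for e in events if e['cat'] == 'phase1-start'):
        notes.append('aggressive mode with a PSK exposes the PSK hash to a '
                     'passive observer (offline dictionary attack); use main '
                     'mode for static-to-static tunnels')
    return {'counts': counts, 'verdict': verdict, 'notes': notes,
            'events': [e for e in events if e['cat'] != 'startup-noise']}

if __name__ == '__main__':
    result = triage(SAMPLE_LOG)
    print(result['verdict'])
    for e in result['events']:
        print(e['ts'], e['cat'], '-', e['msg'][:70])
    for n in result['notes']:
        print('note:', n)
```

Paste a whole Status > System logs > IPsec VPN page into `triage()`; the startup lines (`used as isakmp port`, the `setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE)` warning) are filtered out as noise because they appear on every racoon restart whether or not a tunnel is configured.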



  • @cmb:

    Don't follow the mobile clients setup for site to site with both ends using static IPs. You just need to add an entry to the tunnels tab for both sides, matching all the settings on both sides other than the obvious ones that will differ (endpoint and subnet).

    Okay, maybe I'm stupid, but what you're saying is to add tunnels under the VPN: IPsec
    area at the main location for each remote? Right?
    Then add tunnels at each remote for each of the other sites, all in VPN: IPsec.
    All sites with the same pre-shared keys? Right?
    LANs of the sites:
    Main location
    192.168.1.0/24
    Remotes
    192.168.10.0/24
    192.168.11.0/24
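A worked version of cmb's advice and of the hub-and-spoke layout asked about in this post, as an added example (not code from the posters or from pfSense): it generates the tunnel entries each of the three sites needs and checks that every entry has a mirror on the peer with endpoint and subnet swapped and everything else identical. Site names, WAN addresses (documentation ranges) and pre-shared keys are constructed placeholders; the LANs are the ones listed above, and the phase 1/phase 2 defaults are assumed values, not what pfSense ships. Each tunnel needs the same PSK at both of its ends, but nothing requires one key for all tunnels; the example uses a separate key per remote so that a compromised remote site cannot authenticate as the other one. The mismatch check also catches the situation in the final post, where one end offers a cipher (Blowfish) that the other does not support.

```python
import hmac
from dataclasses import dataclass, replace

# Constructed placeholders: the LANs are the ones named in the post, the WAN
# addresses are documentation-range stand-ins (RFC 5737), not the posters'.
MAIN = {'name': 'MAIN', 'wan': '198.51.100.5', 'lan': '192.168.1.0/24'}
REMOTES = [
    {'name': 'REMOTE1', 'wan': '203.0.113.10', 'lan': '192.168.10.0/24'},
    {'name': 'REMOTE2', 'wan': '203.0.113.20', 'lan': '192.168.11.0/24'},
]
# One secret per tunnel (constructed values).
PSKS = {'REMOTE1': 'ex4mple-psk-remote1', 'REMOTE2': 'ex4mple-psk-remote2'}

P1P2_FIELDS = ('p1_mode', 'p1_enc', 'p1_hash', 'p1_dh', 'p2_enc', 'p2_auth', 'p2_pfs')

@dataclass(frozen=True)
class Tunnel:
    """One entry on a firewall's IPsec tunnels tab."""
    site: str             # firewall this entry is configured on
    local_endpoint: str   # its WAN address
    remote_gateway: str   # peer's WAN address
    local_subnet: str     # LAN behind this firewall
    remote_subnet: str    # LAN behind the peer
    psk: str
    # Phase 1 / phase 2 settings (assumed defaults): identical at both ends of a tunnel
    p1_mode: str = 'main'
    p1_enc: str = '3des'
    p1_hash: str = 'sha1'
    p1_dh: int = 2
    p2_enc: str = 'aes'
    p2_auth: str = 'hmac_sha1'
    p2_pfs: int = 2

def hub_and_spoke(hub, spokes, psks):
    """Build the entries each site needs: the hub gets one per remote, each
    remote gets one pointing back at the hub, with endpoint and subnet
    swapped and everything else identical."""
    entries = {hub['name']: []}
    for s in spokes:
        entries[hub['name']].append(Tunnel(hub['name'], hub['wan'], s['wan'],
                                           hub['lan'], s['lan'], psks[s['name']]))
        entries[s['name']] = [Tunnel(s['name'], s['wan'], hub['wan'],
                                     s['lan'], hub['lan'], psks[s['name']])]
    return entries

def find_mirror(t, entries):
    """The peer-side entry for t: endpoints reversed, configured on another site."""
    for site, lst in entries.items():
        if site == t.site:
            continue
        for c in lst:
            if (c.local_endpoint, c.remote_gateway) == (t.remote_gateway, t.local_endpoint):
                return c
    return None

def check_pair(a, b):
    """Mismatches between an entry and its mirror; an empty list means consistent."""
    problems = []
    if (a.local_subnet, a.remote_subnet) != (b.remote_subnet, b.local_subnet):
        problems.append(f'phase 2 subnets do not mirror: {a.site} {a.local_subnet}->'
                        f'{a.remote_subnet} vs {b.site} {b.local_subnet}->{b.remote_subnet}')
    # Constant-time compare so a checker fed real secrets does not leak them by timing.
    if not hmac.compare_digest(a.psk.encode(), b.psk.encode()):
        problems.append(f'pre-shared key differs between {a.site} and {b.site}')
    for f in P1P2_FIELDS:
        va, vb = getattr(a, f), getattr(b, f)
        if va != vb:
            problems.append(f'{f} differs: {a.site}={va} {b.site}={vb}')
    return problems

def check_all(entries):
    """{'SITE->peer_wan': [problems...]} for every entry on every site."""
    report = {}
    for lst in entries.values():
        for t in lst:
            m = find_mirror(t, entries)
            report[f'{t.site}->{t.remote_gateway}'] = (
                ['no matching entry on the peer'] if m is None else check_pair(t, m))
    return report

def with_override(entries, site, index, **changes):
    """Copy of entries with one entry altered, e.g. a peer that proposes a different cipher."""
    out = {k: list(v) for k, v in entries.items()}
    out[site][index] = replace(out[site][index], **changes)
    return out

if __name__ == '__main__':
    good = hub_and_spoke(MAIN, REMOTES, PSKS)
    for k, v in check_all(good).items():
        print(k, 'ok' if not v else v)
    # Like the Adtran in the last post: one end offers a cipher the other does not.
    bad = with_override(good, 'REMOTE2', 0, p2_enc='blowfish')
    for k, v in check_all(bad).items():
        if v:
            print(k, v)
```

With this layout the remotes reach only the main LAN; for REMOTE1 and REMOTE2 to talk to each other they need either a third tunnel between them or a phase 2 entry on each side covering the other remote's subnet through the hub, which `find_mirror` would flag as missing until both ends carry it.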



  • Okay, now the sites are working. ???
    Now I'm going to try and add an
    Adtran NetVanta 2300 and a
    Cisco 2600 into the mix.
    Looks like the Adtran will not support Blowfish encryption.

