NAT before IPsec VPN on pfsense 2.1

themr0c

hum, it seems it has been truncated. In the log after the restart you can see things happning for both ipsec tunnels. tunnel "A" is not green in the status interface, but it is usable. tunnel "B" is just half-working.

eri--

On the next snapshot the status page should be fixed.

For the second tunnel can you show me the /tmp/rules.debug file by anonimizing the ips?
I am saying this since the nat rules for the same subnet are generated and your first tunnel rule might be impacting your second one.

I removed previous dump of you since your private keys are pasted in there and your ips as well :)

eri--

Thank you for the ruleset and information.
It seems that mss clamping was a bit broken for ipsec on 2.1, please try with the next coming snapshot or gitsync it should behave better.

themr0c

Thanks a lot !

Sorry for the last question: When will the next coming snapshot published ?

eri--

It takes around 8 hours usually but it sometimes is a bit faster.
For you gitsync should be easier, check one of the sticky topics on it.

The related change is this https://github.com/bsdperimeter/pfsense/commit/af982472816c43827177e499011b92531ba40d72

themr0c

gitsync worked like a charm, issue is fixed, many many many thanks !

namtab

I had the same problem on 2.0.2, so I was using an additional NIC just for having a correct local subnet for IPSec.. I guess I could've tried replacing the bogus NIC with a Virtual IP on the LAN subnet..

Anyway, I just crossed fingers and upgraded to 2.1-BETA1 (i386) built on Thu Jan 31 12:38:17 EST 2013 then I followed your steps.

Now I have:

• in Advanced > Miscellaneous checked Enable MSS clamping on VPN traffic and set it to 1200

• IPSec Phase 1 setup correctly

  • IPSec Phase 2 with
    Local Network 192.168.111.0/24 (real LAN)
    NAT/BINAT single address 192.168.36.129 (from remotely imposed 192.168.36.129/24 subnet)
    Remote subnet 192.168.36.0/25

and got phase 2 with NAT working… "Yippee ki-yay, mf!"

One last glitch that bugs me: the Status > IPSec page still shows the tunnel as down  ???, even though log says

INFO: ISAKMP-SA established

and

INFO: IPsec-SA established

, and traffic gets through normally…

Can this log message be relevant

racoon: NOTIFY: no in-bound policy found: 192.168.36.0/25[0] 192.168.111.0/24[0] proto=any dir=in

?

I already have a Firewall rule on the IPsec interface that allows all traffic through.

Did I miss anything or is this issue still on the devs' radar ?

Now if only version 2.1 had a PPTP helper, allowing multiple distinct outbound GRE sessions to the same remote IP, I'd be the happiest pfSense user of all time!  ::)

eri--

@namtab:

One last glitch that bugs me: the Status > IPSec page still shows the tunnel as down  ???, even though log says

INFO: ISAKMP-SA established

and

INFO: IPsec-SA established

, and traffic gets through normally…

I pushed a fix for this but will double check.

Can this log message be relevant

racoon: NOTIFY: no in-bound policy found: 192.168.36.0/25[0] 192.168.111.0/24[0] proto=any dir=in

?

No worries about it. Maybe need to remove the warning completely but its because you are natting that the warning shows up.

Now if only version 2.1 had a PPTP helper, allowing multiple distinct outbound GRE sessions to the same remote IP, I'd be the happiest pfSense user of all time!  ::)

I am not sure for 2.1 it will make it :)

namtab

I'm on the latest build and the Status problem is still there, precisely yellow.

The tunnel is by all means up, traffic gets around correctly.

Can the Status be determined as yellow because of the "ERROR: such policy already exists. anyway replace it: " messages in the log (which I have no idea why they come up)?

This is /var/etc/spd.conf

spdadd -4 192.168.111.254/32 192.168.111.0/24 any -P out none;
spdadd -4 192.168.111.0/24 192.168.111.254/32 any -P in none;
spdadd -4 192.168.111.0/24 192.168.36.0/25 any -P out ipsec esp/tunnel/192.168.112.1-{remote tunnel public ip}/unique;
spdadd -4 192.168.36.0/25 192.168.36.129/32 any -P in ipsec esp/tunnel/{remote tunnel public ip}-192.168.112.1/unique;

This is my IPSec log

Feb 2 00:54:32	racoon: [IPSec client 1]: INFO: IPsec-SA established: ESP 192.168.112.1[500]->{remote tunnel public ip}[500] spi=2237067141(0x8556ef85)
Feb 2 00:54:32	racoon: [IPSec client 1]: INFO: IPsec-SA established: ESP 192.168.112.1[500]->{remote tunnel public ip}[500] spi=85261209(0x514fb99)
Feb 2 00:54:32	racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
Feb 2 00:54:32	racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
Feb 2 00:54:32	racoon: WARNING: attribute has been modified.
Feb 2 00:54:32	racoon: INFO: received RESPONDER-LIFETIME: 4608000 kbytes
Feb 2 00:54:32	racoon: INFO: NAT detected -> UDP encapsulation (ENC_MODE 1->61443).
Feb 2 00:54:32	racoon: [IPSec client 1]: INFO: initiate new phase 2 negotiation: 192.168.112.1[4500]<=>{remote tunnel public ip}[4500]
Feb 2 00:54:31	racoon: [IPSec client 1]: INFO: ISAKMP-SA established 192.168.112.1[4500]-{remote tunnel public ip}[4500] spi:1a77e52bf34f298b:b9d50cec11c73ffb
Feb 2 00:54:31	racoon: WARNING: port 4500 expected, but 0
Feb 2 00:54:31	racoon: [IPSec client 1]: INFO: KA list add: 192.168.112.1[4500]->{remote tunnel public ip}[4500]
Feb 2 00:54:31	racoon: INFO: NAT detected: ME
Feb 2 00:54:31	racoon: INFO: NAT-D payload #1 verified
Feb 2 00:54:31	racoon: [IPSec client 1]: [{remote tunnel public ip}] INFO: Hashing {remote tunnel public ip}[500] with algo #1
Feb 2 00:54:31	racoon: INFO: NAT-D payload #0 doesn't match
Feb 2 00:54:31	racoon: [Self]: [192.168.112.1] INFO: Hashing 192.168.112.1[500] with algo #1
Feb 2 00:54:31	racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Feb 2 00:54:31	racoon: INFO: received Vendor ID: DPD
Feb 2 00:54:31	racoon: INFO: received Vendor ID: CISCO-UNITY
Feb 2 00:54:31	racoon: INFO: Adding remote and local NAT-D payloads.
Feb 2 00:54:31	racoon: [Self]: [192.168.112.1] INFO: Hashing 192.168.112.1[500] with algo #1
Feb 2 00:54:31	racoon: [IPSec client 1]: [{remote tunnel public ip}] INFO: Hashing {remote tunnel public ip}[500] with algo #1
Feb 2 00:54:31	racoon: [IPSec client 1]: [{remote tunnel public ip}] INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
Feb 2 00:54:31	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Feb 2 00:54:31	racoon: INFO: begin Identity Protection mode.
Feb 2 00:54:31	racoon: [IPSec client 1]: INFO: initiate new phase 1 negotiation: 192.168.112.1[500]<=>{remote tunnel public ip}[500]
Feb 2 00:54:31	racoon: [IPSec client 1]: INFO: IPsec-SA request for {remote tunnel public ip} queued due to no phase1 found.
Feb 2 00:54:31	racoon: NOTIFY: no in-bound policy found: 192.168.36.0/25[0] 192.168.111.0/24[0] proto=any dir=in
Feb 2 00:54:05	racoon: ERROR: such policy already exists. anyway replace it: 192.168.36.0/25[0] 192.168.36.129/32[0] proto=any dir=in
Feb 2 00:54:05	racoon: ERROR: such policy already exists. anyway replace it: 192.168.111.0/24[0] 192.168.36.0/25[0] proto=any dir=out
Feb 2 00:54:05	racoon: ERROR: such policy already exists. anyway replace it: 192.168.111.0/24[0] 192.168.111.254/32[0] proto=any dir=in
Feb 2 00:54:05	racoon: ERROR: such policy already exists. anyway replace it: 192.168.111.254/32[0] 192.168.111.0/24[0] proto=any dir=out
Feb 2 00:54:05	racoon: INFO: unsupported PF_KEY message REGISTER
Feb 2 00:54:05	racoon: [Self]: INFO: 192.168.112.1[500] used as isakmp port (fd=15)
Feb 2 00:54:05	racoon: [Self]: INFO: 192.168.112.1[500] used for NAT-T
Feb 2 00:54:05	racoon: [Self]: INFO: 192.168.112.1[4500] used as isakmp port (fd=14)
Feb 2 00:54:05	racoon: [Self]: INFO: 192.168.112.1[4500] used for NAT-T
Feb 2 00:54:05	racoon: INFO: Reading configuration from "/var/etc/ipsec/racoon.conf"
Feb 2 00:54:05	racoon: INFO: @(#)This product linked OpenSSL 1.0.1c 10 May 2012 (http://www.openssl.org/)
Feb 2 00:54:05	racoon: INFO: @(#)ipsec-tools 0.8.1 (http://ipsec-tools.sourceforge.net)

namtab

anyone?