NAT before IPsec VPN on pfsense 2.1
-
I'm on the latest build and the status problem is still there, precisely: it is yellow.
The tunnel is by all means up; traffic gets around correctly.
Could the status be shown as yellow because of the "ERROR: such policy already exists. anyway replace it:" messages in the log (which I have no idea why they come up)?
This is /var/etc/spd.conf
spdadd -4 192.168.111.254/32 192.168.111.0/24 any -P out none;
spdadd -4 192.168.111.0/24 192.168.111.254/32 any -P in none;
spdadd -4 192.168.111.0/24 192.168.36.0/25 any -P out ipsec esp/tunnel/192.168.112.1-{remote tunnel public ip}/unique;
spdadd -4 192.168.36.0/25 192.168.36.129/32 any -P in ipsec esp/tunnel/{remote tunnel public ip}-192.168.112.1/unique;
This is my IPSec log
Feb 2 00:54:32 racoon: [IPSec client 1]: INFO: IPsec-SA established: ESP 192.168.112.1[500]->{remote tunnel public ip}[500] spi=2237067141(0x8556ef85)
Feb 2 00:54:32 racoon: [IPSec client 1]: INFO: IPsec-SA established: ESP 192.168.112.1[500]->{remote tunnel public ip}[500] spi=85261209(0x514fb99)
Feb 2 00:54:32 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
Feb 2 00:54:32 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
Feb 2 00:54:32 racoon: WARNING: attribute has been modified.
Feb 2 00:54:32 racoon: INFO: received RESPONDER-LIFETIME: 4608000 kbytes
Feb 2 00:54:32 racoon: INFO: NAT detected -> UDP encapsulation (ENC_MODE 1->61443).
Feb 2 00:54:32 racoon: [IPSec client 1]: INFO: initiate new phase 2 negotiation: 192.168.112.1[4500]<=>{remote tunnel public ip}[4500]
Feb 2 00:54:31 racoon: [IPSec client 1]: INFO: ISAKMP-SA established 192.168.112.1[4500]-{remote tunnel public ip}[4500] spi:1a77e52bf34f298b:b9d50cec11c73ffb
Feb 2 00:54:31 racoon: WARNING: port 4500 expected, but 0
Feb 2 00:54:31 racoon: [IPSec client 1]: INFO: KA list add: 192.168.112.1[4500]->{remote tunnel public ip}[4500]
Feb 2 00:54:31 racoon: INFO: NAT detected: ME
Feb 2 00:54:31 racoon: INFO: NAT-D payload #1 verified
Feb 2 00:54:31 racoon: [IPSec client 1]: [{remote tunnel public ip}] INFO: Hashing {remote tunnel public ip}[500] with algo #1
Feb 2 00:54:31 racoon: INFO: NAT-D payload #0 doesn't match
Feb 2 00:54:31 racoon: [Self]: [192.168.112.1] INFO: Hashing 192.168.112.1[500] with algo #1
Feb 2 00:54:31 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Feb 2 00:54:31 racoon: INFO: received Vendor ID: DPD
Feb 2 00:54:31 racoon: INFO: received Vendor ID: CISCO-UNITY
Feb 2 00:54:31 racoon: INFO: Adding remote and local NAT-D payloads.
Feb 2 00:54:31 racoon: [Self]: [192.168.112.1] INFO: Hashing 192.168.112.1[500] with algo #1
Feb 2 00:54:31 racoon: [IPSec client 1]: [{remote tunnel public ip}] INFO: Hashing {remote tunnel public ip}[500] with algo #1
Feb 2 00:54:31 racoon: [IPSec client 1]: [{remote tunnel public ip}] INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
Feb 2 00:54:31 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Feb 2 00:54:31 racoon: INFO: begin Identity Protection mode.
Feb 2 00:54:31 racoon: [IPSec client 1]: INFO: initiate new phase 1 negotiation: 192.168.112.1[500]<=>{remote tunnel public ip}[500]
Feb 2 00:54:31 racoon: [IPSec client 1]: INFO: IPsec-SA request for {remote tunnel public ip} queued due to no phase1 found.
Feb 2 00:54:31 racoon: NOTIFY: no in-bound policy found: 192.168.36.0/25[0] 192.168.111.0/24[0] proto=any dir=in
Feb 2 00:54:05 racoon: ERROR: such policy already exists. anyway replace it: 192.168.36.0/25[0] 192.168.36.129/32[0] proto=any dir=in
Feb 2 00:54:05 racoon: ERROR: such policy already exists. anyway replace it: 192.168.111.0/24[0] 192.168.36.0/25[0] proto=any dir=out
Feb 2 00:54:05 racoon: ERROR: such policy already exists. anyway replace it: 192.168.111.0/24[0] 192.168.111.254/32[0] proto=any dir=in
Feb 2 00:54:05 racoon: ERROR: such policy already exists. anyway replace it: 192.168.111.254/32[0] 192.168.111.0/24[0] proto=any dir=out
Feb 2 00:54:05 racoon: INFO: unsupported PF_KEY message REGISTER
Feb 2 00:54:05 racoon: [Self]: INFO: 192.168.112.1[500] used as isakmp port (fd=15)
Feb 2 00:54:05 racoon: [Self]: INFO: 192.168.112.1[500] used for NAT-T
Feb 2 00:54:05 racoon: [Self]: INFO: 192.168.112.1[4500] used as isakmp port (fd=14)
Feb 2 00:54:05 racoon: [Self]: INFO: 192.168.112.1[4500] used for NAT-T
Feb 2 00:54:05 racoon: INFO: Reading configuration from "/var/etc/ipsec/racoon.conf"
Feb 2 00:54:05 racoon: INFO: @(#)This product linked OpenSSL 1.0.1c 10 May 2012 (http://www.openssl.org/)
Feb 2 00:54:05 racoon: INFO: @(#)ipsec-tools 0.8.1 (http://ipsec-tools.sourceforge.net)
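The spd.conf and racoon log above can be cross-checked mechanically: parse each spdadd entry, find the entries that have no counterpart in the opposite direction, and pair racoon's "no in-bound policy found" notice with the outbound policy whose mirror it was looking for. The following is an added example, not code from the post or from pfSense; the input is a constructed copy of the posted config and a few of the posted log lines, with the elided remote peer address replaced by the RFC 5737 documentation address 203.0.113.1 (an assumption). With NAT applied before IPsec, the tunnel pair is expected to be asymmetric, so an unmirrored entry is something to look at, not a verdict.

```python
"""Added example: parse a racoon spd.conf and IPsec log from pfSense and
report SPD entries without a mirrored policy in the opposite direction.
Not code from the original post; the data below is a constructed copy."""
import re
from dataclasses import dataclass

# Assumption: the post elides the remote peer address; 203.0.113.1 stands in.
REMOTE = "203.0.113.1"

# Constructed copy of the /var/etc/spd.conf shown in the post.
SPD_CONF = f"""
spdadd -4 192.168.111.254/32 192.168.111.0/24 any -P out none;
spdadd -4 192.168.111.0/24 192.168.111.254/32 any -P in none;
spdadd -4 192.168.111.0/24 192.168.36.0/25 any -P out ipsec esp/tunnel/192.168.112.1-{REMOTE}/unique;
spdadd -4 192.168.36.0/25 192.168.36.129/32 any -P in ipsec esp/tunnel/{REMOTE}-192.168.112.1/unique;
"""

# Constructed excerpt of the racoon log lines from the post.
RACOON_LOG = """
Feb 2 00:54:31 racoon: NOTIFY: no in-bound policy found: 192.168.36.0/25[0] 192.168.111.0/24[0] proto=any dir=in
Feb 2 00:54:05 racoon: ERROR: such policy already exists. anyway replace it: 192.168.36.0/25[0] 192.168.36.129/32[0] proto=any dir=in
Feb 2 00:54:05 racoon: ERROR: such policy already exists. anyway replace it: 192.168.111.0/24[0] 192.168.36.0/25[0] proto=any dir=out
Feb 2 00:54:31 racoon: INFO: NAT detected: ME
"""

SPDADD_RE = re.compile(
    r"spdadd\s+(?:-[46]\s+)?(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+(.*?);"
)
NO_INBOUND_RE = re.compile(
    r"no in-bound policy found: (\S+)\[\d+\] (\S+)\[\d+\] proto=(\S+) dir=in"
)
ALREADY_EXISTS_RE = re.compile(r"such policy already exists")


@dataclass(frozen=True)
class Policy:
    src: str        # source selector (CIDR)
    dst: str        # destination selector (CIDR)
    proto: str      # upper-layer protocol selector ("any" here)
    direction: str  # "in" or "out"
    action: str     # "none" or "ipsec esp/tunnel/..."


def parse_spd(text: str) -> list:
    """Parse every spdadd line into a Policy."""
    return [Policy(*m.groups()) for m in SPDADD_RE.finditer(text)]


def mirror_key(p: Policy) -> tuple:
    """The (src, dst, dir) a matching policy for return traffic would have."""
    return (p.dst, p.src, "in" if p.direction == "out" else "out")


def unmirrored(policies: list) -> list:
    """Policies with no counterpart in the opposite direction."""
    present = {(p.src, p.dst, p.direction) for p in policies}
    return [p for p in policies if mirror_key(p) not in present]


def missing_inbound(log: str) -> list:
    """(src, dst) selectors racoon reported as lacking an inbound SPD entry."""
    return [(m.group(1), m.group(2)) for m in NO_INBOUND_RE.finditer(log)]


def correlate(policies: list, log: str) -> list:
    """Pair each 'no in-bound policy found' notice with the outbound policy
    whose mirror racoon was looking for (the notice lists the in-bound
    selectors, i.e. the outbound policy's src/dst swapped)."""
    by_key = {(p.src, p.dst, p.direction): p for p in policies}
    pairs = []
    for src, dst in missing_inbound(log):
        p = by_key.get((dst, src, "out"))
        if p is not None:
            pairs.append(((src, dst), p))
    return pairs


def count_replaced(log: str) -> int:
    """Number of 'such policy already exists' ERROR lines in the log."""
    return len(ALREADY_EXISTS_RE.findall(log))


if __name__ == "__main__":
    pols = parse_spd(SPD_CONF)
    for p in unmirrored(pols):
        print(f"no mirror: {p.direction:3} {p.src} -> {p.dst} ({p.action})")
    for (src, dst), p in correlate(pols, RACOON_LOG):
        print(f"racoon wanted in-bound {src} -> {dst}; "
              f"the outbound policy is {p.src} -> {p.dst}")
    print(f"{count_replaced(RACOON_LOG)} policies replaced at racoon start")
```

Run against the posted config, the two "none" bypass entries pair up, while the tunnel out-policy (192.168.111.0/24 to 192.168.36.0/25) and the NAT'd in-policy (192.168.36.0/25 to 192.168.36.129/32) each lack a mirror, and the racoon NOTIFY line is exactly the mirror of that out-policy. The same script can be pointed at `setkey -DP` output, since it uses the same selector syntax.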
-
anyone?