IPsec tunnel looks OK but no firewall rules are generated



  • Hello all,

I'm running a CARP system (pfSense 1.0-BETA1) and have been able to set up an IPsec tunnel with another pfSense system (both have static IPs and the VPN is running fine).
    Now I would like to connect road warriors with IPsec as well. I'm trying to do this with a software called TheGreenBow, using pre-shared keys.

    I am able to open the tunnel, as the logs in TheGreenBow and pfSense show, but then no traffic can be sent through; it looks like no firewall rules permitting traffic between the two private networks are created on the pfSense system.

    When I try to connect the tunnel, this is what the logs are showing in pfSense:
    ----------------------------------
    racoon: INFO: respond new phase 1 negotiation: xx.yy.zz.220[500]<=>aa.bb.cc.133[500]
    racoon: INFO: begin Aggressive mode.
    racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
    racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    racoon: INFO: received Vendor ID: DPD
    racoon: INFO: ISAKMP-SA established xx.yy.zz.220[500]-aa.bb.cc.133[500] spi:46677973de0cca8f:a8c09e2b878512c2
    racoon: INFO: respond new phase 2 negotiation: xx.yy.zz.220[0]<=>aa.bb.cc.133[0]
    racoon: INFO: Update the generated policy : 192.168.1.34/32[0] 192.168.2.0/24[0] proto=any dir=in
    racoon: INFO: IPsec-SA established: ESP/Tunnel aa.bb.cc.133[0]->xx.yy.zz.220[0] spi=236417513(0xe1771e9)
    racoon: INFO: IPsec-SA established: ESP/Tunnel xx.yy.zz.220[0]->aa.bb.cc.133[0] spi=3157787005(0xbc38017d)
    racoon: ERROR: such policy does not already exist: "192.168.1.34/32[0] 192.168.2.0/24[0] proto=any dir=in"
    racoon: ERROR: such policy does not already exist: "192.168.2.0/24[0] 192.168.1.34/32[0] proto=any dir=out"
    ----------------------------------

    I have read through tutorials and forums (I'm a total newbie) but didn't find any clue to my problem; any help will be really welcome.

    thx in advance

    djno



  • You shouldn't need any firewall rules, and actually we are not yet able to filter IPsec traffic anyway. I would check the GreenBow side, as the site-to-site connection is working. Also, are you connecting to the real IP or the CARP IP? If it is the CARP IP, have you configured the failover IPsec settings correctly? If using CARP IPsec it is also recommended to set "prefer older SAs" to enabled at System > Advanced, so there is no need to generate new SAs under a failover condition (the tunnel will only be down for about 1-2 seconds then).



  • I will check the GreenBow settings. And I'm connecting to the CARP IP.
    The failover IPsec settings look good, well, at least when I switch off the main firewall, the backup firewall also creates the IPsec tunnel (VPN always up).
    Thank you for the hint concerning "prefer older SAs".

    I know that the IPsec traffic cannot be filtered, but I still don't understand the following line in the IPsec logs:

    racoon: INFO: Update the generated policy : 192.168.1.34/32[0] 192.168.2.0/24[0] proto=any dir=in



  • @djno:

    I will check the GreenBow settings. And I'm connecting to the CARP IP.
    The failover IPsec settings look good, well, at least when I switch off the main firewall, the backup firewall also creates the IPsec tunnel (VPN always up).
    Thank you for the hint concerning "prefer older SAs".

    I know that the IPsec traffic cannot be filtered, but I still don't understand the following line in the IPsec logs:

    racoon: INFO: Update the generated policy : 192.168.1.34/32[0] 192.168.2.0/24[0] proto=any dir=in

    I am also getting this problem; it would seem that the rules are not being generated and applied properly for on-the-fly (road warrior) connections. Since "static" VPNs have the subnets etc. set up from the get-go, I'm not surprised that they work with no error.

    I have tried:
    TauVPN 0.36 0.36 0.40
    The Green Bow 2.5.1.008

    and all result in the same error in the IPsec logs.

    Sadly, poking around on the command line is my limit (and I could not find ipsec.conf to "setkey" it).

