IPsec using ShrewSoft connects, but cannot ping pfSense box



  • I'm a newbie at creating a VPN. My boss wanted me to create a VPN connection between the 2 lab networks we use in the office. I followed the IPsec tutorial located here: http://doc.pfsense.org/index.php/IPsec_for_road_warriors_in_PfSense_2.0.1_with_PSK_in_stead_of_xauth and it got my tunnel created; however, from the remote machine I cannot ping the LAN inside of pfSense, which is located at 10.215.10.1.

    From the pfSense box I am able to ping the virtual address, which is 10.215.15.1.

    Here is the IPsec log from pfsense:

    Aug 14 11:22:04 racoon: INFO: deleting a generated policy.
    Aug 14 11:22:04 racoon: INFO: purged IPsec-SA proto_id=ESP spi=1978371461.
    Aug 14 11:22:04 racoon: [Self]: INFO: ISAKMP-SA expired 75.141.191.3[4500]-75.141.191.2[1923] spi:e5517d0e1f522f69:4cf69e1c42a64d88
    Aug 14 11:22:04 racoon: [Self]: INFO: ISAKMP-SA deleted 75.141.191.3[4500]-75.141.191.2[1923] spi:e5517d0e1f522f69:4cf69e1c42a64d88
    Aug 14 11:22:04 racoon: INFO: Released port 0
    Aug 14 11:22:08 racoon: [Self]: INFO: respond new phase 1 negotiation: 75.141.191.3[500]<=>75.141.191.2[1943]
    Aug 14 11:22:08 racoon: INFO: begin Aggressive mode.
    Aug 14 11:22:08 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Aug 14 11:22:08 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Aug 14 11:22:08 racoon: INFO: received Vendor ID: RFC 3947
    Aug 14 11:22:08 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Aug 14 11:22:08 racoon: INFO: received Vendor ID: CISCO-UNITY
    Aug 14 11:22:08 racoon: [75.141.191.2] INFO: Selected NAT-T version: RFC 3947
    Aug 14 11:22:09 racoon: INFO: Adding remote and local NAT-D payloads.
    Aug 14 11:22:09 racoon: [75.141.191.2] INFO: Hashing 75.141.191.2[1943] with algo #2 (NAT-T forced)
    Aug 14 11:22:09 racoon: [Self]: [75.141.191.3] INFO: Hashing 75.141.191.3[500] with algo #2 (NAT-T forced)
    Aug 14 11:22:09 racoon: [Self]: INFO: NAT-T: ports changed to: 75.141.191.2[1923]<->75.141.191.3[4500]
    Aug 14 11:22:09 racoon: INFO: NAT-D payload #0 doesn't match
    Aug 14 11:22:09 racoon: INFO: NAT-D payload #1 doesn't match
    Aug 14 11:22:09 racoon: INFO: NAT detected: ME PEER
    Aug 14 11:22:09 racoon: [Self]: INFO: ISAKMP-SA established 75.141.191.3[4500]-75.141.191.2[1923] spi:65b83814feeb57b2:259dc5f291c75942
    Aug 14 11:22:09 racoon: [75.141.191.2] INFO: received INITIAL-CONTACT
    Aug 14 11:22:09 racoon: INFO: purging spi=67170306.
    Aug 14 11:22:09 racoon: INFO: Using port 0
    Aug 14 11:22:09 racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
    Aug 14 11:22:15 racoon: [Self]: INFO: respond new phase 2 negotiation: 75.141.191.3[4500]<=>75.141.191.2[1923]
    Aug 14 11:22:15 racoon: INFO: Update the generated policy : 10.215.15.1/32[0] 0.0.0.0/0[0] proto=any dir=in
    Aug 14 11:22:15 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    Aug 14 11:22:15 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
    Aug 14 11:22:15 racoon: [Self]: INFO: IPsec-SA established: ESP 75.141.191.3[500]->75.141.191.2[500] spi=132023411(0x7de8473)
    Aug 14 11:22:15 racoon: [Self]: INFO: IPsec-SA established: ESP 75.141.191.3[500]->75.141.191.2[500] spi=1716966044(0x6656d29c)

    Any ideas as to why I cannot ping the pfSense LAN from the remote?



  • I was able to figure my issue out; it turns out I had forgotten to create the firewall rules.

    Rookie mistake, heh.
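As an added example, not code from either poster, here is a small triage script for the "tunnel negotiates but pings fail" situation in this thread: it reads the racoon log lines from the first post and, given the LAN address the client cannot reach (10.215.10.1 from the post), says whether the failure sits in phase 1, phase 2, the negotiated policy, or after decryption, which is where the IPsec interface firewall rules from the second post apply. The regexes and the diagnosis wording are mine; the log excerpt is copied from the post.

```python
import ipaddress
import re

# Racoon lines copied from the first post (only the state-changing ones kept).
RACOON_LOG = """\
Aug 14 11:22:08 racoon: [Self]: INFO: respond new phase 1 negotiation: 75.141.191.3[500]<=>75.141.191.2[1943]
Aug 14 11:22:09 racoon: INFO: NAT detected: ME PEER
Aug 14 11:22:09 racoon: [Self]: INFO: ISAKMP-SA established 75.141.191.3[4500]-75.141.191.2[1923] spi:65b83814feeb57b2:259dc5f291c75942
Aug 14 11:22:15 racoon: [Self]: INFO: respond new phase 2 negotiation: 75.141.191.3[4500]<=>75.141.191.2[1923]
Aug 14 11:22:15 racoon: INFO: Update the generated policy : 10.215.15.1/32[0] 0.0.0.0/0[0] proto=any dir=in
Aug 14 11:22:15 racoon: [Self]: INFO: IPsec-SA established: ESP 75.141.191.3[500]->75.141.191.2[500] spi=132023411(0x7de8473)
Aug 14 11:22:15 racoon: [Self]: INFO: IPsec-SA established: ESP 75.141.191.3[500]->75.141.191.2[500] spi=1716966044(0x6656d29c)
"""

ESP_RE = re.compile(r"IPsec-SA established: ESP (\S+)->(\S+) spi=(\d+)")
POLICY_RE = re.compile(r"generated policy : (\S+)\[\d+\] (\S+)\[\d+\] proto=(\S+) dir=(\S+)")
NAT_RE = re.compile(r"NAT detected: (.+)$")

def summarize_racoon(log):
    """Reduce a racoon log to the facts needed for 'tunnel up but no traffic' triage."""
    state = {"phase1": False, "nat": None, "esp_spis": [], "policies": []}
    for line in log.splitlines():
        if "ISAKMP-SA established" in line:          # phase 1 completed
            state["phase1"] = True
        elif m := NAT_RE.search(line):               # which side(s) sit behind NAT
            state["nat"] = m.group(1).strip()
        elif m := ESP_RE.search(line):               # phase 2 completed, one SPI per direction
            state["esp_spis"].append(int(m.group(3)))
        elif m := POLICY_RE.search(line):            # SPD entry racoon generated for the client
            src, dst, proto, direction = m.groups()
            state["policies"].append({"src": src, "dst": dst, "proto": proto, "dir": direction})
    return state

def policy_covers(policy, lan_ip):
    """True if an inbound SPD entry lets the client's packets reach lan_ip."""
    net = ipaddress.ip_network(policy["dst"], strict=False)
    return policy["dir"] == "in" and ipaddress.ip_address(lan_ip) in net

def diagnose(state, lan_ip):
    """Name the layer where the ping is failing, working from the outside in."""
    if not state["phase1"]:
        return "phase 1 failed: check the PSK, phase 1 proposal and NAT-T settings"
    if not state["esp_spis"]:
        return "phase 2 failed: check the phase 2 proposal and the local/remote networks"
    if not any(policy_covers(p, lan_ip) for p in state["policies"]):
        return f"no inbound policy covers {lan_ip}: the phase 2 local network is wrong"
    return (f"IKE and ESP are up and the policy covers {lan_ip}: packets are decrypted and "
            "then dropped, so check the firewall rules on the IPsec interface")
```

For the log in this thread the script reports the last case, which matches the resolution in the second post.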

