No traffic between pfSense and m0n0wall tunnel

  • Hello

    I have a site-to-site setup between (site1) pfSense (2.1) and (site2) m0n0wall (1.34). The IPsec tunnel was working like a charm before, when I was running the previous version of pfSense.
    But after I upgraded to the latest version, no traffic is going through it.
    If I go to:

    Status->ipsec->overview = Active(Green)

    Status->ipsec->SAD =
    Source   Destination   Protocol   SPI        Enc. alg.      Auth. alg.   Data
    Site1    Site2         ESP        09f1b348   blowfish-cbc   hmac-sha1    5504 B
    Site2    Site1         ESP        00540335   blowfish-cbc   hmac-sha1    0 B

    Status->ipsec->LOG
    Oct 1 21:58:38 racoon: INFO: @(#)ipsec-tools 0.8.1 (http://ipsec-tools.sourceforge.net)
    Oct 1 21:58:38 racoon: INFO: @(#)This product linked OpenSSL 1.0.1e 11 Feb 2013 (http://www.openssl.org/)
    Oct 1 21:58:38 racoon: INFO: Reading configuration from "/var/etc/ipsec/racoon.conf"
    Oct 1 21:58:38 racoon: [Self]: INFO: Site1ip[4500] used for NAT-T
    Oct 1 21:58:38 racoon: [Self]: INFO: Site1ip[4500] used as isakmp port (fd=13)
    Oct 1 21:58:38 racoon: [Self]: INFO: Site1ip[500] used for NAT-T
    Oct 1 21:58:38 racoon: [Self]: INFO: Site1ip[500] used as isakmp port (fd=14)
    Oct 1 21:58:41 racoon: INFO: @(#)ipsec-tools 0.8.1 (http://ipsec-tools.sourceforge.net)
    Oct 1 21:58:41 racoon: INFO: @(#)This product linked OpenSSL 1.0.1e 11 Feb 2013 (http://www.openssl.org/)
    Oct 1 21:58:41 racoon: INFO: Reading configuration from "/var/etc/ipsec/racoon.conf"
    Oct 1 21:58:41 racoon: [Self]: INFO: Site1ip[4500] used for NAT-T
    Oct 1 21:58:41 racoon: [Self]: INFO: Site1ip[4500] used as isakmp port (fd=13)
    Oct 1 21:58:41 racoon: [Self]: INFO: Site1ip[500] used for NAT-T
    Oct 1 21:58:41 racoon: [Self]: INFO: Site1ip[500] used as isakmp port (fd=14)
    Oct 1 21:58:41 racoon: INFO: unsupported PF_KEY message REGISTER
    Oct 1 21:58:41 racoon: ERROR: such policy already exists. anyway replace it: 192.168.0.2/32[0] 192.168.0.0/24[0] proto=any dir=out
    Oct 1 21:58:41 racoon: ERROR: such policy already exists. anyway replace it: 192.168.0.0/24[0] 192.168.0.2/32[0] proto=any dir=in
    Oct 1 21:58:42 racoon: INFO: unsupported PF_KEY message REGISTER
    Oct 1 21:59:14 racoon: INFO: unsupported PF_KEY message REGISTER
    Oct 1 22:00:09 racoon: [GreenCity]: INFO: respond new phase 1 negotiation: Site1ip[500]<=>Site2ip[500]
    Oct 1 22:00:09 racoon: INFO: begin Aggressive mode.
    Oct 1 22:00:09 racoon: INFO: received Vendor ID: DPD
    Oct 1 22:00:09 racoon: [GreenCity]: [Site2ip] NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
    Oct 1 22:00:09 racoon: [GreenCity]: INFO: ISAKMP-SA established Site1ip[500]-Site2ip[500] spi:d15325d570874ce9:c06ed6b1cb5c72af
    Oct 1 22:00:10 racoon: [GreenCity]: INFO: respond new phase 2 negotiation: Site1ip[500]<=>Site2ip[500]
    Oct 1 22:00:10 racoon: WARNING: low key length proposed, mine:256 peer:128.
    Oct 1 22:00:10 racoon: WARNING: low key length proposed, mine:248 peer:128.
    Oct 1 22:00:10 racoon: WARNING: low key length proposed, mine:240 peer:128.
    Oct 1 22:00:10 racoon: WARNING: low key length proposed, mine:232 peer:128.
    Oct 1 22:00:10 racoon: WARNING: low key length proposed, mine:224 peer:128.
    Oct 1 22:00:10 racoon: WARNING: low key length proposed, mine:216 peer:128.
    Oct 1 22:00:10 racoon: WARNING: low key length proposed, mine:208 peer:128.
    Oct 1 22:00:10 racoon: WARNING: low key length proposed, mine:200 peer:128.
    Oct 1 22:00:10 racoon: WARNING: low key length proposed, mine:192 peer:128.
    Oct 1 22:00:10 racoon: WARNING: low key length proposed, mine:184 peer:128.
    Oct 1 22:00:10 racoon: WARNING: low key length proposed, mine:176 peer:128.
    Oct 1 22:00:10 racoon: WARNING: low key length proposed, mine:168 peer:128.
    Oct 1 22:00:10 racoon: WARNING: low key length proposed, mine:160 peer:128.
    Oct 1 22:00:10 racoon: WARNING: low key length proposed, mine:152 peer:128.
    Oct 1 22:00:10 racoon: WARNING: low key length proposed, mine:144 peer:128.
    Oct 1 22:00:10 racoon: WARNING: low key length proposed, mine:136 peer:128.
    Oct 1 22:00:10 racoon: [GreenCity]: INFO: IPsec-SA established: ESP Site1ip[500]->Site2ip[500] spi=215023445(0xcd0ff55)
    Oct 1 22:00:10 racoon: [GreenCity]: INFO: IPsec-SA established: ESP Site1ip[500]->Site2ip[500] spi=143386518(0x88be796)



  • Anyone who has a clue what could be wrong here?
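
A small diagnostic script, added here as an example and not part of the original post, that reads a pasted Status->IPsec->SAD table and racoon log in the form shown above and flags the two things a practitioner would check first: an SA pair where bytes leave the tunnel but the return SA stays at 0 B, and the key length the peer kept offering while racoon warned about it. The column layout and log wording are assumed to match the post; the sample input is constructed.

```python
import re

# Constructed sample input modelled on the SAD table and racoon log quoted in
# the post above (trimmed and re-typed, not captured from a live firewall).
SAD_SAMPLE = """\
Source Destination Protocol SPI Enc.alg. Auth.alg. Data
Site1 Site2 ESP 09f1b348 blowfish-cbc hmac-sha1 5504 B
Site2 Site1 ESP 00540335 blowfish-cbc hmac-sha1 0 B
"""
LOG_SAMPLE = """\
Oct 1 22:00:10 racoon: WARNING: low key length proposed, mine:256 peer:128.
Oct 1 22:00:10 racoon: WARNING: low key length proposed, mine:136 peer:128.
Oct 1 22:00:10 racoon: [GreenCity]: INFO: IPsec-SA established: ESP Site1ip[500]->Site2ip[500] spi=215023445(0xcd0ff55)
"""

# One SAD row: src dst ESP spi enc auth bytes B
SAD_RE = re.compile(r"^(\S+)\s+(\S+)\s+ESP\s+([0-9a-fA-F]+)\s+(\S+)\s+(\S+)\s+(\d+)\s*B$")
KEYLEN_RE = re.compile(r"low key length proposed, mine:(\d+) peer:(\d+)")

def parse_sad(text):
    """Return one dict per ESP row of a Status->IPsec->SAD table."""
    rows = []
    for line in text.splitlines():
        m = SAD_RE.match(line.strip())
        if m:
            src, dst, spi, enc, auth, nbytes = m.groups()
            rows.append({"src": src, "dst": dst, "spi": spi,
                         "enc": enc, "auth": auth, "bytes": int(nbytes)})
    return rows

def one_way_pairs(rows):
    """(src, dst) pairs whose SA carried data while the reverse SA counted
    0 bytes: packets enter the tunnel in one direction but nothing comes back."""
    by_pair = {(r["src"], r["dst"]): r["bytes"] for r in rows}
    return sorted((s, d) for (s, d), n in by_pair.items()
                  if n > 0 and by_pair.get((d, s)) == 0)

def keylen_mismatch(log_text):
    """Summarise racoon's 'low key length proposed' warnings as
    (lowest local length warned about, sorted peer lengths offered)."""
    mine, peer = [], set()
    for m in KEYLEN_RE.finditer(log_text):
        mine.append(int(m.group(1)))
        peer.add(int(m.group(2)))
    return (min(mine) if mine else None, sorted(peer))

if __name__ == "__main__":
    print("one-way SAs:", one_way_pairs(parse_sad(SAD_SAMPLE)))
    print("key length (lowest local, peer):", keylen_mismatch(LOG_SAMPLE))
```

A `Site1 -> Site2` hit with the reverse SA at 0 B means the remote end is not putting return traffic into this tunnel (or it is dropped before decryption), so the next place to look is the phase 2 subnets and the remote end's SPD rather than the phase 1 status.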