Netgate Discussion Forum
    Identifier problem - pfSense 1.2RC3 (dynIP) <-> pfSense 1.2RC2 (Static IP)

    IPsec
    8 Posts 2 Posters 4.2k Views
    ssheikh

      I'm trying to set up an IPSec VPN between home and work.

      Home FW = pfSense 1.2 RC3. Dynamic IP.
      Work FW = pfSense 1.2 RC2. Static IP.

      Have followed this guide: http://pfsense.com/mirror.php?section=tutorials/mobile_ipsec

      I can get everything to work if:

      Home side / VPN / IPSec / Tunnel / Phase 1 / My Identifier = My IP Address
      Work side / IPSec / Pre-shared keys / Identifier = A.B.C.D

      where A.B.C.D = DHCP assigned WAN IP on the home FW.

      If I change this to:

      Home FW / VPN / IPSec / Tunnel / Phase 1 / My Identifier = User FQDN / Home@boo.foo
      Work FW / IPSec / Pre-shared keys / Identifier = Home@boo.foo

      then I get this error in the IPSec logs of the work firewall:

      racoon: ERROR: couldn't find the pskey for A.B.C.D

      It seems that in spite of the identifier being set to User FQDN, the identifier that is being sent by the home FW is still the WAN IP address.

      At this point if I change the pre-shared key at the work FW to A.B.C.D then I get this error code:

      racoon: ERROR: Expecting IP address type in main mode, but User_FQDN.

      I'm assuming this is because the Work firewall is expecting the identity to be in the form of IP address but instead what came is USER_FQDN.

      So it seems like my home FW is telling the work FW that it's sending User_FQDN, but instead of sending the correct string it winds up sending the WAN IP address as a string.

      What am I doing wrong?

      Thanks,

      Shahid

      ssheikh

        Bump to see if anyone has any comments.

        My IP changes frequently (even when the firewall is never shutdown) on the dyn IP side which breaks the VPN.

        heiko

          Set the work side to My Identifier = My IP address on the Mobile Clients page, and the home "dyn" side to User FQDN.

          ssheikh

            Sorry I don't follow.

            Where on the work/static IP side would you like me to set "my identifier"?

            If you want me to set it under the "Mobile Clients" tab, then it is already set to "My IP address".

            Otherwise, I do not have any tunnels defined on the work/static side to have the option of setting "my identifier" anywhere.

            With this scenario if I set the identifier at the home/dynamic IP side to User FQDN and make sure that on the work side the pre-shared key identifier matches that User FQDN then the IPSec connection does not get established and I get this logged:

            racoon: ERROR: couldn't find the pskey for A.B.C.D

            where A.B.C.D is the IP address of the home/dynamic IP firewall.

            With the configuration that you suggested (which is the same as the mobile_ipsec document) what should the identifier for the pre-shared key at the work/static IP side be defined as?

            heiko

              I think you have something misconfigured!

              Here are some screenshots of an up-and-running scenario between static and dynamic addresses.

              Have fun

              [screenshots: static1.jpg, static2.jpg, dyn1.jpg, dyn2.jpg, dyn3.jpg]

              ssheikh

                Can you show me how your pre-shared key on the static side is configured?

                Thanks.

                ssheikh

                  OK. Got it to work. This configuration does not work in Main Mode. It only works in Aggressive Mode.

                  heiko

                    OK, sorry, yes, mobile clients do not work in main mode...

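The thread ends with the observation that a User FQDN identifier only works in aggressive mode, without saying why. The reason is the order of the IKEv1 exchanges (RFC 2409): in main mode the initiator's identity payload travels in message 5, encrypted under keys derived from SKEYID = prf(pre-shared-key, Ni_b | Nr_b), so the responder must already have chosen the pre-shared key before it can read the identity, and the only selector it has at that point is the peer's source address. In aggressive mode the identity is in message 1 in the clear, so the responder can select the key by FQDN. The model below is an added example, not code from the thread or from pfSense/racoon; it assumes HMAC-SHA1 as the prf, a toy XOR keystream in place of the real SKEYID_e-keyed cipher, a Python dict standing in for racoon's psk.txt, and a constructed home address 203.0.113.7 and key. It reproduces both log lines from the thread.

```python
"""Why a User FQDN pre-shared key works for IKEv1 aggressive mode but not
main mode.  Added, constructed model of the RFC 2409 exchanges: message
contents are illustrative, not wire-format IKE packets."""
import hashlib
import hmac
import os

PSK = b"example-shared-secret"            # constructed key
HOME_IP = "203.0.113.7"                   # constructed dynamic WAN address
HOME_ID = ("user_fqdn", "Home@boo.foo")   # identifier used in the thread


class PskNotFound(Exception):
    pass


def lookup_psk(psk_table, id_type, id_value):
    """Consult the key table the way psk.txt is consulted: the identifier
    must match exactly, by type and value."""
    try:
        return psk_table[(id_type, id_value)]
    except KeyError:
        # Same wording racoon logged in the thread.
        raise PskNotFound(f"couldn't find the pskey for {id_value}") from None


def skeyid(psk, ni, nr):
    """RFC 2409 section 5.4, pre-shared-key authentication:
    SKEYID = prf(pre-shared-key, Ni_b | Nr_b), prf assumed to be HMAC-SHA1."""
    return hmac.new(psk, ni + nr, hashlib.sha1).digest()


def toy_crypt(key, data):
    """Toy stand-in for the SKEYID_e-keyed cipher: XOR with a SHA-1
    keystream (symmetric, so the same call encrypts and decrypts)."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha1(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def main_mode(psk_table, initiator_ip, initiator_id, initiator_psk):
    """Main mode responder.  Messages 1-4 carry SA, KE and nonces only;
    message 5 (IDii, HASH_I) is encrypted, so the PSK must be selected
    before the identity is readable.  The only selector is the address."""
    ni, nr = os.urandom(16), os.urandom(16)
    id_type, id_value = initiator_id
    # Initiator builds message 5 under its own SKEYID.
    msg5 = toy_crypt(skeyid(initiator_psk, ni, nr), f"{id_type}:{id_value}".encode())
    try:
        psk = lookup_psk(psk_table, "address", initiator_ip)
    except PskNotFound as e:
        return f"ERROR: {e}"
    ident = toy_crypt(skeyid(psk, ni, nr), msg5).decode(errors="replace")
    # racoon additionally requires a PSK-authenticated main-mode peer to
    # identify itself by address (the second error seen in the thread).
    if not ident.startswith("address:"):
        return f"ERROR: Expecting IP address type in main mode, but {ident.split(':')[0]}"
    return f"phase 1 established with {ident}"


def aggressive_mode(psk_table, initiator_id, initiator_psk):
    """Aggressive mode responder.  Message 1 carries SA, KE, Ni and IDii in
    the clear, so the PSK can be selected by the identity the peer claims."""
    ni, nr = os.urandom(16), os.urandom(16)
    id_type, id_value = initiator_id
    try:
        psk = lookup_psk(psk_table, id_type, id_value)
    except PskNotFound as e:
        return f"ERROR: {e}"
    # With the same key on both sides the derived SKEYIDs agree; a wrong
    # key would surface later as a HASH_R/HASH_I mismatch.
    if skeyid(psk, ni, nr) != skeyid(initiator_psk, ni, nr):
        return "ERROR: hash mismatch (pre-shared keys differ)"
    return f"phase 1 established with {id_type}:{id_value}"


if __name__ == "__main__":
    by_fqdn = {HOME_ID: PSK}
    by_addr = {("address", HOME_IP): PSK}
    print(main_mode(by_fqdn, HOME_IP, HOME_ID, PSK))      # pskey not found for the IP
    print(main_mode(by_addr, HOME_IP, HOME_ID, PSK))      # wrong ID type for main mode
    print(main_mode(by_addr, HOME_IP, ("address", HOME_IP), PSK))
    print(aggressive_mode(by_fqdn, HOME_ID, PSK))         # works
```

The practical caveat that goes with the fix: in aggressive mode the responder's HASH_R, keyed from SKEYID and therefore from the pre-shared key, is sent in the clear in message 2, so anyone who captures one exchange can run an offline guessing attack against the key. A long, random pre-shared key (or certificate authentication) is the mitigation when aggressive mode is required for a dynamic-address peer.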
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.