Identifier problem - pfSense 1.2RC3 (dynIP) <-> pfSense 1.2RC2 (Static IP)



  • I'm trying to set up an IPSec VPN between home and work.

    Home FW = pfSense 1.2 RC3. Dynamic IP.
    Work FW = pfSense 1.2 RC2. Static IP.

    Have followed this guide: http://pfsense.com/mirror.php?section=tutorials/mobile_ipsec

    I can get everything to work if:

    Home side / VPN / IPSec / Tunnel / Phase 1 / My Identifier = My IP Address
    Work side / IPSec / Pre-shared keys / Identifier = A.B.C.D

    where A.B.C.D = DHCP assigned WAN IP on the home FW.

    If I change this to:

    Home FW / VPN / IPSec / Tunnel / Phase 1 / My Identifier = User FQDN / Home@boo.foo
    Work FW / IPSec / Pre-shared keys / Identifier = Home@boo.foo

    then I get this error in the IPSec logs of the work firewall:

    racoon: ERROR: couldn't find the pskey for A.B.C.D

    It seems that in spite of the identifier being set to User FQDN, the identifier that is being sent by the home FW is still the WAN IP address.

    At this point if I change the pre-shared key at the work FW to A.B.C.D then I get this error code:

    racoon: ERROR: Expecting IP address type in main mode, but User_FQDN.

    I'm assuming this is because the Work firewall is expecting the identity to be in the form of IP address but instead what came is USER_FQDN.

    So it seems like my home FW is telling the work FW that it's sending User_FQDN but instead of sending the correct string it winds up sending the WAN IP address as a string.

    What am I doing wrong?

    Thanks,

    Shahid



  • Bump to see if anyone has any comments.

    My IP changes frequently (even when the firewall is never shutdown) on the dyn IP side which breaks the VPN.



  • Set the work side to My Identifier = My IP address on the Mobile Clients page and the home "dyn" side to User FQDN.



  • Sorry I don't follow.

    Where on the work/static IP side would you like me to set "my identifier"?

    If you want me to set it under the "Mobile Clients" tab then it is already set to "My IP address"

    Otherwise, I do not have any tunnels defined on the work/static side to have the option of setting "my identifier" anywhere.

    With this scenario if I set the identifier at the home/dynamic IP side to User FQDN and make sure that on the work side the pre-shared key identifier matches that User FQDN then the IPSec connection does not get established and I get this logged:

    racoon: ERROR: couldn't find the pskey for A.B.C.D

    where A.B.C.D is the IP address of the home/dynamic IP firewall.

    With the configuration that you suggested (which is the same as the mobile_ipsec document) what should the identifier for the pre-shared key at the work/static IP side be defined as?



  • I think you have something misconfigured!

    Here are some screenshots of an up-and-running scenario between static and dynamic addresses.

    Have fun



  • Can you show me how your pre-shared key on the static side is configured.

    Thanks.



  • Ok. Got it to work. This configuration does not work in Main Mode. It only works in Aggressive Mode.

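Why the User FQDN setup in this thread only works in Aggressive Mode, as an added Python model (not pfSense or racoon code): an IKEv1 responder authenticating with a pre-shared key can only select that key from what it has already received. In main mode the initiator's ID payload arrives in message 5, already encrypted with keys derived from SKEYID, so the responder must pick the key by the peer's source address, which is exactly why racoon logs "couldn't find the pskey for A.B.C.D" and why a PSK keyed by the home WAN address breaks when DHCP hands out a new one. In aggressive mode ID_i travels in the clear in message 1, so the key can be looked up by the FQDN. The function names (parse_psk_file, responder_skeyid, attempt, run_scenarios), the psk.txt text, the 203.0.113.x addresses and the nonces are constructed for the example; HMAC-SHA1 is assumed as the negotiated prf.

```python
"""Model of how a racoon-style IKEv1 responder selects the pre-shared key.

Added example, not pfSense or racoon code. It shows why a PSK keyed by a
User FQDN cannot work for a dynamic-IP initiator in main mode but does in
aggressive mode. The psk.txt text, IP addresses and nonces are constructed.
"""
import hashlib
import hmac


class PskLookupError(Exception):
    """Raised when no key matches the selector, mirroring racoon's log line."""


def parse_psk_file(text):
    """Parse the psk.txt layout racoon uses: '<identifier> <key>' per line,
    '#' comments ignored. Returns {identifier: key_bytes}."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ident, key = line.split(None, 1)
        table[ident] = key.strip().encode()
    return table


def lookup_psk(table, selector):
    """Select the key by identifier; the error text follows racoon's log line."""
    try:
        return table[selector]
    except KeyError:
        raise PskLookupError(f"couldn't find the pskey for {selector}") from None


def skeyid_psk(psk, ni, nr):
    """RFC 2409 section 5.4: SKEYID = prf(pre-shared-key, Ni_b | Nr_b).
    HMAC-SHA1 is assumed as the negotiated prf."""
    return hmac.new(psk, ni + nr, hashlib.sha1).digest()


def responder_skeyid(mode, table, peer_ip, peer_id, ni, nr):
    """Derive SKEYID on the responder using only what it knows at that point.

    main mode: ID_i arrives in message 5, already encrypted with keys derived
    from SKEYID, so the PSK has to be chosen before the ID is readable. The
    only selector available is the peer's source IP address.

    aggressive mode: message 1 carries SA, KE, Ni and ID_i in the clear, so
    the responder can select the PSK by the identifier itself.
    """
    if mode == "main":
        selector = peer_ip
    elif mode == "aggressive":
        selector = peer_id
    else:
        raise ValueError(f"unknown exchange mode {mode!r}")
    return skeyid_psk(lookup_psk(table, selector), ni, nr)


def initiator_skeyid(psk, ni, nr):
    """The initiator knows its own key, so it needs no lookup."""
    return skeyid_psk(psk, ni, nr)


def attempt(mode, table, peer_ip, peer_id, ni, nr):
    """Return ('ok', skeyid_hex) or ('error', message) for one scenario."""
    try:
        return ("ok", responder_skeyid(mode, table, peer_ip, peer_id, ni, nr).hex())
    except PskLookupError as exc:
        return ("error", str(exc))


def run_scenarios():
    """Replay the thread's configurations against the model."""
    ni, nr = bytes(range(8)), bytes(range(8, 16))         # constructed nonces
    home_ip, new_home_ip = "203.0.113.7", "203.0.113.99"   # constructed, RFC 5737 range
    home_id = "Home@boo.foo"
    secret = b"example-psk"                                # constructed key
    # Work-side psk.txt keyed by User FQDN (what the poster wanted):
    by_fqdn = parse_psk_file("# work side\nHome@boo.foo  example-psk\n")
    # Work-side psk.txt keyed by the home WAN address (the poster's working setup):
    by_ip = parse_psk_file(f"{home_ip}  example-psk\n")
    expected = initiator_skeyid(secret, ni, nr).hex()
    return {
        "main/fqdn": attempt("main", by_fqdn, home_ip, home_id, ni, nr),
        "aggressive/fqdn": attempt("aggressive", by_fqdn, home_ip, home_id, ni, nr),
        "main/ip": attempt("main", by_ip, home_ip, home_id, ni, nr),
        "main/ip after DHCP change": attempt("main", by_ip, new_home_ip, home_id, ni, nr),
        "initiator skeyid": expected,
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:28s} {result}")
```

Run it with python3: "main/fqdn" reproduces the lookup failure from the thread, "aggressive/fqdn" and "main/ip" both derive the same SKEYID as the initiator, and "main/ip after DHCP change" is the breakage described in the bump post once the home WAN address moves.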


  • OK, sorry, yes, mobile clients are working, not in main mode...

