Setup IPSec VPN to a node behind another Pfsense Box (Attached Network Diagram)



- I have a pfSense box (call this BOX1) that has LANs and a WAN which connects to the internet and is used to create a VPN connection to a client. This has pfSense version 2.0.2-RELEASE (i386).
- I have another pfSense box (call this BOX2) with an internet connection. Behind it are several LANs (LANx). This has pfSense version 2.1-RELEASE (i386).
- There is also a point-to-point connection between BOX1 and BOX2.
- BOX2 uses BOX1 as its default gateway.
- This means BOX1 is the default gateway for its own LAN and also the default gateway for BOX2 and the networks behind BOX2.
- The internet connection of BOX2 is normally used only when BOX1's WAN is unreachable.
- BOX1 has a site-to-site VPN to a client who uses that VPN to connect to an IP 192.168.2.5 (call it SRV1) which sits in the LAN behind BOX1.
- Using the WAN on BOX2, I want to set up a backup VPN to the client so that they can connect to SRV1 via the point-to-point link that connects BOX2 and BOX1.
- The client's computer is on IP 172.16.2.10.

Basically, if the WAN supporting the VPN on the pfSense BOX1 is down, I want the clients themselves to switch to VPN2, which will connect via the point-to-point link to BOX1 and thus reach SRV1, which sits behind BOX1.

Can you guide me on how to do this kind of setup?

So far, I have tried but haven't succeeded. On BOX2, I am getting the errors:

```
Jan 30 10:32:04	racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 172.16.2.10/24[0] 10.10.11.3/32[0] proto=any dir=in
Jan 30 10:32:04	racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28501288: 172.16.2.10/24[0] 10.10.11.3/32[0] proto=any dir=in
Jan 30 10:32:04	racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe724: 172.16.2.10/24[0] 10.10.11.3/32[0] proto=any dir=in
Jan 30 10:32:04	racoon: DEBUG: got pfkey X_SPDADD message
Jan 30 10:32:04	racoon: DEBUG: pk_recv: retry[0] recv()
Jan 30 10:32:04	racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.2.5/32[0] 172.16.2.10/24[0] proto=any dir=out
Jan 30 10:32:04	racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28501508: 192.168.2.5/32[0] 172.16.2.10/24[0] proto=any dir=out
Jan 30 10:32:04	racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe724: 192.168.2.5/32[0] 172.16.2.10/24[0] proto=any dir=out
Jan 30 10:32:04	racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28501288: 172.16.2.10/24[0] 10.10.11.3/32[0] proto=any dir=in
Jan 30 10:32:04	racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe724: 192.168.2.5/32[0] 172.16.2.10/24[0] proto=any dir=out
Jan 30 10:32:04	racoon: DEBUG: got pfkey X_SPDADD message
Jan 30 10:32:04	racoon: DEBUG: pk_recv: retry[0] recv()
Jan 30 10:32:04	racoon: INFO: unsupported PF_KEY message REGISTER
Jan 30 10:32:04	racoon: DEBUG: got pfkey REGISTER message
Jan 30 10:32:04	racoon: DEBUG: pk_recv: retry[0] recv()
Jan 30 10:32:04	racoon: DEBUG: getsainfo params: loc='192.168.2.5' rmt='172.16.2.10/24' peer='NULL' client='NULL' id=1
Jan 30 10:32:04	racoon: DEBUG: no check of compression algorithm; not supported in sadb message.
Jan 30 10:32:04	racoon: DEBUG: hmac(modp1536)
Jan 30 10:32:04	racoon: DEBUG: reading config file /var/etc/ipsec/racoon.conf
Jan 30 10:32:04	racoon: DEBUG: pk_recv: retry[2] recv()
Jan 30 10:32:04	racoon: DEBUG: pk_recv: retry[1] recv()
Jan 30 10:32:04	racoon: DEBUG: pk_recv: retry[0] recv()
Jan 30 10:32:04	racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28501288: 172.16.2.10/24[0] 10.10.11.3/32[0] proto=any dir=in
Jan 30 10:32:04	racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe704: 192.168.2.5/32[0] 172.16.2.10/24[0] proto=any dir=out
Jan 30 10:32:04	racoon: DEBUG: got pfkey X_SPDDUMP message
Jan 30 10:32:04	racoon: DEBUG: pk_recv: retry[0] recv()
Jan 30 10:32:04	racoon: DEBUG: got pfkey X_SPDDUMP message
Jan 30 10:32:04	racoon: DEBUG: pk_recv: retry[0] recv()
Jan 30 10:32:04	racoon: INFO: unsupported PF_KEY message REGISTER
Jan 30 10:32:04	racoon: DEBUG: got pfkey REGISTER message
Jan 30 10:32:04	racoon: DEBUG: pk_recv: retry[0] recv()
```

Need more info? Let me know.

Thanks.
![pfsense setup.JPG](/public/imported_attachments/1/pfsense setup.JPG)
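An added example, not part of the post above: a small Python check that reads racoon SPD log lines in the format shown in the post, pulls out each policy's source/destination selectors, reports selectors whose address has host bits set for its prefix (172.16.2.10/24 is such a case; the network for that prefix would be 172.16.2.0/24, which is worth comparing against the Phase 2 remote network configured on BOX2), and lists the policies racoon reported as already existing. The sample log is constructed from the lines in the post; no pfSense-specific API is assumed.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed sample, in the racoon SPD log format seen in the post above.
SAMPLE_LOG = """\
Jan 30 10:32:04 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 172.16.2.10/24[0] 10.10.11.3/32[0] proto=any dir=in
Jan 30 10:32:04 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28501288: 172.16.2.10/24[0] 10.10.11.3/32[0] proto=any dir=in
Jan 30 10:32:04 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.2.5/32[0] 172.16.2.10/24[0] proto=any dir=out
Jan 30 10:32:04 racoon: DEBUG: got pfkey X_SPDADD message
"""

Policy = namedtuple("Policy", "src dst proto direction")

# Matches "<src>/<len>[port] <dst>/<len>[port] proto=<p> dir=<in|out>" as racoon prints SPD entries.
POLICY_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+/\d+)\[\d+\]\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+/\d+)\[\d+\]\s+proto=(?P<proto>\S+)\s+dir=(?P<dir>in|out)"
)


def parse_policies(log_text):
    """Return every SPD selector pair found in the log, one Policy per matching line."""
    found = []
    for line in log_text.splitlines():
        m = POLICY_RE.search(line)
        if m:
            found.append(Policy(m["src"], m["dst"], m["proto"], m["dir"]))
    return found


def has_host_bits(cidr):
    """True when the address is not the network address of its prefix (e.g. 172.16.2.10/24)."""
    iface = ipaddress.ip_interface(cidr)
    return iface.ip != ipaddress.ip_network(cidr, strict=False).network_address


def audit_spd_log(log_text):
    """Summarise SPD problems: selectors with host bits set, and policies racoon had to replace."""
    policies = parse_policies(log_text)
    host_bits = sorted({sel for p in policies for sel in (p.src, p.dst) if has_host_bits(sel)})
    replaced = []
    for line in log_text.splitlines():
        if "such policy already exists" in line:
            m = POLICY_RE.search(line)
            if m:
                replaced.append((m["src"], m["dst"], m["dir"]))
    return {"host_bits": host_bits, "replaced": replaced}


if __name__ == "__main__":
    for key, items in audit_spd_log(SAMPLE_LOG).items():
        print(key, items)
```

Run it against `clog /var/log/ipsec.log` output (or the IPsec log page copied to a file) to get the same summary for the live box.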

