    Set up an IPsec VPN to a node behind another pfSense box (attached network diagram)

    IPsec
    reloded:

      I have a pfSense box (call this BOX1) that has LANs and a WAN which connects to the internet and is used to create a VPN connection to a client. This has pfSense version 2.0.2-RELEASE (i386).
      I have another pfSense box (call this BOX2) with an internet connection. Behind it are several LANs (LANx). This has pfSense version 2.1-RELEASE (i386).
      There is also a point-to-point connection between BOX1 and BOX2.
      BOX2 uses BOX1 as its default gateway.
      This means BOX1 is the default gateway for its own LAN and also the default gateway for BOX2 and the networks behind BOX2.
      The internet of BOX2 is normally used only when BOX1's WAN is unreachable.
      BOX1 has a site-to-site VPN to a client who uses that VPN to connect to the IP 192.168.2.5 (call it SRV1), which sits in the LAN behind BOX1.
      Using the WAN on BOX2, I want to set up a backup VPN to the client so that they can connect to SRV1 via the point-to-point link that connects BOX2 and BOX1.
      The client's computer is on IP 172.16.2.10.

      Basically, if the WAN supporting the VPN on the pfSense BOX1 is down, I want the clients themselves to switch to VPN2, which will connect via the point-to-point link to BOX1 and thus reach SRV1, which sits behind BOX1.

      Can you guide me on how to do this kind of setup?

      So far, I have tried but haven't succeeded. On BOX2, I am getting these errors:

      Jan 30 10:32:04	racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 172.16.2.10/24[0] 10.10.11.3/32[0] proto=any dir=in
      Jan 30 10:32:04	racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28501288: 172.16.2.10/24[0] 10.10.11.3/32[0] proto=any dir=in
      Jan 30 10:32:04	racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe724: 172.16.2.10/24[0] 10.10.11.3/32[0] proto=any dir=in
      Jan 30 10:32:04	racoon: DEBUG: got pfkey X_SPDADD message
      Jan 30 10:32:04	racoon: DEBUG: pk_recv: retry[0] recv()
      Jan 30 10:32:04	racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.2.5/32[0] 172.16.2.10/24[0] proto=any dir=out
      Jan 30 10:32:04	racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28501508: 192.168.2.5/32[0] 172.16.2.10/24[0] proto=any dir=out
      Jan 30 10:32:04	racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe724: 192.168.2.5/32[0] 172.16.2.10/24[0] proto=any dir=out
      Jan 30 10:32:04	racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28501288: 172.16.2.10/24[0] 10.10.11.3/32[0] proto=any dir=in
      Jan 30 10:32:04	racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe724: 192.168.2.5/32[0] 172.16.2.10/24[0] proto=any dir=out
      Jan 30 10:32:04	racoon: DEBUG: got pfkey X_SPDADD message
      Jan 30 10:32:04	racoon: DEBUG: pk_recv: retry[0] recv()
      Jan 30 10:32:04	racoon: INFO: unsupported PF_KEY message REGISTER
      Jan 30 10:32:04	racoon: DEBUG: got pfkey REGISTER message
      Jan 30 10:32:04	racoon: DEBUG: pk_recv: retry[0] recv()
      Jan 30 10:32:04	racoon: DEBUG: getsainfo params: loc='192.168.2.5' rmt='172.16.2.10/24' peer='NULL' client='NULL' id=1
      Jan 30 10:32:04	racoon: DEBUG: no check of compression algorithm; not supported in sadb message.
      Jan 30 10:32:04	racoon: DEBUG: hmac(modp1536)
      Jan 30 10:32:04	racoon: DEBUG: reading config file /var/etc/ipsec/racoon.conf
      Jan 30 10:32:04	racoon: DEBUG: pk_recv: retry[2] recv()
      Jan 30 10:32:04	racoon: DEBUG: pk_recv: retry[1] recv()
      Jan 30 10:32:04	racoon: DEBUG: pk_recv: retry[0] recv()
      Jan 30 10:32:04	racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28501288: 172.16.2.10/24[0] 10.10.11.3/32[0] proto=any dir=in
      Jan 30 10:32:04	racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0xbfbfe704: 192.168.2.5/32[0] 172.16.2.10/24[0] proto=any dir=out
      Jan 30 10:32:04	racoon: DEBUG: got pfkey X_SPDDUMP message
      Jan 30 10:32:04	racoon: DEBUG: pk_recv: retry[0] recv()
      Jan 30 10:32:04	racoon: DEBUG: got pfkey X_SPDDUMP message
      Jan 30 10:32:04	racoon: DEBUG: pk_recv: retry[0] recv()
      Jan 30 10:32:04	racoon: INFO: unsupported PF_KEY message REGISTER
      Jan 30 10:32:04	racoon: DEBUG: got pfkey REGISTER message
      Jan 30 10:32:04	racoon: DEBUG: pk_recv: retry[0] recv()
      

      Need more info? Let me know.

      Thanks.
      ![pfsense setup.JPG](/public/imported_attachments/1/pfsense setup.JPG)

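A small log-triage script, added here as an editor's example (it is not part of the post, of pfSense or of racoon): it pulls the SPD policy fields out of racoon lines like the ones quoted above, reports the "such policy already exists" duplicates once each, and flags any selector whose address has host bits set under its prefix, which is what 172.16.2.10/24 in the log is. The sample lines are constructed, modelled on the post's output.

```python
import ipaddress
import re

# Constructed sample, modelled on the racoon lines quoted in the post above.
SAMPLE_LOG = """\
Jan 30 10:32:04 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 172.16.2.10/24[0] 10.10.11.3/32[0] proto=any dir=in
Jan 30 10:32:04 racoon: DEBUG: got pfkey X_SPDADD message
Jan 30 10:32:04 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.2.5/32[0] 172.16.2.10/24[0] proto=any dir=out
Jan 30 10:32:04 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28501288: 172.16.2.10/24[0] 10.10.11.3/32[0] proto=any dir=in
"""

# Matches the "src/len[port] dst/len[port] proto=... dir=..." tail racoon prints for an SPD entry.
POLICY_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+/\d+)\[\d+\]\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+/\d+)\[\d+\]\s+proto=\S+\s+dir=(?P<dir>\w+)"
)


def parse_policies(log_text):
    """Return one dict per SPD policy mentioned anywhere in the log text."""
    policies = []
    for line in log_text.splitlines():
        m = POLICY_RE.search(line)
        if m:
            policies.append({"src": m.group("src"), "dst": m.group("dst"),
                             "dir": m.group("dir"),
                             "duplicate": "such policy already exists" in line})
    return policies


def has_host_bits(cidr):
    """True when the address is not the network address of its prefix (e.g. 172.16.2.10/24)."""
    try:
        ipaddress.ip_network(cidr, strict=True)
        return False
    except ValueError:
        return True


def triage(log_text):
    """Deduplicated, sorted list of findings a practitioner would check in the phase 2 config."""
    findings = set()
    for p in parse_policies(log_text):
        if p["duplicate"]:
            findings.add(f"duplicate SPD entry {p['src']} -> {p['dst']} dir={p['dir']}")
        for side in ("src", "dst"):
            if has_host_bits(p[side]):
                net = ipaddress.ip_network(p[side], strict=False)
                findings.add(f"{side} {p[side]} has host bits set; intended network is probably {net}")
    return sorted(findings)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```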
