Netgate Discussion Forum

    Help on PFsense 2.1 IPSec

    AYSMAN

      Can anybody help me with my IPsec? I've checked and re-checked everything in my settings, and I'm sure both sites have exactly the same settings (except for the Remote WAN IP, of course). But there is still no traffic on my tunnel, and this message appears in the IPsec logs:

      ERROR: such policy already exists. anyway replace it: 192.168.231.0/24[0] 192.168.235.0/24[0] proto=any dir=out
      Feb 19 14:40:26

      ERROR: such policy already exists. anyway replace it: 192.168.235.0/24[0] 192.168.231.0/24[0] proto=any dir=in

      silvertip257

        @AYSMAN:

        Can anybody help me with my IPsec? I've checked and re-checked everything in my settings, and I'm sure both sites have exactly the same settings (except for the Remote WAN IP, of course). But there is still no traffic on my tunnel, and this message appears in the IPsec logs:

        ERROR: such policy already exists. anyway replace it: 192.168.231.0/24[0] 192.168.235.0/24[0] proto=any dir=out
        Feb 19 14:40:26

        ERROR: such policy already exists. anyway replace it: 192.168.235.0/24[0] 192.168.231.0/24[0] proto=any dir=in

        Please describe your set up in more detail.

        Are both ends pfsense nodes?

        You might also provide examples of the configuration at both ends with sensitive information (passwords, public IP addresses, and what not) obfuscated to protect the innocent. :)

        AYSMAN

          Thanks for your reply. Here's my set up:

          SITE A

          Internet Protocol: IPv4
          Interface: WAN
          Remote Gateway: (SITE B PUBLIC WAN IP)
          Auth Method: Mutual PSK
          Negotiation Mode: Main
          My Identifier: My IP Add
          Peer Identifier: Peer ID Add
          Pre-Shared Key: password
          Policy Generation: Default
          Proposal Checking: Default
          Encryption Checking: 3DES
          Hash Algorithm: SHA256
          DH Key Group: 2(1024Bit)
          Lifetime: 28800
          NAT Traversal: Disable
          DPD: Unchecked

          SITE A PHASE 2

          Mode: Tunnel IPV4
          Local Network: LAN Subnet
          Remote Network: 192.168.235.0/24 (Local Network of SITE B)
          Protocol: ESP
          Encryption Algorithm: 3DES
          Hash Algorithm: SHA1
          PFS Key Group: 2(1024Bit)
          Lifetime: 3600

          SITE B

          Internet Protocol: IPv4
          Interface: WAN
          Remote Gateway: (SITE A PUBLIC WAN IP)
          Auth Method: Mutual PSK
          Negotiation Mode: Main
          My Identifier: My IP Add
          Peer Identifier: Peer ID Add
          Pre-Shared Key: password
          Policy Generation: Default
          Proposal Checking: Default
          Encryption Checking: 3DES
          Hash Algorithm: SHA256
          DH Key Group: 2(1024Bit)
          Lifetime: 28800
          NAT Traversal: Disable
          DPD: Unchecked

          SITE B PHASE 2

          Mode: Tunnel IPV4
          Local Network: LAN Subnet
          Remote Network: 192.168.235.0/24 (Local Network of SITE A)
          Protocol: ESP
          Encryption Algorithm: 3DES
          Hash Algorithm: SHA1
          PFS Key Group: 2(1024Bit)
          Lifetime: 3600

          Both sites already have a firewall rule: screenshot attached.

          [Screenshot: Capture.JPG]

          silvertip257

            Ok, so those are both pfSense hosts at either end.

            Does the tunnel establish between the two hosts?

            @AYSMAN:

            SITE A PHASE 2

            Mode: Tunnel IPV4
            Local Network: LAN Subnet
            Remote Network: 192.168.235.0/24 (Local Network of SITE B)
            Protocol: ESP
            Encryption Algorithm: 3DES
            Hash Algorithm: SHA1
            PFS Key Group: 2(1024Bit)
            Lifetime: 3600

            […snipped...]

            SITE B PHASE 2

            Mode: Tunnel IPV4
            Local Network: LAN Subnet
            Remote Network: 192.168.235.0/24 (Local Network of SITE A)
            Protocol: ESP
            Encryption Algorithm: 3DES
            Hash Algorithm: SHA1
            PFS Key Group: 2(1024Bit)
            Lifetime: 3600

            In your information, the subnet information in both phase 2 sections is identical. That will not work.

            In order to create traffic that will establish and/or traverse your IPSec tunnel…

            From the webui:
            Status > IPSec > Click the button to establish the tunnel
            OR
            Diagnostics > Ping > Change interface to LAN

            From the shell:
            ping -S <local_lan_ip> <remote_lan_ip>

            That command above is sourcing packets from the LAN IP you specify (so it is sent across the tunnel) and sending it to the remote LAN.

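As an added example (not from this thread or from pfSense itself), the Python below parses the two racoon SPD lines quoted in the first post and checks a pair of Phase 2 entries for the mirror mismatch silvertip257 points out. It assumes "LAN Subnet" resolves to 192.168.231.0/24 at site A and 192.168.235.0/24 at site B, as the log lines suggest; site B's remote network is taken as posted.

```python
import ipaddress
import re

# Constructed sample based on the thread: "LAN Subnet" is assumed to resolve to
# the prefixes that appear in the racoon log lines (192.168.231.0/24 at site A,
# 192.168.235.0/24 at site B). Site B's remote network is copied as posted.
SITE_A_P2 = {"local": "192.168.231.0/24", "remote": "192.168.235.0/24"}
SITE_B_P2 = {"local": "192.168.235.0/24", "remote": "192.168.235.0/24"}

# The two SPD messages quoted in the first post.
LOG = (
    "ERROR: such policy already exists. anyway replace it: "
    "192.168.231.0/24[0] 192.168.235.0/24[0] proto=any dir=out\n"
    "ERROR: such policy already exists. anyway replace it: "
    "192.168.235.0/24[0] 192.168.231.0/24[0] proto=any dir=in\n"
)

POLICY_RE = re.compile(
    r"replace it: (?P<src>[\d./]+)\[\d+\] (?P<dst>[\d./]+)\[\d+\]"
    r" proto=(?P<proto>\w+) dir=(?P<dir>in|out)"
)


def parse_policies(log_text):
    """Return (src, dst, proto, dir) for each SPD 'policy already exists' line."""
    return [
        (m["src"], m["dst"], m["proto"], m["dir"])
        for m in map(POLICY_RE.search, log_text.splitlines()) if m
    ]


def check_phase2_pair(site_a, site_b):
    """List the ways two Phase 2 entries fail to mirror each other; [] means OK."""
    a_local, a_remote = (ipaddress.ip_network(site_a[k]) for k in ("local", "remote"))
    b_local, b_remote = (ipaddress.ip_network(site_b[k]) for k in ("local", "remote"))
    problems = []
    if a_remote != b_local:
        problems.append(f"site A remote {a_remote} != site B local {b_local}")
    if b_remote != a_local:
        problems.append(f"site B remote {b_remote} != site A local {a_local}")
    for name, local, remote in (("A", a_local, a_remote), ("B", b_local, b_remote)):
        if local.overlaps(remote):  # selector would only match LAN-to-LAN traffic
            problems.append(f"site {name}: remote {remote} overlaps its own local {local}")
    return problems


def policies_match_site(policies, site):
    """True if every parsed SPD entry is the out/in pair this site's Phase 2 should install."""
    local, remote = site["local"], site["remote"]
    expected = {"out": (local, remote), "in": (remote, local)}
    return all((src, dst) == expected[direction] for src, dst, _, direction in policies)
```

Run against the posted configuration, check_phase2_pair reports two problems (site B's remote does not match site A's local, and it overlaps site B's own LAN); correcting site B's remote network to 192.168.231.0/24 clears both.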
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.