Help on PFsense 2.1 IPSec



  • Can anybody help me on my IPsec? I've checked and re-checked everything in my settings and I'm sure both sites have exactly the same settings (except for the remote WAN IP, of course). But still there is no traffic on my tunnel, and this message appears in the IPsec logs:

    ERROR: such policy already exists. anyway replace it: 192.168.231.0/24[0] 192.168.235.0/24[0] proto=any dir=out
    Feb 19 14:40:26

    ERROR: such policy already exists. anyway replace it: 192.168.235.0/24[0] 192.168.231.0/24[0] proto=any dir=in



  • @AYSMAN:

    Can anybody help me on my IPsec? I've checked and re-checked everything in my settings and I'm sure both sites have exactly the same settings (except for the remote WAN IP, of course). But still there is no traffic on my tunnel, and this message appears in the IPsec logs:

    ERROR: such policy already exists. anyway replace it: 192.168.231.0/24[0] 192.168.235.0/24[0] proto=any dir=out
    Feb 19 14:40:26

    ERROR: such policy already exists. anyway replace it: 192.168.235.0/24[0] 192.168.231.0/24[0] proto=any dir=in

    Please describe your set up in more detail.

    Are both ends pfsense nodes?

    You might also provide examples of the configuration at both ends with sensitive information (passwords, public IP addresses, and what not) obfuscated to protect the innocent. :)



  • Thanks for your reply. Here's my set up:

    SITE A

    Internet Protocol:     IPv4
    Interface:             WAN
    Remote Gateway:        (SITE B PUBLIC WAN IP)
    Auth Method:           Mutual PSK
    Negotiation Mode:      Main
    My Identifier:         My IP Address
    Peer Identifier:       Peer IP Address
    Pre-Shared Key:        password
    Policy Generation:     Default
    Proposal Checking:     Default
    Encryption Algorithm:  3DES
    Hash Algorithm:        SHA256
    DH Key Group:          2 (1024 bit)
    Lifetime:              28800
    NAT Traversal:         Disable
    DPD:                   Unchecked

    SITE A PHASE 2

    Mode:                  Tunnel IPv4
    Local Network:         LAN Subnet
    Remote Network:        192.168.235.0/24 (Local Network of SITE B)
    Protocol:              ESP
    Encryption Algorithm:  3DES
    Hash Algorithm:        SHA1
    PFS Key Group:         2 (1024 bit)
    Lifetime:              3600

    SITE B

    Internet Protocol:     IPv4
    Interface:             WAN
    Remote Gateway:        (SITE A PUBLIC WAN IP)
    Auth Method:           Mutual PSK
    Negotiation Mode:      Main
    My Identifier:         My IP Address
    Peer Identifier:       Peer IP Address
    Pre-Shared Key:        password
    Policy Generation:     Default
    Proposal Checking:     Default
    Encryption Algorithm:  3DES
    Hash Algorithm:        SHA256
    DH Key Group:          2 (1024 bit)
    Lifetime:              28800
    NAT Traversal:         Disable
    DPD:                   Unchecked

    SITE B PHASE 2

    Mode:                  Tunnel IPv4
    Local Network:         LAN Subnet
    Remote Network:        192.168.235.0/24 (Local Network of SITE A)
    Protocol:              ESP
    Encryption Algorithm:  3DES
    Hash Algorithm:        SHA1
    PFS Key Group:         2 (1024 bit)
    Lifetime:              3600

    Both Sites already have a firewall rule: Screen Shot attached




  • Ok, so those are both pfSense hosts at either end.

    Does the tunnel establish between the two hosts?

    @AYSMAN:

    SITE A PHASE 2

    Mode:                  Tunnel IPv4
    Local Network:         LAN Subnet
    Remote Network:        192.168.235.0/24 (Local Network of SITE B)
    Protocol:              ESP
    Encryption Algorithm:  3DES
    Hash Algorithm:        SHA1
    PFS Key Group:         2 (1024 bit)
    Lifetime:              3600

    [...snipped...]

    SITE B PHASE 2

    Mode:                  Tunnel IPv4
    Local Network:         LAN Subnet
    Remote Network:        192.168.235.0/24 (Local Network of SITE A)
    Protocol:              ESP
    Encryption Algorithm:  3DES
    Hash Algorithm:        SHA1
    PFS Key Group:         2 (1024 bit)
    Lifetime:              3600

    In your information, the subnet information in both Phase 2 sections is identical. That will not work.

    In order to create traffic that will establish and/or traverse your IPSec tunnel…

    From the webui:
    Status > IPSec > Click the button to establish the tunnel
    OR
    Diagnostics > Ping > Change interface to LAN

    From the shell:
    ping -S <local_lan_ip> <remote_lan_ip>

    The command above sources packets from the LAN IP you specify (so they are sent across the tunnel) and sends them to the remote LAN.
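The mirroring rule the reply above relies on, written out as an added Python check. This is the editor's example for this thread, not pfSense code and not anything the posters ran. It resolves "LAN Subnet" to 192.168.231.0/24 for Site A and 192.168.235.0/24 for Site B, an assumption taken from the policy log lines in the first post; the Phase 1 and Phase 2 values are constructed from what was posted. The weak-algorithm warning is an added caveat the thread itself does not raise.

```python
"""Sanity-check a pair of pfSense site-to-site IPsec definitions.

Added example for this thread, not pfSense code. Phase 1 proposals must be
identical on both peers; Phase 2 networks must be mirrored (A.local ==
B.remote and A.remote == B.local) and must never be identical on one side.
"""
import ipaddress

# Phase 1 fields that both peers must agree on exactly.
PHASE1_FIELDS = ("auth", "mode", "encryption", "hash", "dh_group", "lifetime")

# Algorithms flagged as weak by current guidance (informational, not an error).
WEAK = {"encryption": {"3DES", "DES"}, "hash": {"MD5", "SHA1"}, "dh_group": {1, 2, 5}}


def check_phase1(a, b):
    """Return the Phase 1 fields whose values differ between the two peers."""
    return [f for f in PHASE1_FIELDS if a.get(f) != b.get(f)]


def weak_phase1(cfg):
    """Return Phase 1 fields set to an algorithm listed in WEAK."""
    return [f for f, bad in WEAK.items() if cfg.get(f) in bad]


def check_phase2(a, b):
    """Return a list of problems with the Phase 2 local/remote selectors.

    a and b are dicts with 'local' and 'remote' CIDR strings, one per site.
    """
    problems = []
    nets = {}
    for site, cfg in (("A", a), ("B", b)):
        try:
            nets[site] = (ipaddress.ip_network(cfg["local"]),
                          ipaddress.ip_network(cfg["remote"]))
        except ValueError as exc:
            problems.append(f"site {site}: invalid network: {exc}")
    if len(nets) != 2:
        return problems
    # A selector whose local and remote halves are the same subnet never
    # matches traffic that should enter the tunnel (the Site B mistake).
    for site, (local, remote) in nets.items():
        if local == remote:
            problems.append(f"site {site}: local and remote are both {local}")
        elif local.overlaps(remote):
            problems.append(f"site {site}: local {local} overlaps remote {remote}")
    (a_local, a_remote), (b_local, b_remote) = nets["A"], nets["B"]
    # Both ends must describe the same pair of subnets from opposite sides.
    if a_local != b_remote:
        problems.append(f"site A local {a_local} != site B remote {b_remote}")
    if a_remote != b_local:
        problems.append(f"site A remote {a_remote} != site B local {b_local}")
    return problems


# Constructed from the values posted in the thread. "LAN Subnet" is resolved to
# 192.168.231.0/24 for Site A and 192.168.235.0/24 for Site B (assumption taken
# from the policy log lines in the first post).
PHASE1 = {"auth": "Mutual PSK", "mode": "Main", "encryption": "3DES",
          "hash": "SHA256", "dh_group": 2, "lifetime": 28800}
SITE_A = {"local": "192.168.231.0/24", "remote": "192.168.235.0/24"}
SITE_B_AS_POSTED = {"local": "192.168.235.0/24", "remote": "192.168.235.0/24"}
SITE_B_FIXED = {"local": "192.168.235.0/24", "remote": "192.168.231.0/24"}


def review(p1_a, p1_b, p2_a, p2_b):
    """Run every check and return a dict of findings for a config pair."""
    return {
        "phase1_mismatch": check_phase1(p1_a, p1_b),
        "phase1_weak": weak_phase1(p1_a),
        "phase2": check_phase2(p2_a, p2_b),
    }


if __name__ == "__main__":
    for label, site_b in (("as posted", SITE_B_AS_POSTED), ("fixed", SITE_B_FIXED)):
        print(label, review(PHASE1, PHASE1, SITE_A, site_b))
```

Run as posted, the Phase 2 check reports that Site B's local and remote networks are both 192.168.235.0/24 and that Site A's local network does not match Site B's remote network; with Site B's remote network set to 192.168.231.0/24 it reports nothing. The overlap branch catches the related case where one side's local and remote subnets are different but nested, which also produces a selector that cannot match the intended traffic.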