4. SOLVED: Pfsense 2.1.2 with CARP IPSEC VPN PROBLEM

SOLVED: Pfsense 2.1.2 with CARP IPSEC VPN PROBLEM

  • C

    Hello

    I have the 2 Pfsense 2.1.2 in CARP.

    I would like to create a VPN IPSEC.

    I have a VPN_A
    My local IP: IP CARP
    Local network 172.16.0.0/12  to remote network 10.144.1.0/24    is working

    If I add a new vpn  VPN_B with Cisco ASA.
    from local network 172.22.0.0/16  to remote network 10.129.2.0/24  is  not work.

    In the LOG I see only this messages for the VPN_B

    pr 23 12:37:29 racoon: INFO: purged IPsec-SA proto_id=ESP spi=10237954.
    Apr 23 12:44:34 racoon: INFO: unsupported PF_KEY message REGISTER
    Apr 23 12:44:34 racoon: INFO: unsupported PF_KEY message REGISTER
    Apr 23 12:44:59 racoon: INFO: unsupported PF_KEY message REGISTER
    Apr 23 12:44:59 racoon: INFO: unsupported PF_KEY message REGISTER
    Apr 23 12:45:16 racoon: INFO: unsupported PF_KEY message REGISTER
    Apr 23 12:45:16 racoon: INFO: unsupported PF_KEY message REGISTER

    VPN_B options

    Phase 1
    Mode: aggressive
    P1 Protocol : 3DES
    P1 Trasnfroms MD5

    Phase 2
    P2 Protocol ESP
    P2 Transfrom 3DES
    P2 Auth Methods MD5

    In the debug log I received:

    Apr 23 13:40:33 racoon: INFO: caught signal 15
    Apr 23 13:40:33 racoon: INFO: racoon process 98170 shutdown
    Apr 23 13:40:38 racoon: INFO: @(#)ipsec-tools 0.8.1 (http://ipsec-tools.sourceforge.net)
    Apr 23 13:40:38 racoon: INFO: @(#)This product linked OpenSSL 1.0.1g 7 Apr 2014 (http://www.openssl.org/)
    Apr 23 13:40:38 racoon: INFO: Reading configuration from "/var/etc/ipsec/racoon.conf"
    Apr 23 13:40:38 racoon: DEBUG: call pfkey_send_register for AH
    Apr 23 13:40:38 racoon: DEBUG: call pfkey_send_register for ESP
    Apr 23 13:40:38 racoon: DEBUG: call pfkey_send_register for IPCOMP
    Apr 23 13:40:38 racoon: DEBUG: reading config file /var/etc/ipsec/racoon.conf
    Apr 23 13:40:38 racoon: DEBUG: hmac(modp1536)
    Apr 23 13:40:38 racoon: DEBUG: no check of compression algorithm; not supported in sadb message.
    Apr 23 13:40:38 racoon: DEBUG: getsainfo params: loc='172.22.0.0/16' rmt='10.129.2.0/24' peer='NULL' client='NULL' id=2
    Apr 23 13:40:38 racoon: DEBUG: open /var/db/racoon/racoon.sock as racoon management.
    Apr 23 13:40:38 racoon: [Self]: INFO: 159.213.50.10[4500] used for NAT-T
    Apr 23 13:40:38 racoon: [Self]: INFO: 159.213.50.10[4500] used as isakmp port (fd=14)
    Apr 23 13:40:38 racoon: [Self]: INFO: 159.213.50.10[500] used for NAT-T
    Apr 23 13:40:38 racoon: [Self]: INFO: 159.213.50.10[500] used as isakmp port (fd=15)
    Apr 23 13:40:38 racoon: DEBUG: pk_recv: retry[0] recv()
    Apr 23 13:40:38 racoon: DEBUG: got pfkey X_SPDDUMP message
    Apr 23 13:40:38 racoon: DEBUG: pk_recv: retry[0] recv()
    Apr 23 13:40:38 racoon: DEBUG: got pfkey X_SPDDUMP message
    Apr 23 13:40:38 racoon: DEBUG: sub:0x7fffffffe540: 172.19.19.11/32[0] 172.19.19.0/24[0] proto=any dir=out
    Apr 23 13:40:38 racoon: DEBUG: db :0x801447490: 172.19.19.0/24[0] 172.19.19.11/32[0] proto=any dir=in
    Apr 23 13:40:38 racoon: DEBUG: pk_recv: retry[0] recv()
    Apr 23 13:40:38 racoon: DEBUG: got pfkey REGISTER message
    Apr 23 13:40:38 racoon: INFO: unsupported PF_KEY message REGISTER
    Apr 23 13:40:38 racoon: DEBUG: pk_recv: retry[0] recv()
    Apr 23 13:40:38 racoon: DEBUG: got pfkey X_SPDADD message
    Apr 23 13:40:38 racoon: DEBUG: sub:0x7fffffffe540: 172.19.19.11/32[0] 172.19.19.0/24[0] proto=any dir=out
    Apr 23 13:40:38 racoon: DEBUG: db :0x801447490: 172.19.19.0/24[0] 172.19.19.11/32[0] proto=any dir=in
    Apr 23 13:40:38 racoon: DEBUG: sub:0x7fffffffe540: 172.19.19.11/32[0] 172.19.19.0/24[0] proto=any dir=out
    Apr 23 13:40:38 racoon: DEBUG: db :0x801447610: 172.19.19.11/32[0] 172.19.19.0/24[0] proto=any dir=out
    Apr 23 13:40:38 racoon: ERROR: such policy already exists. anyway replace it: 172.19.19.11/32[0] 172.19.19.0/24[0] proto=any dir=out
    Apr 23 13:40:38 racoon: DEBUG: pk_recv: retry[0] recv()
    Apr 23 13:40:38 racoon: DEBUG: got pfkey X_SPDADD message
    Apr 23 13:40:38 racoon: DEBUG: sub:0x7fffffffe540: 172.19.19.0/24[0] 172.19.19.11/32[0] proto=any dir=in
    Apr 23 13:40:38 racoon: DEBUG: db :0x801447490: 172.19.19.0/24[0] 172.19.19.11/32[0] proto=any dir=in
    Apr 23 13:40:38 racoon: ERROR: such policy already exists. anyway replace it: 172.19.19.0/24[0] 172.19.19.11/32[0] proto=any dir=in
    Apr 23 13:40:38 racoon: DEBUG: pk_recv: retry[0] recv()
    Apr 23 13:40:38 racoon: DEBUG: got pfkey X_SPDADD message
    Apr 23 13:40:38 racoon: DEBUG: sub:0x7fffffffe540: 172.22.0.0/16[0] 10.129.2.0/24[0] proto=any dir=out
    Apr 23 13:40:38 racoon: DEBUG: db :0x801447610: 172.19.19.11/32[0] 172.19.19.0/24[0] proto=any dir=out
    Apr 23 13:40:38 racoon: DEBUG: sub:0x7fffffffe540: 172.22.0.0/16[0] 10.129.2.0/24[0] proto=any dir=out
    Apr 23 13:40:38 racoon: DEBUG: db :0x801447490: 172.19.19.0/24[0] 172.19.19.11/32[0] proto=any dir=in
    Apr 23 13:40:38 racoon: DEBUG: pk_recv: retry[0] recv()
    Apr 23 13:40:38 racoon: DEBUG: got pfkey X_SPDADD message
    Apr 23 13:40:38 racoon: DEBUG: sub:0x7fffffffe540: 10.129.2.0/24[0] 172.22.0.0/16[0] proto=any dir=in
    Apr 23 13:40:38 racoon: DEBUG: db :0x801447610: 172.19.19.11/32[0] 172.19.19.0/24[0] proto=any dir=out
    Apr 23 13:40:38 racoon: DEBUG: sub:0x7fffffffe540: 10.129.2.0/24[0] 172.22.0.0/16[0] proto=any dir=in
    Apr 23 13:40:38 racoon: DEBUG: db :0x801447490: 172.19.19.0/24[0] 172.19.19.11/32[0] proto=any dir=in
    Apr 23 13:40:38 racoon: DEBUG: sub:0x7fffffffe540: 10.129.2.0/24[0] 172.22.0.0/16[0] proto=any dir=in
    Apr 23 13:40:38 racoon: DEBUG: db :0x801447790: 172.22.0.0/16[0] 10.129.2.0/24[0] proto=any dir=out

    Could yoy help to understand the problem of the VPN ?

    In the IPSEC:SAD I don't see any SA associations for the VPN_B

    cuccu
    ![Schermata del 2014-04-23 14:36:57.png](/public/imported_attachments/1/Schermata del 2014-04-23 14:36:57.png)
    ![Schermata del 2014-04-23 14:37:08.png_thumb](/public/imported_attachments/1/Schermata del 2014-04-23 14:37:08.png_thumb)
    ![Schermata del 2014-04-23 14:37:08.png](/public/imported_attachments/1/Schermata del 2014-04-23 14:37:08.png)
    ![Schermata del 2014-04-23 14:36:57.png_thumb](/public/imported_attachments/1/Schermata del 2014-04-23 14:36:57.png_thumb)
    ![Schermata del 2014-04-23 14:37:18.png_thumb](/public/imported_attachments/1/Schermata del 2014-04-23 14:37:18.png_thumb)
    ![Schermata del 2014-04-23 14:37:18.png](/public/imported_attachments/1/Schermata del 2014-04-23 14:37:18.png)
    ![Schermata del 2014-04-23 14:34:33.png](/public/imported_attachments/1/Schermata del 2014-04-23 14:34:33.png)
    ![Schermata del 2014-04-23 14:34:33.png_thumb](/public/imported_attachments/1/Schermata del 2014-04-23 14:34:33.png_thumb)

    0
  • C

    I solved.

    I'm not sure that is this the problem but now is working.

    Change the My identifier with CARP IP.

    0
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy