Netgate Discussion Forum
    SOLVED: pfSense 2.1.2 with CARP IPsec VPN PROBLEM

    cuccu:

      Hello

      I have two pfSense 2.1.2 in CARP.

      I would like to create an IPsec VPN.

      I have a VPN_A:
      My local IP: CARP IP
      Local network 172.16.0.0/12 to remote network 10.144.1.0/24 is working.

      If I add a new VPN, VPN_B, with a Cisco ASA,
      from local network 172.22.0.0/16 to remote network 10.129.2.0/24, it is not working.

      In the log I see only these messages for VPN_B:

      pr 23 12:37:29 racoon: INFO: purged IPsec-SA proto_id=ESP spi=10237954.
      Apr 23 12:44:34 racoon: INFO: unsupported PF_KEY message REGISTER
      Apr 23 12:44:34 racoon: INFO: unsupported PF_KEY message REGISTER
      Apr 23 12:44:59 racoon: INFO: unsupported PF_KEY message REGISTER
      Apr 23 12:44:59 racoon: INFO: unsupported PF_KEY message REGISTER
      Apr 23 12:45:16 racoon: INFO: unsupported PF_KEY message REGISTER
      Apr 23 12:45:16 racoon: INFO: unsupported PF_KEY message REGISTER

      VPN_B options

      Phase 1
      Mode: aggressive
      P1 Protocol: 3DES
      P1 Transforms: MD5

      Phase 2
      P2 Protocol: ESP
      P2 Transform: 3DES
      P2 Auth Methods: MD5

      In the debug log I received:

      Apr 23 13:40:33 racoon: INFO: caught signal 15
      Apr 23 13:40:33 racoon: INFO: racoon process 98170 shutdown
      Apr 23 13:40:38 racoon: INFO: @(#)ipsec-tools 0.8.1 (http://ipsec-tools.sourceforge.net)
      Apr 23 13:40:38 racoon: INFO: @(#)This product linked OpenSSL 1.0.1g 7 Apr 2014 (http://www.openssl.org/)
      Apr 23 13:40:38 racoon: INFO: Reading configuration from "/var/etc/ipsec/racoon.conf"
      Apr 23 13:40:38 racoon: DEBUG: call pfkey_send_register for AH
      Apr 23 13:40:38 racoon: DEBUG: call pfkey_send_register for ESP
      Apr 23 13:40:38 racoon: DEBUG: call pfkey_send_register for IPCOMP
      Apr 23 13:40:38 racoon: DEBUG: reading config file /var/etc/ipsec/racoon.conf
      Apr 23 13:40:38 racoon: DEBUG: hmac(modp1536)
      Apr 23 13:40:38 racoon: DEBUG: no check of compression algorithm; not supported in sadb message.
      Apr 23 13:40:38 racoon: DEBUG: getsainfo params: loc='172.22.0.0/16' rmt='10.129.2.0/24' peer='NULL' client='NULL' id=2
      Apr 23 13:40:38 racoon: DEBUG: open /var/db/racoon/racoon.sock as racoon management.
      Apr 23 13:40:38 racoon: [Self]: INFO: 159.213.50.10[4500] used for NAT-T
      Apr 23 13:40:38 racoon: [Self]: INFO: 159.213.50.10[4500] used as isakmp port (fd=14)
      Apr 23 13:40:38 racoon: [Self]: INFO: 159.213.50.10[500] used for NAT-T
      Apr 23 13:40:38 racoon: [Self]: INFO: 159.213.50.10[500] used as isakmp port (fd=15)
      Apr 23 13:40:38 racoon: DEBUG: pk_recv: retry[0] recv()
      Apr 23 13:40:38 racoon: DEBUG: got pfkey X_SPDDUMP message
      Apr 23 13:40:38 racoon: DEBUG: pk_recv: retry[0] recv()
      Apr 23 13:40:38 racoon: DEBUG: got pfkey X_SPDDUMP message
      Apr 23 13:40:38 racoon: DEBUG: sub:0x7fffffffe540: 172.19.19.11/32[0] 172.19.19.0/24[0] proto=any dir=out
      Apr 23 13:40:38 racoon: DEBUG: db :0x801447490: 172.19.19.0/24[0] 172.19.19.11/32[0] proto=any dir=in
      Apr 23 13:40:38 racoon: DEBUG: pk_recv: retry[0] recv()
      Apr 23 13:40:38 racoon: DEBUG: got pfkey REGISTER message
      Apr 23 13:40:38 racoon: INFO: unsupported PF_KEY message REGISTER
      Apr 23 13:40:38 racoon: DEBUG: pk_recv: retry[0] recv()
      Apr 23 13:40:38 racoon: DEBUG: got pfkey X_SPDADD message
      Apr 23 13:40:38 racoon: DEBUG: sub:0x7fffffffe540: 172.19.19.11/32[0] 172.19.19.0/24[0] proto=any dir=out
      Apr 23 13:40:38 racoon: DEBUG: db :0x801447490: 172.19.19.0/24[0] 172.19.19.11/32[0] proto=any dir=in
      Apr 23 13:40:38 racoon: DEBUG: sub:0x7fffffffe540: 172.19.19.11/32[0] 172.19.19.0/24[0] proto=any dir=out
      Apr 23 13:40:38 racoon: DEBUG: db :0x801447610: 172.19.19.11/32[0] 172.19.19.0/24[0] proto=any dir=out
      Apr 23 13:40:38 racoon: ERROR: such policy already exists. anyway replace it: 172.19.19.11/32[0] 172.19.19.0/24[0] proto=any dir=out
      Apr 23 13:40:38 racoon: DEBUG: pk_recv: retry[0] recv()
      Apr 23 13:40:38 racoon: DEBUG: got pfkey X_SPDADD message
      Apr 23 13:40:38 racoon: DEBUG: sub:0x7fffffffe540: 172.19.19.0/24[0] 172.19.19.11/32[0] proto=any dir=in
      Apr 23 13:40:38 racoon: DEBUG: db :0x801447490: 172.19.19.0/24[0] 172.19.19.11/32[0] proto=any dir=in
      Apr 23 13:40:38 racoon: ERROR: such policy already exists. anyway replace it: 172.19.19.0/24[0] 172.19.19.11/32[0] proto=any dir=in
      Apr 23 13:40:38 racoon: DEBUG: pk_recv: retry[0] recv()
      Apr 23 13:40:38 racoon: DEBUG: got pfkey X_SPDADD message
      Apr 23 13:40:38 racoon: DEBUG: sub:0x7fffffffe540: 172.22.0.0/16[0] 10.129.2.0/24[0] proto=any dir=out
      Apr 23 13:40:38 racoon: DEBUG: db :0x801447610: 172.19.19.11/32[0] 172.19.19.0/24[0] proto=any dir=out
      Apr 23 13:40:38 racoon: DEBUG: sub:0x7fffffffe540: 172.22.0.0/16[0] 10.129.2.0/24[0] proto=any dir=out
      Apr 23 13:40:38 racoon: DEBUG: db :0x801447490: 172.19.19.0/24[0] 172.19.19.11/32[0] proto=any dir=in
      Apr 23 13:40:38 racoon: DEBUG: pk_recv: retry[0] recv()
      Apr 23 13:40:38 racoon: DEBUG: got pfkey X_SPDADD message
      Apr 23 13:40:38 racoon: DEBUG: sub:0x7fffffffe540: 10.129.2.0/24[0] 172.22.0.0/16[0] proto=any dir=in
      Apr 23 13:40:38 racoon: DEBUG: db :0x801447610: 172.19.19.11/32[0] 172.19.19.0/24[0] proto=any dir=out
      Apr 23 13:40:38 racoon: DEBUG: sub:0x7fffffffe540: 10.129.2.0/24[0] 172.22.0.0/16[0] proto=any dir=in
      Apr 23 13:40:38 racoon: DEBUG: db :0x801447490: 172.19.19.0/24[0] 172.19.19.11/32[0] proto=any dir=in
      Apr 23 13:40:38 racoon: DEBUG: sub:0x7fffffffe540: 10.129.2.0/24[0] 172.22.0.0/16[0] proto=any dir=in
      Apr 23 13:40:38 racoon: DEBUG: db :0x801447790: 172.22.0.0/16[0] 10.129.2.0/24[0] proto=any dir=out

      Could you help me to understand the problem with the VPN?

      In IPsec: SAD I don't see any SA associations for VPN_B.

      cuccu
      ![Schermata del 2014-04-23 14:36:57.png](/public/imported_attachments/1/Schermata del 2014-04-23 14:36:57.png)
      ![Schermata del 2014-04-23 14:37:08.png](/public/imported_attachments/1/Schermata del 2014-04-23 14:37:08.png)
      ![Schermata del 2014-04-23 14:37:18.png](/public/imported_attachments/1/Schermata del 2014-04-23 14:37:18.png)
      ![Schermata del 2014-04-23 14:34:33.png](/public/imported_attachments/1/Schermata del 2014-04-23 14:34:33.png)

      cuccu:

        I solved it.

        I'm not sure that this is the problem, but now it is working.

        Changed "My identifier" to the CARP IP.

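The two posts together describe a checkable pattern: on a CARP pair, racoon is handed the SPD policies for the new tunnel (the X_SPDADD lines), yet no SA ever appears, and the fix was pointing "My identifier" at the CARP VIP. The script below is an added example, written for this thread and not code from the poster, pfSense or ipsec-tools. It parses racoon log lines of the formats quoted above and audits a tunnel definition against a CARP pair's VIPs. Assumptions: the sample log is constructed from the message formats in the thread, 159.213.50.10 is taken to be the CARP VIP (the thread never says which address that is), 203.0.113.10 is a constructed placeholder for a non-CARP identifier, and the tunnel dictionary schema (`local_ip`, `my_identifier`, `local_net`, `remote_net`, `mode`, `encryption`, `hash`) is invented here for the example.

```python
import re
from collections import Counter

# Constructed sample, modelled on the racoon lines quoted in the thread (same
# message formats; addresses, networks and the SPI are the ones shown there).
SAMPLE_LOG = """\
Apr 23 13:40:38 racoon: [Self]: INFO: 159.213.50.10[4500] used as isakmp port (fd=14)
Apr 23 13:40:38 racoon: [Self]: INFO: 159.213.50.10[500] used as isakmp port (fd=15)
Apr 23 13:40:38 racoon: DEBUG: got pfkey X_SPDDUMP message
Apr 23 13:40:38 racoon: DEBUG: sub:0x7fffffffe540: 172.19.19.11/32[0] 172.19.19.0/24[0] proto=any dir=out
Apr 23 13:40:38 racoon: DEBUG: got pfkey REGISTER message
Apr 23 13:40:38 racoon: INFO: unsupported PF_KEY message REGISTER
Apr 23 13:40:38 racoon: DEBUG: got pfkey X_SPDADD message
Apr 23 13:40:38 racoon: DEBUG: sub:0x7fffffffe540: 172.22.0.0/16[0] 10.129.2.0/24[0] proto=any dir=out
Apr 23 13:40:38 racoon: DEBUG: db :0x801447610: 172.19.19.11/32[0] 172.19.19.0/24[0] proto=any dir=out
Apr 23 13:40:38 racoon: DEBUG: got pfkey X_SPDADD message
Apr 23 13:40:38 racoon: DEBUG: sub:0x7fffffffe540: 10.129.2.0/24[0] 172.22.0.0/16[0] proto=any dir=in
Apr 23 13:40:38 racoon: DEBUG: sub:0x7fffffffe540: 10.129.2.0/24[0] 172.22.0.0/16[0] proto=any dir=in
Apr 23 12:37:29 racoon: INFO: purged IPsec-SA proto_id=ESP spi=10237954.
"""

LISTEN_RE = re.compile(r"\[Self\]: INFO: (\S+)\[(\d+)\] used as isakmp port")
POLICY_RE = re.compile(r"sub:0x[0-9a-f]+: (\S+)\[\d+\] (\S+)\[\d+\] proto=\S+ dir=(in|out)")
UNSUPPORTED_RE = re.compile(r"unsupported PF_KEY message (\w+)")
PURGED_RE = re.compile(r"purged IPsec-SA proto_id=(\w+) spi=(\d+)")


def parse_racoon_log(text):
    """Summarise what racoon reports: the addresses it bound for ISAKMP, the
    SPD policies installed via X_SPDADD, rejected PF_KEY messages, purged SAs."""
    summary = {"listen": set(), "policies": set(),
               "unsupported": Counter(), "purged": []}
    in_spdadd = False
    for line in text.splitlines():
        if (m := LISTEN_RE.search(line)):
            summary["listen"].add(m.group(1))
        elif "got pfkey X_SPDADD message" in line:
            in_spdadd = True          # the next "sub:" line is the new policy
        elif in_spdadd and (m := POLICY_RE.search(line)):
            summary["policies"].add((m.group(1), m.group(2), m.group(3)))
            in_spdadd = False         # later "sub:" repeats are comparisons
        elif (m := UNSUPPORTED_RE.search(line)):
            summary["unsupported"][m.group(1)] += 1
        elif (m := PURGED_RE.search(line)):
            summary["purged"].append((m.group(1), int(m.group(2))))
    return summary


# Assumption: the address racoon binds in the log is the CARP VIP.
CARP_VIPS = {"159.213.50.10"}

# VPN_B as described in the first post; 203.0.113.10 is a constructed
# placeholder standing in for an identifier that is not the CARP VIP.
VPN_B_BEFORE = {
    "name": "VPN_B", "local_ip": "159.213.50.10", "my_identifier": "203.0.113.10",
    "local_net": "172.22.0.0/16", "remote_net": "10.129.2.0/24",
    "mode": "aggressive", "encryption": "3des", "hash": "md5",
}
# The fix reported in the second post: identifier set to the CARP IP.
VPN_B_AFTER = dict(VPN_B_BEFORE, my_identifier="159.213.50.10")


def audit_tunnel(tunnel, summary, carp_vips):
    """Return findings for one tunnel on a CARP pair, ordered from the
    identity/address checks (the thread's actual fault) to crypto hygiene."""
    n, findings = tunnel["name"], []
    if tunnel["my_identifier"] not in carp_vips:
        findings.append(f"{n}: My identifier {tunnel['my_identifier']} is not a CARP VIP")
    if tunnel["local_ip"] not in carp_vips:
        findings.append(f"{n}: local address {tunnel['local_ip']} is not a CARP VIP; "
                        "the tunnel will not follow a failover")
    if tunnel["local_ip"] not in summary["listen"]:
        findings.append(f"{n}: racoon is not listening on {tunnel['local_ip']}")
    for src, dst, d in ((tunnel["local_net"], tunnel["remote_net"], "out"),
                        (tunnel["remote_net"], tunnel["local_net"], "in")):
        if (src, dst, d) not in summary["policies"]:
            findings.append(f"{n}: no SPD entry {src} -> {dst} dir={d}")
    if tunnel["mode"] == "aggressive":
        findings.append(f"{n}: aggressive mode with a PSK exposes a hash usable for "
                        "offline guessing of the key; prefer main mode")
    if tunnel["encryption"] in {"des", "3des"}:
        findings.append(f"{n}: {tunnel['encryption'].upper()} is a legacy cipher; prefer AES")
    if tunnel["hash"] == "md5":
        findings.append(f"{n}: MD5 is a legacy hash; prefer SHA-256")
    return findings


if __name__ == "__main__":
    s = parse_racoon_log(SAMPLE_LOG)
    print("listening on:", sorted(s["listen"]))
    print("SPD policies added:", sorted(s["policies"]))
    print("rejected PF_KEY messages:", dict(s["unsupported"]))
    print("purged SAs:", s["purged"])
    for t in (VPN_B_BEFORE, VPN_B_AFTER):
        print(f"--- {t['name']} (identifier {t['my_identifier']})")
        for f in audit_tunnel(t, s, CARP_VIPS):
            print("  ", f)
```

Run against the sample, the parser confirms what the poster saw: both SPD entries for 172.22.0.0/16 and 10.129.2.0/24 were installed, racoon is bound to the VIP, and the only REGISTER lines are the harmless "unsupported PF_KEY message" notices, so the fault is not in policy installation. The audit then reports the identifier mismatch for the "before" tunnel and drops that finding once the identifier is the CARP VIP; the remaining findings (aggressive mode, 3DES, MD5) are configuration hygiene the thread's own parameters happen to exhibit.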