SOLVED: Pfsense 2.1.2 with CARP IPSEC VPN PROBLEM



  • Hello

    I have 2 pfSense 2.1.2 boxes in CARP.

    I would like to create an IPsec VPN.

    I have a VPN_A
    My local IP: IP CARP
    Local network 172.16.0.0/12  to remote network 10.144.1.0/24    is working

    If I add a new VPN, VPN_B, with a Cisco ASA,
    from local network 172.22.0.0/16 to remote network 10.129.2.0/24, it does not work.

    In the log I see only these messages for VPN_B:

    Apr 23 12:37:29 racoon: INFO: purged IPsec-SA proto_id=ESP spi=10237954.
    Apr 23 12:44:34 racoon: INFO: unsupported PF_KEY message REGISTER
    Apr 23 12:44:34 racoon: INFO: unsupported PF_KEY message REGISTER
    Apr 23 12:44:59 racoon: INFO: unsupported PF_KEY message REGISTER
    Apr 23 12:44:59 racoon: INFO: unsupported PF_KEY message REGISTER
    Apr 23 12:45:16 racoon: INFO: unsupported PF_KEY message REGISTER
    Apr 23 12:45:16 racoon: INFO: unsupported PF_KEY message REGISTER

    VPN_B options

    Phase 1
    Mode: aggressive
    P1 Protocol : 3DES
    P1 Transforms MD5

    Phase 2
    P2 Protocol ESP
    P2 Transform 3DES
    P2 Auth Methods MD5

    In the debug log I received:

    Apr 23 13:40:33 racoon: INFO: caught signal 15
    Apr 23 13:40:33 racoon: INFO: racoon process 98170 shutdown
    Apr 23 13:40:38 racoon: INFO: @(#)ipsec-tools 0.8.1 (http://ipsec-tools.sourceforge.net)
    Apr 23 13:40:38 racoon: INFO: @(#)This product linked OpenSSL 1.0.1g 7 Apr 2014 (http://www.openssl.org/)
    Apr 23 13:40:38 racoon: INFO: Reading configuration from "/var/etc/ipsec/racoon.conf"
    Apr 23 13:40:38 racoon: DEBUG: call pfkey_send_register for AH
    Apr 23 13:40:38 racoon: DEBUG: call pfkey_send_register for ESP
    Apr 23 13:40:38 racoon: DEBUG: call pfkey_send_register for IPCOMP
    Apr 23 13:40:38 racoon: DEBUG: reading config file /var/etc/ipsec/racoon.conf
    Apr 23 13:40:38 racoon: DEBUG: hmac(modp1536)
    Apr 23 13:40:38 racoon: DEBUG: no check of compression algorithm; not supported in sadb message.
    Apr 23 13:40:38 racoon: DEBUG: getsainfo params: loc='172.22.0.0/16' rmt='10.129.2.0/24' peer='NULL' client='NULL' id=2
    Apr 23 13:40:38 racoon: DEBUG: open /var/db/racoon/racoon.sock as racoon management.
    Apr 23 13:40:38 racoon: [Self]: INFO: 159.213.50.10[4500] used for NAT-T
    Apr 23 13:40:38 racoon: [Self]: INFO: 159.213.50.10[4500] used as isakmp port (fd=14)
    Apr 23 13:40:38 racoon: [Self]: INFO: 159.213.50.10[500] used for NAT-T
    Apr 23 13:40:38 racoon: [Self]: INFO: 159.213.50.10[500] used as isakmp port (fd=15)
    Apr 23 13:40:38 racoon: DEBUG: pk_recv: retry[0] recv()
    Apr 23 13:40:38 racoon: DEBUG: got pfkey X_SPDDUMP message
    Apr 23 13:40:38 racoon: DEBUG: pk_recv: retry[0] recv()
    Apr 23 13:40:38 racoon: DEBUG: got pfkey X_SPDDUMP message
    Apr 23 13:40:38 racoon: DEBUG: sub:0x7fffffffe540: 172.19.19.11/32[0] 172.19.19.0/24[0] proto=any dir=out
    Apr 23 13:40:38 racoon: DEBUG: db :0x801447490: 172.19.19.0/24[0] 172.19.19.11/32[0] proto=any dir=in
    Apr 23 13:40:38 racoon: DEBUG: pk_recv: retry[0] recv()
    Apr 23 13:40:38 racoon: DEBUG: got pfkey REGISTER message
    Apr 23 13:40:38 racoon: INFO: unsupported PF_KEY message REGISTER
    Apr 23 13:40:38 racoon: DEBUG: pk_recv: retry[0] recv()
    Apr 23 13:40:38 racoon: DEBUG: got pfkey X_SPDADD message
    Apr 23 13:40:38 racoon: DEBUG: sub:0x7fffffffe540: 172.19.19.11/32[0] 172.19.19.0/24[0] proto=any dir=out
    Apr 23 13:40:38 racoon: DEBUG: db :0x801447490: 172.19.19.0/24[0] 172.19.19.11/32[0] proto=any dir=in
    Apr 23 13:40:38 racoon: DEBUG: sub:0x7fffffffe540: 172.19.19.11/32[0] 172.19.19.0/24[0] proto=any dir=out
    Apr 23 13:40:38 racoon: DEBUG: db :0x801447610: 172.19.19.11/32[0] 172.19.19.0/24[0] proto=any dir=out
    Apr 23 13:40:38 racoon: ERROR: such policy already exists. anyway replace it: 172.19.19.11/32[0] 172.19.19.0/24[0] proto=any dir=out
    Apr 23 13:40:38 racoon: DEBUG: pk_recv: retry[0] recv()
    Apr 23 13:40:38 racoon: DEBUG: got pfkey X_SPDADD message
    Apr 23 13:40:38 racoon: DEBUG: sub:0x7fffffffe540: 172.19.19.0/24[0] 172.19.19.11/32[0] proto=any dir=in
    Apr 23 13:40:38 racoon: DEBUG: db :0x801447490: 172.19.19.0/24[0] 172.19.19.11/32[0] proto=any dir=in
    Apr 23 13:40:38 racoon: ERROR: such policy already exists. anyway replace it: 172.19.19.0/24[0] 172.19.19.11/32[0] proto=any dir=in
    Apr 23 13:40:38 racoon: DEBUG: pk_recv: retry[0] recv()
    Apr 23 13:40:38 racoon: DEBUG: got pfkey X_SPDADD message
    Apr 23 13:40:38 racoon: DEBUG: sub:0x7fffffffe540: 172.22.0.0/16[0] 10.129.2.0/24[0] proto=any dir=out
    Apr 23 13:40:38 racoon: DEBUG: db :0x801447610: 172.19.19.11/32[0] 172.19.19.0/24[0] proto=any dir=out
    Apr 23 13:40:38 racoon: DEBUG: sub:0x7fffffffe540: 172.22.0.0/16[0] 10.129.2.0/24[0] proto=any dir=out
    Apr 23 13:40:38 racoon: DEBUG: db :0x801447490: 172.19.19.0/24[0] 172.19.19.11/32[0] proto=any dir=in
    Apr 23 13:40:38 racoon: DEBUG: pk_recv: retry[0] recv()
    Apr 23 13:40:38 racoon: DEBUG: got pfkey X_SPDADD message
    Apr 23 13:40:38 racoon: DEBUG: sub:0x7fffffffe540: 10.129.2.0/24[0] 172.22.0.0/16[0] proto=any dir=in
    Apr 23 13:40:38 racoon: DEBUG: db :0x801447610: 172.19.19.11/32[0] 172.19.19.0/24[0] proto=any dir=out
    Apr 23 13:40:38 racoon: DEBUG: sub:0x7fffffffe540: 10.129.2.0/24[0] 172.22.0.0/16[0] proto=any dir=in
    Apr 23 13:40:38 racoon: DEBUG: db :0x801447490: 172.19.19.0/24[0] 172.19.19.11/32[0] proto=any dir=in
    Apr 23 13:40:38 racoon: DEBUG: sub:0x7fffffffe540: 10.129.2.0/24[0] 172.22.0.0/16[0] proto=any dir=in
    Apr 23 13:40:38 racoon: DEBUG: db :0x801447790: 172.22.0.0/16[0] 10.129.2.0/24[0] proto=any dir=out

    Could you help me understand the problem with the VPN?

    In the IPSEC:SAD I don't see any SA associations for VPN_B.

    cuccu
    ![Schermata del 2014-04-23 14:36:57.png](/public/imported_attachments/1/Schermata del 2014-04-23 14:36:57.png)
    ![Schermata del 2014-04-23 14:37:08.png](/public/imported_attachments/1/Schermata del 2014-04-23 14:37:08.png)
    ![Schermata del 2014-04-23 14:37:18.png](/public/imported_attachments/1/Schermata del 2014-04-23 14:37:18.png)
    ![Schermata del 2014-04-23 14:34:33.png](/public/imported_attachments/1/Schermata del 2014-04-23 14:34:33.png)
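The debug log above already shows the two pieces of evidence that matter in a CARP setup: racoon binds its ISAKMP sockets to the CARP VIP (the "used as isakmp port" lines), and the kernel SPD receives both directions of the VPN_B policy (the X_SPDADD lines for 172.22.0.0/16 and 10.129.2.0/24), yet no SA ever appears. The triage script below, added here as an example and not part of the thread or of pfSense, pulls those facts out of a log and checks each tunnel's phase 1 "My identifier" against the VIP racoon is actually listening on, which is the setting the thread's resolution points at. The sample log is a constructed subset of the post's lines (the VPN_A policy lines are added so both tunnels can be compared); the tunnel definitions, the CARP VIP `159.213.50.10` taken from the log, and the interface address `192.0.2.11` are assumptions, as is treating the "unsupported PF_KEY message REGISTER" lines as informational noise rather than an error.

```python
"""Triage a racoon debug log for a CARP-backed pfSense IPsec tunnel.

Checks, per tunnel: both SPD directions present, racoon listening on the
CARP VIP, and phase 1 "My identifier" equal to that VIP.
"""
import re

# Constructed sample modelled on the log quoted in the post above.
SAMPLE_LOG = """\
Apr 23 13:40:38 racoon: [Self]: INFO: 159.213.50.10[4500] used as isakmp port (fd=14)
Apr 23 13:40:38 racoon: [Self]: INFO: 159.213.50.10[500] used as isakmp port (fd=15)
Apr 23 13:40:38 racoon: INFO: unsupported PF_KEY message REGISTER
Apr 23 13:40:38 racoon: DEBUG: got pfkey X_SPDADD message
Apr 23 13:40:38 racoon: DEBUG: sub:0x7fffffffe540: 172.22.0.0/16[0] 10.129.2.0/24[0] proto=any dir=out
Apr 23 13:40:38 racoon: DEBUG: got pfkey X_SPDADD message
Apr 23 13:40:38 racoon: DEBUG: sub:0x7fffffffe540: 10.129.2.0/24[0] 172.22.0.0/16[0] proto=any dir=in
Apr 23 13:40:38 racoon: DEBUG: got pfkey X_SPDADD message
Apr 23 13:40:38 racoon: DEBUG: sub:0x7fffffffe540: 172.16.0.0/12[0] 10.144.1.0/24[0] proto=any dir=out
Apr 23 13:40:38 racoon: DEBUG: got pfkey X_SPDADD message
Apr 23 13:40:38 racoon: DEBUG: sub:0x7fffffffe540: 10.144.1.0/24[0] 172.16.0.0/12[0] proto=any dir=in
"""

# Assumed tunnel settings: VPN_A uses the CARP VIP as identifier, VPN_B the
# interface address 192.0.2.11 (constructed, RFC 5737 documentation range).
CARP_VIP = "159.213.50.10"
TUNNELS = {
    "VPN_A": {"local": "172.16.0.0/12", "remote": "10.144.1.0/24", "my_identifier": CARP_VIP},
    "VPN_B": {"local": "172.22.0.0/16", "remote": "10.129.2.0/24", "my_identifier": "192.0.2.11"},
}

LISTEN_RE = re.compile(r"\[Self\]: INFO: (\d+\.\d+\.\d+\.\d+)\[(\d+)\] used as isakmp port")
# Matches both the "sub:" (lookup key) and "db :" (existing entry) SPD lines.
POLICY_RE = re.compile(r"DEBUG: (?:sub|db ):0x[0-9a-f]+: (\S+)\[\d+\] (\S+)\[\d+\] proto=\S+ dir=(in|out)")
REGISTER_NOISE = "unsupported PF_KEY message REGISTER"


def parse_racoon_log(text):
    """Return listener addresses, SPD policies seen, and count of REGISTER noise lines."""
    listeners, policies, noise = set(), set(), 0
    for line in text.splitlines():
        m = LISTEN_RE.search(line)
        if m:
            listeners.add(m.group(1))
        m = POLICY_RE.search(line)
        if m:
            policies.add((m.group(1), m.group(2), m.group(3)))  # (src, dst, dir)
        if REGISTER_NOISE in line:
            noise += 1
    return {"listeners": listeners, "policies": policies, "register_noise": noise}


def check_tunnel(name, tunnel, parsed, carp_vip):
    """Return a list of findings for one tunnel; empty list means nothing suspicious."""
    findings = []
    local, remote = tunnel["local"], tunnel["remote"]
    if (local, remote, "out") not in parsed["policies"]:
        findings.append(f"{name}: no outbound SPD policy {local} -> {remote}")
    if (remote, local, "in") not in parsed["policies"]:
        findings.append(f"{name}: no inbound SPD policy {remote} -> {local}")
    if carp_vip not in parsed["listeners"]:
        findings.append(f"{name}: racoon is not listening on the CARP VIP {carp_vip}")
    if tunnel["my_identifier"] != carp_vip:
        findings.append(
            f"{name}: My identifier {tunnel['my_identifier']} is not the CARP VIP {carp_vip}; "
            "the peer sees IKE from the VIP, so the phase 1 ID will not match"
        )
    return findings


def triage(log_text, tunnels, carp_vip):
    """Map tunnel name -> findings for every configured tunnel."""
    parsed = parse_racoon_log(log_text)
    return {name: check_tunnel(name, t, parsed, carp_vip) for name, t in tunnels.items()}


if __name__ == "__main__":
    parsed = parse_racoon_log(SAMPLE_LOG)
    print(f"listeners: {sorted(parsed['listeners'])}, REGISTER noise lines: {parsed['register_noise']}")
    for name, findings in triage(SAMPLE_LOG, TUNNELS, CARP_VIP).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Run against the sample, VPN_A reports nothing while VPN_B is flagged only on the identifier mismatch: its SPD entries are present, so the missing SAD entries point at phase 1 rather than at the policy, which is consistent with the resolution in the reply.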



  • I solved it.

    I'm not sure that this is the problem, but now it is working.

    I changed the My identifier to the CARP IP.