SOLVED: Pfsense 2.1.2 with CARP IPSEC VPN PROBLEM
-
Hello
I have 2 pfSense 2.1.2 in CARP.
I would like to create an IPsec VPN.
I have a VPN_A
My local IP: CARP IP
Local network 172.16.0.0/12 to remote network 10.144.1.0/24 is working.
If I add a new VPN VPN_B with a Cisco ASA,
from local network 172.22.0.0/16 to remote network 10.129.2.0/24, it does not work.
In the LOG I see only these messages for the VPN_B:
pr 23 12:37:29 racoon: INFO: purged IPsec-SA proto_id=ESP spi=10237954.
Apr 23 12:44:34 racoon: INFO: unsupported PF_KEY message REGISTER
Apr 23 12:44:34 racoon: INFO: unsupported PF_KEY message REGISTER
Apr 23 12:44:59 racoon: INFO: unsupported PF_KEY message REGISTER
Apr 23 12:44:59 racoon: INFO: unsupported PF_KEY message REGISTER
Apr 23 12:45:16 racoon: INFO: unsupported PF_KEY message REGISTER
Apr 23 12:45:16 racoon: INFO: unsupported PF_KEY message REGISTERVPN_B options
Phase 1
Mode: aggressive
P1 Protocol : 3DES
P1 Trasnfroms MD5Phase 2
P2 Protocol ESP
P2 Transfrom 3DES
P2 Auth Methods MD5In the debug log I received:
Apr 23 13:40:33 racoon: INFO: caught signal 15
Apr 23 13:40:33 racoon: INFO: racoon process 98170 shutdown
Apr 23 13:40:38 racoon: INFO: @(#)ipsec-tools 0.8.1 (http://ipsec-tools.sourceforge.net)
Apr 23 13:40:38 racoon: INFO: @(#)This product linked OpenSSL 1.0.1g 7 Apr 2014 (http://www.openssl.org/)
Apr 23 13:40:38 racoon: INFO: Reading configuration from "/var/etc/ipsec/racoon.conf"
Apr 23 13:40:38 racoon: DEBUG: call pfkey_send_register for AH
Apr 23 13:40:38 racoon: DEBUG: call pfkey_send_register for ESP
Apr 23 13:40:38 racoon: DEBUG: call pfkey_send_register for IPCOMP
Apr 23 13:40:38 racoon: DEBUG: reading config file /var/etc/ipsec/racoon.conf
Apr 23 13:40:38 racoon: DEBUG: hmac(modp1536)
Apr 23 13:40:38 racoon: DEBUG: no check of compression algorithm; not supported in sadb message.
Apr 23 13:40:38 racoon: DEBUG: getsainfo params: loc='172.22.0.0/16' rmt='10.129.2.0/24' peer='NULL' client='NULL' id=2
Apr 23 13:40:38 racoon: DEBUG: open /var/db/racoon/racoon.sock as racoon management.
Apr 23 13:40:38 racoon: [Self]: INFO: 159.213.50.10[4500] used for NAT-T
Apr 23 13:40:38 racoon: [Self]: INFO: 159.213.50.10[4500] used as isakmp port (fd=14)
Apr 23 13:40:38 racoon: [Self]: INFO: 159.213.50.10[500] used for NAT-T
Apr 23 13:40:38 racoon: [Self]: INFO: 159.213.50.10[500] used as isakmp port (fd=15)
Apr 23 13:40:38 racoon: DEBUG: pk_recv: retry[0] recv()
Apr 23 13:40:38 racoon: DEBUG: got pfkey X_SPDDUMP message
Apr 23 13:40:38 racoon: DEBUG: pk_recv: retry[0] recv()
Apr 23 13:40:38 racoon: DEBUG: got pfkey X_SPDDUMP message
Apr 23 13:40:38 racoon: DEBUG: sub:0x7fffffffe540: 172.19.19.11/32[0] 172.19.19.0/24[0] proto=any dir=out
Apr 23 13:40:38 racoon: DEBUG: db :0x801447490: 172.19.19.0/24[0] 172.19.19.11/32[0] proto=any dir=in
Apr 23 13:40:38 racoon: DEBUG: pk_recv: retry[0] recv()
Apr 23 13:40:38 racoon: DEBUG: got pfkey REGISTER message
Apr 23 13:40:38 racoon: INFO: unsupported PF_KEY message REGISTER
Apr 23 13:40:38 racoon: DEBUG: pk_recv: retry[0] recv()
Apr 23 13:40:38 racoon: DEBUG: got pfkey X_SPDADD message
Apr 23 13:40:38 racoon: DEBUG: sub:0x7fffffffe540: 172.19.19.11/32[0] 172.19.19.0/24[0] proto=any dir=out
Apr 23 13:40:38 racoon: DEBUG: db :0x801447490: 172.19.19.0/24[0] 172.19.19.11/32[0] proto=any dir=in
Apr 23 13:40:38 racoon: DEBUG: sub:0x7fffffffe540: 172.19.19.11/32[0] 172.19.19.0/24[0] proto=any dir=out
Apr 23 13:40:38 racoon: DEBUG: db :0x801447610: 172.19.19.11/32[0] 172.19.19.0/24[0] proto=any dir=out
Apr 23 13:40:38 racoon: ERROR: such policy already exists. anyway replace it: 172.19.19.11/32[0] 172.19.19.0/24[0] proto=any dir=out
Apr 23 13:40:38 racoon: DEBUG: pk_recv: retry[0] recv()
Apr 23 13:40:38 racoon: DEBUG: got pfkey X_SPDADD message
Apr 23 13:40:38 racoon: DEBUG: sub:0x7fffffffe540: 172.19.19.0/24[0] 172.19.19.11/32[0] proto=any dir=in
Apr 23 13:40:38 racoon: DEBUG: db :0x801447490: 172.19.19.0/24[0] 172.19.19.11/32[0] proto=any dir=in
Apr 23 13:40:38 racoon: ERROR: such policy already exists. anyway replace it: 172.19.19.0/24[0] 172.19.19.11/32[0] proto=any dir=in
Apr 23 13:40:38 racoon: DEBUG: pk_recv: retry[0] recv()
Apr 23 13:40:38 racoon: DEBUG: got pfkey X_SPDADD message
Apr 23 13:40:38 racoon: DEBUG: sub:0x7fffffffe540: 172.22.0.0/16[0] 10.129.2.0/24[0] proto=any dir=out
Apr 23 13:40:38 racoon: DEBUG: db :0x801447610: 172.19.19.11/32[0] 172.19.19.0/24[0] proto=any dir=out
Apr 23 13:40:38 racoon: DEBUG: sub:0x7fffffffe540: 172.22.0.0/16[0] 10.129.2.0/24[0] proto=any dir=out
Apr 23 13:40:38 racoon: DEBUG: db :0x801447490: 172.19.19.0/24[0] 172.19.19.11/32[0] proto=any dir=in
Apr 23 13:40:38 racoon: DEBUG: pk_recv: retry[0] recv()
Apr 23 13:40:38 racoon: DEBUG: got pfkey X_SPDADD message
Apr 23 13:40:38 racoon: DEBUG: sub:0x7fffffffe540: 10.129.2.0/24[0] 172.22.0.0/16[0] proto=any dir=in
Apr 23 13:40:38 racoon: DEBUG: db :0x801447610: 172.19.19.11/32[0] 172.19.19.0/24[0] proto=any dir=out
Apr 23 13:40:38 racoon: DEBUG: sub:0x7fffffffe540: 10.129.2.0/24[0] 172.22.0.0/16[0] proto=any dir=in
Apr 23 13:40:38 racoon: DEBUG: db :0x801447490: 172.19.19.0/24[0] 172.19.19.11/32[0] proto=any dir=in
Apr 23 13:40:38 racoon: DEBUG: sub:0x7fffffffe540: 10.129.2.0/24[0] 172.22.0.0/16[0] proto=any dir=in
Apr 23 13:40:38 racoon: DEBUG: db :0x801447790: 172.22.0.0/16[0] 10.129.2.0/24[0] proto=any dir=out
Could you help me to understand the problem of the VPN?
In the IPsec SAD I don't see any SA associations for the VPN_B.
cuccu
![Schermata del 2014-04-23 14:36:57.png](/public/imported_attachments/1/Schermata del 2014-04-23 14:36:57.png)
![Schermata del 2014-04-23 14:37:08.png](/public/imported_attachments/1/Schermata del 2014-04-23 14:37:08.png)
![Schermata del 2014-04-23 14:37:18.png](/public/imported_attachments/1/Schermata del 2014-04-23 14:37:18.png)
![Schermata del 2014-04-23 14:34:33.png](/public/imported_attachments/1/Schermata del 2014-04-23 14:34:33.png)
-
I solved it.
I'm not sure that this is the problem, but now it is working.
I changed the My identifier to the CARP IP.
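The racoon debug output quoted in the thread is long, and the useful question hidden in it is whether pfSense actually pushed the tunnel's policy (the X_SPDADD entries and the matching getsainfo pair) to the kernel. When both SPD directions and the sainfo pair are present but the SAD stays empty, the policy side is fine and the problem is in Phase 1 negotiation (identifiers, proposals), which is what the fix above turned out to be. The script below is an added example, not code from the thread or from pfSense: it parses a constructed sample log written in the same line formats the thread quotes, extracts the installed SPD policies, the sainfo pairs, "policy already exists" replacements and purged SAs, and reports per tunnel what is missing. The function names and the sample log are my own; the tunnel prefixes are the ones the post gives.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the racoon line formats quoted in the thread.
SAMPLE_LOG = """\
Apr 23 13:40:38 racoon: DEBUG: getsainfo params: loc='172.22.0.0/16' rmt='10.129.2.0/24' peer='NULL' client='NULL' id=2
Apr 23 13:40:38 racoon: DEBUG: got pfkey REGISTER message
Apr 23 13:40:38 racoon: INFO: unsupported PF_KEY message REGISTER
Apr 23 13:40:38 racoon: DEBUG: got pfkey X_SPDADD message
Apr 23 13:40:38 racoon: DEBUG: sub:0x7fffffffe540: 172.19.19.11/32[0] 172.19.19.0/24[0] proto=any dir=out
Apr 23 13:40:38 racoon: DEBUG: db :0x801447490: 172.19.19.0/24[0] 172.19.19.11/32[0] proto=any dir=in
Apr 23 13:40:38 racoon: DEBUG: sub:0x7fffffffe540: 172.19.19.11/32[0] 172.19.19.0/24[0] proto=any dir=out
Apr 23 13:40:38 racoon: ERROR: such policy already exists. anyway replace it: 172.19.19.11/32[0] 172.19.19.0/24[0] proto=any dir=out
Apr 23 13:40:38 racoon: DEBUG: got pfkey X_SPDADD message
Apr 23 13:40:38 racoon: DEBUG: sub:0x7fffffffe540: 172.22.0.0/16[0] 10.129.2.0/24[0] proto=any dir=out
Apr 23 13:40:38 racoon: DEBUG: db :0x801447610: 172.19.19.11/32[0] 172.19.19.0/24[0] proto=any dir=out
Apr 23 13:40:38 racoon: DEBUG: got pfkey X_SPDADD message
Apr 23 13:40:38 racoon: DEBUG: sub:0x7fffffffe540: 10.129.2.0/24[0] 172.22.0.0/16[0] proto=any dir=in
Apr 23 13:40:38 racoon: DEBUG: db :0x801447790: 172.22.0.0/16[0] 10.129.2.0/24[0] proto=any dir=out
Apr 23 13:41:02 racoon: INFO: purged IPsec-SA proto_id=ESP spi=10237954.
"""

PFKEY_RE = re.compile(r"got pfkey (\S+) message")
# "sub:" is the policy racoon is handling; "db :" lines are existing entries it compares against.
POLICY_RE = re.compile(r"sub:0x[0-9a-f]+: (\S+)\[\d+\] (\S+)\[\d+\] proto=(\S+) dir=(in|out)")
SAINFO_RE = re.compile(r"getsainfo params: loc='([^']+)' rmt='([^']+)'")
REPLACED_RE = re.compile(r"such policy already exists")
PURGED_RE = re.compile(r"purged IPsec-SA proto_id=(\S+) spi=(\d+)")


def parse_racoon_log(text):
    """Collect installed SPD policies, sainfo pairs, purged SAs and pfkey message counts."""
    policies = set()      # (src, dst, direction) taken from the first sub: line after X_SPDADD
    sainfo = set()        # (local, remote) pairs racoon loaded from racoon.conf
    purged = []           # (proto, spi) of SAs racoon removed
    messages = Counter()  # pfkey message types seen
    replaced = 0
    current = None
    for line in text.splitlines():
        m = PFKEY_RE.search(line)
        if m:
            current = m.group(1)
            messages[current] += 1
            continue
        m = POLICY_RE.search(line)
        if m and current == "X_SPDADD":
            src, dst, _proto, direction = m.groups()
            policies.add((src, dst, direction))
            current = None  # later sub: lines in the same block are comparisons, not new policies
            continue
        m = SAINFO_RE.search(line)
        if m:
            sainfo.add((m.group(1), m.group(2)))
            continue
        if REPLACED_RE.search(line):
            replaced += 1
            continue
        m = PURGED_RE.search(line)
        if m:
            purged.append((m.group(1), int(m.group(2))))
    return {"policies": policies, "sainfo": sainfo, "purged": purged,
            "messages": messages, "replaced": replaced}


def check_tunnel(parsed, local, remote):
    """Report which parts of a tunnel's policy racoon installed for the local/remote pair."""
    spd_out = (local, remote, "out") in parsed["policies"]
    spd_in = (remote, local, "in") in parsed["policies"]
    has_sainfo = (local, remote) in parsed["sainfo"]
    return {"spd_out": spd_out, "spd_in": spd_in, "sainfo": has_sainfo,
            "policy_complete": spd_out and spd_in and has_sainfo}


def main():
    parsed = parse_racoon_log(SAMPLE_LOG)
    print("pfkey messages:", dict(parsed["messages"]))
    print("policies replaced:", parsed["replaced"], " SAs purged:", parsed["purged"])
    tunnels = {"VPN_A": ("172.16.0.0/12", "10.144.1.0/24"),
               "VPN_B": ("172.22.0.0/16", "10.129.2.0/24")}
    for name, (local, remote) in tunnels.items():
        result = check_tunnel(parsed, local, remote)
        status = "policy complete" if result["policy_complete"] else "policy incomplete"
        print(f"{name} {local} -> {remote}: {status} {result}")


if __name__ == "__main__":
    main()
```

Run it against a real log with `parse_racoon_log(open("/var/log/ipsec.log").read())` (path assumed). A tunnel that shows `policy_complete` yet never appears in the SAD is the situation the thread describes, and the next place to look is the Phase 1 settings on both peers rather than the Phase 2 networks.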