Netgate Discussion Forum
    IPSEC tunnel won't run

    IPsec
    6 Posts 3 Posters 1.6k Views
    ett_tingest

      Hello everyone!
      I have been spending most of this day on Google trying to find a solution to my IPSEC problem.

      I have 2 pfsenses with version:

      2.1-RELEASE (i386)
      built on Wed Sep 11 18:16:44 EDT 2013
      FreeBSD pfsense.localdomain 8.3-RELEASE-p11 FreeBSD 8.3-RELEASE-p11 #0: Wed Sep 11 19:13:36 EDT 2013 root@snapshots-8_3-i386.builders.pfsense.org:/usr/obj.pfSense/usr/pfSensesrc/src/sys/pfSense_wrap.8.i386 i386

      and I am trying to get an IPSEC tunnel with PSK up and running between two sites.

      This is my setup:

      Site 1:

      WAN IP: someoffice.dyndns.org
      LAN IP: 192.168.15.2 /24

      Phase 1 config:
      Internet Protocol: IPv4
      Interface: WAN
      remote gateway: somestorage.dyndns.org

      Authentication Method: Mutual PSK
      Negotiation mode: main
      My identifier: Distinguished name: someoffice.dyndns.org
      Peer identifier: somestorage.dyndns.org
      Pre-shared Key: sameonbothsides (set with 8 chars, 4 small letters and 4 numbers in a mix)
      Policy Generation: Default
      Proposal Checking: Default

      Encryption algorithm: 3DES (same set on both sides)
      Hash algorithm: SHA1 (same set on both sides)

      DH key group: 2(1024 bit)
      Lifetime: 28800 seconds

      NAT Traversal: Disable (same on both sides)
      Dead peer Detection: Enabled
      10 sec
      5 retries

      Phase2 config:
      Mode: Tunnel IPv4
      Local Network: LAN Subnet
      Remote Network: Network - 192.168.30.0 /24

      Protocol: ESP
      Encryption algorithm: AES 128 bits
      Hash algorithm: SHA1
      PFS key group: 2 (1024 bit)
      Lifetime: 3600 seconds

      Site 2:
      WAN IP: somestorage.dyndns.org
      LAN IP: 192.168.30.1 /24

      Phase 1 config:
      Internet Protocol: IPv4
      Interface: WAN
      remote gateway: someoffice.dyndns.org

      Authentication Method: Mutual PSK
      Negotiation mode: main
      My identifier: Distinguished name: somestorage.dyndns.org
      Peer identifier: someoffice.dyndns.org
      Pre-shared Key: sameonbothsides (set with 8 chars, 4 small letters and 4 numbers in a mix)
      Policy Generation: Default
      Proposal Checking: Default

      Encryption algorithm: 3DES (same set on both sides)
      Hash algorithm: SHA1 (same set on both sides)

      DH key group: 2(1024 bit)
      Lifetime: 28800 seconds

      NAT Traversal: Disable (same on both sides)
      Dead peer Detection: Enabled
      10 sec
      5 retries

      Phase2 config:
      Mode: Tunnel IPv4
      Local Network: LAN Subnet
      Remote Network: Network - 192.168.15.0 /24

      Protocol: ESP
      Encryption algorithm: AES 128 bits
      Hash algorithm: SHA1
      PFS key group: 2 (1024 bit)
      Lifetime: 3600 seconds

      So that is the configuration I've done, and now to my problem:

      I get this error from site 1 (someoffice.dyndns.org):

      racoon: [someoffice]: [external IP] ERROR: couldn´t find the pskey for "external IP"
      racoon: [someoffice]: [external IP] ERROR: failed to process ph1 packet (side: 0,status 6).
      racoon: [someoffice]: [external IP] ERROR: phase1 negotiation failed.

      I get this error from site 2 (somestorage.dyndns.org):
      racoon: [somestorage]: [external IP]: ERROR: couldn´t find the pskey for "external IP"
      racoon: [somestorage]: [external IP]: ERROR: failed to process ph1 packet (side: 1, status 4).
      racoon: [somestorage]: [external IP]: ERROR: phase1 negotiation failed.

      Have I missed something in my config?

      The firewall rules I've set up allow any source on any port to the WAN address on destination port 500, and ESP is allowed from any source to any destination on any port.

      I've set up those rules on both sites.

      I am very new to IPSEC and would therefore appreciate help and info that helps me understand what I have done wrong.

      Best regards/
      Peter Carlstedt

        ett_tingest

        Update: I saw another post about 2.1 having a broken IPSEC, so I went and updated both pfSenses to 2.1.3, but that didn't help; I'm still getting the same errors.

        I would need to get this VPN up and running ASAP. Are there still problems with IPSEC in the latest stable release? Should I instead set up the VPN through site-to-site OpenVPN?

          dotdash

          IPSec is not broken on any of the stable releases. I would try the latest release (currently 2.1.3). I have not tried your configuration with both sides dynamic, but have run with one dynamic side as far back as 2.0.1.
          It looks correct; use DN as the identifier and put in the DNS name. You may want to test using the current IPs instead of the dyndns name to see if that works. It looks like it's not matching the DNS name to the IP. Have you pinged the name to verify it matches the IP?
          You also might want to try aggressive instead of main, and try matching the p1 and p2, i.e. use AES 128 for both.

            ett_tingest

            @dotdash:

            IPSec is not broken on any of the stable releases. I would try the latest release (currently 2.1.3). I have not tried your configuration with both sides dynamic, but have run with one dynamic side as far back as 2.0.1.
            It looks correct; use DN as the identifier and put in the DNS name. You may want to test using the current IPs instead of the dyndns name to see if that works. It looks like it's not matching the DNS name to the IP. Have you pinged the name to verify it matches the IP?
            You also might want to try aggressive instead of main, and try matching the p1 and p2, i.e. use AES 128 for both.

            Hello and thanks for the answer, it helped A LOT!
            But I need to understand why this works.

            If I let the P1 remain as 3DES and change into aggressive mode on both sides, it still won't work. But if I change P1 into AES 128 bits and have aggressive mode, it does work. But if I change P1 into AES 128 and run in main mode, it won't work. Could someone please make me understand why? Is there any relation between aggressive mode and the AES 128 bits P1 Encryption Algorithm?

              dotdash

              RE: main vs aggressive: it should work either way, as long as both sides are set the same. You will see errors on the negotiation if there is a mismatch. As far as setting a different encryption for phase 1 and 2, it should work, again, as long as both sides are the same, but I've never had to set up a tunnel that way. I don't actually see why you'd want to.

                Guest
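As an added example that is not part of the thread, the following Python models how an IKEv1 responder such as racoon selects the pre-shared key in main mode versus aggressive mode, which is the part of the exchange that differs for a peer reached through dynamic DNS; the IP addresses and PSK strings below are constructed placeholders.

```python
# Added example (not from the thread): a model of IKEv1 PSK selection on the
# responder, to show why a dynamic-address peer that identifies itself by a
# DN/FQDN fails in main mode but can succeed in aggressive mode.
# All IP addresses are constructed (RFC 5737 ranges); PSK values are placeholders.

# Modelled on racoon's psk.txt: each entry maps a lookup key, which is either an
# IP address or an identifier string (FQDN / DN), to the secret for that peer.
PSK_TABLE = {
    "someoffice.dyndns.org": "PSK-PLACEHOLDER-OFFICE",
    "somestorage.dyndns.org": "PSK-PLACEHOLDER-STORAGE",
    "198.51.100.7": "PSK-PLACEHOLDER-STATIC-PEER",  # a peer keyed by its static IP
}


def psk_lookup_key(mode, peer_ip, peer_id):
    """Return the value the responder can use to find the PSK when it needs it.

    Main mode: the PSK is needed to derive SKEYID after message 4, but the ID
    payloads only arrive (already encrypted) in messages 5/6, so the PSK must
    be chosen from the peer's source IP address alone.
    Aggressive mode: the ID payload travels in the clear in message 1, so the
    responder can match the asserted identifier directly.
    """
    if mode == "main":
        return peer_ip
    if mode == "aggressive":
        return peer_id
    raise ValueError(f"unknown exchange mode: {mode}")


def phase1_psk(mode, peer_ip, peer_id):
    """Return the selected PSK, or a racoon-style error string if none matches."""
    key = psk_lookup_key(mode, peer_ip, peer_id)
    psk = PSK_TABLE.get(key)
    if psk is None:
        return f'ERROR: couldn\'t find the pskey for "{key}"'
    return psk


if __name__ == "__main__":
    # Site 1 receiving from site 2: dynamic WAN address, DN identifier.
    print(phase1_psk("main", "203.0.113.45", "somestorage.dyndns.org"))
    print(phase1_psk("aggressive", "203.0.113.45", "somestorage.dyndns.org"))
    # A peer with a static address keyed by IP (the "My IP address" style) works in main mode.
    print(phase1_psk("main", "198.51.100.7", "198.51.100.7"))
```

The model covers only identity-to-key selection; it does not explain the thread's observation that 3DES in aggressive mode also failed, which the posts leave unresolved.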

                On my (retired, now OpenVPN) IPsec tunnels I had:

                My identifier: My IP address
                Peer identifier: Peer IP address

                …and some higher encryption as the main difference to your setup for phase 1, at first glance.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.