pfSense 2.1.4 IPsec not working



  • Initially it appeared to have an error trying to read a non-existent /var/etc/racoon.conf file.

    I created one but it will not survive a reboot right now.

    Stopping racoon and starting it shows the following. That said, trying to connect with Shrew, I never see anything in the logs, so I am guessing right now that it's still not working.

    Any suggestions?

    Rebooted and tried again.

    [2.1.4-RELEASE] racoon -d -v -F -f /var/etc/ipsec/racoon.conf
    Foreground mode.
    2014-08-19 13:34:53: INFO: @(#)ipsec-tools 0.8.1 (http://ipsec-tools.sourceforge.net)
    2014-08-19 13:34:53: INFO: @(#)This product linked OpenSSL 1.0.1h 5 Jun 2014 (http://www.openssl.org/)
    2014-08-19 13:34:53: INFO: Reading configuration from "/var/etc/ipsec/racoon.conf"
    2014-08-19 13:34:53: DEBUG: call pfkey_send_register for AH
    2014-08-19 13:34:53: DEBUG: call pfkey_send_register for ESP
    2014-08-19 13:34:53: DEBUG: call pfkey_send_register for IPCOMP
    2014-08-19 13:34:53: DEBUG: reading config file /var/etc/ipsec/racoon.conf
    2014-08-19 13:34:53: INFO: Resize address pool from 0 to 253
    2014-08-19 13:34:53: DEBUG: hmac(modp1024)
    2014-08-19 13:34:53: DEBUG: no check of compression algorithm; not supported in sadb message.
    2014-08-19 13:34:53: DEBUG: getsainfo params: loc='ANONYMOUS' rmt='ANONYMOUS' peer='NULL' client='NULL' id=1
    2014-08-19 13:34:53: DEBUG: open /var/db/racoon/racoon.sock as racoon management.
    2014-08-19 13:34:53: INFO: WANIPADDRESS[4500] used for NAT-T
    2014-08-19 13:34:53: INFO: WANIPADDRESS[4500] used as isakmp port (fd=7)
    2014-08-19 13:34:53: INFO: WANIPADDRESS[500] used for NAT-T
    2014-08-19 13:34:53: INFO: WANIPADDRESS[500] used as isakmp port (fd=8)
    2014-08-19 13:34:53: DEBUG: pk_recv: retry[0] recv()
    2014-08-19 13:34:53: DEBUG: got pfkey X_SPDDUMP message
    2014-08-19 13:34:53: DEBUG: pk_recv: retry[0] recv()
    2014-08-19 13:34:53: DEBUG: got pfkey X_SPDDUMP message
    2014-08-19 13:34:53: DEBUG: sub:0x7fffffffe3b0: 192.168.244.129/32[0] 192.168.244.128/25[0] proto=any dir=out
    2014-08-19 13:34:53: DEBUG: db :0x801448490: 192.168.244.128/25[0] 192.168.244.129/32[0] proto=any dir=in

    /var/etc/ipsec/spd.conf

    spdadd -4 192.168.244.129/32 192.168.244.128/25 any -P out none;
    spdadd -4 192.168.244.128/25 192.168.244.129/32 any -P in none;

    Apologies … found the fix here in another post.

    Finally found the answer: Set NAT Traversal to Force

    Thanks to Vorkbaard:  https://forum.pfsense.org/index.php?topic=46917.0

    It's working fine, but I still see the following in the logs.

    Aug 19 14:10:36 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.244.128/25[0] 192.168.244.129/32[0] proto=any dir=in
    Aug 19 14:10:36 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.244.129/32[0] 192.168.244.128/25[0] proto=any dir=out
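Those two ERROR lines come from racoon's PF_KEY handler: the kernel reports a newly added policy whose selectors racoon already holds, and racoon replaces its entry and logs at ERROR level. The entries were first read from the kernel SPD at startup (the `sub:`/`db:` lines after the X_SPDDUMP messages in the debug output above), and each time pfSense reapplies spd.conf with setkey the same two selectors arrive again as SPDADD messages, so the complaint is harmless and the tunnel keeps working, as the post says. The following is an added example, not code from the post or from pfSense: it parses the spd.conf lines and the racoon log lines quoted in the post (embedded here as constructed input) and confirms that every complaint maps to exactly one spdadd entry. The regular expressions assume setkey(8) `spdadd` syntax and the `src[port] dst[port] proto=X dir=Y` form racoon uses when it prints a policy index.

```python
import re

# Constructed input copied from the post above: the spd.conf pfSense wrote ...
SPD_CONF = """
spdadd -4 192.168.244.129/32 192.168.244.128/25 any -P out none;
spdadd -4 192.168.244.128/25 192.168.244.129/32 any -P in none;
"""

# ... and the two racoon messages it logged afterwards.
RACOON_LOG = """
Aug 19 14:10:36 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.244.128/25[0] 192.168.244.129/32[0] proto=any dir=in
Aug 19 14:10:36 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.244.129/32[0] 192.168.244.128/25[0] proto=any dir=out
"""

# setkey(8) policy line: spdadd [-4|-6|-n] src_range dst_range upperspec -P direction policy ;
SPDADD_RE = re.compile(
    r"^\s*spdadd(?:\s+-[46n])*\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)"
    r"\s+-P\s+(?P<dir>in|out|fwd)\s+(?P<policy>[^;]*);")
# racoon prints a policy index as: src[port] dst[port] proto=X dir=Y (port 0 means any port)
RACOON_RE = re.compile(
    r"such policy already exists\. anyway replace it: "
    r"(?P<src>\S+?)\[(?P<sport>\d+)\] (?P<dst>\S+?)\[(?P<dport>\d+)\] "
    r"proto=(?P<proto>\S+) dir=(?P<dir>in|out|fwd)")


def split_addr_port(token):
    """'10.0.0.1/32[500]' -> ('10.0.0.1/32', 500); no [port] in setkey syntax means any, i.e. 0."""
    m = re.fullmatch(r"(?P<addr>[^\[\]]+)(?:\[(?P<port>\d+)\])?", token)
    return m.group("addr"), int(m.group("port") or 0)


def selector_from_spdadd(line):
    """Normalise an spdadd line to (src, sport, dst, dport, proto, dir), or None if not a policy."""
    m = SPDADD_RE.match(line)
    if not m:
        return None
    src, sport = split_addr_port(m.group("src"))
    dst, dport = split_addr_port(m.group("dst"))
    return (src, sport, dst, dport, m.group("proto"), m.group("dir"))


def selector_from_racoon(line):
    """Normalise a racoon duplicate-policy message to the same tuple shape, or None."""
    m = RACOON_RE.search(line)
    if not m:
        return None
    return (m.group("src"), int(m.group("sport")), m.group("dst"), int(m.group("dport")),
            m.group("proto"), m.group("dir"))


def match_duplicates(spd_conf, racoon_log):
    """Map each 'policy already exists' complaint to the spd.conf line with the same selector."""
    spd = {}
    for line in spd_conf.splitlines():
        key = selector_from_spdadd(line)
        if key:
            spd[key] = line.strip()
    matched, unmatched_log = [], []
    for line in racoon_log.splitlines():
        key = selector_from_racoon(line)
        if key is None:
            continue                      # not a duplicate-policy message, ignore
        if key in spd:
            matched.append((key, spd.pop(key), line.strip()))
        else:
            unmatched_log.append(line.strip())
    return {"matched": matched, "unmatched_log": unmatched_log, "unmatched_spd": list(spd.values())}


if __name__ == "__main__":
    result = match_duplicates(SPD_CONF, RACOON_LOG)
    for key, spd_line, log_line in result["matched"]:
        print(f"duplicate selector {key[0]} -> {key[2]} dir={key[5]}")
        print(f"  spd.conf: {spd_line}")
        print(f"  racoon:   {log_line}")
    print("complaints without an spd.conf line:", result["unmatched_log"])
    print("spd.conf lines racoon did not complain about:", result["unmatched_spd"])
```

Anything left in `unmatched_log` would be a duplicate that did not come from spd.conf and is worth a closer look; with the post's two files both lists come back empty.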



  • Hi guys, I have 2.1.4-RELEASE (i386) with IPsec set up using this article https://sites.google.com/a/vorkbaard.nl/dekapitein/tech-1/how-to-set-up-ipsec-tunneling-in-pfsense-2-0-release-for-road-warriors and we have multi-WAN running OK; there's no problem with this.

    But we tried to set up IPsec for mobile users on both WAN links (interfaces) and we got the same error: "Aug 19 21:53:13 racoon: ERROR: phase1 negotiation failed due to time up. 5b96ad517895d3ae:c63d8ac780cdb551"

    LAN-----[PFSENSE]---WAN1(adsl1)---router1------INTERNET
                     ---WAN2(adsl2)---router2------INTERNET

    The NAT for UDP port 500 is published on each ADSL router (router1 and router2), sending it to the WAN1 and WAN2 interfaces on the pfSense.

    racoon is in debug mode:

    Aug 19 21:52:53 racoon: DEBUG: resend phase1 packet 5b96ad517895d3ae:c63d8ac780cdb551
    Aug 19 21:53:03 racoon: DEBUG: 388 bytes from 192.168.3.4[500] to 187.21.17.63[500]
    Aug 19 21:53:03 racoon: DEBUG: sockname 192.168.3.4[500]
    Aug 19 21:53:03 racoon: DEBUG: send packet from 192.168.3.4[500]
    Aug 19 21:53:03 racoon: DEBUG: send packet to 187.21.17.63[500]
    Aug 19 21:53:03 racoon: DEBUG: 1 times of 388 bytes message will be sent to 187.21.17.63[500]
    Aug 19 21:53:03 racoon: DEBUG: 5b96ad51 7895d3ae c63d8ac7 80cdb551 01100400 00000000 00000184 0400003c 00000001 00000001 00000030 01010001 00000028 01010000 80010007 800e0100 80020002 80040002 80030001 800b0001 000c0004 00000e10 0a000084 43b9ab3a 7139d265 84b43c8e 19ce563c 2ac8b945 a989b5ee 295c9eef e37b4ba3 a17746ec 156c2d89 ad5d9858 6148a581 89749a26 065cd632 caf28793 3eadaa47 91e0f90a ea6955ae cdbe5391 42834c26 9dab7264 4099d8cb 8ebbbcc6 d56f72c3 7c41db68 dfd5c715 d69fd0a4 2e60dfb5 ceb5125b 4bec8a75 b025e671 224f5fb3 05000014 e6f8f329 40140f5e 67b43a8a cd642e81 0800000c 011101f4 c0a80304 0d000018 b8a84d9f 9a793eef a6550d5b c89c77b4 f9dcdc24 0d000014 12f5f28c 457168a9 702d9fe2 74cc0100 14000014 4a131c81 07035845 5c5728f2 0e95452f 14000018 7678a363 66455471 f460485d ca10c2d3 b6b78480 0d000018 7678a363 66455471 f460485d ca10c2d3 b6b78480 00000018 4048b7d5 6ebce885 25e7de7f 00d6c2d3 80000000
    Aug 19 21:53:03 racoon: DEBUG: resend phase1 packet 5b96ad517895d3ae:c63d8ac780cdb551
    Aug 19 21:53:13 racoon: ERROR: phase1 negotiation failed due to time up. 5b96ad517895d3ae:c63d8ac780cdb551
    Aug 19 21:53:13 racoon: DEBUG: IV freed

    The dump capture is:

    22:05:47.295295 IP 187.21.17.63.500 > 192.168.3.4.500: isakmp: phase 1 I agg
    22:05:47.303331 IP 192.168.3.4.500 > 187.21.17.63.500: isakmp: phase 1 R agg
    22:05:57.306604 IP 192.168.3.4.500 > 187.21.17.63.500: isakmp: phase 1 R agg
    22:06:07.336766 IP 192.168.3.4.500 > 187.21.17.63.500: isakmp: phase 1 R agg
    22:06:17.361490 IP 192.168.3.4.500 > 187.21.17.63.500: isakmp: phase 1 R agg
    22:06:27.385014 IP 192.168.3.4.500 > 187.21.17.63.500: isakmp: phase 1 R agg

    regards,

    Thiago
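The long DEBUG line in the post is the full 388-byte ISAKMP message racoon keeps retransmitting, so it can be decoded to see exactly what the pfSense is offering. The following is an added example, not code from the post, from pfSense or from ipsec-tools: the hex words are copied from that DEBUG line and embedded as constructed input, the numeric tables are taken from RFC 2407, RFC 2408, RFC 2409 and RFC 3947 (NAT-D is payload type 20), and the vendor-ID names are the well-known byte strings for those values. It walks the header and the payload chain and reports the exchange type, the single transform racoon accepted, the identity it sends and the NAT-T markers.

```python
import struct
from ipaddress import IPv4Address

# Constructed input: the 388-byte phase 1 responder message, copied from the racoon DEBUG line above.
RACOON_DUMP = """
5b96ad51 7895d3ae c63d8ac7 80cdb551 01100400 00000000 00000184 0400003c
00000001 00000001 00000030 01010001 00000028 01010000 80010007 800e0100
80020002 80040002 80030001 800b0001 000c0004 00000e10 0a000084 43b9ab3a
7139d265 84b43c8e 19ce563c 2ac8b945 a989b5ee 295c9eef e37b4ba3 a17746ec
156c2d89 ad5d9858 6148a581 89749a26 065cd632 caf28793 3eadaa47 91e0f90a
ea6955ae cdbe5391 42834c26 9dab7264 4099d8cb 8ebbbcc6 d56f72c3 7c41db68
dfd5c715 d69fd0a4 2e60dfb5 ceb5125b 4bec8a75 b025e671 224f5fb3 05000014
e6f8f329 40140f5e 67b43a8a cd642e81 0800000c 011101f4 c0a80304 0d000018
b8a84d9f 9a793eef a6550d5b c89c77b4 f9dcdc24 0d000014 12f5f28c 457168a9
702d9fe2 74cc0100 14000014 4a131c81 07035845 5c5728f2 0e95452f 14000018
7678a363 66455471 f460485d ca10c2d3 b6b78480 0d000018 7678a363 66455471
f460485d ca10c2d3 b6b78480 00000018 4048b7d5 6ebce885 25e7de7f 00d6c2d3
80000000
"""

# Code points from RFC 2408/2409 (ISAKMP/IKE), RFC 2407 (IPsec DOI) and RFC 3947 (NAT-T).
EXCHANGE_TYPES = {1: "Base", 2: "Identity Protection (main mode)", 4: "Aggressive",
                  5: "Informational", 32: "Quick Mode", 33: "New Group Mode"}
PAYLOAD_TYPES = {1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT", 7: "CR", 8: "HASH",
                 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID", 20: "NAT-D", 21: "NAT-OA"}
ATTR_CLASSES = {1: "encryption", 2: "hash", 3: "auth", 4: "group", 11: "life_type",
                12: "life_duration", 14: "key_length"}
ENC_ALGS = {1: "DES-CBC", 5: "3DES-CBC", 7: "AES-CBC"}
HASH_ALGS = {1: "MD5", 2: "SHA1", 4: "SHA2-256"}
AUTH_METHODS = {1: "pre-shared key", 3: "RSA signature"}
ID_TYPES = {1: "IPV4_ADDR", 2: "FQDN", 3: "USER_FQDN", 5: "IPV6_ADDR", 11: "KEY_ID"}
VENDOR_IDS = {  # well-known vendor ID byte strings
    bytes.fromhex("4a131c81070358455c5728f20e95452f"): "RFC 3947 NAT-T",
    bytes.fromhex("12f5f28c457168a9702d9fe274cc0100"): "Cisco Unity",
    bytes.fromhex("4048b7d56ebce88525e7de7f00d6c2d380000000"): "IKE fragmentation",
}

HDR = struct.Struct("!8s8sBBBBII")  # CKY-I, CKY-R, next payload, version, exchange, flags, msg ID, length
GEN = struct.Struct("!BBH")         # generic payload header: next payload, reserved, payload length


def parse_attributes(data):
    """ISAKMP data attributes (RFC 2408 s3.3): TV form when bit 15 is set, otherwise TLV."""
    attrs, pos = {}, 0
    while pos < len(data):
        af_type, v = struct.unpack_from("!HH", data, pos)
        pos += 4
        if af_type & 0x8000:
            value = v                                          # TV: v is the value
        else:
            value = int.from_bytes(data[pos:pos + v], "big")   # TLV: v is a length
            pos += v
        attrs[ATTR_CLASSES.get(af_type & 0x7FFF, f"attr{af_type & 0x7FFF}")] = value
    return attrs


def parse_sa(body):
    """SA payload body: DOI, situation, then proposals, each carrying transforms."""
    doi, situation = struct.unpack_from("!II", body, 0)
    transforms, pos = [], 8
    while pos < len(body):
        plen = GEN.unpack_from(body, pos)[2]
        prop_no, proto_id, spi_size, n_transforms = struct.unpack_from("!BBBB", body, pos + 4)
        tpos = pos + 8 + spi_size
        for _ in range(n_transforms):
            tlen = GEN.unpack_from(body, tpos)[2]
            t_no, t_id = struct.unpack_from("!BB", body, tpos + 4)
            transforms.append({"proposal": prop_no, "protocol": proto_id, "transform": t_no,
                               "transform_id": t_id, **parse_attributes(body[tpos + 8:tpos + tlen])})
            tpos += tlen
        pos += plen
    return {"doi": doi, "situation": situation, "transforms": transforms}


def parse_id(body):
    """Identification payload (RFC 2407 s4.6.2): ID type, protocol, port, identification data."""
    id_type, proto, port = struct.unpack_from("!BBH", body, 0)
    data = body[4:]
    ident = str(IPv4Address(data)) if id_type == 1 else data.hex()
    return {"type": ID_TYPES.get(id_type, id_type), "protocol": proto, "port": port, "id": ident}


def decode(hexdump):
    """Decode one ISAKMP message given as whitespace-separated hex words."""
    msg = bytes.fromhex("".join(hexdump.split()))
    cky_i, cky_r, nxt, version, exch, flags, msgid, length = HDR.unpack_from(msg, 0)
    out = {"initiator_cookie": cky_i.hex(), "responder_cookie": cky_r.hex(),
           "version": f"{version >> 4}.{version & 0xF}", "exchange": EXCHANGE_TYPES.get(exch, exch),
           "flags": flags, "message_id": msgid, "length": length, "length_ok": length == len(msg),
           "payloads": [], "vendor_ids": [], "nat_d": []}
    pos = HDR.size
    while nxt != 0 and pos + GEN.size <= len(msg):   # follow the next-payload links
        ptype = nxt
        nxt, _, plen = GEN.unpack_from(msg, pos)
        body = msg[pos + GEN.size:pos + plen]
        out["payloads"].append(PAYLOAD_TYPES.get(ptype, f"type{ptype}"))
        if ptype == 1:
            out["sa"] = parse_sa(body)
        elif ptype == 4:
            out["ke_bits"] = len(body) * 8          # size of the DH public value
        elif ptype == 5:
            out["id"] = parse_id(body)
        elif ptype == 8:
            out["hash"] = body.hex()                # HASH_R: unencrypted in aggressive mode message 2
        elif ptype == 13:
            out["vendor_ids"].append(VENDOR_IDS.get(body, body.hex()))
        elif ptype == 20:
            out["nat_d"].append(body.hex())
        pos += plen
    return out


def describe_transform(t):
    unit = "s" if t.get("life_type") == 1 else "KB"
    return (f"{ENC_ALGS.get(t.get('encryption'), t.get('encryption'))}-{t.get('key_length')} / "
            f"{HASH_ALGS.get(t.get('hash'), t.get('hash'))} / {AUTH_METHODS.get(t.get('auth'), t.get('auth'))} / "
            f"DH group {t.get('group')} / lifetime {t.get('life_duration')} {unit}")


if __name__ == "__main__":
    d = decode(RACOON_DUMP)
    print(f"IKEv{d['version']} {d['exchange']} exchange, {d['length']} bytes, header length matches: {d['length_ok']}")
    print("cookies:", d["initiator_cookie"], d["responder_cookie"])
    print("payload chain:", " -> ".join(d["payloads"]))
    for t in d["sa"]["transforms"]:
        print("transform:", describe_transform(t))
    print("KE bits:", d["ke_bits"], "| ID:", d["id"], "| vendor IDs:", d["vendor_ids"])
```

The decode agrees with both logs: exchange type 4 is aggressive mode, which is the `R agg` tcpdump prints, and the header length is the 388 bytes racoon reports. The accepted transform is AES-CBC-256 / SHA1 / pre-shared key / DH group 2 (modp1024) with a 3600 s lifetime, and the ID payload identifies the pfSense as IPV4_ADDR 192.168.3.4, its private WAN address behind the ADSL router. Two points a practitioner would take from this. First, with aggressive mode and a pre-shared key the HASH payload in this message is HASH_R sent in the clear; together with the initiator's first message it allows an offline dictionary attack on the PSK, which is why aggressive mode with PSK is discouraged. Second, racoon's reply carries the RFC 3947 NAT-T vendor ID and two NAT-D payloads; RFC 3947 has an aggressive-mode initiator that detects NAT send its third message to UDP 4500, and the capture shows that third message never arriving while the post says only UDP 500 is forwarded on router1 and router2. Confirming that UDP 4500 also reaches the pfSense WAN interfaces is the first check this decode suggests.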