Having problems with pfSense -> pfSense VPN



  • Hi,

    I'm having a small problem establishing an IPsec connection between 2 pfSense machines, both 1.2c4

    Logs from my local firewall (in reverse order, sorry):-

    Feb 6 20:12:44 racoon: [LAN]: ERROR: yy.yy.yy.yy give up to get IPsec-SA due to time up to wait.
    Feb 6 20:12:14 racoon: [LAN]: INFO: initiate new phase 2 negotiation: xx.xx.xx.xx[0]<=>yy.yy.yy.yy[0]
    Feb 6 20:12:13 racoon: [LAN]: INFO: ISAKMP-SA established xx.xx.xx.xx[500]-yy.yy.yy.yy[500] spi:fbbdeaa60648b997:c16dad03af4b1921
    Feb 6 20:12:13 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
    Feb 6 20:12:13 racoon: INFO: received Vendor ID: DPD
    Feb 6 20:12:13 racoon: INFO: begin Aggressive mode.
    Feb 6 20:12:13 racoon: [LAN]: INFO: initiate new phase 1 negotiation: xx.xx.xx.xx[500]<=>yy.yy.yy.yy[500]
    Feb 6 20:12:13 racoon: [LAN]: INFO: IPsec-SA request for yy.yy.yy.yy queued due to no phase1 found.

    and from the remote machine (again reverse order) :-

    Feb 6 20:12:14 racoon: ERROR: failed to pre-process packet.
    Feb 6 20:12:14 racoon: ERROR: failed to get sainfo.
    Feb 6 20:12:14 racoon: ERROR: failed to get sainfo.
    Feb 6 20:12:14 racoon: [(Ben's Home)]: INFO: respond new phase 2 negotiation: yy.yy.yy.yy[0]<=>xx.xx.xx.xx[0]
    Feb 6 20:12:13 racoon: [(Ben's Home)]: INFO: ISAKMP-SA established yy.yy.yy.yy[500]-xx.xx.xx.xx[500] spi:fbbdeaa60648b997:c16dad03af4b1921
    Feb 6 20:12:13 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
    Feb 6 20:12:13 racoon: INFO: received Vendor ID: DPD
    Feb 6 20:12:13 racoon: INFO: begin Aggressive mode.
    Feb 6 20:12:13 racoon: [(Ben's Home)]: INFO: respond new phase 1 negotiation: yy.yy.yy.yy[500]<=>xx.xx.xx.xx[500]

    I can see that the phase 1 is working out fine, and I have exactly the same settings on both sides for phase 2.

    I have a working VPN from my local firewall to a standard FreeBSD server, and I used exactly the same settings for phase1 and phase 2 as the working one.

    Can anybody see, or suggest what might be the problem?

    The remote box has a number of interfaces and CARP VIPs, but right now I'm just trying to connect to the WAN address and access the LAN subnet. Once I get this working, I'll go back to what I was really trying to do, which was access a subnet on an OPT interface and use the VIP as the server address.

    Regards

    Ben



  • @ben.suffolk:

    Hi,

    I'm having a small problem establishing an IPsec connection between 2 pfSense machines, both 1.2c4

    The remote box has a number of interfaces and CARP VIPs, but right now I'm just trying to connect to the WAN address and access the LAN subnet. Once I get this working, I'll go back to what I was really trying to do, which was access a subnet on an OPT interface and use the VIP as the server address.

    In reply to this message (Nortel <-> pfSense lifetime problem?) I have posted screenshots of my sample (working) pfSense. Ignore the Nortel part and use only the pfSense part. It works for me.

    Sasa



  • And in addition, update to rc5; the ipsec-tools are now 0.7 and it works fine.



  • Sasa,

    I have IPsec working from FreeBSD boxes to both pfSense boxes no problem, so there should be no reason why the two pfSense boxes should not talk to each other, really.

    Heiko,

    I'll try the upgrade and see if this helps.

    Thanks

    Ben



  • The upgrade did not help, so I decided to drop to the command shell and run racoon with some more debugging enabled.

    That showed me what the problem was immediately. I had incorrectly specified the remote LAN as 10.0.0.1/24, not 10.0.0.0/24. Correcting this silly mistake in my configuration sorted it out.

    Regards

    Ben
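
The pattern in this thread (ISAKMP-SA established, initiator gives up waiting for the IPsec-SA, responder logs "failed to get sainfo") is a Phase 2 selector mismatch, and the culprit turned out to be a subnet written with host bits set. The following is an added example, not code from the thread, from pfSense or from racoon: it lints a pair of peer configurations for that mistake and simulates the responder's sainfo lookup. The lookup is modelled as an exact comparison of the Quick Mode ID payloads (IDci/IDcr) against the responder's configured subnets, which is consistent with 10.0.0.1/24 failing against 10.0.0.0/24 here; the peer configurations are constructed, and 192.168.1.0/24 stands in for the local LAN the thread never names.

```python
"""Phase 2 selector check for a pair of racoon/pfSense IPsec peers.

Added example, not code from the thread, from pfSense or from racoon. It
models the symptom in the thread: Phase 1 (ISAKMP-SA) completes, the
initiator then times out waiting for the IPsec-SA, and the responder logs
"failed to get sainfo", because the initiator's Phase 2 ID payloads do not
match any sainfo on the responder. Both peer configurations below are
constructed; 192.168.1.0/24 stands in for the local LAN the thread never
names.
"""
import ipaddress


def lint_selector(spec):
    """Flag a subnet written with host bits set (10.0.0.1/24 instead of
    10.0.0.0/24). Returns (normalised_network, warning_or_None)."""
    iface = ipaddress.ip_interface(spec)
    net = iface.network                       # prefix with host bits cleared
    if iface.ip != net.network_address:
        return net, f"{spec} has host bits set; did you mean {net}?"
    return net, None


def lint_peer(name, peer):
    """Run lint_selector over both Phase 2 selectors of one peer config."""
    warnings = []
    for side in ("local", "remote"):
        _, warn = lint_selector(peer[side])
        if warn:
            warnings.append(f"{name}.{side}: {warn}")
    return warnings


def phase2_ids(initiator):
    """ID payloads the initiator puts on the wire in Quick Mode: IDci is its
    own local network, IDcr the remote network, both taken verbatim from
    its configuration (no normalisation)."""
    return (ipaddress.ip_interface(initiator["local"]),
            ipaddress.ip_interface(initiator["remote"]))


def find_sainfo(responder, idci, idcr):
    """Responder-side sainfo lookup, modelled as an exact comparison of the
    received IDs with the responder's own configured subnets (assumption
    consistent with the thread, where 10.0.0.1/24 against 10.0.0.0/24
    failed). Returns a list of mismatch descriptions; empty means found."""
    problems = []
    want_remote = ipaddress.ip_interface(responder["remote"])
    want_local = ipaddress.ip_interface(responder["local"])
    if idci != want_remote:
        problems.append(f"IDci {idci} != responder remote {want_remote}")
    if idcr != want_local:
        problems.append(f"IDcr {idcr} != responder local {want_local}")
    return problems


def negotiate_phase2(initiator, responder):
    """Simulate the Phase 2 sainfo step and collect config lint for both ends."""
    idci, idcr = phase2_ids(initiator)
    problems = find_sainfo(responder, idci, idcr)
    return {
        "phase2_ok": not problems,
        "problems": problems,
        "lint": lint_peer("initiator", initiator) + lint_peer("responder", responder),
    }


# Constructed configs modelled on the thread. The remote pfSense (yy.yy.yy.yy)
# is the responder; its LAN is 10.0.0.0/24.
REMOTE_PFSENSE = {"local": "10.0.0.0/24", "remote": "192.168.1.0/24"}
# Ben's local pfSense (xx.xx.xx.xx) with the typo from the last post ...
LOCAL_WRONG = {"local": "192.168.1.0/24", "remote": "10.0.0.1/24"}
# ... and after the correction.
LOCAL_FIXED = {"local": "192.168.1.0/24", "remote": "10.0.0.0/24"}

if __name__ == "__main__":
    for label, cfg in (("before", LOCAL_WRONG), ("after", LOCAL_FIXED)):
        result = negotiate_phase2(cfg, REMOTE_PFSENSE)
        print(label, "phase2_ok =", result["phase2_ok"])
        for line in result["problems"] + result["lint"]:
            print("  ", line)
```

Running it prints the mismatch for the "before" configuration (IDcr 10.0.0.1/24 against the responder's 10.0.0.0/24) together with the lint warning on the initiator's remote subnet, and a clean Phase 2 for the corrected one. The lint half is the part worth keeping around: pfSense 1.2 accepted 10.0.0.1/24 without complaint, and a host-bits check before committing a tunnel config catches the error without reading racoon debug output.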


Locked