Having problems with pfSense -> pfSense VPN

ben.suffolk

Hi,

I'm having a small problem establishing an IPsec connection between 2 pfSense machines, both 1.2c4

Logs from my local firewall (in reverse order, sorry):-

Feb 6 20:12:44 racoon: [LAN]: ERROR: yy.yy.yy.yy give up to get IPsec-SA due to time up to wait.
Feb 6 20:12:14 racoon: [LAN]: INFO: initiate new phase 2 negotiation: xx.xx.xx.xx[0]<=>yy.yy.yy.yy[0]
Feb 6 20:12:13 racoon: LAN]: INFO: ISAKMP-SA established xx.xx.xx.xx[500]-yy.yy.yy.yy[500] spi:fbbdeaa60648b997:c16dad03af4b1921
Feb 6 20:12:13 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Feb 6 20:12:13 racoon: INFO: received Vendor ID: DPD
Feb 6 20:12:13 racoon: INFO: begin Aggressive mode.
Feb 6 20:12:13 racoon: [LAN]: INFO: initiate new phase 1 negotiation: xx.xx.xx.xx[500]<=>yy.yy.yy.yy[500]
Feb 6 20:12:13 racoon: [LAN]: INFO: IPsec-SA request for yy.yy.yy.yy queued due to no phase1 found.

and from the remote machine (again reverse order) :-

Feb 6 20:12:14 racoon: ERROR: failed to pre-process packet.
Feb 6 20:12:14 racoon: ERROR: failed to get sainfo.
Feb 6 20:12:14 racoon: ERROR: failed to get sainfo.
Feb 6 20:12:14 racoon: [(Ben's Home)]: INFO: respond new phase 2 negotiation: yy.yy.yy.yy[0]<=>xx.xx.xx.xx[0]
Feb 6 20:12:13 racoon: [(Ben's Home)]: INFO: ISAKMP-SA established yy.yy.yy.yy[500]-xx.xx.xx.xx[500] spi:fbbdeaa60648b997:c16dad03af4b1921
Feb 6 20:12:13 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Feb 6 20:12:13 racoon: INFO: received Vendor ID: DPD
Feb 6 20:12:13 racoon: INFO: begin Aggressive mode.
Feb 6 20:12:13 racoon: [(Ben's Home)]: INFO: respond new phase 1 negotiation: yy.yy.yy.yy[500]<=>xx.xx.xx.xx[500]

I can see that the phase 1 is working out fine, and I have exactly the same settings on both sides for phase 2.

I have a working VPN from my local firewall to a standard FreeBSD server, and I used exactly the same settings for phase1 and phase 2 as the working one.

Can anybody see, or suggest what might be the problem?

The remote box, has a number of interfaces, and carp VIPs, but right now I'm just trying to connect to the WAN address and access the LAN subnet. Once I get this working, I'll go back to what I was really trying to do, which was access an subnet on an opt interface, and use the VIP as the server address.

Regards

Ben

ssbaksa

@ben.suffolk:

Hi,

I'm having a small problem establishing an IPsec connection between 2 pfSense machines, both 1.2c4

The remote box, has a number of interfaces, and carp VIPs, but right now I'm just trying to connect to the WAN address and access the LAN subnet. Once I get this working, I'll go back to what I was really trying to do, which was access an subnet on an opt interface, and use the VIP as the server address.

In replay to this message (Nortel <-> pfSense lifetime problem? ) I have posted screen-shoot's of my sample (working one) pfSense. Ignore Nortel part and use only pfSense part. It works for me.

Sasa

heiko

and in addition make an update to rc5, the ipsec-tools are now 0.7 and it works fine

ben.suffolk

Sasa,

I have ipsec working from FreeBSD boxes to both pfSense boxes no problem, and so there shoudl be no reason why the two pfSense boxes should not talk to each other really.

Heiko,

I'll try the upgrade and see if this helps.

Thanks

Ben

ben.suffolk

The upgrade did not help, so I decided to drop to eh command shell and run racoon with some more debugging enabled.

That showed me what the problem was immediately. I had incorrectly specified the the remote LAN as 10.0.0.1/24 not 10.0.0.0/24 Correcting this sill mistake in my configuration sorted it out.

Regards

Ben