    Having problems with pfSense -> pfSense VPN

    ben.suffolk

      Hi,

      I'm having a small problem establishing an IPsec connection between 2 pfSense machines, both 1.2c4.

      Logs from my local firewall (in reverse order, sorry):-

      Feb 6 20:12:44 racoon: [LAN]: ERROR: yy.yy.yy.yy give up to get IPsec-SA due to time up to wait.
      Feb 6 20:12:14 racoon: [LAN]: INFO: initiate new phase 2 negotiation: xx.xx.xx.xx[0]<=>yy.yy.yy.yy[0]
      Feb 6 20:12:13 racoon: LAN]: INFO: ISAKMP-SA established xx.xx.xx.xx[500]-yy.yy.yy.yy[500] spi:fbbdeaa60648b997:c16dad03af4b1921
      Feb 6 20:12:13 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
      Feb 6 20:12:13 racoon: INFO: received Vendor ID: DPD
      Feb 6 20:12:13 racoon: INFO: begin Aggressive mode.
      Feb 6 20:12:13 racoon: [LAN]: INFO: initiate new phase 1 negotiation: xx.xx.xx.xx[500]<=>yy.yy.yy.yy[500]
      Feb 6 20:12:13 racoon: [LAN]: INFO: IPsec-SA request for yy.yy.yy.yy queued due to no phase1 found.

      and from the remote machine (again reverse order) :-

      Feb 6 20:12:14 racoon: ERROR: failed to pre-process packet.
      Feb 6 20:12:14 racoon: ERROR: failed to get sainfo.
      Feb 6 20:12:14 racoon: ERROR: failed to get sainfo.
      Feb 6 20:12:14 racoon: [(Ben's Home)]: INFO: respond new phase 2 negotiation: yy.yy.yy.yy[0]<=>xx.xx.xx.xx[0]
      Feb 6 20:12:13 racoon: [(Ben's Home)]: INFO: ISAKMP-SA established yy.yy.yy.yy[500]-xx.xx.xx.xx[500] spi:fbbdeaa60648b997:c16dad03af4b1921
      Feb 6 20:12:13 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
      Feb 6 20:12:13 racoon: INFO: received Vendor ID: DPD
      Feb 6 20:12:13 racoon: INFO: begin Aggressive mode.
      Feb 6 20:12:13 racoon: [(Ben's Home)]: INFO: respond new phase 1 negotiation: yy.yy.yy.yy[500]<=>xx.xx.xx.xx[500]

      I can see that the phase 1 is working out fine, and I have exactly the same settings on both sides for phase 2.

      I have a working VPN from my local firewall to a standard FreeBSD server, and I used exactly the same settings for phase1 and phase 2 as the working one.

      Can anybody see, or suggest what might be the problem?

      The remote box has a number of interfaces and CARP VIPs, but right now I'm just trying to connect to the WAN address and access the LAN subnet. Once I get this working, I'll go back to what I was really trying to do, which was access a subnet on an OPT interface, and use the VIP as the server address.

      Regards

      Ben

      ssbaksa

        @ben.suffolk:

        Hi,

        I'm having a small problem establishing an IPsec connection between 2 pfSense machines, both 1.2c4.

        The remote box has a number of interfaces and CARP VIPs, but right now I'm just trying to connect to the WAN address and access the LAN subnet. Once I get this working, I'll go back to what I was really trying to do, which was access a subnet on an OPT interface, and use the VIP as the server address.

        In reply to this message (Nortel <-> pfSense lifetime problem?) I have posted screenshots of my sample (working) pfSense. Ignore the Nortel part and use only the pfSense part. It works for me.

        Sasa

        heiko

          And in addition, make an update to RC5; the ipsec-tools are now 0.7 and it works fine.

          ben.suffolk

            Sasa,

            I have IPsec working from FreeBSD boxes to both pfSense boxes no problem, and so there should be no reason why the two pfSense boxes should not talk to each other really.

            Heiko,

            I'll try the upgrade and see if this helps.

            Thanks

            Ben

            ben.suffolk

              The upgrade did not help, so I decided to drop to the command shell and run racoon with some more debugging enabled.

              That showed me what the problem was immediately. I had incorrectly specified the remote LAN as 10.0.0.1/24, not 10.0.0.0/24. Correcting this silly mistake in my configuration sorted it out.

              Regards

              Ben

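The root cause in this thread is a phase 2 selector typed with host bits set (10.0.0.1/24 instead of 10.0.0.0/24), so the responder cannot match the initiator's proposal against its own local/remote subnet pair and logs "failed to get sainfo". The following is an added example, not code from the forum post, pfSense or racoon: it models that matching (each side's local subnet must be the peer's remote subnet, compared exactly as typed) and flags selectors whose host bits are not zero. The dict keys `local`/`remote` and the function names are this example's own.

```python
"""Check a pair of pfSense phase 2 selector settings the way racoon's
sainfo lookup would see them (added example, not racoon's own code)."""
import ipaddress


def selector(text):
    """Return the selector as (address, prefixlen) exactly as typed, plus a
    warning when host bits are set, which is the 10.0.0.1/24 mistake."""
    iface = ipaddress.ip_interface(text)
    warning = None
    if iface.ip != iface.network.network_address:
        warning = f"{text} has host bits set; did you mean {iface.network}?"
    return (iface.ip, iface.network.prefixlen), warning


def check_phase2(initiator, responder):
    """initiator/responder: dicts with 'local' and 'remote' subnet strings as
    entered in each firewall's phase 2 form. Returns a list of problems; an
    empty list means the selectors mirror each other and the responder
    would find a matching sainfo for the initiator's proposal."""
    problems = []
    parsed = {}
    for side_name, side in (("initiator", initiator), ("responder", responder)):
        for key in ("local", "remote"):
            sel, warning = selector(side[key])
            parsed[(side_name, key)] = sel
            if warning:
                problems.append(f"{side_name} {key} subnet: {warning}")
    # racoon compares the proposed IDs to its sainfo address and prefix
    # literally, so a host-bit typo is a mismatch even if the networks agree.
    pairs = (("initiator", "remote", "responder", "local"),
             ("initiator", "local", "responder", "remote"))
    for a_side, a_key, b_side, b_key in pairs:
        a, b = parsed[(a_side, a_key)], parsed[(b_side, b_key)]
        if a != b:
            problems.append(f"{a_side} {a_key} {a[0]}/{a[1]} does not match "
                            f"{b_side} {b_key} {b[0]}/{b[1]} (sainfo lookup fails)")
    return problems


if __name__ == "__main__":
    # Constructed sample: the thread's typo on the initiator side.
    bad = check_phase2({"local": "192.168.1.0/24", "remote": "10.0.0.1/24"},
                       {"local": "10.0.0.0/24", "remote": "192.168.1.0/24"})
    for p in bad:
        print("PROBLEM:", p)
    fixed = check_phase2({"local": "192.168.1.0/24", "remote": "10.0.0.0/24"},
                         {"local": "10.0.0.0/24", "remote": "192.168.1.0/24"})
    print("after fix:", "OK" if not fixed else fixed)
```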