    pfSense 2.2 <-> pfSense 2.2 IPsec tunnel (RESOLVED)

      ratch3t:

      I had 3 tunnels working before the 2.2 upgrade, now none of them are working.

      These should be a simple pfSense 2.2 to pfSense 2.2 tunnel, anyone have a working config for this so far? Not at all worried about which modes you're using, I just need something to work asap.

      EDIT:  PROBLEM RESOLVED

        Riccardo90:

        Hello,
        Under Phase1 configuration, on both pfSense, fill the field My identifier with your public IP addresses and change the negotiation mode from aggressive to main.

        This should permit your pfSense to work. Personally, I think that this version 2.2 is very very bad.. I just rolled back my pfSense to 2.1.5

        Riccardo

          sammybernard:

          I was having the same problems too... I changed the Identifier to my dyndns FQDN and so far the tunnel has been stable for 12 hours... I can't force it to my IP address since I have DHCP. I agree IPsec has been causing us a lot of problems in this version. Hopefully they are all teething issues and can be expected with a move to a new backend... but still frustrating nonetheless.

            Riccardo90:

            Do you mean that you don't have a static public IP but a dynamic one? In this case it should work also with the FQDN of DDNS.

            Riccardo

              cmb:

              Where they were working before, they should work the same after the upgrade. What settings specifically do you have configured? What about it doesn't work? PM me if you can get me access.

                ratch3t:

                Settings for the tunnels are as follows…




                  eri--:

                  If you do not use the Gateway group does it work?

                    ratch3t:

                    Tried changing it to the CARP IP and just the WANPRI interface... Still no go.

                      ratch3t:

                      Local side is looping this in the log:

                      Jan 29 13:34:34 charon: 14[NET] 192: EC 42 7B 1F .B{.
                      Jan 29 13:34:34 charon: 14[NET] 176: 00 00 00 14 90 CB 80 91 3E BB 69 6E 08 63 81 B5 ….....>.in.c..
                      Jan 29 13:34:34 charon: 14[NET] 160: 4A 13 1C 81 07 03 58 45 5C 57 28 F2 0E 95 45 2F J…..XE\W(...E/
                      Jan 29 13:34:34 charon: 14[NET] 144: 25 E7 DE 7F 00 D6 C2 D3 80 00 00 00 0D 00 00 14 %…............
                      Jan 29 13:34:34 charon: 14[NET] 128: 74 CC 01 00 0D 00 00 18 40 48 B7 D5 6E BC E8 85 t…....@H..n...
                      Jan 29 13:34:34 charon: 14[NET] 112: 0D 00 00 14 12 F5 F2 8C 45 71 68 A9 70 2D 9F E2 ….....Eqh.p-..
                      Jan 29 13:34:34 charon: 14[NET] 96: AF CA D7 13 68 A1 F1 C9 6B 86 96 FC 77 57 01 00 ….h...k...wW..
                      Jan 29 13:34:34 charon: 14[NET] 80: 0D 00 00 0C 09 00 26 89 DF D6 B7 12 0D 00 00 14 …...&.........
                      Jan 29 13:34:34 charon: 14[NET] 64: 80 04 00 02 80 03 00 01 80 0B 00 01 80 0C 70 80 …...........p.
                      Jan 29 13:34:34 charon: 14[NET] 48: 00 00 00 20 01 01 00 00 80 01 00 05 80 02 00 01 … ............
                      Jan 29 13:34:34 charon: 14[NET] 32: 00 00 00 01 00 00 00 01 00 00 00 28 00 01 00 01 …........(....
                      Jan 29 13:34:34 charon: 14[NET] 16: 01 10 02 00 00 00 00 00 00 00 00 C4 0D 00 00 34 …............4
                      Jan 29 13:34:34 charon: 14[NET] 0: 5A 26 6C 38 44 63 66 42 00 00 00 00 00 00 00 00 Z&l8DcfB….....
                      Jan 29 13:34:34 charon: 14[NET] received packet => 196 bytes @ 0x7ffffe1ee590
                      Jan 29 13:34:34 charon: 14[NET] 192: EC 42 7B 1F .B{.
                      Jan 29 13:34:34 charon: 14[NET] 176: 00 00 00 14 90 CB 80 91 3E BB 69 6E 08 63 81 B5 ….....>.in.c..
                      Jan 29 13:34:34 charon: 14[NET] 160: 4A 13 1C 81 07 03 58 45 5C 57 28 F2 0E 95 45 2F J…..XE\W(...E/
                      Jan 29 13:34:34 charon: 14[NET] 144: 25 E7 DE 7F 00 D6 C2 D3 80 00 00 00 0D 00 00 14 %…............
                      Jan 29 13:34:34 charon: 14[NET] 128: 74 CC 01 00 0D 00 00 18 40 48 B7 D5 6E BC E8 85 t…....@H..n...
                      Jan 29 13:34:34 charon: 14[NET] 112: 0D 00 00 14 12 F5 F2 8C 45 71 68 A9 70 2D 9F E2 ….....Eqh.p-..
                      Jan 29 13:34:34 charon: 14[NET] 96: AF CA D7 13 68 A1 F1 C9 6B 86 96 FC 77 57 01 00 ….h...k...wW..
                      Jan 29 13:34:34 charon: 14[NET] 80: 0D 00 00 0C 09 00 26 89 DF D6 B7 12 0D 00 00 14 …...&.........
                      Jan 29 13:34:34 charon: 14[NET] 64: 80 04 00 02 80 03 00 01 80 0B 00 01 80 0C 70 80 …...........p.
                      Jan 29 13:34:34 charon: 14[NET] 48: 00 00 00 20 01 01 00 00 80 01 00 05 80 02 00 01 … ............
                      Jan 29 13:34:34 charon: 14[NET] 32: 00 00 00 01 00 00 00 01 00 00 00 28 00 01 00 01 …........(....
                      Jan 29 13:34:34 charon: 14[NET] 16: 01 10 02 00 00 00 00 00 00 00 00 C4 0D 00 00 34 …............4
                      Jan 29 13:34:34 charon: 14[NET] 0: 5A 26 6C 38 44 63 66 42 00 00 00 00 00 00 00 00 Z&l8DcfB….....
                      Jan 29 13:34:34 charon: 14[NET] received packet => 196 bytes @ 0x7ffffe1ee590
                      Jan 29 13:34:25 charon: 14[NET] waiting for data on sockets
                      Jan 29 13:34:25 charon: 14[NET] waiting for data on sockets
                      Jan 29 13:34:25 charon: 14[NET] received packet from –----[500] to –----[500] on ignored interface
                      Jan 29 13:34:25 charon: 14[NET] received packet from –----[500] to –----[500] on ignored interface
                      Jan 29 13:34:25 charon: 14[NET] received packet: from –----[500] to –---[500]
                      Jan 29 13:34:25 charon: 14[NET] received packet: from –----[500] to –---[500]

                      REMOTE SIDE is showing this:
                      Jan 29 13:37:01 charon: 09[KNL] SADB_EXT_PROPOSAL
                      Jan 29 13:37:01 charon: 09[KNL] SADB_EXT_PROPOSAL
                      Jan 29 13:37:01 charon: 09[KNL] SADB_X_EXT_POLICY
                      Jan 29 13:37:01 charon: 09[KNL] SADB_X_EXT_POLICY
                      Jan 29 13:37:01 charon: 09[KNL] SADB_EXT_ADDRESS_DST
                      Jan 29 13:37:01 charon: 09[KNL] SADB_EXT_ADDRESS_DST
                      Jan 29 13:37:01 charon: 09[KNL] SADB_EXT_ADDRESS_SRC
                      Jan 29 13:37:01 charon: 09[KNL] SADB_EXT_ADDRESS_SRC
                      Jan 29 13:37:01 charon: 09[KNL] received an SADB_ACQUIRE
                      Jan 29 13:37:01 charon: 09[KNL] received an SADB_ACQUIRE
                      Jan 29 13:37:01 charon: 06[JOB] watcher going to select()
                      Jan 29 13:37:01 charon: 06[JOB] watcher going to select()
                      Jan 29 13:37:01 charon: 06[JOB] watching 22 for reading
                      Jan 29 13:37:01 charon: 06[JOB] watching 22 for reading
                      Jan 29 13:37:01 charon: 06[JOB] watching 17 for reading
                      Jan 29 13:37:01 charon: 06[JOB] watching 17 for reading
                      Jan 29 13:37:01 charon: 06[JOB] watching 10 for reading
                      Jan 29 13:37:01 charon: 06[JOB] watching 10 for reading
                      Jan 29 13:37:01 charon: 06[JOB] watched FD 12 ready to read
                      Jan 29 13:37:01 charon: 06[JOB] watched FD 12 ready to read
                      Jan 29 13:36:33 charon: 09[MGR] check-in of IKE_SA successful.
                      Jan 29 13:36:33 charon: 09[MGR] <con1000|3381>check-in of IKE_SA successful.
                      Jan 29 13:36:33 charon: 03[JOB] next event in 41s 989ms, waiting
                      Jan 29 13:36:33 charon: 03[JOB] next event in 41s 989ms, waiting
                      Jan 29 13:36:33 charon: 08[NET] sending packet: from –----[500] to –----[500]
                      Jan 29 13:36:33 charon: 08[NET] sending packet: from –----[500] to –----[500]
                      Jan 29 13:36:33 charon: 09[MGR] checkin IKE_SA con1000[3381]
                      Jan 29 13:36:33 charon: 09[MGR] <con1000|3381>checkin IKE_SA con1000[3381]
                      Jan 29 13:36:33 charon: 09[NET] sending packet: from –-----[500] to –-----[500] (196 bytes)
                      Jan 29 13:36:33 charon: 09[NET] <con1000|3381>sending packet: from –----[500] to –---[500] (196 bytes)
                      Jan 29 13:36:33 charon: 09[IKE] sending retransmit 4 of request message ID 0, seq 1
                      Jan 29 13:36:33 charon: 09[IKE] <con1000|3381>sending retransmit 4 of request message ID 0, seq 1
                      Jan 29 13:36:33 charon: 09[MGR] IKE_SA con1000[3381] successfully checked out
                      Jan 29 13:36:33 charon: 09[MGR] IKE_SA con1000[3381] successfully checked out
                      Jan 29 13:36:33 charon: 09[MGR] checkout IKE_SA
                      Jan 29 13:36:33 charon: 09[MGR] checkout IKE_SA
                      Jan 29 13:36:33 charon: 03[JOB] no events, waiting
                      Jan 29 13:36:33 charon: 03[JOB] no events, waiting
                      Jan 29 13:36:33 charon: 03[JOB] got event, queuing job for execution
                      Jan 29 13:36:33 charon: 03[JOB] got event, queuing job for execution
                      Jan 29 13:36:29 charon: 06[JOB] watcher going to select()
                      Jan 29 13:36:29 charon: 06[JOB] watcher going to select()
                      Jan 29 13:36:29 charon: 06[JOB] watching 22 for reading
                      Jan 29 13:36:29 charon: 06[JOB] watching 22 for reading
                      Jan 29 13:36:29 charon: 06[JOB] watching 17 for reading
                      Jan 29 13:36:29 charon: 06[JOB] watching 17 for reading
                      Jan 29 13:36:29 charon: 06[JOB] watching 12 for reading
                      Jan 29 13:36:29 charon: 06[JOB] watching 12 for reading
                      Jan 29 13:36:29 charon: 06[JOB] watching 10 for reading
                      Jan 29 13:36:29 charon: 06[JOB] watching 10 for reading
                      Jan 29 13:36:29 charon: 09[CFG] ignoring acquire, connection attempt pending
                      Jan 29 13:36:29 charon: 09[CFG] ignoring acquire, connection attempt pending
                      Jan 29 13:36:29 charon: 06[JOB] watcher got notification, rebuilding
                      Jan 29 13:36:29 charon: 06[JOB] watcher got notification, rebuilding
                      Jan 29 13:36:29 charon: 02[KNL] creating acquire job for policy –----/32|/0 === -------/32|/0 with reqid {1}
                      Jan 29 13:36:29 charon: 02[KNL] creating acquire job for policy –----/32|/0 === -------/32|/0 with reqid {1}

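The local-side dump above is a complete IKE packet as charon received it, and decoding it is the first check worth making before changing any settings, because it says exactly what the peer is proposing and at what stage the exchange is stuck. The decoder below is an added example, not code from the thread, pfSense or strongSwan. It reassembles charon's "[NET] offset: bytes" rows (the input is constructed from the dump quoted above, ASCII column included), parses the 28-byte ISAKMP header and walks the payload chain; the vendor-ID names are assumed from commonly published values. On this packet it reports exchange type 2 (main mode), message ID 0, an all-zero responder SPI and a single 3DES/MD5/PSK/DH-group-2 proposal, i.e. the peer's first main-mode message, which matches the remote side's "sending retransmit 4 of request message ID 0 ... (196 bytes)". The packet arrives intact; it is the local side that never answers it.

```python
"""Decode an IKEv1 (ISAKMP) packet from charon's '[NET]' hex-dump rows."""
import re
import struct

# Constructed input: one copy of the 196-byte packet hex-dumped in the thread above.
# charon logs the rows highest offset first; the ASCII column is kept as logged.
CHARON_DUMP = """\
Jan 29 13:34:34 charon: 14[NET] 192: EC 42 7B 1F .B{.
Jan 29 13:34:34 charon: 14[NET] 176: 00 00 00 14 90 CB 80 91 3E BB 69 6E 08 63 81 B5 ….....>.in.c..
Jan 29 13:34:34 charon: 14[NET] 160: 4A 13 1C 81 07 03 58 45 5C 57 28 F2 0E 95 45 2F J…..XE\\W(...E/
Jan 29 13:34:34 charon: 14[NET] 144: 25 E7 DE 7F 00 D6 C2 D3 80 00 00 00 0D 00 00 14 %…............
Jan 29 13:34:34 charon: 14[NET] 128: 74 CC 01 00 0D 00 00 18 40 48 B7 D5 6E BC E8 85 t…....@H..n...
Jan 29 13:34:34 charon: 14[NET] 112: 0D 00 00 14 12 F5 F2 8C 45 71 68 A9 70 2D 9F E2 ….....Eqh.p-..
Jan 29 13:34:34 charon: 14[NET] 96: AF CA D7 13 68 A1 F1 C9 6B 86 96 FC 77 57 01 00 ….h...k...wW..
Jan 29 13:34:34 charon: 14[NET] 80: 0D 00 00 0C 09 00 26 89 DF D6 B7 12 0D 00 00 14 …...&.........
Jan 29 13:34:34 charon: 14[NET] 64: 80 04 00 02 80 03 00 01 80 0B 00 01 80 0C 70 80 …...........p.
Jan 29 13:34:34 charon: 14[NET] 48: 00 00 00 20 01 01 00 00 80 01 00 05 80 02 00 01 … ............
Jan 29 13:34:34 charon: 14[NET] 32: 00 00 00 01 00 00 00 01 00 00 00 28 00 01 00 01 …........(....
Jan 29 13:34:34 charon: 14[NET] 16: 01 10 02 00 00 00 00 00 00 00 00 C4 0D 00 00 34 …............4
Jan 29 13:34:34 charon: 14[NET] 0: 5A 26 6C 38 44 63 66 42 00 00 00 00 00 00 00 00 Z&l8DcfB….....
Jan 29 13:34:34 charon: 14[NET] received packet => 196 bytes @ 0x7ffffe1ee590
"""

DUMP_RE = re.compile(r"\[NET\]\s+(\d+):((?:\s[0-9A-F]{2}){1,16})")
EXCHANGE_TYPES = {2: "Identity Protection (main mode)", 4: "Aggressive",
                  5: "Informational", 32: "Quick mode"}
PAYLOAD_TYPES = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 11: "N", 13: "VID"}
# Phase 1 transform attribute types from RFC 2409 appendix A.
ATTR_TYPES = {1: "encryption", 2: "hash", 3: "auth_method", 4: "dh_group",
              11: "life_type", 12: "life_duration"}
# Vendor-ID payload bodies; the names are assumed from commonly published values.
VENDOR_IDS = {
    "09002689dfd6b712": "XAUTH",
    "afcad71368a1f1c96b8696fc77570100": "Dead Peer Detection (RFC 3706)",
    "12f5f28c457168a9702d9fe274cc0100": "Cisco Unity",
    "4048b7d56ebce88525e7de7f00d6c2d380000000": "IKE fragmentation",
    "4a131c81070358455c5728f20e95452f": "NAT-T (RFC 3947)",
    "90cb80913ebb696e086381b5ec427b1f": "NAT-T draft-ietf-ipsec-nat-t-ike-02",
}

def reassemble(dump: str) -> bytes:
    """Gather the offset-tagged rows of one packet dump into contiguous bytes."""
    rows = {}
    for line in dump.splitlines():
        m = DUMP_RE.search(line)
        if m:
            rows[int(m.group(1))] = bytes.fromhex(m.group(2))
    out = bytearray()
    for off in sorted(rows):
        if off != len(out):
            raise ValueError(f"dump has a gap before offset {off}")
        out += rows[off]
    return bytes(out)

def parse_attributes(data: bytes) -> dict:
    """ISAKMP attributes: TV (AF bit set, 2-byte value) or TLV (length, then value)."""
    attrs, off = {}, 0
    while off + 4 <= len(data):
        atype, val = struct.unpack_from("!HH", data, off)
        if atype & 0x8000:
            attrs[ATTR_TYPES.get(atype & 0x7FFF, atype & 0x7FFF)] = val
            off += 4
        else:
            attrs[ATTR_TYPES.get(atype, atype)] = int.from_bytes(data[off + 4:off + 4 + val], "big")
            off += 4 + val
    return attrs

def parse_sa(body: bytes) -> dict:
    """SA payload body: DOI, situation, then one proposal with its transforms."""
    doi, situation = struct.unpack_from("!II", body, 0)
    _, _, _, _, proto, spi_size, ntrans = struct.unpack_from("!BBHBBBB", body, 8)
    off, transforms = 16 + spi_size, []
    for _ in range(ntrans):
        _, _, tlen, _, tid = struct.unpack_from("!BBHBB", body, off)
        transforms.append({"transform_id": tid, **parse_attributes(body[off + 8:off + tlen])})
        off += tlen
    return {"doi": doi, "situation": situation, "protocol": proto, "transforms": transforms}

def decode_ikev1(raw: bytes) -> dict:
    """Parse the 28-byte ISAKMP header and walk the payload chain to the end."""
    ispi, rspi, nxt, ver, exch, flags, msgid, length = struct.unpack_from("!8s8sBBBBII", raw, 0)
    if length != len(raw):
        raise ValueError(f"header says {length} bytes, dump has {len(raw)}")
    info = {"initiator_spi": ispi.hex(), "responder_spi": rspi.hex(),
            "version": f"{ver >> 4}.{ver & 0xF}", "exchange_type": exch,
            "exchange": EXCHANGE_TYPES.get(exch, "unknown"), "flags": flags,
            "message_id": msgid, "length": length, "payloads": [], "vendor_ids": []}
    off = 28
    while nxt:
        ptype = nxt
        nxt, _, plen = struct.unpack_from("!BBH", raw, off)
        body = raw[off + 4:off + plen]
        info["payloads"].append(PAYLOAD_TYPES.get(ptype, ptype))
        if ptype == 1:
            info["sa"] = parse_sa(body)
        elif ptype == 13:
            info["vendor_ids"].append(body.hex())
        off += plen
    if off != length:
        raise ValueError("payload chain does not end at the packet length")
    return info

if __name__ == "__main__":
    pkt = decode_ikev1(reassemble(CHARON_DUMP))
    print(f"IKE {pkt['version']} {pkt['exchange']}, message ID {pkt['message_id']}, "
          f"responder SPI {pkt['responder_spi']}, payloads {pkt['payloads']}")
    print("phase 1 proposal:", pkt["sa"]["transforms"][0])
    for vid in pkt["vendor_ids"]:
        print("vendor ID:", VENDOR_IDS.get(vid, "unknown"), vid)
```

The attribute numbers the decoder prints (encryption 5, hash 1, auth_method 1, dh_group 2, life_duration 28800) are the IKE attribute values for 3DES-CBC, MD5, pre-shared key, 1024-bit MODP and 8 hours; compare them against the Phase 1 proposal configured on the receiving pfSense, since a responder that finds no matching proposal, or no matching peer identity, stays silent and the initiator just keeps retransmitting as the remote log shows.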
                        eri--:

                        Jan 29 13:34:25   charon: 14[NET] received packet from ------[500] to ------[500] on ignored interface
                        Jan 29 13:34:25   charon: 14[NET] received packet from ------[500] to ------[500] on ignored interface
                        Jan 29 13:34:25   charon: 14[NET] received packet: from ------[500] to -----[500]
                        Jan 29 13:34:25   charon: 14[NET] received packet: from ------[500] to -----[500]

                        I think you have a routing issue of sorts not related to pfSense.

                          cmb:

                          This one just ended up being mismatched IPs in the P1. It appears it was compounded by some circumstance in which if you make significant changes to the IPsec config, strongSwan wants a full stop/start to properly apply that. I'm looking into that issue separately.

                            Thale:
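Riccardo90's fix (My identifier set to the public IP, main mode on both sides) and cmb's diagnosis (mismatched IPs in the P1) describe the same condition from two ends: each peer's own identity has to be exactly what the other side expects, and both have to use the same negotiation mode, otherwise the responder never answers the first message. pfSense 2.2 renders Phase 1 into a strongSwan ipsec.conf "conn" block, so the check can be run on that text from both firewalls. The checker below is an added example, not the thread's or pfSense's code; the two "conn" blocks are constructed with documentation addresses, and the wrong rightid and the aggressive-mode mismatch on site B are deliberate so there is something to find.

```python
"""Cross-check the IKEv1 Phase 1 identities and mode of two strongSwan conn blocks."""

# Constructed sample ipsec.conf fragments, one per pfSense side. Addresses are
# documentation ranges; site B carries two deliberate Phase 1 mismatches.
SITE_A = """\
conn con1000
    keyexchange = ikev1
    aggressive = no
    left = 198.51.100.10
    leftid = 198.51.100.10
    right = 203.0.113.20
    rightid = 203.0.113.20
    authby = secret
"""
SITE_B = """\
conn con1000
    keyexchange = ikev1
    aggressive = yes
    left = 203.0.113.20
    leftid = 203.0.113.20
    right = 198.51.100.10
    rightid = 198.51.100.11
    authby = secret
"""

def parse_conn(text: str) -> dict:
    """Return the key/value settings of the first 'conn' block in an ipsec.conf fragment."""
    conf, in_conn = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("conn "):
            conf["name"] = line.split(None, 1)[1]
            in_conn = True
        elif in_conn and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            conf[key] = value
    return conf

def check_phase1(a: dict, b: dict) -> list:
    """List the Phase 1 mismatches between peer configs a and b (empty list = consistent).

    strongSwan uses leftid as the local identity and falls back to the left
    address when leftid is unset; rightid is the identity expected from the peer.
    """
    findings = []
    a_self, b_self = a.get("leftid", a.get("left")), b.get("leftid", b.get("left"))
    a_peer, b_peer = a.get("rightid", a.get("right")), b.get("rightid", b.get("right"))
    if a_self != b_peer:
        findings.append(f"A identifies as {a_self} but B expects {b_peer}")
    if b_self != a_peer:
        findings.append(f"B identifies as {b_self} but A expects {a_peer}")
    if a.get("aggressive", "no") != b.get("aggressive", "no"):
        findings.append("negotiation mode differs: aggressive on one side only")
    if a.get("right") != b.get("left") or b.get("right") != a.get("left"):
        findings.append("peer address on one side is not the other side's own address")
    return findings

if __name__ == "__main__":
    for finding in check_phase1(parse_conn(SITE_A), parse_conn(SITE_B)) or ["Phase 1 consistent"]:
        print(finding)
```

Run it against the ipsec.conf that each pfSense writes for strongSwan and the output names the side and the field to correct. Where one side has a dynamic address, as sammybernard describes, leftid on that side and rightid on the other will carry the DDNS FQDN rather than an address, and the same equality check applies.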

                            @cmb:

                            It appears it was compounded by some circumstance in which if you make significant changes to the IPsec config, strongswan wants a full stop/start to properly apply that. I'm looking into that issue separately.

                            Would "Restart Service" work, or does a "full stop/start" refer to an actual stop followed by a start?

                              cmb:

                              @Thale:

                              Would "Restart Service" work, or does a "full stop/start" refer to an actual stop followed by a start?

                              Stop it, then start it. A restart in some cases apparently doesn't apply all the config file changes that were made in some circumstance(s) I haven't fully quantified yet.
