Ipsec errors please help need this up Monday



  • This is the error I am getting on one box, I am using both Pfsense boxes.  Any Ideas?

    Last 50 IPSEC log entries
    Mar 29 23:18:43 racoon: [Name]: ERROR: 66.93.!.! give up to get IPsec-SA due to time up to wait.
    Mar 29 23:18:13 racoon: [Name]: INFO: initiate new phase 2 negotiation: 98.165.!.![0]<=>66.93.!.![0]
    Mar 29 23:12:55 racoon: [Name]: ERROR: 66.93.160.190 give up to get IPsec-SA due to time up to wait.
    Mar 29 23:12:25 racoon: [Name]: INFO: initiate new phase 2 negotiation: 98.165.!.![500]<=>66.93.!.![500]
    Mar 29 23:12:24 racoon: [Name]: INFO: ISAKMP-SA established 98.165.!.![500]-66.93.!.!500] spi:197dccc5e520270d:6a80ee33c50666ef
    Mar 29 23:12:24 racoon: WARNING: No ID match.
    Mar 29 23:12:24 racoon: INFO: received Vendor ID: DPD
    Mar 29 23:12:24 racoon: INFO: begin Aggressive mode.
    Mar 29 23:12:24 racoon: [Name]: INFO: initiate new phase 1 negotiation: 98.165.!.![500]<=>66.93.!.![500]
    Mar 29 23:12:24 racoon: [Name]: INFO: IPsec-SA request for 66.93.!.! queued due to no phase1 found.
    Mar 29 23:11:44 racoon: ERROR: such policy already exists. anyway replace it: 172.16.0.0/16[0] 192.168.0.0/24[0] proto=any dir=out
    Mar 29 23:11:44 racoon: ERROR: such policy already exists. anyway replace it: 172.16.10.1/32[0] 172.16.0.0/16[0] proto=any dir=out

    Second Box Errors
    Mar 29 23:27:16 racoon: ERROR: failed to pre-process packet.
    Mar 29 23:27:16 racoon: ERROR: failed to get proposal for responder.
    Mar 29 23:27:16 racoon: ERROR: no policy found: 172.16.0.0/16[0] 192.168.0.0/24[0] proto=any dir=in
    Mar 29 23:27:16 racoon: INFO: respond new phase 2 negotiation: 66.93.!.![0]<=>98.165.!.![0]
    Mar 29 23:27:06 racoon: ERROR: failed to pre-process packet.
    Mar 29 23:27:06 racoon: ERROR: failed to get proposal for responder.
    Mar 29 23:27:06 racoon: ERROR: no policy found: 172.16.0.0/16[0] 192.168.0.0/24[0] proto=any dir=in
    Mar 29 23:27:06 racoon: INFO: respond new phase 2 negotiation: 66.93.!.![0]<=>98.165.!.![0]
    Mar 29 23:26:56 racoon: ERROR: failed to pre-process packet.
    Mar 29 23:26:56 racoon: ERROR: failed to get proposal for responder.
    Mar 29 23:26:56 racoon: ERROR: no policy found: 172.16.0.0/16[0] 192.168.0.0/24[0] proto=any dir=in



  • Looks like it's failing negotiation somewhere because of a settings mismatch.



  • That looks like some settings mismatch to me. Recheck your tunneldefinitions on both ends.



  • I have checked and checked and still get that error! What else could it be? I changed it over now using a different internet connection at home and am getting the following error now! I really thought this would be easy, I like pfsense but this is driving me nutts. I just want to get this tunnel up to connect a remote office to a main office!

    Mar 31 00:59:25 racoon: []: ERROR: 66.17.!.! give up to get IPsec-SA due to time up to wait.
    Mar 31 00:58:55 racoon: []: INFO: initiate new phase 2 negotiation: 192.168.1.101[0]<=>66.17.!.![0]
    Mar 31 00:58:24 racoon: []: ERROR: 66.17.!.! give up to get IPsec-SA due to time up to wait.
    Mar 31 00:57:54 racoon: []: INFO: initiate new phase 2 negotiation: 192.168.1.101[0]<=>66.17.!.![0]
    Mar 31 00:57:22 racoon: []: ERROR: 66.17.!.! give up to get IPsec-SA due to time up to wait.
    Mar 31 00:56:52 racoon: []: INFO: initiate new phase 2 negotiation: 192.168.1.101[0]<=>66.17.!.![0]
    Mar 31 00:56:21 racoon: []: ERROR: 66.17.!.! give up to get IPsec-SA due to time up to wait.
    Mar 31 00:55:51 racoon: []: INFO: initiate new phase 2 negotiation: 192.168.1.101[0]<=>66.17.!.![0]
    Mar 31 00:55:18 racoon: []: ERROR: 66.17.!.! give up to get IPsec-SA due to time up to wait.
    Mar 31 00:54:48 racoon: []: INFO: initiate new phase 2 negotiation: 192.168.1.101[0]<=>66.17.!.![0]
    Mar 31 00:54:17 racoon: ERROR: such policy already exists. anyway replace it: 192.168.0.0/16[0] 192.168.0.0/22[0] proto=any dir=out



  • one thing this is the error i get at the remote location, the server at the main office shows nothing under the ipsec log



  • could it be the two subnets?

    main network is 192.168.0.0
    255.255.252.0

    remote is 192.168.1.0
    255.255.255.0

    Thanks



  • Changed ip and now i get this again! Im getting ready to give up this is so frustrating. I have done ipsec on Cisco before

    Mar 30 19:10:18 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 128.168.1.0/26[0] 192.168.0.0/22[0] proto=any dir=out
    Mar 30 19:10:18 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 128.168.1.1/32[0] 128.168.1.0/26[0] proto=any dir=out
    Mar 30 19:10:18 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.0.0/22[0] 128.168.1.0/26[0] proto=any dir=in
    Mar 30 19:10:18 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 128.168.1.0/26[0] 128.168.1.1/32[0] proto=any dir=in



  • Back to this! Im getting ready to throw in the towl in go buy a firewall for both places…

    Mar 30 21:32:05 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 172.16.10.0/24[0] 192.168.0.0/22[0] proto=any dir=out
    Mar 30 21:32:05 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 172.16.10.1/32[0] 172.16.10.0/24[0] proto=any dir=out
    Mar 30 21:32:05 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.0.0/22[0] 172.16.10.0/24[0] proto=any dir=in
    Mar 30 21:32:05 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 172.16.10.0/24[0] 172.16.10.1/32[0] proto=any dir=in



  • @chrisreston:

    could it be the two subnets?

    main network is 192.168.0.0
    255.255.252.0

    remote is 192.168.1.0
    255.255.255.0

    That might be why the negotiation is failing, even if it were successful it's not going to work with those two subnets. 192.168.1.0/24 is within 192.168.0.0/22, the latter subnet will think the remote subnet is on its local network, hence it won't work.

    Not sure if negotiation would actually fail in that circumstance, but it would make sense if it did.



  • @cmb:

    @chrisreston:

    could it be the two subnets?

    main network is 192.168.0.0
    255.255.252.0

    remote is 192.168.1.0
    255.255.255.0

    That might be why the negotiation is failing, even if it were successful it's not going to work with those two subnets. 192.168.1.0/24 is within 192.168.0.0/22, the latter subnet will think the remote subnet is on its local network, hence it won't work.

    Not sure if negotiation would actually fail in that circumstance, but it would make sense if it did.

    Actually that will work. I use such a setup to route traffic from remote home offices through the mainlocation:

    From the SPD-List at the mainlocation (10 remote locations):
    192.168.10.0/24 - 192.168.0.0/18 
    192.168.51.0/24 - 192.168.0.0/18
    192.168.57.0/24 - 192.168.0.0/18
    192.168.9.0/24 - 192.168.0.0/18
    192.168.43.0/24 - 192.168.0.0/18

    The mainlocation that holds the 192.168.0.0/18 subnet in ipsec has some local subnets like 192.168.2.0/24 and others inside the /18-range that can all be reached from the home offices. Additionally the homeoffices can talk to each other. The traffic gets routed through the mainlocation and there are no tunnels from one homeoffice to another. This is the sam situation with overlapping/conflicting subnets.



  • Getting this again someone plese help…
    I have two pfsense firewalls both with public ips on is at a remote location the other is at a main location. I have checked all settings over and over and they are correct!

    Mar 31 15:32:18 racoon: ERROR: such policy already exists. anyway replace it: 10.0.0.0/16[0] 192.168.0.0/22[0] proto=any dir=out
    Mar 31 15:32:18 racoon: ERROR: such policy already exists. anyway replace it: 10.0.0.1/32[0] 10.0.0.0/16[0] proto=any dir=out
    Mar 31 15:32:18 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.0.0/22[0] 10.0.0.0/16[0] proto=any dir=in
    Mar 31 15:32:18 racoon: ERROR: such policy already exists. anyway replace it: 10.0.0.0/16[0] 10.0.0.1/32[0] proto=any dir=in



  • Please provide info on how the tunnels are setup on each side.



  • Heres the info

    Remote Location

    Interface = WAN
    Local Subnet
    Type - LAN Subnet

    Remote Subnet
    192.168.0.0 /22

    Remote Gateway
    66.17.X.X

    Description
    Remote

    Phase1

    Negotiation Mode
    Agressive

    My Identifier
    My IP Address

    Encryption Agorithm
    SHA1

    DH Key Group
    2

    Lifetime
    28800

    Authentication Method
    Pre SHared Key

    Pre Shared Key
    St0rmw1nd

    Phase2

    Protocol
    ESP

    Encryption Alogorithms
    Rijndael(AES)

    Has Algorithms
    SHA1

    PS Key Group
    2

    Lifetime
    84400

    MAIN SITE
    Interface = SPARKPLUG (second WAN, I have tried both)
    Local Subnet
    Type - LAN Subnet

    Remote Subnet
    10.0.0.0 /16

    Remote Gateway
    168.158.X.X

    Description
    Main
    Phase1

    Negotiation Mode
    Agressive

    My Identifier
    My IP Address

    Encryption Agorithm
    SHA1

    DH Key Group
    2

    Lifetime
    28800

    Authentication Method
    Pre SHared Key

    Pre Shared Key
    St0rmw1nd

    Phase2

    Protocol
    ESP

    Encryption Alogorithms
    Rijndael(AES)

    Has Algorithms
    SHA1

    PS Key Group
    2

    Lifetime
    84400



  • What i am trying to do is connect my remote office to my main office bot have pfsense installed. I want to be able to get my DHCP from the Main office as well. I just need a tunnel between the two PFsense firewalls in order to connect the two  and make it as one network. Am I missing something here?



  • now im getting this error

    Mar 31 17:38:07 racoon: INFO: delete phase 2 handler.
    Mar 31 17:38:07 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 168.158.228.10[0]->66.17.85.18[0]
    Mar 31 17:37:36 racoon: INFO: begin Aggressive mode.
    Mar 31 17:37:36 racoon: INFO: initiate new phase 1 negotiation: 66.17.85.18[500]<=>168.158.228.10[500]
    Mar 31 17:37:36 racoon: INFO: IPsec-SA request for 168.158.228.10 queued due to no phase1 found.

    would it be easier to just go by a linksys router?



  • as you are doing this on a multiwan, die you add static routes for the site with the multiwan to the remote IP/32 via the gateway on wan2? There's a thread about that exact same issue already around at the forum.

    I now understand the logs too: the one system is trying to talk to the other system with the dual wan on wan2 but the dual wan system answers at wan1 due to the missing route.



  • I guess I am confused, what if I just have the remote site look for wan1 instead? Would I add the static route in the rules section?



  • I both firewalls have the tunnels at wan you don't need static routes as it will use the defaultgateway then.



  • still had issues that way.. also one note is that i am using the firewall as a dhcp server on the remote site. I have a dhcp server on the main site. How can I just link the two firewalls and use everything at the main site such as dhcp for the remote site? I am wanting to have the two sites as if they are 1



  • You can work with dhcprelay to do that though I probably wouldn't do it that way. If the tunnel fails your clients won't be able to get dhcp. I would set up a second dhcp at the remote office (could be the pfSense) but assign the mainlocations dns server as the first dns to the clients. This way lookups should work forward and backward. As second dns you could assign the local dns forwarder of the pfSense so clients would still be able to access the internet even if the tunnel is down.



  • Ok I am now using a sonicwall firewall at the remote location and the pfsense at the main. I have set everything up and now I am getting the following errors.

    Apr 1 11:31:35 racoon: ERROR: failed to pre-process packet.
    Apr 1 11:31:35 racoon: ERROR: failed to get sainfo.
    Apr 1 11:31:35 racoon: ERROR: failed to get sainfo.
    Apr 1 11:31:35 racoon: INFO: respond new phase 2 negotiation: 66.93.X.X[0]<=>168.158.X.X[0]
    Apr 1 11:31:34 racoon: INFO: ISAKMP-SA established 66.93.X.X[500]-168.158.X.X[500] spi:a84321dfbb05a217:2a9e8c8e5d8a57a4
    Apr 1 11:31:34 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
    Apr 1 11:31:34 racoon: WARNING: No ID match.
    Apr 1 11:31:34 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Apr 1 11:31:34 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
    Apr 1 11:31:34 racoon: INFO: begin Aggressive mode.



  • You just made things more complicated. Try this guide, maybe it will help you http://doc.m0n0.ch/handbook-single/#id2608734



  • In my experience you should never use aggressive mode with IPSEC.  1) It's less secure 2) Some of the check and balances (to include the mechanism for logging it) are missing.  Use Main mode.  If you need some closer to realtime help, email the support mailing list or you may be able to use the IRC channel.

    Curtis



  • Chris,
    Would a lilnksys be easier? NO.  Setting up tunnels with anything other than PfSense is difficuilt.  I used 10 different router and firewalls.  PfSense has been the simplist to setup and get working.  I have netgear, symantec vpn100 and 320's in service all work but some can really pull your hair out.

    I had this happen several times to me.  It looks like you have a couple of things going on.  I would make sure that you have your phase 1 settings correct.  I recently had a similiar issue.  I found that one end had was using agressive instead of MAIN.  I ended up removing all settings  on that router and rebuilding the tunnel after flashing the firmware.

    Send me a email to ron.carter@cartersweb.net and see what I can do to give you a hand.  I do agree with clamasters use MAIN mode.  I can give you a call tomorrow after 6:00 PM east coast time.  We should be able to get it to work with out too much trouble.

    I have my PFSense firewall up for over a year now with limited problems most have been self inflicted.  But I have been able to recover.  The forum is a great place to get issues resolved and too get help.

    RC



  • hoba,

    could you please link to the existing thread for multiwan ipsec vpn route issue.

    I'm not able to find it by using search form.

    thanks.



  • Not sure which thread exactly you mean but that topic is covered multiple time like for example here: http://forum.pfsense.org/index.php/topic,8476.msg47573.html#msg47573

    However I don't think that this has something to do with the issue we are seeing here.


Locked