Ipsec errors please help need this up Monday

chrisreston

This is the error I am getting on one box, I am using both Pfsense boxes.  Any Ideas?

Last 50 IPSEC log entries
Mar 29 23:18:43 racoon: [Name]: ERROR: 66.93.!.! give up to get IPsec-SA due to time up to wait.
Mar 29 23:18:13 racoon: [Name]: INFO: initiate new phase 2 negotiation: 98.165.!.![0]<=>66.93.!.![0]
Mar 29 23:12:55 racoon: [Name]: ERROR: 66.93.160.190 give up to get IPsec-SA due to time up to wait.
Mar 29 23:12:25 racoon: [Name]: INFO: initiate new phase 2 negotiation: 98.165.!.![500]<=>66.93.!.![500]
Mar 29 23:12:24 racoon: [Name]: INFO: ISAKMP-SA established 98.165.!.![500]-66.93.!.!500] spi:197dccc5e520270d:6a80ee33c50666ef
Mar 29 23:12:24 racoon: WARNING: No ID match.
Mar 29 23:12:24 racoon: INFO: received Vendor ID: DPD
Mar 29 23:12:24 racoon: INFO: begin Aggressive mode.
Mar 29 23:12:24 racoon: [Name]: INFO: initiate new phase 1 negotiation: 98.165.!.![500]<=>66.93.!.![500]
Mar 29 23:12:24 racoon: [Name]: INFO: IPsec-SA request for 66.93.!.! queued due to no phase1 found.
Mar 29 23:11:44 racoon: ERROR: such policy already exists. anyway replace it: 172.16.0.0/16[0] 192.168.0.0/24[0] proto=any dir=out
Mar 29 23:11:44 racoon: ERROR: such policy already exists. anyway replace it: 172.16.10.1/32[0] 172.16.0.0/16[0] proto=any dir=out

Second Box Errors
Mar 29 23:27:16 racoon: ERROR: failed to pre-process packet.
Mar 29 23:27:16 racoon: ERROR: failed to get proposal for responder.
Mar 29 23:27:16 racoon: ERROR: no policy found: 172.16.0.0/16[0] 192.168.0.0/24[0] proto=any dir=in
Mar 29 23:27:16 racoon: INFO: respond new phase 2 negotiation: 66.93.!.![0]<=>98.165.!.![0]
Mar 29 23:27:06 racoon: ERROR: failed to pre-process packet.
Mar 29 23:27:06 racoon: ERROR: failed to get proposal for responder.
Mar 29 23:27:06 racoon: ERROR: no policy found: 172.16.0.0/16[0] 192.168.0.0/24[0] proto=any dir=in
Mar 29 23:27:06 racoon: INFO: respond new phase 2 negotiation: 66.93.!.![0]<=>98.165.!.![0]
Mar 29 23:26:56 racoon: ERROR: failed to pre-process packet.
Mar 29 23:26:56 racoon: ERROR: failed to get proposal for responder.
Mar 29 23:26:56 racoon: ERROR: no policy found: 172.16.0.0/16[0] 192.168.0.0/24[0] proto=any dir=in

cmb

Looks like it's failing negotiation somewhere because of a settings mismatch.

hoba

That looks like some settings mismatch to me. Recheck your tunneldefinitions on both ends.

chrisreston

I have checked and checked and still get that error! What else could it be? I changed it over now using a different internet connection at home and am getting the following error now! I really thought this would be easy, I like pfsense but this is driving me nutts. I just want to get this tunnel up to connect a remote office to a main office!

Mar 31 00:59:25 racoon: []: ERROR: 66.17.!.! give up to get IPsec-SA due to time up to wait.
Mar 31 00:58:55 racoon: []: INFO: initiate new phase 2 negotiation: 192.168.1.101[0]<=>66.17.!.![0]
Mar 31 00:58:24 racoon: []: ERROR: 66.17.!.! give up to get IPsec-SA due to time up to wait.
Mar 31 00:57:54 racoon: []: INFO: initiate new phase 2 negotiation: 192.168.1.101[0]<=>66.17.!.![0]
Mar 31 00:57:22 racoon: []: ERROR: 66.17.!.! give up to get IPsec-SA due to time up to wait.
Mar 31 00:56:52 racoon: []: INFO: initiate new phase 2 negotiation: 192.168.1.101[0]<=>66.17.!.![0]
Mar 31 00:56:21 racoon: []: ERROR: 66.17.!.! give up to get IPsec-SA due to time up to wait.
Mar 31 00:55:51 racoon: []: INFO: initiate new phase 2 negotiation: 192.168.1.101[0]<=>66.17.!.![0]
Mar 31 00:55:18 racoon: []: ERROR: 66.17.!.! give up to get IPsec-SA due to time up to wait.
Mar 31 00:54:48 racoon: []: INFO: initiate new phase 2 negotiation: 192.168.1.101[0]<=>66.17.!.![0]
Mar 31 00:54:17 racoon: ERROR: such policy already exists. anyway replace it: 192.168.0.0/16[0] 192.168.0.0/22[0] proto=any dir=out

chrisreston

one thing this is the error i get at the remote location, the server at the main office shows nothing under the ipsec log

chrisreston

could it be the two subnets?

main network is 192.168.0.0
255.255.252.0

remote is 192.168.1.0
255.255.255.0

Thanks

chrisreston

Changed ip and now i get this again! Im getting ready to give up this is so frustrating. I have done ipsec on Cisco before

Mar 30 19:10:18 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 128.168.1.0/26[0] 192.168.0.0/22[0] proto=any dir=out
Mar 30 19:10:18 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 128.168.1.1/32[0] 128.168.1.0/26[0] proto=any dir=out
Mar 30 19:10:18 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.0.0/22[0] 128.168.1.0/26[0] proto=any dir=in
Mar 30 19:10:18 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 128.168.1.0/26[0] 128.168.1.1/32[0] proto=any dir=in

chrisreston

Back to this! Im getting ready to throw in the towl in go buy a firewall for both places…

Mar 30 21:32:05 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 172.16.10.0/24[0] 192.168.0.0/22[0] proto=any dir=out
Mar 30 21:32:05 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 172.16.10.1/32[0] 172.16.10.0/24[0] proto=any dir=out
Mar 30 21:32:05 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.0.0/22[0] 172.16.10.0/24[0] proto=any dir=in
Mar 30 21:32:05 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 172.16.10.0/24[0] 172.16.10.1/32[0] proto=any dir=in

cmb

@chrisreston:

could it be the two subnets?

main network is 192.168.0.0
255.255.252.0

remote is 192.168.1.0
255.255.255.0

That might be why the negotiation is failing, even if it were successful it's not going to work with those two subnets. 192.168.1.0/24 is within 192.168.0.0/22, the latter subnet will think the remote subnet is on its local network, hence it won't work.

Not sure if negotiation would actually fail in that circumstance, but it would make sense if it did.

hoba

@cmb:

@chrisreston:

could it be the two subnets?

main network is 192.168.0.0
255.255.252.0

remote is 192.168.1.0
255.255.255.0

That might be why the negotiation is failing, even if it were successful it's not going to work with those two subnets. 192.168.1.0/24 is within 192.168.0.0/22, the latter subnet will think the remote subnet is on its local network, hence it won't work.

Not sure if negotiation would actually fail in that circumstance, but it would make sense if it did.

Actually that will work. I use such a setup to route traffic from remote home offices through the mainlocation:

From the SPD-List at the mainlocation (10 remote locations):
192.168.10.0/24 - 192.168.0.0/18 
192.168.51.0/24 - 192.168.0.0/18
192.168.57.0/24 - 192.168.0.0/18
192.168.9.0/24 - 192.168.0.0/18
192.168.43.0/24 - 192.168.0.0/18
…

The mainlocation that holds the 192.168.0.0/18 subnet in ipsec has some local subnets like 192.168.2.0/24 and others inside the /18-range that can all be reached from the home offices. Additionally the homeoffices can talk to each other. The traffic gets routed through the mainlocation and there are no tunnels from one homeoffice to another. This is the sam situation with overlapping/conflicting subnets.

chrisreston

Getting this again someone plese help…
I have two pfsense firewalls both with public ips on is at a remote location the other is at a main location. I have checked all settings over and over and they are correct!

Mar 31 15:32:18 racoon: ERROR: such policy already exists. anyway replace it: 10.0.0.0/16[0] 192.168.0.0/22[0] proto=any dir=out
Mar 31 15:32:18 racoon: ERROR: such policy already exists. anyway replace it: 10.0.0.1/32[0] 10.0.0.0/16[0] proto=any dir=out
Mar 31 15:32:18 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.0.0/22[0] 10.0.0.0/16[0] proto=any dir=in
Mar 31 15:32:18 racoon: ERROR: such policy already exists. anyway replace it: 10.0.0.0/16[0] 10.0.0.1/32[0] proto=any dir=in

hoba

Please provide info on how the tunnels are setup on each side.

chrisreston

Heres the info

Remote Location

Interface = WAN
Local Subnet
Type - LAN Subnet

Remote Subnet
192.168.0.0 /22

Remote Gateway
66.17.X.X

Description
Remote

Phase1

Negotiation Mode
Agressive

My Identifier
My IP Address

Encryption Agorithm
SHA1

DH Key Group
2

Lifetime
28800

Authentication Method
Pre SHared Key

Pre Shared Key
St0rmw1nd

Phase2

Protocol
ESP

Encryption Alogorithms
Rijndael(AES)

Has Algorithms
SHA1

PS Key Group
2

Lifetime
84400

MAIN SITE
Interface = SPARKPLUG (second WAN, I have tried both)
Local Subnet
Type - LAN Subnet

Remote Subnet
10.0.0.0 /16

Remote Gateway
168.158.X.X

Description
Main
Phase1

Negotiation Mode
Agressive

My Identifier
My IP Address

Encryption Agorithm
SHA1

DH Key Group
2

Lifetime
28800

Authentication Method
Pre SHared Key

Pre Shared Key
St0rmw1nd

Phase2

Protocol
ESP

Encryption Alogorithms
Rijndael(AES)

Has Algorithms
SHA1

PS Key Group
2

Lifetime
84400

chrisreston

What i am trying to do is connect my remote office to my main office bot have pfsense installed. I want to be able to get my DHCP from the Main office as well. I just need a tunnel between the two PFsense firewalls in order to connect the two  and make it as one network. Am I missing something here?

chrisreston

now im getting this error

Mar 31 17:38:07 racoon: INFO: delete phase 2 handler.
Mar 31 17:38:07 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 168.158.228.10[0]->66.17.85.18[0]
Mar 31 17:37:36 racoon: INFO: begin Aggressive mode.
Mar 31 17:37:36 racoon: INFO: initiate new phase 1 negotiation: 66.17.85.18[500]<=>168.158.228.10[500]
Mar 31 17:37:36 racoon: INFO: IPsec-SA request for 168.158.228.10 queued due to no phase1 found.

would it be easier to just go by a linksys router?

hoba

as you are doing this on a multiwan, die you add static routes for the site with the multiwan to the remote IP/32 via the gateway on wan2? There's a thread about that exact same issue already around at the forum.

I now understand the logs too: the one system is trying to talk to the other system with the dual wan on wan2 but the dual wan system answers at wan1 due to the missing route.

chrisreston

I guess I am confused, what if I just have the remote site look for wan1 instead? Would I add the static route in the rules section?

hoba

I both firewalls have the tunnels at wan you don't need static routes as it will use the defaultgateway then.

chrisreston

still had issues that way.. also one note is that i am using the firewall as a dhcp server on the remote site. I have a dhcp server on the main site. How can I just link the two firewalls and use everything at the main site such as dhcp for the remote site? I am wanting to have the two sites as if they are 1

hoba

You can work with dhcprelay to do that though I probably wouldn't do it that way. If the tunnel fails your clients won't be able to get dhcp. I would set up a second dhcp at the remote office (could be the pfSense) but assign the mainlocations dns server as the first dns to the clients. This way lookups should work forward and backward. As second dns you could assign the local dns forwarder of the pfSense so clients would still be able to access the internet even if the tunnel is down.