Netgate Discussion Forum
IPsec errors, please help, need this up Monday

Category: IPsec. 26 Posts, 6 Posters, 33.7k Views
chrisreston

This is the error I am getting on one box. I am using pfSense boxes on both ends. Any ideas?

      Last 50 IPSEC log entries
      Mar 29 23:18:43 racoon: [Name]: ERROR: 66.93.!.! give up to get IPsec-SA due to time up to wait.
      Mar 29 23:18:13 racoon: [Name]: INFO: initiate new phase 2 negotiation: 98.165.!.![0]<=>66.93.!.![0]
      Mar 29 23:12:55 racoon: [Name]: ERROR: 66.93.160.190 give up to get IPsec-SA due to time up to wait.
      Mar 29 23:12:25 racoon: [Name]: INFO: initiate new phase 2 negotiation: 98.165.!.![500]<=>66.93.!.![500]
      Mar 29 23:12:24 racoon: [Name]: INFO: ISAKMP-SA established 98.165.!.![500]-66.93.!.!500] spi:197dccc5e520270d:6a80ee33c50666ef
      Mar 29 23:12:24 racoon: WARNING: No ID match.
      Mar 29 23:12:24 racoon: INFO: received Vendor ID: DPD
      Mar 29 23:12:24 racoon: INFO: begin Aggressive mode.
      Mar 29 23:12:24 racoon: [Name]: INFO: initiate new phase 1 negotiation: 98.165.!.![500]<=>66.93.!.![500]
      Mar 29 23:12:24 racoon: [Name]: INFO: IPsec-SA request for 66.93.!.! queued due to no phase1 found.
      Mar 29 23:11:44 racoon: ERROR: such policy already exists. anyway replace it: 172.16.0.0/16[0] 192.168.0.0/24[0] proto=any dir=out
      Mar 29 23:11:44 racoon: ERROR: such policy already exists. anyway replace it: 172.16.10.1/32[0] 172.16.0.0/16[0] proto=any dir=out

      Second Box Errors
      Mar 29 23:27:16 racoon: ERROR: failed to pre-process packet.
      Mar 29 23:27:16 racoon: ERROR: failed to get proposal for responder.
      Mar 29 23:27:16 racoon: ERROR: no policy found: 172.16.0.0/16[0] 192.168.0.0/24[0] proto=any dir=in
      Mar 29 23:27:16 racoon: INFO: respond new phase 2 negotiation: 66.93.!.![0]<=>98.165.!.![0]
      Mar 29 23:27:06 racoon: ERROR: failed to pre-process packet.
      Mar 29 23:27:06 racoon: ERROR: failed to get proposal for responder.
      Mar 29 23:27:06 racoon: ERROR: no policy found: 172.16.0.0/16[0] 192.168.0.0/24[0] proto=any dir=in
      Mar 29 23:27:06 racoon: INFO: respond new phase 2 negotiation: 66.93.!.![0]<=>98.165.!.![0]
      Mar 29 23:26:56 racoon: ERROR: failed to pre-process packet.
      Mar 29 23:26:56 racoon: ERROR: failed to get proposal for responder.
      Mar 29 23:26:56 racoon: ERROR: no policy found: 172.16.0.0/16[0] 192.168.0.0/24[0] proto=any dir=in

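The two logs above are easier to read side by side if the racoon messages are counted and mapped to the check each one calls for. The script below is an added example written for this page, not something posted in the thread or shipped with pfSense; the log sample is constructed from the lines quoted above with the poster's redacted addresses replaced by RFC 5737 documentation addresses, and the interpretation of each message (in particular that "such policy already exists" on its own is harmless, and that "no policy found ... dir=in" on the responder means its phase 2 is not the mirror image of the initiator's) is the editor's reading of racoon's behaviour.

```python
import re

# Constructed sample, modelled on the lines quoted in this thread but with
# documentation addresses (RFC 5737) in place of the poster's redacted ones.
SAMPLE_LOG = """\
Mar 29 23:11:44 racoon: ERROR: such policy already exists. anyway replace it: 172.16.0.0/16[0] 192.168.0.0/24[0] proto=any dir=out
Mar 29 23:12:24 racoon: [Name]: INFO: initiate new phase 1 negotiation: 198.51.100.10[500]<=>203.0.113.20[500]
Mar 29 23:12:24 racoon: WARNING: No ID match.
Mar 29 23:12:24 racoon: [Name]: INFO: ISAKMP-SA established 198.51.100.10[500]-203.0.113.20[500] spi:197dccc5e520270d:6a80ee33c50666ef
Mar 29 23:12:25 racoon: [Name]: INFO: initiate new phase 2 negotiation: 198.51.100.10[500]<=>203.0.113.20[500]
Mar 29 23:12:55 racoon: [Name]: ERROR: 203.0.113.20 give up to get IPsec-SA due to time up to wait.
Mar 29 23:27:16 racoon: ERROR: no policy found: 172.16.0.0/16[0] 192.168.0.0/24[0] proto=any dir=in
Mar 29 23:27:16 racoon: ERROR: failed to get proposal for responder.
Mar 31 17:38:07 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 203.0.113.20[0]->198.51.100.10[0]
"""

# One regex per racoon message we care about; the keys become counters.
PATTERNS = {
    "policy_replaced":    re.compile(r"such policy already exists\. anyway replace it"),
    "phase1_established": re.compile(r"ISAKMP-SA established"),
    "id_mismatch":        re.compile(r"WARNING: No ID match"),
    "phase2_timeout":     re.compile(r"give up to get IPsec-SA due to time up to wait"),
    "phase1_timeout":     re.compile(r"failed due to time up waiting for phase1"),
    "no_policy":          re.compile(r"no policy found: ([0-9a-f.:/]+)\[\d+\] ([0-9a-f.:/]+)\[\d+\] proto=\S+ dir=(in|out)"),
}

def triage(log_text):
    """Count the interesting racoon messages; keep the selectors of 'no policy found'."""
    found = {key: 0 for key in PATTERNS}
    found["no_policy"] = []
    for line in log_text.splitlines():
        for key, rx in PATTERNS.items():
            m = rx.search(line)
            if m is None:
                continue
            if key == "no_policy":
                found["no_policy"].append((m.group(1), m.group(2), m.group(3)))
            else:
                found[key] += 1
    return found

def diagnose(found):
    """Turn the counts into the checks a practitioner would make next."""
    hints = []
    if found["phase1_timeout"]:
        hints.append("phase 1 never completes: nothing answers on UDP/500 at the remote gateway "
                     "address; check the address, the interface the peer bound its tunnel to, and "
                     "(on a multi-WAN box) that the reply leaves via the same WAN")
    if found["id_mismatch"]:
        hints.append("peer sent an ID payload that does not match the configured identifier; "
                     "racoon went on here, but make My Identifier / Peer Identifier agree")
    for src, dst, direction in found["no_policy"]:
        if direction == "in":
            hints.append(f"responder has no phase 2 for {src} -> {dst}: it needs Local Subnet {dst} "
                         f"and Remote Subnet {src}, the mirror image of the initiator's")
    if found["phase2_timeout"]:
        hints.append("phase 2 proposals go unanswered: look at the other end's log for "
                     "'no policy found' or 'failed to get proposal for responder'")
    if found["policy_replaced"] and not hints:
        hints.append("'such policy already exists' on its own is not a fault: racoon re-installs "
                     "SPD entries each time the configuration is reloaded")
    return hints

if __name__ == "__main__":
    for hint in diagnose(triage(SAMPLE_LOG)):
        print("-", hint)
```

Feed it the "Last 50 IPSEC log entries" of both boxes together: the "no policy found ... dir=in" from the second box is the reason the first box "gives up" on phase 2, and the pair of selectors it prints tells you exactly which Local/Remote Subnet the responder is missing.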
cmb

        Looks like it's failing negotiation somewhere because of a settings mismatch.

hoba

That looks like some settings mismatch to me. Recheck your tunnel definitions on both ends.

chrisreston

I have checked and checked and still get that error! What else could it be? I changed it over now using a different internet connection at home and am getting the following error now! I really thought this would be easy. I like pfSense, but this is driving me nuts. I just want to get this tunnel up to connect a remote office to a main office!

            Mar 31 00:59:25 racoon: []: ERROR: 66.17.!.! give up to get IPsec-SA due to time up to wait.
            Mar 31 00:58:55 racoon: []: INFO: initiate new phase 2 negotiation: 192.168.1.101[0]<=>66.17.!.![0]
            Mar 31 00:58:24 racoon: []: ERROR: 66.17.!.! give up to get IPsec-SA due to time up to wait.
            Mar 31 00:57:54 racoon: []: INFO: initiate new phase 2 negotiation: 192.168.1.101[0]<=>66.17.!.![0]
            Mar 31 00:57:22 racoon: []: ERROR: 66.17.!.! give up to get IPsec-SA due to time up to wait.
            Mar 31 00:56:52 racoon: []: INFO: initiate new phase 2 negotiation: 192.168.1.101[0]<=>66.17.!.![0]
            Mar 31 00:56:21 racoon: []: ERROR: 66.17.!.! give up to get IPsec-SA due to time up to wait.
            Mar 31 00:55:51 racoon: []: INFO: initiate new phase 2 negotiation: 192.168.1.101[0]<=>66.17.!.![0]
            Mar 31 00:55:18 racoon: []: ERROR: 66.17.!.! give up to get IPsec-SA due to time up to wait.
            Mar 31 00:54:48 racoon: []: INFO: initiate new phase 2 negotiation: 192.168.1.101[0]<=>66.17.!.![0]
            Mar 31 00:54:17 racoon: ERROR: such policy already exists. anyway replace it: 192.168.0.0/16[0] 192.168.0.0/22[0] proto=any dir=out

chrisreston

One thing: this is the error I get at the remote location; the server at the main office shows nothing under the IPsec log.

chrisreston

Could it be the two subnets?

                main network is 192.168.0.0
                255.255.252.0

                remote is 192.168.1.0
                255.255.255.0

                Thanks

chrisreston

Changed the IP and now I get this again! I'm getting ready to give up, this is so frustrating. I have done IPsec on Cisco before.

                  Mar 30 19:10:18 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 128.168.1.0/26[0] 192.168.0.0/22[0] proto=any dir=out
                  Mar 30 19:10:18 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 128.168.1.1/32[0] 128.168.1.0/26[0] proto=any dir=out
                  Mar 30 19:10:18 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.0.0/22[0] 128.168.1.0/26[0] proto=any dir=in
                  Mar 30 19:10:18 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 128.168.1.0/26[0] 128.168.1.1/32[0] proto=any dir=in

chrisreston

Back to this! I'm getting ready to throw in the towel and go buy a firewall for both places…

                    Mar 30 21:32:05 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 172.16.10.0/24[0] 192.168.0.0/22[0] proto=any dir=out
                    Mar 30 21:32:05 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 172.16.10.1/32[0] 172.16.10.0/24[0] proto=any dir=out
                    Mar 30 21:32:05 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.0.0/22[0] 172.16.10.0/24[0] proto=any dir=in
                    Mar 30 21:32:05 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 172.16.10.0/24[0] 172.16.10.1/32[0] proto=any dir=in

cmb

                      @chrisreston:

                      could it be the two subnets?

                      main network is 192.168.0.0
                      255.255.252.0

                      remote is 192.168.1.0
                      255.255.255.0

That might be why the negotiation is failing; even if it were successful, it's not going to work with those two subnets. 192.168.1.0/24 is within 192.168.0.0/22, so the latter will think the remote subnet is on its local network, hence it won't work.

                      Not sure if negotiation would actually fail in that circumstance, but it would make sense if it did.

hoba

                        @cmb:

                        @chrisreston:

                        could it be the two subnets?

                        main network is 192.168.0.0
                        255.255.252.0

                        remote is 192.168.1.0
                        255.255.255.0

That might be why the negotiation is failing; even if it were successful, it's not going to work with those two subnets. 192.168.1.0/24 is within 192.168.0.0/22, so the latter will think the remote subnet is on its local network, hence it won't work.

                        Not sure if negotiation would actually fail in that circumstance, but it would make sense if it did.

Actually that will work. I use such a setup to route traffic from remote home offices through the main location:

From the SPD list at the main location (10 remote locations):
                        192.168.10.0/24 - 192.168.0.0/18 
                        192.168.51.0/24 - 192.168.0.0/18
                        192.168.57.0/24 - 192.168.0.0/18
                        192.168.9.0/24 - 192.168.0.0/18
                        192.168.43.0/24 - 192.168.0.0/18
                        …

The main location that holds the 192.168.0.0/18 subnet in IPsec has some local subnets like 192.168.2.0/24 and others inside the /18 range that can all be reached from the home offices. Additionally the home offices can talk to each other. The traffic gets routed through the main location and there are no tunnels from one home office to another. This is the same situation with overlapping/conflicting subnets.

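cmb and hoba are both right for the case each has in mind, and the difference is a check you can script. The example below is added by the editor, not code from the thread or from pfSense. It takes each site's phase 2 selectors plus the networks actually configured on its LAN interfaces (the interface mask is the assumption that decides the question) and reports two things: whether the two phase 2 definitions are mirror images of each other, and whether a peer selector lands inside a local interface network, which is when hosts ARP for the remote addresses instead of sending them to the gateway. A peer selector that merely contains the whole local interface network, as hoba's /18 contains each home office /24, is tolerated, because those addresses are simply carved out of the wider range. The site dictionaries are constructed from the subnets quoted in this thread.

```python
from ipaddress import ip_network

def selectors_mirror(a, b):
    """Phase 2 must be the mirror image: A's Local Subnet is B's Remote Subnet and vice versa."""
    return (ip_network(a["local"]) == ip_network(b["remote"])
            and ip_network(a["remote"]) == ip_network(b["local"]))

def onlink_conflicts(lan_ifaces, remote_selector):
    """Interface networks whose hosts would treat part of the peer's selector as on-link.

    A peer selector that fully contains a local interface network is tolerated:
    the local addresses are carved out of the wider range (hoba's /24 inside a /18).
    A peer selector that lies inside, or partially overlaps, a local interface network
    is not: hosts with that mask ARP for those addresses instead of sending them to
    the gateway (cmb's 192.168.1.0/24 inside a 192.168.0.0/22 LAN).
    """
    remote = ip_network(remote_selector)
    return [str(n) for n in map(ip_network, lan_ifaces)
            if n.overlaps(remote) and not n.subnet_of(remote)]

def check_site_pair(a, b):
    """Return a list of problems for two sites, each given as
    {"name": ..., "lan_ifaces": [...], "p2": {"local": ..., "remote": ...}}."""
    problems = []
    if not selectors_mirror(a["p2"], b["p2"]):
        problems.append(f"phase 2 selectors are not mirror images: {a['name']} has "
                        f"{a['p2']['local']} -> {a['p2']['remote']}, {b['name']} has "
                        f"{b['p2']['local']} -> {b['p2']['remote']}")
    for site in (a, b):
        for iface in onlink_conflicts(site["lan_ifaces"], site["p2"]["remote"]):
            problems.append(f"{site['name']}: hosts on {iface} will ARP for "
                            f"{site['p2']['remote']} instead of routing it to the tunnel")
    return problems

# Constructed inputs taken from the subnets quoted in this thread.
THREAD_MAIN   = {"name": "main",   "lan_ifaces": ["192.168.0.0/22"],
                 "p2": {"local": "192.168.0.0/22", "remote": "192.168.1.0/24"}}
THREAD_REMOTE = {"name": "remote", "lan_ifaces": ["192.168.1.0/24"],
                 "p2": {"local": "192.168.1.0/24", "remote": "192.168.0.0/22"}}

HOBA_MAIN   = {"name": "main",   "lan_ifaces": ["192.168.2.0/24", "192.168.3.0/24"],
               "p2": {"local": "192.168.0.0/18", "remote": "192.168.10.0/24"}}
HOBA_REMOTE = {"name": "home10", "lan_ifaces": ["192.168.10.0/24"],
               "p2": {"local": "192.168.10.0/24", "remote": "192.168.0.0/18"}}

if __name__ == "__main__":
    print(check_site_pair(THREAD_MAIN, THREAD_REMOTE))   # one ARP conflict at main
    print(check_site_pair(HOBA_MAIN, HOBA_REMOTE))       # clean
```

The original poster's pair trips the on-link check at the main site (a /22 interface mask swallows the remote /24), while hoba's pair passes because the main site's interfaces are /24s that never overlap the home office ranges even though the tunnel selector is a /18.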
chrisreston

Getting this again, someone please help…
I have two pfSense firewalls, both with public IPs; one is at a remote location, the other is at a main location. I have checked all settings over and over and they are correct!

                          Mar 31 15:32:18 racoon: ERROR: such policy already exists. anyway replace it: 10.0.0.0/16[0] 192.168.0.0/22[0] proto=any dir=out
                          Mar 31 15:32:18 racoon: ERROR: such policy already exists. anyway replace it: 10.0.0.1/32[0] 10.0.0.0/16[0] proto=any dir=out
                          Mar 31 15:32:18 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.0.0/22[0] 10.0.0.0/16[0] proto=any dir=in
                          Mar 31 15:32:18 racoon: ERROR: such policy already exists. anyway replace it: 10.0.0.0/16[0] 10.0.0.1/32[0] proto=any dir=in

hoba

                            Please provide info on how the tunnels are setup on each side.

chrisreston

Here's the info

                              Remote Location

                              Interface = WAN
                              Local Subnet
                              Type - LAN Subnet

                              Remote Subnet
                              192.168.0.0 /22

                              Remote Gateway
                              66.17.X.X

                              Description
                              Remote

Phase 1

Negotiation Mode
Aggressive

My Identifier
My IP Address

Encryption Algorithm
SHA1

DH Key Group
2

Lifetime
28800

Authentication Method
Pre-Shared Key

Pre-Shared Key
St0rmw1nd

Phase 2

Protocol
ESP

Encryption Algorithms
Rijndael (AES)

Hash Algorithms
SHA1

PFS Key Group
2

Lifetime
84400

                              MAIN SITE
Interface = SPARKPLUG (second WAN; I have tried both)
                              Local Subnet
                              Type - LAN Subnet

                              Remote Subnet
                              10.0.0.0 /16

                              Remote Gateway
                              168.158.X.X

                              Description
                              Main
Phase 1

Negotiation Mode
Aggressive

My Identifier
My IP Address

Encryption Algorithm
SHA1

DH Key Group
2

Lifetime
28800

Authentication Method
Pre-Shared Key

Pre-Shared Key
St0rmw1nd

Phase 2

Protocol
ESP

Encryption Algorithms
Rijndael (AES)

Hash Algorithms
SHA1

PFS Key Group
2

Lifetime
84400

chrisreston

What I am trying to do is connect my remote office to my main office; both have pfSense installed. I want to be able to get my DHCP from the main office as well. I just need a tunnel between the two pfSense firewalls in order to connect the two and make it as one network. Am I missing something here?

chrisreston

Now I'm getting this error

                                  Mar 31 17:38:07 racoon: INFO: delete phase 2 handler.
                                  Mar 31 17:38:07 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 168.158.228.10[0]->66.17.85.18[0]
                                  Mar 31 17:37:36 racoon: INFO: begin Aggressive mode.
                                  Mar 31 17:37:36 racoon: INFO: initiate new phase 1 negotiation: 66.17.85.18[500]<=>168.158.228.10[500]
                                  Mar 31 17:37:36 racoon: INFO: IPsec-SA request for 168.158.228.10 queued due to no phase1 found.

Would it be easier to just go buy a Linksys router?

hoba

As you are doing this on a multi-WAN box, did you add static routes on the multi-WAN site to the remote IP/32 via the gateway on WAN2? There's a thread about that exact same issue already around on the forum.

I now understand the logs too: the one system is trying to talk to the dual-WAN system on WAN2, but the dual-WAN system answers on WAN1 due to the missing route.

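hoba's explanation of the "time up waiting for phase1" log is a routing-table question, and the editor has added the small model below to make it concrete (this is example code, not from the thread or from pfSense). It builds a constructed routing table for a dual-WAN box using RFC 5737 documentation addresses, with the default route on WAN1 and only a connected network on WAN2, performs a longest-prefix lookup for the peer's address, and shows that the IKE reply leaves WAN1 until a /32 route for the peer via the WAN2 gateway is added. The peer address, gateway addresses and interface names are all assumptions for the illustration.

```python
from ipaddress import ip_address, ip_network

PEER = "203.0.113.20"          # remote office's WAN address (constructed, RFC 5737)
WAN2_GATEWAY = "192.0.2.1"     # gateway on the main site's second WAN (constructed)

def routing_table(peer_route_via_wan2=False):
    """Routing table of the dual-WAN box: (destination, gateway or None if connected, interface)."""
    table = [
        ("0.0.0.0/0",       "198.51.100.1", "wan1"),  # default route: anything off-link leaves WAN1
        ("198.51.100.0/24", None,           "wan1"),  # WAN1 connected network
        ("192.0.2.0/24",    None,           "wan2"),  # WAN2 connected network
        ("192.168.0.0/22",  None,           "lan"),
    ]
    if peer_route_via_wan2:
        # the static route hoba describes: the peer's /32 via the WAN2 gateway
        table.append((PEER + "/32", WAN2_GATEWAY, "wan2"))
    return table

def egress(table, dst):
    """Longest-prefix match: the (gateway, interface) a packet to dst is sent through."""
    dst = ip_address(dst)
    matches = [e for e in table if dst in ip_network(e[0])]
    gw, iface = max(matches, key=lambda e: ip_network(e[0]).prefixlen)[1:]
    return gw, iface

def ike_reply_reaches_peer(table, peer, tunnel_iface):
    """The peer dials the address of tunnel_iface; the answer only makes sense if it
    leaves through that same interface. Otherwise it goes out the other WAN and the
    initiator sees nothing but a phase 1 timeout."""
    return egress(table, peer)[1] == tunnel_iface

if __name__ == "__main__":
    print("without static route:", egress(routing_table(False), PEER))   # ('198.51.100.1', 'wan1')
    print("with static route:   ", egress(routing_table(True), PEER))    # ('192.0.2.1', 'wan2')
```

With the tunnel bound to WAN2 and no static route, the lookup for the peer falls through to the default route and the reply leaves WAN1; binding the tunnel to WAN1 on both ends instead, as hoba says later, sidesteps the route entirely because the default route already points there.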
chrisreston

I guess I am confused; what if I just have the remote site look for WAN1 instead? Would I add the static route in the rules section?

hoba

If both firewalls have the tunnels at WAN you don't need static routes, as it will use the default gateway then.

chrisreston

Still had issues that way. Also, one note is that I am using the firewall as a DHCP server on the remote site. I have a DHCP server on the main site. How can I just link the two firewalls and use everything at the main site, such as DHCP, for the remote site? I am wanting to have the two sites as if they are one.

hoba

You can work with DHCP relay to do that, though I probably wouldn't do it that way. If the tunnel fails your clients won't be able to get DHCP. I would set up a second DHCP at the remote office (could be the pfSense) but assign the main location's DNS server as the first DNS to the clients. This way lookups should work forward and backward. As second DNS you could assign the local DNS forwarder of the pfSense so clients would still be able to access the internet even if the tunnel is down.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.