Netgate Discussion Forum

    Ipsec errors please help need this up Monday

    • C Offline
      chrisreston
      last edited by

      Ok I am now using a sonicwall firewall at the remote location and the pfsense at the main. I have set everything up and now I am getting the following errors.

      Apr 1 11:31:35 racoon: ERROR: failed to pre-process packet.
      Apr 1 11:31:35 racoon: ERROR: failed to get sainfo.
      Apr 1 11:31:35 racoon: ERROR: failed to get sainfo.
      Apr 1 11:31:35 racoon: INFO: respond new phase 2 negotiation: 66.93.X.X[0]<=>168.158.X.X[0]
      Apr 1 11:31:34 racoon: INFO: ISAKMP-SA established 66.93.X.X[500]-168.158.X.X[500] spi:a84321dfbb05a217:2a9e8c8e5d8a57a4
      Apr 1 11:31:34 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
      Apr 1 11:31:34 racoon: WARNING: No ID match.
      Apr 1 11:31:34 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
      Apr 1 11:31:34 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
      Apr 1 11:31:34 racoon: INFO: begin Aggressive mode.

      • H Offline
        hoba
        last edited by

        You just made things more complicated. Try this guide, maybe it will help you http://doc.m0n0.ch/handbook-single/#id2608734

        • C Offline
          clamasters
          last edited by

          In my experience you should never use aggressive mode with IPSEC. 1) It's less secure 2) Some of the checks and balances (to include the mechanism for logging it) are missing. Use Main mode. If you need some closer to realtime help, email the support mailing list or you may be able to use the IRC channel.

          Curtis

          http://www.curtis-lamasters.com
          http://www.builtnetworks.com

          • F Offline
            fastcon68
            last edited by

            Chris,
            Would a Linksys be easier? NO. Setting up tunnels with anything other than pfSense is difficult. I used 10 different routers and firewalls. pfSense has been the simplest to set up and get working. I have Netgear, Symantec VPN100 and 320's in service; all work, but some can really make you pull your hair out.

            I had this happen several times to me. It looks like you have a couple of things going on. I would make sure that you have your phase 1 settings correct. I recently had a similar issue. I found that one end was using aggressive instead of MAIN. I ended up removing all settings on that router and rebuilding the tunnel after flashing the firmware.

            Send me an email to ron.carter@cartersweb.net and see what I can do to give you a hand. I do agree with clamasters: use MAIN mode. I can give you a call tomorrow after 6:00 PM east coast time. We should be able to get it to work without too much trouble.

            I have had my pfSense firewall up for over a year now with limited problems; most have been self-inflicted. But I have been able to recover. The forum is a great place to get issues resolved and to get help.

            RC

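Added example, not part of any post in this thread: a short Python triage script over the racoon lines quoted in the first post, which puts the newest-first listing back in order and reports the exchange mode and the phase in which the first error occurred. The function name `triage`, the result keys and the note wording are this example's own; it assumes all lines fall on the same day.

```python
import re

# Log lines copied from the first post (addresses were already masked there).
SAMPLE = """\
Apr 1 11:31:35 racoon: ERROR: failed to pre-process packet.
Apr 1 11:31:35 racoon: ERROR: failed to get sainfo.
Apr 1 11:31:35 racoon: ERROR: failed to get sainfo.
Apr 1 11:31:35 racoon: INFO: respond new phase 2 negotiation: 66.93.X.X[0]<=>168.158.X.X[0]
Apr 1 11:31:34 racoon: INFO: ISAKMP-SA established 66.93.X.X[500]-168.158.X.X[500] spi:a84321dfbb05a217:2a9e8c8e5d8a57a4
Apr 1 11:31:34 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Apr 1 11:31:34 racoon: WARNING: No ID match.
Apr 1 11:31:34 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Apr 1 11:31:34 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Apr 1 11:31:34 racoon: INFO: begin Aggressive mode.
"""

LINE = re.compile(r"^\w{3}\s+\d+\s+(\d\d:\d\d:\d\d)\s+racoon:\s+(\w+):\s+(.*)$")

def triage(text):
    """Summarise one IKE negotiation from racoon syslog lines."""
    events = [m.groups() for m in map(LINE.match, text.strip().splitlines()) if m]
    # The listing above is newest-first; flip it so the exchange reads in order.
    if events and events[0][0] > events[-1][0]:
        events.reverse()
    r = {"mode": None, "phase1_up": False, "phase2_started": False,
         "failed_phase": None, "notes": []}
    for _, level, msg in events:
        if m := re.match(r"begin (\w+) mode", msg):
            r["mode"] = m.group(1)
        elif msg.startswith("ISAKMP-SA established"):
            r["phase1_up"] = True
        elif "new phase 2 negotiation" in msg:
            r["phase2_started"] = True
        elif msg.startswith("No ID match"):
            r["notes"].append("peer ID did not match a configured identifier")
        elif "pskey" in msg and "peer's address" in msg:
            r["notes"].append("pre-shared key looked up by peer address instead")
        elif level == "ERROR" and r["failed_phase"] is None:
            # The first error decides which phase to look at.
            r["failed_phase"] = 2 if r["phase2_started"] else 1
            r["notes"].append(f"first error: {msg}")
    return r

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the posted lines it reports Aggressive mode, phase 1 established, and the first error after the phase 2 negotiation had started.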
            • L Offline
              liilo
              last edited by

              hoba,

              Could you please link to the existing thread for the multiwan ipsec vpn route issue?

              I'm not able to find it using the search form.

              thanks.

              • H Offline
                hoba
                last edited by

                Not sure which thread exactly you mean, but that topic is covered multiple times, for example here: http://forum.pfsense.org/index.php/topic,8476.msg47573.html#msg47573

                However I don't think that this has something to do with the issue we are seeing here.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.