    IP Sec VPN between two pfsense boxes with static IP's

    Stoney32

      I am not exactly sure what I am doing wrong, but I have followed the tutorial on the wiki and have been unable to get the tunnel up between the two pfSense boxes. I tried just basic settings so I could get it up, but I have been unable to connect to each other. I would like to be able to use the tunnel for secure access to a data center, so any advice would be very helpful. This is what my setup looks like: pfSense ---> Cisco router ---> WAN ---> Cisco router ---> pfSense, and both WAN IPs are static. I want to be able to have a permanent IPsec tunnel between them. Some tips on the best way to achieve this would be nice.

      Thanks

      hoba

        Do the Ciscos in front of you do NAT or firewalling? Anything in the system logs of the pfSenses?

        Stoney32

          I am now trying to get this running just from a client to a pfSense, and I cannot get it to work. I am not sure what I am doing wrong.

          Stoney32

            Am I missing something? I get no response from the pfSense box at all, and I understood all the entries were made when you enabled IPsec.

            Stoney32

              Do I have to set up firewall rules for this to work? This is frustrating me because, from the info I found, it seems you enable it and it should work. Not sure what noob mistake I am making lol

              Stoney32

                This is the log from Shrew trying to connect:

                config loaded for site '192.168.10.1'
                configuring client settings …
                attached to key daemon ...
                peer configured
                iskamp proposal configured
                esp proposal configured
                client configured
                local id configured
                remote id configured
                pre-shared key configured
                bringing up tunnel ...
                gateway not responding
                tunnel disabled
                detached from key daemon ...

                Stoney32

                  This is the syslog from pfSense:

                  racoon: ERROR: phase1 negotiation failed due to time up. f4a68900f9a99c27:42b5b53ba608ead3
                  racoon: ERROR: fatal INVALID-ID-INFORMATION notify messsage, phase1 should be deleted.
                  racoon: INFO: received Vendor ID: CISCO-UNITY
                  racoon: INFO: received Vendor ID: DPD
                  racoon: INFO: received broken Microsoft ID: FRAGMENTATION
                  racoon: INFO: received Vendor ID: RFC 3947
                  racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
                  racoon: INFO: begin Aggressive mode.
                  racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 192.168.10.1[500]<=>192.168.10.254[500]

                  hoba
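The racoon excerpt above is pasted the way pfSense's log viewer shows it, newest entry first, so it reads backwards: the phase 1 negotiation is accepted, Aggressive mode begins, the vendor IDs arrive, and only then does pfSense send the fatal INVALID-ID-INFORMATION notify and let the negotiation time out. The script below is an added example for this thread, not code from the original post or from pfSense or racoon. It embeds those exact log lines as a constructed sample, reverses them into the order the exchange happened, and pulls out the facts a practitioner checks first: which side responded, the peer addresses, the IKE mode, whether NAT-T was offered, and which notify killed the exchange. The reading of INVALID-ID-INFORMATION as an identifier or pre-shared-key mismatch in phase 1 is the editor's interpretation, not something stated in the thread.

```python
import re

# Constructed sample: the racoon lines Stoney32 pasted, in the newest-first
# order pfSense's log viewer displays them. Kept verbatim, including racoon's
# own "messsage" typo, so the regexes are exercised against real output.
RACOON_LOG_NEWEST_FIRST = """\
racoon: ERROR: phase1 negotiation failed due to time up. f4a68900f9a99c27:42b5b53ba608ead3
racoon: ERROR: fatal INVALID-ID-INFORMATION notify messsage, phase1 should be deleted.
racoon: INFO: received Vendor ID: CISCO-UNITY
racoon: INFO: received Vendor ID: DPD
racoon: INFO: received broken Microsoft ID: FRAGMENTATION
racoon: INFO: received Vendor ID: RFC 3947
racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
racoon: INFO: begin Aggressive mode.
racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 192.168.10.1[500]<=>192.168.10.254[500]
"""

# racoon logs "local<=>remote" for both the responder and initiator cases.
PHASE1_RE = re.compile(r"(respond|initiate) new phase 1 negotiation: (\S+)\[(\d+)\]<=>(\S+)\[(\d+)\]")
MODE_RE = re.compile(r"begin (Aggressive|Main) mode")
VENDOR_RE = re.compile(r"received (?:broken Microsoft ID|Vendor ID): (.+)$")
NOTIFY_RE = re.compile(r"fatal ([A-Z0-9-]+) notify")
TIMEOUT_RE = re.compile(r"phase1 negotiation failed due to time up\. ([0-9a-f]+):([0-9a-f]+)")
# Vendor IDs that advertise NAT traversal support (RFC 3947 and the draft it came from).
NAT_T_VIDS = {"RFC 3947", "draft-ietf-ipsec-nat-t-ike-02"}


def triage_phase1(log_text, newest_first=True):
    """Summarise one IKEv1 phase 1 attempt from a racoon log excerpt."""
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    if newest_first:
        lines.reverse()  # analyse in the order the exchange actually happened
    r = {"role": None, "local": None, "peer": None, "mode": None,
         "vendor_ids": [], "notify": None, "cookies": None}
    for line in lines:
        if m := PHASE1_RE.search(line):
            r["role"] = "responder" if m.group(1) == "respond" else "initiator"
            r["local"], r["peer"] = m.group(2), m.group(4)
        elif m := MODE_RE.search(line):
            r["mode"] = m.group(1)
        elif m := VENDOR_RE.search(line):
            r["vendor_ids"].append(m.group(1).strip())
        elif m := NOTIFY_RE.search(line):
            r["notify"] = m.group(1)
        elif m := TIMEOUT_RE.search(line):
            r["cookies"] = (m.group(1), m.group(2))  # initiator:responder ISAKMP cookies
    r["nat_t_offered"] = bool(NAT_T_VIDS & set(r["vendor_ids"]))
    return r


def explain(r):
    """Turn the triage dict into a one-line diagnosis for the forum reply."""
    parts = []
    if r["local"]:
        parts.append(f"pfSense ({r['local']}) was the {r['role']} for peer {r['peer']}")
    if r["mode"]:
        parts.append(f"{r['mode']} mode")
    if r["notify"] == "INVALID-ID-INFORMATION":
        # Editor's interpretation: the responder could not match the initiator's
        # ID payload (and with it the PSK) to a configured phase 1 entry.
        parts.append("phase 1 rejected the peer's ID payload: compare the client's "
                     "local/remote identifiers and pre-shared key with the phase 1 "
                     "'My identifier'/'Peer identifier' and PSK on pfSense")
    elif r["notify"]:
        parts.append(f"phase 1 aborted with {r['notify']}")
    if r["cookies"]:
        parts.append(f"the negotiation then timed out (cookies {r['cookies'][0]}:{r['cookies'][1]})")
    if r["nat_t_offered"]:
        parts.append("peer offered NAT-T, so UDP/4500 must also reach pfSense if NAT is in the path")
    return "; ".join(parts)


if __name__ == "__main__":
    print(explain(triage_phase1(RACOON_LOG_NEWEST_FIRST)))
```

Both addresses in the negotiation line are on 192.168.10.x, so this particular attempt was the Shrew client talking to pfSense's LAN address, with no Cisco router or WAN in the path. Running the script on a log captured from the real site-to-site attempt (with the WAN addresses) would show whether the same notify appears there.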

                    @Stoney32:

                    this is the syslog for pfsense

                    racoon: ERROR: phase1 negotiation failed due to time up. f4a68900f9a99c27:42b5b53ba608ead3
                    racoon: ERROR: fatal INVALID-ID-INFORMATION notify messsage, phase1 should be deleted.
                    racoon: INFO: received Vendor ID: CISCO-UNITY
                    racoon: INFO: received Vendor ID: DPD
                    racoon: INFO: received broken Microsoft ID: FRAGMENTATION
                    racoon: INFO: received Vendor ID: RFC 3947
                    racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
                    racoon: INFO: begin Aggressive mode.
                    racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 192.168.10.1[500]<=>192.168.10.254[500]

                    Can you try that from a different WAN? It looks like you have some MTU issues there. Maybe try lowering the MTU at Interfaces > WAN on the box that your client is behind.

                    You don't have to set up firewall rules for IPsec to work. This is done behind the scenes when enabling IPsec. However, you have to set up rules for traffic coming through the tunnel (Firewall > Rules, IPsec tab), but that's the next step. This wouldn't prevent the tunnel from being established, but it would block traffic that is coming through the tunnel once it is established.
