IPsec VPN between two pfSense boxes with static IPs



  • I am not exactly sure what I am doing wrong, but I have followed the tutorial on the wiki and have been unable to get the tunnel up between the two pfSense boxes.  I tried just basic settings so I could get it up, but have been unable to connect to each other.  I would like to be able to use the tunnel for secure access to a data center, so any advice would be very helpful.  This is what my setup looks like: pfSense -> Cisco router -> WAN -> Cisco router -> pfSense, and both WAN IPs are static.  I want to be able to have a permanent IPsec tunnel between them.  Some tips on the best way to achieve this would be nice.

    Thanks



  • Do the Ciscos in front of you do NAT or firewalling? Anything in the system logs of the pfSenses?



  • I am now trying to get this running just from a client to a pfSense, and I cannot get it to work. I am not sure what I am doing wrong.



  • Am I missing something? I get no response from the pfSense box at all, and I understood all the entries were made when you enabled IPsec.



  • Do I have to set up firewall rules for this to work?  This is frustrating me because, from the info I found, it seems you enable it and it should work. Not sure what noob mistake I am making lol.



  • This is the log from Shrew trying to connect:

    config loaded for site '192.168.10.1'
    configuring client settings …
    attached to key daemon ...
    peer configured
    iskamp proposal configured
    esp proposal configured
    client configured
    local id configured
    remote id configured
    pre-shared key configured
    bringing up tunnel ...
    gateway not responding
    tunnel disabled
    detached from key daemon ...



  • This is the syslog from pfSense:

    racoon: ERROR: phase1 negotiation failed due to time up. f4a68900f9a99c27:42b5b53ba608ead3
    racoon: ERROR: fatal INVALID-ID-INFORMATION notify messsage, phase1 should be deleted.
    racoon: INFO: received Vendor ID: CISCO-UNITY
    racoon: INFO: received Vendor ID: DPD
    racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    racoon: INFO: received Vendor ID: RFC 3947
    racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    racoon: INFO: begin Aggressive mode.
    racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 192.168.10.1[500]<=>192.168.10.254[500]



  • @Stoney32:

    This is the syslog from pfSense:

    racoon: ERROR: phase1 negotiation failed due to time up. f4a68900f9a99c27:42b5b53ba608ead3
    racoon: ERROR: fatal INVALID-ID-INFORMATION notify messsage, phase1 should be deleted.
    racoon: INFO: received Vendor ID: CISCO-UNITY
    racoon: INFO: received Vendor ID: DPD
    racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    racoon: INFO: received Vendor ID: RFC 3947
    racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    racoon: INFO: begin Aggressive mode.
    racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 192.168.10.1[500]<=>192.168.10.254[500]

    Can you try that from a different WAN? Looks like you have some MTU issues there. Maybe try lowering the MTU at Interfaces > WAN on the box that your client is behind.

    You don't have to set up firewall rules for IPsec to work. This is done behind the scenes when enabling IPsec. However, you have to set up rules for traffic coming through the tunnel (Firewall > Rules, IPsec tab), but that's the next step. This wouldn't prevent the tunnel from being established, but it would block traffic that is coming through the tunnel once it is established.

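The racoon excerpt posted above contains the usual clues for a Phase 1 failure (the responder saw the peer, Aggressive mode was used, an INVALID-ID-INFORMATION notify arrived, then the exchange timed out). The script below is an added example, not code from the thread or from pfSense: it parses those exact lines (embedded here as constructed sample input) and reports what each message implies. The rule texts are the common interpretation of each racoon message and are assumptions, not something the thread itself states.

```python
"""Classify racoon (the IPsec daemon on older pfSense releases) Phase 1 log lines.

Added example: reads a syslog excerpt and names the Phase 1 problem it shows.
The explanation attached to each rule is an assumption about what the message
usually means; it is not taken from the thread or from pfSense documentation.
"""
import re

# Constructed sample input: the racoon lines quoted in the thread above
# (pfSense shows the newest line first).
SAMPLE_LOG = """\
racoon: ERROR: phase1 negotiation failed due to time up. f4a68900f9a99c27:42b5b53ba608ead3
racoon: ERROR: fatal INVALID-ID-INFORMATION notify messsage, phase1 should be deleted.
racoon: INFO: received Vendor ID: CISCO-UNITY
racoon: INFO: received Vendor ID: DPD
racoon: INFO: received broken Microsoft ID: FRAGMENTATION
racoon: INFO: received Vendor ID: RFC 3947
racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
racoon: INFO: begin Aggressive mode.
racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 192.168.10.1[500]<=>192.168.10.254[500]
"""

# Extracts the two endpoints of a Phase 1 exchange racoon is responding to.
PEER_RE = re.compile(
    r"respond new phase 1 negotiation: "
    r"(?P<local>[\d.]+)\[(?P<lport>\d+)\]<=>(?P<remote>[\d.]+)\[(?P<rport>\d+)\]"
)

# (pattern, finding name, what the message means for the operator). Assumed interpretations.
RULES = [
    (re.compile(r"begin Aggressive mode"), "aggressive_mode",
     "Aggressive mode with a pre-shared key: the PSK-derived hash is sent before the peer "
     "is authenticated, so anyone capturing the exchange can brute-force the PSK offline. "
     "Two gateways with static IPs should use Main mode instead."),
    (re.compile(r"INVALID-ID-INFORMATION"), "id_mismatch",
     "The peer sent INVALID-ID-INFORMATION: the Phase 1 identifiers ('My identifier' / "
     "'Peer identifier'), or the pre-shared key bound to that identifier, do not agree on "
     "both ends."),
    (re.compile(r"phase1 negotiation failed due to time up"), "phase1_timeout",
     "racoon gave up after retransmitting: either the peer's IKE packets never arrive "
     "(UDP/500, plus UDP/4500 when NAT-T is used) or the peer abandoned the exchange after "
     "an earlier error."),
    (re.compile(r"received Vendor ID: (RFC 3947|draft-ietf-ipsec-nat-t-ike-\d+)"), "nat_t_offered",
     "The peer supports NAT-Traversal; if a NAT device sits between the gateways, ESP is "
     "carried inside UDP/4500, which the routers in front must also pass."),
]


def analyze(log_text):
    """Return the peers seen, the findings keyed by name, and a one-line verdict."""
    peers = []
    findings = {}
    for line in log_text.splitlines():
        if "racoon:" not in line:
            continue  # only the IPsec daemon's lines matter here
        m = PEER_RE.search(line)
        if m:
            pair = (m.group("local"), m.group("remote"))
            if pair not in peers:
                peers.append(pair)
        for pattern, name, meaning in RULES:
            if pattern.search(line):
                findings[name] = meaning

    # Most specific cause first: an explicit ID rejection explains the later timeout.
    if "id_mismatch" in findings:
        verdict = "identifier mismatch: fix the Phase 1 identifiers/PSK on both gateways"
    elif "phase1_timeout" in findings and not peers:
        verdict = "no IKE traffic from the peer reached racoon: check the path for UDP/500"
    elif "phase1_timeout" in findings:
        verdict = "peer was seen but Phase 1 stalled: compare Phase 1 proposals and the return path"
    else:
        verdict = "no phase 1 failure detected"
    return {"peers": peers, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print("Phase 1 peers:", result["peers"])
    for name, meaning in result["findings"].items():
        print(f"[{name}] {meaning}")
    print("Verdict:", result["verdict"])
```

Run it against a copy of the IPsec log (Status > System Logs, IPsec tab) and read the verdict before touching firewall rules: as the reply above notes, the IPsec-tab rules only affect traffic inside an established tunnel, and the messages this script looks for are all about Phase 1, which happens before that.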
