IPsec VPN between two pfSense boxes with static IPs
-
I am not exactly sure what I am doing wrong, but I have followed the tutorial on the wiki and have been unable to get the tunnel up between the two pfSense boxes. I tried just basic settings so I could get it up, but they have been unable to connect to each other. I would like to be able to use the tunnel for secure access to a data center, so any advice would be very helpful. This is what my setup looks like: pfSense--->Cisco router--->WAN--->Cisco router--->pfSense, and both WAN IPs are static. I want to be able to have a permanent IPsec tunnel between them. Some tips on the best way to achieve this would be nice.
Thanks
-
Do the Ciscos in front of you do NAT or firewalling? Anything in the system logs of the pfSenses?
-
I am now trying to get this running just from a client to a pfSense and I cannot get it to work. I am not sure what I am doing wrong.
-
Am I missing something? I get no response from the pfSense box at all, and I understood all the entries were made when you enabled IPsec.
-
Do I have to set up firewall rules for this to work? This is frustrating me because, from the info I found, it seems you enable it and it should work. Not sure what noob mistake I am making lol
-
This is the log from Shrew trying to connect:
config loaded for site '192.168.10.1'
configuring client settings …
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
local id configured
remote id configured
pre-shared key configured
bringing up tunnel ...
gateway not responding
tunnel disabled
detached from key daemon ...
-
This is the syslog for pfSense:
racoon: ERROR: phase1 negotiation failed due to time up. f4a68900f9a99c27:42b5b53ba608ead3
racoon: ERROR: fatal INVALID-ID-INFORMATION notify messsage, phase1 should be deleted.
racoon: INFO: received Vendor ID: CISCO-UNITY
racoon: INFO: received Vendor ID: DPD
racoon: INFO: received broken Microsoft ID: FRAGMENTATION
racoon: INFO: received Vendor ID: RFC 3947
racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
racoon: INFO: begin Aggressive mode.
racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 192.168.10.1[500]<=>192.168.10.254[500]
-
Can you try that from a different WAN? Looks like you have some MTU issues there. Maybe try lowering the MTU at Interfaces > WAN at the box that your client is behind.
You don't have to set up firewall rules for IPsec to work. This is done behind the scenes when enabling IPsec. However, you have to set up rules for traffic coming through the tunnel (Firewall > Rules, IPsec tab), but that's the next step. This wouldn't prevent the tunnel from being established, but it would block traffic that is coming through the tunnel once it is established.
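As an added illustration (not code from the thread or from pfSense/racoon), the following Python script reads racoon phase 1 log lines like the ones posted above and pulls out what a troubleshooter needs at a glance: which peers negotiated, which IKE mode was used, the vendor IDs the client announced, the error messages, and the ISAKMP cookie pair. The sample input is the thread's own syslog, reordered oldest-first (the pfSense log view shows newest entries at the top). The regular expressions assume racoon's message format exactly as it appears in the thread, and the `HINTS` table is a hypothetical mapping of the two error messages to the checks a defender would run next; it is an editor's interpretation, not racoon documentation.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the racoon lines from the thread above, reordered oldest-first.
SAMPLE_LOG = """\
racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 192.168.10.1[500]<=>192.168.10.254[500]
racoon: INFO: begin Aggressive mode.
racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
racoon: INFO: received Vendor ID: RFC 3947
racoon: INFO: received broken Microsoft ID: FRAGMENTATION
racoon: INFO: received Vendor ID: DPD
racoon: INFO: received Vendor ID: CISCO-UNITY
racoon: ERROR: fatal INVALID-ID-INFORMATION notify messsage, phase1 should be deleted.
racoon: ERROR: phase1 negotiation failed due to time up. f4a68900f9a99c27:42b5b53ba608ead3
"""

# Line shape assumed from the thread: "racoon: [optional gateway]: LEVEL: message"
LINE_RE = re.compile(
    r"^racoon: (?:\[(?P<gw>[^\]]+)\]: )?(?P<level>INFO|ERROR|WARNING|NOTIFY|DEBUG): (?P<msg>.*)$"
)
PEERS_RE = re.compile(
    r"phase 1 negotiation: (?P<local>[\d.]+)\[(?P<lport>\d+)\]<=>(?P<remote>[\d.]+)\[(?P<rport>\d+)\]"
)
MODE_RE = re.compile(r"begin (?P<mode>Aggressive|Identity Protection) mode")
VID_RE = re.compile(r"received (?:Vendor ID|broken Microsoft ID): (?P<vid>.+)$")
COOKIES_RE = re.compile(r"time up\. (?P<cookies>[0-9a-f]{16}:[0-9a-f]{16})")
ESTABLISHED_RE = re.compile(r"ISAKMP-SA established")

# Hypothetical hint table (editor's interpretation): what to check for each phase 1 error.
HINTS = {
    "INVALID-ID-INFORMATION": (
        "peer rejected the phase 1 identifier: compare My identifier / Peer identifier "
        "and the pre-shared key configured on both ends"
    ),
    "time up": (
        "phase 1 timed out before completing: confirm UDP 500/4500 reaches the responder "
        "and, as the reply suggests, check for fragmentation/MTU problems on the WAN path"
    ),
}


def summarize(log_text: str) -> Dict[str, object]:
    """Parse racoon phase 1 lines and return a troubleshooting summary."""
    summary: Dict[str, object] = {
        "gateway": None, "local": None, "remote": None, "mode": None,
        "vendor_ids": [], "errors": [], "hints": [], "cookies": None,
        "established": False,
    }
    vendor_ids: List[str] = summary["vendor_ids"]  # type: ignore[assignment]
    errors: List[str] = summary["errors"]          # type: ignore[assignment]
    hints: List[str] = summary["hints"]            # type: ignore[assignment]

    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a racoon line in the assumed shape; skip rather than guess
        level, msg = m.group("level"), m.group("msg")
        if m.group("gw"):
            summary["gateway"] = m.group("gw")
        if (p := PEERS_RE.search(msg)):
            summary["local"], summary["remote"] = p.group("local"), p.group("remote")
        if (mm := MODE_RE.search(msg)):
            summary["mode"] = mm.group("mode")
        if (v := VID_RE.search(msg)):
            vendor_ids.append(v.group("vid"))
        if ESTABLISHED_RE.search(msg):
            summary["established"] = True
        if level == "ERROR":
            errors.append(msg)
            summary["established"] = False  # a later error supersedes an earlier success
            if (c := COOKIES_RE.search(msg)):
                summary["cookies"] = c.group("cookies")
            for key, hint in HINTS.items():
                if key in msg and hint not in hints:
                    hints.append(hint)
    return summary


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it as-is to see the summary for the thread's log; point `summarize()` at a copy of your own Status > System Logs > IPsec output to get the same breakdown for a different failure.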