IPSec service not starting



  • Hello, I have two pfSenses and I set up the LAN interface so I can make an IPsec connection. I use 10.10.6.1 on one pfSense and 192.168.11.1 on the second. I made the VPN tunnel with the same options on both sides. I made a firewall rule to allow all traffic on LAN, full access. After I rebooted the pfSenses I go to Status -> Services and the racoon IPsec VPN is stopped. I try to start the service but it doesn't start. What can I do? How can I start the VPN service? Do you have any idea?

    Lucian



  • Can you give us some details on how your tunnels are set up?



  • I set up IPsec on LAN, not WAN, because I want to test the tunnels first. I used the same options on both pfSenses. First I made a firewall rule on both pfSenses to allow all traffic on all ports in the LAN tab. I also made a rule, after setting up IPsec, on the IPsec tab to allow all traffic on all ports. I made the setup for WAN and I put a static IP address and the IPsec service started running. Now after setting up IPsec with the following choices:

    • Mode: Tunnel
    • Interface: LAN
    • Local subnet: Network, addresses 192.168.11.0/24
    • Remote subnet: 10.10.6.0/24
    • Remote gateway: 10.10.6.12
    • Description: VPN to 10.10.6.12
    • Negotiation mode: Aggressive
    • My identifier: Domain name, same on both
    • Encryption algorithm: Blowfish
    • Hash algorithm: MD5
    • DH key group: 1
    • Lifetime: 28800
    • Authentication method: Pre-shared key
    • Pre-Shared Key: same on both sides
    • Protocol: ESP
    • Encryption algorithms: Blowfish
    • Hash algorithms: MD5
    • PFS key group: 1
    • Lifetime: 86400
    • Automatically ping host: the other tunnel side, 10.10.6.1

    After reboot I go to System Logs -> IPsec and I get the following errors:

    Apr 18 17:51:27 racoon: ERROR: failed to begin ipsec sa negotication.
    Apr 18 17:51:27 racoon: ERROR: phase1 negotiation failed due to send error. 33a8e908ddc2701c:0000000000000000
    Apr 18 17:51:27 racoon: ERROR: sendfromto failed
    Apr 18 17:51:27 racoon: INFO: begin Identity Protection mode.
    Apr 18 17:51:27 racoon: [VPN spre 10.10.6.12]: INFO: initiate new phase 1 negotiation: 192.168.11.12[500]<=>10.10.6.12[500]
    Apr 18 17:51:27 racoon: [VPN spre 10.10.6.12]: INFO: IPsec-SA request for 10.10.6.12 queued due to no phase1 found.

    I will look for more information and I will try different setups, but I don't understand what I'm doing wrong. Thank you!

    Lucian



  • @luci2200:

    • Remote subnet 10.10.6.0/24
    • Remote gateway 10.10.6.12
      ...

    The remote gateway is inside the remote subnet? How should that work? You are confusing the system. I guess the IPsec service refuses to start with such a nonsense config  ;)

    You really should just set it up the way it should be in the end, WAN to WAN. It's dead simple, really.
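    A sanity check for the selector mistake pointed out above, as an added example (not from this thread or from pfSense): it parses the tunnel values quoted in the thread, flags any phase-1 peer address that falls inside a phase-2 subnet, and, going beyond the thread, also flags the deprecated algorithms in the posted settings. The WAN-to-WAN addresses are constructed placeholders.

```python
import ipaddress

# Tunnel settings as entered on the pfSense IPsec page, transcribed from this thread
# (the local endpoint 192.168.11.12 is taken from the racoon log line).
AS_POSTED = {
    "local_endpoint": "192.168.11.12",
    "local_subnet": "192.168.11.0/24",
    "remote_gateway": "10.10.6.12",
    "remote_subnet": "10.10.6.0/24",
    "negotiation_mode": "aggressive",
    "p1_encryption": "blowfish",
    "p1_hash": "md5",
    "p1_dh_group": 1,
}

# Constructed WAN-to-WAN variant (RFC 5737 documentation addresses stand in for the real
# WAN IPs) with non-deprecated algorithms.
WAN_TO_WAN = dict(AS_POSTED, local_endpoint="203.0.113.1", remote_gateway="198.51.100.1",
                  negotiation_mode="main", p1_encryption="aes", p1_hash="sha256", p1_dh_group=14)

# Rated MUST NOT / SHOULD NOT by current IKE and ESP guidance (RFC 8247, RFC 8221); these
# hardening checks are this example's own addition, not something the thread states.
DEPRECATED_ENC, DEPRECATED_HASH, DEPRECATED_DH = {"des", "3des", "blowfish"}, {"md5"}, {1, 2}

def check_tunnel(cfg):
    """Return a list of readable problems; an empty list means the definition is sane."""
    problems = []
    local_net = ipaddress.ip_network(cfg["local_subnet"], strict=False)
    remote_net = ipaddress.ip_network(cfg["remote_subnet"], strict=False)
    endpoints = (("local endpoint", ipaddress.ip_address(cfg["local_endpoint"])),
                 ("remote gateway", ipaddress.ip_address(cfg["remote_gateway"])))
    # The mistake diagnosed in the thread: a phase-1 peer address inside a phase-2 traffic
    # selector (the local endpoint inside the local subnet is the same error seen from the
    # other peer). IKE/ESP packets to such a peer would themselves match the policy the
    # tunnel is trying to set up, a plausible cause of the send error in the log above.
    for ep_name, addr in endpoints:
        for net_name, net in (("local subnet", local_net), ("remote subnet", remote_net)):
            if addr in net:
                problems.append(f"{ep_name} {addr} lies inside {net_name} {net}")
    if local_net.overlaps(remote_net):
        problems.append(f"local subnet {local_net} overlaps remote subnet {remote_net}")
    if cfg["negotiation_mode"] == "aggressive":
        problems.append("use main mode; aggressive mode sends the PSK-derived hash unencrypted")
    if cfg["p1_encryption"] in DEPRECATED_ENC:
        problems.append(f"phase-1 encryption {cfg['p1_encryption']} is deprecated")
    if cfg["p1_hash"] in DEPRECATED_HASH:
        problems.append(f"phase-1 hash {cfg['p1_hash']} is deprecated")
    if cfg["p1_dh_group"] in DEPRECATED_DH:
        problems.append(f"DH group {cfg['p1_dh_group']} is too weak; use group 14 or higher")
    return problems
```

    Running `check_tunnel(AS_POSTED)` reports both the remote gateway and the local endpoint as lying inside their phase-2 subnets, while `check_tunnel(WAN_TO_WAN)` returns an empty list.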



  • Hello, the service is up and running after I set up the WAN interfaces. It was my mistake. It was the first time I had to set up a VPN. Now I know what I did wrong!  ;) The VPN is running now. Thank you!

    Lucian

