IPSec service not starting
-
Hello, I have two pfSenses and I set up the LAN interface so I can make an IPSec connection. I use 10.10.6.1 on one pfSense and 192.168.11.1 for the second. I made the VPN tunnel with the same options on both sides. I made a firewall rule to allow all traffic on LAN, full access. After I rebooted the pfSenses I went to Status -> Services and the racoon IPSEC VPN is stopped. I try to start the service but it doesn't start. What can I do? How can I start the VPN service? Do you have any idea?
Lucian
-
Can you give us some details how your tunnels are set up?
-
I set up IPSec on LAN not WAN because I want to test the tunnels first. I used the same options on both pfSenses. First I made a firewall rule on both pfSenses to allow all traffic on all ports in the LAN tab. I also made a rule after setting up IPSec, on the IPSec tab, to allow all traffic on all ports. I made the setup for WAN and I put a static IP address and the IPSec service started running. Now after setting up IPSec with the following choices:
- Mode Tunnel
- Interface LAN
- Local subnet Network, Addresses 192.168.11.0/24
- Remote subnet 10.10.6.0/24
- Remote gateway 10.10.6.12
- Description VPN to 10.10.6.12
- Negotiation mode Aggressive
- My identifier Domain name same on both
- Encryption algorithm Blowfish
- Hash algorithm MD5
- DH key group 1
- Lifetime 28800
- Authentication method Pre-shared key
- Pre-Shared Key same on both sides
- Protocol ESP
- Encryption algorithms Blowfish
- Hash algorithms MD5
- PFS key group 1
- Lifetime 86400
- Automatically ping host the other tunnel side 10.10.6.1
After reboot I go to System Logs and IPSec and I get the following errors:
Apr 18 17:51:27 racoon: ERROR: failed to begin ipsec sa negotication.
Apr 18 17:51:27 racoon: ERROR: phase1 negotiation failed due to send error. 33a8e908ddc2701c:0000000000000000
Apr 18 17:51:27 racoon: ERROR: sendfromto failed
Apr 18 17:51:27 racoon: INFO: begin Identity Protection mode.
Apr 18 17:51:27 racoon: [VPN spre 10.10.6.12]: INFO: initiate new phase 1 negotiation: 192.168.11.12[500]<=>10.10.6.12[500]
Apr 18 17:51:27 racoon: [VPN spre 10.10.6.12]: INFO: IPsec-SA request for 10.10.6.12 queued due to no phase1 found.
I will look for more information and I will try to make different setups. But I don't understand what I'm doing wrong. Thank you!
Lucian
-
…
- Remote subnet 10.10.6.0/24
- Remote gateway 10.10.6.12
...
The remote gateway is inside the remote subnet? How should that work? You are confusing the system. I guess the IPsec service refuses to start with such a nonsense config ;)
You really should just set it up the way it should be in the end, WAN to WAN. It's dead simple, really.
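As an added example (not from the thread and not pfSense's own code), here is a small Python sanity check that encodes the point made in the reply above: the remote gateway must not sit inside the remote subnet the tunnel is supposed to carry, the two subnets must not overlap, and the endpoint belongs on WAN. It also flags the legacy algorithm choices listed in the post (aggressive mode with PSK, Blowfish, MD5, DH group 1), which is a broader check than the thread itself makes. The dictionary field names are my own and not pfSense's configuration keys; both tunnel definitions are constructed, and the 203.0.113.20 address in the corrected one is a documentation address, not a real peer.

```python
import ipaddress

# Constructed tunnel definition mirroring the options listed in the thread.
# Field names are assumptions for this example, not pfSense config keys.
THREAD_TUNNEL = {
    "interface": "LAN",
    "local_subnet": "192.168.11.0/24",
    "remote_subnet": "10.10.6.0/24",
    "remote_gateway": "10.10.6.12",   # inside remote_subnet: the bug in the thread
    "negotiation_mode": "aggressive",
    "p1_encryption": "blowfish",
    "p1_hash": "md5",
    "p1_dh_group": 1,
    "p2_encryption": "blowfish",
    "p2_hash": "md5",
    "p2_pfs_group": 1,
}

# Constructed WAN-to-WAN equivalent with current algorithm choices.
# 203.0.113.20 is a TEST-NET-3 documentation address, not a real peer.
FIXED_TUNNEL = {
    "interface": "WAN",
    "local_subnet": "192.168.11.0/24",
    "remote_subnet": "10.10.6.0/24",
    "remote_gateway": "203.0.113.20",
    "negotiation_mode": "main",
    "p1_encryption": "aes256",
    "p1_hash": "sha256",
    "p1_dh_group": 14,
    "p2_encryption": "aes256",
    "p2_hash": "sha256",
    "p2_pfs_group": 14,
}

LEGACY_CIPHERS = {"des", "3des", "blowfish", "cast128"}
LEGACY_HASHES = {"md5", "sha1"}
WEAK_DH_GROUPS = {1, 2, 5}  # 768-, 1024- and 1536-bit MODP


def check_tunnel(cfg):
    """Return a list of (severity, code, message) findings for one tunnel."""
    findings = []
    local = ipaddress.ip_network(cfg["local_subnet"], strict=False)
    remote = ipaddress.ip_network(cfg["remote_subnet"], strict=False)
    gateway = ipaddress.ip_address(cfg["remote_gateway"])

    # Topology checks: the gateway is the IKE peer, so it has to be reachable
    # outside the networks the tunnel carries, and the selectors must not overlap.
    if gateway in remote:
        findings.append(("error", "gateway_in_remote_subnet",
                         f"remote gateway {gateway} lies inside remote subnet {remote}"))
    if gateway in local:
        findings.append(("error", "gateway_in_local_subnet",
                         f"remote gateway {gateway} lies inside local subnet {local}"))
    if local.overlaps(remote):
        findings.append(("error", "subnets_overlap",
                         f"local subnet {local} overlaps remote subnet {remote}"))
    if cfg["interface"].upper() != "WAN":
        findings.append(("warning", "not_on_wan",
                         f"tunnel bound to {cfg['interface']}; site-to-site IKE normally "
                         "terminates on the WAN interface"))

    # Algorithm checks: these did not stop the service, but they weaken the tunnel.
    if cfg["negotiation_mode"].lower() == "aggressive":
        findings.append(("warning", "aggressive_mode",
                         "aggressive mode with a pre-shared key exposes the identity "
                         "hash to offline guessing; use main mode"))
    for phase in ("p1", "p2"):
        if cfg[f"{phase}_encryption"].lower() in LEGACY_CIPHERS:
            findings.append(("warning", f"legacy_cipher_{phase}",
                             f"{phase} cipher {cfg[f'{phase}_encryption']} is legacy; use AES"))
        if cfg[f"{phase}_hash"].lower() in LEGACY_HASHES:
            findings.append(("warning", f"legacy_hash_{phase}",
                             f"{phase} hash {cfg[f'{phase}_hash']} is legacy; use SHA-256"))
    if cfg["p1_dh_group"] in WEAK_DH_GROUPS:
        findings.append(("warning", "weak_dh_p1",
                         f"DH group {cfg['p1_dh_group']} is too small; use group 14 or higher"))
    if cfg["p2_pfs_group"] in WEAK_DH_GROUPS:
        findings.append(("warning", "weak_pfs_group",
                         f"PFS group {cfg['p2_pfs_group']} is too small; use group 14 or higher"))
    return findings


def has_errors(findings):
    """True when any finding would keep the tunnel from working at all."""
    return any(severity == "error" for severity, _, _ in findings)


if __name__ == "__main__":
    for name, cfg in (("thread", THREAD_TUNNEL), ("fixed", FIXED_TUNNEL)):
        results = check_tunnel(cfg)
        print(f"[{name}] {len(results)} finding(s), errors={has_errors(results)}")
        for severity, code, message in results:
            print(f"  {severity:7} {code}: {message}")
```

Run it as a script to see the thread's configuration produce one error (the gateway inside the remote subnet) plus the algorithm warnings, while the WAN-to-WAN variant with AES, SHA-256 and DH group 14 produces nothing. The error/warning split is deliberate: the topology errors are the ones that explain a service that will not start or a phase 1 that cannot even be sent, whereas the algorithm warnings are about the strength of a tunnel that does come up.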
-
Hello, the service is up and running after I set up the WAN interfaces. It was my mistake. It was the first time I had to set up a VPN. Now I know what I did wrong! ;) The VPN is now running. Thank you!
Lucian