IPsec tunnel between DHCP and NATed pfSense boxes



  • Hey Folks,
    I have a tricky one…
    For the past 24 months I have had a working tunnel b/t SiteA (static IP) and SiteB (static, but PF was behind a 1:1 NAT).

    Recently SiteA had to move to a DHCP connection on the WAN side. That was a fairly smooth transition, however it has left me without a working IPsec tunnel. I am hoping there is a user error quotient here and that the combination of NAT and DHCP is not a deal breaker.

    Again, both SiteA and SiteB are pfSense, both running 1.2

    SiteA(DHCP) ---internet--Cisco Router(Public IP)...1:1nat...SiteB

    There is no port blocking b/t the Cisco router and SiteB's pfsense

    The first question I have is what to use for identifier? In the logs of SiteB (see below) it seems to be trying to use the WAN IP (which is a private IP).

    I'll post the logs below. Thanks in advance for any thoughts, tips or suggestions!

    SiteA IPsec Log:

    Last 50 IPSEC log entries
    Apr 24 17:51:46 	racoon: INFO: unsupported PF_KEY message REGISTER
    Apr 24 17:51:46 	racoon: INFO: fe80::218:1ff:fe30:c961%dc0[500] used as isakmp port (fd=28)
    Apr 24 17:51:46 	racoon: INFO: 72.84.xxx.zzz[500] used as isakmp port (fd=27)
    Apr 24 17:51:46 	racoon: INFO: 10.1.2.1[500] used as isakmp port (fd=26)
    Apr 24 17:51:46 	racoon: INFO: fe80::280:c8ff:feb9:6d8e%dc1[500] used as isakmp port (fd=25)
    Apr 24 17:51:46 	racoon: INFO: 10.1.20.1[500] used as isakmp port (fd=24)
    Apr 24 17:51:46 	racoon: INFO: fe80::280:c8ff:feb9:6d8f%dc2[500] used as isakmp port (fd=23)
    Apr 24 17:51:46 	racoon: INFO: 10.1.1.1[500] used as isakmp port (fd=22)
    Apr 24 17:51:46 	racoon: INFO: fe80::230:48ff:fe41:135%fxp1[500] used as isakmp port (fd=21)
    Apr 24 17:51:46 	racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=20)
    Apr 24 17:51:46 	racoon: INFO: ::1[500] used as isakmp port (fd=19)
    Apr 24 17:51:46 	racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=18)
    Apr 24 17:51:46 	racoon: INFO: fe80::218:1ff:fe30:c961%tun0[500] used as isakmp port (fd=17)
    Apr 24 17:51:46 	racoon: INFO: 10.50.1.1[500] used as isakmp port (fd=16)
    Apr 24 17:43:52 	racoon: INFO: unsupported PF_KEY message REGISTER
    Apr 24 17:43:52 	racoon: INFO: fe80::218:1ff:fe30:c961%dc0[500] used as isakmp port (fd=27)
    Apr 24 17:43:52 	racoon: INFO: 72.84.xxx.zzz[500] used as isakmp port (fd=26)
    Apr 24 17:43:52 	racoon: INFO: 10.1.2.1[500] used as isakmp port (fd=25)
    Apr 24 17:43:52 	racoon: INFO: fe80::280:c8ff:feb9:6d8e%dc1[500] used as isakmp port (fd=24)
    Apr 24 17:43:52 	racoon: INFO: 10.1.20.1[500] used as isakmp port (fd=23)
    Apr 24 17:43:52 	racoon: INFO: fe80::280:c8ff:feb9:6d8f%dc2[500] used as isakmp port (fd=22)
    

    SiteB's Log:

    Last 50 IPSEC log entries
    Apr 24 14:15:08 	racoon: [Richmond]: INFO: phase2 sa deleted 172.15.1.2-72.84.xxx.zzz
    Apr 24 14:15:07 	racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
    Apr 24 14:15:07 	racoon: [Richmond]: INFO: phase2 sa expired 172.15.1.2-72.84.xxx.zzz
    Apr 24 14:14:40 	racoon: [Richmond]: INFO: phase2 sa deleted 172.15.1.2-72.84.xxx.zzz
    Apr 24 14:14:39 	racoon: INFO: begin Aggressive mode.
    Apr 24 14:14:39 	racoon: [Richmond]: INFO: initiate new phase 1 negotiation: 172.15.1.2[500]<=>72.84.xxx.zzz[500]
    Apr 24 14:14:39 	racoon: [Richmond]: INFO: IPsec-SA request for 72.84.xxx.zzz queued due to no phase1 found.
    Apr 24 14:14:39 	racoon: [Richmond]: INFO: phase2 sa expired 172.15.1.2-72.84.xxx.zzz
    Apr 24 14:14:28 	racoon: ERROR: phase1 negotiation failed due to time up. 8e634588f2063f20:0000000000000000
    Apr 24 14:14:09 	racoon: INFO: delete phase 2 handler.
    Apr 24 14:14:09 	racoon: [Richmond]: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 72.84.xxx.zzz[0]->172.15.1.2[0]
    Apr 24 14:14:09 	racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
    Apr 24 14:14:09 	racoon: [Richmond]: INFO: phase2 sa expired 172.15.1.2-72.84.xxx.zzz
    Apr 24 14:13:39 	racoon: [Richmond]: INFO: phase2 sa deleted 172.15.1.2-72.84.xxx.zzz
    Apr 24 14:13:38 	racoon: INFO: begin Aggressive mode.
    Apr 24 14:13:38 	racoon: [Richmond]: INFO: initiate new phase 1 negotiation: 172.15.1.2[500]<=>72.84.xxx.zzz[500]
    Apr 24 14:13:38 	racoon: [Richmond]: INFO: IPsec-SA request for 72.84.xxx.zzz queued due to no phase1 found.
    Apr 24 14:13:38 	racoon: [Richmond]: INFO: phase2 sa expired 172.15.1.2-72.84.xxx.zzz
    Apr 24 14:13:32 	racoon: ERROR: phase1 negotiation failed due to time up. 1b79f713d733e7b0:0000000000000000
    Apr 24 14:13:13 	racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
    Apr 24 14:13:13 	racoon: INFO: delete phase 2 handler.
    Apr 24 14:13:13 	racoon: [Richmond]: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 72.84.xxx.zzz[0]->172.15.1.2[0]
    Apr 24 14:12:43 	racoon: [Richmond]: INFO: phase2 sa deleted 172.15.1.2-72.84.xxx.zzz
    Apr 24 14:12:42 	racoon: INFO: begin Aggressive mode.
    Apr 24 14:12:42 	racoon: [Richmond]: INFO: initiate new phase 1 negotiation: 172.15.1.2[500]<=>72.84.xxx.zzz[500]
    Apr 24 14:12:42 	racoon: [Richmond]: INFO: IPsec-SA request for 72.84.xxx.zzz queued due to no phase1 found.
    Apr 24 14:12:42 	racoon: [Richmond]: INFO: phase2 sa expired 172.15.1.2-72.84.xxx.zzz
    Apr 24 14:12:28 	racoon: ERROR: phase1 negotiation failed due to time up. 5e13eeca2f6b5b9e:0000000000000000
    Apr 24 14:12:13 	racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
    Apr 24 14:12:09 	racoon: INFO: delete phase 2 handler.
    
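A small log triage script for the racoon output posted above, added here as an example and not part of the thread. It reads pfSense 1.2 style racoon lines (a constructed sample with placeholder addresses, not the poster's log), counts phase 1 attempts and timeouts, uses the responder cookie to tell "peer never answered" from "negotiation rejected", and flags a private local ISAKMP endpoint, which is the NAT situation SiteB is in.

```python
import re
from ipaddress import ip_address

# Constructed sample in the format racoon writes on pfSense 1.2, newest
# entry first as the web GUI shows it (not the thread's own lines; the
# addresses are RFC 1918 / RFC 5737 placeholders).
SAMPLE_LOG = """\
Apr 24 14:14:39 \tracoon: INFO: begin Aggressive mode.
Apr 24 14:14:39 \tracoon: [Richmond]: INFO: initiate new phase 1 negotiation: 10.1.1.2[500]<=>203.0.113.5[500]
Apr 24 14:14:28 \tracoon: ERROR: phase1 negotiation failed due to time up. 8e634588f2063f20:0000000000000000
Apr 24 14:13:38 \tracoon: INFO: begin Aggressive mode.
Apr 24 14:13:38 \tracoon: [Richmond]: INFO: initiate new phase 1 negotiation: 10.1.1.2[500]<=>203.0.113.5[500]
Apr 24 14:13:32 \tracoon: ERROR: phase1 negotiation failed due to time up. 1b79f713d733e7b0:0000000000000000
Apr 24 14:13:13 \tracoon: [Richmond]: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 203.0.113.5[0]->10.1.1.2[0]
"""

# racoon prints "local<=>remote" on the initiate line and "icookie:rcookie" on the timeout line.
INIT_RE = re.compile(r"initiate new phase 1 negotiation: (\S+)\[\d+\]<=>(\S+)\[\d+\]")
FAIL_RE = re.compile(r"phase1 negotiation failed due to time up\. [0-9a-f]{16}:([0-9a-f]{16})")

def analyse(log_text):
    """Count phase 1 attempts/timeouts and derive what the log says about the peer."""
    endpoints, attempts, timeouts, unanswered = set(), 0, 0, 0
    aggressive = "begin Aggressive mode" in log_text
    for line in log_text.splitlines():
        if m := INIT_RE.search(line):
            attempts += 1
            endpoints.add((m.group(1), m.group(2)))
        elif m := FAIL_RE.search(line):
            timeouts += 1
            # An all-zero responder cookie means no ISAKMP reply to the first
            # aggressive-mode packet ever arrived; a non-zero one means the
            # peer answered and the exchange died later (ID or PSK mismatch).
            if set(m.group(1)) == {"0"}:
                unanswered += 1
    findings = []
    if len(endpoints) == 1:
        local, remote = next(iter(endpoints))
        if ip_address(local).is_private:
            findings.append(f"local ISAKMP endpoint {local} is RFC 1918: this gateway is behind NAT, "
                            "so the peer must match it by identifier and NAT-T must be on at both ends")
    if timeouts and unanswered == timeouts:
        findings.append("every phase 1 timeout has a zero responder cookie: the peer never replied, "
                        "so confirm UDP 500/4500 reach it before tuning proposals")
    if not aggressive:
        findings.append("main mode in use: matching a dynamic PSK peer by identifier needs aggressive mode")
    return {"attempts": attempts, "timeouts": timeouts, "unanswered": unanswered,
            "endpoints": sorted(endpoints), "findings": findings}

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against the "Last 50 IPSEC log entries" box copied from Status > System logs > IPsec; the findings list is what to check first.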


  • Create an identifier at siteA-pfSense and make siteB-pfSense use it. You'll have to use aggressive mode for this. Btw, this won't work reliably if siteA's IP is changing. Dynamic to Dynamic Tunnels are not supported.



  • Hoba - thanks for the quick reply

    So just set the identifier to anything I want on siteA, ABC123 for example and use ABC123 as the same identifier on SiteB?
    That's how it is set up now (including set to Aggressive). I've been using domain name (abc.com) for both, I'll try the other options and see what I get.

    The good news is that this is dynamic to static, but the static is behind a NAT … and, knock on wood, the dynamic has not changed once in several months...



  • Here I am, three months and still no site-to-site VPN…
    I've given up on each (IPsec and OVPN) and switched back and forth so many times that I'm starting to think there is just something wrong with the hardware involved.

    I'm back trying to make IPsec work - according to the logs, SiteB is still failing to complete phase 2 ...

    As for identifier, the only thing I think I can use is user FQDN ... so I made up: vpn@nsnet.local and I'm using that on both sides.

    Anyone have any ideas?



  • I cannot explain it but things just started working…
    I didn't make any changes, but after letting it sit a few days, the tunnel just came up on its own.

    Thanks for all the great help from this thread - I'm sure it was something from here that was the cure!

