2 tunnels : same remote config, but 2 different local subnets



  • Hello,

    I have two IPSEC tunnels created.

    The remote parameters for both tunnels are exactly the same.

    The only difference between the 2 tunnels is the local subnet. The first tunnel is for local subnet 192.168.1.0, the second tunnel is for local subnet 192.168.2.0.

    They both look ON (green) on the Ipsec Overview Status.

    But I always have the following error messages:


    racoon: ERROR: such policy already exists. anyway replace it: 192.168.2.0/24[0] 10.76.20.92/32[0] proto=any dir=out
    racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 10.76.20.92/32[0] proto=any dir=out
    racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.1/32[0] 192.168.1.0/24[0] proto=any dir=out
    racoon: ERROR: such policy already exists. anyway replace it: 10.76.20.92/32[0] 192.168.2.0/24[0] proto=any dir=in
    racoon: ERROR: such policy already exists. anyway replace it: 10.76.20.92/32[0] 192.168.1.0/24[0] proto=any dir=in
    racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.1.1/32[0] proto=any dir=in


    Does pfSense allow creating tunnels that similar (I mean tunnels that differ only in the local subnet)?

    And if so, will these error messages "lead" to some communication errors?

    Thank you.

    (pfsense 1.2)
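An added check, not from this thread and not pfSense's or racoon's own code, that parses exactly these racoon messages into SPD selectors and reports whether any of them actually collide: the same selector installed twice, or two same-direction selectors whose source and destination ranges both overlap. In the quoted log every selector appears exactly once and the two tunnels' selectors are disjoint, which is what a reload of already-installed policies looks like rather than two tunnels fighting over the same traffic. The `BAD_LOG` sample is a constructed counter-example, and the function names are this example's own.

```python
import re
from collections import Counter
from ipaddress import ip_network
from itertools import combinations

# Constructed sample input: the racoon messages quoted in the first post of this thread.
RACOON_LOG = """\
racoon: ERROR: such policy already exists. anyway replace it: 192.168.2.0/24[0] 10.76.20.92/32[0] proto=any dir=out
racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 10.76.20.92/32[0] proto=any dir=out
racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.1/32[0] 192.168.1.0/24[0] proto=any dir=out
racoon: ERROR: such policy already exists. anyway replace it: 10.76.20.92/32[0] 192.168.2.0/24[0] proto=any dir=in
racoon: ERROR: such policy already exists. anyway replace it: 10.76.20.92/32[0] 192.168.1.0/24[0] proto=any dir=in
racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.1.1/32[0] proto=any dir=in
"""

# Constructed counter-example (hypothetical, not from the thread): one selector installed
# twice, plus a second phase 2 entry covering traffic the first one already claims.
BAD_LOG = """\
racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 10.76.20.0/24[0] proto=any dir=out
racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 10.76.20.92/32[0] proto=any dir=out
racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 10.76.20.92/32[0] proto=any dir=out
"""

POLICY_RE = re.compile(
    r"such policy already exists\. anyway replace it: "
    r"(?P<src>\S+)\[\d+\] (?P<dst>\S+)\[\d+\] proto=(?P<proto>\S+) dir=(?P<dir>in|out)"
)


def parse_policies(log_text):
    """Extract (src, dst, proto, dir) selector tuples from racoon's
    'such policy already exists' lines; any other line is ignored."""
    policies = []
    for line in log_text.splitlines():
        m = POLICY_RE.search(line)
        if m:
            policies.append((m["src"], m["dst"], m["proto"], m["dir"]))
    return policies


def duplicate_policies(policies):
    """Selectors reported more than once in the same log: two phase 2 entries
    that describe the identical policy and keep replacing each other in the SPD."""
    counts = Counter(policies)
    return sorted(p for p, n in counts.items() if n > 1)


def overlapping_policies(policies):
    """Pairs of distinct same-direction policies whose source ranges overlap AND
    whose destination ranges overlap, so one selector would shadow the other."""
    found = []
    for a, b in combinations(sorted(set(policies)), 2):
        if a[3] != b[3]:
            continue  # in/out policies never compete with each other
        src_overlap = ip_network(a[0], strict=False).overlaps(ip_network(b[0], strict=False))
        dst_overlap = ip_network(a[1], strict=False).overlaps(ip_network(b[1], strict=False))
        if src_overlap and dst_overlap:
            found.append((a, b))
    return found


def analyse(log_text):
    """Summarise a racoon log: number of policy messages, exact duplicates,
    and overlapping selector pairs. Empty duplicates and overlaps mean the
    messages are re-installs of disjoint policies, not a tunnel conflict."""
    policies = parse_policies(log_text)
    return {
        "policies": len(policies),
        "duplicates": duplicate_policies(policies),
        "overlaps": overlapping_policies(policies),
    }


if __name__ == "__main__":
    for name, log in (("thread log", RACOON_LOG), ("constructed bad log", BAD_LOG)):
        print(name, analyse(log))
```

Run it against a pasted racoon log: a non-empty `duplicates` or `overlaps` list is the case worth fixing in the phase 2 definitions, while a log where every selector appears once with no overlaps, as in the thread, only tells you that racoon re-applied policies it already had.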



  • From the same WAN IP with a different subnet on one side you need different FQDNs. Parallel tunnels with the same WAN IP run only in aggressive mode. The FQDN name is your free choice.

    Example:

    192.168.6.0/24 ----> FQDN : dmz@pfsense.org --> 192.168.10.0/24 (Same WAN IP)
    192.168.6.0/24 -----> FQDN : lan@pfsense.org --> 192.168.20.0/24 (Same WAN IP)



  • Sorry if this is a dumb question but I am doing the same thing and was looking for a few more details.

    I have the following:

    MAN1 going to pfsense WAN w/ lan 172.16.22.0
    MAN1 going to pfsense WAN w/ lan2 10.50.75.0

    The MAN1 has one pub IP and one LAN subnet, the WAN on the other end has 2 LAN subnets.

    I tried to set the pfSense side that had 2 LAN subnets to use My identifier: User FQDN: casa@mydomain.com on the first one and phones@mydomain.com on the second one, however the VPNs went down and stayed dead. Do I need to set the other side to match on the User FQDN or did I miss something?

    I am running 1.2final.

    Thx



  • Yes, you need on both endpoints the same FQDN identifier but different LAN subnets, that's the trick.



  • So because only 1 end has multiple subnets this won't work? Or am I misunderstanding, and so long as I use FQDN and they match on both sides for both tunnels (each tunnel a unique FQDN of course) I am good?

    One end has 1 pub and 1 LAN subnet, the other has 1 pub and 2 LAN subnets.

    Right now I have the original poster's problem but they do work, it just is a mess.

