OpenVPN route over IPSec?



  • So we have our HQ pfSense and our DC pfSense. HQ pfSense has an IPsec to DC and then also OpenVPN.

    HQ(192.168.2.0/24) <---IPsec---> DC(192.168.30.0/24)
    
    HQ(192.168.2.0/24) <---OpenVPN---> Users Home(10.0.8.0/24)
    

    The user can talk with everything on the 2.0/24 with 0 issues. However, they cannot speak with the 30.0/24 network at all. We've tried:

    push "route 192.168.30.0 255.255.255.0";
    

    in OpenVPN > Settings > Advanced Configuration, to no avail.

    Any ideas on why this would not work?


  • Rebel Alliance Developer Netgate

    The IPsec tunnel needs a Phase 2 entry on both sides for the 192.168.30.x to/from 10.0.8.x path.



  • @jimp:

    The IPsec tunnel needs a Phase 2 entry on both sides for the 192.168.30.x to/from 10.0.8.x path.

    Thanks for the response Jim.

    Here is what we've done:

    DC pfSense(192.168.30.x)(See Screenshot):

    
    Tunnel - LAN - 192.168.2.0/24 - ESP - AES(256) - SHA1
    Tunnel - LAN - 10.0.8.0/24    - ESP - AES(256) - SHA1
    

    HQ pfSense(192.168.2.0/24 & 10.0.8.0)(See Screenshot):

    Tunnel - VN(.2 nic)   - 192.168.30.0/24 - ESP - AES(256) - SHA1
    Tunnel - 10.0.8.0/24  - 192.168.30.0/24 - ESP - AES(256) - SHA1
    

    When we do this the IPSec breaks.

    Are the new Phase 2s set up properly?
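A quick way to sanity-check the two Phase 2 tables above before applying them: every entry on one side needs an exact mirror (local and remote swapped) on the other, and the OpenVPN client flow must match a selector in both directions. This is an added checker, not part of the thread or of pfSense; the selector lists are transcribed from the post (DC "LAN" = 192.168.30.0/24, HQ "VN(.2 nic)" = 192.168.2.0/24) and the test addresses are constructed.

```python
import ipaddress

# (local, remote) Phase 2 selectors per side, transcribed from the two tables in the post.
HQ_P2 = [("192.168.2.0/24", "192.168.30.0/24"), ("10.0.8.0/24", "192.168.30.0/24")]
DC_P2 = [("192.168.30.0/24", "192.168.2.0/24"), ("192.168.30.0/24", "10.0.8.0/24")]


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def unmirrored(side_a, side_b):
    """Entries of side_a that have no exact mirror (local/remote swapped) on side_b.
    A non-empty result is the classic cause of 'failed to get sainfo' on the responder."""
    mirrors = {(_net(l), _net(r)) for l, r in side_b}
    return [(l, r) for l, r in side_a if (_net(r), _net(l)) not in mirrors]


def overlapping(side):
    """Pairs of entries on ONE side whose selectors overlap, which makes SPD matching ambiguous."""
    found = []
    for i, (l1, r1) in enumerate(side):
        for l2, r2 in side[i + 1:]:
            if _net(l1).overlaps(_net(l2)) and _net(r1).overlaps(_net(r2)):
                found.append(((l1, r1), (l2, r2)))
    return found


def selector_for(side, src, dst):
    """The Phase 2 on this side that would carry a packet src -> dst, or None if unprotected."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for l, r in side:
        if s in _net(l) and d in _net(r):
            return (l, r)
    return None


def check_flow(src, dst):
    """A VPN client at src reaching dst needs HQ to match src->dst AND DC to match dst->src."""
    return {"hq_out": selector_for(HQ_P2, src, dst), "dc_back": selector_for(DC_P2, dst, src)}


if __name__ == "__main__":
    print("HQ entries without a DC mirror:", unmirrored(HQ_P2, DC_P2))
    print("DC entries without an HQ mirror:", unmirrored(DC_P2, HQ_P2))
    print("Overlaps on HQ:", overlapping(HQ_P2), "on DC:", overlapping(DC_P2))
    # Constructed client/server addresses: an OpenVPN user pinging a DC host.
    print("10.0.8.5 -> 192.168.30.10:", check_flow("10.0.8.5", "192.168.30.10"))
```

For the tables as posted, both mirror checks come back empty and the client flow matches on both sides, so the selectors themselves are consistent; a mask typo on either side (for example /23 instead of /24) shows up immediately as an unmirrored entry.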





  • Rebel Alliance Developer Netgate

    Looks OK. How does it break?



  • @jimp:

    Looks OK. How does it break?

    Thanks for the response. I tested it again last night and here is what happens:

    HQ pfSense(2.x) Enabled the phase2 and apply - IPSec still working but can't ping DC Network(30.x) from OpenVPN client.

    DC pfSense(30.x) Enabled the phase2 and apply - All hell breaks loose!

    
    Aug  6 23:24:43 jtcolofw racoon: INFO: unsupported PF_KEY message REGISTER
    Aug  6 23:24:43 jtcolofw racoon: ERROR: pfkey DELETE received: ESP DC-IP[500]->HQ-IP[500] spi=3439811675(0xcd075c5b)
    Aug  6 23:24:43 jtcolofw racoon: ERROR: no iph2 found: ESP HQ-IP[500]->DC-IP[500] spi=190368626(0xb58cb72)
    Aug  6 23:24:43 jtcolofw racoon: ERROR: no iph2 found: ESP HQ-IP[500]->DC-IP[500] spi=265860341(0xfd8b4f5)
    Aug  6 23:24:43 jtcolofw racoon: INFO: initiate new phase 2 negotiation: DC-IP[500]<=>HQ-IP[500]
    Aug  6 23:24:43 jtcolofw racoon: [HQ-IP] ERROR: notification INVALID-ID-INFORMATION received in informational exchange.
    Aug  6 23:24:43 jtcolofw racoon: INFO: respond new phase 2 negotiation: DC-IP[500]<=>HQ-IP[500]
    Aug  6 23:24:43 jtcolofw racoon: ERROR: failed to get sainfo.
    Aug  6 23:24:43 jtcolofw racoon: ERROR: failed to get sainfo.
    Aug  6 23:24:43 jtcolofw racoon: [HQ-IP] ERROR: failed to pre-process ph2 packet (side: 1, status: 1).
    Aug  6 23:24:43 jtcolofw racoon: INFO: unsupported PF_KEY message REGISTER
    Aug  6 23:24:43 jtcolofw racoon: INFO: initiate new phase 2 negotiation: DC-IP[500]<=>HQ-IP[500]
    Aug  6 23:24:47 jtcolofw racoon: INFO: respond new phase 2 negotiation: DC-IP[500]<=>HQ-IP[500]
    Aug  6 23:24:47 jtcolofw racoon: INFO: IPsec-SA established: ESP DC-IP[500]->HQ-IP[500] spi=47858997(0x2da4535)
    Aug  6 23:24:47 jtcolofw racoon: INFO: IPsec-SA established: ESP DC-IP[500]->HQ-IP[500] spi=3411040327(0xcb505847)
    Aug  6 23:24:47 jtcolofw racoon: [HQ-IP] ERROR: notification INVALID-ID-INFORMATION received in informational exchange.
    Aug  6 23:24:53 jtcolofw racoon: [HQ-IP] ERROR: notification INVALID-HASH-INFORMATION received in informational exchange.
    Aug  6 23:25:03 jtcolofw racoon: [HQ-IP] ERROR: notification INVALID-HASH-INFORMATION received in informational exchange.
    Aug  6 23:25:13 jtcolofw racoon: ERROR: HQ-IP give up to get IPsec-SA due to time up to wait.
    Aug  6 23:25:15 jtcolofw racoon: INFO: initiate new phase 2 negotiation: DC-IP[500]<=>HQ-IP[500]
    Aug  6 23:25:15 jtcolofw racoon: [HQ-IP] ERROR: notification INVALID-ID-INFORMATION received in informational exchange.
    Aug  6 23:25:25 jtcolofw racoon: [HQ-IP] ERROR: notification INVALID-HASH-INFORMATION received in informational exchange.
    Aug  6 23:25:35 jtcolofw racoon: [HQ-IP] ERROR: notification INVALID-HASH-INFORMATION received in informational exchange.
    Aug  6 23:25:39 jtcolofw racoon: INFO: unsupported PF_KEY message REGISTER
    Aug  6 23:25:39 jtcolofw racoon: ERROR: pfkey DELETE received: ESP DC-IP[500]->HQ-IP[500] spi=3411040327(0xcb505847)
    Aug  6 23:25:39 jtcolofw racoon: ERROR: no iph2 found: ESP HQ-IP[500]->DC-IP[500] spi=47858997(0x2da4535)
    Aug  6 23:25:39 jtcolofw racoon: ERROR: pfkey DELETE received: ESP HQ-IP[500]->DC-IP[500] spi=223732504(0xd55e318)
    Aug  6 23:25:39 jtcolofw racoon: INFO: unsupported PF_KEY message REGISTER
    Aug  6 23:25:39 jtcolofw racoon: INFO: respond new phase 2 negotiation: DC-IP[500]<=>HQ-IP[500]
    Aug  6 23:25:39 jtcolofw racoon: ERROR: failed to get sainfo.
    Aug  6 23:25:39 jtcolofw racoon: ERROR: failed to get sainfo.
    Aug  6 23:25:39 jtcolofw racoon: [HQ-IP] ERROR: failed to pre-process ph2 packet (side: 1, status: 1).
    Aug  6 23:25:40 jtcolofw racoon: INFO: initiate new phase 2 negotiation: DC-IP[500]<=>HQ-IP[500]
    Aug  6 23:25:43 jtcolofw racoon: INFO: respond new phase 2 negotiation: DC-IP[500]<=>HQ-IP[500]
    Aug  6 23:25:43 jtcolofw racoon: ERROR: failed to get sainfo.
    Aug  6 23:25:43 jtcolofw racoon: ERROR: failed to get sainfo.
    Aug  6 23:25:43 jtcolofw racoon: [HQ-IP] ERROR: failed to pre-process ph2 packet (side: 1, status: 1).
    Aug  6 23:25:51 jtcolofw racoon: [HQ-IP] ERROR: notification PAYLOAD-MALFORMED received in informational exchange.
    Aug  6 23:25:51 jtcolofw racoon: INFO: respond new phase 2 negotiation: DC-IP[500]<=>HQ-IP[500]
    Aug  6 23:25:51 jtcolofw racoon: ERROR: failed to get sainfo.
    Aug  6 23:25:51 jtcolofw racoon: ERROR: failed to get sainfo.
    Aug  6 23:25:51 jtcolofw racoon: [HQ-IP] ERROR: failed to pre-process ph2 packet (side: 1, status: 1).
    Aug  6 23:26:01 jtcolofw racoon: [HQ-IP] ERROR: notification INVALID-HASH-INFORMATION received in informational exchange.
    Aug  6 23:26:04 jtcolofw racoon: INFO: respond new phase 2 negotiation: DC-IP[500]<=>HQ-IP[500]
    Aug  6 23:26:04 jtcolofw racoon: ERROR: failed to get sainfo.
    Aug  6 23:26:04 jtcolofw racoon: ERROR: failed to get sainfo.
    Aug  6 23:26:04 jtcolofw racoon: [HQ-IP] ERROR: failed to pre-process ph2 packet (side: 1, status: 1).
    Aug  6 23:26:10 jtcolofw racoon: ERROR: HQ-IP give up to get IPsec-SA due to time up to wait.
    Aug  6 23:26:12 jtcolofw racoon: INFO: initiate new phase 2 negotiation: DC-IP[500]<=>HQ-IP[500]
    Aug  6 23:26:14 jtcolofw racoon: [HQ-IP] INFO: DPD: remote (ISAKMP-SA spi=5e5ce4a5c125bd14:fcd270cb4c9238f2) seems to be dead.
    Aug  6 23:26:14 jtcolofw racoon: INFO: purging ISAKMP-SA spi=5e5ce4a5c125bd14:fcd270cb4c9238f2.
    Aug  6 23:26:14 jtcolofw racoon: INFO: purged IPsec-SA spi=225969223.
    Aug  6 23:26:14 jtcolofw racoon: INFO: purged ISAKMP-SA spi=5e5ce4a5c125bd14:fcd270cb4c9238f2.
    Aug  6 23:26:14 jtcolofw racoon: INFO: ISAKMP-SA deleted DC-IP[500]-HQ-IP[500] spi:5e5ce4a5c125bd14:fcd270cb4c9238f2
    Aug  6 23:26:19 jtcolofw racoon: INFO: IPsec-SA request for HQ-IP queued due to no phase1 found.
    Aug  6 23:26:19 jtcolofw racoon: INFO: initiate new phase 1 negotiation: DC-IP[500]<=>HQ-IP[500]
    
    
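The racoon output above is mostly noise around a few telling lines. This added triage script (not from the thread or from pfSense) tags each line by what it says about the negotiation: "failed to get sainfo" is racoon failing to find a Phase 2 (SA info) selector set matching what the peer proposed, INVALID-ID-INFORMATION is the peer rejecting the proposed identities, and the DPD/purge lines are the Phase 1 being torn down afterwards. The sample is six lines taken from the posted log; the category names and the verdict threshold are this script's own.

```python
import re
from collections import Counter

# Six lines in the shape of the posted racoon log (timestamps, host and SPIs as posted).
SAMPLE_LOG = """\
Aug  6 23:24:43 jtcolofw racoon: ERROR: no iph2 found: ESP HQ-IP[500]->DC-IP[500] spi=190368626(0xb58cb72)
Aug  6 23:24:43 jtcolofw racoon: [HQ-IP] ERROR: notification INVALID-ID-INFORMATION received in informational exchange.
Aug  6 23:24:43 jtcolofw racoon: ERROR: failed to get sainfo.
Aug  6 23:24:47 jtcolofw racoon: INFO: IPsec-SA established: ESP DC-IP[500]->HQ-IP[500] spi=47858997(0x2da4535)
Aug  6 23:26:14 jtcolofw racoon: [HQ-IP] INFO: DPD: remote (ISAKMP-SA spi=5e5ce4a5c125bd14:fcd270cb4c9238f2) seems to be dead.
Aug  6 23:26:19 jtcolofw racoon: INFO: initiate new phase 1 negotiation: DC-IP[500]<=>HQ-IP[500]
"""

# Message signature -> category (category names are this script's own labels).
SIGNATURES = [
    (re.compile(r"failed to get sainfo"), "p2_selector_mismatch"),
    (re.compile(r"INVALID-ID-INFORMATION"), "p2_selector_mismatch"),
    (re.compile(r"no iph2 found"), "p2_state_lost"),
    (re.compile(r"INVALID-HASH-INFORMATION|PAYLOAD-MALFORMED"), "p2_negotiation_garbled"),
    (re.compile(r"IPsec-SA established"), "p2_established"),
    (re.compile(r"DPD: .*seems to be dead|purg(ing|ed) ISAKMP-SA"), "p1_torn_down"),
    (re.compile(r"phase 1 negotiation"), "p1_negotiation"),
]

# syslog prefix as pfSense 2.1 writes it: "Mon  D HH:MM:SS host racoon: message"
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) racoon: (?P<msg>.*)$")


def classify(line):
    """(timestamp, category) for one racoon line; category None if uninteresting, None if not racoon."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    for rx, cat in SIGNATURES:
        if rx.search(m.group("msg")):
            return m.group("ts"), cat
    return m.group("ts"), None


def triage(text):
    """Count categories; more selector rejections than established SAs points at a Phase 2 mismatch."""
    counts = Counter(r[1] for line in text.splitlines() if (r := classify(line)) and r[1])
    p2_bad = counts["p2_selector_mismatch"] + counts["p2_negotiation_garbled"]
    verdict = "phase2_mismatch_likely" if p2_bad > counts["p2_established"] else "inconclusive"
    return {"counts": dict(counts), "verdict": verdict}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```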

  • Rebel Alliance Developer Netgate

    The error messages are indicative of a Phase 2 mismatch. Something must not line up like it wants. You can enable debug mode for IPsec to maybe get better info. From the log messages it looks like you're still on pfSense 2.1.x or earlier, so it's a little tricky to get useful debugging info from the logs as it's very chatty.



  • The DC pfSense is still on 2.1

    HQ is on 2.2.2

    I will turn on the extra IPsec debugging and report back.

    Thanks.