    OpenVPN route over IPSec?

    Ipeek:

      So we have our HQ pfSense and our DC pfSense. HQ pfSense has an IPSec to DC and then also OpenVPN.

      HQ(192.168.2.0/24) <---IPSec---> DC(192.168.30.0/24)

      HQ(192.168.2.0/24) <---OpenVPN---> Users Home(10.0.8.0/24)
      

      The user can talk with everything on the 2.0/24 with 0 issues. However, they cannot speak with the 30.0/24 network at all. We've tried:

      push "route 192.168.30.0 255.255.255.0";
      

      in OpenVPN > Settings > Advanced Configuration, to no avail.

      Any ideas on why this would not work?

      jimp (Rebel Alliance Developer, Netgate):

        The IPsec tunnel needs a Phase 2 entry on both sides for the 192.168.30.x to/from 10.0.8.x path.

        Ipeek:

          @jimp:

          The IPsec tunnel needs a Phase 2 entry on both sides for the 192.168.30.x to/from 10.0.8.x path.

          Thanks for the response Jim.

          Here is what we've done:

          DC pfSense (192.168.30.x) (see screenshot):

          
          Tunnel - LAN - 192.168.2.0/24 - ESP - AES(256) - SHA1
          Tunnel - LAN - 10.0.8.0/24       - ESP - AES(256) - SHA1
          

          HQ pfSense (192.168.2.0/24 & 10.0.8.0) (see screenshot):

          Tunnel - VN(.2 nic)   - 192.168.30.0/24 - ESP - AES(256) - SHA1
          Tunnel - 10.0.8.0/24  - 192.168.30.0/24 - ESP - AES(256) - SHA1
          

          When we do this the IPSec breaks.

          Are the new phase 2's set up properly?




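As an added example (not code from the thread or from pfSense), a small script that checks the property jimp's answer relies on: every Phase 2 entry on one peer must have a mirrored counterpart (local and remote swapped, same proposal) on the other. It assumes DC's "LAN" is 192.168.30.0/24 and HQ's "VN (.2 nic)" is 192.168.2.0/24, as the post implies; the typo variant at the end is constructed.

```python
# Added example, not from the thread: verify that the Phase 2 entries on two
# pfSense peers mirror each other (peer A's local/remote == peer B's remote/local).
# Subnet strings are normalised so a host address typed instead of a network
# address still compares correctly.
import ipaddress
from typing import NamedTuple

class Phase2(NamedTuple):
    local: str    # local subnet selector, as entered in the pfSense P2 form
    remote: str   # remote subnet selector
    proto: str    # ESP or AH
    enc: str      # e.g. AES(256)
    hash: str     # e.g. SHA1

def normalise(e: Phase2) -> Phase2:
    """Canonical form: network addresses (host bits cleared), upper-case algorithm names."""
    return Phase2(str(ipaddress.ip_network(e.local, strict=False)),
                  str(ipaddress.ip_network(e.remote, strict=False)),
                  e.proto.upper(), e.enc.upper(), e.hash.upper())

def mirror(e: Phase2) -> Phase2:
    """What the peer must configure for entry e: local and remote swapped."""
    return Phase2(e.remote, e.local, e.proto, e.enc, e.hash)

def unmatched(side_a, side_b):
    """Entries on each side that have no mirrored counterpart on the other side."""
    a = {normalise(e) for e in side_a}
    b = {normalise(e) for e in side_b}
    only_a = sorted(e for e in a if mirror(e) not in b)
    only_b = sorted(e for e in b if mirror(e) not in a)
    return only_a, only_b

# The four entries as listed in the thread (DC side, then HQ side); assumed subnets for LAN / VN.
DC = [Phase2("192.168.30.0/24", "192.168.2.0/24", "ESP", "AES(256)", "SHA1"),
      Phase2("192.168.30.0/24", "10.0.8.0/24",    "ESP", "AES(256)", "SHA1")]
HQ = [Phase2("192.168.2.0/24", "192.168.30.0/24", "ESP", "AES(256)", "SHA1"),
      Phase2("10.0.8.0/24",    "192.168.30.0/24", "ESP", "AES(256)", "SHA1")]

# Constructed variant (not from the thread): the HQ OpenVPN entry typed with the
# wrong remote mask, the kind of slip the eye misses in the GUI listing.
HQ_TYPO = HQ[:1] + [Phase2("10.0.8.0/24", "192.168.30.0/25", "ESP", "AES(256)", "SHA1")]

if __name__ == "__main__":
    print("as posted:", unmatched(DC, HQ))        # ([], [])
    print("with typo:", unmatched(DC, HQ_TYPO))   # one orphan entry on each side
```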
          jimp (Rebel Alliance Developer, Netgate):

            Looks OK. How does it break?

            Ipeek:

              @jimp:

              Looks OK. How does it break?

              Thanks for the response. I tested it again last night and here is what happens:

              HQ pfSense (2.x): enabled the phase 2 and applied - IPSec still working, but can't ping DC network (30.x) from OpenVPN client.

              DC pfSense (30.x): enabled the phase 2 and applied - all hell breaks loose!

              
              Aug  6 23:24:43 jtcolofw racoon: INFO: unsupported PF_KEY message REGISTER
              Aug  6 23:24:43 jtcolofw racoon: ERROR: pfkey DELETE received: ESP DC-IP[500]->HQ-IP[500] spi=3439811675(0xcd075c5b)
              Aug  6 23:24:43 jtcolofw racoon: ERROR: no iph2 found: ESP HQ-IP[500]->DC-IP[500] spi=190368626(0xb58cb72)
              Aug  6 23:24:43 jtcolofw racoon: ERROR: no iph2 found: ESP HQ-IP[500]->DC-IP[500] spi=265860341(0xfd8b4f5)
              Aug  6 23:24:43 jtcolofw racoon: INFO: initiate new phase 2 negotiation: DC-IP[500]<=>HQ-IP[500]
              Aug  6 23:24:43 jtcolofw racoon: [HQ-IP] ERROR: notification INVALID-ID-INFORMATION received in informational exchange.
              Aug  6 23:24:43 jtcolofw racoon: INFO: respond new phase 2 negotiation: DC-IP[500]<=>HQ-IP[500]
              Aug  6 23:24:43 jtcolofw racoon: ERROR: failed to get sainfo.
              Aug  6 23:24:43 jtcolofw racoon: ERROR: failed to get sainfo.
              Aug  6 23:24:43 jtcolofw racoon: [HQ-IP] ERROR: failed to pre-process ph2 packet (side: 1, status: 1).
              Aug  6 23:24:43 jtcolofw racoon: INFO: unsupported PF_KEY message REGISTER
              Aug  6 23:24:43 jtcolofw racoon: INFO: initiate new phase 2 negotiation: DC-IP[500]<=>HQ-IP[500]
              Aug  6 23:24:47 jtcolofw racoon: INFO: respond new phase 2 negotiation: DC-IP[500]<=>HQ-IP[500]
              Aug  6 23:24:47 jtcolofw racoon: INFO: IPsec-SA established: ESP DC-IP[500]->HQ-IP[500] spi=47858997(0x2da4535)
              Aug  6 23:24:47 jtcolofw racoon: INFO: IPsec-SA established: ESP DC-IP[500]->HQ-IP[500] spi=3411040327(0xcb505847)
              Aug  6 23:24:47 jtcolofw racoon: [HQ-IP] ERROR: notification INVALID-ID-INFORMATION received in informational exchange.
              Aug  6 23:24:53 jtcolofw racoon: [HQ-IP] ERROR: notification INVALID-HASH-INFORMATION received in informational exchange.
              Aug  6 23:25:03 jtcolofw racoon: [HQ-IP] ERROR: notification INVALID-HASH-INFORMATION received in informational exchange.
              Aug  6 23:25:13 jtcolofw racoon: ERROR: HQ-IP give up to get IPsec-SA due to time up to wait.
              Aug  6 23:25:15 jtcolofw racoon: INFO: initiate new phase 2 negotiation: DC-IP[500]<=>HQ-IP[500]
              Aug  6 23:25:15 jtcolofw racoon: [HQ-IP] ERROR: notification INVALID-ID-INFORMATION received in informational exchange.
              Aug  6 23:25:25 jtcolofw racoon: [HQ-IP] ERROR: notification INVALID-HASH-INFORMATION received in informational exchange.
              Aug  6 23:25:35 jtcolofw racoon: [HQ-IP] ERROR: notification INVALID-HASH-INFORMATION received in informational exchange.
              Aug  6 23:25:39 jtcolofw racoon: INFO: unsupported PF_KEY message REGISTER
              Aug  6 23:25:39 jtcolofw racoon: ERROR: pfkey DELETE received: ESP DC-IP[500]->HQ-IP[500] spi=3411040327(0xcb505847)
              Aug  6 23:25:39 jtcolofw racoon: ERROR: no iph2 found: ESP HQ-IP[500]->DC-IP[500] spi=47858997(0x2da4535)
              Aug  6 23:25:39 jtcolofw racoon: ERROR: pfkey DELETE received: ESP HQ-IP[500]->DC-IP[500] spi=223732504(0xd55e318)
              Aug  6 23:25:39 jtcolofw racoon: INFO: unsupported PF_KEY message REGISTER
              Aug  6 23:25:39 jtcolofw racoon: INFO: respond new phase 2 negotiation: DC-IP[500]<=>HQ-IP[500]
              Aug  6 23:25:39 jtcolofw racoon: ERROR: failed to get sainfo.
              Aug  6 23:25:39 jtcolofw racoon: ERROR: failed to get sainfo.
              Aug  6 23:25:39 jtcolofw racoon: [HQ-IP] ERROR: failed to pre-process ph2 packet (side: 1, status: 1).
              Aug  6 23:25:40 jtcolofw racoon: INFO: initiate new phase 2 negotiation: DC-IP[500]<=>HQ-IP[500]
              Aug  6 23:25:43 jtcolofw racoon: INFO: respond new phase 2 negotiation: DC-IP[500]<=>HQ-IP[500]
              Aug  6 23:25:43 jtcolofw racoon: ERROR: failed to get sainfo.
              Aug  6 23:25:43 jtcolofw racoon: ERROR: failed to get sainfo.
              Aug  6 23:25:43 jtcolofw racoon: [HQ-IP] ERROR: failed to pre-process ph2 packet (side: 1, status: 1).
              Aug  6 23:25:51 jtcolofw racoon: [HQ-IP] ERROR: notification PAYLOAD-MALFORMED received in informational exchange.
              Aug  6 23:25:51 jtcolofw racoon: INFO: respond new phase 2 negotiation: DC-IP[500]<=>HQ-IP[500]
              Aug  6 23:25:51 jtcolofw racoon: ERROR: failed to get sainfo.
              Aug  6 23:25:51 jtcolofw racoon: ERROR: failed to get sainfo.
              Aug  6 23:25:51 jtcolofw racoon: [HQ-IP] ERROR: failed to pre-process ph2 packet (side: 1, status: 1).
              Aug  6 23:26:01 jtcolofw racoon: [HQ-IP] ERROR: notification INVALID-HASH-INFORMATION received in informational exchange.
              Aug  6 23:26:04 jtcolofw racoon: INFO: respond new phase 2 negotiation: DC-IP[500]<=>HQ-IP[500]
              Aug  6 23:26:04 jtcolofw racoon: ERROR: failed to get sainfo.
              Aug  6 23:26:04 jtcolofw racoon: ERROR: failed to get sainfo.
              Aug  6 23:26:04 jtcolofw racoon: [HQ-IP] ERROR: failed to pre-process ph2 packet (side: 1, status: 1).
              Aug  6 23:26:10 jtcolofw racoon: ERROR: HQ-IP give up to get IPsec-SA due to time up to wait.
              Aug  6 23:26:12 jtcolofw racoon: INFO: initiate new phase 2 negotiation: DC-IP[500]<=>HQ-IP[500]
              Aug  6 23:26:14 jtcolofw racoon: [HQ-IP] INFO: DPD: remote (ISAKMP-SA spi=5e5ce4a5c125bd14:fcd270cb4c9238f2) seems to be dead.
              Aug  6 23:26:14 jtcolofw racoon: INFO: purging ISAKMP-SA spi=5e5ce4a5c125bd14:fcd270cb4c9238f2.
              Aug  6 23:26:14 jtcolofw racoon: INFO: purged IPsec-SA spi=225969223.
              Aug  6 23:26:14 jtcolofw racoon: INFO: purged ISAKMP-SA spi=5e5ce4a5c125bd14:fcd270cb4c9238f2.
              Aug  6 23:26:14 jtcolofw racoon: INFO: ISAKMP-SA deleted DC-IP[500]-HQ-IP[500] spi:5e5ce4a5c125bd14:fcd270cb4c9238f2
              Aug  6 23:26:19 jtcolofw racoon: INFO: IPsec-SA request for HQ-IP queued due to no phase1 found.
              Aug  6 23:26:19 jtcolofw racoon: INFO: initiate new phase 1 negotiation: DC-IP[500]<=>HQ-IP[500]
              
              
              jimp (Rebel Alliance Developer, Netgate):

                The error messages are indicative of a Phase 2 mismatch. Something must not line up like it wants. You can enable debug mode for IPsec to maybe get better info. From the log messages it looks like you're still on pfSense 2.1.x or earlier, so it's a little tricky to get useful debugging info from the logs as it's very chatty.

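As an added example (not code from the thread or from pfSense), a triage script that reduces a chatty racoon log of the kind posted above to a count of the symptom groups jimp's diagnosis points at; the rule labels and the verdict wording are assumptions of this example, and the sample lines are copied from the thread.

```python
# Added example, not from the thread: classify racoon (pfSense 2.1.x) IPsec log lines
# into the symptom groups jimp's diagnosis points at, so a long chatty log can be
# summarised instead of read line by line. Sample lines are copied from the thread.
import re
from collections import Counter

# Each rule: a symptom label and the substring that identifies it in racoon's output.
RULES = [
    ("p2_no_matching_selector", "failed to get sainfo"),   # peer proposed IDs we have no P2 for
    ("p2_peer_rejected_ids",    "INVALID-ID-INFORMATION"), # peer has no P2 for the IDs we sent
    ("p2_hash_mismatch",        "INVALID-HASH-INFORMATION"),
    ("p2_timeout",              "give up to get IPsec-SA"),
    ("p2_established",          "IPsec-SA established"),
    ("p1_torn_down",            "seems to be dead"),       # DPD declared the peer dead
]
LINE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ racoon: (?P<msg>.*)$")

def classify(line):
    """Return the symptom label for one racoon line, or None if no rule matches."""
    m = LINE.match(line)
    if not m:
        return None
    return next((label for label, needle in RULES if needle in m.group("msg")), None)

def triage(lines):
    """Count symptoms and derive a one-line verdict from their combination."""
    counts = Counter(label for label in map(classify, lines) if label)
    mismatch = counts["p2_no_matching_selector"] + counts["p2_peer_rejected_ids"]
    if mismatch and counts["p2_established"]:
        verdict = "phase 2 mismatch on some entries; other phase 2s still come up"
    elif mismatch:
        verdict = "phase 2 mismatch"
    elif counts["p1_torn_down"]:
        verdict = "phase 1 lost (DPD); check reachability and phase 1 settings"
    else:
        verdict = "no IPsec negotiation symptoms matched"
    return counts, verdict

SAMPLE = """\
Aug  6 23:24:43 jtcolofw racoon: INFO: respond new phase 2 negotiation: DC-IP[500]<=>HQ-IP[500]
Aug  6 23:24:43 jtcolofw racoon: ERROR: failed to get sainfo.
Aug  6 23:24:43 jtcolofw racoon: [HQ-IP] ERROR: notification INVALID-ID-INFORMATION received in informational exchange.
Aug  6 23:24:47 jtcolofw racoon: INFO: IPsec-SA established: ESP DC-IP[500]->HQ-IP[500] spi=47858997(0x2da4535)
Aug  6 23:25:13 jtcolofw racoon: ERROR: HQ-IP give up to get IPsec-SA due to time up to wait.
Aug  6 23:26:14 jtcolofw racoon: [HQ-IP] INFO: DPD: remote (ISAKMP-SA spi=5e5ce4a5c125bd14:fcd270cb4c9238f2) seems to be dead.
""".splitlines()

if __name__ == "__main__":
    counts, verdict = triage(SAMPLE)
    print(dict(counts), "->", verdict)
```

Established SAs appearing next to "failed to get sainfo" in the same log is the tell that one Phase 2 still matches while another does not.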
                Ipeek:

                  The DC pfSense is still on 2.1

                  HQ is on 2.2.2

                  I will turn on the extra IPsec debugging and report back.

                  Thanks.
