4. OpenVPN route over IPSec?

OpenVPN route over IPSec?

  • I

    So we have our HQ pfSense and our DC pfSense. HQ pfSense has and IPSec to DC and then also OpenVPN.

    HQ(192.168.2.0/24) <---IpSec---> DC(192.168.30.0/24)

HQ(192.168.2.0/24 <---OpenVPN--->Users Home(10.0.8.0/24)

    The User can talk with everything on the 2.0/24 with 0 issues. However they can not speak with the 30.0/24 network at all. We've tried:

    push "route 192.168.30.0 255.255.255.0";

    In OpenVPN > Settings > Advanced Configuration to No Avail.

    Any ideas on why this would not work?

    0
  • Rebel Alliance Developer Netgate

    The IPsec tunnel needs a Phase 2 entry on both sides for the 192.168.30.x to/from 10.0.8.x path.

    0
  • I

    @jimp:

    The IPsec tunnel needs a Phase 2 entry on both sides for the 192.168.30.x to/from 10.0.8.x path.

    Thanks for the response Jim.

    Here is what we've done:

    DC pfSense(192.168.30.x)(See Screenshot):

    
Tunnel - LAN - 192.168.2.0/24 - ESP - AES(256) - SHA1
Tunnel - LAN - 10.0.8.0/24       - ESP - AES(256) - SHA1

    HQ pfSense(192.168.2.0/24 & 10.0.8.0)(See Screenshot):

    Tunnel - VN(.2 nic)   - 192.168.30.0/24 - ESP - AES(256) - SHA1
Tunnel - 10.0.8.0/24  - 192.168.30.0/24 - ESP - AES(256) - SHA1

    When we do this the IPSec breaks.

    Are the new phase 2's setup properly?




    0
  • Rebel Alliance Developer Netgate

    Looks OK. How does it break?

    0
  • I

    @jimp:

    Looks OK. How does it break?

    Thanks for the response. I tested it again last night and here is what happens:

    HQ pfSense(2.x) Enabled the phase2 and apply - IPSec still working but cant ping DC Network(30.x) from OpenVPN client.

    DC pfSense(30.x) Enabled the phase2 and apply - All hell breaks loose!

    
Aug  6 23:24:43 jtcolofw racoon: INFO: unsupported PF_KEY message REGISTER
Aug  6 23:24:43 jtcolofw racoon: ERROR: pfkey DELETE received: ESP DC-IP[500]->HQ-IP[500] spi=3439811675(0xcd075c5b)
Aug  6 23:24:43 jtcolofw racoon: ERROR: no iph2 found: ESP HQ-IP[500]->DC-IP[500] spi=190368626(0xb58cb72)
Aug  6 23:24:43 jtcolofw racoon: ERROR: no iph2 found: ESP HQ-IP[500]->DC-IP[500] spi=265860341(0xfd8b4f5)
Aug  6 23:24:43 jtcolofw racoon: INFO: initiate new phase 2 negotiation: DC-IP[500]<=>HQ-IP[500]
Aug  6 23:24:43 jtcolofw racoon: [HQ-IP] ERROR: notification INVALID-ID-INFORMATION received in informational exchange.
Aug  6 23:24:43 jtcolofw racoon: INFO: respond new phase 2 negotiation: DC-IP[500]<=>HQ-IP[500]
Aug  6 23:24:43 jtcolofw racoon: ERROR: failed to get sainfo.
Aug  6 23:24:43 jtcolofw racoon: ERROR: failed to get sainfo.
Aug  6 23:24:43 jtcolofw racoon: [HQ-IP] ERROR: failed to pre-process ph2 packet (side: 1, status: 1).
Aug  6 23:24:43 jtcolofw racoon: INFO: unsupported PF_KEY message REGISTER
Aug  6 23:24:43 jtcolofw racoon: INFO: initiate new phase 2 negotiation: DC-IP[500]<=>HQ-IP[500]
Aug  6 23:24:47 jtcolofw racoon: INFO: respond new phase 2 negotiation: DC-IP[500]<=>HQ-IP[500]
Aug  6 23:24:47 jtcolofw racoon: INFO: IPsec-SA established: ESP DC-IP[500]->HQ-IP[500] spi=47858997(0x2da4535)
Aug  6 23:24:47 jtcolofw racoon: INFO: IPsec-SA established: ESP DC-IP[500]->HQ-IP[500] spi=3411040327(0xcb505847)
Aug  6 23:24:47 jtcolofw racoon: [HQ-IP] ERROR: notification INVALID-ID-INFORMATION received in informational exchange.
Aug  6 23:24:53 jtcolofw racoon: [HQ-IP] ERROR: notification INVALID-HASH-INFORMATION received in informational exchange.
Aug  6 23:25:03 jtcolofw racoon: [HQ-IP] ERROR: notification INVALID-HASH-INFORMATION received in informational exchange.
Aug  6 23:25:13 jtcolofw racoon: ERROR: HQ-IP give up to get IPsec-SA due to time up to wait.
Aug  6 23:25:15 jtcolofw racoon: INFO: initiate new phase 2 negotiation: DC-IP[500]<=>HQ-IP[500]
Aug  6 23:25:15 jtcolofw racoon: [HQ-IP] ERROR: notification INVALID-ID-INFORMATION received in informational exchange.
Aug  6 23:25:25 jtcolofw racoon: [HQ-IP] ERROR: notification INVALID-HASH-INFORMATION received in informational exchange.
Aug  6 23:25:35 jtcolofw racoon: [HQ-IP] ERROR: notification INVALID-HASH-INFORMATION received in informational exchange.
Aug  6 23:25:39 jtcolofw racoon: INFO: unsupported PF_KEY message REGISTER
Aug  6 23:25:39 jtcolofw racoon: ERROR: pfkey DELETE received: ESP DC-IP[500]->HQ-IP[500] spi=3411040327(0xcb505847)
Aug  6 23:25:39 jtcolofw racoon: ERROR: no iph2 found: ESP HQ-IP[500]->DC-IP[500] spi=47858997(0x2da4535)
Aug  6 23:25:39 jtcolofw racoon: ERROR: pfkey DELETE received: ESP HQ-IP[500]->DC-IP[500] spi=223732504(0xd55e318)
Aug  6 23:25:39 jtcolofw racoon: INFO: unsupported PF_KEY message REGISTER
Aug  6 23:25:39 jtcolofw racoon: INFO: respond new phase 2 negotiation: DC-IP[500]<=>HQ-IP[500]
Aug  6 23:25:39 jtcolofw racoon: ERROR: failed to get sainfo.
Aug  6 23:25:39 jtcolofw racoon: ERROR: failed to get sainfo.
Aug  6 23:25:39 jtcolofw racoon: [HQ-IP] ERROR: failed to pre-process ph2 packet (side: 1, status: 1).
Aug  6 23:25:40 jtcolofw racoon: INFO: initiate new phase 2 negotiation: DC-IP[500]<=>HQ-IP[500]
Aug  6 23:25:43 jtcolofw racoon: INFO: respond new phase 2 negotiation: DC-IP[500]<=>HQ-IP[500]
Aug  6 23:25:43 jtcolofw racoon: ERROR: failed to get sainfo.
Aug  6 23:25:43 jtcolofw racoon: ERROR: failed to get sainfo.
Aug  6 23:25:43 jtcolofw racoon: [HQ-IP] ERROR: failed to pre-process ph2 packet (side: 1, status: 1).
Aug  6 23:25:51 jtcolofw racoon: [HQ-IP] ERROR: notification PAYLOAD-MALFORMED received in informational exchange.
Aug  6 23:25:51 jtcolofw racoon: INFO: respond new phase 2 negotiation: DC-IP[500]<=>HQ-IP[500]
Aug  6 23:25:51 jtcolofw racoon: ERROR: failed to get sainfo.
Aug  6 23:25:51 jtcolofw racoon: ERROR: failed to get sainfo.
Aug  6 23:25:51 jtcolofw racoon: [HQ-IP] ERROR: failed to pre-process ph2 packet (side: 1, status: 1).
Aug  6 23:26:01 jtcolofw racoon: [HQ-IP] ERROR: notification INVALID-HASH-INFORMATION received in informational exchange.
Aug  6 23:26:04 jtcolofw racoon: INFO: respond new phase 2 negotiation: DC-IP[500]<=>HQ-IP[500]
Aug  6 23:26:04 jtcolofw racoon: ERROR: failed to get sainfo.
Aug  6 23:26:04 jtcolofw racoon: ERROR: failed to get sainfo.
Aug  6 23:26:04 jtcolofw racoon: [HQ-IP] ERROR: failed to pre-process ph2 packet (side: 1, status: 1).
Aug  6 23:26:10 jtcolofw racoon: ERROR: HQ-IP give up to get IPsec-SA due to time up to wait.
Aug  6 23:26:12 jtcolofw racoon: INFO: initiate new phase 2 negotiation: DC-IP[500]<=>HQ-IP[500]
Aug  6 23:26:14 jtcolofw racoon: [HQ-IP] INFO: DPD: remote (ISAKMP-SA spi=5e5ce4a5c125bd14:fcd270cb4c9238f2) seems to be dead.
Aug  6 23:26:14 jtcolofw racoon: INFO: purging ISAKMP-SA spi=5e5ce4a5c125bd14:fcd270cb4c9238f2.
Aug  6 23:26:14 jtcolofw racoon: INFO: purged IPsec-SA spi=225969223.
Aug  6 23:26:14 jtcolofw racoon: INFO: purged ISAKMP-SA spi=5e5ce4a5c125bd14:fcd270cb4c9238f2.
Aug  6 23:26:14 jtcolofw racoon: INFO: ISAKMP-SA deleted DC-IP[500]-HQ-IP[500] spi:5e5ce4a5c125bd14:fcd270cb4c9238f2
Aug  6 23:26:19 jtcolofw racoon: INFO: IPsec-SA request for HQ-IP queued due to no phase1 found.
Aug  6 23:26:19 jtcolofw racoon: INFO: initiate new phase 1 negotiation: DC-IP[500]<=>HQ-IP[500]
    0
  • Rebel Alliance Developer Netgate

    The error messages are indicative of a Phase 2 mismatch. Something must not line up like it wants. You can enabled debug mode for IPsec to maybe get better info. From the log messages it looks like you're still on pfSense 2.1.x or earlier, so it's a little tricky to get useful debugging info from the logs as it's very chatty.

    0
  • I

    The DC pfSense is still on 2.1

    HQ is on 2.2.2

    I will turn on the extra IPsec debugging and report back.

    Thanks.

    0
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy