Netgate Discussion Forum

    OpenVPN route over IPSec?
    • Ipeek

      So we have our HQ pfSense and our DC pfSense. HQ pfSense has an IPSec to DC and then also OpenVPN.

      HQ(192.168.2.0/24) <---IPSec---> DC(192.168.30.0/24)

      HQ(192.168.2.0/24) <---OpenVPN---> Users Home(10.0.8.0/24)

      The User can talk with everything on the 2.0/24 with 0 issues. However they cannot speak with the 30.0/24 network at all. We've tried:

      push "route 192.168.30.0 255.255.255.0";
      

      in OpenVPN > Settings > Advanced Configuration, to no avail.

      Any ideas on why this would not work?

      • jimp (Rebel Alliance Developer, Netgate)

        The IPsec tunnel needs a Phase 2 entry on both sides for the 192.168.30.x to/from 10.0.8.x path.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

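The point in the reply above is that an OpenVPN `push "route"` only steers the client's packet to the HQ pfSense box; whether that packet then enters the IPsec tunnel is decided by the Phase 2 traffic selectors, and each selector pair must exist, mirrored, on both peers. The following script is an added example for this thread (not pfSense's own code) that mirror-checks two peers' Phase 2 lists and reports which selector would carry a given packet. The entries are constructed from the subnets the thread describes; `HQ_P2_BAD` is an invented typo to show what a mismatch looks like.

```python
"""Mirror-check IPsec Phase 2 (traffic selector) entries on two pfSense peers.

Added example for this thread, not pfSense's own code. Entry values below are
constructed from the subnets the thread describes; the 'bad' HQ list is an
invented typo to show what a mismatch looks like."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Phase2:
    local: str      # pfSense P2 "Local Network"
    remote: str     # pfSense P2 "Remote Network"
    proposal: str   # protocol + encryption + hash, e.g. "ESP AES256 SHA1"


def _key(p: Phase2, warnings: list) -> tuple:
    """Normalize an entry to comparable networks; flag selectors with host bits set."""
    for raw in (p.local, p.remote):
        if ip_network(raw, strict=False).with_prefixlen != raw:
            warnings.append(f"host bits set in selector {raw!r}")
    return (ip_network(p.local, strict=False),
            ip_network(p.remote, strict=False),
            p.proposal.upper().replace(" ", ""))


def mirror_check(side_a: list, side_b: list) -> dict:
    """Return entries that have no mirror image on the other peer.

    (L, R, proposal) on side A is matched only by (R, L, proposal) on side B.
    An unmatched entry is what racoon reports as 'failed to get sainfo', and
    the peer answers it with INVALID-ID-INFORMATION."""
    warnings: list = []
    a = {_key(p, warnings): p for p in side_a}
    b = {_key(p, warnings): p for p in side_b}

    def mirror(k):
        return (k[1], k[0], k[2])

    return {
        "unmatched_a": [p for k, p in a.items() if mirror(k) not in b],
        "unmatched_b": [p for k, p in b.items() if mirror(k) not in a],
        "warnings": warnings,
    }


def selector_for(side: list, src: str, dst: str):
    """Which Phase 2 on this peer would carry a packet src -> dst, if any.

    The OpenVPN 'push route' only steers the client's packet to the HQ box;
    whether it then enters the IPsec tunnel is decided by these selectors."""
    s, d = ip_address(src), ip_address(dst)
    for p in side:
        if s in ip_network(p.local, strict=False) and d in ip_network(p.remote, strict=False):
            return p
    return None


# Constructed from the thread: DC lists both HQ-side networks as remote,
# HQ lists the DC LAN as remote from each of its two local networks.
DC_P2 = [Phase2("192.168.30.0/24", "192.168.2.0/24", "ESP AES256 SHA1"),
         Phase2("192.168.30.0/24", "10.0.8.0/24", "ESP AES256 SHA1")]
HQ_P2 = [Phase2("192.168.2.0/24", "192.168.30.0/24", "ESP AES256 SHA1"),
         Phase2("10.0.8.0/24", "192.168.30.0/24", "ESP AES256 SHA1")]
# Invented variant: OpenVPN tunnel network mistyped as a /23 on the HQ side.
HQ_P2_BAD = [HQ_P2[0], Phase2("10.0.8.0/23", "192.168.30.0/24", "ESP AES256 SHA1")]

if __name__ == "__main__":
    print("good config:", mirror_check(DC_P2, HQ_P2))
    print("bad config: ", mirror_check(DC_P2, HQ_P2_BAD))
    print("HQ selector for 10.0.8.6 -> 192.168.30.10:",
          selector_for(HQ_P2, "10.0.8.6", "192.168.30.10"))
```

`selector_for(HQ_P2, "10.0.8.6", "192.168.30.10")` returns the second HQ entry, which is exactly the entry the thread starter was missing; with only the LAN-to-DC entry present it returns `None`, and the push route alone cannot fix that.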
        • Ipeek

          @jimp:

          The IPsec tunnel needs a Phase 2 entry on both sides for the 192.168.30.x to/from 10.0.8.x path.

          Thanks for the response Jim.

          Here is what we've done:

          DC pfSense(192.168.30.x)(See Screenshot):

          
          Tunnel - LAN - 192.168.2.0/24 - ESP - AES(256) - SHA1
          Tunnel - LAN - 10.0.8.0/24    - ESP - AES(256) - SHA1
          

          HQ pfSense(192.168.2.0/24 & 10.0.8.0)(See Screenshot):

          Tunnel - VN(.2 nic)   - 192.168.30.0/24 - ESP - AES(256) - SHA1
          Tunnel - 10.0.8.0/24  - 192.168.30.0/24 - ESP - AES(256) - SHA1
          

          When we do this the IPSec breaks.

          Are the new Phase 2s set up properly?

          [Screenshots attached: 30.1remote.png (DC side), 2-7local.png (HQ side)]

          • jimp (Rebel Alliance Developer, Netgate)

            Looks OK. How does it break?


            • Ipeek

              @jimp:

              Looks OK. How does it break?

              Thanks for the response. I tested it again last night and here is what happens:

              HQ pfSense(2.x): Enabled the phase2 and applied - IPSec still working but can't ping DC Network(30.x) from OpenVPN client.

              DC pfSense(30.x) Enabled the phase2 and apply - All hell breaks loose!

              
              Aug  6 23:24:43 jtcolofw racoon: INFO: unsupported PF_KEY message REGISTER
              Aug  6 23:24:43 jtcolofw racoon: ERROR: pfkey DELETE received: ESP DC-IP[500]->HQ-IP[500] spi=3439811675(0xcd075c5b)
              Aug  6 23:24:43 jtcolofw racoon: ERROR: no iph2 found: ESP HQ-IP[500]->DC-IP[500] spi=190368626(0xb58cb72)
              Aug  6 23:24:43 jtcolofw racoon: ERROR: no iph2 found: ESP HQ-IP[500]->DC-IP[500] spi=265860341(0xfd8b4f5)
              Aug  6 23:24:43 jtcolofw racoon: INFO: initiate new phase 2 negotiation: DC-IP[500]<=>HQ-IP[500]
              Aug  6 23:24:43 jtcolofw racoon: [HQ-IP] ERROR: notification INVALID-ID-INFORMATION received in informational exchange.
              Aug  6 23:24:43 jtcolofw racoon: INFO: respond new phase 2 negotiation: DC-IP[500]<=>HQ-IP[500]
              Aug  6 23:24:43 jtcolofw racoon: ERROR: failed to get sainfo.
              Aug  6 23:24:43 jtcolofw racoon: ERROR: failed to get sainfo.
              Aug  6 23:24:43 jtcolofw racoon: [HQ-IP] ERROR: failed to pre-process ph2 packet (side: 1, status: 1).
              Aug  6 23:24:43 jtcolofw racoon: INFO: unsupported PF_KEY message REGISTER
              Aug  6 23:24:43 jtcolofw racoon: INFO: initiate new phase 2 negotiation: DC-IP[500]<=>HQ-IP[500]
              Aug  6 23:24:47 jtcolofw racoon: INFO: respond new phase 2 negotiation: DC-IP[500]<=>HQ-IP[500]
              Aug  6 23:24:47 jtcolofw racoon: INFO: IPsec-SA established: ESP DC-IP[500]->HQ-IP[500] spi=47858997(0x2da4535)
              Aug  6 23:24:47 jtcolofw racoon: INFO: IPsec-SA established: ESP DC-IP[500]->HQ-IP[500] spi=3411040327(0xcb505847)
              Aug  6 23:24:47 jtcolofw racoon: [HQ-IP] ERROR: notification INVALID-ID-INFORMATION received in informational exchange.
              Aug  6 23:24:53 jtcolofw racoon: [HQ-IP] ERROR: notification INVALID-HASH-INFORMATION received in informational exchange.
              Aug  6 23:25:03 jtcolofw racoon: [HQ-IP] ERROR: notification INVALID-HASH-INFORMATION received in informational exchange.
              Aug  6 23:25:13 jtcolofw racoon: ERROR: HQ-IP give up to get IPsec-SA due to time up to wait.
              Aug  6 23:25:15 jtcolofw racoon: INFO: initiate new phase 2 negotiation: DC-IP[500]<=>HQ-IP[500]
              Aug  6 23:25:15 jtcolofw racoon: [HQ-IP] ERROR: notification INVALID-ID-INFORMATION received in informational exchange.
              Aug  6 23:25:25 jtcolofw racoon: [HQ-IP] ERROR: notification INVALID-HASH-INFORMATION received in informational exchange.
              Aug  6 23:25:35 jtcolofw racoon: [HQ-IP] ERROR: notification INVALID-HASH-INFORMATION received in informational exchange.
              Aug  6 23:25:39 jtcolofw racoon: INFO: unsupported PF_KEY message REGISTER
              Aug  6 23:25:39 jtcolofw racoon: ERROR: pfkey DELETE received: ESP DC-IP[500]->HQ-IP[500] spi=3411040327(0xcb505847)
              Aug  6 23:25:39 jtcolofw racoon: ERROR: no iph2 found: ESP HQ-IP[500]->DC-IP[500] spi=47858997(0x2da4535)
              Aug  6 23:25:39 jtcolofw racoon: ERROR: pfkey DELETE received: ESP HQ-IP[500]->DC-IP[500] spi=223732504(0xd55e318)
              Aug  6 23:25:39 jtcolofw racoon: INFO: unsupported PF_KEY message REGISTER
              Aug  6 23:25:39 jtcolofw racoon: INFO: respond new phase 2 negotiation: DC-IP[500]<=>HQ-IP[500]
              Aug  6 23:25:39 jtcolofw racoon: ERROR: failed to get sainfo.
              Aug  6 23:25:39 jtcolofw racoon: ERROR: failed to get sainfo.
              Aug  6 23:25:39 jtcolofw racoon: [HQ-IP] ERROR: failed to pre-process ph2 packet (side: 1, status: 1).
              Aug  6 23:25:40 jtcolofw racoon: INFO: initiate new phase 2 negotiation: DC-IP[500]<=>HQ-IP[500]
              Aug  6 23:25:43 jtcolofw racoon: INFO: respond new phase 2 negotiation: DC-IP[500]<=>HQ-IP[500]
              Aug  6 23:25:43 jtcolofw racoon: ERROR: failed to get sainfo.
              Aug  6 23:25:43 jtcolofw racoon: ERROR: failed to get sainfo.
              Aug  6 23:25:43 jtcolofw racoon: [HQ-IP] ERROR: failed to pre-process ph2 packet (side: 1, status: 1).
              Aug  6 23:25:51 jtcolofw racoon: [HQ-IP] ERROR: notification PAYLOAD-MALFORMED received in informational exchange.
              Aug  6 23:25:51 jtcolofw racoon: INFO: respond new phase 2 negotiation: DC-IP[500]<=>HQ-IP[500]
              Aug  6 23:25:51 jtcolofw racoon: ERROR: failed to get sainfo.
              Aug  6 23:25:51 jtcolofw racoon: ERROR: failed to get sainfo.
              Aug  6 23:25:51 jtcolofw racoon: [HQ-IP] ERROR: failed to pre-process ph2 packet (side: 1, status: 1).
              Aug  6 23:26:01 jtcolofw racoon: [HQ-IP] ERROR: notification INVALID-HASH-INFORMATION received in informational exchange.
              Aug  6 23:26:04 jtcolofw racoon: INFO: respond new phase 2 negotiation: DC-IP[500]<=>HQ-IP[500]
              Aug  6 23:26:04 jtcolofw racoon: ERROR: failed to get sainfo.
              Aug  6 23:26:04 jtcolofw racoon: ERROR: failed to get sainfo.
              Aug  6 23:26:04 jtcolofw racoon: [HQ-IP] ERROR: failed to pre-process ph2 packet (side: 1, status: 1).
              Aug  6 23:26:10 jtcolofw racoon: ERROR: HQ-IP give up to get IPsec-SA due to time up to wait.
              Aug  6 23:26:12 jtcolofw racoon: INFO: initiate new phase 2 negotiation: DC-IP[500]<=>HQ-IP[500]
              Aug  6 23:26:14 jtcolofw racoon: [HQ-IP] INFO: DPD: remote (ISAKMP-SA spi=5e5ce4a5c125bd14:fcd270cb4c9238f2) seems to be dead.
              Aug  6 23:26:14 jtcolofw racoon: INFO: purging ISAKMP-SA spi=5e5ce4a5c125bd14:fcd270cb4c9238f2.
              Aug  6 23:26:14 jtcolofw racoon: INFO: purged IPsec-SA spi=225969223.
              Aug  6 23:26:14 jtcolofw racoon: INFO: purged ISAKMP-SA spi=5e5ce4a5c125bd14:fcd270cb4c9238f2.
              Aug  6 23:26:14 jtcolofw racoon: INFO: ISAKMP-SA deleted DC-IP[500]-HQ-IP[500] spi:5e5ce4a5c125bd14:fcd270cb4c9238f2
              Aug  6 23:26:19 jtcolofw racoon: INFO: IPsec-SA request for HQ-IP queued due to no phase1 found.
              Aug  6 23:26:19 jtcolofw racoon: INFO: initiate new phase 1 negotiation: DC-IP[500]<=>HQ-IP[500]

              • jimp (Rebel Alliance Developer, Netgate)

                The error messages are indicative of a Phase 2 mismatch. Something must not line up like it wants. You can enable debug mode for IPsec to maybe get better info. From the log messages it looks like you're still on pfSense 2.1.x or earlier, so it's a little tricky to get useful debugging info from the logs as it's very chatty.


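Because a racoon log on pfSense 2.1.x is as chatty as the reply above says, a small triage script that buckets each line by what it indicates makes the Phase 2 mismatch signature stand out from the SA churn around it. The script below is an added example for this thread, not part of pfSense or racoon; the category names and the mapping from message fragments to categories are this example's own reading of the racoon messages, and the sample lines are a handful copied from the log posted above (the poster had already replaced the public addresses with DC-IP/HQ-IP).

```python
"""Triage racoon (IKEv1) log lines into what they indicate.

Added example for this thread, not pfSense's or racoon's own code. The
category names and the fragment-to-category mapping are this example's
own reading of racoon messages; the sample lines are copied from the
thread's log (addresses already masked by the poster as DC-IP/HQ-IP)."""
import re
from collections import Counter

# Syslog prefix, optional "[peer]" tag, level, message.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) racoon: "
    r"(?:\[(?P<peer>[^\]]+)\] )?(?P<level>INFO|ERROR|WARNING|NOTIFY): (?P<msg>.*)$")

# First matching fragment wins. "failed to get sainfo" means no local Phase 2
# matched the IDs the peer proposed; INVALID-ID-INFORMATION is the peer saying
# the same thing about our proposal. Both point at the P2 selector/proposal lists.
SIGNATURES = [
    ("phase2_selector_mismatch", ("failed to get sainfo", "INVALID-ID-INFORMATION",
                                  "failed to pre-process ph2 packet")),
    ("hash_or_proposal_error", ("INVALID-HASH-INFORMATION", "PAYLOAD-MALFORMED")),
    ("phase2_timeout", ("give up to get IPsec-SA",)),
    ("sa_established", ("IPsec-SA established",)),
    ("sa_torn_down", ("pfkey DELETE received", "no iph2 found", "purged IPsec-SA",
                      "purged ISAKMP-SA", "ISAKMP-SA deleted", "purging ISAKMP-SA")),
    ("dpd_peer_dead", ("seems to be dead",)),
    ("phase1_restart", ("initiate new phase 1 negotiation", "no phase1 found")),
    ("phase2_negotiation", ("new phase 2 negotiation",)),
    ("pfkey_noise", ("unsupported PF_KEY message",)),
]


def classify(line: str):
    """Parse one line; return its fields plus a category, or None if not a racoon line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    category = next((cat for cat, frags in SIGNATURES if any(f in msg for f in frags)), "other")
    return {"ts": m.group("ts"), "peer": m.group("peer"), "level": m.group("level"),
            "category": category, "msg": msg}


def triage(log_text: str) -> Counter:
    """Count lines per category across a log excerpt."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        parsed = classify(line)
        if parsed:
            counts[parsed["category"]] += 1
    return counts


def verdict(counts: Counter) -> str:
    """Coarse reading of the counts; thresholds are this example's choice."""
    if counts["phase2_selector_mismatch"] >= 2:
        return "phase2-mismatch"          # compare Local/Remote Network and proposal on both peers
    if counts["hash_or_proposal_error"] and not counts["sa_established"]:
        return "phase1-or-proposal"       # nothing ever comes up; look at P1 auth/hash settings
    if counts["dpd_peer_dead"]:
        return "peer-unreachable"
    return "inconclusive"


# Twelve lines copied from the log posted in this thread.
SAMPLE = """\
Aug  6 23:24:43 jtcolofw racoon: INFO: unsupported PF_KEY message REGISTER
Aug  6 23:24:43 jtcolofw racoon: ERROR: pfkey DELETE received: ESP DC-IP[500]->HQ-IP[500] spi=3439811675(0xcd075c5b)
Aug  6 23:24:43 jtcolofw racoon: INFO: initiate new phase 2 negotiation: DC-IP[500]<=>HQ-IP[500]
Aug  6 23:24:43 jtcolofw racoon: [HQ-IP] ERROR: notification INVALID-ID-INFORMATION received in informational exchange.
Aug  6 23:24:43 jtcolofw racoon: INFO: respond new phase 2 negotiation: DC-IP[500]<=>HQ-IP[500]
Aug  6 23:24:43 jtcolofw racoon: ERROR: failed to get sainfo.
Aug  6 23:24:43 jtcolofw racoon: [HQ-IP] ERROR: failed to pre-process ph2 packet (side: 1, status: 1).
Aug  6 23:24:47 jtcolofw racoon: INFO: IPsec-SA established: ESP DC-IP[500]->HQ-IP[500] spi=47858997(0x2da4535)
Aug  6 23:24:53 jtcolofw racoon: [HQ-IP] ERROR: notification INVALID-HASH-INFORMATION received in informational exchange.
Aug  6 23:25:13 jtcolofw racoon: ERROR: HQ-IP give up to get IPsec-SA due to time up to wait.
Aug  6 23:26:14 jtcolofw racoon: [HQ-IP] INFO: DPD: remote (ISAKMP-SA spi=5e5ce4a5c125bd14:fcd270cb4c9238f2) seems to be dead.
Aug  6 23:26:19 jtcolofw racoon: INFO: initiate new phase 1 negotiation: DC-IP[500]<=>HQ-IP[500]
"""

if __name__ == "__main__":
    c = triage(SAMPLE)
    for cat, n in c.most_common():
        print(f"{n:3d}  {cat}")
    print("verdict:", verdict(c))
```

Run it against the whole log from the post (`triage(open("ipsec.log").read())`) and the selector-mismatch bucket dominates, while the one `IPsec-SA established` pair shows the Phase 1 and the pre-existing LAN-to-LAN Phase 2 are fine; that is the same conclusion as the reply, reached without reading every line.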
                • Ipeek

                  The DC pfSense is still on 2.1

                  HQ is on 2.2.2

                  I will turn on the extra IPsec debugging and report back.

                  Thanks.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.