First timer/newbie IPSec VPN….

Reply to First timer/newbie IPSec VPN…. on Fri, 23 May 2008 18:50:19 GMT

NoDoze — Fri, 23 May 2008 18:50:19 GMT

Cool!

Thanks!

Reply to First timer/newbie IPSec VPN…. on Fri, 23 May 2008 18:34:17 GMT

heiko — Fri, 23 May 2008 18:34:17 GMT

mobile client ipsec issue in 1.2 –> in 1.21 that is fixed

Reply to First timer/newbie IPSec VPN…. on Fri, 23 May 2008 17:08:29 GMT

NoDoze — Fri, 23 May 2008 17:08:29 GMT

WOOT! 'bout half an hour later we have CONNECTION! YES!
Thank you! Thank you! Thank you!

…All I did was just let it sit idle... the error log cleared out....I pinged, and then the logs showed CONNECTION ESTABLISHED!

YES!

So...why does it take so long for it to connect....?

Thanks for the help!

Reply to First timer/newbie IPSec VPN…. on Fri, 23 May 2008 15:27:26 GMT

NoDoze — Fri, 23 May 2008 15:27:26 GMT

Yup!…. both 1.2...

Are you saying for the dynamic setup "mobile clients" needs to be enabled...?

Well, I do have it enabled...on both sides....but it still isn't making the tunnel...

Any other ideas...?

Reply to First timer/newbie IPSec VPN…. on Fri, 23 May 2008 12:35:15 GMT

heiko — Fri, 23 May 2008 12:35:15 GMT

both on 1.2? / Unknown Gateway says that comes from a dynamic endpoint, nothing more

I would work for example on the static side with the option "mobile clients enable" so the pf on the dynamic side
works as it should. ;)

Reply to First timer/newbie IPSec VPN…. on Thu, 22 May 2008 23:04:26 GMT

NoDoze — Thu, 22 May 2008 23:04:26 GMT

Ok, just to see if I could get it to work…I setup another IPsec tunnel, this time an internal one...
...I still get the same errors in the logs:

May 22 22:58:49 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.25.0/24[0] 192.168.1.0/24[0] proto=any dir=out
May 22 22:58:49 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.25.1/32[0] 192.168.25.0/24[0] proto=any dir=out
May 22 22:58:49 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.25.0/24[0] proto=any dir=in
May 22 22:58:49 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.25.0/24[0] 192.168.25.1/32[0] proto=any dir=in

Can anyone make sense of this? (no pun intended)

Thanks!

Reply to First timer/newbie IPSec VPN…. on Thu, 22 May 2008 21:21:31 GMT

NoDoze — Thu, 22 May 2008 21:21:31 GMT

PF to PF both sides…
the office is a static, the home a dynamic, but has never changed in 4 years.
PF on both sides are setup static.

Reply to First timer/newbie IPSec VPN…. on Thu, 22 May 2008 21:13:31 GMT

heiko — Thu, 22 May 2008 21:13:31 GMT

all ipsec endpoints are pfsense? if this so, are there are static or dynamic?

Reply to First timer/newbie IPSec VPN…. on Thu, 22 May 2008 20:56:26 GMT

NoDoze — Thu, 22 May 2008 20:56:26 GMT

Ok, disregurad that last post… It went back to the way it was...

Seams like PF keeps trying to make the connection but gets different responses?

Anyways, I still can't get it to work...

Reply to First timer/newbie IPSec VPN…. on Thu, 22 May 2008 19:37:21 GMT

NoDoze — Thu, 22 May 2008 19:37:21 GMT

I reduced the lifetime on both ends, and now get this error in the logs:

On the home side:


May 22 12:26:10 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.2.5/32[0] 192.168.2.0/24[0] proto=any dir=out 
May 22 12:26:10 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.2.0/24[0] 192.168.2.5/32[0] proto=any dir=in

On the office side:


May 22 12:26:07 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.1.1/32[0] 192.168.1.0/24[0] proto=any dir=out 
May 22 12:26:07 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.1.1/32[0] proto=any dir=in

So for some reason the liftime reduced the errors to one pair set on each side, whereas earlier is was two pair sets on each side.

Still get nothing on the SAD and Overview. Just says "No IPsec security associations."
Which leads me to beleive I'm leaving somthing out…?

Help!

Thanks!

Reply to First timer/newbie IPSec VPN…. on Thu, 22 May 2008 17:36:09 GMT

NoDoze — Thu, 22 May 2008 17:36:09 GMT

OOooooohhhhh….! I always get those two mixed up...sorry...

I made the changes 192.168.1.0 for the office and 192.168.2.0 for home, but still a no go...

I'm getting these eror in the log:

May 22 10:32:53 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.2.0/24[0] proto=any dir=out
May 22 10:32:53 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.1.1/32[0] 192.168.1.0/24[0] proto=any dir=out
May 22 10:32:53 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.2.0/24[0] 192.168.1.0/24[0] proto=any dir=in
May 22 10:32:53 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.1.1/32[0] proto=any dir=in

What does it mean?

Reply to First timer/newbie IPSec VPN…. on Thu, 22 May 2008 07:23:31 GMT

heiko — Thu, 22 May 2008 07:23:31 GMT

Remote subnet 255.255.252.0 / 32 !!!

The Remote subnet is for example 192.168.1.1, your lan subnet of the other side and not the "subnet mask" ;)

Reply to First timer/newbie IPSec VPN…. on Wed, 21 May 2008 20:31:40 GMT

NoDoze — Wed, 21 May 2008 20:31:40 GMT

Uhmmm… Not sure what you're asking... I just copy/pasted from the pfsense VPN:IPsec window my settings...

I basically followed the directions from: http://doc.pfsense.org/index.php/VPN_Capability_IPSec

Reply to First timer/newbie IPSec VPN…. on Wed, 21 May 2008 20:04:55 GMT

heiko — Wed, 21 May 2008 20:04:55 GMT

what is Remote subnet 255.255.252.0 / 32 ??

Reply to First timer/newbie IPSec VPN…. on Wed, 21 May 2008 17:55:29 GMT

NoDoze — Wed, 21 May 2008 17:55:29 GMT

Here are my settings… They are almost identical on both ends.

Office
VPN: IPsec: Edit tunnel

Mode Tunnel
Interface WAN
Local subnet Type: LAN subnet
Remote subnet 255.255.252.0 / 32
Remote gateway 76.XX.XX.115
Description Home

Phase 1 proposal (Authentication)
Negotiation mode aggressive
My identifier My IP address
Encryption algorithm Blowfish
Hash algorithm SHA1
Must match the setting chosen on the remote side.
DH key group 1
Lifetime 28800
Authentication method Pre-shared key
Pre-Shared Key XXXXXXyadayadayadaXXXXX

Phase 2 proposal (SA/Key Exchange)
Protocol ESP
Encryption algorithms Blowfish
Hash algorithms SHA1
PFS key group off
Lifetime 28800

Home
VPN: IPsec: Edit tunnel

Mode Tunnel
Interface WAN
Local subnet Type: LAN subnet
Remote subnet 255.255.255.224 / 32
Remote gateway 71.XX.XX.162
Description Office

Phase 1 proposal (Authentication)
Negotiation mode aggressive
My identifier My IP address
Encryption algorithm Blowfish
Hash algorithm SHA1
Must match the setting chosen on the remote side.
DH key group 1
Lifetime 28800
Authentication method Pre-shared key
Pre-Shared Key XXXXXXyadayadayadaXXXXX

Phase 2 proposal (SA/Key Exchange)
Protocol ESP
Encryption algorithms Blowfish
Hash algorithms SHA1
PFS key group off
Lifetime 28800

Reply to First timer/newbie IPSec VPN…. on Tue, 13 May 2008 07:34:01 GMT

heiko — Tue, 13 May 2008 07:34:01 GMT

@NoDoze:

Am I missing something here?
Is there more to it?

Thanks!

Please give us more informations about your ipsec config

Reply to First timer/newbie IPSec VPN…. on Tue, 13 May 2008 05:29:50 GMT

moffl — Tue, 13 May 2008 05:29:50 GMT

I followed http://doc.pfsense.org/index.php/VPN_Capability_IPSec and have this all setup…. But when I go to the overview section...it's blank! I only have the tunnel I created in the SPD section.

If you only have a SPD and not a SAD then you have no tunnel. In my experience Security Association Database (SAD) tells you that you are associated. If you have nothing in overview then i would say tunnel is not working

What is the difference between SAD and SPD anyways…?

Security Policy Database = SPD
Security Association Database = SAD

Thanks!