First timer/newbie IPSec VPN….



  • I followed http://doc.pfsense.org/index.php/VPN_Capability_IPSec and have this all setup…. But when I go to the overview section...it's blank! I only have the tunnel I created in the SPD section.

    Am I missing something here?
    Is there more to it?

    What is the difference between SAD and SPD anyways...?

    Thanks!



  • I followed http://doc.pfsense.org/index.php/VPN_Capability_IPSec and have this all setup…. But when I go to the overview section...it's blank! I only have the tunnel I created in the SPD section.

    If you only have a SPD and not a SAD then you have no tunnel. In my experience Security Association Database (SAD) tells you that you are associated. If you have nothing in overview then i would say tunnel is not working

    What is the difference between SAD and SPD anyways…?

    Security Policy Database = SPD
    Security Association Database = SAD

    Thanks!



  • @NoDoze:

    Am I missing something here?
    Is there more to it?

    Thanks!

    Please give us more informations about your ipsec config



  • Here are my settings… They are almost identical on both ends.

    Office
    VPN: IPsec: Edit tunnel

    Mode Tunnel
    Interface  WAN
    Local subnet Type: LAN subnet
    Remote subnet  255.255.252.0 /  32
    Remote gateway  76.XX.XX.115
    Description  Home

    Phase 1 proposal (Authentication)
    Negotiation mode  aggressive
    My identifier  My IP address
    Encryption algorithm  Blowfish
    Hash algorithm  SHA1
    Must match the setting chosen on the remote side. 
    DH key group  1
    Lifetime  28800
    Authentication method  Pre-shared key
    Pre-Shared Key  XXXXXXyadayadayadaXXXXX

    Phase 2 proposal (SA/Key Exchange)
    Protocol  ESP
    Encryption algorithms  Blowfish
    Hash algorithms  SHA1
    PFS key group  off
    Lifetime  28800

    Home
    VPN: IPsec: Edit tunnel

    Mode Tunnel
    Interface  WAN
    Local subnet Type: LAN subnet
    Remote subnet  255.255.255.224 /  32
    Remote gateway  71.XX.XX.162
    Description  Office

    Phase 1 proposal (Authentication)
    Negotiation mode  aggressive
    My identifier  My IP address
    Encryption algorithm  Blowfish
    Hash algorithm  SHA1
    Must match the setting chosen on the remote side. 
    DH key group  1
    Lifetime  28800
    Authentication method  Pre-shared key
    Pre-Shared Key  XXXXXXyadayadayadaXXXXX

    Phase 2 proposal (SA/Key Exchange)
    Protocol  ESP
    Encryption algorithms  Blowfish
    Hash algorithms  SHA1
    PFS key group  off
    Lifetime  28800



  • what is Remote subnet  255.255.252.0 /  32 ??



  • Uhmmm… Not sure what you're asking... I just copy/pasted from the pfsense VPN:IPsec window my settings...

    I basically followed the directions from: http://doc.pfsense.org/index.php/VPN_Capability_IPSec



  • Remote subnet  255.255.252.0 /  32 !!!

    The Remote subnet is for example 192.168.1.1, your lan subnet of the other side and not the "subnet mask" ;)



  • OOooooohhhhh….! I always get those two mixed up...sorry...

    I made the changes 192.168.1.0 for the office and 192.168.2.0 for home, but still a no go...

    I'm getting these eror in the log:

    May 22 10:32:53 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.2.0/24[0] proto=any dir=out
    May 22 10:32:53 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.1.1/32[0] 192.168.1.0/24[0] proto=any dir=out
    May 22 10:32:53 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.2.0/24[0] 192.168.1.0/24[0] proto=any dir=in
    May 22 10:32:53 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.1.1/32[0] proto=any dir=in

    What does it mean?



  • I reduced the lifetime on both ends, and now get this error in the logs:

    On the home side:

    
    May 22 12:26:10 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.2.5/32[0] 192.168.2.0/24[0] proto=any dir=out 
    May 22 12:26:10 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.2.0/24[0] 192.168.2.5/32[0] proto=any dir=in 
    
    

    On the office side:

    
    May 22 12:26:07 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.1.1/32[0] 192.168.1.0/24[0] proto=any dir=out 
    May 22 12:26:07 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.1.1/32[0] proto=any dir=in 
    
    

    So for some reason the liftime reduced the errors to one pair set on each side, whereas earlier is was two pair sets on each side.

    Still get nothing on the SAD and Overview. Just says "No IPsec security associations."
    Which leads me to beleive I'm leaving somthing out…?

    Help!

    Thanks!



  • Ok, disregurad that last post… It went back to the way it was...

    Seams like PF keeps trying to make the connection but gets different responses?

    Anyways, I still can't get it to work...



  • all ipsec endpoints are pfsense? if this so, are there are static or dynamic?



  • PF to PF both sides…
    the office is a static, the home a dynamic, but has never changed in 4 years.
    PF on both sides are setup static.



  • Ok, just to see if I could get it to work…I setup another IPsec tunnel, this time an internal one...
    ...I still get the same errors in the logs:

    May 22 22:58:49 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.25.0/24[0] 192.168.1.0/24[0] proto=any dir=out
    May 22 22:58:49 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.25.1/32[0] 192.168.25.0/24[0] proto=any dir=out
    May 22 22:58:49 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.25.0/24[0] proto=any dir=in
    May 22 22:58:49 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.25.0/24[0] 192.168.25.1/32[0] proto=any dir=in

    Can anyone make sense of this? (no pun intended)

    Thanks!



  • both on 1.2? / Unknown Gateway says that comes from a dynamic endpoint, nothing more

    I would work for example on the static side with the option "mobile clients enable" so the pf on the dynamic side
    works as it should. ;)



  • Yup!…. both 1.2...

    Are you saying for the dynamic setup "mobile clients" needs to be enabled...?

    Well, I do have it enabled...on both sides....but it still isn't making the tunnel...

    Any other ideas...?



  • WOOT! 'bout half an hour later we have CONNECTION! YES!
    Thank you! Thank you! Thank you!

    …All I did was just let it sit idle... the error log cleared out....I pinged, and then the logs showed CONNECTION ESTABLISHED!

    YES!

    So...why does it take so long for it to connect....?

    Thanks for the help!



  • mobile client ipsec issue in 1.2 –> in 1.21 that is fixed



  • Cool!

    Thanks!


Log in to reply