Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    First timer/newbie IPSec VPN….

    IPsec
    3
    18
    10.0k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • N
      NoDoze
      last edited by

      I followed http://doc.pfsense.org/index.php/VPN_Capability_IPSec and have this all setup…. But when I go to the overview section...it's blank! I only have the tunnel I created in the SPD section.

      Am I missing something here?
      Is there more to it?

      What is the difference between SAD and SPD anyways...?

      Thanks!

      1 Reply Last reply Reply Quote 0
      • M
        moffl
        last edited by

        I followed http://doc.pfsense.org/index.php/VPN_Capability_IPSec and have this all setup…. But when I go to the overview section...it's blank! I only have the tunnel I created in the SPD section.

        If you only have a SPD and not a SAD then you have no tunnel. In my experience Security Association Database (SAD) tells you that you are associated. If you have nothing in overview then i would say tunnel is not working

        What is the difference between SAD and SPD anyways…?

        Security Policy Database = SPD
        Security Association Database = SAD

        Thanks!

        1 Reply Last reply Reply Quote 0
        • H
          heiko
          last edited by

          @NoDoze:

          Am I missing something here?
          Is there more to it?

          Thanks!

          Please give us more informations about your ipsec config

          1 Reply Last reply Reply Quote 0
          • N
            NoDoze
            last edited by

            Here are my settings… They are almost identical on both ends.

            Office
            VPN: IPsec: Edit tunnel

            Mode Tunnel
            Interface  WAN
            Local subnet Type: LAN subnet
            Remote subnet  255.255.252.0 /  32
            Remote gateway  76.XX.XX.115
            Description  Home

            Phase 1 proposal (Authentication)
            Negotiation mode  aggressive
            My identifier  My IP address
            Encryption algorithm  Blowfish
            Hash algorithm  SHA1
            Must match the setting chosen on the remote side. 
            DH key group  1
            Lifetime  28800
            Authentication method  Pre-shared key
            Pre-Shared Key  XXXXXXyadayadayadaXXXXX

            Phase 2 proposal (SA/Key Exchange)
            Protocol  ESP
            Encryption algorithms  Blowfish
            Hash algorithms  SHA1
            PFS key group  off
            Lifetime  28800

            Home
            VPN: IPsec: Edit tunnel

            Mode Tunnel
            Interface  WAN
            Local subnet Type: LAN subnet
            Remote subnet  255.255.255.224 /  32
            Remote gateway  71.XX.XX.162
            Description  Office

            Phase 1 proposal (Authentication)
            Negotiation mode  aggressive
            My identifier  My IP address
            Encryption algorithm  Blowfish
            Hash algorithm  SHA1
            Must match the setting chosen on the remote side. 
            DH key group  1
            Lifetime  28800
            Authentication method  Pre-shared key
            Pre-Shared Key  XXXXXXyadayadayadaXXXXX

            Phase 2 proposal (SA/Key Exchange)
            Protocol  ESP
            Encryption algorithms  Blowfish
            Hash algorithms  SHA1
            PFS key group  off
            Lifetime  28800

            1 Reply Last reply Reply Quote 0
            • H
              heiko
              last edited by

              what is Remote subnet  255.255.252.0 /  32 ??

              1 Reply Last reply Reply Quote 0
              • N
                NoDoze
                last edited by

                Uhmmm… Not sure what you're asking... I just copy/pasted from the pfsense VPN:IPsec window my settings...

                I basically followed the directions from: http://doc.pfsense.org/index.php/VPN_Capability_IPSec

                1 Reply Last reply Reply Quote 0
                • H
                  heiko
                  last edited by

                  Remote subnet  255.255.252.0 /  32 !!!

                  The Remote subnet is for example 192.168.1.1, your lan subnet of the other side and not the "subnet mask" ;)

                  1 Reply Last reply Reply Quote 0
                  • N
                    NoDoze
                    last edited by

                    OOooooohhhhh….! I always get those two mixed up...sorry...

                    I made the changes 192.168.1.0 for the office and 192.168.2.0 for home, but still a no go...

                    I'm getting these eror in the log:

                    May 22 10:32:53 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.2.0/24[0] proto=any dir=out
                    May 22 10:32:53 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.1.1/32[0] 192.168.1.0/24[0] proto=any dir=out
                    May 22 10:32:53 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.2.0/24[0] 192.168.1.0/24[0] proto=any dir=in
                    May 22 10:32:53 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.1.1/32[0] proto=any dir=in

                    What does it mean?

                    1 Reply Last reply Reply Quote 0
                    • N
                      NoDoze
                      last edited by

                      I reduced the lifetime on both ends, and now get this error in the logs:

                      On the home side:

                      
                      May 22 12:26:10 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.2.5/32[0] 192.168.2.0/24[0] proto=any dir=out 
                      May 22 12:26:10 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.2.0/24[0] 192.168.2.5/32[0] proto=any dir=in 
                      
                      

                      On the office side:

                      
                      May 22 12:26:07 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.1.1/32[0] 192.168.1.0/24[0] proto=any dir=out 
                      May 22 12:26:07 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.1.1/32[0] proto=any dir=in 
                      
                      

                      So for some reason the liftime reduced the errors to one pair set on each side, whereas earlier is was two pair sets on each side.

                      Still get nothing on the SAD and Overview. Just says "No IPsec security associations."
                      Which leads me to beleive I'm leaving somthing out…?

                      Help!

                      Thanks!

                      1 Reply Last reply Reply Quote 0
                      • N
                        NoDoze
                        last edited by

                        Ok, disregurad that last post… It went back to the way it was...

                        Seams like PF keeps trying to make the connection but gets different responses?

                        Anyways, I still can't get it to work...

                        1 Reply Last reply Reply Quote 0
                        • H
                          heiko
                          last edited by

                          all ipsec endpoints are pfsense? if this so, are there are static or dynamic?

                          1 Reply Last reply Reply Quote 0
                          • N
                            NoDoze
                            last edited by

                            PF to PF both sides…
                            the office is a static, the home a dynamic, but has never changed in 4 years.
                            PF on both sides are setup static.

                            1 Reply Last reply Reply Quote 0
                            • N
                              NoDoze
                              last edited by

                              Ok, just to see if I could get it to work…I setup another IPsec tunnel, this time an internal one...
                              ...I still get the same errors in the logs:

                              May 22 22:58:49 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.25.0/24[0] 192.168.1.0/24[0] proto=any dir=out
                              May 22 22:58:49 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.25.1/32[0] 192.168.25.0/24[0] proto=any dir=out
                              May 22 22:58:49 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.25.0/24[0] proto=any dir=in
                              May 22 22:58:49 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.25.0/24[0] 192.168.25.1/32[0] proto=any dir=in

                              Can anyone make sense of this? (no pun intended)

                              Thanks!

                              1 Reply Last reply Reply Quote 0
                              • H
                                heiko
                                last edited by

                                both on 1.2? / Unknown Gateway says that comes from a dynamic endpoint, nothing more

                                I would work for example on the static side with the option "mobile clients enable" so the pf on the dynamic side
                                works as it should. ;)

                                1 Reply Last reply Reply Quote 0
                                • N
                                  NoDoze
                                  last edited by

                                  Yup!…. both 1.2...

                                  Are you saying for the dynamic setup "mobile clients" needs to be enabled...?

                                  Well, I do have it enabled...on both sides....but it still isn't making the tunnel...

                                  Any other ideas...?

                                  1 Reply Last reply Reply Quote 0
                                  • N
                                    NoDoze
                                    last edited by

                                    WOOT! 'bout half an hour later we have CONNECTION! YES!
                                    Thank you! Thank you! Thank you!

                                    …All I did was just let it sit idle... the error log cleared out....I pinged, and then the logs showed CONNECTION ESTABLISHED!

                                    YES!

                                    So...why does it take so long for it to connect....?

                                    Thanks for the help!

                                    1 Reply Last reply Reply Quote 0
                                    • H
                                      heiko
                                      last edited by

                                      mobile client ipsec issue in 1.2 –> in 1.21 that is fixed

                                      1 Reply Last reply Reply Quote 0
                                      • N
                                        NoDoze
                                        last edited by

                                        Cool!

                                        Thanks!

                                        1 Reply Last reply Reply Quote 0
                                        • First post
                                          Last post
                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.