First timer/newbie IPSec VPN….
-
I followed http://doc.pfsense.org/index.php/VPN_Capability_IPSec and have this all setup…. But when I go to the overview section...it's blank! I only have the tunnel I created in the SPD section.
Am I missing something here?
Is there more to it?
What is the difference between SAD and SPD anyways...?
Thanks!
-
I followed http://doc.pfsense.org/index.php/VPN_Capability_IPSec and have this all setup…. But when I go to the overview section...it's blank! I only have the tunnel I created in the SPD section.
If you only have an SPD and not an SAD then you have no tunnel. In my experience the Security Association Database (SAD) tells you that you are associated. If you have nothing in the overview then I would say the tunnel is not working.
What is the difference between SAD and SPD anyways…?
Security Policy Database = SPD
Security Association Database = SAD
Thanks!
-
Am I missing something here?
Is there more to it?
Thanks!
Please give us more information about your IPsec config.
-
Here are my settings… They are almost identical on both ends.
Office

VPN: IPsec: Edit tunnel
Mode Tunnel
Interface WAN
Local subnet Type: LAN subnet
Remote subnet 255.255.252.0 / 32
Remote gateway 76.XX.XX.115
Description Home

Phase 1 proposal (Authentication)
Negotiation mode aggressive
My identifier My IP address
Encryption algorithm Blowfish
Hash algorithm SHA1
Must match the setting chosen on the remote side.
DH key group 1
Lifetime 28800
Authentication method Pre-shared key
Pre-Shared Key XXXXXXyadayadayadaXXXXX

Phase 2 proposal (SA/Key Exchange)
Protocol ESP
Encryption algorithms Blowfish
Hash algorithms SHA1
PFS key group off
Lifetime 28800

Home

VPN: IPsec: Edit tunnel
Mode Tunnel
Interface WAN
Local subnet Type: LAN subnet
Remote subnet 255.255.255.224 / 32
Remote gateway 71.XX.XX.162
Description Office

Phase 1 proposal (Authentication)
Negotiation mode aggressive
My identifier My IP address
Encryption algorithm Blowfish
Hash algorithm SHA1
Must match the setting chosen on the remote side.
DH key group 1
Lifetime 28800
Authentication method Pre-shared key
Pre-Shared Key XXXXXXyadayadayadaXXXXX

Phase 2 proposal (SA/Key Exchange)
Protocol ESP
Encryption algorithms Blowfish
Hash algorithms SHA1
PFS key group off
Lifetime 28800
-
What is Remote subnet 255.255.252.0 / 32 ??
-
Uhmmm… Not sure what you're asking... I just copy/pasted from the pfsense VPN:IPsec window my settings...
I basically followed the directions from: http://doc.pfsense.org/index.php/VPN_Capability_IPSec
-
Remote subnet 255.255.252.0 / 32 !!!
The Remote subnet is for example 192.168.1.1, your lan subnet of the other side and not the "subnet mask" ;)
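As an added example (not from the thread and not pfSense code), here is a small Python check for the mistake this reply points out, a netmask typed into the Remote subnet field, which also confirms that each end's remote subnet is the other end's LAN and that the Phase 1 and Phase 2 proposals agree. The OFFICE and HOME dictionaries are constructed from the settings posted above; the masked gateway addresses are left out.

```python
import ipaddress

# Constructed from the settings posted in this thread (gateway addresses are masked
# on the page, so only the subnets and proposals are modelled).
OFFICE = {
    "local_subnet": "192.168.1.0/24",
    "remote_subnet": "255.255.252.0/32",  # the mistake above: a mask, not a network
    "phase1": {"mode": "aggressive", "enc": "Blowfish", "hash": "SHA1", "dh": 1, "lifetime": 28800},
    "phase2": {"proto": "ESP", "enc": "Blowfish", "hash": "SHA1", "pfs": "off", "lifetime": 28800},
}
HOME = {
    "local_subnet": "192.168.2.0/24",
    "remote_subnet": "255.255.255.224/32",
    "phase1": dict(OFFICE["phase1"]),
    "phase2": dict(OFFICE["phase2"]),
}


def looks_like_netmask(addr):
    """True when the address is contiguous 1-bits followed by 0-bits, e.g. 255.255.252.0."""
    inv = (~int(ipaddress.IPv4Address(addr))) & 0xFFFFFFFF
    return (inv + 1) & inv == 0  # inv + 1 is a power of two


def check_tunnel_pair(office, home):
    """Return a list of human-readable problems; an empty list means both ends agree."""
    problems = []
    for name, side, peer in (("office", office, home), ("home", home, office)):
        remote = ipaddress.ip_network(side["remote_subnet"], strict=False)
        if looks_like_netmask(str(remote.network_address)):
            problems.append(f"{name}: remote subnet {side['remote_subnet']} is a netmask, "
                            "not the peer's LAN network")
        elif remote != ipaddress.ip_network(peer["local_subnet"], strict=False):
            problems.append(f"{name}: remote subnet {remote} != peer local subnet "
                            f"{peer['local_subnet']}")
    # Phase 1 and Phase 2 proposals have to be identical on both ends.
    for phase in ("phase1", "phase2"):
        for key, value in office[phase].items():
            if home[phase].get(key) != value:
                problems.append(f"{phase} '{key}' differs: {value} vs {home[phase].get(key)}")
    return problems


def with_remote(side, remote_subnet):
    """Copy of one end with its remote subnet replaced (the fix suggested in the thread)."""
    return {**side, "remote_subnet": remote_subnet}


if __name__ == "__main__":
    print(check_tunnel_pair(OFFICE, HOME) or "no problems")
```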
-
OOooooohhhhh….! I always get those two mixed up...sorry...
I made the changes 192.168.1.0 for the office and 192.168.2.0 for home, but still a no go...
I'm getting these errors in the log:
May 22 10:32:53 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.2.0/24[0] proto=any dir=out
May 22 10:32:53 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.1.1/32[0] 192.168.1.0/24[0] proto=any dir=out
May 22 10:32:53 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.2.0/24[0] 192.168.1.0/24[0] proto=any dir=in
May 22 10:32:53 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.1.1/32[0] proto=any dir=in
What does it mean?
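Added example, not part of the thread: a Python parser for the racoon lines above that pulls the source, destination and direction out of each "such policy already exists" message and groups the in/out entries, so the four lines show up as two SPD policies, each listed once per direction. The sample log is constructed from the lines quoted in this post.

```python
import re
from collections import defaultdict

# Constructed sample: the four racoon lines quoted in the post above.
RACOON_LOG = """\
May 22 10:32:53 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.2.0/24[0] proto=any dir=out
May 22 10:32:53 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.1.1/32[0] 192.168.1.0/24[0] proto=any dir=out
May 22 10:32:53 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.2.0/24[0] 192.168.1.0/24[0] proto=any dir=in
May 22 10:32:53 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.1.1/32[0] proto=any dir=in
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) racoon: \[(?P<gw>[^\]]+)\]: ERROR: such policy already exists\."
    r" anyway replace it: (?P<src>\S+?)\[(?P<sport>\d+)\] (?P<dst>\S+?)\[(?P<dport>\d+)\]"
    r" proto=(?P<proto>\S+) dir=(?P<dir>in|out)$"
)


def parse_policy_lines(text):
    """One dict per 'such policy already exists' line; unrelated lines are skipped."""
    entries = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            entries.append(match.groupdict())
    return entries


def pair_policies(entries):
    """Group the entries into bidirectional SPD policies.

    For dir=out the source is this host's side; for dir=in the destination is.
    Keying on (local, remote) therefore puts A->B/out and B->A/in together.
    """
    policies = defaultdict(list)
    for entry in entries:
        if entry["dir"] == "out":
            local, remote = entry["src"], entry["dst"]
        else:
            local, remote = entry["dst"], entry["src"]
        policies[(local, remote)].append(entry["dir"])
    return dict(policies)


def one_way(policies):
    """Policies that were logged in only one direction (worth a closer look)."""
    return [key for key, dirs in policies.items() if set(dirs) != {"in", "out"}]
```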
-
I reduced the lifetime on both ends, and now get this error in the logs:
On the home side:
May 22 12:26:10 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.2.5/32[0] 192.168.2.0/24[0] proto=any dir=out
May 22 12:26:10 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.2.0/24[0] 192.168.2.5/32[0] proto=any dir=in
On the office side:
May 22 12:26:07 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.1.1/32[0] 192.168.1.0/24[0] proto=any dir=out
May 22 12:26:07 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.1.1/32[0] proto=any dir=in
So for some reason the lifetime reduced the errors to one pair set on each side, whereas earlier it was two pair sets on each side.
Still get nothing on the SAD and Overview. Just says "No IPsec security associations."
Which leads me to believe I'm leaving something out…?
Help!
Thanks!
-
Ok, disregard that last post… It went back to the way it was...
Seems like PF keeps trying to make the connection but gets different responses?
Anyways, I still can't get it to work...
-
Are all IPsec endpoints pfSense? If so, are they static or dynamic?
-
PF to PF both sides…
The office is static, the home dynamic, but it has never changed in 4 years.
PF on both sides is set up as static.
-
Ok, just to see if I could get it to work…I setup another IPsec tunnel, this time an internal one...
...I still get the same errors in the logs:
May 22 22:58:49 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.25.0/24[0] 192.168.1.0/24[0] proto=any dir=out
May 22 22:58:49 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.25.1/32[0] 192.168.25.0/24[0] proto=any dir=out
May 22 22:58:49 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.25.0/24[0] proto=any dir=in
May 22 22:58:49 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.25.0/24[0] 192.168.25.1/32[0] proto=any dir=in
Can anyone make sense of this? (no pun intended)
Thanks!
-
Both on 1.2? "Unknown Gateway" says that it comes from a dynamic endpoint, nothing more.
I would work, for example, on the static side with the option "mobile clients enable" so the pf on the dynamic side
works as it should. ;)
-
Yup!…. both 1.2...
Are you saying for the dynamic setup "mobile clients" needs to be enabled...?
Well, I do have it enabled...on both sides....but it still isn't making the tunnel...
Any other ideas...?
-
WOOT! 'bout half an hour later we have CONNECTION! YES!
Thank you! Thank you! Thank you!…All I did was just let it sit idle... the error log cleared out....I pinged, and then the logs showed CONNECTION ESTABLISHED!
YES!
So...why does it take so long for it to connect....?
Thanks for the help!
-
Mobile client IPsec issue in 1.2 -> in 1.21 that is fixed.
-
Cool!
Thanks!