First timer/newbie IPSec VPN….
-
I followed http://doc.pfsense.org/index.php/VPN_Capability_IPSec and have this all setup…. But when I go to the overview section...it's blank! I only have the tunnel I created in the SPD section.
Am I missing something here?
Is there more to it?What is the difference between SAD and SPD anyways...?
Thanks!
-
I followed http://doc.pfsense.org/index.php/VPN_Capability_IPSec and have this all setup…. But when I go to the overview section...it's blank! I only have the tunnel I created in the SPD section.
If you only have a SPD and not a SAD then you have no tunnel. In my experience Security Association Database (SAD) tells you that you are associated. If you have nothing in overview then i would say tunnel is not working
What is the difference between SAD and SPD anyways…?
Security Policy Database = SPD
Security Association Database = SADThanks!
-
Am I missing something here?
Is there more to it?Thanks!
Please give us more informations about your ipsec config
-
Here are my settings… They are almost identical on both ends.
Office
VPN: IPsec: Edit tunnelMode Tunnel
Interface WAN
Local subnet Type: LAN subnet
Remote subnet 255.255.252.0 / 32
Remote gateway 76.XX.XX.115
Description HomePhase 1 proposal (Authentication)
Negotiation mode aggressive
My identifier My IP address
Encryption algorithm Blowfish
Hash algorithm SHA1
Must match the setting chosen on the remote side.
DH key group 1
Lifetime 28800
Authentication method Pre-shared key
Pre-Shared Key XXXXXXyadayadayadaXXXXXPhase 2 proposal (SA/Key Exchange)
Protocol ESP
Encryption algorithms Blowfish
Hash algorithms SHA1
PFS key group off
Lifetime 28800Home
VPN: IPsec: Edit tunnelMode Tunnel
Interface WAN
Local subnet Type: LAN subnet
Remote subnet 255.255.255.224 / 32
Remote gateway 71.XX.XX.162
Description OfficePhase 1 proposal (Authentication)
Negotiation mode aggressive
My identifier My IP address
Encryption algorithm Blowfish
Hash algorithm SHA1
Must match the setting chosen on the remote side.
DH key group 1
Lifetime 28800
Authentication method Pre-shared key
Pre-Shared Key XXXXXXyadayadayadaXXXXXPhase 2 proposal (SA/Key Exchange)
Protocol ESP
Encryption algorithms Blowfish
Hash algorithms SHA1
PFS key group off
Lifetime 28800 -
what is Remote subnet 255.255.252.0 / 32 ??
-
Uhmmm… Not sure what you're asking... I just copy/pasted from the pfsense VPN:IPsec window my settings...
I basically followed the directions from: http://doc.pfsense.org/index.php/VPN_Capability_IPSec
-
Remote subnet 255.255.252.0 / 32 !!!
The Remote subnet is for example 192.168.1.1, your lan subnet of the other side and not the "subnet mask" ;)
-
OOooooohhhhh….! I always get those two mixed up...sorry...
I made the changes 192.168.1.0 for the office and 192.168.2.0 for home, but still a no go...
I'm getting these eror in the log:
May 22 10:32:53 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.2.0/24[0] proto=any dir=out
May 22 10:32:53 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.1.1/32[0] 192.168.1.0/24[0] proto=any dir=out
May 22 10:32:53 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.2.0/24[0] 192.168.1.0/24[0] proto=any dir=in
May 22 10:32:53 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.1.1/32[0] proto=any dir=inWhat does it mean?
-
I reduced the lifetime on both ends, and now get this error in the logs:
On the home side:
May 22 12:26:10 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.2.5/32[0] 192.168.2.0/24[0] proto=any dir=out May 22 12:26:10 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.2.0/24[0] 192.168.2.5/32[0] proto=any dir=inOn the office side:
May 22 12:26:07 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.1.1/32[0] 192.168.1.0/24[0] proto=any dir=out May 22 12:26:07 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.1.1/32[0] proto=any dir=inSo for some reason the liftime reduced the errors to one pair set on each side, whereas earlier is was two pair sets on each side.
Still get nothing on the SAD and Overview. Just says "No IPsec security associations."
Which leads me to beleive I'm leaving somthing out…?Help!
Thanks!
-
Ok, disregurad that last post… It went back to the way it was...
Seams like PF keeps trying to make the connection but gets different responses?
Anyways, I still can't get it to work...
-
all ipsec endpoints are pfsense? if this so, are there are static or dynamic?
-
PF to PF both sides…
the office is a static, the home a dynamic, but has never changed in 4 years.
PF on both sides are setup static. -
Ok, just to see if I could get it to work…I setup another IPsec tunnel, this time an internal one...
...I still get the same errors in the logs:May 22 22:58:49 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.25.0/24[0] 192.168.1.0/24[0] proto=any dir=out
May 22 22:58:49 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.25.1/32[0] 192.168.25.0/24[0] proto=any dir=out
May 22 22:58:49 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.25.0/24[0] proto=any dir=in
May 22 22:58:49 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.25.0/24[0] 192.168.25.1/32[0] proto=any dir=inCan anyone make sense of this? (no pun intended)
Thanks!
-
both on 1.2? / Unknown Gateway says that comes from a dynamic endpoint, nothing more
I would work for example on the static side with the option "mobile clients enable" so the pf on the dynamic side
works as it should. ;) -
Yup!…. both 1.2...
Are you saying for the dynamic setup "mobile clients" needs to be enabled...?
Well, I do have it enabled...on both sides....but it still isn't making the tunnel...
Any other ideas...?
-
WOOT! 'bout half an hour later we have CONNECTION! YES!
Thank you! Thank you! Thank you!…All I did was just let it sit idle... the error log cleared out....I pinged, and then the logs showed CONNECTION ESTABLISHED!
YES!
So...why does it take so long for it to connect....?
Thanks for the help!
-
mobile client ipsec issue in 1.2 –> in 1.21 that is fixed
-
Cool!
Thanks!