Pfsense - Non pfsense IPSEC VPN…. not working....

lakshmiteam

SITE 1: pfsense Site configurations

IPSEC LOG
–--------------------------------------------------------------------------------------------------------------------------------------------------------------
Jun 10 18:28:53 racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, e9dc1ca70b2dc3fd:8520ad9aff81c957:0000de67
Jun 10 18:29:13 racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, e9dc1ca70b2dc3fd:8520ad9aff81c957:0000de67
Jun 10 18:29:31 racoon: INFO: IPsec-SA request for <remote wan="" ip="">queued due to no phase1 found.
Jun 10 18:29:31 racoon: INFO: initiate new phase 1 negotiation: <local wan="" ip="">[500]<=><remote wan="" ip="">[500]
Jun 10 18:29:31 racoon: INFO: begin Identity Protection mode.
Jun 10 18:29:32 racoon: INFO: ISAKMP-SA established <local wan="" ip="">[500]-<remote wan="" ip="">[500] spi:693853fdee4af112:624406974eefe13a
Jun 10 18:29:33 racoon: INFO: initiate new phase 2 negotiation: <local wan="" ip="">[500]<=><remote wan="" ip="">[500]
Jun 10 18:29:34 racoon: INFO: IPsec-SA established: ESP/Tunnel <remote wan="" ip="">[0]-><local wan="" ip="">[0] spi=146602712(0x8bcfad8)
Jun 10 18:29:34 racoon: INFO: IPsec-SA established: ESP/Tunnel <local wan="" ip="">[0]-><remote wan="" ip="">[0] spi=2968668213(0xb0f24835)
–--------------------------------------------------------------------------------------------------------------------------------------------------------------
Jun 10 18:35:00 racoon: INFO: unsupported PF_KEY message REGISTER
Jun 10 18:35:00 racoon: ERROR: pfkey DELETE received: ESP <local wan="" ip="">[0]-><remote wan="" ip="">[0] spi=146602712(0x8bcfad8)
Jun 10 18:35:00 racoon: ERROR: no iph2 found: ESP <local wan="" ip="">[0]-><remote wan="" ip="">[0] spi=2968668213(0xb0f24835)
Jun 10 18:35:07 racoon: INFO: initiate new phase 2 negotiation: <local wan="" ip="">[500]<=><remote wan="" ip="">[500]
Jun 10 18:35:08 racoon: INFO: IPsec-SA established: ESP/Tunnel <remote wan="" ip="">[0]-><local wan="" ip="">[0] spi=74461528(0x4703158)
Jun 10 18:35:08 racoon: INFO: IPsec-SA established: ESP/Tunnel <local wan="" ip="">[0]-><remote wan="" ip="">[0] spi=1235378140(0x49a25fdc)
Jun 10 18:35:08 racoon: ERROR: unknown Informational exchange received.
–--------------------------------------------------------------------------------------------------------------------------------------------------------------
Jun 10 18:41:33 racoon: INFO: unsupported PF_KEY message REGISTER
Jun 10 18:41:33 racoon: ERROR: pfkey DELETE received: ESP <local wan="" ip="">[0]-><remote wan="" ip="">[0] spi=74461528(0x4703158)
Jun 10 18:41:33 racoon: ERROR: no iph2 found: ESP <local wan="" ip="">[0]-><remote wan="" ip="">[0] spi=1235378140(0x49a25fdc)
–--------------------------------------------------------------------------------------------------------------------------------------------------------------

SPD.CONF

spdadd <remote lan="">/8 any -P in discard;
spdadd <remote lan="">/8  any -P out discard;
spdadd <local lan="">/24 <remote lan="">/8 any -P out ipsec esp/tunnel/<local wan="" ip="">-<remote wan="" ip="">/unique;
spdadd <remote lan="">/8 <local lan="">/24 any -P in ipsec esp/tunnel/<remote wan="" ip="">-<local wan="" ip="">/unique;

RACOON.CONF

remote  <remote wan="" ip="">{
exchange_mode main;
my_identifier address "<local wan="" ip="">";

peers_identifier address <remote wan="" ip="">;
initial_contact on;
support_proxy on;
proposal_check obey;

proposal {
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method pre_shared_key;
dh_group 2;
lifetime time 28800 secs;
}
lifetime time 28800 secs;
}

sainfo address <local lan="" ip="">/24 any address <remote lan="" ip="">/8 any {
encryption_algorithm 3des;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
pfs_group 2;
lifetime time 28800 secs;
}

SITE 2:  NON pfsense Site configuration

(Reffered as REMOTE site in the above pfsense site configuration)

AUTHMETH = 1
BANDPOLICY = 0
CERTMODE = 0
DEVINDEX = 0
DHGROUP1 = 2
DHGROUP2 = 2
DIR = 0
DST[0] = <lan ip="">/8  –---- Local address in Remote site - Non pfsense Device
ENC1 = 2
ENC2 = 2
HASH1 = 1
HASH2 = 1
KEEPSECONDSA = 1
LIFETIME1 = 28800
LIFETIME1KB = 0
LIFETIME1KBMAX = 0
LIFETIME1KBMIN = 0
LIFETIME1MAX = 28800
LIFETIME1MIN = 28800
LIFETIME2 = 28800
LIFETIME2KB = 0
LIFETIME2KBMAX = 0
LIFETIME2KBMIN = 0
LIFETIME2MAX = 28800
LIFETIME2MIN = 28800
LOCALADDR = <static wan="" address="">--- non pfsense site
NOHW = 0
PARTNERCERT =
PARTNERCERTCOND =
PEERADDR = <wan ip="">------- pfsense site WAN IP
RAWIPSEC =
REPLAYSIZE = 0
SERVERCERT =
SRC[0] = <lan ip="">/8  –---------- pfsense site LAN IP
TOSPOLICY = 256
WANTROOT =

Back in pfsense device site

When I ping using
ping -c 3 -S <local lan="" ip=""><remote lan="" ip="">it is not pinging......

Any clues where am I going wrong ? Local Site is pfSense and Remote site it is non pfsense device.</remote></local></lan></wan></static></lan></remote></local></remote></local></remote></local></remote></local></remote></remote></local></remote></local></remote></remote></remote></local></remote></local></remote></local></local></remote></remote></local></remote></local></remote></local></remote></local></local></remote></remote></local></remote></local></remote></local></remote>

lakshmiteam

Connection is getting established and then it is getting disconnected…... As the Keep alive is not able to reply.  How do I specify the "nexthop" value in pfsense ? Probably, I may get it right, if I can specify the NEXTHOP....

Any clues ?

heiko

Please retest with "my identfier = my ipaddress = BLANK" on the pfsense side…

lakshmiteam

Thanks for your reply Heiko…
I have enclosed the screen shot of the VPN Page... this is my settings..... Still not able to ping

heiko

Again, is this a test ipsec situation and you are on one switch?

lakshmiteam

No Boss…. Pfsense device is UAE and the other device is in Germany..... not a test environment....

heiko

Do you have rules for icmp on your lan side? The lan rule tab manages the outgoing traffic, the ipsec rule tab manages the incoming traffic from the other ipsec endpoints.

And "ERROR: no iph2 found" , is this a NAT Traversal scenario? NAT-T will be supported in 1.3, not 1.2. Your next hop on your pfsense-ipsec is your WAN IP, all routes for ipsec
will be generated behind the scenes.

lakshmiteam

ICMP is allowed…. as there is one more tunnel established with another pfsense device.... and it is working fine... no problem.... The one which is not working is with non pfsense device on the other side....

heiko

What hardware/software system is the non pfsense system?

• Did you try other and different lifetimes for phase 1/2?
• Is compression enabled on the non pfsense device, if yes, please disable.
• Can you test with "agressive" mode
• try AH, not ESP for testing

Regards
Heiko

lakshmiteam

Thanks for those Tips. I will test it out and keep posted. The non pfsense device is in different continent and those people (New Business Partners) are reluctant to give any details…. Trying to get (extract) more information about the other side....

lakshmiteam

Solved….. after going through the settings (Got them finally) on the other (Non PFSENSE) side... found that ICMP port is blocked.... So, keep alive fails and the tunnel gets closed.... and ping is not possible....

heiko

fine