Netgate Discussion Forum

    pfSense to non-pfSense IPsec VPN not working

    IPsec
    12 Posts 2 Posters 22.6k Views
    • lakshmiteam

      SITE 1: pfsense Site configurations

      IPSEC LOG
      ----------------------------------------------------------------------
      Jun 10 18:28:53 racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, e9dc1ca70b2dc3fd:8520ad9aff81c957:0000de67
      Jun 10 18:29:13 racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, e9dc1ca70b2dc3fd:8520ad9aff81c957:0000de67
      Jun 10 18:29:31 racoon: INFO: IPsec-SA request for <remote wan ip> queued due to no phase1 found.
      Jun 10 18:29:31 racoon: INFO: initiate new phase 1 negotiation: <local wan ip>[500]<=><remote wan ip>[500]
      Jun 10 18:29:31 racoon: INFO: begin Identity Protection mode.
      Jun 10 18:29:32 racoon: INFO: ISAKMP-SA established <local wan ip>[500]-<remote wan ip>[500] spi:693853fdee4af112:624406974eefe13a
      Jun 10 18:29:33 racoon: INFO: initiate new phase 2 negotiation: <local wan ip>[500]<=><remote wan ip>[500]
      Jun 10 18:29:34 racoon: INFO: IPsec-SA established: ESP/Tunnel <remote wan ip>[0]-><local wan ip>[0] spi=146602712(0x8bcfad8)
      Jun 10 18:29:34 racoon: INFO: IPsec-SA established: ESP/Tunnel <local wan ip>[0]-><remote wan ip>[0] spi=2968668213(0xb0f24835)
      ----------------------------------------------------------------------
      Jun 10 18:35:00 racoon: INFO: unsupported PF_KEY message REGISTER
      Jun 10 18:35:00 racoon: ERROR: pfkey DELETE received: ESP <local wan ip>[0]-><remote wan ip>[0] spi=146602712(0x8bcfad8)
      Jun 10 18:35:00 racoon: ERROR: no iph2 found: ESP <local wan ip>[0]-><remote wan ip>[0] spi=2968668213(0xb0f24835)
      Jun 10 18:35:07 racoon: INFO: initiate new phase 2 negotiation: <local wan ip>[500]<=><remote wan ip>[500]
      Jun 10 18:35:08 racoon: INFO: IPsec-SA established: ESP/Tunnel <remote wan ip>[0]-><local wan ip>[0] spi=74461528(0x4703158)
      Jun 10 18:35:08 racoon: INFO: IPsec-SA established: ESP/Tunnel <local wan ip>[0]-><remote wan ip>[0] spi=1235378140(0x49a25fdc)
      Jun 10 18:35:08 racoon: ERROR: unknown Informational exchange received.
      ----------------------------------------------------------------------
      Jun 10 18:41:33 racoon: INFO: unsupported PF_KEY message REGISTER
      Jun 10 18:41:33 racoon: ERROR: pfkey DELETE received: ESP <local wan ip>[0]-><remote wan ip>[0] spi=74461528(0x4703158)
      Jun 10 18:41:33 racoon: ERROR: no iph2 found: ESP <local wan ip>[0]-><remote wan ip>[0] spi=1235378140(0x49a25fdc)
      ----------------------------------------------------------------------

      SPD.CONF

      spdadd <remote lan>/8 any -P in discard;
      spdadd <remote lan>/8 any -P out discard;
      spdadd <local lan>/24 <remote lan>/8 any -P out ipsec esp/tunnel/<local wan ip>-<remote wan ip>/unique;
      spdadd <remote lan>/8 <local lan>/24 any -P in ipsec esp/tunnel/<remote wan ip>-<local wan ip>/unique;

      RACOON.CONF

      remote <remote wan ip> {
          exchange_mode main;
          my_identifier address "<local wan ip>";

          peers_identifier address <remote wan ip>;
          initial_contact on;
          support_proxy on;
          proposal_check obey;

          proposal {
              encryption_algorithm 3des;
              hash_algorithm md5;
              authentication_method pre_shared_key;
              dh_group 2;
              lifetime time 28800 secs;
          }
          lifetime time 28800 secs;
      }

      sainfo address <local lan ip>/24 any address <remote lan ip>/8 any {
          encryption_algorithm 3des;
          authentication_algorithm hmac_md5;
          compression_algorithm deflate;
          pfs_group 2;
          lifetime time 28800 secs;
      }

      SITE 2: non-pfSense site configuration

      (Referred to as the REMOTE site in the pfSense site configuration above)

      AUTHMETH = 1
      BANDPOLICY = 0
      CERTMODE = 0
      DEVINDEX = 0
      DHGROUP1 = 2
      DHGROUP2 = 2
      DIR = 0
      DST[0] = <lan ip>/8              <- local address at the remote site (non-pfSense device)
      ENC1 = 2
      ENC2 = 2
      HASH1 = 1
      HASH2 = 1
      KEEPSECONDSA = 1
      LIFETIME1 = 28800
      LIFETIME1KB = 0
      LIFETIME1KBMAX = 0
      LIFETIME1KBMIN = 0
      LIFETIME1MAX = 28800
      LIFETIME1MIN = 28800
      LIFETIME2 = 28800
      LIFETIME2KB = 0
      LIFETIME2KBMAX = 0
      LIFETIME2KBMIN = 0
      LIFETIME2MAX = 28800
      LIFETIME2MIN = 28800
      LOCALADDR = <static wan address>  <- non-pfSense site
      NOHW = 0
      PARTNERCERT =
      PARTNERCERTCOND =
      PEERADDR = <wan ip>               <- pfSense site WAN IP
      RAWIPSEC =
      REPLAYSIZE = 0
      SERVERCERT =
      SRC[0] = <lan ip>/8              <- pfSense site LAN IP
      TOSPOLICY = 256
      WANTROOT =

      Back in pfsense device site

      When I ping using

      ping -c 3 -S <local lan ip> <remote lan ip>

      it is not pinging.

      Any clues where I am going wrong? The local site is pfSense and the remote site is a non-pfSense device.

      • lakshmiteam

        The connection is getting established and then it is getting disconnected, as the keepalive is not able to reply. How do I specify the "nexthop" value in pfSense? Probably I may get it right if I can specify the NEXTHOP.

        Any clues ?

        • heiko

          Please retest with "my identifier = my IP address = BLANK" on the pfSense side.

          • lakshmiteam

            Thanks for your reply, Heiko.
            I have enclosed a screenshot of the VPN page; these are my settings. Still not able to ping.

            [screenshot: vpn.jpg]

            • heiko

              Again, is this a test IPsec situation where you are on one switch?

              • lakshmiteam

                No, boss. The pfSense device is in the UAE and the other device is in Germany; it is not a test environment.

                • heiko

                  Do you have rules for ICMP on your LAN side? The LAN rule tab manages the outgoing traffic; the IPsec rule tab manages the incoming traffic from the other IPsec endpoints.

                  And "ERROR: no iph2 found": is this a NAT traversal scenario? NAT-T will be supported in 1.3, not 1.2. Your next hop on your pfSense IPsec is your WAN IP; all routes for IPsec will be generated behind the scenes.

                  • lakshmiteam

                    ICMP is allowed, as there is one more tunnel established with another pfSense device, and it is working fine, no problem. The one which is not working is the one with the non-pfSense device on the other side.

                    • heiko

                      What hardware/software system is the non-pfSense system?

                      • Did you try other and different lifetimes for phase 1/2?
                      • Is compression enabled on the non-pfSense device? If yes, please disable it.
                      • Can you test with "aggressive" mode?
                      • Try AH, not ESP, for testing.

                      Regards
                      Heiko

                      • lakshmiteam

                        Thanks for those tips. I will test them out and keep you posted. The non-pfSense device is on a different continent and those people (new business partners) are reluctant to give any details. Trying to get (extract) more information about the other side.

                        • lakshmiteam

                          Solved. After going through the settings (got them finally) on the other (non-pfSense) side, I found that the ICMP port is blocked. So the keepalive fails, the tunnel gets closed, and ping is not possible.

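The racoon lines in the first post already show the symptom the thread ends on: a pair of ESP SAs is established, and a few minutes later the kernel removes them ("pfkey DELETE received" / "no iph2 found") long before the configured 28800-second lifetime, after which phase 2 is renegotiated. The following Python script is an added example, not code from this thread, from pfSense or from racoon. It parses such log lines, pairs every SA teardown with its establishment by SPI, and marks teardowns that happen within a small fraction of the configured lifetime as premature, which is the signature of a keepalive or DPD failure rather than a normal rekey. The sample log is constructed from the lines quoted above with the post's own address placeholders kept; the function names, the dictionary fields and the 10% threshold are assumptions of this example.

```python
import re
from datetime import datetime

# Constructed sample input: the racoon lines quoted in the first post, with that
# post's own address placeholders (<local wan ip>, <remote wan ip>) left in place.
SAMPLE_LOG = """\
Jun 10 18:28:53 racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, e9dc1ca70b2dc3fd:8520ad9aff81c957:0000de67
Jun 10 18:29:32 racoon: INFO: ISAKMP-SA established <local wan ip>[500]-<remote wan ip>[500] spi:693853fdee4af112:624406974eefe13a
Jun 10 18:29:34 racoon: INFO: IPsec-SA established: ESP/Tunnel <remote wan ip>[0]-><local wan ip>[0] spi=146602712(0x8bcfad8)
Jun 10 18:29:34 racoon: INFO: IPsec-SA established: ESP/Tunnel <local wan ip>[0]-><remote wan ip>[0] spi=2968668213(0xb0f24835)
Jun 10 18:35:00 racoon: ERROR: pfkey DELETE received: ESP <local wan ip>[0]-><remote wan ip>[0] spi=146602712(0x8bcfad8)
Jun 10 18:35:00 racoon: ERROR: no iph2 found: ESP <local wan ip>[0]-><remote wan ip>[0] spi=2968668213(0xb0f24835)
Jun 10 18:35:08 racoon: INFO: IPsec-SA established: ESP/Tunnel <remote wan ip>[0]-><local wan ip>[0] spi=74461528(0x4703158)
Jun 10 18:35:08 racoon: INFO: IPsec-SA established: ESP/Tunnel <local wan ip>[0]-><remote wan ip>[0] spi=1235378140(0x49a25fdc)
Jun 10 18:41:33 racoon: ERROR: pfkey DELETE received: ESP <local wan ip>[0]-><remote wan ip>[0] spi=74461528(0x4703158)
Jun 10 18:41:33 racoon: ERROR: no iph2 found: ESP <local wan ip>[0]-><remote wan ip>[0] spi=1235378140(0x49a25fdc)
"""

# syslog prefix as seen in the post: "Mon DD HH:MM:SS racoon: <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) racoon: (?P<msg>.*)$")
# a phase 2 SA installed in the kernel, with its direction and SPI
ESTABLISHED_RE = re.compile(
    r"IPsec-SA established: ESP/Tunnel (?P<src>.+?)\[\d+\]->(?P<dst>.+?)\[\d+\] spi=(?P<spi>\d+)")
# kernel-side removal of a phase 2 SA, reported by racoon in either of these two forms
TEARDOWN_RE = re.compile(r"(?:pfkey DELETE received|no iph2 found): ESP .+? spi=(?P<spi>\d+)")


def parse_ts(text):
    """Syslog timestamps carry no year; every delta computed here stays within one day."""
    return datetime.strptime(text, "%b %d %H:%M:%S")


def analyze(log_text, configured_lifetime=28800, early_fraction=0.1):
    """Pair each SA teardown with its establishment by SPI and report how long it lived.

    A teardown earlier than early_fraction * configured_lifetime cannot be a
    normal rekey and is marked premature (assumed threshold, tune as needed).
    """
    active = {}       # spi -> (established_at, src, dst)
    teardowns = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = parse_ts(m.group("ts")), m.group("msg")
        est = ESTABLISHED_RE.search(msg)
        if est:
            active[est.group("spi")] = (ts, est.group("src"), est.group("dst"))
            continue
        down = TEARDOWN_RE.search(msg)
        if down and down.group("spi") in active:
            established_at, src, dst = active.pop(down.group("spi"))
            age = int((ts - established_at).total_seconds())
            teardowns.append({
                "spi": down.group("spi"),
                "direction": f"{src} -> {dst}",
                "established_at": established_at,
                "torn_down_at": ts,
                "age_seconds": age,
                "premature": age < configured_lifetime * early_fraction,
            })
    return teardowns


def flap_count(teardowns):
    """Distinct moments at which SAs were torn down early: one per tunnel flap."""
    return len({t["torn_down_at"] for t in teardowns if t["premature"]})


if __name__ == "__main__":
    events = analyze(SAMPLE_LOG)
    for e in events:
        flag = "PREMATURE" if e["premature"] else "ok"
        print(f"{e['torn_down_at']:%b %d %H:%M:%S} spi={e['spi']:>10} {e['direction']} "
              f"lived {e['age_seconds']}s ({flag})")
    print(f"tunnel flaps: {flap_count(events)}")
```

On the sample, every SA lives only 326 or 385 seconds against a 28800-second lifetime and the script reports two flaps, one per teardown pair. Fed the racoon lines from a live pfSense IPsec log, the same check separates "the tunnel never comes up" (no established events at all) from "the tunnel comes up and is killed" (premature teardowns), which points at a keepalive, DPD or filtering problem on the path rather than a proposal mismatch.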
                          • heiko

                            fine

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.