Pfsense - Non pfsense IPSEC VPN…. not working....
-
SITE 1: pfsense Site configurations
IPSEC LOG
–--------------------------------------------------------------------------------------------------------------------------------------------------------------
Jun 10 18:28:53 racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, e9dc1ca70b2dc3fd:8520ad9aff81c957:0000de67
Jun 10 18:29:13 racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, e9dc1ca70b2dc3fd:8520ad9aff81c957:0000de67
Jun 10 18:29:31 racoon: INFO: IPsec-SA request for <remote wan="" ip="">queued due to no phase1 found.
Jun 10 18:29:31 racoon: INFO: initiate new phase 1 negotiation: <local wan="" ip="">[500]<=><remote wan="" ip="">[500]
Jun 10 18:29:31 racoon: INFO: begin Identity Protection mode.
Jun 10 18:29:32 racoon: INFO: ISAKMP-SA established <local wan="" ip="">[500]-<remote wan="" ip="">[500] spi:693853fdee4af112:624406974eefe13a
Jun 10 18:29:33 racoon: INFO: initiate new phase 2 negotiation: <local wan="" ip="">[500]<=><remote wan="" ip="">[500]
Jun 10 18:29:34 racoon: INFO: IPsec-SA established: ESP/Tunnel <remote wan="" ip="">[0]-><local wan="" ip="">[0] spi=146602712(0x8bcfad8)
Jun 10 18:29:34 racoon: INFO: IPsec-SA established: ESP/Tunnel <local wan="" ip="">[0]-><remote wan="" ip="">[0] spi=2968668213(0xb0f24835)
–--------------------------------------------------------------------------------------------------------------------------------------------------------------
Jun 10 18:35:00 racoon: INFO: unsupported PF_KEY message REGISTER
Jun 10 18:35:00 racoon: ERROR: pfkey DELETE received: ESP <local wan="" ip="">[0]-><remote wan="" ip="">[0] spi=146602712(0x8bcfad8)
Jun 10 18:35:00 racoon: ERROR: no iph2 found: ESP <local wan="" ip="">[0]-><remote wan="" ip="">[0] spi=2968668213(0xb0f24835)
Jun 10 18:35:07 racoon: INFO: initiate new phase 2 negotiation: <local wan="" ip="">[500]<=><remote wan="" ip="">[500]
Jun 10 18:35:08 racoon: INFO: IPsec-SA established: ESP/Tunnel <remote wan="" ip="">[0]-><local wan="" ip="">[0] spi=74461528(0x4703158)
Jun 10 18:35:08 racoon: INFO: IPsec-SA established: ESP/Tunnel <local wan="" ip="">[0]-><remote wan="" ip="">[0] spi=1235378140(0x49a25fdc)
Jun 10 18:35:08 racoon: ERROR: unknown Informational exchange received.
–--------------------------------------------------------------------------------------------------------------------------------------------------------------
Jun 10 18:41:33 racoon: INFO: unsupported PF_KEY message REGISTER
Jun 10 18:41:33 racoon: ERROR: pfkey DELETE received: ESP <local wan="" ip="">[0]-><remote wan="" ip="">[0] spi=74461528(0x4703158)
Jun 10 18:41:33 racoon: ERROR: no iph2 found: ESP <local wan="" ip="">[0]-><remote wan="" ip="">[0] spi=1235378140(0x49a25fdc)
–--------------------------------------------------------------------------------------------------------------------------------------------------------------SPD.CONF
spdadd <remote lan="">/8 any -P in discard;
spdadd <remote lan="">/8 any -P out discard;
spdadd <local lan="">/24 <remote lan="">/8 any -P out ipsec esp/tunnel/<local wan="" ip="">-<remote wan="" ip="">/unique;
spdadd <remote lan="">/8 <local lan="">/24 any -P in ipsec esp/tunnel/<remote wan="" ip="">-<local wan="" ip="">/unique;RACOON.CONF
remote <remote wan="" ip="">{
exchange_mode main;
my_identifier address "<local wan="" ip="">";peers_identifier address <remote wan="" ip="">;
initial_contact on;
support_proxy on;
proposal_check obey;proposal {
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method pre_shared_key;
dh_group 2;
lifetime time 28800 secs;
}
lifetime time 28800 secs;
}sainfo address <local lan="" ip="">/24 any address <remote lan="" ip="">/8 any {
encryption_algorithm 3des;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
pfs_group 2;
lifetime time 28800 secs;
}SITE 2: NON pfsense Site configuration
(Reffered as REMOTE site in the above pfsense site configuration)
AUTHMETH = 1
BANDPOLICY = 0
CERTMODE = 0
DEVINDEX = 0
DHGROUP1 = 2
DHGROUP2 = 2
DIR = 0
DST[0] = <lan ip="">/8 –---- Local address in Remote site - Non pfsense Device
ENC1 = 2
ENC2 = 2
HASH1 = 1
HASH2 = 1
KEEPSECONDSA = 1
LIFETIME1 = 28800
LIFETIME1KB = 0
LIFETIME1KBMAX = 0
LIFETIME1KBMIN = 0
LIFETIME1MAX = 28800
LIFETIME1MIN = 28800
LIFETIME2 = 28800
LIFETIME2KB = 0
LIFETIME2KBMAX = 0
LIFETIME2KBMIN = 0
LIFETIME2MAX = 28800
LIFETIME2MIN = 28800
LOCALADDR = <static wan="" address="">--- non pfsense site
NOHW = 0
PARTNERCERT =
PARTNERCERTCOND =
PEERADDR = <wan ip="">------- pfsense site WAN IP
RAWIPSEC =
REPLAYSIZE = 0
SERVERCERT =
SRC[0] = <lan ip="">/8 –---------- pfsense site LAN IP
TOSPOLICY = 256
WANTROOT =Back in pfsense device site
When I ping using
ping -c 3 -S <local lan="" ip=""><remote lan="" ip="">it is not pinging......Any clues where am I going wrong ? Local Site is pfSense and Remote site it is non pfsense device.</remote></local></lan></wan></static></lan></remote></local></remote></local></remote></local></remote></local></remote></remote></local></remote></local></remote></remote></remote></local></remote></local></remote></local></local></remote></remote></local></remote></local></remote></local></remote></local></local></remote></remote></local></remote></local></remote></local></remote>
-
Connection is getting established and then it is getting disconnected…... As the Keep alive is not able to reply. How do I specify the "nexthop" value in pfsense ? Probably, I may get it right, if I can specify the NEXTHOP....
Any clues ?
-
Please retest with "my identfier = my ipaddress = BLANK" on the pfsense side…
-
Thanks for your reply Heiko…
I have enclosed the screen shot of the VPN Page... this is my settings..... Still not able to ping
-
Again, is this a test ipsec situation and you are on one switch?
-
No Boss…. Pfsense device is UAE and the other device is in Germany..... not a test environment....
-
Do you have rules for icmp on your lan side? The lan rule tab manages the outgoing traffic, the ipsec rule tab manages the incoming traffic from the other ipsec endpoints.
And "ERROR: no iph2 found" , is this a NAT Traversal scenario? NAT-T will be supported in 1.3, not 1.2. Your next hop on your pfsense-ipsec is your WAN IP, all routes for ipsec
will be generated behind the scenes. -
ICMP is allowed…. as there is one more tunnel established with another pfsense device.... and it is working fine... no problem.... The one which is not working is with non pfsense device on the other side....
-
What hardware/software system is the non pfsense system?
- Did you try other and different lifetimes for phase 1/2?
- Is compression enabled on the non pfsense device, if yes, please disable.
- Can you test with "agressive" mode
- try AH, not ESP for testing
Regards
Heiko -
Thanks for those Tips. I will test it out and keep posted. The non pfsense device is in different continent and those people (New Business Partners) are reluctant to give any details…. Trying to get (extract) more information about the other side....
-
Solved….. after going through the settings (Got them finally) on the other (Non PFSENSE) side... found that ICMP port is blocked.... So, keep alive fails and the tunnel gets closed.... and ping is not possible....
-
fine