Few newbie questions



  • Hello gents,
    I'm trying to set up an IPsec tunnel between 2 pfSense boxes for a test, but am not having success.
    Here is the configuration:
    pf1 box :
    WAN : 10.1.1.10
    LAN : 192.168.1.1 
    IPsec settings:
    Interface : WAN
    Local subnet : LAN subnet
    Remote subnet : 192.168.100.0 /24
    Remote gateway: 10.1.1.20
    Negotiation mode : main
    My identifier : My IP address
    Encryption algorithm : 3DES
    Hash algorithm : MD5
    DH key group : 2
    Lifetime : 1400
    Authentication method : Preshared Key
    Pre-Shared Key: 1234567890
    Protocol :ESP
    Encryption algorithms : 3DES
    Hash algorithms : SHA1 , MD5
    PFS key group: 2
    Lifetime : 86400

    pf2 box :
    WAN : 10.1.1.20
    LAN : 192.168.100.1
    IPsec settings:
    Interface : WAN
    Local subnet : LAN subnet
    Remote subnet : 192.168.1.0 /24
    Remote gateway: 10.1.1.10
    Negotiation mode : main
    My identifier : My IP address
    Encryption algorithm : 3DES
    Hash algorithm : MD5
    DH key group : 2
    Lifetime : 1400
    Authentication method : Preshared Key
    Pre-Shared Key: 1234567890
    Protocol :ESP
    Encryption algorithms : 3DES
    Hash algorithms : SHA1 , MD5
    PFS key group: 2
    Lifetime : 86400

    and nothing happens …

    There are a few errors on both boxes:
    racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.1.1/32[0] 192.168.100.1/32[0] proto=any dir=out
    racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.1.1/32[0] 192.168.1.0/24[0] proto=any dir=out
    racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.100.1/32[0] 192.168.1.1/32[0] proto=any dir=in
    racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.1.1/32[0] proto=any dir=in

    So, I don't have any idea where the "trouble" is …
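
The two peer definitions above have to be exact mirrors of each other (each side's LAN subnet and WAN address must equal the other side's remote subnet and remote gateway, and the phase 1/phase 2 proposals must overlap), which is tedious to eyeball. The following is an added example, not pfSense or racoon code and not something the original poster ran: a small Python checker that compares a pair of tunnel definitions and, separately, flags the algorithm choices that a practitioner would no longer accept in production (3DES, MD5, DH group 2, a short digits-only PSK). The dictionary layout, key names, function names and the `MIN_PSK_LEN` threshold are assumptions made for this illustration; the values in `PF1` and `PF2` are copied from the post.

```python
"""Cross-check a pair of site-to-site IPsec tunnel definitions.

Added example, not pfSense or racoon code. The dictionary layout, the key
names and the check functions are assumptions made for this illustration;
the values in PF1 and PF2 are copied from the two configurations posted.
"""
from ipaddress import ip_address, ip_network

# Constructed from the two pfSense configurations in the post above.
PF1 = {
    "wan": "10.1.1.10",
    "lan": "192.168.1.0/24",          # "LAN subnet" on pf1
    "remote_subnet": "192.168.100.0/24",
    "remote_gateway": "10.1.1.20",
    "p1": {"mode": "main", "enc": "3DES", "hash": "MD5", "dh": 2,
           "lifetime": 1400, "psk": "1234567890"},
    "p2": {"proto": "ESP", "enc": ["3DES"], "hash": ["SHA1", "MD5"],
           "pfs": 2, "lifetime": 86400},
}
PF2 = {
    "wan": "10.1.1.20",
    "lan": "192.168.100.0/24",        # "LAN subnet" on pf2
    "remote_subnet": "192.168.1.0/24",
    "remote_gateway": "10.1.1.10",
    "p1": dict(PF1["p1"]),            # identical phase 1 settings were posted
    "p2": {"proto": "ESP", "enc": ["3DES"], "hash": ["SHA1", "MD5"],
           "pfs": 2, "lifetime": 86400},
}

# Algorithms a practitioner would no longer accept for a production tunnel.
WEAK_ENC = {"DES", "3DES"}
WEAK_HASH = {"MD5"}
WEAK_DH = {1, 2, 5}      # 768/1024/1536-bit MODP groups
MIN_PSK_LEN = 20         # assumed local policy, not a pfSense default


def mirror_findings(a, b):
    """Return a list of mismatches between peer a's view and peer b's view.

    A site-to-site tunnel only comes up when each side's local subnet and
    WAN address equal the other side's remote subnet and remote gateway,
    and the phase 1/2 proposals share at least one usable combination.
    """
    out = []
    if ip_network(a["lan"]) != ip_network(b["remote_subnet"]):
        out.append("peer b remote subnet does not match peer a LAN")
    if ip_network(b["lan"]) != ip_network(a["remote_subnet"]):
        out.append("peer a remote subnet does not match peer b LAN")
    if ip_address(a["wan"]) != ip_address(b["remote_gateway"]):
        out.append("peer b remote gateway does not match peer a WAN")
    if ip_address(b["wan"]) != ip_address(a["remote_gateway"]):
        out.append("peer a remote gateway does not match peer b WAN")
    if ip_network(a["lan"]).overlaps(ip_network(b["lan"])):
        out.append("LAN subnets overlap; traffic cannot be routed into the tunnel")
    for key, va in a["p1"].items():
        if va != b["p1"].get(key):
            out.append(f"phase 1 '{key}' differs between peers")
    for key in ("proto", "pfs", "lifetime"):
        if a["p2"][key] != b["p2"][key]:
            out.append(f"phase 2 '{key}' differs between peers")
    if not set(a["p2"]["enc"]) & set(b["p2"]["enc"]):
        out.append("phase 2 has no common encryption algorithm")
    if not set(a["p2"]["hash"]) & set(b["p2"]["hash"]):
        out.append("phase 2 has no common hash algorithm")
    return out


def weak_crypto_findings(cfg):
    """Return a list of weak-crypto warnings for one peer's configuration."""
    out = []
    p1, p2 = cfg["p1"], cfg["p2"]
    if p1["enc"] in WEAK_ENC:
        out.append(f"phase 1 encryption {p1['enc']} is deprecated")
    if p1["hash"] in WEAK_HASH:
        out.append(f"phase 1 hash {p1['hash']} is deprecated")
    if p1["dh"] in WEAK_DH:
        out.append(f"phase 1 DH group {p1['dh']} is too small")
    psk = p1["psk"]
    if len(psk) < MIN_PSK_LEN or psk.isdigit():
        out.append("pre-shared key is short or digits-only; use a long random secret")
    for alg in p2["enc"]:
        if alg in WEAK_ENC:
            out.append(f"phase 2 encryption {alg} is deprecated")
    for alg in p2["hash"]:
        if alg in WEAK_HASH:
            out.append(f"phase 2 hash {alg} is deprecated")
    if p2["pfs"] in WEAK_DH:
        out.append(f"phase 2 PFS group {p2['pfs']} is too small")
    return out


if __name__ == "__main__":
    for line in mirror_findings(PF1, PF2) or ["peer definitions mirror each other"]:
        print("mirror:", line)
    for name, cfg in (("pf1", PF1), ("pf2", PF2)):
        for line in weak_crypto_findings(cfg):
            print(f"{name}:", line)
```

Run as-is, the mirror check reports nothing for the posted pair (the two definitions do mirror each other correctly, so the configuration itself is not why the tunnel stayed down), while the weak-crypto check lists seven items per box. The split into two functions is deliberate: a mismatch stops the tunnel from negotiating at all, whereas a weak algorithm choice lets it come up but is a finding you would raise before the same settings are reused outside a lab.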





  • Thanks, I have checked that before but that didn't help.
    Also noticed in the logs:
    racoon: INFO: unsupported PF_KEY message REGISTER, what does it mean?



  • Is this an IPsec test and are you running this setup on one switch?



  • Yes, on one switch.



  • Please try a crossover cable for the WAN ports or a second switch and try again.



  • I'll try it tomorrow and repost any result. BTW, what is the difference if both boxes are on one switch?



  • OK, problem solved  8)
    After a new test, all is working.
    But why doesn't the IPsec configuration work in a one-switch environment?



  • ;)
    regards
    heiko

