Site-To-Site couldn't ping, recreated, now won't connect
-
Hi Guys
Ok, I want to tie my home-pfsense to my work-pfsense with a VPN tunnel, to be able to do rsync securely.
I created an identical setup on the two pfsense machines, and when I checked the status, the tunnel was established.
But I couldn't ping via the tunnel. So I removed the config and started all over on the IPsec setup. But after I've done this, the tunnel won't connect (according to Status -> IPsec)???
I hope somebody can tell me I did something stupid :-)
This is the system log of the pfsense here at home:
Jul 18 09:57:05 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 10.11.12.0/24[0] 10.93.16.0/24[0] proto=any dir=out
Jul 18 09:57:05 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 10.11.12.25/32[0] 10.11.12.0/24[0] proto=any dir=out
Jul 18 09:57:05 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 10.93.16.0/24[0] 10.11.12.0/24[0] proto=any dir=in
Jul 18 09:57:05 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 10.11.12.0/24[0] 10.11.12.25/32[0] proto=any dir=in
Jul 18 09:57:05 racoon: [Self]: INFO: 10.11.12.25[500] used as isakmp port (fd=19)
Jul 18 09:57:05 racoon: INFO: fe80::240:63ff:fef4:aac7%vr0[500] used as isakmp port (fd=18)
Jul 18 09:57:05 racoon: [Self]: INFO: 87.61.18.194[500] used as isakmp port (fd=17)
Jul 18 09:57:05 racoon: INFO: fe80::202:b3ff:fe00:5300%fxp0[500] used as isakmp port (fd=16)
Jul 18 09:57:05 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
Jul 18 09:57:05 racoon: INFO: ::1[500] used as isakmp port (fd=14)
Jul 18 09:57:05 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=13)
Jul 18 09:57:05 racoon: INFO: unsupported PF_KEY message REGISTER
Jul 18 09:57:05 racoon: [Self]: INFO: 10.11.12.25[500] used as isakmp port (fd=19)
Jul 18 09:57:05 racoon: INFO: fe80::240:63ff:fef4:aac7%vr0[500] used as isakmp port (fd=18)
Jul 18 09:57:05 racoon: [Self]: INFO: 87.61.18.194[500] used as isakmp port (fd=17)
Jul 18 09:57:05 racoon: INFO: fe80::202:b3ff:fe00:5300%fxp0[500] used as isakmp port (fd=16)
Jul 18 09:57:05 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
Jul 18 09:57:05 racoon: INFO: ::1[500] used as isakmp port (fd=14)
Jul 18 09:57:05 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=13)
Jul 18 09:57:02 racoon: ERROR: such policy already exists. anyway replace it: 10.11.12.0/24[0] 10.93.16.0/24[0] proto=any dir=out
Jul 18 09:57:02 racoon: ERROR: such policy already exists. anyway replace it: 10.11.12.25/32[0] 10.11.12.0/24[0] proto=any dir=out
Jul 18 09:57:02 racoon: ERROR: such policy already exists. anyway replace it: 10.93.16.0/24[0] 10.11.12.0/24[0] proto=any dir=in
Jul 18 09:57:02 racoon: ERROR: such policy already exists. anyway replace it: 10.11.12.0/24[0] 10.11.12.25/32[0] proto=any dir=in
Jul 18 09:57:02 racoon: [Self]: INFO: 10.11.12.25[500] used as isakmp port (fd=19)
Jul 18 09:57:02 racoon: INFO: fe80::240:63ff:fef4:aac7%vr0[500] used as isakmp port (fd=18)
Jul 18 09:57:02 racoon: [Self]: INFO: 87.61.18.194[500] used as isakmp port (fd=17)
Jul 18 09:57:02 racoon: INFO: fe80::202:b3ff:fe00:5300%fxp0[500] used as isakmp port (fd=16)
Jul 18 09:57:02 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
Jul 18 09:57:02 racoon: INFO: ::1[500] used as isakmp port (fd=14)
Jul 18 09:57:02 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=13)
Jul 18 09:57:02 racoon: INFO: unsupported PF_KEY message REGISTER
Jul 18 09:57:02 racoon: [Self]: INFO: 10.11.12.25[500] used as isakmp port (fd=19)
Jul 18 09:57:02 racoon: INFO: fe80::240:63ff:fef4:aac7%vr0[500] used as isakmp port (fd=18)
Jul 18 09:57:02 racoon: [Self]: INFO: 87.61.18.194[500] used as isakmp port (fd=17)
Jul 18 09:57:02 racoon: INFO: fe80::202:b3ff:fe00:5300%fxp0[500] used as isakmp port (fd=16)
Jul 18 09:57:02 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
Jul 18 09:57:02 racoon: INFO: ::1[500] used as isakmp port (fd=14)
Jul 18 09:57:02 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=13)
Jul 18 09:56:19 racoon: ERROR: such policy already exists. anyway replace it: 10.11.12.0/24[0] 10.93.16.0/24[0] proto=any dir=out
Jul 18 09:56:19 racoon: ERROR: such policy already exists. anyway replace it: 10.11.12.25/32[0] 10.11.12.0/24[0] proto=any dir=out
Jul 18 09:56:19 racoon: ERROR: such policy already exists. anyway replace it: 10.93.16.0/24[0] 10.11.12.0/24[0] proto=any dir=in
Jul 18 09:56:19 racoon: ERROR: such policy already exists. anyway replace it: 10.11.12.0/24[0] 10.11.12.25/32[0] proto=any dir=in
Jul 18 09:56:19 racoon: [Self]: INFO: 10.11.12.25[500] used as isakmp port (fd=19)
Jul 18 09:56:19 racoon: INFO: fe80::240:63ff:fef4:aac7%vr0[500] used as isakmp port (fd=18)
Jul 18 09:56:19 racoon: [Self]: INFO: 87.61.18.194[500] used as isakmp port (fd=17)
Jul 18 09:56:19 racoon: INFO: fe80::202:b3ff:fe00:5300%fxp0[500] used as isakmp port (fd=16)
Jul 18 09:56:19 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
Jul 18 09:56:19 racoon: INFO: ::1[500] used as isakmp port (fd=14)
Jul 18 09:56:19 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=13)
Jul 18 09:56:19 racoon: INFO: unsupported PF_KEY message REGISTER
This is the system log of the pfsense at work:
Jul 18 10:04:19 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 10.93.16.0/20[0] 10.11.12.0/24[0] proto=any dir=out
Jul 18 10:04:19 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 10.93.18.254/32[0] 10.93.16.0/20[0] proto=any dir=out
Jul 18 10:04:19 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 10.11.12.0/24[0] 10.93.16.0/20[0] proto=any dir=in
Jul 18 10:04:19 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 10.93.16.0/20[0] 10.93.18.254/32[0] proto=any dir=in
Jul 18 10:04:19 racoon: [Self]: INFO: 10.93.18.254[500] used as isakmp port (fd=19)
Jul 18 10:04:19 racoon: INFO: fe80::230:5ff:fe35:e756%dc0[500] used as isakmp port (fd=18)
Jul 18 10:04:19 racoon: [Self]: INFO: 87.54.52.142[500] used as isakmp port (fd=17)
Jul 18 10:04:19 racoon: INFO: fe80::204:75ff:fecd:fa6d%xl0[500] used as isakmp port (fd=16)
Jul 18 10:04:19 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
Jul 18 10:04:19 racoon: INFO: ::1[500] used as isakmp port (fd=14)
Jul 18 10:04:19 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=13)
Jul 18 10:04:19 racoon: INFO: unsupported PF_KEY message REGISTER
Jul 18 10:04:19 racoon: [Self]: INFO: 10.93.18.254[500] used as isakmp port (fd=19)
Jul 18 10:04:19 racoon: INFO: fe80::230:5ff:fe35:e756%dc0[500] used as isakmp port (fd=18)
Jul 18 10:04:19 racoon: [Self]: INFO: 87.54.52.142[500] used as isakmp port (fd=17)
Jul 18 10:04:19 racoon: INFO: fe80::204:75ff:fecd:fa6d%xl0[500] used as isakmp port (fd=16)
Jul 18 10:04:19 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
Jul 18 10:04:19 racoon: INFO: ::1[500] used as isakmp port (fd=14)
Jul 18 10:04:19 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=13)
Jul 18 10:04:18 racoon: ERROR: such policy already exists. anyway replace it: 10.93.16.0/20[0] 10.11.12.0/24[0] proto=any dir=out
Jul 18 10:04:18 racoon: ERROR: such policy already exists. anyway replace it: 10.93.18.254/32[0] 10.93.16.0/20[0] proto=any dir=out
Jul 18 10:04:18 racoon: ERROR: such policy already exists. anyway replace it: 10.11.12.0/24[0] 10.93.16.0/20[0] proto=any dir=in
Jul 18 10:04:18 racoon: ERROR: such policy already exists. anyway replace it: 10.93.16.0/20[0] 10.93.18.254/32[0] proto=any dir=in
Jul 18 10:04:18 racoon: [Self]: INFO: 10.93.18.254[500] used as isakmp port (fd=19)
Jul 18 10:04:18 racoon: INFO: fe80::230:5ff:fe35:e756%dc0[500] used as isakmp port (fd=18)
Jul 18 10:04:18 racoon: [Self]: INFO: 87.54.52.142[500] used as isakmp port (fd=17)
Jul 18 10:04:18 racoon: INFO: fe80::204:75ff:fecd:fa6d%xl0[500] used as isakmp port (fd=16)
Jul 18 10:04:18 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
Jul 18 10:04:18 racoon: INFO: ::1[500] used as isakmp port (fd=14)
Jul 18 10:04:18 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=13)
Jul 18 10:04:18 racoon: INFO: unsupported PF_KEY message REGISTER
Jul 18 10:04:18 racoon: [Self]: INFO: 10.93.18.254[500] used as isakmp port (fd=19)
Jul 18 10:04:18 racoon: INFO: fe80::230:5ff:fe35:e756%dc0[500] used as isakmp port (fd=18)
Jul 18 10:04:18 racoon: [Self]: INFO: 87.54.52.142[500] used as isakmp port (fd=17)
Jul 18 10:04:18 racoon: INFO: fe80::204:75ff:fecd:fa6d%xl0[500] used as isakmp port (fd=16)
Jul 18 10:04:18 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
Jul 18 10:04:18 racoon: INFO: ::1[500] used as isakmp port (fd=14)
Jul 18 10:04:18 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=13)
Jul 18 09:56:53 racoon: ERROR: such policy already exists. anyway replace it: 10.93.16.0/20[0] 10.11.12.0/24[0] proto=any dir=out
Jul 18 09:56:53 racoon: ERROR: such policy already exists. anyway replace it: 10.93.18.254/32[0] 10.93.16.0/20[0] proto=any dir=out
Jul 18 09:56:53 racoon: ERROR: such policy already exists. anyway replace it: 10.11.12.0/24[0] 10.93.16.0/20[0] proto=any dir=in
Jul 18 09:56:53 racoon: ERROR: such policy already exists. anyway replace it: 10.93.16.0/20[0] 10.93.18.254/32[0] proto=any dir=in
Jul 18 09:56:53 racoon: [Self]: INFO: 10.93.18.254[500] used as isakmp port (fd=19)
Jul 18 09:56:53 racoon: INFO: fe80::230:5ff:fe35:e756%dc0[500] used as isakmp port (fd=18)
Jul 18 09:56:53 racoon: [Self]: INFO: 87.54.52.142[500] used as isakmp port (fd=17)
Jul 18 09:56:53 racoon: INFO: fe80::204:75ff:fecd:fa6d%xl0[500] used as isakmp port (fd=16)
Jul 18 09:56:53 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
Jul 18 09:56:53 racoon: INFO: ::1[500] used as isakmp port (fd=14)
Jul 18 09:56:53 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=13)
Jul 18 09:56:53 racoon: INFO: unsupported PF_KEY message REGISTER
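The two logs above are mostly racoon restart noise (the "used as isakmp port" bursts and the "such policy already exists. anyway replace it" messages are what racoon prints every time pfSense reloads it and re-pushes the SPD), so it helps to triage them mechanically before guessing. The script below is an added example, not part of the original post or of pfSense: it parses a handful of lines copied from the two posted logs (embedded here as constructed sample input), counts how many times racoon was (re)started, checks whether any "ISAKMP-SA established" / "IPsec-SA established" success lines appear at all, and compares the tunnel policies the two sides installed, expecting each side's local/remote pair to be the mirror image of the other's. On the posted lines it reports no established SA on either side and flags that the home side's remote network (10.93.16.0/24) does not mirror the work side's local network (10.93.16.0/20), which is a phase 2 setting worth checking when the rebuilt tunnel still will not come up.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample input: racoon lines copied from the two system logs posted
# above, reduced to one policy set plus one listen line per racoon start.
HOME_LOG = """\
Jul 18 09:57:05 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 10.11.12.0/24[0] 10.93.16.0/24[0] proto=any dir=out
Jul 18 09:57:05 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 10.11.12.25/32[0] 10.11.12.0/24[0] proto=any dir=out
Jul 18 09:57:05 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 10.93.16.0/24[0] 10.11.12.0/24[0] proto=any dir=in
Jul 18 09:57:05 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy already exists. anyway replace it: 10.11.12.0/24[0] 10.11.12.25/32[0] proto=any dir=in
Jul 18 09:57:05 racoon: [Self]: INFO: 87.61.18.194[500] used as isakmp port (fd=17)
Jul 18 09:57:05 racoon: INFO: unsupported PF_KEY message REGISTER
Jul 18 09:57:02 racoon: [Self]: INFO: 87.61.18.194[500] used as isakmp port (fd=17)
Jul 18 09:56:19 racoon: [Self]: INFO: 87.61.18.194[500] used as isakmp port (fd=17)
"""

WORK_LOG = """\
Jul 18 10:04:19 racoon: ERROR: such policy already exists. anyway replace it: 10.93.16.0/20[0] 10.11.12.0/24[0] proto=any dir=out
Jul 18 10:04:19 racoon: ERROR: such policy already exists. anyway replace it: 10.93.18.254/32[0] 10.93.16.0/20[0] proto=any dir=out
Jul 18 10:04:19 racoon: ERROR: such policy already exists. anyway replace it: 10.11.12.0/24[0] 10.93.16.0/20[0] proto=any dir=in
Jul 18 10:04:19 racoon: ERROR: such policy already exists. anyway replace it: 10.93.16.0/20[0] 10.93.18.254/32[0] proto=any dir=in
Jul 18 10:04:19 racoon: [Self]: INFO: 87.54.52.142[500] used as isakmp port (fd=17)
Jul 18 10:04:18 racoon: [Self]: INFO: 87.54.52.142[500] used as isakmp port (fd=17)
Jul 18 09:56:53 racoon: [Self]: INFO: 87.54.52.142[500] used as isakmp port (fd=17)
"""

# SPD entry racoon reports (re)installing: "<src>[port] <dst>[port] proto=... dir=in|out"
POLICY_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) racoon: .*?replace it: "
    r"(?P<src>[\d.]+/\d+)\[\d+\] (?P<dst>[\d.]+/\d+)\[\d+\] proto=\S+ dir=(?P<dir>in|out)$"
)
# racoon binding UDP/500 on its addresses; one burst of these per daemon start.
LISTEN_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) racoon: .*used as isakmp port")
# racoon's standard phase 1 / phase 2 success messages; absent from both posted logs.
SA_RE = re.compile(r"ISAKMP-SA established|IPsec-SA established")


def parse_policies(log: str) -> Set[Tuple[str, str, str]]:
    """Return the set of (src, dst, dir) SPD entries racoon reported installing."""
    return {(m["src"], m["dst"], m["dir"])
            for m in map(POLICY_RE.match, log.splitlines()) if m}


def tunnel_policies(log: str) -> Set[Tuple[str, str]]:
    """(local_net, remote_net) pairs for the site-to-site tunnel: the dir=out
    policies between two networks. A /32 endpoint is the gateway's own host
    policy toward its LAN and is not part of the tunnel definition."""
    return {(src, dst) for src, dst, direction in parse_policies(log)
            if direction == "out" and not src.endswith("/32") and not dst.endswith("/32")}


def restart_count(log: str) -> int:
    """Count distinct timestamps at which racoon bound its ISAKMP sockets,
    i.e. how many times the daemon was started or reloaded."""
    return len({m["ts"] for m in map(LISTEN_RE.match, log.splitlines()) if m})


def sa_established(log: str) -> bool:
    """True if racoon ever logged a completed phase 1 or phase 2 negotiation."""
    return any(SA_RE.search(line) for line in log.splitlines())


def mismatched_policies(side_a: str, side_b: str) -> List[Tuple[Tuple[str, str], Tuple[str, str]]]:
    """For every tunnel policy (local, remote) on side A, side B must carry the
    mirror (remote, local). Return (a_policy, expected_on_b) for each one B lacks."""
    b_policies = tunnel_policies(side_b)
    return [((local, remote), (remote, local))
            for local, remote in sorted(tunnel_policies(side_a))
            if (remote, local) not in b_policies]


def triage(home: str, work: str) -> Dict[str, object]:
    """One summary dict for both sides of the tunnel."""
    return {
        "home_restarts": restart_count(home),
        "work_restarts": restart_count(work),
        "home_sa_established": sa_established(home),
        "work_sa_established": sa_established(work),
        "policy_mismatches": mismatched_policies(home, work),
    }


if __name__ == "__main__":
    for key, value in triage(HOME_LOG, WORK_LOG).items():
        print(f"{key}: {value}")
```

Run it against the full logs from both boxes (paste them in place of the constructed samples); a tunnel that negotiates will show at least one "ISAKMP-SA established" line and an empty mismatch list, and if the mismatch list is not empty the Phase 2 local/remote subnets on the two pfSense boxes do not describe the same pair of networks.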
-
I had this happen once. I would suggest deleting BOTH IPsec definitions on both pfSense machines and starting over. Please ensure you 'apply' the delete before recreating new ones. I created my tunnels and screwed up a config on one. Once they entered an error state I was never able to get them to play nice again… just needed to start over.
In regards to the PING, make sure you add firewall rules under the IPsec tab. The source will need to be the remote network. If you already had firewall rules then perhaps someone else can chime in as to why packets may not route properly.
-Geoff
-
Ok, I'll try to start over.
I didn't create firewall rules, which was probably why it didn't work originally, thanks for the heads-up.