[pfSense Support] PFSense 1.2.3 IPSEC Tunnel dropped, no re-connect
Have a site-site tunnel between home and work. Had issues getting the tunnels to work initially. Once they were up they were stable for a few weeks. Rebooted the home router this morning and the tunnel does not come back up. Went into IPSEC and re-saved the tunnels and still does not come up. Get this error:

ERROR: phase2 negotiation failed due to time up waiting for phase1

Jul 17 09:01:11 racoon: *[]*: INFO: initiate new phase 1 negotiation: HOME WAN[500]=OFFICE WAN[500]
Jul 17 09:01:11 racoon: INFO: begin Aggressive mode.
Jul 17 09:01:36 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Jul 17 09:01:44 racoon: *[]*: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP OFFICE WAN[0]-HOME WAN[0]
Jul 17 09:01:44 racoon: INFO: delete phase 2 handler.
Jul 17 09:02:01 racoon: ERROR: phase1 negotiation failed due to time up. dd42e11e42fc3dcb:

Puzzled why it would work until a reboot. IPSEC status shows *No IPsec security associations.* I tried to delete the tunnels under SPD, resave the ipsec settings. The spd gets recreated but still no tunnel and the above messages.
Re: [pfSense Support] PFSense 1.2.3 IPSEC Tunnel dropped, no re-connect
On Sat, Jul 17, 2010 at 10:09 AM, Paul Peziol joyride...@gmail.com wrote:

> Have a site-site tunnel between home and work. Had issues getting the tunnels to work initially. Once they were up they were stable for a few weeks. Rebooted the home router this morning and the tunnel does not come back up. Went into IPSEC and re-saved the tunnels and still does not come up. Get this error:
>
> ERROR: phase2 negotiation failed due to time up waiting for phase1
>
> Jul 17 09:01:11 racoon: *[]*: INFO: initiate new phase 1 negotiation: HOME WAN[500]=OFFICE WAN[500]
> Jul 17 09:01:11 racoon: INFO: begin Aggressive mode.
> Jul 17 09:01:36 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
> Jul 17 09:01:44 racoon: *[]*: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP OFFICE WAN[0]-HOME WAN[0]
> Jul 17 09:01:44 racoon: INFO: delete phase 2 handler.
> Jul 17 09:02:01 racoon: ERROR: phase1 negotiation failed due to time up. dd42e11e42fc3dcb:
>
> Puzzled why it would work until a reboot. IPSEC status shows *No IPsec security associations.* I tried to delete the tunnels under SPD, resave the ipsec settings. The spd gets recreated but still no tunnel and the above messages.

You say between home and work. Is it possible that you have a dynamic IP at home and a reboot of your modem pulled down a new IP address? This could potentially have disrupted the IPSec tunnel.
Re: [pfSense Support] PFSense 1.2.3 IPSEC Tunnel dropped, no re-connect
I do have a dynamic IP but have set the tunnels with dyndns. Verified the IP that's in the logs to make sure it matches the current IP.

On Sat, Jul 17, 2010 at 9:43 AM, Jesse Vollmar vollm...@gmail.com wrote:

> On Sat, Jul 17, 2010 at 10:09 AM, Paul Peziol joyride...@gmail.com wrote:
>
>> [...]
>
> You say between home and work. Is it possible that you have a dynamic IP at home and a reboot of your modem pulled down a new IP address? This could potentially have disrupted the IPSec tunnel.
Re: [pfSense Support] PFSense 1.2.3 IPSEC Tunnel dropped, no re-connect
On Sat, Jul 17, 2010 at 10:55 AM, Paul Peziol joyride...@gmail.com wrote:

> I do have a dynamic IP but have set the tunnels with dyndns. Verified the IP that's in the logs to make sure it matches the current IP.

It's looking like it is not even getting past phase 1 negotiation with the other site. You might have done this already, but make sure that your negotiation modes (aggressive or main) match on both devices, and that the other settings like your DH key group, encryption algorithm, and hash algorithm match as well.

> On Sat, Jul 17, 2010 at 9:43 AM, Jesse Vollmar vollm...@gmail.com wrote:
>
>> [...]
>>
>> You say between home and work. Is it possible that you have a dynamic IP at home and a reboot of your modem pulled down a new IP address? This could potentially have disrupted the IPSec tunnel.
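The advice above amounts to two checks: read the racoon log to see which IKE phase actually failed, then compare the phase 1 settings on both ends. The script below, added here as an example and not pfSense or racoon code, does both. The sample log is constructed from the lines quoted in the original post, with "Office" as an assumed tunnel description tag and HOME_WAN/OFFICE_WAN as placeholder peer addresses; the two configuration dictionaries are assumed values laid out like the pfSense 1.2.3 phase 1 form fields.

```python
"""Triage racoon (IKEv1) log lines and compare two peers' phase 1 settings.

Added example for the thread above; not pfSense or racoon code. The sample
log is constructed from the quoted lines (tag and peer names assumed), and
HOME / OFFICE are assumed phase 1 settings.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample log, modelled on the racoon lines quoted in the post.
SAMPLE_LOG = """\
Jul 17 09:01:11 racoon: [Office]: INFO: initiate new phase 1 negotiation: HOME_WAN[500]<=>OFFICE_WAN[500]
Jul 17 09:01:11 racoon: INFO: begin Aggressive mode.
Jul 17 09:01:36 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Jul 17 09:01:44 racoon: [Office]: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP OFFICE_WAN[0]->HOME_WAN[0]
Jul 17 09:01:44 racoon: INFO: delete phase 2 handler.
Jul 17 09:02:01 racoon: ERROR: phase1 negotiation failed due to time up. dd42e11e42fc3dcb:
"""

# syslog timestamp, optional "[tunnel description]:" tag, level, message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) racoon: "
    r"(?:\[(?P<tag>[^\]]*)\]: )?"
    r"(?P<level>INFO|NOTIFY|WARNING|ERROR|DEBUG): (?P<msg>.*)$"
)

HINTS = {
    "phase1-failed": "peer never completed IKE phase 1: check reachability on UDP 500 and that "
                     "mode, DH group, encryption, hash, pre-shared key and identifiers match",
    "phase2-failed": "ISAKMP SA is up: check phase 2 proposals and the local/remote subnets",
    "phase1-ok": "phase 1 established and no phase 2 failure logged",
    "none": "no negotiation seen in this log extract",
}


@dataclass
class IkeTriage:
    phase1_initiated: bool = False
    mode: str | None = None          # "Aggressive" or "Main", from "begin ... mode."
    phase1_established: bool = False
    phase1_timed_out: bool = False
    phase2_queued: bool = False      # SA request queued because no phase 1 exists yet
    phase2_timed_out: bool = False
    errors: list[str] = field(default_factory=list)

    def diagnosis(self) -> str:
        """Short code naming the phase to look at first (see HINTS)."""
        if self.phase1_established and self.phase2_timed_out:
            return "phase2-failed"
        if self.phase1_initiated and not self.phase1_established:
            return "phase1-failed"   # covers "phase2 ... waiting for phase1" as well
        if self.phase1_established:
            return "phase1-ok"
        return "none"


def triage(log_text: str) -> IkeTriage:
    """Walk the log once and record which IKE milestones were reached."""
    t = IkeTriage()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m["msg"]
        if msg.startswith("initiate new phase 1 negotiation"):
            t.phase1_initiated = True
        elif msg.startswith("begin ") and msg.endswith(" mode."):
            t.mode = msg[len("begin "):-len(" mode.")]
        elif "ISAKMP-SA established" in msg:
            t.phase1_established = True
        elif "queued due to no phase1 found" in msg:
            t.phase2_queued = True
        elif msg.startswith("phase2 negotiation failed due to time up"):
            t.phase2_timed_out = True
        elif msg.startswith("phase1 negotiation failed due to time up"):
            t.phase1_timed_out = True
        if m["level"] == "ERROR":
            t.errors.append(msg)
    return t


# Assumed phase 1 settings for both ends, in the shape of the pfSense 1.2.3 form.
HOME = {"mode": "aggressive", "dh_group": 2, "encryption": "3des", "hash": "sha1",
        "my_identifier": "home.example.dyndns", "peer_identifier": "OFFICE_WAN"}
OFFICE = {"mode": "main", "dh_group": 2, "encryption": "3des", "hash": "sha1",
          "my_identifier": "OFFICE_WAN", "peer_identifier": "home.example.dyndns"}

PROPOSAL_FIELDS = ("mode", "dh_group", "encryption", "hash")


def phase1_mismatches(local: dict, remote: dict) -> dict:
    """Settings that differ between the two ends; each must agree for phase 1 to complete."""
    diffs = {k: (local[k], remote[k]) for k in PROPOSAL_FIELDS if local[k] != remote[k]}
    # Identifiers are matched crosswise: my identifier here is the peer identifier there.
    if local["my_identifier"] != remote["peer_identifier"]:
        diffs["local my_identifier / remote peer_identifier"] = (local["my_identifier"], remote["peer_identifier"])
    if remote["my_identifier"] != local["peer_identifier"]:
        diffs["remote my_identifier / local peer_identifier"] = (remote["my_identifier"], local["peer_identifier"])
    return diffs


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result.mode, "mode;", result.diagnosis(), "->", HINTS[result.diagnosis()])
    print("phase 1 mismatches:", phase1_mismatches(HOME, OFFICE))
```

Run against the constructed log the triage lands on "phase1-failed": the "phase2 ... waiting for phase1" error is a consequence, not the cause, so phase 2 settings are not worth looking at until an "ISAKMP-SA established" line shows up. The settings comparison then points at the one field that actually differs in the assumed configs, the negotiation mode.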
[pfSense Support] Bridge 3 OPT Interfaces to do this or is pfSense not capable?
(Bought the pfsense book and it doesn't cover this subject very well)

I'm trying to figure out if this is actually doable on pfSense 1.2.3 or 2.0. I have a main /30 that 3 other networks are routed to on a single ethernet. I'm currently using a Cisco ASA that has the 3 other networks assigned to individual interfaces, all routed to the main interface which is routed to the /30. All hosts behind the firewall have and need public IP addresses (NAT is out of the question and beyond the scope of this post).

The thing that I'm trying to figure out is can pfSense work in a mode (like bridged) to replace this ASA, allowing for the hosts behind the firewall to retain their public IP addresses AND have the ability to communicate with each other?

ASCii Diagram (first public IP octets changed for obvious reasons)

Networks                                       Interfaces
   |                                               |
---WAN- 10.92.75.110/30 (Main IP) -- pfSense (fw1) - igb0 -- Static 10.92.75.110/30 WAN
10.69.93.190/26 --|                                |
10.69.93.222/27 --|-- All of these are             |
10.69.87.0/24   --|   routed to main IP            |
                  |                                |  igb1 -- OPT1
                  |                                |  igb2 -- OPT2
                  |                                |  igb3 -- OPT3
                  |                                |  bce0 -- LAN
                  |                                |  bce1 -- Free

If pfsense can't do this, then what if I were to keep the ASA behind a pfsense machine, and bridge a single OPT interface with WAN, and have that OPT interface run to my current WAN (outside) interface on the ASA? Would that work or is it still a no go?

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] Bridge 3 OPT Interfaces to do this or is pfSense not capable?
On Sat, Jul 17, 2010 at 8:25 PM, Gino O'Donnell gino@gmail.com wrote:

> (Bought the pfsense book and it doesn't cover this subject very well)
>
> I'm trying to figure out if this is actually doable on pfSense 1.2.3 or 2.0. I have a main /30 that 3 other networks are routed to on a single ethernet. I'm currently using a Cisco ASA that has the 3 other networks assigned to individual interfaces, all routed to the main interface which is routed to the /30. All hosts behind the firewall have and need public IP addresses (NAT is out of the question and beyond the scope of this post).
>
> The thing that I'm trying to figure out is can pfSense work in a mode (like bridged) to replace this ASA, allowing for the hosts behind the firewall to retain their public IP addresses AND have the ability to communicate with each other?

Yes, but bridged is not what you want, you just want to route the public IPs no differently than you're doing on the ASA.
Re: [pfSense Support] Bridge 3 OPT Interfaces to do this or is pfSense not capable?
On Sat, Jul 17, 2010 at 8:32 PM, Chris Buechler cbuech...@gmail.com wrote:

> On Sat, Jul 17, 2010 at 8:25 PM, Gino O'Donnell gino@gmail.com wrote:
>
>> [...]
>>
>> The thing that I'm trying to figure out is can pfSense work in a mode (like bridged) to replace this ASA, allowing for the hosts behind the firewall to retain their public IP addresses AND have the ability to communicate with each other?
>
> Yes, but bridged is not what you want, you just want to route the public IPs no differently than you're doing on the ASA.

Note that is in the book, in the Routing chapter, under Routing Public IPs.
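What "route the public IPs" means in practice: each public subnet lives on its own OPT interface as a connected route, the provider routes those subnets to the pfSense WAN address, and there is no NAT and no bridge anywhere. The model below, added here as an example and not pfSense code, builds that forwarding table with the poster's (already altered) subnets and looks up a few packets through it. The provider gateway address, the OPT3 interface address and the host addresses used in the lookups are assumptions.

```python
"""Routed public IPs on a pfSense box, modelled as a forwarding table.

Added example for the thread above, not pfSense code. The /30 and the three
public subnets come from the poster's diagram; the upstream gateway, the
OPT3 interface address and the host addresses in the lookups are assumed.
"""
import ipaddress
from typing import NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    iface: str
    gateway: Optional[ipaddress.IPv4Address]  # None means directly connected


WAN_GATEWAY = ipaddress.IPv4Address("10.92.75.109")  # assumed: provider end of the /30
WAN_IP = ipaddress.IPv4Address("10.92.75.110")       # from the post

# One public subnet per OPT interface; the interface address is the hosts' gateway.
INTERFACES = {
    "igb0": ipaddress.IPv4Interface("10.92.75.110/30"),  # WAN (post)
    "igb1": ipaddress.IPv4Interface("10.69.93.190/26"),  # OPT1 (post): hosts .129-.189
    "igb2": ipaddress.IPv4Interface("10.69.93.222/27"),  # OPT2 (post): hosts .193-.221
    "igb3": ipaddress.IPv4Interface("10.69.87.1/24"),    # OPT3: address assumed in 10.69.87.0/24
}


def build_fib() -> list:
    """Connected routes for every interface plus a default route out the WAN."""
    fib = [Route(addr.network, name, None) for name, addr in INTERFACES.items()]
    fib.append(Route(ipaddress.IPv4Network("0.0.0.0/0"), "igb0", WAN_GATEWAY))
    # Longest prefix first so lookup() can stop at the first hit.
    fib.sort(key=lambda r: r.prefix.prefixlen, reverse=True)
    return fib


def lookup(fib: list, dst: str) -> Route:
    """Longest-prefix match for one destination address."""
    ip = ipaddress.IPv4Address(dst)
    for route in fib:
        if ip in route.prefix:
            return route
    raise LookupError(f"no route to {dst}")


def forward(fib: list, src: str, dst: str) -> tuple:
    """(ingress iface, egress iface, next hop) for a packet src -> dst, with no NAT."""
    ingress = lookup(fib, src).iface          # interface the source sits behind
    out = lookup(fib, dst)
    next_hop = out.gateway if out.gateway is not None else ipaddress.IPv4Address(dst)
    return ingress, out.iface, str(next_hop)


def upstream_static_routes() -> dict:
    """Routes the provider must hold: each public subnet -> the pfSense WAN address."""
    return {str(addr.network): str(WAN_IP)
            for name, addr in INTERFACES.items() if name != "igb0"}


def check_no_overlap() -> bool:
    """Routed subnets must not overlap each other or the /30, or LPM picks the wrong interface."""
    nets = [addr.network for addr in INTERFACES.values()]
    return all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


if __name__ == "__main__":
    fib = build_fib()
    assert check_no_overlap()
    for src, dst in [("10.69.93.150", "10.69.93.200"),   # OPT1 host -> OPT2 host, routed locally
                     ("10.69.87.42", "8.8.8.8"),         # OPT3 host -> Internet via the gateway
                     ("8.8.8.8", "10.69.93.150")]:       # inbound to a public host, no NAT
        print(src, "->", dst, forward(fib, src, dst))
    print("provider routes:", upstream_static_routes())
```

The two lookups between OPT hosts and the Internet show why no bridge is needed: a host on OPT1 reaches a host on OPT2 through the firewall's own connected routes, and inbound traffic for a public address lands on the right OPT interface by the same longest-prefix match. The `upstream_static_routes()` output is the part that replaces the ASA's role at the provider side; the firewall rules on each OPT interface still decide what is allowed through, exactly as they would with NAT.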
Re: [pfSense Support] Bridge 3 OPT Interfaces to do this or is pfSense not capable?
> Yes, but bridged is not what you want, you just want to route the public IPs no differently than you're doing on the ASA.
>
> Note that is in the book, in the Routing chapter, under Routing Public IPs.

Chapter 8.2, got it .. thanks Chris!