Has Beta2 fixed the mobile IPsec problem that was related to ipsec-tools-0.6.5?
From: Tommaso Di Donato [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 2, 2006 12:58
To: support@pfsense.com
Subject: Re: [pfSense Support] Problem with ipsec tunnel
Yes it is.. and those rules are already present!
Thank you again, I'll let you know.
On 3/2/06, John Cianfarani <[EMAIL PROTECTED]> wrote:
For the rules I was speaking about on the Cisco: do you know if these run IOS? I'm not sure if these ADSL devices run that or just a GUI.
If it's IOS the rules would be something like:
 remark allow ESP (IP protocol 50) through to the pfSense box
 permit esp any any
 remark allow IKE/ISAKMP on UDP 500
 permit udp any any eq isakmp
John
From: Tommaso Di Donato [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 02, 2006 9:22 AM
On 3/2/06, John Cianfarani <[EMAIL PROTECTED]> wrote:
Ah, it was late last night; I misread part of that. No more 3am replies. :P
Eh eh, same habits.. don't worry!
On the Ciscos, are you forwarding the appropriate ports (protocols 50/51 ESP/AH, and UDP 500) to the inside pfSense boxes?
At the moment, I am forwarding only 500/udp, because of 2 problems: the first is that I am not so good at Cisco programming, so I do not know how to forward AH & ESP (but I think that I could solve this problem with a bit of googling). The second is that I looked for port 4500/udp listening, and I found nothing. So.. I thought that there was a problem (or a misconfiguration in racoon). Now I enabled 4500/udp; tonight I'll test again..
In any of your rules are you allowing UDP isakmp and ESP to the host? They might even have an IPsec passthrough option to do this.
I think that pfSense does it automatically. Am I wrong? Or are you speaking about the routers?
No.. you're welcome! Thank you again!
Tom
On 3/2/06, John Cianfarani <[EMAIL PROTECTED]> wrote:
1. Even though you need to NAT for your inside hosts, IPsec is listening on the WAN interface.
I'm sorry... I cannot understand the point..
PC -------- pfSense -------- Cisco 827 ----------internet
Here I have 2 NATs: pfSense is NATing my PC, and the Cisco is NATing pfSense. Of course, in pfSense I can see racoon listening on the WAN interface (only on 500/udp, not on 4500/udp).
2. Not sure, but my guess would be no (without a lot of easy configuration changes).
You mean you guess there is no port 4500?
One thing that was reversed in previous builds (not sure if it is changed in 2-20) is the "Prefer old IPsec SA" checkbox under System -> Advanced. Bill found that in the code pfSense already tries old SAs first, so when you check this box it will make it prefer NEW SAs. That was the heart of a lot of my IPsec troubles.
mmh, I tried both ways... no differences...
Do you have the WAN as the local endpoint and LAN subnet as the local subnet on each side? As I believe there still is an issue with ipsec-tools if you are trying to do a host-to-host setup (/32s).
Yes I have; I'm trying net-to-net. I'm so sorry I do not have my box here, in order to send logs...
What are you using as your local identifier, IP or FQDN?
I tried both. Obviously, changing the PSK accordingly...
Once you get a session up can you do a "ping -c 5 -S <your pfsense lan ip> <remote pfsense lan ip>" from the Diag -> Command Prompt tab?
Ok, I'll do it.. For now, I am testing by pinging from a PC on the LAN side. I think tonight I'll do some other tests, using as second endpoint a Linux box (I am more familiar with the Linux IPsec implementation).
Ah, by the way.. when I see an SPD or an SA established, should something be visible with netstat -rn?
Thank you again...
Hi guys!
Yesterday I tried to set up a VPN tunnel between me and a friend. We had mainly 2 problems: first, we both have dynamic IPs (but this could be solved, for example, by looking at the IP given by the provider and setting up the tunnel with that IP). Second, we are both behind a DSL router, so the pfSense boxes are both NATed..
I tried to establish a tunnel in many ways: net-to-net, net-to-mobile (following the marvellous tutorial), using a dyndns record, etc. But I had problems.. the IPsec SA establishes, the SPD also, but in the end I cannot get traffic passing. NO traffic dropped in the firewall logs.... On the routers, we redirected only port 500/UDP from the router to the pfSense boxes...
So, my questions are:
1) is it possible to establish such a tunnel (2 NATed endpoints, in aggressive mode, PSK)? In early IPsec-over-UDP implementations, I can remember there were some problems in such a configuration
2) if it is possible, do I have to redirect other ports? In the Linux IPsec implementation, when I use NAT-T I had to rdr port 4500/udp, but on my pfSense box I cannot see such a port open....
3) ..and in the end.. am I missing something? I do not have my box with me now, but I can recall the settings very well..
I'm using 02-20 SNAPSHOT.
Thank you, guys.. very much.
Tom
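The forwarding and listener checklist that John and Tom go through above (UDP 500 for IKE, UDP 4500 for NAT-T, raw ESP/AH when NAT-T is not in play), as an added example that is not part of this thread or of pfSense: a small Python checker that reads `sockstat`-style output plus a description of what the upstream router forwards, and reports why an SA can come up while no traffic passes. The socket listing is constructed sample input and 192.0.2.10 is a placeholder address.

```python
import re

# Traffic an IPsec peer behind NAT must be able to receive, per the thread:
# IKE on UDP 500, NAT-T (IKE plus UDP-encapsulated ESP) on UDP 4500, and,
# when NAT-T is not in play, raw ESP (IP protocol 50) / AH (IP protocol 51).
IKE_PORT, NATT_PORT, ESP_PROTO = 500, 4500, 50

# Constructed sample in the style of `sockstat -4 -l` on a pfSense box whose
# racoon listens only on UDP 500 (the situation Tom describes).
SOCKSTAT_SAMPLE = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     racoon     1234  4  udp4   192.0.2.10:500        *:*
root     racoon     1234  5  udp4   127.0.0.1:500         *:*
root     sshd       987   3  tcp4   *:22                  *:*
"""

def listening_udp_ports(sockstat_text):
    """Return the set of UDP ports some process is bound to in sockstat output."""
    ports = set()
    for line in sockstat_text.splitlines():
        m = re.match(r"\S+\s+\S+\s+\d+\s+\d+\s+udp\d?\s+\S+:(\d+)\s", line)
        if m:
            ports.add(int(m.group(1)))
    return ports

def natt_readiness(sockstat_text, forwarded_udp, forwarded_protos):
    """Compare what the IKE daemon listens on with what the upstream NAT router
    forwards (UDP ports and raw IP protocols) and return the problems a tunnel
    would run into.  An empty list means the path is complete."""
    listening = listening_udp_ports(sockstat_text)
    problems = []
    if IKE_PORT not in listening:
        problems.append("IKE daemon is not listening on UDP 500")
    if IKE_PORT not in forwarded_udp:
        problems.append("router does not forward UDP 500, so IKE never reaches this box")
    natt_listening = NATT_PORT in listening
    if not natt_listening:
        problems.append("no listener on UDP 4500: NAT-T is off, so ESP must be forwarded raw")
    elif NATT_PORT not in forwarded_udp:
        problems.append("router does not forward UDP 4500, so NAT-T negotiation fails")
    natt_usable = natt_listening and NATT_PORT in forwarded_udp
    if not natt_usable and ESP_PROTO not in forwarded_protos:
        problems.append("ESP (IP protocol 50) is not forwarded: SA/SPD come up, "
                        "but no traffic passes")
    return problems

if __name__ == "__main__":
    # Only UDP 500 forwarded and no NAT-T listener: the symptom from the thread.
    for p in natt_readiness(SOCKSTAT_SAMPLE, {500}, set()):
        print("-", p)
```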