I don’t see a 0.6.5 release on their webpage yet… unless it’s recently become available in their CVS…

 

Did you try checking the “Prefer Old SA” option (whose value is reversed, making it prefer new SAs; see the previous thread between me and Bill)? Since checking this my tunnels have been very stable.

 

John

 


From: Pedro Paulo de Magalhaes Oliveira Junior [mailto:[EMAIL PROTECTED]
Sent: Friday, March 03, 2006 10:16 AM
To: support@pfsense.com
Subject: RES: [pfSense Support] Problem with ipsec tunnel

 

Has Beta2 fixed the mobile IPsec problem that was related to ipsec-tools-0.6.5?

 


From: Tommaso Di Donato [mailto:[EMAIL PROTECTED]
Sent: Thursday, 2 March 2006 12:58
To: support@pfsense.com
Subject: Re: [pfSense Support] Problem with ipsec tunnel

 

Yes it is.. and those rules are already present!
Thank you again, I'll let you know.

On 3/2/06, John Cianfarani <[EMAIL PROTECTED]> wrote:

For the rules I was speaking about on the Cisco: do you know if these run IOS? I'm not sure if these ADSL devices run that or just a GUI.

 

If it's IOS the rules would be something like:

permit esp any any

permit udp any any eq isakmp

 

 

John


From: Tommaso Di Donato [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 02, 2006 9:22 AM


To: support@pfsense.com
Subject: Re: [pfSense Support] Problem with ipsec tunnel

 

On 3/2/06, John Cianfarani <[EMAIL PROTECTED]> wrote:

Ah, it was late last night and I misread part of that; no more 3am replies. :P

Eh eh, same habits.. don't worry!

 

On the Ciscos, are you forwarding the appropriate ports (protocols 50/51 ESP/AH, and UDP 500) to the inside pfSense boxes?


At the moment, I am forwarding only 500/udp, because of 2 problems: the first is that I am not so good at Cisco programming, so I do not know how to forward AH & ESP (but I think that I could solve this problem with a bit of googling). The second is that I looked for a 4500/udp port listening, and I found nothing. So... I thought that there was a problem (or a misconfiguration in racoon). Now I have enabled 4500/udp; tonight I'll test again..

 

In any of your rules are you allowing UDP isakmp and ESP to the host? They might even have an IPsec passthrough option to do this.


I think that pfSense does it automatically. Am I wrong?
Or are you speaking about the routers?

Sorry for the confusion


No.. you're welcome! Thank you again!
Tom
 

From: Tommaso Di Donato [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 02, 2006 3:25 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Problem with ipsec tunnel

 

 

On 3/2/06, John Cianfarani <[EMAIL PROTECTED]> wrote:

1. Even though you need to NAT for your inside hosts, IPsec is listening on the WAN interface.

 

I'm sorry... I cannot understand the point..

PC -------- pfSense -------- Cisco 827 ----------internet

Here I have 2 NATs: pfSense is NATing my PC, and the Cisco is NATing pfSense. Of course, in pfSense I can see racoon listening on the WAN interface (only on 500/udp, not on 4500/udp).

 

2. Not sure, but my guess would be no (without a lot of easy configuration changes)


You mean you guess there is no port 4500? 

 

One thing that was reversed in previous builds (not sure if it is changed in 2-20) is the "Prefer old IPSec SA" checkbox under System -> Advanced. Bill found that in the code pfSense already tries old SAs first, so when you check this box it will make it prefer NEW SAs. That was the heart of a lot of my IPsec troubles.


Mmh, I tried both ways... no differences...

 

Do you have the WAN as the local endpoint and LAN subnet as the local subnet on each side? I believe there is still an issue with ipsec-tools if you are trying to do a host-to-host setup (/32s).


Yes I have; I'm trying net-to-net. I'm so sorry I do not have my box here in order to send logs...

 

What are you using as your local identifier, IP or FQDN?


I tried both. Obviously, changing  psk accordingly...

 

Once you get a session up can you do a "ping -c 5 -S <your pfsense lan ip> <remote pfsense lan ip>" from the Diag -> Command Prompt tab?


Ok, I'll do it.. For now, I am testing pinging from a pc on the lan side.

I think tonight I'll do some other tests, using a Linux box as the second endpoint (I am more familiar with the Linux IPsec implementation).
Ah, by the way... when I see an SPD or an SA established, should something be visible with netstat -rn?
Thank you again...

 

Thanks

John


From: Tommaso Di Donato [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 02, 2006 2:38 AM
To: support@pfsense.com
Subject: [pfSense Support] Problem with ipsec tunnel

 

Hi guys!
Yesterday I tried to set up a VPN tunnel between me and a friend. There we had mainly 2 problems: first, we both have dynamic IPs (but this could be solved, for example, by looking at the IP given by the provider and setting up the tunnel with that IP...). Second, we are both behind a DSL router, so the pfSense boxes are both NATed..
I tried to establish a tunnel in many ways: net-to-net, net-to-mobile (following the marvellous tutorial), using a DynDNS record, etc. But I had problems.. the IPsec SA establishes, the SPD also, but in the end I cannot have traffic passing. NO traffic dropped in the firewall logs.... On the routers, we redirected only port 500/UDP from the router to the pfSense boxes...
So, my questions are:
1) is it possible to establish such a tunnel (2 NATed endpoints, in aggressive mode, PSK)? In early IPsec-over-UDP implementations, I can remember there were some problems in such a configuration
2) if it is possible, do I have to redirect other ports? In the Linux IPsec implementation, when I use NAT-T I had to rdr port 4500/udp, but on my pfSense box I cannot see such a port open....
3) ..and in the end.. am I missing something? I do not have my box with me now, but I can recall the settings very well..


I'm using 02-20 SNAPSHOT.
Thank you, guys.. very much.
Tom
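The forwarding questions that run through this thread (which of udp/500, udp/4500, ESP and AH must reach a pfSense box that is itself behind a NATing DSL router, and whether racoon is actually bound to 4500) can be turned into a small readiness check. The script below is an added example, not code from the thread, from pfSense or from ipsec-tools. It assumes `sockstat -4l` output in the FreeBSD column format, takes the router's forwards as plain strings, and runs on two constructed listings that mirror the "only udp/500" state described above and the state after NAT-T is enabled; the function and constant names are mine. It goes one step past the thread by also flagging AH, which cannot cross NAT at all.

```python
"""Readiness check for an IPsec endpoint that sits behind a NATing DSL router.

Added example, not code from this thread, from pfSense or from ipsec-tools.
Assumptions: listeners come from `sockstat -4l` output in the FreeBSD column
format, the router's forwards are given as strings ("udp/500", "udp/4500",
"esp", "ah"), and the two listings at the bottom are constructed, not captured.
"""
import re

# sockstat -4l prints: USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
SOCKSTAT_LINE = re.compile(
    r"^\S+\s+(?P<cmd>\S+)\s+\d+\s+\d+\s+(?P<proto>udp|tcp)4\s+"
    r"(?P<addr>[\d.*]+):(?P<port>\d+|\*)"
)


def parse_sockstat(text):
    """Return {(proto, port): command} for every bound UDP/TCP socket in the listing."""
    listeners = {}
    for line in text.splitlines():
        m = SOCKSTAT_LINE.match(line)
        if m is None or m.group("port") == "*":
            continue
        listeners[(m.group("proto"), int(m.group("port")))] = m.group("cmd")
    return listeners


def check_natted_endpoint(forwards, listeners):
    """List what is still missing for a tunnel from an endpoint behind NAT.

    forwards:  what the DSL router sends on to the pfSense WAN address.
    listeners: the dict produced by parse_sockstat() on that pfSense box.
    """
    problems = []
    # IKE phase 1 runs over udp/500 and must reach racoon on the WAN address.
    if "udp/500" not in forwards:
        problems.append("router does not forward udp/500, so IKE never reaches racoon")
    if ("udp", 500) not in listeners:
        problems.append("nothing bound to udp/500 on pfSense, so racoon is not running")
    # ESP (IP protocol 50) carries no port numbers for a NAT table to key on, so
    # a NATed endpoint needs NAT-T: ESP encapsulated in udp/4500 (RFC 3948).
    # A plain "port forward" on the router can therefore never carry raw ESP.
    if "udp/4500" not in forwards:
        problems.append("router does not forward udp/4500, so NAT-T traffic dies at the router")
    if ("udp", 4500) not in listeners:
        problems.append("racoon is not bound to udp/4500, so NAT-T is not enabled on pfSense")
    # AH (IP protocol 51) authenticates the outer IP addresses that NAT rewrites,
    # so it cannot survive either router; only ESP is usable in this topology.
    if "ah" in forwards:
        problems.append("AH forwarded, but AH cannot survive NAT; use ESP")
    return problems


# Constructed sample: the state described in the thread, racoon on udp/500 only.
SOCKSTAT_BEFORE = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     racoon     1034  7  udp4   192.168.1.2:500       *:*
root     sshd       812   4  tcp4   *:22                  *:*
"""

# Constructed sample: racoon with NAT-T enabled, also bound to udp/4500.
SOCKSTAT_AFTER = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     racoon     1034  7  udp4   192.168.1.2:500       *:*
root     racoon     1034  8  udp4   192.168.1.2:4500      *:*
root     sshd       812   4  tcp4   *:22                  *:*
"""


if __name__ == "__main__":
    for label, forwards, listing in (
        ("only 500/udp forwarded", {"udp/500"}, SOCKSTAT_BEFORE),
        ("500 and 4500 forwarded", {"udp/500", "udp/4500"}, SOCKSTAT_AFTER),
    ):
        print(label)
        for p in check_natted_endpoint(forwards, parse_sockstat(listing)) or ["ok"]:
            print("  -", p)
```

Run it on a real box by replacing the constructed listings with the output of `sockstat -4l`; the first scenario reports the two 4500-related gaps, the second reports nothing, which is the state the thread was working toward.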

 

 

 
