From a short look this looks like a parameter mismatch somewhere. Recheck all parameters and passphrases at both ends.

Holger

-----Original Message-----
From: Jason W. Allen [mailto:[EMAIL PROTECTED]
Sent: Friday, December 01, 2006 7:29 PM
To: [email protected]
Subject: [pfSense Support] Simple Ipsec VPN Not working

Hello All,

I'm trying to set up a simple IPSec VPN and I'm having some issues. I'm new to VPNs so I'm probably missing something.

-LAN (192.168.40.0/24)--| pfsense(left) |--WAN (10.1.10.250) ------- WAN (10.1.10.131)--| pfsense(right) |---LAN (192.168.50.0/24)

IPSec Tunnel config for Left:

Interface: WAN
Local Subnet: LAN subnet
Remote Subnet: 192.168.50.0 / 24
Remote Gateway: 10.1.10.131

Phase 1
Negotiation Mode: aggressive
My Identifier: MY IP Address
Encryption Algorithm: Blowfish
Hash Algorithm: SHA1
DH Group: 2
Lifetime: 28800
Authentication Method: Pre-Shared Key
Preshared Key: abc123!

Phase 2
Protocol: ESP
Encryption Algorithm: Blowfish
Hash Algorithm: SHA1
PFS Group: 2
Lifetime: 86400

IPSec Tunnel config for Right:

Interface: WAN
Local Subnet: LAN subnet
Remote Subnet: 192.168.40.0 / 24
Remote Gateway: 10.1.10.250

Phase 1
Negotiation Mode: aggressive
My Identifier: MY IP Address
Encryption Algorithm: Blowfish
Hash Algorithm: SHA1
DH Group: 2
Lifetime: 28800
Authentication Method: Pre-Shared Key
Preshared Key: abc123!

Phase 2
Protocol: ESP
Encryption Algorithm: Blowfish
Hash Algorithm: SHA1
PFS Group: 2
Lifetime: 86400

Now when I try to ping from the left network to the right nothing happens and these are the logs I get.

RIGHT:

Dec 1 13:04:19 racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
Dec 1 13:04:19 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
Dec 1 13:04:19 racoon: INFO: 192.168.50.130[500] used as isakmp port (fd=13)
Dec 1 13:04:19 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Dec 1 13:04:19 racoon: INFO: 10.1.10.145[500] used as isakmp port (fd=14)
...
Same two lines repeated 12 times (WARNING & INFO)
Dec 1 13:04:19 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Dec 1 13:04:19 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=21)
Dec 1 13:04:19 racoon: INFO: ::1[500] used as isakmp port (fd=22)
Dec 1 13:04:19 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=23)
Dec 1 13:04:19 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Dec 1 13:04:19 racoon: INFO: fe80::200:24ff:fec7:4c53%sis6[500] used as isakmp port (fd=24)
Dec 1 13:04:19 racoon: INFO: 192.168.55.1[500] used as isakmp port (fd=25)
Dec 1 13:04:19 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Dec 1 13:04:19 racoon: INFO: fe80::200:24ff:fec7:815d%sis1[500] used as isakmp port (fd=26)
Dec 1 13:04:19 racoon: INFO: 192.168.50.131[500] used as isakmp port (fd=27)
Dec 1 13:04:19 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Dec 1 13:04:19 racoon: INFO: fe80::200:24ff:fec7:815c%sis0[500] used as isakmp port (fd=28)
Dec 1 13:04:19 racoon: INFO: 10.1.10.131[500] used as isakmp port (fd=29)
Dec 1 13:04:19 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Dec 1 13:05:13 racoon: INFO: IPsec-SA request for 10.1.10.250 queued due to no phase1 found.
Dec 1 13:05:13 racoon: INFO: initiate new phase 1 negotiation: 10.1.10.131[500]<=>10.1.10.250[500]
Dec 1 13:05:13 racoon: INFO: begin Aggressive mode.
Dec 1 13:05:14 racoon: INFO: received Vendor ID: DPD
Dec 1 13:05:14 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Dec 1 13:05:14 racoon: INFO: ISAKMP-SA established 10.1.10.131[500]-10.1.10.250[500] spi:4c4f191d79b58c36:86991c42785d5ac8
Dec 1 13:05:14 racoon: INFO: initiate new phase 2 negotiation: 10.1.10.131[500]<=>10.1.10.250[500]
Dec 1 13:05:44 racoon: ERROR: 10.1.10.250 give up to get IPsec-SA due to time up to wait.
Dec 1 13:05:47 racoon: INFO: initiate new phase 2 negotiation: 10.1.10.131[500]<=>10.1.10.250[500]
Dec 1 13:06:17 racoon: ERROR: 10.1.10.250 give up to get IPsec-SA due to time up to wait.
Dec 1 13:06:20 racoon: INFO: initiate new phase 2 negotiation: 10.1.10.131[500]<=>10.1.10.250[500]

LEFT:

Dec 1 13:03:50 racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
Dec 1 13:03:50 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
Dec 1 13:03:50 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=13)
Dec 1 13:03:50 racoon: INFO: ::1[500] used as isakmp port (fd=14)
Dec 1 13:03:50 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
Dec 1 13:03:50 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Dec 1 13:03:50 racoon: INFO: fe80::200:24ff:fec7:7eb1%sis1[500] used as isakmp port (fd=16)
Dec 1 13:03:50 racoon: INFO: 192.168.40.1[500] used as isakmp port (fd=17)
Dec 1 13:03:50 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Dec 1 13:03:50 racoon: INFO: fe80::200:24ff:fec7:7eb0%sis0[500] used as isakmp port (fd=18)
Dec 1 13:03:50 racoon: INFO: 10.1.10.250[500] used as isakmp port (fd=19)
Dec 1 13:03:50 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Dec 1 13:04:51 racoon: INFO: respond new phase 1 negotiation: 10.1.10.250[500]<=>10.1.10.131[500]
Dec 1 13:04:51 racoon: INFO: begin Aggressive mode.
Dec 1 13:04:51 racoon: INFO: received Vendor ID: DPD
Dec 1 13:04:51 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Dec 1 13:04:51 racoon: INFO: ISAKMP-SA established 10.1.10.250[500]-10.1.10.131[500] spi:4c4f191d79b58c36:86991c42785d5ac8
Dec 1 13:05:25 racoon: INFO: respond new phase 2 negotiation: 10.1.10.250[500]<=>10.1.10.131[500]
Dec 1 13:05:25 racoon: ERROR: failed to get sainfo.
Dec 1 13:05:25 racoon: ERROR: failed to get sainfo.
Dec 1 13:05:25 racoon: ERROR: failed to pre-process packet.
...
Same 4 lines repeated (INFO, ERROR, ERROR & ERROR)

Like I said I'm probably missing something really stupid, so go easy on a newbie.

TIA
--Jason W. Allen

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
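
Added example (not part of the original thread, and not pfSense or racoon code): one way to carry out the "recheck all parameters at both ends" advice mechanically, by parsing the two tunnel configs in the format posted above and reporting anything that is not identical or correctly mirrored. The `left_if`/`right_if` arguments (each box's real LAN CIDR and WAN address) are assumed inputs the operator reads off the interfaces.

```python
import ipaddress
# Settings as posted (non-negotiated fields omitted); RIGHT mirrors subnet and gateway.
LEFT = """Local Subnet: LAN subnet
Remote Subnet: 192.168.50.0 / 24
Remote Gateway: 10.1.10.131
Phase 1
Negotiation Mode: aggressive
Encryption Algorithm: Blowfish
Hash Algorithm: SHA1
DH Group: 2
Lifetime: 28800
Preshared Key: abc123!
Phase 2
Protocol: ESP
Encryption Algorithm: Blowfish
Hash Algorithm: SHA1
PFS Group: 2
Lifetime: 86400"""
RIGHT = LEFT.replace("192.168.50.0", "192.168.40.0").replace("10.1.10.131", "10.1.10.250")

def parse(text):
    """'Key: value' lines; a bare 'Phase 1'/'Phase 2' line scopes the keys below it."""
    cfg, section = {}, "tunnel"
    for line in filter(str.strip, text.splitlines()):
        key, sep, value = line.partition(":")
        section = section if sep else line.strip().lower()
        if sep:
            cfg[section, key.strip().lower()] = value.strip()
    return cfg

def subnet(value, lan_cidr):
    """'LAN subnet' is symbolic: it means whatever CIDR the LAN interface really has."""
    cidr = lan_cidr if value.lower() == "lan subnet" else value.replace(" ", "")
    return ipaddress.ip_network(cidr)

def mismatches(left, right, left_if, right_if):
    """left_if/right_if (assumed inputs): {'lan': LAN interface CIDR, 'wan': WAN address}."""
    found = [f"{sec} {key}: {left.get((sec, key))!r} vs {right.get((sec, key))!r}"
             for sec, key in sorted(set(left) | set(right))
             if sec != "tunnel" and left.get((sec, key)) != right.get((sec, key))]
    for name, a, b, a_if, b_if in (("left", left, right, left_if, right_if),
                                   ("right", right, left, right_if, left_if)):
        local = subnet(a["tunnel", "local subnet"], a_if["lan"])
        wanted = subnet(b["tunnel", "remote subnet"], b_if["lan"])
        if local != wanted:
            found.append(f"{name} local subnet {local} != peer's remote subnet {wanted}")
        if a["tunnel", "remote gateway"] != b_if["wan"]:
            found.append(f"{name} remote gateway does not match peer WAN {b_if['wan']}")
    return found
```

With /24 LANs on both boxes the posted settings compare clean; because "LAN subnet" is resolved from the interface rather than typed in, a LAN interface with a different mask (for instance a constructed 192.168.50.128/25) is reported even though every typed field matches.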
