I changed "My Identifier" on the tunnel definition to "IP Address" and
then specified 75.44.169.169. I clicked save and apply. When I did
this, the tunnel still did not work. In addition, all mention of the
tunnel stopped in the IPSEC logs.
I have confirmed that I can ping the 75.44.169.169 IP from the remote
gateway and that it is the OPT2 IP for the pfsense box. I also
confirmed that I can ssh into the pfsense machine using the above IP
address.
Are there any special firewall or NAT rules that I need to set up on the
OPT2 interface to get it to accept an IPSEC tunnel? I noticed that, for
WAN at least, those rules are automatically created and are not
visible on the rules page.
Vaughn
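Added here as an example, not part of this thread: a small Python checker that reads racoon log lines like the ones quoted below and flags peer pairs whose phase 1 keeps timing out without ever completing, which is the pattern a blocked UDP/500 or ESP path on the interface produces. The sample lines are constructed from the entries in the thread plus a made-up healthy peer (203.0.113.7); the "ISAKMP-SA established" line format is assumed from racoon's usual logging and is not quoted in the thread.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the racoon entries quoted in this thread (chronological
# order), plus a made-up healthy peer, 203.0.113.7, so the checker has something to pass.
SAMPLE_LOG = """\
Mar 29 13:31:04 racoon: INFO: initiate new phase 1 negotiation: 75.44.169.169[500]<=>70.237.44.110[500]
Mar 29 13:31:04 racoon: INFO: begin Aggressive mode.
Mar 29 13:31:35 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 70.237.44.110[500]->75.44.169.169[500]
Mar 29 13:32:04 racoon: ERROR: phase1 negotiation failed due to time up. 022718bb87e94fd7:0000000000000000
Mar 29 13:33:10 racoon: INFO: initiate new phase 1 negotiation: 75.44.169.169[500]<=>203.0.113.7[500]
Mar 29 13:33:11 racoon: INFO: ISAKMP-SA established 75.44.169.169[500]-203.0.113.7[500] spi:0000000000000000:0000000000000000
Mar 29 13:35:58 racoon: INFO: initiate new phase 1 negotiation: 75.44.169.169[500]<=>70.237.44.110[500]
Mar 29 13:36:29 racoon: ERROR: phase1 negotiation failed due to time up. 8c35cc8f9a4378c0:0000000000000000
"""

INIT_RE = re.compile(r"initiate new phase 1 negotiation: (\S+)\[\d+\]<=>(\S+)\[\d+\]")
# Phase 1 timeout lines carry only a cookie, so they are attributed to the last initiation.
P1_FAIL_RE = re.compile(r"phase1 negotiation failed due to time up")
# Success line format assumed from racoon's usual logging; it is not quoted in the thread.
P1_OK_RE = re.compile(r"ISAKMP-SA established (\S+)\[\d+\]-(\S+)\[\d+\]")

def analyze(log_text):
    # Count phase 1 initiations, timeouts and establishments per (local, remote) pair.
    stats = defaultdict(lambda: {"initiated": 0, "timed_out": 0, "established": 0})
    pending = None  # pair whose phase 1 is currently in flight
    for line in log_text.splitlines():
        m = INIT_RE.search(line)
        if m:
            pending = (m.group(1), m.group(2))
            stats[pending]["initiated"] += 1
            continue
        m = P1_OK_RE.search(line)
        if m:
            stats[(m.group(1), m.group(2))]["established"] += 1
            pending = None
            continue
        if P1_FAIL_RE.search(line) and pending is not None:
            stats[pending]["timed_out"] += 1
            pending = None
    return dict(stats)

def diagnose(stats, min_failures=2):
    # One finding per pair that keeps timing out in phase 1 and never completes it.
    findings = []
    for (local, remote), s in stats.items():
        if s["established"] == 0 and s["timed_out"] >= min_failures:
            findings.append(f"{local} <-> {remote}: {s['timed_out']} phase 1 attempts timed out, none completed; "
                            f"check that UDP/500 and ESP are passed inbound on the interface holding {local}")
    return findings
```

Run `diagnose(analyze(SAMPLE_LOG))` to get the single finding for the 75.44.169.169/70.237.44.110 pair; the healthy 203.0.113.7 pair produces none.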
Scott Ullrich wrote:
On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote:
I've set up a test tunnel between my office and my customer site. The
VPN tunnel will work correctly when the pfsense interface is the WAN
interface. When I change the interface to the OPT interface, it doesn't
seem to work. Here are some log entries.
racoon: ERROR: phase1 negotiation failed due to time up. 8c35cc8f9a4378c0:0000000000000000
Mar 29 13:36:29 racoon: INFO: delete phase 2 handler.
Mar 29 13:36:29 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 70.237.44.110[500]->75.44.169.169[500]
Mar 29 13:35:58 racoon: INFO: begin Aggressive mode.
Mar 29 13:35:58 racoon: INFO: initiate new phase 1 negotiation: 75.44.169.169[500]<=>70.237.44.110[500]
Mar 29 13:35:58 racoon: INFO: IPsec-SA request for 70.237.44.110 queued due to no phase1 found.
Mar 29 13:32:04 racoon: ERROR: phase1 negotiation failed due to time up. 022718bb87e94fd7:0000000000000000
Mar 29 13:31:35 racoon: INFO: delete phase 2 handler.
Mar 29 13:31:35 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 70.237.44.110[500]->75.44.169.169[500]
Mar 29 13:31:04 racoon: INFO: begin Aggressive mode.
Mar 29 13:31:04 racoon: INFO: initiate new phase 1 negotiation: 75.44.169.169[500]<=>70.237.44.110[500]
Mar 29 13:31:04 racoon: INFO: IPsec-SA request for 70.237.44.110 queued due to no phase1 found.
This set of responses just seems to repeat itself over and over
again. If I set the remote node to use the pfsense's WAN IP and change
the tunnel definition on the pfsense box to use the WAN interface, then
everything immediately works after hitting the save and apply buttons.
Please verify that the IP addresses match up in the report below.
You can also change "My Identifier" to "IP Address" and manually type
in the OPT interface IP. Does that fix it? If so, please show the log
file differences.
Scott
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]