I changed the My Identifier on the tunnel definition to IP Address and then specified 75.44.169.169. I clicked save and apply. When I did this, the tunnel still did not work. In addition, all mention of the tunnel stopped in the IPSEC logs. I have confirmed that I can ping the 75.44.169.169 IP from the remote gateway and that it is the OPT2 IP for the pfsense box. I also confirmed that I can ssh into the pfsense machine using the above IP address.

Are there any special firewall or NAT rules that I need to set up on the OPT2 interface to get it to accept an IPSEC tunnel? I noticed that, for WAN at least, those rules are automatically created and are not visible on the rules page.

Vaughn


Scott Ullrich wrote:
On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote:
I've set up a test tunnel between my office and my customer site.  The
VPN tunnel will work correctly when the pfsense interface is the WAN
interface.  When I change the interface to the OPT interface, it doesn't
seem to work.  Here are some log entries.

racoon: ERROR: phase1 negotiation failed due to time up.
8c35cc8f9a4378c0:0000000000000000
Mar 29 13:36:29         racoon: INFO: delete phase 2 handler.
Mar 29 13:36:29 racoon: ERROR: phase2 negotiation failed due to time up
waiting for phase1. ESP 70.237.44.110[500]->75.44.169.169[500]
Mar 29 13:35:58         racoon: INFO: begin Aggressive mode.
Mar 29 13:35:58         racoon: INFO: initiate new phase 1 negotiation:
75.44.169.169[500]<=>70.237.44.110[500]
Mar 29 13:35:58 racoon: INFO: IPsec-SA request for 70.237.44.110 queued
due to no phase1 found.
Mar 29 13:32:04 racoon: ERROR: phase1 negotiation failed due to time
up. 022718bb87e94fd7:0000000000000000
Mar 29 13:31:35         racoon: INFO: delete phase 2 handler.
Mar 29 13:31:35 racoon: ERROR: phase2 negotiation failed due to time up
waiting for phase1. ESP 70.237.44.110[500]->75.44.169.169[500]
Mar 29 13:31:04         racoon: INFO: begin Aggressive mode.
Mar 29 13:31:04         racoon: INFO: initiate new phase 1 negotiation:
75.44.169.169[500]<=>70.237.44.110[500]
Mar 29 13:31:04 racoon: INFO: IPsec-SA request for 70.237.44.110 queued
due to no phase1 found.



This set of responses just seems to repeat itself over and over
again.  If I set the remote node to use the pfsense's WAN ip and change
the tunnel definition on the pfsense box to use the WAN interface, then
everything immediately works after hitting the save and apply buttons.

Please verify that the IP addresses match up in the report below.

You can also change "My Identifier" to "IP Address" and manually type
in the OPT interface IP.  Does that fix it?  If so please show the log
files differences.

Scott

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
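Added example, not code from the thread or from pfSense: a small Python analyser for racoon log lines of the kind quoted above. It re-joins lines that were wrapped by the mail client, orders events chronologically (the quoted log is newest-first), counts how often IKE phase 1 times out without an ISAKMP-SA ever being established, measures the time from each initiation to its phase 1 timeout, and reports a defender-side reading of the result. The sample lines are constructed to match the thread's format using the thread's addresses; the timestamp on the first phase 1 failure, which the quoted log lacks, is invented for the sample. The "ISAKMP-SA established" string is racoon's normal phase 1 success message.

```python
import re
from datetime import datetime

# Constructed sample in the thread's wrapped, newest-first layout.
# The 13:36:58 timestamp on the first line is an assumption (absent in the thread).
SAMPLE_LOG = """\
Mar 29 13:36:58 racoon: ERROR: phase1 negotiation failed due to time up.
8c35cc8f9a4378c0:0000000000000000
Mar 29 13:36:29         racoon: INFO: delete phase 2 handler.
Mar 29 13:36:29 racoon: ERROR: phase2 negotiation failed due to time up
waiting for phase1. ESP 70.237.44.110[500]->75.44.169.169[500]
Mar 29 13:35:58         racoon: INFO: begin Aggressive mode.
Mar 29 13:35:58         racoon: INFO: initiate new phase 1 negotiation:
75.44.169.169[500]<=>70.237.44.110[500]
Mar 29 13:35:58 racoon: INFO: IPsec-SA request for 70.237.44.110 queued
due to no phase1 found.
Mar 29 13:32:04 racoon: ERROR: phase1 negotiation failed due to time
up. 022718bb87e94fd7:0000000000000000
Mar 29 13:31:35         racoon: INFO: delete phase 2 handler.
Mar 29 13:31:35 racoon: ERROR: phase2 negotiation failed due to time up
waiting for phase1. ESP 70.237.44.110[500]->75.44.169.169[500]
Mar 29 13:31:04         racoon: INFO: begin Aggressive mode.
Mar 29 13:31:04         racoon: INFO: initiate new phase 1 negotiation:
75.44.169.169[500]<=>70.237.44.110[500]
Mar 29 13:31:04 racoon: INFO: IPsec-SA request for 70.237.44.110 queued
due to no phase1 found.
"""

# syslog-style prefix without a year, then "racoon: LEVEL: message"
TS_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)\s+racoon: (?P<level>[A-Z]+): (?P<msg>.*)$"
)
INITIATE_RE = re.compile(r"initiate new phase 1 negotiation: (\S+?)\[(\d+)\]<=>(\S+?)\[(\d+)\]")


def unwrap(lines):
    """Re-join continuation lines (no timestamp prefix) onto the previous record."""
    joined = []
    for line in lines:
        if not line.strip():
            continue
        if TS_RE.match(line) or not joined:
            joined.append(line.rstrip())
        else:
            joined[-1] = joined[-1] + " " + line.strip()
    return joined


def parse_racoon_log(lines):
    """Parse racoon records into dicts and return them in chronological order."""
    events = []
    for rec in unwrap(lines):
        m = TS_RE.match(rec)
        if not m:
            continue
        # year-less syslog stamp: strptime fills in 1900, which is fine for deltas
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append({"ts": ts, "level": m.group("level"), "msg": m.group("msg")})
    events.sort(key=lambda e: e["ts"])  # the thread pastes newest-first
    return events


def summarize_ike(events):
    """Count phase 1 initiations, successes and timeouts and the peers involved."""
    summary = {
        "initiations": 0, "completed_phase1": 0, "phase1_timeouts": 0,
        "phase2_timeouts": 0, "peers": set(), "timeout_seconds": [],
    }
    last_initiate = None
    for ev in events:
        msg = ev["msg"]
        m = INITIATE_RE.search(msg)
        if m:
            summary["initiations"] += 1
            summary["peers"].add((m.group(1), m.group(3)))  # (local, remote)
            last_initiate = ev["ts"]
        elif "ISAKMP-SA established" in msg:  # racoon's phase 1 success line
            summary["completed_phase1"] += 1
        elif "phase1 negotiation failed due to time up" in msg:
            summary["phase1_timeouts"] += 1
            if last_initiate is not None:
                summary["timeout_seconds"].append((ev["ts"] - last_initiate).total_seconds())
        elif "phase2 negotiation failed due to time up waiting for phase1" in msg:
            summary["phase2_timeouts"] += 1
    return summary


def diagnose(summary):
    """Turn the counts into findings a firewall operator can act on."""
    findings = []
    if summary["initiations"] and summary["phase1_timeouts"] and not summary["completed_phase1"]:
        findings.append(
            "IKE phase 1 never completes: proposals are sent but no ISAKMP-SA is established. "
            "Verify that UDP/500 (and UDP/4500 for NAT-T) plus ESP are permitted on the "
            "interface the tunnel is bound to, and that the peer's remote-gateway address "
            "matches that interface's IP."
        )
    if summary["phase2_timeouts"]:
        findings.append("Phase 2 timeouts here are a consequence of phase 1 failing; fix phase 1 first.")
    return findings


if __name__ == "__main__":
    s = summarize_ike(parse_racoon_log(SAMPLE_LOG.splitlines()))
    print(s)
    for f in diagnose(s):
        print("-", f)
```

Run as-is it reports two initiations, two phase 1 timeouts 60 seconds after each initiation, and no established ISAKMP-SA, which is the pattern the thread shows: nothing in the log indicates the peer ever answered on the OPT interface, so the first thing to check is whether IKE and ESP are actually allowed in on that interface rather than the tunnel parameters themselves.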

