Been struggling for quite a few hours today trying to get some IPSEC tunnels established over the OPT interface.

WAN  = 216.211.25.114 (PPPoE DSL)
OPT1 = 24.109.252.249 (static IP)

pfSense Version: 1.0.1-SNAPSHOT-03-27-2007 built on Thu Apr 5 18:16:29 EDT 2007

I've got a VPN tunnel on the WAN connection which is functioning perfectly. Now I'm trying to configure a couple of tunnels over the OPT1 interface. I've gotten the tunnel configured and have chosen the OPT1 interface as the interface. The remote gateway is 209.91.153.18.

In my IPSEC logs I'm getting:

Apr 5 20:19:49 racoon: INFO: initiate new phase 1 negotiation: 24.109.252.249[500]<=>209.91.153.18[500]
Apr 5 20:19:49  racoon: INFO: begin Identity Protection mode.
Apr 5 20:19:58 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 209.91.153.18[500]->24.109.252.249[500]
Apr 5 20:19:58  racoon: INFO: delete phase 2 handler.
Apr 5 20:20:01 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Apr 5 20:20:10 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 209.91.153.18[500]->24.109.252.249[500]
Apr 5 20:20:10  racoon: INFO: delete phase 2 handler.


I've tried various forms of rules for UDP 500 and ESP on the OPT1 interface to no avail. However, what I'm noticing on the remote router, running Shorewall, is that it's dropping UDP packets on port 500, coming from my WAN address:

Apr 5 20:23:44 marathon kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:05:02:b0:bb:62:00:02:4a:58:08:00:08:00 SRC=216.211.25.114 DST=209.91.153.18 LEN=128 TOS=0x00 PREC=0x00 TTL=53 ID=11104 PROTO=UDP SPT=65061 DPT=500 LEN=108

If I look at the states on the pfSense box, there's a line with the remote gateway:

udp 24.109.252.249:500 -> 216.211.25.114:65061 -> 209.91.153.18:500 SINGLE:NO_TRAFFIC

It appears this IPSEC tunnel is trying to connect via the WAN interface, rather than the OPT1 interface.

Any suggestions on where to go from here?

Thanks

David Wadson
IT Manager
The Chronicle-Journal
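The two artefacts quoted in the post (the pf state entry and the peer's Shorewall drop) together already prove the diagnosis: the IKE packet is born on OPT1 but is NATed and sent out the WAN, so the peer sees the wrong source address and never answers. The script below is an added example, not part of the post or of pfSense; it parses state lines in the "src -> nat -> dst STATE" form shown in the post and netfilter KEY=VALUE log lines, and flags any IKE (UDP/500, UDP/4500) state or drop whose on-the-wire source is not the address the tunnel was configured to use. The sample lines are constructed from the ones in the post, and the function names are this example's own.

```python
"""Spot IKE traffic leaving through the wrong interface.

Inputs: pf state lines (as pfSense 1.x shows them in Diagnostics: States /
pfctl -ss) and the remote peer's netfilter/Shorewall log lines. Sample data
below is constructed from the post; helper names are this example's own.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

IKE_PORTS = {500, 4500}  # ISAKMP and NAT-T

# Outbound pf state, with or without a translated (NATed) source:
#   "udp A:ap -> B:bp -> C:cp STATE"   B:bp is the source after outbound NAT
#   "udp A:ap -> C:cp STATE"           no translation
STATE_RE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?:(?P<nat>[\d.]+):(?P<nport>\d+)\s+->\s+)?"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<state>\S+)"
)


@dataclass
class PfState:
    proto: str
    src: str
    sport: int
    nat: Optional[str]   # address the packet actually leaves with, if NATed
    dst: str
    dport: int
    state: str


def parse_pf_state(line: str) -> Optional[PfState]:
    """Parse one outbound ('->') state line; inbound '<-' lines give None."""
    m = STATE_RE.match(line.strip())
    if not m:
        return None
    return PfState(m["proto"].lower(), m["src"], int(m["sport"]), m["nat"],
                   m["dst"], int(m["dport"]), m["state"])


def misrouted_ike_states(lines: Iterable[str], expected_src: str, peer: str) -> List[str]:
    """One finding per IKE state to `peer` whose wire source is not `expected_src`.

    A NATed IKE state is itself a red flag: the IKE daemon bound the right
    interface address, but the packet is being translated out another one.
    """
    findings = []
    for line in lines:
        st = parse_pf_state(line)
        if st is None or st.proto != "udp" or st.dport not in IKE_PORTS or st.dst != peer:
            continue
        wire_src = st.nat or st.src
        if wire_src != expected_src:
            msg = f"IKE to {st.dst}:{st.dport} leaves as {wire_src} (expected {expected_src}); state={st.state}"
            if st.nat:
                msg += f"; outbound NAT rewrote {st.src}:{st.sport}"
            findings.append(msg)
    return findings


# netfilter log: "Shorewall:<chain>:<verdict>:" followed by KEY=VALUE pairs.
VERDICT_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<verdict>[^:]+):")
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_netfilter_log(line: str) -> Dict[str, str]:
    fields = dict(KV_RE.findall(line))        # later LEN= (UDP) overrides IP LEN=
    v = VERDICT_RE.search(line)
    if v:
        fields["CHAIN"], fields["VERDICT"] = v["chain"], v["verdict"]
    return fields


def ike_from_wrong_address(line: str, expected_src: str) -> Optional[Dict[str, str]]:
    """The peer's log is ground truth for the source address we egress with."""
    f = parse_netfilter_log(line)
    if f.get("PROTO") != "UDP" or int(f.get("DPT", "0")) not in IKE_PORTS:
        return None
    if f.get("SRC") == expected_src:
        return None
    return {"src": f["SRC"], "dst": f.get("DST", ""), "dport": f["DPT"],
            "chain": f.get("CHAIN", ""), "verdict": f.get("VERDICT", "")}


if __name__ == "__main__":
    # Constructed from the post: OPT1 address, remote gateway, and the two artefacts.
    OPT1, PEER = "24.109.252.249", "209.91.153.18"
    states = [
        "udp 24.109.252.249:500 -> 216.211.25.114:65061 -> 209.91.153.18:500 SINGLE:NO_TRAFFIC",
        "udp 24.109.252.249:500 -> 209.91.153.18:500 MULTIPLE:MULTIPLE",  # how a healthy state would look
    ]
    peer_log = ("Apr 5 20:23:44 marathon kernel: Shorewall:net2all:DROP:IN=eth0 OUT= "
                "MAC=00:05:02:b0:bb:62:00:02:4a:58:08:00:08:00 SRC=216.211.25.114 DST=209.91.153.18 "
                "LEN=128 TOS=0x00 PREC=0x00 TTL=53 ID=11104 PROTO=UDP SPT=65061 DPT=500 LEN=108")
    for f in misrouted_ike_states(states, OPT1, PEER):
        print("pf:", f)
    print("peer:", ike_from_wrong_address(peer_log, OPT1))
```

Run it on a copy of the state table and the peer's log; a finding that names an outbound NAT rewrite points at the NAT/routing side (the IKE packet being translated out the default WAN) rather than at the OPT1 firewall rules, which is consistent with racoon timing out in phase 1 with no reply ever arriving.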

