I'm new to this list and relatively new to pfSense, so please bear with me.  (I 
have been a FreeBSD user since FreeBSD 3, though.)

Recently, I decided to deploy pfSense, and, in accordance with the 2.0-RC 
announcement, decided to use pfSense 2.0-RC for my new installation.  
Unfortunately, I have been having problems getting IPsec to work.  My IPsec 
configuration apparently works when clients are behind a NAT but doesn't when 
they are not.

My pfSense LAN consists of a 172.23.23.0/24 subnet.  One of the systems on this 
LAN also acts as a gateway to a 10.0.0.0/24 subnet.  My goal is to be able 
to allow mobile clients to access both the 172.23.23.0/24 and 10.0.0.0/24 
networks via an IPsec VPN.

I configured VPN : IPsec : Mobile to use a virtual address pool of 
172.23.5.0/24.  I have configured a VPN : IPsec Phase 1 tunnel for Mobile 
Client to use Mutual PSK + Xauth.  I have also defined two Phase 2 tunnels 
under this Phase 1 configuration: one for the 172.23.23.0/24 subnet and the 
other for the 10.0.0.0/24 subnet.  The Phase 2 definitions are the same except 
one has "Local Network" defined as "Type: Network", "Address: 172.23.23.0/24" 
and the other "Type: Network", "Address: 10.0.0.0/24".  It was my understanding 
that to have SPDs created to route traffic from the client to the two pfSense 
local subnets I'd need two Phase 2 tunnels---one for each local subnet.  (Is 
this a correct assumption?  Is there another way of achieving the same end?)  
Finally, I created a "pass all traffic" rule for the IPsec interface in 
Firewall : Rules, so as not to block VPN traffic.

On the client side, my target audience is all Mac OS X users.  I am using the 
built-in VPN "Cisco IPSec" client of Mac OS X 10.6---chosen for minimal 
configuration impact on the client end.  When I connect from a system that is 
behind a NAT, the IPsec VPN is created and SPDs inserted on the Mac and pfSense 
side to route traffic successfully over the VPN.  Everything works: traffic 
from the client to 172.23.23.0/24 and 10.0.0.0/24 is sent over the IPsec VPN, 
and clients even resolve hostnames correctly that apply to the private local 
domain name used on the remote end of the VPN.  This is great! :-)

Unfortunately, when I use the same configuration on a client that is NOT behind 
a NAT, the VPN is established but doesn't work.  It seems that the client 
receives IP and DNS information correctly, and that SAD and SPD entries are 
installed correctly on the client side, but no SPD entries are created on the 
pfSense server (the remote end of the VPN).  Oddly, too, for non NAT-T 
connections, I get three SAD entries created, whereas only two SAD entries are 
created for NAT-T VPN connections.

For a successful VPN connection, the pfSense GUI shows something like this:

Status : IPsec : SAD:
Source  Destination     Protocol        SPI     Enc. alg.       Auth. alg.
S.S.S.S[4500]   N.N.N.N[4500]   ESP-UDP 01a4b04e        aes-cbc hmac-sha1
N.N.N.N[4500]   S.S.S.S[4500]   ESP-UDP 0a72a812        aes-cbc hmac-sha1

Status : IPsec : SPD:
Source  Destination     Direction       Protocol        Tunnel endpoints        
172.23.5.1      172.23.23.0/24  |>      ESP     N.N.N.N -> S.S.S.S       
172.23.23.0/24  172.23.5.1      <|      ESP     S.S.S.S -> N.N.N.N

where S.S.S.S is the IP address of the pfSense system and N.N.N.N is the IP 
address of the NAT gateway the client is behind.

For an unsuccessful VPN connection, I see something like this:

Status : IPsec : SAD:
Source  Destination     Protocol        SPI     Enc. alg.       Auth. alg.      
S.S.S.S C.C.C.C ESP     03105658        aes-cbc hmac-sha1        
C.C.C.C S.S.S.S ESP     0627fa1d        aes-cbc hmac-sha1        
C.C.C.C S.S.S.S ESP     0765239c        aes-cbc hmac-sha1

Status : IPsec : SPD:
No IPsec security policies.

where S.S.S.S is the IP address of the pfSense system and C.C.C.C is the IP 
address of the client.

Can anyone explain why this is working for NAT-T but not otherwise?  Or, 
alternatively, can anyone point out what I am doing that is blatantly wrong?  
Is anyone successfully using the built-in VPN "Cisco IPSec" client with Mac OS 
X and pfSense 2.0?  (Is this a problem on the pfSense side or the Mac OS X 
side?)

(I'm appending more detailed information at the end of this message, in case 
that helps.)

Cheers,

Paul.

More details:

This is what happens during a successful VPN establishment:

C.C.C.C = Client's IP address
S.S.S.S = pfSense server
N.N.N.N = NAT gateway behind which client lies

Status: System logs: IPsec VPN

Mar 29 11:49:28 racoon: [Self]: INFO: respond new phase 1 negotiation: 
S.S.S.S[500]<=>N.N.N.N[500]
Mar 29 11:49:28 racoon: INFO: begin Aggressive mode.
Mar 29 11:49:28 racoon: INFO: received Vendor ID: RFC 3947
Mar 29 11:49:28 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
Mar 29 11:49:28 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
Mar 29 11:49:28 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
Mar 29 11:49:28 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
Mar 29 11:49:28 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
Mar 29 11:49:28 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Mar 29 11:49:28 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Mar 29 11:49:28 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Mar 29 11:49:28 racoon: INFO: received Vendor ID: 
draft-ietf-ipsra-isakmp-xauth-06.txt
Mar 29 11:49:28 racoon: INFO: received Vendor ID: CISCO-UNITY
Mar 29 11:49:28 racoon: INFO: received Vendor ID: DPD
Mar 29 11:49:28 racoon: [N.N.N.N] INFO: Selected NAT-T version: RFC 3947
Mar 29 11:49:28 racoon: INFO: Adding remote and local NAT-D payloads.
Mar 29 11:49:28 racoon: [N.N.N.N] INFO: Hashing N.N.N.N[500] with algo #2
Mar 29 11:49:28 racoon: [Self]: [S.S.S.S] INFO: Hashing S.S.S.S[500] with algo 
#2
Mar 29 11:49:28 racoon: INFO: Adding xauth VID payload.
Mar 29 11:49:28 racoon: [Self]: INFO: NAT-T: ports changed to: 
N.N.N.N[4500]<->S.S.S.S[4500]
Mar 29 11:49:28 racoon: [Self]: [S.S.S.S] INFO: Hashing S.S.S.S[4500] with algo 
#2
Mar 29 11:49:28 racoon: INFO: NAT-D payload #0 verified
Mar 29 11:49:28 racoon: [N.N.N.N] INFO: Hashing N.N.N.N[4500] with algo #2
Mar 29 11:49:28 racoon: INFO: NAT-D payload #1 doesn't match
Mar 29 11:49:28 racoon: [N.N.N.N] ERROR: notification INITIAL-CONTACT received 
in aggressive exchange.
Mar 29 11:49:28 racoon: INFO: NAT detected: PEER
Mar 29 11:49:28 racoon: INFO: Sending Xauth request
Mar 29 11:49:28 racoon: [Self]: INFO: ISAKMP-SA established 
S.S.S.S[4500]-N.N.N.N[4500] spi:81e617d2c7b9b303:10b842b4abd5fc5c
Mar 29 11:49:34 racoon: INFO: Using port 0
Mar 29 11:49:34 racoon: INFO: login succeeded for user "user"
Mar 29 11:49:34 racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
Mar 29 11:49:34 racoon: ERROR: Cannot open "/etc/motd"
Mar 29 11:49:34 racoon: WARNING: Ignored attribute 28683
Mar 29 11:49:34 racoon: [Self]: INFO: respond new phase 2 negotiation: 
S.S.S.S[4500]<=>N.N.N.N[4500]
Mar 29 11:49:34 racoon: INFO: no policy found, try to generate the policy : 
172.23.5.1/32[0] 172.23.23.0/24[0] proto=any dir=in
Mar 29 11:49:34 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
Mar 29 11:49:34 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
Mar 29 11:49:34 racoon: [Self]: INFO: IPsec-SA established: ESP 
S.S.S.S[500]->N.N.N.N[500] spi=175286290(0xa72a812)
Mar 29 11:49:34 racoon: [Self]: INFO: IPsec-SA established: ESP 
S.S.S.S[500]->N.N.N.N[500] spi=27570254(0x1a4b04e)

On client:
bash-3.2# setkey -D
C.C.C.C S.S.S.S 
        esp mode=tunnel spi=175286290(0x0a72a812) reqid=16389(0x00004005)
        E: aes-cbc  f28072ff f5029cf3 2a70eedc 2a2b0ad9 2c28e74b a414498c 
9291e311 cccf8af0
        A: hmac-sha1  f29f43d9 7bacceb2 13b50280 208f69da ff2811a7
        seq=0x00000009 replay=4 flags=0x00000006 state=mature 
        created: Mar 29 11:49:34 2011   current: Mar 29 11:49:50 2011
        diff: 16(s)     hard: 3600(s)   soft: 2880(s)
        last: Mar 29 11:49:38 2011      hard: 0(s)      soft: 0(s)
        current: 1440(bytes)    hard: 0(bytes)  soft: 0(bytes)
        allocated: 9    hard: 0 soft: 0
        sadb_seq=1 pid=593 refcnt=2
S.S.S.S C.C.C.C 
        esp mode=tunnel spi=27570254(0x01a4b04e) reqid=16390(0x00004006)
        E: aes-cbc  142d151d 796b20a0 860ace1f 09f0d700 1f3ec969 c1ae1590 
ce966a4b f1057e26
        A: hmac-sha1  b6592fa3 a12a3833 6b395351 73ffe3f0 cc20106b
        seq=0x00000006 replay=4 flags=0x00000006 state=mature 
        created: Mar 29 11:49:34 2011   current: Mar 29 11:49:50 2011
        diff: 16(s)     hard: 3600(s)   soft: 2880(s)
        last: Mar 29 11:49:38 2011      hard: 0(s)      soft: 0(s)
        current: 802(bytes)     hard: 0(bytes)  soft: 0(bytes)
        allocated: 6    hard: 0 soft: 0
        sadb_seq=0 pid=593 refcnt=2
bash-3.2# setkey -D -P
172.23.23.0/24[any] 172.23.5.1[any] any
        in ipsec
        esp/tunnel/S.S.S.S-C.C.C.C/unique#16390
        spid=6 seq=3 pid=594
        refcnt=2
10.0.0.0/24[any] 172.23.5.1[any] any
        in ipsec
        esp/tunnel/S.S.S.S-C.C.C.C/unique#16392
        spid=8 seq=2 pid=594
        refcnt=2
172.23.5.1[any] 172.23.23.0/24[any] any
        out ipsec
        esp/tunnel/C.C.C.C-S.S.S.S/unique#16389
        spid=5 seq=1 pid=594
        refcnt=2
172.23.5.1[any] 10.0.0.0/24[any] any
        out ipsec
        esp/tunnel/C.C.C.C-S.S.S.S/unique#16391
        spid=7 seq=0 pid=594
        refcnt=2


pfSense GUI:

Status : IPsec : SAD:
Source  Destination     Protocol        SPI     Enc. alg.       Auth. alg.
S.S.S.S[4500]   N.N.N.N[4500]   ESP-UDP 01a4b04e        aes-cbc hmac-sha1
N.N.N.N[4500]   S.S.S.S[4500]   ESP-UDP 0a72a812        aes-cbc hmac-sha1

Status : IPsec : SPD:
Source  Destination     Direction       Protocol        Tunnel endpoints        
172.23.5.1      172.23.23.0/24  >       ESP     N.N.N.N -> S.S.S.S       
172.23.23.0/24  172.23.5.1      <       ESP     S.S.S.S -> N.N.N.N


On pfSense server:

Diagnostics : Execute command:

$ setkey -D -P
172.23.23.0/24[any] 172.23.23.1[any] 255
        in none
        spid=2 seq=3 pid=41190
        refcnt=1
172.23.5.1[any] 172.23.23.0/24[any] 255
        in ipsec
        esp/tunnel/N.N.N.N-S.S.S.S/unique:5
        created: Mar 29 11:49:34 2011  lastused: Mar 29 11:57:37 2011
        lifetime: 3600(s) validtime: 0(s)
        spid=11 seq=2 pid=41190
        refcnt=1
172.23.23.1[any] 172.23.23.0/24[any] 255
        out none
        spid=1 seq=1 pid=41190
        refcnt=1
172.23.23.0/24[any] 172.23.5.1[any] 255
        out ipsec
        esp/tunnel/S.S.S.S-N.N.N.N/unique:5
        created: Mar 29 11:49:34 2011  lastused: Mar 29 11:57:37 2011
        lifetime: 3600(s) validtime: 0(s)
        spid=12 seq=0 pid=41190
        refcnt=1

Diagnostics : Execute command:

$ setkey -D
S.S.S.S[4500] N.N.N.N[4500] 
        esp-udp mode=any spi=27570254(0x01a4b04e) reqid=5(0x00000005)
        E: aes-cbc  142d151d 796b20a0 860ace1f 09f0d700 1f3ec969 c1ae1590 
ce966a4b f1057e26
        A: hmac-sha1  b6592fa3 a12a3833 6b395351 73ffe3f0 cc20106b
        seq=0x000004b0 replay=4 flags=0x00000000 state=mature 
        created: Mar 29 11:49:34 2011   current: Mar 29 11:58:32 2011
        diff: 538(s)    hard: 3600(s)   soft: 2880(s)
        last: Mar 29 11:58:31 2011      hard: 0(s)      soft: 0(s)
        current: 916368(bytes)  hard: 0(bytes)  soft: 0(bytes)
        allocated: 1200 hard: 0 soft: 0
        sadb_seq=1 pid=62101 refcnt=2
N.N.N.N[4500] S.S.S.S[4500] 
        esp-udp mode=tunnel spi=175286290(0x0a72a812) reqid=5(0x00000005)
        E: aes-cbc  f28072ff f5029cf3 2a70eedc 2a2b0ad9 2c28e74b a414498c 
9291e311 cccf8af0
        A: hmac-sha1  f29f43d9 7bacceb2 13b50280 208f69da ff2811a7
        seq=0x00000391 replay=4 flags=0x00000000 state=mature 
        created: Mar 29 11:49:34 2011   current: Mar 29 11:58:32 2011
        diff: 538(s)    hard: 3600(s)   soft: 2880(s)
        last: Mar 29 11:58:31 2011      hard: 0(s)      soft: 0(s)
        current: 116654(bytes)  hard: 0(bytes)  soft: 0(bytes)
        allocated: 913  hard: 0 soft: 0
        sadb_seq=0 pid=62101 refcnt=1



This is what happens during an unsuccessful VPN establishment:

C.C.C.C = Client's IP address
S.S.S.S = pfSense server

Status: System logs: IPsec VPN

Mar 29 12:04:36 racoon: [Self]: INFO: respond new phase 1 negotiation: 
S.S.S.S[500]<=>C.C.C.C[500]
Mar 29 12:04:36 racoon: INFO: begin Aggressive mode.
Mar 29 12:04:36 racoon: INFO: received Vendor ID: RFC 3947
Mar 29 12:04:36 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
Mar 29 12:04:36 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
Mar 29 12:04:36 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
Mar 29 12:04:36 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
Mar 29 12:04:36 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
Mar 29 12:04:36 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Mar 29 12:04:36 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Mar 29 12:04:36 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Mar 29 12:04:36 racoon: INFO: received Vendor ID: 
draft-ietf-ipsra-isakmp-xauth-06.txt
Mar 29 12:04:36 racoon: INFO: received Vendor ID: CISCO-UNITY
Mar 29 12:04:36 racoon: INFO: received Vendor ID: DPD
Mar 29 12:04:36 racoon: [C.C.C.C] INFO: Selected NAT-T version: RFC 3947
Mar 29 12:04:36 racoon: INFO: Adding remote and local NAT-D payloads.
Mar 29 12:04:36 racoon: [C.C.C.C] INFO: Hashing C.C.C.C[500] with algo #2
Mar 29 12:04:36 racoon: [Self]: [S.S.S.S] INFO: Hashing S.S.S.S[500] with algo 
#2
Mar 29 12:04:36 racoon: INFO: Adding xauth VID payload.
Mar 29 12:04:36 racoon: [Self]: [S.S.S.S] INFO: Hashing S.S.S.S[500] with algo 
#2
Mar 29 12:04:36 racoon: INFO: NAT-D payload #0 verified
Mar 29 12:04:36 racoon: [C.C.C.C] INFO: Hashing C.C.C.C[500] with algo #2
Mar 29 12:04:36 racoon: INFO: NAT-D payload #1 verified
Mar 29 12:04:36 racoon: [C.C.C.C] ERROR: notification INITIAL-CONTACT received 
in aggressive exchange.
Mar 29 12:04:36 racoon: INFO: NAT not detected
Mar 29 12:04:36 racoon: INFO: Sending Xauth request
Mar 29 12:04:36 racoon: [Self]: INFO: ISAKMP-SA established 
S.S.S.S[500]-C.C.C.C[500] spi:95619fb9ac088afe:0e5b27157aa153b8
Mar 29 12:04:41 racoon: INFO: Using port 0
Mar 29 12:04:41 racoon: INFO: login succeeded for user "user"
Mar 29 12:04:41 racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
Mar 29 12:04:41 racoon: ERROR: Cannot open "/etc/motd"
Mar 29 12:04:41 racoon: WARNING: Ignored attribute 28683
Mar 29 12:04:41 racoon: [Self]: INFO: respond new phase 2 negotiation: 
S.S.S.S[500]<=>C.C.C.C[500]
Mar 29 12:04:41 racoon: INFO: no policy found, try to generate the policy : 
172.23.5.1/32[0] 172.23.23.0/24[0] proto=any dir=in
Mar 29 12:04:41 racoon: [Self]: INFO: IPsec-SA established: ESP 
S.S.S.S[500]->C.C.C.C[500] spi=124068764(0x765239c)
Mar 29 12:04:41 racoon: [Self]: INFO: IPsec-SA established: ESP 
S.S.S.S[500]->C.C.C.C[500] spi=258506082(0xf687d62)
Mar 29 12:04:42 racoon: [Self]: INFO: initiate new phase 2 negotiation: 
S.S.S.S[500]<=>C.C.C.C[500]
Mar 29 12:04:42 racoon: [Self]: INFO: IPsec-SA established: ESP 
S.S.S.S[500]->C.C.C.C[500] spi=103283229(0x627fa1d)
Mar 29 12:04:42 racoon: [Self]: INFO: IPsec-SA established: ESP 
S.S.S.S[500]->C.C.C.C[500] spi=51402328(0x3105658)
Mar 29 12:04:45 racoon: INFO: deleting a generated policy.
Mar 29 12:04:45 racoon: INFO: purged IPsec-SA proto_id=ESP spi=258506082.


On client:
bash-3.2# setkey -D
C.C.C.C S.S.S.S 
        esp mode=tunnel spi=103283229(0x0627fa1d) reqid=16393(0x00004009)
        E: aes-cbc  0de27614 46793c61 c78adf40 1ff0229c 984613fe b6052278 
babd13a1 a1960ef2
        A: hmac-sha1  fb8e725d e31b1634 0d4abad4 c3103d1a 50718c86
        seq=0x00000018 replay=4 flags=0x00000000 state=mature 
        created: Mar 29 12:04:42 2011   current: Mar 29 12:08:50 2011
        diff: 248(s)    hard: 3600(s)   soft: 2880(s)
        last: Mar 29 12:06:42 2011      hard: 0(s)      soft: 0(s)
        current: 3648(bytes)    hard: 0(bytes)  soft: 0(bytes)
        allocated: 24   hard: 0 soft: 0
        sadb_seq=2 pid=658 refcnt=2
S.S.S.S C.C.C.C 
        esp mode=tunnel spi=51402328(0x03105658) reqid=16394(0x0000400a)
        E: aes-cbc  c297b416 ac035e21 b7613566 d353a0b8 9c31353e e7a6c986 
1ce950fd 32d80f49
        A: hmac-sha1  576ad258 6417daf8 492defa5 32c885b7 156009f8
        seq=0x00000000 replay=4 flags=0x00000000 state=mature 
        created: Mar 29 12:04:42 2011   current: Mar 29 12:08:50 2011
        diff: 248(s)    hard: 3600(s)   soft: 2880(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=1 pid=658 refcnt=2
S.S.S.S C.C.C.C 
        esp mode=tunnel spi=258506082(0x0f687d62) reqid=16394(0x0000400a)
        E: aes-cbc  366e13f5 16c238ea 0cbcecae 5fbc0685 fc24d042 ab9ec6cf 
28752d2e 108ff7cf
        A: hmac-sha1  a2b201a1 641f5f34 d873c7fb cda8d279 abc5893a
        seq=0x00000000 replay=4 flags=0x00000000 state=mature 
        created: Mar 29 12:04:41 2011   current: Mar 29 12:08:50 2011
        diff: 249(s)    hard: 3600(s)   soft: 2880(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=0 pid=658 refcnt=2
bash-3.2# setkey -D -P
172.23.23.0/24[any] 172.23.5.1[any] any
        in ipsec
        esp/tunnel/S.S.S.S-C.C.C.C/unique#16394
        spid=10 seq=3 pid=659
        refcnt=2
10.0.0.0/24[any] 172.23.5.1[any] any
        in ipsec
        esp/tunnel/S.S.S.S-C.C.C.C/unique#16396
        spid=12 seq=2 pid=659
        refcnt=2
172.23.5.1[any] 172.23.23.0/24[any] any
        out ipsec
        esp/tunnel/C.C.C.C-S.S.S.S/unique#16393
        spid=9 seq=1 pid=659
        refcnt=2
172.23.5.1[any] 10.0.0.0/24[any] any
        out ipsec
        esp/tunnel/C.C.C.C-S.S.S.S/unique#16395
        spid=11 seq=0 pid=659
        refcnt=2
bash-3.2# 


pfSense GUI:

Status : IPsec : SAD:
Source  Destination     Protocol        SPI     Enc. alg.       Auth. alg.      
S.S.S.S C.C.C.C ESP     03105658        aes-cbc hmac-sha1        
C.C.C.C S.S.S.S ESP     0627fa1d        aes-cbc hmac-sha1        
C.C.C.C S.S.S.S ESP     0765239c        aes-cbc hmac-sha1

Status : IPsec : SPD:
No IPsec security policies.


On pfSense server:

Diagnostics : Execute command:

$ setkey -D
S.S.S.S C.C.C.C 
        esp mode=any spi=51402328(0x03105658) reqid=7(0x00000007)
        E: aes-cbc  c297b416 ac035e21 b7613566 d353a0b8 9c31353e e7a6c986 
1ce950fd 32d80f49
        A: hmac-sha1  576ad258 6417daf8 492defa5 32c885b7 156009f8
        seq=0x00000000 replay=4 flags=0x00000000 state=mature 
        created: Mar 29 12:04:42 2011   current: Mar 29 12:10:28 2011
        diff: 346(s)    hard: 3600(s)   soft: 2880(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=2 pid=41539 refcnt=1
C.C.C.C S.S.S.S 
        esp mode=tunnel spi=103283229(0x0627fa1d) reqid=7(0x00000007)
        E: aes-cbc  0de27614 46793c61 c78adf40 1ff0229c 984613fe b6052278 
babd13a1 a1960ef2
        A: hmac-sha1  fb8e725d e31b1634 0d4abad4 c3103d1a 50718c86
        seq=0x00000018 replay=4 flags=0x00000000 state=mature 
        created: Mar 29 12:04:42 2011   current: Mar 29 12:10:28 2011
        diff: 346(s)    hard: 3600(s)   soft: 2880(s)
        last: Mar 29 12:06:42 2011      hard: 0(s)      soft: 0(s)
        current: 2392(bytes)    hard: 0(bytes)  soft: 0(bytes)
        allocated: 24   hard: 0 soft: 0
        sadb_seq=1 pid=41539 refcnt=1
C.C.C.C S.S.S.S 
        esp mode=tunnel spi=124068764(0x0765239c) reqid=7(0x00000007)
        E: aes-cbc  87d83d3d 7f5522d5 ffd81080 fdb63f67 9702ffff a33b59bc 
40be260f 598213d9
        A: hmac-sha1  53fad134 9d09f9fa 063240e3 8bf364d1 3e7b8927
        seq=0x00000006 replay=4 flags=0x00000000 state=mature 
        created: Mar 29 12:04:41 2011   current: Mar 29 12:10:28 2011
        diff: 347(s)    hard: 3600(s)   soft: 2880(s)
        last: Mar 29 12:04:42 2011      hard: 0(s)      soft: 0(s)
        current: 598(bytes)     hard: 0(bytes)  soft: 0(bytes)
        allocated: 6    hard: 0 soft: 0
        sadb_seq=0 pid=41539 refcnt=1

Diagnostics : Execute command:
        
$ setkey -D -P
172.23.23.0/24[any] 172.23.23.1[any] 255
        in none
        spid=2 seq=1 pid=61858
        refcnt=1
172.23.23.1[any] 172.23.23.0/24[any] 255
        out none
        spid=1 seq=0 pid=61858
        refcnt=1
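
The symptom reported above (SAs present on the pfSense side with no matching SPD entry) can be checked mechanically by cross-referencing `setkey -D` against `setkey -D -P`. The following is an added example, not part of the original post: the function names are hypothetical, and the sample dumps are constructed and trimmed from the output in the message, with documentation addresses standing in for S.S.S.S, C.C.C.C and N.N.N.N.

```python
import re

# "src[port] dst[port]" header of an SA entry in `setkey -D` output.
SA_HEAD = re.compile(r"^(\S+?)(?:\[\d+\])?\s+(\S+?)(?:\[\d+\])?\s*$")
SA_SPI = re.compile(r"^\s+(?:esp|esp-udp|ah)\s+mode=\S+\s+spi=\d+\(0x([0-9a-f]+)\)")
# "esp/tunnel/src-dst/level" line of an ipsec policy in `setkey -D -P` output.
POL_TUNNEL = re.compile(r"^\s+(?:esp|ah)/tunnel/([^/\s-]+)-([^/\s-]+)/")

def parse_sad(text):
    """Return [(src, dst, spi_hex)] for every SA in `setkey -D` output."""
    sas, pending = [], None
    for line in text.splitlines():
        head = SA_HEAD.match(line)
        if head:
            pending = head.groups()
            continue
        spi = SA_SPI.match(line)
        # A header counts only if an SPI line follows it (skips wrapped key lines).
        if spi and pending:
            sas.append((pending[0], pending[1], spi.group(1)))
        pending = None
    return sas

def parse_tunnel_endpoints(text):
    """Return {(src, dst)} tunnel endpoints of ipsec policies."""
    return {m.groups() for m in map(POL_TUNNEL.match, text.splitlines()) if m}

def sas_without_policy(sad_text, spd_text):
    """SAs whose (src, dst) pair is not the tunnel endpoint of any policy."""
    endpoints = parse_tunnel_endpoints(spd_text)
    return [sa for sa in parse_sad(sad_text) if sa[:2] not in endpoints]

# Constructed samples: addresses are RFC 5737 placeholders, not real hosts.
PFSENSE, CLIENT, NAT_GW = "192.0.2.1", "198.51.100.7", "203.0.113.9"
FAILED_SAD = f"""\
{PFSENSE} {CLIENT}
        esp mode=any spi=51402328(0x03105658) reqid=7(0x00000007)
{CLIENT} {PFSENSE}
        esp mode=tunnel spi=103283229(0x0627fa1d) reqid=7(0x00000007)
{CLIENT} {PFSENSE}
        esp mode=tunnel spi=124068764(0x0765239c) reqid=7(0x00000007)
"""
FAILED_SPD = """\
172.23.23.0/24[any] 172.23.23.1[any] 255
        in none
"""
WORKING_SAD = f"""\
{PFSENSE}[4500] {NAT_GW}[4500]
        esp-udp mode=any spi=27570254(0x01a4b04e) reqid=5(0x00000005)
{NAT_GW}[4500] {PFSENSE}[4500]
        esp-udp mode=tunnel spi=175286290(0x0a72a812) reqid=5(0x00000005)
"""
WORKING_SPD = f"""\
172.23.5.1[any] 172.23.23.0/24[any] 255
        in ipsec
        esp/tunnel/{NAT_GW}-{PFSENSE}/unique:5
172.23.23.0/24[any] 172.23.5.1[any] 255
        out ipsec
        esp/tunnel/{PFSENSE}-{NAT_GW}/unique:5
"""

if __name__ == "__main__":
    print("NAT-T :", sas_without_policy(WORKING_SAD, WORKING_SPD))
    print("no NAT:", sas_without_policy(FAILED_SAD, FAILED_SPD))
```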

