Subject: pfSense IPsec Issues
Kolby_G Dec 22, 2012 11:17 PM

Hey guys,
I have been trying for the last few days to get IPsec working on pfSense.
I have 2 locations, each running pfSense (latest version) on different subnets (192.168.0.x and 192.168.1.x).

https://www.dropbox.com/sh/5jdv04z8h8o5q2q/TVUtNZWP1m
(Images of phase 1 and 2 at both locations, with sensitive info removed)

I set all this up yesterday and clicked Connect on the status page, and a green arrow appeared; however, I couldn't access the remote network.
Today I noticed the green arrow had changed to a yellow X. I tried to press Connect again and nothing happens.

Log file:

Dec 22 20:20:08 racoon: [SITE 1]: INFO: IPsec-SA request for 24.69.xxx.xxx queued due to no phase1 found.
Dec 22 20:20:08 racoon: [SITE 1]: INFO: initiate new phase 1 negotiation: 24.69.yyy.yyy[500]<=>24.69.xxx.xxx[500]
Dec 22 20:20:08 racoon: INFO: begin Aggressive mode.
Dec 22 20:20:08 racoon: ERROR: sendto (Operation not permitted)
Dec 22 20:20:08 racoon: ERROR: sendfromto failed
Dec 22 20:20:08 racoon: ERROR: phase1 negotiation failed due to send error. 9eba062006a681b9:0000000000000000
Dec 22 20:20:08 racoon: ERROR: failed to begin ipsec sa negotication.
Dec 22 20:28:57 racoon: [SITE 1]: INFO: IPsec-SA request for 24.69.xxx.xxx queued due to no phase1 found.
Dec 22 20:28:57 racoon: [SITE 1]: INFO: initiate new phase 1 negotiation: 24.69.yyy.yyy[500]<=>24.69.xxx.xxx[500]
Dec 22 20:28:57 racoon: INFO: begin Aggressive mode.
Dec 22 20:29:28 racoon: [SITE 1]: [24.69.xxx.xxx] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 24.69.xxx.xxx[0]->24.69.yyy.yyy[0]
Dec 22 20:29:28 racoon: INFO: delete  phase 2 handler.

Both sites show the same error upon trying to connect.

I followed the guide on pfsense.org to set this up, but it was written for version 1.2.3, so I had to guess a few things.

UDP port 500 is forwarded to the pfSense box on both sites, along with the ESP protocol.

Any ideas?

Topic URL: http://forums.ncix.com/forums/topic.php?id=2579322

Hyperlight Dec 23, 2012 08:04 AM

You have the NAT traversal box checked. In which case you need port 4500 open.

Kolby_G Dec 23, 2012 12:23 PM

Added that entry on both sites; it still won't connect.


Dec 23 20:21:11 racoon: [SITE 1]: [24.69.yyy.yyy] INFO: Selected NAT-T version: RFC 3947
Dec 23 20:21:11 racoon: [SITE 1]: [24.69.yyy.yyy] NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Dec 23 20:21:11 racoon: INFO: Adding remote and local NAT-D payloads.
Dec 23 20:21:11 racoon: [SITE 1]: [24.69.yyy.yyy] INFO: Hashing 24.69.yyy.yyy[500] with algo #2
Dec 23 20:21:11 racoon: [Self]: [24.69.xxx.xxx] INFO: Hashing 24.69.xxx.xxx[500] with algo #2
Dec 23 20:21:24 racoon: [SITE 1]: [24.69.yyy.yyy] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 24.69.yyy.yyy[0]->24.69.xxx.xxx[0]
Dec 23 20:21:24 racoon: INFO: delete  phase 2 handler.
Dec 23 20:21:43 racoon: ERROR: phase1 negotiation failed due to time up. 02f4797cdd196220:0000000000000000

I also tried restarting the IPsec service on both sides, nothing, just stays with the yellow X...

Hyperlight Dec 23, 2012 12:38 PM

Check your PSK; according to the errors it's not matching:

couldn't find the proper pskey, try to get one by the peer's address.
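The replies so far point at individual settings (UDP 4500 for NAT traversal, the PSK). For a site-to-site tunnel the useful check is that the two sides are exact mirror images of each other: remote gateway equals the peer's WAN, phase 2 remote subnet equals the peer's local subnet, "peer identifier" equals what the other box sends as "my identifier", same PSK, same proposals, NAT-T on both sides, and the right ports forwarded through whatever sits in front of each pfSense. The script below is an added example for this thread, not pfSense code: the field names are this example's own rather than pfSense's, the "forwarded" fields model the upstream router the poster forwards ports through, and the values are constructed (the redacted public addresses and the two LAN subnets come from the posts; the PSK and proposals are placeholders). Site 2 is deliberately set up the way the thread started, with NAT-T on and only UDP 500 forwarded.

```python
"""Mirror-check two pfSense site-to-site IPsec configurations.

Added example for this thread, not pfSense code. Field names are this example's
own; values are constructed (public addresses are the redacted ones from the posts).
"""
import ipaddress

SITE1 = {
    "name": "Site 1",
    "wan": "24.69.xxx.xxx",                    # redacted in the thread, kept symbolic
    "remote_gateway": "24.69.yyy.yyy",
    "local_subnet": "192.168.0.0/24",
    "remote_subnet": "192.168.1.0/24",
    "my_identifier": ("address", "24.69.xxx.xxx"),
    "peer_identifier": ("address", "24.69.yyy.yyy"),
    "psk": "placeholder-psk-not-from-the-thread",
    "nat_t": True,
    "p1_proposal": ("aes256", "sha1", "dh2"),  # assumed; the screenshots are not on the page
    "p2_proposal": ("aes256", "sha1"),
    "udp_ports_forwarded": {500, 4500},        # what the upstream router passes to this box
    "esp_forwarded": True,
}

# Constructed to reproduce the thread's first mistake: NAT-T on, only UDP 500 forwarded.
SITE2 = {
    "name": "Site 2",
    "wan": "24.69.yyy.yyy",
    "remote_gateway": "24.69.xxx.xxx",
    "local_subnet": "192.168.1.0/24",
    "remote_subnet": "192.168.0.0/24",
    "my_identifier": ("address", "24.69.yyy.yyy"),
    "peer_identifier": ("address", "24.69.xxx.xxx"),
    "psk": "placeholder-psk-not-from-the-thread",
    "nat_t": True,
    "p1_proposal": ("aes256", "sha1", "dh2"),
    "p2_proposal": ("aes256", "sha1"),
    "udp_ports_forwarded": {500},
    "esp_forwarded": True,
}


def findings(a, b):
    """Return a list of (site, problem) pairs; an empty list means the sides mirror.

    Directional checks run once per side; symmetric ones (PSK, NAT-T, proposals,
    subnet overlap) run once for the pair.
    """
    out = []
    for me, peer in ((a, b), (b, a)):
        n = me["name"]
        if me["remote_gateway"] != peer["wan"]:
            out.append((n, f"remote gateway {me['remote_gateway']} is not the peer's WAN {peer['wan']}"))
        if me["remote_subnet"] != peer["local_subnet"]:
            out.append((n, f"phase 2 remote subnet {me['remote_subnet']} is not the peer's local subnet {peer['local_subnet']}"))
        if me["peer_identifier"] != peer["my_identifier"]:
            out.append((n, f"peer identifier {me['peer_identifier']} does not match what the peer sends as its own identifier {peer['my_identifier']}"))
        # IKE always needs UDP 500; with NAT-T the exchange moves to UDP 4500 once a NAT is detected.
        needed = {500} | ({4500} if me["nat_t"] else set())
        missing = needed - me["udp_ports_forwarded"]
        if missing:
            out.append((n, f"UDP port(s) {sorted(missing)} not forwarded to this box"))
        if not me["nat_t"] and not me["esp_forwarded"]:
            out.append((n, "without NAT-T, ESP (IP protocol 50) must be forwarded to this box"))
    if a["psk"] != b["psk"]:
        out.append(("both", "pre-shared keys differ"))
    if a["nat_t"] != b["nat_t"]:
        out.append(("both", "NAT traversal is enabled on one side only"))
    for phase in ("p1_proposal", "p2_proposal"):
        if a[phase] != b[phase]:
            out.append(("both", f"{phase} differs: {a[phase]} vs {b[phase]}"))
    la = ipaddress.ip_network(a["local_subnet"])
    lb = ipaddress.ip_network(b["local_subnet"])
    if la.overlaps(lb):
        out.append(("both", f"LAN subnets {la} and {lb} overlap; phase 2 selectors cannot tell them apart"))
    return out


if __name__ == "__main__":
    for site, problem in findings(SITE1, SITE2) or [("both", "no mismatches found")]:
        print(f"{site}: {problem}")
```

Run against the constructed pair it reports only the missing UDP 4500 forward on Site 2; drop your own two configurations in and an empty result means the remaining problem is on the wire (firewall or upstream NAT), not in the tunnel definition.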
Kolby_G Dec 23, 2012 12:54 PM

Retyped it on both ends, and also changed the identifier to an FQDN ("Distinguished Name" according to pfSense) instead of the IP. That message seemed to go away, but it still won't connect. Restarted the service again; here's the full log:



Dec 23 20:47:50 racoon: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
Dec 23 20:47:50 racoon: INFO: @(#)This product linked OpenSSL 0.9.8n 24 Mar 2010 (http://www.openssl.org/)
Dec 23 20:47:50 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
Dec 23 20:47:50 racoon: [Self]: INFO: 24.69.xxx.xxx[4500] used for NAT-T
Dec 23 20:47:50 racoon: [Self]: INFO: 24.69.xxx.xxx[4500] used as isakmp port (fd=14)
Dec 23 20:47:50 racoon: [Self]: INFO: 24.69.xxx.xxx[500] used for NAT-T
Dec 23 20:47:50 racoon: [Self]: INFO: 24.69.xxx.xxx[500] used as isakmp port (fd=15)
Dec 23 20:47:50 racoon: INFO: unsupported PF_KEY message REGISTER
Dec 23 20:47:50 racoon: ERROR: such policy already exists. anyway replace it: 192.168.0.1/32[0] 192.168.0.0/24[0] proto=any dir=out
Dec 23 20:47:50 racoon: ERROR: such policy already exists. anyway replace it: 192.168.0.0/24[0] 192.168.0.1/32[0] proto=any dir=in
Dec 23 20:47:50 racoon: ERROR: such policy already exists. anyway replace it: 192.168.0.0/24[0] 192.168.1.0/24[0] proto=any dir=out
Dec 23 20:47:50 racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.0.0/24[0] proto=any dir=in
Dec 23 20:48:04 racoon: [1300 link]: INFO: IPsec-SA request for 24.69.yyy.yyy queued due to no phase1 found.
Dec 23 20:48:04 racoon: [1300 link]: INFO: initiate new phase 1 negotiation: 24.69.xxx.xxx[500]<=>24.69.yyy.yyy[500]
Dec 23 20:48:04 racoon: INFO: begin Aggressive mode.
Dec 23 20:48:11 racoon: [1300 link]: INFO: respond new phase 1 negotiation: 24.69.xxx.xxx[500]<=>24.69.yyy.yyy[500]
Dec 23 20:48:11 racoon: INFO: begin Aggressive mode.
Dec 23 20:48:11 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Dec 23 20:48:11 racoon: INFO: received Vendor ID: RFC 3947
Dec 23 20:48:11 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Dec 23 20:48:11 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Dec 23 20:48:11 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Dec 23 20:48:11 racoon: INFO: received Vendor ID: DPD
Dec 23 20:48:11 racoon: [1300 link]: [24.69.yyy.yyy] INFO: Selected NAT-T version: RFC 3947
Dec 23 20:48:11 racoon: INFO: Adding remote and local NAT-D payloads.
Dec 23 20:48:11 racoon: [1300 link]: [24.69.yyy.yyy] INFO: Hashing 24.69.yyy.yyy[500] with algo #2
Dec 23 20:48:11 racoon: [Self]: [24.69.xxx.xxx] INFO: Hashing 24.69.xxx.xxx[500] with algo #2
Dec 23 20:48:36 racoon: [1300 link]: [24.69.yyy.yyy] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 24.69.yyy.yyy[0]->24.69.xxx.xxx[0]
Dec 23 20:48:36 racoon: INFO: delete  phase 2 handler.
Dec 23 20:48:55 racoon: ERROR: phase1 negotiation failed due to time up. 971cc4cb147d11e1:0000000000000000
Dec 23 20:49:01 racoon: ERROR: phase1 negotiation failed due to time up. b9064c9c515a0465:a5da21bc9c1c92c7


Need any more info?

Hyperlight Dec 23, 2012 01:30 PM

Hmm, that's odd; it should be working. I would try a reboot of both pfSense boxes just to be sure.

Kolby_G Dec 23, 2012 01:46 PM

Rebooted both and still no luck :(
When I click Connect on site 1, site 2's log says this:

Dec 23 21:45:37 racoon: [1300 link]: INFO: respond new phase 1 negotiation: 24.69.xxx.xxx[500]<=>24.69.yyy.yyy[500]
Dec 23 21:45:37 racoon: INFO: begin Aggressive mode.
Dec 23 21:45:37 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Dec 23 21:45:37 racoon: INFO: received Vendor ID: RFC 3947
Dec 23 21:45:37 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Dec 23 21:45:37 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Dec 23 21:45:37 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Dec 23 21:45:37 racoon: INFO: received Vendor ID: DPD
Dec 23 21:45:37 racoon: [1300 link]: [24.69.yyy.yyy] INFO: Selected NAT-T version: RFC 3947
Dec 23 21:45:38 racoon: INFO: Adding remote and local NAT-D payloads.
Dec 23 21:45:38 racoon: [1300 link]: [24.69.yyy.yyy] INFO: Hashing 24.69.yyy.yyy[500] with algo #2
Dec 23 21:45:38 racoon: [Self]: [24.69.xxx.xxx] INFO: Hashing 24.69.xxx.xxx[500] with algo #2
Dec 23 21:46:28 racoon: ERROR: phase1 negotiation failed due to time up. d4f66ed6631bc3f3:75e9a6dfdd79dbbb

So it is connecting; is there something I'm missing in the firewall?
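The racoon lines posted across this thread carry most of the diagnosis if the right fields are read. "sendto (Operation not permitted)" is EPERM handed back by pf on the pfSense box itself, so the first log shows the local WAN rules dropping racoon's own outbound IKE packet, before the upstream router is even involved. Each "phase1 negotiation failed" line ends with the ISAKMP cookie pair (initiator cookie:responder cookie): an all-zero responder cookie means this side initiated and never heard anything back, while a non-zero one means a message from the peer was processed and the peer's next message never arrived, which is what site 2's "respond new phase 1 negotiation ... failed due to time up" shows. The script below is an added example for this thread, not pfSense or racoon code: it triages such a log with the message patterns that appear in the posts above and decodes the cookie pair. The sample log is constructed from the shape of the posted lines, keeping the poster's redacted addresses; the interpretations are this example's, not the thread's.

```python
"""Triage racoon (ipsec-tools) IKEv1 log lines for common site-to-site failures.

Added example for this thread, not pfSense or racoon code. SAMPLE_LOG is
constructed from the shape of the lines posted above; the poster's redacted
addresses (24.69.xxx.xxx / 24.69.yyy.yyy) are kept as written.
"""
import re

SAMPLE_LOG = """\
Dec 22 20:20:08 racoon: INFO: begin Aggressive mode.
Dec 22 20:20:08 racoon: ERROR: sendto (Operation not permitted)
Dec 22 20:20:08 racoon: ERROR: phase1 negotiation failed due to send error. 9eba062006a681b9:0000000000000000
Dec 23 20:21:11 racoon: [SITE 1]: [24.69.yyy.yyy] NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Dec 23 20:48:11 racoon: [1300 link]: INFO: respond new phase 1 negotiation: 24.69.xxx.xxx[500]<=>24.69.yyy.yyy[500]
Dec 23 20:48:55 racoon: ERROR: phase1 negotiation failed due to time up. 971cc4cb147d11e1:0000000000000000
Dec 23 20:49:01 racoon: ERROR: phase1 negotiation failed due to time up. b9064c9c515a0465:a5da21bc9c1c92c7
"""

# (finding code, regex matched against the log, interpretation)
RULES = [
    ("send_blocked", r"sendto \(Operation not permitted\)",
     "sendto() returned EPERM: the local packet filter dropped racoon's own outbound "
     "IKE packet. Fix this box's WAN rules before touching the upstream router."),
    ("psk_lookup_failed", r"couldn't find the proper pskey",
     "No pre-shared key matched the peer's identifier, so racoon fell back to looking "
     "one up by address. Compare PSK and identifier type/value on both sides."),
    ("aggressive_mode", r"begin Aggressive mode",
     "IKEv1 aggressive mode with a PSK sends the PSK-derived responder hash in the clear, "
     "so a passive capture can be brute-forced offline. Use main mode."),
    ("inbound_ike_seen", r"respond new phase 1 negotiation",
     "The peer's IKE packets reach this box (it is acting as responder); if phase 1 "
     "still times out, this box's replies or the peer's follow-up are being lost."),
]

# "phase1 negotiation failed due to <reason>. <initiator cookie>:<responder cookie>"
FAIL_RE = re.compile(
    r"phase1 negotiation failed due to (?P<why>time up|send error)\. "
    r"(?P<icookie>[0-9a-f]{16}):(?P<rcookie>[0-9a-f]{16})"
)


def triage(log_text):
    """Return {finding code: interpretation} for every rule matching at least one line."""
    return {code: meaning for code, pattern, meaning in RULES if re.search(pattern, log_text)}


def phase1_failures(log_text):
    """Decode each failed phase 1 SA from the ISAKMP cookie pair racoon logs.

    All-zero responder cookie: this side initiated and never heard back at all.
    Non-zero: a message from the peer was processed (this side answered it, or
    initiated and received message 2) and the peer's next message never arrived.
    """
    failures = []
    for m in FAIL_RE.finditer(log_text):
        failures.append({
            "why": m.group("why"),
            "icookie": m.group("icookie"),
            "rcookie": m.group("rcookie"),
            "peer_message_seen": m.group("rcookie") != "0" * 16,
        })
    return failures


if __name__ == "__main__":
    for code, meaning in triage(SAMPLE_LOG).items():
        print(f"[{code}] {meaning}")
    for f in phase1_failures(SAMPLE_LOG):
        state = "exchange started, then stalled" if f["peer_message_seen"] else "no reply from peer at all"
        print(f"phase1 {f['why']}: {f['icookie']}:{f['rcookie']} -> {state}")
```

Feed it the IPsec log from each box in turn: a box whose failures all carry a zero responder cookie is sending into a void, while a box that logs "respond new phase 1" and then times out with both cookies set is being reached but cannot get its answer back, which narrows the firewall or port-forward problem to one direction.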



