Subject: PfSense IPsec Issues
Kolby_G Dec 22, 2012 11:17 PM

Hey Guys,
I have been trying for the last few days to get IPsec working on PfSense.
I have 2 locations, each running PfSense (latest version) on different subnets (192.168.0.x and .1.x).

https://www.dropbox.com/sh/5jdv04z8h8o5q2q/TVUtNZWP1m
^Images of phase 1 and 2 at both locations (with sensitive info removed)

I set all this up yesterday and clicked connect on the status page and a green arrow appeared, however I couldn't access the remote network.
Today, I noticed the green arrow changed to a yellow X; I tried to press connect again and nothing happens.

Log file:

Dec 22 20:20:08 racoon: [SITE 1]: INFO: IPsec-SA request for 24.69.xxx.xxx queued due to no phase1 found.
Dec 22 20:20:08 racoon: [SITE 1]: INFO: initiate new phase 1 negotiation: 24.69.yyy.yyy[500]24.69.xxx.xxx[500]
Dec 22 20:20:08 racoon: INFO: begin Aggressive mode.
Dec 22 20:20:08 racoon: ERROR: sendto (Operation not permitted)
Dec 22 20:20:08 racoon: ERROR: sendfromto failed
Dec 22 20:20:08 racoon: ERROR: phase1 negotiation failed due to send error. 9eba062006a681b9:0000000000000000
Dec 22 20:20:08 racoon: ERROR: failed to begin ipsec sa negotication.
Dec 22 20:28:57 racoon: [SITE 1]: INFO: IPsec-SA request for 24.69.xxx.xxx queued due to no phase1 found.
Dec 22 20:28:57 racoon: [SITE 1: INFO: initiate new phase 1 negotiation: 24.69.yyy.yyy[500]24.69.xxx.xxx[500]
Dec 22 20:28:57 racoon: INFO: begin Aggressive mode.
Dec 22 20:29:28 racoon: [SITE 1]: [24.69.xxx.xxx] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 24.69.xxx.xxx[0]->24.69.yyy.yyy[0]
Dec 22 20:29:28 racoon: INFO: delete  phase 2 handler.

Both sites show the same error upon trying to connect.

I followed the guide on pfsense.org to set this up, but it was written for version 1.2.3 so I had to guess a few things.

Port 500 (UDP) is forwarded to the PfSense box on both sites, along with the ESP protocol.

Any ideas?

Topic URL: http://forums.ncix.com/forums/topic.php?id=2579322

Hyperlight Dec 23, 2012 08:04 AM

You have the NAT traversal box checked. In which case you need port 4500 open.

Kolby_G Dec 23, 2012 12:23 PM

Added that entry on both sites, still won't connect.


Dec 23 20:21:11 racoon: [SITE 1]: [24.69.yyy.yyy] INFO: Selected NAT-T version: RFC 3947
Dec 23 20:21:11 racoon: [SITE 1]: [24.69.yyy.yyy] NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Dec 23 20:21:11 racoon: INFO: Adding remote and local NAT-D payloads.
Dec 23 20:21:11 racoon: [SITE 1]: [24.69yyy.yyy] INFO: Hashing 24.69.yyy.yyy[500] with algo #2
Dec 23 20:21:11 racoon: [Self]: [24.69.xxx.xxx] INFO: Hashing 24.69.xxx.xxx[500] with algo #2
Dec 23 20:21:24 racoon: [SITE 1]: [24.69.yyy.yyy] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 24.69.yyy.yyy[0]->24.69.xxx.xxx[0]
Dec 23 20:21:24 racoon: INFO: delete  phase 2 handler.
Dec 23 20:21:43 racoon: ERROR: phase1 negotiation failed due to time up. 02f4797cdd196220:0000000000000000

I also tried restarting the IPsec service on both sides, nothing, just stays with the yellow X...

Hyperlight Dec 23, 2012 12:38 PM

Check your PSK; according to the errors it's not matching:

couldn't find the proper pskey, try to get one by the peer's address.

Kolby_G Dec 23, 2012 12:54 PM

Retyped on both ends, and also changed the identifier to a FQDN (Distinguished Name according to PfSense) instead of IP. That message seemed to go away, but it still won't connect. Restarted the service again; here's the full log:



Dec 23 20:47:50 racoon: INFO: j(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
Dec 23 20:47:50 racoon: INFO: j(#)This product linked OpenSSL 0.9.8n 24 Mar 2010 (http://www.openssl.org/)
Dec 23 20:47:50 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
Dec 23 20:47:50 racoon: [Self]: INFO: 24.69.xxx.xxx[4500] used for NAT-T
Dec 23 20:47:50 racoon: [Self]: INFO: 24.69.xxx.xxx[4500] used as isakmp port (fd=14)
Dec 23 20:47:50 racoon: [Self]: INFO: 24.69.xxx.xxx[500] used for NAT-T
Dec 23 20:47:50 racoon: [Self]: INFO: 24.69.xxx.xxx[500] used as isakmp port (fd=15)
Dec 23 20:47:50 racoon: INFO: unsupported PF_KEY message REGISTER
Dec 23 20:47:50 racoon: ERROR: such policy already exists. anyway replace it: 192.168.0.1/32[0] 192.168.0.0/24[0] proto=any dir=out
Dec 23 20:47:50 racoon: ERROR: such policy already exists. anyway replace it: 192.168.0.0/24[0] 192.168.0.1/32[0] proto=any dir=in
Dec 23 20:47:50 racoon: ERROR: such policy already exists. anyway replace it: 192.168.0.0/24[0] 192.168.1.0/24[0] proto=any dir=out
Dec 23 20:47:50 racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.0.0/24[0] proto=any dir=in
Dec 23 20:48:04 racoon: [1300 link]: INFO: IPsec-SA request for 24.69.yyy.yyy queued due to no phase1 found.
Dec 23 20:48:04 racoon: [1300 link]: INFO: initiate new phase 1 negotiation: 24.69.xxx.xxx[500]24.69.yyy.yyy[500]
Dec 23 20:48:04 racoon: INFO: begin Aggressive mode.
Dec 23 20:48:11 racoon: [1300 link]: INFO: respond new phase 1 negotiation: 24.69.xxx.xxx[500]24.69.yyy.yyy[500]
Dec 23 20:48:11 racoon: INFO: begin Aggressive mode.
Dec 23 20:48:11 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Dec 23 20:48:11 racoon: INFO: received Vendor ID: RFC 3947
Dec 23 20:48:11 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Dec 23 20:48:11 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Dec 23 20:48:11 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Dec 23 20:48:11 racoon: INFO: received Vendor ID: DPD
Dec 23 20:48:11 racoon: [1300 link]: [24.69.yyy.yyy] INFO: Selected NAT-T version: RFC 3947
Dec 23 20:48:11 racoon: INFO: Adding remote and local NAT-D payloads.
Dec 23 20:48:11 racoon: [1300 link]: [24.69.yyy.yyy] INFO: Hashing 24.69.yyy.yyy[500] with algo #2
Dec 23 20:48:11 racoon: [Self]: [24.69.xxx.xxx] INFO: Hashing 24.69.xxx.xxx[500] with algo #2
Dec 23 20:48:36 racoon: [1300 link]: [24.69.yyy.yyy] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 24.69.yyy.yyy[0]->24.69.xxx.xxx[0]
Dec 23 20:48:36 racoon: INFO: delete  phase 2 handler.
Dec 23 20:48:55 racoon: ERROR: phase1 negotiation failed due to time up. 971cc4cb147d11e1:0000000000000000
Dec 23 20:49:01 racoon: ERROR: phase1 negotiation failed due to time up. b9064c9c515a0465:a5da21bc9c1c92c7


Need any more info?

Hyperlight Dec 23, 2012 01:30 PM

Hmm, that's odd, it should be working. I would try a reboot of both PfSense boxes just to be sure.

Kolby_G Dec 23, 2012 01:46 PM

Rebooted both and still no luck :(
When I click connect on site 1, site 2's log says this:

Dec 23 21:45:37 racoon: [1300 link]: INFO: respond new phase 1 negotiation: 24.69.xxx.xxx[500]24.69.yyy.yyy[500]
Dec 23 21:45:37 racoon: INFO: begin Aggressive mode.
Dec 23 21:45:37 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Dec 23 21:45:37 racoon: INFO: received Vendor ID: RFC 3947
Dec 23 21:45:37 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Dec 23 21:45:37 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Dec 23 21:45:37 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Dec 23 21:45:37 racoon: INFO: received Vendor ID: DPD
Dec 23 21:45:37 racoon: [1300 link]: [24.69.yyy.yyy] INFO: Selected NAT-T version: RFC 3947
Dec 23 21:45:38 racoon: INFO: Adding remote and local NAT-D payloads.
Dec 23 21:45:38 racoon: [1300 link]: [24.69.yyy.yyy] INFO: Hashing 24.69.yyy.yyy[500] with algo #2
Dec 23 21:45:38 racoon: [Self]: [24.69.xxx.xxx] INFO: Hashing 24.69.xxx.xxx[500] with algo #2
Dec 23 21:46:28 racoon: ERROR: phase1 negotiation failed due to time up. d4f66ed6631bc3f3:75e9a6dfdd79dbbb

So it is connecting; is there something I'm missing in the firewall?
