I've set up a test tunnel between my office and my customer site. The VPN tunnel will work correctly when the pfSense interface is the WAN interface. When I change the interface to the OPT interface, it doesn't seem to work. Here are some log entries.

racoon: ERROR: phase1 negotiation failed due to time up. 8c35cc8f9a4378c0:0000000000000000
Mar 29 13:36:29 racoon: INFO: delete phase 2 handler.
Mar 29 13:36:29 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 70.237.44.110[500]->75.44.169.169[500]
Mar 29 13:35:58 racoon: INFO: begin Aggressive mode.
Mar 29 13:35:58 racoon: INFO: initiate new phase 1 negotiation: 75.44.169.169[500]<=>70.237.44.110[500]
Mar 29 13:35:58 racoon: INFO: IPsec-SA request for 70.237.44.110 queued due to no phase1 found.
Mar 29 13:32:04 racoon: ERROR: phase1 negotiation failed due to time up. 022718bb87e94fd7:0000000000000000
Mar 29 13:31:35 racoon: INFO: delete phase 2 handler.
Mar 29 13:31:35 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 70.237.44.110[500]->75.44.169.169[500]
Mar 29 13:31:04 racoon: INFO: begin Aggressive mode.
Mar 29 13:31:04 racoon: INFO: initiate new phase 1 negotiation: 75.44.169.169[500]<=>70.237.44.110[500]
Mar 29 13:31:04 racoon: INFO: IPsec-SA request for 70.237.44.110 queued due to no phase1 found.

This set of responses just seems to repeat itself over and over again. If I set the remote node to use the pfSense's WAN IP and change the tunnel definition on the pfSense box to use the WAN interface, then everything immediately works after hitting the Save and Apply buttons.
Thanks,

Vaughn

Scott Ullrich wrote:
On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote:
I'm using the 3-27 snapshot on the pfSense box.

I've searched both the forum and the mailing list archives, and I can't
seem to find an updated listing of how to get IPsec to work over an OPT
interface as well as over WAN at the same time.

Here's what I want to do:

I have several remote sites that use one of two companies for their
Internet access.  Our main office also has Internet access through these
two ISPs.  I want to configure the tunnels that have Internet access
through ISP A to use our ISP A connection, which is WAN, and those that
have ISP B, which is our OPT1, to use ISP B's interface on the pfSense
box for IPsec VPNs.

I can get all of the VPN connections to work properly if they all use
the WAN interface, but this adds about 5 hops and 50 milliseconds to
the round trip for those remotes that use ISP B.

Here's what I tried without success:
On the pfSense box, I changed the existing working configurations for
the desired VPN tunnels to use the OPT interface.  I then saved my
changed settings and clicked the Apply button.  At the desired remote
sites, I changed the remote Gateway IP on their (previously working when
using WAN) existing VPN tunnel configurations to use the OPT interface's
IP address.  After doing this, I rebooted both the pfSense box and the
remote router.  Also, the IPsec interface has the default rule to allow
all connections and all traffic.

Both the pfSense machine and the remote sites have static IPs for their
Internet connections.  The remote sites are using Linksys RV series
firewalls.  The DSL router at the main site for the OPT interface is a
Netopia 3500 and it is set to bridge mode so that the OPT interface has
a real public IP.

Please post the IPsec logs from the pfSense box.

Scott

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

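An added example, not part of this thread or of pfSense/racoon itself: a small Python script that reads racoon log lines of the kind quoted above and summarizes, per peer pair, how many phase 1 negotiations were started, how many timed out, and whether the peer ever answered at all. The check it makes is on the ISAKMP cookie pair printed with each phase 1 timeout: the second half is the responder cookie, which stays all zeros until the peer's first reply arrives, so a run of timeouts with a zero responder cookie means no IKE packet ever came back to the address the tunnel is bound to. The sample lines are the ones quoted in the message, reordered oldest first; the one line quoted without a timestamp is kept as-is and the parser tolerates that. The `ISAKMP-SA established` pattern is racoon's normal success message and is included so the same script reports a working tunnel correctly.

```python
import re
from collections import defaultdict

# One racoon syslog line; the timestamp is optional because one quoted line lacks it.
LINE = re.compile(
    r"^(?:(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d)\s+)?racoon: (?P<level>\w+): (?P<msg>.*)$"
)
INITIATE = re.compile(r"initiate new phase 1 negotiation: (\S+)\[\d+\]<=>(\S+)\[\d+\]")
# Initiator cookie ':' responder cookie, 16 hex digits each.
P1_TIMEOUT = re.compile(
    r"phase1 negotiation failed due to time up\. (?P<icookie>[0-9a-f]{16}):(?P<rcookie>[0-9a-f]{16})"
)
P2_WAIT = re.compile(r"phase2 negotiation failed due to time up waiting for phase1\.")
ESTABLISHED = re.compile(r"ISAKMP-SA established (\S+)\[\d+\]-(\S+)\[\d+\]")

# Constructed sample: the lines quoted in the message above, oldest first.
SAMPLE_LOG = """\
Mar 29 13:31:04 racoon: INFO: IPsec-SA request for 70.237.44.110 queued due to no phase1 found.
Mar 29 13:31:04 racoon: INFO: initiate new phase 1 negotiation: 75.44.169.169[500]<=>70.237.44.110[500]
Mar 29 13:31:04         racoon: INFO: begin Aggressive mode.
Mar 29 13:31:35 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 70.237.44.110[500]->75.44.169.169[500]
Mar 29 13:31:35         racoon: INFO: delete phase 2 handler.
Mar 29 13:32:04 racoon: ERROR: phase1 negotiation failed due to time up. 022718bb87e94fd7:0000000000000000
Mar 29 13:35:58 racoon: INFO: IPsec-SA request for 70.237.44.110 queued due to no phase1 found.
Mar 29 13:35:58 racoon: INFO: initiate new phase 1 negotiation: 75.44.169.169[500]<=>70.237.44.110[500]
Mar 29 13:35:58         racoon: INFO: begin Aggressive mode.
Mar 29 13:36:29 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 70.237.44.110[500]->75.44.169.169[500]
Mar 29 13:36:29         racoon: INFO: delete phase 2 handler.
racoon: ERROR: phase1 negotiation failed due to time up. 8c35cc8f9a4378c0:0000000000000000
"""


def summarize(log_text):
    """Return {(local, remote): counters} built from racoon log lines in chronological order."""
    stats = defaultdict(lambda: {"initiated": 0, "p1_timeouts": 0,
                                 "no_reply": 0, "p2_waits": 0, "established": 0})
    current = None  # peer pair of the most recently started phase 1; timeouts do not name it
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        if (i := INITIATE.search(msg)):
            current = (i.group(1), i.group(2))
            stats[current]["initiated"] += 1
        elif (e := ESTABLISHED.search(msg)):
            stats[(e.group(1), e.group(2))]["established"] += 1
        elif (t := P1_TIMEOUT.search(msg)) and current:
            stats[current]["p1_timeouts"] += 1
            # A zero responder cookie means the peer never sent its first reply.
            if int(t.group("rcookie"), 16) == 0:
                stats[current]["no_reply"] += 1
        elif P2_WAIT.search(msg) and current:
            stats[current]["p2_waits"] += 1
    return dict(stats)


def diagnose(stats):
    """Map each peer pair to a one-line reading of its counters."""
    verdicts = {}
    for pair, s in stats.items():
        if s["established"]:
            verdicts[pair] = "phase1 completed at least once"
        elif s["p1_timeouts"] and s["no_reply"] == s["p1_timeouts"]:
            verdicts[pair] = ("no IKE reply ever received (responder cookie is zero); "
                              "check that UDP/500 reaches this local address")
        elif s["p1_timeouts"]:
            verdicts[pair] = "peer replied but phase1 never completed; look for proposal or identity errors"
        else:
            verdicts[pair] = "inconclusive"
    return verdicts


if __name__ == "__main__":
    for pair, verdict in diagnose(summarize(SAMPLE_LOG)).items():
        print(f"{pair[0]} <=> {pair[1]}: {verdict}")
```

Run against the quoted lines it reports one pair, 75.44.169.169 to 70.237.44.110, with two phase 1 attempts, two timeouts, both with a zero responder cookie and no `ISAKMP-SA established` line, which is the signature of IKE traffic not reaching (or not leaving) the OPT address rather than of a mismatched proposal.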