After I let the connection sit for a couple of minutes after manually adding the UDP 500 and ESP rules, the tunnel started working. Yeah!!!

Assuming that I will need to manually add the rules to the OPT2 interface, are there any additional rules that need to be added for IPSEC?

Also, here are the log entries now that the tunnel is up.
Mar 29 14:24:41 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Mar 29 14:24:41 racoon: INFO: 192.168.10.1[500] used as isakmp port (fd=22)
Mar 29 14:24:41 racoon: INFO: fe80::2e0:81ff:fe74:bb24%em0[500] used as isakmp port (fd=21)
Mar 29 14:24:41 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Mar 29 14:24:41 racoon: INFO: 209.218.218.138[500] used as isakmp port (fd=20)
Mar 29 14:24:41 racoon: INFO: fe80::204:23ff:fede:b8a6%em1[500] used as isakmp port (fd=19)
Mar 29 14:24:41 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Mar 29 14:24:41 racoon: INFO: 75.44.169.169[500] used as isakmp port (fd=18)
Mar 29 14:24:41 racoon: INFO: fe80::204:23ff:fede:b88d%em4[500] used as isakmp port (fd=17)
Mar 29 14:24:41 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Mar 29 14:24:41 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=16)
Mar 29 14:24:41 racoon: INFO: ::1[500] used as isakmp port (fd=15)
Mar 29 14:24:41 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=14)
Mar 29 14:24:41 racoon: INFO: fe80::2e0:81ff:fe74:bb24%ng1[500] used as isakmp port (fd=13)



Thanks,

Vaughn Reid III
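As an added example (not code from this thread, from pfSense or from racoon): a small Python parser that turns racoon log lines like the ones quoted in this thread, which pfSense displays newest-first, into a per-peer picture of the phase 1 mode, the pskey fallback, and which ESP SPIs are still active after kernel DELETEs. The sample lines are constructed from the addresses and SPIs posted here, and the local_ip parameter is an assumption naming the responder's own (OPT2) address.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the shape of the racoon lines quoted in this thread
# (pfSense shows them newest-first; the parser re-orders them oldest-first).
SAMPLE_LOG = """\
Mar 29 14:20:20 racoon: ERROR: pfkey DELETE received: ESP 75.44.169.169[0]->70.237.44.110[0] spi=3627103776(0xd8313620)
Mar 29 14:19:21 racoon: INFO: IPsec-SA established: ESP/Tunnel 75.44.169.169[0]->70.237.44.110[0] spi=3097439008(0xb89f2b20)
Mar 29 14:19:21 racoon: INFO: IPsec-SA established: ESP/Tunnel 70.237.44.110[0]->75.44.169.169[0] spi=129752861(0x7bbdf1d)
Mar 29 14:19:21 racoon: INFO: respond new phase 2 negotiation: 75.44.169.169[500]<=>70.237.44.110[500]
Mar 29 14:19:21 racoon: INFO: ISAKMP-SA established 75.44.169.169[500]-70.237.44.110[500] spi:72fba3fecd3739c6:f7fb0fc1959fdf21
Mar 29 14:19:20 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Mar 29 14:19:20 racoon: INFO: begin Aggressive mode.
Mar 29 14:19:20 racoon: INFO: respond new phase 1 negotiation: 75.44.169.169[500]<=>70.237.44.110[500]
Mar 29 14:17:03 racoon: INFO: IPsec-SA established: ESP/Tunnel 75.44.169.169[0]->70.237.44.110[0] spi=3627103776(0xd8313620)
Mar 29 14:17:03 racoon: INFO: IPsec-SA established: ESP/Tunnel 70.237.44.110[0]->75.44.169.169[0] spi=101957205(0x613be55)
"""

LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) racoon: (\w+): (.*)$")
PAIR = re.compile(r"(\S+?)\[\d+\](?:<=>|->|-)(\S+?)\[\d+\]")   # the two tunnel endpoints
SPI = re.compile(r"spi=\d+\((0x[0-9a-f]+)\)")                   # ESP SPI, hex form

def summarize(log_text, local_ip):
    # local_ip is an assumed parameter: the address racoon answers on (OPT2 here).
    matched = [LINE.match(r) for r in reversed(log_text.splitlines())]   # undo newest-first
    entries = sorted(((datetime.strptime(m.group(1), "%b %d %H:%M:%S"), m.group(3))
                      for m in matched if m), key=lambda e: e[0])         # stable sort
    peers = defaultdict(lambda: {"phase1_mode": None, "psk_by_address": False,
                                 "isakmp_sa": False, "esp_established": set(), "esp_deleted": set()})
    current = None                                     # peer whose phase 1 is in progress
    for _, msg in entries:
        pair = PAIR.search(msg)
        if pair:                                       # lines naming both ends pick the peer
            a, b = pair.groups()
            current = b if a == local_ip else a
        if current is None:
            continue                                   # mode/pskey lines before any peer is known
        p, spi = peers[current], SPI.search(msg)
        if msg.startswith("begin ") and msg.endswith(" mode."):
            p["phase1_mode"] = msg[6:-6]               # "Aggressive" or "Main"
        elif "couldn't find the proper pskey" in msg:
            p["psk_by_address"] = True                 # PSK matched by address, not by identifier
        elif msg.startswith("ISAKMP-SA established"):
            p["isakmp_sa"] = True
        elif msg.startswith("IPsec-SA established") and spi:
            p["esp_established"].add(spi.group(1))
        elif "pfkey DELETE received" in msg and spi:
            p["esp_deleted"].add(spi.group(1))         # kernel removed the SA (expiry or rekey)
    for p in peers.values():
        p["esp_active"] = p["esp_established"] - p["esp_deleted"]
    return dict(peers)
```

Two lines in this trace are worth a defender's attention: the pskey NOTIFY means racoon matched the pre-shared key by the peer's address rather than by the configured identifier, and Aggressive mode with a PSK is the weaker of the two phase 1 exchanges compared with Main mode.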


Vaughn L. Reid III wrote:
I have only the default allow everything rule on the IPSEC tab. I manually added rules to the firewall to allow UDP 500 to the OPT2 interface and to allow ESP to the OPT2 interface, and now I'm getting different IPSEC log results (I changed the My Identifier back to interface address).

Here are the new log entries:

Mar 29 14:20:20 racoon: ERROR: pfkey DELETE received: ESP 75.44.169.169[0]->70.237.44.110[0] spi=3627103776(0xd8313620)
Mar 29 14:19:21 racoon: INFO: IPsec-SA established: ESP/Tunnel 75.44.169.169[0]->70.237.44.110[0] spi=3097439008(0xb89f2b20)
Mar 29 14:19:21 racoon: INFO: IPsec-SA established: ESP/Tunnel 70.237.44.110[0]->75.44.169.169[0] spi=129752861(0x7bbdf1d)
Mar 29 14:19:21 racoon: INFO: respond new phase 2 negotiation: 75.44.169.169[500]<=>70.237.44.110[500]
Mar 29 14:19:21 racoon: INFO: ISAKMP-SA established 75.44.169.169[500]-70.237.44.110[500] spi:72fba3fecd3739c6:f7fb0fc1959fdf21
Mar 29 14:19:20 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Mar 29 14:19:20 racoon: INFO: begin Aggressive mode.
Mar 29 14:19:20 racoon: INFO: respond new phase 1 negotiation: 75.44.169.169[500]<=>70.237.44.110[500]
Mar 29 14:17:43 racoon: ERROR: pfkey DELETE received: ESP 75.44.169.169[0]->70.237.44.110[0] spi=754453952(0x2cf80dc0)
Mar 29 14:17:43 racoon: ERROR: pfkey DELETE received: ESP 75.44.169.169[0]->70.237.44.110[0] spi=2451182496(0x921a13a0)
Mar 29 14:17:03 racoon: INFO: IPsec-SA established: ESP/Tunnel 75.44.169.169[0]->70.237.44.110[0] spi=3627103776(0xd8313620)
Mar 29 14:17:03 racoon: INFO: IPsec-SA established: ESP/Tunnel 70.237.44.110[0]->75.44.169.169[0] spi=101957205(0x613be55)
Mar 29 14:17:03 racoon: INFO: respond new phase 2 negotiation: 75.44.169.169[500]<=>70.237.44.110[500]
Mar 29 14:17:03 racoon: INFO: ISAKMP-SA established 75.44.169.169[500]-70.237.44.110[500] spi:8203621148841b41:6ad562eb830dd2d5
Mar 29 14:17:02 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Mar 29 14:17:02 racoon: INFO: begin Aggressive mode.
Mar 29 14:17:02 racoon: INFO: respond new phase 1 negotiation: 75.44.169.169[500]<=>70.237.44.110[500]


Vaughn

Scott Ullrich wrote:
On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote:
I changed the My Identifier on the tunnel definition to IP Address and
then specified 75.44.169.169. I clicked save and apply. When I did
this, the tunnel still did not work. In addition, all mention of the
tunnel stopped in the IPSEC logs.

I have confirmed that I can ping the 75.44.169.169 IP from the remote
gateway and that it is the OPT2 IP for the pfsense box.  I also
confirmed that I can ssh into the pfsense machine using the above IP
address.

Are there any special firewall or NAT rules that I need to set up the
OPT2 interface to get it to accept an IPSEC tunnel? I noticed that, for
WAN at least, that those rules are automatically created and are not
visible on the rules page.

Nothing else is required except for a pass rule on the IPSEC tab on
recent snapshots.

I am running a tunnel on an opt1 interface and it works fine here.

Scott

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

