No, this sounds like a bug.  I sent a request for information a few
minutes ago.  Did you get it?  If so please check /tmp/rules.debug for
IPSEC and see if the OPT interface rules are being added.

On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote:
After I let the connection sit for a couple of minutes after manually
adding the UDP 500 and ESP rules, the tunnel started working.  Yeah!!!

Assuming that I will need to manually add the rules to the OPT2
interface, are there any additional rules that need to be added for IPSEC?

Also, here are the log entries now that the tunnel is up.
Mar 29 14:24:41 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Mar 29 14:24:41 racoon: INFO: 192.168.10.1[500] used as isakmp port (fd=22)
Mar 29 14:24:41 racoon: INFO: fe80::2e0:81ff:fe74:bb24%em0[500] used as isakmp port (fd=21)
Mar 29 14:24:41 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Mar 29 14:24:41 racoon: INFO: 209.218.218.138[500] used as isakmp port (fd=20)
Mar 29 14:24:41 racoon: INFO: fe80::204:23ff:fede:b8a6%em1[500] used as isakmp port (fd=19)
Mar 29 14:24:41 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Mar 29 14:24:41 racoon: INFO: 75.44.169.169[500] used as isakmp port (fd=18)
Mar 29 14:24:41 racoon: INFO: fe80::204:23ff:fede:b88d%em4[500] used as isakmp port (fd=17)
Mar 29 14:24:41 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Mar 29 14:24:41 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=16)
Mar 29 14:24:41 racoon: INFO: ::1[500] used as isakmp port (fd=15)
Mar 29 14:24:41 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=14)
Mar 29 14:24:41 racoon: INFO: fe80::2e0:81ff:fe74:bb24%ng1[500] used as isakmp port (fd=13)



Thanks,

Vaughn Reid III


Vaughn L. Reid III wrote:
> I have only the default allow everything rule on the IPSEC tab.  I
> manually added rules to the firewall to allow UDP 500 to the OPT2
> interface and to allow ESP to the OPT2 interface, and now I'm getting
> different IPSEC log results (I changed the My Identifier back to
> interface address).
>
> Here are the new log entries:
>
> Mar 29 14:20:20 racoon: ERROR: pfkey DELETE received: ESP 75.44.169.169[0]->70.237.44.110[0] spi=3627103776(0xd8313620)
> Mar 29 14:19:21 racoon: INFO: IPsec-SA established: ESP/Tunnel 75.44.169.169[0]->70.237.44.110[0] spi=3097439008(0xb89f2b20)
> Mar 29 14:19:21 racoon: INFO: IPsec-SA established: ESP/Tunnel 70.237.44.110[0]->75.44.169.169[0] spi=129752861(0x7bbdf1d)
> Mar 29 14:19:21 racoon: INFO: respond new phase 2 negotiation: 75.44.169.169[500]<=>70.237.44.110[500]
> Mar 29 14:19:21 racoon: INFO: ISAKMP-SA established 75.44.169.169[500]-70.237.44.110[500] spi:72fba3fecd3739c6:f7fb0fc1959fdf21
> Mar 29 14:19:20 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
> Mar 29 14:19:20 racoon: INFO: begin Aggressive mode.
> Mar 29 14:19:20 racoon: INFO: respond new phase 1 negotiation: 75.44.169.169[500]<=>70.237.44.110[500]
> Mar 29 14:17:43 racoon: ERROR: pfkey DELETE received: ESP 75.44.169.169[0]->70.237.44.110[0] spi=754453952(0x2cf80dc0)
> Mar 29 14:17:43 racoon: ERROR: pfkey DELETE received: ESP 75.44.169.169[0]->70.237.44.110[0] spi=2451182496(0x921a13a0)
> Mar 29 14:17:03 racoon: INFO: IPsec-SA established: ESP/Tunnel 75.44.169.169[0]->70.237.44.110[0] spi=3627103776(0xd8313620)
> Mar 29 14:17:03 racoon: INFO: IPsec-SA established: ESP/Tunnel 70.237.44.110[0]->75.44.169.169[0] spi=101957205(0x613be55)
> Mar 29 14:17:03 racoon: INFO: respond new phase 2 negotiation: 75.44.169.169[500]<=>70.237.44.110[500]
> Mar 29 14:17:03 racoon: INFO: ISAKMP-SA established 75.44.169.169[500]-70.237.44.110[500] spi:8203621148841b41:6ad562eb830dd2d5
> Mar 29 14:17:02 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
> Mar 29 14:17:02 racoon: INFO: begin Aggressive mode.
> Mar 29 14:17:02 racoon: INFO: respond new phase 1 negotiation: 75.44.169.169[500]<=>70.237.44.110[500]
>
>
> Vaughn
>
> Scott Ullrich wrote:
>> On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote:
>>> I changed the My Identifier on the tunnel definition to IP Address and
>>> then specified  75.44.169.169.  I clicked save and apply.  When I did
>>> this, the tunnel still did not work.  In addition, all mention of the
>>> tunnel stopped in the IPSEC logs.
>>>
>>> I have confirmed that I can ping the 75.44.169.169 IP from the remote
>>> gateway and that it is the OPT2 IP for the pfsense box.  I also
>>> confirmed that I can ssh into the pfsense machine using the above IP
>>> address.
>>>
>>> Are there any special firewall or NAT rules that I need to set up on the
>>> OPT2 interface to get it to accept an IPSEC tunnel?  I noticed that,
>>> for WAN at least, those rules are automatically created and are not
>>> visible on the rules page.
>>
>> Nothing else is required except for a pass rule on the IPSEC tab on
>> recent snapshots.
>>
>> I am running a tunnel on an opt1 interface and it works fine here.
>>
>> Scott
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>> For additional commands, e-mail: [EMAIL PROTECTED]
>>
>
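Reading those racoon entries by hand gets tedious once a tunnel flaps a few times, so here is an added Python helper (not from the thread or from pfSense) that pairs each IPsec-SA establishment with its pfkey DELETE by SPI and counts the phase-1 markers seen above, the "couldn't find the proper pskey" fallback and Aggressive mode. The sample is the thread's own quoted log; on it the helper surfaces the 197-second life of SPI 0xd8313620 and two DELETEs for SPIs that never appear as established in the excerpt.

```python
import re
from datetime import datetime

# racoon lines copied from the thread's log excerpt (pfSense lists newest first); not a live capture.
RACOON_LOG = """\
Mar 29 14:20:20 racoon: ERROR: pfkey DELETE received: ESP 75.44.169.169[0]->70.237.44.110[0] spi=3627103776(0xd8313620)
Mar 29 14:19:21 racoon: INFO: IPsec-SA established: ESP/Tunnel 75.44.169.169[0]->70.237.44.110[0] spi=3097439008(0xb89f2b20)
Mar 29 14:19:21 racoon: INFO: IPsec-SA established: ESP/Tunnel 70.237.44.110[0]->75.44.169.169[0] spi=129752861(0x7bbdf1d)
Mar 29 14:19:20 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Mar 29 14:19:20 racoon: INFO: begin Aggressive mode.
Mar 29 14:17:43 racoon: ERROR: pfkey DELETE received: ESP 75.44.169.169[0]->70.237.44.110[0] spi=754453952(0x2cf80dc0)
Mar 29 14:17:43 racoon: ERROR: pfkey DELETE received: ESP 75.44.169.169[0]->70.237.44.110[0] spi=2451182496(0x921a13a0)
Mar 29 14:17:03 racoon: INFO: IPsec-SA established: ESP/Tunnel 75.44.169.169[0]->70.237.44.110[0] spi=3627103776(0xd8313620)
Mar 29 14:17:03 racoon: INFO: IPsec-SA established: ESP/Tunnel 70.237.44.110[0]->75.44.169.169[0] spi=101957205(0x613be55)
Mar 29 14:17:02 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Mar 29 14:17:02 racoon: INFO: begin Aggressive mode.
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+racoon:\s+(\w+):\s+(.*)$")
SPI_RE = re.compile(r"spi=\d+\((0x[0-9a-f]+)\)")  # child-SA SPI, hex form

def parse(log_text):
    """Return (timestamp, level, message) tuples sorted oldest first; non-racoon lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.strptime(m.group(1), "%b %d %H:%M:%S"), m.group(2), m.group(3)))
    return sorted(events, key=lambda e: e[0])

def analyze(log_text):
    """Match each IPsec-SA establishment to its pfkey DELETE and count phase-1 symptoms."""
    active, lifetimes, orphans = {}, {}, []
    symptoms = {"pskey_fallback": 0, "aggressive_mode": 0}
    for ts, _level, msg in parse(log_text):
        spi = SPI_RE.search(msg)
        if msg.startswith("IPsec-SA established") and spi:
            active[spi.group(1)] = ts
        elif msg.startswith("pfkey DELETE received") and spi:
            if spi.group(1) in active:  # SA torn down: record how long it lived
                lifetimes[spi.group(1)] = int((ts - active.pop(spi.group(1))).total_seconds())
            else:                       # DELETE for an SA this excerpt never saw come up
                orphans.append(spi.group(1))
        elif "couldn't find the proper pskey" in msg:
            symptoms["pskey_fallback"] += 1  # identifier did not match a PSK entry
        elif msg.startswith("begin Aggressive mode"):
            symptoms["aggressive_mode"] += 1
    return {"active": sorted(active), "lifetimes": lifetimes,
            "orphan_deletes": sorted(orphans), **symptoms}
```

A DELETE with no matching establishment usually means the log window starts after the SA came up, or the SA was installed by the other side of a rekey; either way it is worth checking against the peer's logs before treating it as a failure.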