Hi,
We are trying to establish an IPsec tunnel between a pfSense 2.0 and a Cisco
firewall, but we are not able to get through the 'self' tests on pfSense, and
on the Cisco side it doesn't seem like anyone tries to connect.

These are the only entries in the IPsec syslog:

Nov 29 08:59:25racoon: INFO: @(#)ipsec-tools 0.8.0 (
http://ipsec-tools.sourceforge.net)
Nov 29 08:59:25racoon: INFO: @(#)This product linked OpenSSL 0.9.8n 24 Mar
2010 (http://www.openssl.org/)
Nov 29 08:59:25racoon: INFO: Reading configuration from
"/var/etc/racoon.conf"
Nov 29 08:59:25racoon: *[Self]*: INFO: PFSENSE.WAN.IP[4500] used for NAT-T
Nov 29 08:59:25racoon: *[Self]*: INFO: PFSENSE.WAN.IP[4500] used as isakmp
port (fd=14)
Nov 29 08:59:25racoon: *[Self]*: INFO: PFSENSE.WAN.IP[500] used for NAT-T
Nov 29 08:59:25racoon: *[Self]*: INFO: PFSENSE.WAN.IP[500] used as isakmp
port (fd=15)
Nov 29 08:59:25racoon: INFO: unsupported PF_KEY message REGISTER
Nov 29 08:59:27racoon: INFO: unsupported PF_KEY message REGISTER
Nov 29 09:04:51racoon: ERROR: such policy already exists. anyway replace
it: PFSENSE.LAN.IP/32[0] PFSENSE.LANSUBNET/29[0] proto=any dir=out
Nov 29 09:04:51racoon: ERROR: such policy already exists. anyway replace
it: PFSENSE.LANSUBNET/29[0] PFSENSE.LAN.IP/32[0] proto=any dir=in
Nov 29 09:04:51racoon: ERROR: such policy already exists. anyway replace
it: PFSENSE.LANSUBNET/29[0] CISCO.LANSUBNET/32[0] proto=any dir=out
Nov 29 09:04:51racoon: ERROR: such policy already exists. anyway replace
it: CISCO.LANSUBNET/32[0] PFSENSE.LANSUBNET/29[0] proto=any dir=in

The remote subnet is only 1 address; the local subnet is a /29. All addresses are
public IPs, if that is related. Even the /29.

It just stops after this and phase 1 isn't started. We have double-checked
everything, even configured a new, clean pfSense, but the same thing
happens. The first time we tried this it established phase 1 with the Cisco,
but we had a misconfiguration in phase 2, so when we fixed that and tried
again we never got past this self test. The phase 1 lifetime is 24 hours.
Could that be related, even if we have restarted both sides within this
time? It has not been 24 hours yet since the first test.

Thanks in advance for any help!
_______________________________________________
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list