When trying to use a dyndns name in the IPSec tunnel setup for the gateway address, I receive the following error:

"The following input errors were detected:

    * A valid remote gateway address must be specified."

IPSec config for office attached. I do not have access to the home machine at the moment. I'll get that config later, if you still need it.



Holger Bauer wrote:
From what I can tell from the log something is misconfigured, as there are 
loopback addresses and it has problems using an interface for the outgoing 
connection (only had a very very quick look, not much time atm). Maybe you can 
post your ipsec-config and your local networks of both sides.

DynDNS names should already be usable for both endpoints (was implemented 
several versions ago). Have you tried it or only assumed that it is not 
possible?

Holger

-----Original Message-----
From: Brian [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 10 August 2005 15:18
To: [email protected]
Subject: [pfSense Support] IPSec Problem


I had been trying to set up mobile IPSec to use from my laptop, but was having issues, so I decided to just try straight IPSec from my office to home (both on pfSense 0.74.6). Both are on dynamic IPs, but for the purposes of this exercise, I set the home pfSense to be the 'static' side. This leads me to a question though:

Could the IPSec tunnel setup be changed to allow a DNS name to be used for the remote gateway? Even if pfSense just resolved the name for you each time the tunnel was established that would allow people to use dyndns names for the endpoints without needing to edit the tunnel each time.

As I said, for now I just pretended that my home IP was static and set up the tunnel using Holger's tutorial as a guide. When I try to establish the tunnel from work to home, I get the following entries in my IPSec log. I know it must be something silly since others have many tunnels working, but I can't get this sorted out.

Are there any ports I need to forward or open for this to work?

Is it possible that Verizon (my ISP for work and home) blocks ports for IPSec?

Thanks for any help you can provide. I'm also on IRC as DungaBee if anyone wants to chat real time.

Thanks much,
Brian

Here are the log entries:
Aug 10 08:50:54 racoon: ERROR: no address could be bound.
Aug 10 08:50:54 racoon: ERROR: failed to bind to address 192.168.100.1[500] (Address already in use).
Aug 10 08:50:54 racoon: ERROR: failed to bind to address fe80::2a0:ccff:fe53:70cd%dc0[500] (Address already in use).
Aug 10 08:50:54 racoon: ERROR: failed to bind to address fe80::2a0:ccff:fe53:7078%dc1[500] (Address already in use).
Aug 10 08:50:54 racoon: ERROR: failed to bind to address 127.0.0.1[500] (Address already in use).
Aug 10 08:50:54 racoon: ERROR: failed to bind to address ::1[500] (Address already in use).
Aug 10 08:50:54 racoon: ERROR: failed to bind to address fe80::1%lo0[500] (Address already in use).
Aug 10 08:50:54 racoon: ERROR: failed to bind to address 70.17.189.123[500] (Address already in use).
Aug 10 08:50:54 racoon: ERROR: failed to bind to address fe80::2a0:ccff:fe53:70cd%ng0[500] (Address already in use).
Aug 10 08:50:54 last message repeated 2 times
Aug 10 08:50:54 racoon: INFO: unsupported PF_KEY message REGISTER
Aug 10 08:50:54 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e 25 Oct 2004 (http://www.openssl.org/)
Aug 10 08:50:54 racoon: INFO: @(#)ipsec-tools 0.6 (http://ipsec-tools.sourceforge.net)
Aug 10 08:50:54 racoon: INFO: unsupported PF_KEY message REGISTER
Aug 10 08:50:06 racoon: ERROR: no address could be bound.
Aug 10 08:50:06 racoon: ERROR: failed to bind to address 192.168.100.1[500] (Address already in use).
Aug 10 08:50:06 racoon: ERROR: failed to bind to address fe80::2a0:ccff:fe53:70cd%dc0[500] (Address already in use).
Aug 10 08:50:06 racoon: ERROR: failed to bind to address fe80::2a0:ccff:fe53:7078%dc1[500] (Address already in use).
Aug 10 08:50:06 racoon: ERROR: failed to bind to address 127.0.0.1[500] (Address already in use).
Aug 10 08:50:06 racoon: ERROR: failed to bind to address ::1[500] (Address already in use).
Aug 10 08:50:06 racoon: ERROR: failed to bind to address fe80::1%lo0[500] (Address already in use).
Aug 10 08:50:06 racoon: ERROR: failed to bind to address 70.17.189.123[500] (Address already in use).
Aug 10 08:50:06 racoon: ERROR: failed to bind to address fe80::2a0:ccff:fe53:70cd%ng0[500] (Address already in use).
Aug 10 08:50:06 last message repeated 2 times

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


<ipsec>
	<enable/>
	<mobileclients>
		<enable/>
		<p1>
			<mode>aggressive</mode>
			<myident>
				<myaddress/>
			</myident>
			<encryption-algorithm>3des</encryption-algorithm>
			<hash-algorithm>sha1</hash-algorithm>
			<dhgroup>2</dhgroup>
			<lifetime/>
			<private-key/>
			<cert/>
			<authentication_method>pre_shared_key</authentication_method>
		</p1>
		<p2>
			<protocol>esp</protocol>
			<encryption-algorithm-option>3des</encryption-algorithm-option>
			<hash-algorithm-option>hmac_sha1</hash-algorithm-option>
			<pfsgroup>0</pfsgroup>
			<lifetime/>
		</p2>
	</mobileclients>
	<mobilekey>
		<ident>[EMAIL PROTECTED]</ident>
		<pre-shared-key>remoteclientkey</pre-shared-key>
	</mobilekey>
	<tunnel>
		<auto/>
		<interface>wan</interface>
		<local-subnet>
			<network>lan</network>
		</local-subnet>
		<remote-subnet>10.0.0.0/32</remote-subnet>
		<remote-gateway>70.17.160.135</remote-gateway>
		<p1>
			<mode>aggressive</mode>
			<myident>
				<fqdn>myoffice.mycompany.com</fqdn>
			</myident>
			<encryption-algorithm>3des</encryption-algorithm>
			<hash-algorithm>sha1</hash-algorithm>
			<dhgroup>2</dhgroup>
			<lifetime>1200</lifetime>
			<pre-shared-key>remoteofficekey</pre-shared-key>
			<private-key/>
			<cert/>
			<peercert/>
			<authentication_method>pre_shared_key</authentication_method>
		</p1>
		<p2>
			<protocol>esp</protocol>
			<encryption-algorithm-option>3des</encryption-algorithm-option>
			<encryption-algorithm-option>blowfish</encryption-algorithm-option>
			<encryption-algorithm-option>cast128</encryption-algorithm-option>
			<encryption-algorithm-option>rijndael</encryption-algorithm-option>
			<hash-algorithm-option>hmac_sha1</hash-algorithm-option>
			<hash-algorithm-option>hmac_md5</hash-algorithm-option>
			<pfsgroup>0</pfsgroup>
			<lifetime>1200</lifetime>
		</p2>
		<descr>Home VPN</descr>
	</tunnel>
</ipsec>
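The thread turns on two things: whether the remote-gateway field holds an IP literal or a DNS name, and the idea that pfSense could simply resolve a DynDNS name each time the tunnel is brought up. The script below is an added example (not pfSense code and not from anyone in the thread) that reads a pfSense-style <ipsec> fragment, tells IP literals from hostnames, resolves a name with an injectable resolver so the check can run offline, reports whether a configured IP still matches what a DynDNS name resolves to, and flags two settings in the posted config that an operator would want to review (aggressive mode with a pre-shared key, and pfsgroup 0, which disables PFS). The sample config is constructed from the tunnel posted above; the hostname home.example.net and its address 203.0.113.7 are made-up values.

```python
"""Review a pfSense <ipsec> config fragment and check its remote gateway.

Added example, not pfSense's own code. The XML layout mirrors the config
posted in the thread; hostnames and addresses used in tests are constructed.
"""
import ipaddress
import socket
import xml.etree.ElementTree as ET

# Constructed sample, cut down from the office config in the thread.
SAMPLE_CONFIG = """<ipsec>
  <enable/>
  <tunnel>
    <auto/>
    <interface>wan</interface>
    <local-subnet><network>lan</network></local-subnet>
    <remote-subnet>10.0.0.0/32</remote-subnet>
    <remote-gateway>70.17.160.135</remote-gateway>
    <p1>
      <mode>aggressive</mode>
      <myident><fqdn>myoffice.mycompany.com</fqdn></myident>
      <encryption-algorithm>3des</encryption-algorithm>
      <hash-algorithm>sha1</hash-algorithm>
      <dhgroup>2</dhgroup>
      <lifetime>1200</lifetime>
      <authentication_method>pre_shared_key</authentication_method>
    </p1>
    <p2>
      <protocol>esp</protocol>
      <pfsgroup>0</pfsgroup>
      <lifetime>1200</lifetime>
    </p2>
    <descr>Home VPN</descr>
  </tunnel>
</ipsec>"""


def classify_gateway(value):
    """Return 'ip' for an IPv4/IPv6 literal, 'name' for anything else
    (the GUI error in the thread is what you get when a name lands in a
    field that only accepts a literal)."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        return "name"


def resolve_gateway(value, resolver=socket.gethostbyname):
    """Resolve a hostname to an IPv4 literal; pass literals through unchanged.
    `resolver` is injectable so tests do not need network access."""
    if classify_gateway(value) == "ip":
        return value
    return resolver(value)


def gateway_drifted(configured_ip, dyndns_name, resolver=socket.gethostbyname):
    """True when the DynDNS name no longer resolves to the IP that is
    hard-coded in the tunnel, i.e. the tunnel definition needs updating.
    This is the per-establishment check the thread asks pfSense to do."""
    return resolve_gateway(dyndns_name, resolver) != configured_ip


def review_tunnels(xml_text, resolver=socket.gethostbyname):
    """Parse every <tunnel> and return a list of findings dicts."""
    root = ET.fromstring(xml_text)
    findings = []
    for tunnel in root.findall("tunnel"):
        gateway = (tunnel.findtext("remote-gateway") or "").strip()
        finding = {
            "descr": tunnel.findtext("descr") or "",
            "gateway": gateway,
            "kind": classify_gateway(gateway) if gateway else None,
            "notes": [],
        }
        if not gateway:
            finding["notes"].append("no remote gateway configured")
        else:
            finding["resolved"] = resolve_gateway(gateway, resolver)
        # Settings worth a second look; both appear in the posted config.
        if (tunnel.findtext("p1/mode") == "aggressive"
                and tunnel.findtext("p1/authentication_method") == "pre_shared_key"):
            finding["notes"].append("aggressive mode with PSK")
        if tunnel.findtext("p2/pfsgroup") == "0":
            finding["notes"].append("PFS disabled (pfsgroup 0)")
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in review_tunnels(SAMPLE_CONFIG):
        print(f["descr"], f["gateway"], f["kind"], f.get("resolved"), f["notes"])
```

Run against a live config, `review_tunnels` would use the real resolver; a small cron job calling `gateway_drifted` with the tunnel's configured IP and the peer's DynDNS name is enough to tell you when the hard-coded gateway has gone stale, which is the manual edit the original poster wanted to avoid.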
