hi there,
I forgot one thing: I wasn't able to insert "no nat" rules on OPT1
as I don't need NAT on port 500 and proto esp ... !?!
On 09.09.2005 at 12:59, Tom Müller-Kortkamp wrote:
Hi,
I have problems with IPsec on OPT1 (I tried to get help on irc,
but ...)
OK, I have:
A WRAP with 0.82.4,
I have a cheap DSL on WAN,
a double E1 on OPT1, static IP, e.g. 1.2.3.4/24,
LAN and ATH (OPT2) bridged, static IP, e.g. 192.168.35.254/24
First problem: no NAT on OPT1. I had to enable "Enable advanced
outbound NAT" in Firewall->NAT->Outbound
and write two NAT-Rules (for DSL and for OPT1).
Next thing: I need IPsec on OPT1
The other net is 172.20/16, the endpoint is 2.2.2.2.
This is the handshake:
01 INFO: initiate new phase 2 negotiation: 1.2.3.4[0]<=>2.2.2.2[0]
02 WARNING: ignore RESPONDER-LIFETIME notification.
03 WARNING: transform number has been modified.
04 WARNING: trns_id mismatched: my:DES peer:3DES
05 WARNING: trns_id mismatched: my:DES peer:3DES
06 INFO: IPsec-SA established: ESP/Tunnel 2.2.2.2[0]->1.2.3.4[0] spi=227333822(0xd8cd6be)
07 INFO: IPsec-SA established: ESP/Tunnel 1.2.3.4[0]->2.2.2.2[0] spi=1874806242(0x6fbf45e2)
08 INFO: respond new phase 2 negotiation: 1.2.3.4[0]<=>192.168.35.2[0]
09 ERROR: no policy found: 2.2.2.2/32[0] 192.168.35.0/24[0] proto=any dir=in
10 ERROR: failed to get proposal for responder.
11 ERROR: failed to pre-process packet.
I guess line 09 is the problem!!!
# setkey -DP
192.168.35.0/24[any] 192.168.35.254[any] any
	in none
	spid=113 seq=3 pid=85039
	refcnt=1
172.20.0.0/16[any] 192.168.35.0/24[any] any
	in ipsec
	esp/tunnel/2.2.2.2-1.2.3.4/unique#16442
	spid=116 seq=2 pid=85039
	refcnt=1
192.168.35.254[any] 192.168.35.0/24[any] any
	out none
	spid=114 seq=1 pid=85039
	refcnt=1
192.168.35.0/24[any] 172.20.0.0/16[any] any
	out ipsec
	esp/tunnel/1.2.3.4-2.2.2.2/unique#16441
	spid=115 seq=0 pid=85039
	refcnt=1
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
--
kommunity GmbH & Co.KG
Tom Müller-Kortkamp
Netzwerke & Internet
Goseriede 4
D-30159 Hannover
Phone +49 (0)5 11 - 80 72 58 0
Fax +49 (0)5 11 - 80 72 58 10
http://www.kommunity.net
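To make the mismatch in line 09 of the handshake concrete, here is an added example (my own code, not from the thread and not from racoon or setkey). It parses the `setkey -DP` dump quoted above (embedded below as a constructed copy of the poster's output) and the racoon "no policy found" line, then checks whether the selector pair racoon rejected is covered by any SPD entry of the same direction with action `ipsec`. The containment test is a simplification I assume for illustration; racoon's real SPD lookup is at least this strict, so a "not covered" verdict here means racoon cannot find a policy, while "covered" does not guarantee success. The output shows why the inbound policy 172.20.0.0/16 -> 192.168.35.0/24 (spid 116) cannot serve a proposal whose source is the peer's own address 2.2.2.2/32.

```python
import ipaddress
import re

# Constructed sample input: the `setkey -DP` dump from the post,
# tab-indented as setkey prints it.
SPD_DUMP = """\
192.168.35.0/24[any] 192.168.35.254[any] any
\tin none
\tspid=113 seq=3 pid=85039
\trefcnt=1
172.20.0.0/16[any] 192.168.35.0/24[any] any
\tin ipsec
\tesp/tunnel/2.2.2.2-1.2.3.4/unique#16442
\tspid=116 seq=2 pid=85039
\trefcnt=1
192.168.35.254[any] 192.168.35.0/24[any] any
\tout none
\tspid=114 seq=1 pid=85039
\trefcnt=1
192.168.35.0/24[any] 172.20.0.0/16[any] any
\tout ipsec
\tesp/tunnel/1.2.3.4-2.2.2.2/unique#16441
\tspid=115 seq=0 pid=85039
\trefcnt=1
"""

# Line 09 of the handshake quoted in the post.
ERROR_LINE = "ERROR: no policy found: 2.2.2.2/32[0] 192.168.35.0/24[0] proto=any dir=in"

# First line of an SPD entry: "src[port] dst[port] proto"
SELECTOR_RE = re.compile(r"^(\S+)\[[^\]]*\]\s+(\S+)\[[^\]]*\]\s+(\S+)\s*$")
# Second line: "in|out|fwd none|ipsec|discard"
DIR_RE = re.compile(r"^\s*(in|out|fwd)\s+(none|ipsec|discard)\s*$")
SPID_RE = re.compile(r"spid=(\d+)")
ERROR_RE = re.compile(
    r"no policy found: (\S+)\[[^\]]*\] (\S+)\[[^\]]*\] proto=(\S+) dir=(\S+)")


def _net(text):
    # setkey prints bare hosts without a prefix length; treat them as /32.
    return ipaddress.ip_network(text, strict=False)


def parse_spd(dump):
    """Parse `setkey -DP` output into a list of policy dicts."""
    policies, current = [], None
    for line in dump.splitlines():
        m = SELECTOR_RE.match(line)
        if m:
            current = {"src": _net(m.group(1)), "dst": _net(m.group(2)),
                       "proto": m.group(3), "dir": None, "action": None,
                       "spid": None}
            policies.append(current)
            continue
        if current is None:
            continue
        m = DIR_RE.match(line)
        if m:
            current["dir"], current["action"] = m.group(1), m.group(2)
            continue
        m = SPID_RE.search(line)
        if m:
            current["spid"] = int(m.group(1))
    return policies


def parse_no_policy(line):
    """Extract the rejected selector from a racoon 'no policy found' line."""
    m = ERROR_RE.search(line)
    if not m:
        raise ValueError("not a 'no policy found' line: %r" % line)
    return {"src": _net(m.group(1)), "dst": _net(m.group(2)),
            "proto": m.group(3), "dir": m.group(4)}


def covering_policies(policies, sel):
    """SPD entries (action ipsec, same direction) whose selectors cover sel."""
    return [p for p in policies
            if p["dir"] == sel["dir"] and p["action"] == "ipsec"
            and p["proto"] in ("any", sel["proto"])
            and sel["src"].subnet_of(p["src"])
            and sel["dst"].subnet_of(p["dst"])]


def diagnose(dump, error_line):
    """Return the spids of policies that would cover the rejected selector."""
    return [p["spid"] for p in
            covering_policies(parse_spd(dump), parse_no_policy(error_line))]


def explain(dump, error_line):
    """Human-readable verdict, naming which side of each candidate fails."""
    sel = parse_no_policy(error_line)
    policies = parse_spd(dump)
    hits = covering_policies(policies, sel)
    if hits:
        return "covered by spid " + ", ".join(str(p["spid"]) for p in hits)
    out = ["no %s ipsec policy covers %s -> %s" % (sel["dir"], sel["src"], sel["dst"])]
    for p in policies:
        if p["dir"] != sel["dir"] or p["action"] != "ipsec":
            continue
        why = []
        if not sel["src"].subnet_of(p["src"]):
            why.append("src %s not in %s" % (sel["src"], p["src"]))
        if not sel["dst"].subnet_of(p["dst"]):
            why.append("dst %s not in %s" % (sel["dst"], p["dst"]))
        out.append("  spid %d (%s -> %s): %s" % (p["spid"], p["src"], p["dst"], "; ".join(why)))
    return "\n".join(out)


if __name__ == "__main__":
    print(explain(SPD_DUMP, ERROR_LINE))
```

Run stand-alone it reports that no inbound ipsec policy covers 2.2.2.2/32 -> 192.168.35.0/24 and that spid 116 fails on the source side, which is the selector the peer put in its phase 2 proposal rather than the 172.20/16 network the local SPD expects; comparing the peer's phase 2 network definition against the local policy is the first thing to check.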