Thank you again, I'll let you know.
For the rules I was speaking about on the Cisco: do you know if these run IOS? I'm not sure if these ADSL devices run that or just a GUI.
If it's IOS the rules would be something like:
permit esp any any
permit udp any any eq isakmp
John
From: Tommaso Di Donato [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 02, 2006 9:22 AM
To: [email protected]
Subject: Re: [pfSense Support] Problem with ipsec tunnel
On 3/2/06, John Cianfarani <[EMAIL PROTECTED]> wrote:
Ah, it was late last night, I misread part of that, no more 3am replies. :P
Eh eh, same habits.. don't worry!
On the Ciscos, are you forwarding the appropriate ports (protocols 50/51 ESP/AH, and UDP 500) to the inside pfSense boxes?
At the moment, I am forwarding only 500/udp, because of 2 problems: the first is that I am not so good at Cisco programming, so I do not know how to forward AH & ESP (but I think that I could solve this problem with a bit of googling). The second is that I looked for the 4500/udp port listening, and I found nothing. So.. I thought that there was a problem (or a misconfiguration in racoon). Now I enabled 4500/udp; tonight I'll test again..
In any of your rules are you allowing UDP isakmp and ESP to the host? They might even have an IPsec passthrough option to do this.
I think that pfSense does it automatically. Am I wrong?
Or are you speaking about the routers? Sorry for the confusion.
No.. you're welcome! Thank you again!
Tom
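The thread keeps coming back to UDP 4500, the NAT-T port that has to be redirected alongside UDP 500 and ESP. As an added example (not from the thread or from pfSense/racoon), this shows what a receiver sees on that port and how it tells IKE from UDP-encapsulated ESP per RFC 3948; the sample datagrams are constructed and the SPI values are made up.

```python
# Classify datagrams on UDP/4500 (IPsec NAT-T, RFC 3948). Behind a NAT, IKE and
# ESP share that port; the first four bytes decide: 0x00000000 is the "non-ESP
# marker" in front of an IKE header, anything else is the SPI of UDP-encapsulated
# ESP (SPI 0 is reserved), and a lone 0xFF byte is a NAT keepalive.
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"

# IKEv1 exchange types (RFC 2408/2409) plus the two most common IKEv2 ones.
EXCHANGE_TYPES = {
    2: "IKEv1 identity protection (main mode)",
    4: "IKEv1 aggressive mode",
    5: "IKEv1 informational",
    32: "IKEv1 quick mode",
    34: "IKEv2 IKE_SA_INIT",
    35: "IKEv2 IKE_AUTH",
}

def classify_natt(payload: bytes) -> dict:
    """Describe one UDP/4500 datagram: keepalive, IKE (header fields) or ESP."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if len(payload) < 8:
        raise ValueError("too short for UDP-encapsulated ESP or IKE")
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < 28:
            raise ValueError("truncated IKE header")
        # ISAKMP header: initiator SPI, responder SPI, next payload, version
        # (major.minor nibbles), exchange type, flags, message ID, length.
        ispi, rspi, _np, ver, exch, _fl, _mid, length = struct.unpack("!QQBBBBII", ike[:28])
        return {
            "kind": "ike",
            "initiator_spi": f"{ispi:016x}",
            "responder_spi": f"{rspi:016x}",
            "version": f"{ver >> 4}.{ver & 0xF}",
            "exchange": EXCHANGE_TYPES.get(exch, f"unknown ({exch})"),
            "length": length,
        }
    spi, seq = struct.unpack("!II", payload[:8])  # ESP header, ciphertext follows
    return {"kind": "esp", "spi": f"{spi:08x}", "seq": seq}

# Constructed sample datagrams (made-up SPIs, not captured traffic).
SAMPLE_IKE = NON_ESP_MARKER + struct.pack(
    "!QQBBBBII", 0x0123456789ABCDEF, 0, 1, 0x10, 4, 0, 0, 28)  # IKEv1 aggressive
SAMPLE_ESP = struct.pack("!II", 0xC0FFEE01, 7) + b"\x00" * 16  # SPI, seq, payload
SAMPLE_KEEPALIVE = NAT_KEEPALIVE
```

If only UDP 500 is redirected at the router, the IKE exchange can complete while every datagram of this shape is dropped, which matches the "SA established but no traffic" symptom described in the thread.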
From: Tommaso Di Donato [mailto: [EMAIL PROTECTED]]
Sent: Thursday, March 02, 2006 3:25 AM
To: [email protected]
Subject: Re: [pfSense Support] Problem with ipsec tunnel
On 3/2/06, John Cianfarani <[EMAIL PROTECTED]> wrote:
1. Even though you need to NAT for your inside hosts, IPsec is listening on the WAN interface.
I'm sorry... I cannot understand the point..
PC -------- pfSense -------- Cisco 827 ----------internet
Here I have 2 NATs: pfSense is NATting my PC, and the Cisco is NATting pfSense. Of course, in pfSense I can see racoon listening on the WAN interface (only on 500/udp, not on 4500/udp)
2. Not sure but my guess would be no (without a lot of easy configuration changes)
You mean you guess there is no port 4500?
One thing that was reversed in previous builds (not sure if it is changed in 2-20) is the "Prefer old IPsec SA" checkbox under System -> Advanced. Bill found that in the code pfSense already tries old SAs first, so when you check this box it will make it prefer NEW SAs. That was the heart of a lot of my IPsec troubles.
mmh, I tried both ways... no differences...
Do you have the WAN as the local endpoint and LAN subnet as the local subnet on each side? As I believe there still is an issue with ipsec-tools if you are trying to do a host-to-host setup. (/32s)
Yes I have; I'm trying net-to-net. I'm so sorry I do not have my box here in order to send logs...
What are you using as your local identifier, IP or FQDN?
I tried both. Obviously, changing psk accordingly...
Once you get a session up can you do a "ping -c 5 -S <your pfsense lan ip> <remote pfsense lan ip>" from the Diag -> Command Prompt tab?
Ok, I'll do it.. For now, I am testing pinging from a pc on the lan side.
I think tonight I'll do some other tests, using a Linux box as the second endpoint (I am more familiar with the Linux IPsec implementation).
Ah, by the way.. when I see an SPD or an SA established, should something be visible with netstat -rn?
Thank you again...
Thanks
John
From: Tommaso Di Donato [mailto: [EMAIL PROTECTED]]
Sent: Thursday, March 02, 2006 2:38 AM
To: [email protected]
Subject: [pfSense Support] Problem with ipsec tunnel
Hi guys!
Yesterday I tried to set up a VPN tunnel between me and a friend. There we had mainly 2 problems: first, we both have dynamic IPs (but this could be solved for example by looking at the IP given by the provider, and setting up the tunnel with that IP.. . Second, we both are behind a DSL router, so the pfSense boxes are both NATed..
I tried to establish a tunnel in many ways: net-to-net, net-to-mobile (following the marvellous tutorial), using a dyndns record, etc. But I had problems.. the IPsec SA establishes, the SPD also, but at the end I cannot have traffic passing. NO traffic dropped in firewall logs.... On the routers, we redirected only port 500/UDP from the router to the pfSense boxes...
So, my questions are:
1) is it possible to establish such a tunnel (2 NATed endpoints, in aggressive mode, PSK)? In early IPsec-over-UDP implementations, I can remember there were some problems in such a configuration
2) if it is possible, do I have to redirect other ports? In the Linux IPsec implementation, when I use NAT-T I had to rdr port 4500/udp, but on my pfSense box I cannot see such a port open....
3) ..and in the end.. am I missing something? I do not have my box with me now, but I can recall the settings very well..
I'm using 02-20 SNAPSHOT.
Thank you, guys.. very much.
Tom
