Okay, I reset everything to factory defaults and completely started over to make sure I wasn't missing something or had problems elsewhere.
I'm still having the same problems. I have attached both configs. As you can see they are identical in the IPSec section (except they are mirrors of course). I have also attached the Ipsec Logs. They are giving me the same exact errors as before. I've wiped out and rebuilt this solution 20 times over the last few days and I need to get something working soon.

Thanks for all your help.

--Jason W. Allen

-----Original Message-----
From: Holger Bauer [mailto:[EMAIL PROTECTED]
Sent: Friday, December 01, 2006 4:29 PM
To: [email protected]
Subject: RE: [pfSense Support] Simple Ipsec VPN Not working

From a short look this looks like a parameter mismatch somewhere. Recheck all parameters and passphrases at both ends.

Holger

-----Original Message-----
From: Jason W. Allen [mailto:[EMAIL PROTECTED]
Sent: Friday, December 01, 2006 7:29 PM
To: [email protected]
Subject: [pfSense Support] Simple Ipsec VPN Not working

Hello All,

I'm trying to set up a simple IPSec VPN and I'm having some issues. I'm new to VPNs so I'm probably missing something.

-LAN (192.168.40.0/24)--| pfsense(left) |--WAN (10.1.10.250) ------- WAN (10.1.10.131)--| pfsense(right) |---LAN (192.168.50.0/24)

IPSec Tunnel config for Left:
Interface: WAN
Local Subnet: LAN subnet
Remote Subnet: 192.168.50.0 / 24
Remote Gateway: 10.1.10.131

Phase 1
Negotiation Mode: aggressive
My Identifier: MY IP Address
Encryption Algorithm: Blowfish
Hash Algorithm: SHA1
DH Group: 2
Lifetime: 28800
Authentication Method: Pre-Shared Key
Preshared Key: abc123!

Phase 2
Protocol: ESP
Encryption Algorithm: Blowfish
Hash Algorithm: SHA1
PFS Group: 2
Lifetime: 86400

IPSec Tunnel config for Right:
Interface: WAN
Local Subnet: LAN subnet
Remote Subnet: 192.168.40.0 / 24
Remote Gateway: 10.1.10.250

Phase 1
Negotiation Mode: aggressive
My Identifier: MY IP Address
Encryption Algorithm: Blowfish
Hash Algorithm: SHA1
DH Group: 2
Lifetime: 28800
Authentication Method: Pre-Shared Key
Preshared Key: abc123!

Phase 2
Protocol: ESP
Encryption Algorithm: Blowfish
Hash Algorithm: SHA1
PFS Group: 2
Lifetime: 86400

Now when I try to ping from the left network to the right nothing happens and these are the logs I get.

RIGHT:
Dec 1 13:04:19 racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
Dec 1 13:04:19 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
Dec 1 13:04:19 racoon: INFO: 192.168.50.130[500] used as isakmp port (fd=13)
Dec 1 13:04:19 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Dec 1 13:04:19 racoon: INFO: 10.1.10.145[500] used as isakmp port (fd=14)
... Same two lines repeated 12 times (WARNING & INFO)
Dec 1 13:04:19 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Dec 1 13:04:19 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=21)
Dec 1 13:04:19 racoon: INFO: ::1[500] used as isakmp port (fd=22)
Dec 1 13:04:19 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=23)
Dec 1 13:04:19 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Dec 1 13:04:19 racoon: INFO: fe80::200:24ff:fec7:4c53%sis6[500] used as isakmp port (fd=24)
Dec 1 13:04:19 racoon: INFO: 192.168.55.1[500] used as isakmp port (fd=25)
Dec 1 13:04:19 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Dec 1 13:04:19 racoon: INFO: fe80::200:24ff:fec7:815d%sis1[500] used as isakmp port (fd=26)
Dec 1 13:04:19 racoon: INFO: 192.168.50.131[500] used as isakmp port (fd=27)
Dec 1 13:04:19 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Dec 1 13:04:19 racoon: INFO: fe80::200:24ff:fec7:815c%sis0[500] used as isakmp port (fd=28)
Dec 1 13:04:19 racoon: INFO: 10.1.10.131[500] used as isakmp port (fd=29)
Dec 1 13:04:19 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Dec 1 13:05:13 racoon: INFO: IPsec-SA request for 10.1.10.250 queued due to no phase1 found.
Dec 1 13:05:13 racoon: INFO: initiate new phase 1 negotiation: 10.1.10.131[500]<=>10.1.10.250[500]
Dec 1 13:05:13 racoon: INFO: begin Aggressive mode.
Dec 1 13:05:14 racoon: INFO: received Vendor ID: DPD
Dec 1 13:05:14 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Dec 1 13:05:14 racoon: INFO: ISAKMP-SA established 10.1.10.131[500]-10.1.10.250[500] spi:4c4f191d79b58c36:86991c42785d5ac8
Dec 1 13:05:14 racoon: INFO: initiate new phase 2 negotiation: 10.1.10.131[500]<=>10.1.10.250[500]
Dec 1 13:05:44 racoon: ERROR: 10.1.10.250 give up to get IPsec-SA due to time up to wait.
Dec 1 13:05:47 racoon: INFO: initiate new phase 2 negotiation: 10.1.10.131[500]<=>10.1.10.250[500]
Dec 1 13:06:17 racoon: ERROR: 10.1.10.250 give up to get IPsec-SA due to time up to wait.
Dec 1 13:06:20 racoon: INFO: initiate new phase 2 negotiation: 10.1.10.131[500]<=>10.1.10.250[500]

LEFT:
Dec 1 13:03:50 racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
Dec 1 13:03:50 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
Dec 1 13:03:50 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=13)
Dec 1 13:03:50 racoon: INFO: ::1[500] used as isakmp port (fd=14)
Dec 1 13:03:50 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
Dec 1 13:03:50 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Dec 1 13:03:50 racoon: INFO: fe80::200:24ff:fec7:7eb1%sis1[500] used as isakmp port (fd=16)
Dec 1 13:03:50 racoon: INFO: 192.168.40.1[500] used as isakmp port (fd=17)
Dec 1 13:03:50 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Dec 1 13:03:50 racoon: INFO: fe80::200:24ff:fec7:7eb0%sis0[500] used as isakmp port (fd=18)
Dec 1 13:03:50 racoon: INFO: 10.1.10.250[500] used as isakmp port (fd=19)
Dec 1 13:03:50 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Dec 1 13:04:51 racoon: INFO: respond new phase 1 negotiation: 10.1.10.250[500]<=>10.1.10.131[500]
Dec 1 13:04:51 racoon: INFO: begin Aggressive mode.
Dec 1 13:04:51 racoon: INFO: received Vendor ID: DPD
Dec 1 13:04:51 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Dec 1 13:04:51 racoon: INFO: ISAKMP-SA established 10.1.10.250[500]-10.1.10.131[500] spi:4c4f191d79b58c36:86991c42785d5ac8
Dec 1 13:05:25 racoon: INFO: respond new phase 2 negotiation: 10.1.10.250[500]<=>10.1.10.131[500]
Dec 1 13:05:25 racoon: ERROR: failed to get sainfo.
Dec 1 13:05:25 racoon: ERROR: failed to get sainfo.
Dec 1 13:05:25 racoon: ERROR: failed to pre-process packet.
... Same 4 lines repeated (INFO, ERROR, ERROR & ERROR)

Like I said I'm probably missing something really stupid, so go easy on a newbie.

TIA

--Jason W. Allen
Dec 4 12:06:07 racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
Dec 4 12:06:07 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
Dec 4 12:06:07 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=12)
Dec 4 12:06:07 racoon: INFO: ::1[500] used as isakmp port (fd=13)
Dec 4 12:06:07 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=14)
Dec 4 12:06:07 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Dec 4 12:06:07 racoon: INFO: fe80::200:24ff:fec7:815d%sis1[500] used as isakmp port (fd=15)
Dec 4 12:06:07 racoon: INFO: 192.168.50.131[500] used as isakmp port (fd=16)
Dec 4 12:06:07 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Dec 4 12:06:07 racoon: INFO: fe80::200:24ff:fec7:815c%sis0[500] used as isakmp port (fd=17)
Dec 4 12:06:08 racoon: INFO: 10.1.10.131[500] used as isakmp port (fd=18)
Dec 4 12:06:08 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Dec 4 12:08:15 racoon: INFO: IPsec-SA request for 10.1.10.132 queued due to no phase1 found.
Dec 4 12:08:15 racoon: INFO: initiate new phase 1 negotiation: 10.1.10.131[500]<=>10.1.10.132[500]
Dec 4 12:08:15 racoon: INFO: begin Aggressive mode.
Dec 4 12:08:16 racoon: INFO: received Vendor ID: DPD
Dec 4 12:08:16 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Dec 4 12:08:16 racoon: INFO: ISAKMP-SA established 10.1.10.131[500]-10.1.10.132[500] spi:66da77a00086650c:74395bc2fe7b5a31
Dec 4 12:08:16 racoon: INFO: initiate new phase 2 negotiation: 10.1.10.131[500]<=>10.1.10.132[500]
Dec 4 12:08:46 racoon: ERROR: 10.1.10.132 give up to get IPsec-SA due to time up to wait.
Dec 4 12:09:42 racoon: INFO: initiate new phase 2 negotiation: 10.1.10.131[500]<=>10.1.10.132[500]
Dec 4 12:10:12 racoon: ERROR: 10.1.10.132 give up to get IPsec-SA due to time up to wait.
config-ephrata-fw0.mpgis.net-20061204121338.xml
Description: application/xml
config-ephrata-fw1.mpgis.net-20061204121432.xml
Description: application/xml
Dec 4 12:06:03 racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
Dec 4 12:06:03 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
Dec 4 12:06:03 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=12)
Dec 4 12:06:03 racoon: INFO: ::1[500] used as isakmp port (fd=13)
Dec 4 12:06:03 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=14)
Dec 4 12:06:03 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Dec 4 12:06:03 racoon: INFO: fe80::200:24ff:fec7:8159%sis1[500] used as isakmp port (fd=15)
Dec 4 12:06:03 racoon: INFO: 192.168.40.1[500] used as isakmp port (fd=16)
Dec 4 12:06:03 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Dec 4 12:06:03 racoon: INFO: fe80::200:24ff:fec7:8158%sis0[500] used as isakmp port (fd=17)
Dec 4 12:06:03 racoon: INFO: 10.1.10.132[500] used as isakmp port (fd=18)
Dec 4 12:06:03 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Dec 4 12:08:22 racoon: INFO: respond new phase 1 negotiation: 10.1.10.132[500]<=>10.1.10.131[500]
Dec 4 12:08:22 racoon: INFO: begin Aggressive mode.
Dec 4 12:08:22 racoon: INFO: received Vendor ID: DPD
Dec 4 12:08:22 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Dec 4 12:08:23 racoon: INFO: ISAKMP-SA established 10.1.10.132[500]-10.1.10.131[500] spi:66da77a00086650c:74395bc2fe7b5a31
Dec 4 12:09:49 racoon: INFO: respond new phase 2 negotiation: 10.1.10.132[500]<=>10.1.10.131[500]
Dec 4 12:09:49 racoon: ERROR: failed to get sainfo.
Dec 4 12:09:49 racoon: ERROR: failed to get sainfo.
Dec 4 12:09:49 racoon: ERROR: failed to pre-process packet.
Dec 4 12:09:59 racoon: INFO: respond new phase 2 negotiation: 10.1.10.132[500]<=>10.1.10.131[500]
Dec 4 12:09:59 racoon: ERROR: failed to get sainfo.
Dec 4 12:09:59 racoon: ERROR: failed to get sainfo.
Dec 4 12:09:59 racoon: ERROR: failed to pre-process packet.
Dec 4 12:10:09 racoon: INFO: respond new phase 2 negotiation: 10.1.10.132[500]<=>10.1.10.131[500]
Dec 4 12:10:09 racoon: ERROR: failed to get sainfo.
Dec 4 12:10:09 racoon: ERROR: failed to get sainfo.
Dec 4 12:10:09 racoon: ERROR: failed to pre-process packet.
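Added example, not part of the original thread or of pfSense/ipsec-tools: a small Python triage of racoon logs in the format posted above, which reports per peer whether phase 1 came up and how phase 2 failed. The function names and verdict wording are this example's own; the reading of "failed to get sainfo" as "no sainfo entry matches the phase 2 identifiers (subnets) the peer proposed" is general racoon behaviour, not a diagnosis made by anyone in the thread.

```python
import re
from collections import defaultdict

# Excerpts from the Dec 4 logs in the thread (initiator 10.1.10.131, responder 10.1.10.132).
INITIATOR_LOG = """\
Dec 4 12:08:16 racoon: INFO: ISAKMP-SA established 10.1.10.131[500]-10.1.10.132[500] spi:66da77a00086650c:74395bc2fe7b5a31
Dec 4 12:08:16 racoon: INFO: initiate new phase 2 negotiation: 10.1.10.131[500]<=>10.1.10.132[500]
Dec 4 12:08:46 racoon: ERROR: 10.1.10.132 give up to get IPsec-SA due to time up to wait.
"""
RESPONDER_LOG = """\
Dec 4 12:08:23 racoon: INFO: ISAKMP-SA established 10.1.10.132[500]-10.1.10.131[500] spi:66da77a00086650c:74395bc2fe7b5a31
Dec 4 12:09:49 racoon: INFO: respond new phase 2 negotiation: 10.1.10.132[500]<=>10.1.10.131[500]
Dec 4 12:09:49 racoon: ERROR: failed to get sainfo.
Dec 4 12:09:49 racoon: ERROR: failed to get sainfo.
Dec 4 12:09:49 racoon: ERROR: failed to pre-process packet.
"""

LINE = re.compile(r"racoon: (?P<level>[A-Z]+): (?P<msg>.*)$")
PAIR = re.compile(r"([^\s\[]+)\[\d+\](?:<=>|-)([^\s\[]+)\[\d+\]")  # local, then remote

def summarize(log_text):
    """Per remote peer: phase 1 state, phase 2 attempts, phase 2 error kinds."""
    peers = defaultdict(lambda: {"phase1": False, "attempts": 0, "errors": set()})
    current = None  # peer of the latest phase 2 exchange; sainfo errors name no peer
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        msg, pair = m["msg"], PAIR.search(m["msg"])
        if msg.startswith("ISAKMP-SA established") and pair:
            peers[pair[2]]["phase1"] = True
        elif "new phase 2 negotiation" in msg and pair:
            current = pair[2]
            peers[current]["attempts"] += 1
        elif m["level"] == "ERROR" and "give up to get IPsec-SA" in msg:
            peers[msg.split()[0]]["errors"].add("timeout")
        elif m["level"] == "ERROR" and "failed to get sainfo" in msg and current:
            peers[current]["errors"].add("no-sainfo")
    return dict(peers)

def verdict(state):
    if not state["phase1"]:
        return "phase 1 down: compare PSK, identifiers and phase 1 proposal"
    if "no-sainfo" in state["errors"]:
        return "phase 2 refused here: no sainfo matches the peer's proposed subnets"
    if "timeout" in state["errors"]:
        return "phase 2 unanswered: the reason is in the responder's log"
    return "no phase 2 errors logged"

if __name__ == "__main__":
    for name, log in (("initiator", INITIATOR_LOG), ("responder", RESPONDER_LOG)):
        for peer, state in summarize(log).items():
            print(f"{name} -> {peer}: {verdict(state)}")
```

Run against both gateways' logs, it separates a phase 1 problem (PSK, identifier, proposal) from a phase 2 selector problem, where the local and remote subnets on one side must be the exact mirror of the other.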
