On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote:
> I have only the default allow everything rule on the IPSEC tab. I
> manually added rules to the firewall to allow UDP 500 to the OPT2
> interface and to allow ESP to the OPT2 interface, and now I'm getting
> different IPSEC log results (I changed the My Identifier back to
> interface address).
> Here are the new log entries:
> Mar 29 14:20:20 racoon: ERROR: pfkey DELETE received: ESP
> 75.44.169.169[0]->70.237.44.110[0] spi=3627103776(0xd8313620)
> Mar 29 14:19:21 racoon: INFO: IPsec-SA established: ESP/Tunnel
> 75.44.169.169[0]->70.237.44.110[0] spi=3097439008(0xb89f2b20)
> Mar 29 14:19:21 racoon: INFO: IPsec-SA established: ESP/Tunnel
> 70.237.44.110[0]->75.44.169.169[0] spi=129752861(0x7bbdf1d)
> Mar 29 14:19:21 racoon: INFO: respond new phase 2 negotiation:
> 75.44.169.169[500]<=>70.237.44.110[500]
> Mar 29 14:19:21 racoon: INFO: ISAKMP-SA established
> 75.44.169.169[500]-70.237.44.110[500] spi:72fba3fecd3739c6:f7fb0fc1959fdf21
> Mar 29 14:19:20 racoon: NOTIFY: couldn't find the proper pskey, try to
> get one by the peer's address.
> Mar 29 14:19:20 racoon: INFO: begin Aggressive mode.
> Mar 29 14:19:20 racoon: INFO: respond new phase 1 negotiation:
> 75.44.169.169[500]<=>70.237.44.110[500]
> Mar 29 14:17:43 racoon: ERROR: pfkey DELETE received: ESP
> 75.44.169.169[0]->70.237.44.110[0] spi=754453952(0x2cf80dc0)
> Mar 29 14:17:43 racoon: ERROR: pfkey DELETE received: ESP
> 75.44.169.169[0]->70.237.44.110[0] spi=2451182496(0x921a13a0)
> Mar 29 14:17:03 racoon: INFO: IPsec-SA established: ESP/Tunnel
> 75.44.169.169[0]->70.237.44.110[0] spi=3627103776(0xd8313620)
> Mar 29 14:17:03 racoon: INFO: IPsec-SA established: ESP/Tunnel
> 70.237.44.110[0]->75.44.169.169[0] spi=101957205(0x613be55)
> Mar 29 14:17:03 racoon: INFO: respond new phase 2 negotiation:
> 75.44.169.169[500]<=>70.237.44.110[500]
> Mar 29 14:17:03 racoon: INFO: ISAKMP-SA established
> 75.44.169.169[500]-70.237.44.110[500] spi:8203621148841b41:6ad562eb830dd2d5
> Mar 29 14:17:02 racoon: NOTIFY: couldn't find the proper pskey, try to
> get one by the peer's address.
> Mar 29 14:17:02 racoon: INFO: begin Aggressive mode.
> Mar 29 14:17:02 racoon: INFO: respond new phase 1 negotiation:
> 75.44.169.169[500]<=>70.237.44.110[500]
Look in /tmp/rules.debug and search for IPSEC.
Do you see rules permitting traffic to the interface?
Scott