On 10-12-10 01:40 AM, [email protected] wrote:
Hi,

LAN net - 192.168.8.0/24 --------  This is pfsense 2.0  ---------- 172.20.20.0/24
          ........                                                 172.20.21.0/24
          0.0.0.0/0                                                172.20.22.0/24
                                                                   172.20.24.0/24
                                                                   .......

The firewall on the IPsec interface is fully open.

Why isn't IPsec phase 1 being established?

P.S. With this configuration everything works on pfSense 1.2 and m0n0wall!

Please help!


my racoon.conf:

# This file is automatically generated. Do not edit
path pre_shared_key "/var/etc/psk.txt";
path certificate  "/var/etc";

listen
{
    adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
    isakmp 192.168.180.33 [500];
    isakmp_natt 192.168.180.33 [4500];
    isakmp 192.168.180.1 [500];
    isakmp_natt 192.168.180.1 [4500];
    isakmp 10.221.40.6 [500];
    isakmp_natt 10.221.40.6 [4500];
}

remote 192.186.180.38
{
    ph1id 1;
    exchange_mode aggressive;
    my_identifier address 192.168.180.33;
    peers_identifier address 192.186.180.38;
    ike_frag on;
    generate_policy = off;
    initial_contact = on;
    nat_traversal = off;
    dpd_delay = 10;
    dpd_maxfail = 5;
    support_proxy on;
    proposal_check obey;

    proposal
    {
        authentication_method pre_shared_key;
        encryption_algorithm 3des;
        hash_algorithm sha1;
        dh_group 2;
        lifetime time 3600 secs;
    }
}

remote 192.186.180.39
{
    ph1id 2;
    exchange_mode aggressive;
    my_identifier address 192.168.180.33;
    peers_identifier address 192.186.180.39;
    ike_frag on;
    generate_policy = off;
    initial_contact = on;
    nat_traversal = on;
    dpd_delay = 10;
    dpd_maxfail = 5;
    support_proxy on;
    proposal_check obey;

    proposal
    {
        authentication_method pre_shared_key;
        encryption_algorithm 3des;
        hash_algorithm sha1;
        dh_group 2;
        lifetime time 3600 secs;
    }
}

..........

sainfo subnet 0.0.0.0/0 any subnet 172.20.22.0/24 any
{
    remoteid 1;
    encryption_algorithm blowfish 256, blowfish 248, blowfish 240, blowfish 232,
        blowfish 224, blowfish 216, blowfish 208, blowfish 200, blowfish 192,
        blowfish 184, blowfish 176, blowfish 168, blowfish 160, blowfish 152,
        blowfish 144, blowfish 136, blowfish 128;
    authentication_algorithm hmac_sha1;
    pfs_group 2;
    lifetime time 3600 secs;
    compression_algorithm deflate;
}

sainfo subnet 0.0.0.0/0 any subnet 172.20.20.0/24 any
{
    remoteid 2;
    encryption_algorithm aes 256, aes 192, aes 128;
    authentication_algorithm hmac_sha1;
    pfs_group 2;
    lifetime time 3600 secs;
    compression_algorithm deflate;
}

.......

racoon.log


racoon: INFO: @(#)ipsec-tools 0.7.3 (http://ipsec-tools.sourceforge.net)
Dec 10 08:55:02 racoon: INFO: @(#)This product linked OpenSSL 0.9.8n 24 Mar 2010 (http://www.openssl.org/)
Dec 10 08:55:02 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
Dec 10 08:55:02 racoon: [Self]: INFO: 10.221.40.6[4500] used as isakmp port (fd=16)
Dec 10 08:55:02 racoon: INFO: 10.221.40.6[4500] used for NAT-T
Dec 10 08:55:02 racoon: [Self]: INFO: 10.221.40.6[500] used as isakmp port (fd=17)
Dec 10 08:55:02 racoon: INFO: 10.221.40.6[500] used for NAT-T
Dec 10 08:55:02 racoon: INFO: 192.168.180.1[4500] used as isakmp port (fd=18)
Dec 10 08:55:02 racoon: INFO: 192.168.180.1[4500] used for NAT-T
Dec 10 08:55:02 racoon: INFO: 192.168.180.1[500] used as isakmp port (fd=19)
Dec 10 08:55:02 racoon: INFO: 192.168.180.1[500] used for NAT-T
Dec 10 08:55:02 racoon: [Self]: INFO: 192.168.180.33[4500] used as isakmp port (fd=20)
Dec 10 08:55:02 racoon: INFO: 192.168.180.33[4500] used for NAT-T
Dec 10 08:55:02 racoon: [Self]: INFO: 192.168.180.33[500] used as isakmp port (fd=21)
Dec 10 08:55:02 racoon: INFO: 192.168.180.33[500] used for NAT-T
Dec 10 08:55:02 racoon: INFO: unsupported PF_KEY message REGISTER
Dec 10 08:55:04 racoon: [Milicia]: INFO: IPsec-SA request for 192.186.180.15 queued due to no phase1 found.
Dec 10 08:55:04 racoon: [Milicia]: INFO: initiate new phase 1 negotiation: 192.168.180.1[500]<=>192.186.180.15[500]
Dec 10 08:55:04 racoon: INFO: begin Aggressive mode.
Dec 10 08:55:05 racoon: [Statichov_7]: INFO: IPsec-SA request for 192.186.180.39 queued due to no phase1 found.
Dec 10 08:55:05 racoon: [Statichov_7]: INFO: initiate new phase 1 negotiation: 192.168.180.33[500]<=>192.186.180.39[500]
Dec 10 08:55:05 racoon: INFO: begin Aggressive mode.
Dec 10 08:55:06 racoon: [M.Gorkogo_59]: INFO: IPsec-SA request for 192.186.180.35 queued due to no phase1 found.
Dec 10 08:55:06 racoon: [M.Gorkogo_59]: INFO: initiate new phase 1 negotiation: 192.168.180.33[500]<=>192.186.180.35[500]
Dec 10 08:55:06 racoon: INFO: begin Aggressive mode.
Dec 10 08:55:13 racoon: INFO: @(#)ipsec-tools 0.7.3 (http://ipsec-tools.sourceforge.net)
Dec 10 08:55:13 racoon: INFO: @(#)This product linked OpenSSL 0.9.8n 24 Mar 2010 (http://www.openssl.org/)
Dec 10 08:55:13 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
Dec 10 08:55:13 racoon: [Self]: INFO: 10.221.40.6[4500] used as isakmp port (fd=19)
Dec 10 08:55:13 racoon: INFO: 10.221.40.6[4500] used for NAT-T
Dec 10 08:55:13 racoon: [Self]: INFO: 10.221.40.6[500] used as isakmp port (fd=20)
Dec 10 08:55:13 racoon: INFO: 10.221.40.6[500] used for NAT-T
Dec 10 08:55:13 racoon: INFO: 192.168.180.1[4500] used as isakmp port (fd=21)
Dec 10 08:55:13 racoon: INFO: 192.168.180.1[4500] used for NAT-T
Dec 10 08:55:13 racoon: INFO: 192.168.180.1[500] used as isakmp port (fd=22)
Dec 10 08:55:13 racoon: INFO: 192.168.180.1[500] used for NAT-T
Dec 10 08:55:13 racoon: [Self]: INFO: 192.168.180.33[4500] used as isakmp port (fd=23)
Dec 10 08:55:13 racoon: INFO: 192.168.180.33[4500] used for NAT-T
Dec 10 08:55:13 racoon: [Self]: INFO: 192.168.180.33[500] used as isakmp port (fd=24)
Dec 10 08:55:13 racoon: INFO: 192.168.180.33[500] used for NAT-T
Dec 10 08:55:13 racoon: INFO: unsupported PF_KEY message REGISTER
Dec 10 08:55:13 racoon: ERROR: such policy already exists. anyway replace it: 192.168.8.13/32[0] 192.168.8.0/24[0] proto=any dir=out
Dec 10 08:55:13 racoon: ERROR: such policy already exists. anyway replace it: 192.168.8.0/24[0] 192.168.8.13/32[0] proto=any dir=in
Dec 10 08:55:13 racoon: ERROR: such policy already exists. anyway replace it: 0.0.0.0/0[0] 172.20.22.0/24[0] proto=any dir=out
Dec 10 08:55:13 racoon: ERROR: such policy already exists. anyway replace it: 172.20.22.0/24[0] 0.0.0.0/0[0] proto=any dir=in
Dec 10 08:55:13 racoon: ERROR: such policy already exists. anyway replace it: 0.0.0.0/0[0] 172.20.20.0/24[0] proto=any dir=out
Dec 10 08:55:13 racoon: ERROR: such policy already exists. anyway replace it: 172.20.20.0/24[0] 0.0.0.0/0[0] proto=any dir=in

.......



Drovalev Roman Nikolaevich.


Please do not top-post.
It is not the full log, is it? It does not say anything about a failure. There must be something like 'timeout' or another error. Are you sure you are receiving packets from the remote site on the WAN?
Evgeny.
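One way to check what Evgeny is asking for, as an added example that is not part of this thread: a small Python script that walks a racoon log and reports, per remote peer, whether each phase 1 negotiation was established, timed out, or was silently dropped because racoon re-read its configuration mid-negotiation (as it does at 08:55:13 in the log above, seven seconds after the three "begin Aggressive mode" lines). The sample log is constructed; the "ISAKMP-SA established" and "failed due to time up" message shapes are assumed from ipsec-tools 0.7 and may need adjusting to the exact wording of your racoon build.

```python
import re

# Constructed sample in the shape of the racoon.log posted in this thread.
# The "ISAKMP-SA established" and "failed due to time up" lines follow the
# ipsec-tools 0.7 message format as I remember it (an assumption); the log
# actually posted contains neither, which is what the function surfaces.
SAMPLE_LOG = """\
Dec 10 08:55:02 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
Dec 10 08:55:04 racoon: [Milicia]: INFO: initiate new phase 1 negotiation: 192.168.180.1[500]<=>192.186.180.15[500]
Dec 10 08:55:04 racoon: INFO: begin Aggressive mode.
Dec 10 08:55:05 racoon: [Statichov_7]: INFO: initiate new phase 1 negotiation: 192.168.180.33[500]<=>192.186.180.39[500]
Dec 10 08:55:05 racoon: INFO: begin Aggressive mode.
Dec 10 08:55:09 racoon: INFO: ISAKMP-SA established 192.168.180.33[500]-192.186.180.39[500] spi:0011223344556677:8899aabbccddeeff
Dec 10 08:55:13 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
Dec 10 08:55:14 racoon: [M.Gorkogo_59]: INFO: initiate new phase 1 negotiation: 192.168.180.33[500]<=>192.186.180.35[500]
Dec 10 08:55:44 racoon: ERROR: phase1 negotiation failed due to time up. 192.168.180.33[500]<=>192.186.180.35[500]
"""

INITIATE = re.compile(r"initiate new phase 1 negotiation: \S+<=>(\S+)")
ESTABLISHED = re.compile(r"ISAKMP-SA established \S+-(\S+) spi:")
TIMEOUT = re.compile(r"phase1 negotiation failed due to time up\. \S+<=>(\S+)")
RESTART = "Reading configuration from"   # racoon (re)started and reloaded its config

def peer_ip(addr):
    """'192.186.180.39[500]' -> '192.186.180.39' (the port may or may not be logged)."""
    return addr.split("[", 1)[0]

def phase1_outcomes(log_text):
    """Map each remote peer racoon started phase 1 with to its outcome:
    'established', 'timeout', 'lost_on_restart' (config reloaded before any
    result was logged) or 'no_outcome' (the log ends mid-negotiation)."""
    pending = []        # peers whose phase 1 is in flight, in start order
    outcomes = {}
    for line in log_text.splitlines():
        if RESTART in line:
            # A restart drops in-flight negotiations without logging a failure.
            outcomes.update((p, "lost_on_restart") for p in pending)
            pending = []
            continue
        m = INITIATE.search(line)
        if m:
            pending.append(peer_ip(m.group(1)))
            continue
        for pattern, result in ((ESTABLISHED, "established"), (TIMEOUT, "timeout")):
            m = pattern.search(line)
            if m and peer_ip(m.group(1)) in pending:
                pending.remove(peer_ip(m.group(1)))
                outcomes[peer_ip(m.group(1))] = result
    outcomes.update((p, "no_outcome") for p in pending)
    return outcomes

if __name__ == "__main__":
    for peer, result in phase1_outcomes(SAMPLE_LOG).items():
        print(peer, result)
```

Run against the real racoon.log, any peer reported as "lost_on_restart" or "no_outcome" is one where the log genuinely says nothing about why phase 1 failed, which is the gap Evgeny points at.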
