Hi, pfSense does not send or receive IPsec messages to/from the remote gateway!
Network topology:
192.168.8.0/24(LAN)-Pfsense 2.0
-(WAN)192.168.180.1--------------------192.168.180.13(WAN)-monowall
-(LAN)172.20.34.0/24
1.) If the initial connection is from the remote net to the local net (172.20.34.0/24 ->
192.168.8.0/24):
----------remote monowall racoon.conf--------------
path pre_shared_key "/var/etc/psk.txt";
path certificate "/var/etc";
remote 192.186.180.1 {
exchange_mode aggressive;
my_identifier user_fqdn "[email protected]";
peers_identifier address 192.186.180.1;
initial_contact on;
support_proxy on;
proposal_check obey;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
lifetime time 3600 secs;
}
lifetime time 3600 secs;
}
sainfo address 172.20.34.0/24 any address 192.168.8.0/24 any {
encryption_algorithm blowfish;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
pfs_group 1;
lifetime time 3600 secs;
}
--------------END monowall racoon.conf--------------------------
--------- pfsense racoon.conf-------------------
# This file is automatically generated. Do not edit
path pre_shared_key "/var/etc/psk.txt";
path certificate "/var/etc";
listen
{
adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
isakmp 192.168.180.1 [500];
isakmp_natt 192.168.180.1 [4500];
}
remote 192.186.180.13
{
ph1id 6;
exchange_mode aggressive;
my_identifier address 192.168.180.1;
peers_identifier user_fqdn "[email protected]";
ike_frag on;
generate_policy = off;
initial_contact = on;
nat_traversal = off;
dpd_delay = 10;
dpd_maxfail = 5;
support_proxy on;
proposal_check obey;
proposal
{
authentication_method pre_shared_key;
encryption_algorithm 3des;
hash_algorithm sha1;
dh_group 2;
lifetime time 3600 secs;
}
}
sainfo subnet 192.168.8.0/24 any subnet 172.20.34.0/24 any
{
remoteid 6;
encryption_algorithm blowfish 256, blowfish 248, blowfish 240,
blowfish 232, blowfish 224, blowfish 216, blowfish 208, blowfish 200,
blowfish 192, blowfish 184, blowfish 176, blowfish 168, blowfish 160,
blowfish 152, blowfish 144, blowfish 136, blowfish 128;
authentication_algorithm hmac_sha1;
pfs_group 2;
lifetime time 3600 secs;
compression_algorithm deflate;
}
-------------------- END pfsense racoon.conf ---------------------
a.) remote monowall racoon.log
Dec 11 16:38:20 racoon: DEBUG: get pfkey ACQUIRE message
Dec 11 16:38:20 racoon: DEBUG: suitable outbound SP found: 172.20.34.0/24[0] 192.168.8.0/24[0] proto=any dir=out.
Dec 11 16:38:20 racoon: DEBUG: sub:0xbfbff460: 192.168.8.0/24[0] 172.20.34.0/24[0] proto=any dir=in
Dec 11 16:38:20 racoon: DEBUG: db :0x80a5a08: 172.20.34.0/24[0] 172.20.34.1/32[0] proto=any dir=in
Dec 11 16:38:20 racoon: DEBUG: sub:0xbfbff460: 192.168.8.0/24[0] 172.20.34.0/24[0] proto=any dir=in
Dec 11 16:38:20 racoon: DEBUG: db :0x80a5c08: 192.168.8.0/24[0] 172.20.34.0/24[0] proto=any dir=in
Dec 11 16:38:20 racoon: DEBUG: suitable inbound SP found: 192.168.8.0/24[0] 172.20.34.0/24[0] proto=any dir=in.
Dec 11 16:38:20 racoon: DEBUG: new acquire 172.20.34.0/24[0] 192.168.8.0/24[0] proto=any dir=out
Dec 11 16:38:20 racoon: DEBUG: (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=16426:16425)
Dec 11 16:38:20 racoon: DEBUG: (trns_id=BLOWFISH encklen=128 authtype=hmac-sha)
Dec 11 16:38:20 racoon: DEBUG: configuration found for 192.186.180.1.
Dec 11 16:38:20 racoon: INFO: IPsec-SA request for 192.186.180.1 queued due to no phase1 found.
Dec 11 16:38:20 racoon: DEBUG: ===
Dec 11 16:38:20 racoon: INFO: initiate new phase 1 negotiation: 192.168.180.13[500]<=>192.186.180.1[500]
Dec 11 16:38:20 racoon: INFO: begin Aggressive mode.
Dec 11 16:38:20 racoon: DEBUG: new cookie: bd8323a305dc6618
Dec 11 16:38:20 racoon: DEBUG: use ID type of User_FQDN
Dec 11 16:38:20 racoon: DEBUG: compute DH's private.
Dec 11 16:38:20 racoon: DEBUG: compute DH's public.
Dec 11 16:38:20 racoon: DEBUG: authmethod is pre-shared key
Dec 11 16:38:20 racoon: DEBUG: add payload of len 48, next type 4
Dec 11 16:38:20 racoon: DEBUG: add payload of len 128, next type 10
Dec 11 16:38:20 racoon: DEBUG: add payload of len 16, next type 5
Dec 11 16:38:20 racoon: DEBUG: add payload of len 22, next type 13
Dec 11 16:38:20 racoon: DEBUG: add payload of len 16, next type 0
Dec 11 16:38:20 racoon: DEBUG: 278 bytes from 192.168.180.13[500] to 192.186.180.1[500]
Dec 11 16:38:20 racoon: DEBUG: sockname 192.168.180.13[500]
Dec 11 16:38:20 racoon: DEBUG: send packet from 192.168.180.13[500]
Dec 11 16:38:20 racoon: DEBUG: send packet to 192.186.180.1[500]
Dec 11 16:38:20 racoon: DEBUG: 1 times of 278 bytes message will be sent to 192.186.180.1[500]
Dec 11 16:38:20 racoon: DEBUG: resend phase1 packet bd8323a305dc6618:0000000000000000
Dec 11 16:38:30 racoon: DEBUG: 278 bytes from 192.168.180.13[500] to 192.186.180.1[500]
Dec 11 16:38:30 racoon: DEBUG: sockname 192.168.180.13[500]
Dec 11 16:38:30 racoon: DEBUG: send packet from 192.168.180.13[500]
Dec 11 16:38:30 racoon: DEBUG: send packet to 192.186.180.1[500]
Dec 11 16:38:30 racoon: DEBUG: 1 times of 278 bytes message will be sent to 192.186.180.1[500]
Dec 11 16:38:30 racoon: DEBUG: resend phase1 packet bd8323a305dc6618:0000000000000000
Dec 11 16:38:40 racoon: DEBUG: 278 bytes from 192.168.180.13[500] to 192.186.180.1[500]
Dec 11 16:38:40 racoon: DEBUG: sockname 192.168.180.13[500]
Dec 11 16:38:40 racoon: DEBUG: send packet from 192.168.180.13[500]
Dec 11 16:38:40 racoon: DEBUG: send packet to 192.186.180.1[500]
Dec 11 16:38:40 racoon: DEBUG: 1 times of 278 bytes message will be sent to 192.186.180.1[500]
Dec 11 16:38:40 racoon: DEBUG: resend phase1 packet bd8323a305dc6618:0000000000000000
Dec 11 16:38:50 racoon: DEBUG: 278 bytes from 192.168.180.13[500] to 192.186.180.1[500]
Dec 11 16:38:50 racoon: DEBUG: sockname 192.168.180.13[500]
Dec 11 16:38:50 racoon: DEBUG: send packet from 192.168.180.13[500]
Dec 11 16:38:50 racoon: DEBUG: send packet to 192.186.180.1[500]
Dec 11 16:38:50 racoon: DEBUG: 1 times of 278 bytes message will be sent to 192.186.180.1[500]
Dec 11 16:38:50 racoon: DEBUG: resend phase1 packet bd8323a305dc6618:0000000000000000
Dec 11 16:38:51 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 192.186.180.1[0]->192.168.180.13[0]
Dec 11 16:38:51 racoon: INFO: delete phase 2 handler.
b.) pfsense racoon.log is empty!
2.) If the connection is from the local net to the remote gateway monowall (192.168.8.0/24 ->
172.20.34.0/24):
a.) remote monowall racoon.log is empty!
b.) Pfsense 2.0 racoon.log
Dec 11 13:58:00 racoon: ERROR: couldn't find configuration.
Dec 11 13:58:07 racoon: [C-Chedrina_72]: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 192.186.180.13[0]->192.168.180.1[0]
Dec 11 13:58:07 racoon: INFO: delete phase 2 handler.
Dec 11 13:58:20 racoon: ERROR: couldn't find configuration.
Dec 11 13:58:25 racoon: ERROR: phase1 negotiation failed due to time up. 16931d8b372f27af:0000000000000000
Dec 11 13:58:40 racoon: ERROR: couldn't find configuration.
Dec 11 13:59:16 racoon: ERROR: couldn't find configuration.
Dec 11 14:00:56 last message repeated 5 times
Dec 11 14:01:16 racoon: [C-Chedrina_72]: INFO: IPsec-SA request for 192.186.180.13 queued due to no phase1 found.
Dec 11 14:01:16 racoon: [C-Chedrina_72]: INFO: initiate new phase 1 negotiation: 192.168.180.1[500]<=>192.186.180.13[500]
Dec 11 14:01:16 racoon: INFO: begin Aggressive mode.
Dec 11 14:01:47 racoon: [C-Chedrina_72]: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 192.186.180.13[0]->192.168.180.1[0]
Dec 11 14:01:47 racoon: INFO: delete phase 2 handler.
Dec 11 14:01:58 racoon: ERROR: couldn't find configuration.
...but racoon.conf does exist (in /status.php)!
Please HELP!
P.S. The firewall is any-to-any on the WAN iface!
Drovalev Roman Nikolaevich.
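Added example (not from the post, pfSense or m0n0wall): a small Python checker that reads the two racoon.conf files quoted above, compares them against the WAN addresses in the topology diagram, and lists where the two sides disagree (each side's remote address vs. the peer's WAN address, my_identifier vs. the peer's peers_identifier, and the phase-2 pfs_group). The identifiers are copied exactly as they appear in the post, and the parser assumes one remote block and one sainfo block per file, which is all this thread needs.

```python
import re

# Trimmed copies of the two racoon.conf files quoted in the post, keeping only
# the directives this checker reads (each side has a single remote block).
MONOWALL_CONF = """
remote 192.186.180.1 {
  my_identifier user_fqdn "[email protected]";
  peers_identifier address 192.186.180.1;
}
sainfo address 172.20.34.0/24 any address 192.168.8.0/24 any { pfs_group 1; }
"""
PFSENSE_CONF = """
remote 192.186.180.13 {
  my_identifier address 192.168.180.1;
  peers_identifier user_fqdn "[email protected]";
}
sainfo subnet 192.168.8.0/24 any subnet 172.20.34.0/24 any { pfs_group 2; }
"""
# WAN addresses as drawn in the topology diagram at the top of the post.
WAN = {"pfsense": "192.168.180.1", "monowall": "192.168.180.13"}

def parse(conf):
    """Peer address, IKE identifiers and PFS group (assumes one remote/sainfo block)."""
    def grab(pat):
        m = re.search(pat, conf, re.M)
        return m.groups() if m else None
    return {
        "remote": grab(r"^\s*remote\s+(\S+)")[0],
        "my_id": grab(r'my_identifier\s+(\S+)\s+"?([^";]+)"?;'),
        "peer_id": grab(r'peers_identifier\s+(\S+)\s+"?([^";]+)"?;'),
        "pfs": grab(r"pfs_group\s+(\d+);")[0],
    }

def cross_check(configs):
    """List every disagreement between the two sides. racoon picks the remote
    block for an incoming IKE packet by the packet's source address, so each
    side's 'remote' must be the other's real WAN, and my_identifier on one
    side must equal peers_identifier on the other."""
    issues = []
    for me, peer in (("monowall", "pfsense"), ("pfsense", "monowall")):
        a, b = configs[me], configs[peer]
        if a["remote"] != WAN[peer]:
            issues.append(f"{me}: remote {a['remote']} is not {peer}'s WAN {WAN[peer]}")
        if a["my_id"] != b["peer_id"]:
            issues.append(f"{me} my_identifier {a['my_id']} != {peer} peers_identifier {b['peer_id']}")
    if configs["monowall"]["pfs"] != configs["pfsense"]["pfs"]:
        issues.append("phase 2 pfs_group differs: monowall %s vs pfsense %s"
                      % (configs["monowall"]["pfs"], configs["pfsense"]["pfs"]))
    return issues

def check_thread_configs():
    return cross_check({"monowall": parse(MONOWALL_CONF), "pfsense": parse(PFSENSE_CONF)})

for line in check_thread_configs():
    print("MISMATCH:", line)
```

Run as-is it prints four mismatches for the configurations quoted in this thread; point MONOWALL_CONF, PFSENSE_CONF and WAN at your own two files and addresses to reuse it.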
Evgeny Yurchenko <[email protected]> wrote on 10.12.2010 17:16:53:
> From: Evgeny Yurchenko <[email protected]>
> To: [email protected]
> Date: 10.12.2010 17:17
> Subject: Re: [pfSense Support] 2.0 - don't work Ipsec!
>
> On 10-12-10 01:40 AM, [email protected] wrote:
> > Hi,
> >
> > LAN net - 192.168.8.0/24 -------- This is pfsense 2.0 ----------
> > 172.20.20.0/24
> > ........ 172.20.21.0/24
> > 0.0.0.0/0 172.20.22.0/24
> > 172.20.24.0/24
> > .......
> >
> > The firewall on the IPsec iface is fully open.
> >
> > Why is IPsec phase 1 not established?
> >
> > P.S. With this configuration everything works on pfSense 1.2 and monowall!
> >
> > Please Help!
> >
> >
> > my racoon.conf:
> >
> > # This file is automatically generated. Do not edit
> > path pre_shared_key "/var/etc/psk.txt";
> >
> > path certificate "/var/etc";
> >
> >
> > listen
> > {
> > adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
> > isakmp 192.168.180.33 [500];
> > isakmp_natt 192.168.180.33 [4500];
> > isakmp 192.168.180.1 [500];
> > isakmp_natt 192.168.180.1 [4500];
> > isakmp 10.221.40.6 [500];
> > isakmp_natt 10.221.40.6 [4500];
> > }
> >
> >
> > remote 192.186.180.38
> > {
> > ph1id 1;
> > exchange_mode aggressive;
> > my_identifier address 192.168.180.33;
> > peers_identifier address 192.186.180.38;
> > ike_frag on;
> > generate_policy = off;
> > initial_contact = on;
> > nat_traversal = off;
> >
> >
> > dpd_delay = 10;
> > dpd_maxfail = 5;
> > support_proxy on;
> > proposal_check obey;
> >
> >
> > proposal
> > {
> > authentication_method pre_shared_key;
> > encryption_algorithm 3des;
> > hash_algorithm sha1;
> > dh_group 2;
> > lifetime time 3600 secs;
> > }
> > }
> >
> > remote 192.186.180.39
> > {
> > ph1id 2;
> > exchange_mode aggressive;
> > my_identifier address 192.168.180.33;
> > peers_identifier address 192.186.180.39;
> > ike_frag on;
> > generate_policy = off;
> > initial_contact = on;
> > nat_traversal = on;
> >
> >
> > dpd_delay = 10;
> > dpd_maxfail = 5;
> > support_proxy on;
> > proposal_check obey;
> >
> >
> > proposal
> > {
> > authentication_method pre_shared_key;
> > encryption_algorithm 3des;
> > hash_algorithm sha1;
> > dh_group 2;
> > lifetime time 3600 secs;
> > }
> > }
> >
> > ..........
> >
> >
> > sainfo subnet 0.0.0.0/0 any subnet 172.20.22.0/24 any
> > {
> > remoteid 1;
> > encryption_algorithm blowfish 256, blowfish 248, blowfish 240,
> > blowfish 232, blowfish 224, blowfish 216, blowfish 208, blowfish 200,
> > blowfish 192, blowfish 184, blowfish 176, blowfish 168, blowfish 160,
> > blowfish 152, blowfish 144, blowfish 136, blowfish 128;
> > authentication_algorithm hmac_sha1;
> > pfs_group 2;
> > lifetime time 3600 secs;
> > compression_algorithm deflate;
> > }
> >
> > sainfo subnet 0.0.0.0/0 any subnet 172.20.20.0/24 any
> > {
> > remoteid 2;
> > encryption_algorithm aes 256, aes 192, aes 128;
> > authentication_algorithm hmac_sha1;
> > pfs_group 2;
> > lifetime time 3600 secs;
> > compression_algorithm deflate;
> > }
> >
> > .......
> >
> > racoon.log
> >
> >
> > racoon: INFO: @(#)ipsec-tools 0.7.3 (http://ipsec-tools.sourceforge.net)
> > Dec 10 08:55:02 racoon: INFO: @(#)This product linked OpenSSL 0.9.8n 24 Mar 2010 (http://www.openssl.org/)
> > Dec 10 08:55:02 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
> > Dec 10 08:55:02 racoon: [Self]: INFO: 10.221.40.6[4500] used as isakmp port (fd=16)
> > Dec 10 08:55:02 racoon: INFO: 10.221.40.6[4500] used for NAT-T
> > Dec 10 08:55:02 racoon: [Self]: INFO: 10.221.40.6[500] used as isakmp port (fd=17)
> > Dec 10 08:55:02 racoon: INFO: 10.221.40.6[500] used for NAT-T
> > Dec 10 08:55:02 racoon: INFO: 192.168.180.1[4500] used as isakmp port (fd=18)
> > Dec 10 08:55:02 racoon: INFO: 192.168.180.1[4500] used for NAT-T
> > Dec 10 08:55:02 racoon: INFO: 192.168.180.1[500] used as isakmp port (fd=19)
> > Dec 10 08:55:02 racoon: INFO: 192.168.180.1[500] used for NAT-T
> > Dec 10 08:55:02 racoon: [Self]: INFO: 192.168.180.33[4500] used as isakmp port (fd=20)
> > Dec 10 08:55:02 racoon: INFO: 192.168.180.33[4500] used for NAT-T
> > Dec 10 08:55:02 racoon: [Self]: INFO: 192.168.180.33[500] used as isakmp port (fd=21)
> > Dec 10 08:55:02 racoon: INFO: 192.168.180.33[500] used for NAT-T
> > Dec 10 08:55:02 racoon: INFO: unsupported PF_KEY message REGISTER
> > Dec 10 08:55:04 racoon: [Milicia]: INFO: IPsec-SA request for 192.186.180.15 queued due to no phase1 found.
> > Dec 10 08:55:04 racoon: [Milicia]: INFO: initiate new phase 1 negotiation: 192.168.180.1[500]<=>192.186.180.15[500]
> > Dec 10 08:55:04 racoon: INFO: begin Aggressive mode.
> > Dec 10 08:55:05 racoon: [Statichov_7]: INFO: IPsec-SA request for 192.186.180.39 queued due to no phase1 found.
> > Dec 10 08:55:05 racoon: [Statichov_7]: INFO: initiate new phase 1 negotiation: 192.168.180.33[500]<=>192.186.180.39[500]
> > Dec 10 08:55:05 racoon: INFO: begin Aggressive mode.
> > Dec 10 08:55:06 racoon: [M.Gorkogo_59]: INFO: IPsec-SA request for 192.186.180.35 queued due to no phase1 found.
> > Dec 10 08:55:06 racoon: [M.Gorkogo_59]: INFO: initiate new phase 1 negotiation: 192.168.180.33[500]<=>192.186.180.35[500]
> > Dec 10 08:55:06 racoon: INFO: begin Aggressive mode.
> > Dec 10 08:55:13 racoon: INFO: @(#)ipsec-tools 0.7.3 (http://ipsec-tools.sourceforge.net)
> > Dec 10 08:55:13 racoon: INFO: @(#)This product linked OpenSSL 0.9.8n 24 Mar 2010 (http://www.openssl.org/)
> > Dec 10 08:55:13 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
> > Dec 10 08:55:13 racoon: [Self]: INFO: 10.221.40.6[4500] used as isakmp port (fd=19)
> > Dec 10 08:55:13 racoon: INFO: 10.221.40.6[4500] used for NAT-T
> > Dec 10 08:55:13 racoon: [Self]: INFO: 10.221.40.6[500] used as isakmp port (fd=20)
> > Dec 10 08:55:13 racoon: INFO: 10.221.40.6[500] used for NAT-T
> > Dec 10 08:55:13 racoon: INFO: 192.168.180.1[4500] used as isakmp port (fd=21)
> > Dec 10 08:55:13 racoon: INFO: 192.168.180.1[4500] used for NAT-T
> > Dec 10 08:55:13 racoon: INFO: 192.168.180.1[500] used as isakmp port (fd=22)
> > Dec 10 08:55:13 racoon: INFO: 192.168.180.1[500] used for NAT-T
> > Dec 10 08:55:13 racoon: [Self]: INFO: 192.168.180.33[4500] used as isakmp port (fd=23)
> > Dec 10 08:55:13 racoon: INFO: 192.168.180.33[4500] used for NAT-T
> > Dec 10 08:55:13 racoon: [Self]: INFO: 192.168.180.33[500] used as isakmp port (fd=24)
> > Dec 10 08:55:13 racoon: INFO: 192.168.180.33[500] used for NAT-T
> > Dec 10 08:55:13 racoon: INFO: unsupported PF_KEY message REGISTER
> > Dec 10 08:55:13 racoon: ERROR: such policy already exists. anyway replace it: 192.168.8.13/32[0] 192.168.8.0/24[0] proto=any dir=out
> > Dec 10 08:55:13 racoon: ERROR: such policy already exists. anyway replace it: 192.168.8.0/24[0] 192.168.8.13/32[0] proto=any dir=in
> > Dec 10 08:55:13 racoon: ERROR: such policy already exists. anyway replace it: 0.0.0.0/0[0] 172.20.22.0/24[0] proto=any dir=out
> > Dec 10 08:55:13 racoon: ERROR: such policy already exists. anyway replace it: 172.20.22.0/24[0] 0.0.0.0/0[0] proto=any dir=in
> > Dec 10 08:55:13 racoon: ERROR: such policy already exists. anyway replace it: 0.0.0.0/0[0] 172.20.20.0/24[0] proto=any dir=out
> > Dec 10 08:55:13 racoon: ERROR: such policy already exists. anyway replace it: 172.20.20.0/24[0] 0.0.0.0/0[0] proto=any dir=in
> >
> > .......
> >
> >
> >
> > Drovalev Roman Nikolaevich.
> >
> >
> >
> Please do not top-post.
> It is not the full log, is it? It does not say anything about the failure. There
> must be something like 'timeout' or another error. Are you sure you are
> receiving packets from the remote site on WAN?
> Evgeny.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>
> Commercial support available - https://portal.pfsense.org
>