pfSense 1.2.3
--------
external ip: 1.1.1.1
internal ip: 172.20.1.20
internal network: 172.20.1.0/24
Centos 5.5
--------
external ip: 2.2.2.2
internal ip: 172.20.2.1
internal network: 172.20.2.0/24
pfSense config from a reset.
Firewall rule to allow all ipsec communication (all protocols).
pfSense ipsec config
--------------------
Mode: Tunnel
Interface: WAN (I'm not sure this should be WAN, but changing it to LAN makes no difference)
Local subnet: 172.20.1.0/24
Remote subnet: 172.20.2.0/24
Remote gateway: 2.2.2.2
Phase 1
Negotiation mode: aggressive
My identifier: My IP address
Encryption algorithm: 3DES
Hash algorithm: SHA1
DH key group: 2
Authentication method: Pre-shared key
Pre-Shared Key: secret
Phase 2
Protocol: ESP
Encryption algorithms: Rijndael (AES)
Hash algorithms: SHA1
PFS key group: 2
Centos ipsec config
-------------------
/etc/sysconfig/network-scripts/ifcfg-ipsec0
TYPE=IPSEC
ONBOOT=yes
IKE_METHOD=PSK
SRCGW=172.20.2.1
DSTGW=172.20.1.20
SRCNET=172.20.2.0/24
DSTNET=172.20.1.0/24
DST=1.1.1.1
/etc/sysconfig/network-scripts/keys-ipsec0
IKE_PSK=secret
/etc/racoon/racoon.conf
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
sainfo anonymous
{
pfs_group 2;
lifetime time 1 hour ;
encryption_algorithm rijndael ;
authentication_algorithm hmac_sha1 ;
compression_algorithm deflate ;
}
include "/etc/racoon/1.1.1.1.conf";
/etc/racoon/1.1.1.1.conf
remote 1.1.1.1
{
exchange_mode aggressive, main;
my_identifier address;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}
IPsec log of pfSense
--------------------
Nov 28 19:38:11 racoon: INFO: @(#)ipsec-tools 0.7.2 (http://ipsec-tools.sourceforge.net)
Nov 28 19:38:11 racoon: INFO: @(#)This product linked OpenSSL 0.9.8e 23 Feb 2007 (http://www.openssl.org/)
Nov 28 19:38:11 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
Nov 28 19:38:11 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=14)
Nov 28 19:38:11 racoon: [Self]: INFO: 1.1.1.1[500] used as isakmp port (fd=15)
Nov 28 19:38:11 racoon: [Self]: INFO: 172.20.1.20[500] used as isakmp port (fd=16)
Nov 28 19:38:11 racoon: INFO: unsupported PF_KEY message REGISTER
Nov 28 19:38:11 racoon: ERROR: such policy already exists. anyway replace it: 172.20.1.0/24[0] 172.20.2.0/24[0] proto=any dir=out
Nov 28 19:38:11 racoon: ERROR: such policy already exists. anyway replace it: 172.20.2.0/24[0] 172.20.1.0/24[0] proto=any dir=in
Nov 28 19:38:11 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=14)
Nov 28 19:38:11 racoon: [Self]: INFO: 1.1.1.1[500] used as isakmp port (fd=15)
Nov 28 19:38:11 racoon: [Self]: INFO: 172.20.1.20[500] used as isakmp port (fd=16)
Nov 28 19:41:11 racoon: [IPsec tunnel]: INFO: respond new phase 1 negotiation: 1.1.1.1[500]<=>2.2.2.2[500]
Nov 28 19:41:11 racoon: INFO: begin Aggressive mode.
Nov 28 19:41:11 racoon: INFO: received Vendor ID: DPD
Nov 28 19:41:11 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Nov 28 19:41:11 racoon: [IPsec tunnel]: INFO: ISAKMP-SA established 1.1.1.1[500]-2.2.2.2[500] spi:36580e589a8cb1e8:f3cef1de14e3ec5e
Nov 28 19:41:12 racoon: [IPsec tunnel]: INFO: respond new phase 2 negotiation: 1.1.1.1[0]<=>2.2.2.2[0]
Nov 28 19:41:12 racoon: ERROR: not matched
Nov 28 19:41:12 racoon: ERROR: no suitable policy found.
Nov 28 19:41:12 racoon: ERROR: failed to pre-process packet.
Nov 28 19:41:22 racoon: [IPsec tunnel]: INFO: respond new phase 2 negotiation: 1.1.1.1[0]<=>2.2.2.2[0]
Nov 28 19:41:22 racoon: ERROR: not matched
Nov 28 19:41:22 racoon: ERROR: no suitable policy found.
Nov 28 19:41:22 racoon: ERROR: failed to pre-process packet.
Nov 28 19:41:32 racoon: [IPsec tunnel]: INFO: respond new phase 2 negotiation: 1.1.1.1[0]<=>2.2.2.2[0]
Nov 28 19:41:32 racoon: ERROR: not matched
Nov 28 19:41:32 racoon: ERROR: no suitable policy found.
Nov 28 19:41:32 racoon: ERROR: failed to pre-process packet.
/var/log/messages of Centos
----------------------------
Nov 28 19:40:34 racoon: INFO: unsupported PF_KEY message REGISTER
Nov 28 19:40:34 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=37)
Nov 28 19:40:34 racoon: INFO: 127.0.0.1[500] used for NAT-T
Nov 28 19:40:34 racoon: INFO: 2.2.2.2[500] used as isakmp port (fd=38)
Nov 28 19:40:34 racoon: INFO: 2.2.2.2[500] used for NAT-T
Nov 28 19:40:34 racoon: INFO: 172.20.2.1[500] used as isakmp port (fd=39)
Nov 28 19:40:34 racoon: INFO: 172.20.2.1[500] used for NAT-T
Nov 28 19:40:34 racoon: INFO: ::1[500] used as isakmp port (fd=40)
Nov 28 19:40:34 racoon: INFO: fe80::216:1aff:fed9:1fc5%eth0[500] used as isakmp port (fd=41)
Nov 28 19:40:44 racoon: INFO: unsupported PF_KEY message REGISTER
Nov 28 19:40:44 last message repeated 4 times
Nov 28 19:40:44 racoon: ERROR: such policy already exists. anyway replace it: 172.20.2.0/24[0] 172.20.1.0/24[0] proto=any dir=out
Nov 28 19:40:44 racoon: ERROR: such policy already exists. anyway replace it: 172.20.1.0/24[0] 172.20.2.0/24[0] proto=any dir=in
Nov 28 19:40:44 racoon: ERROR: such policy already exists. anyway replace it: 172.20.1.0/24[0] 172.20.2.0/24[0] proto=any dir=fwd
Nov 28 19:40:44 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=38)
Nov 28 19:40:44 racoon: INFO: 127.0.0.1[500] used for NAT-T
Nov 28 19:40:44 racoon: INFO: 2.2.2.2[500] used as isakmp port (fd=39)
Nov 28 19:40:44 racoon: INFO: 2.2.2.2[500] used for NAT-T
Nov 28 19:40:44 racoon: INFO: 172.20.2.1[500] used as isakmp port (fd=40)
Nov 28 19:40:44 racoon: INFO: 172.20.2.1[500] used for NAT-T
Nov 28 19:40:44 racoon: INFO: ::1[500] used as isakmp port (fd=41)
Nov 28 19:40:44 racoon: INFO: fe80::216:1aff:fed9:1fc5%eth0[500] used as isakmp port (fd=42)
Nov 28 19:41:09 racoon: INFO: IPsec-SA request for 1.1.1.1 queued due to no phase1 found.
Nov 28 19:41:09 racoon: INFO: initiate new phase 1 negotiation: 2.2.2.2[500]<=>1.1.1.1[500]
Nov 28 19:41:09 racoon: INFO: begin Aggressive mode.
Nov 28 19:41:09 racoon: INFO: received Vendor ID: DPD
Nov 28 19:41:09 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Nov 28 19:41:09 racoon: INFO: ISAKMP-SA established 2.2.2.2[500]-1.1.1.1[500] spi:36580e589a8cb1e8:f3cef1de14e3ec5e
Nov 28 19:41:10 racoon: INFO: initiate new phase 2 negotiation: 2.2.2.2[500]<=>1.1.1.1[500]
Nov 28 19:41:10 racoon: ERROR: unknown notify message, no phase2 handle found.
Nov 28 19:41:30 last message repeated 2 times
Nov 28 19:41:40 racoon: INFO: IPsec-SA expired: AH/Tunnel 1.1.1.1[0]->2.2.2.2[0] spi=206806147(0xc539c83)
Nov 28 19:41:40 racoon: WARNING: the expire message is received but the handler has not been established.
Nov 28 19:41:40 racoon: ERROR: 1.1.1.1 give up to get IPsec-SA due to time up to wait.
Nov 28 19:41:40 racoon: INFO: IPsec-SA expired: ESP/Tunnel 1.1.1.1[0]->2.2.2.2[0] spi=72570967(0x4535857)
Changed the config of the Centos computer to:
/etc/sysconfig/network-scripts/ifcfg-ipsec0
TYPE=IPSEC
ONBOOT=yes
IKE_METHOD=PSK
AH_PROTO=none
SRCGW=172.20.2.1
DSTGW=172.20.1.20
SRCNET=172.20.2.0/24
DSTNET=172.20.1.0/24
DST=1.1.1.1
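As an added example, not part of the original post: a Python triage script run over the racoon lines quoted above (a constructed, abridged sample of the two logs) that checks whether the responder's phase 2 failure coincides with the initiator proposing an AH SA to an ESP-only peer, which is what AH_PROTO=none removes. The function names, verdict labels and the ESP-only default are mine, and the claim that the CentOS ifcfg script adds AH unless AH_PROTO=none is set is an assumption drawn from the AH/Tunnel SA visible in the CentOS log.

```python
import re

# Constructed sample: abridged lines from the two racoon logs quoted above.
PFSENSE_LOG = """\
Nov 28 19:41:11 racoon: [IPsec tunnel]: INFO: ISAKMP-SA established 1.1.1.1[500]-2.2.2.2[500] spi:36580e589a8cb1e8:f3cef1de14e3ec5e
Nov 28 19:41:12 racoon: [IPsec tunnel]: INFO: respond new phase 2 negotiation: 1.1.1.1[0]<=>2.2.2.2[0]
Nov 28 19:41:12 racoon: ERROR: not matched
Nov 28 19:41:12 racoon: ERROR: no suitable policy found.
"""
CENTOS_LOG = """\
Nov 28 19:41:09 racoon: INFO: ISAKMP-SA established 2.2.2.2[500]-1.1.1.1[500] spi:36580e589a8cb1e8:f3cef1de14e3ec5e
Nov 28 19:41:10 racoon: INFO: initiate new phase 2 negotiation: 2.2.2.2[500]<=>1.1.1.1[500]
Nov 28 19:41:40 racoon: INFO: IPsec-SA expired: AH/Tunnel 1.1.1.1[0]->2.2.2.2[0] spi=206806147(0xc539c83)
Nov 28 19:41:40 racoon: INFO: IPsec-SA expired: ESP/Tunnel 1.1.1.1[0]->2.2.2.2[0] spi=72570967(0x4535857)
"""
# An IPsec-SA the initiator set up and then let expire reveals which
# protocols (AH and/or ESP) it was proposing in phase 2.
SA_RE = re.compile(r"IPsec-SA expired: (AH|ESP)/Tunnel")

def initiator_protocols(initiator_log):
    """Protocols the initiator negotiated phase 2 SAs for, e.g. {'AH', 'ESP'}."""
    return {m.group(1) for m in map(SA_RE.search, initiator_log.splitlines()) if m}

def triage(responder_log, initiator_log, responder_protocols=("ESP",)):
    """Classify where negotiation broke down. responder_protocols is what the
    responder's phase 2 policy accepts; the pfSense config above is ESP only."""
    phase1_ok = ("ISAKMP-SA established" in responder_log
                 and "ISAKMP-SA established" in initiator_log)
    phase2_failed = "no suitable policy found" in responder_log
    extra = initiator_protocols(initiator_log) - set(responder_protocols)
    if not phase1_ok:
        verdict = "phase1-failed"
    elif phase2_failed and extra:
        verdict = "phase2-protocol-mismatch"  # e.g. AH proposed to an ESP-only peer
    elif phase2_failed:
        verdict = "phase2-policy-mismatch"    # subnets or algorithms; check the SPD
    else:
        verdict = "ok"
    return {"phase1_ok": phase1_ok, "phase2_failed": phase2_failed,
            "unexpected_protocols": sorted(extra), "verdict": verdict}

def ifcfg_proposes_ah(ifcfg_text):
    """True unless the CentOS 5 ifcfg-ipsecN file sets AH_PROTO=none. Assumption,
    consistent with the AH/Tunnel SA in the CentOS log: AH is added by default."""
    for line in ifcfg_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "AH_PROTO":
            return value.strip().lower() != "none"
    return True
```

Aggressive mode with a pre-shared key, as configured on both ends here, sends the identity hash unprotected, so once the tunnel comes up a strong PSK (and main mode where both peers allow it) is the usual hardening.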