pfSense IPSEC VPN

athlon1.2

Has anyone gotten this working? I've read their VPN doc 3 or 4 times. Everything matches to the T, the VPN establishes a connection on both ends as shown by the traffic graphs and VPN status (green icon), however I just can't get traffic to pass through the VPN. Both sites of course are not on the same subnet...
 
Yup...I connect to the RV016 at my office...I have PFSense running on a laptop at home as my router. Runs great.
 
I've had a pfsense endpoint connected to my network many times (full Cisco core). It's a very straightforward configuration from what I can remember. I never liked the VPN status page; the best way to test is to force traffic from your subnet to the remote LAN (ping works best).

Also note that I've seen both of the pfsense green arrows as green but have noticed that the security association was not fully complete (encaps at one side, no decaps at the other). I'm fairly sure I would check the remote side and make sure that the crypto ACL (which defines your "interesting traffic") is the EXACT opposite of what it is on your side. I'm going to say that your SA isn't being established correctly because of misconfigured crypto ACLs (where you define your LAN). You may also want to define your LAN subnet and not use the LAN interface (this was how I had it set up).
 
Both ends are running pfSense.. I certainly can not ping from either site to the other.

I'll double check everything.

You may also want to define your LAN subnet and not use the LAN interface (this was how I had it set up).

Then how would I use it? The pfSense is the router/firewall for both sites.
 
Then how would I use it? The pfSense is the router/firewall for both sites.
http://www.edain.de/res/howtos/wlan_protection_1.png <-- stolen

but instead of selecting your LAN subnet, which is tied to your LAN interface through pfsense, you should be able to manually define your LAN subnet (192.168.1.0/24). I think it's a problem with your crypto ACL. Check out the ipsec logs as well... that will be able to tell you what exactly is going on. You can copy and paste them here if you would like.
 
Isn't it supposed to be 192.168.1.0/24?

I did do the auto but I figured what's the difference between me typing it and having the system auto generate it.
 
Ok I'm really pulling my hair on this one. 2 pfsense, same settings. Tried both 192.168.0.0/24 and 192.168.0.1/24 (other end is 192.168.12.1/24). Just tried default settings changing bare minimum to get it working and again will not pass any traffic. Logs are showing


Aug 28 01:04:09 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.

racoon: INFO: unsupported PF_KEY message REGISTER

Aug 28 01:04:03 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Aug 28 01:04:03 racoon: INFO: received Vendor ID: DPD
Aug 28 01:04:03 racoon: INFO: begin Aggressive mode.
Aug 28 01:04:03 racoon: [vpn]: INFO: respond new phase 1 negotiation: 216.x.x.x[500]<=>69.x.x.x[500]
Aug 28 01:03:59 racoon: INFO: begin Aggressive mode.
Aug 28 01:03:59 racoon: [vpn]: INFO: initiate new phase 1 negotiation: 216.x.x.x[500]<=>69.x.x.x[500]
Aug 28 01:03:59 racoon: [vpn]: INFO: IPsec-SA request for 69.x.x.x queued due to no phase1 found.

Does it matter if one end is using PPPoE (MTU 1492)? Pfsense PPPoE client did not work well, the connection was about as fast as a 14.4 modem. So the modem is set to do the PPPoE but it passes the public IP, no NAT, to the pfsense.
 
Does it matter if one end is using PPPoE (MTU 1492)? Pfsense PPPoE client did not work well, the connection was about as fast as a 14.4 modem. So the modem is set to do the PPPoE but it passes the public IP, no nat, to the pfsense.

Check that..sometimes some firewall rules on the "modem" can still be applied even if a public IP passes through them.
 
Does it matter if one end is using PPPoE (MTU 1492)? Pfsense PPPoE client did not work well, the connection was about as fast as a 14.4 modem. So the modem is set to do the PPPoE but it passes the public IP, no nat, to the pfsense.
Yes, you want the same MTU or the router is going to be fragmenting everything that passes through the tunnel.

It looks like phase 1 is failing from the logs that you posted, make sure that the PSK is the same on both ends.

Aug 28 01:04:03 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
^ this leads me to believe that they are not the same. Also make sure that in your firewall rules you are allowing the remote network to touch your LAN... or just create an "any any" ACL which is what most people do.

Get Phase 1 working, that's your first apparent problem.
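A small triage helper for racoon log lines like the ones quoted above. This is an added example, not the poster's or pfSense's code; the sample log is constructed from the quoted lines, and the "ISAKMP-SA established" success line it looks for is assumed wording.

```python
import re

# Constructed sample modelled on the racoon lines quoted in the thread (addresses masked as the poster did).
SAMPLE_LOG = """\
Aug 28 01:03:59 racoon: [vpn]: INFO: IPsec-SA request for 69.x.x.x queued due to no phase1 found.
Aug 28 01:03:59 racoon: [vpn]: INFO: initiate new phase 1 negotiation: 216.x.x.x[500]<=>69.x.x.x[500]
Aug 28 01:03:59 racoon: INFO: begin Aggressive mode.
Aug 28 01:04:03 racoon: [vpn]: INFO: respond new phase 1 negotiation: 216.x.x.x[500]<=>69.x.x.x[500]
Aug 28 01:04:03 racoon: INFO: begin Aggressive mode.
Aug 28 01:04:03 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Aug 28 01:04:09 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
"""

PHASE1_START = re.compile(r"(initiate|respond) new phase 1 negotiation: ([^\s\[]+)\[\d+\]<=>([^\s\[]+)\[\d+\]")
PHASE1_DONE = re.compile(r"ISAKMP-SA established")   # racoon's phase-1 success line (assumed wording)
PSK_MISSING = re.compile(r"couldn't find the proper pskey")

def triage_phase1(log_text):
    """Summarise phase-1 state from racoon log lines and list what to check on both ends."""
    stats = {"started": 0, "established": 0, "psk_misses": 0, "aggressive": 0, "peers": set()}
    for line in log_text.splitlines():
        m = PHASE1_START.search(line)
        if m:
            stats["started"] += 1
            stats["peers"].add((m.group(2), m.group(3)))
        if PHASE1_DONE.search(line):
            stats["established"] += 1
        if PSK_MISSING.search(line):
            stats["psk_misses"] += 1
        if "begin Aggressive mode" in line:
            stats["aggressive"] += 1
    findings = []
    if stats["started"] and not stats["established"]:
        findings.append("phase1_not_established")   # negotiations start but never complete
    if stats["psk_misses"]:
        findings.append("psk_lookup_failed")         # PSK or identifier does not match the peer's
    if stats["aggressive"]:
        findings.append("aggressive_mode")           # the config recommended later in the thread uses Main mode
    stats["findings"] = findings
    return stats
```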
 
So you are saying that by default pfsense will create the VPN but not a rule to pass traffic through it? I've left it up and running and in the past 24hrs it has not given any errors. Only INFO messages.

Everything APPEARS to be configured fine... just can't pass traffic.
 
So you are saying that by default pfsense will create the VPN but not a rule to pass traffic through it?
from what I remember, I had to add the rule manually.... check your rules, you'll find out :p ... Like I said though, your phase 1 looks like it's failing... if it's not, shame on pfsense coders... they don't know how to write proper logging :rolleyes:
 
Follow the pfsense guide and then just add a firewall rule under IPSEC that looks like this:



The pfsense wiki is correct except for what it says about firewall rules. The pfsense people don't seem to be interested in fixing it, either.
 
Why not just use OpenVPN for a site to site VPN? pfsense supports it.
 
Ok... Given these assumptions:
Location 1 LAN=x.x.x.x/24 ( i.e. 192.168.0.0/255.255.255.0)
Location 2 LAN=y.y.y.y/24 ( i.e. 192.168.1.0/255.255.255.0)
Both Locations MUST have different LAN IP Subnets.

Start with this config and move on from there.

BTW Please tell me that you have RDP forwarded to some machine on the far side so you aren't driving between sites... ;)

***Location 1 config***
Interface: WAN
Local Subnet: x.x.x.x (Location 1 LAN)
Remote subnet: y.y.y.y (Location 2 LAN)
Remote gateway= Public IP of PF Sense Box @ Location 2
Description: Location 2

Neg. Mode: MAIN
My identifier: My IP Address
Encryption: AES
Hash: SHA1
DH: 2
Lifetime: 28800
Auth Method: PSK
PSK: **changeme**

Protocol: ESP
Encryption: Rijndael (AES)
Hash: SHA1
PFS: ON
Lifetime: 28800

Keep alive: Location 2 LAN IP of PFSense Box


***Location 2 config***
Interface: WAN
Local Subnet: y.y.y.y (Location 2 LAN)
Remote subnet: x.x.x.x (Location 1 LAN)
Remote gateway= Public IP of PF Sense Box @ Location 1
Description: Location 1

Neg. Mode: MAIN
My identifier: My IP Address
Encryption: AES
Hash: SHA1
DH: 2
Lifetime: 28800
Auth Method: PSK
PSK: **changeme**

Protocol: ESP
Encryption: Rijndael (AES)
Hash: SHA1
PFS: ON
Lifetime: 28800

Keep alive: Location 1 LAN IP of PFSense Box
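To check that the two pfSense peers really mirror each other, here is an added example (not the poster's code or pfSense's own tooling) that compares two site configs laid out like the template above. The values are constructed placeholders, including the host-address subnet tried earlier in the thread.

```python
import ipaddress

# Constructed sample configs following the Location 1 / Location 2 template above
# (placeholder values, not the poster's).
LOCATION1 = {
    "local_subnet": "192.168.0.1/24",   # host bits set, as tried earlier in the thread
    "remote_subnet": "192.168.1.0/24", "neg_mode": "main", "p1_encryption": "aes",
    "p1_hash": "sha1", "dh_group": 2, "p1_lifetime": 28800, "psk": "changeme",
    "protocol": "esp", "p2_encryption": "aes", "p2_hash": "sha1", "pfs": True, "p2_lifetime": 28800,
}
LOCATION2 = {
    "local_subnet": "192.168.1.0/24",
    "remote_subnet": "192.168.0.0/24", "neg_mode": "main", "p1_encryption": "aes",
    "p1_hash": "sha1", "dh_group": 2, "p1_lifetime": 28800, "psk": "changeme ",  # trailing space
    "protocol": "esp", "p2_encryption": "aes", "p2_hash": "sha1", "pfs": True, "p2_lifetime": 28800,
}
# Proposal fields that must be identical on both peers for phase 1 and phase 2 to agree.
MUST_MATCH = ("neg_mode", "p1_encryption", "p1_hash", "dh_group", "p1_lifetime",
              "protocol", "p2_encryption", "p2_hash", "pfs", "p2_lifetime")

def parse_subnet(label, value, problems):
    # Accept only a true network address; 192.168.0.1/24 is a host address and is reported.
    try:
        return ipaddress.ip_network(value)           # strict=True rejects set host bits
    except ValueError:
        net = ipaddress.ip_network(value, strict=False)
        problems.append(f"{label}: {value} has host bits set; use {net}")
        return net

def check_site_to_site(a, b):
    """Return the mismatches between two peers' settings; an empty list means they mirror."""
    problems = []
    a_local = parse_subnet("site A local", a["local_subnet"], problems)
    a_remote = parse_subnet("site A remote", a["remote_subnet"], problems)
    b_local = parse_subnet("site B local", b["local_subnet"], problems)
    b_remote = parse_subnet("site B remote", b["remote_subnet"], problems)
    if a_local != b_remote or a_remote != b_local:   # crypto ACL must be the exact opposite
        problems.append("local/remote subnets are not mirrored between the peers")
    if a_local.overlaps(b_local):                    # both LANs must be distinct subnets
        problems.append("LAN subnets overlap; each site needs its own subnet")
    for key in MUST_MATCH:
        if a[key] != b[key]:
            problems.append(f"{key} differs: {a[key]!r} vs {b[key]!r}")
    if a["psk"] != b["psk"]:   # exact comparison: stray whitespace causes racoon's pskey NOTIFY
        problems.append("PSK differs (check for trailing whitespace or case)")
    return problems
```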
 
Can I use PFSense along with our current router and just use it to create the vpn links between both locations?
 
I don't know why not. But it'd really depend on your setup. What kinda router? What Internet connection?
 
Can I use PFSense along with our current router and just use it to create the vpn links between both locations?

If you open/forward the necessary ports which are required for whatever type of VPN tunnel you wish to build...usually most routers will allow that VPN traffic to be passed through. However...any computers you wish to have in the VPN tunnel will have to be behind the PFSense box. So you'd end up having piggybacked routers..."double NAT"...which is clunky. Why not remove "old" router...replace with the PFSense box...and keep it simple, streamlined, and efficient? Unless your original router is a really high end enterprise grade one costing in the thousands, any PFSense box you build will be many times superior to it, and your old router will be a performance bottleneck.
 
Well here's my network (kinda)

Our main office will have the PFSense router in place, it's the only router.

Then we rent servers from Softlayer, they already have routers in place but I would like to bring online a pfsense server there and connect it to our main office.

Anyone have an idea on how to do this? I guess someone that also rents servers from a datacenter would have a better idea of what I am talking about.
 
The approach I would try to take first.....see if Softlayer would un-NAT the IP address you use for your servers, and place your PFSense box in place. Your servers behind the PFSense box, with the WAN IP of the PFSense box taking the public IP address you get from them.
 