pfSense Forum » pfSense English Support » IPsec
Topic: ipsec
rana
« on: February 08, 2010, 07:48:46 pm »

Hello, I have been trying to set up IPsec.
I used this to set up my VPN:
http://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To

It looks like I can connect to my pfSense, but I can't ping any of my computers. Please help.

config loaded for site 'XXXXXXXXXX'
configuring client settings ...
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
local id configured
pre-shared key configured
bringing up tunnel ...
network device configured
tunnel enabled

See, don't have any problems there.
jimp
« Reply #1 on: February 08, 2010, 10:21:00 pm »

Did you add firewall rules under Firewall > Rules, on the IPsec tab?

Co-Author of pfSense: The Definitive Guide.

Need help fast? Try Commercial Support.

Also check the Doc Wiki for additional information.
rana
« Reply #2 on: February 09, 2010, 01:39:33 am »

Do you mean this?
rana
« Reply #3 on: February 09, 2010, 02:34:03 am »

Also, I hope this helps you to help me. Thank you.

Feb 8 15:48:26    racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established 67.49.xxx.xxx[500]-12.173.xxx.xxx[472] spi:ea5a84ca885ca505:c542fcd1decf936c
Feb 8 15:48:26    racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: 67.49.xxx.xxx[0]<=>12.173.xxx.xxx[0]
Feb 8 15:48:26    racoon: [Unknown Gateway/Dynamic]: INFO: no policy found, try to generate the policy : 192.168.4.32/32[0] 192.168.1.0/24[0] proto=any dir=in
Feb 8 15:48:27    racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP 12.173.xxx.xxx[0]->67.49.xxx.xxx[0] spi=161391074(0x99ea1e2)
Feb 8 15:48:27    racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP 67.49.xxx.xxx[0]->12.173.xxx.xxx[0] spi=1085753737(0x40b74989)
Feb 8 15:48:27    racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.4.32/32[0] 192.168.1.0/24[0] proto=any dir=in"
Feb 8 15:48:27    racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.1.0/24[0] 192.168.4.32/32[0] proto=any dir=out"
Feb 8 15:54:16    racoon: INFO: generated policy, deleting it.
Feb 8 15:54:16    racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA expired 67.49.xxx.xxx[500]-12.173.xxx.xxx[472] spi:ea5a84ca885ca505:c542fcd1decf936c
Feb 8 15:54:17    racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA deleted 67.49.xxx.xxx[500]-12.173.xxx.xxx[472] spi:ea5a84ca885ca505:c542fcd1decf936c
Feb 8 16:13:26    racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 67.49.xxx.xxx[500]<=>12.173.xxx.xxx[489]
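Added example, not part of the original thread: a small Python parser for racoon log lines in the layout posted above, separating phase 1 state, the ESP SAs and the generated-policy messages so that a completed negotiation can be told apart from a traffic or filtering problem. The function names are choices made for this example, and the sample is an excerpt of the posted lines with the addresses masked as in the post.

```python
import re

# Excerpt of the racoon lines posted above (addresses masked as in the post).
SAMPLE = """\
Feb 8 15:48:26    racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established 67.49.xxx.xxx[500]-12.173.xxx.xxx[472] spi:ea5a84ca885ca505:c542fcd1decf936c
Feb 8 15:48:26    racoon: [Unknown Gateway/Dynamic]: INFO: no policy found, try to generate the policy : 192.168.4.32/32[0] 192.168.1.0/24[0] proto=any dir=in
Feb 8 15:48:27    racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP 12.173.xxx.xxx[0]->67.49.xxx.xxx[0] spi=161391074(0x99ea1e2)
Feb 8 15:48:27    racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP 67.49.xxx.xxx[0]->12.173.xxx.xxx[0] spi=1085753737(0x40b74989)
Feb 8 15:48:27    racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.4.32/32[0] 192.168.1.0/24[0] proto=any dir=in"
Feb 8 15:54:16    racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA expired 67.49.xxx.xxx[500]-12.173.xxx.xxx[472] spi:ea5a84ca885ca505:c542fcd1decf936c
"""

LINE = re.compile(r"^(\w{3}\s+\d+\s+[\d:]{8})\s+racoon:\s+(?:\[[^\]]*\]:\s+)?(INFO|ERROR):\s+(.*)$")
PH1 = re.compile(r"ISAKMP-SA (established|expired|deleted) \S+ spi:(\w+):(\w+)")
PH2 = re.compile(r"IPsec-SA established: ESP ([^\[\s]+)\[\d+\]->([^\[\s]+)\[\d+\] spi=\d+\((0x[0-9a-f]+)\)")
SEL = re.compile(r"(\d+(?:\.\d+){3}/\d+)\[\d+\] (\d+(?:\.\d+){3}/\d+)\[\d+\] proto=(\S+) dir=(in|out)")


def summarize(text):
    """Group racoon messages into phase 1 state, phase 2 SAs and policy events."""
    out = {"phase1": {}, "esp": [], "generated": [], "errors": []}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a racoon line in the expected layout
        ts, level, msg = m.groups()
        if (p1 := PH1.search(msg)):
            # Key on the cookie pair so later state changes overwrite the same SA.
            out["phase1"][f"{p1.group(2)}:{p1.group(3)}"] = (p1.group(1), ts)
        elif (p2 := PH2.search(msg)):
            out["esp"].append({"src": p2.group(1), "dst": p2.group(2), "spi": p2.group(3)})
        elif (sel := SEL.search(msg)):
            entry = dict(zip(("src", "dst", "proto", "dir"), sel.groups()), ts=ts)
            out["errors" if level == "ERROR" else "generated"].append(entry)
    return out


def negotiated_both_ways(summary):
    """True when ESP SAs were logged in both directions between the same two peers."""
    pairs = {(sa["src"], sa["dst"]) for sa in summary["esp"]}
    return any((dst, src) in pairs for src, dst in pairs)


if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(s["phase1"], s["generated"], negotiated_both_ways(s), sep="\n")
```

On the posted lines this reports ESP SAs in both directions and a generated policy from 192.168.4.32/32 to 192.168.1.0/24.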
jimp
« Reply #4 on: February 09, 2010, 07:49:35 am »

Quote from rana: "do you mean this"

The protocol on that rule is set for only TCP. Change that to "Any".
rana
« Reply #5 on: February 09, 2010, 01:17:36 pm »

I tried that but no luck. Here are more pics.
I have been reading the book and I still don't get it. Please help, it's making me go crazy. I think I'm missing some rules or something.
« Last Edit: February 09, 2010, 05:23:45 pm by rana »
jimp
« Reply #6 on: February 10, 2010, 08:48:34 pm »

That all looks right.

Are you seeing any entries in the firewall log for the times you have tried to ping?

Is pfSense the default gateway for the PCs you are trying to ping?
rana
« Reply #7 on: February 10, 2010, 10:12:12 pm »

Nothing in the firewall logs, and yes, it's on the default gateway.
jimp
« Reply #8 on: February 12, 2010, 12:14:54 am »

Do you have the Dashboard package installed on pfSense? There is an IPsec status widget there which can report the status of mobile tunnels. I wonder if it shows as up/green in that view when the client is connected.
rana
« Reply #9 on: February 12, 2010, 01:47:03 am »

Active Tunnels: 0
Inactive Tunnels: 0

And nothing under Tunnel Status.
rkelleyrtp
« Reply #10 on: February 22, 2010, 08:54:22 pm »

Can you please tell us exactly what you are trying to accomplish? Are you configuring a site-to-site IPsec tunnel, or are you configuring mobile IPsec clients? Your screenshots seem to indicate you are doing a site-to-site tunnel. If so, what device is at the other end of the tunnel (Cisco, pfSense, etc.)?
rkelleyrtp
« Reply #11 on: February 22, 2010, 08:57:51 pm »

Sorry, my mistake.  Your screen grabs looked just like the site-to-site tunnel config screen.

What kind of logs does your client get during tunnel negotiation?  What kind of client are you using?