next »

[romegas]

Hello,

I have two IPSEC tunnels created.

The remote parameters for both tunnels are exactly the same.

The only difference between the 2 tunnels is the local subnet. First tunnel is for local subnet 192.168.1.0, second tunnel is for local subnet 192.168.2.0

They both look ON (green) on the Ipsec Overview Status.

But I always have the following error message :

*************************************************
racoon: ERROR: such policy already exists. anyway replace it: 192.168.2.0/24[0] 10.76.20.92/32[0] proto=any dir=out
racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 10.76.20.92/32[0] proto=any dir=out
racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.1/32[0] 192.168.1.0/24[0] proto=any dir=out
racoon: ERROR: such policy already exists. anyway replace it: 10.76.20.92/32[0] 192.168.2.0/24[0] proto=any dir=in
racoon: ERROR: such policy already exists. anyway replace it: 10.76.20.92/32[0] 192.168.1.0/24[0] proto=any dir=in
racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.1.1/32[0] proto=any dir=in
*************************************************



Does pfsense allow to create tunnels that similar (i mean tunnels that differ only with local subnet) ?

And if so, will these errors message "lead" to some communication errors ?

Thank you.

(pfsense 1.2)

[heiko]

from the same wan ip with a different subnet on one side you need different FQDN´s. Parallel Tunnel with the same WAN IP runs only in the aggressive mode. The FQDN Name is your free choice....

Example:

192.168.6.0/24 ----> FQDN : dmz@pfsense.org --> 192.168.10.0/24 (Same WAN IP)
192.168.6.0/24 -----> FQDN : lan@pfsense.org --> 192.168.20.0/24 (Same WAN IP)

[cybercare]

Sorry if this is dumb question but I am doing the same thing and was looking for a little more details.

I have the following:

MAN1 going to pfsense WAN w/ lan 172.16.22.0
MAN1 going to pfsense WAN w/ lan2 10.50.75.0

The MAN1 has one pub IP and one lan subnet, the WAN on other end has 2 lan subnets.

I tried to set the pfsense side that had 2 lan subnets to use My identifier: User FQDN: casa@mydomain.com on the first one and phones@mydomain.com on the second one however the VPN's went down and stayed dead. Do I need to set the other side to match on the User FQDN or did I miss something?

I am running 1.2final,

Thx

[heiko]

Yes, you need on both endpoint the same FQDN-identifier but different lan subnets, that´s the trick

[cybercare]

So because only 1 end has multi subnets this wont work? or am I missunderstanding and so long as I use FQDN and they match on both sides for both tunnels (each tunnel uniq FQDN of course) I am good?

One end has 1 pub and 1 lan subnet, other has 1 pub and 2 lan subnets.

Right now I have the original posters problem but they do work, just is a mess.