Netgate m1n1wall

Author Topic: IPsec

Jonb
IPsec
« on: July 09, 2008, 07:50:05 am »
When I installed this, the IPsec tunnels were no longer listed in the SA section. I tried to re-save the IPsec tunnels, but it wouldn't recreate them.
For IP connectivity, Cloud Backup and UK co-lo hosting check us out.
http://www.peerpointinternet.co.uk

Ma.S.Caos.-
Re: IPsec
« Reply #1 on: July 10, 2008, 02:09:12 am »
Same for me: IPsec does not work.

1.2.1-TESTING-SNAPSHOT
built on Wed Jul 9 01:01:43 EDT 2008

Matteo

Ma.S.Caos.-
Re: IPsec
« Reply #2 on: July 10, 2008, 02:39:17 am »
With the version 1.2.1-TESTING-SNAPSHOT built on Thu Jul 10 00:10:45 EDT 2008, IPsec also doesn't work.

Matteo

:(

Jonb
Re: IPsec
« Reply #3 on: July 10, 2008, 04:25:25 am »
I think this is something you will need to give them time to fix.

celtic
Re: IPsec
« Reply #4 on: July 10, 2008, 01:25:43 pm »
Here is my log.

My log (1.2.1 testing, 07-10):
Jul 10 20:15:11    racoon: ERROR: failed to pre-process packet.
Jul 10 20:15:11    racoon: ERROR: failed to get proposal for responder.
Jul 10 20:15:11    racoon: [Unknown Gateway/Dynamic]: ERROR: no policy found: remote lan/24[0] local Lan/24[0] proto=any dir=in
Jul 10 20:15:11    racoon: [Bas !!]: INFO: respond new phase 2 negotiation: local WAN[0]<=>remote wan[0]
Jul 10 20:15:01    racoon: ERROR: failed to pre-process packet.
Jul 10 20:15:01    racoon: ERROR: failed to get proposal for responder.
Jul 10 20:15:01    racoon: ERROR: no policy found: remote lan[0] local lan/24[0] proto=any dir=in
Jul 10 20:15:01    racoon: [Bas !!]: INFO: respond new phase 2 negotiation: local wan[0]<=>remote wan[0]

Remote log (1.2 embedded):
Jul 10 19:50:00    racoon: INFO: ISAKMP-SA expired local wan[500]-My wan[500] spi:46ad15180bb8f90f:46f3c69382edae8e
Jul 10 19:50:00    racoon: ERROR: unknown Informational exchange received.
Jul 10 19:50:00    racoon: INFO: IPsec-SA request for My wan queued due to no phase1 found.
Jul 10 19:50:00    racoon: INFO: initiate new phase 1 negotiation: local wan[500]<=>my wan[500]
Jul 10 19:50:00    racoon: INFO: begin Aggressive mode.
Jul 10 19:50:00    racoon: INFO: received Vendor ID: DPD

Hope this helps... if you need anything more, let me know.

sullrich
Re: IPsec
« Reply #5 on: July 10, 2008, 03:06:01 pm »
What happens if you run /usr/local/sbin/setkey ...? Please post the output.

celtic
Re: IPsec
« Reply #6 on: July 10, 2008, 04:18:43 pm »
# /usr/local/sbin/setkey
/usr/local/sbin/setkey: Command not found.
#


sullrich
Re: IPsec
« Reply #7 on: July 10, 2008, 11:35:30 pm »
Please issue:

ls -lah /usr/local/sbin/

celtic
Re: IPsec
« Reply #8 on: July 11, 2008, 12:59:40 am »
# ls -lah /usr/local/sbin/
total 3366
drwxr-xr-x   2 root  wheel   1.0K Jul  8 13:19 .
drwxr-xr-x  16 root  wheel   512B Jul  8 13:18 ..
-r-xr-xr-x   1 root  wheel   6.8K Jul  8 13:19 check_reload_status
-r-xr-xr-x   1 root  wheel   7.1K Jul  8 13:19 choparp
-r-xr-xr-x   1 root  wheel    31K Jul  8 12:08 dfuife_curses
-rwxr-xr-x   1 root  wheel   505K Jul  8 13:19 dhcpd
-rwxr-xr-x   1 root  wheel   128K Jul  8 13:19 dhcrelay
-r-xr-xr-x   1 root  wheel   133K Jul  8 13:19 dnsmasq
-rwxr-xr-x   1 root  wheel   9.9K Jul  8 13:19 expiretable
-r-xr-xr-x   1 root  wheel    22K Jul  8 13:19 fping
-r-xr-xr-x   1 root  wheel    15K Jul  8 13:19 ftpsesame
-r-xr-xr-x   1 root  wheel   134K Jul  8 12:12 grub
-r-xr-xr-x   1 root  wheel    13K Jul  8 12:12 grub-install
-r-xr-xr-x   1 root  wheel   2.3K Jul  8 12:12 grub-md5-crypt
-r-xr-xr-x   1 root  wheel   2.5K Jul  8 12:12 grub-set-default
-r-xr-xr-x   1 root  wheel   2.4K Jul  8 12:12 grub-terminfo
-r-xr-xr-x   1 root  wheel   157K Jul  8 13:19 lighttpd
-r-xr-xr-x   1 root  wheel    43K Jul  8 13:19 miniupnpd
-r-xr-xr-x   1 root  wheel   239K Jul  8 13:19 mpd
-r-xr-xr-x   1 root  wheel    31K Jul  8 13:19 ntpd
-rwxr-xr-x   1 root  wheel   152K Jul  8 13:19 olsrd
-r-xr-xr-x   1 root  wheel   357K Jul  8 13:19 openvpn
-rwxr-xr-x   1 root  wheel   8.5K Apr 14 19:31 pfSsh.php
-r-xr-xr-x   1 root  wheel    98K Jul  8 13:19 pftop
-r-xr-xr-x   1 root  wheel    22K Jul  8 13:19 pftpx
-rwxr-xr-x   1 root  wheel   613B Nov 28  2005 ppp-linkup
-r-xr-xr-x   1 root  wheel   1.0M Jul  8 13:19 racoon
-r-xr-xr-x   1 root  wheel    48K Jul  8 13:19 racoonctl
-rwxr-xr-x   1 root  wheel   361B Jan 31 05:36 reset_slbd.sh
-rwxr-xr-x   1 root  wheel   551B Jun 10  2006 show_filter_reload_status.php
-rwxr-xr-x   1 root  wheel    29K Jul  8 13:19 slbd
-r-xr-xr-x   1 root  wheel   3.0K Jul  8 13:19 ssh_tunnel_shell
-r-xr-xr-x   1 root  wheel   4.4K Jul  8 13:19 sshlockout_pf
-rwxr-xr-x   1 root  wheel    75B Apr 11  2006 vpn-linkdown
-rwxr-xr-x   1 root  wheel    75B Apr 11  2006 vpn-linkup
#

Always fun... two people trying to help each other... in different time zones :)

Ma.S.Caos.-
Re: IPsec
« Reply #9 on: July 11, 2008, 02:35:56 am »
# ls -lah /usr/local/sbin/
total 4522
drwxr-xr-x   2 root  wheel   1.0K Jul 10 09:22 .
drwxr-xr-x  18 root  wheel   512B Jul 10 09:23 ..
-rwxr-xr-x   1 root  wheel   5.3K Nov  4  2005 atareinit
-rwxr-xr-x   1 root  wheel    46K Nov  7  2004 bpalogin
-rwxr-xr-x   1 root  wheel   6.8K May 18  2007 check_reload_status
-rwxr-xr-x   1 root  wheel   7.1K Nov  4  2005 choparp
-rwxr-xr-x   1 root  wheel   505K Jan 18  2007 dhcpd
-rwxr-xr-x   1 root  wheel   128K Jan 13  2006 dhcrelay
-rwxr-xr-x   1 root  wheel   192K Mar  8  2005 dnsextd
-rwxr-xr-x   1 root  wheel   133K Jul 27  2007 dnsmasq
-rwxr-xr-x   1 root  wheel   4.7K Mar 13  2005 env4801
-rwxr-xr-x   1 root  wheel   9.9K Jul 10  2005 expiretable
-rwxr-xr-x   1 root  wheel    22K Apr 19  2007 fping
-rwxr-xr-x   1 root  wheel    15K Jul 11  2007 ftpsesame
-rwxr-xr-x   1 root  wheel   795K Nov  8  2005 gzsig
-rwxr-xr-x   1 root  wheel   3.3K Nov  4  2005 kbdcheck
-rwxr-xr-x   1 root  wheel   157K Sep 11  2007 lighttpd
-rwxr-xr-x   1 root  wheel   220K Mar  8  2005 mdnsd
-rwxr-xr-x   1 root  wheel    43K Sep 29  2007 miniupnpd
-rwxr-xr-x   1 root  wheel   239K Jan  6  2008 mpd
-rwxr-xr-x   1 root  wheel    31K Oct  3  2006 ntpd
-rwxr-xr-x   1 root  wheel   152K Feb 13  2007 olsrd
-rwxr-xr-x   1 root  wheel   357K Sep 13  2007 openvpn
-rwxr-xr-x   1 root  wheel   8.5K Nov 24  2007 pfSsh.php
-rwxr-xr-x   1 root  wheel    98K May 27  2007 pftop
-rwxr-xr-x   1 root  wheel    22K Jun 30  2007 pftpx
-rwxr-xr-x   1 root  wheel   613B Nov 28  2005 ppp-linkup
-rwxr-xr-x   1 root  wheel   1.0M Feb  1 22:32 racoon
-rwxr-xr-x   1 root  wheel   669B Oct  4  2007 racoon_watch.sh
-rwxr-xr-x   1 root  wheel    48K Dec 26  2005 racoonctl
-rwxr-xr-x   1 root  wheel   361B Jan 31 05:36 reset_slbd.sh
-rwxr-xr-x   1 root  wheel    37K Aug 19  2005 sasyncd
-rwxr-xr-x   1 root  wheel   551B Jun 10  2006 show_filter_reload_status.php
-rwxr-xr-x   1 root  wheel    29K Apr 24  2007 slbd
-rwxr-xr-x   1 root  wheel   3.0K Jun  5  2006 ssh_tunnel_shell
-rwxr-xr-x   1 root  wheel   4.4K Nov  4  2005 sshlockout_pf
-rwxr-xr-x   1 root  wheel    75B Apr 11  2006 vpn-linkdown
-rwxr-xr-x   1 root  wheel    75B Apr 11  2006 vpn-linkup
#

celtic
Re: IPsec
« Reply #10 on: July 12, 2008, 05:15:22 am »
1.2.1-TESTING-SNAPSHOT
built on Fri Jul 11 01:40:31 EDT 2008

# ls -lah /usr/local/sbin/
total 3366
drwxr-xr-x   2 root  wheel   1.0K Jul  8 13:19 .
drwxr-xr-x  16 root  wheel   512B Jul  8 13:18 ..
-r-xr-xr-x   1 root  wheel   6.8K Jul  8 13:19 check_reload_status
-r-xr-xr-x   1 root  wheel   7.1K Jul  8 13:19 choparp
-r-xr-xr-x   1 root  wheel    31K Jul  8 12:08 dfuife_curses
-rwxr-xr-x   1 root  wheel   505K Jul  8 13:19 dhcpd
-rwxr-xr-x   1 root  wheel   128K Jul  8 13:19 dhcrelay
-r-xr-xr-x   1 root  wheel   133K Jul  8 13:19 dnsmasq
-rwxr-xr-x   1 root  wheel   9.9K Jul  8 13:19 expiretable
-r-xr-xr-x   1 root  wheel    22K Jul  8 13:19 fping
-r-xr-xr-x   1 root  wheel    15K Jul  8 13:19 ftpsesame
-r-xr-xr-x   1 root  wheel   134K Jul  8 12:12 grub
-r-xr-xr-x   1 root  wheel    13K Jul  8 12:12 grub-install
-r-xr-xr-x   1 root  wheel   2.3K Jul  8 12:12 grub-md5-crypt
-r-xr-xr-x   1 root  wheel   2.5K Jul  8 12:12 grub-set-default
-r-xr-xr-x   1 root  wheel   2.4K Jul  8 12:12 grub-terminfo
-r-xr-xr-x   1 root  wheel   157K Jul  8 13:19 lighttpd
-r-xr-xr-x   1 root  wheel    43K Jul  8 13:19 miniupnpd
-r-xr-xr-x   1 root  wheel   239K Jul  8 13:19 mpd
-r-xr-xr-x   1 root  wheel    31K Jul  8 13:19 ntpd
-rwxr-xr-x   1 root  wheel   152K Jul  8 13:19 olsrd
-r-xr-xr-x   1 root  wheel   357K Jul  8 13:19 openvpn
-rwxr-xr-x   1 root  wheel   8.5K Apr 14 19:31 pfSsh.php
-r-xr-xr-x   1 root  wheel    98K Jul  8 13:19 pftop
-r-xr-xr-x   1 root  wheel    22K Jul  8 13:19 pftpx
-rwxr-xr-x   1 root  wheel   613B Nov 28  2005 ppp-linkup
-r-xr-xr-x   1 root  wheel   1.0M Jul  8 13:19 racoon
-r-xr-xr-x   1 root  wheel    48K Jul  8 13:19 racoonctl
-rwxr-xr-x   1 root  wheel   361B Jan 31 05:36 reset_slbd.sh
-rwxr-xr-x   1 root  wheel   551B Jun 10  2006 show_filter_reload_status.php
-rwxr-xr-x   1 root  wheel    29K Jul  8 13:19 slbd
-r-xr-xr-x   1 root  wheel   3.0K Jul  8 13:19 ssh_tunnel_shell
-r-xr-xr-x   1 root  wheel   4.4K Jul  8 13:19 sshlockout_pf
-rwxr-xr-x   1 root  wheel    75B Apr 11  2006 vpn-linkdown
-rwxr-xr-x   1 root  wheel    75B Apr 11  2006 vpn-linkup
#

celtic
Re: IPsec
« Reply #11 on: July 12, 2008, 07:06:29 am »
Did a fresh install instead of the upgrade this time...

# ls -lah /usr/local/sbin/
total 3366
drwxr-xr-x   2 root  wheel   1.0K Jul 11 07:35 .
drwxr-xr-x  15 root  wheel   512B Jul 11 07:33 ..
-r-xr-xr-x   1 root  wheel   6.8K Jul 11 07:35 check_reload_status
-r-xr-xr-x   1 root  wheel   7.1K Jul 11 07:35 choparp
-r-xr-xr-x   1 root  wheel    31K Jul 11 06:44 dfuife_curses
-rwxr-xr-x   1 root  wheel   505K Jul 11 07:35 dhcpd
-rwxr-xr-x   1 root  wheel   128K Jul 11 07:35 dhcrelay
-r-xr-xr-x   1 root  wheel   133K Jul 11 07:35 dnsmasq
-rwxr-xr-x   1 root  wheel   9.9K Jul 11 07:35 expiretable
-r-xr-xr-x   1 root  wheel    22K Jul 11 07:35 fping
-r-xr-xr-x   1 root  wheel    15K Jul 11 07:35 ftpsesame
-r-xr-xr-x   1 root  wheel   134K Jul 10 04:58 grub
-r-xr-xr-x   1 root  wheel    13K Jul 10 04:58 grub-install
-r-xr-xr-x   1 root  wheel   2.3K Jul 10 04:58 grub-md5-crypt
-r-xr-xr-x   1 root  wheel   2.5K Jul 10 04:58 grub-set-default
-r-xr-xr-x   1 root  wheel   2.4K Jul 10 04:58 grub-terminfo
-r-xr-xr-x   1 root  wheel   157K Jul 11 07:35 lighttpd
-r-xr-xr-x   1 root  wheel    43K Jul 11 07:35 miniupnpd
-r-xr-xr-x   1 root  wheel   239K Jul 11 07:35 mpd
-r-xr-xr-x   1 root  wheel    31K Jul 11 07:35 ntpd
-rwxr-xr-x   1 root  wheel   152K Jul 11 07:35 olsrd
-r-xr-xr-x   1 root  wheel   357K Jul 11 07:35 openvpn
-rwxr-xr-x   1 root  wheel   8.5K Apr 14 19:31 pfSsh.php
-r-xr-xr-x   1 root  wheel    98K Jul 11 07:35 pftop
-r-xr-xr-x   1 root  wheel    22K Jul 11 07:35 pftpx
-rwxr-xr-x   1 root  wheel   613B Nov 28  2005 ppp-linkup
-r-xr-xr-x   1 root  wheel   1.0M Jul 11 07:35 racoon
-r-xr-xr-x   1 root  wheel    48K Jul 11 07:35 racoonctl
-rwxr-xr-x   1 root  wheel   361B Jan 31 05:36 reset_slbd.sh
-rwxr-xr-x   1 root  wheel   551B Jun 10  2006 show_filter_reload_status.php
-rwxr-xr-x   1 root  wheel    29K Jul 11 07:35 slbd
-r-xr-xr-x   1 root  wheel   3.0K Jul 11 07:35 ssh_tunnel_shell
-r-xr-xr-x   1 root  wheel   4.4K Jul 11 07:35 sshlockout_pf
-rwxr-xr-x   1 root  wheel    75B Apr 11  2006 vpn-linkdown
-rwxr-xr-x   1 root  wheel    75B Apr 11  2006 vpn-linkup

Not much change here... but setkey is in /sbin now...

Is there any way I can do more testing for you guys?

My logs while trying to get a connection with a 1.2 pfSense:
Jul 12 14:01:57    last message repeated 3 times
Jul 12 14:01:27 racoon: ERROR: couldn't find configuration.
Jul 12 14:01:05 racoon: [Self]: INFO: 85.223.49.41[500] used as isakmp port (fd=15)
Jul 12 14:01:05 racoon: [Self]: INFO: 172.16.66.254[500] used as isakmp port (fd=14)
Jul 12 14:01:05 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=13)
Jul 12 14:01:04 racoon: [Self]: INFO: 85.223.49.41[500] used as isakmp port (fd=15)
Jul 12 14:01:04 racoon: [Self]: INFO: 172.16.66.254[500] used as isakmp port (fd=14)
Jul 12 14:01:04 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=13)
Jul 12 14:01:03 racoon: [Self]: INFO: 85.223.49.41[500] used as isakmp port (fd=15)
Jul 12 14:01:03 racoon: [Self]: INFO: 172.16.66.254[500] used as isakmp port (fd=14)
Jul 12 14:01:03 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=13)
Jul 12 14:01:03 racoon: [Self]: INFO: 85.223.49.41[500] used as isakmp port (fd=15)
Jul 12 14:01:03 racoon: [Self]: INFO: 172.16.66.254[500] used as isakmp port (fd=14)
Jul 12 14:01:03 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=13)

Still no SAs, by the way.

After rebooting and trying some different settings...

Jul 12 14:37:21 racoon: ERROR: failed to pre-process packet.
Jul 12 14:37:21 racoon: ERROR: failed to get proposal for responder.
Jul 12 14:37:21 racoon: [Unknown Gateway/Dynamic]: ERROR: no policy found: 172.17.77.0/24[0] 172.16.66.0/24[0] proto=any dir=in
Jul 12 14:37:21 racoon: [Bas]: INFO: respond new phase 2 negotiation: 85.223.49.41[0]<=>85.223.50.134[0]
Jul 12 14:37:11 racoon: ERROR: failed to pre-process packet.
Jul 12 14:37:11 racoon: ERROR: failed to get proposal for responder.
Jul 12 14:37:11 racoon: ERROR: no policy found: 172.17.77.0/24[0] 172.16.66.0/24[0] proto=any dir=in
Jul 12 14:37:11 racoon: [Bas]: INFO: respond new phase 2 negotiation: 85.223.49.41[0]<=>85.223.50.134[0]
« Last Edit: July 12, 2008, 07:41:52 am by celtic »
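The logs celtic posted in Reply #4 and in the post above fail at the same point: racoon accepts the peer's phase 2 request and then reports "no policy found" for the remote-LAN to local-LAN selectors, which means the kernel SPD has no matching entry, so no proposal can be selected and the exchange is dropped (the "failed to get proposal" and "failed to pre-process packet" lines are consequences of that). The triage script below is an added example, not code from pfSense or from any poster: it parses lines in racoon's syslog format, groups the missing-policy errors by selector, attaches the gateway pair from the preceding phase 2 line, and prints the setkey(8) policy that would have had to exist. The sample lines are constructed from the ones posted; the ESP tunnel-mode "require" form of the expected policy is an assumption about the tunnel settings.

```python
"""Triage racoon log lines for phase 2 "no policy found" failures.

Added example for this thread, not code from pfSense or from any poster.
The sample lines at the bottom are constructed from the ones celtic posted.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Optional, Sequence, Tuple

# "<Mon dd HH:MM:SS> racoon: [<peer tag>]: <LEVEL>: <message>"; the peer tag is optional.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+racoon:\s*"
    r"(?:\[(?P<peer>[^\]]*)\]:\s*)?"
    r"(?P<level>INFO|ERROR|WARNING|NOTIFY|DEBUG):\s*(?P<msg>.*)$"
)
# racoon prints the SPD selectors it looked up as "<src>[port] <dst>[port] proto=.. dir=..";
# for dir=in the first one is the remote network and the second the local network.
NO_POLICY_RE = re.compile(
    r"no policy found:\s*(?P<src>\S+?)\[\d+\]\s+(?P<dst>\S+?)\[\d+\]"
    r"\s+proto=(?P<proto>\S+)\s+dir=(?P<dir>\S+)"
)
# Responder side: "<local gateway>[port]<=><remote gateway>[port]".
PHASE2_RE = re.compile(
    r"respond new phase 2 negotiation:\s*(?P<local>[\d.]+)\[\d+\]<=>(?P<remote>[\d.]+)\[\d+\]"
)


@dataclass
class MissingPolicy:
    src: str
    dst: str
    proto: str
    direction: str
    local_gw: Optional[str] = None
    remote_gw: Optional[str] = None
    count: int = 0

    def expected_spdadd(self) -> Optional[str]:
        """The setkey(8) SPD entry racoon was looking for (assumed: ESP, tunnel mode).

        Outer addresses run from the sender's gateway to the receiver's, so an
        inbound policy points from the remote gateway to the local one.
        """
        if not (self.local_gw and self.remote_gw):
            return None
        outer = (f"{self.remote_gw}-{self.local_gw}" if self.direction == "in"
                 else f"{self.local_gw}-{self.remote_gw}")
        return (f"spdadd {self.src} {self.dst} {self.proto} -P {self.direction} "
                f"ipsec esp/tunnel/{outer}/require;")


def triage(lines: Sequence[str], newest_first: bool = False) -> Dict[str, object]:
    """Walk the log in chronological order and collect what racoon could not find."""
    ordered = list(reversed(lines)) if newest_first else list(lines)
    missing: Dict[Tuple[str, str, str, str], MissingPolicy] = {}
    other_errors: Counter = Counter()
    gateways: Tuple[Optional[str], Optional[str]] = (None, None)
    for raw in ordered:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # e.g. "last message repeated N times"
        msg = m["msg"]
        p2 = PHASE2_RE.search(msg)
        if p2:
            gateways = (p2["local"], p2["remote"])  # remembered for the errors that follow
            continue
        np = NO_POLICY_RE.search(msg)
        if np:
            key = (np["src"], np["dst"], np["proto"], np["dir"])
            entry = missing.setdefault(key, MissingPolicy(*key))
            if entry.local_gw is None and gateways[0]:
                entry.local_gw, entry.remote_gw = gateways
            entry.count += 1
            continue
        if m["level"] == "ERROR":
            other_errors[msg] += 1
    return {"missing_policies": list(missing.values()), "other_errors": other_errors}


# Constructed from the lines celtic posted, newest first as the log viewer shows them.
SAMPLE_LINES = [
    "Jul 12 14:37:21 racoon: ERROR: failed to pre-process packet.",
    "Jul 12 14:37:21 racoon: ERROR: failed to get proposal for responder.",
    "Jul 12 14:37:21 racoon: [Unknown Gateway/Dynamic]: ERROR: no policy found: "
    "172.17.77.0/24[0] 172.16.66.0/24[0] proto=any dir=in",
    "Jul 12 14:37:21 racoon: [Bas]: INFO: respond new phase 2 negotiation: "
    "85.223.49.41[0]<=>85.223.50.134[0]",
    "Jul 12 14:37:11 racoon: ERROR: failed to pre-process packet.",
    "Jul 12 14:37:11 racoon: ERROR: failed to get proposal for responder.",
    "Jul 12 14:37:11 racoon: ERROR: no policy found: 172.17.77.0/24[0] 172.16.66.0/24[0] proto=any dir=in",
    "Jul 12 14:37:11 racoon: [Bas]: INFO: respond new phase 2 negotiation: "
    "85.223.49.41[0]<=>85.223.50.134[0]",
    "Jul 12 14:01:57 last message repeated 3 times",
    "Jul 12 14:01:27 racoon: ERROR: couldn't find configuration.",
    "Jul 12 14:01:05 racoon: [Self]: INFO: 85.223.49.41[500] used as isakmp port (fd=15)",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LINES, newest_first=True)
    for mp in result["missing_policies"]:
        print(f"{mp.count}x no SPD entry for {mp.src} -> {mp.dst} (dir={mp.direction})")
        print("    expected:", mp.expected_spdadd())
    for message, n in result["other_errors"].items():
        print(f"{n}x {message}")
```

On the firewall itself the check is `setkey -DP` (dumps the SPD) and `setkey -D` (dumps the SAD): if the GUI lists the tunnel but the SPD dump has no `in`/`out` entries for the two networks, the fault is in the configuration generated on this side, not at the peer. The "couldn't find configuration" error is a different failure (phase 1 found no matching remote section) and is counted separately.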

celtic
Re: IPsec
« Reply #12 on: July 13, 2008, 02:50:17 pm »
IPsec is working... got some yellow crosses in Status => IPsec, but it is working... not that fast... was hoping that the AES stuff on my motherboard would do more... 15 Mbps with a VIA C3 1 GHz, not that shabby I presume...

Edit:
In the IPsec SA list:

Source    Destination    Protocol    SPI    Enc. alg.    Auth. alg.
Invalid   extension
Invalid   extension
Invalid   extension
Invalid   extension

No show stopper... but well... something is wrong...
« Last Edit: July 13, 2008, 02:52:48 pm by celtic »

David_W
Re: IPsec
« Reply #13 on: July 14, 2008, 06:35:59 am »
Quote from: celtic
was hoping that the AES stuff on my motherboard would do more... 15 Mbps with a VIA C3 1 GHz, not that shabby I presume...

Have a look at the dmesg - does a 'padlock' device show up? That's the device driver that supports the crypto features of the C3.

If it shows up, maybe pfSense isn't configured to make use of it, though the man page suggests it should work fine with the IPsec code that pfSense uses.

It's possible that this is a configuration error in the FreeBSD kernel being used in the current betas, which is why I'm suggesting you look at the dmesg.

celtic
Re: IPsec
« Reply #14 on: July 14, 2008, 06:47:23 am »
No "padlock" in dmesg... :-(