
djno
IPsec tunnel looks OK but no firewall rules are generated
« on: February 06, 2006, 08:41:33 am »
Hello all,

I'm running a CARP system (pfSense 1.0-BETA1) and have been able to set up an IPsec tunnel with another pfSense system (both have static IPs and the VPN is running fine).
Now I would like to connect road warriors with IPsec as well. I'm trying to do this with software called TheGreenBow, using pre-shared keys.

I am able to open the tunnel, as the logs in TheGreenBow and pfSense show, but then no traffic can be sent through; it looks like no firewall rules permitting traffic between the two private networks are created on the pfSense system.

When I try to connect the tunnel, this is what the logs show in pfSense:
------------------------------------
racoon: INFO: respond new phase 1 negotiation: xx.yy.zz.220[500]<=>aa.bb.cc.133[500]
racoon: INFO: begin Aggressive mode.
racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
racoon: INFO: received Vendor ID: DPD
racoon: INFO: ISAKMP-SA established xx.yy.zz.220[500]-aa.bb.cc.133[500] spi:46677973de0cca8f:a8c09e2b878512c2
racoon: INFO: respond new phase 2 negotiation: xx.yy.zz.220[0]<=>aa.bb.cc.133[0]
racoon: INFO: Update the generated policy : 192.168.1.34/32[0] 192.168.2.0/24[0] proto=any dir=in
racoon: INFO: IPsec-SA established: ESP/Tunnel aa.bb.cc.133[0]->xx.yy.zz.220[0] spi=236417513(0xe1771e9)
racoon: INFO: IPsec-SA established: ESP/Tunnel xx.yy.zz.220[0]->aa.bb.cc.133[0] spi=3157787005(0xbc38017d)
racoon: ERROR: such policy does not already exist: "192.168.1.34/32[0] 192.168.2.0/24[0] proto=any dir=in"
racoon: ERROR: such policy does not already exist: "192.168.2.0/24[0] 192.168.1.34/32[0] proto=any dir=out"
------------------------------------

I have read through tutorials and forums (I'm a total newbie) but didn't find any clue to my problem, and any help will be really welcome.

Thanks in advance

djno
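The racoon messages quoted above can be read as one negotiation per peer: a phase 1 (ISAKMP) SA, two phase 2 ESP SAs (one per direction), and the SPD entries racoon generates for a road-warrior client. The script below is an added example, not code from this thread or from pfSense; it correlates those lines per remote peer, lists the generated policies in the form to look for in the output of `setkey -DP`, and flags what a practitioner would check next. The sample log is constructed from the lines in the post (two vendor-ID lines dropped); the assumption that `setkey -DP` prints port 0 as `[any]` is mine, as is the choice to treat the address on the left of `<=>` as the firewall's own.

```python
"""Correlate racoon IPsec log lines into a per-peer tunnel status.

Added example for this thread (not pfSense or racoon code). Parses the
phase 1, phase 2, 'Update the generated policy' and 'such policy does not
already exist' messages and reports, per remote peer, which SAs came up and
which SPD entries racoon claims to have generated.
"""
import re
from collections import defaultdict

# Constructed sample: the lines quoted in the post (two vendor-ID lines omitted).
SAMPLE_LOG = """\
racoon: INFO: respond new phase 1 negotiation: xx.yy.zz.220[500]<=>aa.bb.cc.133[500]
racoon: INFO: begin Aggressive mode.
racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
racoon: INFO: received Vendor ID: DPD
racoon: INFO: ISAKMP-SA established xx.yy.zz.220[500]-aa.bb.cc.133[500] spi:46677973de0cca8f:a8c09e2b878512c2
racoon: INFO: respond new phase 2 negotiation: xx.yy.zz.220[0]<=>aa.bb.cc.133[0]
racoon: INFO: Update the generated policy : 192.168.1.34/32[0] 192.168.2.0/24[0] proto=any dir=in
racoon: INFO: IPsec-SA established: ESP/Tunnel aa.bb.cc.133[0]->xx.yy.zz.220[0] spi=236417513(0xe1771e9)
racoon: INFO: IPsec-SA established: ESP/Tunnel xx.yy.zz.220[0]->aa.bb.cc.133[0] spi=3157787005(0xbc38017d)
racoon: ERROR: such policy does not already exist: "192.168.1.34/32[0] 192.168.2.0/24[0] proto=any dir=in"
racoon: ERROR: such policy does not already exist: "192.168.2.0/24[0] 192.168.1.34/32[0] proto=any dir=out"
"""

ADDR = r"[0-9A-Za-z.:]+"  # letters allowed because the post masked the addresses
PHASE1_START_RE = re.compile(rf"phase 1 negotiation: ({ADDR})\[\d+\]<=>({ADDR})\[\d+\]")
AGGR_RE = re.compile(r"begin Aggressive mode")
ISAKMP_RE = re.compile(rf"ISAKMP-SA established ({ADDR})\[\d+\]-({ADDR})\[\d+\] spi:(\w+):(\w+)")
ESP_RE = re.compile(rf"IPsec-SA established: ESP/(\w+) ({ADDR})\[\d+\]->({ADDR})\[\d+\] spi=(\d+)")
POLICY_RE = re.compile(r"Update the generated policy : (\S+) (\S+) proto=(\S+) dir=(in|out)")
MISSING_RE = re.compile(r'such policy does not already exist: "(\S+) (\S+) proto=(\S+) dir=(in|out)"')


def new_peer():
    return {"aggressive": False, "isakmp_spi": None, "esp_in": None, "esp_out": None,
            "policies": {}, "missing": []}


def analyze(log_text):
    """Return {remote_peer: state} built from the racoon lines in log_text."""
    local, current = None, None
    peers = defaultdict(new_peer)
    for line in log_text.splitlines():
        m = PHASE1_START_RE.search(line)
        if m:
            # Assumption: racoon prints our own address on the left of '<=>'.
            local, current = m.group(1), m.group(2)
            peers[current]  # register the peer even if nothing else follows
            continue
        if current is None:
            continue
        st = peers[current]
        if AGGR_RE.search(line):
            st["aggressive"] = True
        elif (m := ISAKMP_RE.search(line)):
            st["isakmp_spi"] = m.group(3) + ":" + m.group(4)
        elif (m := ESP_RE.search(line)):
            src, dst, spi = m.group(2), m.group(3), m.group(4)
            # An SA whose source is our address carries our outbound traffic.
            st["esp_out" if src == local else "esp_in"] = {"src": src, "dst": dst, "spi": spi}
        elif (m := POLICY_RE.search(line)):
            st["policies"][m.group(4)] = {"src": m.group(1), "dst": m.group(2), "proto": m.group(3)}
        elif (m := MISSING_RE.search(line)):
            st["missing"].append({"src": m.group(1), "dst": m.group(2),
                                  "proto": m.group(3), "dir": m.group(4)})
    return dict(peers)


def spd_index(src, dst, proto):
    """Policy index line as `setkey -DP` prints it (assumption: port 0 shown as [any])."""
    return f"{src} {dst} {proto}".replace("[0]", "[any]")


def expected_spd(peer_state):
    """SPD entries racoon mentioned for this peer, keyed by direction, ready to grep for."""
    entries = {d: spd_index(p["src"], p["dst"], p["proto"]) for d, p in peer_state["policies"].items()}
    for p in peer_state["missing"]:
        entries.setdefault(p["dir"], spd_index(p["src"], p["dst"], p["proto"]))
    return entries


def verdict(peer_state):
    """Findings a practitioner would act on for one peer."""
    notes = []
    if peer_state["isakmp_spi"] is None:
        notes.append("phase 1 never completed")
    elif peer_state["aggressive"]:
        notes.append("phase 1 used Aggressive mode: with a pre-shared key the identity and "
                     "PSK hash cross the wire unencrypted, so the PSK is exposed to offline guessing")
    if not (peer_state["esp_in"] and peer_state["esp_out"]):
        notes.append("phase 2 incomplete: an ESP SA is missing in one direction")
    elif set(expected_spd(peer_state)) != {"in", "out"}:
        notes.append("SAs exist but an SPD entry is missing for one direction: "
                     "traffic will not be selected into the tunnel")
    else:
        notes.append("SAs and generated policies in both directions look complete; confirm them "
                     "with `setkey -D` and `setkey -DP`, then check routing and NAT on the client")
    return notes


if __name__ == "__main__":
    for peer, st in analyze(SAMPLE_LOG).items():
        print(peer, "ISAKMP", st["isakmp_spi"], "ESP in/out",
              st["esp_in"] and st["esp_in"]["spi"], st["esp_out"] and st["esp_out"]["spi"])
        for d, idx in expected_spd(st).items():
            print("  expect in setkey -DP:", idx, "/", d)
        for n in verdict(st):
            print("  -", n)
```

Run it against the firewall's own IPsec log instead of `SAMPLE_LOG` and compare the "expect in setkey -DP" lines with the real SPD on the pfSense box; if both entries are present there, the SAs and policies are not what blocks the traffic and the client's remote-network and NAT settings are the next thing to look at.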

hoba (Administrator)
Re: IPsec tunnel looks OK but no firewall rules are generated
« Reply #1 on: February 06, 2006, 02:05:30 pm »
You shouldn't need any firewall rules, and actually we are not yet able to filter IPsec traffic anyway. I would check the GreenBow side, as the site-to-site connection is working. Also, are you connecting to the real IP or the CARP IP? If it is the CARP IP, have you configured the failover IPsec settings correctly? If using CARP IPsec it is also recommended to enable "prefer older SAs" at System > Advanced, so there is no need to generate new SAs under a failover condition (the tunnel will only be down for about 1-2 seconds then).

djno
Re: IPsec tunnel looks OK but no firewall rules are generated
« Reply #2 on: February 07, 2006, 01:17:12 am »
I will check the GreenBow settings. And I'm connecting to the CARP IP.
The failover IPsec settings look good; at least when I switch off the main fw, the backup fw also creates the IPsec tunnel (VPN always up).
Thank you for the hint concerning "prefer older SAs".

I know that the IPsec traffic cannot be filtered, but I still don't understand the following line in the IPsec logs:

racoon: INFO: Update the generated policy : 192.168.1.34/32[0] 192.168.2.0/24[0] proto=any dir=in

Quietlife2k
Re: IPsec tunnel looks OK but no firewall rules are generated
« Reply #3 on: February 16, 2006, 05:14:14 pm »
Quote from: djno on February 07, 2006, 01:17:12 am
    I will check the GreenBow settings. And I'm connecting to the CARP IP.
    The failover IPsec settings look good; at least when I switch off the main fw, the backup fw also creates the IPsec tunnel (VPN always up).
    Thank you for the hint concerning "prefer older SAs".

    I know that the IPsec traffic cannot be filtered, but I still don't understand the following line in the IPsec logs:

    racoon: INFO: Update the generated policy : 192.168.1.34/32[0] 192.168.2.0/24[0] proto=any dir=in

I am also getting this problem; it would seem that the rules are not being generated and applied properly for on-the-fly (road warrior) connections. Since "static" VPNs have the subnets etc. set up from the get-go, I'm not surprised that they work with no error.

I have tried:
TauVPN 0.36 0.36 0.40
The Green Bow 2.5.1.008

and all result in the same error in the IPsec logs.

Sadly, poking around on the cmd line is my limit (and I could not find ipsec.conf to "setkey" it).