Topic: 2 tunnels: same remote config, but 2 different local subnets

romegas
Hello,

I have two IPsec tunnels created.

The remote parameters for both tunnels are exactly the same.

The only difference between the 2 tunnels is the local subnet. The first tunnel is for local subnet 192.168.1.0, the second tunnel is for local subnet 192.168.2.0.

They both look ON (green) on the IPsec Overview Status.

But I always have the following error message:

*************************************************
racoon: ERROR: such policy already exists. anyway replace it: 192.168.2.0/24[0] 10.76.20.92/32[0] proto=any dir=out
racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 10.76.20.92/32[0] proto=any dir=out
racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.1/32[0] 192.168.1.0/24[0] proto=any dir=out
racoon: ERROR: such policy already exists. anyway replace it: 10.76.20.92/32[0] 192.168.2.0/24[0] proto=any dir=in
racoon: ERROR: such policy already exists. anyway replace it: 10.76.20.92/32[0] 192.168.1.0/24[0] proto=any dir=in
racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.1.1/32[0] proto=any dir=in
*************************************************
Does pfSense allow creating tunnels that are that similar (I mean tunnels that differ only in the local subnet)?

And if so, will these error messages "lead" to some communication errors?

Thank you.

(pfSense 1.2)
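The log block in the post above can be checked mechanically. The following Python script is an added example, not code from this thread, from pfSense or from racoon: it parses racoon's "such policy already exists" lines (the six lines quoted above are embedded as constructed sample input), recovers each SPD selector, and reports two things worth knowing before deciding whether the message matters: selectors that are exact duplicates (two tunnels competing for one policy entry) and remote endpoints that several local subnets point at (the two-tunnel layout the question describes). All function and variable names are my own.

```python
import re
from collections import Counter, defaultdict

# Matches racoon's "policy already exists" message and captures the SPD selector.
POLICY_RE = re.compile(
    r"such policy already exists\. anyway replace it: "
    r"(?P<src>[\d.]+/\d+)\[(?P<sport>\d+)\] "
    r"(?P<dst>[\d.]+/\d+)\[(?P<dport>\d+)\] "
    r"proto=(?P<proto>\S+) dir=(?P<dir>in|out)"
)

# Constructed sample input: the six racoon lines quoted in the post above.
SAMPLE_LOG = """\
racoon: ERROR: such policy already exists. anyway replace it: 192.168.2.0/24[0] 10.76.20.92/32[0] proto=any dir=out
racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 10.76.20.92/32[0] proto=any dir=out
racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.1/32[0] 192.168.1.0/24[0] proto=any dir=out
racoon: ERROR: such policy already exists. anyway replace it: 10.76.20.92/32[0] 192.168.2.0/24[0] proto=any dir=in
racoon: ERROR: such policy already exists. anyway replace it: 10.76.20.92/32[0] 192.168.1.0/24[0] proto=any dir=in
racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.1.1/32[0] proto=any dir=in
"""


def parse_policies(log_text):
    """Return one (src, dst, proto, direction) tuple per matching log line.

    Lines that are not racoon policy messages are ignored, so a whole
    system log can be fed in unchanged.
    """
    policies = []
    for line in log_text.splitlines():
        m = POLICY_RE.search(line)
        if m:
            policies.append((m["src"], m["dst"], m["proto"], m["dir"]))
    return policies


def local_and_remote(policy):
    """Split a selector into (local, remote) using the policy direction.

    For an outbound policy the source is the local side; for an inbound
    policy the destination is.
    """
    src, dst, _proto, direction = policy
    return (src, dst) if direction == "out" else (dst, src)


def exact_duplicates(policies):
    """Selectors that appear more than once: two tunnels competing for one SPD entry."""
    counts = Counter(policies)
    return sorted(p for p, n in counts.items() if n > 1)


def group_by_remote(policies):
    """Map (remote, direction) to the sorted list of local subnets that use it."""
    groups = defaultdict(set)
    for p in policies:
        local, remote = local_and_remote(p)
        groups[(remote, p[3])].add(local)
    return {key: sorted(locals_) for key, locals_ in groups.items()}


def shared_remotes(policies):
    """Remote endpoints reached from more than one local subnet (the thread's setup)."""
    return {key: locals_ for key, locals_ in group_by_remote(policies).items()
            if len(locals_) > 1}


def report(log_text):
    """Human-readable summary, returned as a list of lines."""
    policies = parse_policies(log_text)
    lines = [f"{len(policies)} policy message(s) parsed"]
    dups = exact_duplicates(policies)
    lines.append("exact duplicate selectors: "
                 + (", ".join(map(str, dups)) if dups else "none"))
    for (remote, direction), locals_ in sorted(shared_remotes(policies).items()):
        lines.append(f"{remote} dir={direction} is reached from {', '.join(locals_)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

On the sample, no selector is repeated; the only finding is that 10.76.20.92/32 is reached from both 192.168.1.0/24 and 192.168.2.0/24 in each direction, which is exactly the layout the question describes. The third and sixth lines (192.168.1.1/32 to and from its own LAN) form a separate policy pair and are not reported as shared. An exact duplicate selector, had one appeared, would be the case to investigate, since two tunnel definitions would then be writing the same SPD entry.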

heiko
Re: 2 tunnels : same remote config, but 2 different local subnets
« Reply #1 on: April 28, 2008, 01:53:26 pm »
From the same WAN IP with a different subnet on one side you need different FQDNs. Parallel tunnels with the same WAN IP run only in aggressive mode. The FQDN name is your free choice....

Example:

192.168.6.0/24 ----> FQDN: dmz@pfsense.org --> 192.168.10.0/24 (same WAN IP)
192.168.6.0/24 ----> FQDN: lan@pfsense.org --> 192.168.20.0/24 (same WAN IP)

cybercare
Re: 2 tunnels : same remote config, but 2 different local subnets
« Reply #2 on: June 06, 2008, 03:00:07 pm »
Sorry if this is a dumb question, but I am doing the same thing and was looking for a little more detail.

I have the following:

MAN1 going to pfsense WAN w/ lan 172.16.22.0
MAN1 going to pfsense WAN w/ lan2 10.50.75.0

MAN1 has one public IP and one LAN subnet; the WAN on the other end has 2 LAN subnets.

I tried to set the pfSense side that has 2 LAN subnets to use My identifier: User FQDN: casa@mydomain.com on the first one and phones@mydomain.com on the second one; however, the VPNs went down and stayed dead. Do I need to set the other side to match on the User FQDN, or did I miss something?

I am running 1.2final.

Thx

heiko
Re: 2 tunnels : same remote config, but 2 different local subnets
« Reply #3 on: June 06, 2008, 03:15:05 pm »
Yes, you need the same FQDN identifier on both endpoints but different LAN subnets, that's the trick.

cybercare
Re: 2 tunnels : same remote config, but 2 different local subnets
« Reply #4 on: June 06, 2008, 04:20:18 pm »
So because only one end has multiple subnets this won't work? Or am I misunderstanding, and so long as I use FQDN and they match on both sides for both tunnels (each tunnel with a unique FQDN, of course) I am good?

One end has 1 public IP and 1 LAN subnet, the other has 1 public IP and 2 LAN subnets.

Right now I have the original poster's problem, but they do work, it's just a mess.