While it is down you can also pcap the IPsec traffic and see what SPD it is arriving for.
Something between the two endpoints is getting out of sync, apparently.
I would take a really close look at the IPsec logs and see what's happening at re-key time.
That's all rather hard to read/parse jumbled up like that with so much blocked out and cut down, but there is still a bit of info missing.
I still need to see:
The P2 settings (from the edit page, not the summary/list)
The interface config on Interfaces > OPT1
The output of ifconfig ipsec1000
The routing table entries for the ipsec1000 interface under Diagnostics > Routes
On all of mine no matter what I set in the P2 settings for the mask on the local network interface it makes /32 security associations in both directions. I have one pair set for /30 and another set for /24 and both work and show /32 for both ends in the SA list.
I don't have a USG to test against so there may be some quirk there.
Also, if you are going to mask/hide info in screenshots it's much better to use a contrasting color so it's obvious where the image has been altered. Use black for a white background, white for a dark background, etc. If it's masked out with the same color as the background it's difficult to discern what is hidden vs what might be incorrect/broken.
@nogbadthebad said in IPSEC VPN between 2 sites has constant ~20k traffic. How best to find out what it is?:
Have you tried a packet capture ?
I didn't realize pfSense had a packet capture. Thanks for suggesting it. Now the results. I ran a quick capture on ipsec and then found the busy ip address. A quick look at the lease assignments showed me it was my Uniden Police Scanner wifi dongle. Then it hit me. I run Proscan scanner software from my office that points to my Uniden scanner to capture fire calls in my town (using the "fire tone out" feature), and then email them to me so I can hear them on my phone. I totally forgot that I had that communication running all the time, but the packet capture quickly pointed it out.
Problem solved. Thanks for the tip.
Roveer
@dkase279 mine prevents the tunnel from working as client machines can not ping through to my main site via the VPN. I'm going to log a call with Netgate if possible as it's preventing service. I also might put logs on here once it happens again.
Hi ,
Thanks for you response.
First of all please accept my apologies for my appalling grammar and spelling in my original post. My brain must have been frazzled.
I have sorted it by using a different browser (chrome) why i didn't try this initially i have no idea.
Thanks
Danny
You have two choices:
Create a P2 entry for every combination of your local subnet and remote subnets.
Summarize the remote subnets into a larger network if they are closer together.
Do you have a diagram of the setup? Is there inbound or outbound NAT involved or only routing? What rules do you have passing the traffic? IKEv1 or IKEv2?
Here's the results:
--- Started update ---
Updating repositories metadata...
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
done.
pfSense repository is up to date.
All repositories are up to date.
2.4.3_1 version of pfSense is available
Downloading upgrade packages...
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
Checking for upgrades (9 candidates): ......... done
Processing candidates (9 candidates): ......... done
The following 8 package(s) will be affected (of 0 checked):
Installed packages to be UPGRADED:
sqlite3: 3.21.0_1 -> 3.22.0_1 [pfSense]
pfSense-rc: 2.4.3 -> 2.4.3_1 [pfSense-core]
pfSense-kernel-pfSense: 2.4.3 -> 2.4.3_1 [pfSense-core]
pfSense-default-config: 2.4.3 -> 2.4.3_1 [pfSense-core]
pfSense-base: 2.4.3 -> 2.4.3_1 [pfSense-core]
pfSense: 2.4.3 -> 2.4.3_1 [pfSense]
perl5: 5.24.3 -> 5.24.4 [pfSense]
libnghttp2: 1.29.0 -> 1.31.1 [pfSense]
Number of packages to be upgraded: 8
67 MiB to be downloaded.
[1/8] Fetching sqlite3-3.22.0_1.txz: .......... done
[2/8] Fetching pfSense-rc-2.4.3_1.txz: .. done
[3/8] Fetching pfSense-kernel-pfSense-2.4.3_1.txz: .......... done
[4/8] Fetching pfSense-default-config-2.4.3_1.txz: . Done
System update failed!
--- Update ended with errors ---
System rebooted and shows:
Version 2.4.3-RELEASE-p1 (amd64)
built on Thu May 10 15:02:52 CDT 2018
FreeBSD 11.1-RELEASE-p10
IPSec status shows connected ...
Failing update have been reported by several users, so not new
Can't reproduce after freshly installing for a second time -- please note the previous installation was fresh and config restored as well.
I'm closing this as can't reproduce -- please let me know if is there anything else I can test for you guys.
Sorry - can't help with that message on the PA. Obviously doesn't like something.
If all of the P2s hard fail the other side might send a disconnect for the P1 which pfSense will honor.
Whatever the answer, the problem lies in the IPsec logs.
@gsmithe said in Disable old ciphers:
SHA1
Hey gsmithe,
i don't now your PCI scanner. Sometimes a scanner alerts at SHA1 too.
Check your Phase1/Phase2 config. If the configuration for DES/3DES is unchecked, this is not your problem.
Kind regards
The tunnel only work when the IP in the server is set manually but only in the 40.0/24 segment, dynamically don't work. The segment 41.0/24 does not send traffic to pfsense at all, even when the /23 is set up in Phase 2. Due to Policies and Prod enviroments working in another tunnels i can update the version.
During the problem, the Memory usage is about 6% of 8052MiB, the cpu usage is about 30%. In Idle mode the cpu usage is at 5-10% and the RAM at 6%.
We also have a second system (same hardware) with 24 tunnels, applying changes there take just a second.
@marcos-lang Could you please provide screenshots from your configuration and the ipsec status pages? Especially from SAD/SPD etc?
The use of public IP in NAT (I believe not)? > This should work without problems.
The difference in size of Local "real" and NAT'ed networks? > If you want to NAT your Local Network into a single ip you have to choose NAT/BINAT Type "Address" and NOT Network/32.
Should I use /24 on NAT'ed networks and create a 1:1 relation on both ends? > No
Should I create a VIP with the NAT'ed IP of Local Subnet (172.140.50.2/32)? > No
Should I create a static route for the NAT'ed IP of Remote Subnet (172.140.60.2/32)? > No. Routing is ignored for IPSec
Seems very close. All of mine show RUNNING though. Make sure you have followed the proper procedure to not only create the tunnel but to assign it for use.
https://www.netgate.com/docs/pfsense/vpn/ipsec/ipsec-routed.html
Specifically:
found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode
If my P1 entry is doing Aggressive with PSK for the "My IP address" and "Peer IP address" and it matches my proposals for hash and encryption...why can't it recognize my PSK?
I have IPSEC working very reliably between Fortinet and pfSense. Here are some notes:
I have set a Maximum MMS on the pfSense end (IPSEC -> Advanced) mine is currently 1390.
I use MAIN mode, I can see AGGRESSIVE mode mentioned in your log. I also use IKEv2 not v1. Also, if you have multiple P2s then tick "Split Connections".
If you use CARP then ensure you are not outbound NATting your IPSEC traffic.
DPD is enabled.
I also once "fixed" a problem with a reboot at both ends.
For anyone running into this problem, after much digging I found this is actually a problem with Rogers cellular service. You need to call Rogers in the interim and have them blacklist your IMEI from using IPv6. They are working on a more permanent fix...I opened a ticket and am currently waiting for them to blacklist mine but details are at this Rogers community thread.
http://communityforums.rogers.com/t5/Network-Coverage/Issues-with-IKEv2-IPSec-VPN-on-Rogers-LTE-3G/td-p/419136/page/8
D
Every step needs P2 entries for every possible combination of traffic.
On both sides of the tunnel from 1<->2, it needs P2s for 1-2 and 1-3.
On both sides of the tunnel from 2<->3, it needs P2s for 2-3 and 1-3.
Expanded a bit:
Site 1 tunnel 1<->2 has P2s:
Local 1 / Remote 2
Local 1 / Remote 3
Site 2 tunnel 2<->1 has P2s:
Local 2 / Remote 1
Local 3 / Remote 1
Site 2 tunnel 2<->3 has P2s:
Local 2 / Remote 3
Local 1 / Remote 3
Site 3 tunnel 3<->2 has P2s:
Local 3 / Remote 2
Local 3 / Remote 1
