You mention problems between 2 endpoints explicitly? Maybe investigate if there are line issues or if something is special about these endpoints (like running another firmware at their end or whatever).

the only reason I'm aware of that people were wanting to use gif devices is for filtering, now filtering is possible by default with enc(4) in current snapshots.

Hi,

I've the same problem, but using the 03-15-2007 Snapshot.
It seems like it works well only the first time (or after a reboot) when there is no SA…
I'll do some more test...
bye
Z

ok… looks like "vpn goes down" problem was fixed. the server has been up for more then 24 hours now. but i still can't ftp to remote sites over vpn. pcanywhere (and file transfer) works fine, i can ssh and scp to remote pc's and they can ftp to my office, but i cant ftp to them. does anybody know how to fix this? tnx

p.s. this _If you want to connect to a FTP server you need to add this workaround to your LAN tab.

Proto Source Port Destination Port Gateway TCP LAN net * 127.0.0.1 1 - 65535 *

Now the packets are forwarded correctly and you can connect to an FTP server._ is not helping.

ok… ftp problem was fixed too  8) as they say "if nothing works read the manual"  ;D ::)

Something like this could be done between sites that only run pfSense systems if some code was written for this kind of dead peer detection. Multiwan IPSEC is working with the latest changes in the snapshots, it just doesn'T detect failure or does failover.

Well there seems to be some intermittent issue with phase two on this tunnel.  Logs are below.  The only thing I can think of is that the lifetime doesn't match correctly because I see a new phase 2 negotiation from them every two minutes when they are connected.  It sounded like they specify their lifetimes in hours instead of seconds and their lifetime is set to 2 hours, I've got my end configured at 7200s.  Not sure how pf is seeing that during the negotiation, are there any more detailed logs I can look to see any additional details?

racoon: INFO: purged ISAKMP-SA spi=9564dbd685564852:333386a2d2c623da.
Mar 23 10:18:44 racoon: INFO: purging ISAKMP-SA spi=9564dbd685564852:333386a2d2c623da.
Mar 23 10:18:44 racoon: INFO: respond new phase 2 negotiation: me.me.me.me[500]<=>them.them.them.them[500]
Mar 23 10:18:44 racoon: INFO: ISAKMP-SA established me.me.me.me[500]-them.them.them.them[500] spi:9564dbd685564852:333386a2d2c623da
Mar 23 10:18:44 racoon: WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
Mar 23 10:18:43 racoon: INFO: begin Identity Protection mode.
Mar 23 10:18:43 racoon: INFO: respond new phase 1 negotiation: me.me.me.me[500]<=>them.them.them.them[500]
Mar 23 10:18:29 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument

Yes, perfect.
Thanks.

May i ask you if this is correct?
Client (MTU 1500) -> LAN (MTU 1500) -> IPSEC -> WAN (MTU 1300) -> INET <- WAN (MTU 1300) <- IPSEC <- LAN (MTU 1500) <- Client (MTU 1500)

Ok this is what I have now

WAN->LAN
ESP  *  *  qOthersDownH/qOthersUpH  m_Other IPSEC inbound     
   
  WAN->LAN
UDP  *  *
Port: 500  qOthersDownH/qOthersUpH  m_Other IPSEC inbound     
   
  LAN->WAN
UDP  *  *
Port: 500  qOthersUpH/qOthersDownH  m_Other IPSEC outbound     
   
  LAN->WAN
AH  *  *  qOthersUpH/qOthersDownH  m_Other IPSEC outbound     
   
  LAN->WAN
ESP  *  *  qOthersUpH/qOthersDownH  m_Other IPSEC outbound     
   
  WAN->LAN
AH  *  *  qOthersDownH/qOthersUpH  m_Other IPSEC inbound

Ony CARP can be used by the firewallitself to run services on. ProxyARP and Other ony can be forwarded. Change this IP to CARP and use the CARP IP as ipsec failover IP. Then it should work.

Sounds like lifetime mismatches.

Either way, check Prefer old IPsec SAs in System -> Advanced

Ok, thanks  ;D

No, one of the sites has to be static at least.

Does it use mainmode? If yes try using agressive. Maybe you get more options then.

I downloaded one from earlier today.  It's fixed.

Feb 28 14:23:21 racoon: ERROR: malformed cookie received.

The checkpoint seems to send something strange. Revisit all parameters and check if they are abolutely identical. Maybe try using mainmode instead of aggressive.

hmm.. still no luck for me =(

I increased the debugging in racoon and got a couple of more messages.

Feb 26 15:27:15 racoon: DEBUG: compute IV for phase2
Feb 26 15:27:15 racoon: DEBUG: phase1 last IV:
Feb 26 15:27:15 racoon: DEBUG: 4b27456a 80e0fb18 7776ecb0
Feb 26 15:27:15 racoon: DEBUG: hash(md5)
Feb 26 15:27:15 racoon: DEBUG: encryption(des)
Feb 26 15:27:15 racoon: DEBUG: phase2 IV computed:
Feb 26 15:27:15 racoon: DEBUG: 3b4841e3 df96bfd9
Feb 26 15:27:15 racoon: DEBUG: begin decryption.
Feb 26 15:27:15 racoon: DEBUG: encryption(des)
Feb 26 15:27:15 racoon: DEBUG: IV was saved for next processing:
Feb 26 15:27:15 racoon: DEBUG: df27599a 375cddd2
Feb 26 15:27:15 racoon: DEBUG: encryption(des)
Feb 26 15:27:15 racoon: DEBUG: with key:
Feb 26 15:27:15 racoon: DEBUG: e9eb3b33 990da27c
Feb 26 15:27:15 racoon: DEBUG: decrypted payload by IV:
Feb 26 15:27:15 racoon: DEBUG: 3b4841e3 df96bfd9
Feb 26 15:27:15 racoon: DEBUG: decrypted payload, but not trimed.
Feb 26 15:27:15 racoon: DEBUG: 0b000014 5ab258f3 61fe90e9 40ee109a 9bccc248 000001c8 00000001 0304000e 0f6aa0b7 0a0001b8 00000001 00000001 00000000 00000000 00000000 00000000 00000000 00000000 00000000 dca20c81 d6c60980 a0e40d81 20297a80 b3677aa5 a0e40d81 00000000 38de0d81 b1a44d2e 00000000 0a000120 0a0001b8 2ca30c81 a8670a80 01000000 a0e40d81 20000000 20297a80 b3677aa5 00000000 a0e40d81 c8020000 2ca30c81 b3677aa5 80a30c81 e4020000 2ba30c81 c02b7a80 00000001 a0e40d81 c8020000 a8a30c00 a8a30c81 609d0a80 8ca30c81 a0e40d81 20297a80 d0277a80 00000000 00000000 a0e40d81 94a30c81 d0277a80 00000000 00000000 8ca30c81 b3677aa5 38de0d81 00000100 f0287a80 82020000 9eb3eebc cf3a48a1 e0020000 a3340080 f02c6d80 294db8c8 0eed7940 2aff7afe 6fec3335 08102001 a57a67b3 e0020000 eca30c81 bcfa0880 d0277a80 543779f2 d4f75f51 68894780 00000000 00000000 00000000 68894780 f4013412 543779f2 7564702f 302f3530 30003412 78563412 78563412 f8a30c81 9b270080 00000000 00000000 00000000 9cf90880 00000000 cccccccc 89000000 00000000 edfead
Feb 26 15:27:15 racoon: DEBUG: padding len=1
Feb 26 15:27:15 racoon: DEBUG: skip to trim padding.
Feb 26 15:27:15 racoon: DEBUG: decrypted.
Feb 26 15:27:15 racoon: DEBUG: 294db8c8 0eed7940 2aff7afe 6fec3335 08100501 7776ecb0 000001fc 0b000014 5ab258f3 61fe90e9 40ee109a 9bccc248 000001c8 00000001 0304000e 0f6aa0b7 0a0001b8 00000001 00000001 00000000 00000000 00000000 00000000 00000000 00000000 00000000 dca20c81 d6c60980 a0e40d81 20297a80 b3677aa5 a0e40d81 00000000 38de0d81 b1a44d2e 00000000 0a000120 0a0001b8 2ca30c81 a8670a80 01000000 a0e40d81 20000000 20297a80 b3677aa5 00000000 a0e40d81 c8020000 2ca30c81 b3677aa5 80a30c81 e4020000 2ba30c81 c02b7a80 00000001 a0e40d81 c8020000 a8a30c00 a8a30c81 609d0a80 8ca30c81 a0e40d81 20297a80 d0277a80 00000000 00000000 a0e40d81 94a30c81 d0277a80 00000000 00000000 8ca30c81 b3677aa5 38de0d81 00000100 f0287a80 82020000 9eb3eebc cf3a48a1 e0020000 a3340080 f02c6d80 294db8c8 0eed7940 2aff7afe 6fec3335 08102001 a57a67b3 e0020000 eca30c81 bcfa0880 d0277a80 543779f2 d4f75f51 68894780 00000000 00000000 00000000 68894780 f4013412 543779f2 7564702f 302f3530 30003412 78563412 78563412 f8a30c81 9b270080 00000000 000000
Feb 26 15:27:15 racoon: DEBUG: HASH with:
Feb 26 15:27:15 racoon: DEBUG: 7776ecb0 000001c8 00000001 0304000e 0f6aa0b7 0a0001b8 00000001 00000001 00000000 00000000 00000000 00000000 00000000 00000000 00000000 dca20c81 d6c60980 a0e40d81 20297a80 b3677aa5 a0e40d81 00000000 38de0d81 b1a44d2e 00000000 0a000120 0a0001b8 2ca30c81 a8670a80 01000000 a0e40d81 20000000 20297a80 b3677aa5 00000000 a0e40d81 c8020000 2ca30c81 b3677aa5 80a30c81 e4020000 2ba30c81 c02b7a80 00000001 a0e40d81 c8020000 a8a30c00 a8a30c81 609d0a80 8ca30c81 a0e40d81 20297a80 d0277a80 00000000 00000000 a0e40d81 94a30c81 d0277a80 00000000 00000000 8ca30c81 b3677aa5 38de0d81 00000100 f0287a80 82020000 9eb3eebc cf3a48a1 e0020000 a3340080 f02c6d80 294db8c8 0eed7940 2aff7afe 6fec3335 08102001 a57a67b3 e0020000 eca30c81 bcfa0880 d0277a80 543779f2 d4f75f51 68894780 00000000 00000000 00000000 68894780 f4013412 543779f2 7564702f 302f3530 30003412 78563412 78563412 f8a30c81 9b270080 00000000 00000000 00000000 9cf90880 00000000 cccccccc 89000000 00000000 edfeadde 00000000 00000000 00000000 000000
Feb 26 15:27:15 racoon: DEBUG: hmac(hmac_md5)
Feb 26 15:27:15 racoon: DEBUG: HASH computed:
Feb 26 15:27:15 racoon: DEBUG: 5ab258f3 61fe90e9 40ee109a 9bccc248
Feb 26 15:27:15 racoon: DEBUG: hash validated.
Feb 26 15:27:15 racoon: DEBUG: begin.
Feb 26 15:27:15 racoon: DEBUG: seen nptype=8(hash)
Feb 26 15:27:15 racoon: DEBUG: seen nptype=11(notify)
Feb 26 15:27:15 racoon: DEBUG: succeed.
Feb 26 15:27:15 racoon: ERROR: unknown notify message, no phase2 handle found.
Feb 26 15:27:15 racoon: DEBUG: notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=3 spi=0f6aa0b7(size=4).
Feb 26 15:27:25 racoon: DEBUG: 740 bytes from 222.222.222.222[500] to 111.111.111.111[500]
Feb 26 15:27:25 racoon: DEBUG: sockname 222.222.222.222[500]
Feb 26 15:27:25 racoon: DEBUG: send packet from 222.222.222.222[500]
Feb 26 15:27:25 racoon: DEBUG: send packet to 111.111.111.111[500]
Feb 26 15:27:25 racoon: DEBUG: 1 times of 740 bytes message will be sent to 111.111.111.111[500]
Feb 26 15:27:25 racoon: DEBUG: 294db8c8 0eed7940 2aff7afe 6fec3335 08102001 a57a67b3 000002e4 1c43f877 ebfc8f3a 54065e15 07abf452 315cffa4 887305ce b6f5c26f c1a0cd31 61a1721b bc0df24e ce094267 5fc3c94a d1554af7 bd7087cf 945d88d9 fc0ee6fd 1647309b fb523882 ab1ea7af 2d7a3d89 578e3b14 1e097dfe 58db7db8 e788ea5b ab0438d1 a94792e5 addc4f21 eaab621a bdf8f5db 25ce6b85 085520f4 edd574d8 38804f11 e9565456 494f7844 2ff5e40d 9ec47e4b 0a24a4a1 974a1e2a f05c276e 8476bee5 beb74b78 c0fe1968 e8ee9315 d4ea2689 1961753d 8a7fb164 fb0ba8ee ad731045 35d22219 f31ad580 2f31739b 6a0b6c69 01faedfb 8141c308 f3957813 2a3dc623 7b3c8e7e 4bcb0230 681e260a 5c70de6c d46b361a 4be14556 0eab9e41 40987ca1 ed2d60c2 1b360fe0 47dcc708 c3ade704 c0a2ba5e d04895d5 c536529b 237a3589 3f1782a0 24ae286c f3866414 4dc69996 81099725 e1f2dc59 0e7e2fda 36b69512 e9b99ce2 0393acda c01e44b8 973cdd32 4e54c7fa 8fb66d56 146ca3db 3328274c f8ad8c6e e2726432 539f9d66 dd17f50d a7f53c87 40821ac1 a8366425 e42244bc 84d54a12 318c99e3 4ee0b715 a59abb41 a950181d 89e358
Feb 26 15:27:25 racoon: DEBUG: resend phase2 packet 294db8c80eed7940:2aff7afe6fec3335:0000a57a
Feb 26 15:27:35 racoon: DEBUG: 740 bytes from 222.222.222.222[500] to 111.111.111.111[500]
Feb 26 15:27:35 racoon: DEBUG: sockname 222.222.222.222[500]
Feb 26 15:27:35 racoon: DEBUG: send packet from 222.222.222.222[500]
Feb 26 15:27:35 racoon: DEBUG: send packet to 111.111.111.111[500]
Feb 26 15:27:35 racoon: DEBUG: 1 times of 740 bytes message will be sent to 111.111.111.111[500]
Feb 26 15:27:35 racoon: DEBUG: 294db8c8 0eed7940 2aff7afe 6fec3335 08102001 a57a67b3 000002e4 1c43f877 ebfc8f3a 54065e15 07abf452 315cffa4 887305ce b6f5c26f c1a0cd31 61a1721b bc0df24e ce094267 5fc3c94a d1554af7 bd7087cf 945d88d9 fc0ee6fd 1647309b fb523882 ab1ea7af 2d7a3d89 578e3b14 1e097dfe 58db7db8 e788ea5b ab0438d1 a94792e5 addc4f21 eaab621a bdf8f5db 25ce6b85 085520f4 edd574d8 38804f11 e9565456 494f7844 2ff5e40d 9ec47e4b 0a24a4a1 974a1e2a f05c276e 8476bee5 beb74b78 c0fe1968 e8ee9315 d4ea2689 1961753d 8a7fb164 fb0ba8ee ad731045 35d22219 f31ad580 2f31739b 6a0b6c69 01faedfb 8141c308 f3957813 2a3dc623 7b3c8e7e 4bcb0230 681e260a 5c70de6c d46b361a 4be14556 0eab9e41 40987ca1 ed2d60c2 1b360fe0 47dcc708 c3ade704 c0a2ba5e d04895d5 c536529b 237a3589 3f1782a0 24ae286c f3866414 4dc69996 81099725 e1f2dc59 0e7e2fda 36b69512 e9b99ce2 0393acda c01e44b8 973cdd32 4e54c7fa 8fb66d56 146ca3db 3328274c f8ad8c6e e2726432 539f9d66 dd17f50d a7f53c87 40821ac1 a8366425 e42244bc 84d54a12 318c99e3 4ee0b715 a59abb41 a950181d 89e358
Feb 26 15:27:35 racoon: DEBUG: resend phase2 packet 294db8c80eed7940:2aff7afe6fec3335:0000a57a
Feb 26 15:27:45 racoon: ERROR: 111.111.111.111 give up to get IPsec-SA due to time up to wait.
Feb 26 15:27:45 racoon: DEBUG: an undead schedule has been deleted.

It seems like some packet wont get sent.

Anyone?