IPSEC WOODOO Pfsense RC1
-
After updating pfSense to RC1, I get the same problem: every hour or hour and a half, say (not time bound), IPsec falls (see log below). It goes down for a few minutes and renegotiates, then comes up. In this time, connections between remote locations fall down.
The ERROR about policy replacement is no issue, as it is in fact just a message.
But signal 15? Racoon shutdown? Hmm... I tried P1 config aggressive and main; both fail the same way.
Using Identifier - My IP address, pre-shared key, 3DES, MD5 and lifetime of 86400 secs.
Phase 2
ESP
BLOWFISH, MD5, no PFS key group, 86400 sec lifetime
Pinging a server on the remote LAN/s.
Best regards.
Preatorian
Aug 2 17:32:46 racoon: INFO: received Vendor ID: KAME/racoon
Aug 2 17:32:46 racoon: INFO: ISAKMP-SA established AA.AA.AA.AA[500]-BB.BB.BB.BB[500] spi:818744c516c14ffa:538d0a005e0610db
Aug 2 17:32:47 racoon: INFO: initiate new phase 2 negotiation: AA.AA.AA.AA[0]<=>BB.BB.BB.BB[0]
Aug 2 17:32:47 racoon: INFO: IPsec-SA established: ESP/Tunnel BB.BB.BB.BB[0]->AA.AA.AA.AA[0] spi=109287135(0x68396df)
Aug 2 17:32:47 racoon: INFO: IPsec-SA established: ESP/Tunnel AA.AA.AA.AA[0]->BB.BB.BB.BB[0] spi=164563998(0x9cf0c1e)
Aug 2 17:32:47 racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, 9d8828fff132d97d:e01f7e80d79ce9c9:0000b8f7
Aug 2 17:32:49 racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, 9d8828fff132d97d:e01f7e80d79ce9c9:0000edb0
Aug 2 17:32:57 racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, 9d8828fff132d97d:e01f7e80d79ce9c9:0000b8f7
Aug 2 17:32:58 racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, 9d8828fff132d97d:e01f7e80d79ce9c9:0000edb0
Aug 2 18:22:37 racoon: INFO: caught signal 15
Aug 2 18:22:38 racoon: INFO: racoon shutdown
Aug 2 18:22:39 racoon: INFO: @(#)ipsec-tools 0.6.5 (http://ipsec-tools.sourceforge.net)
Aug 2 18:22:39 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
Aug 2 18:22:39 racoon: INFO: fe80::204:e2ff:fee9:e3b1%ng2[500] used as isakmp port (fd=8)
Aug 2 18:22:39 racoon: INFO: fe80::204:e2ff:fee9:e3b1%ng1[500] used as isakmp port (fd=9)
Aug 2 18:22:39 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=10)
Aug 2 18:22:39 racoon: INFO: ::1[500] used as isakmp port (fd=11)
Aug 2 18:22:39 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=12)
Aug 2 18:22:39 racoon: INFO: fe80::204:e2ff:fee9:e3b1%fxp0[500] used as isakmp port (fd=13)
Aug 2 18:22:39 racoon: INFO: AA.AA.AA.AA[500] used as isakmp port (fd=14)
Aug 2 18:22:39 racoon: INFO: fe80::2a0:f9ff:fe05:cf45%rl0[500] used as isakmp port (fd=15)
Aug 2 18:22:39 racoon: INFO: fe80::204:e2ff:fee9:e3b1%sk0[500] used as isakmp port (fd=16)
Aug 2 18:22:39 racoon: INFO: 192.168.0.1[500] used as isakmp port (fd=17)
Aug 2 18:22:39 racoon: ERROR: such policy already exists. anyway replace it: 192.168.0.0/24[0] 192.168.0.1/32[0] proto=any dir=in
Aug 2 18:22:39 racoon: ERROR: such policy already exists. anyway replace it: 190.20.10.0/24[0] 192.168.0.0/24[0] proto=any dir=in
Aug 2 18:22:39 racoon: ERROR: such policy already exists. anyway replace it: 192.168.16.0/24[0] 192.168.0.0/24[0] proto=any dir=in
Aug 2 18:22:39 racoon: ERROR: such policy already exists. anyway replace it: 192.168.0.1/32[0] 192.168.0.0/24[0] proto=any dir=out
Aug 2 18:22:39 racoon: ERROR: such policy already exists. anyway replace it: 192.168.0.0/24[0] 190.20.10.0/24[0] proto=any dir=out
Aug 2 18:22:39 racoon: ERROR: such policy already exists. anyway replace it: 192.168.0.0/24[0] 192.168.16.0/24[0] proto=any dir=out
Aug 2 18:23:00 racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, 9d8828fff132d97d:e01f7e80d79ce9c9:0000abe3
Aug 2 18:23:21 last message repeated 2 times
Aug 2 18:24:13 racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, 9d8828fff132d97d:e01f7e80d79ce9c9:0000c417
Aug 2 18:24:33 last message repeated 2 times
Aug 2 18:25:00 racoon: INFO: IPsec-SA request for BB.BB.BB.BB queued due to no phase1 found.
Aug 2 18:25:00 racoon: INFO: initiate new phase 1 negotiation: AA.AA.AA.AA[500]<=>BB.BB.BB.BB[500]
Aug 2 18:25:00 racoon: INFO: begin Identity Protection mode.
Aug 2 18:25:00 racoon: INFO: received Vendor ID: KAME/racoon
Aug 2 18:25:01 racoon: INFO: received Vendor ID: KAME/racoon
Aug 2 18:25:01 racoon: INFO: ISAKMP-SA established AA.AA.AA.AA[500]-BB.BB.BB.BB[500] spi:a6e545f6a12c5ab6:655b8822f063d9b1
Aug 2 18:25:02 racoon: INFO: initiate new phase 2 negotiation: AA.AA.AA.AA[0]<=>BB.BB.BB.BB[0]
Aug 2 18:25:02 racoon: INFO: IPsec-SA established: ESP/Tunnel BB.BB.BB.BB[0]->AA.AA.AA.AA[0] spi=151851937(0x90d13a1)
Aug 2 18:25:02 racoon: INFO: IPsec-SA established: ESP/Tunnel AA.AA.AA.AA[0]->BB.BB.BB.BB[0] spi=77296916(0x49b7514)
Aug 2 18:25:20 racoon: INFO: IPsec-SA request for CC.CC.CC.CC queued due to no phase1 found.
Aug 2 18:25:20 racoon: INFO: initiate new phase 1 negotiation: AA.AA.AA.AA[500]<=>CC.CC.CC.CC[500]
Aug 2 18:25:20 racoon: INFO: begin Identity Protection mode.
Aug 2 18:25:20 racoon: INFO: received Vendor ID: DPD
Aug 2 18:25:21 racoon: INFO: ISAKMP-SA established AA.AA.AA.AA[500]-CC.CC.CC.CC[500] spi:549f3b89283f92a3:ce235874b45c2300
Aug 2 18:25:22 racoon: INFO: initiate new phase 2 negotiation: AA.AA.AA.AA[0]<=>CC.CC.CC.CC[0]
Aug 2 18:25:22 racoon: INFO: IPsec-SA established: ESP/Tunnel CC.CC.CC.CC[0]->AA.AA.AA.AA[0] spi=130184044(0x7c2736c)
Aug 2 18:25:22 racoon: INFO: IPsec-SA established: ESP/Tunnel AA.AA.AA.AA[0]->CC.CC.CC.CC[0] spi=105454316(0x6491aec)
--------------------------
Aug 2 16:44:25 racoon: ERROR: CC.CC.CC.CC give up to get IPsec-SA due to time up to wait.
Aug 2 16:44:34 racoon: INFO: respond new phase 1 negotiation: AA.AA.AA.AA[500]<=>CC.CC.CC.CC[500]
Aug 2 16:44:34 racoon: INFO: begin Identity Protection mode.
Aug 2 16:44:34 racoon: INFO: received Vendor ID: DPD
Aug 2 16:44:34 racoon: INFO: ISAKMP-SA established AA.AA.AA.AA[500]-CC.CC.CC.CC[500] spi:9d8828fff132d97d:e01f7e80d79ce9c9
Aug 2 16:44:35 racoon: INFO: respond new phase 2 negotiation: AA.AA.AA.AA[0]<=>CC.CC.CC.CC[0]
Aug 2 16:44:35 racoon: INFO: IPsec-SA established: ESP/Tunnel CC.CC.CC.CC[0]->AA.AA.AA.AA[0] spi=175908704(0xa7c2760)
Aug 2 16:44:35 racoon: INFO: IPsec-SA established: ESP/Tunnel AA.AA.AA.AA[0]->CC.CC.CC.CC[0] spi=193699577(0xb8b9ef9)
Aug 2 17:32:37 racoon: INFO: purged IPsec-SA proto_id=ESP spi=193699577.
Aug 2 17:32:37 racoon: INFO: respond new phase 2 negotiation: AA.AA.AA.AA[0]<=>CC.CC.CC.CC[0]
Aug 2 17:32:38 racoon: INFO: initiate new phase 2 negotiation: AA.AA.AA.AA[0]<=>CC.CC.CC.CC[0]
Aug 2 17:32:41 racoon: INFO: respond new phase 1 negotiation: AA.AA.AA.AA[500]<=>CC.CC.CC.CC[500]
Aug 2 17:32:41 racoon: INFO: begin Identity Protection mode.
Aug 2 17:32:41 racoon: INFO: received Vendor ID: DPD
Aug 2 17:32:41 racoon: INFO: ISAKMP-SA established AA.AA.AA.AA[500]-CC.CC.CC.CC[500] spi:a2cb2090b1702450:90cd4325a60d18cb
Aug 2 17:32:41 racoon: INFO: purging spi=175908704.
Aug 2 17:32:42 racoon: INFO: respond new phase 2 negotiation: AA.AA.AA.AA[0]<=>CC.CC.CC.CC[0]
Aug 2 17:32:42 racoon: INFO: IPsec-SA established: ESP/Tunnel CC.CC.CC.CC[0]->AA.AA.AA.AA[0] spi=51025277(0x30a957d)
Aug 2 17:32:42 racoon: INFO: IPsec-SA established: ESP/Tunnel AA.AA.AA.AA[0]->CC.CC.CC.CC[0] spi=80763934(0x4d05c1e)
Aug 2 17:32:47 racoon: ERROR: none message must be encrypted
Aug 2 17:32:58 last message repeated 3 times
Aug 2 17:33:07 racoon: ERROR: CC.CC.CC.CC give up to get IPsec-SA due to time up to wait.
Aug 2 17:33:08 racoon: ERROR: CC.CC.CC.CC give up to get IPsec-SA due to time up to wait.
Aug 2 18:13:14 racoon: INFO: ISAKMP-SA expired AA.AA.AA.AA[500]-CC.CC.CC.CC[500] spi:0b921a024c0b0b56:7ebf0298b4ef3ff6
Aug 2 18:13:15 racoon: INFO: ISAKMP-SA deleted AA.AA.AA.AA[500]-CC.CC.CC.CC[500] spi:0b921a024c0b0b56:7ebf0298b4ef3ff6
Aug 2 18:22:37 racoon: INFO: purged IPsec-SA proto_id=ESP spi=80763934.
Aug 2 18:22:38 racoon: INFO: initiate new phase 2 negotiation: AA.AA.AA.AA[0]<=>CC.CC.CC.CC[0]
Aug 2 18:22:38 racoon: INFO: purging ISAKMP-SA spi=a2cb2090b1702450:90cd4325a60d18cb.
Aug 2 18:22:38 racoon: INFO: Unknown IPsec-SA spi=51025277, hmmmm?
Aug 2 18:22:38 racoon: INFO: purged IPsec-SA spi=51025277.
Aug 2 18:22:38 racoon: INFO: purged IPsec-SA spi=102246445.
Aug 2 18:22:38 racoon: INFO: purged ISAKMP-SA spi=a2cb2090b1702450:90cd4325a60d18cb.
Aug 2 18:22:39 racoon: INFO: ISAKMP-SA deleted AA.AA.AA.AA[500]-CC.CC.CC.CC[500] spi:a2cb2090b1702450:90cd4325a60d18cb
Aug 2 18:23:00 racoon: INFO: initiate new phase 2 negotiation: AA.AA.AA.AA[0]<=>CC.CC.CC.CC[0]
Aug 2 18:23:00 racoon: ERROR: none message must be encrypted
Aug 2 18:23:21 last message repeated 2 times
Aug 2 18:23:30 racoon: ERROR: CC.CC.CC.CC give up to get IPsec-SA due to time up to wait.
Aug 2 18:24:13 racoon: INFO: initiate new phase 2 negotiation: AA.AA.AA.AA[0]<=>CC.CC.CC.CC[0]
Aug 2 18:24:13 racoon: ERROR: none message must be encrypted
Aug 2 18:24:33 last message repeated 2 times
Aug 2 18:24:43 racoon: ERROR: CC.CC.CC.CC give up to get IPsec-SA due to time up to wait.
Aug 2 18:25:20 racoon: INFO: respond new phase 1 negotiation: AA.AA.AA.AA[500]<=>CC.CC.CC.CC[500]
Aug 2 18:25:20 racoon: INFO: begin Identity Protection mode.
Aug 2 18:25:20 racoon: INFO: received Vendor ID: DPD
Aug 2 18:25:21 racoon: INFO: ISAKMP-SA established AA.AA.AA.AA[500]-CC.CC.CC.CC[500] spi:549f3b89283f92a3:ce235874b45c2300
Aug 2 18:25:22 racoon: INFO: respond new phase 2 negotiation: AA.AA.AA.AA[0]<=>CC.CC.CC.CC[0]
Aug 2 18:25:22 racoon: INFO: IPsec-SA established: ESP/Tunnel CC.CC.CC.CC[0]->AA.AA.AA.AA[0] spi=105454316(0x6491aec)
Aug 2 18:25:22 racoon: INFO: IPsec-SA established: ESP/Tunnel AA.AA.AA.AA[0]->CC.CC.CC.CC[0] spi=130184044(0x7c2736c)
Aug 2 19:03:05 racoon: INFO: ISAKMP-SA expired AA.AA.AA.AA[500]-CC.CC.CC.CC[500] spi:74bc2e25ebc635f7:2350f4d786c4462d
Aug 2 19:03:06 racoon: INFO: ISAKMP-SA deleted AA.AA.AA.AA[500]-CC.CC.CC.CC[500] spi:74bc2e25ebc635f7:2350f4d786c4462d
-
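An added example, not from anyone in this thread: a small script that reads racoon syslog lines like the ones quoted above and, for each "racoon shutdown", records whether a SIGTERM ("caught signal 15") preceded it, how many "can't start the quick mode" errors followed, and how many seconds passed until each peer's outbound ESP SA came back. The sample lines are constructed from the post's log, and treating AA.AA.AA.AA as the local address is an assumption.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the racoon log quoted in the post above.
SAMPLE_LOG = """\
Aug 2 18:22:37 racoon: INFO: caught signal 15
Aug 2 18:22:38 racoon: INFO: racoon shutdown
Aug 2 18:22:39 racoon: INFO: @(#)ipsec-tools 0.6.5 (http://ipsec-tools.sourceforge.net)
Aug 2 18:23:00 racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, 9d8828fff132d97d:e01f7e80d79ce9c9:0000abe3
Aug 2 18:25:01 racoon: INFO: ISAKMP-SA established AA.AA.AA.AA[500]-BB.BB.BB.BB[500] spi:a6e545f6a12c5ab6:655b8822f063d9b1
Aug 2 18:25:02 racoon: INFO: IPsec-SA established: ESP/Tunnel BB.BB.BB.BB[0]->AA.AA.AA.AA[0] spi=151851937(0x90d13a1)
Aug 2 18:25:02 racoon: INFO: IPsec-SA established: ESP/Tunnel AA.AA.AA.AA[0]->BB.BB.BB.BB[0] spi=77296916(0x49b7514)
Aug 2 18:25:22 racoon: INFO: IPsec-SA established: ESP/Tunnel AA.AA.AA.AA[0]->CC.CC.CC.CC[0] spi=105454316(0x6491aec)
"""

# "last message repeated N times" lines carry no "racoon:" tag and are skipped.
LINE_RE = re.compile(r"^(\w{3})\s+(\d+) (\d\d:\d\d:\d\d) racoon: (INFO|ERROR): (.*)$")
SA_RE = re.compile(r"IPsec-SA established: ESP/Tunnel ([^\s\[]+)\[\d+\]->([^\s\[]+)\[\d+\]")

def parse(text):
    """Yield (timestamp, level, message) for every racoon syslog line in text."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            mon, day, clock, level, msg = m.groups()
            yield datetime.strptime(f"{mon} {day} {clock}", "%b %d %H:%M:%S"), level, msg

def restart_outages(text, local="AA.AA.AA.AA"):
    """One dict per 'racoon shutdown': whether SIGTERM preceded it, how many
    quick-mode failures followed, and seconds until each peer's outbound ESP SA
    was re-established (the point at which traffic to that peer flows again).
    'local' is the assumed address of this firewall."""
    events = list(parse(text))
    outages = []
    for i, (ts, _level, msg) in enumerate(events):
        if msg != "racoon shutdown":
            continue
        outage = {"shutdown": ts, "sigterm": i > 0 and events[i - 1][2] == "caught signal 15",
                  "quick_mode_errors": 0, "recovery_seconds": {}}
        for later_ts, _lvl, later_msg in events[i + 1:]:
            if later_msg == "racoon shutdown":
                break  # anything after this belongs to the next restart
            if later_msg.startswith("can't start the quick mode"):
                outage["quick_mode_errors"] += 1
            sa = SA_RE.search(later_msg)
            if sa and sa.group(1) == local and sa.group(2) not in outage["recovery_seconds"]:
                outage["recovery_seconds"][sa.group(2)] = int((later_ts - ts).total_seconds())
        outages.append(outage)
    return outages

if __name__ == "__main__":
    for o in restart_outages(SAMPLE_LOG):
        print(o["shutdown"].strftime("%b %d %H:%M:%S"), "after SIGTERM" if o["sigterm"] else "no SIGTERM seen",
              o["quick_mode_errors"], "quick-mode errors", o["recovery_seconds"])
```

A shutdown that follows "caught signal 15" was requested by something on the box (a restart of the daemon), not a crash, which is the distinction the thread is chasing.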
What are the specs of this system?
And btw, update to RC2 please.
-
Both firewalls are overkill PCs: Pentium IV, 512 RAM, CF/IDE adapter, Realtek/Intel 10/100/1000 NICs.
Both brand new. Oh, I will reflash both ends, I just need to jump in my car and drive 190 km to the other end of the VPN :)
Will let you know... Have you done some improvements on IPSEC/RACOON in RC2?
Best regards
Preatorian
-
We did some IPSEC improvements in RC2, but they shouldn't affect establishing a tunnel. I just wondered what your specs are, as we had some funny effects with 64 MB RAM hardware at the hackathon, where racoon exited too due to full memory, but that shouldn't be the case with your boxes then.