VPN goes down…
-
Hello everybody!
I have a pfSense box running as a firewall/VPN server (P4/1GB RAM/2x1Gb Intel NICs), about 50 IPsec tunnels and a couple of rules.
It looks like every now and then the IPsec service goes down without any reason and never comes back up, and the only way to revive it is to reboot the server. I have Kiwi Syslog running on my computer and I can't find anything wrong there, besides that when it happens I'm not getting any log entries from the pfSense until I reboot it.
The same thing was happening to my old OpenBSD VPN server, and this is why I upgraded it to pfSense.
Please help! :) -
This has been covered countless times.
Check the lifetimes and enable System -> Advanced -> Prefer old IPsec SAs.
And no offense, but search before posting. It is considered rude for us to have to keep answering questions that have been answered prior.
-
None taken. Sorry about that, but I've been googling this for the last two days and couldn't find anything. Also, I had my old VPN server looked at, and the only solution we could come up with was a script to restart the isakmpd service.
I'll try your suggestion and will post here. Shouldn't be long, as my VPN goes down once or twice a day. -
If it happens again please let us know which version you are running. If it's not a recent snapshot please try with one of these.
-
I'm running 1.0.1-snapshot-02-27-2007, build on 03/06/07,
and I was running a really old version of OpenBSD on my old VPN server. -
So did it happen again with the changed config that Scott suggested? What's in the system logs when things fail?
-
Yes, it happened again today. Here is a piece of the log around the event. I have System and VPN checked for logging.
2007-03-16 16:54:06 System3.Info 192.168.1.252 Mar 16 16:54:06 racoon: INFO: IPsec-SA established: ESP/Tunnel XXX.XXX.XXX.XXX[0]->XXX.XXX.XXX.XXX[0] spi=217182122(0xcf1efaa)
2007-03-16 16:54:06 System3.Info 192.168.1.252 Mar 16 16:54:06 racoon: INFO: IPsec-SA established: ESP/Tunnel XXX.XXX.XXX.XXX[0]->XXX.XXX.XXX.XXX[0] spi=3879583483(0xe73dbefb)
2007-03-16 16:54:06 System3.Info 192.168.1.252 Mar 16 16:54:06 racoon: ERROR: such policy does not already exist: "192.168.110.0/24[0] 192.168.1.0/24[0] proto=any dir=in"
2007-03-16 16:54:06 System3.Info 192.168.1.252 Mar 16 16:54:06 racoon: ERROR: such policy does not already exist: "192.168.1.0/24[0] 192.168.110.0/24[0] proto=any dir=out"
2007-03-16 16:54:06 System3.Info 192.168.1.252 Mar 16 16:54:06 racoon: INFO: respond new phase 1 negotiation: XXX.XXX.XXX.XXX[500]<=>XXX.XXX.XXX.XXX[500]
2007-03-16 16:54:06 System3.Info 192.168.1.252 Mar 16 16:54:06 racoon: INFO: begin Identity Protection mode.
2007-03-16 16:54:07 System3.Info 192.168.1.252 Mar 16 16:54:06 racoon: INFO: ISAKMP-SA established XXX.XXX.XXX.XXX[500]-XXX.XXX.XXX.XXX[500] spi:48aa9576aa4c1a5d:e07d27130e7932f8
2007-03-16 16:54:07 System3.Info 192.168.1.252 Mar 16 16:54:07 racoon: INFO: respond new phase 2 negotiation: XXX.XXX.XXX.XXX[500]<=>XXX.XXX.XXX.XXX[500]
2007-03-16 16:54:07 System3.Info 192.168.1.252 Mar 16 16:54:07 racoon: INFO: Update the generated policy : 192.168.135.0/24[0] 192.168.1.0/24[0] proto=any dir=in
2007-03-16 16:54:07 System3.Info 192.168.1.252 Mar 16 16:54:07 racoon: INFO: IPsec-SA established: ESP/Tunnel XXX.XXX.XXX.XXX[0]->XXX.XXX.XXX.XXX[0] spi=86804743(0x52c8907)
2007-03-16 16:54:07 System3.Info 192.168.1.252 Mar 16 16:54:07 racoon: INFO: IPsec-SA established: ESP/Tunnel XXX.XXX.XXX.XXX[0]->XXX.XXX.XXX.XXX[0] spi=3913880512(0xe94913c0)
2007-03-16 16:54:07 System3.Info 192.168.1.252 Mar 16 16:54:07 racoon: ERROR: such policy does not already exist: "192.168.135.0/24[0] 192.168.1.0/24[0] proto=any dir=in"
2007-03-16 16:54:07 System3.Info 192.168.1.252 Mar 16 16:54:07 racoon: ERROR: such policy does not already exist: "192.168.1.0/24[0] 192.168.135.0/24[0] proto=any dir=out"
2007-03-16 16:54:09 System3.Info 192.168.1.252 Mar 16 16:54:09 racoon: INFO: ISAKMP-SA established XXX.XXX.XXX.XXX[500]-XXX.XXX.XXX.XXX[500] spi:6f8cf8f974c92323:298bba7671b109ad
2007-03-16 16:54:09 System3.Info 192.168.1.252 Mar 16 16:54:09 racoon: INFO: respond new phase 2 negotiation: XXX.XXX.XXX.XXX[500]<=>XXX.XXX.XXX.XXX[500]
2007-03-16 16:54:09 System3.Info 192.168.1.252 Mar 16 16:54:09 racoon: INFO: Update the generated policy : 192.168.102.0/24[0] 192.168.1.0/24[0] proto=any dir=in
2007-03-16 16:54:09 System3.Info 192.168.1.252 Mar 16 16:54:09 racoon: INFO: IPsec-SA established: ESP/Tunnel XXX.XXX.XXX.XXX[0]->XXX.XXX.XXX.XXX[0] spi=68050139(0x40e5cdb)
2007-03-16 16:54:09 System3.Info 192.168.1.252 Mar 16 16:54:09 racoon: INFO: IPsec-SA established: ESP/Tunnel XXX.XXX.XXX.XXX[0]->XXX.XXX.XXX.XXX[0] spi=3582458879(0xd587fbff)
2007-03-16 16:54:09 System3.Info 192.168.1.252 Mar 16 16:54:09 racoon: ERROR: such policy does not already exist: "192.168.102.0/24[0] 192.168.1.0/24[0] proto=any dir=in"
2007-03-16 16:54:09 System3.Info 192.168.1.252 Mar 16 16:54:09 racoon: ERROR: such policy does not already exist: "192.168.1.0/24[0] 192.168.102.0/24[0] proto=any dir=out"
2007-03-16 19:20:23 Auth.Notice 192.168.1.252 Mar 16 19:20:23 shutdown: reboot by root:
2007-03-16 19:21:45 Daemon.Info 192.168.1.252 Mar 16 19:21:39 dnsmasq[367]: started, version 2.36 cachesize 150
2007-03-16 19:21:45 Daemon.Info 192.168.1.252 Mar 16 19:21:39 dnsmasq[367]: compile time options: IPv6 GNU-getopt ISC-leasefile no-DBus no-I18N
2007-03-16 19:21:45 Daemon.Info 192.168.1.252 Mar 16 19:21:39 dnsmasq[367]: reading /etc/resolv.conf
2007-03-16 19:21:45 Daemon.Info 192.168.1.252 Mar 16 19:21:39 dnsmasq[367]: using nameserver XXX.XXX.XXX.XXX#53
2007-03-16 19:21:45 Daemon.Info 192.168.1.252 Mar 16 19:21:39 dnsmasq[367]: using nameserver XXX.XXX.XXX.XXX#53
2007-03-16 19:21:45 Daemon.Info 192.168.1.252 Mar 16 19:21:39 dnsmasq[367]: read /etc/hosts - 2 addresses
2007-03-16 19:21:45 Daemon.Info 192.168.1.252 Mar 16 19:21:39 dhcpd: Internet Systems Consortium DHCP Server V3.0.5
2007-03-16 19:21:45 Daemon.Info 192.168.1.252 Mar 16 19:21:39 dhcpd: Copyright 2004-2006 Internet Systems Consortium.
2007-03-16 19:21:45 Daemon.Info 192.168.1.252 Mar 16 19:21:39 dhcpd: All rights reserved.
2007-03-16 19:21:45 Daemon.Info 192.168.1.252 Mar 16 19:21:39 dhcpd: For info, please visit http://www.isc.org/sw/dhcp/
2007-03-16 19:21:46 System3.Info 192.168.1.252 Mar 16 19:21:40 racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
2007-03-16 19:21:46 System3.Info 192.168.1.252 Mar 16 19:21:40 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
2007-03-16 19:21:46 System3.Info 192.168.1.252 Mar 16 19:21:40 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=12)
2007-03-16 19:21:46 System3.Info 192.168.1.252 Mar 16 19:21:40 racoon: INFO: ::1[500] used as isakmp port (fd=13)
-
I just want to point out that exactly the same thing was happening to my old BSD VPN server. Internet is up, but VPN is down. I can't even re-establish a tunnel from a remote endpoint. Only a reboot helps.
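As an added illustration of sifting the Kiwi export posted above (this is not code from the original post or from pfSense), the following Python script parses racoon lines in that format, buckets the "Update the generated policy" and "such policy does not already exist" messages by subnet pair, lists the ESP SAs established, tallies the distinct ERROR/WARNING messages, and measures the longest silence in the log, which is the poster's own clue that the box has stopped logging. SAMPLE_LOG is constructed to mirror the posted lines, with peer addresses masked as in the post.

```python
"""Summarise racoon messages from a Kiwi Syslog export.

Added example, not code from the original post.  SAMPLE_LOG is constructed
to mirror the posted format; peer addresses are masked as in the post.
"""
import re
from collections import defaultdict
from datetime import datetime

# Kiwi prefix: "<YYYY-MM-DD HH:MM:SS> <facility.severity> <host> " followed by the
# raw syslog payload "<Mon DD HH:MM:SS> <prog>[pid]: [<LEVEL>: ]<message>".
KIWI_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<fac>\S+) (?P<host>\S+) "
    r"\w{3} +\d+ \d{2}:\d{2}:\d{2} (?P<prog>[^:\[]+)(?:\[\d+\])?: "
    r"(?:(?P<level>INFO|ERROR|WARNING|NOTIFY): )?(?P<msg>.*)$"
)
# Policy selector as racoon prints it: "<src>[port] <dst>[port] proto=<p> dir=<in|out>"
POLICY_RE = re.compile(
    r"(?P<src>[\d.]+/\d+)\[\d+\] (?P<dst>[\d.]+/\d+)\[\d+\] proto=\w+ dir=(?P<dir>in|out)"
)
SA_RE = re.compile(r"IPsec-SA established: ESP/Tunnel .* spi=(?P<spi>\d+)\(0x[0-9a-f]+\)")

# Constructed sample in the posted format (one phase 2 on the 16th, then the
# first lines after the reboot on the 17th).
SAMPLE_LOG = """\
2007-03-16 16:54:07 System3.Info 192.168.1.252 Mar 16 16:54:07 racoon: INFO: respond new phase 2 negotiation: XXX.XXX.XXX.XXX[500]<=>XXX.XXX.XXX.XXX[500]
2007-03-16 16:54:07 System3.Info 192.168.1.252 Mar 16 16:54:07 racoon: INFO: Update the generated policy : 192.168.135.0/24[0] 192.168.1.0/24[0] proto=any dir=in
2007-03-16 16:54:07 System3.Info 192.168.1.252 Mar 16 16:54:07 racoon: INFO: IPsec-SA established: ESP/Tunnel XXX.XXX.XXX.XXX[0]->XXX.XXX.XXX.XXX[0] spi=86804743(0x52c8907)
2007-03-16 16:54:07 System3.Info 192.168.1.252 Mar 16 16:54:07 racoon: INFO: IPsec-SA established: ESP/Tunnel XXX.XXX.XXX.XXX[0]->XXX.XXX.XXX.XXX[0] spi=3913880512(0xe94913c0)
2007-03-16 16:54:07 System3.Info 192.168.1.252 Mar 16 16:54:07 racoon: ERROR: such policy does not already exist: "192.168.135.0/24[0] 192.168.1.0/24[0] proto=any dir=in"
2007-03-16 16:54:07 System3.Info 192.168.1.252 Mar 16 16:54:07 racoon: ERROR: such policy does not already exist: "192.168.1.0/24[0] 192.168.135.0/24[0] proto=any dir=out"
2007-03-17 17:41:16 System3.Info 192.168.1.252 Mar 17 17:41:09 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
2007-03-17 17:41:16 Daemon.Notice 192.168.1.252 Mar 17 17:41:09 pftpx[458]: listening on 127.0.0.1 port 8021
"""


def subnet_pair(m):
    """Normalise a selector to 'local<->remote' regardless of direction so the
    dir=in and dir=out halves of one tunnel land in the same bucket."""
    if m["dir"] == "in":          # inbound: src is the remote LAN, dst is ours
        remote, local = m["src"], m["dst"]
    else:                         # outbound: src is ours, dst is the remote LAN
        local, remote = m["src"], m["dst"]
    return f"{local}<->{remote}"


def summarize(text):
    """Per-subnet-pair policy update/error counts, ESP SPIs seen, and a tally
    of distinct ERROR/WARNING messages from racoon."""
    pairs = defaultdict(lambda: {"policy_updates": 0, "policy_errors": 0})
    spis = []
    problems = defaultdict(int)
    for line in text.splitlines():
        m = KIWI_RE.match(line)
        if not m or m["prog"] != "racoon":
            continue
        msg = m["msg"]
        if m["level"] in ("ERROR", "WARNING"):
            # Key on the text before the first ': ' so the variable tail
            # (selector, errno string) does not split one problem into many.
            problems[f'{m["level"]}: {msg.split(": ", 1)[0]}'] += 1
        pm = POLICY_RE.search(msg)
        if pm and msg.startswith("Update the generated policy"):
            pairs[subnet_pair(pm)]["policy_updates"] += 1
        elif pm and msg.startswith("such policy does not already exist"):
            pairs[subnet_pair(pm)]["policy_errors"] += 1
        sm = SA_RE.search(msg)
        if sm:
            spis.append(int(sm["spi"]))
    return {"pairs": dict(pairs), "spis": spis, "problems": dict(problems)}


def longest_silence(text):
    """Largest gap in seconds between consecutive Kiwi receive timestamps,
    with the two timestamps bounding it.  A box that stops logging and is
    later rebooted shows up as one long gap ending at the post-reboot burst."""
    stamps = [datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
              for m in map(KIWI_RE.match, text.splitlines()) if m]
    best = (0, None, None)
    for a, b in zip(stamps, stamps[1:]):
        gap = int((b - a).total_seconds())
        if gap > best[0]:
            best = (gap, a.strftime("%Y-%m-%d %H:%M:%S"), b.strftime("%Y-%m-%d %H:%M:%S"))
    return best


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for pair, counts in report["pairs"].items():
        print(pair, counts)
    print("SPIs:", report["spis"])
    print("problems:", report["problems"])
    print("longest silence (s, from, to):", longest_silence(SAMPLE_LOG))
```

Run it over the whole Kiwi export rather than the sample. Note that in the posted log, as in the sample, each "such policy does not already exist" error comes right after an SA was established for the same subnet pair, so that error alone does not mark the failure; the silence the poster describes is the more telling signal, and longest_silence() bounds it so the last racoon lines before the gap can be read.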
This looks like the problem exists in FreeBSD and is not caused by pfSense. Maybe file a bug report on the appropriate FreeBSD list. Also provide info about the other peer. It might be caused by something at the other end sending something strange, as I haven't heard about this problem from anybody else yet.
-
I still suspect lifetime mismatches.
-
I still suspect lifetime mismatches.
Any suggestions on the values? I can try to change it tomorrow, though it is 50 tunnels we are talking about here :o
All my endpoints are either Linksys BEFVP41 or Netgear FVS318v3. -
-
Just make sure each side matches. Find the most commonly used lifetime, then change the rest to match.
Make sure phase 1 and phase 2 both match respectively, i.e. each machine's phase 1 should match, and phase 2 should match.
Not sure of the best settings, but I generally use 1500 for both phase 1 and 2. This might not be the best value, but so far it works great for me.
-
Wow, this is small. I've never gone lower than 3600 before. I was going to go with 86400 for phase 1 and 28800 for phase 2. -
-
3600 for both phases works for me without issues.
-
I've just noticed two warning messages in the log:
2007-03-17 17:41:16 System3.Info 192.168.1.252 Mar 17 17:41:09 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
2007-03-17 17:41:16 System3.Info 192.168.1.252 Mar 17 17:41:09 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=12)
2007-03-17 17:41:16 System3.Info 192.168.1.252 Mar 17 17:41:09 racoon: INFO: ::1[500] used as isakmp port (fd=13)
2007-03-17 17:41:16 System3.Info 192.168.1.252 Mar 17 17:41:09 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=14)
2007-03-17 17:41:16 System3.Info 192.168.1.252 Mar 17 17:41:09 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
2007-03-17 17:41:16 System3.Info 192.168.1.252 Mar 17 17:41:09 racoon: INFO: fe80::20e:cff:fec2:c2b7%em1[500] used as isakmp port (fd=15)
2007-03-17 17:41:16 System3.Info 192.168.1.252 Mar 17 17:41:09 racoon: INFO: xxx.xxx.xxx.xxx[500] used as isakmp port (fd=16)
2007-03-17 17:41:16 System3.Info 192.168.1.252 Mar 17 17:41:09 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
2007-03-17 17:41:16 System3.Info 192.168.1.252 Mar 17 17:41:09 racoon: INFO: fe80::20e:cff:fec2:c2c2%em0[500] used as isakmp port (fd=17)
2007-03-17 17:41:16 System3.Info 192.168.1.252 Mar 17 17:41:09 racoon: INFO: 192.168.1.252[500] used as isakmp port (fd=18)
2007-03-17 17:41:16 System3.Info 192.168.1.252 Mar 17 17:41:09 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
2007-03-17 17:41:16 Daemon.Notice 192.168.1.252 Mar 17 17:41:09 pftpx[458]: listening on 127.0.0.1 port 8021
-
I've changed all settings to 28800 for phase 1 and 3600 for phase 2 and it is still going down every day. Is there a difference in using mobile-users settings instead of IPsec tunnels for the hardware endpoints?
Also, FTP traffic is going one way only. Remotes can get on the FTP site at my office, but I can't FTP to them. -
Same problem here… approx. 40 tunnels with other pfSense and Smoothwall...
Please let me know if you found a solution... tnx
Z -
Hello,
I agree with HOBA. Set the lifetime on both phases to 3600. For me it works great!!
Greetings, Heiko -
The only thing I've found so far is this: http://securitytracker.com/alerts/2005/Mar/1013433.html. But it looks like it was fixed in 2005.
-
Hello,
I agree with HOBA. Set the lifetime on both phases to 3600. For me it works great!!
Greetings, Heiko
Hey man, how many tunnels do you have? Mobile users or static endpoints?
-
When you have static endpoints between Smoothwall and pfSense, please set both phases to a lifetime of 3600. We tested it and it works with pfSense 1.01 (not releng snapshot). Please test it in phase 2 with 28800.
These settings work for pfSense and Smoothwall (IPCop).
These settings work for me:
Phase 1:
Lifetime: 3600 sec.
Encrypt. Alg.: 3DES
Hash: MD5
DH Key Group: 2
Pre-Shared Key: xxxx
Phase 2:
Protocol: ESP
Encrypt. Alg.: only 3DES
Hash: only MD5
PFS Key Group: 2
Lifetime: 28800 or 3600, you must try.
On Smoothwall you must set compression to OFF.
Please try.
Greetings
Heiko