Netgate Discussion Forum
    Vpn goes down…

    IPsec
    26 Posts 6 Posters 10.0k Views
    sullrich

      This has been covered countless times.

      Check the lifetimes and enable System -> Advanced -> Prefer old IPsec SAs.

      And no offense, but search before posting. It is considered rude for us to have to keep answering questions that have been answered prior.

      covex

        None taken. Sorry about that, but I've been googling this for the last two days and couldn't find anything. Also, I had my old VPN server looked at, and the only solution we could come up with was a script to restart the isakmpd service.
        I'll try your suggestion and will post here. Shouldn't be long, as my VPN goes down once or twice a day.

        hoba

          If it happens again please let us know which version you are running. If it's not a recent snapshot please try with one of these.

          covex

            I'm running the 1.0.1-snapshot-02-27-2007 build on 03/06/07,
            and I was running a really old version of OpenBSD on my old VPN server.

            hoba

              So did it happen again with the changed config that Scott suggested? What's in the systemlogs when things fail?

              covex

                Yes, it happened again today. Here is a piece of the log around the event. I have system and VPN checked in for a log.
                2007-03-16 16:54:06 System3.Info 192.168.1.252 Mar 16 16:54:06 racoon: INFO: IPsec-SA established: ESP/Tunnel XXX.XXX.XXX.XXX[0]->XXX.XXX.XXX.XXX[0] spi=217182122(0xcf1efaa)
                2007-03-16 16:54:06 System3.Info 192.168.1.252 Mar 16 16:54:06 racoon: INFO: IPsec-SA established: ESP/Tunnel XXX.XXX.XXX.XXX[0]->XXX.XXX.XXX.XXX[0] spi=3879583483(0xe73dbefb)
                2007-03-16 16:54:06 System3.Info 192.168.1.252 Mar 16 16:54:06 racoon: ERROR: such policy does not already exist: "192.168.110.0/24[0] 192.168.1.0/24[0] proto=any dir=in"
                2007-03-16 16:54:06 System3.Info 192.168.1.252 Mar 16 16:54:06 racoon: ERROR: such policy does not already exist: "192.168.1.0/24[0] 192.168.110.0/24[0] proto=any dir=out"
                2007-03-16 16:54:06 System3.Info 192.168.1.252 Mar 16 16:54:06 racoon: INFO: respond new phase 1 negotiation: XXX.XXX.XXX.XXX[500]<=>XXX.XXX.XXX.XXX[500]
                2007-03-16 16:54:06 System3.Info 192.168.1.252 Mar 16 16:54:06 racoon: INFO: begin Identity Protection mode.
                2007-03-16 16:54:07 System3.Info 192.168.1.252 Mar 16 16:54:06 racoon: INFO: ISAKMP-SA established XXX.XXX.XXX.XXX[500]-XXX.XXX.XXX.XXX[500] spi:48aa9576aa4c1a5d:e07d27130e7932f8
                2007-03-16 16:54:07 System3.Info 192.168.1.252 Mar 16 16:54:07 racoon: INFO: respond new phase 2 negotiation: XXX.XXX.XXX.XXX[500]<=>XXX.XXX.XXX.XXX[500]
                2007-03-16 16:54:07 System3.Info 192.168.1.252 Mar 16 16:54:07 racoon: INFO: Update the generated policy : 192.168.135.0/24[0] 192.168.1.0/24[0] proto=any dir=in
                2007-03-16 16:54:07 System3.Info 192.168.1.252 Mar 16 16:54:07 racoon: INFO: IPsec-SA established: ESP/Tunnel XXX.XXX.XXX.XXX[0]->XXX.XXX.XXX.XXX[0] spi=86804743(0x52c8907)
                2007-03-16 16:54:07 System3.Info 192.168.1.252 Mar 16 16:54:07 racoon: INFO: IPsec-SA established: ESP/Tunnel XXX.XXX.XXX.XXX[0]->XXX.XXX.XXX.XXX[0] spi=3913880512(0xe94913c0)
                2007-03-16 16:54:07 System3.Info 192.168.1.252 Mar 16 16:54:07 racoon: ERROR: such policy does not already exist: "192.168.135.0/24[0] 192.168.1.0/24[0] proto=any dir=in"
                2007-03-16 16:54:07 System3.Info 192.168.1.252 Mar 16 16:54:07 racoon: ERROR: such policy does not already exist: "192.168.1.0/24[0] 192.168.135.0/24[0] proto=any dir=out"
                2007-03-16 16:54:09 System3.Info 192.168.1.252 Mar 16 16:54:09 racoon: INFO: ISAKMP-SA established XXX.XXX.XXX.XXX[500]-XXX.XXX.XXX.XXX[500] spi:6f8cf8f974c92323:298bba7671b109ad
                2007-03-16 16:54:09 System3.Info 192.168.1.252 Mar 16 16:54:09 racoon: INFO: respond new phase 2 negotiation: XXX.XXX.XXX.XXX[500]<=>XXX.XXX.XXX.XXX[500]
                2007-03-16 16:54:09 System3.Info 192.168.1.252 Mar 16 16:54:09 racoon: INFO: Update the generated policy : 192.168.102.0/24[0] 192.168.1.0/24[0] proto=any dir=in
                2007-03-16 16:54:09 System3.Info 192.168.1.252 Mar 16 16:54:09 racoon: INFO: IPsec-SA established: ESP/Tunnel XXX.XXX.XXX.XXX[0]->XXX.XXX.XXX.XXX[0] spi=68050139(0x40e5cdb)
                2007-03-16 16:54:09 System3.Info 192.168.1.252 Mar 16 16:54:09 racoon: INFO: IPsec-SA established: ESP/Tunnel XXX.XXX.XXX.XXX[0]->XXX.XXX.XXX.XXX[0] spi=3582458879(0xd587fbff)
                2007-03-16 16:54:09 System3.Info 192.168.1.252 Mar 16 16:54:09 racoon: ERROR: such policy does not already exist: "192.168.102.0/24[0] 192.168.1.0/24[0] proto=any dir=in"
                2007-03-16 16:54:09 System3.Info 192.168.1.252 Mar 16 16:54:09 racoon: ERROR: such policy does not already exist: "192.168.1.0/24[0] 192.168.102.0/24[0] proto=any dir=out"
                2007-03-16 19:20:23 Auth.Notice 192.168.1.252 Mar 16 19:20:23 shutdown: reboot by root:
                2007-03-16 19:21:45 Daemon.Info 192.168.1.252 Mar 16 19:21:39 dnsmasq[367]: started, version 2.36 cachesize 150
                2007-03-16 19:21:45 Daemon.Info 192.168.1.252 Mar 16 19:21:39 dnsmasq[367]: compile time options: IPv6 GNU-getopt ISC-leasefile no-DBus no-I18N
                2007-03-16 19:21:45 Daemon.Info 192.168.1.252 Mar 16 19:21:39 dnsmasq[367]: reading /etc/resolv.conf
                2007-03-16 19:21:45 Daemon.Info 192.168.1.252 Mar 16 19:21:39 dnsmasq[367]: using nameserver XXX.XXX.XXX.XXX#53
                2007-03-16 19:21:45 Daemon.Info 192.168.1.252 Mar 16 19:21:39 dnsmasq[367]: using nameserver XXX.XXX.XXX.XXX#53
                2007-03-16 19:21:45 Daemon.Info 192.168.1.252 Mar 16 19:21:39 dnsmasq[367]: read /etc/hosts - 2 addresses
                2007-03-16 19:21:45 Daemon.Info 192.168.1.252 Mar 16 19:21:39 dhcpd: Internet Systems Consortium DHCP Server V3.0.5
                2007-03-16 19:21:45 Daemon.Info 192.168.1.252 Mar 16 19:21:39 dhcpd: Copyright 2004-2006 Internet Systems Consortium.
                2007-03-16 19:21:45 Daemon.Info 192.168.1.252 Mar 16 19:21:39 dhcpd: All rights reserved.
                2007-03-16 19:21:45 Daemon.Info 192.168.1.252 Mar 16 19:21:39 dhcpd: For info, please visit http://www.isc.org/sw/dhcp/
                2007-03-16 19:21:46 System3.Info 192.168.1.252 Mar 16 19:21:40 racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
                2007-03-16 19:21:46 System3.Info 192.168.1.252 Mar 16 19:21:40 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
                2007-03-16 19:21:46 System3.Info 192.168.1.252 Mar 16 19:21:40 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=12)
                2007-03-16 19:21:46 System3.Info 192.168.1.252 Mar 16 19:21:40 racoon: INFO: ::1[500] used as isakmp port (fd=13)

                I just wanna point out that exactly the same thing was happening to my old BSD VPN server. Internet is up, but VPN is down. I can't even reestablish a tunnel from the remote endpoint. Only a reboot helps.

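A small triage script for log excerpts in this format, added here as an example and not code from the thread or from pfSense: it parses the collector-prefixed racoon lines, counts phase 1 and phase 2 SA establishments, and pulls out the "such policy does not already exist" errors and the setsockopt warnings, so the subnet pairs that had no matching policy when the SA came up can be checked against the configured tunnels. The sample lines are constructed in the thread's format with masked peers.

```python
import re

# Constructed sample lines in the collector format shown in the thread (peers masked as XXX, as in the post).
SAMPLE_LOG = """\
2007-03-16 16:54:06 System3.Info 192.168.1.252 Mar 16 16:54:06 racoon: INFO: ISAKMP-SA established XXX.XXX.XXX.XXX[500]-XXX.XXX.XXX.XXX[500] spi:48aa9576aa4c1a5d:e07d27130e7932f8
2007-03-16 16:54:07 System3.Info 192.168.1.252 Mar 16 16:54:07 racoon: INFO: IPsec-SA established: ESP/Tunnel XXX.XXX.XXX.XXX[0]->XXX.XXX.XXX.XXX[0] spi=86804743(0x52c8907)
2007-03-16 16:54:07 System3.Info 192.168.1.252 Mar 16 16:54:07 racoon: ERROR: such policy does not already exist: "192.168.135.0/24[0] 192.168.1.0/24[0] proto=any dir=in"
2007-03-16 16:54:07 System3.Info 192.168.1.252 Mar 16 16:54:07 racoon: ERROR: such policy does not already exist: "192.168.1.0/24[0] 192.168.135.0/24[0] proto=any dir=out"
2007-03-17 17:41:16 System3.Info 192.168.1.252 Mar 17 17:41:09 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
"""

# Collector prefix (receive time, facility.severity, host), device timestamp, process[pid], message.
LINE_RE = re.compile(
    r"^(?P<recv>\S+ \S+) (?P<fac>\S+) (?P<host>\S+) "
    r"(?P<stamp>\w{3} +\d+ [\d:]+) (?P<proc>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
POLICY_RE = re.compile(
    r'such policy does not already exist: "(?P<src>\S+) (?P<dst>\S+) proto=\S+ dir=(?P<dir>\w+)"'
)

def parse_line(line):
    """Split one collector line into fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def triage(text):
    """Count SA events and collect the racoon errors and warnings worth looking at."""
    out = {"isakmp_sa": 0, "ipsec_sa": 0, "missing_policy": [], "warnings": []}
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["proc"] != "racoon":
            continue
        msg = rec["msg"]
        if msg.startswith("INFO: ISAKMP-SA established"):
            out["isakmp_sa"] += 1        # phase 1 completed
        elif msg.startswith("INFO: IPsec-SA established"):
            out["ipsec_sa"] += 1         # phase 2 completed (one line per direction)
        elif msg.startswith("ERROR:"):
            pm = POLICY_RE.search(msg)   # SA came up but no SPD entry matched its selectors
            if pm:
                out["missing_policy"].append((pm["src"], pm["dst"], pm["dir"]))
        elif msg.startswith("WARNING:"):
            out["warnings"].append(msg[len("WARNING: "):])
    return out

def remote_subnets_without_policy(summary):
    """Remote subnets named in the 'such policy does not already exist' errors (src for dir=in, dst for dir=out)."""
    subnets = set()
    for src, dst, direction in summary["missing_policy"]:
        remote = src if direction == "in" else dst
        subnets.add(remote.split("[")[0])   # drop the [port] suffix
    return sorted(subnets)
```

Run it over a longer export to see which remote subnets keep producing the policy error and whether they line up with the tunnels that drop.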
                hoba

                  @covex:

                  I just wanna point out that exactly the same thing was happening to my old BSD VPN server. Internet is up, but VPN is down. I can't even reestablish a tunnel from the remote endpoint. Only a reboot helps.

                  This looks like the problem exists in FreeBSD and is not caused by pfSense. Maybe file a bug report at the appropriate FreeBSD list. Also provide info about the other peer. It might be caused by something at the other end sending something strange, as I haven't heard about this problem from anybody else yet.

                  sullrich

                    I still suspect lifetime mismatches.

                    covex

                      @sullrich:

                      I still suspect lifetime mismatches.

                      Any suggestions on the values? I can try to change it tomorrow, though it is 50 tunnels we are talking about here :o

                      All my endpoints are either Linksys BEFVP41 or Netgear FVS318v3.

                      sullrich

                        Just make sure each size matches. Find the most commonly used lifetime, then change the rest to match.

                        Make sure phase 1 and phase 2 both match respectively. I.e.: each machine's phase 1 should match, and phase 2 should match.

                        Not sure of the best settings, but I generally use 1500 for both phase 1 and 2. This might not be the best value, but so far it works great for me.

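One way to apply Scott's advice across many tunnels, as an added example that is not the thread's or pfSense's code: given an inventory of each tunnel's phase 1 and phase 2 lifetimes on both sides, find the fleet-wide most common value per phase and list every side that disagrees with its peer or needs to change to the common value. The inventory and tunnel names below are constructed.

```python
from collections import Counter

# Constructed inventory: lifetimes in seconds on the pfSense side ("local") and on the
# remote endpoint ("remote") for each tunnel. Not real data.
TUNNELS = [
    {"name": "branch-01", "local": {"p1": 28800, "p2": 3600}, "remote": {"p1": 28800, "p2": 3600}},
    {"name": "branch-02", "local": {"p1": 28800, "p2": 3600}, "remote": {"p1": 86400, "p2": 3600}},
    {"name": "branch-03", "local": {"p1": 28800, "p2": 3600}, "remote": {"p1": 28800, "p2": 28800}},
    {"name": "branch-04", "local": {"p1": 3600, "p2": 3600}, "remote": {"p1": 3600, "p2": 3600}},
]

PHASES = ("p1", "p2")
SIDES = ("local", "remote")

def most_common_lifetimes(tunnels):
    """Mode of the configured lifetime per phase, counted over both sides of every tunnel."""
    target = {}
    for phase in PHASES:
        values = [t[side][phase] for t in tunnels for side in SIDES]
        target[phase] = Counter(values).most_common(1)[0][0]
    return target

def audit(tunnels):
    """Findings as (tunnel, phase, issue, current, expected) tuples: a 'mismatch' when the
    two sides of a tunnel disagree, and 'set <side>' when a side differs from the fleet mode."""
    target = most_common_lifetimes(tunnels)
    findings = []
    for t in tunnels:
        for phase in PHASES:
            local, remote = t["local"][phase], t["remote"][phase]
            if local != remote:
                findings.append((t["name"], phase, "mismatch", local, remote))
            for side in SIDES:
                if t[side][phase] != target[phase]:
                    findings.append((t["name"], phase, f"set {side}", t[side][phase], target[phase]))
    return findings

if __name__ == "__main__":
    for f in audit(TUNNELS):
        print(f)
```

Phase 1 and phase 2 are audited independently, matching the advice that each phase must agree between the peers but the two phases need not share a value.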
                        covex

                          Wow, this is small. I've never gone lower than 3600 before. I was going to go with 86400 for phase 1 and 28800 for phase 2.

                          hoba

                            3600 for both phases works for me without issues.

                            covex

                              I've just noticed two warning messages in the log:
                              2007-03-17 17:41:16 System3.Info 192.168.1.252 Mar 17 17:41:09 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
                              2007-03-17 17:41:16 System3.Info 192.168.1.252 Mar 17 17:41:09 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=12)
                              2007-03-17 17:41:16 System3.Info 192.168.1.252 Mar 17 17:41:09 racoon: INFO: ::1[500] used as isakmp port (fd=13)
                              2007-03-17 17:41:16 System3.Info 192.168.1.252 Mar 17 17:41:09 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=14)
                              2007-03-17 17:41:16 System3.Info 192.168.1.252 Mar 17 17:41:09 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
                              2007-03-17 17:41:16 System3.Info 192.168.1.252 Mar 17 17:41:09 racoon: INFO: fe80::20e:cff:fec2:c2b7%em1[500] used as isakmp port (fd=15)
                              2007-03-17 17:41:16 System3.Info 192.168.1.252 Mar 17 17:41:09 racoon: INFO: xxx.xxx.xxx.xxx[500] used as isakmp port (fd=16)
                              2007-03-17 17:41:16 System3.Info 192.168.1.252 Mar 17 17:41:09 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
                              2007-03-17 17:41:16 System3.Info 192.168.1.252 Mar 17 17:41:09 racoon: INFO: fe80::20e:cff:fec2:c2c2%em0[500] used as isakmp port (fd=17)
                              2007-03-17 17:41:16 System3.Info 192.168.1.252 Mar 17 17:41:09 racoon: INFO: 192.168.1.252[500] used as isakmp port (fd=18)
                              2007-03-17 17:41:16 System3.Info 192.168.1.252 Mar 17 17:41:09 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
                              2007-03-17 17:41:16 Daemon.Notice 192.168.1.252 Mar 17 17:41:09 pftpx[458]: listening on 127.0.0.1 port 8021

                              covex

                                I've changed all settings to 28800 for phase 1 and 3600 for phase 2, and it is still going down every day. Is there a difference in using the mobile-users settings instead of IPsec tunnels for the hardware endpoints?
                                Also, FTP traffic is going one way only. Remotes can get on the FTP site at my office, but I can't FTP to them.

                                z00te

                                  Same problem here… approx. 40 tunnels with other pfSense and Smoothwall boxes...
                                  Please let me know if you found a solution...

                                  tnx
                                  Z

                                  heiko

                                    Hello,
                                    I agree with hoba. Set the lifetime on both phases to 3600. For me it works great!!
                                    Greetings, Heiko

                                    covex

                                      The only thing I've found so far is this: http://securitytracker.com/alerts/2005/Mar/1013433.html. But it looks like it was fixed in 2005.

                                      covex

                                        @heiko:

                                        Hello,
                                        I agree with hoba. Set the lifetime on both phases to 3600. For me it works great!!
                                        Greetings, Heiko

                                        Hey man, how many tunnels do you have? Mobile users or static endpoints?

                                        heiko

                                          When you have static endpoints between Smoothwall and pfSense, please set both phases to a lifetime of 3600. We tested it and it works with pfSense 1.01 (not the RELENG snapshot). Please test it in phase 2 with 28800.

                                          These settings work for pfSense and Smoothwall (IPCop).

                                          These settings work for me:

                                          Phase 1 lifetime: 3600 sec.
                                          Encrypt. Alg.: 3DES
                                          Hash: MD5
                                          DH Key Group: 2
                                          Pre-Shared Key: xxxx

                                          Phase 2:
                                          Protocol: ESP
                                          Encrypt. Alg.: only 3DES
                                          Hash: only MD5
                                          PFS Key Group: 2
                                          Lifetime: 28800 or 3600, you must try

                                          On Smoothwall you must set compression to OFF.

                                          Please try

                                          Greetings
                                          heiko


                                          EmL

                                            Hi … I think it should work with both lifetimes (e.g. 3600/3600 or 86400/28800). What is suggested in the official RFCs you can read here: http://www.faqs.org/rfcs/rfc4308.html (search for lifetime).

                                            Do you have a crypto card in your box? I have one and also have problems (especially after IP changes on a dynamic-static VPN) ... without my crypto card the tunnel stays alive over an IP change ... maybe this can cause your problems?

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.