Netgate Discussion Forum

Vpn goes down…

IPsec
    covex
    last edited by Mar 17, 2007, 2:17 AM

    yes, it happened again today. here is a piece of the log around the event. i have system and vpn checked in for a log.
    2007-03-16 16:54:06 System3.Info 192.168.1.252 Mar 16 16:54:06 racoon: INFO: IPsec-SA established: ESP/Tunnel XXX.XXX.XXX.XXX[0]->XXX.XXX.XXX.XXX[0] spi=217182122(0xcf1efaa)
    2007-03-16 16:54:06 System3.Info 192.168.1.252 Mar 16 16:54:06 racoon: INFO: IPsec-SA established: ESP/Tunnel XXX.XXX.XXX.XXX[0]->XXX.XXX.XXX.XXX[0] spi=3879583483(0xe73dbefb)
    2007-03-16 16:54:06 System3.Info 192.168.1.252 Mar 16 16:54:06 racoon: ERROR: such policy does not already exist: "192.168.110.0/24[0] 192.168.1.0/24[0] proto=any dir=in"
    2007-03-16 16:54:06 System3.Info 192.168.1.252 Mar 16 16:54:06 racoon: ERROR: such policy does not already exist: "192.168.1.0/24[0] 192.168.110.0/24[0] proto=any dir=out"
    2007-03-16 16:54:06 System3.Info 192.168.1.252 Mar 16 16:54:06 racoon: INFO: respond new phase 1 negotiation: XXX.XXX.XXX.XXX[500]<=>XXX.XXX.XXX.XXX[500]
    2007-03-16 16:54:06 System3.Info 192.168.1.252 Mar 16 16:54:06 racoon: INFO: begin Identity Protection mode.
    2007-03-16 16:54:07 System3.Info 192.168.1.252 Mar 16 16:54:06 racoon: INFO: ISAKMP-SA established XXX.XXX.XXX.XXX[500]-XXX.XXX.XXX.XXX[500] spi:48aa9576aa4c1a5d:e07d27130e7932f8
    2007-03-16 16:54:07 System3.Info 192.168.1.252 Mar 16 16:54:07 racoon: INFO: respond new phase 2 negotiation: XXX.XXX.XXX.XXX[500]<=>XXX.XXX.XXX.XXX[500]
    2007-03-16 16:54:07 System3.Info 192.168.1.252 Mar 16 16:54:07 racoon: INFO: Update the generated policy : 192.168.135.0/24[0] 192.168.1.0/24[0] proto=any dir=in
    2007-03-16 16:54:07 System3.Info 192.168.1.252 Mar 16 16:54:07 racoon: INFO: IPsec-SA established: ESP/Tunnel XXX.XXX.XXX.XXX[0]->XXX.XXX.XXX.XXX[0] spi=86804743(0x52c8907)
    2007-03-16 16:54:07 System3.Info 192.168.1.252 Mar 16 16:54:07 racoon: INFO: IPsec-SA established: ESP/Tunnel XXX.XXX.XXX.XXX[0]->XXX.XXX.XXX.XXX[0] spi=3913880512(0xe94913c0)
    2007-03-16 16:54:07 System3.Info 192.168.1.252 Mar 16 16:54:07 racoon: ERROR: such policy does not already exist: "192.168.135.0/24[0] 192.168.1.0/24[0] proto=any dir=in"
    2007-03-16 16:54:07 System3.Info 192.168.1.252 Mar 16 16:54:07 racoon: ERROR: such policy does not already exist: "192.168.1.0/24[0] 192.168.135.0/24[0] proto=any dir=out"
    2007-03-16 16:54:09 System3.Info 192.168.1.252 Mar 16 16:54:09 racoon: INFO: ISAKMP-SA established XXX.XXX.XXX.XXX[500]-XXX.XXX.XXX.XXX[500] spi:6f8cf8f974c92323:298bba7671b109ad
    2007-03-16 16:54:09 System3.Info 192.168.1.252 Mar 16 16:54:09 racoon: INFO: respond new phase 2 negotiation: XXX.XXX.XXX.XXX[500]<=>XXX.XXX.XXX.XXX[500]
    2007-03-16 16:54:09 System3.Info 192.168.1.252 Mar 16 16:54:09 racoon: INFO: Update the generated policy : 192.168.102.0/24[0] 192.168.1.0/24[0] proto=any dir=in
    2007-03-16 16:54:09 System3.Info 192.168.1.252 Mar 16 16:54:09 racoon: INFO: IPsec-SA established: ESP/Tunnel XXX.XXX.XXX.XXX[0]->XXX.XXX.XXX.XXX[0] spi=68050139(0x40e5cdb)
    2007-03-16 16:54:09 System3.Info 192.168.1.252 Mar 16 16:54:09 racoon: INFO: IPsec-SA established: ESP/Tunnel XXX.XXX.XXX.XXX[0]->XXX.XXX.XXX.XXX[0] spi=3582458879(0xd587fbff)
    2007-03-16 16:54:09 System3.Info 192.168.1.252 Mar 16 16:54:09 racoon: ERROR: such policy does not already exist: "192.168.102.0/24[0] 192.168.1.0/24[0] proto=any dir=in"
    2007-03-16 16:54:09 System3.Info 192.168.1.252 Mar 16 16:54:09 racoon: ERROR: such policy does not already exist: "192.168.1.0/24[0] 192.168.102.0/24[0] proto=any dir=out"
    2007-03-16 19:20:23 Auth.Notice 192.168.1.252 Mar 16 19:20:23 shutdown: reboot by root:
    2007-03-16 19:21:45 Daemon.Info 192.168.1.252 Mar 16 19:21:39 dnsmasq[367]: started, version 2.36 cachesize 150
    2007-03-16 19:21:45 Daemon.Info 192.168.1.252 Mar 16 19:21:39 dnsmasq[367]: compile time options: IPv6 GNU-getopt ISC-leasefile no-DBus no-I18N
    2007-03-16 19:21:45 Daemon.Info 192.168.1.252 Mar 16 19:21:39 dnsmasq[367]: reading /etc/resolv.conf
    2007-03-16 19:21:45 Daemon.Info 192.168.1.252 Mar 16 19:21:39 dnsmasq[367]: using nameserver XXX.XXX.XXX.XXX#53
    2007-03-16 19:21:45 Daemon.Info 192.168.1.252 Mar 16 19:21:39 dnsmasq[367]: using nameserver XXX.XXX.XXX.XXX#53
    2007-03-16 19:21:45 Daemon.Info 192.168.1.252 Mar 16 19:21:39 dnsmasq[367]: read /etc/hosts - 2 addresses
    2007-03-16 19:21:45 Daemon.Info 192.168.1.252 Mar 16 19:21:39 dhcpd: Internet Systems Consortium DHCP Server V3.0.5
    2007-03-16 19:21:45 Daemon.Info 192.168.1.252 Mar 16 19:21:39 dhcpd: Copyright 2004-2006 Internet Systems Consortium.
    2007-03-16 19:21:45 Daemon.Info 192.168.1.252 Mar 16 19:21:39 dhcpd: All rights reserved.
    2007-03-16 19:21:45 Daemon.Info 192.168.1.252 Mar 16 19:21:39 dhcpd: For info, please visit http://www.isc.org/sw/dhcp/
    2007-03-16 19:21:46 System3.Info 192.168.1.252 Mar 16 19:21:40 racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
    2007-03-16 19:21:46 System3.Info 192.168.1.252 Mar 16 19:21:40 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
    2007-03-16 19:21:46 System3.Info 192.168.1.252 Mar 16 19:21:40 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=12)
    2007-03-16 19:21:46 System3.Info 192.168.1.252 Mar 16 19:21:40 racoon: INFO: ::1[500] used as isakmp port (fd=13)

    i just wanna point out that exactly the same thing was happening to my old bsd vpn server. internet is up, but vpn is down. i can't even reestablish a tunnel from remote endpoint. only reboot helps.

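A small triage helper for syslog exports like the one quoted above, added here as an example (it is not code from the thread or from pfSense): it counts phase 2 negotiations per peer and the "such policy does not already exist" errors per remote network so that a pattern repeating across many tunnels stands out. The sample lines are constructed in the same shape as the export, with documentation-range placeholder addresses.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of the syslog export quoted above
# (syslog-server prefix, then the racoon message); peer addresses are
# documentation-range placeholders, not the poster's real endpoints.
SAMPLE_LOG = """\
2007-03-16 16:54:06 System3.Info 192.168.1.252 Mar 16 16:54:06 racoon: INFO: respond new phase 2 negotiation: 203.0.113.1[500]<=>198.51.100.7[500]
2007-03-16 16:54:06 System3.Info 192.168.1.252 Mar 16 16:54:06 racoon: INFO: IPsec-SA established: ESP/Tunnel 203.0.113.1[0]->198.51.100.7[0] spi=217182122(0xcf1efaa)
2007-03-16 16:54:06 System3.Info 192.168.1.252 Mar 16 16:54:06 racoon: ERROR: such policy does not already exist: "192.168.110.0/24[0] 192.168.1.0/24[0] proto=any dir=in"
2007-03-16 16:54:06 System3.Info 192.168.1.252 Mar 16 16:54:06 racoon: ERROR: such policy does not already exist: "192.168.1.0/24[0] 192.168.110.0/24[0] proto=any dir=out"
2007-03-16 16:54:09 System3.Info 192.168.1.252 Mar 16 16:54:09 racoon: INFO: respond new phase 2 negotiation: 203.0.113.1[500]<=>198.51.100.9[500]
2007-03-16 16:54:09 System3.Info 192.168.1.252 Mar 16 16:54:09 racoon: ERROR: such policy does not already exist: "192.168.102.0/24[0] 192.168.1.0/24[0] proto=any dir=in"
2007-03-16 19:20:23 Auth.Notice 192.168.1.252 Mar 16 19:20:23 shutdown: reboot by root:
"""

RACOON_RE = re.compile(r"racoon: (INFO|ERROR|WARNING): (.*)$")
PHASE2_RE = re.compile(r"respond new phase 2 negotiation: \S+<=>(\S+)\[\d+\]")
POLICY_RE = re.compile(
    r'such policy does not already exist: "(\S+)\[\d+\] (\S+)\[\d+\] proto=\S+ dir=(in|out)"')


def summarize(log_text):
    """Count phase 2 negotiations per peer, 'policy does not already exist'
    errors per remote network, messages per level, and reboots."""
    phase2, policy_errors, levels = Counter(), Counter(), Counter()
    reboots = 0
    for line in log_text.splitlines():
        if "shutdown: reboot" in line:
            reboots += 1
            continue
        m = RACOON_RE.search(line)
        if not m:
            continue
        level, msg = m.groups()
        levels[level] += 1
        p2 = PHASE2_RE.search(msg)
        if p2:
            phase2[p2.group(1)] += 1
        pol = POLICY_RE.search(msg)
        if pol:
            src, dst, direction = pol.groups()
            # dir=in lists the remote network first, dir=out lists it second
            remote = src if direction == "in" else dst
            policy_errors[remote] += 1
    return {"phase2": phase2, "policy_errors": policy_errors,
            "levels": levels, "reboots": reboots}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

Run it over a full day's export to see whether the policy errors are spread over every remote network (pointing at something common to all tunnels, such as the lifetimes discussed below) or clustered on one peer.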
      hoba
      last edited by Mar 17, 2007, 7:58 PM

      @covex:

      i just wanna point out that exactly the same thing was happening to my old bsd vpn server. internet is up, but vpn is down. i can't even reestablish a tunnel from remote endpoint. only reboot helps.

      This looks like the problem exists in freebsd and is not caused by pfSense. Maybe file a bug report at the appropriate freebsd list. Also provide info about the other peer. It might be caused by something at the other end sending something strange, as I haven't heard about this problem from anybody else yet.

        sullrich
        last edited by Mar 17, 2007, 8:16 PM

        I still suspect lifetime mismatches.

          covex
          last edited by Mar 17, 2007, 11:11 PM Mar 17, 2007, 11:05 PM

          @sullrich:

          I still suspect lifetime mismatches.

          any suggestions on the values? i can try to change it tomorrow, though it is 50 tunnels we are talking about here  :o

          all my endpoints are either linksys befvp41 or netgear fvs318v3

            sullrich
            last edited by Mar 18, 2007, 12:19 AM

            Just make sure each size matches. Find the most commonly used lifetime, then change the rest to match.

            Make sure phase 1 and phase 2 both match respectively, i.e. each machine's phase 1 should match, and phase 2 should match.

            Not sure of the best settings, but I generally use 1500 for both phase 1 and 2. This might not be the best value, but so far it works great for me.

              covex
              last edited by Mar 18, 2007, 2:37 AM

              wow this is small. i've never gone lower than 3600 before. i was going to go with 86400 for phase 1 and 28800 for phase 2

                hoba
                last edited by Mar 18, 2007, 2:56 AM

                3600 for both phases works for me without issues.

                  covex
                  last edited by Mar 18, 2007, 3:17 AM

                  i've just noticed two warning messages in the log
                  2007-03-17 17:41:16 System3.Info 192.168.1.252 Mar 17 17:41:09 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
                  2007-03-17 17:41:16 System3.Info 192.168.1.252 Mar 17 17:41:09 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=12)
                  2007-03-17 17:41:16 System3.Info 192.168.1.252 Mar 17 17:41:09 racoon: INFO: ::1[500] used as isakmp port (fd=13)
                  2007-03-17 17:41:16 System3.Info 192.168.1.252 Mar 17 17:41:09 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=14)
                  2007-03-17 17:41:16 System3.Info 192.168.1.252 Mar 17 17:41:09 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
                  2007-03-17 17:41:16 System3.Info 192.168.1.252 Mar 17 17:41:09 racoon: INFO: fe80::20e:cff:fec2:c2b7%em1[500] used as isakmp port (fd=15)
                  2007-03-17 17:41:16 System3.Info 192.168.1.252 Mar 17 17:41:09 racoon: INFO: xxx.xxx.xxx.xxx[500] used as isakmp port (fd=16)
                  2007-03-17 17:41:16 System3.Info 192.168.1.252 Mar 17 17:41:09 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
                  2007-03-17 17:41:16 System3.Info 192.168.1.252 Mar 17 17:41:09 racoon: INFO: fe80::20e:cff:fec2:c2c2%em0[500] used as isakmp port (fd=17)
                  2007-03-17 17:41:16 System3.Info 192.168.1.252 Mar 17 17:41:09 racoon: INFO: 192.168.1.252[500] used as isakmp port (fd=18)
                  2007-03-17 17:41:16 System3.Info 192.168.1.252 Mar 17 17:41:09 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
                  2007-03-17 17:41:16 Daemon.Notice 192.168.1.252 Mar 17 17:41:09 pftpx[458]: listening on 127.0.0.1 port 8021

                    covex
                    last edited by Mar 23, 2007, 3:52 PM Mar 23, 2007, 3:41 PM

                    i've changed all settings to 28800 for phase 1 and 3600 for phase 2 and it is still going down every day. is there a difference for using mobile-users settings instead of ipsec tunnels for the hardware endpoints?
                    also ftp traffic is going one way only. remotes can get on the ftp site at my office, but i can't ftp to them

                      z00te
                      last edited by Mar 24, 2007, 7:29 PM

                      same problem here… approx 40 tunnel with other pfsense and smoothwall...
                      please let me know if you found a solution...

                      tnx
                      Z

                        heiko
                        last edited by Mar 24, 2007, 10:18 PM

                        Hello,
                        i agree with HOBA. Set the lifetime on both phases to 3600. For me it works great!!
                        Greetings Heiko

                          covex
                          last edited by Mar 25, 2007, 2:23 AM

                          the only thing i've found so far is this http://securitytracker.com/alerts/2005/Mar/1013433.html. but it looks like it was fixed in 2005

                            covex
                            last edited by Mar 25, 2007, 2:47 AM

                            @heiko:

                            Hello,
                            i agree with HOBA. Set the lifetime on both phases to 3600. For me it works great!!
                            Greetings Heiko

                            hey man, how many tunnels you have? mobile users or static endpoints?

                              heiko
                              last edited by Mar 25, 2007, 8:45 AM

                              When you have static endpoints between Smoothwall and pfsense, please set both phases to a lifetime of 3600. We tested it and it works with pfsense 1.01 (not releng snapshot). Please test it in Phase 2 with 28800.

                              These settings work for pfsense and Smoothwall (ipcop)

                              These settings work for me:

                              Phase 1:
                              Lifetime: 3600 sec.
                              Encrypt. Alg.: 3DES
                              Hash: MD5
                              DH Key Group: 2
                              Pre Shared Key: xxxx

                              Phase 2:
                              Protocol: ESP
                              Encrypt. Alg.: only 3DES
                              Hash: only MD5
                              PFS Key Group: 2
                              Lifetime: 28800 or 3600, you must try

                              On Smoothwall you must set compression to OFF.

                              Please try

                              Greetings
                              heiko
                                EmL
                                last edited by Mar 25, 2007, 8:58 AM

                                Hi … i think it should work with both lifetimes (e.g. 3600/3600 or 86400/28800). What is suggested in official RFCs you can read here http://www.faqs.org/rfcs/rfc4308.html (search for lifetime).

                                Do you have a crypto card in your box? I have one and have also problems (especially after ip changes dynamic-static VPN) ... without my crypto card the tunnel keeps alive over an ip change ... maybe this can cause your problems?

                                  covex
                                  last edited by Mar 25, 2007, 3:15 PM

                                  i don't have a crypto card in my box, and my problem is that the vpn service is going down on the pfsense server completely, not just the keep alive function.
                                  i have all static IPs and remotes are equipped with either linksys befvp41 or netgear fvs318 routers.
                                  i'll try to set everything to 3600 today, but i think the only thing that will change is that my server will be going down more often.

                                    hoba
                                    last edited by Mar 25, 2007, 3:41 PM

                                    Are you using main or aggressive mode? I think I once helped out a user in the IRC channel with a vpn to a netgear router and the problem was either main mode or aggressive (don't know the details anymore) but if you are currently using the one maybe try the other option.

                                      covex
                                      last edited by Mar 25, 2007, 4:57 PM

                                      everything is set to main mode. i'll try 3600 tonight; if this won't work i'll move from mobile users setup to ipsec tunnel for each connection, if this won't work either… i guess i'm going to be fired  ;D :(

                                        covex
                                        last edited by Mar 25, 2007, 7:36 PM

                                        …still why is ftp traffic going one way only? everything is by default under "rules".

                                          covex
                                          last edited by Mar 28, 2007, 10:03 PM Mar 28, 2007, 4:17 PM

                                          ok… looks like the "vpn goes down" problem was fixed. the server has been up for more than 24 hours now. but i still can't ftp to remote sites over vpn. pcanywhere (and file transfer) works fine, i can ssh and scp to remote PCs and they can ftp to my office, but i can't ftp to them. does anybody know how to fix this? tnx

                                          p.s. this quoted workaround is not helping:

                                          _If you want to connect to a FTP server you need to add this workaround to your LAN tab._

                                          Proto  Source   Port  Destination  Port       Gateway
                                          TCP    LAN net  *     127.0.0.1    1 - 65535  *

                                          _Now the packets are forwarded correctly and you can connect to an FTP server._

                                          ok… ftp problem was fixed too  8) as they say "if nothing works read the manual"  ;D ::)

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.