Upgraded from 1.0.1 to 1.2 RC1 and IPsec is not working
-
I have 4 site-to-site tunnels that were in operation before I updated. Now none of them are working after the upgrade; this is the log that I am getting from ipsecvpn.
Thanks
Aug 4 06:17:31 racoon: ERROR: xxx.xxx.xxx.xxx give up to get IPsec-SA due to time up to wait.
Aug 4 06:17:01 racoon: INFO: initiate new phase 2 negotiation: xxx.xxx.xxx.xxx[0]<=>xxx.xxx.xxx.xxx[0]
Aug 4 06:16:47 racoon: ERROR: xxx.xxx.xxx.xxx give up to get IPsec-SA due to time up to wait.
Aug 4 06:16:33 racoon: ERROR: phase1 negotiation failed due to time up. 3b144a9200d11f5a:0000000000000000
Aug 4 06:16:17 racoon: INFO: initiate new phase 2 negotiation: xxx.xxx.xxx.xxx[0]<=>xxx.xxx.xxx.xxx[0]
Aug 4 06:16:05 racoon: INFO: delete phase 2 handler.
Aug 4 06:16:05 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP xxx.xxx.xxx.xxx[0]->xxx.xxx.xxx.xxx[0]
Aug 4 06:16:03 racoon: ERROR: xxx.xxx.xxx.xxx give up to get IPsec-SA due to time up to wait.
Aug 4 06:15:33 racoon: INFO: initiate new phase 2 negotiation: xxx.xxx.xxx.xxx[0]<=>xxx.xxx.xxx.xxx[0]
Aug 4 06:15:32 racoon: INFO: begin Identity Protection mode.
Aug 4 06:15:32 racoon: INFO: initiate new phase 1 negotiation: xxx.xxx.xxx.xxx[500]<=>xxx.xxx.xxx.xxx[500]
Aug 4 06:15:32 racoon: INFO: IPsec-SA request for xxx.xxx.xxx.xxx queued due to no phase1 found.
Aug 4 06:15:19 racoon: ERROR: xxx.xxx.xxx.xxx give up to get IPsec-SA due to time up to wait.
Aug 4 06:14:49 racoon: INFO: initiate new phase 2 negotiation: xxx.xxx.xxx.xxx[0]<=>xxx.xxx.xxx.xxx[0]
Aug 4 06:14:35 racoon: ERROR: xxx.xxx.xxx.xxx give up to get IPsec-SA due to time up to wait.
Aug 4 06:14:05 racoon: INFO: initiate new phase 2 negotiation: xxx.xxx.xxx.xxx[0]<=>xxx.xxx.xxx.xxx[0]
Aug 4 06:13:51 racoon: ERROR: xxx.xxx.xxx.xxx give up to get IPsec-SA due to time up to wait.
Aug 4 06:13:21 racoon: INFO: initiate new phase 2 negotiation: xxx.xxx.xxx.xxx[0]<=>xxx.xxx.xxx.xxx[0]
-
Take a look at the firewall logs. Are UDP 500 and ESP blocked on the WAN?
-
I took a look at the firewall logs, and I do not see UDP 500 or ESP being blocked on the WAN.
-
The only action he has taken is to update the firewall. It is not the first time that something stops working after an update. This has happened to me too. It is not a good thing in an operational environment. The feeling is: is it working? Don't touch it. I think that pfSense has a lot of functionality and is a good product, but I also think that it needs to be more serious about update questions.
This is not a criticism, because pfSense is a free product and works so well. It is only a comment, because I think this is a point to improve.
Please take this reply as a suggestion for improvement, not as harsh criticism.
Cheers
-
We have updated all of our 1.0.1 pfSense boxes to 1.2 RC1, and all of our VPNs work as they should, standalone and with a cluster. I think there is no VPN bug in 1.2; it definitely works here...
Are you really sure that ISAKMP and ESP are not blocked from the WAN?
Greetings
Heiko
-
I have to agree with the poster. With each update, the one tunnel I have with a remote office has become more and more erratic. Now it has stopped working completely with the same error. I've used the same tunnel for a few years with the same settings, going back to m0n0wall.
There is a bug in pfSense concerning IPsec.
-
There are no bugs concerning pfSense and IPsec. I am running the latest version all over the place with multiple tunnels and it works fine.
-
Do you have it working with mobile clients?
-
yes
static <--> mobile
static <--> static
mobile --> cluster, and so on
-
When you upgrade to 1.2 you need to add IPsec rules for incoming IPsec traffic. I'm not sure if that's done automatically or not.
Though since your P1 is failing, it's not even getting that far.
What's at the other end of these tunnels?
I upgrade my half dozen or so boxes at home 2-3 times a week on average and have never had IPsec stop working.
-
I am having the exact same issue when trying to build a new VPN tunnel. I have one tunnel up and running, but I am trying to add some additional tunnels and am running into the exact same message. I do have packet shaping running; would this cause an issue?
RC
-
I had the same problem when attempting to connect FreeBSD 5.5 and pfSense 1.2 RC2 through IPsec.
racoon: INFO: IPsec-SA request for 192.168.1.100 queued due to no phase1 found.
Aug 30 13:50:19 racoon: INFO: initiate new phase 1 negotiation: 192.168.1.101[500]<=>192.168.1.100[500]
Aug 30 13:50:19 racoon: INFO: begin Aggressive mode.
Aug 30 13:50:19 racoon: INFO: received Vendor ID: DPD
Aug 30 13:50:19 racoon: WARNING: No ID match.
Aug 30 13:50:19 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Aug 30 13:50:20 racoon: INFO: ISAKMP-SA established 192.168.1.101[500]-192.168.1.100[500] spi:b85a286710483d05:9e0d8687a1f8c9c6
Aug 30 13:50:20 racoon: INFO: initiate new phase 2 negotiation: 192.168.1.101[500]<=>192.168.1.100[500]
Aug 30 13:50:50 racoon: ERROR: 192.168.1.100 give up to get IPsec-SA due to time up to wait.
Aug 30 13:51:05 racoon: INFO: initiate new phase 2 negotiation: 192.168.1.101[500]<=>192.168.1.100[500]

SPD (two lines):
Source        Destination   Direction  Protocol  Tunnel endpoints
10.3.3.0/24   10.3.0.0/24              ESP       192.168.1.100 - 192.168.1.101
10.3.0.0/24   10.3.3.0/24              ESP       192.168.1.101 - 192.168.1.100

SAD (only one line):
Source         Destination    Protocol  SPI       Enc. alg.  Auth. alg.
192.168.1.100  192.168.1.101  ESP       01f5ce42  replay=0   pid=3138

Please show a working configuration for IPsec with FreeBSD.
Excuse my weak English.
Thanks!
!----------------------------------------------------------------------------------------------!
P.S.
The problem was solved.
It was my mistake in the SPD rules in /etc/ipsec.conf (FreeBSD PC side).
!----------------------------------------------------------------------------------------------!
-
racoon: INFO: begin Identity Protection mode.
Aug 30 22:56:52 racoon: INFO: respond new phase 1 negotiation: 208.xxx.xxx.xxx[500]<=>24.xxx.xxx.xxx[500]
Aug 30 22:56:52 racoon: ERROR: phase1 negotiation failed due to time up. 4e2e3df766fe2532:3a4a329759c15328
Aug 30 22:56:45 racoon: ERROR: none message must be encrypted
Aug 30 22:56:21 racoon: INFO: begin Identity Protection mode.
Aug 30 22:56:21 racoon: INFO: respond new phase 1 negotiation: 208.xxx.xxx.xxx[500]<=>24.xxx.xxx.xxx[500]
Aug 30 22:56:14 racoon: ERROR: none message must be encrypted
Aug 30 22:56:00 racoon: ERROR: phase1 negotiation failed due to time up. 3f04ad4d1ec3467e:fbfadb805c4f9318
Aug 30 22:55:53 racoon: ERROR: phase1 negotiation failed due to time up. 825956a98d394856:fafa1b816a4b816f
Aug 30 22:55:51 racoon: INFO: begin Identity Protection mode.
Aug 30 22:55:51 racoon: INFO: respond new phase 1 negotiation: 208.xxx.xxx.xxx[500]<=>24.xxx.xxx.xxx[500]
Aug 30 22:55:33 racoon: ERROR: none message must be encrypted
Aug 30 22:55:29 racoon: ERROR: none message must be encrypted
Aug 30 22:55:23 racoon: INFO: delete phase 2 handler.
Aug 30 22:55:23 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 24.xxx.xxx.xxx[0]->208.xxx.xxx.xxx[0]
Aug 30 22:55:21 last message repeated 2 times

These are the error messages I am getting when trying to configure the VPN tunnels. I have a new client coming on, and I have to get this resolved or it will be a no-go.
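As an added illustration (not from any poster in this thread, and not pfSense or racoon code), the Python below takes racoon log lines like the ones pasted in this thread and sorts the failure messages into IKE phase 1 versus phase 2 problems, which is the first question every reply here is asking. The sample logs inside it are constructed from the messages quoted in the posts, with the same redacted addresses; the category names and the operator hints are my own labels for what racoon reports, not diagnoses of any particular tunnel.

```python
import re
from collections import Counter
from datetime import datetime

# Racoon syslog line as quoted in the thread: "Aug 4 06:16:33 racoon: ERROR: <msg>".
# The timestamp is optional because the first line of a pasted log often loses it.
LINE_RE = re.compile(
    r"^(?:(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) )?"
    r"racoon: (?P<level>[A-Z]+): (?P<msg>.*)$"
)

# Message fragment -> (category, operator hint). Hints describe what racoon
# reports, not a proven root cause; the operator still has to check the peer.
RULES = [
    ("phase1 negotiation failed due to time up", "P1_TIMEOUT",
     "no ISAKMP reply in time: peer down, or UDP/500 not reaching racoon (check WAN rules and firewall log)"),
    ("time up waiting for phase1", "P2_WAITING_ON_P1",
     "follow-on of the phase 1 failure, not a separate fault"),
    ("give up to get IPsec-SA", "P2_TIMEOUT",
     "quick mode never completed: compare phase 2 proposals and local/remote networks (SPD) on both ends"),
    ("none message must be encrypted", "P1_CLEARTEXT",
     "peer sent a cleartext ISAKMP message where an encrypted one was expected; seen with PSK or proposal mismatches"),
    ("No ID match", "ID_MISMATCH", "peer identifier did not match the configured one"),
    ("couldn't find the proper pskey", "ID_MISMATCH",
     "racoon fell back to looking the PSK up by peer address"),
    ("ISAKMP-SA established", "P1_OK", "phase 1 completed"),
]

# Constructed samples modelled on the two logs quoted in this thread (not live data).
LOG_P1_FAILING = """\
Aug 4 06:16:33 racoon: ERROR: phase1 negotiation failed due to time up. 3b144a9200d11f5a:0000000000000000
Aug 4 06:16:05 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP xxx.xxx.xxx.xxx[0]->xxx.xxx.xxx.xxx[0]
Aug 4 06:16:03 racoon: ERROR: xxx.xxx.xxx.xxx give up to get IPsec-SA due to time up to wait.
Aug 4 06:15:32 racoon: INFO: initiate new phase 1 negotiation: xxx.xxx.xxx.xxx[500]<=>xxx.xxx.xxx.xxx[500]
"""
LOG_P2_FAILING = """\
racoon: INFO: IPsec-SA request for 192.168.1.100 queued due to no phase1 found.
Aug 30 13:50:19 racoon: WARNING: No ID match.
Aug 30 13:50:19 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Aug 30 13:50:20 racoon: INFO: ISAKMP-SA established 192.168.1.101[500]-192.168.1.100[500] spi:b85a286710483d05:9e0d8687a1f8c9c6
Aug 30 13:50:50 racoon: ERROR: 192.168.1.100 give up to get IPsec-SA due to time up to wait.
"""


def parse_line(line):
    """Split one racoon log line into timestamp, level and message; None if not racoon."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = m.group("ts")
    return {
        # Year-less syslog stamp: strptime fills in 1900, which is fine for ordering.
        "ts": datetime.strptime(" ".join(ts.split()), "%b %d %H:%M:%S") if ts else None,
        "level": m.group("level"),
        "msg": m.group("msg"),
    }


def classify(msg):
    """Map a racoon message to (category, hint); unknown messages become OTHER."""
    for needle, category, hint in RULES:
        if needle in msg:
            return category, hint
    return "OTHER", ""


def triage(log_text):
    """Count failure categories and say which IKE phase is the one to debug."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    # The pfSense log viewer lists newest first; analyse oldest first.
    entries.sort(key=lambda e: e["ts"] or datetime.min)
    counts, hints = Counter(), {}
    for e in entries:
        category, hint = classify(e["msg"])
        counts[category] += 1
        if hint:
            hints[category] = hint
    if counts["P1_OK"] and counts["P2_TIMEOUT"]:
        verdict = "phase 1 OK, phase 2 failing"
    elif counts["P1_TIMEOUT"] or counts["P1_CLEARTEXT"]:
        verdict = "phase 1 failing"
    elif counts["P2_TIMEOUT"]:
        verdict = "phase 2 failing, no phase 1 result seen"
    else:
        verdict = "no known failure pattern"
    return {"verdict": verdict, "counts": dict(counts), "hints": hints}


if __name__ == "__main__":
    for name, log in (("site-to-site", LOG_P1_FAILING), ("FreeBSD peer", LOG_P2_FAILING)):
        result = triage(log)
        print(f"{name}: {result['verdict']}")
        for category, hint in result["hints"].items():
            print(f"  {category:<18} x{result['counts'][category]}  {hint}")
```

Run it as is to see the two constructed logs classified, or paste a real racoon log into `triage()`. The point of the ordering is the one made in the replies: a "give up to get IPsec-SA" error only matters once an "ISAKMP-SA established" line precedes it; before that, every phase 2 message is a consequence of phase 1 not completing, and the thing to check is reachability of UDP 500 on the WAN and the pre-shared key.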
-
Have you added firewall rules to allow UDP 500 and ESP from the WAN address of your pfSense box?
Is this a CARP system or a single one?
-
It is a system that only has one WAN IP address. Can you explain how to add the rules? I have not completely got a handle on how to create rules with pfSense yet.
RC
-
I created a different post, but I finally got past my issue. I found that the phase 1 password was too long for the device I was trying to connect to. I got that resolved and it is working great. Thanks.
RC
-
Go to Firewall -> Rules, then select the WAN tab.
Then click the little square with the plus icon.
Then create a rule to allow the ESP protocol and another to allow UDP port 500.