IPSEC - RC1 and RC2
-
try the newest snapshot
http://snapshots.pfsense.com/FreeBSD6/RELENG_1_2/updates/pfSense-Full-And-Embedded-Update-1.2-RC2.tgz
and test it again
-
try the newest snapshot
http://snapshots.pfsense.com/FreeBSD6/RELENG_1_2/updates/pfSense-Full-And-Embedded-Update-1.2-RC2.tgz
and test it again

It is working now. Now there is only one error on the Overview page: "Warning: Invalid argument supplied for foreach() in /usr/local/www/diag_ipsec.php on line 103", but the SAD and SPD views are OK.
-
fastcon68: Can you still replicate the problem where it starts rebooting when you add IPsec rules? If so, it's panicking and I'd like to have you get us a backtrace.
ssbaksa: Can you post a screenshot of that error?
-
I can second what ssbaksa observed.
After upgrading pfSense at my office to the current snapshot (1.2-RC2 built on Mon Sep 24 06:37:23 EDT 2007),
the IPsec tunnel between home and office will not come up; instead I have these messages in Diagnostics: System logs: IPSEC VPN (Last 500 IPSEC log entries):
Sep 24 15:35:11 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.100.0/24[0] 192.168.2.0/24[0] proto=any dir=out"
Sep 24 15:35:11 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.2.0/24[0] 192.168.100.0/24[0] proto=any dir=in"
Sep 24 15:35:11 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 217.x.y.z[0]->62.a.b.c[0] spi=223941049(0xd5911b9)
Sep 24 15:35:11 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 62.a.b.c[0]->217.x.y.z[0] spi=234153441(0xdf4e5e1)
Sep 24 15:35:11 racoon: [Unknown Gateway/Dynamic]: INFO: no policy found, try to generate the policy : 192.168.2.0/24[0] 192.168.100.0/24[0] proto=any dir=in
Sep 24 15:35:11 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: 217.x.y.z[0]<=>62.a.b.c[0]
Sep 24 15:35:10 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established 217.x.y.z[500]-62.a.b.c[500] spi:8bb2affd47f2274b:42ee99b4ee3f2066
Sep 24 15:35:10 racoon: INFO: received Vendor ID: DPD
Sep 24 15:35:10 racoon: INFO: begin Aggressive mode.
Sep 24 15:35:10 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 217.x.y.z[500]<=>62.a.b.c[500]
Sep 24 15:24:03 racoon: INFO: unsupported PF_KEY message REGISTER
Sep 24 15:24:03 racoon: INFO: fe80::…%fxp0[500] used as isakmp port (fd=24)
Sep 24 15:24:03 racoon: [Self]: INFO: 10.0.1.1[500] used as isakmp port (fd=23)
Sep 24 15:24:03 racoon: INFO: fe80::…%xl0[500] used as isakmp port (fd=22)
Sep 24 15:24:03 racoon: [Self]: INFO: 192.168.100.99[500] used as isakmp port (fd=21)
Sep 24 15:24:03 racoon: INFO: fe80::…%fxp1[500] used as isakmp port (fd=20)

Actually, it worked before. I had just used it and saw the same message as ssbaksa on the newly created IPsec tab: Overview.
Since the tunnel doesn't come up, there is no entry to show any more.
It was right underneath the 'Overview' tab, on top of the following table header.
-
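The log quoted above, read by a small parser, as an added example that is not part of the original post or of pfSense: it takes racoon's syslog lines the way the pfSense IPsec log page lists them (newest first), counts phase 1 and phase 2 SAs, pulls the SPD selectors out of the "such policy does not already exist" errors so they can be compared with the SPD view, and flags aggressive mode. The sample log is constructed from the quoted lines, with RFC 5737 documentation addresses standing in for the poster's public endpoints; the verdict wording is the author's own, not racoon's.

```python
"""Summarise racoon (IKEv1 daemon) log lines as shown in pfSense's IPsec log view.

Added example, not pfSense or racoon code: classifies phase 1 / phase 2 events
and extracts the SPD selectors from racoon's policy errors.
"""
import re

# Constructed sample modelled on the lines quoted in the post above, newest
# entry first as the pfSense log page lists them. Public endpoints are RFC 5737
# documentation addresses, not the poster's real hosts.
SAMPLE_LOG = """\
Sep 24 15:35:11 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.100.0/24[0] 192.168.2.0/24[0] proto=any dir=out"
Sep 24 15:35:11 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.2.0/24[0] 192.168.100.0/24[0] proto=any dir=in"
Sep 24 15:35:11 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 192.0.2.1[0]->198.51.100.1[0] spi=223941049(0xd5911b9)
Sep 24 15:35:11 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 198.51.100.1[0]->192.0.2.1[0] spi=234153441(0xdf4e5e1)
Sep 24 15:35:11 racoon: [Unknown Gateway/Dynamic]: INFO: no policy found, try to generate the policy : 192.168.2.0/24[0] 192.168.100.0/24[0] proto=any dir=in
Sep 24 15:35:11 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: 192.0.2.1[0]<=>198.51.100.1[0]
Sep 24 15:35:10 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established 192.0.2.1[500]-198.51.100.1[500] spi:8bb2affd47f2274b:42ee99b4ee3f2066
Sep 24 15:35:10 racoon: INFO: received Vendor ID: DPD
Sep 24 15:35:10 racoon: INFO: begin Aggressive mode.
Sep 24 15:35:10 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 192.0.2.1[500]<=>198.51.100.1[500]
Sep 24 15:24:03 racoon: INFO: unsupported PF_KEY message REGISTER
Sep 24 15:24:03 racoon: [Self]: INFO: 10.0.1.1[500] used as isakmp port (fd=23)
"""

# "<syslog timestamp> racoon: [<peer tag>]: <LEVEL>: <message>"; the peer tag is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) racoon: "
    r"(?:\[(?P<peer>[^\]]*)\]: )?"
    r"(?P<level>[A-Z]+): (?P<msg>.*)$"
)
# SPD selector as racoon prints it: "src/len[port] dst/len[port] proto=X dir=in|out".
POLICY_RE = re.compile(
    r'(?P<src>[^\s"\[]+)\[\d+\] (?P<dst>[^\s"\[]+)\[\d+\] proto=(?P<proto>\S+) dir=(?P<dir>in|out)'
)
# Phase 2 SA line: "ESP/Tunnel a.b.c.d[0]->e.f.g.h[0] spi=NNN(0x...)".
SA_RE = re.compile(
    r"IPsec-SA established: (?P<proto>\S+)/(?P<mode>\S+) "
    r"(?P<src>[^\s\[]+)\[\d+\]->(?P<dst>[^\s\[]+)\[\d+\] spi=(?P<spi>\d+)"
)


def parse_racoon_log(text):
    """Parse lines in racoon's syslog format into dicts; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def summarize(text):
    """Chronological summary: SA counts plus the selectors racoon could not find in the SPD."""
    entries = parse_racoon_log(text)
    entries.reverse()  # the log page shows newest first; analyse oldest first
    report = {
        "aggressive_mode": False,
        "phase1_established": 0,
        "phase2_sas": [],
        "missing_policies": [],
        "generated_policies": [],
        "errors": 0,
        "warnings": [],
    }
    for e in entries:
        msg = e["msg"]
        if e["level"] == "ERROR":
            report["errors"] += 1
        if msg.startswith("begin Aggressive mode"):
            report["aggressive_mode"] = True
        elif msg.startswith("ISAKMP-SA established"):
            report["phase1_established"] += 1
        elif msg.startswith("IPsec-SA established"):
            sa = SA_RE.search(msg)
            if sa:
                report["phase2_sas"].append(sa.groupdict())
        elif "such policy does not already exist" in msg:
            pol = POLICY_RE.search(msg)
            if pol:
                report["missing_policies"].append(pol.groupdict())
        elif "try to generate the policy" in msg:
            pol = POLICY_RE.search(msg)
            if pol:
                report["generated_policies"].append(pol.groupdict())
    if report["aggressive_mode"]:
        # IKEv1 aggressive mode with a pre-shared key exposes the identity hash
        # to offline dictionary attacks; main mode does not.
        report["warnings"].append("aggressive mode in use; prefer main mode with PSK")
    return report


def verdict(report):
    """One-line reading of the report in the terms a pfSense admin would check next."""
    if report["phase1_established"] == 0:
        return "phase 1 never completed: check pre-shared key, identifiers and phase 1 proposal"
    if not report["phase2_sas"]:
        return "phase 1 up, no phase 2 SA: check phase 2 networks and proposals on both ends"
    if report["missing_policies"]:
        sels = sorted({f"{p['src']}->{p['dst']} {p['dir']}" for p in report["missing_policies"]})
        return (f"tunnel up ({len(report['phase2_sas'])} SA) but racoon found no SPD entry for "
                f"{', '.join(sels)}; compare with the SPD view")
    return "tunnel up, no policy errors"


if __name__ == "__main__":
    print(verdict(summarize(SAMPLE_LOG)))
```

Paste the contents of the log page into `SAMPLE_LOG` (or read it from a file) and the verdict tells you whether to look at phase 1, phase 2, or the SPD. Here it reports the tunnel up with two SAs while naming the two selectors racoon complained about, which matches what the posters saw: errors in the log, tunnel eventually up.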
@cmb:
ssbaksa: Can you post a screenshot of that error?
No luck there. Only one thing, but that is GUI: the tabs on the IPsec log page change to a BIG font, and only on that tab; the table is unaffected.
-
You are right, I can duplicate it...
but the tunnel is up... strange.
-
Yeah, mine is up again as well but still shows those errors.
Took about half an hour or so with pfSense on both ends. Dunno why.
-
@cmb:
Can you post a screenshot of that error?
Since no one posted this screenshot and the problem still exists in recent builds, here we go:
![pfSense IPsec overview error.png](/public/imported_attachments/1/pfSense IPsec overview error.png)
-
I have my pfSense firewall offline due to two issues.
1. If I enable the rule for IPsec, the firewall reboots every 5 minutes.
2. IPsec passthrough quit.

Let me know what I can do to give you all any information. I will even let you into the firewall remotely so that you can pull logs or any information.
RC
-
Problem still exists in RC3. I really like the new IPsec connection status symbols and the IPsec highlighting in the log files. It would be great if the mobile clients could be shown as well.