Netgate Discussion Forum

    1.2-RC4 IPSec Tunnel problem

    Category: IPsec
    16 Posts 4 Posters 9.7k Views
    • heiko

      With 1.2-RC4, IPsec runs fine and stable, either with two static endpoints or with one dynamic and one static. Please double-check your config.
      • jle2005

        Hi heiko, and thank you very much for replying to my post. It's great to hear that you got your IPsec tunnel up and running.

        Can you please describe a little about how you configured your IPsec tunnel? I followed the tutorial "configuring IPsec-tunnels with 2 pfSense-systems between static IP and dynamic IP", but there is something I didn't do right, I guess.

        By looking at the error log, can you tell what those errors were all about? Thanks once again.
        • heiko

          Please post the screenshots of your WebGUI tunnel.
          • jle2005

            heiko, I've decided to tear down the box and rebuild it, and if I run into this problem again I will post screenshots for you. Thank you very much.
            • heiko

              OK, you have my attention.
              • fastcon68

                I had a similar problem with 1.2-RC3. It was odd; I only had a problem after the upgrade. I ended up rebuilding after I saved my configuration and printed it out so I could rebuild. That is not an option now. My configuration is too complex now.

                I only upgrade when I run into a weird issue. I have one issue now where I can't access the admin tool over HTTPS from the WAN side. I have production to be concerned with, and it costs too much to have it down.

                RC
                • jle2005

                  Hi fastcon68,

                  The weirdest part is that even though I'm having those error logs, my IPsec tunnel is still up and running and I can transmit data back and forth between my sites.
                  • fastcon68

                    I will check my log files to see if I am getting the same errors. I'll post in a few minutes. I am waiting for the site to come up.
                    RC
                    • heiko

                      @jle2005:

                      Hi fastcon68,

                      The weirdest part is that even though I'm having those error logs, my IPsec tunnel is still up and running and I can transmit data back and forth between my sites.

                      Fine
                      • jle2005

                        Hi heiko,

                        Is it really fine? Does it affect the IPsec tunnel performance at all, with those error logs?
                        • heiko

                          @jle2005:

                          Hi heiko,

                          Is it really fine? Does it affect the IPsec tunnel performance at all, with those error logs?

                          I think you have the tunnel up and running! Which error logs do you mean?
                          • jle2005

                            heiko,

                            I think you have the tunnel up and running! Which error logs do you mean?

                            The error logs below and those in my previous posts.

                            Jan 29 18:20:42    racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "172.16.1.0/24[0] 192.168.1.0/24[0] proto=any dir=out"
                            Jan 29 18:20:42    racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.1.0/24[0] 172.16.1.0/24[0] proto=any dir=in"
                            Jan 29 18:20:42    racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 63.252.x.x[0]->24.17.x.x[0] spi=223333855(0xd4fcddf)
                            Jan 29 18:20:42    racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 24.17.x.x[0]->63.252.x.x[0] spi=101796693(0x6114b55)
                            Jan 29 18:20:42    racoon: [Unknown Gateway/Dynamic]: INFO: Update the generated policy : 192.168.1.0/24[0] 172.16.1.0/24[0] proto=any dir=in
                            Jan 29 18:20:42    racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: 63.252.x.x[0]<=>24.17.x.x[0]
                            Jan 29 18:20:41    racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA expired: ESP/Tunnel 24.17.x.x[0]->63.252.x.x[0] spi=76670812(0x491e75c)
                            Jan 29 18:20:41    racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA expired: ESP/Tunnel 63.252.x.x[0]->24.17.x.x[0] spi=258166286(0xf634e0e)
                            Jan 29 18:20:41    racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established 63.252.x.x[500]-24.17.x.x[500] spi:57bbe8e812127d61:4ffe248e9b35525e
                            Jan 29 18:20:41    racoon: INFO: received Vendor ID: DPD
                            Jan 29 18:20:41    racoon: INFO: begin Aggressive mode.
                            Jan 29 18:20:41    racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 63.252.x.x[500]<=>24.17.x.x[500]
                            Jan 29 18:07:39    racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA deleted 63.252.x.x[500]-24.17.x.x[500] spi:f5a70c73dbf7f17a:baa137939e863faa
                            Jan 29 18:07:38    racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA expired 63.252.x.x[500]-24.17.x.x[500] spi:f5a70c73dbf7f17a:baa137939e863faa
                            Jan 29 18:03:20    racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA expired: ESP/Tunnel 24.17.x.x[0]->63.252.x.x[0] spi=27709746(0x1a6d132)
                            Jan 29 18:03:20    racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA expired: ESP/Tunnel 63.252.x.x[0]->24.17.x.x[0] spi=156434038(0x952fe76)
                            Jan 29 18:03:20    racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "172.16.1.0/24[0] 192.168.1.0/24[0] proto=any dir=out"
                            Jan 29 18:03:20    racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.1.0/24[0] 172.16.1.0/24[0] proto=any dir=in"
                            Jan 29 18:03:20    racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 63.252.x.x[0]->24.17.x.x[0] spi=258166286(0xf634e0e)
                            Jan 29 18:03:20    racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 24.17.x.x[0]->63.252.x.x[0] spi=76670812(0x491e75c)
                            Jan 29 18:03:20    racoon: [Unknown Gateway/Dynamic]: INFO: Update the generated policy : 192.168.1.0/24[0] 172.16.1.0/24[0] proto=any dir=in
                            Jan 29 18:03:20    racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: 63.252.x.x[0]<=>24.17.x.x[0]

                            • databeestje

                              The error messages about policies not already existing are not an error.

                              This is normal. It does not affect the operation of the tunnel.

                              Kind regards,

                              Seth
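To make Seth's point checkable rather than something to take on faith, here is a small triage script over the racoon lines jle2005 posted above. It is an added example for this thread, not pfSense or racoon code, and the classification rule is my own heuristic: a "such policy does not already exist" ERROR that has an "IPsec-SA established" for the tunnel within a couple of seconds is racoon refreshing the policy it generated for the dynamic peer (the "Update the generated policy" line right next to it), which is the benign case Seth describes; the same ERROR with no SA established around it is what would actually deserve attention. The script also walks the ESP SPIs to show whether the rekeys in this log left any moment with no live SA (in this log there is a one-second hole at 18:20:41, when both old SAs expired before the new pair came up), and counts "begin Aggressive mode" exchanges, since IKEv1 aggressive mode with a pre-shared key sends a PSK-derived hash in the clear that can be attacked offline; racoon needs aggressive mode for a dynamic-IP PSK peer, which is a trade-off worth knowing about, not something this log proves is exploited. The parser assumes the lines are pasted in the GUI's newest-first order and that syslog timestamps carry no year.

```python
"""Triage pfSense 1.2 (racoon) IPsec log lines: added example, not pfSense code."""
import re
from datetime import datetime

# Log lines quoted in jle2005's post above, in the order the pfSense GUI shows
# them (newest first). Peer addresses are masked "x.x" exactly as in the post.
RACOON_LOG = """\
Jan 29 18:20:42    racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "172.16.1.0/24[0] 192.168.1.0/24[0] proto=any dir=out"
Jan 29 18:20:42    racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.1.0/24[0] 172.16.1.0/24[0] proto=any dir=in"
Jan 29 18:20:42    racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 63.252.x.x[0]->24.17.x.x[0] spi=223333855(0xd4fcddf)
Jan 29 18:20:42    racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 24.17.x.x[0]->63.252.x.x[0] spi=101796693(0x6114b55)
Jan 29 18:20:42    racoon: [Unknown Gateway/Dynamic]: INFO: Update the generated policy : 192.168.1.0/24[0] 172.16.1.0/24[0] proto=any dir=in
Jan 29 18:20:42    racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: 63.252.x.x[0]<=>24.17.x.x[0]
Jan 29 18:20:41    racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA expired: ESP/Tunnel 24.17.x.x[0]->63.252.x.x[0] spi=76670812(0x491e75c)
Jan 29 18:20:41    racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA expired: ESP/Tunnel 63.252.x.x[0]->24.17.x.x[0] spi=258166286(0xf634e0e)
Jan 29 18:20:41    racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established 63.252.x.x[500]-24.17.x.x[500] spi:57bbe8e812127d61:4ffe248e9b35525e
Jan 29 18:20:41    racoon: INFO: received Vendor ID: DPD
Jan 29 18:20:41    racoon: INFO: begin Aggressive mode.
Jan 29 18:20:41    racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 63.252.x.x[500]<=>24.17.x.x[500]
Jan 29 18:07:39    racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA deleted 63.252.x.x[500]-24.17.x.x[500] spi:f5a70c73dbf7f17a:baa137939e863faa
Jan 29 18:07:38    racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA expired 63.252.x.x[500]-24.17.x.x[500] spi:f5a70c73dbf7f17a:baa137939e863faa
Jan 29 18:03:20    racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA expired: ESP/Tunnel 24.17.x.x[0]->63.252.x.x[0] spi=27709746(0x1a6d132)
Jan 29 18:03:20    racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA expired: ESP/Tunnel 63.252.x.x[0]->24.17.x.x[0] spi=156434038(0x952fe76)
Jan 29 18:03:20    racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "172.16.1.0/24[0] 192.168.1.0/24[0] proto=any dir=out"
Jan 29 18:03:20    racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.1.0/24[0] 172.16.1.0/24[0] proto=any dir=in"
Jan 29 18:03:20    racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 63.252.x.x[0]->24.17.x.x[0] spi=258166286(0xf634e0e)
Jan 29 18:03:20    racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 24.17.x.x[0]->63.252.x.x[0] spi=76670812(0x491e75c)
Jan 29 18:03:20    racoon: [Unknown Gateway/Dynamic]: INFO: Update the generated policy : 192.168.1.0/24[0] 172.16.1.0/24[0] proto=any dir=in
Jan 29 18:03:20    racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: 63.252.x.x[0]<=>24.17.x.x[0]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d)\s+racoon: "
    r"(?:\[(?P<tunnel>[^\]]*)\]: )?(?P<level>[A-Z]+): (?P<msg>.*)$"
)
ESP_SPI_RE = re.compile(r"\bspi=(\d+)")  # ESP SAs only; ISAKMP lines say "spi:"
POLICY_ERR = "such policy does not already exist"


def parse(log, newest_first=True):
    """Parse racoon lines into dicts and return them oldest first."""
    entries = []
    for line in log.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated or truncated line
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%b %d %H:%M:%S")  # syslog has no year
        entries.append(d)
    return entries[::-1] if newest_first else entries


def triage(entries, window_s=2):
    """Split policy ERRORs into benign/suspicious and find moments with no live SA.

    Heuristic (mine, not racoon's): the policy ERROR is benign when an IPsec-SA
    is established within window_s seconds of it (racoon refreshing the policy
    it generated for the dynamic peer); otherwise it is worth a look.
    """
    established_at = [e["ts"] for e in entries
                      if e["msg"].startswith("IPsec-SA established")]
    benign, suspicious = [], []
    for e in entries:
        if e["level"] == "ERROR" and POLICY_ERR in e["msg"]:
            near = any(abs((t - e["ts"]).total_seconds()) <= window_s
                       for t in established_at)
            (benign if near else suspicious).append(e)

    # Track live ESP SAs by SPI; once an SA has been seen, a moment with none
    # live is a window in which tunnel traffic is dropped (a rekey hole).
    live, gaps, gap_start, seen = set(), [], None, False
    for e in entries:
        m = ESP_SPI_RE.search(e["msg"])
        if not m:
            continue
        spi = int(m.group(1))
        if e["msg"].startswith("IPsec-SA established"):
            live.add(spi)
            seen = True
            if gap_start is not None:
                gaps.append((gap_start, e["ts"], (e["ts"] - gap_start).total_seconds()))
                gap_start = None
        elif e["msg"].startswith("IPsec-SA expired"):
            live.discard(spi)  # SPIs set up before the log window are unknown to us
            if seen and not live and gap_start is None:
                gap_start = e["ts"]

    return {
        "benign_policy_errors": len(benign),
        "suspicious_policy_errors": len(suspicious),
        "live_spis": sorted(live),
        "sa_gaps": gaps,
        # IKEv1 aggressive mode + PSK leaks an offline-crackable hash; racoon
        # needs it for a dynamic-IP PSK peer, so report it rather than hide it.
        "aggressive_mode_exchanges": sum("begin Aggressive mode" in e["msg"]
                                         for e in entries),
    }


if __name__ == "__main__":
    for key, value in triage(parse(RACOON_LOG)).items():
        print(f"{key}: {value}")
```

Run against the pasted lines, all four policy ERRORs land in the benign bucket, the two SPIs from 18:20:42 are the live pair, and the only coverage hole is the one second between the old SAs expiring at 18:20:41 and the new ones coming up, which matches jle2005's observation that traffic kept flowing. The interesting use is the other direction: if you ever see the policy ERROR with no "IPsec-SA established" next to it, that is the case this script flags as suspicious and the one to raise here.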
                              • jle2005

                                Thanks for letting me know that, Seth.
    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.