Netgate Discussion Forum
Ipsec not working with the last snapshot!

1.2.1-RC Snapshot Feedback and Problems-RETIRED
27 Posts 5 Posters 11.9k Views
    heiko
    last edited by Aug 18, 2008, 3:13 PM

    IPSEC isn't working with the last snapshot

    Could not deterimine VPN endpoint for Lotte
    Aug 18 17:01:59 php: : Could not deterimine VPN endpoint for averdiek
    Aug 18 17:01:59 php: : Could not deterimine VPN endpoint for amvan
    Aug 18 17:01:59 php: : Could not deterimine VPN endpoint for seeman

    …....

      ask
      last edited by Aug 19, 2008, 6:45 AM

      Whoops. I wonder if it's related to the fix made to CARP support in http://forum.pfsense.org/index.php/topic,10905.0.html

      • ask (holding off on upgrading to a newer snapshot)
        heiko
        last edited by Aug 19, 2008, 7:25 AM

        I will try the "very" last snapshot and then we will see ;)

          ask
          last edited by Aug 19, 2008, 7:36 AM

          @heiko:

          I will try the "very" last snapshot and then we will see ;)

          It's working for me with "Sun Aug 17 23:20:33 EDT 2008".

            heiko
            last edited by Aug 19, 2008, 10:33 AM Aug 19, 2008, 9:30 AM

            This snapshot isn't working
            http://snapshots.pfsense.org/FreeBSD7/RELENG_1_2/pfSense-Full-Update-1.2.1-RC1-20080817-2330.tgz

            hm, perhaps "aggressive mode /FQDN problem" with mobile endpoint on the other side…

            Regards heiko

              sullrich
              last edited by Aug 19, 2008, 5:05 PM

              You will want to test a snapshot from the 18th.

                heiko
                last edited by Aug 19, 2008, 6:09 PM

                Thanks Scott,
                but under this link http://snapshots.pfsense.org/FreeBSD7/RELENG_1_2/ I cannot find a newer snapshot than the one from the 17th.
                Regards
                Heiko

                  sullrich
                  last edited by Aug 19, 2008, 10:10 PM

                  Oops, too many 0's in our sleep statement on the builder box.  It's now building.

                    ask
                    last edited by Aug 20, 2008, 12:05 AM

                    @sullrich:

                    You will want to test a snapshot from the 18th.

                    What did you fix since the Sun Aug 17 23:20:33 EDT 2008 snapshot?

                    Our IPsec connections stopped working today - getting lots of "racoon: ERROR: not acceptable Aggressive mode" errors.  And if we set it to main mode in both ends we get "racoon: [{other-end}]: NOTIFY: the packet is retransmitted by {other-ip}[500]."

                    • ask
                      ask
                      last edited by Aug 20, 2008, 8:18 AM

                      Gah - it just broke again here after running for about 5 hours on Tue Aug 19 23:27:49 EDT 2008.

                      Aug 20 01:09:21 gw-a racoon: INFO: phase2 sa deleted $gw-$remote
                      Aug 20 01:09:23 gw-a racoon: INFO: respond new phase 2 negotiation: $gw[0]<=>$remote[0]
                      Aug 20 01:09:23 gw-a racoon: ERROR: failed to get sainfo.
                      Aug 20 01:09:23 gw-a racoon: ERROR: failed to get sainfo.
                      Aug 20 01:09:23 gw-a racoon: ERROR: failed to pre-process packet.
                      Aug 20 01:09:43 gw-a racoon: INFO: respond new phase 2 negotiation: $gw[0]<=>$remote[0]
                      Aug 20 01:09:43 gw-a racoon: ERROR: failed to get sainfo.
                      Aug 20 01:09:43 gw-a racoon: ERROR: failed to get sainfo.
                      Aug 20 01:09:43 gw-a racoon: ERROR: failed to pre-process packet.

                      Restarting racoon got it going again.  This was working flawlessly (other than not working on the CARP interface) for about a week on the Aug 12 snapshot – and for years with our NanoBSD systems (with the same remote configuration as now).

                        heiko
                        last edited by Aug 20, 2008, 9:04 AM

                        Now I have the newest snapshot but racoon didn't work…

                        1.2.1-RC1
                        built on Tue Aug 19 23:37:31 EDT 2008

                        php: : Could not deterimine VPN endpoint for Lotte
                        Aug 20 10:14:09 php: : Could not deterimine VPN endpoint for averdiek
                        Aug 20 10:14:09 php: : Could not deterimine VPN endpoint for amvan
                        Aug 20 10:14:09 php: : Could not deterimine VPN endpoint for seemann os
                        Aug 20 10:14:09 php: : Could not deterimine VPN endpoint for seemann bi
                        Aug 20 10:14:09 php: : Could not deterimine VPN endpoint for nova
                        Aug 20 10:14:09 php: : Could not deterimine

                        and this on the ipsec tab:

                        Aug 20 10:14:26 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=14)
                        Aug 20 10:14:26 racoon: [Self]: INFO: 89.166.159.92[500] used as isakmp port (fd=13)
                        Aug 20 10:14:26 racoon: INFO: Resize address pool from 0 to 255
                        Aug 20 10:14:26 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
                        Aug 20 10:14:26 racoon: INFO: @(#)This product linked OpenSSL 0.9.8e 23 Feb 2007 (http://www.openssl.org/)
                        Aug 20 10:14:26 racoon: INFO: @(#)ipsec-tools 0.7.1 (http://ipsec-tools.sourceforge.net)
                        Aug 20 10:14:22 racoon: INFO: racoon shutdown
                        Aug 20 10:14:21 racoon: INFO: caught signal 15
                        Aug 20 10:14:21 racoon: [Self]: INFO: 192.168.6.1[500] used as isakmp port (fd=14)
                        Aug 20 10:14:21 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=13)
                        Aug 20 10:14:21 racoon: [Self]: INFO: 89.166.159.92[500] used as isakmp port (fd=12)
                        Aug 20 10:14:11 racoon: [Self]: INFO: 192.168.6.1[500] used as isakmp port (fd=14)
                        Aug 20 10:14:11 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=13)
                        Aug 20 10:14:11 racoon: [Self]: INFO: 89.166.159.92[500] used as isakmp port (fd=12)
                        Aug 20 10:14:10 racoon: [Self]: INFO: 192.168.6.1[500] used as isakmp port (fd=14)
                        Aug 20 10:14:10 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=13)
                        Aug 20 10:14:10 racoon: [Self]: INFO: 89.166.159.92[500] used as isakmp port (fd=12)
                        Aug 20 10:14:09 racoon: INFO: unsupported PF_KEY message REGISTER
                        Aug 20 10:14:09 racoon: [Self]: INFO: 192.168.6.1[500] used as isakmp port (fd=14)
                        Aug 20 10:14:09 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=13)
                        Aug 20 10:14:09 racoon: [Self]: INFO: 89.166.159.92[500] used as isakmp port (fd=12)
                        Aug 20 10:14:09 racoon: INFO: Resize address pool from 0 to 255
                        Aug 20 10:14:09 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
                        Aug 20 10:14:09 racoon: INFO: @(#)This product linked OpenSSL 0.9.8e 23 Feb 2007 (http://www.openssl.org/)
                        Aug 20 10:14:09 racoon: INFO: @(#)ipsec-tools 0.7.1 (http://ipsec-tools.sourceforge.net)

                        All of these tunnels are in "aggressive mode" to other 1.2 IPsec endpoints as a "mobile IPsec client".

                        With 1.2 everything works great, as it should. I have changed nothing in the configuration…..

                        Regards
                        heiko

                          PacDemon
                          last edited by Aug 21, 2008, 10:50 AM

                          I have the same problem. I switched back to pfSense-Full-Update-1.2.1-RC1-20080817-2330.tgz, same problem.
                          But before I upgraded, it worked under this version, pfSense-Full-Update-1.2.1-RC1-20080817-2330.tgz.

                          PD

                            heiko
                            last edited by Aug 21, 2008, 12:31 PM

                            I have had contact with a developer from pfSense and he will take a look into the code…..

                              PacDemon
                              last edited by Aug 21, 2008, 1:13 PM

                              Oh, I hope they can fix it fast. At the moment I have one office offline :(

                              PD

                                heiko
                                last edited by Aug 21, 2008, 7:25 PM Aug 21, 2008, 6:56 PM

                                Probably this week a fix is available…..

                                  PacDemon
                                  last edited by Aug 21, 2008, 8:32 PM

                                  Oh, I really hope so. At the moment there is no new snapshot :(

                                  Rgds,
                                  PD

                                    heiko
                                    last edited by Aug 21, 2008, 8:41 PM

                                    Heh, 1.21 is beta, not a release…. if you can make a downgrade to 1.2 release, make it...

                                      PacDemon
                                      last edited by Aug 22, 2008, 6:55 AM

                                      Yeah, I know.
                                      Do you know whether it is possible to downgrade to 1.2 via the firmware update, or do I have to install fresh from an image?

                                      PD

                                        heiko
                                        last edited by Aug 22, 2008, 7:15 AM

                                        I have not tested a downgrade. At the moment I don't have any new information about the IPsec fix…...

                                        First, I would try a downgrade to 1.2; if it fails you must install from a fresh 1.2 image.... :-\

                                        Regards
                                        heiko

                                        If I have new information, I will post it as soon as possible...

                                          PacDemon
                                          last edited by Aug 22, 2008, 7:50 AM

                                          Oh oh, the hardware is 600 km from here. Hmm, I think I will first test on other hardware whether it is possible to downgrade from 1.2.1 back to 1.2.

                                          I will let you know.

                                          PD
