Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Ipsec not working with the last snapshot!

    Scheduled Pinned Locked Moved 1.2.1-RC Snapshot Feedback and Problems-RETIRED
    27 Posts 5 Posters 11.9k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • H
      heiko
      last edited by

      This snapshot isn´t working
      http://snapshots.pfsense.org/FreeBSD7/RELENG_1_2/pfSense-Full-Update-1.2.1-RC1-20080817-2330.tgz

      hm, perhaps "aggressive mode /FQDN problem" with mobile endpoint on the other side…

      Regards heiko

      1 Reply Last reply Reply Quote 0
      • S
        sullrich
        last edited by

        You will want to test a snapshot form the 18th.

        1 Reply Last reply Reply Quote 0
        • H
          heiko
          last edited by

          Thanks Scott,
          but under this link http://snapshots.pfsense.org/FreeBSD7/RELENG_1_2/ i cannot find a newer snapshot as from the 17th.
          Regards
          Heiko

          1 Reply Last reply Reply Quote 0
          • S
            sullrich
            last edited by

            Oops, too many 0's in our sleep statement on the builder box.  It's now building.

            1 Reply Last reply Reply Quote 0
            • A
              ask
              last edited by

              @sullrich:

              You will want to test a snapshot form the 18th.

              What did you fix since the Sun Aug 17 23:20:33 EDT 2008 snapshot?

              Our IPsec connections stopped working today - getting lots of "racoon: ERROR: not acceptable Aggressive mode" errors.  And if we set it to main mode in both ends we get "racoon: [{other-end}]: NOTIFY: the packet is retransmitted by {other-ip}[500]."

              • ask
              1 Reply Last reply Reply Quote 0
              • A
                ask
                last edited by

                Gah - it just broke again here after running for about 5 hours on Tue Aug 19 23:27:49 EDT 2008.

                Aug 20 01:09:21 gw-a racoon: INFO: phase2 sa deleted $gw-$remote
                Aug 20 01:09:23 gw-a racoon: INFO: respond new phase 2 negotiation: $gw[0]<=>$remote[0]
                Aug 20 01:09:23 gw-a racoon: ERROR: failed to get sainfo.
                Aug 20 01:09:23 gw-a racoon: ERROR: failed to get sainfo.
                Aug 20 01:09:23 gw-a racoon: ERROR: failed to pre-process packet.
                Aug 20 01:09:43 gw-a racoon: INFO: respond new phase 2 negotiation: $gw[0]<=>$remote[0]
                Aug 20 01:09:43 gw-a racoon: ERROR: failed to get sainfo.
                Aug 20 01:09:43 gw-a racoon: ERROR: failed to get sainfo.
                Aug 20 01:09:43 gw-a racoon: ERROR: failed to pre-process packet.

                Restarting racoon got it going again.  This was working flawlessly (other than not working on the CARP interface) for about a week on the Aug 12 snapshot – and for years with our NanoBSD systems (with the same remote configuration as now).

                1 Reply Last reply Reply Quote 0
                • H
                  heiko
                  last edited by

                  Now i have the newest snapshot but racoon didn´t work…

                  1.2.1-RC1
                  built on Tue Aug 19 23:37:31 EDT 2008

                  php: : Could not deterimine VPN endpoint for Lotte
                  Aug 20 10:14:09 php: : Could not deterimine VPN endpoint for averdiek
                  Aug 20 10:14:09 php: : Could not deterimine VPN endpoint for amvan
                  Aug 20 10:14:09 php: : Could not deterimine VPN endpoint for seemann os
                  Aug 20 10:14:09 php: : Could not deterimine VPN endpoint for seemann bi
                  Aug 20 10:14:09 php: : Could not deterimine VPN endpoint for nova
                  Aug 20 10:14:09 php: : Could not deterimine

                  and this on the ipsec tab:

                  Aug 20 10:14:26 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=14)
                  Aug 20 10:14:26 racoon: [Self]: INFO: 89.166.159.92[500] used as isakmp port (fd=13)
                  Aug 20 10:14:26 racoon: INFO: Resize address pool from 0 to 255
                  Aug 20 10:14:26 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
                  Aug 20 10:14:26 racoon: INFO: @(#)This product linked OpenSSL 0.9.8e 23 Feb 2007 (http://www.openssl.org/)
                  Aug 20 10:14:26 racoon: INFO: @(#)ipsec-tools 0.7.1 (http://ipsec-tools.sourceforge.net)
                  Aug 20 10:14:22 racoon: INFO: racoon shutdown
                  Aug 20 10:14:21 racoon: INFO: caught signal 15
                  Aug 20 10:14:21 racoon: [Self]: INFO: 192.168.6.1[500] used as isakmp port (fd=14)
                  Aug 20 10:14:21 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=13)
                  Aug 20 10:14:21 racoon: [Self]: INFO: 89.166.159.92[500] used as isakmp port (fd=12)
                  Aug 20 10:14:11 racoon: [Self]: INFO: 192.168.6.1[500] used as isakmp port (fd=14)
                  Aug 20 10:14:11 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=13)
                  Aug 20 10:14:11 racoon: [Self]: INFO: 89.166.159.92[500] used as isakmp port (fd=12)
                  Aug 20 10:14:10 racoon: [Self]: INFO: 192.168.6.1[500] used as isakmp port (fd=14)
                  Aug 20 10:14:10 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=13)
                  Aug 20 10:14:10 racoon: [Self]: INFO: 89.166.159.92[500] used as isakmp port (fd=12)
                  Aug 20 10:14:09 racoon: INFO: unsupported PF_KEY message REGISTER
                  Aug 20 10:14:09 racoon: [Self]: INFO: 192.168.6.1[500] used as isakmp port (fd=14)
                  Aug 20 10:14:09 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=13)
                  Aug 20 10:14:09 racoon: [Self]: INFO: 89.166.159.92[500] used as isakmp port (fd=12)
                  Aug 20 10:14:09 racoon: INFO: Resize address pool from 0 to 255
                  Aug 20 10:14:09 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
                  Aug 20 10:14:09 racoon: INFO: @(#)This product linked OpenSSL 0.9.8e 23 Feb 2007 (http://www.openssl.org/)
                  Aug 20 10:14:09 racoon: INFO: @(#)ipsec-tools 0.7.1 (http://ipsec-tools.sourceforge.net)

                  all of these tunnels are on the "agressive mode" to other 1.2 ipsec endpoints as a "mobile ipsec client".

                  With 1.2 all works great as it should. I have nothing changed in the configuration…..

                  Regards
                  heiko

                  1 Reply Last reply Reply Quote 0
                  • P
                    PacDemon
                    last edited by

                    I have the same Problem. I switch back to pfSense-Full-Update-1.2.1-RC1-20080817-2330.tgz, same problem.
                    But before i upgrade it works under this version pfSense-Full-Update-1.2.1-RC1-20080817-2330.tgz.

                    PD

                    1 Reply Last reply Reply Quote 0
                    • H
                      heiko
                      last edited by

                      I have had contact with a developer from pfsense and he will take a look into the code…..

                      1 Reply Last reply Reply Quote 0
                      • P
                        PacDemon
                        last edited by

                        Oh I hope they can fix it fast. I have in the moment one office offline :(

                        PD

                        1 Reply Last reply Reply Quote 0
                        • H
                          heiko
                          last edited by

                          Probably this week a fix is available…..

                          1 Reply Last reply Reply Quote 0
                          • P
                            PacDemon
                            last edited by

                            Oh, I hope it really. In the moment it is no new snapshot :(

                            Rgds,
                            PD

                            1 Reply Last reply Reply Quote 0
                            • H
                              heiko
                              last edited by

                              Heh, 1.21 is beta, not a release…. if you can make a downgrade to 1.2 release, make it...

                              1 Reply Last reply Reply Quote 0
                              • P
                                PacDemon
                                last edited by

                                Yea, i know.
                                Do you know that is possible to downgrade to 1.2 over the Firmaware update or I have to install new over a Image?

                                PD

                                1 Reply Last reply Reply Quote 0
                                • H
                                  heiko
                                  last edited by

                                  I have not tested a downgrade. At the moment i haven´t new informations about the ipsec fix…...

                                  First, i would make a  downgrade to 1.2, if it fails you must install from a fresh 1.2 image.... :-\

                                  Regards
                                  heiko

                                  If i have new informations, i post it as soon as possible...

                                  1 Reply Last reply Reply Quote 0
                                  • P
                                    PacDemon
                                    last edited by

                                    Oh oh, the Hardware is 600 km form here. Hmm, i think i test it first on a another hardware if it is possible to downgrade from 1.2.1 to 1.2 back.

                                    I let you know this.

                                    PD

                                    1 Reply Last reply Reply Quote 0
                                    • H
                                      heiko
                                      last edited by

                                      please wait, i will test it also…

                                      Results: I have made a downgrade to 1.2 and the ipsec and all the other things runs as it should, but after the downgrade you must delete the SPD´s and then click save on the ipsec tunnel tab.... that´s it.

                                      Regards
                                      heiko

                                      1 Reply Last reply Reply Quote 0
                                      • P
                                        PacDemon
                                        last edited by

                                        Ohoh,
                                        be not work, it killed the complete box. No I sent out a new one out to our office.

                                        Hope they fix it in the 1.2.1 version.

                                        Greats,
                                        PD

                                        1 Reply Last reply Reply Quote 0
                                        • H
                                          heiko
                                          last edited by

                                          oh, very angrily….

                                          1 Reply Last reply Reply Quote 0
                                          • D
                                            databeestje
                                            last edited by

                                            I have just committed a fix into CVS which should fix this for PPPoE or PPtP WAN connections.

                                            Please test!

                                            I also need confirmation that DHCP, Static IPs and CARP interfaces still work!

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.