Netgate Discussion Forum

    Ipsec not working with the last snapshot!

    1.2.1-RC Snapshot Feedback and Problems-RETIRED
    • H
      heiko

      Now I have the newest snapshot but racoon didn't work…

      1.2.1-RC1
      built on Tue Aug 19 23:37:31 EDT 2008

      php: : Could not deterimine VPN endpoint for Lotte
      Aug 20 10:14:09 php: : Could not deterimine VPN endpoint for averdiek
      Aug 20 10:14:09 php: : Could not deterimine VPN endpoint for amvan
      Aug 20 10:14:09 php: : Could not deterimine VPN endpoint for seemann os
      Aug 20 10:14:09 php: : Could not deterimine VPN endpoint for seemann bi
      Aug 20 10:14:09 php: : Could not deterimine VPN endpoint for nova
      Aug 20 10:14:09 php: : Could not deterimine

      And this on the IPsec tab:

      Aug 20 10:14:26 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=14)
      Aug 20 10:14:26 racoon: [Self]: INFO: 89.166.159.92[500] used as isakmp port (fd=13)
      Aug 20 10:14:26 racoon: INFO: Resize address pool from 0 to 255
      Aug 20 10:14:26 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
      Aug 20 10:14:26 racoon: INFO: @(#)This product linked OpenSSL 0.9.8e 23 Feb 2007 (http://www.openssl.org/)
      Aug 20 10:14:26 racoon: INFO: @(#)ipsec-tools 0.7.1 (http://ipsec-tools.sourceforge.net)
      Aug 20 10:14:22 racoon: INFO: racoon shutdown
      Aug 20 10:14:21 racoon: INFO: caught signal 15
      Aug 20 10:14:21 racoon: [Self]: INFO: 192.168.6.1[500] used as isakmp port (fd=14)
      Aug 20 10:14:21 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=13)
      Aug 20 10:14:21 racoon: [Self]: INFO: 89.166.159.92[500] used as isakmp port (fd=12)
      Aug 20 10:14:11 racoon: [Self]: INFO: 192.168.6.1[500] used as isakmp port (fd=14)
      Aug 20 10:14:11 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=13)
      Aug 20 10:14:11 racoon: [Self]: INFO: 89.166.159.92[500] used as isakmp port (fd=12)
      Aug 20 10:14:10 racoon: [Self]: INFO: 192.168.6.1[500] used as isakmp port (fd=14)
      Aug 20 10:14:10 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=13)
      Aug 20 10:14:10 racoon: [Self]: INFO: 89.166.159.92[500] used as isakmp port (fd=12)
      Aug 20 10:14:09 racoon: INFO: unsupported PF_KEY message REGISTER
      Aug 20 10:14:09 racoon: [Self]: INFO: 192.168.6.1[500] used as isakmp port (fd=14)
      Aug 20 10:14:09 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=13)
      Aug 20 10:14:09 racoon: [Self]: INFO: 89.166.159.92[500] used as isakmp port (fd=12)
      Aug 20 10:14:09 racoon: INFO: Resize address pool from 0 to 255
      Aug 20 10:14:09 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
      Aug 20 10:14:09 racoon: INFO: @(#)This product linked OpenSSL 0.9.8e 23 Feb 2007 (http://www.openssl.org/)
      Aug 20 10:14:09 racoon: INFO: @(#)ipsec-tools 0.7.1 (http://ipsec-tools.sourceforge.net)

      All of these tunnels are in "aggressive mode" to other 1.2 IPsec endpoints as a "mobile IPsec client".

      With 1.2 everything works great, as it should. I have changed nothing in the configuration…

      Regards
      heiko

      • P
        PacDemon

        I have the same problem. I switched back to pfSense-Full-Update-1.2.1-RC1-20080817-2330.tgz, same problem.
        But before I upgraded, it worked under this version, pfSense-Full-Update-1.2.1-RC1-20080817-2330.tgz.

        PD

        • H
          heiko

          I have had contact with a developer from pfSense and he will take a look into the code…

          • P
            PacDemon

            Oh, I hope they can fix it fast. At the moment I have one office offline :(

            PD

            • H
              heiko

              A fix will probably be available this week…

              • P
                PacDemon

                Oh, I really hope so. At the moment there is no new snapshot :(

                Rgds,
                PD

                • H
                  heiko

                  Heh, 1.21 is beta, not a release… If you can downgrade to the 1.2 release, do it...

                  • P
                    PacDemon

                    Yeah, I know.
                    Do you know whether it is possible to downgrade to 1.2 via the firmware update, or do I have to install fresh from an image?

                    PD

                    • H
                      heiko

                      I have not tested a downgrade. At the moment I don't have any new information about the IPsec fix…

                      First, I would do a downgrade to 1.2; if it fails you must install from a fresh 1.2 image... :-\

                      Regards
                      heiko

                      If I have new information, I will post it as soon as possible...

                      • P
                        PacDemon

                        Oh oh, the hardware is 600 km from here. Hmm, I think I will first test on other hardware whether it is possible to downgrade from 1.2.1 back to 1.2.

                        I will let you know.

                        PD

                        • H
                          heiko

                          Please wait, I will test it too…

                          Results: I downgraded to 1.2, and IPsec and everything else runs as it should, but after the downgrade you must delete the SPDs and then click Save on the IPsec tunnel tab... that's it.

                          Regards
                          heiko

                          • P
                            PacDemon

                            Oh oh,
                            it did not work, it killed the complete box. Now I have sent a new one out to our office.

                            Hope they fix it in the 1.2.1 version.

                            Greetings,
                            PD

                            • H
                              heiko

                              oh, very angrily….

                              • D
                                databeestje

                                I have just committed a fix into CVS which should fix this for PPPoE or PPTP WAN connections.

                                Please test!

                                I also need confirmation that DHCP, Static IPs and CARP interfaces still work!

                                • H
                                  heiko

                                  I will test it! Thanks Seth.

                                  Regards
                                  Heiko

                                  • D
                                    databeestje

                                    Any result? Does the silence mean it works now?

                                    • H
                                      heiko

                                      Sorry Seth, dynamic side to static side with "enabled mobile option" works now!! :D

                                      This is strange, I think:
                                      racoon: INFO: received broken Microsoft ID: FRAGMENTATION….

                                      But this is pfSense to pfSense, any ideas?

                                      Next week I will test "carp"!

                                      Regards
                                      heiko
