Ipsec tunnel dropping

noneck

Unsure why my ipsec tunnel from pfsense to ISA 2006 keeps on dropping.

running the snapshot from http://snapshots.pfsense.org/FreeBSD7/RELENG_1_2/pfSense-Full-Update-1.2.1-RC1-20080815-2044.tgz

Here is some of the log:

Aug 20 22:57:55 racoon: ERROR: unknown Informational exchange received.
Aug 20 22:57:55 racoon: [Ishtar ADSL Internode]: INFO: IPsec-SA established: ESP 150.101.162.xx[0]->150.101.209.xx[0] spi=4166627886(0xf859b22e)
Aug 20 22:57:55 racoon: [Ishtar ADSL Internode]: INFO: IPsec-SA established: ESP 150.101.209.xx[0]->150.101.162.x[0] spi=138370093(0x83f5c2d)
Aug 20 22:57:55 racoon: WARNING: ignore CONNECTED notification.
Aug 20 22:57:54 racoon: [Ishtar ADSL Internode]: NOTIFY: the packet is retransmitted by 150.101.209.xx[500].
Aug 20 22:57:54 racoon: WARNING: attribute has been modified.
Aug 20 22:57:53 racoon: [Ishtar ADSL Internode]: INFO: initiate new phase 2 negotiation: 150.101.162.xx[500]<=>150.101.209.xx[500]
Aug 20 22:57:52 racoon: [Ishtar ADSL Internode]: INFO: ISAKMP-SA established 150.101.162.xx[500]-150.101.209.xx[500] spi:fd3405c933d69798:52a788b92f1c4bed
Aug 20 22:57:50 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Aug 20 22:57:50 racoon: INFO: received Vendor ID: FRAGMENTATION
Aug 20 22:57:50 racoon: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
Aug 20 22:57:49 racoon: INFO: begin Identity Protection mode.
Aug 20 22:57:49 racoon: [Ishtar ADSL Internode]: INFO: initiate new phase 1 negotiation: 150.101.162.xx[500]<=>150.101.209.xx[500]
Aug 20 22:57:49 racoon: [Ishtar ADSL Internode]: INFO: IPsec-SA request for 150.101.209.xx queued due to no phase1 found.
Aug 20 22:57:39 racoon: [Ishtar ADSL Internode]: INFO: ISAKMP-SA deleted 150.101.162.xx[500]-150.101.209.xx[500] spi:e7f2967703a79592:d86f8ad93e61cbf3
Aug 20 22:57:38 racoon: ERROR: phase2 negotiation failed due to phase1 expired. e7f2967703a79592:d86f8ad93e61cbf3:0000d342
Aug 20 22:57:29 racoon: [Ishtar ADSL Internode]: INFO: ISAKMP-SA expired 150.101.162.xx[500]-150.101.209.xx[500] spi:e7f2967703a79592:d86f8ad93e61cbf3
Aug 20 22:57:28 racoon: [Ishtar ADSL Internode]: INFO: initiate new phase 2 negotiation: 150.101.162.xx[0]<=>150.101.209.xx[0]
Aug 20 22:56:20 racoon: [Ishtar ADSL Internode]: ERROR: 150.101.209.34 give up to get IPsec-SA due to time up to wait.
Aug 20 22:55:50 racoon: [Ishtar ADSL Internode]: INFO: initiate new phase 2 negotiation: 150.101.162.xx[0]<=>150.101.209.xx[0]
Aug 20 22:55:30 racoon: [Ishtar ADSL Internode]: ERROR: 150.101.209.34 give up to get IPsec-SA due to time up to wait.
Aug 20 22:55:00 racoon: [Ishtar ADSL Internode]: INFO: initiate new phase 2 negotiation: 150.101.162.xx[0]<=>150.101.209.xx[0]
Aug 20 22:54:58 racoon: [Ishtar ADSL Internode]: INFO: phase2 sa deleted 150.101.162.xx-150.101.209.xx
Aug 20 22:54:57 racoon: [Ishtar ADSL Internode]: INFO: phase2 sa expired 150.101.162.xx-150.101.209.xx
Aug 20 22:42:58 racoon: ERROR: libipsec failed pfkey align (Invalid sadb message)
Aug 20 22:42:58 racoon: ERROR: libipsec failed pfkey align (Invalid sadb message)
Aug 20 21:54:57 racoon: [Ishtar ADSL Internode]: INFO: IPsec-SA established: ESP 150.101.162.xx[0]->150.101.209.xx[0] spi=554608275(0x210ea693)
Aug 20 21:54:57 racoon: [Ishtar ADSL Internode]: INFO: IPsec-SA established: ESP 150.101.209.xx[0]->150.101.162.xx[0] spi=12453593(0xbe06d9)
Aug 20 21:54:57 racoon: WARNING: ignore CONNECTED notification.
Aug 20 21:54:56 racoon: WARNING: attribute has been modified.
Aug 20 21:54:55 racoon: [Ishtar ADSL Internode]: INFO: initiate new phase 2 negotiation: 150.101.162.xx[0]<=>150.101.209.xx[0]
Aug 20 21:54:52 racoon: [Self]: INFO: 150.101.162.xx[500] used as isakmp port (fd=15)
Aug 20 21:54:52 racoon: [Self]: INFO: 192.168.1.1[500] used as isakmp port (fd=14)
Aug 20 21:54:52 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=13)
Aug 20 21:54:51 racoon: [Self]: INFO: 150.101.162.xx[500] used as isakmp port (fd=15)
Aug 20 21:54:51 racoon: [Self]: INFO: 192.168.1.1[500] used as isakmp port (fd=14)
Aug 20 21:54:51 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=13)
Aug 20 21:54:50 racoon: INFO: unsupported PF_KEY message REGISTER
Aug 20 21:54:50 racoon: [Self]: INFO: 150.101.162.xx[500] used as isakmp port (fd=15)
Aug 20 21:54:50 racoon: [Self]: INFO: 192.168.1.1[500] used as isakmp port (fd=14)
Aug 20 21:54:50 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=13)
Aug 20 21:54:50 racoon: [Self]: INFO: 150.101.162.xx[500] used as isakmp port (fd=15)
Aug 20 21:54:50 racoon: [Self]: INFO: 192.168.1.1[500] used as isakmp port (fd=14)
Aug 20 21:54:50 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=13)
Aug 20 21:43:02 racoon: ERROR: libipsec failed pfkey align (Invalid sadb message)
Aug 20 21:43:02 racoon: ERROR: libipsec failed pfkey align (Invalid sadb message)
Aug 20 20:55:01 racoon: [Ishtar ADSL Internode]: INFO: IPsec-SA established: ESP 150.101.162.xx[0]->150.101.209.xx[0] spi=1082958469(0x408ca285)
Aug 20 20:55:01 racoon: [Ishtar ADSL Internode]: INFO: IPsec-SA established: ESP 150.101.209.xx[0]->150.101.162.xx[0] spi=119041472(0x7186dc0)

noneck

To the mods: Thanks for re-opening this.

I have upgraded to the latest pfsense 1.2.1 stable release. I can connect the ipsec tunnel and things work fine for a random amount of time ( sometimes hours, other times minutes).

When the tunnel gets dropped I normally try doing a ping -t xxx.xxx.xxx.xxx in Windows to get pfsense to reinitialize the tunnel. The tunnel does not reconnect and I get the following message repeated in the ipsec log file:

Jan 4 03:13:14 racoon: [Ishtar ADSL Internode]: INFO: initiate new phase 2 negotiation: 150.101.162.xx[0]<=>150.101.209.xx[0]
Jan 4 03:11:08 racoon: [Ishtar ADSL Internode]: ERROR: 150.101.209.xx give up to get IPsec-SA due to time up to wait.

I found some posts in the forums that said that deleting the ipsec SAD fixes this issue. This does not work for me. The only fix that I have found that works is to restart the racoon service. Once racoon service has been restarted the tunnel comes back up straight away (with the ping still going).

Has anyone got any ideas abut this?

My pfsense is installed on an old pc. Is there any extra debug logging that I can get from the console to assist with troubleshooting this issue?

Thanks.

noneck

Here is an extract of the log after a racoon service restart is done:

Jan 4 03:29:04 racoon: [Ishtar ADSL Internode]: INFO: IPsec-SA established: ESP 150.101.162.xx[0]->150.101.209.xx[0] spi=976108425(0x3a2e3b89)
Jan 4 03:29:04 racoon: [Ishtar ADSL Internode]: INFO: IPsec-SA established: ESP 150.101.209.xx[0]->150.101.162.xx[0] spi=74828175(0x475c98f)
Jan 4 03:29:04 racoon: WARNING: ignore CONNECTED notification.
Jan 4 03:29:04 racoon: WARNING: attribute has been modified.
Jan 4 03:29:04 racoon: [Ishtar ADSL Internode]: INFO: initiate new phase 2 negotiation: 150.101.162.xx[500]<=>150.101.209.xx[500]
Jan 4 03:29:03 racoon: [Ishtar ADSL Internode]: INFO: ISAKMP-SA established 150.101.162.xx[500]-150.101.209.xx[500] spi:d6f9d8b14729f326:22a8dfc94b342266
Jan 4 03:29:02 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Jan 4 03:29:02 racoon: INFO: received Vendor ID: FRAGMENTATION
Jan 4 03:29:02 racoon: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
Jan 4 03:29:02 racoon: INFO: begin Identity Protection mode.
Jan 4 03:29:02 racoon: [Ishtar ADSL Internode]: INFO: initiate new phase 1 negotiation: 150.101.162.xx[500]<=>150.101.209.xx[500]
Jan 4 03:29:02 racoon: [Ishtar ADSL Internode]: INFO: IPsec-SA request for 150.101.209.xx queued due to no phase1 found.
Jan 4 03:28:57 racoon: [Self]: INFO: 192.168.1.1[500] used as isakmp port (fd=15)
Jan 4 03:28:57 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=14)
Jan 4 03:28:57 racoon: [Self]: INFO: 150.101.162.xx[500] used as isakmp port (fd=13)
Jan 4 03:28:57 racoon: INFO: unsupported PF_KEY message REGISTER
Jan 4 03:28:57 racoon: [Self]: INFO: 192.168.1.1[500] used as isakmp port (fd=15)
Jan 4 03:28:57 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=14)
Jan 4 03:28:57 racoon: [Self]: INFO: 150.101.162.xx[500] used as isakmp port (fd=13)
Jan 4 03:28:57 racoon: INFO: Resize address pool from 0 to 255
Jan 4 03:28:57 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
Jan 4 03:28:57 racoon: INFO: @(#)This product linked OpenSSL 0.9.8e 23 Feb 2007 (http://www.openssl.org/)
Jan 4 03:28:57 racoon: INFO: @(#)ipsec-tools 0.7.1 (http://ipsec-tools.sourceforge.net)
Jan 4 03:28:22 racoon: [Ishtar ADSL Internode]: INFO: initiate new phase 2 negotiation: 150.101.162.xx[0]<=>150.101.209.xx[0]
Jan 4 03:25:31 racoon: [Ishtar ADSL Internode]: ERROR: 150.101.209.xx give up to get IPsec-SA due to time up to wait.
Jan 4 03:25:01 racoon: [Ishtar ADSL Internode]: INFO: initiate new phase 2 negotiation: 150.101.162.xx[0]<=>150.101.209.xx[0]
Jan 4 03:24:26 racoon: [Ishtar ADSL Internode]: ERROR: 150.101.209.xx give up to get IPsec-SA due to time up to wait.
Jan 4 03:23:56 racoon: [Ishtar ADSL Internode]: INFO: initiate new phase 2 negotiation: 150.101.162.xx[0]<=>150.101.209.xx[0]

kingtux

I have the same problem…Any fix or places to look at?