IPsec site-to-site VPN has been working for months, now dead
-
Hello guys!
I've been troubleshooting my site-to-site IPsec VPN for several hours now. I've had this VPN up and running for several months and now, all of a sudden, it just refuses to pass any traffic through the tunnels. It's pfSense on both ends.
The only thing that has changed was that a few days ago I moved the DHCP server from the fw to another machine. Don't think it has anything to do with anything though.
The IPsec logs say, on my local server:
Jan 5 13:32:22 racoon: [VPN tunnel to Keiv]: INFO: IPsec-SA established: ESP/Tunnel 82.99.xx.xxx[0]->195.137.xxx.xx[0] spi=13779038(0xd2405e)
Jan 5 13:32:22 racoon: [VPN tunnel to Keiv]: INFO: IPsec-SA established: ESP/Tunnel 195.137.xxx.xx[0]->82.99.xx.xxx[0] spi=127545448(0x79a3068)
Jan 5 13:32:22 racoon: [VPN tunnel to Keiv]: INFO: respond new phase 2 negotiation: 82.99.xx.xxx[0]<=>195.137.xxx.xx[0]
Jan 5 13:32:21 racoon: INFO: purging spi=6695884.
Jan 5 13:32:21 racoon: INFO: purging spi=93283993.
Jan 5 13:32:21 racoon: INFO: purging spi=170545371.
Jan 5 13:32:21 racoon: INFO: purging spi=118527171.
Jan 5 13:32:21 racoon: [VPN tunnel to Keiv]: INFO: ISAKMP-SA established 82.99.xx.xxx[500]-195.137.xxx.xx[500] spi:868c6604530711d7:4fdf183f84b90d02
Jan 5 13:32:21 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Jan 5 13:32:21 racoon: INFO: received Vendor ID: DPD
Jan 5 13:32:21 racoon: INFO: begin Aggressive mode.
Jan 5 13:32:21 racoon: [VPN tunnel to Keiv]: INFO: respond new phase 1 negotiation: 82.99.xx.xxx[500]<=>195.137.xxx.xx[500]
On the remote server:
Jan 5 14:32:22 racoon: [VPN tunnel to Malmoe]: INFO: IPsec-SA established: ESP/Tunnel 195.137.xxx.xx[0]->82.99.xx.xxx[0] spi=127545448(0x79a3068)
Jan 5 14:32:22 racoon: [VPN tunnel to Malmoe]: INFO: IPsec-SA established: ESP/Tunnel 82.99.xx.xxx[0]->195.137.xxx.xx[0] spi=13779038(0xd2405e)
Jan 5 14:32:22 racoon: [VPN tunnel to Malmoe]: INFO: initiate new phase 2 negotiation: 195.137.xxx.xx[500]<=>82.99.xx.xxx[500]
Jan 5 14:32:21 racoon: [VPN tunnel to Malmoe]: INFO: ISAKMP-SA established 195.137.xxx.xx[500]-82.99.xx.xxx[500] spi:868c6604530711d7:4fdf183f84b90d02
Jan 5 14:32:21 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Jan 5 14:32:21 racoon: INFO: received Vendor ID: DPD
Jan 5 14:32:21 racoon: INFO: begin Aggressive mode.
Jan 5 14:32:21 racoon: [VPN tunnel to Malmoe]: INFO: initiate new phase 1 negotiation: 195.137.xxx.xx[500]<=>82.99.xx.xxx[500]
Jan 5 14:32:21 racoon: [VPN tunnel to Malmoe]: INFO: IPsec-SA request for 82.99.xx.xxx queued due to no phase1 found.
Jan 5 14:32:21 racoon: ERROR: such policy already exists. anyway replace it: 10.0.2.0/24[0] 10.0.1.0/24[0] proto=any dir=out
Jan 5 14:32:21 racoon: ERROR: such policy already exists. anyway replace it: 10.0.2.1/32[0] 10.0.2.0/24[0] proto=any dir=out
Jan 5 14:32:21 racoon: ERROR: such policy already exists. anyway replace it: 10.0.1.0/24[0] 10.0.2.0/24[0] proto=any dir=in
Jan 5 14:32:21 racoon: ERROR: such policy already exists. anyway replace it: 10.0.2.0/24[0] 10.0.2.1/32[0] proto=any dir=in
Jan 5 14:32:21 racoon: [Self]: INFO: 10.0.2.1[500] used as isakmp port (fd=19)
Jan 5 14:32:21 racoon: INFO: fe80::202:2aff:fee1:4a07%rl0[500] used as isakmp port (fd=18)
Jan 5 14:32:21 racoon: [Self]: INFO: 195.137.xxx.xx[500] used as isakmp port (fd=17)
Jan 5 14:32:21 racoon: INFO: fe80::2e0:4cff:fe39:3a39%rl1[500] used as isakmp port (fd=16)
Jan 5 14:32:21 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
Jan 5 14:32:21 racoon: INFO: ::1[500] used as isakmp port (fd=14)
Jan 5 14:32:21 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=13)
Jan 5 14:32:21 racoon: INFO: unsupported PF_KEY message REGISTER
Jan 5 14:32:21 racoon: [Self]: INFO: 10.0.2.1[500] used as isakmp port (fd=19)
Jan 5 14:32:21 racoon: INFO: fe80::202:2aff:fee1:4a07%rl0[500] used as isakmp port (fd=18)
Jan 5 14:32:21 racoon: [Self]: INFO: 195.137.xxx.xx[500] used as isakmp port (fd=17)
Jan 5 14:32:21 racoon: INFO: fe80::2e0:4cff:fe39:3a39%rl1[500] used as isakmp port (fd=16)
Jan 5 14:32:21 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
Jan 5 14:32:21 racoon: INFO: ::1[500] used as isakmp port (fd=14)
Jan 5 14:32:21 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=13)
Jan 5 14:32:21 racoon: INFO: Resize address pool from 0 to 255
Jan 5 14:32:21 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
Jan 5 14:32:21 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
Jan 5 14:32:21 racoon: INFO: @(#)ipsec-tools 0.7 (http://ipsec-tools.sourceforge.net)
My network rules for IPsec are * on everything on both ends.
Any ideas?? Please?!
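As an added example (not from the thread and not pfSense or racoon code), a small Python check that parses the racoon lines quoted above from both ends, confirms the ESP SPIs agree per direction, and flags the aggressive-mode and pskey-lookup messages. The sample lines are constructed from the quoted logs, with the addresses masked as the poster masked them.

```python
import re

# Constructed sample input, modelled on the racoon lines quoted in the thread.
LOCAL_LOG = """\
Jan 5 13:32:22 racoon: [VPN tunnel to Keiv]: INFO: IPsec-SA established: ESP/Tunnel 82.99.xx.xxx[0]->195.137.xxx.xx[0] spi=13779038(0xd2405e)
Jan 5 13:32:22 racoon: [VPN tunnel to Keiv]: INFO: IPsec-SA established: ESP/Tunnel 195.137.xxx.xx[0]->82.99.xx.xxx[0] spi=127545448(0x79a3068)
Jan 5 13:32:21 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Jan 5 13:32:21 racoon: INFO: begin Aggressive mode.
"""
REMOTE_LOG = """\
Jan 5 14:32:22 racoon: [VPN tunnel to Malmoe]: INFO: IPsec-SA established: ESP/Tunnel 195.137.xxx.xx[0]->82.99.xx.xxx[0] spi=127545448(0x79a3068)
Jan 5 14:32:22 racoon: [VPN tunnel to Malmoe]: INFO: IPsec-SA established: ESP/Tunnel 82.99.xx.xxx[0]->195.137.xxx.xx[0] spi=13779038(0xd2405e)
Jan 5 14:32:21 racoon: INFO: begin Aggressive mode.
"""

SA_RE = re.compile(r"IPsec-SA established: ESP/Tunnel (\S+?)\[\d+\]->(\S+?)\[\d+\] spi=(\d+)")


def parse_sas(log):
    """Return {(src, dst): spi} for every ESP SA racoon reports as established."""
    sas = {}
    for line in log.splitlines():
        m = SA_RE.search(line)
        if m:
            sas[(m.group(1), m.group(2))] = int(m.group(3))
    return sas


def check_tunnel(local_log, remote_log):
    """Compare both ends of the tunnel and return a list of findings."""
    findings = []
    local, remote = parse_sas(local_log), parse_sas(remote_log)
    # The SPI for a given direction must be identical on both peers; ESP packets
    # arriving with an SPI the kernel has no SA for are silently dropped.
    for direction in sorted(set(local) | set(remote)):
        if local.get(direction) != remote.get(direction):
            findings.append("SPI mismatch for %s->%s: local=%s remote=%s"
                            % (direction[0], direction[1], local.get(direction), remote.get(direction)))
    for name, log in (("local", local_log), ("remote", remote_log)):
        if "begin Aggressive mode" in log:
            # Aggressive mode sends the peer identity and the PSK-derived hash before
            # encryption is up, which is why main mode is the recommended setting.
            findings.append(name + ": phase 1 used aggressive mode; prefer main mode")
        if "couldn't find the proper pskey" in log:
            findings.append(name + ": PSK not found by identifier, racoon fell back to peer-address lookup")
    return findings
```

In the thread's logs both SPIs match across the peers, so the SA installation itself looks consistent; the remaining findings are the aggressive-mode and pskey-lookup messages Heiko picks up on below.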
-
1.2 or 1.2.1?
Please click the "save" Button again on the ipsec-page.
If this doesn't help you can also delete all SPDs on one side.
Why are you using aggressive mode?
-
Thanks for answering Heiko,
I did try removing the SPDs at least 10 times during the hours I spent troubleshooting. Then all of a sudden, when I gave up messing with it and was waiting for an answer here, it just started to work again. I had a ping going and all of a sudden it started to reply. Very strange, and it feels very insecure.
I'm using 1.2.
-
I have no problems with 1.2 except the mobile option/aggressive mode. But this should also be fixed in the 1.21 release. Please try the 1.21 version and, if you can, change aggressive mode to main mode.
Regards
Heiko -
Great, I'll do that. Thanks Heiko…