IPsec Problems w/ FQDN
-
I just upgraded to 1.2.3 and it seemed to have broken my IPsec tunnel to a Linksys endpoint. That remote router has a dynamic IP, whereas the local router has a static. I used to have to change the IP on the pfsense router to allow the tunnel to work. I have NAT-T disabled on both sides.
Some config details:
P1:
Mode: aggressive
3DES
SHA1
Group: 2
Lifetime: 28800
Auth: PSK
P2:
Proto: ESP
3DES
SHA1
Group: 2
Timeout: 3600
Here is the log on the pfSense side:
Feb 22 03:42:25 racoon: INFO: –-----------[500] used for NAT-T
Feb 22 03:42:25 racoon: [Self]: INFO: –---------
Feb 22 03:42:36 racoon: [To David's House]: INFO: phase2 sa deleted –------------------ - --------------
Feb 22 03:42:35 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Feb 22 03:42:35 racoon: [To David's House]: INFO: phase2 sa expired –---------------- - -----------------
Feb 22 03:42:25 racoon: INFO: --------------[500] used for NAT-T
Feb 22 03:42:25 racoon: [Self]: INFO: –--[500] used as isakmp port (fd=15)
Feb 22 03:42:25 racoon: INFO: 192.168.3.1[500] used for NAT-T
Feb 22 03:42:25 racoon: [Self]: INFO: 192.168.3.1[500] used as isakmp port (fd=14)
Feb 22 03:42:25 racoon: INFO: 127.0.0.1[500] used for NAT-T
Feb 22 03:42:25 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=13)
Feb 22 03:42:16 racoon: INFO: –-------------[500] used for NAT-T
Feb 22 03:42:16 racoon: [Self]: INFO: –-----------[500] used as isakmp port (fd=16)
Feb 22 03:42:16 racoon: INFO: –--------[500] used for NAT-T
Feb 22 03:42:16 racoon: [Self]: INFO: –------------[500] used as isakmp port (fd=15)
Feb 22 03:42:16 racoon: INFO: 192.168.3.1[500] used for NAT-T
Feb 22 03:42:16 racoon: [Self]: INFO: 192.168.3.1[500] used as isakmp port (fd=14)
Feb 22 03:42:16 racoon: INFO: 127.0.0.1[500] used for NAT-T
Feb 22 03:42:16 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=13)
Feb 22 03:42:13 racoon: INFO: begin Aggressive mode.
Feb 22 03:42:13 racoon: [To David's House]: INFO: initiate new phase 1 negotiation: –-------------[500]<=>–--------------[500]
Feb 22 03:42:13 racoon: [To David's House]: INFO: IPsec-SA request for –------------ queued due to no phase1 found.
Thank you for any help in advance!
-
That's all it's logging? Doesn't show a failure. Might get more useful info by running racoon in the foreground via a SSH session. From a command prompt, run:
killall racoon
racoon -f /var/etc/racoon.conf -F
then try to connect from the other end and see what that logs to your SSH session.
-
Thanks for the quick reply! Here is the output when I run racoon from the foreground:
2009-02-22 04:52:48: WARNING: /var/etc/racoon.conf:3: "0660" admin port support not compiled in
2009-02-22 04:52:48: INFO: 127.0.0.1[500] used as isakmp port (fd=6)
2009-02-22 04:52:48: INFO: 127.0.0.1[500] used for NAT-T
2009-02-22 04:52:48: INFO: ---------[500] used as isakmp port (fd=7)
2009-02-22 04:52:48: INFO: ---------[500] used for NAT-T
2009-02-22 04:52:48: INFO: ---------[500] used as isakmp port (fd=8)
2009-02-22 04:52:48: INFO: ---------[500] used for NAT-T
2009-02-22 04:52:48: INFO: ---------[500] used as isakmp port (fd=9)
2009-02-22 04:52:48: INFO: ---------[500] used for NAT-T
2009-02-22 04:52:59: INFO: IPsec-SA request for ------------ queued due to no phase1 found.
2009-02-22 04:52:59: INFO: initiate new phase 1 negotiation: -------------[500]<=>-------------[500]
2009-02-22 04:52:59: INFO: begin Aggressive mode.
2009-02-22 04:53:21: INFO: phase2 sa expired ------------ - ------------
2009-02-22 04:53:21: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
2009-02-22 04:53:22: INFO: phase2 sa deleted -------- - ----------
2009-02-22 04:53:43: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
2009-02-22 04:53:49: ERROR: phase1 negotiation failed due to time up. 2ed288d9c6e2ab01:0000000000000000
2009-02-22 04:53:52: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP --------------[500]->------------[500]
2009-02-22 04:53:52: INFO: delete phase 2 handler.
2009-02-22 04:54:05: INFO: IPsec-SA request for ------------- queued due to no phase1 found.
Thanks Again!
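The foreground racoon output above is the kind of log a small triage script can classify automatically. The following is an added example, not code from the thread or from pfSense/racoon: it parses racoon's foreground log format (timestamp, level, message), counts phase 1 starts, timeouts and "queued due to no phase1 found" retries, and uses the cookie pair printed on the "phase1 negotiation failed" line to tell whether the peer ever answered (an all-zero responder cookie means no ISAKMP reply was received at all, which points at reachability or the remote side rather than a proposal mismatch). The sample log lines are constructed, with documentation-range placeholder addresses in place of the redacted ones in the post.

```python
import re

# Constructed sample, modelled on the foreground racoon output in the thread.
# Addresses are placeholders (RFC 5737 documentation ranges), not the poster's.
SAMPLE_LOG = """\
2009-02-22 04:52:48: INFO: 127.0.0.1[500] used as isakmp port (fd=6)
2009-02-22 04:52:48: INFO: 127.0.0.1[500] used for NAT-T
2009-02-22 04:52:59: INFO: IPsec-SA request for 192.0.2.10 queued due to no phase1 found.
2009-02-22 04:52:59: INFO: initiate new phase 1 negotiation: 198.51.100.1[500]<=>203.0.113.5[500]
2009-02-22 04:52:59: INFO: begin Aggressive mode.
2009-02-22 04:53:21: INFO: phase2 sa expired 192.168.3.0/24 - 192.168.1.0/24
2009-02-22 04:53:21: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
2009-02-22 04:53:49: ERROR: phase1 negotiation failed due to time up. 2ed288d9c6e2ab01:0000000000000000
2009-02-22 04:53:52: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 198.51.100.1[500]->203.0.113.5[500]
2009-02-22 04:53:52: INFO: delete phase 2 handler.
"""

# racoon -F prints "<date> <time>: <LEVEL>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): (?P<level>[A-Z]+): (?P<msg>.*)$"
)
P1_START_RE = re.compile(
    r"initiate new phase 1 negotiation: (?P<local>[^\s\[]+)\[\d+\]<=>(?P<peer>[^\s\[]+)\[\d+\]"
)
# The failure line ends with "<initiator cookie>:<responder cookie>" (16 hex each).
P1_FAIL_RE = re.compile(
    r"phase1 negotiation failed due to time up\. (?P<icookie>[0-9a-f]{16}):(?P<rcookie>[0-9a-f]{16})"
)


def parse_lines(text):
    """Return a list of {ts, level, msg} dicts, skipping lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def triage(text):
    """Summarise phase 1 progress in a racoon log and produce a one-line verdict."""
    summary = {
        "phase1_started": 0,
        "phase1_established": 0,
        "phase1_timeouts": 0,
        "peer_never_replied": False,
        "queued_no_phase1": 0,
        "mode": None,
        "peers": [],
        "verdict": "",
    }
    for ev in parse_lines(text):
        msg = ev["msg"]
        start = P1_START_RE.search(msg)
        fail = P1_FAIL_RE.search(msg)
        if start:
            summary["phase1_started"] += 1
            summary["peers"].append((start["local"], start["peer"]))
        elif msg.startswith("begin Aggressive mode"):
            summary["mode"] = "aggressive"
        elif msg.startswith("begin Identity Protection mode"):
            summary["mode"] = "main"
        elif "ISAKMP-SA established" in msg:
            summary["phase1_established"] += 1
        elif "queued due to no phase1 found" in msg:
            summary["queued_no_phase1"] += 1
        elif fail:
            summary["phase1_timeouts"] += 1
            # Responder cookie stays all-zero until the peer's first message arrives.
            if fail["rcookie"] == "0" * 16:
                summary["peer_never_replied"] = True

    if summary["phase1_established"]:
        summary["verdict"] = "phase 1 completed; investigate phase 2 proposals / networks"
    elif summary["peer_never_replied"]:
        summary["verdict"] = ("phase 1 timed out with no reply from the peer: "
                              "check reachability of UDP/500 and the remote side's log")
    elif summary["phase1_timeouts"]:
        summary["verdict"] = ("phase 1 timed out after the peer replied: "
                              "likely proposal, identifier or PSK mismatch")
    else:
        summary["verdict"] = "no phase 1 outcome in this log window"
    return summary


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a saved copy of the foreground output (`python3 triage.py < racoon.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`); the verdict line is the thing to compare with the remote router's own log, since a zero responder cookie on the initiator means the interesting failure, if any, happened on the other end.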
-
Doesn't really show anything useful, what's the other end logging?