    Fix the VPN IPSEC Dead Peer Detection in 1.2.2 or 1.2.3 {$200}

    50 Posts 4 Posters 42.7k Views
    kapara

      path pre_shared_key "/var/etc/psk.txt";
      
      path certificate  "/var/etc";
      
      remote 67.114.XXX.XXX {
      	exchange_mode main;
      	my_identifier address "12.238.XXX.XXX";
      
      	peers_identifier address 67.114.XXX.XXX;
      	initial_contact on;
      	#dpd_delay 120;                   # DPD poll every 120 seconds
      	ike_frag on;
      	support_proxy on;
      	proposal_check obey;
      	dpd_delay 20;
      
      	proposal {
      		encryption_algorithm blowfish;
      		hash_algorithm sha1;
      		authentication_method pre_shared_key;
      		dh_group 2;
      		lifetime time 28800 secs;
      	}
      	lifetime time 28800 secs;
      }
      
      sainfo address 172.20.0.0/16 any address 192.168.100.0/24 any {
      	encryption_algorithm rijndael;
      	authentication_algorithm hmac_sha1;
      	compression_algorithm deflate;
      	pfs_group 2;
      	lifetime time 86400 secs;
      }
      
      remote 69.12.XXX.XXX {
      	exchange_mode main;
      	my_identifier address "12.238.XXX.XXX";
      
      	peers_identifier address 69.12.XXX.XXX;
      	initial_contact on;
      	#dpd_delay 120;                   # DPD poll every 120 seconds
      	ike_frag on;
      	support_proxy on;
      	proposal_check obey;
      	dpd_delay 20;
      
      	proposal {
      		encryption_algorithm 3des;
      		hash_algorithm sha1;
      		authentication_method pre_shared_key;
      		dh_group 2;
      		lifetime time 28800 secs;
      	}
      	lifetime time 28800 secs;
      }
      
      sainfo address 172.20.0.0/16 any address 10.20.30.0/24 any {
      	encryption_algorithm 3des;
      	authentication_algorithm hmac_sha1;
      	compression_algorithm deflate;
      	pfs_group 2;
      	lifetime time 86400 secs;
      }
      
      

      Skype ID:  Marinhd

      drees

        On my 1.2.3 RC1 system it shows up after initial_contact.

                peers_identifier address x.x.x.x;
                initial_contact on;
                dpd_delay 30;
                ike_frag on;
                support_proxy on;
                proposal_check obey;
        
        

        I can't imagine the placement of dpd_delay would have an effect on its effectiveness, though, unless it was a bug in racoon.

        Easy enough to change, though: just move line 447 of /etc/inc/vpn.inc down a bit.

        jimp (Rebel Alliance Developer, Netgate)

          Yeah, it makes no difference for me where it is, so that's why I wanted to know more about kapara's config file.

          Something else must have been changed that made it start working, as that doesn't seem to work for everyone.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

          kapara

            Also I am using 1.2.2 Release embedded.  Another thing was I was lazy and actually have 2 DPD entries at the same time, one for 120 and another for 20.  Forgot to remove it and it is still there based on the existing vpn.inc


            jimp (Rebel Alliance Developer, Netgate)
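A small config-audit script for the situation kapara describes (two dpd_delay entries left in one remote block), added here as an example and not part of this thread or of pfSense: it parses the remote blocks of a racoon.conf fragment and reports peers where dpd_delay is missing or declared more than once, ignoring commented-out lines. The sample configuration and the peer addresses are constructed.

```python
import re

# Constructed sample shaped like the racoon.conf snippet posted above: the first
# peer has a commented-out dpd_delay plus two active ones, the second has none.
# Addresses are documentation placeholders, not real peers.
SAMPLE_CONF = """
remote 192.0.2.10 {
	initial_contact on;
	#dpd_delay 120;                   # DPD poll every 120 seconds
	dpd_delay 20;
	proposal { encryption_algorithm 3des; dh_group 2; }
	dpd_delay 120;
}
remote 198.51.100.7 {
	initial_contact on;
	proposal { encryption_algorithm rijndael; dh_group 2; }
}
"""

REMOTE_RE = re.compile(r"^\s*remote\s+(\S+)\s*\{", re.M)
DPD_RE = re.compile(r"^\s*dpd_delay\s+(\d+)\s*;", re.M)

def remote_blocks(conf: str) -> dict:
    """Return {peer: block body}, matching braces so a nested 'proposal' stays inside."""
    blocks = {}
    for m in REMOTE_RE.finditer(conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        blocks[m.group(1)] = conf[m.end():i - 1]
    return blocks

def audit_dpd(conf: str) -> dict:
    """Map each peer to its active dpd_delay values; an empty list means DPD is off."""
    # Strip '#' comments first so a commented-out dpd_delay is not counted.
    clean = "\n".join(line.split("#", 1)[0] for line in conf.splitlines())
    return {peer: [int(v) for v in DPD_RE.findall(body)]
            for peer, body in remote_blocks(clean).items()}

def findings(conf: str) -> list:
    """Report peers whose DPD setting is missing or declared more than once."""
    out = []
    for peer, delays in audit_dpd(conf).items():
        if not delays:
            out.append(f"{peer}: no active dpd_delay, a dead peer is never detected")
        elif len(delays) > 1:
            out.append(f"{peer}: dpd_delay declared {len(delays)} times {delays}, keep one")
    return out
```

Run `findings(open("/var/etc/racoon.conf").read())` on a live box to list the peers whose DPD setting needs attention.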

              There is a patch that was just added this evening that may fix this, but I won't be able to test it more until tomorrow. If someone else who is seeing the DPD failure/IPSec stuck open issue could try pfSense-Full-Update-1.2.3-20090514-1908.tgz or later, it may behave differently.


              jimp (Rebel Alliance Developer, Netgate)

                Still broken here with the latest snapshots, but I have heard from other sources that there is some ongoing work with ipsec-tools that may result in a fix. So we'll have to wait and see what becomes of that.


                kapara

                  Since I have mine working maybe it would be a good idea to move this to IPSEC rather than the Bounty section.


                  Guest

                    Was this actually a successful bounty or did you just figure out how to ultimately make it work?

                    jimp (Rebel Alliance Developer, Netgate)

                      He got it working on his own.

                      The problem is now that nobody else can replicate his success on his own setup :)

                      I'll start a fresh thread on the IPSec forum for the remaining issue. Actually, it's a toss up between that and the 1.2.3-RC forum since that's what I'm testing on.


                      kapara

                        I can post any information that you would like on my setup.  Just let me know what you want me to post.  Also, when I have had problems in the past I have done a complete rebuild of my system and manually entered all rules, aliases, etc. by hand.  This actually has fixed some problems of mine in the past rather than trying to figure out what went wrong.  It seems that sometimes some changes that are made do not get removed properly or some things do not get implemented properly and there is no "simple" way to fix it other than a manual rebuild.  Though I am not a dev and do not understand the mechanisms of how it works in the background.

                        Let me know if I can post anything which might help.


                        jimp (Rebel Alliance Developer, Netgate)

                          I think what you already posted (vpn.inc and snippet of racoon.conf) is enough for the pfSense side.

                          If you have more information you want to add, you can do so in the new thread I made:

                          http://forum.pfsense.org/index.php/topic,16274.0.html


                          kapara

                            Have you tried a clean install of 1.2 Release, without importing any of the old configuration?  I would be curious if it would work with a clean pfSense box.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.