Racoon makes me sad, this tunnel will not stay up!
-
You may have something wrong in your tunnel config. The SPIs should match up between both sides, though in the reverse direction. For example the SPIs should look like:
A -> B 00000001
B -> A 00000002
on one side (this is an example, it's really like 0b23cb26) and
B -> A 00000001
A -> B 00000002
on the other side of the tunnel.
That log error seems to suggest that it didn't fully establish the tunnel due to some kind of configuration mismatch. To help much more we'd need the logs from both ends of the tunnel, as well as full screenshots of the tunnel config screens (you can black out the public IPs and the PSK)
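Added example (mine, not from the thread and not pfSense's own tooling) of the SPI check described above, done against the kernel instead of the GUI screens: take `setkey -D` on both boxes and compare. The SA that is outbound on site A is inbound on site B, so the same (src, dst, SPI) triple has to appear in both dumps; anything present on one end only is a stale or half-built phase 2 on that end. The two sample dumps are constructed in the shape of FreeBSD `setkey -D` output; the addresses, SPIs and the stale entry are made up.

```shell
#!/bin/sh
# Added example: compare the kernel SAD (setkey -D) from both ends of a tunnel.
# Sample dumps below are constructed; addresses and SPIs are made up.

# Reduce a setkey -D dump to one "src dst spi" line per SA (sorted, deduplicated).
sad_triples() {
    awk '
        # an unindented "src dst" line opens a new SA entry
        /^[^[:space:]]+ [^[:space:]]+$/ { src = $1; dst = $2; next }
        # the indented "esp ..." line carries spi=decimal(0xhex); keep the hex
        /^[[:space:]]+esp / {
            for (i = 1; i <= NF; i++) if ($i ~ /^spi=/) {
                spi = $i
                sub(/^spi=[0-9]+\(/, "", spi); sub(/\)$/, "", spi)
                print src, dst, spi
            }
        }' "$1" | sort -u
}

# The SA that is outbound on A is inbound on B, so every (src, dst, spi)
# triple must be present in both dumps. Prints the ones seen on one end only
# and returns 1 in that case (stale or half-built phase 2 on that end).
check_spi_pairing() {
    unpaired=$( { sad_triples "$1"; sad_triples "$2"; } | sort | uniq -u )
    [ -z "$unpaired" ] && return 0
    printf 'SA present on one end only:\n%s\n' "$unpaired"
    return 1
}

# Constructed dumps: site A, a site B that agrees with it, and a site B that
# still holds an A->B SA from an earlier negotiation (different SPI).
write_samples() {
    cat > "$1/sitea.sad" <<'EOF'
192.0.2.1 198.51.100.1
	esp mode=tunnel spi=186895142(0x0b23cb26) reqid=16385(0x00004001)
	state=mature
198.51.100.1 192.0.2.1
	esp mode=tunnel spi=206560(0x00326e80) reqid=16386(0x00004002)
	state=mature
EOF
    cp "$1/sitea.sad" "$1/siteb_ok.sad"
    sed 's/186895142(0x0b23cb26)/186895143(0x0b23cb27)/' "$1/sitea.sad" > "$1/siteb_stale.sad"
}

tmp=$(mktemp -d)
write_samples "$tmp"
check_spi_pairing "$tmp/sitea.sad" "$tmp/siteb_ok.sad" && echo "siteb_ok: both ends agree"
check_spi_pairing "$tmp/sitea.sad" "$tmp/siteb_stale.sad" || echo "siteb_stale: phase 2 out of sync"
rm -rf "$tmp"
```

On a real pair of boxes: `setkey -D > sitea.sad` on one, the same on the other, copy one file over and run `check_spi_pairing sitea.sad siteb.sad`. Entries with `[4500]` after the addresses (NAT-T) are handled the same way.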
-
Well here's what you asked for. I hope it helps out :/
Site A (home base or HQ if you will)::
Site A (allow mobile connections page)::
Site B (backup site)::
The logs can be viewed at the following two links. Site A hasn't been as consistent as site B in keeping a log of what's going on. The data I uploaded to my server is fresh and these logs are current, as you can see by the time stamps.
SITE A W/ Raw Filter Logging Enabled:
http://www.inferno-wan.com/pfs/sitealog.html
SITE B W/ Raw Filter Logging Enabled:
http://www.inferno-wan.com/pfs/siteblog.html
Just to remind whoever is helping me… I haven't touched my firewall settings in regards to IPsec allowance, mostly because the tunnel worked great last Sunday and for multiple months before that (I even had to restart a couple of times over those few months). I did look over the rules and make sure all IPsec applicable schema were entered properly, and they were. If for some reason it's possible that entries can become somehow corrupt, should I re-create the rules?
You know how you can be working on some type of annoyance for weeks and then you find the problem to be a stupid check box setting? If that's the case here, I'm gonna have a good laugh. But IMHO here, I don't think that's the case.
If i can post any more information please let me know.
-
I'm game for trying a different configuration if mine looks questionable.
-
Why are you using mobile tunnels? Are site A and site B dynamic IP?
If they are dynamic IP, they will need a different identifier, such as "sitea@example.com" and "siteb@example.com" and PSKs to match.
You'd probably be better off with static tunnels built between each site and using dyndns hostnames for the peer addresses if you have dynamic IPs.
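Added example (mine, not from the thread; pfSense writes these files from its GUI, this is a hand-rolled equivalent) of what the advice above amounts to in racoon's own configuration. Each end names itself with `my_identifier` and expects the other's name in `peers_identifier`, so the two files must cross, and psk.txt on each end is keyed by the peer's identifier, not its own. Identifier-keyed PSKs only work in aggressive mode (in main mode racoon picks the PSK by peer address before it has seen the ID). The identifiers, addresses and key are assumptions; racoon wants an address (or `anonymous`) in the `remote` block, so a dyndns name has to be resolved before the file is written.

```shell
#!/bin/sh
# Added example: write racoon.conf/psk.txt for both ends of a site-to-site
# tunnel keyed by user_fqdn identifiers, then check that the two ends cross.
# Identifiers, addresses and the PSK below are made up.

# write_site_conf DIR MY_ID PEER_ID PEER_ADDR PSK
write_site_conf() {
    dir=$1 my_id=$2 peer_id=$3 peer_addr=$4 psk=$5
    mkdir -p "$dir"
    cat > "$dir/racoon.conf" <<EOF
path pre_shared_key "$dir/psk.txt";

remote $peer_addr {
	exchange_mode aggressive;
	my_identifier user_fqdn "$my_id";
	peers_identifier user_fqdn "$peer_id";
	verify_identifier on;
	proposal_check obey;
	proposal {
		encryption_algorithm aes 256;
		hash_algorithm sha1;
		authentication_method pre_shared_key;
		dh_group 2;
		lifetime time 28800 sec;
	}
}
EOF
    # psk.txt is keyed by the PEER's identifier: "<identifier> <key>"
    # (key without spaces here so a plain awk field split is enough to compare).
    printf '%s %s\n' "$peer_id" "$psk" > "$dir/psk.txt"
    chmod 600 "$dir/psk.txt"   # keep it root-only, as pfSense does
}

# conf_id FILE KEYWORD - value of a user_fqdn identifier keyword
# (my_identifier or peers_identifier) in a racoon.conf.
conf_id() {
    sed -n "s/^[[:space:]]*$2 user_fqdn \"\([^\"]*\)\";.*/\1/p" "$1"
}

# The ends must cross: A's my_identifier is B's peers_identifier and vice
# versa, and both psk.txt files must hold the same key. Returns 1 otherwise.
check_pairing() {
    a=$1 b=$2
    [ "$(conf_id "$a/racoon.conf" my_identifier)" = "$(conf_id "$b/racoon.conf" peers_identifier)" ] &&
    [ "$(conf_id "$b/racoon.conf" my_identifier)" = "$(conf_id "$a/racoon.conf" peers_identifier)" ] &&
    [ "$(awk '{print $2}' "$a/psk.txt")" = "$(awk '{print $2}' "$b/psk.txt")" ]
}

tmp=$(mktemp -d)
# Site A has the static address 192.0.2.1; site B's address can change, so A
# accepts it as "anonymous" and B dials A's fixed address.
write_site_conf "$tmp/sitea" sitea@example.com siteb@example.com anonymous Pre-shared-key-changeme
write_site_conf "$tmp/siteb" siteb@example.com sitea@example.com 192.0.2.1 Pre-shared-key-changeme
check_pairing "$tmp/sitea" "$tmp/siteb" && echo "identifiers and PSK cross correctly"
# A typo in the peer identifier on one end: racoon on the other end cannot
# find a PSK for the ID it is presented with and phase 1 fails.
write_site_conf "$tmp/siteb_typo" siteb@example.com sitea@exmaple.com 192.0.2.1 Pre-shared-key-changeme
check_pairing "$tmp/sitea" "$tmp/siteb_typo" || echo "siteb_typo: identifiers do not cross"
rm -rf "$tmp"
```

If site B later gets a dyndns name and you want two ordinary static tunnels instead, replace `anonymous` on site A with the resolved address of that name and keep the identifiers and psk.txt exactly as above; the crossing rule is the same.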
-
I read in the documentation that if one IP is dynamic then Mobile clients had to be enabled. I will try disabling it.
Both sites use Time Warner as an ISP. There is only one hop in between the sites and ping times over the tunnel (when working) are an average of 18 ms.
Site A has a static IP address, and site B has a dynamic address, but it only changes when the modem sees a different MAC being used. It hasn't changed in months. I doubt it will change any time soon either; once before I kept the same IP address under a dynamic account from them for over a year! lol. But my question has always been, when configuring pfSense, does it matter that site B has a dynamic IP address even though it doesn't change?
-
ehhh :( I tried disabling it to no avail. Same problem. The logs look the same. :-\
-
Is one of the ends actually a private IP on WAN?
The logs you pasted show a phase 1 timeout, which either means a setting mismatch, which isn't the case based on your screenshots, or traffic not actually getting to the remote end. I suspect some other firewall is blocking that traffic before it gets to you.
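Added example (mine, not from the thread) of a small triage over a racoon log that separates the two causes named above. A settings mismatch makes racoon complain about the proposal or the PSK before it gives up; a peer that never receives or never answers the ISAKMP packets leaves only `phase1 negotiation failed due to time up` behind, with the responder half of the cookie pair still all zeros because nothing ever came back. The log lines are constructed in the shape of racoon's messages as they appear in pfSense's system log (an assumption about exact wording, not copied from the poster's logs).

```shell
#!/bin/sh
# Added example: triage racoon phase 1 failures. Sample logs are constructed.

# Phase 1 timeouts whose responder cookie is still all zeros: the peer never
# sent a single packet back in that exchange.
unanswered_timeouts() {
    grep -c 'phase1 negotiation failed due to time up\. [0-9a-f]*:0000000000000000' "$1" || true
}

# Print one verdict for a racoon log:
#   phase1-ok - an ISAKMP-SA was established and nothing timed out
#   mismatch  - the peer answered, but proposal/PSK negotiation failed
#   no-reply  - only timeouts, never answered: packets not arriving at the
#               peer (filtered upstream, wrong address) or it isn't listening
#   stalled   - the peer answered but the exchange never finished (lost
#               packets, NAT in the path, or a PSK problem main mode can't name)
#   unknown   - none of the above patterns present
racoon_triage() {
    log=$1
    timeups=$(grep -c 'phase1 negotiation failed due to time up' "$log" || true)
    established=$(grep -c 'ISAKMP-SA established' "$log" || true)
    mismatches=$(grep -cE "no suitable proposal found|failed to get valid proposal|couldn't find the pskey|HASH mismatched" "$log" || true)
    if [ "$established" -gt 0 ] && [ "$timeups" -eq 0 ]; then
        echo phase1-ok
    elif [ "$mismatches" -gt 0 ]; then
        echo mismatch
    elif [ "$timeups" -gt 0 ] && [ "$(unanswered_timeouts "$log")" -eq "$timeups" ]; then
        echo no-reply
    elif [ "$timeups" -gt 0 ]; then
        echo stalled
    else
        echo unknown
    fi
}

# Constructed logs, one per verdict. Cookies and timestamps are made up.
write_sample_logs() {
    cat > "$1/silent.log" <<'EOF'
Oct 11 20:01:03 racoon: INFO: initiate new phase 1 negotiation: 192.0.2.1[500]<=>198.51.100.1[500]
Oct 11 20:01:03 racoon: INFO: begin Identity Protection mode.
Oct 11 20:01:33 racoon: ERROR: phase1 negotiation failed due to time up. 3a1f9c0e7b2d4c11:0000000000000000
Oct 11 20:02:05 racoon: INFO: initiate new phase 1 negotiation: 192.0.2.1[500]<=>198.51.100.1[500]
Oct 11 20:02:35 racoon: ERROR: phase1 negotiation failed due to time up. 9d7e2b4a6c3f8e22:0000000000000000
EOF
    cat > "$1/mismatch.log" <<'EOF'
Oct 11 20:05:01 racoon: INFO: initiate new phase 1 negotiation: 192.0.2.1[500]<=>198.51.100.1[500]
Oct 11 20:05:01 racoon: INFO: begin Identity Protection mode.
Oct 11 20:05:01 racoon: ERROR: no suitable proposal found.
Oct 11 20:05:01 racoon: ERROR: failed to get valid proposal.
Oct 11 20:05:31 racoon: ERROR: phase1 negotiation failed due to time up. 4c2a8e1f0d5b7a33:b1c2d3e4f5a60718
EOF
    cat > "$1/stalled.log" <<'EOF'
Oct 11 20:15:01 racoon: INFO: initiate new phase 1 negotiation: 192.0.2.1[500]<=>198.51.100.1[500]
Oct 11 20:15:01 racoon: INFO: begin Identity Protection mode.
Oct 11 20:15:31 racoon: ERROR: phase1 negotiation failed due to time up. 7e6d5c4b3a291807:c0ffee0123456789
EOF
    cat > "$1/ok.log" <<'EOF'
Oct 11 20:10:01 racoon: INFO: initiate new phase 1 negotiation: 192.0.2.1[500]<=>198.51.100.1[500]
Oct 11 20:10:01 racoon: INFO: begin Identity Protection mode.
Oct 11 20:10:02 racoon: INFO: ISAKMP-SA established 192.0.2.1[500]-198.51.100.1[500] spi:4c2a8e1f0d5b7a33:b1c2d3e4f5a60718
EOF
}

tmp=$(mktemp -d)
write_sample_logs "$tmp"
for f in silent mismatch stalled ok; do
    printf '%s: %s\n' "$f" "$(racoon_triage "$tmp/$f.log")"
done
rm -rf "$tmp"
```

Run it over the racoon lines pulled out of the system log (`clog /var/log/system.log | grep racoon > racoon.log` on pfSense 1.2, then `racoon_triage racoon.log`). A `no-reply` verdict is the case the reply above suspects; confirm it with `tcpdump -ni <wan-if> udp port 500 or udp port 4500` on both WANs at the same time: if the initiator's packets leave one box and never show up on the other, something between the two is dropping them, not racoon.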
-
Nope, no private IP on WAN. I did a find all/replace all in Macromedia before I posted. Site A is static on WAN, and site B is dynamic on WAN, but that IP never changes. There are no other firewalls before the pfSense boxes, so if traffic is being blocked before racoon can handle it, pfSense must be the culprit? Time Warner doesn't block any ports or protocols specific to my application scenarios. Could I post any other information to aid in resolution?
-
Sooo, would reinstalling pfsense and starting from scratch be my best bet?
-
I tried reinstalling pfSense and it was to no avail! The tunnel would NOT STAY UP! I used the 1.2.3-RC1 ISO, the same install that I used for months and had a stable IPsec site-to-site VPN. Can somebody please answer me this: is it possible that the hardware combination of both pfSense boxes could be the culprit? I'm using two old Power Spec boxes (Micro Center PCs) for pfSense. All four NICs are different, and each machine contains a different processor. So is it possible that this could be a reason why the tunnel won't stay up? I'm out of ideas… should I assemble two brand new pfSense boxes with the same exact hardware configurations? I really need some help on this issue. I am more than willing to donate to FreeBSD if I can get my issue corrected. I am not in the position to spend XXX dollars on support because of lack of budget, so any help on this issue would be greatly appreciated. Site-to-site IPsec VPN tunnels are not very user friendly from what I can see.... ???
- Luke
Fred's Appliance, LLC
www.fredsappliance.com
LRepko@fredsappliance.com
-
I had similar issues with tunnels between 2 pfSense boxes not staying up. I'm running 1.2.2, so not sure how much of this is applicable. It seemed like to get the tunnels up I would just randomly restart and disable/re-enable tunnels until they worked. Finally though I found something that seemed to work every time:
1) Disabled both ends of the tunnel
2) setkey -FP on both ends of the tunnel
3) Restarted both racoons
4) Re-enabled the tunnels
Not sure if this will help or not. The way I finally fixed my tunnel stability issue was to change the lifetime to about 10 days for both phase 1 and phase 2, making sure not to set them to the same thing. I have no idea why this fixed the problem, but it did. Not sure if any of this will help you or not.
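The four steps above as an added shell script (mine, not the poster's and not pfSense's own). The GUI disable/enable can't be scripted here, so the script does the part in between, and it also flushes the SAD (`setkey -F`), since the stale SPIs live there and `setkey -FP` only clears policies. Paths are assumptions: pfSense 1.2 keeps racoon's config at /var/etc/racoon.conf and its static policies in /var/etc/spd.conf; check your box and override the variables if they differ. Pass `echo` as the first argument to see the sequence without running it.

```shell
#!/bin/sh
# Added example: reset racoon and kernel IPsec state on one end of a tunnel.
# Assumed pfSense 1.2 paths; override with RACOON_CONF / SPD_CONF if different.
RACOON_CONF=${RACOON_CONF:-/var/etc/racoon.conf}
SPD_CONF=${SPD_CONF:-/var/etc/spd.conf}

# ipsec_reset [RUNNER] - RUNNER=echo prints the commands instead of running them
ipsec_reset() {
    run=${1:-}
    $run setkey -FP                 # flush security policies (SPD)
    $run setkey -F                  # flush security associations (SAD): stale SPIs live here
    $run pkill -x racoon            # stop the daemon (exact process name match)
    $run sleep 1
    if [ -f "$SPD_CONF" ]; then
        $run setkey -f "$SPD_CONF"  # reload the static tunnel policies
    else
        echo "no $SPD_CONF: reload policies by re-enabling the tunnel in the GUI" >&2
    fi
    $run racoon -f "$RACOON_CONF"   # start it again, re-reading the config
}

# count_mature_sas [FILE] - number of SAs in state=mature in a setkey -D dump
# (file or stdin). A working site-to-site tunnel shows two per phase 2 entry.
count_mature_sas() {
    grep -c 'state=mature' "${1:-/dev/stdin}" || true
}

# Typical use on one end, after disabling the tunnel in the GUI:
#   ipsec_reset                    # run it for real
#   setkey -D | count_mature_sas   # 0 right after, 2 once the peer has renegotiated
ipsec_reset echo
```

Do it on both ends before re-enabling the tunnels, as the post says; flushing only one side leaves the other holding SAs the flushed side no longer knows about, which is exactly the mismatched-SPI picture from earlier in the thread.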
-
My IPSEC tunnels have always connected, but sometimes wouldn't reconnect. I switched to RC3 and a lot of this was fixed. The only tunnel I have problems with is one over a wireless connection.
If your tunnels are establishing, but no data passing, be sure to double-check your firewall to make sure there are IPSEC rules to allow it. I forgot to do this after replacing a pfsense router, and it caused me grief.