Netgate Discussion Forum
    IPSec not working in 2.0

    2.0-RC Snapshot Feedback and Problems - RETIRED
    8 Posts 2 Posters 5.6k Views
      jlepthien

      Hi there,

      I am using the snap from the 28th…

      This is what I see in my ipsec log:

      Dec 28 20:28:21 racoon: INFO: @(#)ipsec-tools 0.8-alpha20090903 (http://ipsec-tools.sourceforge.net)
      Dec 28 20:28:21 racoon: INFO: @(#)This product linked OpenSSL 0.9.8k 25 Mar 2009 (http://www.openssl.org/)
      Dec 28 20:28:21 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
      Dec 28 20:28:21 racoon: ERROR: /var/etc/racoon.conf:19: "d" syntax error
      Dec 28 20:28:21 racoon: ERROR: fatal parse failure (1 errors)

      Line 19 reads:

      my_identifier dyn_dns 88.70.x.x;

      Any idea?

      | apple fanboy | music lover | network and security specialist | in love with cisco systems |

        eri--
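The parse failure above is racoon rejecting a keyword it does not know: `dyn_dns` is a type offered by the pfSense GUI, not one of racoon's identifier types, so the generated file has to translate it before racoon reads it. The following is an added example, not pfSense's or ipsec-tools' own code. It assumes the identifier keywords documented in racoon.conf(5) (address, fqdn, user_fqdn, keyid, asn1dn); the sample config, the addresses, and the choice to translate dyn_dns by resolving the name to an `address` identifier are constructed assumptions for the example. The same check applies to the `peers_identifier` line, which is the other half of the identifier pairing that has to agree with the far end.

```python
"""Check the identifier lines of a racoon.conf before racoon parses it.

Added example for this thread, not pfSense's or ipsec-tools' own code. It
assumes the identifier keywords documented in racoon.conf(5); 'dyn_dns' is a
pfSense GUI type that the config generator has to translate, and translating
it by resolving the host into an 'address' identifier is an assumption of
this example. The sample config and addresses are constructed.
"""
import ipaddress
import re

# Identifier types racoon's parser accepts for my_identifier/peers_identifier.
RACOON_ID_TYPES = {"address", "fqdn", "user_fqdn", "keyid", "asn1dn"}

# Constructed config; line 3 mirrors the failing line 19 from the thread.
SAMPLE_CONF = """\
remote 198.51.100.9
{
my_identifier dyn_dns 203.0.113.7;
peers_identifier address 198.51.100.9;
exchange_mode aggressive;
}
"""

ID_LINE = re.compile(
    r"^\s*(my_identifier|peers_identifier)\s+(\S+)(?:\s+(.*?))?\s*;\s*$"
)


def validate_identifier(directive, id_type, value):
    """Return None if racoon would accept the line, else an error message."""
    if id_type not in RACOON_ID_TYPES:
        return f"{directive}: '{id_type}' is not a racoon identifier type"
    if id_type == "address":
        try:
            ipaddress.ip_address(value)
        except ValueError:
            return f"{directive}: address type needs an IP literal, got {value!r}"
    elif id_type in ("fqdn", "user_fqdn"):
        # racoon takes these as quoted strings, e.g. user_fqdn "user@domain"
        if not (len(value) >= 2 and value[0] == value[-1] == '"'):
            return f"{directive}: {id_type} value must be a quoted string"
    return None


def check_conf(text):
    """Scan a config body; return [(lineno, message)] numbered like racoon's errors."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = ID_LINE.match(line)
        if not m:
            continue
        msg = validate_identifier(m.group(1), m.group(2), m.group(3) or "")
        if msg:
            problems.append((lineno, msg))
    return problems


def translate_dyn_dns(directive, value, resolver):
    """Rewrite a GUI-style dyn_dns identifier as an 'address' identifier.

    Assumption of this example: the dynamic DNS name is resolved when the
    config is generated (the thread's line 19 already carried a resolved IP).
    'resolver' is injected so the example runs offline.
    """
    try:
        ipaddress.ip_address(value)
        ip = value
    except ValueError:
        ip = resolver(value)
    return f"{directive} address {ip};"


def fix_conf(text, resolver):
    """Return the config with dyn_dns identifier lines translated, others untouched."""
    out = []
    for line in text.splitlines():
        m = ID_LINE.match(line)
        if m and m.group(2) == "dyn_dns":
            out.append(translate_dyn_dns(m.group(1), m.group(3) or "", resolver))
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for lineno, msg in check_conf(SAMPLE_CONF):
        print(f"racoon.conf:{lineno}: {msg}")
    print(fix_conf(SAMPLE_CONF, lambda host: "203.0.113.7"))
```

Running it on the constructed config reports line 3 the way racoon reports line 19 in the thread, and the fixed output parses cleanly; swapping the lambda for a real resolver is the only change needed to use it on a live file.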

        Try next snap or https://rcs.pfsense.org/projects/pfsense/repos/mainline/commits/19ef51209b4ef6c15c330da3750db1ee9e59a6d7

          jlepthien

          But I have the newest snap…

          Shall I wait until tomorrow?

            jlepthien

            Can I simply edit this file manually after I mounted / rw? Or does this not survive a reboot?

              eri--

              Yes, it survives. Just editing the file should be ok.

                jlepthien

                Ok, that seems to be working now, but this simple IPSec, which worked before in 1.2.3-Release, does not anymore…

                Here is a log excerpt:

                Dec 29 09:17:42 voldemort racoon: INFO: @(#)ipsec-tools 0.8-alpha20090903 (http://ipsec-tools.sourceforge.net)
                Dec 29 09:17:42 voldemort racoon: INFO: @(#)This product linked OpenSSL 0.9.8k 25 Mar 2009 (http://www.openssl.org/)
                Dec 29 09:17:42 voldemort racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
                Dec 29 09:17:42 voldemort racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP): UDP_ENCAP Protocol not available
                Dec 29 09:17:42 voldemort racoon: INFO: 88.70.x.x[4500] used as isakmp port (fd=14)
                Dec 29 09:17:42 voldemort racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): UDP_ENCAP Protocol not available
                Dec 29 09:17:42 voldemort racoon: INFO: 88.70.x.x[500] used as isakmp port (fd=15)
                Dec 29 09:17:42 voldemort racoon: INFO: unsupported PF_KEY message REGISTER
                Dec 29 09:17:42 voldemort racoon: ERROR: such policy already exists. anyway replace it: 10.0.100.254/32[0] 10.0.100.0/24[0] proto=any dir=out
                Dec 29 09:17:42 voldemort racoon: ERROR: such policy already exists. anyway replace it: 10.0.100.0/24[0] 10.0.100.254/32[0] proto=any dir=in
                Dec 29 09:17:42 voldemort racoon: ERROR: such policy already exists. anyway replace it: 10.0.100.0/24[0] 192.168.100.0/24[0] proto=any dir=out
                Dec 29 09:17:42 voldemort racoon: ERROR: such policy already exists. anyway replace it: 192.168.100.0/24[0] 10.0.100.0/24[0] proto=any dir=in
                Dec 29 09:19:11 voldemort racoon: INFO: IPsec-SA request for 213.178.x.x queued due to no phase1 found.
                Dec 29 09:19:11 voldemort racoon: INFO: initiate new phase 1 negotiation: 88.70.x.x[500]<=>213.178.x.x[500]
                Dec 29 09:19:11 voldemort racoon: INFO: begin Aggressive mode.
                Dec 29 09:19:12 voldemort racoon: INFO: received Vendor ID: DPD
                Dec 29 09:19:12 voldemort racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
                Dec 29 09:19:12 voldemort racoon: INFO: ISAKMP-SA established 88.70.x.x[500]-213.178.x.x[500] spi:f8501bf9108f4a28:76828a5329d45919
                Dec 29 09:19:12 voldemort racoon: INFO: initiate new phase 2 negotiation: 88.70.x.x[500]<=>213.178.x.x[500]
                Dec 29 09:19:13 voldemort racoon: INFO: received RESPONDER-LIFETIME: 3600 seconds
                Dec 29 09:19:13 voldemort racoon: WARNING: RESPONDER-LIFETIME: lifetime mismatch
                Dec 29 09:19:13 voldemort racoon: INFO: IPsec-SA established: ESP 88.70.x.x[500]->213.178.x.x[500] spi=75203097(0x47b8219)
                Dec 29 09:19:13 voldemort racoon: INFO: IPsec-SA established: ESP 88.70.x.x[500]->213.178.x.x[500] spi=2773734705(0xa553d531)
                Dec 29 09:38:29 voldemort racoon: INFO: unsupported PF_KEY message REGISTER
                Dec 29 09:40:54 voldemort racoon: INFO: DPD: remote (ISAKMP-SA spi=f8501bf9108f4a28:76828a5329d45919) seems to be dead.
                Dec 29 09:40:54 voldemort racoon: INFO: purging ISAKMP-SA spi=f8501bf9108f4a28:76828a5329d45919.
                Dec 29 09:40:54 voldemort racoon: INFO: purged IPsec-SA spi=2773734705.
                Dec 29 09:40:54 voldemort racoon: INFO: purged IPsec-SA spi=75203097.
                Dec 29 09:40:54 voldemort racoon: INFO: purged ISAKMP-SA spi=f8501bf9108f4a28:76828a5329d45919.
                Dec 29 09:40:55 voldemort racoon: INFO: ISAKMP-SA deleted 88.70.x.x[500]-213.178.x.x[500] spi:f8501bf9108f4a28:76828a5329d45919
                Dec 29 09:41:04 voldemort racoon: INFO: respond new phase 1 negotiation: 88.70.x.x[500]<=>213.178.x.x[500]
                Dec 29 09:41:04 voldemort racoon: INFO: begin Aggressive mode.
                Dec 29 09:41:04 voldemort racoon: INFO: received Vendor ID: DPD
                Dec 29 09:41:05 voldemort racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
                Dec 29 09:41:06 voldemort racoon: NOTIFY: the packet is retransmitted by 213.178.x.x[500] (1).
                Dec 29 09:41:13 voldemort last message repeated 2 times
                Dec 29 09:41:55 voldemort racoon: ERROR: phase1 negotiation failed due to time up. f0dc60d957bf772f:9e743eaa7e86d145
                Dec 29 09:42:07 voldemort racoon: WARNING: unrecognized route message with rtm_type: 18
                Dec 29 09:43:34 voldemort racoon: INFO: IPsec-SA request for 213.178.x.x queued due to no phase1 found.
                Dec 29 09:43:34 voldemort racoon: INFO: initiate new phase 1 negotiation: 88.70.x.x[500]<=>213.178.x.x[500]
                Dec 29 09:43:34 voldemort racoon: INFO: begin Aggressive mode.
                Dec 29 09:44:05 voldemort racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 213.178.x.x[0]->88.70.x.x[0]
                Dec 29 09:44:05 voldemort racoon: INFO: delete phase 2 handler.
                Dec 29 09:44:24 voldemort racoon: ERROR: phase1 negotiation failed due to time up. b573a82910ca1086:0000000000000000
                Dec 29 09:44:42 voldemort racoon: WARNING: unrecognized route message with rtm_type: 18
                Dec 29 09:47:59 voldemort racoon: INFO: IPsec-SA request for 213.178.x.x queued due to no phase1 found.
                Dec 29 09:47:59 voldemort racoon: INFO: initiate new phase 1 negotiation: 88.70.x.x[500]<=>213.178.x.x[500]
                Dec 29 09:47:59 voldemort racoon: INFO: begin Aggressive mode.
                Dec 29 09:48:22 voldemort racoon: WARNING: unrecognized route message with rtm_type: 18
                Dec 29 09:48:31 voldemort racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 213.178.x.x[0]->88.70.x.x[0]
                Dec 29 09:48:31 voldemort racoon: INFO: delete phase 2 handler.
                Dec 29 09:48:50 voldemort racoon: ERROR: phase1 negotiation failed due to time up. 6b0b1e30ec5cce3f:0000000000000000

                This is a site to site VPN from my pfSense with DynDNS to our corporate WatchGuard running XTM 11.1…

                  jlepthien
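The log above tells a fairly complete story: phase 1 comes up in aggressive mode, racoon only finds the pre-shared key by falling back to the peer's address, DPD later declares the peer dead, and every re-initiated phase 1 after that times out. The following is an added example, not pfSense or ipsec-tools code: a Python summariser run over a subset of the lines posted above that counts those events and turns them into the checks to make next. The patterns are matched against racoon's own message text; the finding wording is the example's own.

```python
"""Summarise racoon (ipsec-tools) IKE log lines into tunnel-state events.

Added example for this thread, not pfSense or ipsec-tools code. The sample
lines are a subset of the log posted above (addresses as masked by the
poster); event patterns are matched on racoon's message text.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Dec 29 09:19:11 voldemort racoon: INFO: initiate new phase 1 negotiation: 88.70.x.x[500]<=>213.178.x.x[500]
Dec 29 09:19:11 voldemort racoon: INFO: begin Aggressive mode.
Dec 29 09:19:12 voldemort racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Dec 29 09:19:12 voldemort racoon: INFO: ISAKMP-SA established 88.70.x.x[500]-213.178.x.x[500] spi:f8501bf9108f4a28:76828a5329d45919
Dec 29 09:19:13 voldemort racoon: WARNING: RESPONDER-LIFETIME: lifetime mismatch
Dec 29 09:19:13 voldemort racoon: INFO: IPsec-SA established: ESP 88.70.x.x[500]->213.178.x.x[500] spi=75203097(0x47b8219)
Dec 29 09:19:13 voldemort racoon: INFO: IPsec-SA established: ESP 88.70.x.x[500]->213.178.x.x[500] spi=2773734705(0xa553d531)
Dec 29 09:40:54 voldemort racoon: INFO: DPD: remote (ISAKMP-SA spi=f8501bf9108f4a28:76828a5329d45919) seems to be dead.
Dec 29 09:40:55 voldemort racoon: INFO: ISAKMP-SA deleted 88.70.x.x[500]-213.178.x.x[500] spi:f8501bf9108f4a28:76828a5329d45919
Dec 29 09:41:04 voldemort racoon: INFO: begin Aggressive mode.
Dec 29 09:41:05 voldemort racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Dec 29 09:41:13 voldemort last message repeated 2 times
Dec 29 09:41:55 voldemort racoon: ERROR: phase1 negotiation failed due to time up. f0dc60d957bf772f:9e743eaa7e86d145
Dec 29 09:43:34 voldemort racoon: INFO: begin Aggressive mode.
Dec 29 09:44:05 voldemort racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 213.178.x.x[0]->88.70.x.x[0]
Dec 29 09:44:24 voldemort racoon: ERROR: phase1 negotiation failed due to time up. b573a82910ca1086:0000000000000000
"""

# syslog prefix as written by racoon: "<Mon DD HH:MM:SS> <host> racoon: <LEVEL>: <msg>"
LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) racoon: (?P<level>\w+): (?P<msg>.*)$"
)

# (event name, pattern over the message part); first match wins
PATTERNS = [
    ("isakmp_established", re.compile(r"ISAKMP-SA established")),
    ("isakmp_deleted", re.compile(r"ISAKMP-SA deleted")),
    ("ipsec_sa_established", re.compile(r"IPsec-SA established: ESP")),
    ("phase1_timeout", re.compile(r"phase1 negotiation failed due to time up")),
    ("phase2_timeout", re.compile(r"phase2 negotiation failed due to time up")),
    ("dpd_dead", re.compile(r"DPD: remote .*seems to be dead")),
    ("psk_by_address", re.compile(r"couldn't find the proper pskey")),
    ("aggressive_mode", re.compile(r"begin Aggressive mode")),
    ("lifetime_mismatch", re.compile(r"RESPONDER-LIFETIME: lifetime mismatch")),
]


def parse_events(text):
    """Return [(timestamp, event, message)] for lines matching a known pattern."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # e.g. syslog's own "last message repeated N times"
        for event, pat in PATTERNS:
            if pat.search(m.group("msg")):
                events.append((m.group("ts"), event, m.group("msg")))
                break
    return events


def summarize(text):
    """Count events by name; missing names read as 0."""
    return Counter(event for _, event, _ in parse_events(text))


def findings(summary):
    """Turn the counts into the checks a practitioner would make next."""
    notes = []
    if summary["psk_by_address"]:
        notes.append("PSK found by peer address, not by identifier: "
                     "verify the psk.txt entry matches the ID the peer sends")
    if summary["lifetime_mismatch"]:
        notes.append("phase 2 lifetime differs from the peer's proposal: align both ends")
    if summary["dpd_dead"] and summary["phase1_timeout"]:
        notes.append("peer declared dead by DPD and later phase 1 attempts time out: "
                     "check reachability on UDP/500 and that identifiers and PSK still match")
    return notes


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for event, n in sorted(s.items()):
        print(f"{event:22s} {n}")
    for note in findings(s):
        print("-", note)
```

Feed it the full log instead of the subset and the counts simply grow; the three findings it raises on the subset are exactly the points the rest of the thread goes on to touch (the PSK/identifier pairing and the peer dropping the negotiation).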

                  Now I can see an error on the WatchGuard end:

                  2009-12-29 10:04:12 iked WARNING: Mismatched ID settings at peer 88.70.x.x:500 caused an authentication failure  Debug

                  But I think I have it right…

                  My identifier in Phase 1 is Dynamic DNS with my xxx.dyndns.org
                  Peer identifier in Phase 1 is IP Address with the correct static IP inserted.

                  Any hints?

                    jlepthien

                    Now I changed my identifier to user distinguished name on both ends, just entered user@domain without a .something at the end, and the tunnel established ;)
                    I'll have a look at the stability right now.

                    Crossing fingers ;-)

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.