IPSec not working in 2.0

jlepthien · Dec 28, 2009, 7:31 PM

Hi there,

I am using the snap from the 28th…

This is what I see in my ipsec log:

Dec 28 20:28:21 racoon: INFO: @(#)ipsec-tools 0.8-alpha20090903 (http://ipsec-tools.sourceforge.net)
Dec 28 20:28:21 racoon: INFO: @(#)This product linked OpenSSL 0.9.8k 25 Mar 2009 (http://www.openssl.org/)
Dec 28 20:28:21 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
Dec 28 20:28:21 racoon: ERROR: /var/etc/racoon.conf:19: "d" syntax error
Dec 28 20:28:21 racoon: ERROR: fatal parse failure (1 errors)

Line 19 reads:

my_identifier dyn_dns 88.70.x.x;

Any idea?

eri-- · Dec 28, 2009, 8:25 PM

Try next snap or https://rcs.pfsense.org/projects/pfsense/repos/mainline/commits/19ef51209b4ef6c15c330da3750db1ee9e59a6d7

jlepthien · Dec 28, 2009, 8:34 PM

But I have the newest snap…

Shall I wait until tomorrow?

jlepthien · Dec 28, 2009, 9:30 PM

Can I simply edit this file manually after I mounted / rw? Or does this not survive a reboot?

eri-- · Dec 28, 2009, 10:50 PM

Yes it survives. Just edit the file should be ok.

jlepthien · Dec 29, 2009, 8:56 AM

Ok, that seems to be working now, but this simple IPSec, which worked before in 1.2.3-Release does not anymore…

Here is a log excerpt:

Dec 29 09:17:42 voldemort racoon: INFO: @(#)ipsec-tools 0.8-alpha20090903 (http://ipsec-tools.sourceforge.net)
Dec 29 09:17:42 voldemort racoon: INFO: @(#)This product linked OpenSSL 0.9.8k 25 Mar 2009 (http://www.openssl.org/)
Dec 29 09:17:42 voldemort racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
Dec 29 09:17:42 voldemort racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP): UDP_ENCAP Protocol not available
Dec 29 09:17:42 voldemort racoon: INFO: 88.70.x.x[4500] used as isakmp port (fd=14)
Dec 29 09:17:42 voldemort racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): UDP_ENCAP Protocol not available
Dec 29 09:17:42 voldemort racoon: INFO: 88.70.x.x[500] used as isakmp port (fd=15)
Dec 29 09:17:42 voldemort racoon: INFO: unsupported PF_KEY message REGISTER
Dec 29 09:17:42 voldemort racoon: ERROR: such policy already exists. anyway replace it: 10.0.100.254/32[0] 10.0.100.0/24[0] proto=any dir=out
Dec 29 09:17:42 voldemort racoon: ERROR: such policy already exists. anyway replace it: 10.0.100.0/24[0] 10.0.100.254/32[0] proto=any dir=in
Dec 29 09:17:42 voldemort racoon: ERROR: such policy already exists. anyway replace it: 10.0.100.0/24[0] 192.168.100.0/24[0] proto=any dir=out
Dec 29 09:17:42 voldemort racoon: ERROR: such policy already exists. anyway replace it: 192.168.100.0/24[0] 10.0.100.0/24[0] proto=any dir=in
Dec 29 09:19:11 voldemort racoon: INFO: IPsec-SA request for 213.178.x.x queued due to no phase1 found.
Dec 29 09:19:11 voldemort racoon: INFO: initiate new phase 1 negotiation: 88.70.x.x[500]<=>213.178.x.x[500]
Dec 29 09:19:11 voldemort racoon: INFO: begin Aggressive mode.
Dec 29 09:19:12 voldemort racoon: INFO: received Vendor ID: DPD
Dec 29 09:19:12 voldemort racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Dec 29 09:19:12 voldemort racoon: INFO: ISAKMP-SA established 88.70.x.x[500]-213.178.x.x[500] spi:f8501bf9108f4a28:76828a5329d45919
Dec 29 09:19:12 voldemort racoon: INFO: initiate new phase 2 negotiation: 88.70.x.x[500]<=>213.178.x.x[500]
Dec 29 09:19:13 voldemort racoon: INFO: received RESPONDER-LIFETIME: 3600 seconds
Dec 29 09:19:13 voldemort racoon: WARNING: RESPONDER-LIFETIME: lifetime mismatch
Dec 29 09:19:13 voldemort racoon: INFO: IPsec-SA established: ESP 88.70.x.x[500]->213.178.x.x[500] spi=75203097(0x47b8219)
Dec 29 09:19:13 voldemort racoon: INFO: IPsec-SA established: ESP 88.70.x.x[500]->213.178.x.x[500] spi=2773734705(0xa553d531)
Dec 29 09:38:29 voldemort racoon: INFO: unsupported PF_KEY message REGISTER
Dec 29 09:40:54 voldemort racoon: INFO: DPD: remote (ISAKMP-SA spi=f8501bf9108f4a28:76828a5329d45919) seems to be dead.
Dec 29 09:40:54 voldemort racoon: INFO: purging ISAKMP-SA spi=f8501bf9108f4a28:76828a5329d45919.
Dec 29 09:40:54 voldemort racoon: INFO: purged IPsec-SA spi=2773734705.
Dec 29 09:40:54 voldemort racoon: INFO: purged IPsec-SA spi=75203097.
Dec 29 09:40:54 voldemort racoon: INFO: purged ISAKMP-SA spi=f8501bf9108f4a28:76828a5329d45919.
Dec 29 09:40:55 voldemort racoon: INFO: ISAKMP-SA deleted 88.70.x.x[500]-213.178.x.x[500] spi:f8501bf9108f4a28:76828a5329d45919
Dec 29 09:41:04 voldemort racoon: INFO: respond new phase 1 negotiation: 88.70.x.x[500]<=>213.178.x.x[500]
Dec 29 09:41:04 voldemort racoon: INFO: begin Aggressive mode.
Dec 29 09:41:04 voldemort racoon: INFO: received Vendor ID: DPD
Dec 29 09:41:05 voldemort racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Dec 29 09:41:06 voldemort racoon: NOTIFY: the packet is retransmitted by 213.178.x.x[500] (1).
Dec 29 09:41:13 voldemort last message repeated 2 times
Dec 29 09:41:55 voldemort racoon: ERROR: phase1 negotiation failed due to time up. f0dc60d957bf772f:9e743eaa7e86d145
Dec 29 09:42:07 voldemort racoon: WARNING: unrecognized route message with rtm_type: 18
Dec 29 09:43:34 voldemort racoon: INFO: IPsec-SA request for 213.178.x.x queued due to no phase1 found.
Dec 29 09:43:34 voldemort racoon: INFO: initiate new phase 1 negotiation: 88.70.x.x[500]<=>213.178.x.x[500]
Dec 29 09:43:34 voldemort racoon: INFO: begin Aggressive mode.
Dec 29 09:44:05 voldemort racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 213.178.x.x[0]->88.70.x.x[0]
Dec 29 09:44:05 voldemort racoon: INFO: delete phase 2 handler.
Dec 29 09:44:24 voldemort racoon: ERROR: phase1 negotiation failed due to time up. b573a82910ca1086:0000000000000000
Dec 29 09:44:42 voldemort racoon: WARNING: unrecognized route message with rtm_type: 18
Dec 29 09:47:59 voldemort racoon: INFO: IPsec-SA request for 213.178.x.x queued due to no phase1 found.
Dec 29 09:47:59 voldemort racoon: INFO: initiate new phase 1 negotiation: 88.70.x.x[500]<=>213.178.x.x[500]
Dec 29 09:47:59 voldemort racoon: INFO: begin Aggressive mode.
Dec 29 09:48:22 voldemort racoon: WARNING: unrecognized route message with rtm_type: 18
Dec 29 09:48:31 voldemort racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 213.178.x.x[0]->88.70.x.x[0]
Dec 29 09:48:31 voldemort racoon: INFO: delete phase 2 handler.
Dec 29 09:48:50 voldemort racoon: ERROR: phase1 negotiation failed due to time up. 6b0b1e30ec5cce3f:0000000000000000

This is a site to site VPN from my pfSense with DynDNS to our corporate WatchGuard running XTM 11.1…

jlepthien · Dec 29, 2009, 9:06 AM

No I can see an error on the WatchGuard end:

2009-12-29 10:04:12 iked WARNING: Mismatched ID settings at peer 88.70.x.x:500 caused an authentication failure Debug

But I think I have it right…

My identifier in Phase 1 is Dynamic DNS with my xxx.dyndns.org
Peer identifier in Phase 1 is IP Address with the correct static IP inserted.

Any hints?

jlepthien · Dec 29, 2009, 9:19 AM

Now I changed my identifier to user distinguished name on both ends and just entered user@domain without a .something at the end and the tunnel established ;)
I'll have a look at the stability right now.

Crossing fingers ;-)