Netgate Discussion Forum

IPSec not working in 2.0

2.0-RC Snapshot Feedback and Problems - RETIRED
jlepthien
last edited by Dec 28, 2009, 7:31 PM

Hi there,

I am using the snap from the 28th…

This is what I see in my ipsec log:

Dec 28 20:28:21 racoon: INFO: @(#)ipsec-tools 0.8-alpha20090903 (http://ipsec-tools.sourceforge.net)
Dec 28 20:28:21 racoon: INFO: @(#)This product linked OpenSSL 0.9.8k 25 Mar 2009 (http://www.openssl.org/)
Dec 28 20:28:21 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
Dec 28 20:28:21 racoon: ERROR: /var/etc/racoon.conf:19: "d" syntax error
Dec 28 20:28:21 racoon: ERROR: fatal parse failure (1 errors)

Line 19 reads:

my_identifier dyn_dns 88.70.x.x;

Any idea?

| apple fanboy | music lover | network and security specialist | in love with cisco systems |

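The syntax error above comes from the identifier statement itself: racoon's config grammar only knows the idtypes address, fqdn, user_fqdn, keyid and asn1dn, so a "Dynamic DNS" identifier has to be written as fqdn with the hostname, not as a dyn_dns keyword followed by the current WAN address. The following is an added example, not pfSense's own vpn.inc code and not part of ipsec-tools: it emits identifier statements from GUI-style identifier types and flags lines racoon would reject. The GUI type names (address, fqdn, user_fqdn, dyn_dns, asn1dn) are an assumption modelled on the phase 1 identifier menu, and the config text it checks is constructed from the line quoted in the post.

```python
"""Emit and sanity-check racoon.conf identifier statements.

Added example for this thread; it is not pfSense's vpn.inc and not part of
ipsec-tools.  The GUI type names below (address, fqdn, user_fqdn, dyn_dns,
asn1dn) are an assumption modelled on the pfSense phase 1 identifier menu.
"""
import ipaddress
import re

# idtype keywords racoon.conf(5) accepts after my_identifier / peers_identifier.
RACOON_IDTYPES = {"address", "fqdn", "user_fqdn", "keyid", "asn1dn"}

# Assumed GUI identifier types -> racoon idtype.  "dyn_dns" is a GUI notion:
# racoon has no such keyword, so it has to become fqdn with the hostname.
GUI_TO_RACOON = {
    "address": "address",
    "fqdn": "fqdn",
    "user_fqdn": "user_fqdn",
    "dyn_dns": "fqdn",
    "asn1dn": "asn1dn",
}


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _quoted(value):
    return len(value) >= 2 and value[0] == value[-1] == '"'


def identifier_line(stmt, gui_type, value):
    """Return one 'my_identifier ...;' or 'peers_identifier ...;' statement."""
    if stmt not in ("my_identifier", "peers_identifier"):
        raise ValueError("unknown statement %r" % stmt)
    if gui_type not in GUI_TO_RACOON:
        raise ValueError("no racoon idtype for GUI type %r" % gui_type)
    idtype = GUI_TO_RACOON[gui_type]
    if gui_type == "dyn_dns" and _is_ip(value):
        # A DynDNS identifier exists because the address changes; writing the
        # current WAN address (as the broken line 19 did) defeats that.
        raise ValueError("dyn_dns identifier must be the hostname, not %s" % value)
    if idtype == "address":
        if not _is_ip(value):
            raise ValueError("address identifier needs an IP, got %r" % value)
        return "%s address %s;" % (stmt, value)
    if '"' in value:
        raise ValueError("identifier string may not contain a double quote")
    # fqdn, user_fqdn and asn1dn take a double-quoted string.
    return '%s %s "%s";' % (stmt, idtype, value)


ID_RE = re.compile(r'^\s*(my_identifier|peers_identifier)\s+(\S+)(?:\s+(.*?))?\s*;\s*$')


def check_config(text):
    """Return [(lineno, problem)] for identifier statements racoon would reject."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        m = ID_RE.match(line)
        if not m:
            continue
        _stmt, idtype, value = m.groups()
        value = value or ""
        if idtype not in RACOON_IDTYPES:
            problems.append((n, "%s is not a racoon idtype" % idtype))
        elif idtype == "address" and value and not _is_ip(value):
            problems.append((n, "address idtype needs an IP address, got %r" % value))
        elif idtype in ("fqdn", "user_fqdn", "asn1dn"):
            # asn1dn may be empty (taken from the certificate); the others may not.
            if (value or idtype != "asn1dn") and not _quoted(value):
                problems.append((n, "%s value must be a double-quoted string" % idtype))
    return problems


if __name__ == "__main__":
    # The line racoon choked on in this thread, versus what it should read.
    print(check_config("my_identifier dyn_dns 88.70.x.x;"))
    print(identifier_line("my_identifier", "dyn_dns", "xxx.dyndns.org"))
    print(identifier_line("my_identifier", "user_fqdn", "user@domain"))
```

Whatever the local side emits as my_identifier is what the peer must be configured to expect as its peer identifier, and vice versa; a user_fqdn string on both ends is the least fragile choice for a dynamic endpoint because it depends on neither DNS resolution nor the current address.
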
eri--
last edited by Dec 28, 2009, 8:25 PM

Try the next snap or https://rcs.pfsense.org/projects/pfsense/repos/mainline/commits/19ef51209b4ef6c15c330da3750db1ee9e59a6d7

jlepthien
last edited by Dec 28, 2009, 8:34 PM

But I have the newest snap…

Shall I wait until tomorrow?

jlepthien
last edited by Dec 28, 2009, 9:30 PM

Can I simply edit this file manually after I have mounted / rw? Or does this not survive a reboot?

eri--
last edited by Dec 28, 2009, 10:50 PM

Yes, it survives. Just editing the file should be OK.

jlepthien
last edited by Dec 29, 2009, 8:56 AM

OK, that seems to be working now, but this simple IPSec setup, which worked before in 1.2.3-Release, does not work anymore…

Here is a log excerpt:

Dec 29 09:17:42 voldemort racoon: INFO: @(#)ipsec-tools 0.8-alpha20090903 (http://ipsec-tools.sourceforge.net)
Dec 29 09:17:42 voldemort racoon: INFO: @(#)This product linked OpenSSL 0.9.8k 25 Mar 2009 (http://www.openssl.org/)
Dec 29 09:17:42 voldemort racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
Dec 29 09:17:42 voldemort racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP): UDP_ENCAP Protocol not available
Dec 29 09:17:42 voldemort racoon: INFO: 88.70.x.x[4500] used as isakmp port (fd=14)
Dec 29 09:17:42 voldemort racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): UDP_ENCAP Protocol not available
Dec 29 09:17:42 voldemort racoon: INFO: 88.70.x.x[500] used as isakmp port (fd=15)
Dec 29 09:17:42 voldemort racoon: INFO: unsupported PF_KEY message REGISTER
Dec 29 09:17:42 voldemort racoon: ERROR: such policy already exists. anyway replace it: 10.0.100.254/32[0] 10.0.100.0/24[0] proto=any dir=out
Dec 29 09:17:42 voldemort racoon: ERROR: such policy already exists. anyway replace it: 10.0.100.0/24[0] 10.0.100.254/32[0] proto=any dir=in
Dec 29 09:17:42 voldemort racoon: ERROR: such policy already exists. anyway replace it: 10.0.100.0/24[0] 192.168.100.0/24[0] proto=any dir=out
Dec 29 09:17:42 voldemort racoon: ERROR: such policy already exists. anyway replace it: 192.168.100.0/24[0] 10.0.100.0/24[0] proto=any dir=in
Dec 29 09:19:11 voldemort racoon: INFO: IPsec-SA request for 213.178.x.x queued due to no phase1 found.
Dec 29 09:19:11 voldemort racoon: INFO: initiate new phase 1 negotiation: 88.70.x.x[500]<=>213.178.x.x[500]
Dec 29 09:19:11 voldemort racoon: INFO: begin Aggressive mode.
Dec 29 09:19:12 voldemort racoon: INFO: received Vendor ID: DPD
Dec 29 09:19:12 voldemort racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Dec 29 09:19:12 voldemort racoon: INFO: ISAKMP-SA established 88.70.x.x[500]-213.178.x.x[500] spi:f8501bf9108f4a28:76828a5329d45919
Dec 29 09:19:12 voldemort racoon: INFO: initiate new phase 2 negotiation: 88.70.x.x[500]<=>213.178.x.x[500]
Dec 29 09:19:13 voldemort racoon: INFO: received RESPONDER-LIFETIME: 3600 seconds
Dec 29 09:19:13 voldemort racoon: WARNING: RESPONDER-LIFETIME: lifetime mismatch
Dec 29 09:19:13 voldemort racoon: INFO: IPsec-SA established: ESP 88.70.x.x[500]->213.178.x.x[500] spi=75203097(0x47b8219)
Dec 29 09:19:13 voldemort racoon: INFO: IPsec-SA established: ESP 88.70.x.x[500]->213.178.x.x[500] spi=2773734705(0xa553d531)
Dec 29 09:38:29 voldemort racoon: INFO: unsupported PF_KEY message REGISTER
Dec 29 09:40:54 voldemort racoon: INFO: DPD: remote (ISAKMP-SA spi=f8501bf9108f4a28:76828a5329d45919) seems to be dead.
Dec 29 09:40:54 voldemort racoon: INFO: purging ISAKMP-SA spi=f8501bf9108f4a28:76828a5329d45919.
Dec 29 09:40:54 voldemort racoon: INFO: purged IPsec-SA spi=2773734705.
Dec 29 09:40:54 voldemort racoon: INFO: purged IPsec-SA spi=75203097.
Dec 29 09:40:54 voldemort racoon: INFO: purged ISAKMP-SA spi=f8501bf9108f4a28:76828a5329d45919.
Dec 29 09:40:55 voldemort racoon: INFO: ISAKMP-SA deleted 88.70.x.x[500]-213.178.x.x[500] spi:f8501bf9108f4a28:76828a5329d45919
Dec 29 09:41:04 voldemort racoon: INFO: respond new phase 1 negotiation: 88.70.x.x[500]<=>213.178.x.x[500]
Dec 29 09:41:04 voldemort racoon: INFO: begin Aggressive mode.
Dec 29 09:41:04 voldemort racoon: INFO: received Vendor ID: DPD
Dec 29 09:41:05 voldemort racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Dec 29 09:41:06 voldemort racoon: NOTIFY: the packet is retransmitted by 213.178.x.x[500] (1).
Dec 29 09:41:13 voldemort last message repeated 2 times
Dec 29 09:41:55 voldemort racoon: ERROR: phase1 negotiation failed due to time up. f0dc60d957bf772f:9e743eaa7e86d145
Dec 29 09:42:07 voldemort racoon: WARNING: unrecognized route message with rtm_type: 18
Dec 29 09:43:34 voldemort racoon: INFO: IPsec-SA request for 213.178.x.x queued due to no phase1 found.
Dec 29 09:43:34 voldemort racoon: INFO: initiate new phase 1 negotiation: 88.70.x.x[500]<=>213.178.x.x[500]
Dec 29 09:43:34 voldemort racoon: INFO: begin Aggressive mode.
Dec 29 09:44:05 voldemort racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 213.178.x.x[0]->88.70.x.x[0]
Dec 29 09:44:05 voldemort racoon: INFO: delete phase 2 handler.
Dec 29 09:44:24 voldemort racoon: ERROR: phase1 negotiation failed due to time up. b573a82910ca1086:0000000000000000
Dec 29 09:44:42 voldemort racoon: WARNING: unrecognized route message with rtm_type: 18
Dec 29 09:47:59 voldemort racoon: INFO: IPsec-SA request for 213.178.x.x queued due to no phase1 found.
Dec 29 09:47:59 voldemort racoon: INFO: initiate new phase 1 negotiation: 88.70.x.x[500]<=>213.178.x.x[500]
Dec 29 09:47:59 voldemort racoon: INFO: begin Aggressive mode.
Dec 29 09:48:22 voldemort racoon: WARNING: unrecognized route message with rtm_type: 18
Dec 29 09:48:31 voldemort racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 213.178.x.x[0]->88.70.x.x[0]
Dec 29 09:48:31 voldemort racoon: INFO: delete phase 2 handler.
Dec 29 09:48:50 voldemort racoon: ERROR: phase1 negotiation failed due to time up. 6b0b1e30ec5cce3f:0000000000000000

This is a site-to-site VPN from my pfSense with DynDNS to our corporate WatchGuard running XTM 11.1…

jlepthien
last edited by Dec 29, 2009, 9:06 AM

Now I can see an error on the WatchGuard end:

2009-12-29 10:04:12 iked WARNING: Mismatched ID settings at peer 88.70.x.x:500 caused an authentication failure  Debug

But I think I have it right…

My identifier in Phase 1 is Dynamic DNS with my xxx.dyndns.org
Peer identifier in Phase 1 is IP Address with the correct static IP inserted.

Any hints?

jlepthien
last edited by Dec 29, 2009, 9:19 AM

Now I changed my identifier to User Distinguished Name on both ends, just entered user@domain without a .something at the end, and the tunnel established ;)
I'll have a look at the stability right now.

Crossing fingers ;-)

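The racoon log posted earlier in the thread already contains the signal that the last two posts confirm: "couldn't find the proper pskey, try to get one by the peer's address" means racoon found no pre-shared key for the identifier the peer sent and retried by IP, and the peer-initiated phase 1 at 09:41 then timed out, which is the same identifier mismatch the WatchGuard reports as "Mismatched ID settings". The following is an added example, not part of any post and not an ipsec-tools utility: it classifies racoon log lines and derives findings from the combination of events. SAMPLE_LOG is a subset of the lines quoted above; the event names and the text of each finding are this example's own interpretation.

```python
"""Triage a racoon (ipsec-tools) log for the failure pattern in this thread.

Added example, not part of the original post and not an ipsec-tools tool.
SAMPLE_LOG is a subset of the lines posted in the thread; the event names
and the findings attached to each pattern are this example's own.
"""
import re
from collections import Counter

LINE_RE = re.compile(r"racoon: (?P<level>INFO|NOTIFY|WARNING|ERROR): (?P<msg>.*)$")

# (event name, pattern tested against the message after the level).  First match wins.
SIGNATURES = [
    ("config_parse_error",        re.compile(r"syntax error|fatal parse failure")),
    ("nat_t_unavailable",         re.compile(r"UDP_ENCAP Protocol not available")),
    ("aggressive_mode",           re.compile(r"^begin Aggressive mode")),
    ("psk_fallback_to_address",   re.compile(r"^couldn't find the proper pskey")),
    ("phase1_established",        re.compile(r"^ISAKMP-SA established ")),
    ("lifetime_mismatch",         re.compile(r"RESPONDER-LIFETIME: lifetime mismatch")),
    ("dpd_peer_dead",             re.compile(r"^DPD: remote .* seems to be dead")),
    ("phase1_timeout",            re.compile(r"^phase1 negotiation failed due to time up")),
    ("phase2_waiting_for_phase1", re.compile(r"^phase2 negotiation failed due to time up waiting for phase1")),
]

# Subset of the log from the thread (addresses already masked by the poster).
SAMPLE_LOG = """\
Dec 29 09:17:42 voldemort racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP): UDP_ENCAP Protocol not available
Dec 29 09:19:11 voldemort racoon: INFO: initiate new phase 1 negotiation: 88.70.x.x[500]<=>213.178.x.x[500]
Dec 29 09:19:11 voldemort racoon: INFO: begin Aggressive mode.
Dec 29 09:19:12 voldemort racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Dec 29 09:19:12 voldemort racoon: INFO: ISAKMP-SA established 88.70.x.x[500]-213.178.x.x[500] spi:f8501bf9108f4a28:76828a5329d45919
Dec 29 09:19:13 voldemort racoon: WARNING: RESPONDER-LIFETIME: lifetime mismatch
Dec 29 09:40:54 voldemort racoon: INFO: DPD: remote (ISAKMP-SA spi=f8501bf9108f4a28:76828a5329d45919) seems to be dead.
Dec 29 09:41:04 voldemort racoon: INFO: begin Aggressive mode.
Dec 29 09:41:05 voldemort racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Dec 29 09:41:13 voldemort last message repeated 2 times
Dec 29 09:41:55 voldemort racoon: ERROR: phase1 negotiation failed due to time up. f0dc60d957bf772f:9e743eaa7e86d145
Dec 29 09:43:34 voldemort racoon: INFO: begin Aggressive mode.
Dec 29 09:44:05 voldemort racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 213.178.x.x[0]->88.70.x.x[0]
Dec 29 09:44:24 voldemort racoon: ERROR: phase1 negotiation failed due to time up. b573a82910ca1086:0000000000000000
"""


def classify(line):
    """Return the event name for one log line, or None if it is not one we track."""
    m = LINE_RE.search(line)
    if not m:
        return None
    msg = m.group("msg")
    for name, rx in SIGNATURES:
        if rx.search(msg):
            return name
    return None


def triage(lines):
    """Count tracked events and derive findings from how they combine."""
    events = Counter(e for e in map(classify, lines) if e)
    findings = []
    if events["config_parse_error"]:
        findings.append("racoon rejected racoon.conf; nothing negotiates until it parses")
    if events["psk_fallback_to_address"] and (events["phase1_timeout"] or events["dpd_peer_dead"]):
        findings.append("no PSK found for the peer's identifier (fell back to its address) and "
                        "phase 1 later failed: check my_identifier/peers_identifier on both ends")
    if events["aggressive_mode"]:
        findings.append("aggressive mode in use: with PSK auth the identity is sent in clear and "
                        "the PSK hash is exposed to offline guessing; use a long random PSK")
    if events["nat_t_unavailable"]:
        findings.append("kernel refused UDP_ENCAP: NAT-T (ESP in UDP) will not work on this build")
    if events["lifetime_mismatch"]:
        findings.append("peer proposed a different phase 2 lifetime; align both sides")
    return events, findings


if __name__ == "__main__":
    events, findings = triage(SAMPLE_LOG.splitlines())
    for name, count in sorted(events.items()):
        print("%-26s %d" % (name, count))
    for f in findings:
        print("-", f)
```

Run it against a full ipsec log (for example `grep racoon /var/log/ipsec.log`) rather than the sample to get counts over the whole day; the findings are heuristics keyed to racoon's wording, so a different IKE daemon needs its own signature table.
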
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.