Netgate Discussion Forum

IPSEC on pfsense 2.0 error

2.0-RC Snapshot Feedback and Problems - RETIRED
  • _
    _igor_
    last edited by Jan 5, 2010, 12:21 AM

    When I set up IPSEC I get this error whatever I try:

    php: /vpn_ipsec.php: The command '/usr/local/sbin/racoonctl -s /var/run/racoon.sock reload-config' returned exit code '1', the output was 'send: Bad file descriptor'
    

    Does anyone know what this means? It's been like this since July. It's so annoying…

    IPSEC logs only this (reverse order):

    Jan 5 00:54:41	racoon: INFO: unsupported PF_KEY message REGISTER
    Jan 5 00:54:41	racoon: [Self]: INFO: 78.34.x.x[500] used as isakmp port (fd=15)
    Jan 5 00:54:41	racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): UDP_ENCAP Protocol not available
    Jan 5 00:54:41	racoon: [Self]: INFO: 78.34.x.x[4500] used as isakmp port (fd=14)
    Jan 5 00:54:41	racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP): UDP_ENCAP Protocol not available
    Jan 5 00:54:41	racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
    Jan 5 00:54:41	racoon: INFO: @(#)This product linked OpenSSL 0.9.8k 25 Mar 2009 (http://www.openssl.org/)
    Jan 5 00:54:41	racoon: INFO: @(#)ipsec-tools 0.8-alpha20090903 (http://ipsec-tools.sourceforge.net)
    

    On the other side it's a static IP; mine is dynamic. I can ping the other side.

    • R
      rugby
      last edited by Jan 8, 2010, 11:45 AM

      I get the same error between 2 pfSense 2.0 boxes. I can get both boxes to do IPsec tunnels to SG560s no problem, but not to each other:

      Jan 8 06:37:20 racoon: INFO: unsupported PF_KEY message REGISTER
      Jan 8 06:41:12 racoon: INFO: unsupported PF_KEY message REGISTER

      I've quadruple checked my config, even done a static to static and tried lots of different options and still no go.

      • J
        jimp Rebel Alliance Developer Netgate
        last edited by Jan 8, 2010, 2:51 PM

        @rugby:

        I get the same error between 2 pfSense 2.0 boxes. I can get both boxes to do IPsec tunnels to SG560s no problem, but not to each other:

        Jan 8 06:37:20 racoon: INFO: unsupported PF_KEY message REGISTER
        Jan 8 06:41:12 racoon: INFO: unsupported PF_KEY message REGISTER

        I've quadruple checked my config, even done a static to static and tried lots of different options and still no go.

        That error is normal, it's not fatal. If you see no other messages, then your tunnel isn't even attempting to be established. Try to ping a far side IP from a client and see what happens, or try to ping a near side IP from the other end. There are a few IPsec troubleshooting docs on the wiki that might help, too.

        • R
          rugby
          last edited by Jan 8, 2010, 3:28 PM

          I get this when I try to connect to a remote host:

          Jan 8 10:27:18 racoon: [Home2Office]: ERROR: couldn't find the pskey for X.X.X.X.
          Jan 8 10:27:18 racoon: ERROR: failed to process packet.
          Jan 8 10:27:18 racoon: ERROR: phase1 negotiation failed.

          • J
            jimp Rebel Alliance Developer Netgate
            last edited by Jan 8, 2010, 8:00 PM

            @rugby:

            I get this when I try to connect to a remote host:

            Jan 8 10:27:18 racoon: [Home2Office]: ERROR: couldn't find the pskey for X.X.X.X.
            Jan 8 10:27:18 racoon: ERROR: failed to process packet.
            Jan 8 10:27:18 racoon: ERROR: phase1 negotiation failed.

            Are you sure your pre-shared keys are correct and match up on both sides? And your local and remote networks and subnet masks? Such errors are typically due to a settings mismatch on one end or the other.

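One way to act on the advice in the post above, as an added example that is not part of the original thread: racoon looks up the pre-shared key by peer identifier in its PSK file, so this script pulls the peer out of each "couldn't find the pskey" error and checks whether the key file has an entry for it. The log lines, the 203.0.113.10 peer address and the PSK file contents are constructed sample data.

```python
import re

# Constructed sample data: log lines modelled on those in the thread, with the
# redacted peer replaced by a documentation address, and a made-up PSK file.
SAMPLE_LOG = """\
Jan 8 10:27:10 racoon: INFO: unsupported PF_KEY message REGISTER
Jan 8 10:27:18 racoon: [Home2Office]: ERROR: couldn't find the pskey for 203.0.113.10.
Jan 8 10:27:18 racoon: ERROR: failed to process packet.
Jan 8 10:27:18 racoon: ERROR: phase1 negotiation failed.
"""
SAMPLE_PSK = """\
# identifier          key
198.51.100.7          constructed-example-key
office.example.net    another-constructed-key
"""

LINE_RE = re.compile(
    r"racoon: (?:\[(?P<tunnel>[^\]]+)\]: )?(?P<level>INFO|WARNING|ERROR): (?P<msg>.*)")
PSKEY_RE = re.compile(r"couldn't find the pskey for (?P<peer>\S+?)\.?$")

def psk_identifiers(psk_text):
    """Return the set of identifiers (first column) in racoon PSK file content."""
    ids = set()
    for line in psk_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            ids.add(line.split(None, 1)[0])
    return ids

def triage(log_text, psk_text):
    """Return (error_count, findings); findings describe pskey lookup failures."""
    known = psk_identifiers(psk_text)
    errors, findings = 0, []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("level") != "ERROR":
            continue  # INFO/WARNING lines are not counted as failures here
        errors += 1
        p = PSKEY_RE.search(m.group("msg"))
        if p:
            peer = p.group("peer")
            findings.append({"tunnel": m.group("tunnel"), "peer": peer,
                             "has_psk_entry": peer in known})
    return errors, findings

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, SAMPLE_PSK))
```

A `has_psk_entry` of `False` means the key file has no line for that peer identifier; `True` only shows that an entry exists, not that the key matches the other end.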
            • R
              rugby
              last edited by Jan 8, 2010, 10:08 PM

              I was absolutely sure the keys were identical, but I had to pull one of the 2.0 boxes due to flakiness at our office and go back to an SG there for the time being.
