Need help testing ipsec-tools 0.8.0
-
ipsec-tools is nearing version 0.8.0 release and this is the version we're going to include in 2.0. It's confirmed to fix two issues (DPD not functioning, and incorrect return code from racoonctl), and confirmed working with mobile clients (iPhone Cisco client), site to site connections, and multiple P2s per P1. DPD not working is the last remaining issue aside from a couple kernel panics before 2.0-RC1 and this looks to fix it.
This will be in snapshots before too long (a few days, needs some manual source hacking to compile at the moment), you can test now though by going to a command prompt and running:
cd /usr/local/sbin/
fetch http://cvs.pfsense.org/~cmb/0/ipsectools-0.8.0b2-hybrid.tgz
tar zxvf ipsectools-0.8.0b2-hybrid.tgz
chmod +x racoon*
rm ipsectools-0.8.0b2-hybrid.tgz
then go to Status>Services and restart racoon.
NOTE: that is i386 only. AMD64 version here:
http://cvs.pfsense.org/~cmb/0/ipsectools-0.8.0b2-amd64-hybrid.tgz
which is currently entirely untested, all the test setups I have are i386.
-
bump.
Would appreciate feedback, this has been running in a variety of scenarios working well for me.
-
Chris,
can you do this from the GUI or is this done from the console? I haven't had any luck from the GUI but maybe I'm not doing it right.
Roy…
-
Tested it with my setup and it is working fine.
I have single P1 with single P2 for roadwarriors (iPhone) using Mutual RSA + Xauth.
Not sure how to test if DPD is working fine, but I see this in the logs:
Feb 6 21:45:04 abc racoon: ERROR: such policy does not already exist: "0.0.0.0/0[0] 192.168.103.1/32[0] proto=any dir=out"
Feb 6 21:46:31 abc racoon: [a.b.c.d] INFO: DPD: remote (ISAKMP-SA spi=b238e67c4f68f38b:34914d21787f0188) seems to be dead.
Feb 6 21:46:31 abc racoon: INFO: purging ISAKMP-SA spi=b238e67c4f68f38b:34914d21787f0188:000089c1.
Feb 6 21:46:31 abc racoon: INFO: generated policy, deleting it.
which makes me believe it is working fine.
-
You can only follow the exact instructions I gave from a SSH session or at the console, exec.php isn't going to keep that 'cd' between commands so you'll have to modify that a bit to do it there.
The DPD log was always there, it just previously didn't actually remove the SA. After it detects the dead peer ("DPD remote … seems to be dead"), it should no longer have that SA shown under Status>IPsec, SAD tab.
I've confirmed DPD works in a wide range of configurations, and everything else looks to be working fine too. Additional reports welcome.
-
2 days with no issues with a site2site tunnel to a Cisco PIX 501. No heavy traffic as this was a proof-of-concept for me using IPSec.
-
Running on build Sun Feb 6 05:09:46 EST 2011 for about 6 hours - no problem between two pfsense boxes running a VPN
Regards
Andrew
-
Installed here and seems to be ok. I have a couple of vpns setup to a couple of Sonicwall Units, i.e. NS240 and a TZ170 I believe. It appears to be working with no problem.
Andy
-
I installed the AMD64 version successfully, and was able to establish a tunnel, but I had difficulty stacking AES-256 for both phase 1 and phase 2. Does this make any sense?
I am currently running an AES-256 phase 1 and a blowfish-256 phase 2 successfully.
-
Seems to be working fine. Tested with both m0n0wall and pfSense 1.23. Only tested AES 128.
Roy…
-
Can you tell us when this is included in the snapshots, as it seems to be working well and I do not want to revert to an earlier version by updating from the "wrong" snapshot.
Thanks
Andrew
-
Works fine on NanoBSD. 6 tunnels up with Blowfish 128 bits and remote endpoint pfSense (mix of 1.2.3 and 2.0b5).
-
Can you tell us when this is included in the snapshots, as it seems to be working well and I do not want to revert to an earlier version by updating from the "wrong" snapshot.
The stock source doesn't build on FreeBSD and I haven't gotten a response to that; we're going to update our port with the change needed in the meantime and then it'll be in snapshots, may be a day or two. The systems I'm running it on get updated quite a bit so that's a heck of an annoyance for me too. I'll post back here when it's done.
-
I just switched the snapshots over to use ipsec-tools 0.8. It should be in the next new snapshots that will upload later today.
-
Thanks jimp!
re-installing it with every new snapshot was a pain.
Roy…
-
Newest snapshot does indeed have this in it now.
-
I'm sad to report some problem we have with 0.8 that we did not have with a snapshot from the week before.
I'm using x509 with a unique cert assigned to each of ~ 10 mobile peers.
I had to switch from using asn1 dn for the ID on both sides to using the server's IP on one side and asn1 dn on the client to get through phase 1. I don't know why that happened (forgot to grab logs of that).
Now I have all the mobile clients connected again with one fairly minor problem (detailed below).
At a site with two clients behind the same NAT,
when one gets DPDed (I'm makin' it a verb dammit) the other SA gets deleted 10 seconds later.
Should this go upstream?
Feb 16 20:44:32 cujo racoon: [96.233.121.193] INFO: DPD: remote (ISAKMP-SA spi=1b1561a52a7ee073:72a9610bf3426989) seems to be dead.
Feb 16 20:44:32 cujo racoon: INFO: purging ISAKMP-SA spi=1b1561a52a7ee073:72a9610bf3426989.
Feb 16 20:44:32 cujo racoon: INFO: generated policy, deleting it.
Feb 16 20:44:32 cujo racoon: INFO: purged IPsec-SA spi=2355238107.
Feb 16 20:44:32 cujo racoon: INFO: purged IPsec-SA spi=181612763.
Feb 16 20:44:32 cujo racoon: INFO: purged ISAKMP-SA spi=1b1561a52a7ee073:72a9610bf3426989.
Feb 16 20:44:33 cujo racoon: INFO: ISAKMP-SA deleted 216.177.7.226[4500]-96.233.121.193[4500] spi:1b1561a52a7ee073:72a9610bf3426989
Feb 16 20:44:42 cujo racoon: INFO: generated policy, deleting it.
Feb 16 20:44:42 cujo racoon: INFO: purged IPsec-SA proto_id=ESP spi=698705967.
Feb 16 20:44:42 cujo racoon: INFO: purging ISAKMP-SA spi=61974f5574b5226a:6b9d10203bcb3a5d.
Feb 16 20:44:42 cujo racoon: INFO: purged IPsec-SA spi=67173315.
Feb 16 20:44:42 cujo racoon: INFO: purged ISAKMP-SA spi=61974f5574b5226a:6b9d10203bcb3a5d.
Feb 16 20:44:43 cujo racoon: INFO: ISAKMP-SA deleted 216.177.7.226[4500]-96.233.121.193[28505] spi:61974f5574b5226a:6b9d10203bcb3a5d
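A log check for the two DPD behaviours discussed in this thread (that a "seems to be dead" event is now followed by a purge of that ISAKMP-SA, as the earlier reply says it should be, and the second SA to the same NATed peer being deleted a few seconds later without its own DPD event, as reported above), written here as an added example and not part of the original thread. It parses racoon syslog lines of the format quoted; the sample log is constructed from the lines above, and the year and the 30-second correlation window are assumptions.

```python
import re
from datetime import datetime

# Constructed sample modelled on the racoon lines quoted in this thread
# (racoon syslog lines carry no year; 2011 is assumed below).
SAMPLE_LOG = """\
Feb 16 20:44:32 cujo racoon: [96.233.121.193] INFO: DPD: remote (ISAKMP-SA spi=1b1561a52a7ee073:72a9610bf3426989) seems to be dead.
Feb 16 20:44:32 cujo racoon: INFO: purging ISAKMP-SA spi=1b1561a52a7ee073:72a9610bf3426989.
Feb 16 20:44:32 cujo racoon: INFO: purged ISAKMP-SA spi=1b1561a52a7ee073:72a9610bf3426989.
Feb 16 20:44:33 cujo racoon: INFO: ISAKMP-SA deleted 216.177.7.226[4500]-96.233.121.193[4500] spi:1b1561a52a7ee073:72a9610bf3426989
Feb 16 20:44:42 cujo racoon: INFO: purging ISAKMP-SA spi=61974f5574b5226a:6b9d10203bcb3a5d.
Feb 16 20:44:42 cujo racoon: INFO: purged ISAKMP-SA spi=61974f5574b5226a:6b9d10203bcb3a5d.
Feb 16 20:44:43 cujo racoon: INFO: ISAKMP-SA deleted 216.177.7.226[4500]-96.233.121.193[28505] spi:61974f5574b5226a:6b9d10203bcb3a5d
"""

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
DEAD_RE = re.compile(TS + r" \S+ racoon: \[(?P<peer>[\d.]+)\] INFO: DPD: remote \(ISAKMP-SA spi=(?P<spi>[0-9a-f:]+)\) seems to be dead")
PURGED_RE = re.compile(TS + r" \S+ racoon: INFO: purged ISAKMP-SA spi=(?P<spi>[0-9a-f:]+)")
DELETED_RE = re.compile(TS + r" \S+ racoon: INFO: ISAKMP-SA deleted \S+-(?P<peer>[\d.]+)\[(?P<port>\d+)\] spi:(?P<spi>[0-9a-f:]+)")

def parse_ts(s, year=2011):
    # Syslog timestamps have no year, so one is assumed for ordering.
    return datetime.strptime(f"{year} {s}", "%Y %b %d %H:%M:%S")

def analyze(log_text, window_s=30):
    """Return (confirmed, collateral).

    confirmed:  (peer, spi) for each DPD death whose ISAKMP-SA was actually purged.
    collateral: (peer, port, spi, seconds) for an ISAKMP-SA deleted to the same
                peer IP within window_s of a DPD death but with no DPD event of
                its own, i.e. the second-client-behind-the-same-NAT symptom."""
    deaths, purged, deleted = [], set(), []
    for line in log_text.splitlines():
        if m := DEAD_RE.search(line):
            deaths.append((parse_ts(m["ts"]), m["peer"], m["spi"]))
        elif m := PURGED_RE.search(line):
            purged.add(m["spi"])
        elif m := DELETED_RE.search(line):
            deleted.append((parse_ts(m["ts"]), m["peer"], m["port"], m["spi"]))
    dead_spis = {spi for _, _, spi in deaths}
    confirmed = [(peer, spi) for _, peer, spi in deaths if spi in purged]
    collateral = []
    for t, peer, port, spi in deleted:
        if spi in dead_spis:
            continue  # this SA was itself declared dead; expected deletion
        for td, dpeer, _ in deaths:
            delta = (t - td).total_seconds()
            if dpeer == peer and 0 <= delta <= window_s:
                collateral.append((peer, port, spi, int(delta)))
                break
    return confirmed, collateral
```

Run it over the racoon log from a box with two clients behind one NAT: an empty `collateral` list means only the SA that failed DPD was torn down.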