Netgate Discussion Forum
    Need help testing ipsec-tools 0.8.0

Category: 2.0-RC Snapshot Feedback and Problems - RETIRED
17 Posts 10 Posters 7.5k Views
cmb

      bump.

      Would appreciate feedback, this has been running in a variety of scenarios working well for me.

rpsmith

        Chris,

        can you do this from the GUI or is this done from the console?  I haven't had any luck from the GUI but maybe I'm not doing it right.

        Roy…

azzido

          Tested it with my setup and it is working fine.

          I have single P1 with single P2 for roadwarriors (iPhone) using Mutual RSA + Xauth.
          Not sure how to test if DPD is working fine, but I see this in the logs:

          
Feb  6 21:45:04 abc racoon: ERROR: such policy does not already exist: "0.0.0.0/0[0] 192.168.103.1/32[0] proto=any dir=out"
Feb  6 21:46:31 abc racoon: [a.b.c.d] INFO: DPD: remote (ISAKMP-SA spi=b238e67c4f68f38b:34914d21787f0188) seems to be dead.
Feb  6 21:46:31 abc racoon: INFO: purging ISAKMP-SA spi=b238e67c4f68f38b:34914d21787f0188:000089c1.
Feb  6 21:46:31 abc racoon: INFO: generated policy, deleting it.
          

which makes me believe it is working fine.

cmb

You can only follow the exact instructions I gave from an SSH session or at the console; exec.php isn't going to keep that 'cd' between commands, so you'll have to modify that a bit to do it there.

            The DPD log was always there, it just previously didn't actually remove the SA. After it detects the dead peer ("DPD remote … seems to be dead"), it should no longer have that SA shown under Status>IPsec, SAD tab.

            I've confirmed DPD works in a wide range of configurations, and everything else looks to be working fine too. Additional reports welcome.

Cino

              2 days with no issues with a site2site tunnel to a Cisco PIX 501. No heavy traffic as this was a proof-of-concept for me using IPSec.

andrew0401

                Running on build Sun Feb  6 05:09:46 EST 2011 for about 6 hours - no problem between two pfsense boxes running a VPN

                Regards

                Andrew

geewhz01

                  Installed here and seems to be ok.  I have a couple of vpns setup to a couple of Sonicwall Units, i.e. NS240 and a TZ170 I believe.  It appears to be working with no problem.

                  Andy

wallacebw

I installed the AMD64 version successfully, and was able to establish a tunnel, but I had difficulty stacking AES-256 for both phase 1 and phase 2. Does this make any sense?

I am currently running an AES-256 phase 1 and a Blowfish-256 phase 2 successfully.

rpsmith

                      Seems to be working fine.  Tested with both m0n0wall and pfSense 1.23. Only tested AES 128.

                      Roy…

andrew0401

Can you tell us when this is included in the snapshots? It seems to be working well and I do not want to revert to an earlier version by updating from the "wrong" snapshot.

                        Thanks

                        Andrew

luma

                          Works fine on NanoBSD. 6 tunnels up with Blowfish 128 bits and remote endpoint pfSense (mix of 1.2.3 and 2.0b5).

cmb

                            @andrew0401:

                            Can you tell us when this is included in the snapshots as it seems to be working well and I do not want to revert to earlier version by updating from the "wrong" snapshot

The stock source doesn't build on FreeBSD and I haven't gotten a response to that. We're going to update our port with the change needed in the meantime and then it'll be in snapshots; may be a day or two. The systems I'm running it on get updated quite a bit, so that's a heck of an annoyance for me too. I'll post back here when it's done.

jimp (Rebel Alliance Developer, Netgate)

                              I just switched the snapshots over to use ipsec-tools 0.8. It should be in the next new snapshots that will upload later today.


rpsmith

                                Thanks jimp!

Re-installing it with every new snapshot was a pain.

                                Roy…

cmb

The newest snapshot does indeed have this in it now.

bwlang

                                    I'm sad to report some problem we have with 0.8 that we did not have with a snapshot from the week before.

                                    I'm using x509 with a unique cert assigned to each of ~ 10 mobile peers.

I had to switch from using asn1 dn for the id on both sides to using the server's IP on one side and asn1 dn on the client to get through phase 1. I don't know why that happened (forgot to grab logs of that).

Now I have all the mobile clients connected again with one fairly minor problem (detailed below).

At a site with two clients behind the same NAT, when one gets DPDed (I'm makin' it a verb, dammit), the other SA gets deleted 10 seconds later.

                                    Should this go upstream?

Feb 16 20:44:32 cujo racoon: [96.233.121.193] INFO: DPD: remote (ISAKMP-SA spi=1b1561a52a7ee073:72a9610bf3426989) seems to be dead.
Feb 16 20:44:32 cujo racoon: INFO: purging ISAKMP-SA spi=1b1561a52a7ee073:72a9610bf3426989.
Feb 16 20:44:32 cujo racoon: INFO: generated policy, deleting it.
Feb 16 20:44:32 cujo racoon: INFO: purged IPsec-SA spi=2355238107.
Feb 16 20:44:32 cujo racoon: INFO: purged IPsec-SA spi=181612763.
Feb 16 20:44:32 cujo racoon: INFO: purged ISAKMP-SA spi=1b1561a52a7ee073:72a9610bf3426989.
Feb 16 20:44:33 cujo racoon: INFO: ISAKMP-SA deleted 216.177.7.226[4500]-96.233.121.193[4500] spi:1b1561a52a7ee073:72a9610bf3426989
Feb 16 20:44:42 cujo racoon: INFO: generated policy, deleting it.
Feb 16 20:44:42 cujo racoon: INFO: purged IPsec-SA proto_id=ESP spi=698705967.
Feb 16 20:44:42 cujo racoon: INFO: purging ISAKMP-SA spi=61974f5574b5226a:6b9d10203bcb3a5d.
Feb 16 20:44:42 cujo racoon: INFO: purged IPsec-SA spi=67173315.
Feb 16 20:44:42 cujo racoon: INFO: purged ISAKMP-SA spi=61974f5574b5226a:6b9d10203bcb3a5d.
Feb 16 20:44:43 cujo racoon: INFO: ISAKMP-SA deleted 216.177.7.226[4500]-96.233.121.193[28505] spi:61974f5574b5226a:6b9d10203bcb3a5d

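As an added example (not from this thread, and not ipsec-tools or pfSense code), a small Python parser for the racoon log lines quoted above: it ties each "DPD: remote ... seems to be dead" event to the ISAKMP-SA purge that follows (the check cmb describes for confirming DPD really removes the SA) and flags any purge that no DPD event announced, which is the symptom bwlang reports for the second client behind the same NAT. The sample log is constructed from the lines quoted in this thread; the regexes and function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the racoon lines quoted in this thread (one ISAKMP-SA purged
# after DPD declares its peer dead, then a second ISAKMP-SA purged 10 s later with no DPD event).
SAMPLE_LOG = """\
Feb 16 20:44:32 cujo racoon: [96.233.121.193] INFO: DPD: remote (ISAKMP-SA spi=1b1561a52a7ee073:72a9610bf3426989) seems to be dead.
Feb 16 20:44:32 cujo racoon: INFO: purging ISAKMP-SA spi=1b1561a52a7ee073:72a9610bf3426989.
Feb 16 20:44:32 cujo racoon: INFO: purged IPsec-SA spi=2355238107.
Feb 16 20:44:32 cujo racoon: INFO: purged IPsec-SA spi=181612763.
Feb 16 20:44:42 cujo racoon: INFO: purged IPsec-SA proto_id=ESP spi=698705967.
Feb 16 20:44:42 cujo racoon: INFO: purging ISAKMP-SA spi=61974f5574b5226a:6b9d10203bcb3a5d.
Feb 16 20:44:42 cujo racoon: INFO: purged IPsec-SA spi=67173315.
"""

TS_RE = re.compile(r"^\w{3}\s+\d+ (\d\d):(\d\d):(\d\d) ")
DPD_RE = re.compile(r"\[([\d.]+)\] INFO: DPD: remote \(ISAKMP-SA spi=([0-9a-f]+:[0-9a-f]+)\) seems to be dead")
PURGING_RE = re.compile(r"INFO: purging ISAKMP-SA spi=([0-9a-f]+:[0-9a-f]+)")
CHILD_RE = re.compile(r"INFO: purged IPsec-SA (?:proto_id=\w+ )?spi=(\d+)")

def seconds(line):
    m = TS_RE.match(line)  # syslog HH:MM:SS -> seconds since midnight, None if unparseable
    return None if not m else sum(int(v) * k for v, k in zip(m.groups(), (3600, 60, 1)))

def audit_dpd_purges(log_text):
    """Per purged ISAKMP-SA: peer DPD declared dead (None if none), child SPIs purged that second, gap since previous burst."""
    dpd_dead = {}                                                  # ISAKMP spi -> peer address
    bursts = defaultdict(lambda: {"isakmp": [], "children": []})  # purge lines grouped by second
    for line in log_text.splitlines():
        t = seconds(line)
        if t is None:
            continue
        if m := DPD_RE.search(line):
            dpd_dead[m.group(2)] = m.group(1)
        elif m := PURGING_RE.search(line):
            bursts[t]["isakmp"].append(m.group(1))
        elif m := CHILD_RE.search(line):
            bursts[t]["children"].append(int(m.group(1)))
    report, prev = [], None
    for t in sorted(bursts):
        for spi in bursts[t]["isakmp"]:
            report.append({"isakmp_spi": spi, "dpd_peer": dpd_dead.get(spi),
                           "children": bursts[t]["children"],
                           "since_previous_purge": None if prev is None else t - prev})
        prev = t
    return report

def collateral_purges(report, window=30):
    # Purges no DPD event announced, within `window` s of an earlier purge (the symptom reported above).
    return [r for r in report if r["dpd_peer"] is None
            and r["since_previous_purge"] is not None and r["since_previous_purge"] <= window]
```

Run against a real racoon log, a purge with `dpd_peer` set and child SPIs listed is DPD doing its job; an entry returned by `collateral_purges` is an SA torn down without its own dead-peer detection and worth correlating with the NAT-T ports in the matching "ISAKMP-SA deleted" lines.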