Need help testing ipsec-tools 0.8.0
-
Running on build Sun Feb 6 05:09:46 EST 2011 for about 6 hours - no problem between two pfsense boxes running a VPN
Regards
Andrew
-
Installed here and seems to be ok. I have a couple of vpns setup to a couple of Sonicwall Units, i.e. NS240 and a TZ170 I believe. It appears to be working with no problem.
Andy
-
I installed the AMD64 version successfully, and was able to establish a tunnel, but I had difficulty stacking AES-256 for both phase 1 and phase 2. does this make any since?
I am currently running a AES-256 phase 1 and a blowfish-256 phase 2 successfully
-
Seems to be working fine. Tested with both m0n0wall and pfSense 1.23. Only tested AES 128.
Roy…
-
Can you tell us when this is included in the snapshots as it seems to be working well and I do not want to revert to earlier version by updating from the "wrong" snapshot
Thanks
Andrew
-
Works fine on NanoBSD. 6 tunnels up with Blowfish 128 bits and remote endpoint pfSense (mix of 1.2.3 and 2.0b5).
-
Can you tell us when this is included in the snapshots as it seems to be working well and I do not want to revert to earlier version by updating from the "wrong" snapshot
The stock source doesn't build on FreeBSD and I haven't gotten a response to that, we're going to update our port with the change needed in the mean time and then it'll be in snapshots, may be a day or two. The systems I'm running it on get updated quite a bit so that's a heck of an annoyance for me too. I'll post back here when it's done.
-
I just switched the snapshots over to use ipsec-tools 0.8. It should be in the next new snapshots that will upload later today.
-
Thanks jimp!
re-installing it with every new snapshot was a pain.
Roy…
-
newest snapshot does indeed have this in it now.
-
I'm sad to report some problem we have with 0.8 that we did not have with a snapshot from the week before.
I'm using x509 with a unique cert assigned to each of ~ 10 mobile peers.
I had to switch from using asn1 dn for id on both sides to using the server's ip on one side and asn1 dn on the client to get through phase1 - I don't know why that happened (forgot to grab logs of that)
Now i have all the mobile client connected again with one fairly minor problem (detailed below)
At a site with two clients behind the same NAT,
when one gets DPDed (i'm makin' it a verb dammit)the other sa gets deleted 10 seconds later.
Should this go upstream?
Feb 16 20:44:32 cujo racoon: [96.233.121.193] INFO: DPD: remote (ISAKMP-SA spi=1b1561a52a7ee073:72a9610bf3426989
) seems to be dead.
Feb 16 20:44:32 cujo racoon: INFO: purging ISAKMP-SA spi=1b1561a52a7ee073:72a9610bf3426989.
Feb 16 20:44:32 cujo racoon: INFO: generated policy, deleting it.
Feb 16 20:44:32 cujo racoon: INFO: purged IPsec-SA spi=2355238107.
Feb 16 20:44:32 cujo racoon: INFO: purged IPsec-SA spi=181612763.
Feb 16 20:44:32 cujo racoon: INFO: purged ISAKMP-SA spi=1b1561a52a7ee073:72a9610bf3426989.
Feb 16 20:44:33 cujo racoon: INFO: ISAKMP-SA deleted 216.177.7.226[4500]-96.233.121.193[4500] spi:1b1561a52a7ee0
73:72a9610bf3426989
Feb 16 20:44:42 cujo racoon: INFO: generated policy, deleting it.
Feb 16 20:44:42 cujo racoon: INFO: purged IPsec-SA proto_id=ESP spi=698705967.
Feb 16 20:44:42 cujo racoon: INFO: purging ISAKMP-SA spi=61974f5574b5226a:6b9d10203bcb3a5d.
Feb 16 20:44:42 cujo racoon: INFO: purged IPsec-SA spi=67173315.
Feb 16 20:44:42 cujo racoon: INFO: purged ISAKMP-SA spi=61974f5574b5226a:6b9d10203bcb3a5d.
Feb 16 20:44:43 cujo racoon: INFO: ISAKMP-SA deleted 216.177.7.226[4500]-96.233.121.193[28505] spi:61974f5574b5226a:6b9d10203bcb3a5d
