Netgate Discussion Forum

    Empty Status: IPsec: SPD

Forum: 2.0-RC Snapshot Feedback and Problems - RETIRED
    20 Posts 6 Posters 10.0k Views
rlai000:

      Updated to the latest 2.0-RC1 (i386) built on Thu Mar 3 10:56:18 EST 2011

All my VPN links are down.  I checked, and Status: IPsec: SPD is empty.

The IPsec log doesn't show anything in particular (just these lines):
      Mar 3 14:16:16 racoon: INFO: @(#)ipsec-tools 0.8.0.beta3 (http://ipsec-tools.sourceforge.net)
      Mar 3 14:16:16 racoon: INFO: @(#)This product linked OpenSSL 0.9.8n 24 Mar 2010 (http://www.openssl.org/)
      Mar 3 14:16:16 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
      Mar 3 14:16:16 racoon: [Unknown Gateway/Dynamic]: INFO: xxx.xxx.xxx.xxx[4500] used for NAT-T
      Mar 3 14:16:16 racoon: [Self]: INFO: xxx.xxx.xxx.xxx[4500] used as isakmp port (fd=16)
      Mar 3 14:16:16 racoon: INFO: xxx.xxx.xxx.xxx[500] used for NAT-T
      Mar 3 14:16:16 racoon: [Self]: INFO: xxx.xxx.xxx.xxx[500] used as isakmp port (fd=17)

      But the "cat /tmp/rules.debug" shows:

VPN Rules

ERROR! Unable to determine remote IPsec peer address for gw0-xxxxx.com
ERROR! Unable to determine remote IPsec peer address for gw10-xxxxx.com
ERROR! Unable to determine remote IPsec peer address for gw12-xxxxx.com
ERROR! Unable to determine remote IPsec peer address for gw16-xxxxx.com
ERROR! Unable to determine remote IPsec peer address for gw20-xxxxx.com
ERROR! Unable to determine remote IPsec peer address for gw21-xxxxx.com
ERROR! Unable to determine remote IPsec peer address for gw22-xxxxx.com
ERROR! Unable to determine remote IPsec peer address for gw50-xxxxx.com
ERROR! Unable to determine remote IPsec peer address for gw51-xxxxx.com
ERROR! Unable to determine remote IPsec peer address for gw55-xxxxx.com
ERROR! Unable to determine remote IPsec peer address for gw52-xxxxx.com

It seems the VPN doesn't like FQDNs.

      -Raylund

eri--:

They will get there once DNS is available.
        Check your dns settings.

rlai000:

          Updated to the latest 2.0-RC1 (i386) built on Thu Mar 3 17:43:05 EST 2011 just now.

          Wow!  A lot of errors.

          First, I cannot go to internet.

          2nd, the System log has:
          Mar 4 01:09:01 php: : The command '/usr/local/sbin/relayd -f /var/etc/relayd.conf' returned exit code '1', the output was '/var/etc/relayd.conf:3: syntax error no redirections, nothing to do'
          Mar 4 01:09:02 php: : The command '/sbin/pfctl -o basic -f /tmp/rules.debug' returned exit code '1', the output was '/tmp/rules.debug:117: syntax error /tmp/rules.debug:118: syntax error pfctl: Syntax error in config file: pf rules not loaded'
          Mar 4 01:09:02 php: : New alert found: There were error(s) loading the rules: /tmp/rules.debug:117: syntax error /tmp/rules.debug:118: syntax error pfctl: Syntax error in config file: pf rules not loaded The line in question reads [117]: pass in quick on $IPsec proto from any to any keep state label "USER_RULE: Default allow IPsec to any rule"
          Mar 4 01:09:02 php: : There were error(s) loading the rules: /tmp/rules.debug:117: syntax error /tmp/rules.debug:118: syntax error pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [117]: pass in quick on $IPsec proto from any to any keep state label "USER_RULE: Default allow IPsec to any rule"

          The last 3 have happened 3 times.

Then the Firewall log was empty (usually there should be something blocked).

The IPsec log has a lot of errors:
          racoon: [xxx.xxx.xxx.xxx] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
          racoon: [xxx.xxx.xxx.xxx] ERROR: can't start the quick mode, there is no ISAKMP-SA, bd8a52536b41cf9d:f61e62e8f12fb17f:0000789d

          Of course none of my VPN links connect.

          I then reverted back to snapshot 2.0-RC1 (i386) built on Wed Mar 2 07:45:55 EST 2011

          I still cannot go to internet (which I could with this snapshot before); still got the System log errors as above; still got empty Firewall log.

          But my VPN links were connected.

          I should restore my backup configuration to get pfSense running without error.

          -Raylund

rlai000:

            After yesterday's problematic snapshot, today's latest 2.0-RC1 (i386) built on Fri Mar 4 09:42:39 EST 2011 still has VPN problem.

            Status: IPsec: SPD is empty; just shows "No IPsec security policies."

            I still have a bunch of "ERROR! Unable to determine remote IPsec peer address for gwx-xxxxx.com" on "cat /tmp/rules.debug".

            I could go to internet; i.e. nothing wrong with DNS.

            Firewall log has a lot of "block  Mar 4 14:30:03  WAN zzz.zzz.zzz.zzz:500  xxx.xxx.xxx.xxx:500  UDP"

            IPsec log still has that few lines.

            I then restarted service racoon.

Then Status: IPsec: SPD populated with proper entries.  But oddly I still have a bunch of "ERROR! Unable to determine remote IPsec peer address for gwx-xxxxx.com" on "cat /tmp/rules.debug".

            I'm still getting "block  Mar 4 14:30:03  WAN zzz.zzz.zzz.zzz:500  xxx.xxx.xxx.xxx:500  UDP" on Firewall log.

I waited for some time and the VPN links didn't automatically reconnect.  I've 2 VPN links connected but both are initiated by me on the LAN.

            I need to initiate the VPN links one-by-one from pfSense GUI (Status: IPsec).

            -Raylund

eri--:

              Are you sure the dns resolves for that entry?

              Please post your system log/ipsec log and your config screenshots.

rlai000:

                I updated to the latest snapshot (2.0-RC1 (i386) built on Fri Mar 4 14:07:09 EST 2011)

The traceroute is working for the FQDN; i.e. no problem with the DNS.

[Attachment: Traceroute.JPG]

rlai000:

The System log shows no error on this latest snapshot.

![System log.JPG](/public/imported_attachments/1/System log.JPG)

rlai000:

The VPN is still not working.  These are the only few lines in the log.

![IPsec log.JPG](/public/imported_attachments/1/IPsec log.JPG)

rlai000:

                      This is my VPN configuration.

[Attachment: VPN.JPG]

rlai000:

                        This is one of my VPNs typical Phase 1

![VPN P1.JPG](/public/imported_attachments/1/VPN P1.JPG)

rlai000:

                          This is my typical Phase 2

![VPN P2.JPG](/public/imported_attachments/1/VPN P2.JPG)

rlai000:

                            I think the following actions may give a clue for the developer to look at the problem I have.

I updated to the latest snapshot 2.0-RC1 (i386) built on Mon Mar 7 12:03:17 EST 2011.  And to eliminate the possibility that my configuration is incompatible with the new version of the config, I reset my pfSense to factory default and re-configured all settings one by one.

                            After reboot, I still got empty entries on IPsec:SPD and the "# ERROR! Unable to determine remote IPsec peer address for gw0-xxxxx.com" on cat /tmp/rules.debug

                            The following actions get the VPN working again:

                            1. I went to System: General Setup and "just" click on the Save button.  Then no more "# ERROR! Unable to determine remote IPsec peer address for gw0-xxxxx.com" on cat /tmp/rules.debug.  Instead, I got all the normal rules:

                            VPN Rules

                            pass out on $WAN  route-to ( fxp1 99.237.xxx.xxx )  proto udp from any to 96.48.xxx.xxx port = 500 keep state label "IPsec: 0.x_Surrey_shaw - outbound isakmp"
                            pass in on $WAN  reply-to ( fxp1 99.237.xxx.xxx )  proto udp from 96.48.xxx.xxx to any port = 500 keep state label "IPsec: 0.x_Surrey_shaw - inbound isakmp"

                            And no more "block   Mar 4 14:30:03   WAN zzz.zzz.zzz.zzz:500   xxx.xxx.xxx.xxx:500   UDP" on Firewall log.

2. I went to Status: Services and restarted service racoon.  Then all the SPD are properly populated.

                            Although I still got a lot of errors on IPsec log, eventually my VPNs are connected:
                            racoon: [xxx.xxx.xxx.xxx] ERROR: can't start the quick mode, there is no ISAKMP-SA, bd8a52536b41cf9d:f61e62e8f12fb17f:0000789d

                            But there still the same error mentioned in this thread:
                            Some VPN (IPSec) not reconnect, http://forum.pfsense.org/index.php/topic,33389.0.html

That is, if my pfSense "responded" to my 3 remote sites, after some seconds (varying from 10 to 35 seconds) pfSense would say "DPD: remote (ISAKMP-SA spi=3fd652be49324ed5:360a5981b545c374) seems to be dead" and the ISAKMP-SA would be deleted.

If my pfSense "initiated" the link, the connection is solid.

                            -Raylund

rlai000:

Is it only me who has this problem?  To make sure I haven't done something wrong and that my configuration isn't anything special, I installed the RC ISO and then updated to the latest snapshot.

                              I just changed the LAN IP and changed admin password then I did the latest snapshot update.

                              Upon rebooted after the update, I set only one VPN link.  Nothing special just the same normal setting shown in my previous screenshots.

The VPN link connected right away.  No problem at all.

                              But when I reboot my pfSense, the same scenario happened again:

                              • "No IPsec security policies." on SPD

                              • I've "# ERROR! Unable to determine remote IPsec peer address for gw0-shaw-xxx.xxx" on the "cat /tmp/rules.debug" log

The only solution is to click the Save button on the GUI "System: General Setup" to let pfSense create proper VPN rules, and to restart the racoon service to have proper SPD entries.

                              Or, to make the link survive upon rebooting, I specified an IP address instead of FQDN in the "Remote gateway" of "VPN: IPsec: Edit Phase 1".

                              It seems that the VPN's Remote gateway FQDN doesn't resolve during pfSense startup.  That's why I could "add" a VPN link without problem but cannot survive upon rebooting.

The other error is the DPD one mentioned in the thread http://forum.pfsense.org/index.php/topic,33389.0.html

I tried to re-create the VPN on the remote site SonicWall NSA240, without luck.  The VPN link still has "DPD: remote seems to be dead" and "ISAKMP-SA deleted" in seconds.  If I disable DPD, everything works fine.

                              -Raylund

mxx:
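For readers who want to see which knobs the "disable DPD" workaround above is turning, here is a racoon.conf remote block with the ipsec-tools dead-peer-detection options spelled out. This is an added illustration, not the racoon.conf that pfSense generates and not a diagnosis of the DPD failure in this thread; the peer address, identifiers and proposal are placeholders.

```conf
# Added illustration of racoon (ipsec-tools) DPD settings; 203.0.113.7 and
# 99.237.0.1 are placeholder addresses, not the poster's.
remote 203.0.113.7 {
        exchange_mode main;
        my_identifier address 99.237.0.1;
        peers_identifier address 203.0.113.7;
        nat_traversal on;
        proposal_check obey;

        # dpd_delay: seconds between liveness (R-U-THERE) probes.
        # 0 (the racoon default) turns DPD monitoring off entirely, which is
        # what "disable DPD" in the GUI amounts to.
        dpd_delay 10;
        # dpd_retry: seconds to wait for an R-U-THERE-ACK before re-sending.
        dpd_retry 5;
        # dpd_maxfail: unanswered probes before the ISAKMP-SA is declared dead
        # and deleted ("DPD: remote ... seems to be dead").
        dpd_maxfail 5;

        proposal {
                encryption_algorithm aes 256;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
                lifetime time 28800 sec;
        }
}
```

With these values the time from the last answered probe to "seems to be dead" is at most dpd_delay + dpd_retry * dpd_maxfail = 35 seconds, the same order as the 10 to 35 seconds reported above. Setting dpd_delay to 0 makes the tunnel stay up, but it also means a peer that really does go away is only noticed when the SA lifetime expires, so raising dpd_maxfail or dpd_delay is the gentler change if the peer is merely slow to answer.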

                                I also have to restart racoon after each upgrade since the snapshots that followed rc1 (don't know about rc1 itself), but I can't find the error you mention in the logs.
                                At least not when I last checked and that was ~10hours after I restarted racoon.
                                I'm using main mode + rsa certs

rlai000:

It's odd that only I have this problem.  I installed fresh and changed nothing in the settings except the admin password, and created one single VPN.

                                  Are you using FQDN for the Remote gateway?

                                  This is the root of the problem.  racoon couldn't resolve the Remote gateway with FQDN specified so that pfSense couldn't create the proper firewall rules and IPsec SPD upon reboot.  That's why if I changed the FQDN to IP address, the VPN works upon reboot.

I'm out of clues now and don't know why only I have this.

                                  -Raylund

andrew0401:
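To make the failure mode described above concrete, here is an added Python example (my own illustration, not pfSense's PHP rule generator) that derives the per-peer ISAKMP pass rule pair from a phase-1 entry, exactly in the shape the rules.debug excerpt earlier in the thread shows, and emits the "# ERROR! Unable to determine remote IPsec peer address" comment instead when the remote gateway is an FQDN that does not resolve. The DelayedDns class, the interface name, the gateway and peer addresses, and the PHASE1 entries are constructed placeholders; the retry loop in resolve_peer is one way to ride out DNS that is not ready yet at boot, not the fix that was committed for this bug.

```python
# Added example (not pfSense's own code): derive the per-peer ISAKMP rule pair
# from a phase-1 entry and show how an FQDN remote gateway that does not
# resolve yet becomes the "# ERROR! Unable to determine remote IPsec peer
# address" comment in /tmp/rules.debug instead of a pass rule.
import ipaddress
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], Optional[str]]

# Constructed sample data; interface, gateway and peer addresses are placeholders.
WAN_IF = "fxp1"
WAN_GW = "99.237.0.1"
PHASE1 = [
    {"descr": "0.x_Surrey_shaw", "remote_gateway": "96.48.0.1"},      # IP literal
    {"descr": "gw0-example", "remote_gateway": "gw0.example.com"},   # FQDN
]

ERROR_MARKER = "# ERROR! Unable to determine remote IPsec peer address for "


class DelayedDns:
    """Constructed resolver stand-in: answers nothing for the first
    `ready_after` lookups, imitating DNS that is not usable yet when the
    rule set is generated at boot."""

    def __init__(self, table: Dict[str, str], ready_after: int = 0) -> None:
        self.table = table
        self.ready_after = ready_after
        self.calls = 0

    def __call__(self, name: str) -> Optional[str]:
        self.calls += 1
        if self.calls <= self.ready_after:
            return None
        return self.table.get(name)


def resolve_peer(gateway: str, resolver: Resolver, attempts: int = 1) -> Optional[str]:
    """Return the peer as an IP literal, or None if it cannot be determined.

    An IP literal (v4 or v6) is used as-is. An FQDN is looked up through
    `resolver`, with a bounded number of attempts so a not-yet-available DNS
    does not immediately yield a peer-less rule set."""
    try:
        return str(ipaddress.ip_address(gateway))
    except ValueError:
        pass  # not a literal; treat it as a hostname
    for _ in range(max(1, attempts)):
        ip = resolver(gateway)
        if ip:
            return ip
    return None


def isakmp_rules(p1: Dict[str, str], resolver: Resolver, attempts: int = 1) -> List[str]:
    """pf rule pair for one phase-1 peer, or the ERROR comment if the peer is unknown."""
    peer = resolve_peer(p1["remote_gateway"], resolver, attempts)
    if peer is None:
        return [ERROR_MARKER + p1["remote_gateway"]]
    label = p1["descr"]
    return [
        f'pass out on $WAN route-to ( {WAN_IF} {WAN_GW} ) proto udp from any to {peer} '
        f'port = 500 keep state label "IPsec: {label} - outbound isakmp"',
        f'pass in on $WAN reply-to ( {WAN_IF} {WAN_GW} ) proto udp from {peer} to any '
        f'port = 500 keep state label "IPsec: {label} - inbound isakmp"',
    ]


def build_vpn_rules(phase1: List[Dict[str, str]], resolver: Resolver, attempts: int = 1) -> str:
    """Render the 'VPN Rules' section for all phase-1 entries."""
    lines = ["# VPN Rules"]
    for p1 in phase1:
        lines.extend(isakmp_rules(p1, resolver, attempts))
    return "\n".join(lines)


def unresolved_peers(rules_text: str) -> List[str]:
    """Check for the symptom in a rules.debug dump: gateways that got the ERROR
    comment instead of rules, and therefore no inbound UDP/500 pass rule
    (hence the blocked WAN :500 -> :500 UDP entries in the firewall log)."""
    return [ln[len(ERROR_MARKER):].strip()
            for ln in rules_text.splitlines() if ln.startswith(ERROR_MARKER)]


if __name__ == "__main__":
    dns_down = DelayedDns({"gw0.example.com": "203.0.113.7"}, ready_after=10**6)
    print(build_vpn_rules(PHASE1, dns_down))              # FQDN peer gets the ERROR line
    dns_late = DelayedDns({"gw0.example.com": "203.0.113.7"}, ready_after=2)
    print(build_vpn_rules(PHASE1, dns_late, attempts=3))  # retries ride out the delay
```

Running the block prints two rule sets: with DNS unavailable the IP-literal peer still gets its pass rules while the FQDN peer is replaced by the ERROR comment (and so nothing passes its inbound UDP/500), which is the state the thread describes after a reboot; with a resolver that starts answering after two lookups and three attempts allowed, both peers get rules. The unresolved_peers check is the quick way to grep a rules.debug dump for the symptom.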

We have exactly the same problem using an FQDN to create an IPsec VPN to a dynamic IP also running pfSense 2.0.  But if we restart racoon we get the usual messages detailed above and then it connects.

It seems that if racoon starts before DNS is updated then it just "hangs", unable to do anything - can racoon be made dependent upon the first DNS update before it attempts to start?

                                    Andrew

tzerpa:

I have a similar problem to the one posted by raylund (see my post http://forum.pfsense.org/index.php/topic,33621.0.html ).

But I think something is happening and no one is interested in checking or helping in depth to solve it.

I've had experience since 1994 installing and configuring routers.

I've found pfSense to be an extraordinary solution, but in my opinion the RC1 looks like a beta instead of a Release Candidate.

                                      Tito

luma:

                                        I found the problem for IPsec FQDN config.

                                        I proposed a fix on http://redmine.pfsense.org/issues/1356

                                        Maybe that helps

                                        Regards

luma:

Ermal has just committed a working fix. It will be in the next snapshot!

rlai000:

                                            Yes, the snapshot 2.0-RC1 (i386) built on Wed Mar 16 17:04:38 EDT 2011 fixed the problem.

                                            All my VPN links connected right after reboot.

                                            Thanks.

                                            -Raylund

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.