Empty Status: IPsec: SPD
-
The system log shows no error on this latest snapshot.
![System log.JPG](/public/imported_attachments/1/System log.JPG)
-
The VPN is still not working. These are the only few lines in the log.
![IPsec log.JPG](/public/imported_attachments/1/IPsec log.JPG)
-
This is my VPN configuration.
-
This is a typical Phase 1 for one of my VPNs.
![VPN P1.JPG](/public/imported_attachments/1/VPN P1.JPG)
-
This is my typical Phase 2.
![VPN P2.JPG](/public/imported_attachments/1/VPN P2.JPG)
-
I think the following actions may give a clue for the developer to look at the problem I have.
I updated to the latest snapshot 2.0-RC1 (i386) built on Mon Mar 7 12:03:17 EST 2011. And to eliminate the possibility that my configuration is not compatible with the new config version, I reset my pfSense to factory defaults and re-configured all settings one by one.
After reboot, I still got empty entries on IPsec: SPD and the "# ERROR! Unable to determine remote IPsec peer address for gw0-xxxxx.com" in cat /tmp/rules.debug.
The following actions get the VPN working again:
- I went to System: General Setup and "just" clicked on the Save button. Then there was no more "# ERROR! Unable to determine remote IPsec peer address for gw0-xxxxx.com" in cat /tmp/rules.debug. Instead, I got all the normal rules:

```
VPN Rules
pass out on $WAN route-to ( fxp1 99.237.xxx.xxx ) proto udp from any to 96.48.xxx.xxx port = 500 keep state label "IPsec: 0.x_Surrey_shaw - outbound isakmp"
pass in on $WAN reply-to ( fxp1 99.237.xxx.xxx ) proto udp from 96.48.xxx.xxx to any port = 500 keep state label "IPsec: 0.x_Surrey_shaw - inbound isakmp"
```

And no more "block Mar 4 14:30:03 WAN zzz.zzz.zzz.zzz:500 xxx.xxx.xxx.xxx:500 UDP" in the Firewall log.
- I went to Status: Services and restarted the racoon service. Then all the SPD entries were properly populated.
Although I still got a lot of errors in the IPsec log, eventually my VPNs connected:

```
racoon: [xxx.xxx.xxx.xxx] ERROR: can't start the quick mode, there is no ISAKMP-SA, bd8a52536b41cf9d:f61e62e8f12fb17f:0000789d
```

But there is still the same error mentioned in this thread:
Some VPN (IPSec) not reconnect, http://forum.pfsense.org/index.php/topic,33389.0.html
That is, if my pfSense "responded" to my 3 remote sites, after some seconds (varying from 10 to 35 seconds) pfSense would say "DPD: remote (ISAKMP-SA spi=3fd652be49324ed5:360a5981b545c374) seems to be dead" and the ISAKMP-SA would be deleted.
If my pfSense "initiated" the link, the connection would be solid.
-Raylund
-
Is it only me who has this problem? I would like to make sure I haven't done something wrong or that my configuration is anything special: I installed the RC iso and then updated to the latest snapshot.
I just changed the LAN IP and the admin password, then I did the latest snapshot update.
Upon rebooting after the update, I set up only one VPN link. Nothing special, just the same normal settings shown in my previous screenshots.
The VPN link connected right away. No problem at all.
But when I reboot my pfSense, the same scenario happened again:
- "No IPsec security policies." on SPD
- "# ERROR! Unable to determine remote IPsec peer address for gw0-shaw-xxx.xxx" in the "cat /tmp/rules.debug" output

The only solution is to click the Save button in the GUI at "System: General Setup" to let pfSense create the proper VPN rules, and to restart the racoon service to get proper SPD entries.
Or, to make the link survive a reboot, I specified an IP address instead of an FQDN in the "Remote gateway" of "VPN: IPsec: Edit Phase 1".
It seems that the VPN's Remote gateway FQDN doesn't resolve during pfSense startup. That's why I could "add" a VPN link without problem but it cannot survive a reboot.
The other error is the DPD one mentioned in the thread http://forum.pfsense.org/index.php/topic,33389.0.html
I tried to re-create the VPN on the remote-site SonicWall NSA240 without luck. The VPN link still gets "DPD: remote seems to be dead" and "ISAKMP-SA deleted" within seconds. If I disable DPD, everything works fine.
-Raylund
-
I also have to restart racoon after each upgrade since the snapshots that followed rc1 (don't know about rc1 itself), but I can't find the error you mention in the logs.
At least not when I last checked, and that was ~10 hours after I restarted racoon.
I'm using main mode + RSA certs.
-
It's odd that only I have this problem. I installed from fresh and nothing changed in the settings except the admin password, and I created one single VPN.
Are you using FQDN for the Remote gateway?
This is the root of the problem: racoon couldn't resolve the Remote gateway when an FQDN is specified, so pfSense couldn't create the proper firewall rules and IPsec SPD upon reboot. That's why, if I change the FQDN to an IP address, the VPN works upon reboot.
I'm out of clues now and don't know why only I have this.
-Raylund
-
We have exactly the same problem using an FQDN to create an IPsec VPN to a dynamic IP, also running pfSense 2.0. But if we restart racoon we get the usual messages detailed above and then it connects.
It seems that if racoon starts before DNS is updated then it just "hangs", unable to do anything. Can racoon be made dependent upon the first DNS update before it attempts to start?
Andrew
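Raylund's diagnosis above (the Remote gateway FQDN not resolving at boot, so rules.debug gets the error marker and the SPD stays empty) and Andrew's question about making racoon wait for DNS, as an added Python example that is not pfSense or racoon code: it mimics the rules.debug outcome for a literal IP versus an unresolved FQDN, and shows a resolve-with-retry gate one could run before starting the daemon. The resolver, interface name, addresses and rule label are assumptions.

```python
"""Added example (not pfSense code). The filter generator needs the peer's
*address* to write the two UDP/500 isakmp rules seen in the thread; an FQDN
that does not resolve yet at boot yields the '# ERROR! ...' marker instead.
A resolver callback is injected so this runs offline."""
import ipaddress
import time
from typing import Callable, List, Optional, Tuple

Resolver = Callable[[str], Optional[str]]  # hypothetical DNS lookup: name -> IP or None


def peer_address(remote_gateway: str, resolve: Resolver) -> Optional[str]:
    """A literal IP is used as-is; an FQDN goes through the resolver (None on failure)."""
    try:
        return str(ipaddress.ip_address(remote_gateway))
    except ValueError:
        return resolve(remote_gateway)


def isakmp_rules(wan_if: str, wan_ip: str, remote_gateway: str,
                 label: str, resolve: Resolver) -> List[str]:
    """Mimic rules.debug: the outbound/inbound isakmp rules, or the error marker."""
    peer = peer_address(remote_gateway, resolve)
    if peer is None:
        return [f"# ERROR! Unable to determine remote IPsec peer address for {remote_gateway}"]
    return [
        f'pass out on $WAN route-to ( {wan_if} {wan_ip} ) proto udp from any to {peer} '
        f'port = 500 keep state label "IPsec: {label} - outbound isakmp"',
        f'pass in on $WAN reply-to ( {wan_if} {wan_ip} ) proto udp from {peer} to any '
        f'port = 500 keep state label "IPsec: {label} - inbound isakmp"',
    ]


def wait_for_peer(remote_gateway: str, resolve: Resolver, attempts: int = 5,
                  delay: float = 0.0, sleep=time.sleep) -> Tuple[Optional[str], int]:
    """Retry resolution before starting the daemon; returns (peer, attempts used)."""
    for attempt in range(1, attempts + 1):
        peer = peer_address(remote_gateway, resolve)
        if peer is not None:
            return peer, attempt
        sleep(delay)
    return None, attempts


def flaky_resolver(ready_after: int) -> Resolver:
    """Constructed DNS stand-in: the first `ready_after` lookups fail, like DNS not yet up at boot."""
    calls = {"n": 0}

    def resolve(name: str) -> Optional[str]:
        calls["n"] += 1
        return "198.51.100.7" if calls["n"] > ready_after else None  # constructed peer IP

    return resolve
```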
-
I have a similar problem to the one posted by raylund (see my post http://forum.pfsense.org/index.php/topic,33621.0.html ).
But I think something is happening and no one is interested in checking or helping in depth to solve it.
I've had experience since 1994 installing and configuring routers.
I've found pfSense to be an extraordinary solution, but in my opinion RC1 looks like a beta instead of a Release Candidate.
Tito
-
I found the problem for IPsec FQDN config.
I proposed a fix on http://redmine.pfsense.org/issues/1356
Maybe that helps.
Regards
-
Ermal has just committed a working fix. It will be there in the next snapshot!
-
Yes, the snapshot 2.0-RC1 (i386) built on Wed Mar 16 17:04:38 EDT 2011 fixed the problem.
All my VPN links connected right after reboot.
Thanks.
-Raylund