Netgate Discussion Forum
    Mobile ipsec problem since upgrade from pfsense 2.0.1 to 2.0.2
    IPsec

    dneuhaeuser

      Hi!

      I had a perfectly working setup but since upgrade from 2.0.1 to 2.0.2 there seems to be a problem with mobile ipsec connections:

      the first client always connects fine and traffic is flowing nicely.
      client can even disconnect and reconnect multiple times without problem.

      BUT when a second client connects: the IPsec tunnel comes up, but NO traffic is going through the tunnel.
      from this point on, the first client is also affected and cannot communicate through the tunnel anymore.

      when restarting the racoon service I can reproduce the behavior from the start.

      here are my logs:

      first client connection:

      –----------------------------------
      Feb 16 17:31:07 racoon: [Self]: INFO: IPsec-SA established: ESP 217.88.191.65[500]->84.61.40.187[500] spi=171222001(0xa34a3f1)
      Feb 16 17:31:07 racoon: [Self]: INFO: IPsec-SA established: ESP 217.88.191.65[500]->84.61.40.187[500] spi=64138542(0x3d2ad2e)
      Feb 16 17:31:07 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
      Feb 16 17:31:07 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
      Feb 16 17:31:07 racoon: INFO: no policy found, try to generate the policy : 10.10.10.1/32[0] 192.168.10.0/24[0] proto=any dir=in
      Feb 16 17:31:07 racoon: [Self]: INFO: respond new phase 2 negotiation: 217.88.191.65[4500]<=>84.61.40.187[4500]
      Feb 16 17:31:06 racoon: WARNING: Ignored attribute 28683
      Feb 16 17:31:06 racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
      Feb 16 17:31:06 racoon: INFO: login succeeded for user "arbor"
      Feb 16 17:31:06 racoon: INFO: Using port 0
      Feb 16 17:31:06 racoon: [Self]: INFO: ISAKMP-SA established 217.88.191.65[4500]-84.61.40.187[4500] spi:8f6c764bcc522d9e:b95ad93d3b218a15
      Feb 16 17:31:06 racoon: INFO: Sending Xauth request
      Feb 16 17:31:06 racoon: INFO: NAT detected: PEER
      Feb 16 17:31:06 racoon: [84.61.40.187] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
      Feb 16 17:31:06 racoon: INFO: NAT-D payload #1 doesn't match
      Feb 16 17:31:06 racoon: [84.61.40.187] INFO: Hashing 84.61.40.187[4500] with algo #2
      Feb 16 17:31:06 racoon: INFO: NAT-D payload #0 verified
      Feb 16 17:31:06 racoon: [Self]: [217.88.191.65] INFO: Hashing 217.88.191.65[4500] with algo #2
      Feb 16 17:31:06 racoon: [Self]: INFO: NAT-T: ports changed to: 84.61.40.187[4500]<->217.88.191.65[4500]
      Feb 16 17:31:05 racoon: INFO: Adding xauth VID payload.
      Feb 16 17:31:05 racoon: [Self]: [217.88.191.65] INFO: Hashing 217.88.191.65[500] with algo #2
      Feb 16 17:31:05 racoon: [84.61.40.187] INFO: Hashing 84.61.40.187[500] with algo #2
      Feb 16 17:31:05 racoon: INFO: Adding remote and local NAT-D payloads.
      Feb 16 17:31:05 racoon: [84.61.40.187] INFO: Selected NAT-T version: RFC 3947
      Feb 16 17:31:05 racoon: INFO: received Vendor ID: DPD
      Feb 16 17:31:05 racoon: INFO: received Vendor ID: CISCO-UNITY
      Feb 16 17:31:05 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
      Feb 16 17:31:05 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
      Feb 16 17:31:05 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
      Feb 16 17:31:05 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
      Feb 16 17:31:05 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
      Feb 16 17:31:05 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
      Feb 16 17:31:05 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
      Feb 16 17:31:05 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
      Feb 16 17:31:05 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
      Feb 16 17:31:05 racoon: INFO: received Vendor ID: RFC 3947
      Feb 16 17:31:05 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
      Feb 16 17:31:05 racoon: INFO: begin Aggressive mode.
      Feb 16 17:31:05 racoon: [Self]: INFO: respond new phase 1 negotiation: 217.88.191.65[500]<=>84.61.40.187[500]
      Feb 16 17:30:21 racoon: INFO: unsupported PF_KEY message REGISTER
      Feb 16 17:30:21 racoon: [Self]: INFO: 217.88.191.65[500] used as isakmp port (fd=15)
      Feb 16 17:30:21 racoon: [Self]: INFO: 217.88.191.65[500] used for NAT-T
      Feb 16 17:30:21 racoon: [Self]: INFO: 217.88.191.65[4500] used as isakmp port (fd=14)
      Feb 16 17:30:21 racoon: [Self]: INFO: 217.88.191.65[4500] used for NAT-T
      Feb 16 17:30:21 racoon: INFO: Resize address pool from 0 to 253
      Feb 16 17:30:21 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
      Feb 16 17:30:21 racoon: INFO: @(#)This product linked OpenSSL 0.9.8n 24 Mar 2010 (http://www.openssl.org/)
      Feb 16 17:30:21 racoon: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
      –----------------------------------

      SAD status:

      Source               Destination          Protocol  SPI       Enc. alg.  Auth. alg.  Data
      217.88.191.65[4500]  84.61.40.187[4500]   ESP-UDP   0a34a3f1  aes-cbc    hmac-sha1   5248 B
      84.61.40.187[4500]   217.88.191.65[4500]  ESP-UDP   03d2ad2e  aes-cbc    hmac-sha1   952 B

      –----------------------------------

      everything OK!

      now second client connecting:

      –----------------------------------
      Feb 16 17:35:33 racoon: ERROR: failed to begin ipsec sa negotication.
      Feb 16 17:35:33 racoon: ERROR: no configuration found for 84.61.40.187.
      Feb 16 17:35:30 racoon: ERROR: failed to begin ipsec sa negotication.
      Feb 16 17:35:30 racoon: ERROR: no configuration found for 84.61.40.187.
      Feb 16 17:35:26 racoon: ERROR: failed to begin ipsec sa negotication.
      Feb 16 17:35:26 racoon: ERROR: no configuration found for 84.61.40.187.
      Feb 16 17:35:23 racoon: ERROR: failed to begin ipsec sa negotication.
      Feb 16 17:35:23 racoon: ERROR: no configuration found for 84.61.40.187.
      Feb 16 17:35:19 racoon: [Self]: INFO: IPsec-SA established: ESP 217.88.191.65[500]->84.61.40.187[500] spi=1862747522(0x6f074582)
      Feb 16 17:35:19 racoon: [Self]: INFO: IPsec-SA established: ESP 217.88.191.65[500]->84.61.40.187[500] spi=49923734(0x2f9c696)
      Feb 16 17:35:19 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
      Feb 16 17:35:19 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
      Feb 16 17:35:19 racoon: INFO: Update the generated policy : 10.10.10.1/32[0] 192.168.10.0/24[0] proto=any dir=in
      Feb 16 17:35:19 racoon: [Self]: INFO: respond new phase 2 negotiation: 217.88.191.65[4500]<=>84.61.40.187[1024]
      Feb 16 17:35:19 racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
      Feb 16 17:35:19 racoon: INFO: login succeeded for user "arbor"
      Feb 16 17:35:19 racoon: INFO: Using port 0
      Feb 16 17:35:19 racoon: [84.61.40.187] INFO: received INITIAL-CONTACT
      Feb 16 17:35:19 racoon: [Self]: INFO: ISAKMP-SA established 217.88.191.65[4500]-84.61.40.187[1024] spi:e7d991a17e594cbd:c3149752cda23c0e
      Feb 16 17:35:19 racoon: INFO: Sending Xauth request
      Feb 16 17:35:19 racoon: INFO: NAT detected: ME PEER
      Feb 16 17:35:19 racoon: INFO: NAT-D payload #1 doesn't match
      Feb 16 17:35:19 racoon: [84.61.40.187] INFO: Hashing 84.61.40.187[1024] with algo #2
      Feb 16 17:35:19 racoon: INFO: NAT-D payload #0 doesn't match
      Feb 16 17:35:19 racoon: [Self]: [217.88.191.65] INFO: Hashing 217.88.191.65[4500] with algo #2
      Feb 16 17:35:19 racoon: [Self]: INFO: NAT-T: ports changed to: 84.61.40.187[1024]<->217.88.191.65[4500]
      Feb 16 17:35:19 racoon: INFO: Adding xauth VID payload.
      Feb 16 17:35:19 racoon: [Self]: [217.88.191.65] INFO: Hashing 217.88.191.65[500] with algo #2
      Feb 16 17:35:19 racoon: [84.61.40.187] INFO: Hashing 84.61.40.187[500] with algo #2
      Feb 16 17:35:19 racoon: INFO: Adding remote and local NAT-D payloads.
      Feb 16 17:35:19 racoon: [84.61.40.187] INFO: Selected NAT-T version: RFC 3947
      Feb 16 17:35:19 racoon: INFO: received Vendor ID: CISCO-UNITY
      Feb 16 17:35:19 racoon: INFO: received Vendor ID: DPD
      Feb 16 17:35:19 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
      Feb 16 17:35:19 racoon: INFO: received Vendor ID: RFC 3947
      Feb 16 17:35:19 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
      Feb 16 17:35:19 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
      Feb 16 17:35:19 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
      Feb 16 17:35:19 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
      Feb 16 17:35:19 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
      Feb 16 17:35:19 racoon: INFO: begin Aggressive mode.
      Feb 16 17:35:19 racoon: [Self]: INFO: respond new phase 1 negotiation: 217.88.191.65[500]<=>84.61.40.187[500]
      –----------------------------------

      SAD status:

      Source               Destination          Protocol  SPI       Enc. alg.  Auth. alg.  Data
      84.61.40.187[1024]   217.88.191.65[4500]  ESP-UDP   02f9c696  aes-cbc    hmac-sha1   10006 B
      217.88.191.65[4500]  84.61.40.187[4500]   ESP-UDP   6f074582  aes-cbc    hmac-sha1   0 B

      –----------------------------------

      No traffic flowing back here!!

      Is this possibly a bug in 2.0.2???

      --Dennis


      dneuhaeuser
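The two SAD snapshots in the post above show a pattern a practitioner can check mechanically: in the second snapshot the inbound SA from the peer arrives on NAT-T port 1024 and has carried data, while the outbound SA is still addressed to port 4500 and has carried 0 bytes. The script below is an added example, not code from the thread or from pfSense; it parses the SAD rows exactly as pfSense prints them on the status page, flags one-way tunnels and inbound/outbound NAT-T port mismatches per peer, and counts racoon "no configuration found for" errors per peer from the log. The sample rows and log lines are copied from this thread; the local address 217.88.191.65 and the column layout are assumptions taken from the post.

```python
"""Triage helpers for racoon mobile-IPsec sessions (added example, not from the thread)."""
import re
from collections import defaultdict

# Sample data copied from the thread's SAD status tables (pfSense Status > IPsec > SAD).
SAD_FIRST_CLIENT = """\
217.88.191.65[4500] 84.61.40.187[4500] ESP-UDP 0a34a3f1 aes-cbc hmac-sha1 5248 B
84.61.40.187[4500] 217.88.191.65[4500] ESP-UDP 03d2ad2e aes-cbc hmac-sha1 952 B
"""

SAD_SECOND_CLIENT = """\
84.61.40.187[1024] 217.88.191.65[4500] ESP-UDP 02f9c696 aes-cbc hmac-sha1 10006 B
217.88.191.65[4500] 84.61.40.187[4500] ESP-UDP 6f074582 aes-cbc hmac-sha1 0 B
"""

# Racoon log lines copied from the thread (the spelling of "negotication" is racoon's own).
RACOON_LOG = """\
Feb 16 17:35:33 racoon: ERROR: failed to begin ipsec sa negotication.
Feb 16 17:35:33 racoon: ERROR: no configuration found for 84.61.40.187.
Feb 16 17:35:19 racoon: [Self]: INFO: IPsec-SA established: ESP 217.88.191.65[500]->84.61.40.187[500] spi=1862747522(0x6f074582)
Feb 16 17:35:19 racoon: [Self]: INFO: NAT-T: ports changed to: 84.61.40.187[1024]<->217.88.191.65[4500]
"""

ENDPOINT = r"(\d+\.\d+\.\d+\.\d+)\[(\d+)\]"
# Column layout assumed from the post: src dst proto spi enc auth bytes
SAD_RE = re.compile(
    rf"^{ENDPOINT}\s+{ENDPOINT}\s+(\S+)\s+([0-9a-f]+)\s+(\S+)\s+(\S+)\s+(\d+)\s*B$"
)
# "[Self]: " and "[84.61.40.187] " prefixes are optional and may repeat.
LOG_RE = re.compile(r"^(\w{3} +\d+ \d+:\d+:\d+) racoon: (?:\[[^\]]*\]:? )*(\w+): (.*)$")


def parse_sad(text):
    """Parse SAD rows into dicts; rows that do not match the column layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = SAD_RE.match(line.strip())
        if not m:
            continue
        src_ip, src_port, dst_ip, dst_port, proto, spi, enc, auth, nbytes = m.groups()
        entries.append({
            "src": (src_ip, int(src_port)),
            "dst": (dst_ip, int(dst_port)),
            "proto": proto,
            "spi": spi,
            "bytes": int(nbytes),
        })
    return entries


def check_sad(entries, local_ip):
    """Return finding strings for one SAD snapshot, grouped per remote peer.

    Checks: (1) inbound SAs have carried data but every outbound SA to the
    peer shows 0 bytes (one-way tunnel); (2) the NAT-T port the peer sends
    from differs from the port the outbound SA is addressed to.
    """
    findings = []
    inbound = defaultdict(list)   # peer IP -> SAs arriving from that peer
    outbound = defaultdict(list)  # peer IP -> SAs sent to that peer
    for e in entries:
        if e["dst"][0] == local_ip:
            inbound[e["src"][0]].append(e)
        elif e["src"][0] == local_ip:
            outbound[e["dst"][0]].append(e)
    for peer in sorted(set(inbound) | set(outbound)):
        in_bytes = sum(e["bytes"] for e in inbound[peer])
        out_bytes = sum(e["bytes"] for e in outbound[peer])
        if in_bytes > 0 and out_bytes == 0:
            findings.append(f"{peer}: one-way tunnel, inbound {in_bytes} B but outbound 0 B")
        in_ports = {e["src"][1] for e in inbound[peer]}
        out_ports = {e["dst"][1] for e in outbound[peer]}
        if in_ports and out_ports and in_ports != out_ports:
            findings.append(
                f"{peer}: NAT-T port mismatch, inbound from {sorted(in_ports)} "
                f"but outbound to {sorted(out_ports)}"
            )
    return findings


def check_log(text):
    """Count racoon ERROR lines of the form 'no configuration found for <ip>' per peer."""
    peers = defaultdict(int)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        _, level, msg = m.groups()
        if level != "ERROR":
            continue
        pm = re.search(r"no configuration found for (\d+\.\d+\.\d+\.\d+)", msg)
        if pm:
            peers[pm.group(1)] += 1
    return dict(peers)


if __name__ == "__main__":
    for label, sad in (("first client", SAD_FIRST_CLIENT), ("second client", SAD_SECOND_CLIENT)):
        print(label, check_sad(parse_sad(sad), "217.88.191.65") or "OK")
    print("no-configuration errors per peer:", check_log(RACOON_LOG))
```

Run against the first snapshot the checks report nothing; against the second they report both a one-way tunnel and a port mismatch for 84.61.40.187, which is the state the post describes as "no traffic flowing back". Pasting a fresh SAD table from the status page into `SAD_SECOND_CLIENT` is enough to re-run the check on another box.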

        I just discovered that SPDs of disconnected clients are not removed in 2.0.2 anymore...

        In 2.0.1 they are reliably removed...
        Just cross-checked that on another 2.0.1 installation.

        I suppose this has to do with the problem!?


        DT

          I have the same problem after updating to 2.0.2 on my Alix 2D13. I switched back to the previous boot slice and the problem persisted, so I re-flashed with 2.0.1, restored my config and things were back to normal. I use both iOS 6.1 and Shrew Soft clients; works fantastic on 2.0.1.


          gamejia

            Anybody have any ideas on what is causing this?


            jimp (Rebel Alliance Developer, Netgate)

              If you have a chance, take a backup and try a pfSense 2.1 snapshot; it's using a newer version of IPsec tools (racoon).

              There were a few changes to IPsec from 2.0.1 to 2.0.2, but none that I'm aware of that would cause problems with mobile client SAs.

              Do make sure that you have "Prefer old IPsec SA" unchecked under System > Advanced on the Misc tab.
