Netgate Discussion Forum

Ipsec tunnels / latest snapshot

Forum: 2.1 Snapshot Feedback and Problems - RETIRED
8 Posts 3 Posters 2.1k Views
monkfish, Apr 18, 2013, 4:26 PM

    Hello,

    Just wanted to report a strange symptom I saw with my dev rig on both x86 and x64 architecture.

    Upgraded to the Thu Apr 18 07:43:22 EDT 2013 build and some (but not all) IPsec tunnels did not re-establish. It's nothing to do with a protocol/settings mismatch between the two ends of a tunnel.

    Inspected /var/etc/ipsec/racoon.conf and it appears that for the broken tunnels, phase 1 entries were not (re)written although the phase 2 entries were.

    I worked around this by disabling the affected phase 1 entries then re-enabling in the gui. The config file was then written correctly and the tunnel established. This happened on all my dev boxes but did not affect all tunnels, only some.

    I wouldn't know if any of the affected tunnels had at any time been disabled then re-enabled, so that some stale flag/config was hanging around, but I can confirm that at the time of upgrade all the tunnels were enabled and online; it was after the update/reboot that this manifested itself.

    I hope this makes sense and somebody can reproduce it. I certainly had issues but cannot quite work out why.

    Rob

    Thanks for pfsense!

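A quick post-upgrade check for the symptom described in this post, added here as an example and not part of the original thread or of pfSense itself: it parses a racoon.conf for top-level `remote` (phase 1) and `sainfo` (phase 2) blocks and reports any phase 2 entry that has no phase 1 behind it. The sample configs are constructed; the `ph1id`/`remoteid` fields used to tie a `sainfo` block to its `remote` block are an assumption about pfSense's generated config, and the script falls back to plain counting when they are absent.

```shell
#!/bin/sh
# Constructed sample resembling a pfSense 2.1-era /var/etc/ipsec/racoon.conf
# with the symptom from the thread: two phase 2 (sainfo) blocks, but only one
# phase 1 (remote) block was written. The ph1id/remoteid linkage is assumed.
write_sample_broken() {
  cat > "$1" <<'EOF'
path pre_shared_key "/var/etc/ipsec/psk.txt";

listen
{
	isakmp 203.0.113.1 [500];
}

remote 198.51.100.7
{
	ph1id 1;
	exchange_mode main;
	my_identifier address 203.0.113.1;
	peers_identifier address 198.51.100.7;
	proposal
	{
		encryption_algorithm aes 256;
		hash_algorithm sha1;
		authentication_method pre_shared_key;
		dh_group 2;
	}
}

sainfo address 192.168.1.0/24 any address 10.0.0.0/24 any
{
	remoteid 1;
	encryption_algorithm aes 256;
	authentication_algorithm hmac_sha1;
}

sainfo address 192.168.1.0/24 any address 10.0.1.0/24 any
{
	remoteid 2;
	encryption_algorithm aes 256;
	authentication_algorithm hmac_sha1;
}
EOF
}

# Same config with the second phase 1 block present (what a correct rewrite looks like).
write_sample_healthy() {
  write_sample_broken "$1"
  cat >> "$1" <<'EOF'

remote 192.0.2.9
{
	ph1id 2;
	exchange_mode main;
	my_identifier address 203.0.113.1;
	peers_identifier address 192.0.2.9;
}
EOF
}

# check_racoon_conf FILE: prints one line per phase 2 block lacking a phase 1
# block plus a summary line, and returns 1 if anything is missing.
check_racoon_conf() {
  awk '
    # Unindented "remote <gateway>" opens a phase 1 block.
    /^remote[ \t]/ { in_remote = 1; gw = $2; p1++; next }
    # Unindented "sainfo ..." opens a phase 2 block; keep its header for the report.
    /^sainfo[ \t]/ { in_sainfo = 1; p2++; hdr[p2] = $0; next }
    in_remote && $1 == "ph1id"    { v = $2; sub(/;/, "", v); ph1[v] = gw }
    in_sainfo && $1 == "remoteid" { v = $2; sub(/;/, "", v); want[p2] = v }
    # An unindented "}" closes a top-level block (nested blocks are indented).
    /^}/ { in_remote = 0; in_sainfo = 0 }
    END {
      missing = 0
      for (i = 1; i <= p2; i++) {
        if (i in want) {
          if (!(want[i] in ph1)) {
            missing++
            print "MISSING phase 1 (remoteid " want[i] "): " hdr[i]
          }
        } else if (p1 == 0) {
          # No id linkage in this config: all we can say is phase 2 exists with no phase 1 at all.
          missing++
          print "MISSING phase 1 (no remote blocks): " hdr[i]
        }
      }
      print "phase1=" p1 + 0 " phase2=" p2 + 0 " missing=" missing
      exit (missing > 0)
    }
  ' "$1"
}
```

On a real box the call is simply `check_racoon_conf /var/etc/ipsec/racoon.conf` right after the upgrade, before touching anything in the GUI; a non-zero exit with `phase2` larger than `phase1` is the state this thread describes, and the reported `sainfo` headers tell you which phase 1 entries to disable and re-enable.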
monkfish, Apr 19, 2013, 2:30 PM

      OK, it's happened again today updating an x64 platform to 2.1-BETA1 (amd64) built on Thu Apr 18 19:43:20 EDT 2013.

      Same symptoms - tunnels were configured, enabled, established and saved. Had rebooted machine prior to update where everything was online.

      Did update and boom, two out of three tunnels do not have the phase 1 entries listed in /var/etc/ipsec/racoon.conf.

      The machines in question haven't ever been "messed with" on the command line; everything's been done through the GUI. Something's not right and I can only report the symptoms.

      As above, I am of the belief it's something to do with ticking "disable" on a phase 1 at some point in the past; there could possibly be a stale flag somewhere. I can only report what I see: never saw this before, and suddenly with the last few builds it's started manifesting itself.

      Rob

eri--, Apr 19, 2013, 2:56 PM

        Are you using any hostnames in your IPsec configs?

monkfish, Apr 19, 2013, 5:02 PM

          Hi, thanks for looking

          To answer that, yes, all tunnels are configured with hostnames, not IP addresses.

          Most of them are dynamic DNS entries against a certain domain, and these in turn resolve to ADSL or fibre service providers. Would reverse DNS have anything to do with this then?

          Cheers

          Rob

dhatz, Apr 19, 2013, 6:36 PM

            It was probably the issue with filterdns reported here, http://forum.pfsense.org/index.php/topic,61316.0.html, which was fixed today.

monkfish, Apr 19, 2013, 8:55 PM

              Evening! Not sure if I am confused by the timezone or if

              2.1-BETA1 (i386) built on Fri Apr 19 05:23:51 EDT 2013

              should have fixed it?

              I just updated one machine to the above, where the same symptoms happened. It's written only phase 2 entries to /var/etc/ipsec/racoon.conf; not a single phase 1 entry was written. Again, going to the IPsec menu, ticking disable, saving, then unticking and saving again has worked around it.

              Not sure what to post in way of diagnostics for anybody to inspect if required.

              Rob

monkfish, Apr 22, 2013, 9:43 AM

                Hello, to report it's done it again, updating as per below.

                Current version: 2.1-BETA1
                Built On: Fri Apr 19 07:42:13 EDT 2013
                New version: Sat Apr 20 19:56:40 EDT 2013

                No phase 1 entries have been written to the config file.

eri--, Apr 22, 2013, 8:22 PM

                  Try tomorrow's snapshot or a gitsync.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.