Address mismatched log flood
-
Hello everybody,
I've a working IPSec tunnel, but the log is flooded with this:
Jan 28 10:51:30 racoon: [vpn1]: [x.x.x.229] WARNING: remote address mismatched. db=x.x.x.229[4500], act=x.x.x.229[10012] Jan 28 10:51:35 racoon: [vpn1]: [x.x.x.229] WARNING: remote address mismatched. db=x.x.x.229[4500], act=x.x.x.229[10012] Jan 28 10:51:46 racoon: [vpn1]: [x.x.x.229] WARNING: remote address mismatched. db=x.x.x.229[4500], act=x.x.x.229[10012] Jan 28 10:51:51 racoon: [vpn1]: [x.x.x.229] WARNING: remote address mismatched. db=x.x.x.229[4500], act=x.x.x.229[10012]Look like a NAT-T issue. Network setup is:
pfSense <–> Wireless link (PPPoE) <--> Internet <--> Adsl router (NAT) <--> Fortigate
I've other tunnels with similar configuration which does not show issues.
Any idea?
Regards,
Corrado -
The issue seemed to go away yesterday when I restarted racoon, but today is back again.
I wuold like to put racoon in debug mode, but I'm concerned about leaving debug mode on for a day or longer on a box with a dozen active tunnels.
Is it possible to set debug mode on a single tunnel?
Regards,
Corrado -
**FIXED **
I got the issue on 2 tunnels out of a dozen.
Apart log flood, the tunnels get stuck after a few weeks.
The affected tunnels originated from the same ISP.I fixed the issue disabiling NAT-T.
UDP encapsulation of IPSEC (NAT-T) kicks in as soon as NAT is detected, despite many SOHO routers can forward ESP when properly configured.I suggest to always try IPSEC without NAT-T first.
If it works you save 8 bytes / packet (no extra UDP header) and lower the chances to get packets fragmentations (seems IPSEC MTU is not adjusted subtracting 8 bytes when using NAT-T).Regards,
Corrado