Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    IPsec

    2.2 Snapshot Feedback and Problems - RETIRED
    5
    30
    18.9k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • Raul RamosR
      Raul Ramos
      last edited by

      2.2-ALPHA (amd64)
      built on Sun Apr 20 23:14:40 CDT 2014
      nanobsd (1g)

      
Apr 21 10:46:48	charon: 16[CFG] received stroke: loglevel -1 for cfg
Apr 21 10:46:47	charon: 15[CFG] received stroke: loglevel -1 for job
Apr 21 10:46:47	charon: 13[CFG] received stroke: loglevel -1 for chd
Apr 21 10:46:47	charon: 00[JOB] spawning 16 worker threads
Apr 21 10:46:47	charon: 00[LIB] unable to load 6 plugin features (5 due to unmet dependencies)
Apr 21 10:46:47	charon: 00[LIB] loaded plugins: charon curl unbound aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-pfkey kernel-pfroute resolve socket-default stroke updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap whitelist addrblock
Apr 21 10:46:47	charon: 00[CFG] loaded 0 RADIUS server configurations
Apr 21 10:46:47	charon: 00[CFG] opening triplet file /var/etc/ipsec/ipsec.d/triplets.dat failed: No such file or directory
Apr 21 10:46:47	charon: 00[CFG] loaded IKE secret for *******@gmail.com
Apr 21 10:46:47	charon: 00[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
Apr 21 10:46:47	charon: 00[CFG] reading directory failed
Apr 21 10:46:47	charon: 00[LIB] opening directory '/var/etc/ipsec/ipsec.d/crls' failed: No such file or directory
Apr 21 10:46:47	charon: 00[CFG] loading crls from '/var/etc/ipsec/ipsec.d/crls'
Apr 21 10:46:47	charon: 00[CFG] reading directory failed
Apr 21 10:46:47	charon: 00[LIB] opening directory '/var/etc/ipsec/ipsec.d/acerts' failed: No such file or directory
Apr 21 10:46:47	charon: 00[CFG] loading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
Apr 21 10:46:47	charon: 00[CFG] reading directory failed
Apr 21 10:46:47	charon: 00[LIB] opening directory '/var/etc/ipsec/ipsec.d/ocspcerts' failed: No such file or directory
Apr 21 10:46:47	charon: 00[CFG] loading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
Apr 21 10:46:47	charon: 00[CFG] reading directory failed
Apr 21 10:46:47	charon: 00[LIB] opening directory '/var/etc/ipsec/ipsec.d/aacerts' failed: No such file or directory
Apr 21 10:46:47	charon: 00[CFG] loading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
Apr 21 10:46:47	charon: 00[CFG] reading directory failed
Apr 21 10:46:47	charon: 00[LIB] opening directory '/var/etc/ipsec/ipsec.d/cacerts' failed: No such file or directory
Apr 21 10:46:47	charon: 00[CFG] loading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
Apr 21 10:46:47	charon: 00[CFG] ipseckey plugin is disabled
Apr 21 10:46:47	charon: 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
Apr 21 10:46:47	charon: 00[KNL] unable to set UDP_ENCAP: Invalid argument
Apr 21 10:46:47	charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.1.1, FreeBSD 10.0-STABLE, amd64)
Apr 21 10:45:55	charon: 00[DMN] initialization failed - aborting charon
Apr 21 10:45:55	charon: 00[LIB] failed to load 2 critical plugin features
Apr 21 10:45:55	charon: 00[CFG] loaded 0 RADIUS server configurations
Apr 21 10:45:55	charon: 00[CFG] opening triplet file /var/etc/ipsec/ipsec.d/triplets.dat failed: No such file or directory
Apr 21 10:45:55	charon: 00[CFG] loaded IKE secret for *********@gmail.com
Apr 21 10:45:55	charon: 00[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
Apr 21 10:45:55	charon: 00[CFG] reading directory failed
Apr 21 10:45:55	charon: 00[LIB] opening directory '/var/etc/ipsec/ipsec.d/crls' failed: No such file or directory
Apr 21 10:45:55	charon: 00[CFG] loading crls from '/var/etc/ipsec/ipsec.d/crls'
Apr 21 10:45:55	charon: 00[CFG] reading directory failed
Apr 21 10:45:55	charon: 00[LIB] opening directory '/var/etc/ipsec/ipsec.d/acerts' failed: No such file or directory
Apr 21 10:45:55	charon: 00[CFG] loading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
Apr 21 10:45:55	charon: 00[CFG] reading directory failed
Apr 21 10:45:55	charon: 00[LIB] opening directory '/var/etc/ipsec/ipsec.d/ocspcerts' failed: No such file or directory
Apr 21 10:45:55	charon: 00[CFG] loading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
Apr 21 10:45:55	charon: 00[CFG] reading directory failed
Apr 21 10:45:55	charon: 00[LIB] opening directory '/var/etc/ipsec/ipsec.d/aacerts' failed: No such file or directory
Apr 21 10:45:55	charon: 00[CFG] loading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
Apr 21 10:45:55	charon: 00[CFG] reading directory failed
Apr 21 10:45:55	charon: 00[LIB] opening directory '/var/etc/ipsec/ipsec.d/cacerts' failed: No such file or directory
Apr 21 10:45:55	charon: 00[CFG] loading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'

      pfSense:
      ASRock -> Wolfdale1333-D667 (2GB TeamElite Ram)
      Marvell 88SA8040 Sata to CF(Sandisk 4GB) Controller
      NIC's: RTL8100E (Internal ) and Intel® PRO/1000 PT Dual (Intel 82571GB)

      1 Reply Last reply Reply Quote 0
      • K
        kanylbullen
        last edited by

        UPDATE: Switched to latest snapshot.

        Hi, I am also having trouble setting up IPSEC.

        2.2-ALPHA (amd64)
        built on Thu Apr 24 13:57:57 CDT 2014

        Last 50 IPsec log entries
Apr 25 14:44:33	charon: 00[KNL] unable to set UDP_ENCAP: Invalid argument
Apr 25 14:44:33	charon: 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
Apr 25 14:44:33	charon: 00[CFG] loading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
Apr 25 14:44:33	charon: 00[LIB] opening directory '/var/etc/ipsec/ipsec.d/cacerts' failed: No such file or directory
Apr 25 14:44:33	charon: 00[CFG] reading directory failed
Apr 25 14:44:33	charon: 00[CFG] loading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
Apr 25 14:44:33	charon: 00[LIB] opening directory '/var/etc/ipsec/ipsec.d/aacerts' failed: No such file or directory
Apr 25 14:44:33	charon: 00[CFG] reading directory failed
Apr 25 14:44:33	charon: 00[CFG] loading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
Apr 25 14:44:33	charon: 00[LIB] opening directory '/var/etc/ipsec/ipsec.d/ocspcerts' failed: No such file or directory
Apr 25 14:44:33	charon: 00[CFG] reading directory failed
Apr 25 14:44:33	charon: 00[CFG] loading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
Apr 25 14:44:33	charon: 00[LIB] opening directory '/var/etc/ipsec/ipsec.d/acerts' failed: No such file or directory
Apr 25 14:44:33	charon: 00[CFG] reading directory failed
Apr 25 14:44:33	charon: 00[CFG] loading crls from '/var/etc/ipsec/ipsec.d/crls'
Apr 25 14:44:33	charon: 00[LIB] opening directory '/var/etc/ipsec/ipsec.d/crls' failed: No such file or directory
Apr 25 14:44:33	charon: 00[CFG] reading directory failed
Apr 25 14:44:33	charon: 00[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
Apr 25 14:44:33	charon: 00[CFG] loaded IKE secret for 81.209.25.2
Apr 25 14:44:33	charon: 00[CFG] opening triplet file /var/etc/ipsec/ipsec.d/triplets.dat failed: No such file or directory
Apr 25 14:44:33	charon: 00[CFG] loaded 0 RADIUS server configurations
Apr 25 14:44:33	charon: 00[LIB] failed to load 2 critical plugin features
Apr 25 14:44:33	charon: 00[DMN] initialization failed - aborting charon
Apr 25 14:44:35	charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.1.1, FreeBSD 10.0-STABLE, amd64)
Apr 25 14:44:35	charon: 00[LIB] feature CUSTOM:libcharon-receiver in critical plugin 'charon' has unmet dependency: HASHER:HASH_SHA1
Apr 25 14:44:35	charon: 00[LIB] feature CUSTOM:libcharon in critical plugin 'charon' has unmet dependency: CUSTOM:libcharon-receiver
Apr 25 14:44:35	charon: 00[CFG] ipseckey plugin is disabled
Apr 25 14:44:35	charon: 00[KNL] unable to set UDP_ENCAP: Invalid argument
Apr 25 14:44:35	charon: 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
Apr 25 14:44:35	charon: 00[CFG] loading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
Apr 25 14:44:35	charon: 00[LIB] opening directory '/var/etc/ipsec/ipsec.d/cacerts' failed: No such file or directory
Apr 25 14:44:35	charon: 00[CFG] reading directory failed
Apr 25 14:44:35	charon: 00[CFG] loading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
Apr 25 14:44:35	charon: 00[LIB] opening directory '/var/etc/ipsec/ipsec.d/aacerts' failed: No such file or directory
Apr 25 14:44:35	charon: 00[CFG] reading directory failed
Apr 25 14:44:35	charon: 00[CFG] loading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
Apr 25 14:44:35	charon: 00[LIB] opening directory '/var/etc/ipsec/ipsec.d/ocspcerts' failed: No such file or directory
Apr 25 14:44:35	charon: 00[CFG] reading directory failed
Apr 25 14:44:35	charon: 00[CFG] loading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
Apr 25 14:44:35	charon: 00[LIB] opening directory '/var/etc/ipsec/ipsec.d/acerts' failed: No such file or directory
Apr 25 14:44:35	charon: 00[CFG] reading directory failed
Apr 25 14:44:35	charon: 00[CFG] loading crls from '/var/etc/ipsec/ipsec.d/crls'
Apr 25 14:44:35	charon: 00[LIB] opening directory '/var/etc/ipsec/ipsec.d/crls' failed: No such file or directory
Apr 25 14:44:35	charon: 00[CFG] reading directory failed
Apr 25 14:44:35	charon: 00[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
Apr 25 14:44:35	charon: 00[CFG] loaded IKE secret for 81.209.25.2
Apr 25 14:44:35	charon: 00[CFG] opening triplet file /var/etc/ipsec/ipsec.d/triplets.dat failed: No such file or directory
Apr 25 14:44:35	charon: 00[CFG] loaded 0 RADIUS server configurations
Apr 25 14:44:35	charon: 00[LIB] failed to load 2 critical plugin features
Apr 25 14:44:35	charon: 00[DMN] initialization failed - aborting charon
        1 Reply Last reply Reply Quote 0
        • E
          eri--
          last edited by

          Can you try with latest snapshots and see the results?

          1 Reply Last reply Reply Quote 0
          • C
            charliem
            last edited by

            @ermal:

            Can you try with latest snapshots and see the results?

            Does not work for me either.  Fresh snapshot install, restore 2.1.2 working config.  IPSEC road warrior worked under 2.1.2, but same clients see negotiation time outs with 2.2 snapshots.

            IPSEC is shown as not running on the dashboard.  I'd suggest not turning off logging for alpha builds, leave it at some reasonable level, like 1.  I see logging turned off for cfg, job, chd, ike, mgr, dmn, like:

            
charon: 12[CFG] received stroke: loglevel -1 for cfg

            I can turn on logging and post some logs if needed.

            1 Reply Last reply Reply Quote 0
            • C
              charliem
              last edited by

              @charliem:

              IPSEC is shown as not running on the dashboard.  I'd suggest not turning off logging for alpha builds, leave it at some reasonable level, like 1.  I see logging turned off for cfg, job, chd, ike, mgr, dmn, like:

              
charon: 12[CFG] received stroke: loglevel -1 for cfg

              I can turn on logging and post some logs if needed.

              Never mind the logging comments; I just now see that logging level is selectable on 'advanced settings' tab of IPSEC configuration.  Nice!  I'll check it out, they are all set to silent by default.

              1 Reply Last reply Reply Quote 0
              • C
                charliem
                last edited by

                Looking through /etc/inc/ipsec.php, I think a few errors have crept in with the change to StrongSwan:

                function ipsec_smp_dump_status() {
        global $config, $g, $custom_listtags;

        if (!file_exists("{$g['varrun_path']}/charon.xml")) {
                log_error("IPSec daemon seems to have issues or not running!");
                return;
        }

        $fd = @fsockopen("unix://{$g['varrun_path']}/charon.xml");
        if (!$fd) {
                log_error("Could not read status from ipsec");
                return;

                The first check should be for charon.pid rather than charon.xml to see if ipsec is running.  This should explain why the pfSense gui shows ipsec as not running.

                Second, the socket connection attempt should to charon.ctl, rather than charon.xml, for communicating with the stroke plugin.  This should explain why the ipsec log level setting changes in the gui are not honored.

                [2.2-ALPHA][root@pfsense.localdomain]/var/run(22): ls -l /var/run/charon*
srwxrwx---  1 root  wheel  0 May  2 10:57 /var/run/charon.ctl
-rw-r--r--  1 root  wheel  6 May  2 10:57 /var/run/charon.pid
srwxrwx---  1 root  wheel  0 May  2 10:57 /var/run/charon.wlst
[2.2-ALPHA][root@pfsense.localdomain]/var/run(23):
                1 Reply Last reply Reply Quote 0
                • E
                  eri--
                  last edited by

                  Its using the xmp plugin and those paths are correct.

                  You should see why smp plugin is not loading?

                  1 Reply Last reply Reply Quote 0
                  • C
                    charliem
                    last edited by

                    @ermal:

                    Its using the xmp plugin and those paths are correct.

                    You should see why smp plugin is not loading?

                    You are right, smp plugin is not loading; Here is a restart log:

                    May  6 16:03:00 pfsense charon: 00[DMN] signal of type SIGINT received. Shutting down
May  6 16:03:11 pfsense charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.1.1, FreeBSD 10.0-STABLE, amd64)
May  6 16:03:11 pfsense charon: 00[KNL] unable to set UDP_ENCAP: Invalid argument
May  6 16:03:11 pfsense charon: 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
May  6 16:03:11 pfsense charon: 00[CFG] ipseckey plugin is disabled
May  6 16:03:11 pfsense charon: 00[CFG] loading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
May  6 16:03:11 pfsense charon: 00[CFG]   loaded ca certificate "C=US, xxxxxx CN=internal-ca" from '/var/etc/ipsec/ipsec.d/cacerts/067991fe.0'
May  6 16:03:11 pfsense charon: 00[CFG] loading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
May  6 16:03:11 pfsense charon: 00[CFG] loading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
May  6 16:03:11 pfsense charon: 00[CFG] loading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
May  6 16:03:11 pfsense charon: 00[CFG] loading crls from '/var/etc/ipsec/ipsec.d/crls'
May  6 16:03:11 pfsense charon: 00[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
May  6 16:03:11 pfsense charon: 00[CFG]   loaded IKE secret for vpnusers@moschelhome.com
May  6 16:03:11 pfsense charon: 00[CFG] opening triplet file /var/etc/ipsec/ipsec.d/triplets.dat failed: No such fi
le or directory
May  6 16:03:11 pfsense charon: 00[CFG] loaded 0 RADIUS server configurations
May  6 16:03:11 pfsense charon: 00[LIB] loaded plugins: charon curl unbound aes des blowfish rc2 sha1 sha2 md4 md5
random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fip
s-prf gmp xcbc cmac hmac attr kernel-pfkey kernel-pfroute resolve socket-default stroke updown eap-identity eap-sim
 eap-aka eap-aka-3gpp2 eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-ea
p whitelist addrblock
May  6 16:03:11 pfsense charon: 00[LIB] unable to load 6 plugin features (5 due to unmet dependencies)
May  6 16:03:11 pfsense charon: 00[JOB] spawning 16 worker threads
May  6 16:03:11 pfsense charon: 04[CFG] received stroke: add connection 'con1-1'
May  6 16:03:11 pfsense charon: 04[CFG] added configuration 'con1-1'
May  6 16:03:11 pfsense charon: 04[CFG] received stroke: route 'con1-1'
May  6 16:03:11 pfsense charon: 04[CFG] installing trap failed, remote address unknown
May  6 16:03:11 pfsense charon: 13[CFG] received stroke: add connection 'con1-1'
May  6 16:03:11 pfsense charon: 13[CFG] added child to existing configuration 'con1-1'
May  6 16:03:11 pfsense charon: 13[CFG] received stroke: route 'con1-1'
May  6 16:03:11 pfsense charon: 13[CFG] installing trap failed, remote address unknown
May  6 16:08:22 pfsense charon: 08[CFG] rereading secrets
May  6 16:08:22 pfsense charon: 08[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
May  6 16:08:22 pfsense charon: 08[CFG]   loaded IKE secret for vpnusers@xxxxx.com
May  6 16:08:22 pfsense charon: 08[CFG] rereading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
May  6 16:08:22 pfsense charon: 08[CFG]   loaded ca certificate "C=US, xxxxxxxxxx, CN=internal-ca" from '/var/etc/ipsec/ipsec.d/cacerts/067991fe.0'
May  6 16:08:22 pfsense charon: 08[CFG] rereading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
May  6 16:08:22 pfsense charon: 08[CFG] rereading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
May  6 16:08:22 pfsense charon: 08[CFG] rereading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
May  6 16:08:22 pfsense charon: 08[CFG] rereading crls from '/var/etc/ipsec/ipsec.d/crls'
May  6 16:08:23 pfsense charon: 13[CFG] received stroke: loglevel 1 for dmn
May  6 16:08:23 pfsense charon: 08[CFG] received stroke: loglevel 0 for mgr
May  6 16:08:23 pfsense charon: 13[CFG] received stroke: loglevel 1 for ike
May  6 16:08:23 pfsense charon: 08[CFG] received stroke: loglevel -1 for chd
May  6 16:08:23 pfsense charon: 13[CFG] received stroke: loglevel -1 for job
May  6 16:08:24 pfsense charon: 07[CFG] received stroke: loglevel -1 for cfg
May  6 16:22:30 pfsense charon: 16[NET] <1> received packet: from 173.15.xx.37[500] to 24.74.xx.yy[500] (564 bytes)

                    Note this: 00[LIB] unable to load 6 plugin features (5 due to unmet dependencies)

                    I will try to up the [LIB] logging level and restart ipsec, but I have not signed the TLA so I can't look into the configuration or build side.

                    1 Reply Last reply Reply Quote 0
                    • E
                      eri--
                      last edited by

                      Its not related to tool repo at all you have everything in that image.

                      Can you show me the ldd /usr/local/lib/ipsec/plugins/libstrongswan-smp.so
                      Somehow you are missing a dependency there.

                      1 Reply Last reply Reply Quote 0
                      • C
                        charliem
                        last edited by

                        @ermal:

                        Can you show me the ldd /usr/local/lib/ipsec/plugins/libstrongswan-smp.so
                        Somehow you are missing a dependency there.

                        There is no such plugin on my system, and I guess you need the tools repo to figure out why it's not being built.  This is an AMD64 image from yesterday.

                        [2.2-ALPHA][root@pfsense.localdomain]/usr/local/lib/ipsec(4): find / -iname \*smp\*
/kernels/kernel_SMP.gz
[2.2-ALPHA][root@pfsense.localdomain]/usr/local/lib/ipsec(5): ls -l plugins
total 1220
-rwxr-xr-x  1 root  wheel    9349 May  6 05:20 libstrongswan-addrblock.so
-rwxr-xr-x  1 root  wheel   38028 May  6 05:20 libstrongswan-aes.so
-rwxr-xr-x  1 root  wheel   12613 May  6 05:20 libstrongswan-attr.so
-rwxr-xr-x  1 root  wheel   17666 May  6 05:20 libstrongswan-blowfish.so
-rwxr-xr-x  1 root  wheel   10380 May  6 05:20 libstrongswan-cmac.so
-rwxr-xr-x  1 root  wheel   12403 May  6 05:20 libstrongswan-constraints.so
-rwxr-xr-x  1 root  wheel   10856 May  6 05:20 libstrongswan-curl.so
-rwxr-xr-x  1 root  wheel   29206 May  6 05:20 libstrongswan-des.so
-rwxr-xr-x  1 root  wheel    9161 May  6 05:20 libstrongswan-dnskey.so
-rwxr-xr-x  1 root  wheel   19555 May  6 05:20 libstrongswan-eap-aka-3gpp2.so
-rwxr-xr-x  1 root  wheel   21748 May  6 05:20 libstrongswan-eap-aka.so
-rwxr-xr-x  1 root  wheel   10874 May  6 05:20 libstrongswan-eap-dynamic.so
-rwxr-xr-x  1 root  wheel    9472 May  6 05:20 libstrongswan-eap-identity.so
-rwxr-xr-x  1 root  wheel   11081 May  6 05:20 libstrongswan-eap-md5.so
-rwxr-xr-x  1 root  wheel   25868 May  6 05:20 libstrongswan-eap-mschapv2.so
-rwxr-xr-x  1 root  wheel   19188 May  6 05:20 libstrongswan-eap-peap.so
-rwxr-xr-x  1 root  wheel   48981 May  6 05:20 libstrongswan-eap-radius.so
-rwxr-xr-x  1 root  wheel   14671 May  6 05:20 libstrongswan-eap-sim-file.so
-rwxr-xr-x  1 root  wheel   22144 May  6 05:20 libstrongswan-eap-sim.so
-rwxr-xr-x  1 root  wheel    9642 May  6 05:20 libstrongswan-eap-tls.so
-rwxr-xr-x  1 root  wheel   18983 May  6 05:20 libstrongswan-eap-ttls.so
-rwxr-xr-x  1 root  wheel    9219 May  6 05:20 libstrongswan-fips-prf.so
-rwxr-xr-x  1 root  wheel   34630 May  6 05:20 libstrongswan-gmp.so
-rwxr-xr-x  1 root  wheel   10151 May  6 05:20 libstrongswan-hmac.so
-rwxr-xr-x  1 root  wheel   12819 May  6 05:20 libstrongswan-ipseckey.so
-rwxr-xr-x  1 root  wheel   36303 May  6 05:20 libstrongswan-kernel-pfkey.so
-rwxr-xr-x  1 root  wheel   26592 May  6 05:20 libstrongswan-kernel-pfroute.so
-rwxr-xr-x  1 root  wheel    9550 May  6 05:20 libstrongswan-md4.so
-rwxr-xr-x  1 root  wheel   10110 May  6 05:20 libstrongswan-md5.so
-rwxr-xr-x  1 root  wheel    7390 May  6 05:20 libstrongswan-nonce.so
-rwxr-xr-x  1 root  wheel  103975 May  6 05:20 libstrongswan-openssl.so
-rwxr-xr-x  1 root  wheel   19993 May  6 05:20 libstrongswan-pem.so
-rwxr-xr-x  1 root  wheel   19897 May  6 05:20 libstrongswan-pgp.so
-rwxr-xr-x  1 root  wheel   14472 May  6 05:20 libstrongswan-pkcs1.so
-rwxr-xr-x  1 root  wheel   14979 May  6 05:20 libstrongswan-pkcs12.so
-rwxr-xr-x  1 root  wheel   34623 May  6 05:20 libstrongswan-pkcs7.so
-rwxr-xr-x  1 root  wheel    9657 May  6 05:20 libstrongswan-pkcs8.so
-rwxr-xr-x  1 root  wheel   10008 May  6 05:20 libstrongswan-pubkey.so
-rwxr-xr-x  1 root  wheel    9426 May  6 05:20 libstrongswan-random.so
-rwxr-xr-x  1 root  wheel   10070 May  6 05:20 libstrongswan-rc2.so
-rwxr-xr-x  1 root  wheel   12288 May  6 05:20 libstrongswan-resolve.so
-rwxr-xr-x  1 root  wheel   15030 May  6 05:20 libstrongswan-revocation.so
-rwxr-xr-x  1 root  wheel   14382 May  6 05:20 libstrongswan-sha1.so
-rwxr-xr-x  1 root  wheel   16210 May  6 05:20 libstrongswan-sha2.so
-rwxr-xr-x  1 root  wheel   14942 May  6 05:20 libstrongswan-socket-default.so
-rwxr-xr-x  1 root  wheel   13568 May  6 05:20 libstrongswan-sshkey.so
-rwxr-xr-x  1 root  wheel  101821 May  6 05:20 libstrongswan-stroke.so
-rwxr-xr-x  1 root  wheel   16166 May  6 05:20 libstrongswan-unbound.so
-rwxr-xr-x  1 root  wheel   15377 May  6 05:20 libstrongswan-updown.so
-rwxr-xr-x  1 root  wheel   12132 May  6 05:20 libstrongswan-whitelist.so
-rwxr-xr-x  1 root  wheel   90623 May  6 05:20 libstrongswan-x509.so
-rwxr-xr-x  1 root  wheel   10314 May  6 05:20 libstrongswan-xauth-eap.so
-rwxr-xr-x  1 root  wheel   12961 May  6 05:20 libstrongswan-xauth-generic.so
-rwxr-xr-x  1 root  wheel   10345 May  6 05:20 libstrongswan-xcbc.so
[2.2-ALPHA][root@pfsense.localdomain]/usr/local/lib/ipsec(6):

                        [edit: add system info]

                        1 Reply Last reply Reply Quote 0
                        • E
                          eri--
                          last edited by

                          Ok fixed should show up on upcoming snaps.

                          Thank you for the help.

                          1 Reply Last reply Reply Quote 0
                          • C
                            charliem
                            last edited by

                            @ermal:

                            Ok fixed should show up on upcoming snaps.

                            Well, the smp plugin is loaded OK now and charon.xml socket is created in /var/run.  (I note on the StronSwan plugins wiki page, the smp plugin is still classified as 'in development / incomplete').  There are still some issues:

                            • gui still shows that ipsec is stopped
                            • I still get the "unable to load 6 plugin features (5 due to unmet dependencies)" in the ipsec log
                            • Log level setting changes from the gui are not honored (but I do get the 'changes have been successfully applied' banner).
                            • Strangely, each line in the log is duplicated; not initially, but only after "12[CFG] received stroke: loglevel 1 for cfg" line [1]

                            [1] Actually the lines for negotiation are not exact duplicates: one line is preceded by the logging level like so:

                            May  7 13:33:44 pfsense charon: 08[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
May  7 13:33:44 pfsense charon: 08[IKE] <1> received draft-ietf-ipsec-nat-t-ike-00 vendor ID

                            But this is far enough along for me to dig deeper and try to figure out why the negotiation is failing.

                            Thanks for looking into this.

                            1 Reply Last reply Reply Quote 0
                            • C
                              charliem
                              last edited by

                              As of: Current version: 2.2-ALPHA Built On: Sun May 11 03:46:29 CDT 2014

                              @charliem:

                              • gui still shows that ipsec is stopped

                              This one is fixed

                              • I still get the "unable to load 6 plugin features (5 due to unmet dependencies)" in the ipsec log

                              This one is still there

                              • Log level setting changes from the gui are not honored (but I do get the 'changes have been successfully applied' banner).

                              This one is fixed

                              • Strangely, each line in the log is duplicated; not initially, but only after "12[CFG] received stroke: loglevel 1 for cfg" line [1]

                              This one is still there

                              To date I've not been able to get Ipsec to work; I'm trying to get PSK mode working in road warrior mode, and charon is claiming to not find a shared key.  Configuration was working with 2.1.2, though by now I've tried lots of different configs.  Could be the 'ipseckey plugin is disabled' that's causing the issue?:

                              May 11 23:35:01 pfsense charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.1.3, FreeBSD 10.0-STABLE, amd64)
                              May 11 23:35:01 pfsense charon: 00[KNL] unable to set UDP_ENCAP: Invalid argument
                              May 11 23:35:01 pfsense charon: 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
                              May 11 23:35:01 pfsense charon: 00[CFG] ipseckey plugin is disabled
                              May 11 23:35:01 pfsense charon: 00[CFG] loading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
                              May 11 23:35:01 pfsense charon: 00[CFG]  loaded ca certificate "C=US, ST=xxxxxxxxxxx CN=internal-ca" from '/var/etc/ipsec/ipsec.d/cacerts/067991fe.0'
                              May 11 23:35:01 pfsense charon: 00[CFG] loading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
                              May 11 23:35:01 pfsense charon: 00[CFG] loading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
                              May 11 23:35:01 pfsense charon: 00[CFG] loading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
                              May 11 23:35:01 pfsense charon: 00[CFG] loading crls from '/var/etc/ipsec/ipsec.d/crls'
                              May 11 23:35:01 pfsense charon: 00[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
                              May 11 23:35:01 pfsense charon: 00[CFG]**  loaded IKE secret for vpnusers@no_place_special.com**
                              May 11 23:35:01 pfsense charon: 00[CFG] opening triplet file /var/etc/ipsec/ipsec.d/triplets.dat failed: No such fi
                              le or directory
                              May 11 23:35:01 pfsense charon: 00[CFG] loaded 0 RADIUS server configurations
                              May 11 23:35:01 pfsense charon: 00[LIB] loaded plugins: charon curl unbound aes des blowfish rc2 sha1 sha2 md4 md5
                              random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fip
                              s-prf gmp xcbc cmac hmac attr kernel-pfkey kernel-pfroute resolve socket-default stroke smp updown eap-identity eap
                              -sim eap-aka eap-aka-3gpp2 eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xaut
                              h-eap whitelist addrblock
                              May 11 23:35:01 pfsense charon: 00[LIB] unable to load 6 plugin features (5 due to unmet dependencies)
                              May 11 23:35:01 pfsense charon: 00[JOB] spawning 16 worker threads

                              Failing to find PSK:

                              May 12 16:48:01 pfsense charon: 11[IKE] IKE_SA con1-1[26] state change: CONNECTING => DESTROYING
May 12 16:48:01 pfsense charon: 11[IKE] <con1-1|26>IKE_SA con1-1[26] state change: CONNECTING => DESTROYING
May 12 16:48:06 pfsense charon: 11[NET] received packet: from 173.xx.yy.zzz[500] to 24.aa.bb.ccc[500] (564 bytes)
May 12 16:48:06 pfsense charon: 11[NET] <27> received packet: from 173.xx.yy.zzz[500] to 24.aa.bb.ccc[500] (564 bytes)
May 12 16:48:06 pfsense charon: 11[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
May 12 16:48:06 pfsense charon: 11[IKE] <27> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
May 12 16:48:06 pfsense charon: 11[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
May 12 16:48:06 pfsense charon: 11[IKE] <27> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
May 12 16:48:06 pfsense charon: 11[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
May 12 16:48:06 pfsense charon: 11[IKE] <27> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
May 12 16:48:06 pfsense charon: 11[IKE] received NAT-T (RFC 3947) vendor ID
May 12 16:48:06 pfsense charon: 11[IKE] <27> received NAT-T (RFC 3947) vendor ID
May 12 16:48:06 pfsense charon: 11[IKE] received FRAGMENTATION vendor ID
May 12 16:48:06 pfsense charon: 11[IKE] <27> received FRAGMENTATION vendor ID
May 12 16:48:06 pfsense charon: 11[IKE] received Cisco Unity vendor ID
May 12 16:48:06 pfsense charon: 11[IKE] <27> received Cisco Unity vendor ID
May 12 16:48:06 pfsense charon: 11[IKE] 173.xx.yy.zzz is initiating a Aggressive Mode IKE_SA
May 12 16:48:06 pfsense charon: 11[IKE] <27> 173.xx.yy.zzz is initiating a Aggressive Mode IKE_SA
May 12 16:48:06 pfsense charon: 11[IKE] IKE_SA (unnamed)[27] state change: CREATED => CONNECTING
May 12 16:48:06 pfsense charon: 11[IKE] <27> IKE_SA (unnamed)[27] state change: CREATED => CONNECTING
May 12 16:48:06 pfsense charon: 11[CFG] looking for pre-shared key peer configs matching 24.aa.bb.ccc...173.xx.yy.zzz[vpnusers@no_place_special.com]
May 12 16:48:06 pfsense charon: 11[CFG] <27> looking for pre-shared key peer configs matching 24.aa.bb.ccc...173.xx.yy.zzz[vpnusers@no_place_special.com]
May 12 16:48:06 pfsense charon: 11[CFG] selected peer config "con1-1"
May 12 16:48:06 pfsense charon: 11[CFG] <27> selected peer config "con1-1"
May 12 16:48:06 pfsense charon: 11[IKE] sending XAuth vendor ID
May 12 16:48:06 pfsense charon: 11[IKE] <con1-1|27>sending XAuth vendor ID
May 12 16:48:06 pfsense charon: 11[IKE] sending DPD vendor ID
May 12 16:48:06 pfsense charon: 11[IKE] <con1-1|27>sending DPD vendor ID
May 12 16:48:06 pfsense charon: 11[IKE] sending FRAGMENTATION vendor ID
May 12 16:48:06 pfsense charon: 11[IKE] <con1-1|27>sending FRAGMENTATION vendor ID
May 12 16:48:06 pfsense charon: 11[IKE] sending NAT-T (RFC 3947) vendor ID
May 12 16:48:06 pfsense charon: 11[IKE] <con1-1|27>sending NAT-T (RFC 3947) vendor ID
May 12 16:48:06 pfsense charon: 11[IKE] no shared key found for '24.aa.bb.ccc'[24.aa.bb.ccc] - 'vpnusers@no_place_special.com'[173.xx.yy.zzz]
May 12 16:48:06 pfsense charon: 11[IKE] <con1-1|27>no shared key found for '24.aa.bb.ccc'[24.aa.bb.ccc] - 'vpnusers@no_place_special.com'[173.xx.yy.zzz]
May 12 16:48:06 pfsense charon: 11[IKE] queueing INFORMATIONAL task
May 12 16:48:06 pfsense charon: 11[IKE] <con1-1|27>queueing INFORMATIONAL task
May 12 16:48:06 pfsense charon: 11[IKE] activating new tasks
May 12 16:48:06 pfsense charon: 11[IKE] <con1-1|27>activating new tasks
May 12 16:48:06 pfsense charon: 11[IKE]   activating INFORMATIONAL task
May 12 16:48:06 pfsense charon: 11[IKE] <con1-1|27>activating INFORMATIONAL task
May 12 16:48:06 pfsense charon: 11[NET] sending packet: from 24.aa.bb.ccc[500] to 173.xx.yy.zzz[500] (56 bytes)
May 12 16:48:06 pfsense charon: 11[NET] <con1-1|27>sending packet: from 24.aa.bb.ccc[500] to 173.xx.yy.zzz[500] (56 bytes)
May 12 16:48:06 pfsense charon: 11[IKE] IKE_SA con1-1[27] state change: CONNECTING => DESTROYING
May 12 16:48:06 pfsense charon: 11[IKE] <con1-1|27>IKE_SA con1-1[27] state change: CONNECTING => DESTROYING
May 12 16:48:11 pfsense charon: 11[NET] received packet: from 173.xx.yy.zzz[500] to 24.aa.bb.ccc[500] (564 bytes)
May 12 16:48:11 pfsense charon: 11[NET] <28> received packet: from 173.xx.yy.zzz[500] to 24.aa.bb.ccc[500]</con1-1|27></con1-1|27></con1-1|27></con1-1|27></con1-1|27></con1-1|27></con1-1|27></con1-1|27></con1-1|27></con1-1|27></con1-1|26>
                              1 Reply Last reply Reply Quote 0
                              • E
                                eri--
                                last edited by

                                Can you try next snapshots?

                                Also if you get issues on matching the ID try using an PSK with a name of 'allusers'.

                                1 Reply Last reply Reply Quote 0
                                • C
                                  charliem
                                  last edited by

                                  Works for me now, thanks.  I did add 'any' and 'allusers', and also changed the client to use ip address as remote identity rather than 'key identifier'.  Not sure which did it.

                                  1 Reply Last reply Reply Quote 0
                                  • jimpJ
                                    jimp Rebel Alliance Developer Netgate
                                    last edited by

                                    Check the format of ipsec.secrets. I added some code yesterday to make it properly honor the mobile tunnel identifier when it otherwise wouldn't.

                                    Using allusers can help but it sets up an anonymous PSK which may not be what you want for general mobile IPsec (but it would be what someone wants for L2TP+IPsec)

                                    Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                                    Need help fast? Netgate Global Support!

                                    Do not Chat/PM for help!

                                    1 Reply Last reply Reply Quote 0
                                    • C
                                      charliem
                                      last edited by

                                      Yep, the image I'm using already has that commit.  Just now I took out the anonymous allusers and any PSK, and added the remote IP address.  It still connects OK with IP, I'll try to test key id later.

                                      I'm seeing the connection being destroyed due to initiator not reauthenticating though, but that may well be a config problem on the client end (shrewsoft).  Client is unaware that the connection is dropped.  Not sure why a timeout is announced 9 minutes before it's scheduled, and then the connection is dropped immediately.  What happened to the 9 minutes?

                                      May 16 13:14:29 pfsense charon: 05[IKE] <con1-1|19>initiator did not reauthenticate as requested
May 16 13:14:29 pfsense charon: 05[IKE] IKE_SA con1-1[19] will timeout in 9 minutes
May 16 13:14:29 pfsense charon: 05[IKE] <con1-1|19>IKE_SA con1-1[19] will timeout in 9 minutes
May 16 13:14:56 pfsense charon: 07[IKE] <con1-1|19>delaying task initiation, QUICK_MODE exchange in progress
May 16 13:15:00 pfsense charon: 07[IKE] giving up after 5 retransmits
May 16 13:15:00 pfsense charon: 07[IKE] <con1-1|19>giving up after 5 retransmits
May 16 13:15:00 pfsense charon: 07[IKE] unable to reestablish IKE_SA due to asymmetric setup
May 16 13:15:00 pfsense charon: 07[IKE] <con1-1|19>unable to reestablish IKE_SA due to asymmetric setup
May 16 13:15:00 pfsense charon: 07[IKE] IKE_SA con1-1[19] state change: ESTABLISHED => DESTROYING
May 16 13:15:00 pfsense charon: 07[IKE] <con1-1|19>IKE_SA con1-1[19] state change: ESTABLISHED => DESTROYING
May 16 13:15:00 pfsense charon: 07[CFG] lease 192.168.3.1 by '10.5.60.58' went offline
May 16 13:15:00 pfsense charon: 07[CFG] <con1-1|19>lease 192.168.3.1 by '10.5.60.58' went offline</con1-1|19></con1-1|19></con1-1|19></con1-1|19></con1-1|19></con1-1|19></con1-1|19>
                                      1 Reply Last reply Reply Quote 0
                                      • jimpJ
                                        jimp Rebel Alliance Developer Netgate
                                        last edited by

                                        There are still some issues, some fixed by the commits made today (gitsync if you can't wait) but a couple more I'm about to create tickets for as they're not so simple.

                                        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                                        Need help fast? Netgate Global Support!

                                        Do not Chat/PM for help!

                                        1 Reply Last reply Reply Quote 0
                                        • jimpJ
                                          jimp Rebel Alliance Developer Netgate
                                          last edited by

                                          In short:

                                          • Snap from this morning can't have more than one concurrent user connected, fixed now
                                          • "Provide a list of accessible networks to clients" doesn't seem to work, but it does work if you specify the policy on the client (Shrew, Android) or if the client ignores that and tunnels everything anyway (iOS).
                                          • "Tunnel All" only works if you add a P2 with 0.0.0.0/0 as local
                                          • If the same user connects twice, the first connection is cut off (good/intentional behavior, but may be different from 2.1)

                                          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                                          Need help fast? Netgate Global Support!

                                          Do not Chat/PM for help!

                                          1 Reply Last reply Reply Quote 0
                                          • C
                                            charliem
                                            last edited by 

                                            [2.2-ALPHA][root@pfsense.localdomain]/root(4): cat /etc/version.buildtime
Mon May 19 13:13:23 CDT 2014
[2.2-ALPHA][root@pfsense.localdomain]/root(5): ipsec pki
exec: /usr/local/bin/pki: not found
[2.2-ALPHA][root@pfsense.localdomain]/root(6): find / -iname pki
[2.2-ALPHA][root@pfsense.localdomain]/root(7):

                                            Is this intentional?  Any valid reason not to include it?

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.