    IPsec mobile client problems: no virtual IP found for %any …

    2.2 Snapshot Feedback and Problems - RETIRED
    • eri--

      It's easy: setkey -PD, setkey -D

      and ipsec logs.

      • charliem

        This may well be a configuration error on my part, but still, it was working earlier.  I don't see any errors on either the client or pfSense side, just no traffic.  This capture is with pfSense "Built On: Thu Sep 11 09:25:40 CDT 2014"

        Here
        xx.yy.zz.132 is the WAN connection on the pfSense box,
        aaa.bbb.ccc.137 is the WAN connection of the client,
        192.168.2.0/24 is the LAN behind pfSense,
        192.168.3.1 is the virtual IP assigned to the client.  Client is on a NAT'd LAN network 10.5.60.0/24

        setkey -D and setkey -PD output (note that 'lastused' time never changes from creation time):

        xx.yy.zz.132 aaa.bbb.ccc.137 
        	esp mode=tunnel spi=1572953404(0x5dc15d3c) reqid=1(0x00000001)
        	E: rijndael-cbc  50725a75 f02eb788 f888fb98 da4872b6 c16c47c5 8f87ae3b 4b184b01 cd6c1c99
        	A: hmac-sha1  c9cc9950 a4d5c037 825fe8ef 4927e83e bb8390c2
        	seq=0x00000000 replay=32 flags=0x00000000 state=mature 
        	created: Sep 11 12:02:46 2014	current: Sep 11 12:03:49 2014
        	diff: 63(s)	hard: 3600(s)	soft: 2674(s)
        	last:                     	hard: 0(s)	soft: 0(s)
        	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
        	allocated: 0	hard: 0	soft: 0
        	sadb_seq=1 pid=8606 refcnt=1
        aaa.bbb.ccc.137 xx.yy.zz.132 
        	esp mode=any spi=3482626703(0xcf94aa8f) reqid=1(0x00000001)
        	E: rijndael-cbc  dd784cd1 86593380 9fddc58a 5d4179b5 0080d03d 43a46c1d b8879113 110cf70e
        	A: hmac-sha1  519fb0a9 f4bcac6f 8318e207 072fe9cc 845d4620
        	seq=0x00000000 replay=32 flags=0x00000000 state=mature 
        	created: Sep 11 12:02:46 2014	current: Sep 11 12:03:49 2014
        	diff: 63(s)	hard: 3600(s)	soft: 2546(s)
        	last:                     	hard: 0(s)	soft: 0(s)
        	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
        	allocated: 0	hard: 0	soft: 0
        	sadb_seq=0 pid=8606 refcnt=1
        
        192.168.3.1[any] 192.168.2.0/24[any] any
        	in ipsec
        	esp/tunnel/aaa.bbb.ccc.137-xx.yy.zz.132/unique:1
        	created: Sep 11 12:02:46 2014  lastused: Sep 11 12:02:46 2014
        	lifetime: 9223372036854775807(s) validtime: 0(s)
        	spid=4 seq=1 pid=32577
        	refcnt=1
        192.168.2.0/24[any] 192.168.3.1[any] any
        	out ipsec
        	esp/tunnel/xx.yy.zz.132-aaa.bbb.ccc.137/unique:1
        	created: Sep 11 12:02:46 2014  lastused: Sep 11 12:02:46 2014
        	lifetime: 9223372036854775807(s) validtime: 0(s)
        	spid=3 seq=0 pid=32577
        	refcnt=1
        

        And the condensed ipsec.log.  This log covers boot, setting up the Shrew Soft link, 5 failed pings from the client, and tear-down of the connection.  I have the corresponding logs on the client side as well.

        Sep 11 12:02:46 pfsense charon: 12[NET] received packet: from aaa.bbb.ccc.137[500] to xx.yy.zz.132[500] (484 bytes)
        Sep 11 12:02:46 pfsense charon: 12[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V ]
        Sep 11 12:02:46 pfsense charon: 12[IKE] <1> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
        Sep 11 12:02:46 pfsense charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
        Sep 11 12:02:46 pfsense charon: 12[ENC] received unknown vendor ID: 16:f6:ca:16:e4:a4:06:6d:83:82:1a:0f:0a:ea:a8:62
        Sep 11 12:02:46 pfsense charon: 12[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
        Sep 11 12:02:46 pfsense charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
        Sep 11 12:02:46 pfsense charon: 12[IKE] <1> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
        Sep 11 12:02:46 pfsense charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
        Sep 11 12:02:46 pfsense charon: 12[IKE] <1> received NAT-T (RFC 3947) vendor ID
        Sep 11 12:02:46 pfsense charon: 12[IKE] received NAT-T (RFC 3947) vendor ID
        Sep 11 12:02:46 pfsense charon: 12[IKE] <1> received FRAGMENTATION vendor ID
        Sep 11 12:02:46 pfsense charon: 12[IKE] received FRAGMENTATION vendor ID
        Sep 11 12:02:46 pfsense charon: 12[ENC] received unknown vendor ID: f1:4b:94:b7:bf:f1:fe:f0:27:73:b8:c4:9f:ed:ed:26
        Sep 11 12:02:46 pfsense charon: 12[ENC] received unknown vendor ID: 16:6f:93:2d:55:eb:64:d8:e4:df:4f:d3:7e:23:13:f0:d0:fd:84:51
        Sep 11 12:02:46 pfsense charon: 12[ENC] received unknown vendor ID: 84:04:ad:f9:cd:a0:57:60:b2:ca:29:2e:4b:ff:53:7b
        Sep 11 12:02:46 pfsense charon: 12[IKE] <1> received Cisco Unity vendor ID
        Sep 11 12:02:46 pfsense charon: 12[IKE] received Cisco Unity vendor ID
        Sep 11 12:02:46 pfsense charon: 12[IKE] <1> aaa.bbb.ccc.137 is initiating a Aggressive Mode IKE_SA
        Sep 11 12:02:46 pfsense charon: 12[IKE] aaa.bbb.ccc.137 is initiating a Aggressive Mode IKE_SA
        Sep 11 12:02:46 pfsense charon: 12[CFG] looking for pre-shared key peer configs matching xx.yy.zz.132...aaa.bbb.ccc.137[vpnusers@home.com]
        Sep 11 12:02:46 pfsense charon: 12[CFG] selected peer config "con1"
        Sep 11 12:02:46 pfsense charon: 12[ENC] generating AGGRESSIVE response 0 [ SA KE No ID NAT-D NAT-D HASH V V V V V ]
        Sep 11 12:02:46 pfsense charon: 12[NET] sending packet: from xx.yy.zz.132[500] to aaa.bbb.ccc.137[500] (492 bytes)
        Sep 11 12:02:46 pfsense charon: 12[NET] received packet: from aaa.bbb.ccc.137[4500] to xx.yy.zz.132[4500] (140 bytes)
        Sep 11 12:02:46 pfsense charon: 12[ENC] parsed AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
        Sep 11 12:02:46 pfsense charon: 12[IKE] <con1|1>IKE_SA con1[1] established between xx.yy.zz.132[vpnusers@home.com]...aaa.bbb.ccc.137[vpnusers@home.com]
        Sep 11 12:02:46 pfsense charon: 12[IKE] IKE_SA con1[1] established between xx.yy.zz.132[vpnusers@home.com]...aaa.bbb.ccc.137[vpnusers@home.com]
        Sep 11 12:02:46 pfsense charon: 12[IKE] <con1|1>scheduling reauthentication in 85824s
        Sep 11 12:02:46 pfsense charon: 12[IKE] scheduling reauthentication in 85824s
        Sep 11 12:02:46 pfsense charon: 12[IKE] <con1|1>maximum IKE_SA lifetime 86364s
        Sep 11 12:02:46 pfsense charon: 12[IKE] maximum IKE_SA lifetime 86364s
        Sep 11 12:02:46 pfsense charon: 12[IKE] <con1|1>local host is behind NAT, sending keep alives
        Sep 11 12:02:46 pfsense charon: 12[IKE] local host is behind NAT, sending keep alives
        Sep 11 12:02:46 pfsense charon: 12[IKE] <con1|1>remote host is behind NAT
        Sep 11 12:02:46 pfsense charon: 12[IKE] remote host is behind NAT
        Sep 11 12:02:46 pfsense charon: 14[NET] received packet: from aaa.bbb.ccc.137[4500] to xx.yy.zz.132[4500] (92 bytes)
        Sep 11 12:02:46 pfsense charon: 14[ENC] parsed INFORMATIONAL_V1 request 588915076 [ HASH N(INITIAL_CONTACT) ]
        Sep 11 12:02:46 pfsense charon: 14[NET] received packet: from aaa.bbb.ccc.137[4500] to xx.yy.zz.132[4500] (156 bytes)
        Sep 11 12:02:46 pfsense charon: 14[ENC] parsed TRANSACTION request 3720127689 [ HASH CPRQ(ADDR EXP MASK U_BANNER U_NATTPORT VER U_FWTYPE) ]
        Sep 11 12:02:46 pfsense charon: 14[IKE] <con1|1>peer requested virtual IP %any
        Sep 11 12:02:46 pfsense charon: 14[IKE] peer requested virtual IP %any
        Sep 11 12:02:46 pfsense charon: 14[CFG] assigning new lease to 'vpnusers@home.com'
        Sep 11 12:02:46 pfsense charon: 14[IKE] <con1|1>assigning virtual IP 192.168.3.1 to peer 'vpnusers@home.com'
        Sep 11 12:02:46 pfsense charon: 14[IKE] assigning virtual IP 192.168.3.1 to peer 'vpnusers@home.com'
        Sep 11 12:02:46 pfsense charon: 14[ENC] generating TRANSACTION response 3720127689 [ HASH CPRP(ADDR SUBNET DNS U_SPLITINC U_BANNER) ]
        Sep 11 12:02:46 pfsense charon: 14[NET] sending packet: from xx.yy.zz.132[4500] to aaa.bbb.ccc.137[4500] (156 bytes)
        Sep 11 12:02:46 pfsense charon: 14[NET] received packet: from aaa.bbb.ccc.137[4500] to xx.yy.zz.132[4500] (172 bytes)
        Sep 11 12:02:46 pfsense charon: 14[ENC] parsed QUICK_MODE request 3113463846 [ HASH SA No ID ID ]
        Sep 11 12:02:46 pfsense charon: 14[IKE] <con1|1>received 28800s lifetime, configured 3600s
        Sep 11 12:02:46 pfsense charon: 14[IKE] received 28800s lifetime, configured 3600s
        Sep 11 12:02:46 pfsense charon: 14[ENC] generating QUICK_MODE response 3113463846 [ HASH SA No ID ID ]
        Sep 11 12:02:46 pfsense charon: 14[NET] sending packet: from xx.yy.zz.132[4500] to aaa.bbb.ccc.137[4500] (188 bytes)
        Sep 11 12:02:46 pfsense charon: 14[NET] received packet: from aaa.bbb.ccc.137[4500] to xx.yy.zz.132[4500] (76 bytes)
        Sep 11 12:02:46 pfsense charon: 14[ENC] parsed QUICK_MODE request 3113463846 [ HASH ]
        Sep 11 12:02:46 pfsense charon: 14[IKE] <con1|1>CHILD_SA con1{1} established with SPIs cf94aa8f_i 5dc15d3c_o and TS 192.168.2.0/24|/0 === 192.168.3.1/32|/0 
        Sep 11 12:02:46 pfsense charon: 14[IKE] CHILD_SA con1{1} established with SPIs cf94aa8f_i 5dc15d3c_o and TS 192.168.2.0/24|/0 === 192.168.3.1/32|/0 
        Sep 11 12:03:10 pfsense charon: 14[IKE] <con1|1>sending keep alive to aaa.bbb.ccc.137[4500]
        Sep 11 12:03:10 pfsense charon: 14[IKE] sending keep alive to aaa.bbb.ccc.137[4500]
        Sep 11 12:03:30 pfsense charon: 14[IKE] <con1|1>sending keep alive to aaa.bbb.ccc.137[4500]
        Sep 11 12:03:30 pfsense charon: 14[IKE] sending keep alive to aaa.bbb.ccc.137[4500]
        Sep 11 12:03:50 pfsense charon: 14[IKE] <con1|1>sending keep alive to aaa.bbb.ccc.137[4500]
        Sep 11 12:07:10 pfsense charon: 14[IKE] sending keep alive to aaa.bbb.ccc.137[4500]
        Sep 11 12:07:30 pfsense charon: 14[IKE] <con1|1>sending keep alive to aaa.bbb.ccc.137[4500]
        Sep 11 12:07:30 pfsense charon: 14[IKE] sending keep alive to aaa.bbb.ccc.137[4500]
        Sep 11 12:07:50 pfsense charon: 14[IKE] <con1|1>sending keep alive to aaa.bbb.ccc.137[4500]
        Sep 11 12:07:50 pfsense charon: 14[IKE] sending keep alive to aaa.bbb.ccc.137[4500]
        Sep 11 12:07:50 pfsense charon: 14[NET] received packet: from aaa.bbb.ccc.137[4500] to xx.yy.zz.132[4500] (92 bytes)
        Sep 11 12:07:50 pfsense charon: 14[ENC] parsed INFORMATIONAL_V1 request 4150358938 [ HASH D ]
        Sep 11 12:07:50 pfsense charon: 14[IKE] <con1|1>received DELETE for ESP CHILD_SA with SPI 5dc15d3c
        Sep 11 12:07:50 pfsense charon: 14[IKE] received DELETE for ESP CHILD_SA with SPI 5dc15d3c
        Sep 11 12:07:50 pfsense charon: 14[IKE] <con1|1>closing CHILD_SA con1{1} with SPIs cf94aa8f_i (0 bytes) 5dc15d3c_o (0 bytes) and TS 192.168.2.0/24|/0 === 192.168.3.1/32|/0 
        Sep 11 12:07:50 pfsense charon: 14[IKE] closing CHILD_SA con1{1} with SPIs cf94aa8f_i (0 bytes) 5dc15d3c_o (0 bytes) and TS 192.168.2.0/24|/0 === 192.168.3.1/32|/0 
        Sep 11 12:07:50 pfsense charon: 08[NET] received packet: from aaa.bbb.ccc.137[4500] to xx.yy.zz.132[4500] (92 bytes)
        Sep 11 12:07:50 pfsense charon: 08[ENC] parsed INFORMATIONAL_V1 request 2594436540 [ HASH D ]
        Sep 11 12:07:50 pfsense charon: 08[IKE] <con1|1>received DELETE for IKE_SA con1[1]
        Sep 11 12:07:50 pfsense charon: 08[IKE] received DELETE for IKE_SA con1[1]
        Sep 11 12:07:50 pfsense charon: 08[IKE] <con1|1>deleting IKE_SA con1[1] between xx.yy.zz.132[vpnusers@home.com]...aaa.bbb.ccc.137[vpnusers@home.com]
        Sep 11 12:07:50 pfsense charon: 08[IKE] deleting IKE_SA con1[1] between xx.yy.zz.132[vpnusers@home.com]...aaa.bbb.ccc.137[vpnusers@home.com]
        Sep 11 12:07:50 pfsense charon: 08[CFG] lease 192.168.3.1 by 'vpnusers@home.com' went offline
        
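A small checker that correlates the two artifacts posted above, the `setkey -D` dump and the charon log, and reports the symptom described here: a CHILD_SA that charon considers established while its kernel SAs never carry a byte (it also reports the later case, an SA negotiated by IKE with no SAD entry at all). This is an added example, not code from pfSense or strongSwan; the sample input is constructed from the values posted in this thread, and the function names are hypothetical.

```python
"""Correlate charon's CHILD_SA log lines with the kernel SAD (setkey -D)."""
import re
from dataclasses import dataclass

# Constructed sample, trimmed from the thread's setkey -D output (two SAD entries).
SETKEY_D = """\
xx.yy.zz.132 aaa.bbb.ccc.137 
\tesp mode=tunnel spi=1572953404(0x5dc15d3c) reqid=1(0x00000001)
\tseq=0x00000000 replay=32 flags=0x00000000 state=mature 
\tcreated: Sep 11 12:02:46 2014\tcurrent: Sep 11 12:03:49 2014
\tcurrent: 0(bytes)\thard: 0(bytes)\tsoft: 0(bytes)
aaa.bbb.ccc.137 xx.yy.zz.132 
\tesp mode=any spi=3482626703(0xcf94aa8f) reqid=1(0x00000001)
\tseq=0x00000000 replay=32 flags=0x00000000 state=mature 
\tcurrent: 0(bytes)\thard: 0(bytes)\tsoft: 0(bytes)
"""

# Constructed sample: the two charon lines that bracket the CHILD_SA's life.
CHARON_LOG = """\
Sep 11 12:02:46 pfsense charon: 14[IKE] CHILD_SA con1{1} established with SPIs cf94aa8f_i 5dc15d3c_o and TS 192.168.2.0/24|/0 === 192.168.3.1/32|/0
Sep 11 12:07:50 pfsense charon: 14[IKE] closing CHILD_SA con1{1} with SPIs cf94aa8f_i (0 bytes) 5dc15d3c_o (0 bytes) and TS 192.168.2.0/24|/0 === 192.168.3.1/32|/0
"""

SAD_HEADER = re.compile(r"^(\S+) (\S+)\s*$")        # unindented "src dst" opens an entry
SAD_SPI = re.compile(r"spi=\d+\(0x([0-9a-f]+)\)")
SAD_BYTES = re.compile(r"current: (\d+)\(bytes\)")  # byte counter, not the "current: <time>" line
CHILD_EST = re.compile(r"CHILD_SA (\S+) established with SPIs ([0-9a-f]+)_i ([0-9a-f]+)_o and TS (\S+) === (\S+)")
CHILD_CLOSE = re.compile(r"closing CHILD_SA (\S+) with SPIs ([0-9a-f]+)_i \((\d+) bytes\) ([0-9a-f]+)_o \((\d+) bytes\)")


@dataclass
class SadEntry:
    src: str
    dst: str
    spi: str = ""      # SPI as lower-case hex, the form charon logs it in
    nbytes: int = 0    # bytes protected so far ("current: N(bytes)")


def parse_setkey_d(text):
    """`setkey -D`: an unindented "src dst" line opens each SA, tab-indented lines
    carry its attributes.  "No SAD entries." produces an empty list."""
    entries, cur = [], None
    for line in text.splitlines():
        if line and not line[0].isspace():
            m = SAD_HEADER.match(line)
            cur = SadEntry(m.group(1), m.group(2)) if m else None
            if cur:
                entries.append(cur)
        elif cur is not None:
            if m := SAD_SPI.search(line):
                cur.spi = m.group(1)
            if m := SAD_BYTES.search(line):
                cur.nbytes = int(m.group(1))
    return entries


def parse_child_sas(log_text):
    """Map CHILD_SA name -> SPIs, traffic selectors and, once closed, charon's byte counts."""
    sas = {}
    for line in log_text.splitlines():
        if m := CHILD_EST.search(line):
            name, spi_i, spi_o, ts_l, ts_r = m.groups()
            sas[name] = {"spi_i": spi_i, "spi_o": spi_o, "ts": (ts_l, ts_r), "closed": None}
        elif m := CHILD_CLOSE.search(line):
            name, spi_i, b_i, spi_o, b_o = m.groups()
            sas.setdefault(name, {"spi_i": spi_i, "spi_o": spi_o, "ts": None})["closed"] = (int(b_i), int(b_o))
    return sas


def diagnose(setkey_text, log_text):
    """One finding per CHILD_SA: kernel SA missing, SAs idle, or bytes protected."""
    sad = {e.spi: e for e in parse_setkey_d(setkey_text)}
    findings = []
    for name, sa in parse_child_sas(log_text).items():
        missing = [s for s in (sa["spi_i"], sa["spi_o"]) if s not in sad]
        if missing:
            findings.append((name, "IKE negotiated SA but kernel SAD lacks SPI " + ", ".join(missing)))
        elif sad[sa["spi_i"]].nbytes + sad[sa["spi_o"]].nbytes == 0:
            findings.append((name, "kernel SAs present but 0 bytes in both directions"))
        else:
            findings.append((name, f"{sad[sa['spi_i']].nbytes} bytes in, {sad[sa['spi_o']].nbytes} bytes out"))
    return findings
```

Run against the real files by reading `setkey -D` output and the IPsec log into the two strings; an idle verdict means the policy never matched the pings, a missing-SPI verdict means the kernel install step failed.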
          • eri--

          I have tested this all day today and it works correctly.

          Are you sourcing your ping correctly?

            • charliem

            @ermal:

            Are you sourcing your ping correctly?

            I believe so; the routing table on the client is correct.  It's failed with two different client machines on two different external networks.

             Hmm, unrelated, but I just tried to refresh diag_ipsec.php after bringing up the tunnel, and noticed it hanging.  php-fpm is CPU-bound at 100%, and I see this in the logs:

            Sep 11 17:31:54 pfsense charon: 02[IKE] assigning virtual IP 192.168.3.1 to peer 'vpnusers@home.com'
            Sep 11 17:31:54 pfsense charon: 02[ENC] generating TRANSACTION response 1975182865 [ HASH CPRP(ADDR SUBNET DNS U_SPLITINC U_BANNER) ]
            Sep 11 17:31:54 pfsense charon: 02[NET] sending packet: from xx.yy.zz.132[4500] to aaa.bbb.ccc.137[4500] (156 bytes)
            Sep 11 17:32:00 pfsense charon: 02[DMN] thread 2 received 10
            Sep 11 17:32:00 pfsense charon: 02[LIB]  dumping 2 stack frame addresses:
            Sep 11 17:32:00 pfsense charon: 02[LIB]   /lib/libthr.so.3 @ 0x801340000 (_swapcontext+0x15b) [0x80134e4ab]
            Sep 11 17:32:00 pfsense charon: 02[LIB]     ->
            Sep 11 17:32:00 pfsense charon: 02[LIB]   /lib/libthr.so.3 @ 0x801340000 (sigaction+0x343) [0x80134e093]
            Sep 11 17:32:00 pfsense charon: 02[LIB]     ->
            Sep 11 17:32:00 pfsense charon: 02[DMN] killing ourself, received critical signal
            Sep 11 17:32:07 pfsense charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.2.0, FreeBSD 10.1-PRERELEASE, amd64)
            
            

            This hasn't happened before.

              • eri--

              Which snapshot are you on?

              Please update to the latest one.
               That was due to making the status page include necessary information.

                • charliem

                This was "Built On: Thu Sep 11 09:25:40 CDT 2014"

                I will wait for the next snapshot with your latest changes to appear, and re-test, thanks.

                  • charliem

                  On version "built on Thu Sep 11 19:41:05 CDT 2014"

                  Good news is I can't reproduce the hang in php-fpm.

                  Bad news is now no SAD or SPD entries are created, but a lease does show up in the pool.  Still no traffic though.

                  Further bad news is that setting any loglevels to '-1' is not possible any more.  This triggers corresponding entries in syslog:

                  Sep 12 07:59:35 pfsense php-fpm[27936]: /vpn_ipsec_settings.php: The command '/usr/local/sbin/ipsec stroke loglevel tls -1' returned exit code '255', the output was 'stroke: invalid option -- 1 stroke [OPTIONS] command [ARGUMENTS]  Options:   -h, --help             print this information.   -d, --daemon=NAME      name of the daemon. Commands:   Add a connection:     stroke add NAME MY_ID OTHER_ID MY_ADDR OTHER_ADDR\            MY_NET OTHER_NET     where: ID is any IKEv2 ID            ADDR is a IPv4 address            NET is a IPv4 subnet in CIDR notation   Delete a connection:     stroke delete NAME     where: NAME is a connection name added with "stroke add"   Initiate a connection:     stroke up NAME     where: NAME is a connection name added with "stroke add"   Initiate a connection without blocking:     stroke up-nb NAME     where: NAME is a connection name added with "stroke add"   Terminate a connection:     stroke down NAME     where: NAME is a connection name added with "stroke add"   Terminate a connecti
                  
                  

                  And it fails interactively as well.  Note the usage text still shows it as a valid command:

                  [2.2-ALPHA][root@pfsense.localdomain]/var/log(17): /usr/local/sbin/ipsec stroke loglevel imc -1
                  stroke: invalid option -- 1
                  
                  < lots of usage info deleted here >
                  
                  Error: invalid option
                  [2.2-ALPHA][root@pfsense.localdomain]/var/log(18):
                  
                  
                    • eri--

                    Can you share your configs?

                    I will check the loglevel thing.
                    Though it will have been there even before, it just was not noticed!

                      • charliem

                      @ermal:

                      Can you share your configs?

                      Sure, thanks for looking!  First ipsec.conf, then strongswan.conf and last ipsec listall output (with tunnel up, client appears OK and gets the login banner).

                      [2.2-ALPHA][root@pfsense.localdomain]/var/etc/ipsec(37): cat ipsec.conf
                      # This file is automatically generated. Do not edit
                      config setup
                              uniqueids = yes
                              charondebug="dmn = 1,mgr = 0,ike = 0,chd = 0,job = 0,cfg = 0,knl = 0,net = 1,enc = 0,app = 0,esp = 1,lib = 1"
                      
                      conn con1
                              aggressive = yes
                              fragmentation = yes
                              keyexchange = ikev1
                              reauth = yes
                              rekey = yes
                              reqid = 1
                              installpolicy = yes
                              type = tunnel
                              dpdaction = none
                              auto = add
                              left = xx.yy.zz.132
                              right = %any
                              leftid = vpnusers@home.com
                              ikelifetime = 86400s
                              lifetime = 3600s
                              rightsourceip = 192.168.3.0/24
                              rightsubnet = 192.168.3.0/24
                              leftsubnet = 192.168.2.0/24
                              ike = aes256-sha256-modp1024!
                              esp = aes256-md5,aes256-sha1,aes256-sha256,blowfish256-md5,blowfish256-sha1,blowfish256-sha256,blowfish192-md5,blowfish192-sha1,blowfish192-sha256,blowfish128-md5,blowfish128-sha1,blowfish128-sha256,3des-md5,3des-sha1,3des-sha256!
                              leftauth = psk
                              rightauth = psk
                      
                      
                      [2.2-ALPHA][root@pfsense.localdomain]/var/etc/ipsec(38): cat strongswan.conf
                      
                      #Automatically generated please do not modify
                      starter {
                          load_warning = no
                      }
                      
                      charon {
                      
                              # number of worker threads in charon
                              threads = 16
                              ikesa_table_size = 32
                              ikesa_table_segments = 4
                              init_limit_half_open = 1000;
                      
                              # XXX: There is not much choice here really users win their security!
                              i_dont_care_about_security_and_use_aggressive_mode_psk=yes
                      
                              # And two loggers using syslog. The subsections define the facility to log
                              # to, currently one of: daemon, auth.
                              syslog {
                      
                                      identifier = charon
                                      # default level to the LOG_DAEMON facility
                                      daemon {
                                      }
                                      # very minimalistic IKE auditing logs to LOG_AUTHPRIV
                                      auth {
                                          default = -1
                                          ike = 1
                                          ike_name = yes
                                      }
                              }
                              cisco_unity = yes
                              plugins {
                                      attr {
                                      subnet = 192.168.3.0/24
                                      dns = 8.8.8.8
                                      split-include = 192.168.2.0/24
                                      28672 = Welcome to Test .. Authorized use only!
                                      }
                              xauth-generic {
                                      script = /etc/inc/ipsec.auth-user.php
                                      authcfg = Local Database
                              }
                              }
                      }
                      
                      
                      [2.2-ALPHA][root@pfsense.localdomain]/var/etc/ipsec(41): ipsec statusall
                      Status of IKE charon daemon (weakSwan 5.2.0, FreeBSD 10.1-PRERELEASE, amd64):
                        uptime: 11 hours, since Sep 11 22:56:08 2014
                        worker threads: 10 of 16 idle, 6/0/0/0 working, job queue: 0/0/0/0, scheduled: 11
                        loaded plugins: charon curl unbound aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-pfkey kernel-pfroute resolve socket-default stroke smp updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-md5 eap-mschapv2 eap-dynamic eap-tls eap-ttls eap-peap xauth-generic xauth-eap whitelist addrblock
                      Virtual IP pools (size/online/offline):
                        192.168.3.0/24: 254/1/0
                      Listening IP addresses:
                        192.168.2.128
                        xx.yy.zz.132
                        192.168.100.5
                      Connections:
                              con1:  xx.yy.zz.132...%any  IKEv1 Aggressive
                              con1:   local:  [vpnusers@home.com] uses pre-shared key authentication
                              con1:   remote: uses pre-shared key authentication
                              con1:   child:  192.168.2.0/24|/0 === 192.168.3.0/24|/0 TUNNEL
                      Security Associations (1 up, 0 connecting):
                              con1[5]: ESTABLISHED 24 seconds ago, xx.yy.zz.132[vpnusers@home.com]...aaa.bbb.ccc.137[vpnusers@home.com]
                              con1[5]: IKEv1 SPIs: 0076e8adb5b55a1e_i 4fe2ea1d13eec388_r*, pre-shared key reauthentication in 23 hours
                              con1[5]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
                      [2.2-ALPHA][root@pfsense.localdomain]/var/etc/ipsec(42): setkey -D
                      No SAD entries.
                      [2.2-ALPHA][root@pfsense.localdomain]/var/etc/ipsec(43): setkey -PD
                      No SPD entries.
                      
                      
                        • eri--

                        You should have some warnings in your ipsec log about why the policies have not been created!

                          • charliem

                          No obvious errors in the log that I can see, they look just like what I posted yesterday.

                            • eri--

                            Well, try using a different subnet for rightsourceip rather than the peer IP address.

                              • charliem

                              @ermal:

                              Well, try using a different subnet for rightsourceip rather than the peer IP address.

                              SAD and SPD entries can be created if I comment out 'rightsubnet=192.168.3.0/24' from ipsec.conf (not sure that's possible with the current webgui code).  But I still cannot pass any traffic through the tunnel.

                              I will start from scratch and take a close look over the weekend, thanks.

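The combination eri-- points at and charliem confirms above (a mobile conn with `rightsourceip` and `rightsubnet` both set to 192.168.3.0/24, where SAD/SPD entries only appear once `rightsubnet` is dropped) can be caught with a lint pass over the generated ipsec.conf before the tunnel is brought up. This is an added example, not pfSense or strongSwan code; the ipsec.conf sample is constructed from the one posted in this thread, and the function names are hypothetical.

```python
"""Lint ipsec.conf for a mobile conn whose rightsubnet overlaps its rightsourceip pool."""
import ipaddress

# Constructed sample, reduced from the ipsec.conf posted in this thread.
IPSEC_CONF = """\
# This file is automatically generated. Do not edit
config setup
        uniqueids = yes

conn con1
        keyexchange = ikev1
        left = xx.yy.zz.132
        right = %any
        rightsourceip = 192.168.3.0/24
        rightsubnet = 192.168.3.0/24
        leftsubnet = 192.168.2.0/24
"""


def parse_ipsec_conf(text):
    """Return {"conn con1": {key: value}, ...}; comments and blank lines are skipped."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                      # "conn NAME" / "config setup"
            cur = sections.setdefault(" ".join(line.split()), {})
        elif cur is not None and "=" in line:
            key, _, value = line.partition("=")
            cur[key.strip()] = value.strip()
    return sections


def lint_mobile_conns(conf_text):
    """Flag conns with right=%any whose rightsubnet overlaps the rightsourceip pool.

    Virtual IPs handed out from the pool already get their own /32 policy, so a
    rightsubnet covering the same range is the configuration this thread ends
    up removing by hand."""
    findings = []
    for section, opts in parse_ipsec_conf(conf_text).items():
        if not section.startswith("conn ") or opts.get("right") != "%any":
            continue
        if "rightsourceip" not in opts or "rightsubnet" not in opts:
            continue
        try:
            pool = ipaddress.ip_network(opts["rightsourceip"], strict=False)
            subnets = [ipaddress.ip_network(s.strip(), strict=False)
                       for s in opts["rightsubnet"].split(",")]
        except ValueError:
            continue                                   # %dhcp, named pools, etc.
        for net in subnets:
            if net.overlaps(pool):
                findings.append((section.split(" ", 1)[1],
                                 f"rightsubnet {net} overlaps rightsourceip pool {pool}"))
    return findings
```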
                                • charliem

                                This strongswan bug https://wiki.strongswan.org/issues/586 was properly rejected because it was not a strongswan issue, but rather a FreeBSD 10.0 issue.

                                Symptoms seem to match what I'm seeing … Was or is this a valid bug?  I can't immediately find a similar patchset in FreeBSD sources, but I can't believe a bug like this would still be around.

                                  • hege

                                  FYI:

                                  I have the same issue.
                                  https://forum.pfsense.org/index.php?topic=81657.msg446613#msg446613

                                    • eri--

                                    @charliem:

                                    This strongswan bug https://wiki.strongswan.org/issues/586 was properly rejected because it was not a strongswan issue, but rather a FreeBSD 10.0 issue.

                                    Symptoms seem to match what I'm seeing … Was or is this a valid bug?  I can't immediately find a similar patchset in FreeBSD sources, but I can't believe a bug like this would still be around.

                                    The fix is already present in FreeBSD 10 AFAIK.
                                    So that patch is already merged!

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.