Netgate Discussion Forum
    IPsec + Virtual IP issues in 2.2 Dec 1st build

    Category: 2.2 Snapshot Feedback and Problems - RETIRED
    webstaff:

      Doing a test with a client with 2 sites.

      Site 1:

      BT Infinity -> PPPoE -> pfSense (1 dynamic IP from PPPoE 81. + 5 static as VIP 217.)

      Site 2:

      BT ADSL -> PPPoE -> pfSense (1 static from PPPoE)

      IPsec from WAN (PPPoE) to WAN (PPPoE) works fine, but if you try to use a VIP address it fails.

      The issue is that using a VIP on Site 1 causes socket write errors and con2 routing errors; after manually creating IPsec firewall rules these change into the log below.

      Dec 9 11:54:32 ipsec_starter[30880]: charon stopped after 200 ms
      Dec 9 11:54:32 ipsec_starter[30880]: ipsec starter stopped
      Dec 9 11:54:46 ipsec_starter[14280]: Starting strongSwan 5.2.1 IPsec [starter]…
      Dec 9 11:54:46 ipsec_starter[14280]: no netkey IPsec stack detected
      Dec 9 11:54:46 ipsec_starter[14280]: no KLIPS IPsec stack detected
      Dec 9 11:54:46 ipsec_starter[14280]: no known IPsec stack detected, ignoring!
      Dec 9 11:54:46 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.2.1, FreeBSD 10.1-RELEASE, amd64)
      Dec 9 11:54:46 charon: 00[KNL] unable to set UDP_ENCAP: Invalid argument
      Dec 9 11:54:46 charon: 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
      Dec 9 11:54:46 charon: 00[CFG] ipseckey plugin is disabled
      Dec 9 11:54:46 charon: 00[CFG] loading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
      Dec 9 11:54:46 charon: 00[CFG] loading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
      Dec 9 11:54:46 charon: 00[CFG] loading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
      Dec 9 11:54:46 charon: 00[CFG] loading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
      Dec 9 11:54:46 charon: 00[CFG] loading crls from '/var/etc/ipsec/ipsec.d/crls'
      Dec 9 11:54:46 charon: 00[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
      Dec 9 11:54:46 charon: 00[CFG] loaded IKE secret for x.x.x.x
      Dec 9 11:54:46 charon: 00[CFG] opening triplet file /var/etc/ipsec/ipsec.d/triplets.dat failed: No such file or directory
      Dec 9 11:54:46 charon: 00[CFG] loaded 0 RADIUS server configurations
      Dec 9 11:54:46 charon: 00[LIB] loaded plugins: charon unbound aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf gmp xcbc cmac hmac curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke smp updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap whitelist addrblock unity
      Dec 9 11:54:46 charon: 00[LIB] unable to load 6 plugin features (5 due to unmet dependencies)
      Dec 9 11:54:46 charon: 00[JOB] spawning 16 worker threads
      Dec 9 11:54:46 ipsec_starter[14800]: charon (14974) started after 40 ms
      Dec 9 11:54:46 charon: 16[CFG] received stroke: add connection 'con2'
      Dec 9 11:54:46 charon: 16[CFG] added configuration 'con2'
      Dec 9 11:54:46 charon: 08[CFG] received stroke: route 'con2'
      Dec 9 11:54:46 ipsec_starter[14800]: 'con2' routed
      Dec 9 11:54:46 ipsec_starter[14800]:
      Dec 9 11:54:53 charon: 14[CFG] received stroke: terminate 'con2'
      Dec 9 11:54:53 charon: 14[CFG] no IKE_SA named 'con2' found
      Dec 9 11:54:53 charon: 16[CFG] received stroke: initiate 'con2'
      Dec 9 11:54:53 charon: 14[IKE] <con2|1> initiating Main Mode IKE_SA con2[1] to 217.34.198.145
      Dec 9 11:54:53 charon: 14[IKE] initiating Main Mode IKE_SA con2[1] to x.x.x.x
      Dec 9 11:54:53 charon: 14[ENC] generating ID_PROT request 0 [ SA V V V V V V ]
      Dec 9 11:54:53 charon: 14[NET] sending packet: from x.x.x.x[500] to x.x.x.x[500] (200 bytes)
      Dec 9 11:54:57 charon: 14[IKE] <con2|1> sending retransmit 1 of request message ID 0, seq 1
      Dec 9 11:54:57 charon: 14[IKE] sending retransmit 1 of request message ID 0, seq 1
      Dec 9 11:54:57 charon: 14[NET] sending packet: from x.x.x.x[500] to x.x.x.x[500] (200 bytes)
      Dec 9 11:55:04 charon: 14[IKE] <con2|1> sending retransmit 2 of request message ID 0, seq 1
      Dec 9 11:55:04 charon: 14[IKE] sending retransmit 2 of request message ID 0, seq 1
      Dec 9 11:55:04 charon: 14[NET] sending packet: from x.x.x.x[500] to x.x.x.x[500] (200 bytes)
      Dec 9 11:55:17 charon: 14[IKE] <con2|1> sending retransmit 3 of request message ID 0, seq 1
      Dec 9 11:55:17 charon: 14[IKE] sending retransmit 3 of request message ID 0, seq 1
      Dec 9 11:55:17 charon: 14[NET] sending packet: from x.x.x.x[500] to x.x.x.x[500] (200 bytes)
      Dec 9 11:55:40 charon: 14[IKE] <con2|1> sending retransmit 4 of request message ID 0, seq 1
      Dec 9 11:55:40 charon: 14[IKE] sending retransmit 4 of request message ID 0, seq 1
      Dec 9 11:55:40 charon: 14[NET] sending packet: from x.x.x.x[500] to x.x.x.x[500] (200 bytes)

      Which makes me think that the IPsec interface is just not coming up on the VIP address.

      NATting the first of the static addresses back to the LAN interface and tweaking the Phase 1 proposal for the new details does work, but what are the implications of such a messy setup?

      Did I miss something?

      Regards

      Dave

      P.S.

      2.2 seems to work great with the Gigabyte J1900N-D3V FYI!
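As an added illustration (not code from the post, pfSense or strongSwan), a small parser over charon log lines in the format shown above that flags connections whose Main Mode initiation only ever produced retransmits and never an established IKE_SA, which is the symptom Dave reports. The sample log is constructed from the post's con2 lines; the con1 entry and the `established between` line format are assumptions.

```python
import re
from collections import defaultdict
# Line shape as in the post: "Dec 9 11:54:53 charon: 14[IKE] <con2|1> msg".
# Only <conn|sa>-tagged lines name a connection; untagged copies are skipped.
LINE_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d charon: \d+\[[A-Z]+\]\s*"
    r"(?:<(?P<conn>[^|>]+)\|\d+>\s*)?(?P<msg>.*)$"
)
INIT_RE = re.compile(r"^initiating (?:Main|Aggressive) Mode IKE_SA \S+ to (?P<peer>\S+)")
RETRANS_RE = re.compile(r"^sending retransmit (?P<n>\d+) of request message ID")
ESTAB_RE = re.compile(r"^IKE_SA \S+ established between")

# Constructed sample: con2 follows the post's log; con1 is an assumed healthy
# tunnel added for contrast (peer addresses left as x.x.x.x as in the post).
SAMPLE_LOG = """\
Dec 9 11:54:46 charon: 16[CFG] added configuration 'con2'
Dec 9 11:54:53 charon: 14[IKE] <con2|1> initiating Main Mode IKE_SA con2[1] to x.x.x.x
Dec 9 11:54:53 charon: 14[IKE] initiating Main Mode IKE_SA con2[1] to x.x.x.x
Dec 9 11:54:57 charon: 14[IKE] <con2|1> sending retransmit 1 of request message ID 0, seq 1
Dec 9 11:55:04 charon: 14[IKE] <con2|1> sending retransmit 2 of request message ID 0, seq 1
Dec 9 11:55:17 charon: 14[IKE] <con2|1> sending retransmit 3 of request message ID 0, seq 1
Dec 9 11:55:40 charon: 14[IKE] <con2|1> sending retransmit 4 of request message ID 0, seq 1
Dec 9 11:56:02 charon: 09[IKE] <con1|2> initiating Main Mode IKE_SA con1[2] to x.x.x.x
Dec 9 11:56:02 charon: 09[IKE] <con1|2> IKE_SA con1[2] established between x.x.x.x[x.x.x.x]...x.x.x.x[x.x.x.x]
"""

def analyze(log_text):
    """Per-connection state (peer, initiated, retransmits, established)."""
    conns = defaultdict(lambda: {"peer": None, "initiated": False,
                                 "retransmits": 0, "established": False})
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or not m.group("conn"):
            continue  # unparseable, or an untagged duplicate line
        c, msg = conns[m.group("conn")], m.group("msg")
        if (i := INIT_RE.match(msg)):
            c["initiated"], c["peer"] = True, i.group("peer")
        elif (r := RETRANS_RE.match(msg)):
            c["retransmits"] = max(c["retransmits"], int(r.group("n")))
        elif ESTAB_RE.match(msg):
            c["established"] = True
    return dict(conns)

def unanswered(log_text, min_retransmits=3):
    """Initiations that only ever retransmitted: the symptom in the post."""
    return sorted((name, c["retransmits"], c["peer"])
                  for name, c in analyze(log_text).items()
                  if c["initiated"] and not c["established"]
                  and c["retransmits"] >= min_retransmits)
```

A hit from `unanswered()` means the peer never replied to IKE on UDP/500, so the source address the initiation was sent from and the firewall rules on that address are the first things to check, before touching proposals.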

      jimp (Rebel Alliance Developer, Netgate):

        Looks like a fix was put in for that already. Updating to a new snapshot should fix it.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        webstaff:

          Thanks for the heads up, I'll get it updated today and report back!

          Thanks for all the great work!

          Regards

          Dave
