Netgate Discussion Forum
    PfSense 2.2 <-> pfSense 2.2 IPsec tunnel (RESOLVED)

Riccardo90

Hello,
Under the Phase 1 configuration, on both pfSense boxes, fill the field My identifier with your public IP addresses and change the negotiation mode from aggressive to main.

This should permit your pfSense to work. Personally, I think that this version 2.2 is very, very bad. I just rolled back my pfSense to 2.1.5.

      Riccardo

sammybernard

I was having the same problems too … I changed the Identifier to my dyndns FQDN and so far the tunnel has been stable for 12 hours ... I can't force it to my IP address since I have DHCP. I agree IPsec has been causing us a lot of problems in this version. Hopefully they are all teething issues and can be expected with a move to a new backend... but still frustrating nonetheless.

Riccardo90

Do you mean that you don't have a static public IP but a dynamic one? In this case it should also work with the FQDN of DDNS.

          Riccardo

cmb

            Where they were working before, they should work the same after the upgrade. What settings specifically do you have configured? What about it doesn't work? PM me if you can get me access.

ratch3t

Settings for the tunnels are as follows…

[attached screenshots: sc1.PNG, sc2.PNG]

eri--

                If you do not use the Gateway group does it work?

ratch3t

                  Tried changing it to the CARP IP and just the WANPRI interface…  Still no go.

ratch3t

                    Local side is looping this in the log:

Jan 29 13:34:25 charon: 14[NET] waiting for data on sockets
Jan 29 13:34:25 charon: 14[NET] received packet from ------[500] to ------[500] on ignored interface
Jan 29 13:34:25 charon: 14[NET] received packet: from ------[500] to -----[500]

                    REMOTE SIDE is showing this:
Jan 29 13:37:01 charon: 09[KNL] SADB_EXT_PROPOSAL
Jan 29 13:37:01 charon: 09[KNL] SADB_X_EXT_POLICY
Jan 29 13:37:01 charon: 09[KNL] SADB_EXT_ADDRESS_DST
Jan 29 13:37:01 charon: 09[KNL] SADB_EXT_ADDRESS_SRC
Jan 29 13:37:01 charon: 09[KNL] received an SADB_ACQUIRE
Jan 29 13:37:01 charon: 06[JOB] watcher going to select()
Jan 29 13:37:01 charon: 06[JOB] watching 22 for reading
Jan 29 13:37:01 charon: 06[JOB] watching 17 for reading
Jan 29 13:37:01 charon: 06[JOB] watching 10 for reading
Jan 29 13:37:01 charon: 06[JOB] watched FD 12 ready to read
Jan 29 13:36:33 charon: 09[MGR] <con1000|3381> check-in of IKE_SA successful.
Jan 29 13:36:33 charon: 03[JOB] next event in 41s 989ms, waiting
Jan 29 13:36:33 charon: 08[NET] sending packet: from ------[500] to ------[500]
Jan 29 13:36:33 charon: 09[MGR] <con1000|3381> checkin IKE_SA con1000[3381]
Jan 29 13:36:33 charon: 09[NET] <con1000|3381> sending packet: from ------[500] to -----[500] (196 bytes)
Jan 29 13:36:33 charon: 09[IKE] <con1000|3381> sending retransmit 4 of request message ID 0, seq 1
Jan 29 13:36:33 charon: 09[MGR] IKE_SA con1000[3381] successfully checked out
Jan 29 13:36:33 charon: 09[MGR] checkout IKE_SA
Jan 29 13:36:33 charon: 03[JOB] no events, waiting
Jan 29 13:36:33 charon: 03[JOB] got event, queuing job for execution
Jan 29 13:36:29 charon: 06[JOB] watcher going to select()
Jan 29 13:36:29 charon: 06[JOB] watching 22 for reading
Jan 29 13:36:29 charon: 06[JOB] watching 17 for reading
Jan 29 13:36:29 charon: 06[JOB] watching 12 for reading
Jan 29 13:36:29 charon: 06[JOB] watching 10 for reading
Jan 29 13:36:29 charon: 09[CFG] ignoring acquire, connection attempt pending
Jan 29 13:36:29 charon: 06[JOB] watcher got notification, rebuilding
Jan 29 13:36:29 charon: 02[KNL] creating acquire job for policy ------/32|/0 === -------/32|/0 with reqid {1}

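A small triage script, added here as an example and not code from pfSense or strongSwan, that scans charon log lines like the ones pasted above for the two symptoms in this thread: repeated retransmits of IKE message ID 0 (the peer never answers the first Phase 1 packet) and packets arriving "on ignored interface" (charon is not listening on the address the peer sends to). The sample lines and IP addresses in it are constructed placeholders, not the poster's.

```python
import re
from collections import Counter

# Constructed example, not pfSense or strongSwan code. Patterns follow charon's
# own log wording as pasted in the thread; IPs are documentation-range placeholders.
RETRANSMIT = re.compile(r"sending retransmit (\d+) of request message ID (\d+)")
IGNORED = re.compile(r"received packet from (\S+)\[\d+\] to (\S+)\[\d+\] on ignored interface")
IKE_SA = re.compile(r"<([^|>]+)\|(\d+)>")  # strongSwan "<conn|unique-id>" tag


def triage(lines):
    """Scan charon log lines for the two symptoms seen in this thread.
    Returns {"retransmits": {(conn, sa_id): highest retransmit of message ID 0},
             "ignored": {(src, dst): packets dropped on an ignored interface}}."""
    retransmits, ignored = {}, Counter()
    for line in lines:
        m = RETRANSMIT.search(line)
        if m and m.group(2) == "0":  # message ID 0 is the very first IKE exchange
            sa = IKE_SA.search(line)
            key = (sa.group(1), int(sa.group(2))) if sa else ("untagged", 0)
            retransmits[key] = max(retransmits.get(key, 0), int(m.group(1)))
        m = IGNORED.search(line)
        if m:
            ignored[(m.group(1), m.group(2))] += 1
    return {"retransmits": retransmits, "ignored": dict(ignored)}


def diagnose(findings, max_ok=2):
    """Turn findings into hints an admin can act on in the Phase 1 settings."""
    hints = []
    for (conn, sa_id), n in findings["retransmits"].items():
        if n > max_ok:
            hints.append(f"{conn}[{sa_id}]: {n} retransmits of IKE message ID 0, peer never "
                         "answered Phase 1: check remote gateway address and UDP 500/4500 path")
    for (src, dst), n in findings["ignored"].items():
        hints.append(f"{n} packet(s) from {src} to {dst} hit an ignored interface: charon is "
                     f"not listening on {dst}; check Phase 1 Interface and My identifier")
    return hints


# Constructed sample modelled on the thread's logs (placeholder IPs)
SAMPLE = [
    "Jan 29 13:34:25 charon: 14[NET] received packet from 203.0.113.20[500] to 198.51.100.11[500] on ignored interface",
    "Jan 29 13:34:25 charon: 14[NET] received packet from 203.0.113.20[500] to 198.51.100.11[500] on ignored interface",
    "Jan 29 13:36:29 charon: 09[CFG] ignoring acquire, connection attempt pending",
    "Jan 29 13:36:33 charon: 09[IKE] <con1000|3381> sending retransmit 3 of request message ID 0, seq 1",
    "Jan 29 13:36:33 charon: 09[IKE] <con1000|3381> sending retransmit 4 of request message ID 0, seq 1",
]
```

Run `diagnose(triage(SAMPLE))` against a copied log (or a `tail` of `/var/log/ipsec.log`) to get the two hints; a tunnel whose retransmits keep climbing while the peer's log shows nothing inbound is the mismatched-address case this thread ended on.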
eri--

                      
Jan 29 13:34:25   charon: 14[NET] received packet from ------[500] to ------[500] on ignored interface
Jan 29 13:34:25   charon: 14[NET] received packet from ------[500] to ------[500] on ignored interface
Jan 29 13:34:25   charon: 14[NET] received packet: from ------[500] to -----[500]
Jan 29 13:34:25   charon: 14[NET] received packet: from ------[500] to -----[500]

                      I think you have a routing issue of sorts not related to pfSense.

cmb

                        This one just ended up being mismatched IPs in the P1. It appears it was compounded by some circumstance in which if you make significant changes to the IPsec config, strongswan wants a full stop/start to properly apply that. I'm looking into that issue separately.

Thale

                          @cmb:

                          It appears it was compounded by some circumstance in which if you make significant changes to the IPsec config, strongswan wants a full stop/start to properly apply that. I'm looking into that issue separately.

                          Would "Restart Service" work, or does a "full stop/start" refer to an actual stop followed by a start?

cmb

                            @Thale:

                            Would "Restart Service" work, or does a "full stop/start" refer to an actual stop followed by a start?

                            Stop it, then start it. A restart in some cases apparently doesn't apply all the config file changes that were made in some circumstance(s) I haven't fully quantified yet.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.