    IPSec Down after Upgrade to 2.3

cmb

      There are two separate issues here with the same symptom. The starting twice problem is fixed by what I posted earlier in the thread. The issue with openbgpd causing that same PF_KEY error doesn't have a known cause or solution yet. I'm attempting to replicate that one.

shthead

        cmb, if you would like access to my pfSense server that has the OpenBGPD issue again let me know and I will message you the details.

vsxi-13

          I'm not running OpenBGPD.  I'll review, but I'm pretty sure I applied that patch successfully utilizing the patch package utility…

          Edit:  It's definitely installed.  I navigated out to the file in question to check for the additions that were added and they're there.

          I haven't done a full reboot, would that have any chance of affecting the application of the fix?

cmb

            @vsxi-13:

            I'm not running OpenBGPD.  I'll review, but I'm pretty sure I applied that patch successfully utilizing the patch package utility…

            Edit:  It's definitely installed.  I navigated out to the file in question to check for the additions that were added and they're there.

            I haven't done a full reboot, would that have any chance of affecting the application of the fix?

            You have to either manually kill off the duplicate instances of strongswan (ipsec and charon processes), or reboot after applying that. That just prevents the problem circumstance from happening again.

vsxi-13

@cmb:

You have to either manually kill off the duplicate instances of strongswan (ipsec and charon processes), or reboot after applying that. That just prevents the problem circumstance from happening again.

I'm going to keep an eye on it. I rebooted today, however I also just rebuilt my pfSense and am running it virtually now in VMware with essentially the same configuration.

vsxi-13

@vsxi-13:

I'm going to keep an eye on it. I rebooted today, however I also just rebuilt my pfSense and am running it virtually now in VMware with essentially the same configuration.

                This would have been a great weekend to test this, however my Macbook has decided that it doesn't want to run IKEv2 anymore…

                
                Apr 22 07:34:01 mba nesessionmanager[427]: NESMIKEv2VPNSession[xxxx.dyndns-web.com:4B453608-183B-4727-B69F-DB98737FCCD7]: Received a start command from SystemUIServer[239]
                Apr 22 07:34:01 mba nesessionmanager[427]: NESMIKEv2VPNSession[xxxx.dyndns-web.com:4B453608-183B-4727-B69F-DB98737FCCD7]: status changed to connecting
                Apr 22 07:34:01 mba nesessionmanager[427]: Failed to find the VPN app for plugin type com.apple.neplugin.IKEv2
                Apr 22 07:34:01 mba neagent[926]: IKEv2 Plugin: ikev2_dns_callback: Error -65554
                Apr 22 07:34:02 mba kernel[0]: ipsec_ctl_connect: creating interface ipsec0
                Apr 22 07:34:02 mba configd[51]: network changed
                Apr 22 07:34:04 mba neagent[926]: MSCHAPv2 Error = 691, Retry = 1, Version = 0
                Apr 22 07:34:04 mba neagent[926]: Failed to process IKE Auth (EAP) packet
                Apr 22 07:34:04 mba neagent[926]: BUG in libdispatch client: kevent[EVFILT_READ] delete: "Bad file descriptor" - 0x9
                Apr 22 07:34:04 mba nesessionmanager[427]: NESMIKEv2VPNSession[xxxx.dyndns-web.com:4B453608-183B-4727-B69F-DB98737FCCD7]: status changed to disconnecting
                Apr 22 07:34:04 mba kernel[0]: SIOCPROTODETACH_IN6: ipsec0 error=6
                Apr 22 07:34:04 mba nesessionmanager[427]: NESMIKEv2VPNSession[xxxx.dyndns-web.com:4B453608-183B-4727-B69F-DB98737FCCD7]: status changed to disconnected, last stop reason $
                Apr 22 07:34:04 mba configd[51]: network changed
                Apr 22 07:34:04 mba symptomsd[422]: nw_interface_get_agents SIOCGIFAGENTIDS failed for interface "ipsec0" (index 8, type other): [6] Device not configured
                
                

Of course there are a good number of posts showing this as a problem on Google, but no real resolutions… My personal and work iPhones connect without a hitch, so it's definitely not on the pfSense side :(

zdunn

                  I am in the same boat.  I have two pfSense boxes in an HA pair running 2.3, with BGP and an IPSec VPN.  I'm happy to help test whatever patch etc as needed.

Arendtsen

Can now confirm that after removing openbgpd I haven't had any IPsec tunnels go inactive.

choudharyprabhat

Hi all,

I am a newbie in pfSense. I recently updated to pfSense 2.3 (amd64). Everything was working like a charm, including the IPsec tunnels, before installing OpenBGPD. As per our requirement I installed OpenBGPD; both IPsec and OpenBGPD worked for some hours… then all the IPsec tunnels went down. In the GUI the tunnels still show as established, but no traffic passes. To fix the issue I have to restart the firewall; then it works again for some hours.

I have also tried the steps below, but all in vain :'(

killall -9 charon
killall -9 starter
ipsec stop
ipsec start

ipsec start says:

Starting strongSwan 5.4.0 IPsec [starter]…
charon is already running (/var/run/charon.pid exists) -- skipping daemon start
no netkey IPsec stack detected
no KLIPS IPsec stack detected
no known IPsec stack detected, ignoring!
starter is already running (/var/run/starter.charon.pid exists) -- no fork done

Please suggest something, anybody; I am using pfSense in a production environment :'(

I was wondering if a downgrade to the previous version can fix this issue. Is any version workable with both IPsec and OpenBGPD?
Please, if anyone has any idea on this.
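
A pre-flight script for the two clean-up steps this thread arrives at: cmb's advice above to kill off duplicate strongSwan instances (ipsec and charon processes) before anything else, and the stale pid files that make `ipsec start` answer "charon is already running (/var/run/charon.pid exists)" after a `killall -9`, as in the post just above. This is an added example, not code from the thread, from pfSense or from strongSwan. It assumes the strongSwan 5.x pid file paths /var/run/charon.pid and /var/run/starter.charon.pid (the pfSense 2.3 defaults), that it runs as root on the firewall, and the `ps` output it parses in the test is constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense/strongSwan.
# Assumptions: strongSwan 5.x pid files at /var/run/charon.pid and
# /var/run/starter.charon.pid (pfSense 2.3 defaults); run as root, because
# kill -0 on another user's process fails with EPERM and would be
# misreported as "dead".

# Print the names of IPsec daemons that appear more than once.
# Input file holds "PID COMMAND" lines, e.g. from: ps -axo pid,comm
# (a header line is tolerated; only rows starting with a number count).
duplicate_daemons() {
    awk '$1 ~ /^[0-9]+$/ && ($2 == "charon" || $2 == "starter") { n[$2]++ }
         END { for (d in n) if (n[d] > 1) print d }' "$1" | sort
}

# Exit 0 if the pid file names a process that is NOT running (stale),
# 1 if that process is alive, 2 if there is no pid file at all.
pidfile_is_stale() {
    [ -f "$1" ] || return 2
    pid=$(tr -d '[:space:]' < "$1")
    case "$pid" in
        ''|*[!0-9]*) return 0 ;;   # empty or non-numeric content: treat as stale
    esac
    kill -0 "$pid" 2>/dev/null && return 1
    return 0
}

# Remove only those pid files whose process is dead, so that a following
# `ipsec start` does not skip the daemon start. A live charon is left alone:
# that is the "duplicate instances" case, which needs the kill step first.
clear_stale_pidfiles() {
    for f in /var/run/charon.pid /var/run/starter.charon.pid; do
        if pidfile_is_stale "$f"; then
            echo "removing stale $f"
            rm -f "$f"
        fi
    done
}

# Live run only when invoked as:  sh ipsec-preflight.sh --fix
# (loading the file for the functions alone executes nothing).
if [ "${1:-}" = "--fix" ]; then
    snap=$(mktemp)
    ps -axo pid,comm > "$snap"        # FreeBSD ps syntax, as on pfSense
    dups=$(duplicate_daemons "$snap")
    rm -f "$snap"
    if [ -n "$dups" ]; then
        echo "duplicate daemons running: $dups"
        echo "stop them all first (killall charon starter), then re-run --fix"
        exit 1
    fi
    clear_stale_pidfiles
    ipsec start
fi
```

The point of the split is that `killall -9` never gives starter a chance to delete its pid files, and `ipsec start` trusts those files rather than the process table; removing only files whose PID is dead avoids deleting the file of a daemon that is still up, which is exactly the "two charons" state cmb describes and has to be resolved by stopping both first.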

fattylewis

@choudharyprabhat:

Dude, you shouldn't have updated a prod system to 2.3 without testing!

Anyway, yes, I can confirm 2.2.6 works perfectly with IPsec and openbgpd. I'm using it myself on a prod network.

                        There is an open bug report for this issue: https://redmine.pfsense.org/issues/6223

choudharyprabhat

Thanks fattylewis, I have downgraded my pfSense box to 2.2.6; now everything is working fine. :) ;D

There is one more thing to notice: when I edited /boot/loader.conf.local with
net.inet.raw.maxdgram="131072"
net.inet.raw.recvspace="131072"

pfSense worked like a charm with IPsec and BGP even on pfSense 2.3. :)

For me that trick worked.

Thanks CMB and fattylewis for your replies… you guys rock! ;)

fattylewis

@choudharyprabhat:

Oh, nice find. I'll see about knocking up another network on 2.3, adding your change and seeing what happens.

timw

                              We've also had this issue on 2.3, and as we required BGP for our network, we've downgraded back to 2.2.6

                              Looking forward to a confirmed fix (need to wait until after hours again to try the upgrade again)

studioelement

                                I'm having the same problem with OpenBGP and IPSec.

                                Restarted the following services:
                                -OpenBGP
                                -IPSec

                                No luck.  Only rebooting worked.

                                Then tried restarting:
                                -OpenBGP
                                -IPSec
                                -OpenVPN

                                Tunnel came back up.

                                Not sure if that helps some of the developers with troubleshooting.

                                I have stopped the OpenVPN service for now and will see if the issue returns.

                                UPDATE:  Still having the issue even after disabling OpenVPN

obrienmd

                                  Same issue, pair of SG-8860s with CARP failover, dual IPSec tunnels to a Verizon Private Network with OpenBGPd required for their routing. Exact same errors, even changing both tunables:

                                  net.inet.raw.maxdgram="131072"
                                  net.inet.raw.recvspace="131072"

                                  May extend the time, but definitely doesn't solve. Really don't want to go back to 2.2.6 :)

cmb

                                    @obrienmd:

                                    Same issue, pair of SG-8860s with CARP failover, dual IPSec tunnels to a Verizon Private Network with OpenBGPd required for their routing. Exact same errors, even changing both tunables:

                                    net.inet.raw.maxdgram="131072"
                                    net.inet.raw.recvspace="131072"

                                    It's not just those two. Add:

                                    net.raw.recvspace=65535
                                    net.raw.sendspace=65535

jnorell

                                      FWIW, still seeing this problem here.  Yesterday I updated to 2.3.1 and also set these:

                                      @cmb:

                                      net.inet.raw.maxdgram="131072"
                                      net.inet.raw.recvspace="131072"
                                      net.raw.recvspace=65535
                                      net.raw.sendspace=65535

I just bumped those up higher hoping it will help, but at least for us neither the 2.3.1 update nor those specific values fixed it. Does it matter if they're set at System > Advanced > System Tunables rather than in loader.conf.local?

jnorell

                                        We've now been up for over a week with these settings (set in System > Advanced > System Tunables):

                                        net.inet.raw.maxdgram 131072
                                        net.inet.raw.recvspace 1048576
                                        net.raw.recvspace 1048576
                                        net.raw.sendspace 1048576

                                        Edit:  up over 2 weeks now, still no problem
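
A check for the four tunables this thread converged on (cmb's two `net.raw.*` values on top of the two `net.inet.raw.*` ones), as an added example that is not from the thread or from pfSense. The targets are the values jnorell reports running with for two weeks; treating them as a floor is an assumption, and the thread's own reports are mixed (obrienmd saw the two smaller settings only delay the failure). The input format is FreeBSD `sysctl` output, one "name: value" per line; the sample values in the test are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense. Targets are the
# values jnorell reported as working (assumption: a sensible floor, not a
# proven fix). Input is the output of `sysctl net.inet.raw net.raw` on
# FreeBSD: "name: value" per line.

# Print one line per tunable that is below target ("name current < target")
# or absent from the input ("name missing < target"). Prints nothing when
# all four meet the targets, so the function doubles as a boolean check.
check_raw_tunables() {
    awk -F': *' '
        BEGIN {
            want["net.inet.raw.maxdgram"]  = 131072
            want["net.inet.raw.recvspace"] = 1048576
            want["net.raw.recvspace"]      = 1048576
            want["net.raw.sendspace"]      = 1048576
        }
        ($1 in want) {
            seen[$1] = 1
            if ($2 + 0 < want[$1]) printf "%s %d < %d\n", $1, $2, want[$1]
        }
        END {
            for (k in want)
                if (!(k in seen)) printf "%s missing < %d\n", k, want[k]
        }
    ' "$1" | sort
}

# Turn the report into the runtime sysctl commands that would raise each
# shortfall. These only patch the running kernel; to survive a reboot the
# same name=value pairs go into /boot/loader.conf.local (quoted values) or
# System > Advanced > System Tunables, as the posts above do.
raw_tunable_fixes() {
    check_raw_tunables "$1" | awk '$3 == "<" { print "sysctl " $1 "=" $4 }'
}

# Live use on the firewall, as root:
#   sysctl net.inet.raw net.raw > /tmp/raw.out
#   check_raw_tunables /tmp/raw.out      # empty output means all four are at target
#   raw_tunable_fixes  /tmp/raw.out | sh # apply at runtime, then persist them
```

The "missing" case matters because a typo in a tunable name (the thread itself has one in a file path) is silently accepted by the System Tunables page and never reaches the kernel; comparing against the live `sysctl` output catches that, where reading back the GUI page would not.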

augustinermonch

Hi, I'm new here and have a problem with my pfSense and the IPsec connection.

The environment:
Location A pfSense 2.3.1_1
Location B pfSense 2.3.1_1

Connected via IPsec "site-to-site"

I tried all the tips from this thread, unfortunately without success.

Like
changing net.inet.raw.maxdgram  131072
net.inet.raw.recvspace  1048576
net.raw.recvspace  1048576
net.raw.sendspace  1048576

The problem is: when I try to access Site B via RMTC it works without problems.
However, if I want to print a print job from B to site A, the connection drops and restarts.

Does somebody have any idea?

I'm a bit desperate.

Thank you very much

I forgot to say that it worked perfectly before I updated my pfSense…

augustinermonch

Hi, it's me again. I tried to use OpenVPN instead of IPsec.
I have the same problem, and my pfSense reboots again after 2 min.

Does anyone know this situation?

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.