Netgate Discussion Forum

1.2-RC4 IPSec Tunnel problem

IPsec · 16 Posts · 4 Posters · 9.7k Views
jle2005

      Hi all,

I'm finally ready to put pfSense to the test, and what I'm trying to accomplish is setting up a site-to-site IPSec VPN tunnel between two office locations. I'm using the latest snapshot (1.2-RC4) of the pfSense image, and I'm able to set up the tunnel following the tutorial "configuring IPsec-tunnels with 2 pfSense-systems between static IP and dynamic IP". I use this tutorial as my guide because I have a static IP at one end and a dynamic IP at the other end. After the tunnel was set up, I started to ping an IP address of a computer at the static location from the dynamic location. I saw under IPSec Status that the IPSec tunnel had established a connection; however, when I check the IPSec connection log I see all kinds of errors.

      Static site error log:

      racoon: [Unknown Gateway/Dynamic]INFO:ISAKMP-SA deleted 62.251.x.x[500]-24.17.x.x[500]
      racoon: [Unknown Gateway/Dynamic]INFO:ISAKMP-SA expired 62.251.x.x[500]-24.17.x.x[500]
      racoon: INFO: received Vendor ID: DPD
      racoon: INFO: begin Aggressive mode.

The list goes on...

      Dynamic site error log:

      racoon: INFO: unsupported PF_KEY message REGISTER
      racoon: INFO: fe80::...%fxp0[500] used as isakmp port (fd=24)
      racoon: [Self]: INFO: 10.0.1.1[500] used as isakmp port (fd=23)
      racoon: INFO: fe80::…%xl0[500] used as isakmp port (fd=22)
      racoon: [Self]: INFO: 192.168.100.99[500] used as isakmp port (fd=21)
      racoon: INFO: fe80::…%fxp1[500] used as isakmp port (fd=20

The list goes on...

      At the console of the pfsense box where it says "Enter an option:", I got this error "WARNING: pseudo random number generator used for IPSec processing"

As I searched the forum looking for the answer to this problem, I read some previous posts that mention this problem; however, there is no solution to it yet.

I wonder whether I did something wrong or there is still a bug in the latest snapshot. Thanks

jle2005

        This is an update to my previous post.

As I mentioned in my previous post, I couldn't ping hosts on the opposite sites, so I started by adding an any-to-any rule under the IPSec tab on both of my pfSense boxes, and I can ping hosts on the opposite site now. However, I still get the error logs below.

        Jan 29 18:20:42 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "172.16.1.0/24[0] 192.168.1.0/24[0] proto=any dir=out"
        Jan 29 18:20:42 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.1.0/24[0] 172.16.1.0/24[0] proto=any dir=in"
        Jan 29 18:20:42 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 63.252.x.x[0]->24.17.x.x[0] spi=223333855(0xd4fcddf)
        Jan 29 18:20:42 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 24.17.x.x[0]->63.252.x.x[0] spi=101796693(0x6114b55)
        Jan 29 18:20:42 racoon: [Unknown Gateway/Dynamic]: INFO: Update the generated policy : 192.168.1.0/24[0] 172.16.1.0/24[0] proto=any dir=in
        Jan 29 18:20:42 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: 63.252.x.x[0]<=>24.17.x.x[0]
        Jan 29 18:20:41 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA expired: ESP/Tunnel 24.17.x.x[0]->63.252.x.x[0] spi=76670812(0x491e75c)
        Jan 29 18:20:41 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA expired: ESP/Tunnel 63.252.x.x[0]->24.17.x.x[0] spi=258166286(0xf634e0e)
        Jan 29 18:20:41 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established 63.252.x.x[500]-24.17.x.x[500] spi:57bbe8e812127d61:4ffe248e9b35525e
        Jan 29 18:20:41 racoon: INFO: received Vendor ID: DPD
        Jan 29 18:20:41 racoon: INFO: begin Aggressive mode.
        Jan 29 18:20:41 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 63.252.x.x[500]<=>24.17.x.x[500]
        Jan 29 18:07:39 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA deleted 63.252.x.x[500]-24.17.x.x[500] spi:f5a70c73dbf7f17a:baa137939e863faa
        Jan 29 18:07:38 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA expired 63.252.x.x[500]-24.17.x.x[500] spi:f5a70c73dbf7f17a:baa137939e863faa
        Jan 29 18:03:20 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA expired: ESP/Tunnel 24.17.x.x[0]->63.252.x.x[0] spi=27709746(0x1a6d132)
        Jan 29 18:03:20 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA expired: ESP/Tunnel 63.252.x.x[0]->24.17.x.x[0] spi=156434038(0x952fe76)
        Jan 29 18:03:20 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "172.16.1.0/24[0] 192.168.1.0/24[0] proto=any dir=out"
        Jan 29 18:03:20 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.1.0/24[0] 172.16.1.0/24[0] proto=any dir=in"
        Jan 29 18:03:20 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 63.252.x.x[0]->24.17.x.x[0] spi=258166286(0xf634e0e)
        Jan 29 18:03:20 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 24.17.x.x[0]->63.252.x.x[0] spi=76670812(0x491e75c)
        Jan 29 18:03:20 racoon: [Unknown Gateway/Dynamic]: INFO: Update the generated policy : 192.168.1.0/24[0] 172.16.1.0/24[0] proto=any dir=in
        Jan 29 18:03:20 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: 63.252.x.x[0]<=>24.17.x.x[0]
        Jan 29 17:45:59 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "172.16.1.0/24[0] 192.168.1.0/24[0] proto=any dir=out"
        Jan 29 17:45:59 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.1.0/24[0] 172.16.1.0/24[0] proto=any dir=in"
        Jan 29 17:45:59 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 63.252.x.x[0]->24.17.x.x[0] spi=156434038(0x952fe76)
        Jan 29 17:45:59 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 24.17.x.x[0]->63.252.x.x[0] spi=27709746(0x1a6d132)
        Jan 29 17:45:59 racoon: [Unknown Gateway/Dynamic]: INFO: Update the generated policy : 192.168.1.0/24[0] 172.16.1.0/24[0] proto=any dir=in
        Jan 29 17:45:59 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: 63.252..x.x[0]<=>24.17.x.x[0]
        Jan 29 17:45:58 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established 63.252.x.x[500]-24.17.x.x[500] spi:f5a70c73dbf7f17a:baa137939e863faa
        Jan 29 17:45:58 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA expired: ESP/Tunnel 24.17.x.x[0]->63.252.x.x[0] spi=93807457(0x5976361)
        Jan 29 17:45:58 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA expired: ESP/Tunnel 63.252.x.x[0]->24.17.x.x[0] spi=194346263(0xb957d17)
        Jan 29 17:45:58 racoon: INFO: received Vendor ID: DPD
        Jan 29 17:45:58 racoon: INFO: begin Aggressive mode.
        Jan 29 17:45:58 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 63.252.x.x[500]<=>24.17.x.x[500]
        Jan 29 17:32:55 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA deleted 63.252.x.x[500]-24.17.x.x[500] spi:35655904c9dd2b82:fe13b72433648a8c
        Jan 29 17:32:54 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA expired 63.252.x.x[500]-24.17.x.x[500] spi:35655904c9dd2b82:fe13b72433648a8c
        Jan 29 17:28:37 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "172.16.1.0/24[0] 192.168.1.0/24[0] proto=any dir=out"
        Jan 29 17:28:37 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.1.0/24[0] 172.16.1.0/24[0] proto=any dir=in"
        Jan 29 17:28:37 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 63.252.x.x[0]->24.17.x.x[0] spi=194346263(0xb957d17)
        Jan 29 17:28:37 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 24.17.x.x[0]->63.252.x.x[0] spi=93807457(0x5976361)
        Jan 29 17:28:37 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA expired: ESP/Tunnel 24.17.x.x[0]->63.252.x.x[0] spi=251122055(0xef7d187)
        Jan 29 17:28:37 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA expired: ESP/Tunnel 63.252.x.x[0]->24.17.x.x[0] spi=146921658(0x8c1d8ba)
        Jan 29 17:28:37 racoon: [Unknown Gateway/Dynamic]: INFO: Update the generated policy : 192.168.1.0/24[0] 172.16.1.0/24[0] proto=any dir=in
        Jan 29 17:28:37 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: 63.252.x.x[0]<=>24.17.x.x[0]
        Jan 29 17:11:16 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "172.16.1.0/24[0] 192.168.1.0/24[0] proto=any dir=out"
        Jan 29 17:11:16 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.1.0/24[0] 172.16.1.0/24[0] proto=any dir=in"
        Jan 29 17:11:16 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 63.252.x.x[0]->24.17.x.x[0] spi=146921658(0x8c1d8ba)
        Jan 29 17:11:16 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 24.17.x.x[0]->63.252.x.x[0] spi=251122055(0xef7d187)
        Jan 29 17:11:15 racoon: [Unknown Gateway/Dynamic]: INFO: Update the generated policy : 192.168.1.0/24[0] 172.16.1.0/24[0] proto=any dir=in
        Jan 29 17:11:15 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: 63.252.x.x[0]<=>24.17.x.x[0]

Please let me know if there is a fix for this yet, or can someone let me know whether you have set up an IPSec tunnel with the latest snapshot successfully. Thanks

heiko

With 1.2rc4 IPsec runs fine and stable, also with two static endpoints XOR one dynamic and one static. Please double-check your config.

jle2005

            Hi heiko and thank you very much for replying to my post. It's great to hear that you got your IPSec tunnel up and running.

Can you please describe a little about how you configured your IPSec tunnel? I followed the tutorial "configuring IPsec-tunnels with 2 pfSense-systems between static IP and dynamic IP", but there is something I didn't do right, I guess.

By looking at the error log, can you tell what those errors were all about? Thanks once again.

heiko

              Please post the screenshots of your webgui-tunnel

jle2005

heiko, I've decided to tear down the box and rebuild it, and if I run into this problem again I will post screenshots for you. Thank you very much

heiko

                  Ok, you have my attention

fastcon68

I had a similar problem with 1.2r3. It was odd; I only had a problem after the upgrade. I ended up rebuilding after I saved my configuration and printed it out so I could rebuild. That is not an option now. My configuration is too complex now.

I only upgrade when I run into a weird issue. I have one issue now where I can't access the admin tool over https from the WAN side. I have production to be concerned with, and it costs too much to have it down.

                    RC

jle2005

                      Hi fastcon68,

The weirdest part is that even though I'm getting those error logs, my IPSec tunnel is still up and running and I can transmit data back and forth between my sites.

fastcon68

I will check my log files to see if I am getting the same errors. I'll post in a few minutes. I am waiting for the site to come up.
                        RC

heiko

                          @jle2005:

                          Hi fastcon68,

The weirdest part is that even though I'm getting those error logs, my IPSec tunnel is still up and running and I can transmit data back and forth between my sites.

                          Fine

jle2005

                            Hi heiko,

Is it really fine? Does it affect the IPSec tunnel performance at all with those error logs?

heiko

                              @jle2005:

                              Hi heiko,

Is it really fine? Does it affect the IPSec tunnel performance at all with those error logs?

                              I think you have the tunnel up and running! Which error logs do you mean?

jle2005

                                heiko,

                                I think you have the tunnel up and running! Which error logs do you mean?

                                The error logs below and those in my previous posts.

                                Jan 29 18:20:42    racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "172.16.1.0/24[0] 192.168.1.0/24[0] proto=any dir=out"
                                Jan 29 18:20:42    racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.1.0/24[0] 172.16.1.0/24[0] proto=any dir=in"
                                Jan 29 18:20:42    racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 63.252.x.x[0]->24.17.x.x[0] spi=223333855(0xd4fcddf)
                                Jan 29 18:20:42    racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 24.17.x.x[0]->63.252.x.x[0] spi=101796693(0x6114b55)
                                Jan 29 18:20:42    racoon: [Unknown Gateway/Dynamic]: INFO: Update the generated policy : 192.168.1.0/24[0] 172.16.1.0/24[0] proto=any dir=in
                                Jan 29 18:20:42    racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: 63.252.x.x[0]<=>24.17.x.x[0]
                                Jan 29 18:20:41    racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA expired: ESP/Tunnel 24.17.x.x[0]->63.252.x.x[0] spi=76670812(0x491e75c)
                                Jan 29 18:20:41    racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA expired: ESP/Tunnel 63.252.x.x[0]->24.17.x.x[0] spi=258166286(0xf634e0e)
                                Jan 29 18:20:41    racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established 63.252.x.x[500]-24.17.x.x[500] spi:57bbe8e812127d61:4ffe248e9b35525e
                                Jan 29 18:20:41    racoon: INFO: received Vendor ID: DPD
                                Jan 29 18:20:41    racoon: INFO: begin Aggressive mode.
                                Jan 29 18:20:41    racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 63.252.x.x[500]<=>24.17.x.x[500]
                                Jan 29 18:07:39    racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA deleted 63.252.x.x[500]-24.17.x.x[500] spi:f5a70c73dbf7f17a:baa137939e863faa
                                Jan 29 18:07:38    racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA expired 63.252.x.x[500]-24.17.x.x[500] spi:f5a70c73dbf7f17a:baa137939e863faa
                                Jan 29 18:03:20    racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA expired: ESP/Tunnel 24.17.x.x[0]->63.252.x.x[0] spi=27709746(0x1a6d132)
                                Jan 29 18:03:20    racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA expired: ESP/Tunnel 63.252.x.x[0]->24.17.x.x[0] spi=156434038(0x952fe76)
                                Jan 29 18:03:20    racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "172.16.1.0/24[0] 192.168.1.0/24[0] proto=any dir=out"
                                Jan 29 18:03:20    racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.1.0/24[0] 172.16.1.0/24[0] proto=any dir=in"
                                Jan 29 18:03:20    racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 63.252.x.x[0]->24.17.x.x[0] spi=258166286(0xf634e0e)
                                Jan 29 18:03:20    racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 24.17.x.x[0]->63.252.x.x[0] spi=76670812(0x491e75c)
                                Jan 29 18:03:20    racoon: [Unknown Gateway/Dynamic]: INFO: Update the generated policy : 192.168.1.0/24[0] 172.16.1.0/24[0] proto=any dir=in
                                Jan 29 18:03:20    racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: 63.252.x.x[0]<=>24.17.x.x[0]

databeestje

The error messages about policies not already existing are not an error.

This is normal. This does not affect the operation of the tunnel.

                                  Kind regards,

                                  Seth

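The racoon lines jle2005 posted earlier in the thread, together with Seth's point that the "such policy does not already exist" messages are routine, can be turned into a small log check an operator can run before deciding whether a tunnel is actually in trouble. The Python below is an added example, not code from the thread or from pfSense: it parses racoon syslog lines, counts the policy messages separately from any other ERROR line, and tracks Phase 2 SPIs so that the established/expired pairs of a normal rekey can be told apart from a real failure. The sample log is constructed from the lines quoted in the thread (x.x placeholders kept as posted) plus one constructed non-benign ERROR line; the health rule of two active SPIs assumes a single Phase 2 pair (one child SA per direction).

```python
import re
from typing import Dict, List

# Constructed sample: racoon lines quoted in this thread (x.x placeholders kept
# as posted) plus one constructed non-benign ERROR line (first line) so the
# classifier has something to separate from the routine policy messages.
SAMPLE_LOG = """\
Jan 29 18:25:00 racoon: [Unknown Gateway/Dynamic]: ERROR: phase1 negotiation failed due to time up. 63.252.x.x[500]<=>24.17.x.x[500]
Jan 29 18:20:42 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "172.16.1.0/24[0] 192.168.1.0/24[0] proto=any dir=out"
Jan 29 18:20:42 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.1.0/24[0] 172.16.1.0/24[0] proto=any dir=in"
Jan 29 18:20:42 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 63.252.x.x[0]->24.17.x.x[0] spi=223333855(0xd4fcddf)
Jan 29 18:20:42 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 24.17.x.x[0]->63.252.x.x[0] spi=101796693(0x6114b55)
Jan 29 18:20:42 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: 63.252.x.x[0]<=>24.17.x.x[0]
Jan 29 18:20:41 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA expired: ESP/Tunnel 24.17.x.x[0]->63.252.x.x[0] spi=76670812(0x491e75c)
Jan 29 18:20:41 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA expired: ESP/Tunnel 63.252.x.x[0]->24.17.x.x[0] spi=258166286(0xf634e0e)
Jan 29 18:20:41 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established 63.252.x.x[500]-24.17.x.x[500] spi:57bbe8e812127d61:4ffe248e9b35525e
Jan 29 18:20:41 racoon: INFO: received Vendor ID: DPD
Jan 29 18:20:41 racoon: INFO: begin Aggressive mode.
Jan 29 18:07:39 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA deleted 63.252.x.x[500]-24.17.x.x[500] spi:f5a70c73dbf7f17a:baa137939e863faa
Jan 29 18:03:20 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA expired: ESP/Tunnel 24.17.x.x[0]->63.252.x.x[0] spi=27709746(0x1a6d132)
Jan 29 18:03:20 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA expired: ESP/Tunnel 63.252.x.x[0]->24.17.x.x[0] spi=156434038(0x952fe76)
Jan 29 18:03:20 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "172.16.1.0/24[0] 192.168.1.0/24[0] proto=any dir=out"
Jan 29 18:03:20 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.1.0/24[0] 172.16.1.0/24[0] proto=any dir=in"
Jan 29 18:03:20 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 63.252.x.x[0]->24.17.x.x[0] spi=258166286(0xf634e0e)
Jan 29 18:03:20 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 24.17.x.x[0]->63.252.x.x[0] spi=76670812(0x491e75c)
"""

# Syslog timestamp, "racoon:", optional "[gateway]:" tag, level, message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)\s+racoon:\s*"
    r"(?:\[(?P<tag>[^\]]+)\]:?\s*)?"
    r"(?P<level>INFO|ERROR|WARNING):\s*(?P<msg>.*)$"
)
SPI_RE = re.compile(r"spi=(?P<spi>\d+)\(0x[0-9a-f]+\)")

# ERROR-level text racoon emits on the normal rekey path; per the thread's
# answer these do not affect the tunnel. Any other ERROR line is surfaced.
BENIGN_ERRORS = ("such policy does not already exist",)


def parse_racoon(text: str) -> List[Dict[str, str]]:
    """Parse racoon syslog lines into dicts; lines that do not match are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append(m.groupdict())
    return events


def summarize(events: List[Dict[str, str]]) -> Dict[str, object]:
    """Count Phase 1 events, split benign policy notices from other errors,
    and derive which Phase 2 SPIs are currently active (established, not yet expired)."""
    s: Dict[str, object] = {
        "phase1_established": 0,
        "phase1_deleted": 0,
        "benign_policy_notices": 0,
        "other_errors": [],
        "phase2_established": set(),
        "phase2_expired": set(),
    }
    for ev in events:
        msg = ev["msg"]
        if ev["level"] == "ERROR":
            if msg.startswith(BENIGN_ERRORS):
                s["benign_policy_notices"] += 1
            else:
                s["other_errors"].append(f"{ev['ts']} {msg}")
        elif msg.startswith("ISAKMP-SA established"):
            s["phase1_established"] += 1
        elif msg.startswith("ISAKMP-SA deleted"):
            s["phase1_deleted"] += 1
        elif msg.startswith(("IPsec-SA established", "IPsec-SA expired")):
            m = SPI_RE.search(msg)
            if m:
                key = "phase2_established" if "established" in msg else "phase2_expired"
                s[key].add(int(m.group("spi")))
    # SPIs established and not expired are the live child SAs; SPIs that only
    # ever appear as expired were established before the log window started.
    s["active_spis"] = s["phase2_established"] - s["phase2_expired"]
    s["expired_before_window"] = s["phase2_expired"] - s["phase2_established"]
    return s


def tunnel_looks_healthy(s: Dict[str, object], expected_active: int = 2) -> bool:
    """Healthy: no unexplained ERROR lines and one live SA per direction."""
    return not s["other_errors"] and len(s["active_spis"]) == expected_active


if __name__ == "__main__":
    summary = summarize(parse_racoon(SAMPLE_LOG))
    for k, v in summary.items():
        print(f"{k}: {v}")
    print("healthy:", tunnel_looks_healthy(summary))
```

Run against the sample, the four policy lines land in `benign_policy_notices`, the two SPIs from the 18:20:42 rekey are the active pair, and the one constructed non-benign ERROR line is what flips `tunnel_looks_healthy` to False; drop that line and the same log reads as a healthy tunnel that is simply rekeying on schedule, which matches what the thread observed.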
jle2005

                                    Thanks for letting me know that Seth.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.