StrongSwan problem with IPSEC

pdrass

I have to reboot one firewall that has 4 IPSEC tunnels to it.  It gets buggy and no matter what I do I can't seem to get it to reconnect.

Here's my log:

Jan 17 09:58:57 charon 07[IKE] <con1|825>IKE_SA con1[825] state change: CONNECTING => DESTROYING
Jan 17 09:58:57 charon 07[CFG] <con1|825>configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Jan 17 09:58:57 charon 07[IKE] <con1|825>received NO_PROPOSAL_CHOSEN notify error
Jan 17 09:58:57 charon 07[ENC] <con1|825>parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
Jan 17 09:58:57 charon 07[NET] <con1|825>received packet: from 47.50.x.x[500] to 24.247.x.x[500] (36 bytes)
Jan 17 09:58:57 charon 11[NET] <con1|825>sending packet: from 24.247.x.x[500] to 47.50.x.x[500] (466 bytes)
Jan 17 09:58:57 charon 11[ENC] <con1|825>generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan 17 09:58:57 charon 11[CFG] <con1|825>sending supported signature hash algorithms: sha1 sha256 sha384 sha512 identity
Jan 17 09:58:57 charon 11[CFG] <con1|825>configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Jan 17 09:58:57 charon 11[IKE] <con1|825>IKE_SA con1[825] state change: CREATED => CONNECTING
Jan 17 09:58:57 charon 11[IKE] <con1|825>initiating IKE_SA con1[825] to 47.50.x.x
Jan 17 09:58:57 charon 11[IKE] <con1|825>activating IKE_AUTH_LIFETIME task
Jan 17 09:58:57 charon 11[IKE] <con1|825>activating CHILD_CREATE task
Jan 17 09:58:57 charon 11[IKE] <con1|825>activating IKE_CONFIG task
Jan 17 09:58:57 charon 11[IKE] <con1|825>activating IKE_CERT_POST task
Jan 17 09:58:57 charon 11[IKE] <con1|825>activating IKE_AUTH task
Jan 17 09:58:57 charon 11[IKE] <con1|825>activating IKE_CERT_PRE task
Jan 17 09:58:57 charon 11[IKE] <con1|825>activating IKE_NATD task
Jan 17 09:58:57 charon 11[IKE] <con1|825>activating IKE_INIT task
Jan 17 09:58:57 charon 11[IKE] <con1|825>activating IKE_VENDOR task
Jan 17 09:58:57 charon 11[IKE] <con1|825>activating new tasks
Jan 17 09:58:57 charon 11[IKE] <con1|825>queueing CHILD_CREATE task
Jan 17 09:58:57 charon 11[IKE] <con1|825>queueing IKE_AUTH_LIFETIME task
Jan 17 09:58:57 charon 11[IKE] <con1|825>queueing IKE_CONFIG task
Jan 17 09:58:57 charon 11[IKE] <con1|825>queueing IKE_CERT_POST task
Jan 17 09:58:57 charon 11[IKE] <con1|825>queueing IKE_AUTH task
Jan 17 09:58:57 charon 11[IKE] <con1|825>queueing IKE_CERT_PRE task
Jan 17 09:58:57 charon 11[IKE] <con1|825>queueing IKE_NATD task
Jan 17 09:58:57 charon 11[IKE] <con1|825>queueing IKE_INIT task
Jan 17 09:58:57 charon 11[IKE] <con1|825>queueing IKE_VENDOR task
Jan 17 09:58:57 charon 07[KNL] creating acquire job for policy 24.247.x.x/32|/0 === 47.50.x.x/32|/0 with reqid {20}
Jan 17 09:57:34 charon 07[IKE] <con1|824>IKE_SA con1[824] state change: CONNECTING => DESTROYING
Jan 17 09:57:34 charon 07[CFG] <con1|824>configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048

I've looked around a bit and this also seems to be a StrongSwan issue which the PFSense uses:

https://wiki.strongswan.org/issues/442

I even try changing cyphers, etc like this…same result:

Jan 17 10:21:07 charon 13[IKE] <con1|5>IKE_SA con1[5] state change: CONNECTING => DESTROYING
Jan 17 10:21:07 charon 13[CFG] <con1|5>configured proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA1/MODP_1024
Jan 17 10:21:07 charon 13[IKE] <con1|5>received NO_PROPOSAL_CHOSEN notify error
Jan 17 10:21:07 charon 13[ENC] <con1|5>parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
Jan 17 10:21:07 charon 13[NET] <con1|5>received packet: from 47.50.x.x[500] to 24.247.x.x[500] (36 bytes)
Jan 17 10:21:07 charon 13[NET] <con1|5>sending packet: from 24.247.x.x[500] to 47.50.x.x[500] (330 bytes)
Jan 17 10:21:07 charon 13[ENC] <con1|5>generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan 17 10:21:07 charon 13[CFG] <con1|5>sending supported signature hash algorithms: sha1 sha256 sha384 sha512 identity
Jan 17 10:21:07 charon 13[CFG] <con1|5>configured proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA1/MODP_1024
Jan 17 10:21:07 charon 13[IKE] <con1|5>IKE_SA con1[5] state change: CREATED => CONNECTING
Jan 17 10:21:07 charon 13[IKE] <con1|5>initiating IKE_SA con1[5] to 47.50.x.x
Jan 17 10:21:07 charon 13[IKE] <con1|5>activating IKE_AUTH_LIFETIME task
Jan 17 10:21:07 charon 13[IKE] <con1|5>activating CHILD_CREATE task
Jan 17 10:21:07 charon 13[IKE] <con1|5>activating IKE_CONFIG task
Jan 17 10:21:07 charon 13[IKE] <con1|5>activating IKE_CERT_POST task
Jan 17 10:21:07 charon 13[IKE] <con1|5>activating IKE_AUTH task
Jan 17 10:21:07 charon 13[IKE] <con1|5>activating IKE_CERT_PRE task
Jan 17 10:21:07 charon 13[IKE] <con1|5>activating IKE_NATD task
Jan 17 10:21:07 charon 13[IKE] <con1|5>activating IKE_INIT task
Jan 17 10:21:07 charon 13[IKE] <con1|5>activating IKE_VENDOR task
Jan 17 10:21:07 charon 13[IKE] <con1|5>activating new tasks
Jan 17 10:21:07 charon 13[IKE] <con1|5>queueing CHILD_CREATE task
Jan 17 10:21:07 charon 13[IKE] <con1|5>queueing IKE_AUTH_LIFETIME task
Jan 17 10:21:07 charon 13[IKE] <con1|5>queueing IKE_CONFIG task
Jan 17 10:21:07 charon 13[IKE] <con1|5>queueing IKE_CERT_POST task
Jan 17 10:21:07 charon 13[IKE] <con1|5>queueing IKE_AUTH task
Jan 17 10:21:07 charon 13[IKE] <con1|5>queueing IKE_CERT_PRE task
Jan 17 10:21:07 charon 13[IKE] <con1|5>queueing IKE_NATD task
Jan 17 10:21:07 charon 13[IKE] <con1|5>queueing IKE_INIT task
Jan 17 10:21:07 charon 13[IKE] <con1|5>queueing IKE_VENDOR task
Jan 17 10:21:07 charon 14[KNL] creating acquire job for policy 24.247.x.x/32|/0 === 47.50.x.x/32|/0 with reqid {4}

So…at the moment the ONLY way to get the IPSEC VPN tunnel back up is to reboot the firewall at 47.50.x.x which totally sucks because it takes down 3 other sites.  I had this problem with a different site last week > reboot the 47.50.x.x firewall > tunnels come back up.  Today, it's a different site AND NOTHING HAS CHANGED!

Any advice besides a back rev to 2.3?  I'm seriously considering wiping the infrastructure and going back to 2.3 which was stable as hell.  It's only after I upgraded to this 2.4.x version that things have gotten ridiculously unstable.

Thanks!

================

** Update **

I needed to actually reboot BOTH the firewalls.  So it doesn't seem to be a symptom of just one firewall!

Thoughts?</con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|5></con1|824></con1|824></con1|825></con1|825></con1|825></con1|825></con1|825></con1|825></con1|825></con1|825></con1|825></con1|825></con1|825></con1|825></con1|825></con1|825></con1|825></con1|825></con1|825></con1|825></con1|825></con1|825></con1|825></con1|825></con1|825></con1|825></con1|825></con1|825></con1|825></con1|825></con1|825></con1|825>

pdrass

Today it flaked out AGAIN and I had to reboot the 24.247.x.x firewall.  The Internet works, 0% latency, everything looks great BUT the IPSEC tunnel crashes and won't come up UNTIL something is rebooted.  I can restart IPSEC services until I'm blue in the face and I've got nothing UNTIL the dumb thing is rebooted.

Good thing I didn't have to reboot the other router because that's the one with multiple sites connected to it.  The 24.247.x.x is the remote site.

Anyone else experiencing these issues?  We didn't have these issues on the 2.3.x versions of PFSense!  These are PFSense boxes from PFSense too, the rack mounts.