Racoon service stops unexpectedly



  • I've been having a problem with pfSense 1.2 since I first installed it, whereby the racoon service suddenly stops, and all VPNs go down. This happens intermittently and the only correlation I can find is a message that appears in the logs just before it quits, marked with XXX below (the subsequent manual restart of the service is marked with ***):

        Aug 14 15:44:05 racoon: INFO: Resize address pool from 0 to 255
        Aug 14 15:44:05 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
        Aug 14 15:44:05 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
    *** Aug 14 15:44:05 racoon: INFO: @(#)ipsec-tools 0.7 (http://ipsec-tools.sourceforge.net)
    XXX Aug 14 15:39:14 racoon: ERROR: parse error is nothing, but yyerrorcount is 2.
        Aug 14 15:39:00 racoon: ERROR: failed to pre-process packet.
        Aug 14 15:39:00 racoon: ERROR: failed to get sainfo.
        Aug 14 15:39:00 racoon: ERROR: failed to get sainfo.
        Aug 14 15:39:00 racoon: [Easington]: INFO: respond new phase 2 negotiation: 195.97.███.██[0]<=>86.140.██.██[0]
        Aug 14 15:38:57 racoon: ERROR: failed to pre-process packet.
        Aug 14 15:38:57 racoon: ERROR: failed to get sainfo.
        Aug 14 15:38:57 racoon: ERROR: failed to get sainfo.
        Aug 14 15:38:57 racoon: [Texas]: INFO: respond new phase 2 negotiation: 195.97.███.██[0]<=>216.85.███.███[0]
        Aug 14 15:38:53 racoon: [DataCentre]: ERROR: 195.188.███.██ give up to get IPsec-SA due to time up to wait.

    Any ideas what might be causing this, and how I can fix it?
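    A small triage script for exactly this kind of excerpt, added here as an example and not posted by anyone in the thread. It reconstructs the log above as constructed sample input (the masked octets are replaced with RFC 5737 documentation addresses, so the peers are placeholders), puts the lines back into chronological order (the pfSense log viewer shows newest lines first, which is why the *** restart sits above the XXX error), and then reports what a practitioner would want to know before touching /var/etc/racoon.conf: which ERROR was the last one before each "Reading configuration" restart, how many "failed to get sainfo" errors each tunnel produced (racoon logs that when no sainfo block matches the phase 2 selectors the peer proposes), and which tunnels timed out waiting for an IPsec-SA. The "parse error is nothing, but yyerrorcount is N" line is racoon's configuration parser reporting N errors while (re)reading racoon.conf; the script surfaces it as the last error before the restart so that it is the first thing checked. The tunnel attribution for "failed to get sainfo" is a heuristic (the most recent "respond new phase 2 negotiation" line), since racoon does not tag that error with a tunnel name.

```python
"""Triage pfSense 1.2 / racoon syslog lines around an unexpected racoon restart.

Added example, not code from the thread or from pfSense/ipsec-tools.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the poster's excerpt with masked octets replaced by
# RFC 5737 documentation addresses. Newest line first, as pfSense displays it.
SAMPLE_LOG = """\
Aug 14 15:44:05 racoon: INFO: Resize address pool from 0 to 255
Aug 14 15:44:05 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
Aug 14 15:44:05 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
Aug 14 15:44:05 racoon: INFO: @(#)ipsec-tools 0.7 (http://ipsec-tools.sourceforge.net)
Aug 14 15:39:14 racoon: ERROR: parse error is nothing, but yyerrorcount is 2.
Aug 14 15:39:00 racoon: ERROR: failed to pre-process packet.
Aug 14 15:39:00 racoon: ERROR: failed to get sainfo.
Aug 14 15:39:00 racoon: ERROR: failed to get sainfo.
Aug 14 15:39:00 racoon: [Easington]: INFO: respond new phase 2 negotiation: 192.0.2.10[0]<=>198.51.100.20[0]
Aug 14 15:38:57 racoon: ERROR: failed to pre-process packet.
Aug 14 15:38:57 racoon: ERROR: failed to get sainfo.
Aug 14 15:38:57 racoon: ERROR: failed to get sainfo.
Aug 14 15:38:57 racoon: [Texas]: INFO: respond new phase 2 negotiation: 192.0.2.10[0]<=>203.0.113.30[0]
Aug 14 15:38:53 racoon: [DataCentre]: ERROR: 198.51.100.99 give up to get IPsec-SA due to time up to wait.
"""

# "Mon DD HH:MM:SS racoon: [tunnel]: LEVEL: message" (the [tunnel] part is optional)
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) racoon: "
    r"(?:\[(?P<tunnel>[^\]]+)\]: )?"
    r"(?P<level>[A-Z]+): (?P<msg>.*)$"
)
PARSE_ERR_RE = re.compile(r"parse error is nothing, but yyerrorcount is (\d+)\.")
PHASE2_RE = re.compile(r"respond new phase 2 negotiation: \S+?\[\d+\]<=>\S+?\[\d+\]")
TIMEOUT_RE = re.compile(r"^(\S+) give up to get IPsec-SA due to time up to wait\.$")


def parse_line(line):
    """Split one racoon syslog line into its fields; None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    # Syslog stamps carry no year; datetime defaults to 1900, fine for ordering within a day.
    ev["when"] = datetime.strptime(re.sub(r" +", " ", ev["ts"]), "%b %d %H:%M:%S")
    return ev


def chronological(events):
    """The pfSense log viewer shows newest first; flip to oldest-first when so."""
    if len(events) > 1 and events[0]["when"] > events[-1]["when"]:
        return list(reversed(events))
    return list(events)


def triage(log_text):
    """Summarise restarts, config parse errors, sainfo failures and SA timeouts."""
    events = chronological([e for e in map(parse_line, log_text.splitlines()) if e])
    report = {
        "restarts": [],                  # timestamps at which racoon (re)read its config
        "last_error_before_restart": [], # (ts, msg) of the final ERROR before each restart
        "config_parse_errors": [],       # (ts, yyerrorcount) reported by the config parser
        "sainfo_failures": Counter(),    # "failed to get sainfo." count per tunnel (heuristic)
        "sa_timeouts": [],               # (tunnel, peer) that gave up waiting for an IPsec-SA
    }
    last_error = None
    current_tunnel = None  # tunnel named by the most recent phase 2 negotiation line
    for ev in events:
        msg, tunnel = ev["msg"], ev["tunnel"]
        if msg.startswith("Reading configuration from"):
            report["restarts"].append(ev["ts"])
            report["last_error_before_restart"].append(last_error)
            last_error, current_tunnel = None, None
            continue
        if ev["level"] == "ERROR":
            last_error = (ev["ts"], msg)
        m = PARSE_ERR_RE.search(msg)
        if m:
            report["config_parse_errors"].append((ev["ts"], int(m.group(1))))
        elif PHASE2_RE.search(msg):
            current_tunnel = tunnel
        elif msg == "failed to get sainfo.":
            # racoon does not tag this error; attribute it to the negotiation it followed.
            report["sainfo_failures"][current_tunnel or "<unknown>"] += 1
        else:
            m = TIMEOUT_RE.match(msg)
            if m:
                report["sa_timeouts"].append((tunnel or "<unknown>", m.group(1)))
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

    Run against a larger pfSense export (clog output pasted into SAMPLE_LOG, or read from a file) the same functions tell you whether every restart is preceded by a yyerrorcount error, which is the case worth chasing, or whether restarts also follow runs of "failed to get sainfo" from one particular tunnel, which points at the phase 2 selectors configured on that tunnel's two ends instead.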



  • It's still doing it, and I still have no idea why. Also, individual VPN tunnels to a Siemens 5830 and a Cisco ASA 5505 go down occasionally, and have to have their SAD entries manually removed to start them up again, or restart racoon.

    Honestly, this has to be the flakiest, most unreliable IPSec implementation I've ever encountered. Calling the 1.2 release stable is just wrong when this component of it has so many issues. The rest of pfSense is fine, but this unfortunately really lets it down hard. I'm starting to look for a replacement.



  • Sounds like differing lifetimes and one or the other side not honouring those times.



  • Heh, and what do the other logs from the other endpoints say?

    regards
    heiko

