Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Ipsec not working with the last snapshot!

    1.2.1-RC Snapshot Feedback and Problems-RETIRED
    5
    27
    11.8k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • H
      heiko
      last edited by

      IPSEC isn´t working with the last snaphsot

      Could not deterimine VPN endpoint for Lotte
      Aug 18 17:01:59 php: : Could not deterimine VPN endpoint for averdiek
      Aug 18 17:01:59 php: : Could not deterimine VPN endpoint for amvan
      Aug 18 17:01:59 php: : Could not deterimine VPN endpoint for seeman

      …....

      1 Reply Last reply Reply Quote 0
      • A
        ask
        last edited by

        Whoops. I wonder if it's related to the fix made to CARP support in http://forum.pfsense.org/index.php/topic,10905.0.html

        • ask (holding off on upgrading to a newer snapshot)
        1 Reply Last reply Reply Quote 0
        • H
          heiko
          last edited by

          I will try the "very" last snaphsot and then we will see ;)

          1 Reply Last reply Reply Quote 0
          • A
            ask
            last edited by

            @heiko:

            I will try the "very" last snaphsot and then we will see ;)

            It's working for me with "Sun Aug 17 23:20:33 EDT 2008".

            1 Reply Last reply Reply Quote 0
            • H
              heiko
              last edited by

              This snapshot isn´t working
              http://snapshots.pfsense.org/FreeBSD7/RELENG_1_2/pfSense-Full-Update-1.2.1-RC1-20080817-2330.tgz

              hm, perhaps "aggressive mode /FQDN problem" with mobile endpoint on the other side…

              Regards heiko

              1 Reply Last reply Reply Quote 0
              • S
                sullrich
                last edited by

                You will want to test a snapshot form the 18th.

                1 Reply Last reply Reply Quote 0
                • H
                  heiko
                  last edited by

                  Thanks Scott,
                  but under this link http://snapshots.pfsense.org/FreeBSD7/RELENG_1_2/ i cannot find a newer snapshot as from the 17th.
                  Regards
                  Heiko

                  1 Reply Last reply Reply Quote 0
                  • S
                    sullrich
                    last edited by

                    Oops, too many 0's in our sleep statement on the builder box.  It's now building.

                    1 Reply Last reply Reply Quote 0
                    • A
                      ask
                      last edited by

                      @sullrich:

                      You will want to test a snapshot form the 18th.

                      What did you fix since the Sun Aug 17 23:20:33 EDT 2008 snapshot?

                      Our IPsec connections stopped working today - getting lots of "racoon: ERROR: not acceptable Aggressive mode" errors.  And if we set it to main mode in both ends we get "racoon: [{other-end}]: NOTIFY: the packet is retransmitted by {other-ip}[500]."

                      • ask
                      1 Reply Last reply Reply Quote 0
                      • A
                        ask
                        last edited by

                        Gah - it just broke again here after running for about 5 hours on Tue Aug 19 23:27:49 EDT 2008.

                        Aug 20 01:09:21 gw-a racoon: INFO: phase2 sa deleted $gw-$remote
                        Aug 20 01:09:23 gw-a racoon: INFO: respond new phase 2 negotiation: $gw[0]<=>$remote[0]
                        Aug 20 01:09:23 gw-a racoon: ERROR: failed to get sainfo.
                        Aug 20 01:09:23 gw-a racoon: ERROR: failed to get sainfo.
                        Aug 20 01:09:23 gw-a racoon: ERROR: failed to pre-process packet.
                        Aug 20 01:09:43 gw-a racoon: INFO: respond new phase 2 negotiation: $gw[0]<=>$remote[0]
                        Aug 20 01:09:43 gw-a racoon: ERROR: failed to get sainfo.
                        Aug 20 01:09:43 gw-a racoon: ERROR: failed to get sainfo.
                        Aug 20 01:09:43 gw-a racoon: ERROR: failed to pre-process packet.

                        Restarting racoon got it going again.  This was working flawlessly (other than not working on the CARP interface) for about a week on the Aug 12 snapshot – and for years with our NanoBSD systems (with the same remote configuration as now).

                        1 Reply Last reply Reply Quote 0
                        • H
                          heiko
                          last edited by

                          Now i have the newest snapshot but racoon didn´t work…

                          1.2.1-RC1
                          built on Tue Aug 19 23:37:31 EDT 2008

                          php: : Could not deterimine VPN endpoint for Lotte
                          Aug 20 10:14:09 php: : Could not deterimine VPN endpoint for averdiek
                          Aug 20 10:14:09 php: : Could not deterimine VPN endpoint for amvan
                          Aug 20 10:14:09 php: : Could not deterimine VPN endpoint for seemann os
                          Aug 20 10:14:09 php: : Could not deterimine VPN endpoint for seemann bi
                          Aug 20 10:14:09 php: : Could not deterimine VPN endpoint for nova
                          Aug 20 10:14:09 php: : Could not deterimine

                          and this on the ipsec tab:

                          Aug 20 10:14:26 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=14)
                          Aug 20 10:14:26 racoon: [Self]: INFO: 89.166.159.92[500] used as isakmp port (fd=13)
                          Aug 20 10:14:26 racoon: INFO: Resize address pool from 0 to 255
                          Aug 20 10:14:26 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
                          Aug 20 10:14:26 racoon: INFO: @(#)This product linked OpenSSL 0.9.8e 23 Feb 2007 (http://www.openssl.org/)
                          Aug 20 10:14:26 racoon: INFO: @(#)ipsec-tools 0.7.1 (http://ipsec-tools.sourceforge.net)
                          Aug 20 10:14:22 racoon: INFO: racoon shutdown
                          Aug 20 10:14:21 racoon: INFO: caught signal 15
                          Aug 20 10:14:21 racoon: [Self]: INFO: 192.168.6.1[500] used as isakmp port (fd=14)
                          Aug 20 10:14:21 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=13)
                          Aug 20 10:14:21 racoon: [Self]: INFO: 89.166.159.92[500] used as isakmp port (fd=12)
                          Aug 20 10:14:11 racoon: [Self]: INFO: 192.168.6.1[500] used as isakmp port (fd=14)
                          Aug 20 10:14:11 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=13)
                          Aug 20 10:14:11 racoon: [Self]: INFO: 89.166.159.92[500] used as isakmp port (fd=12)
                          Aug 20 10:14:10 racoon: [Self]: INFO: 192.168.6.1[500] used as isakmp port (fd=14)
                          Aug 20 10:14:10 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=13)
                          Aug 20 10:14:10 racoon: [Self]: INFO: 89.166.159.92[500] used as isakmp port (fd=12)
                          Aug 20 10:14:09 racoon: INFO: unsupported PF_KEY message REGISTER
                          Aug 20 10:14:09 racoon: [Self]: INFO: 192.168.6.1[500] used as isakmp port (fd=14)
                          Aug 20 10:14:09 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=13)
                          Aug 20 10:14:09 racoon: [Self]: INFO: 89.166.159.92[500] used as isakmp port (fd=12)
                          Aug 20 10:14:09 racoon: INFO: Resize address pool from 0 to 255
                          Aug 20 10:14:09 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
                          Aug 20 10:14:09 racoon: INFO: @(#)This product linked OpenSSL 0.9.8e 23 Feb 2007 (http://www.openssl.org/)
                          Aug 20 10:14:09 racoon: INFO: @(#)ipsec-tools 0.7.1 (http://ipsec-tools.sourceforge.net)

                          all of these tunnels are on the "agressive mode" to other 1.2 ipsec endpoints as a "mobile ipsec client".

                          With 1.2 all works great as it should. I have nothing changed in the configuration…..

                          Regards
                          heiko

                          1 Reply Last reply Reply Quote 0
                          • P
                            PacDemon
                            last edited by

                            I have the same Problem. I switch back to pfSense-Full-Update-1.2.1-RC1-20080817-2330.tgz, same problem.
                            But before i upgrade it works under this version pfSense-Full-Update-1.2.1-RC1-20080817-2330.tgz.

                            PD

                            1 Reply Last reply Reply Quote 0
                            • H
                              heiko
                              last edited by

                              I have had contact with a developer from pfsense and he will take a look into the code…..

                              1 Reply Last reply Reply Quote 0
                              • P
                                PacDemon
                                last edited by

                                Oh I hope they can fix it fast. I have in the moment one office offline :(

                                PD

                                1 Reply Last reply Reply Quote 0
                                • H
                                  heiko
                                  last edited by

                                  Probably this week a fix is available…..

                                  1 Reply Last reply Reply Quote 0
                                  • P
                                    PacDemon
                                    last edited by

                                    Oh, I hope it really. In the moment it is no new snapshot :(

                                    Rgds,
                                    PD

                                    1 Reply Last reply Reply Quote 0
                                    • H
                                      heiko
                                      last edited by

                                      Heh, 1.21 is beta, not a release…. if you can make a downgrade to 1.2 release, make it...

                                      1 Reply Last reply Reply Quote 0
                                      • P
                                        PacDemon
                                        last edited by

                                        Yea, i know.
                                        Do you know that is possible to downgrade to 1.2 over the Firmaware update or I have to install new over a Image?

                                        PD

                                        1 Reply Last reply Reply Quote 0
                                        • H
                                          heiko
                                          last edited by

                                          I have not tested a downgrade. At the moment i haven´t new informations about the ipsec fix…...

                                          First, i would make a  downgrade to 1.2, if it fails you must install from a fresh 1.2 image.... :-\

                                          Regards
                                          heiko

                                          If i have new informations, i post it as soon as possible...

                                          1 Reply Last reply Reply Quote 0
                                          • P
                                            PacDemon
                                            last edited by

                                            Oh oh, the Hardware is 600 km form here. Hmm, i think i test it first on a another hardware if it is possible to downgrade from 1.2.1 to 1.2 back.

                                            I let you know this.

                                            PD

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.