Netgate Discussion Forum
IPsec not working with the last snapshot!

    1.2.1-RC Snapshot Feedback and Problems-RETIRED
heiko:

IPsec isn't working with the last snapshot

Could not deterimine VPN endpoint for Lotte
Aug 18 17:01:59 php: : Could not deterimine VPN endpoint for averdiek
Aug 18 17:01:59 php: : Could not deterimine VPN endpoint for amvan
Aug 18 17:01:59 php: : Could not deterimine VPN endpoint for seeman

…

ask:

Whoops. I wonder if it's related to the fix made to CARP support in http://forum.pfsense.org/index.php/topic,10905.0.html

ask (holding off on upgrading to a newer snapshot)

heiko:

I will try the "very" last snapshot and then we will see ;)

ask:

@heiko:

I will try the "very" last snapshot and then we will see ;)

It's working for me with "Sun Aug 17 23:20:33 EDT 2008".

heiko:

This snapshot isn't working:
http://snapshots.pfsense.org/FreeBSD7/RELENG_1_2/pfSense-Full-Update-1.2.1-RC1-20080817-2330.tgz

Hm, perhaps an "aggressive mode / FQDN problem" with a mobile endpoint on the other side…

Regards heiko

sullrich:

You will want to test a snapshot from the 18th.

heiko:

Thanks Scott,
but under this link http://snapshots.pfsense.org/FreeBSD7/RELENG_1_2/ I cannot find a snapshot newer than the 17th.
Regards
Heiko

sullrich:

Oops, too many 0's in our sleep statement on the builder box. It's now building.

ask:

@sullrich:

You will want to test a snapshot from the 18th.

What did you fix since the Sun Aug 17 23:20:33 EDT 2008 snapshot?

Our IPsec connections stopped working today - getting lots of "racoon: ERROR: not acceptable Aggressive mode" errors. And if we set it to main mode on both ends we get "racoon: [{other-end}]: NOTIFY: the packet is retransmitted by {other-ip}[500]."

ask

ask:

                        Gah - it just broke again here after running for about 5 hours on Tue Aug 19 23:27:49 EDT 2008.

                        Aug 20 01:09:21 gw-a racoon: INFO: phase2 sa deleted $gw-$remote
                        Aug 20 01:09:23 gw-a racoon: INFO: respond new phase 2 negotiation: $gw[0]<=>$remote[0]
                        Aug 20 01:09:23 gw-a racoon: ERROR: failed to get sainfo.
                        Aug 20 01:09:23 gw-a racoon: ERROR: failed to get sainfo.
                        Aug 20 01:09:23 gw-a racoon: ERROR: failed to pre-process packet.
                        Aug 20 01:09:43 gw-a racoon: INFO: respond new phase 2 negotiation: $gw[0]<=>$remote[0]
                        Aug 20 01:09:43 gw-a racoon: ERROR: failed to get sainfo.
                        Aug 20 01:09:43 gw-a racoon: ERROR: failed to get sainfo.
                        Aug 20 01:09:43 gw-a racoon: ERROR: failed to pre-process packet.

                        Restarting racoon got it going again.  This was working flawlessly (other than not working on the CARP interface) for about a week on the Aug 12 snapshot – and for years with our NanoBSD systems (with the same remote configuration as now).

heiko:

Now I have the newest snapshot but racoon didn't work…

                          1.2.1-RC1
                          built on Tue Aug 19 23:37:31 EDT 2008

                          php: : Could not deterimine VPN endpoint for Lotte
                          Aug 20 10:14:09 php: : Could not deterimine VPN endpoint for averdiek
                          Aug 20 10:14:09 php: : Could not deterimine VPN endpoint for amvan
                          Aug 20 10:14:09 php: : Could not deterimine VPN endpoint for seemann os
                          Aug 20 10:14:09 php: : Could not deterimine VPN endpoint for seemann bi
                          Aug 20 10:14:09 php: : Could not deterimine VPN endpoint for nova
                          Aug 20 10:14:09 php: : Could not deterimine

and this on the IPsec tab:

                          Aug 20 10:14:26 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=14)
                          Aug 20 10:14:26 racoon: [Self]: INFO: 89.166.159.92[500] used as isakmp port (fd=13)
                          Aug 20 10:14:26 racoon: INFO: Resize address pool from 0 to 255
                          Aug 20 10:14:26 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
                          Aug 20 10:14:26 racoon: INFO: @(#)This product linked OpenSSL 0.9.8e 23 Feb 2007 (http://www.openssl.org/)
                          Aug 20 10:14:26 racoon: INFO: @(#)ipsec-tools 0.7.1 (http://ipsec-tools.sourceforge.net)
                          Aug 20 10:14:22 racoon: INFO: racoon shutdown
                          Aug 20 10:14:21 racoon: INFO: caught signal 15
                          Aug 20 10:14:21 racoon: [Self]: INFO: 192.168.6.1[500] used as isakmp port (fd=14)
                          Aug 20 10:14:21 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=13)
                          Aug 20 10:14:21 racoon: [Self]: INFO: 89.166.159.92[500] used as isakmp port (fd=12)
                          Aug 20 10:14:11 racoon: [Self]: INFO: 192.168.6.1[500] used as isakmp port (fd=14)
                          Aug 20 10:14:11 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=13)
                          Aug 20 10:14:11 racoon: [Self]: INFO: 89.166.159.92[500] used as isakmp port (fd=12)
                          Aug 20 10:14:10 racoon: [Self]: INFO: 192.168.6.1[500] used as isakmp port (fd=14)
                          Aug 20 10:14:10 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=13)
                          Aug 20 10:14:10 racoon: [Self]: INFO: 89.166.159.92[500] used as isakmp port (fd=12)
                          Aug 20 10:14:09 racoon: INFO: unsupported PF_KEY message REGISTER
                          Aug 20 10:14:09 racoon: [Self]: INFO: 192.168.6.1[500] used as isakmp port (fd=14)
                          Aug 20 10:14:09 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=13)
                          Aug 20 10:14:09 racoon: [Self]: INFO: 89.166.159.92[500] used as isakmp port (fd=12)
                          Aug 20 10:14:09 racoon: INFO: Resize address pool from 0 to 255
                          Aug 20 10:14:09 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
                          Aug 20 10:14:09 racoon: INFO: @(#)This product linked OpenSSL 0.9.8e 23 Feb 2007 (http://www.openssl.org/)
                          Aug 20 10:14:09 racoon: INFO: @(#)ipsec-tools 0.7.1 (http://ipsec-tools.sourceforge.net)

All of these tunnels use "aggressive mode" to other 1.2 IPsec endpoints as a "mobile IPsec client".

With 1.2 everything works as it should. I have changed nothing in the configuration…

Regards
heiko

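An added example, not from this thread and not pfSense's code: a small Python triage script run over log lines of the kinds ask and heiko quote above (the php "Could not deterimine VPN endpoint" lines, racoon's "failed to get sainfo", "not acceptable Aggressive mode", the retransmit NOTIFY, and the "received broken Microsoft ID" message heiko asks about further down). The sample lines are constructed to mirror the thread with placeholder hosts and addresses; the per-message explanations are my reading of racoon's messages, and the threshold for flagging a peer is an arbitrary choice.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the ones quoted in this thread (not a real
# capture; hostnames and addresses are placeholders).
SAMPLE_LOG = """\
Aug 20 10:14:09 php: : Could not deterimine VPN endpoint for Lotte
Aug 20 10:14:09 php: : Could not deterimine VPN endpoint for averdiek
Aug 20 01:09:21 gw-a racoon: INFO: phase2 sa deleted 203.0.113.10-198.51.100.7
Aug 20 01:09:23 gw-a racoon: INFO: respond new phase 2 negotiation: 203.0.113.10[0]<=>198.51.100.7[0]
Aug 20 01:09:23 gw-a racoon: ERROR: failed to get sainfo.
Aug 20 01:09:23 gw-a racoon: ERROR: failed to get sainfo.
Aug 20 01:09:23 gw-a racoon: ERROR: failed to pre-process packet.
Aug 20 01:09:43 gw-a racoon: INFO: respond new phase 2 negotiation: 203.0.113.10[0]<=>198.51.100.7[0]
Aug 20 01:09:43 gw-a racoon: ERROR: failed to get sainfo.
Aug 20 01:09:43 gw-a racoon: ERROR: failed to get sainfo.
Aug 20 01:09:43 gw-a racoon: ERROR: failed to pre-process packet.
Aug 20 01:10:05 gw-a racoon: ERROR: not acceptable Aggressive mode
Aug 20 01:10:09 gw-a racoon: [198.51.100.9] NOTIFY: the packet is retransmitted by 198.51.100.9[500].
Aug 20 01:10:30 gw-a racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Aug 20 01:10:31 gw-a racoon: INFO: caught signal 15
Aug 20 01:10:31 gw-a racoon: INFO: racoon shutdown
"""

# (label, pattern, what the message means to the operator)
RULES = [
    ("endpoint_unresolved",
     re.compile(r"Could not deterimine VPN endpoint for (?P<name>.+)$"),
     "config generation found no local WAN address for this phase 1, so no racoon "
     "config was written for it; check which interface actually carries the WAN address"),
    ("phase2_no_sainfo",
     re.compile(r"failed to get sainfo"),
     "as responder, racoon has no phase 2 (sainfo) block matching the peer's proposal: "
     "compare local/remote subnets, proposals and PFS on both ends"),
    ("mode_mismatch",
     re.compile(r"not acceptable Aggressive mode"),
     "the peer proposed aggressive mode but the local phase 1 for it is main mode only"),
    ("peer_retransmit",
     re.compile(r"the packet is retransmitted by (?P<peer>[\d.]+)\[\d+\]"),
     "the peer resent a packet racoon already answered: our replies are not reaching it"),
    ("benign_vendor_id",
     re.compile(r"received broken Microsoft ID"),
     "informational: a recognised vendor ID payload, not a fault"),
    ("daemon_restart",
     re.compile(r"caught signal 15|racoon shutdown"),
     "racoon was stopped (SIGTERM); a restart follows when the config is regenerated"),
]

PHASE2_RE = re.compile(
    r"respond new phase 2 negotiation: (?P<local>[\d.]+)\[\d+\]<=>(?P<remote>[\d.]+)\[\d+\]")


def triage(log_text, sainfo_threshold=2):
    """Classify IPsec log lines and return a summary the operator can act on."""
    counts = Counter()
    unresolved = []          # phase 1 names whose endpoint could not be determined
    sainfo_per_peer = Counter()
    current_peer = None      # remote address of the phase 2 negotiation in progress
    for line in log_text.splitlines():
        m = PHASE2_RE.search(line)
        if m:
            current_peer = m.group("remote")
            continue
        for label, rx, _ in RULES:
            m = rx.search(line)
            if not m:
                continue
            counts[label] += 1
            if label == "endpoint_unresolved":
                unresolved.append(m.group("name").strip())
            elif label == "phase2_no_sainfo" and current_peer:
                # attribute the failure to the peer named in the preceding negotiation line
                sainfo_per_peer[current_peer] += 1
            break
    stuck = sorted(p for p, n in sainfo_per_peer.items() if n >= sainfo_threshold)
    return {
        "counts": dict(counts),
        "unresolved_tunnels": unresolved,
        "stuck_phase2_peers": stuck,
        "daemon_restarted": counts["daemon_restart"] > 0,
    }


def explain(summary):
    """Render the summary as one line per finding."""
    meaning = {label: text for label, _, text in RULES}
    out = [f"{label}: {n} line(s); {meaning[label]}"
           for label, n in sorted(summary["counts"].items())]
    if summary["unresolved_tunnels"]:
        out.append("phase 1 entries without an endpoint: "
                   + ", ".join(summary["unresolved_tunnels"]))
    if summary["stuck_phase2_peers"]:
        out.append("peers repeatedly failing phase 2 (candidates for a racoon restart): "
                   + ", ".join(summary["stuck_phase2_peers"]))
    return out


if __name__ == "__main__":
    print("\n".join(explain(triage(SAMPLE_LOG))))
```

Two points the script encodes: "failed to get sainfo" is a responder-side mismatch (racoon finds no phase 2 block whose selectors match what the peer proposes), which is why each failure is attributed to the peer named in the preceding "respond new phase 2 negotiation" line; and "received broken Microsoft ID: FRAGMENTATION" is logged at INFO and only records a vendor ID payload racoon recognised, so it is filed as benign rather than as an error.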
PacDemon:

I have the same problem. I switched back to pfSense-Full-Update-1.2.1-RC1-20080817-2330.tgz, same problem.
But before I upgraded it worked under this version, pfSense-Full-Update-1.2.1-RC1-20080817-2330.tgz.

PD

heiko:

I have been in contact with a pfSense developer and he will take a look at the code…

PacDemon:

Oh, I hope they can fix it fast. At the moment I have one office offline :(

PD

heiko:

Probably a fix will be available this week…

PacDemon:

Oh, I really hope so. At the moment there is no new snapshot :(

Rgds,
PD

heiko:

Heh, 1.2.1 is beta, not a release… if you can downgrade to the 1.2 release, do it...

PacDemon:

Yeah, I know.
Do you know whether it is possible to downgrade to 1.2 via the firmware update, or do I have to reinstall from an image?

PD

heiko:

I have not tested a downgrade. At the moment I have no new information about the IPsec fix…

First, I would try a downgrade to 1.2; if it fails you must install from a fresh 1.2 image.... :-\

Regards
heiko

If I have new information, I will post it as soon as possible...

PacDemon:

Oh oh, the hardware is 600 km from here. Hmm, I think I will first test on another box whether it is possible to downgrade from 1.2.1 back to 1.2.

I will let you know.

PD

heiko:

Please wait, I will test it also…

Results: I have done a downgrade to 1.2 and IPsec and everything else runs as it should, but after the downgrade you must delete the SPDs and then click Save on the IPsec tunnel tab.... that's it.

Regards
heiko

PacDemon:

Oh oh,
it did not work, it killed the complete box. Now I have sent a new one out to our office.

Hope they fix it in the 1.2.1 version.

Greetings,
PD

heiko:

Oh, very annoying…

databeestje:

I have just committed a fix into CVS which should fix this for PPPoE or PPTP WAN connections.

Please test!

I also need confirmation that DHCP, static IPs and CARP interfaces still work!

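An added illustration, not pfSense's code and not the CVS change Seth refers to, of the distinction behind his request to re-test every WAN type: the address a phase 1 should use as its local IKE endpoint lives on a different interface depending on how the WAN gets its address. The ifconfig dump and the interface names (fxp0 as the physical WAN NIC, ng0 as the PPP link on top of it, fxp1 as LAN, carp0 as a CARP VIP) are constructed assumptions, as are the phase 1 entries; the resolver shows how a lookup that only ever consults the physical NIC produces a failure of the kind heiko saw on a PPPoE WAN.

```python
import re

# Constructed BSD-style ifconfig output, not taken from any real box. Interface names
# are assumptions: fxp0 is the physical WAN NIC, ng0 the PPPoE/PPTP link brought up on
# it, fxp1 the LAN NIC and carp0 a CARP virtual IP on the LAN side.
IFCONFIG = """\
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        ether 00:02:b3:aa:bb:cc
        media: Ethernet autoselect (100baseTX <full-duplex>)
ng0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> mtu 1492
        inet 203.0.113.45 --> 203.0.113.1 netmask 0xffffffff
fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.6.1 netmask 0xffffff00 broadcast 192.168.6.255
carp0: flags=49<UP,LOOPBACK,RUNNING> mtu 1500
        inet 192.168.6.2 netmask 0xffffff00
        carp: MASTER vhid 1 advbase 1 advskew 0
"""

IFACE_RE = re.compile(r"^([a-z]+\d+):")
INET_RE = re.compile(r"^\s+inet (\d+\.\d+\.\d+\.\d+)")


def parse_ifconfig(text):
    """Map interface name -> list of IPv4 addresses found in an ifconfig dump."""
    addrs, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            addrs[current] = []
            continue
        m = INET_RE.match(line)
        if m and current:
            addrs[current].append(m.group(1))
    return addrs


def vpn_endpoint(ifconfig_text, wan_type, physical_if, ppp_if=None, carp_if=None):
    """Choose the local IKE endpoint for a phase 1 from how the WAN gets its address.
    Returns (address, None) on success or (None, reason) when it cannot be determined."""
    if wan_type in ("pppoe", "pptp"):
        iface = ppp_if          # the address sits on the PPP link, not on the Ethernet NIC
    elif wan_type == "carp":
        iface = carp_if         # shared virtual IP, so the tunnel survives failover
    elif wan_type in ("static", "dhcp"):
        iface = physical_if
    else:
        return None, f"unknown WAN type {wan_type!r}"
    if not iface:
        return None, f"no interface known for WAN type {wan_type}"
    ips = parse_ifconfig(ifconfig_text).get(iface, [])
    if not ips:
        return None, f"{iface} has no IPv4 address (link down or wrong interface)"
    return ips[0], None


def endpoint_messages(ifconfig_text, phase1s):
    """Resolve each phase 1 and return log-style lines, like the php ones in this thread."""
    lines = []
    for p in phase1s:
        addr, why = vpn_endpoint(ifconfig_text, p["wan_type"], p["physical_if"],
                                 p.get("ppp_if"), p.get("carp_if"))
        if addr:
            lines.append(f"{p['descr']}: endpoint {addr}")
        else:
            lines.append(f"Could not determine VPN endpoint for {p['descr']} ({why})")
    return lines


if __name__ == "__main__":
    # Constructed phase 1 entries. 'Lotte' models the failure mode: a PPPoE WAN whose
    # resolver was never told about the PPP link and so only knows the Ethernet NIC.
    PHASE1S = [
        {"descr": "Lotte", "wan_type": "pppoe", "physical_if": "fxp0"},
        {"descr": "Lotte-fixed", "wan_type": "pppoe", "physical_if": "fxp0", "ppp_if": "ng0"},
        {"descr": "lan-carp", "wan_type": "carp", "physical_if": "fxp1", "carp_if": "carp0"},
    ]
    print("\n".join(endpoint_messages(IFCONFIG, PHASE1S)))
```

The CARP branch is the caveat worth keeping in mind when re-testing: a tunnel bound to a CARP VIP must resolve to the shared address rather than to the NIC's own address, otherwise phase 1 is negotiated from an address the peer does not expect and the tunnel does not follow a failover.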
heiko:

I will test it! Thanks Seth.

Regards
Heiko

databeestje:

Any result? Does the silence mean it works now?

heiko:

Sorry Seth, dynamic side to static side with "enabled mobile option" works now!! :D

This is strange, I think:
racoon: INFO: received broken Microsoft ID: FRAGMENTATION….

but this is pfSense to pfSense, any ideas?

Next week I will test "carp"!

Regards
heiko
