Ipsec not working with the last snapshot!



  • IPSEC isn´t working with the last snaphsot

    Could not deterimine VPN endpoint for Lotte
    Aug 18 17:01:59 php: : Could not deterimine VPN endpoint for averdiek
    Aug 18 17:01:59 php: : Could not deterimine VPN endpoint for amvan
    Aug 18 17:01:59 php: : Could not deterimine VPN endpoint for seeman

    …....



  • Whoops. I wonder if it's related to the fix made to CARP support in http://forum.pfsense.org/index.php/topic,10905.0.html

    • ask (holding off on upgrading to a newer snapshot)


  • I will try the "very" last snaphsot and then we will see ;)



  • @heiko:

    I will try the "very" last snaphsot and then we will see ;)

    It's working for me with "Sun Aug 17 23:20:33 EDT 2008".



  • This snapshot isn´t working
    http://snapshots.pfsense.org/FreeBSD7/RELENG_1_2/pfSense-Full-Update-1.2.1-RC1-20080817-2330.tgz

    hm, perhaps "aggressive mode /FQDN problem" with mobile endpoint on the other side…

    Regards heiko



  • You will want to test a snapshot form the 18th.



  • Thanks Scott,
    but under this link http://snapshots.pfsense.org/FreeBSD7/RELENG_1_2/ i cannot find a newer snapshot as from the 17th.
    Regards
    Heiko



  • Oops, too many 0's in our sleep statement on the builder box.  It's now building.



  • @sullrich:

    You will want to test a snapshot form the 18th.

    What did you fix since the Sun Aug 17 23:20:33 EDT 2008 snapshot?

    Our IPsec connections stopped working today - getting lots of "racoon: ERROR: not acceptable Aggressive mode" errors.  And if we set it to main mode in both ends we get "racoon: [{other-end}]: NOTIFY: the packet is retransmitted by {other-ip}[500]."

    • ask


  • Gah - it just broke again here after running for about 5 hours on Tue Aug 19 23:27:49 EDT 2008.

    Aug 20 01:09:21 gw-a racoon: INFO: phase2 sa deleted $gw-$remote
    Aug 20 01:09:23 gw-a racoon: INFO: respond new phase 2 negotiation: $gw[0]<=>$remote[0]
    Aug 20 01:09:23 gw-a racoon: ERROR: failed to get sainfo.
    Aug 20 01:09:23 gw-a racoon: ERROR: failed to get sainfo.
    Aug 20 01:09:23 gw-a racoon: ERROR: failed to pre-process packet.
    Aug 20 01:09:43 gw-a racoon: INFO: respond new phase 2 negotiation: $gw[0]<=>$remote[0]
    Aug 20 01:09:43 gw-a racoon: ERROR: failed to get sainfo.
    Aug 20 01:09:43 gw-a racoon: ERROR: failed to get sainfo.
    Aug 20 01:09:43 gw-a racoon: ERROR: failed to pre-process packet.

    Restarting racoon got it going again.  This was working flawlessly (other than not working on the CARP interface) for about a week on the Aug 12 snapshot – and for years with our NanoBSD systems (with the same remote configuration as now).



  • Now i have the newest snapshot but racoon didn´t work…

    1.2.1-RC1
    built on Tue Aug 19 23:37:31 EDT 2008

    php: : Could not deterimine VPN endpoint for Lotte
    Aug 20 10:14:09 php: : Could not deterimine VPN endpoint for averdiek
    Aug 20 10:14:09 php: : Could not deterimine VPN endpoint for amvan
    Aug 20 10:14:09 php: : Could not deterimine VPN endpoint for seemann os
    Aug 20 10:14:09 php: : Could not deterimine VPN endpoint for seemann bi
    Aug 20 10:14:09 php: : Could not deterimine VPN endpoint for nova
    Aug 20 10:14:09 php: : Could not deterimine

    and this on the ipsec tab:

    Aug 20 10:14:26 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=14)
    Aug 20 10:14:26 racoon: [Self]: INFO: 89.166.159.92[500] used as isakmp port (fd=13)
    Aug 20 10:14:26 racoon: INFO: Resize address pool from 0 to 255
    Aug 20 10:14:26 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
    Aug 20 10:14:26 racoon: INFO: @(#)This product linked OpenSSL 0.9.8e 23 Feb 2007 (http://www.openssl.org/)
    Aug 20 10:14:26 racoon: INFO: @(#)ipsec-tools 0.7.1 (http://ipsec-tools.sourceforge.net)
    Aug 20 10:14:22 racoon: INFO: racoon shutdown
    Aug 20 10:14:21 racoon: INFO: caught signal 15
    Aug 20 10:14:21 racoon: [Self]: INFO: 192.168.6.1[500] used as isakmp port (fd=14)
    Aug 20 10:14:21 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=13)
    Aug 20 10:14:21 racoon: [Self]: INFO: 89.166.159.92[500] used as isakmp port (fd=12)
    Aug 20 10:14:11 racoon: [Self]: INFO: 192.168.6.1[500] used as isakmp port (fd=14)
    Aug 20 10:14:11 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=13)
    Aug 20 10:14:11 racoon: [Self]: INFO: 89.166.159.92[500] used as isakmp port (fd=12)
    Aug 20 10:14:10 racoon: [Self]: INFO: 192.168.6.1[500] used as isakmp port (fd=14)
    Aug 20 10:14:10 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=13)
    Aug 20 10:14:10 racoon: [Self]: INFO: 89.166.159.92[500] used as isakmp port (fd=12)
    Aug 20 10:14:09 racoon: INFO: unsupported PF_KEY message REGISTER
    Aug 20 10:14:09 racoon: [Self]: INFO: 192.168.6.1[500] used as isakmp port (fd=14)
    Aug 20 10:14:09 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=13)
    Aug 20 10:14:09 racoon: [Self]: INFO: 89.166.159.92[500] used as isakmp port (fd=12)
    Aug 20 10:14:09 racoon: INFO: Resize address pool from 0 to 255
    Aug 20 10:14:09 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
    Aug 20 10:14:09 racoon: INFO: @(#)This product linked OpenSSL 0.9.8e 23 Feb 2007 (http://www.openssl.org/)
    Aug 20 10:14:09 racoon: INFO: @(#)ipsec-tools 0.7.1 (http://ipsec-tools.sourceforge.net)

    all of these tunnels are on the "agressive mode" to other 1.2 ipsec endpoints as a "mobile ipsec client".

    With 1.2 all works great as it should. I have nothing changed in the configuration…..

    Regards
    heiko



  • I have the same Problem. I switch back to pfSense-Full-Update-1.2.1-RC1-20080817-2330.tgz, same problem.
    But before i upgrade it works under this version pfSense-Full-Update-1.2.1-RC1-20080817-2330.tgz.

    PD



  • I have had contact with a developer from pfsense and he will take a look into the code…..



  • Oh I hope they can fix it fast. I have in the moment one office offline :(

    PD



  • Probably this week a fix is available…..



  • Oh, I hope it really. In the moment it is no new snapshot :(

    Rgds,
    PD



  • Heh, 1.21 is beta, not a release…. if you can make a downgrade to 1.2 release, make it...



  • Yea, i know.
    Do you know that is possible to downgrade to 1.2 over the Firmaware update or I have to install new over a Image?

    PD



  • I have not tested a downgrade. At the moment i haven´t new informations about the ipsec fix…...

    First, i would make a  downgrade to 1.2, if it fails you must install from a fresh 1.2 image.... :-\

    Regards
    heiko

    If i have new informations, i post it as soon as possible...



  • Oh oh, the Hardware is 600 km form here. Hmm, i think i test it first on a another hardware if it is possible to downgrade from 1.2.1 to 1.2 back.

    I let you know this.

    PD



  • please wait, i will test it also…

    Results: I have made a downgrade to 1.2 and the ipsec and all the other things runs as it should, but after the downgrade you must delete the SPD´s and then click save on the ipsec tunnel tab.... that´s it.

    Regards
    heiko



  • Ohoh,
    be not work, it killed the complete box. No I sent out a new one out to our office.

    Hope they fix it in the 1.2.1 version.

    Greats,
    PD



  • oh, very angrily….



  • I have just committed a fix into CVS which should fix this for PPPoE or PPtP WAN connections.

    Please test!

    I also need confirmation that DHCP, Static IPs and CARP interfaces still work!



  • I will test it! Thanks Seth.

    Regards
    Heiko



  • Any result? Does the silence mean it works now?



  • Sorry Seth, dynamic side to static side with "enabled mobile option" works now!! :D

    This is strange, i think:
    racoon: INFO: received broken Microsoft ID: FRAGMENTATION….

    but this is pfsense to pfsense, any ideas?

    Next week i will test "carp"!

    Regards
    heiko


Locked