Ipsec not working with the last snapshot!
-
Oops, too many 0's in our sleep statement on the builder box. It's now building.
-
You will want to test a snapshot form the 18th.
What did you fix since the Sun Aug 17 23:20:33 EDT 2008 snapshot?
Our IPsec connections stopped working today - getting lots of "racoon: ERROR: not acceptable Aggressive mode" errors. And if we set it to main mode in both ends we get "racoon: [{other-end}]: NOTIFY: the packet is retransmitted by {other-ip}[500]."
- ask
-
Gah - it just broke again here after running for about 5 hours on Tue Aug 19 23:27:49 EDT 2008.
Aug 20 01:09:21 gw-a racoon: INFO: phase2 sa deleted $gw-$remote
Aug 20 01:09:23 gw-a racoon: INFO: respond new phase 2 negotiation: $gw[0]<=>$remote[0]
Aug 20 01:09:23 gw-a racoon: ERROR: failed to get sainfo.
Aug 20 01:09:23 gw-a racoon: ERROR: failed to get sainfo.
Aug 20 01:09:23 gw-a racoon: ERROR: failed to pre-process packet.
Aug 20 01:09:43 gw-a racoon: INFO: respond new phase 2 negotiation: $gw[0]<=>$remote[0]
Aug 20 01:09:43 gw-a racoon: ERROR: failed to get sainfo.
Aug 20 01:09:43 gw-a racoon: ERROR: failed to get sainfo.
Aug 20 01:09:43 gw-a racoon: ERROR: failed to pre-process packet.Restarting racoon got it going again. This was working flawlessly (other than not working on the CARP interface) for about a week on the Aug 12 snapshot – and for years with our NanoBSD systems (with the same remote configuration as now).
-
Now i have the newest snapshot but racoon didn´t work…
1.2.1-RC1
built on Tue Aug 19 23:37:31 EDT 2008php: : Could not deterimine VPN endpoint for Lotte
Aug 20 10:14:09 php: : Could not deterimine VPN endpoint for averdiek
Aug 20 10:14:09 php: : Could not deterimine VPN endpoint for amvan
Aug 20 10:14:09 php: : Could not deterimine VPN endpoint for seemann os
Aug 20 10:14:09 php: : Could not deterimine VPN endpoint for seemann bi
Aug 20 10:14:09 php: : Could not deterimine VPN endpoint for nova
Aug 20 10:14:09 php: : Could not deterimineand this on the ipsec tab:
Aug 20 10:14:26 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=14)
Aug 20 10:14:26 racoon: [Self]: INFO: 89.166.159.92[500] used as isakmp port (fd=13)
Aug 20 10:14:26 racoon: INFO: Resize address pool from 0 to 255
Aug 20 10:14:26 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
Aug 20 10:14:26 racoon: INFO: @(#)This product linked OpenSSL 0.9.8e 23 Feb 2007 (http://www.openssl.org/)
Aug 20 10:14:26 racoon: INFO: @(#)ipsec-tools 0.7.1 (http://ipsec-tools.sourceforge.net)
Aug 20 10:14:22 racoon: INFO: racoon shutdown
Aug 20 10:14:21 racoon: INFO: caught signal 15
Aug 20 10:14:21 racoon: [Self]: INFO: 192.168.6.1[500] used as isakmp port (fd=14)
Aug 20 10:14:21 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=13)
Aug 20 10:14:21 racoon: [Self]: INFO: 89.166.159.92[500] used as isakmp port (fd=12)
Aug 20 10:14:11 racoon: [Self]: INFO: 192.168.6.1[500] used as isakmp port (fd=14)
Aug 20 10:14:11 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=13)
Aug 20 10:14:11 racoon: [Self]: INFO: 89.166.159.92[500] used as isakmp port (fd=12)
Aug 20 10:14:10 racoon: [Self]: INFO: 192.168.6.1[500] used as isakmp port (fd=14)
Aug 20 10:14:10 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=13)
Aug 20 10:14:10 racoon: [Self]: INFO: 89.166.159.92[500] used as isakmp port (fd=12)
Aug 20 10:14:09 racoon: INFO: unsupported PF_KEY message REGISTER
Aug 20 10:14:09 racoon: [Self]: INFO: 192.168.6.1[500] used as isakmp port (fd=14)
Aug 20 10:14:09 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=13)
Aug 20 10:14:09 racoon: [Self]: INFO: 89.166.159.92[500] used as isakmp port (fd=12)
Aug 20 10:14:09 racoon: INFO: Resize address pool from 0 to 255
Aug 20 10:14:09 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
Aug 20 10:14:09 racoon: INFO: @(#)This product linked OpenSSL 0.9.8e 23 Feb 2007 (http://www.openssl.org/)
Aug 20 10:14:09 racoon: INFO: @(#)ipsec-tools 0.7.1 (http://ipsec-tools.sourceforge.net)all of these tunnels are on the "agressive mode" to other 1.2 ipsec endpoints as a "mobile ipsec client".
With 1.2 all works great as it should. I have nothing changed in the configuration…..
Regards
heiko -
I have the same Problem. I switch back to pfSense-Full-Update-1.2.1-RC1-20080817-2330.tgz, same problem.
But before i upgrade it works under this version pfSense-Full-Update-1.2.1-RC1-20080817-2330.tgz.PD
-
I have had contact with a developer from pfsense and he will take a look into the code…..
-
Oh I hope they can fix it fast. I have in the moment one office offline :(
PD
-
Probably this week a fix is available…..
-
Oh, I hope it really. In the moment it is no new snapshot :(
Rgds,
PD -
Heh, 1.21 is beta, not a release…. if you can make a downgrade to 1.2 release, make it...
-
Yea, i know.
Do you know that is possible to downgrade to 1.2 over the Firmaware update or I have to install new over a Image?PD
-
I have not tested a downgrade. At the moment i haven´t new informations about the ipsec fix…...
First, i would make a downgrade to 1.2, if it fails you must install from a fresh 1.2 image.... :-\
Regards
heikoIf i have new informations, i post it as soon as possible...
-
Oh oh, the Hardware is 600 km form here. Hmm, i think i test it first on a another hardware if it is possible to downgrade from 1.2.1 to 1.2 back.
I let you know this.
PD
-
please wait, i will test it also…
Results: I have made a downgrade to 1.2 and the ipsec and all the other things runs as it should, but after the downgrade you must delete the SPD´s and then click save on the ipsec tunnel tab.... that´s it.
Regards
heiko -
Ohoh,
be not work, it killed the complete box. No I sent out a new one out to our office.Hope they fix it in the 1.2.1 version.
Greats,
PD -
oh, very angrily….
-
I have just committed a fix into CVS which should fix this for PPPoE or PPtP WAN connections.
Please test!
I also need confirmation that DHCP, Static IPs and CARP interfaces still work!
-
I will test it! Thanks Seth.
Regards
Heiko -
Any result? Does the silence mean it works now?
-
Sorry Seth, dynamic side to static side with "enabled mobile option" works now!! :D
This is strange, i think:
racoon: INFO: received broken Microsoft ID: FRAGMENTATION….but this is pfsense to pfsense, any ideas?
Next week i will test "carp"!
Regards
heiko