Ipsec tunnel disconnecting (auth using certificates)



  • setup:

    site A:
    pfsense 1.2 (IP: 1.2.3.4)

    site B:
    pfsense 1.2 embedded (IP: 4.3.2.1)

    configured ipsec site-to-site vpn:

    phase1:
    negotiation: main
    identifier: my ip address
    encryption: blowfish
    hash: sha1
    dh: 5
    lifetime: 28800
    auth: rsa signature

    phase2:
    proto: esp
    encryption: blowfish
    hash: sha1
    pfs: 5
    lifetime: 28800

    keep alive: ping remote site pfsense LAN ip

    keys/certificates generetated using openssl, self signed certificates - not using CA

    site A:
    CN:IP:1.2.3.4, subjectAltName: IP:1.2.3.4

    site B:
    CN:IP:4.3.2.1, subjectAltName: IP:4.3.2.1

    problem:
    ipsec tunnel is initializing without any problems, but from time-to-time connection drops, and sometimes tunnel is not rebuilt immediately.

    racoon logs following:

    Aug 26 11:34:00 racoon: ERROR: failed to pre-process packet.
    Aug 26 11:34:00 racoon: [site_A - site_B]: INFO: respond new phase 2 negotiation: 1.2.3.4[0]<=>4.3.2.1[0]
    Aug 26 11:33:43 racoon: [site_A - site_B]: INFO: IPsec-SA established: ESP/Tunnel 1.2.3.4[0]->4.3.2.1[0] spi=234735476(0xdfdc774)
    Aug 26 11:33:43 racoon: [site_A - site_B]: INFO: IPsec-SA established: ESP/Tunnel 4.3.2.1[0]->1.2.3.4[0] spi=195926494(0xsite_Bd99de)
    Aug 26 11:33:43 racoon: [site_A - site_B]: INFO: respond new phase 2 negotiation: 1.2.3.4[0]<=>4.3.2.1[0]
    Aug 26 11:33:40 racoon: ERROR: failed to pre-process packet.
    Aug 26 11:33:40 racoon: [site_A - site_B]: INFO: respond new phase 2 negotiation: 1.2.3.4[0]<=>4.3.2.1[0]
    Aug 26 11:33:40 racoon: [Self]: INFO: 192.168.0.1[500] used as isakmp port (fd=18)
    Aug 26 11:33:40 racoon: INFO: fe80::211:3bff:fe0e:b479%rl0[500] used as isakmp port (fd=17)
    Aug 26 11:33:40 racoon: [Self]: INFO: 1.2.3.4[500] used as isakmp port (fd=16)
    Aug 26 11:33:40 racoon: INFO: fe80::211:3bff:fe0e:4ee6%rl1[500] used as isakmp port (fd=15)
    Aug 26 11:33:40 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=14)
    Aug 26 11:33:40 racoon: INFO: ::1[500] used as isakmp port (fd=13)
    Aug 26 11:33:40 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=12)
    Aug 26 11:33:40 racoon: WARNING: /var/etc/racoon.conf:9: ""peer1-signed.pem" Please use 'peers_certfile x509 "peer1-signed.pem";' instead
    Aug 26 11:33:40 racoon: WARNING: /var/etc/racoon.conf:9: ""peer1-signed.pem" This directive without certtype will be removed!
    Aug 26 11:33:40 racoon: [site_A - site_B]: INFO: initiate new phase 2 negotiation: 1.2.3.4[0]<=>4.3.2.1[0]
    Aug 26 11:33:40 racoon: INFO: unsupported PF_KEY message REGISTER
    Aug 26 11:33:40 racoon: [Self]: INFO: 192.168.0.1[500] used as isakmp port (fd=18)
    Aug 26 11:33:40 racoon: INFO: fe80::211:3bff:fe0e:b479%rl0[500] used as isakmp port (fd=17)
    Aug 26 11:33:40 racoon: [Self]: INFO: 1.2.3.4[500] used as isakmp port (fd=16)
    Aug 26 11:33:40 racoon: INFO: fe80::211:3bff:fe0e:4ee6%rl1[500] used as isakmp port (fd=15)
    Aug 26 11:33:40 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=14)
    Aug 26 11:33:40 racoon: INFO: ::1[500] used as isakmp port (fd=13)
    Aug 26 11:33:40 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=12)
    Aug 26 11:33:40 racoon: WARNING: /var/etc/racoon.conf:9: ""peer1-signed.pem" Please use 'peers_certfile x509 "peer1-signed.pem";' instead
    Aug 26 11:33:40 racoon: WARNING: /var/etc/racoon.conf:9: ""peer1-signed.pem" This directive without certtype will be removed!
    Aug 26 11:33:38 racoon: [site_A - site_B]: INFO: IPsec-SA established: ESP/Tunnel 1.2.3.4[0]->4.3.2.1[0] spi=104841005(0x63fbf2d)
    Aug 26 11:33:38 racoon: [site_A - site_B]: INFO: IPsec-SA established: ESP/Tunnel 4.3.2.1[0]->1.2.3.4[0] spi=222983762(0xd4a7652)
    Aug 26 11:33:38 racoon: [site_A - site_B]: INFO: respond new phase 2 negotiation: 1.2.3.4[0]<=>4.3.2.1[0]
    Aug 26 11:33:38 racoon: INFO: purged IPsec-SA proto_id=ESP spi=187506500.
    Aug 26 10:20:45 racoon: [site_A - site_B]: INFO: IPsec-SA established: ESP/Tunnel 1.2.3.4[0]->4.3.2.1[0] spi=187506500(0xb2d1f44)
    Aug 26 10:20:45 racoon: [site_A - site_B]: INFO: IPsec-SA established: ESP/Tunnel 4.3.2.1[0]->1.2.3.4[0] spi=180901394(0xac85612)
    Aug 26 10:20:44 racoon: [site_A - site_B]: INFO: respond new phase 2 negotiation: 1.2.3.4[0]<=>4.3.2.1[0]
    Aug 26 10:20:43 racoon: [site_A - site_B]: INFO: ISAKMP-SA established 1.2.3.4[500]-4.3.2.1[500] spi:12d04b17e0e1be9f:4af024site_Bf6711765
    Aug 26 10:20:42 racoon: INFO: received Vendor ID: DPD
    Aug 26 10:20:42 racoon: INFO: begin Identity Protection mode.
    Aug 26 10:20:42 racoon: [site_A - site_B]: INFO: respond new phase 1 negotiation: 1.2.3.4[500]<=>4.3.2.1[500]
    Aug 26 10:20:39 racoon: [site_A - site_B]: INFO: IPsec-SA expired: ESP/Tunnel 4.3.2.1[0]->1.2.3.4[0] spi=234344760(0xdf7d138)
    Aug 26 10:20:39 racoon: [site_A - site_B]: INFO: IPsec-SA expired: ESP/Tunnel 1.2.3.4[0]->4.3.2.1[0] spi=253847886(0xf21694e)

    what does the following mean:

    racoon: WARNING: /var/etc/racoon.conf:9: ""peer1-signed.pem" Please use 'peers_certfile x509 "peer1-signed.pem";' instead
    Aug 26 11:33:40 racoon: WARNING: /var/etc/racoon.conf:9: ""peer1-signed.pem" This directive without certtype will be removed!

    any input is apreciated. thanks.


Log in to reply