Netgate Discussion Forum

    Ipsec tunnel disconnecting (auth using certificates)

    wagebox

      setup:

      site A:
      pfsense 1.2 (IP: 1.2.3.4)

      site B:
      pfsense 1.2 embedded (IP: 4.3.2.1)

      configured ipsec site-to-site vpn:

      phase1:
      negotiation: main
      identifier: my ip address
      encryption: blowfish
      hash: sha1
      dh: 5
      lifetime: 28800
      auth: rsa signature

      phase2:
      proto: esp
      encryption: blowfish
      hash: sha1
      pfs: 5
      lifetime: 28800

      keep alive: ping remote site pfsense LAN ip

      keys/certificates generated using openssl, self-signed certificates - not using CA

      site A:
      CN:IP:1.2.3.4, subjectAltName: IP:1.2.3.4

      site B:
      CN:IP:4.3.2.1, subjectAltName: IP:4.3.2.1

      problem:
      ipsec tunnel is initializing without any problems, but from time to time the connection drops, and sometimes the tunnel is not rebuilt immediately.

      racoon logs following:

      Aug 26 11:34:00 racoon: ERROR: failed to pre-process packet.
      Aug 26 11:34:00 racoon: [site_A - site_B]: INFO: respond new phase 2 negotiation: 1.2.3.4[0]<=>4.3.2.1[0]
      Aug 26 11:33:43 racoon: [site_A - site_B]: INFO: IPsec-SA established: ESP/Tunnel 1.2.3.4[0]->4.3.2.1[0] spi=234735476(0xdfdc774)
      Aug 26 11:33:43 racoon: [site_A - site_B]: INFO: IPsec-SA established: ESP/Tunnel 4.3.2.1[0]->1.2.3.4[0] spi=195926494(0xsite_Bd99de)
      Aug 26 11:33:43 racoon: [site_A - site_B]: INFO: respond new phase 2 negotiation: 1.2.3.4[0]<=>4.3.2.1[0]
      Aug 26 11:33:40 racoon: ERROR: failed to pre-process packet.
      Aug 26 11:33:40 racoon: [site_A - site_B]: INFO: respond new phase 2 negotiation: 1.2.3.4[0]<=>4.3.2.1[0]
      Aug 26 11:33:40 racoon: [Self]: INFO: 192.168.0.1[500] used as isakmp port (fd=18)
      Aug 26 11:33:40 racoon: INFO: fe80::211:3bff:fe0e:b479%rl0[500] used as isakmp port (fd=17)
      Aug 26 11:33:40 racoon: [Self]: INFO: 1.2.3.4[500] used as isakmp port (fd=16)
      Aug 26 11:33:40 racoon: INFO: fe80::211:3bff:fe0e:4ee6%rl1[500] used as isakmp port (fd=15)
      Aug 26 11:33:40 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=14)
      Aug 26 11:33:40 racoon: INFO: ::1[500] used as isakmp port (fd=13)
      Aug 26 11:33:40 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=12)
      Aug 26 11:33:40 racoon: WARNING: /var/etc/racoon.conf:9: ""peer1-signed.pem" Please use 'peers_certfile x509 "peer1-signed.pem";' instead
      Aug 26 11:33:40 racoon: WARNING: /var/etc/racoon.conf:9: ""peer1-signed.pem" This directive without certtype will be removed!
      Aug 26 11:33:40 racoon: [site_A - site_B]: INFO: initiate new phase 2 negotiation: 1.2.3.4[0]<=>4.3.2.1[0]
      Aug 26 11:33:40 racoon: INFO: unsupported PF_KEY message REGISTER
      Aug 26 11:33:40 racoon: [Self]: INFO: 192.168.0.1[500] used as isakmp port (fd=18)
      Aug 26 11:33:40 racoon: INFO: fe80::211:3bff:fe0e:b479%rl0[500] used as isakmp port (fd=17)
      Aug 26 11:33:40 racoon: [Self]: INFO: 1.2.3.4[500] used as isakmp port (fd=16)
      Aug 26 11:33:40 racoon: INFO: fe80::211:3bff:fe0e:4ee6%rl1[500] used as isakmp port (fd=15)
      Aug 26 11:33:40 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=14)
      Aug 26 11:33:40 racoon: INFO: ::1[500] used as isakmp port (fd=13)
      Aug 26 11:33:40 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=12)
      Aug 26 11:33:40 racoon: WARNING: /var/etc/racoon.conf:9: ""peer1-signed.pem" Please use 'peers_certfile x509 "peer1-signed.pem";' instead
      Aug 26 11:33:40 racoon: WARNING: /var/etc/racoon.conf:9: ""peer1-signed.pem" This directive without certtype will be removed!
      Aug 26 11:33:38 racoon: [site_A - site_B]: INFO: IPsec-SA established: ESP/Tunnel 1.2.3.4[0]->4.3.2.1[0] spi=104841005(0x63fbf2d)
      Aug 26 11:33:38 racoon: [site_A - site_B]: INFO: IPsec-SA established: ESP/Tunnel 4.3.2.1[0]->1.2.3.4[0] spi=222983762(0xd4a7652)
      Aug 26 11:33:38 racoon: [site_A - site_B]: INFO: respond new phase 2 negotiation: 1.2.3.4[0]<=>4.3.2.1[0]
      Aug 26 11:33:38 racoon: INFO: purged IPsec-SA proto_id=ESP spi=187506500.
      Aug 26 10:20:45 racoon: [site_A - site_B]: INFO: IPsec-SA established: ESP/Tunnel 1.2.3.4[0]->4.3.2.1[0] spi=187506500(0xb2d1f44)
      Aug 26 10:20:45 racoon: [site_A - site_B]: INFO: IPsec-SA established: ESP/Tunnel 4.3.2.1[0]->1.2.3.4[0] spi=180901394(0xac85612)
      Aug 26 10:20:44 racoon: [site_A - site_B]: INFO: respond new phase 2 negotiation: 1.2.3.4[0]<=>4.3.2.1[0]
      Aug 26 10:20:43 racoon: [site_A - site_B]: INFO: ISAKMP-SA established 1.2.3.4[500]-4.3.2.1[500] spi:12d04b17e0e1be9f:4af024site_Bf6711765
      Aug 26 10:20:42 racoon: INFO: received Vendor ID: DPD
      Aug 26 10:20:42 racoon: INFO: begin Identity Protection mode.
      Aug 26 10:20:42 racoon: [site_A - site_B]: INFO: respond new phase 1 negotiation: 1.2.3.4[500]<=>4.3.2.1[500]
      Aug 26 10:20:39 racoon: [site_A - site_B]: INFO: IPsec-SA expired: ESP/Tunnel 4.3.2.1[0]->1.2.3.4[0] spi=234344760(0xdf7d138)
      Aug 26 10:20:39 racoon: [site_A - site_B]: INFO: IPsec-SA expired: ESP/Tunnel 1.2.3.4[0]->4.3.2.1[0] spi=253847886(0xf21694e)

      what does the following mean:

      racoon: WARNING: /var/etc/racoon.conf:9: ""peer1-signed.pem" Please use 'peers_certfile x509 "peer1-signed.pem";' instead
      Aug 26 11:33:40 racoon: WARNING: /var/etc/racoon.conf:9: ""peer1-signed.pem" This directive without certtype will be removed!

      any input is appreciated. thanks.

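The racoon log quoted in the post is listed newest-first and mixes SA lifecycle lines with racoon start-up noise, which makes it hard to see which SA ended when and why. The following added example (not code from the post, from pfSense, or from ipsec-tools) reorders the lines chronologically, pairs each ESP SA's "established" line with its "expired" or "purged" line, flags SAs that ended well short of the poster's configured 28800 s phase 2 lifetime, counts racoon start-ups, and records what followed each phase 2 negotiation inside the log window. Assumptions, all labelled in the code: the syslog-style line format exactly as quoted, a year for the timestamps (the post gives none), the `127.0.0.1[500] used as isakmp port` line as a once-per-start-up marker, and the quoted lines trimmed to one listener line per start-up to keep the sample short.

```python
"""Reconstruct the SA timeline from racoon log lines.

Added example, not code from the post or from pfSense/ipsec-tools. It
assumes the syslog-style line format racoon writes on pfSense 1.2 (as
quoted in the post), that lines are listed newest-first, that all lines
fall in one (assumed) year, and that the phase 2 lifetime is 28800 s.
"""
import re
from datetime import datetime

CONFIGURED_P2_LIFETIME = 28800  # seconds, from the poster's phase 2 settings

# Lines quoted from the post above, trimmed to one listener line per racoon
# start-up. The poster's sanitizing of addresses and two spi hex values is
# kept as is; parsing keys on the decimal spi, so that does not matter.
RACOON_LOG = """\
Aug 26 11:34:00 racoon: ERROR: failed to pre-process packet.
Aug 26 11:34:00 racoon: [site_A - site_B]: INFO: respond new phase 2 negotiation: 1.2.3.4[0]<=>4.3.2.1[0]
Aug 26 11:33:43 racoon: [site_A - site_B]: INFO: IPsec-SA established: ESP/Tunnel 1.2.3.4[0]->4.3.2.1[0] spi=234735476(0xdfdc774)
Aug 26 11:33:43 racoon: [site_A - site_B]: INFO: IPsec-SA established: ESP/Tunnel 4.3.2.1[0]->1.2.3.4[0] spi=195926494(0xsite_Bd99de)
Aug 26 11:33:43 racoon: [site_A - site_B]: INFO: respond new phase 2 negotiation: 1.2.3.4[0]<=>4.3.2.1[0]
Aug 26 11:33:40 racoon: ERROR: failed to pre-process packet.
Aug 26 11:33:40 racoon: [site_A - site_B]: INFO: respond new phase 2 negotiation: 1.2.3.4[0]<=>4.3.2.1[0]
Aug 26 11:33:40 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=14)
Aug 26 11:33:40 racoon: WARNING: /var/etc/racoon.conf:9: ""peer1-signed.pem" Please use 'peers_certfile x509 "peer1-signed.pem";' instead
Aug 26 11:33:40 racoon: [site_A - site_B]: INFO: initiate new phase 2 negotiation: 1.2.3.4[0]<=>4.3.2.1[0]
Aug 26 11:33:40 racoon: INFO: unsupported PF_KEY message REGISTER
Aug 26 11:33:40 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=14)
Aug 26 11:33:40 racoon: WARNING: /var/etc/racoon.conf:9: ""peer1-signed.pem" Please use 'peers_certfile x509 "peer1-signed.pem";' instead
Aug 26 11:33:38 racoon: [site_A - site_B]: INFO: IPsec-SA established: ESP/Tunnel 1.2.3.4[0]->4.3.2.1[0] spi=104841005(0x63fbf2d)
Aug 26 11:33:38 racoon: [site_A - site_B]: INFO: IPsec-SA established: ESP/Tunnel 4.3.2.1[0]->1.2.3.4[0] spi=222983762(0xd4a7652)
Aug 26 11:33:38 racoon: [site_A - site_B]: INFO: respond new phase 2 negotiation: 1.2.3.4[0]<=>4.3.2.1[0]
Aug 26 11:33:38 racoon: INFO: purged IPsec-SA proto_id=ESP spi=187506500.
Aug 26 10:20:45 racoon: [site_A - site_B]: INFO: IPsec-SA established: ESP/Tunnel 1.2.3.4[0]->4.3.2.1[0] spi=187506500(0xb2d1f44)
Aug 26 10:20:45 racoon: [site_A - site_B]: INFO: IPsec-SA established: ESP/Tunnel 4.3.2.1[0]->1.2.3.4[0] spi=180901394(0xac85612)
Aug 26 10:20:44 racoon: [site_A - site_B]: INFO: respond new phase 2 negotiation: 1.2.3.4[0]<=>4.3.2.1[0]
Aug 26 10:20:43 racoon: [site_A - site_B]: INFO: ISAKMP-SA established 1.2.3.4[500]-4.3.2.1[500] spi:12d04b17e0e1be9f:4af024site_Bf6711765
Aug 26 10:20:42 racoon: INFO: received Vendor ID: DPD
Aug 26 10:20:42 racoon: INFO: begin Identity Protection mode.
Aug 26 10:20:42 racoon: [site_A - site_B]: INFO: respond new phase 1 negotiation: 1.2.3.4[500]<=>4.3.2.1[500]
Aug 26 10:20:39 racoon: [site_A - site_B]: INFO: IPsec-SA expired: ESP/Tunnel 4.3.2.1[0]->1.2.3.4[0] spi=234344760(0xdf7d138)
Aug 26 10:20:39 racoon: [site_A - site_B]: INFO: IPsec-SA expired: ESP/Tunnel 1.2.3.4[0]->4.3.2.1[0] spi=253847886(0xf21694e)
"""

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) racoon: (?P<msg>.*)$")
SPI_RE = re.compile(r"spi=(?P<spi>\d+)")          # decimal spi of ESP SA lines
DIR_RE = re.compile(r"ESP/Tunnel (?P<src>[\d.]+)\[\d+\]->(?P<dst>[\d.]+)")
STARTUP_MARK = "127.0.0.1[500] used as isakmp port"  # assumed: once per start-up


def parse_events(log, year=2008):
    """Return (timestamp, message) tuples in chronological order.

    The year is an assumption (syslog lines carry none); it only serves
    to build datetime objects for subtraction.
    """
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:  # anything that is not a racoon line is skipped
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["msg"]))
    events.reverse()                   # newest-first -> oldest-first
    events.sort(key=lambda e: e[0])    # stable sort keeps order within a second
    return events


def sa_lifetimes(events):
    """Map decimal spi -> start, end, how it ended, and seconds it lived."""
    sas = {}
    for ts, msg in events:
        spi_m = SPI_RE.search(msg)
        if not spi_m:
            continue
        rec = sas.setdefault(int(spi_m["spi"]),
                             {"start": None, "end": None, "how": None,
                              "seconds": None, "direction": None})
        if "IPsec-SA established" in msg:
            d = DIR_RE.search(msg)
            rec["start"] = ts
            rec["direction"] = f"{d['src']}->{d['dst']}" if d else None
        elif "IPsec-SA expired" in msg or "purged IPsec-SA" in msg:
            rec["end"] = ts
            rec["how"] = "expired" if "expired" in msg else "purged"
            if rec["start"] is not None:   # start may lie before the window
                rec["seconds"] = int((ts - rec["start"]).total_seconds())
    return sas


def phase2_outcomes(events):
    """Record what followed each phase 2 negotiation within the window."""
    outcomes, pending = [], None
    for ts, msg in events:
        if "new phase 2 negotiation" in msg:
            if pending:  # a new negotiation began before the last one resolved
                outcomes.append({**pending, "result": "unresolved"})
            role = "initiate" if "initiate new phase 2" in msg else "respond"
            pending = {"at": ts, "role": role}
        elif pending and "IPsec-SA established" in msg:
            outcomes.append({**pending, "result": "established"})
            pending = None
        elif pending and "failed to pre-process packet" in msg:
            outcomes.append({**pending, "result": "pre-process error"})
            pending = None
    if pending:
        outcomes.append({**pending, "result": "unresolved"})
    return outcomes


def report(log=RACOON_LOG, lifetime=CONFIGURED_P2_LIFETIME):
    ev = parse_events(log)
    sas = sa_lifetimes(ev)
    return {
        "restarts": [ts for ts, m in ev if STARTUP_MARK in m],
        "errors": sum("ERROR:" in m for _, m in ev),
        "outcomes": phase2_outcomes(ev),
        # SAs whose start is known and that ended before the configured lifetime
        "early": {s: r for s, r in sas.items()
                  if r["seconds"] is not None and r["seconds"] < lifetime},
        # SAs that ended in the window but were set up before it began
        "unknown_start": sorted(s for s, r in sas.items()
                                if r["end"] and r["start"] is None),
    }


if __name__ == "__main__":
    r = report()
    print(f"racoon start-ups in window: {len(r['restarts'])}, ERROR lines: {r['errors']}")
    for o in r["outcomes"]:
        print(f"{o['at']:%H:%M:%S} {o['role']:8} phase 2 -> {o['result']}")
    for spi, rec in r["early"].items():
        print(f"spi {spi:#x} {rec['direction']} {rec['how']} after {rec['seconds']} s "
              f"(configured lifetime {CONFIGURED_P2_LIFETIME} s)")
```

Run against the quoted lines, the report shows two racoon start-ups at 11:33:40, two phase 2 negotiations (11:33:40 and 11:34:00) that were followed by "failed to pre-process packet" rather than an SA, one initiated negotiation at 11:33:40 that was overtaken by the next one, and the SA with spi 0xb2d1f44 purged 4373 s after it was established, far short of the 28800 s lifetime. Two SAs that expired at 10:20:39 were set up before the window starts, so their lifetimes cannot be computed from these lines alone; a longer log window would be needed to tell whether they reached the configured lifetime.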
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.