4. Ipsec tunnel disconnecting (auth using certificates)

Ipsec tunnel disconnecting (auth using certificates)

  • W

    setup:

    site A:
    pfsense 1.2 (IP: 1.2.3.4)

    site B:
    pfsense 1.2 embedded (IP: 4.3.2.1)

    configured ipsec site-to-site vpn:

    phase1:
    negotiation: main
    identifier: my ip address
    encryption: blowfish
    hash: sha1
    dh: 5
    lifetime: 28800
    auth: rsa signature

    phase2:
    proto: esp
    encryption: blowfish
    hash: sha1
    pfs: 5
    lifetime: 28800

    keep alive: ping remote site pfsense LAN ip

    keys/certificates generetated using openssl, self signed certificates - not using CA

    site A:
    CN:IP:1.2.3.4, subjectAltName: IP:1.2.3.4

    site B:
    CN:IP:4.3.2.1, subjectAltName: IP:4.3.2.1

    problem:
    ipsec tunnel is initializing without any problems, but from time-to-time connection drops, and sometimes tunnel is not rebuilt immediately.

    racoon logs following:

    Aug 26 11:34:00 racoon: ERROR: failed to pre-process packet.
    Aug 26 11:34:00 racoon: [site_A - site_B]: INFO: respond new phase 2 negotiation: 1.2.3.4[0]<=>4.3.2.1[0]
    Aug 26 11:33:43 racoon: [site_A - site_B]: INFO: IPsec-SA established: ESP/Tunnel 1.2.3.4[0]->4.3.2.1[0] spi=234735476(0xdfdc774)
    Aug 26 11:33:43 racoon: [site_A - site_B]: INFO: IPsec-SA established: ESP/Tunnel 4.3.2.1[0]->1.2.3.4[0] spi=195926494(0xsite_Bd99de)
    Aug 26 11:33:43 racoon: [site_A - site_B]: INFO: respond new phase 2 negotiation: 1.2.3.4[0]<=>4.3.2.1[0]
    Aug 26 11:33:40 racoon: ERROR: failed to pre-process packet.
    Aug 26 11:33:40 racoon: [site_A - site_B]: INFO: respond new phase 2 negotiation: 1.2.3.4[0]<=>4.3.2.1[0]
    Aug 26 11:33:40 racoon: [Self]: INFO: 192.168.0.1[500] used as isakmp port (fd=18)
    Aug 26 11:33:40 racoon: INFO: fe80::211:3bff:fe0e:b479%rl0[500] used as isakmp port (fd=17)
    Aug 26 11:33:40 racoon: [Self]: INFO: 1.2.3.4[500] used as isakmp port (fd=16)
    Aug 26 11:33:40 racoon: INFO: fe80::211:3bff:fe0e:4ee6%rl1[500] used as isakmp port (fd=15)
    Aug 26 11:33:40 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=14)
    Aug 26 11:33:40 racoon: INFO: ::1[500] used as isakmp port (fd=13)
    Aug 26 11:33:40 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=12)
    Aug 26 11:33:40 racoon: WARNING: /var/etc/racoon.conf:9: ""peer1-signed.pem" Please use 'peers_certfile x509 "peer1-signed.pem";' instead
    Aug 26 11:33:40 racoon: WARNING: /var/etc/racoon.conf:9: ""peer1-signed.pem" This directive without certtype will be removed!
    Aug 26 11:33:40 racoon: [site_A - site_B]: INFO: initiate new phase 2 negotiation: 1.2.3.4[0]<=>4.3.2.1[0]
    Aug 26 11:33:40 racoon: INFO: unsupported PF_KEY message REGISTER
    Aug 26 11:33:40 racoon: [Self]: INFO: 192.168.0.1[500] used as isakmp port (fd=18)
    Aug 26 11:33:40 racoon: INFO: fe80::211:3bff:fe0e:b479%rl0[500] used as isakmp port (fd=17)
    Aug 26 11:33:40 racoon: [Self]: INFO: 1.2.3.4[500] used as isakmp port (fd=16)
    Aug 26 11:33:40 racoon: INFO: fe80::211:3bff:fe0e:4ee6%rl1[500] used as isakmp port (fd=15)
    Aug 26 11:33:40 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=14)
    Aug 26 11:33:40 racoon: INFO: ::1[500] used as isakmp port (fd=13)
    Aug 26 11:33:40 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=12)
    Aug 26 11:33:40 racoon: WARNING: /var/etc/racoon.conf:9: ""peer1-signed.pem" Please use 'peers_certfile x509 "peer1-signed.pem";' instead
    Aug 26 11:33:40 racoon: WARNING: /var/etc/racoon.conf:9: ""peer1-signed.pem" This directive without certtype will be removed!
    Aug 26 11:33:38 racoon: [site_A - site_B]: INFO: IPsec-SA established: ESP/Tunnel 1.2.3.4[0]->4.3.2.1[0] spi=104841005(0x63fbf2d)
    Aug 26 11:33:38 racoon: [site_A - site_B]: INFO: IPsec-SA established: ESP/Tunnel 4.3.2.1[0]->1.2.3.4[0] spi=222983762(0xd4a7652)
    Aug 26 11:33:38 racoon: [site_A - site_B]: INFO: respond new phase 2 negotiation: 1.2.3.4[0]<=>4.3.2.1[0]
    Aug 26 11:33:38 racoon: INFO: purged IPsec-SA proto_id=ESP spi=187506500.
    Aug 26 10:20:45 racoon: [site_A - site_B]: INFO: IPsec-SA established: ESP/Tunnel 1.2.3.4[0]->4.3.2.1[0] spi=187506500(0xb2d1f44)
    Aug 26 10:20:45 racoon: [site_A - site_B]: INFO: IPsec-SA established: ESP/Tunnel 4.3.2.1[0]->1.2.3.4[0] spi=180901394(0xac85612)
    Aug 26 10:20:44 racoon: [site_A - site_B]: INFO: respond new phase 2 negotiation: 1.2.3.4[0]<=>4.3.2.1[0]
    Aug 26 10:20:43 racoon: [site_A - site_B]: INFO: ISAKMP-SA established 1.2.3.4[500]-4.3.2.1[500] spi:12d04b17e0e1be9f:4af024site_Bf6711765
    Aug 26 10:20:42 racoon: INFO: received Vendor ID: DPD
    Aug 26 10:20:42 racoon: INFO: begin Identity Protection mode.
    Aug 26 10:20:42 racoon: [site_A - site_B]: INFO: respond new phase 1 negotiation: 1.2.3.4[500]<=>4.3.2.1[500]
    Aug 26 10:20:39 racoon: [site_A - site_B]: INFO: IPsec-SA expired: ESP/Tunnel 4.3.2.1[0]->1.2.3.4[0] spi=234344760(0xdf7d138)
    Aug 26 10:20:39 racoon: [site_A - site_B]: INFO: IPsec-SA expired: ESP/Tunnel 1.2.3.4[0]->4.3.2.1[0] spi=253847886(0xf21694e)

    what does the following mean:

    racoon: WARNING: /var/etc/racoon.conf:9: ""peer1-signed.pem" Please use 'peers_certfile x509 "peer1-signed.pem";' instead
    Aug 26 11:33:40 racoon: WARNING: /var/etc/racoon.conf:9: ""peer1-signed.pem" This directive without certtype will be removed!

    any input is apreciated. thanks.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2019 Rubicon Communications, LLC | Privacy Policy