Ipsec tunnel disconnecting (auth using certificates)
-
setup:
site A:
pfsense 1.2 (IP: 1.2.3.4)site B:
pfsense 1.2 embedded (IP: 4.3.2.1)configured ipsec site-to-site vpn:
phase1:
negotiation: main
identifier: my ip address
encryption: blowfish
hash: sha1
dh: 5
lifetime: 28800
auth: rsa signaturephase2:
proto: esp
encryption: blowfish
hash: sha1
pfs: 5
lifetime: 28800keep alive: ping remote site pfsense LAN ip
keys/certificates generetated using openssl, self signed certificates - not using CA
site A:
CN:IP:1.2.3.4, subjectAltName: IP:1.2.3.4site B:
CN:IP:4.3.2.1, subjectAltName: IP:4.3.2.1problem:
ipsec tunnel is initializing without any problems, but from time-to-time connection drops, and sometimes tunnel is not rebuilt immediately.racoon logs following:
Aug 26 11:34:00 racoon: ERROR: failed to pre-process packet.
Aug 26 11:34:00 racoon: [site_A - site_B]: INFO: respond new phase 2 negotiation: 1.2.3.4[0]<=>4.3.2.1[0]
Aug 26 11:33:43 racoon: [site_A - site_B]: INFO: IPsec-SA established: ESP/Tunnel 1.2.3.4[0]->4.3.2.1[0] spi=234735476(0xdfdc774)
Aug 26 11:33:43 racoon: [site_A - site_B]: INFO: IPsec-SA established: ESP/Tunnel 4.3.2.1[0]->1.2.3.4[0] spi=195926494(0xsite_Bd99de)
Aug 26 11:33:43 racoon: [site_A - site_B]: INFO: respond new phase 2 negotiation: 1.2.3.4[0]<=>4.3.2.1[0]
Aug 26 11:33:40 racoon: ERROR: failed to pre-process packet.
Aug 26 11:33:40 racoon: [site_A - site_B]: INFO: respond new phase 2 negotiation: 1.2.3.4[0]<=>4.3.2.1[0]
Aug 26 11:33:40 racoon: [Self]: INFO: 192.168.0.1[500] used as isakmp port (fd=18)
Aug 26 11:33:40 racoon: INFO: fe80::211:3bff:fe0e:b479%rl0[500] used as isakmp port (fd=17)
Aug 26 11:33:40 racoon: [Self]: INFO: 1.2.3.4[500] used as isakmp port (fd=16)
Aug 26 11:33:40 racoon: INFO: fe80::211:3bff:fe0e:4ee6%rl1[500] used as isakmp port (fd=15)
Aug 26 11:33:40 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=14)
Aug 26 11:33:40 racoon: INFO: ::1[500] used as isakmp port (fd=13)
Aug 26 11:33:40 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=12)
Aug 26 11:33:40 racoon: WARNING: /var/etc/racoon.conf:9: ""peer1-signed.pem" Please use 'peers_certfile x509 "peer1-signed.pem";' instead
Aug 26 11:33:40 racoon: WARNING: /var/etc/racoon.conf:9: ""peer1-signed.pem" This directive without certtype will be removed!
Aug 26 11:33:40 racoon: [site_A - site_B]: INFO: initiate new phase 2 negotiation: 1.2.3.4[0]<=>4.3.2.1[0]
Aug 26 11:33:40 racoon: INFO: unsupported PF_KEY message REGISTER
Aug 26 11:33:40 racoon: [Self]: INFO: 192.168.0.1[500] used as isakmp port (fd=18)
Aug 26 11:33:40 racoon: INFO: fe80::211:3bff:fe0e:b479%rl0[500] used as isakmp port (fd=17)
Aug 26 11:33:40 racoon: [Self]: INFO: 1.2.3.4[500] used as isakmp port (fd=16)
Aug 26 11:33:40 racoon: INFO: fe80::211:3bff:fe0e:4ee6%rl1[500] used as isakmp port (fd=15)
Aug 26 11:33:40 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=14)
Aug 26 11:33:40 racoon: INFO: ::1[500] used as isakmp port (fd=13)
Aug 26 11:33:40 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=12)
Aug 26 11:33:40 racoon: WARNING: /var/etc/racoon.conf:9: ""peer1-signed.pem" Please use 'peers_certfile x509 "peer1-signed.pem";' instead
Aug 26 11:33:40 racoon: WARNING: /var/etc/racoon.conf:9: ""peer1-signed.pem" This directive without certtype will be removed!
Aug 26 11:33:38 racoon: [site_A - site_B]: INFO: IPsec-SA established: ESP/Tunnel 1.2.3.4[0]->4.3.2.1[0] spi=104841005(0x63fbf2d)
Aug 26 11:33:38 racoon: [site_A - site_B]: INFO: IPsec-SA established: ESP/Tunnel 4.3.2.1[0]->1.2.3.4[0] spi=222983762(0xd4a7652)
Aug 26 11:33:38 racoon: [site_A - site_B]: INFO: respond new phase 2 negotiation: 1.2.3.4[0]<=>4.3.2.1[0]
Aug 26 11:33:38 racoon: INFO: purged IPsec-SA proto_id=ESP spi=187506500.
Aug 26 10:20:45 racoon: [site_A - site_B]: INFO: IPsec-SA established: ESP/Tunnel 1.2.3.4[0]->4.3.2.1[0] spi=187506500(0xb2d1f44)
Aug 26 10:20:45 racoon: [site_A - site_B]: INFO: IPsec-SA established: ESP/Tunnel 4.3.2.1[0]->1.2.3.4[0] spi=180901394(0xac85612)
Aug 26 10:20:44 racoon: [site_A - site_B]: INFO: respond new phase 2 negotiation: 1.2.3.4[0]<=>4.3.2.1[0]
Aug 26 10:20:43 racoon: [site_A - site_B]: INFO: ISAKMP-SA established 1.2.3.4[500]-4.3.2.1[500] spi:12d04b17e0e1be9f:4af024site_Bf6711765
Aug 26 10:20:42 racoon: INFO: received Vendor ID: DPD
Aug 26 10:20:42 racoon: INFO: begin Identity Protection mode.
Aug 26 10:20:42 racoon: [site_A - site_B]: INFO: respond new phase 1 negotiation: 1.2.3.4[500]<=>4.3.2.1[500]
Aug 26 10:20:39 racoon: [site_A - site_B]: INFO: IPsec-SA expired: ESP/Tunnel 4.3.2.1[0]->1.2.3.4[0] spi=234344760(0xdf7d138)
Aug 26 10:20:39 racoon: [site_A - site_B]: INFO: IPsec-SA expired: ESP/Tunnel 1.2.3.4[0]->4.3.2.1[0] spi=253847886(0xf21694e)what does the following mean:
racoon: WARNING: /var/etc/racoon.conf:9: ""peer1-signed.pem" Please use 'peers_certfile x509 "peer1-signed.pem";' instead
Aug 26 11:33:40 racoon: WARNING: /var/etc/racoon.conf:9: ""peer1-signed.pem" This directive without certtype will be removed!any input is apreciated. thanks.