IPSEC Permission? issue…



  • I have two pfSense FW's setup to connect to each other. and one is getting the following error:

    Jul 12 19:18:16	charon		04[NET] error writing to socket: Permission denied
    Jul 12 19:18:16	charon		13[NET] <con1000|1> sending packet: from 72.x.x.x[500] to 24.x.x.x[500] (180 bytes)
    Jul 12 19:18:16	charon		13[IKE] <con1000|1> sending retransmit 1 of request message ID 0, seq 1
    Jul 12 19:18:12	charon		04[NET] error writing to socket: Permission denied
    Jul 12 19:18:12	charon		15[NET] <con1000|1> sending packet: from 72.x.x.x[500] to 24.x.x.x[500] (180 bytes)
    Jul 12 19:18:12	charon		15[ENC] <con1000|1> generating ID_PROT request 0 [ SA V V V V V ]
    Jul 12 19:18:12	charon		15[IKE] <con1000|1> initiating Main Mode IKE_SA con1000[1] to 24.x.x.x</con1000|1></con1000|1></con1000|1></con1000|1></con1000|1>
    

    Both are new installs of "2.3.4-RELEASE (amd64)"

    P1 and P2 are setup the same.

    I [think] the FW rules are setup correctly. (I have other VPNs to Sonicwalls working on one of the pfSense units.

    I've searched for this error "error writing to socket: Permission denied" and could not find any threads.

    ANy help is appreciated!!



  • Did you ever find a solution to this problem?  I have the exact same issue that I have been trying to resolve for some time.  I've altered the tunnel configurations in multiple ways with no change in the result.  This problem is with a new firewall.  The old firewall has IPSEC connections to multiple PFSense boxes with no problems.  The new connection is set up exactly the same, but always results in the socket writing permission error.  I have no problems using Open VPN for the connection, just with IPSEC.



  • exactly same problem for me. Any solution ?



  • Hello Guys,

    anyone solved this problem?

    Apr 10 19:15:47 charon 04[NET] error writing to socket: Permission denied
    Apr 10 19:15:47 charon 08[NET] <con2000|2>sending packet: from 1.2.3.4[500] to 4.3.2.1 [500] (464 bytes)
    Apr 10 19:15:47 charon 08[IKE] <con2000|2>retransmit 2 of request with message ID 0

    The tunnel is working fine for days and dies suddenly without changing something.
    Please help :-)

    Kind regards</con2000|2></con2000|2>



  • Push. No Idea? Its really anoying to have a suddenly crashing tunnel :-(


  • Netgate

    Anyone who is having this problem running snort with blocking?

    Probably the endpoint getting blocked for some reason.



  • Good Morning,

    thanks for your answer. Actually i am using Snort. I will check the block list next time. Thank you for this idea.

    Kind regards



  • @derelict Perfect! Thanks! Snort was blocking the VPN Gateway. I whitelisted SID 122:23. It was triggered everytime i was playing Age of Empires II HD.



  • Hello,

    I do have this problem to right now, tunnel has work perfect for months and I havent do any changes.
    I did tried to update to the newest pfsense without success. Tunnel just died after a few hours.
    It always came back up after I reboot firewall. No luck with restart ipsec service.

    I have this in my log.
    Nov 4 08:07:29 charon 04[NET] error writing to socket: Permission denied

    Kind regards


  • Netgate

    Again, look to see if the endpoint is being blocked by snort.



  • I still have problem with one of my tunnels.
    I have 3 tunnels total and only one is failing with error writing socket. I tried to remake the tunnel on both side and it was the same thing. It work for 2h and then tunnel crash. (site 3)

    One of the 2 tunnels that is working is between 2 pfsense boxen like this one that is failing and the other one is unifi.
    on my unifi box the tunnel to site 3 its still working.


  • Netgate

    Are. You. Running. Snort/Suricata?

    Did. You. Check. Snort/Suricata?



  • @derelict Hi thanks for answer. No I do not run anything that isnt in standard configuration for pfsense. I only installed it and configure my 2 network card and then 3 ipsec tunnels.


  • Netgate

    Well, permission denied there is IPsec being forced out of that interface to or from an address that is denied by policy. So I would have a good look at all of your firewall rules for that source or destination. If you have changed from permission denied to some other problem, you need to make that more clear and probably start a new thread. In fact, since you are talking about a completely new problem (since you are not running IDS/IPS) I'd just start a new thread with details specific to your problem.



  • @derelict but I havent changed anything with my policy and if I reboot my firewall all 3 tunnels come up with without any problem. And then my third tunnel suddenly die. All my 3 tunnels go out on same interface (WAN).


  • Netgate

    Start your own thread.