IPsec site-to-site VPN has been working for months, now dead



  • Hello guys!

    I've been troubleshooting my site-to-site IPsec VPN for several hours now. I've had this VPN up and running for several months and now, all of a sudden, it just refuses to pass any traffic through the tunnels. It's pfSense on both ends.

    The only thing that has changed is that a few days ago I moved the DHCP server from the firewall to another machine. I don't think it has anything to do with anything, though.

    The IPsec logs say the following. On my local server:

    Jan 5 13:32:22 racoon: [VPN tunnel to Keiv]: INFO: IPsec-SA established: ESP/Tunnel 82.99.xx.xxx[0]->195.137.xxx.xx[0] spi=13779038(0xd2405e)
    Jan 5 13:32:22 racoon: [VPN tunnel to Keiv]: INFO: IPsec-SA established: ESP/Tunnel 195.137.xxx.xx[0]->82.99.xx.xxx[0] spi=127545448(0x79a3068)
    Jan 5 13:32:22 racoon: [VPN tunnel to Keiv]: INFO: respond new phase 2 negotiation: 82.99.xx.xxx[0]<=>195.137.xxx.xx[0]
    Jan 5 13:32:21 racoon: INFO: purging spi=6695884.
    Jan 5 13:32:21 racoon: INFO: purging spi=93283993.
    Jan 5 13:32:21 racoon: INFO: purging spi=170545371.
    Jan 5 13:32:21 racoon: INFO: purging spi=118527171.
    Jan 5 13:32:21 racoon: [VPN tunnel to Keiv]: INFO: ISAKMP-SA established 82.99.xx.xxx[500]-195.137.xxx.xx[500] spi:868c6604530711d7:4fdf183f84b90d02
    Jan 5 13:32:21 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
    Jan 5 13:32:21 racoon: INFO: received Vendor ID: DPD
    Jan 5 13:32:21 racoon: INFO: begin Aggressive mode.
    Jan 5 13:32:21 racoon: [VPN tunnel to Keiv]: INFO: respond new phase 1 negotiation: 82.99.xx.xxx[500]<=>195.137.xxx.xx[500]

    On the Remote server:

    Jan 5 14:32:22 racoon: [VPN tunnel to Malmoe]: INFO: IPsec-SA established: ESP/Tunnel 195.137.xxx.xx[0]->82.99.xx.xxx[0] spi=127545448(0x79a3068)
    Jan 5 14:32:22 racoon: [VPN tunnel to Malmoe]: INFO: IPsec-SA established: ESP/Tunnel 82.99.xx.xxx[0]->195.137.xxx.xx[0] spi=13779038(0xd2405e)
    Jan 5 14:32:22 racoon: [VPN tunnel to Malmoe]: INFO: initiate new phase 2 negotiation: 195.137.xxx.xx[500]<=>82.99.xx.xxx[500]
    Jan 5 14:32:21 racoon: [VPN tunnel to Malmoe]: INFO: ISAKMP-SA established 195.137.xxx.xx[500]-82.99.xx.xxx[500] spi:868c6604530711d7:4fdf183f84b90d02
    Jan 5 14:32:21 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
    Jan 5 14:32:21 racoon: INFO: received Vendor ID: DPD
    Jan 5 14:32:21 racoon: INFO: begin Aggressive mode.
    Jan 5 14:32:21 racoon: [VPN tunnel to Malmoe]: INFO: initiate new phase 1 negotiation: 195.137.xxx.xx[500]<=>82.99.xx.xxx[500]
    Jan 5 14:32:21 racoon: [VPN tunnel to Malmoe]: INFO: IPsec-SA request for 82.99.xx.xxx queued due to no phase1 found.
    Jan 5 14:32:21 racoon: ERROR: such policy already exists. anyway replace it: 10.0.2.0/24[0] 10.0.1.0/24[0] proto=any dir=out
    Jan 5 14:32:21 racoon: ERROR: such policy already exists. anyway replace it: 10.0.2.1/32[0] 10.0.2.0/24[0] proto=any dir=out
    Jan 5 14:32:21 racoon: ERROR: such policy already exists. anyway replace it: 10.0.1.0/24[0] 10.0.2.0/24[0] proto=any dir=in
    Jan 5 14:32:21 racoon: ERROR: such policy already exists. anyway replace it: 10.0.2.0/24[0] 10.0.2.1/32[0] proto=any dir=in
    Jan 5 14:32:21 racoon: [Self]: INFO: 10.0.2.1[500] used as isakmp port (fd=19)
    Jan 5 14:32:21 racoon: INFO: fe80::202:2aff:fee1:4a07%rl0[500] used as isakmp port (fd=18)
    Jan 5 14:32:21 racoon: [Self]: INFO: 195.137.xxx.xx[500] used as isakmp port (fd=17)
    Jan 5 14:32:21 racoon: INFO: fe80::2e0:4cff:fe39:3a39%rl1[500] used as isakmp port (fd=16)
    Jan 5 14:32:21 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
    Jan 5 14:32:21 racoon: INFO: ::1[500] used as isakmp port (fd=14)
    Jan 5 14:32:21 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=13)
    Jan 5 14:32:21 racoon: INFO: unsupported PF_KEY message REGISTER
    Jan 5 14:32:21 racoon: [Self]: INFO: 10.0.2.1[500] used as isakmp port (fd=19)
    Jan 5 14:32:21 racoon: INFO: fe80::202:2aff:fee1:4a07%rl0[500] used as isakmp port (fd=18)
    Jan 5 14:32:21 racoon: [Self]: INFO: 195.137.xxx.xx[500] used as isakmp port (fd=17)
    Jan 5 14:32:21 racoon: INFO: fe80::2e0:4cff:fe39:3a39%rl1[500] used as isakmp port (fd=16)
    Jan 5 14:32:21 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
    Jan 5 14:32:21 racoon: INFO: ::1[500] used as isakmp port (fd=14)
    Jan 5 14:32:21 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=13)
    Jan 5 14:32:21 racoon: INFO: Resize address pool from 0 to 255
    Jan 5 14:32:21 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
    Jan 5 14:32:21 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
    Jan 5 14:32:21 racoon: INFO: @(#)ipsec-tools 0.7 (http://ipsec-tools.sourceforge.net)

    My network rules for IPsec are * on everything on both ends.

    Any ideas?? Please?!



  • 1.2 or 1.2.1?

    Please click the "Save" button again on the IPsec page.
    If this doesn't help, you can also delete all SPDs on one side.

    Why are you using aggressive mode?



  • Thanks for answering Heiko,

    I did try removing the SPDs at least 10 times during the hours I was troubleshooting. Then all of a sudden, when I had given up messing with it and was waiting for an answer here, it just started to work again. I had a ping going and all of a sudden it started to reply. Very strange, and it feels very insecure.

    I'm using 1.2.



  • I have no problems with 1.2 except the mobile option/aggressive mode. But this should also be fixed in the 1.2.1 release. Please try the 1.2.1 version and, if you can, change aggressive mode to main mode.

    Regards
    Heiko
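An added example, not from this thread or from pfSense: a small Python parser that reads racoon log lines like the ones in the opening post, puts them back into chronological order (the pfSense log viewer lists newest first), reconstructs the phase 1 / phase 2 sequence, and flags the points the replies raise: Aggressive mode, the PSK being found by peer address rather than identifier, and SPD entries that already existed at reload. The two sample constants are constructed from lines in the opening post; the wording of the findings is mine, not racoon's.

```python
import re
from datetime import datetime

# Constructed sample: the local-side racoon lines from the opening post, in the
# order the pfSense log viewer showed them (newest first).
LOCAL_LOG = """\
Jan 5 13:32:22 racoon: [VPN tunnel to Keiv]: INFO: IPsec-SA established: ESP/Tunnel 82.99.xx.xxx[0]->195.137.xxx.xx[0] spi=13779038(0xd2405e)
Jan 5 13:32:22 racoon: [VPN tunnel to Keiv]: INFO: IPsec-SA established: ESP/Tunnel 195.137.xxx.xx[0]->82.99.xx.xxx[0] spi=127545448(0x79a3068)
Jan 5 13:32:22 racoon: [VPN tunnel to Keiv]: INFO: respond new phase 2 negotiation: 82.99.xx.xxx[0]<=>195.137.xxx.xx[0]
Jan 5 13:32:21 racoon: INFO: purging spi=6695884.
Jan 5 13:32:21 racoon: INFO: purging spi=93283993.
Jan 5 13:32:21 racoon: [VPN tunnel to Keiv]: INFO: ISAKMP-SA established 82.99.xx.xxx[500]-195.137.xxx.xx[500] spi:868c6604530711d7:4fdf183f84b90d02
Jan 5 13:32:21 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Jan 5 13:32:21 racoon: INFO: received Vendor ID: DPD
Jan 5 13:32:21 racoon: INFO: begin Aggressive mode.
Jan 5 13:32:21 racoon: [VPN tunnel to Keiv]: INFO: respond new phase 1 negotiation: 82.99.xx.xxx[500]<=>195.137.xxx.xx[500]
"""

# Constructed sample: two of the SPD lines from the remote side in the same post.
REMOTE_SPD_LOG = """\
Jan 5 14:32:21 racoon: ERROR: such policy already exists. anyway replace it: 10.0.2.0/24[0] 10.0.1.0/24[0] proto=any dir=out
Jan 5 14:32:21 racoon: ERROR: such policy already exists. anyway replace it: 10.0.1.0/24[0] 10.0.2.0/24[0] proto=any dir=in
"""

# syslog prefix, optional "[tunnel name]: " tag, level, free-text message
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) racoon: "
    r"(?:\[(?P<tag>[^\]]+)\]: )?(?P<level>[A-Z]+): (?P<msg>.*)$"
)
MODE_RE = re.compile(r"begin (?P<mode>Aggressive|Main) mode")
ISAKMP_SA_RE = re.compile(
    r"ISAKMP-SA established (?P<local>[^\[\s]+)\[\d+\]-(?P<peer>[^\[\s]+)\[\d+\] spi:(?P<cookies>\S+)"
)
IPSEC_SA_RE = re.compile(
    r"IPsec-SA established: \S+ (?P<src>[^\[\s]+)\[\d+\]->(?P<dst>[^\[\s]+)\[\d+\] "
    r"spi=(?P<spi>\d+)\((?P<spi_hex>0x[0-9a-f]+)\)"
)
PURGE_RE = re.compile(r"purging spi=(?P<spi>\d+)")
SPD_RE = re.compile(
    r"such policy already exists\. anyway replace it: "
    r"(?P<src>[^\[\s]+)\[\d+\] (?P<dst>[^\[\s]+)\[\d+\] proto=\S+ dir=(?P<dir>in|out)"
)


def parse_racoon_log(text):
    """Parse racoon syslog lines into dicts and return them oldest first."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a racoon line; skip rather than guess
        rec = m.groupdict()
        rec["time"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
        records.append(rec)
    # The viewer lists newest first; restore arrival order before the stable sort
    # so that lines within the same second keep their real sequence.
    if len(records) > 1 and records[0]["time"] > records[-1]["time"]:
        records.reverse()
    records.sort(key=lambda r: r["time"])
    return records


def analyze(records):
    """Reconstruct the IKE exchange and list what a reviewer would look at."""
    report = {"phase1_mode": None, "isakmp_sa": [], "ipsec_sa": [], "purged_spis": [],
              "psk_by_address": 0, "spd_replaced": [], "findings": []}
    for r in records:
        msg = r["msg"]
        if m := MODE_RE.search(msg):
            report["phase1_mode"] = m["mode"]
        elif m := ISAKMP_SA_RE.search(msg):
            report["isakmp_sa"].append({"tag": r["tag"], "local": m["local"],
                                        "peer": m["peer"], "cookies": m["cookies"]})
        elif m := IPSEC_SA_RE.search(msg):
            sa = {"src": m["src"], "dst": m["dst"], "spi": int(m["spi"]), "spi_hex": m["spi_hex"]}
            if int(sa["spi_hex"], 16) != sa["spi"]:  # sanity check on the logged pair
                report["findings"].append(f"SPI mismatch in log line: {msg}")
            report["ipsec_sa"].append(sa)
        elif m := PURGE_RE.search(msg):
            report["purged_spis"].append(int(m["spi"]))
        elif m := SPD_RE.search(msg):
            report["spd_replaced"].append((m["src"], m["dst"], m["dir"]))
        elif "couldn't find the proper pskey" in msg:
            report["psk_by_address"] += 1

    f = report["findings"]
    if report["phase1_mode"] == "Aggressive":
        f.append("Phase 1 ran in IKEv1 Aggressive mode: identities and the PSK-derived hash "
                 "are exchanged in the clear, so a passive observer can run an offline "
                 "dictionary attack on the PSK; Main mode encrypts both.")
    if report["psk_by_address"]:
        f.append("PSK was not found by the peer's identifier and was looked up by its "
                 "address instead: the identifier the peer sent does not match the PSK table.")
    if report["spd_replaced"]:
        f.append(f"{len(report['spd_replaced'])} SPD entries already existed and were "
                 "replaced at reload; stale SPD state is why clearing SPDs on one side is "
                 "a common first step.")
    pairs = {(s["src"], s["dst"]) for s in report["ipsec_sa"]}
    if report["isakmp_sa"] and pairs and all((d, s) in pairs for s, d in pairs):
        f.append("ISAKMP-SA and ESP SAs in both directions were established: IKE succeeded, "
                 "so if traffic still fails look at SPD, routing and the IPsec firewall "
                 "rules rather than the key exchange.")
    elif pairs:
        f.append("ESP SA established in only one direction.")
    return report


if __name__ == "__main__":
    for name, text in (("local", LOCAL_LOG), ("remote", REMOTE_SPD_LOG)):
        for finding in analyze(parse_racoon_log(text))["findings"]:
            print(f"[{name}] {finding}")
```

The parser keys on the message text racoon emits, so it works on the pfSense log viewer output as pasted; feed it the local and remote logs separately, since each side's clock and SPD view differ.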



  • Great, I'll do that. Thanks Heiko…

