IPsec Problems w/ FQDN



  • I just upgraded to 1.2.3 and it seemed to have broken my IPsec tunnel to a Linksys endpoint.  That remote router has a dynamic IP, whereas the local router has a static.  I used to have to change the IP on the pfSense router to allow the tunnel to work.  I have NAT-T disabled on both sides.

    Some config details:

    P1:
    Mode aggressive
    3DES
    SHA1
    Group: 2
    Lifetime: 28800
    Auth: PSK

    P2:
    Proto: ESP
    3DES
    SHA1
    Group: 2
    Timeout: 3600

    Here is the log on the pfSense side:

    Feb 22 03:42:25 racoon: INFO: ------------[500] used for NAT-T
    Feb 22 03:42:25 racoon: [Self]: INFO: ----------
    Feb 22 03:42:36 racoon: [To David's House]: INFO: phase2 sa deleted ------------------- - --------------
    Feb 22 03:42:35 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
    Feb 22 03:42:35 racoon: [To David's House]: INFO: phase2 sa expired ----------------- - -----------------
    Feb 22 03:42:25 racoon: INFO: --------------[500] used for NAT-T
    Feb 22 03:42:25 racoon: [Self]: INFO: ---[500] used as isakmp port (fd=15)
    Feb 22 03:42:25 racoon: INFO: 192.168.3.1[500] used for NAT-T
    Feb 22 03:42:25 racoon: [Self]: INFO: 192.168.3.1[500] used as isakmp port (fd=14)
    Feb 22 03:42:25 racoon: INFO: 127.0.0.1[500] used for NAT-T
    Feb 22 03:42:25 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=13)
    Feb 22 03:42:16 racoon: INFO: --------------[500] used for NAT-T
    Feb 22 03:42:16 racoon: [Self]: INFO: ------------[500] used as isakmp port (fd=16)
    Feb 22 03:42:16 racoon: INFO: ---------[500] used for NAT-T
    Feb 22 03:42:16 racoon: [Self]: INFO: -------------[500] used as isakmp port (fd=15)
    Feb 22 03:42:16 racoon: INFO: 192.168.3.1[500] used for NAT-T
    Feb 22 03:42:16 racoon: [Self]: INFO: 192.168.3.1[500] used as isakmp port (fd=14)
    Feb 22 03:42:16 racoon: INFO: 127.0.0.1[500] used for NAT-T
    Feb 22 03:42:16 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=13)
    Feb 22 03:42:13 racoon: INFO: begin Aggressive mode.
    Feb 22 03:42:13 racoon: [To David's House]: INFO: initiate new phase 1 negotiation: --------------[500]<=>---------------[500]
    Feb 22 03:42:13 racoon: [To David's House]: INFO: IPsec-SA request for ------------- queued due to no phase1 found.

    Thank you for any help in advance!



  • That's all it's logging?  Doesn't show a failure. Might get more useful info by running racoon in the foreground via an SSH session. From a command prompt, run:

    killall racoon
    racoon -f /var/etc/racoon.conf -F

    then try to connect from the other end and see what that logs to your SSH session.



  • Thanks for the quick reply!  Here is the output when I run racoon from the foreground:

    2009-02-22 04:52:48: WARNING: /var/etc/racoon.conf:3: "0660" admin port support not compiled in
    2009-02-22 04:52:48: INFO: 127.0.0.1[500] used as isakmp port (fd=6)
    2009-02-22 04:52:48: INFO: 127.0.0.1[500] used for NAT-T
    2009-02-22 04:52:48: INFO: ---------[500] used as isakmp port (fd=7)
    2009-02-22 04:52:48: INFO: ---------[500] used for NAT-T
    2009-02-22 04:52:48: INFO: ---------[500] used as isakmp port (fd=8)
    2009-02-22 04:52:48: INFO: ---------[500] used for NAT-T
    2009-02-22 04:52:48: INFO: ---------[500] used as isakmp port (fd=9)
    2009-02-22 04:52:48: INFO: ---------[500] used for NAT-T
    2009-02-22 04:52:59: INFO: IPsec-SA request for ------------ queued due to no phase1 found.
    2009-02-22 04:52:59: INFO: initiate new phase 1 negotiation: -------------[500]<=>-------------[500]
    2009-02-22 04:52:59: INFO: begin Aggressive mode.
    2009-02-22 04:53:21: INFO: phase2 sa expired ------------ - ------------
    2009-02-22 04:53:21: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
    2009-02-22 04:53:22: INFO: phase2 sa deleted -------- - ----------
    2009-02-22 04:53:43: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
    2009-02-22 04:53:49: ERROR: phase1 negotiation failed due to time up. 2ed288d9c6e2ab01:0000000000000000
    2009-02-22 04:53:52: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP --------------[500]->------------[500]
    2009-02-22 04:53:52: INFO: delete phase 2 handler.
    2009-02-22 04:54:05: INFO: IPsec-SA request for ------------- queued due to no phase1 found.

    Thanks Again!
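The foreground output above shows the one fact that matters for triage: after "begin Aggressive mode." nothing from the peer is ever logged, and phase 1 then dies with "failed due to time up". The following is an added example, not code from the thread or from pfSense/racoon, that reads `racoon -F` output (the syslog form with the `racoon: [Self]:` prefix parses too) and separates "the peer never answered" from "the peer answered and the negotiation still failed". The log lines and addresses in it are constructed (RFC 5737 documentation ranges, made-up cookie); the verdict strings are this example's own names, not racoon terminology.

```python
"""Triage racoon foreground output for a failing IKEv1 phase 1.

A phase 1 that times out with no packet from the peer ever processed is a
reachability or addressing problem (dynamic peer resolved to the wrong
address, UDP/500 not getting through, peer not listening), not a proposal
mismatch.  Added example; not pfSense or racoon code.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One racoon log line: "<timestamp>[: prefix]: <LEVEL>: <message>".
LINE_RE = re.compile(r"^(?P<ts>.*?): (?P<level>ERROR|WARNING|NOTIFY|INFO|DEBUG2?): (?P<msg>.*)$")
BIND_RE = re.compile(r"^(?P<addr>\S+)\[\d+\] used as isakmp port")
INIT_RE = re.compile(r"initiate new phase 1 negotiation: (?P<local>\S+)\[\d+\]<=>(?P<peer>\S+)\[\d+\]")
MODE_RE = re.compile(r"begin (?P<mode>Aggressive|Identity Protection) mode")
# Each of these is only logged after racoon processed a packet from the peer.
REPLY_RE = re.compile(r"received Vendor ID|ISAKMP-SA established|respond new phase 1")
P1_FAIL_RE = re.compile(r"phase1 negotiation failed due to time up")
QUEUED_RE = re.compile(r"queued due to no phase1 found")


@dataclass
class Triage:
    bound: List[str] = field(default_factory=list)  # addresses racoon bound UDP/500 on
    local: Optional[str] = None                      # our end of the phase 1 attempt
    peer: Optional[str] = None                       # remote end of the phase 1 attempt
    mode: Optional[str] = None                       # Aggressive / Identity Protection
    peer_replied: bool = False
    phase1_failed: bool = False
    queued: int = 0                                  # phase 2 requests parked on a missing phase 1

    @property
    def local_bound(self) -> bool:
        """False means racoon tried to negotiate from an address it never bound."""
        return self.local is not None and self.local in self.bound

    @property
    def verdict(self) -> str:
        # Verdict names are this example's own, chosen for readability.
        if self.local is None:
            return "no-phase1-attempt"
        if not self.local_bound:
            return "local-address-not-bound"
        if self.phase1_failed and not self.peer_replied:
            return "no-reply-from-peer"
        if self.phase1_failed:
            return "phase1-rejected-after-reply"
        if self.peer_replied:
            return "phase1-progressing"
        return "in-progress"


def triage(log_text: str) -> Triage:
    """Walk the log once, keeping the state of the most recent phase 1 attempt."""
    t = Triage()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m["msg"]
        b = BIND_RE.match(msg)
        if b:
            t.bound.append(b["addr"])
        i = INIT_RE.search(msg)
        if i:
            t.local, t.peer = i["local"], i["peer"]
            t.peer_replied = t.phase1_failed = False  # a new attempt starts clean
        mo = MODE_RE.search(msg)
        if mo:
            t.mode = mo["mode"]
        if REPLY_RE.search(msg):
            t.peer_replied = True
        if P1_FAIL_RE.search(msg):
            t.phase1_failed = True
        if QUEUED_RE.search(msg):
            t.queued += 1
    return t


# Constructed sample shaped like the foreground output in the thread; the peer
# never answers.  Addresses and cookie are made up.
NO_REPLY_LOG = """\
2009-02-22 04:52:48: INFO: 127.0.0.1[500] used as isakmp port (fd=6)
2009-02-22 04:52:48: INFO: 127.0.0.1[500] used for NAT-T
2009-02-22 04:52:48: INFO: 203.0.113.10[500] used as isakmp port (fd=7)
2009-02-22 04:52:59: INFO: IPsec-SA request for 198.51.100.20 queued due to no phase1 found.
2009-02-22 04:52:59: INFO: initiate new phase 1 negotiation: 203.0.113.10[500]<=>198.51.100.20[500]
2009-02-22 04:52:59: INFO: begin Aggressive mode.
2009-02-22 04:53:49: ERROR: phase1 negotiation failed due to time up. 0123456789abcdef:0000000000000000
2009-02-22 04:53:52: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 203.0.113.10[500]->198.51.100.20[500]
"""

# Constructed contrast: same start, but the peer answers and phase 1 completes.
REPLY_LOG = """\
2009-02-22 05:01:00: INFO: 203.0.113.10[500] used as isakmp port (fd=7)
2009-02-22 05:01:05: INFO: initiate new phase 1 negotiation: 203.0.113.10[500]<=>198.51.100.20[500]
2009-02-22 05:01:05: INFO: begin Aggressive mode.
2009-02-22 05:01:05: INFO: received Vendor ID: DPD
2009-02-22 05:01:06: INFO: ISAKMP-SA established 203.0.113.10[500]-198.51.100.20[500] spi:0123456789abcdef:fedcba9876543210
"""

if __name__ == "__main__":
    for name, log in (("no reply", NO_REPLY_LOG), ("reply", REPLY_LOG)):
        r = triage(log)
        print(f"{name}: {r.local} -> {r.peer} ({r.mode}); queued={r.queued}; verdict={r.verdict}")
```

Run it against a saved copy of the `racoon -F` session (`python3 triage.py < racoon.log` after swapping the samples for `sys.stdin.read()`). A "no-reply-from-peer" verdict means the next useful log is the other end's, which is exactly where the thread goes next; a "phase1-rejected-after-reply" verdict points instead at proposals, identifiers or the PSK.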



  • Doesn't really show anything useful, what's the other end logging?

