IPsec VPN tunnel to a Fritzbox after update to 2.4.4-p1
-
@kuschi said in IPsec VPN tunnel to a Fritzbox after update to 2.4.4-p1:
Dec 18 00:01:48 charon 09[JOB] <con3000|445> DPD check timed out, enforcing DPD action
They stop responding to DPD checks for whatever reason. The logs on the other side would need to be checked to see why.
It could just be intermittent connectivity.
But, regardless, based on the other logs, it will be down until they initiate.
-
Here is the log file from the other side: Fritzbox. Sorry, part of it is in German.
17.12.18 23:59:02 VPN-Verbindung zu VPN MCKUSCH [(IP pfsense)] IKE SA: DH14/AES-256/SHA1 IPsec SA: ESP-AES-256/SHA1/LT-3600 wurde erfolgreich hergestellt.
17.12.18 23:58:50 VPN-Verbindung zu VPN MCKUSCH wurde getrennt. Ursache: 12 SA loss
17.12.18 23:01:46 VPN-Verbindung zu VPN MCKUSCH [(IP pfsense)] IKE SA: DH14/AES-256/SHA1 IPsec SA: ESP-AES-256/SHA1/LT-3600 wurde erfolgreich hergestellt.
17.12.18 23:01:44 VPN-Verbindung zu VPN MCKUSCH wurde getrennt. Ursache: 9 Dead Peer Detection
17.12.18 22:46:40 VPN-Verbindung zu VPN MCKUSCH [(IP pfsense)] IKE SA: DH14/AES-256/SHA1 IPsec SA: ESP-AES-256/SHA1/LT-3600 wurde erfolgreich hergestellt.
17.12.18 22:46:39 VPN-Verbindung zu VPN MCKUSCH wurde getrennt. Ursache: 9 Dead Peer Detection
-
@kuschi said in IPsec VPN tunnel to a Fritzbox after update to 2.4.4-p1:
17.12.18 23:59:02 VPN-Verbindung zu VPN MCKUSCH [(IP pfsense)] IKE SA: DH14/AES-256/SHA1 IPsec SA: ESP-AES-256/SHA1/LT-3600 wurde erfolgreich hergestellt.
17.12.18 23:58:50 VPN-Verbindung zu VPN MCKUSCH wurde getrennt. Ursache: 12 SA loss
17.12.18 23:01:46 VPN-Verbindung zu VPN MCKUSCH [(IP pfsense)] IKE SA: DH14/AES-256/SHA1 IPsec SA: ESP-AES-256/SHA1/LT-3600 wurde erfolgreich hergestellt.
17.12.18 23:01:44 VPN-Verbindung zu VPN MCKUSCH wurde getrennt. Ursache: 9 Dead Peer Detection
17.12.18 22:46:40 VPN-Verbindung zu VPN MCKUSCH [(IP pfsense)] IKE SA: DH14/AES-256/SHA1 IPsec SA: ESP-AES-256/SHA1/LT-3600 wurde erfolgreich hergestellt.
17.12.18 22:46:39 VPN-Verbindung zu VPN MCKUSCH wurde getrennt. Ursache: 9 Dead Peer Detection
17.12.18 23:59:02 VPN connection to VPN MCKUSCH [(IP pfsense)] IKE SA: DH14 / AES-256 / SHA1 IPsec SA: ESP-AES-256 / SHA1 / LT-3600 was successfully established.
17.12.18 23:58:50 VPN connection to VPN MCKUSCH has been disconnected. Cause: 12 SA loss
17.12.18 23:01:46 VPN connection to VPN MCKUSCH [(IP pfsense)] IKE SA: DH14 / AES-256 / SHA1 IPsec SA: ESP-AES-256 / SHA1 / LT-3600 was successfully established.
17.12.18 23:01:44 VPN connection to VPN MCKUSCH has been disconnected. Cause: 9 dead peer detection
17.12.18 22:46:40 VPN connection to VPN MCKUSCH [(IP pfsense)] IKE SA: DH14 / AES-256 / SHA1 IPsec SA: ESP-AES-256 / SHA1 / LT-3600 was successfully established.
17.12.18 22:46:39 VPN connection to VPN MCKUSCH has been disconnected. Cause: 9 dead peer detection
Doesn't tell us much.
Need the logs from there saying why it is ignoring these:
Dec 17 23:36:47 charon: 09[NET] <con1000|593> sending packet: from 192.12.13.1[500] to 82.110.36.24[500] (176 bytes)
Dec 17 23:36:47 charon: 09[IKE] <con1000|593> sending retransmit 5 of request message ID 0, seq 1
Dec 17 23:36:05 charon: 10[NET] <con1000|593> sending packet: from 192.12.13.1[500] to 82.110.36.24[500] (176 bytes)
Dec 17 23:36:05 charon: 10[IKE] <con1000|593> sending retransmit 4 of request message ID 0, seq 1
Dec 17 23:35:42 charon: 10[NET] <con1000|593> sending packet: from 192.12.13.1[500] to 82.110.36.24[500] (176 bytes)
Dec 17 23:35:42 charon: 10[IKE] <con1000|593> sending retransmit 3 of request message ID 0, seq 1
-
@derelict If someone could tell me where I will find more detailed logs from the Fritzbox....
-
I had some time to dig into the Fritzbox and found some additional log files:
BEGIN SECTION vpn VPN
VPN avmike
-rw-r--r-- 1 root root 16551 Dec 27 07:32 /var/tmp/ike.log
-rw-r--r-- 1 root root 20579 Dec 27 06:22 /var/tmp/ike.old
2018-12-27 05:28:24 avmike:wolke_neighbour_renew_sa 1 SAs
2018-12-27 05:28:25 avmike:>>> identity protection mode [(IP pfsense)] VPN MCKUSCH: V1.0 220 IC c7b118c56587c471 RC 00000000 0000 SA flags=
2018-12-27 05:28:25 avmike:<<< identity protection mode[(IP pfsense)] VPN MCKUSCH: V1.0 116 IC c7b118c56587c471 RC d66c8871d64ba1bd 0000 SA flags=
2018-12-27 05:28:25 avmike:identity protection mode VPN MCKUSCH: selected lifetime: 3600 sec(no notify)
2018-12-27 05:28:25 avmike:VPN MCKUSCH receive VENDOR ID Payload: XAUTH
2018-12-27 05:28:25 avmike:VPN MCKUSCH receive VENDOR ID Payload: DPD
2018-12-27 05:28:25 avmike:>>> identity protection mode [(IP pfsense)] VPN MCKUSCH: V1.0 308 IC c7b118c56587c471 RC d66c8871d64ba1bd 0000 KEY flags=
2018-12-27 05:28:25 avmike:< create_sa(appl=dsld,cname=VPN MCKUSCH)
2018-12-27 05:28:25 avmike:VPN MCKUSCH: Phase 2 waiting
2018-12-27 05:28:25 avmike:<<< identity protection mode[(IP pfsense)] VPN MCKUSCH: V1.0 324 IC c7b118c56587c471 RC d66c8871d64ba1bd 0000 KEY flags=
2018-12-27 05:28:25 avmike:VPN MCKUSCH: add phase 1 SA: DH14/AES-256/SHA1/3600sec id:187
2018-12-27 05:28:25 avmike:>>> identity protection mode [(IP pfsense)] VPN MCKUSCH: V1.0 92 IC c7b118c56587c471 RC d66c8871d64ba1bd 0000 IDENTIFICATION flags=e
2018-12-27 05:28:25 avmike:<<< identity protection mode[(IP pfsense)] VPN MCKUSCH: V1.0 76 IC c7b118c56587c471 RC d66c8871d64ba1bd 0000 IDENTIFICATION flags=e
2018-12-27 05:28:25 avmike:VPN MCKUSCH: Phase 1 ready
2018-12-27 05:28:25 avmike:VPN MCKUSCH: current=(IP pfsense) new=(IP pfsense)
2018-12-27 05:28:25 avmike:VPN MCKUSCH: start waiting connections
2018-12-27 05:28:25 avmike:VPN MCKUSCH: Phase 2 starting (start waiting)
2018-12-27 05:28:26 avmike:>>> quickmode [(IP pfsense)] VPN MCKUSCH: V1.0 508 IC c7b118c56587c471 RC d66c8871d64ba1bd b79b46b HASH flags=e
2018-12-27 05:28:26 avmike:<<< quickmode[(IP pfsense)] VPN MCKUSCH: V1.0 444 IC c7b118c56587c471 RC d66c8871d64ba1bd b79b46b HASH flags=e
2018-12-27 05:28:26 avmike:>>> quickmode [(IP pfsense)] VPN MCKUSCH: V1.0 60 IC c7b118c56587c471 RC d66c8871d64ba1bd b79b46b HASH flags=e
2018-12-27 05:28:26 avmike:VPN MCKUSCH: Phase 2 ready
2018-12-27 05:28:26 avmike:NEW Phase 2 SA: ESP-AES-256/SHA1 SPI: 4750E80D LT: 3600 I/O: IN
2018-12-27 05:28:26 avmike:NEW Phase 2 SA: ESP-AES-256/SHA1 SPI: C8CD6F95 LT: 3600 I/O: OUT
2018-12-27 05:28:26 avmike:< cb_sa_created(name=VPN MCKUSCH,id=186,...,flags=0x00002101)
2018-12-27 05:28:26 avmike:VPN MCKUSCH: start waiting connections
2018-12-27 05:28:26 avmike:VPN MCKUSCH: NO waiting connections
2018-12-27 05:28:36 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC c7b118c56587c471 RC d66c8871d64ba1bd 1520852e HASH flags=e
2018-12-27 05:28:36 avmike:>r> infomode [(IP pfsense)] VPN MCKUSCH: V1.0 92 IC c7b118c56587c471 RC d66c8871d64ba1bd 1520852e HASH flags=e
2018-12-27 05:28:46 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC c7b118c56587c471 RC d66c8871d64ba1bd d8578e17 HASH flags=e
2018-12-27 05:28:56 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC c7b118c56587c471 RC d66c8871d64ba1bd 2310d460 HASH flags=e
2018-12-27 05:29:06 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC c7b118c56587c471 RC d66c8871d64ba1bd 1ca9e35a HASH flags=e
2018-12-27 05:29:16 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC c7b118c56587c471 RC d66c8871d64ba1bd 1fcb9fb2 HASH flags=e
2018-12-27 05:29:26 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC c7b118c56587c471 RC d66c8871d64ba1bd 4a845476 HASH flags=e
2018-12-27 05:34:24 avmike:VPN MCKUSCH: del phase 1 SA 186
2018-12-27 05:34:25 avmike:< delete_sa(appl=dsld,cname=VPN MCKUSCH,id=185,what=7,reason=Lifetime expired)
2018-12-27 05:34:25 avmike:FreeIPsecSA: spi=FB204F02 protocol=3 iotype=1
2018-12-27 05:34:25 avmike:FreeIPsecSA: spi=C9852197 protocol=3 iotype=2
2018-12-27 06:22:25 avmike:wolke_neighbour_renew_sa 1 SAs
2018-12-27 06:22:25 avmike:>>> identity protection mode [(IP pfsense)] VPN MCKUSCH: V1.0 220 IC 6872414bef8f5559 RC 00000000 0000 SA flags=
2018-12-27 06:22:25 avmike:<<< identity protection mode[(IP pfsense)] VPN MCKUSCH: V1.0 116 IC 6872414bef8f5559 RC 6511773149bee334 0000 SA flags=
2018-12-27 06:22:25 avmike:identity protection mode VPN MCKUSCH: selected lifetime: 3600 sec(no notify)
2018-12-27 06:22:25 avmike:VPN MCKUSCH receive VENDOR ID Payload: XAUTH
2018-12-27 06:22:25 avmike:VPN MCKUSCH receive VENDOR ID Payload: DPD
2018-12-27 06:22:26 avmike:>>> identity protection mode [(IP pfsense)] VPN MCKUSCH: V1.0 308 IC 6872414bef8f5559 RC 6511773149bee334 0000 KEY flags=
2018-12-27 06:22:26 avmike:<<< identity protection mode[(IP pfsense)] VPN MCKUSCH: V1.0 324 IC 6872414bef8f5559 RC 6511773149bee334 0000 KEY flags=
2018-12-27 06:22:26 avmike:VPN MCKUSCH: add phase 1 SA: DH14/AES-256/SHA1/3600sec id:188
2018-12-27 06:22:26 avmike:>>> identity protection mode [(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 6872414bef8f5559 RC 6511773149bee334 0000 IDENTIFICATION flags=e
2018-12-27 06:22:26 avmike:< create_sa(appl=dsld,cname=VPN MCKUSCH)
2018-12-27 06:22:26 avmike:VPN MCKUSCH: Phase 2 waiting
2018-12-27 06:22:26 avmike:<<< identity protection mode[(IP pfsense)] VPN MCKUSCH: V1.0 76 IC 6872414bef8f5559 RC 6511773149bee334 0000 IDENTIFICATION flags=e
2018-12-27 06:22:26 avmike:VPN MCKUSCH: Phase 1 ready
2018-12-27 06:22:26 avmike:VPN MCKUSCH: current=(IP pfsense) new=(IP pfsense)
2018-12-27 06:22:26 avmike:VPN MCKUSCH: start waiting connections
2018-12-27 06:22:26 avmike:VPN MCKUSCH: Phase 2 starting (start waiting)
2018-12-27 06:22:26 avmike:>>> quickmode [(IP pfsense)] VPN MCKUSCH: V1.0 508 IC 6872414bef8f5559 RC 6511773149bee334 9a91fdf1 HASH flags=e
2018-12-27 06:22:26 avmike:<<< quickmode[(IP pfsense)] VPN MCKUSCH: V1.0 444 IC 6872414bef8f5559 RC 6511773149bee334 9a91fdf1 HASH flags=e
2018-12-27 06:22:27 avmike:>>> quickmode [(IP pfsense)] VPN MCKUSCH: V1.0 60 IC 6872414bef8f5559 RC 6511773149bee334 9a91fdf1 HASH flags=e
2018-12-27 06:22:27 avmike:VPN MCKUSCH: Phase 2 ready
2018-12-27 06:22:27 avmike:NEW Phase 2 SA: ESP-AES-256/SHA1 SPI: 86D44AE1 LT: 3600 I/O: IN
2018-12-27 06:22:27 avmike:NEW Phase 2 SA: ESP-AES-256/SHA1 SPI: C2365320 LT: 3600 I/O: OUT
2018-12-27 06:22:27 avmike:< cb_sa_created(name=VPN MCKUSCH,id=187,...,flags=0x00002101)
2018-12-27 06:22:27 avmike:VPN MCKUSCH: start waiting connections
2018-12-27 06:22:27 avmike:VPN MCKUSCH: NO waiting connections
2018-12-27 06:22:37 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 6872414bef8f5559 RC 6511773149bee334 a8fa1dd1 HASH flags=e
2018-12-27 06:22:37 avmike:>r> infomode [(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 6872414bef8f5559 RC 6511773149bee334 a8fa1dd1 HASH flags=e
2018-12-27 06:22:47 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 6872414bef8f5559 RC 6511773149bee334 2b5f8cc7 HASH flags=e
2018-12-27 06:22:57 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 6872414bef8f5559 RC 6511773149bee334 2549e835 HASH flags=e
2018-12-27 06:23:07 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 6872414bef8f5559 RC 6511773149bee334 751f7fab HASH flags=e
2018-12-27 06:23:17 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 6872414bef8f5559 RC 6511773149bee334 2c07e412 HASH flags=e
2018-12-27 06:23:27 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 6872414bef8f5559 RC 6511773149bee334 279a5e57 HASH flags=e
2018-12-27 06:28:25 avmike:VPN MCKUSCH: del phase 1 SA 187
2018-12-27 06:28:26 avmike:< delete_sa(appl=dsld,cname=VPN MCKUSCH,id=186,what=7,reason=Lifetime expired)
2018-12-27 06:28:26 avmike:FreeIPsecSA: spi=4750E80D protocol=3 iotype=1
2018-12-27 06:28:26 avmike:FreeIPsecSA: spi=C8CD6F95 protocol=3 iotype=2
2018-12-27 06:55:18 avmike:>r> infomode [(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 6872414bef8f5559 RC 6511773149bee334 2c1e5ef7 HASH flags=e
2018-12-27 07:16:26 avmike:wolke_neighbour_renew_sa 1 SAs
2018-12-27 07:16:26 avmike:>>> identity protection mode [(IP pfsense)] VPN MCKUSCH: V1.0 220 IC 928c71fe2ff76662 RC 00000000 0000 SA flags=
2018-12-27 07:16:26 avmike:<<< identity protection mode[(IP pfsense)] VPN MCKUSCH: V1.0 116 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 0000 SA flags=
2018-12-27 07:16:26 avmike:identity protection mode VPN MCKUSCH: selected lifetime: 3600 sec(no notify)
2018-12-27 07:16:26 avmike:VPN MCKUSCH receive VENDOR ID Payload: XAUTH
2018-12-27 07:16:26 avmike:VPN MCKUSCH receive VENDOR ID Payload: DPD
2018-12-27 07:16:26 avmike:>>> identity protection mode [(IP pfsense)] VPN MCKUSCH: V1.0 308 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 0000 KEY flags=
2018-12-27 07:16:27 avmike:< create_sa(appl=dsld,cname=VPN MCKUSCH)
2018-12-27 07:16:27 avmike:VPN MCKUSCH: Phase 2 waiting
2018-12-27 07:16:28 avmike:>r> identity protection mode [(IP pfsense)] VPN MCKUSCH: V1.0 308 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 0000 KEY flags=
2018-12-27 07:16:28 avmike:<<< identity protection mode[(IP pfsense)] VPN MCKUSCH: V1.0 324 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 0000 KEY flags=
2018-12-27 07:16:29 avmike:VPN MCKUSCH: add phase 1 SA: DH14/AES-256/SHA1/3600sec id:189
2018-12-27 07:16:29 avmike:>>> identity protection mode [(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 0000 IDENTIFICATION flags=e
2018-12-27 07:16:29 avmike:<<< identity protection mode[(IP pfsense)] VPN MCKUSCH: V1.0 76 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 0000 IDENTIFICATION flags=e
2018-12-27 07:16:29 avmike:VPN MCKUSCH: Phase 1 ready
2018-12-27 07:16:29 avmike:VPN MCKUSCH: current=(IP pfsense) new=(IP pfsense)
2018-12-27 07:16:29 avmike:VPN MCKUSCH: start waiting connections
2018-12-27 07:16:29 avmike:VPN MCKUSCH: Phase 2 starting (start waiting)
2018-12-27 07:16:29 avmike:>>> quickmode [(IP pfsense)] VPN MCKUSCH: V1.0 508 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 2bf7fa9 HASH flags=e
2018-12-27 07:16:29 avmike:<<< quickmode[(IP pfsense)] VPN MCKUSCH: V1.0 444 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 2bf7fa9 HASH flags=e
2018-12-27 07:16:29 avmike:>>> quickmode [(IP pfsense)] VPN MCKUSCH: V1.0 60 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 2bf7fa9 HASH flags=e
2018-12-27 07:16:29 avmike:VPN MCKUSCH: Phase 2 ready
2018-12-27 07:16:29 avmike:NEW Phase 2 SA: ESP-AES-256/SHA1 SPI: CBD62308 LT: 3600 I/O: IN
2018-12-27 07:16:29 avmike:NEW Phase 2 SA: ESP-AES-256/SHA1 SPI: C05403E4 LT: 3600 I/O: OUT
2018-12-27 07:16:29 avmike:< cb_sa_created(name=VPN MCKUSCH,id=188,...,flags=0x00002101)
2018-12-27 07:16:29 avmike:VPN MCKUSCH: start waiting connections
2018-12-27 07:16:29 avmike:VPN MCKUSCH: NO waiting connections
2018-12-27 07:16:40 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 2b4fccd5 HASH flags=e
2018-12-27 07:16:40 avmike:>r> infomode [(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 2b4fccd5 HASH flags=e
2018-12-27 07:16:50 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 f64d9069 HASH flags=e
2018-12-27 07:17:00 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 9a87db77 HASH flags=e
2018-12-27 07:17:10 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 69880609 HASH flags=e
2018-12-27 07:17:20 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 51824bd9 HASH flags=e
2018-12-27 07:17:30 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 bf9c6d0f HASH flags=e
2018-12-27 07:17:48 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 7a749f0 HASH flags=e
2018-12-27 07:17:58 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 65e2e2ed HASH flags=e
2018-12-27 07:18:08 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 bf211ecc HASH flags=e
2018-12-27 07:18:18 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 96681b4f HASH flags=e
2018-12-27 07:18:28 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 f62169fb HASH flags=e
2018-12-27 07:22:26 avmike:VPN MCKUSCH: del phase 1 SA 188
2018-12-27 07:22:27 avmike:< delete_sa(appl=dsld,cname=VPN MCKUSCH,id=187,what=7,reason=Lifetime expired)
2018-12-27 07:22:27 avmike:FreeIPsecSA: spi=86D44AE1 protocol=3 iotype=1
2018-12-27 07:22:27 avmike:FreeIPsecSA: spi=C2365320 protocol=3 iotype=2
2018-12-27 07:22:50 avmike:< cb_sa_deleted(name=VPN MCKUSCH,id=188,what=3)
2018-12-27 07:22:50 avmike:>r> infomode [(IP pfsense)] VPN MCKUSCH: V1.0 76 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 5812faab HASH flags=e
2018-12-27 07:22:50 avmike:FreeIPsecSA: spi=CBD62308 protocol=3 iotype=1
2018-12-27 07:22:50 avmike:>r> infomode [(IP pfsense)] VPN MCKUSCH: V1.0 76 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 498d3042 HASH flags=e
2018-12-27 07:22:50 avmike:FreeIPsecSA: spi=C05403E4 protocol=3 iotype=2
2018-12-27 07:22:50 avmike:>r> infomode [(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 b0282d8d HASH flags=e
2018-12-27 07:22:50 avmike:VPN MCKUSCH: del phase 1 SA 189
2018-12-27 07:22:55 avmike:< add(appl=dsld,cname=VPN MCKUSCH,localip=(IP Fritzbox), remoteip=255.255.255.255, p1ss=dh14/aes/sha, p2ss=esp-aes256-3des-sha/ah-no/comp-lzs-no/pfs p1mode=2 keepalive_ip=0.0.0.0 flags=0x40001 tunnel no_xauth no_cfgmode no_nat_t no_certsrv_server_auth)
2018-12-27 07:22:55 avmike:new neighbour VPN MCKUSCH:
2018-12-27 07:22:55 avmike:< create_sa(appl=dsld,cname=VPN MCKUSCH)
2018-12-27 07:22:55 avmike:VPN MCKUSCH: Phase 1 starting
2018-12-27 07:22:55 avmike:>>> identity protection mode [(IP pfsense)] VPN MCKUSCH: V1.0 220 IC 83b4f0f722b753b4 RC 00000000 0000 SA flags=
2018-12-27 07:22:55 avmike:VPN MCKUSCH: Warning: source changed from 0.0.0.0:500 to (IP pfsense):500
2018-12-27 07:22:55 avmike:<<< identity protection mode[(IP pfsense)] VPN MCKUSCH: V1.0 116 IC 83b4f0f722b753b4 RC 84484486b407c0a8 0000 SA flags=
2018-12-27 07:22:55 avmike:identity protection mode VPN MCKUSCH: selected lifetime: 3600 sec(no notify)
2018-12-27 07:22:55 avmike:VPN MCKUSCH receive VENDOR ID Payload: XAUTH
2018-12-27 07:22:55 avmike:VPN MCKUSCH receive VENDOR ID Payload: DPD
2018-12-27 07:22:55 avmike:>>> identity protection mode [(IP pfsense)] VPN MCKUSCH: V1.0 308 IC 83b4f0f722b753b4 RC 84484486b407c0a8 0000 KEY flags=
2018-12-27 07:22:56 avmike:VPN MCKUSCH: Warning: source changed from 0.0.0.0:500 to (IP pfsense):500
2018-12-27 07:22:56 avmike:<<< identity protection mode[(IP pfsense)] VPN MCKUSCH: V1.0 324 IC 83b4f0f722b753b4 RC 84484486b407c0a8 0000 KEY flags=
2018-12-27 07:22:56 avmike:VPN MCKUSCH: add phase 1 SA: DH14/AES-256/SHA1/3600sec id:1
2018-12-27 07:22:56 avmike:>>> identity protection mode [(IP pfsense)] VPN MCKUSCH: V1.0 108 IC 83b4f0f722b753b4 RC 84484486b407c0a8 0000 IDENTIFICATION flags=e
2018-12-27 07:22:56 avmike:VPN MCKUSCH: Warning: source changed from 0.0.0.0:500 to (IP pfsense):500
2018-12-27 07:22:56 avmike:<<< identity protection mode[(IP pfsense)] VPN MCKUSCH: V1.0 76 IC 83b4f0f722b753b4 RC 84484486b407c0a8 0000 IDENTIFICATION flags=e
2018-12-27 07:22:56 avmike:VPN MCKUSCH: Phase 1 ready
2018-12-27 07:22:56 avmike:VPN MCKUSCH: current=0.0.0.0 new=(IP pfsense)
2018-12-27 07:22:56 avmike:VPN MCKUSCH: no valid sa, reseting initialcontactdone flag
2018-12-27 07:22:56 avmike:VPN MCKUSCH: sending initial contact message
2018-12-27 07:22:56 avmike:>r> infomode [(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 83b4f0f722b753b4 RC 84484486b407c0a8 940ec48 HASH flags=e
2018-12-27 07:22:56 avmike:VPN MCKUSCH: start waiting connections
2018-12-27 07:22:56 avmike:VPN MCKUSCH: Phase 2 starting (start waiting)
2018-12-27 07:22:56 avmike:>>> quickmode [(IP pfsense)] VPN MCKUSCH: V1.0 508 IC 83b4f0f722b753b4 RC 84484486b407c0a8 bb9dcb6a HASH flags=e
2018-12-27 07:22:56 avmike:<<< quickmode[(IP pfsense)] VPN MCKUSCH: V1.0 444 IC 83b4f0f722b753b4 RC 84484486b407c0a8 bb9dcb6a HASH flags=e
2018-12-27 07:22:56 avmike:>>> quickmode [(IP pfsense)] VPN MCKUSCH: V1.0 60 IC 83b4f0f722b753b4 RC 84484486b407c0a8 bb9dcb6a HASH flags=e
2018-12-27 07:22:56 avmike:VPN MCKUSCH: Phase 2 ready
2018-12-27 07:22:56 avmike:NEW Phase 2 SA: ESP-AES-256/SHA1 SPI: 59C898BB LT: 3600 I/O: IN
2018-12-27 07:22:56 avmike:NEW Phase 2 SA: ESP-AES-256/SHA1 SPI: C9FC517F LT: 3600 I/O: OUT
2018-12-27 07:22:56 avmike:< cb_sa_created(name=VPN MCKUSCH,id=1,...,flags=0x00002101)
2018-12-27 07:22:56 avmike:VPN MCKUSCH: start waiting connections
2018-12-27 07:22:56 avmike:VPN MCKUSCH: NO waiting connections
2018-12-27 07:23:07 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 83b4f0f722b753b4 RC 84484486b407c0a8 cd4fbd83 HASH flags=e
2018-12-27 07:23:07 avmike:>r> infomode [(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 83b4f0f722b753b4 RC 84484486b407c0a8 cd4fbd83 HASH flags=e
2018-12-27 07:25:40 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 83b4f0f722b753b4 RC 84484486b407c0a8 e17cc7d6 HASH flags=e
2018-12-27 07:25:50 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 83b4f0f722b753b4 RC 84484486b407c0a8 e6b964ba HASH flags=e
2018-12-27 07:26:00 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 83b4f0f722b753b4 RC 84484486b407c0a8 4d99e03e HASH flags=e
2018-12-27 07:26:16 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 83b4f0f722b753b4 RC 84484486b407c0a8 40692e24 HASH flags=e
2018-12-27 07:26:26 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 83b4f0f722b753b4 RC 84484486b407c0a8 5a1176a4 HASH flags=e
2018-12-27 07:26:40 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 83b4f0f722b753b4 RC 84484486b407c0a8 e4d053b9 HASH flags=e
2018-12-27 07:26:50 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 83b4f0f722b753b4 RC 84484486b407c0a8 fc62b165 HASH flags=e
2018-12-27 07:27:00 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 83b4f0f722b753b4 RC 84484486b407c0a8 5767b485 HASH flags=e
2018-12-27 07:27:10 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 83b4f0f722b753b4 RC 84484486b407c0a8 15a82a23 HASH flags=e
2018-12-27 07:27:20 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 83b4f0f722b753b4 RC 84484486b407c0a8 200be361 HASH flags=e
-
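Added example (not part of any post in this thread, and not AVM or pfSense code): one way to check an avmike ike.log like the one above for the point where received infomode (DPD) messages stop being answered. It assumes `<<<` marks a received message and `>>>` / `>r>` a sent one, which is how the log reads rather than documented AVM behaviour; the sample log, its cookies and its message IDs are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the ike.log layout shown above (all cookies/IDs made up).
SAMPLE_LOG = """\
2018-12-27 07:16:29 avmike:VPN EXAMPLE: Phase 2 ready
2018-12-27 07:16:40 avmike:<<< infomode[(IP peer)] VPN EXAMPLE: V1.0 92 IC aaaaaaaaaaaaaaaa RC bbbbbbbbbbbbbbbb 00000001 HASH flags=e
2018-12-27 07:16:40 avmike:>r> infomode [(IP peer)] VPN EXAMPLE: V1.0 92 IC aaaaaaaaaaaaaaaa RC bbbbbbbbbbbbbbbb 00000001 HASH flags=e
2018-12-27 07:16:50 avmike:<<< infomode[(IP peer)] VPN EXAMPLE: V1.0 92 IC aaaaaaaaaaaaaaaa RC bbbbbbbbbbbbbbbb 00000002 HASH flags=e
2018-12-27 07:17:00 avmike:<<< infomode[(IP peer)] VPN EXAMPLE: V1.0 92 IC aaaaaaaaaaaaaaaa RC bbbbbbbbbbbbbbbb 00000003 HASH flags=e
2018-12-27 07:22:50 avmike:VPN EXAMPLE: del phase 1 SA 1
2018-12-27 07:22:56 avmike:>r> infomode [(IP peer)] VPN EXAMPLE: V1.0 92 IC cccccccccccccccc RC dddddddddddddddd 00000009 HASH flags=e
"""

# Matches only infomode lines; the direction marker is assumed to mean
# "<<<" = received, ">>>" or ">r>" = sent.
LINE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) avmike:(<<<|>>>|>r>) infomode ?"
    r"\[[^\]]*\] (.+?): V1\.0 \d+ IC ([0-9a-f]+) RC ([0-9a-f]+) ([0-9a-f]+) HASH"
)


def dpd_reply_gaps(log_text):
    """Group infomode traffic by IKE SA (IC/RC cookie pair) and list received
    messages for which no sent line with the same message ID follows."""
    received = defaultdict(dict)   # (ic, rc) -> {msgid: timestamp first seen}
    answered = defaultdict(set)    # (ic, rc) -> {msgid}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue               # phase 1/2 negotiation and status lines
        ts, direction, _name, ic, rc, msgid = m.groups()
        sa = (ic, rc)
        if direction == "<<<":
            received[sa].setdefault(msgid, ts)
        elif msgid in received.get(sa, {}):
            answered[sa].add(msgid)
        # Sent messages that answer nothing (e.g. initial contact) are ignored.
    report = {}
    for sa, msgs in received.items():
        missing = sorted((ts, mid) for mid, ts in msgs.items()
                         if mid not in answered[sa])
        report[sa] = {
            "received": len(msgs),
            "answered": len(answered[sa]),
            "unanswered": missing,
            # Timestamp of the first request that got no reply, if any.
            "first_gap": missing[0][0] if missing else None,
        }
    return report


if __name__ == "__main__":
    for (ic, rc), r in dpd_reply_gaps(SAMPLE_LOG).items():
        print(f"IKE SA {ic}/{rc}: {r['answered']}/{r['received']} answered, "
              f"first unanswered at {r['first_gap']}")
```
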
I had another opportunity to test the connections from the side of the Fritzbox and from the side of the pfsense box:
- pfsense box shows connection inactive, Fritzbox shows connection active: traffic direction from Fritzbox to pfsense works, e.g. ping / trace route. pfsense box changes status to connection active
- pfsense box shows connection inactive, Fritzbox shows connection active: traffic direction from pfsense box to Fritzbox does not work. Traffic times out, ping/ trace route shows no result
-
Any news from anybody regarding this issue? I still have troubles with dropping connections.
Thanks,
Martin
-
@kuschi Still no solution? I am on 2.4.5 and the problem persists.
-
@defender110 Still no solution. I am on 2.4.5 too and I, too, still have the same problem. The Fritzbox connects successfully but pfSense shows the connection as "inactive" after a while. The clients on the Fritzbox side, however, can still reach their targets on pfSense's side but not the other way round.
-
@kuschi Thank You! Well...then the Fritz!Box will have to go and be replaced by a pfSense box. Just have to figure out how to make the Fritz do the phone duties behind the pfSense.
-
I got it stable only with Aggressive Mode; the tunnel endpoint is a 6490.
Otherwise my tunnel crashes after some time and doesn't come up again.
I hope AVM reacts to the feature request to upgrade the VPN features.
-
How did you get it stable in Aggressive Mode? Could you please share your config? Thanks!
-
Phase 1:
IKEv1
IPv4
PSK
Aggressive
Distinguished name
Distinguished name
PSK generated by pfSense
AES 256 SHA512 DH2
DPD on
Phase 2:
IPv4
NAT None
ESP
AES 236
SHA1
PFS Key Group 2
Lifetime 3600
However, a new Netgate has been ordered and will replace the Fritz shortly.