IPSEC Service not starting after initial install



  • On a fresh install of pfSense 2.4.4-RELEASE-p3 I built a site-to-site VPN. After applying the config, in Status-System Logs-IPSec it shows:

    Sep 6 16:16:24	charon		00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
    Sep 6 16:16:24	charon		00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
    Sep 6 16:16:24	charon		00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
    Sep 6 16:16:24	charon		00[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
    Sep 6 16:16:24	charon		00[CFG] loaded IKE secret for %any PUBLICIP
    Sep 6 16:16:24	charon		00[CFG] opening triplet file /usr/local/etc/ipsec.d/triplets.dat failed: No such file or directory
    Sep 6 16:16:24	charon		00[CFG] loaded 0 RADIUS server configurations
    Sep 6 16:16:24	charon		00[LIB] loaded plugins: charon unbound aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf curve25519 xcbc cmac hmac curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-sim eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap whitelist addrblock counters
    Sep 6 16:16:24	charon		00[JOB] spawning 16 worker threads
    Sep 6 16:16:24	ipsec_starter	23301	charon (23489) started after 80 ms
    Sep 6 16:16:24	charon		16[CFG] received stroke: add connection 'bypasslan'
    Sep 6 16:16:24	charon		16[CFG] conn bypasslan
    Sep 6 16:16:24	charon		16[CFG] left=%any
    Sep 6 16:16:24	charon		16[CFG] leftsubnet=10.73.254.0/24
    Sep 6 16:16:24	charon		16[CFG] right=%any
    Sep 6 16:16:24	charon		16[CFG] rightsubnet=10.73.254.0/24
    Sep 6 16:16:24	charon		16[CFG] dpddelay=30
    Sep 6 16:16:24	charon		16[CFG] dpdtimeout=150
    Sep 6 16:16:24	charon		16[CFG] sha256_96=no
    Sep 6 16:16:24	charon		16[CFG] mediation=no
    Sep 6 16:16:24	charon		16[CFG] added configuration 'bypasslan'
    Sep 6 16:16:24	charon		13[CFG] received stroke: route 'bypasslan'
    Sep 6 16:16:24	ipsec_starter	23301	'bypasslan' shunt PASS policy installed
    Sep 6 16:16:24	charon		16[CFG] received stroke: add connection 'con1000'
    Sep 6 16:16:24	charon		16[CFG] conn con1000
    Sep 6 16:16:24	charon		16[CFG] left=PUBLICIP
    Sep 6 16:16:24	charon		16[CFG] leftsubnet=10.73.254.0/24
    Sep 6 16:16:24	charon		16[CFG] leftauth=psk
    Sep 6 16:16:24	charon		16[CFG] leftid=PUBLICIP
    Sep 6 16:16:24	charon		16[CFG] right=PUBLICIP
    Sep 6 16:16:24	charon		16[CFG] rightsubnet=10.6.1.1/24
    Sep 6 16:16:24	charon		16[CFG] rightauth=psk
    Sep 6 16:16:24	charon		16[CFG] rightid=PUBLICIP
    Sep 6 16:16:24	charon		16[CFG] ike=aes128-sha1-modp2048!
    Sep 6 16:16:24	charon		16[CFG] esp=aes128-sha1-modp2048,aes128-sha256-modp2048,aes128gcm128-sha1-modp2048,aes128gcm128-sha256-modp2048!
    Sep 6 16:16:24	charon		16[CFG] dpddelay=10
    Sep 6 16:16:24	charon		16[CFG] dpdtimeout=60
    Sep 6 16:16:24	charon		16[CFG] dpdaction=3
    Sep 6 16:16:24	charon		16[CFG] sha256_96=no
    Sep 6 16:16:24	charon		16[CFG] mediation=no
    Sep 6 16:16:24	charon		16[CFG] keyexchange=ikev2
    Sep 6 16:16:24	charon		16[CFG] added configuration 'con1000'
    Sep 6 16:16:24	charon		12[CFG] received stroke: route 'con1000'
    Sep 6 16:16:24	charon		12[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_GCM_16_128/NO_EXT_SEQ
    Sep 6 16:16:24	charon		12[CHD] CHILD_SA con1000{1} state change: CREATED => ROUTED
    Sep 6 16:16:24	ipsec_starter	23301	'con1000' routed
    Sep 6 16:16:28	charon		00[DMN] signal of type SIGINT received. Shutting down
    Sep 6 16:16:28	charon		00[CHD] CHILD_SA con1000{1} state change: ROUTED => DESTROYING
    Sep 6 16:16:28	ipsec_starter	23301	charon stopped after 200 ms
    Sep 6 16:16:28	ipsec_starter	23301	ipsec starter stopped
    

    It seems as if the service hasn't started since the initial configuration. I've made and applied changes to the IPSec P1 and P2 and added new tunnels, but it has not restarted even after a complete restart. The remote side tries to send packets to pfsense but it doesn't seem to get a reply.

    giving up after 5 retransmits
    peer not responding, trying again (278/0)
    initiating IKE_SA House-USG[3] to PUBLICIP
    generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    sending packet: from PUBLICIP[500] to PUBLICIP[500] (462 bytes)
    

    I added a firewall rule for UDP 500 and there were hits, so the other side is sending packets.
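    What the log excerpt above actually says is that charon came up, loaded both connections, routed con1000, and then received SIGINT four seconds later and shut down, so nothing is listening on UDP 500 even though the firewall rule counts hits. The following parser is an added example written for this thread (not code from pfSense or strongSwan); it walks a constructed copy of those lines and reports whether the daemon is still up, how long it lived, which signal stopped it and the last state of each CHILD_SA. It assumes the tab-separated layout the pfSense log page exports (timestamp, process, optional pid, message); the helper names are the example's own.

```python
"""Parse pfSense charon/ipsec_starter log lines and decide whether the IPsec
daemon is actually still running.  Added example, not code from the thread."""
import re
from datetime import datetime

# Constructed sample: a trimmed copy of the lines shown in the post.
# Assumed field layout: timestamp, process, optional pid, message (tab-separated).
SAMPLE_LOG = """\
Sep 6 16:16:24\tipsec_starter\t23301\tcharon (23489) started after 80 ms
Sep 6 16:16:24\tcharon\t\t16[CFG] added configuration 'bypasslan'
Sep 6 16:16:24\tipsec_starter\t23301\t'bypasslan' shunt PASS policy installed
Sep 6 16:16:24\tcharon\t\t16[CFG] added configuration 'con1000'
Sep 6 16:16:24\tcharon\t\t12[CHD] CHILD_SA con1000{1} state change: CREATED => ROUTED
Sep 6 16:16:24\tipsec_starter\t23301\t'con1000' routed
Sep 6 16:16:28\tcharon\t\t00[DMN] signal of type SIGINT received. Shutting down
Sep 6 16:16:28\tcharon\t\t00[CHD] CHILD_SA con1000{1} state change: ROUTED => DESTROYING
Sep 6 16:16:28\tipsec_starter\t23301\tcharon stopped after 200 ms
Sep 6 16:16:28\tipsec_starter\t23301\tipsec starter stopped
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<proc>\S+)\s+"
    r"(?:(?P<pid>\d+)\s+)?"      # ipsec_starter lines carry a pid, charon lines do not
    r"(?P<msg>.+)$"
)
CHILD_RE = re.compile(r"CHILD_SA (?P<conn>\S+?)\{\d+\} state change: \w+ => (?P<new>\w+)")
ADDED_RE = re.compile(r"added configuration '(?P<conn>[^']+)'")
SIGNAL_RE = re.compile(r"signal of type (?P<sig>SIG\w+) received")


def parse_ts(text):
    """Syslog-style timestamp without a year; good enough for deltas within a day."""
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S")


def summarize(log_text):
    """Walk the log in order and keep the last known state of the daemon."""
    state = {
        "running": False,           # a start was seen with no later stop
        "started_at": None,
        "stopped_at": None,
        "uptime_seconds": None,     # start -> 'ipsec starter stopped' delta
        "shutdown_signal": None,    # e.g. SIGINT, if charon logged one
        "configured": [],           # connections charon added via stroke
        "child_sa": {},             # conn name -> last CHILD_SA state
    }
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                # skip lines that are not in the expected layout
        ts, msg = parse_ts(m.group("ts")), m.group("msg")
        if msg.startswith("charon (") and "started" in msg:
            state.update(running=True, started_at=ts, stopped_at=None,
                         uptime_seconds=None, shutdown_signal=None)
        elif msg == "ipsec starter stopped":
            state["running"] = False
            state["stopped_at"] = ts
            if state["started_at"] is not None:
                state["uptime_seconds"] = int((ts - state["started_at"]).total_seconds())
        elif (s := SIGNAL_RE.search(msg)):
            state["shutdown_signal"] = s.group("sig")
        elif (a := ADDED_RE.search(msg)):
            state["configured"].append(a.group("conn"))
        elif (c := CHILD_RE.search(msg)):
            state["child_sa"][c.group("conn")] = c.group("new")
    return state


def diagnose(state):
    """Turn the parsed state into the one-line verdict a troubleshooter wants."""
    if state["running"]:
        routed = [n for n, s in state["child_sa"].items() if s == "ROUTED"]
        return "charon running; routed connections: %s" % (", ".join(routed) or "none")
    why = " on %s" % state["shutdown_signal"] if state["shutdown_signal"] else ""
    up = state["uptime_seconds"]
    return ("charon is not running: stopped%s after %s s; "
            "no CHILD_SA can respond until the service is restarted"
            % (why, up if up is not None else "?"))


if __name__ == "__main__":
    print(diagnose(summarize(SAMPLE_LOG)))
```

    Run against the sample it reports that charon stopped on SIGINT after 4 s, which is the fact the later replies are getting at: a routed CHILD_SA in the log means nothing once the daemon has exited, so the first check after a tunnel that never answers is whether the service is enabled and running, not the proposal settings.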



  • charon 00[DMN] signal of type SIGINT received. Shutting down

    increase daemon verbosity
    VPN / IPsec / Advanced Settings

    and report back if there is something more specific

    if you are using ikev1 try with ikev2



  • Increased the verbosity but there are no new logs. It hasn't generated new logs since initial install. The service is not running.



  • of course, increase verbosity and restart the service.
    charon crashed so the service is dead



  • I ran playback restartipsec but there do not seem to be any new logs.



  • can't you do it from the gui?

    [screenshot: Immagine.jpg]



  • isn't listed
    [screenshot: Screen Shot 2019-09-07 at 8.52.35 AM.png]



  • what do you have here? enabled or disabled?

    [screenshot: Immagine.jpg]



  • ugh I'm not smart ☺

