Netgate Discussion Forum
    IPSEC Service not starting after initial install

    Category: IPsec
    9 Posts 2 Posters 1.4k Views
    • M
      macaddict89
      last edited by

      On a fresh install of pfSense 2.4.4-RELEASE-p3, I built a site-to-site VPN. After applying the config, Status - System Logs - IPsec shows:

      Sep 6 16:16:24	charon		00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
      Sep 6 16:16:24	charon		00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
      Sep 6 16:16:24	charon		00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
      Sep 6 16:16:24	charon		00[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
      Sep 6 16:16:24	charon		00[CFG] loaded IKE secret for %any PUBLICIP
      Sep 6 16:16:24	charon		00[CFG] opening triplet file /usr/local/etc/ipsec.d/triplets.dat failed: No such file or directory
      Sep 6 16:16:24	charon		00[CFG] loaded 0 RADIUS server configurations
      Sep 6 16:16:24	charon		00[LIB] loaded plugins: charon unbound aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf curve25519 xcbc cmac hmac curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-sim eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap whitelist addrblock counters
      Sep 6 16:16:24	charon		00[JOB] spawning 16 worker threads
      Sep 6 16:16:24	ipsec_starter	23301	charon (23489) started after 80 ms
      Sep 6 16:16:24	charon		16[CFG] received stroke: add connection 'bypasslan'
      Sep 6 16:16:24	charon		16[CFG] conn bypasslan
      Sep 6 16:16:24	charon		16[CFG] left=%any
      Sep 6 16:16:24	charon		16[CFG] leftsubnet=10.73.254.0/24
      Sep 6 16:16:24	charon		16[CFG] right=%any
      Sep 6 16:16:24	charon		16[CFG] rightsubnet=10.73.254.0/24
      Sep 6 16:16:24	charon		16[CFG] dpddelay=30
      Sep 6 16:16:24	charon		16[CFG] dpdtimeout=150
      Sep 6 16:16:24	charon		16[CFG] sha256_96=no
      Sep 6 16:16:24	charon		16[CFG] mediation=no
      Sep 6 16:16:24	charon		16[CFG] added configuration 'bypasslan'
      Sep 6 16:16:24	charon		13[CFG] received stroke: route 'bypasslan'
      Sep 6 16:16:24	ipsec_starter	23301	'bypasslan' shunt PASS policy installed
      Sep 6 16:16:24	charon		16[CFG] received stroke: add connection 'con1000'
      Sep 6 16:16:24	charon		16[CFG] conn con1000
      Sep 6 16:16:24	charon		16[CFG] left=PUBLICIP
      Sep 6 16:16:24	charon		16[CFG] leftsubnet=10.73.254.0/24
      Sep 6 16:16:24	charon		16[CFG] leftauth=psk
      Sep 6 16:16:24	charon		16[CFG] leftid=PUBLICIP
      Sep 6 16:16:24	charon		16[CFG] right=PUBLICIP
      Sep 6 16:16:24	charon		16[CFG] rightsubnet=10.6.1.1/24
      Sep 6 16:16:24	charon		16[CFG] rightauth=psk
      Sep 6 16:16:24	charon		16[CFG] rightid=PUBLICIP
      Sep 6 16:16:24	charon		16[CFG] ike=aes128-sha1-modp2048!
      Sep 6 16:16:24	charon		16[CFG] esp=aes128-sha1-modp2048,aes128-sha256-modp2048,aes128gcm128-sha1-modp2048,aes128gcm128-sha256-modp2048!
      Sep 6 16:16:24	charon		16[CFG] dpddelay=10
      Sep 6 16:16:24	charon		16[CFG] dpdtimeout=60
      Sep 6 16:16:24	charon		16[CFG] dpdaction=3
      Sep 6 16:16:24	charon		16[CFG] sha256_96=no
      Sep 6 16:16:24	charon		16[CFG] mediation=no
      Sep 6 16:16:24	charon		16[CFG] keyexchange=ikev2
      Sep 6 16:16:24	charon		16[CFG] added configuration 'con1000'
      Sep 6 16:16:24	charon		12[CFG] received stroke: route 'con1000'
      Sep 6 16:16:24	charon		12[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_GCM_16_128/NO_EXT_SEQ
      Sep 6 16:16:24	charon		12[CHD] CHILD_SA con1000{1} state change: CREATED => ROUTED
      Sep 6 16:16:24	ipsec_starter	23301	'con1000' routed
      Sep 6 16:16:28	charon		00[DMN] signal of type SIGINT received. Shutting down
      Sep 6 16:16:28	charon		00[CHD] CHILD_SA con1000{1} state change: ROUTED => DESTROYING
      Sep 6 16:16:28	ipsec_starter	23301	charon stopped after 200 ms
      Sep 6 16:16:28	ipsec_starter	23301	ipsec starter stopped
      

      It seems as if the service hasn't started since the initial configuration. I've made and applied changes to the IPSec P1 and P2 and added new tunnels, but it has not restarted even after a complete restart. The remote side tries to send packets to pfsense but it doesn't seem to get a reply.

      giving up after 5 retransmits
      peer not responding, trying again (278/0)
      initiating IKE_SA House-USG[3] to PUBLICIP
      generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
      sending packet: from PUBLICIP[500] to PUBLICIP[500] (462 bytes)
      

      I added a firewall rule for UDP 500 and there were hits, so the other side is sending packets.

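The two excerpts in this post already contain the whole diagnosis: the local charon daemon loads its configuration, routes con1000, and four seconds later receives SIGINT and exits, while the remote peer keeps retransmitting IKE_SA_INIT and gives up. The script below is an added example (not part of this thread, and not pfSense or strongSwan code) that turns that reading into a repeatable check. It assumes the tab-separated columns of the pasted log (timestamp, process, pid, message), relies on strongSwan's own `[IKE]` and `[NET]` subsystem tags to detect whether any negotiation or packet traffic ever occurred, and uses constructed samples condensed from the lines quoted above; the verdict strings are my own labels.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a condensed copy of the charon / ipsec_starter lines
# quoted in the first post (columns are tab-separated as in the paste;
# PUBLICIP is the poster's own redaction, not a real address).
SAMPLE_LOCAL_LOG = """\
Sep 6 16:16:24\tcharon\t\t00[CFG] loaded IKE secret for %any PUBLICIP
Sep 6 16:16:24\tcharon\t\t00[JOB] spawning 16 worker threads
Sep 6 16:16:24\tipsec_starter\t23301\tcharon (23489) started after 80 ms
Sep 6 16:16:24\tcharon\t\t16[CFG] added configuration 'bypasslan'
Sep 6 16:16:24\tipsec_starter\t23301\t'bypasslan' shunt PASS policy installed
Sep 6 16:16:24\tcharon\t\t16[CFG] added configuration 'con1000'
Sep 6 16:16:24\tcharon\t\t12[CHD] CHILD_SA con1000{1} state change: CREATED => ROUTED
Sep 6 16:16:24\tipsec_starter\t23301\t'con1000' routed
Sep 6 16:16:28\tcharon\t\t00[DMN] signal of type SIGINT received. Shutting down
Sep 6 16:16:28\tcharon\t\t00[CHD] CHILD_SA con1000{1} state change: ROUTED => DESTROYING
Sep 6 16:16:28\tipsec_starter\t23301\tcharon stopped after 200 ms
Sep 6 16:16:28\tipsec_starter\t23301\tipsec starter stopped
"""

# Constructed sample of the remote peer's excerpt from the same post.
SAMPLE_PEER_LOG = """\
giving up after 5 retransmits
peer not responding, trying again (278/0)
initiating IKE_SA House-USG[3] to PUBLICIP
sending packet: from PUBLICIP[500] to PUBLICIP[500] (462 bytes)
"""

# One pfSense IPsec log record: "<Mon D HH:MM:SS>\t<process>\t<pid or empty>\t<message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d)\t(?P<proc>\S+)\t(?P<pid>\d*)\t(?P<msg>.*)$"
)


@dataclass
class DaemonState:
    started: bool = False
    stopped: bool = False
    shutdown_signal: Optional[str] = None
    routed: List[str] = field(default_factory=list)  # conns that reached ROUTED
    ike_or_net_seen: bool = False                     # any [IKE]/[NET] line at all
    last_ts: Optional[str] = None                     # timestamp of the last record


def analyse_local(log_text: str) -> DaemonState:
    """Walk the pfSense-side log and record the daemon's lifecycle."""
    st = DaemonState()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # skip anything that is not a log record
        proc, msg = m.group("proc"), m.group("msg")
        st.last_ts = m.group("ts")
        if proc == "ipsec_starter":
            if "started after" in msg:
                st.started = True
            elif msg == "ipsec starter stopped":
                st.stopped = True
            else:
                r = re.match(r"'([^']+)' routed$", msg)
                if r:
                    st.routed.append(r.group(1))
        elif "[DMN] signal of type" in msg:
            # e.g. "00[DMN] signal of type SIGINT received. Shutting down"
            st.shutdown_signal = msg.split("signal of type ")[1].split()[0]
            st.stopped = True
        elif "[IKE]" in msg or "[NET]" in msg:
            st.ike_or_net_seen = True
    return st


def peer_sees_no_response(peer_text: str) -> bool:
    """True when the remote side reports retransmit exhaustion / silent peer."""
    return bool(re.search(r"peer not responding|giving up after \d+ retransmits", peer_text))


def diagnose(local: DaemonState, peer_text: Optional[str] = None) -> str:
    """Classify the local daemon's state; verdict labels are this example's own."""
    if not local.started:
        return "daemon-never-started"
    if local.stopped and not local.ike_or_net_seen:
        verdict = "daemon-stopped-before-any-ike-traffic"
        if peer_text is not None and peer_sees_no_response(peer_text):
            verdict += ";peer-timeouts-consistent-with-local-daemon-down"
        return verdict
    if local.stopped:
        return "daemon-stopped-after-ike-activity"
    return "daemon-running"


if __name__ == "__main__":
    state = analyse_local(SAMPLE_LOCAL_LOG)
    print(f"routed={state.routed} signal={state.shutdown_signal} last={state.last_ts}")
    print(diagnose(state, SAMPLE_PEER_LOG))
```

Run against the sample it reports that the daemon was started, routed con1000, never logged a single `[IKE]` or `[NET]` line, and was stopped by SIGINT; combined with the peer's retransmit timeouts that points at the local service not running at all rather than at a firewall or proposal mismatch, which is why the firewall rule hits in this post do not contradict the "no reply" symptom. A growing gap between `last_ts` and the current time is the same "no new logs since install" observation made later in the thread.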
      • kiokomanK
        kiokoman LAYER 8
        last edited by kiokoman

        charon 00[DMN] signal of type SIGINT received. Shutting down

        increase daemon verbosity
        VPN / IPsec / Advanced Settings

        and report back if there is something more specific

        if you are using ikev1 try with ikev2

        ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
        Please do not use chat/PM to ask for help
        we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
        Don't forget to Upvote with the 👍 button for any post you find to be helpful.

        • M
          macaddict89
          last edited by

          Increased the verbosity but there are no new logs. It hasn't generated new logs since initial install. The service is not running.

          • kiokomanK
            kiokoman LAYER 8 @macaddict89
            last edited by kiokoman

            of course, increase verbosity and restart the service.
            charon crashed so the service is dead


            • M
              macaddict89
              last edited by

              I ran playback restartipsec but there do not seem to be any new logs.

              • kiokomanK
                kiokoman LAYER 8
                last edited by

                can't you do it from the gui?

                [attached image: Immagine.jpg]


                • M
                  macaddict89
                  last edited by

                  isn't listed
                  [attached image: Screen Shot 2019-09-07 at 8.52.35 AM.png]

                  • kiokomanK
                    kiokoman LAYER 8
                    last edited by

                    what do you have here? enabled or disabled?

                    [attached image: Immagine.jpg]


                    • M
                      macaddict89
                      last edited by

                      ugh I'm not smart ☺

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.