IPSEC Service not starting after initial install

macaddict89

On a fresh install of pfsense 2.4.4-RELEASE-p3 I built a site-to-site VPN. After applying the config in Status-System Logs-IPSec it shows:

Sep 6 16:16:24	charon		00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Sep 6 16:16:24	charon		00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Sep 6 16:16:24	charon		00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
Sep 6 16:16:24	charon		00[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
Sep 6 16:16:24	charon		00[CFG] loaded IKE secret for %any PUBLICIP
Sep 6 16:16:24	charon		00[CFG] opening triplet file /usr/local/etc/ipsec.d/triplets.dat failed: No such file or directory
Sep 6 16:16:24	charon		00[CFG] loaded 0 RADIUS server configurations
Sep 6 16:16:24	charon		00[LIB] loaded plugins: charon unbound aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf curve25519 xcbc cmac hmac curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-sim eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap whitelist addrblock counters
Sep 6 16:16:24	charon		00[JOB] spawning 16 worker threads
Sep 6 16:16:24	ipsec_starter	23301	charon (23489) started after 80 ms
Sep 6 16:16:24	charon		16[CFG] received stroke: add connection 'bypasslan'
Sep 6 16:16:24	charon		16[CFG] conn bypasslan
Sep 6 16:16:24	charon		16[CFG] left=%any
Sep 6 16:16:24	charon		16[CFG] leftsubnet=10.73.254.0/24
Sep 6 16:16:24	charon		16[CFG] right=%any
Sep 6 16:16:24	charon		16[CFG] rightsubnet=10.73.254.0/24
Sep 6 16:16:24	charon		16[CFG] dpddelay=30
Sep 6 16:16:24	charon		16[CFG] dpdtimeout=150
Sep 6 16:16:24	charon		16[CFG] sha256_96=no
Sep 6 16:16:24	charon		16[CFG] mediation=no
Sep 6 16:16:24	charon		16[CFG] added configuration 'bypasslan'
Sep 6 16:16:24	charon		13[CFG] received stroke: route 'bypasslan'
Sep 6 16:16:24	ipsec_starter	23301	'bypasslan' shunt PASS policy installed
Sep 6 16:16:24	charon		16[CFG] received stroke: add connection 'con1000'
Sep 6 16:16:24	charon		16[CFG] conn con1000
Sep 6 16:16:24	charon		16[CFG] left=PUBLICIP
Sep 6 16:16:24	charon		16[CFG] leftsubnet=10.73.254.0/24
Sep 6 16:16:24	charon		16[CFG] leftauth=psk
Sep 6 16:16:24	charon		16[CFG] leftid=PUBLICIP
Sep 6 16:16:24	charon		16[CFG] right=PUBLICIP
Sep 6 16:16:24	charon		16[CFG] rightsubnet=10.6.1.1/24
Sep 6 16:16:24	charon		16[CFG] rightauth=psk
Sep 6 16:16:24	charon		16[CFG] rightid=PUBLICIP
Sep 6 16:16:24	charon		16[CFG] ike=aes128-sha1-modp2048!
Sep 6 16:16:24	charon		16[CFG] esp=aes128-sha1-modp2048,aes128-sha256-modp2048,aes128gcm128-sha1-modp2048,aes128gcm128-sha256-modp2048!
Sep 6 16:16:24	charon		16[CFG] dpddelay=10
Sep 6 16:16:24	charon		16[CFG] dpdtimeout=60
Sep 6 16:16:24	charon		16[CFG] dpdaction=3
Sep 6 16:16:24	charon		16[CFG] sha256_96=no
Sep 6 16:16:24	charon		16[CFG] mediation=no
Sep 6 16:16:24	charon		16[CFG] keyexchange=ikev2
Sep 6 16:16:24	charon		16[CFG] added configuration 'con1000'
Sep 6 16:16:24	charon		12[CFG] received stroke: route 'con1000'
Sep 6 16:16:24	charon		12[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_GCM_16_128/NO_EXT_SEQ
Sep 6 16:16:24	charon		12[CHD] CHILD_SA con1000{1} state change: CREATED => ROUTED
Sep 6 16:16:24	ipsec_starter	23301	'con1000' routed
Sep 6 16:16:28	charon		00[DMN] signal of type SIGINT received. Shutting down
Sep 6 16:16:28	charon		00[CHD] CHILD_SA con1000{1} state change: ROUTED => DESTROYING
Sep 6 16:16:28	ipsec_starter	23301	charon stopped after 200 ms
Sep 6 16:16:28	ipsec_starter	23301	ipsec starter stopped

It seems as if the service hasn't started since the initial configuration. I've made and applied changes to the IPSec P1 and P2 and added new tunnels, but it has not restarted even after a complete restart. The remote side tries to send packets to pfsense but it doesn't seem to get a reply.

giving up after 5 retransmits
peer not responding, trying again (278/0)
initiating IKE_SA House-USG[3] to PUBLICIP
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from PUBLICIP[500] to PUBLICIP[500] (462 bytes)

I added a firewall rule for UDP 500 and there were hits, so the other side is sending packets.

kiokoman

charon 00[DMN] signal of type SIGINT received. Shutting down

increase daemon verbosity
VPN / IPsec / Advanced Settings

and report back if there is something more specific

if you are using ikev1 try with ikev2

macaddict89

Increased the verbosity but there are no new logs. It hasn't generated new logs since initial install. The service is not running.

kiokoman

of course, increse verbosity and restart the service.
charon crashed so the service is dead

macaddict89

I ran playback restartipsec but there do not seem to be any new logs.

kiokoman

can't you do it from the gui ?

macaddict89

isn't listed

kiokoman

what do you have here ?enabled or disabled?

macaddict89

ugh I'm not smart