IPSEC Service not starting after initial install
-
On a fresh install of pfsense 2.4.4-RELEASE-p3 I built a site-to-site VPN. After applying the config in Status-System Logs-IPSec it shows:
Sep 6 16:16:24 charon 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Sep 6 16:16:24 charon 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Sep 6 16:16:24 charon 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
Sep 6 16:16:24 charon 00[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
Sep 6 16:16:24 charon 00[CFG] loaded IKE secret for %any PUBLICIP
Sep 6 16:16:24 charon 00[CFG] opening triplet file /usr/local/etc/ipsec.d/triplets.dat failed: No such file or directory
Sep 6 16:16:24 charon 00[CFG] loaded 0 RADIUS server configurations
Sep 6 16:16:24 charon 00[LIB] loaded plugins: charon unbound aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf curve25519 xcbc cmac hmac curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-sim eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap whitelist addrblock counters
Sep 6 16:16:24 charon 00[JOB] spawning 16 worker threads
Sep 6 16:16:24 ipsec_starter 23301 charon (23489) started after 80 ms
Sep 6 16:16:24 charon 16[CFG] received stroke: add connection 'bypasslan'
Sep 6 16:16:24 charon 16[CFG] conn bypasslan
Sep 6 16:16:24 charon 16[CFG] left=%any
Sep 6 16:16:24 charon 16[CFG] leftsubnet=10.73.254.0/24
Sep 6 16:16:24 charon 16[CFG] right=%any
Sep 6 16:16:24 charon 16[CFG] rightsubnet=10.73.254.0/24
Sep 6 16:16:24 charon 16[CFG] dpddelay=30
Sep 6 16:16:24 charon 16[CFG] dpdtimeout=150
Sep 6 16:16:24 charon 16[CFG] sha256_96=no
Sep 6 16:16:24 charon 16[CFG] mediation=no
Sep 6 16:16:24 charon 16[CFG] added configuration 'bypasslan'
Sep 6 16:16:24 charon 13[CFG] received stroke: route 'bypasslan'
Sep 6 16:16:24 ipsec_starter 23301 'bypasslan' shunt PASS policy installed
Sep 6 16:16:24 charon 16[CFG] received stroke: add connection 'con1000'
Sep 6 16:16:24 charon 16[CFG] conn con1000
Sep 6 16:16:24 charon 16[CFG] left=PUBLICIP
Sep 6 16:16:24 charon 16[CFG] leftsubnet=10.73.254.0/24
Sep 6 16:16:24 charon 16[CFG] leftauth=psk
Sep 6 16:16:24 charon 16[CFG] leftid=PUBLICIP
Sep 6 16:16:24 charon 16[CFG] right=PUBLICIP
Sep 6 16:16:24 charon 16[CFG] rightsubnet=10.6.1.1/24
Sep 6 16:16:24 charon 16[CFG] rightauth=psk
Sep 6 16:16:24 charon 16[CFG] rightid=PUBLICIP
Sep 6 16:16:24 charon 16[CFG] ike=aes128-sha1-modp2048!
Sep 6 16:16:24 charon 16[CFG] esp=aes128-sha1-modp2048,aes128-sha256-modp2048,aes128gcm128-sha1-modp2048,aes128gcm128-sha256-modp2048!
Sep 6 16:16:24 charon 16[CFG] dpddelay=10
Sep 6 16:16:24 charon 16[CFG] dpdtimeout=60
Sep 6 16:16:24 charon 16[CFG] dpdaction=3
Sep 6 16:16:24 charon 16[CFG] sha256_96=no
Sep 6 16:16:24 charon 16[CFG] mediation=no
Sep 6 16:16:24 charon 16[CFG] keyexchange=ikev2
Sep 6 16:16:24 charon 16[CFG] added configuration 'con1000'
Sep 6 16:16:24 charon 12[CFG] received stroke: route 'con1000'
Sep 6 16:16:24 charon 12[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_GCM_16_128/NO_EXT_SEQ
Sep 6 16:16:24 charon 12[CHD] CHILD_SA con1000{1} state change: CREATED => ROUTED
Sep 6 16:16:24 ipsec_starter 23301 'con1000' routed
Sep 6 16:16:28 charon 00[DMN] signal of type SIGINT received. Shutting down
Sep 6 16:16:28 charon 00[CHD] CHILD_SA con1000{1} state change: ROUTED => DESTROYING
Sep 6 16:16:28 ipsec_starter 23301 charon stopped after 200 ms
Sep 6 16:16:28 ipsec_starter 23301 ipsec starter stopped
It seems as if the service hasn't started since the initial configuration. I've made and applied changes to the IPSec P1 and P2 and added new tunnels, but it has not restarted even after a complete restart. The remote side tries to send packets to pfsense but it doesn't seem to get a reply.
giving up after 5 retransmits
peer not responding, trying again (278/0)
initiating IKE_SA House-USG[3] to PUBLICIP
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from PUBLICIP[500] to PUBLICIP[500] (462 bytes)
I added a firewall rule for UDP 500 and there were hits, so the other side is sending packets.
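A small log-triage helper for the symptom in this post, added here as an example (it is not pfSense or strongSwan code): it reads charon lines in the format of the Status / System Logs / IPsec output above, measures how long charon lived between its "started after" line and the SIGINT, and records whether any CHILD_SA ever reached INSTALLED. The sample log is constructed and condensed from the pattern in the post; a "short-lived" verdict means the daemon was stopped seconds after start with no tunnel up, which points at the service being stopped or disabled rather than at the peer.

```python
import re
from datetime import datetime

# Constructed sample in the pfSense IPsec log format (condensed, not copied from the post):
# charon starts, routes the tunnel, then receives SIGINT four seconds later.
SAMPLE_LOG = """\
Sep 6 16:16:24 ipsec_starter 23301 charon (23489) started after 80 ms
Sep 6 16:16:24 charon 16[CFG] added configuration 'con1000'
Sep 6 16:16:24 charon 12[CHD] CHILD_SA con1000{1} state change: CREATED => ROUTED
Sep 6 16:16:28 charon 00[DMN] signal of type SIGINT received. Shutting down
Sep 6 16:16:28 charon 00[CHD] CHILD_SA con1000{1} state change: ROUTED => DESTROYING
Sep 6 16:16:28 ipsec_starter 23301 ipsec starter stopped
"""

TS_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) ")
SA_RE = re.compile(r"CHILD_SA (\S+?)\{\d+\} state change: \w+ => (\w+)")

def diagnose(log_text, short_lived_seconds=60):
    """Summarise a charon log: daemon start/stop times, uptime, and per-tunnel final state."""
    started = stopped = None
    sa_state, ever_installed = {}, set()
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
        if "charon (" in line and "started after" in line:
            started, stopped = ts, None   # a fresh start resets any earlier stop
        elif "signal of type SIGINT received" in line:
            stopped = ts
        sa = SA_RE.search(line)
        if sa:
            name, state = sa.groups()
            sa_state[name] = state        # keep only the last state seen per CHILD_SA
            if state == "INSTALLED":
                ever_installed.add(name)
    uptime = (stopped - started).total_seconds() if started and stopped else None
    if started is None:
        verdict = "never-started"
    elif stopped is None:
        verdict = "running"
    elif uptime < short_lived_seconds and not ever_installed:
        verdict = "short-lived"           # stopped within a minute, no SA ever came up
    else:
        verdict = "stopped"
    return {"started": started, "stopped": stopped, "uptime_seconds": uptime,
            "sa_state": sa_state, "ever_installed": ever_installed, "verdict": verdict}

if __name__ == "__main__":
    r = diagnose(SAMPLE_LOG)
    print(r["verdict"], r["uptime_seconds"], r["sa_state"])
```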
-
charon 00[DMN] signal of type SIGINT received. Shutting down
increase daemon verbosity
VPN / IPsec / Advanced Settings and report back if there is something more specific
if you are using ikev1 try with ikev2
-
Increased the verbosity but there are no new logs. It hasn't generated new logs since initial install. The service is not running.
-
of course, increase verbosity and restart the service.
charon crashed so the service is dead
-
I ran playback restartipsec but there do not seem to be any new logs.
-
can't you do it from the GUI?
-
isn't listed
-
what do you have here? enabled or disabled?
-
ugh I'm not smart