Fix the VPN IPSEC Dead Peer Detection in 1.2.2 or 1.2.3 {$200}



  • I need the dead peer detection fixed as this is for production firewall(s) and not for testing. The problem is, if the remote site goes down and comes back up, pfSense does not see the remote side as being down and I then have to log in and manually delete the SAD for that pair.  I need this to be automatic.

    Maybe a ping function: if it is unable to ping an IP on the remote side, it deletes the 2 SAD entries for that specific VPN tunnel.

    Thanks,

    Mark



  • This problem is making me have to log into my firewall 10 times a day to delete the SAs for this tunnel.


  • Rebel Alliance Developer Netgate

    Are you sure there isn't something else going on?

    I have IPSec tunnels to several locations, and I don't have any problems at all. My connection at home has been very unstable lately, but every time it has reconnected the tunnel came back up without issue. Same with my other remote sites.

    However, most of these are PPPoE based, not sure if that makes a difference. Some more detail in that respect may help work toward a solution.



  • Connections are static IP.  The device is a Cisco VPN Concentrator 3005 and the other end is 1.2.2 embedded on ALIX.



  • Maybe this will help:

    From 1.2.2 Release on Alix

    May 6 18:58:13 racoon: [MSP Monitor]: INFO: ISAKMP-SA deleted 12.238.x.x[500]-69.12.x.x[500] spi:5b6b39080cbe0b85:29d8f870eded6416
    May 6 18:58:12 racoon: [MSP Monitor]: INFO: ISAKMP-SA expired 12.238.x.x[500]-69.12.x.x[500] spi:5b6b39080cbe0b85:29d8f870eded6416
    May 6 18:30:21 racoon: ERROR: libipsec failed pfkey align (Invalid sadb message)
    May 6 18:30:21 racoon: ERROR: libipsec failed pfkey align (Invalid sadb message)
    May 6 12:06:23 racoon: [MSP Monitor]: ERROR: no iph2 found: ESP 69.12.x.x[0]->12.238.x.x[0] spi=34828622(0x213714e)
    May 6 12:06:23 racoon: INFO: unsupported PF_KEY message REGISTER
    May 6 12:06:20 racoon: [MSP Monitor]: INFO: IPsec-SA established: ESP 12.238.x.x[0]->69.12.x.x[0] spi=1492648816(0x58f80370)
    May 6 12:06:20 racoon: [MSP Monitor]: INFO: IPsec-SA established: ESP 69.12.x.x[0]->12.238.x.x[0] spi=233661810(0xded6572)
    May 6 12:06:20 racoon: WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
    May 6 12:06:20 racoon: [MSP Monitor]: INFO: respond new phase 2 negotiation: 12.238.x.x[0]<=>69.12.x.x[0]
    May 6 12:06:20 racoon: [MSP Monitor]: INFO: ISAKMP-SA established 12.238.x.x[500]-69.12.x.x[500] spi:6605245b1011d662:5bac53ce09319aa9
    May 6 12:06:20 racoon: WARNING: No ID match.
    May 6 12:06:20 racoon: INFO: received Vendor ID: DPD
    May 6 12:06:20 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    May 6 12:06:20 racoon: INFO: received Vendor ID: CISCO-UNITY
    May 6 12:06:20 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    May 6 12:06:20 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    May 6 12:06:20 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    May 6 12:06:20 racoon: INFO: begin Identity Protection mode.
    May 6 12:06:20 racoon: [MSP Monitor]: INFO: respond new phase 1 negotiation: 12.238.x.x[500]<=>69.12.x.x[500]
    May 6 12:06:20 racoon: [MSP Monitor]: INFO: ISAKMP-SA deleted 12.238.x.x[500]-69.12.x.x[500] spi:26cc8a5bb4d644b5:5244b6db8d48c8dd
    May 6 12:06:19 racoon: [MSP Monitor]: INFO: ISAKMP-SA expired 12.238.x.x[500]-69.12.x.x[500] spi:26cc8a5bb4d644b5:5244b6db8d48c8dd
    May 6 12:06:19 racoon: [MSP Monitor]: ERROR: pfkey DELETE received: ESP 12.238.x.x[0]->69.12.x.x[0] spi=1907603162(0x71b3b6da)
    May 6 12:06:19 racoon: INFO: unsupported PF_KEY message REGISTER
    May 6 11:43:26 racoon: [MSP Monitor]: ERROR: no iph2 found: ESP 69.12.x.x[0]->12.238.x.x[0] spi=101591129(0x60e2859)
    May 6 11:43:26 racoon: INFO: unsupported PF_KEY message REGISTER
    May 6 11:43:24 racoon: [MSP Monitor]: INFO: IPsec-SA established: ESP 12.238.x.x[0]->69.12.x.x[0] spi=1907603162(0x71b3b6da)
    May 6 11:43:24 racoon: [MSP Monitor]: INFO: IPsec-SA established: ESP 69.12.x.x[0]->12.238.x.x[0] spi=34828622(0x213714e)
    May 6 11:43:23 racoon: WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
    May 6 11:43:23 racoon: [MSP Monitor]: INFO: respond new phase 2 negotiation: 12.238.x.x[0]<=>69.12.x.x[0]
    May 6 11:43:22 racoon: [MSP Monitor]: INFO: ISAKMP-SA established 12.238.x.x[500]-69.12.x.x[500] spi:26cc8a5bb4d644b5:5244b6db8d48c8dd
    May 6 11:43:22 racoon: WARNING: No ID match.
    May 6 11:43:22 racoon: INFO: received Vendor ID: DPD
    May 6 11:43:21 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    May 6 11:43:21 racoon: INFO: received Vendor ID: CISCO-UNITY
    May 6 11:43:20 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    May 6 11:43:20 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    May 6 11:43:20 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    May 6 11:43:20 racoon: INFO: begin Identity Protection mode.
    May 6 11:43:20 racoon: [MSP Monitor]: INFO: respond new phase 1 negotiation: 12.238.x.x[500]<=>69.12.x.x[500]
    May 6 11:43:15 racoon: [MSP Monitor]: ERROR: pfkey DELETE received: ESP 12.238.x.x[0]->69.12.x.x[0] spi=210205826(0xc877c82)
    May 6 11:43:15 racoon: INFO: unsupported PF_KEY message REGISTER
    May 6 11:32:21 racoon: [MSP Monitor]: INFO: IPsec-SA established: ESP 12.238.x.x[0]->69.12.x.x[0] spi=210205826(0xc877c82)
    May 6 11:32:21 racoon: [MSP Monitor]: INFO: IPsec-SA established: ESP 69.12.x.x[0]->12.238.x.x[0] spi=101591129(0x60e2859)
    May 6 11:32:21 racoon: WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
    May 6 11:32:21 racoon: [MSP Monitor]: INFO: respond new phase 2 negotiation: 12.238.x.x[0]<=>69.12.x.x[0]
    May 6 11:32:21 racoon: [MSP Monitor]: INFO: ISAKMP-SA established 12.238.x.x[500]-69.12.x.x[500] spi:e8110c06e832ad67:59e186430da18beb
    May 6 11:32:21 racoon: WARNING: No ID match.
    May 6 11:32:21 racoon: INFO: received Vendor ID: DPD
    May 6 11:32:21 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt


  • Rebel Alliance Developer Netgate

    I have one of those VPN concentrators sitting here collecting dust, but I'm not sure I'd have time to replicate a test environment.

    Would it be possible for you to post sanitized versions of the tunnel config from both sides?



  • Sure thing.  I will do it tonight.


  • Rebel Alliance Developer Netgate

    You may also want to include any other relevant config from the Cisco if you can, things that might alter the way IPSec is handled.



  • Just remembered…Already posted the screenshots...see the post below.

    http://forum.pfsense.org/index.php/topic,15678.msg81991.html#msg81991


  • Rebel Alliance Developer Netgate

    Ok. Doesn't look like anything exotic… I'll see if my VPN concentrator still boots, we acquired it used quite some time ago and never needed it.  :)


  • Rebel Alliance Developer Netgate

    Just a little update: I have at least managed to reproduce the problem. I can get the tunnel to come up, ping, etc. Then if I reboot the VPN Concentrator, the tunnel is down on the VC side, and the pfSense side still believes the tunnel is active.

    I have to bounce racoon to bring it back to life.

    In this scenario, .40 is the pfSense box and .49 is the Cisco VPN Concentrator
    # You can see the DPD heartbeat every 10 seconds
    15:31:54.836050 IP (tos 0x0, ttl 128, id 645, offset 0, flags [none], proto UDP (17), length 112) x.x.x.49.500 > x.x.x.40.500: isakmp 1.0 msgid  cookie ->: phase 2/others ? inf[E]: [encrypted hash]
    15:31:54.836829 IP (tos 0x0, ttl 64, id 7023, offset 0, flags [none], proto UDP (17), length 120) x.x.x.40.500 > x.x.x.49.500: isakmp 1.0 msgid  cookie ->: phase 2/others ? inf[E]: [encrypted hash]
    15:32:04.839087 IP (tos 0x0, ttl 128, id 646, offset 0, flags [none], proto UDP (17), length 112) x.x.x.49.500 > x.x.x.40.500: isakmp 1.0 msgid  cookie ->: phase 2/others ? inf[E]: [encrypted hash]
    15:32:04.839919 IP (tos 0x0, ttl 64, id 12303, offset 0, flags [none], proto UDP (17), length 120) x.x.x.40.500 > x.x.x.49.500: isakmp 1.0 msgid  cookie ->: phase 2/others ? inf[E]: [encrypted hash]
    15:32:14.842125 IP (tos 0x0, ttl 128, id 658, offset 0, flags [none], proto UDP (17), length 112) x.x.x.49.500 > x.x.x.40.500: isakmp 1.0 msgid  cookie ->: phase 2/others ? inf[E]: [encrypted hash]
    15:32:14.842992 IP (tos 0x0, ttl 64, id 2415, offset 0, flags [none], proto UDP (17), length 120) x.x.x.40.500 > x.x.x.49.500: isakmp 1.0 msgid  cookie ->: phase 2/others ? inf[E]: [encrypted hash]
    15:32:24.845161 IP (tos 0x0, ttl 128, id 685, offset 0, flags [none], proto UDP (17), length 112) x.x.x.49.500 > x.x.x.40.500: isakmp 1.0 msgid  cookie ->: phase 2/others ? inf[E]: [encrypted hash]
    15:32:24.845898 IP (tos 0x0, ttl 64, id 58238, offset 0, flags [none], proto UDP (17), length 120) x.x.x.40.500 > x.x.x.49.500: isakmp 1.0 msgid  cookie ->: phase 2/others ? inf[E]: [encrypted hash]
    15:32:34.848195 IP (tos 0x0, ttl 128, id 720, offset 0, flags [none], proto UDP (17), length 112) x.x.x.49.500 > x.x.x.40.500: isakmp 1.0 msgid  cookie ->: phase 2/others ? inf[E]: [encrypted hash]
    15:32:34.848982 IP (tos 0x0, ttl 64, id 2157, offset 0, flags [none], proto UDP (17), length 120) x.x.x.40.500 > x.x.x.49.500: isakmp 1.0 msgid  cookie ->: phase 2/others ? inf[E]: [encrypted hash]
    15:32:44.851233 IP (tos 0x0, ttl 128, id 751, offset 0, flags [none], proto UDP (17), length 112) x.x.x.49.500 > x.x.x.40.500: isakmp 1.0 msgid  cookie ->: phase 2/others ? inf[E]: [encrypted hash]
    15:32:44.852033 IP (tos 0x0, ttl 64, id 7995, offset 0, flags [none], proto UDP (17), length 120) x.x.x.40.500 > x.x.x.49.500: isakmp 1.0 msgid  cookie ->: phase 2/others ? inf[E]: [encrypted hash]
    # VPN Concentrator Rebooted Here
    15:33:46.287064 IP (tos 0x0, ttl 64, id 29287, offset 0, flags [none], proto ESP (50), length 136) x.x.x.40 > x.x.x.49: ESP(spi=0x08d978ba,seq=0x17), length 116
    15:33:47.287790 IP (tos 0x0, ttl 64, id 3429, offset 0, flags [none], proto ESP (50), length 136) x.x.x.40 > x.x.x.49: ESP(spi=0x08d978ba,seq=0x18), length 116
    15:33:48.288783 IP (tos 0x0, ttl 64, id 58683, offset 0, flags [none], proto ESP (50), length 136) x.x.x.40 > x.x.x.49: ESP(spi=0x08d978ba,seq=0x19), length 116
    15:33:59.306212 IP (tos 0x0, ttl 64, id 23344, offset 0, flags [none], proto ESP (50), length 136) x.x.x.40 > x.x.x.49: ESP(spi=0x08d978ba,seq=0x1a), length 116
    15:33:59.306992 arp who-has x.x.x.40 tell x.x.x.49
    15:33:59.307063 arp reply x.x.x.40 is-at 00:d0:b7:xx:xx:xx
    15:33:59.307392 IP (tos 0x0, ttl 128, id 1, offset 0, flags [none], proto UDP (17), length 72) x.x.x.49.500 > x.x.x.40.500: [udp sum ok] isakmp 1.0 msgid  cookie ->: phase 1 ? inf:
        (n: doi=ipsec proto=#0 type=INVALID-SPI orig=([|isakmp]))
    # Any more traffic that tries to traverse the tunnel gets back an invalid SPI reply from the Cisco, but racoon seems to ignore that(?)
    15:38:12.199544 IP (tos 0x0, ttl 64, id 44124, offset 0, flags [none], proto ESP (50), length 136) x.x.x.40 > x.x.x.49: ESP(spi=0x08d978ba,seq=0x1b), length 116
    15:38:12.200149 IP (tos 0x0, ttl 128, id 2, offset 0, flags [none], proto UDP (17), length 72) x.x.x.49.500 > x.x.x.40.500: [udp sum ok] isakmp 1.0 msgid  cookie ->: phase 1 ? inf:
        (n: doi=ipsec proto=#0 type=INVALID-SPI orig=([|isakmp]))
    15:38:13.200220 IP (tos 0x0, ttl 64, id 32774, offset 0, flags [none], proto ESP (50), length 136) x.x.x.40 > x.x.x.49: ESP(spi=0x08d978ba,seq=0x1c), length 116
    15:38:13.200783 IP (tos 0x0, ttl 128, id 3, offset 0, flags [none], proto UDP (17), length 72) x.x.x.49.500 > x.x.x.40.500: [udp sum ok] isakmp 1.0 msgid  cookie ->: phase 1 ? inf:
        (n: doi=ipsec proto=#0 type=INVALID-SPI orig=([|isakmp]))
    15:38:14.201177 IP (tos 0x0, ttl 64, id 12600, offset 0, flags [none], proto ESP (50), length 136) x.x.x.40 > x.x.x.49: ESP(spi=0x08d978ba,seq=0x1d), length 116
    15:38:14.201741 IP (tos 0x0, ttl 128, id 4, offset 0, flags [none], proto UDP (17), length 72) x.x.x.49.500 > x.x.x.40.500: [udp sum ok] isakmp 1.0 msgid  cookie ->: phase 1 ? inf:
        (n: doi=ipsec proto=#0 type=INVALID-SPI orig=([|isakmp]))
    # Here is where I stopped/started racoon and the traffic started to flow again (just some pings)
    15:41:44.297629 IP (tos 0x0, ttl 64, id 52940, offset 0, flags [none], proto UDP (17), length 152) x.x.x.40.500 > x.x.x.49.500: isakmp 1.0 msgid  cookie ->: phase 1 I ident: [|sa]
    15:41:44.395658 IP (tos 0x0, ttl 128, id 12, offset 0, flags [none], proto UDP (17), length 108) x.x.x.49.500 > x.x.x.40.500: isakmp 1.0 msgid  cookie ->: phase 1 R ident: [|sa]
    15:41:44.424531 IP (tos 0x0, ttl 64, id 22746, offset 0, flags [none], proto UDP (17), length 208) x.x.x.40.500 > x.x.x.49.500: isakmp 1.0 msgid  cookie ->: phase 1 I ident: [|ke]
    15:41:44.532342 IP (tos 0x0, ttl 128, id 13, offset 0, flags [none], proto UDP (17), length 284) x.x.x.49.500 > x.x.x.40.500: isakmp 1.0 msgid  cookie ->: phase 1 R ident: [|ke]
    15:41:44.561447 IP (tos 0x0, ttl 64, id 61626, offset 0, flags [none], proto UDP (17), length 96) x.x.x.40.500 > x.x.x.49.500: isakmp 1.0 msgid  cookie ->: phase 1 I ident[E]: [encrypted id]
    15:41:44.655766 IP (tos 0x0, ttl 128, id 14, offset 0, flags [none], proto UDP (17), length 112) x.x.x.49.500 > x.x.x.40.500: isakmp 1.0 msgid  cookie ->: phase 1 R ident[E]: [encrypted id]
    15:41:44.656514 IP (tos 0x0, ttl 64, id 14790, offset 0, flags [none], proto UDP (17), length 112) x.x.x.40.500 > x.x.x.49.500: isakmp 1.0 msgid  cookie ->: phase 2/others I inf[E]: [encrypted hash]
    15:41:45.658171 IP (tos 0x0, ttl 64, id 15246, offset 0, flags [none], proto UDP (17), length 192) x.x.x.40.500 > x.x.x.49.500: isakmp 1.0 msgid  cookie ->: phase 2/others I oakley-quick[E]: [encrypted hash]
    15:41:45.664940 IP (tos 0x0, ttl 128, id 15, offset 0, flags [none], proto UDP (17), length 216) x.x.x.49.500 > x.x.x.40.500: isakmp 1.0 msgid  cookie ->: phase 2/others R oakley-quick[E]: [encrypted hash]
    15:41:45.665747 IP (tos 0x0, ttl 64, id 56534, offset 0, flags [none], proto UDP (17), length 88) x.x.x.40.500 > x.x.x.49.500: isakmp 1.0 msgid  cookie ->: phase 2/others I oakley-quick[E]: [encrypted hash]
    15:41:46.297514 IP (tos 0x0, ttl 64, id 53208, offset 0, flags [none], proto ESP (50), length 136) x.x.x.40 > x.x.x.49: ESP(spi=0x65050928,seq=0x1), length 116
    15:41:46.299785 IP (tos 0x0, ttl 64, id 34354, offset 0, flags [none], proto ESP (50), length 136) x.x.x.49 > x.x.x.40: ESP(spi=0x06fc83b9,seq=0x1), length 116
    15:41:47.299312 IP (tos 0x0, ttl 64, id 62344, offset 0, flags [none], proto ESP (50), length 136) x.x.x.40 > x.x.x.49: ESP(spi=0x65050928,seq=0x2), length 116
    15:41:47.301208 IP (tos 0x0, ttl 64, id 34355, offset 0, flags [none], proto ESP (50), length 136) x.x.x.49 > x.x.x.40: ESP(spi=0x06fc83b9,seq=0x2), length 116
    15:41:48.300263 IP (tos 0x0, ttl 64, id 22492, offset 0, flags [none], proto ESP (50), length 136) x.x.x.40 > x.x.x.49: ESP(spi=0x65050928,seq=0x3), length 116
    15:41:48.302170 IP (tos 0x0, ttl 64, id 34356, offset 0, flags [none], proto ESP (50), length 136) x.x.x.49 > x.x.x.40: ESP(spi=0x06fc83b9,seq=0x3), length 116
    
    


  • Exactly!!!!!!!!!!!!!!!!  ???  ???  ???  :'(  :'(  :'(


  • Rebel Alliance Developer Netgate

    I did notice something weird, if you look at the times on the DPD packets in my tcpdump, they were being initiated by the VPN concentrator, not pfSense.

    Perhaps that is why it isn't working? Even though pfSense is set for DPD, it has negotiated it with Cisco but is only replying and not initiating DPD checks?

    Just a guess… probably needs more experimentation.



  • What I find odd is that none of the devs have responded to this post, nor to the other posts I have seen regarding this issue, at least to tell us whether it is a bug or whether it cannot be fixed.

    I will probably end up buying Cisco Linksys RV042s instead of implementing pfSense at remote locations until this can be fixed, as I need to deploy about 7 locations with remote VPNs and needing to manually intervene each time is just a little too much for me.


  • Rebel Alliance Developer Netgate

    Actually, if you use the term "dev" loosely, I am one :-)

    (I am a committer on 2.0/HEAD and for packages, but I'm not a part of the core team)

    This still feels more like a racoon bug than a pfSense bug. If it does turn out to be a pfSense bug, it may just be in terms of how DPD is being configured by the WebGUI. There isn't much to go wrong there, though.

    I can try to build a tunnel to a 2.0 box and see if it behaves the same way.



  • As far as I know both should be able to initiate DPD.  I think this is part of the problem as DPD is not available in 1.2.2.  I have tried modifying the file in pfsense to enable it but it does nothing once I have edited the file.

    In 1.2.3 people are having the same problem.  I wish someone would shed some light on the issue.


  • Rebel Alliance Developer Netgate

    I should mention that I am testing this with 1.2.3, so DPD should be working, in theory anyhow.



  • Could it be something to do with the version of racoon?  I could not find much info about it besides a project called Kame, but that did not tell me much.



  • I have another tunnel between this 1.2.2 and another 1.2.2 and the tunnel has no problem coming back up.  But others have complained about it so there is no consistency.


  • Rebel Alliance Developer Netgate

    @kapara:

    Could it be something to do with the version of racoon?  I could not find much info about it besides a project called Kame, but that did not tell me much.

    That's possible, which is why I want to try it against 2.0 as well. They are both running the same version of ipsec-tools (http://ipsec-tools.sourceforge.net/) though:

    from 1.2.3:
    May 11 12:33:07 pfsense-123test racoon: INFO: @(#)ipsec-tools 0.7.1 (http://ipsec-tools.sourceforge.net)

    from 2.0:
    May 11 11:32:58 pfSense-20test racoon: INFO: @(#)ipsec-tools 0.7.1 (http://ipsec-tools.sourceforge.net)

    There is a slightly newer version of ipsec-tools (0.7.2) out, but I don't see any detailed release notes on the web site that state what bugs were fixed.


  • Rebel Alliance Developer Netgate

    It appears that what I thought was the DPD packet may have been Cisco's IPSec keep-alive. I disabled that, and left DPD enabled on the pfSense side, and I see no regular traffic on the tunnel.

    That makes me think that either DPD isn't being turned on, or it isn't being negotiated properly for the tunnel.

    With Cisco's Keep-Alive turned on, I get:
    May 11 15:41:44 pfsense-123test racoon: INFO: received Vendor ID: CISCO-UNITY
    May 11 15:41:44 pfsense-123test racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    May 11 15:41:44 pfsense-123test racoon: INFO: received Vendor ID: DPD

    With it disabled, I get:
    May 11 16:26:21 pfsense-123test racoon: INFO: received Vendor ID: CISCO-UNITY
    May 11 16:26:21 pfsense-123test racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt

    That makes me wonder if, perhaps, the Cisco side really doesn't support DPD as well as it claims to. I'm not sure if there is some other mechanism to signal racoon when something else fails (i.e. the keepalive ping) to reload a specific tunnel. That would probably be more reliable than DPD since that must be supported by both sides.

    Why this works for some vendors/devices and not others is also puzzling…



  • Then why is it that when I reboot my concentrator, pfSense does not see the tunnel go down at all but stays green?


  • Rebel Alliance Developer Netgate

    @kapara:

    Then why is it that when I reboot my concentrator, pfSense does not see the tunnel go down at all but stays green?

    That is what I'm trying to figure out… :-)

    As you said, when both sides are pfSense, it seems to work. I'm wondering if the "invalid SPI" reply generated by the Cisco is broken in some way (or racoon's parsing thereof) such that it doesn't pick up on the fact that the tunnel traffic is being rejected.



  • Version history:

    0.7.1 - 23 July 2008

    • Fixes a memory leak when invalid proposal received

    • Some fixes in DPD

    • do not set default gss id if xauth is used

    • fixed hybrid enabled builds

    • fixed compilation on FreeBSD8

    • cleanup in network port value manipulation

    • gets ports from SADB_X_EXT_NAT_T_[SD]PORT if present in purge_ipsec_spi()

    • Generates a log if cert validation has been disabled by configuration

    • better handling for pfkey socket read errors

    • Fixes in yacc / bison stuff

    • new plog() macro (reduced CPU usage when logging is disabled)

    • Try to works better with huge SPD/SAD

    • Corrected modecfg option syntax

    • Many other various fixes…



  • That is all foreign to me but maybe it has something to do with the problem.


  • Rebel Alliance Developer Netgate

    I'll have to look at it more tomorrow, but I might be able to see if bumping ipsec-tools to 0.7.2 might help things along.
    Can't promise anything though.



  • Those aren't the changes in 0.7.2, but the changes in 0.7.1.  Here are the changes in 0.7.2:

    0.7.2 - 22 April 2009

    • Fix a remote crash in fragmentation code

    • Phase2 message identities are phase1 specific (Vista compatibility)

    • Autogenerate ChangeLog from cvs metadata

    • Fix mode config pool resizing

    • NAT-T fixes related to purging of IPsec SA:s and retransmission

    • Remove phase1 handler immediately if first exchange is bad

    • A bunch of memory leak and possible memory corruptions (triggerable by bad configuration or startup parameters)

    Seems like an update that is worth upgrading to given how many crash fixes there are in it.



  • But this is not likely to be applied to 1.2.2….... :'(  Or at least in 1.2.3 unless it is already there.  Just concerned about stability.



  • @kapara:

    But this is not likely to be applied to 1.2.2….... :'(  Or at least in 1.2.3 unless it is already there.  Just concerned about stability.

    The devs have to consider what is worse:

    1. Potential instability due to a new version of ipsec-tools or even an increase in stability due to bugs being fixed.
    2. Shipping with a remote DoS attack vulnerability that has been known for 3 weeks now.


  • Rebel Alliance Developer Netgate

    I am testing a build of 1.2.3-RC with ipsec-tools 0.7.2 and it may be my slightly weird test environment, but it didn't fix the issue so far.

    That said, if I switch both ends of the IPSec tunnel to Aggressive Mode instead of Main Mode, then DPD seems to want to work, but doesn't actually get all the way.

    May 14 10:17:55 pfsense-123test racoon: INFO: IPsec-SA request for x.x.x.49 queued due to no phase1 found.
    May 14 10:17:55 pfsense-123test racoon: INFO: initiate new phase 1 negotiation: x.x.x.40[500]<=>x.x.x.49[500]
    May 14 10:17:55 pfsense-123test racoon: INFO: begin Aggressive mode.
    May 14 10:17:55 pfsense-123test racoon: INFO: received Vendor ID: CISCO-UNITY
    May 14 10:17:55 pfsense-123test racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    May 14 10:17:55 pfsense-123test racoon: INFO: received Vendor ID: DPD
    May 14 10:17:55 pfsense-123test racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
    May 14 10:17:55 pfsense-123test racoon: INFO: ISAKMP-SA established x.x.x.40[500]-x.x.x.49[500] spi:5570f421d746e391:6a94f32073b1ed3f
    May 14 10:17:56 pfsense-123test racoon: INFO: initiate new phase 2 negotiation: x.x.x.40[500]<=>x.x.x.49[500]
    May 14 10:17:56 pfsense-123test racoon: WARNING: ignore RESPONDER-LIFETIME notification.
    May 14 10:17:56 pfsense-123test racoon: INFO: IPsec-SA established: ESP x.x.x.49[0]->x.x.x.40[0] spi=165272301(0x9d9daed)
    May 14 10:17:56 pfsense-123test racoon: INFO: IPsec-SA established: ESP x.x.x.40[500]->x.x.x.49[500] spi=463118085(0x1b9a9f05)
    [Power off Cisco VPN Concentrator]
    May 14 10:19:10 pfsense-123test racoon: INFO: DPD: remote (ISAKMP-SA spi=5570f421d746e391:6a94f32073b1ed3f) seems to be dead.
    May 14 10:19:11 pfsense-123test racoon: INFO: ISAKMP-SA deleted x.x.x.40[500]-x.x.x.49[500] spi:5570f421d746e391:6a94f32073b1ed3f
    

    The log message is all well and good except it didn't actually delete the SAs. They're still there.

    I'm making a new build right now to see if things behave any differently. Before that, I'm going to go back to a stock 1.2.3 snapshot and see if Aggressive mode behaves the same way.



  • All is now working!  I removed the Concentrator from the DMZ of my local pfSense and connected it directly to a public IP.  I noticed in the firewall logs that my firewall was blocking port 500 traffic and all other traffic which originated from the remote sites to my local site.  Odd since I created a rule on my DMZ allowing all traffic to pass to the public interface of my concentrator.

    Lan 10.20.30.1
    DMZ 10.20.20.1

    Concentrator Private: 10.20.30.2
    Concentrator Public: 10.20.20.2

    I was seeing my customers IP's being blocked:

    10.0.0.0/24
    192.168.127.0/24
    172.20.30.0/16

    These were being blocked both on the LAN interface and on the DMZ.  I will post some of the logs.  I just need to reconfigure to internal again rather than direct connect to public IP on Concentrator Public interface.


  • Rebel Alliance Developer Netgate

    So your tunnel reestablishes OK now after a power cycle?

    That is strange, since my concentrator is already on a public IP and has no filtering in front of it. Its public is on the same switch as my pfSense test box.

    And yet if I power cycle the concentrator, the tunnel never comes back up.

    Are you sure nothing else changed in all that?



  • I did modify the DPD setting in the pfSense 1.2.2 by modifying the file.  I think DPD was enabled for phase 1 or phase 2 and I enabled it for the other one in the conf file.  If I can remember which file I will post the changes I made.


  • Rebel Alliance Developer Netgate

    Ok, that would help a lot.

    It should be /var/etc/racoon.conf

    If I can see how you changed it, I can probably get that into the code to see if it fixes for everyone.



  • Look for the dpd_delay.  On one of them it is commented out.  File is:  /etc/inc/vpn.inc

    See post: http://forum.pfsense.org/index.php/topic,10371.0.html

    From Pesh:

    I don't know if everyone else has encountered this, but I recently had a problem where if one of my pfSense firewalls was restarted for whatever reason, the other pfSenses on the other ends of the VPN tunnels wouldn't recognise this. They would keep the old SA up and not negotiate any new ones, causing a failure to pass any traffic over the VPN. The only fix was to manually delete the entries from the SAD on these other firewalls so it would make a fresh tunnel again.

    After reading around a bit, I saw an option for the racoon.conf that would turn on Dead Peer Detection, and figured I'd give that a try. In /etc/inc/vpn.inc, after each line saying proposal_check obey;, I added a line dpd_delay 20;. Then restarted racoon on each firewall, restarted one of the firewalls on its own and found that it renegotiated the tunnels straight away!

    Anyway just a suggestion, I think this would be a useful option to add to pfSense.

    /*
    	vpn.inc
    	Copyright (C) 2004-2006 Scott Ullrich
    	All rights reserved.
    
    	originally part of m0n0wall (http://m0n0.ch/wall)
    	Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
    	All rights reserved.
    
    	Redistribution and use in source and binary forms, with or without
    	modification, are permitted provided that the following conditions are met:
    
    	1. Redistributions of source code must retain the above copyright notice,
    	   this list of conditions and the following disclaimer.
    
    	2. Redistributions in binary form must reproduce the above copyright
    	   notice, this list of conditions and the following disclaimer in the
    	   documentation and/or other materials provided with the distribution.
    
    	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
    	INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
    	AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
    	AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    	OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
    	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
    	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
    	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
    	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
    	POSSIBILITY OF SUCH DAMAGE.
    */
    
    /* include all configuration functions */
    require_once("functions.inc");
    
    /* master setup for vpn (mpd) */
    function vpn_setup() {
    	/* start pptpd */
    	vpn_pptpd_configure();
    
    	/* start pppoe server */
    	vpn_pppoe_configure();
    }
    
    function vpn_ipsec_failover_configure() {
    	global $config, $g;
    
    	$sasyncd_text = "";
    
    	if($config['installedpackages']['sasyncd']['config'] <> "")
    		foreach($config['installedpackages']['sasyncd']['config'] as $sasyncd) {
    			$enabled = isset($sasyncd['enable']);
    			if(!$enabled)
    				return;
    			if($sasyncd['peerip'] <> "")
    				$sasyncd_text .= "peer {$sasyncd['peerip']}\n";
    			if($sasyncd['interface'])
    				$sasyncd_text .= "carp interface {$sasyncd['interface']}\n";
    			if($sasyncd['sharedkey'] <> "")
    				$sasyncd_text .= "sharedkey {$sasyncd['sharedkey']}\n";
    			if($sasyncd['mode'] <> "")
    				$sasyncd_text .= "mode {$sasyncd['mode']}\n";
    			if($sasyncd['listenon'] <> "")
    				$sasyncd_text .= "listen on {$sasyncd['listenon']}\n";
    			if($sasyncd['flushmodesync'] <> "")
    				$sasyncd_text .= "flushmode sync {$sasyncd['flushmodesync']}\n";
    		}
    
    	$fd = fopen("{$g['varetc_path']}/sasyncd.conf", "w");
    	fwrite($fd, $sasyncd_text);
    	fclose($fd);
    	chmod("{$g['varetc_path']}/sasyncd.conf", 0600);
    
    	mwexec("killall sasyncd", true);
    
    	/* launch sasyncd, oh wise one */
    	/* mwexec_bg("/usr/local/sbin/sasyncd -d -v -v -v"); */
    }
    
    function find_last_gif_device() {
    	$regs = "";
    	$last_gif_found = -1;
    	if (!($fp = popen("/sbin/ifconfig -l", "r"))) return -1;
    	$ifconfig_data = fread($fp, 4096);
    	pclose($fp);
    	$ifconfig_array = split(" ", $ifconfig_data);
    	foreach ($ifconfig_array as $ifconfig) {
    		ereg("gif(.)", $ifconfig, $regs);
    		if($regs[0]) {
    			if($regs[0] > $last_gif_found)
    				$last_gif_found = $regs[1];
    		}
    	}
    	return $last_gif_found;
    }
    
    function vpn_ipsec_configure($ipchg = false) {
    	global $config, $g, $sa, $sn;
    
    	mwexec("/sbin/ifconfig enc0 create", true);
    	mwexec("/sbin/ifconfig enc0 up", true);
    
    	/* get the automatic /etc/ping_hosts.sh ready */
    	unlink_if_exists("/var/db/ipsecpinghosts");
    	touch("/var/db/ipsecpinghosts");
    
    	if($g['booting'] == true) {
    		/* determine if we should load the via padlock module */
    		$dmesg_boot = `cat /var/log/dmesg.boot | grep CPU`;
    		if(stristr($dmesg_boot, "ACE") == true) {
    			//echo "Enabling [VIA Padlock] ...";
    			//mwexec("/sbin/kldload padlock");
    			//mwexec("/sbin/sysctl net.inet.ipsec.crypto_support=1");
    			//mwexec("/usr/local/sbin/setkey -F");
    			//mwexec("/usr/local/sbin/setkey -FP");
    			//echo " done.\n";
    		}
    	}
    
    	if(isset($config['ipsec']['preferredoldsa'])) {
    		mwexec("/sbin/sysctl net.key.preferred_oldsa=0");
    	} else {
    		mwexec("/sbin/sysctl -w net.key.preferred_oldsa=-30");
    	}
    
    	$number_of_gifs = find_last_gif_device();
    	for($x=0; $x<$number_of_gifs; $x++) {
    		mwexec("/sbin/ifconfig gif" . $x . " delete");
    	}
    
    	$curwanip = get_current_wan_address();
    
    	$syscfg = $config['system'];
    	$ipseccfg = $config['ipsec'];
    	$lancfg = $config['interfaces']['lan'];
    	$lanip = $lancfg['ipaddr'];
    	$lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']);
    	$lansn = $lancfg['subnet'];
    
    	if (!isset($ipseccfg['enable'])) {
    		mwexec("/sbin/ifconfig enc0 down");
    		mwexec("/sbin/ifconfig enc0 destroy");
    
    		/* kill racoon */
    		mwexec("/usr/bin/killall racoon", true);
    
    		/* wait for process to die */
    		sleep(2);
    
    		/* send a SIGKILL to be sure */
    		sigkillbypid("{$g['varrun_path']}/racoon.pid", "KILL");
    
    		/* flush SPD and SAD */
    		mwexec("/usr/local/sbin/setkey -FP");
    		mwexec("/usr/local/sbin/setkey -F");
    
    		return true;
    	}
    
    	if ($g['booting']) {
    		echo "Configuring IPsec VPN... ";
    	}
    
    	if (isset($ipseccfg['enable'])) {
    
    		/* fastforwarding is not compatible with ipsec tunnels */
    		system("/sbin/sysctl net.inet.ip.fastforwarding=0 >/dev/null 2>&1");
    
    		if (!$curwanip) {
    			/* IP address not configured yet, exit */
    			if ($g['booting'])
    				echo "done\n";
    			return 0;
    		}
    
    		/* this loads a route table which is used to determine if a route needs to be removed. */
    		exec("/usr/bin/netstat -rn", $route_arr, $retval);
    		$route_str = implode("\n", $route_arr);
    
    		if ((is_array($ipseccfg['tunnel']) && count($ipseccfg['tunnel'])) ||
    				isset($ipseccfg['mobileclients']['enable'])) {
    
    			if (is_array($ipseccfg['tunnel']) && count($ipseccfg['tunnel'])) {
    
    				/* generate spd.conf */
    				$fd = fopen("{$g['varetc_path']}/spd.conf", "w");
    				if (!$fd) {
    					printf("Error: cannot open spd.conf in vpn_ipsec_configure().\n");
    					return 1;
    				}
    
    				$spdconf = "";
    
    				$spdconf .= "spdadd {$lansa}/{$lansn} {$lanip}/32 any -P in none;\n";
    				$spdconf .= "spdadd {$lanip}/32 {$lansa}/{$lansn} any -P out none;\n";
    
    				foreach ($ipseccfg['tunnel'] as $tunnel) {
    
    					if (isset($tunnel['disabled']))
    						continue;
    
    					$ep = vpn_endpoint_determine($tunnel, $curwanip);
    					if (!$ep) {
    						log_error("Could not determine VPN endpoint for {$tunnel['descr']}");
    						continue;	
    					}
    
    					vpn_localnet_determine($tunnel['local-subnet'], $sa, $sn);
    
    					if(is_domain($tunnel['remote-gateway'])) {
    						$tmp = gethostbyname($tunnel['remote-gateway']);
    						if($tmp)
    							$tunnel['remote-gateway'] = $tmp;
    					}
    
    					/* add entry to host pinger */
    					if ($tunnel['pinghost']) {
    						$pfd = fopen("/var/db/ipsecpinghosts", "a");
    						$iflist = array("lan" => "lan", "wan" => "wan");
    			          	for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++)
    			          		$iflist['opt' . $i] = "opt{$i}";
    			            foreach ($iflist as $ifent => $ifname) {
    			            	$interface_ip = find_interface_ip($config['interfaces'][$ifname]['if']);
    			            	if (ip_in_subnet($interface_ip, $sa . "/" . $sn))
    			                	$srcip = find_interface_ip($config['interfaces'][$ifname]['if']);
    			            }
    						$dstip = $tunnel['pinghost'];
    						fwrite($pfd, "$srcip|$dstip|3\n");
    						fclose($pfd);
    					}
    					if(isset($tunnel['creategif'])) {
    						$number_of_gifs = find_last_gif_device();
    						$number_of_gifs++;
    						$curwanip = get_current_wan_address();
    
    						mwexec("/sbin/ifconfig gif" . $number_of_gifs . " tunnel" . $curwanip . " " . $tunnel['remote-gateway']);
    						mwexec("/sbin/ifconfig gif" . $number_of_gifs . " {$lansa}/{$lansn} {$lanip}/32");
    					}
    
    					$spdconf .= "spdadd {$sa}/{$sn} " .
    						"{$tunnel['remote-subnet']} any -P out ipsec " .
    						"{$tunnel['p2']['protocol']}/tunnel/{$ep}-" .
    						"{$tunnel['remote-gateway']}/unique;\n";
    
    					$spdconf .= "spdadd {$tunnel['remote-subnet']} " .
    						"{$sa}/{$sn} any -P in ipsec " .
    						"{$tunnel['p2']['protocol']}/tunnel/{$tunnel['remote-gateway']}-" .
    						"{$ep}/unique;\n";
    
    					/* static route needed? */
    					if(preg_match("/^carp/i", $tunnel['interface'])) {
    						$parentinterface = link_carp_interface_to_parent($tunnel['interface']);
    					} else {
    						$parentinterface = $tunnel['interface'];
    					}
    					if($parentinterface <> "wan") {
    						/* add endpoint routes to correct gateway on interface */
    						if(interface_has_gateway($parentinterface)) {
    							$gatewayip = get_interface_gateway("$parentinterface");
    							$interfaceip = $config['interfaces'][$parentinterface]['ipaddr'];
    							$subnet_bits = $config['interfaces'][$parentinterface]['subnet'];
    							$subnet_ip = gen_subnet("{$interfaceip}", "{$subnet_bits}");
    							/* if the remote gateway is in the local subnet, then don't add a route */
    							if(! ip_in_subnet($tunnel['remote-gateway'], "{$subnet_ip}/{$subnet_bits}")) {
    								if(is_ipaddr($gatewayip)) {
    									log_error("IPSEC interface is not WAN but {$tunnel['interface']}, adding static route for VPN endpoint {$tunnel['remote-gateway']} via {$gatewayip}");
    									mwexec("/sbin/route delete -host {$tunnel['remote-gateway']}");
    								mwexec("/sbin/route add -host {$tunnel['remote-gateway']} {$gatewayip}");
    								}
    							}
    						}
    					} else {
    						if(stristr($route_str, "/{$tunnel['remote-gateway']}/")) {
    							mwexec("/sbin/route delete -host {$tunnel['remote-gateway']}");
    						}
    					}
    				}
    
    				fwrite($fd, $spdconf);
    				fclose($fd);
    			}
    
    			/* generate racoon.conf */
    			$fd = fopen("{$g['varetc_path']}/racoon.conf", "w");
    			if (!$fd) {
    				printf("Error: cannot open racoon.conf in vpn_ipsec_configure().\n");
    				return 1;
    			}
    
    			$racoonconf = "";
    
    			$racoonconf .= "path pre_shared_key \"{$g['varetc_path']}/psk.txt\";\n\n";
    			$racoonconf .= "path certificate  \"{$g['varetc_path']}\";\n\n";
    
    			/* generate CA certificates files */
    			$cacertnum = 0;
    			if (is_array($ipseccfg['cacert']) && count($ipseccfg['cacert']))
    				foreach ($ipseccfg['cacert'] as $cacert) {
    					++$cacertnum;
    					if (isset($cacert['cert'])) {
    						$cert = base64_decode($cacert['cert']);
    						$x509cert = openssl_x509_parse(openssl_x509_read($cert));
    						if(is_array($x509cert) && isset($x509cert['hash'])) {
    							$fd1 = fopen("{$g['varetc_path']}/{$x509cert['hash']}.0", "w");
    							if (!$fd1) {
    								printf("Error: cannot open {$x509cert['hash']}.0 in vpn.\n");
    								return 1;
    							}
    							chmod("{$g['varetc_path']}/{$x509cert['hash']}.0", 0600);
    							fwrite($fd1, $cert);
    							fclose($fd1);
    						}
    					}
    				}
    
    			$tunnelnumber = 0;
    			if (is_array($ipseccfg['tunnel']) && count($ipseccfg['tunnel']))
    				foreach ($ipseccfg['tunnel'] as $tunnel) {
    
    				++$tunnelnumber;
    
    				if (isset($tunnel['disabled']))
    					continue;
    
    				$ep = vpn_endpoint_determine($tunnel, $curwanip);
    				if (!$ep)
    					continue;
    
    				vpn_localnet_determine($tunnel['local-subnet'], $sa, $sn);
    
    				if (isset($tunnel['p1']['myident']['myaddress'])) {
    					$myidentt = "address";
    					$myident = $ep;
    				} else if (isset($tunnel['p1']['myident']['address'])) {
    					$myidentt = "address";
    					$myident = $tunnel['p1']['myident']['address'];
    				} else if (isset($tunnel['p1']['myident']['fqdn'])) {
    					$myidentt = "fqdn";
    					$myident = $tunnel['p1']['myident']['fqdn'];
    				} else if (isset($tunnel['p1']['myident']['ufqdn'])) {
    					$myidentt = "user_fqdn";
    					$myident = $tunnel['p1']['myident']['ufqdn'];
     				} else if (isset($tunnel['p1']['myident']['dyn_dns'])) {
    					$myidentt = "dyn_dns";
    					$myident = gethostbyname($tunnel['p1']['myident']['dyn_dns']);
     				}
    
    				if (!($myidentt == "asn1dn" && $myident == "")) {
    					$myident = " \"".$myident."\"";
    				}
    
    				$nattline = '';
    				if (isset($tunnel['natt'])) {
    					$nattline = "nat_traversal on;";
    				}
    
    				if (isset($tunnel['p1']['authentication_method'])) {
    					$authmethod = $tunnel['p1']['authentication_method'];
    				} else {$authmethod = 'pre_shared_key';}
    
    				$certline = '';
    
    				if ($authmethod == 'rsasig') {
    					if ($tunnel['p1']['cert'] && $tunnel['p1']['private-key']) {
    						$cert = base64_decode($tunnel['p1']['cert']);
    						$private_key = base64_decode($tunnel['p1']['private-key']);
    					} else {
    						/* null certificate/key */
    						$cert = '';
    						$private_key = '';
    					}
    
    					if ($tunnel['p1']['peercert'])
    						$peercert = base64_decode($tunnel['p1']['peercert']);
    					else
    						$peercert = '';
    
    					$fd1 = fopen("{$g['varetc_path']}/server{$tunnelnumber}-signed.pem", "w");
    					if (!$fd1) {
    						printf("Error: cannot open server{$tunnelnumber}-signed.pem in vpn.\n");
    						return 1;
    					}
    					chmod("{$g['varetc_path']}/server{$tunnelnumber}-signed.pem", 0600);
    					fwrite($fd1, $cert);
    					fclose($fd1);
    
    					$fd1 = fopen("{$g['varetc_path']}/server{$tunnelnumber}-key.pem", "w");
    					if (!$fd1) {
    						printf("Error: cannot open server{$tunnelnumber}-key.pem in vpn.\n");
    						return 1;
    					}
    					chmod("{$g['varetc_path']}/server{$tunnelnumber}-key.pem", 0600);
    					fwrite($fd1, $private_key);
    					fclose($fd1);
    
    					$certline = "certificate_type x509 \"server{$tunnelnumber}-signed.pem\" \"server{$tunnelnumber}-key.pem\";";
    
    					if ($peercert!=''){
    						$fd1 = fopen("{$g['varetc_path']}/peer{$tunnelnumber}-signed.pem", "w");
    						if (!$fd1) {
    							printf("Error: cannot open server{$tunnelnumber}-signed.pem in vpn.\n");
    							return 1;
    						}
    						chmod("{$g['varetc_path']}/peer{$tunnelnumber}-signed.pem", 0600);
    						fwrite($fd1, $peercert);
    						fclose($fd1);
    						$certline .= <<<EOD
    peers_certfile "peer{$tunnelnumber}-signed.pem";
    EOD;
    					}
    				}
    				$racoonconf .= <<<EOD
    remote {$tunnel['remote-gateway']} \{
    	exchange_mode {$tunnel['p1']['mode']};
    	my_identifier {$myidentt}{$myident};
    	{$certline}
    	peers_identifier address {$tunnel['remote-gateway']};
    	initial_contact on;
    	#dpd_delay 120;                   # DPD poll every 120 seconds
    	ike_frag on;
    	support_proxy on;
    	proposal_check obey;
    	dpd_delay 20;
    
    	proposal \{
    		encryption_algorithm {$tunnel['p1']['encryption-algorithm']};
    		hash_algorithm {$tunnel['p1']['hash-algorithm']};
    		authentication_method {$authmethod};
    		dh_group {$tunnel['p1']['dhgroup']};
    
    EOD;
    				if ($tunnel['p1']['lifetime'])
    					$racoonconf .= "		lifetime time {$tunnel['p1']['lifetime']} secs;\n";
    
    				$racoonconf .= "	}\n";
    
    				if ($tunnel['p1']['lifetime'])
    					$racoonconf .= "	lifetime time {$tunnel['p1']['lifetime']} secs;\n";
    
    				$racoonconf .= "}\n\n";
    
    				$p2ealgos = join(",", $tunnel['p2']['encryption-algorithm-option']);
    				$p2halgos = join(",", $tunnel['p2']['hash-algorithm-option']);
    
    				$racoonconf .= <<<EOD
    sainfo address {$sa}/{$sn} any address {$tunnel['remote-subnet']} any \{
    	encryption_algorithm {$p2ealgos};
    	authentication_algorithm {$p2halgos};
    	compression_algorithm deflate;
    
    EOD;
    
    				if ($tunnel['p2']['pfsgroup'])
    					$racoonconf .= "	pfs_group {$tunnel['p2']['pfsgroup']};\n";
    
    				if ($tunnel['p2']['lifetime'])
    					$racoonconf .= "	lifetime time {$tunnel['p2']['lifetime']} secs;\n";
    
    				$racoonconf .= "}\n\n";
    			}
    
    			/* mobile clients? */
    			if (isset($ipseccfg['mobileclients']['enable'])) {
    
    				$tunnel = $ipseccfg['mobileclients'];
    
    				if (isset($tunnel['p1']['myident']['myaddress'])) {
    					$myidentt = "address ";
    					$myident = $curwanip;
    				} else if (isset($tunnel['p1']['myident']['address'])) {
    					$myidentt = "address ";
    					$myident = $tunnel['p1']['myident']['address'];
    				} else if (isset($tunnel['p1']['myident']['fqdn'])) {
    					$myidentt = "fqdn ";
    					$myident = $tunnel['p1']['myident']['fqdn'];
    				} else if (isset($tunnel['p1']['myident']['ufqdn'])) {
    					$myidentt = "user_fqdn ";
    					$myident = $tunnel['p1']['myident']['ufqdn'];
     				}
    
    				if (isset($tunnel['p1']['authentication_method'])) {
    					$authmethod = $tunnel['p1']['authentication_method'];
    				} else {$authmethod = 'pre_shared_key';}
    
    				$certline = '';
    				if ($authmethod == 'rsasig') {
    					if ($tunnel['p1']['cert'] && $tunnel['p1']['private-key']) {
    						$cert = base64_decode($tunnel['p1']['cert']);
    						$private_key = base64_decode($tunnel['p1']['private-key']);
    					} else {
    						/* null certificate/key */
    						$cert = '';
    						$private_key = '';
    					}
    
    					if ($tunnel['p1']['peercert'])
    						$peercert = base64_decode($tunnel['p1']['peercert']);
    					else
    						$peercert = '';
    
    					$fd1 = fopen("{$g['varetc_path']}/server-mobile{$tunnelnumber}-signed.pem", "w");
    					if (!$fd1) {
    						printf("Error: cannot open server-mobile{$tunnelnumber}-signed.pem in vpn.\n");
    						return 1;
    					}
    					chmod("{$g['varetc_path']}/server-mobile{$tunnelnumber}-signed.pem", 0600);
    					fwrite($fd1, $cert);
    					fclose($fd1);
    
    					$fd1 = fopen("{$g['varetc_path']}/server-mobile{$tunnelnumber}-key.pem", "w");
    					if (!$fd1) {
    						printf("Error: cannot open server-mobile{$tunnelnumber}-key.pem in vpn.\n");
    						return 1;
    					}
    					chmod("{$g['varetc_path']}/server-mobile{$tunnelnumber}-key.pem", 0600);
    					fwrite($fd1, $private_key);
    					fclose($fd1);
    
    					$certline = "certificate_type x509 \"server-mobile{$tunnelnumber}-signed.pem\" \"server-mobile{$tunnelnumber}-key.pem\";";
    				}
    				$racoonconf .= <<<EOD
    remote anonymous \{
    	exchange_mode {$tunnel['p1']['mode']};
    	my_identifier {$myidentt}"{$myident}";	
    	{$nattline}
    	{$certline}
    	initial_contact on;
    	dpd_delay 120;                   # DPD poll every 120 seconds
    	ike_frag on;
    	passive on;
    	generate_policy on;
    	support_proxy on;
    	proposal_check obey;
    	dpd_delay 20;
    
    	proposal \{
    		encryption_algorithm {$tunnel['p1']['encryption-algorithm']};
    		hash_algorithm {$tunnel['p1']['hash-algorithm']};
    		authentication_method {$authmethod};
    		dh_group {$tunnel['p1']['dhgroup']};
    
    EOD;
    				if ($tunnel['p1']['lifetime'])
    					$racoonconf .= "		lifetime time {$tunnel['p1']['lifetime']} secs;\n";
    
    				$racoonconf .= "	}\n";
    
    				if ($tunnel['p1']['lifetime'])
    					$racoonconf .= "	lifetime time {$tunnel['p1']['lifetime']} secs;\n";
    
    				$racoonconf .= "}\n\n";
    
    				$p2ealgos = join(",", $tunnel['p2']['encryption-algorithm-option']);
    				$p2halgos = join(",", $tunnel['p2']['hash-algorithm-option']);
    
    				$racoonconf .= <<<EOD
    sainfo anonymous \{
    	encryption_algorithm {$p2ealgos};
    	authentication_algorithm {$p2halgos};
    	compression_algorithm deflate;
    
    EOD;
    
    				if ($tunnel['p2']['pfsgroup'])
    					$racoonconf .= "	pfs_group {$tunnel['p2']['pfsgroup']};\n";
    
    				if ($tunnel['p2']['lifetime'])
    					$racoonconf .= "	lifetime time {$tunnel['p2']['lifetime']} secs;\n";
    
    				$racoonconf .= "}\n\n";
    			}
    
    			fwrite($fd, $racoonconf);
    			fclose($fd);
    
    			/* generate psk.txt */
    			$fd = fopen("{$g['varetc_path']}/psk.txt", "w");
    			if (!$fd) {
    				printf("Error: cannot open psk.txt in vpn_ipsec_configure().\n");
    				return 1;
    			}
    
    			$pskconf = "";
    
    			if (is_array($ipseccfg['tunnel'])) {
    				foreach ($ipseccfg['tunnel'] as $tunnel) {
    					if (isset($tunnel['disabled']))
    						continue;
    					$pskconf .= "{$tunnel['remote-gateway']}	 {$tunnel['p1']['pre-shared-key']}\n";
    				}
    			}
    
    			/* add PSKs for mobile clients */
    			if (is_array($ipseccfg['mobilekey'])) {
    				foreach ($ipseccfg['mobilekey'] as $key) {
    					$pskconf .= "{$key['ident']}	{$key['pre-shared-key']}\n";
    				}
    			}
    
    			fwrite($fd, $pskconf);
    			fclose($fd);
    			chmod("{$g['varetc_path']}/psk.txt", 0600);
    
    			if(is_process_running("racoon")) {
    				/* flush SPD entries */
    				mwexec("/usr/local/sbin/setkey -FP");
    				sleep("0.1");
    				mwexec("/usr/local/sbin/setkey -F");
    				/* load SPD */
    				sleep("0.1");
    				mwexec("/usr/local/sbin/setkey -f {$g['varetc_path']}/spd.conf");
    				/* We are already online, reload */
    				sleep("0.1");
    				mwexec("/usr/bin/killall -HUP racoon", true);
    			} else {
    				/* flush SA + SPD entries */
    				mwexec("/usr/local/sbin/setkey -FP");
    				sleep("0.1");
    				mwexec("/usr/local/sbin/setkey -F");
    				sleep("0.1");
    				/* start racoon */
    				mwexec("/usr/local/sbin/racoon -f {$g['varetc_path']}/racoon.conf");
    				sleep("0.1");
    				/* load SPD */
    				mwexec("/usr/local/sbin/setkey -f {$g['varetc_path']}/spd.conf");
    				/* We are already online, reload */
    				sleep("0.1");
    				mwexec("/usr/bin/killall -HUP racoon", true);
    			}
    		}
    	}
    
    	vpn_ipsec_failover_configure();
    
    	if (!$g['booting']) {
    		/* reload the filter */
    		touch("{$g["tmp_path"]}/filter_dirty");
    	}
    
    	if ($g['booting'])
    		echo "done\n";
    
    	return 0;
    }
    
    function vpn_pptpd_configure() {
    	global $config, $g;
    
    	$syscfg = $config['system'];
    	$pptpdcfg = $config['pptpd'];
    
    	if ($g['booting']) {
    		if (!$pptpdcfg['mode'] || ($pptpdcfg['mode'] == "off"))
    			return 0;
    
    		echo "Configuring PPTP VPN service... ";
    	} else {
    		/* kill mpd */
    		killbypid("{$g['varrun_path']}/mpd-vpn.pid");
    
    		/* wait for process to die */
    		sleep(3);
    
    		if(is_process_running("mpd -b")) {
    			killbypid("{$g['varrun_path']}/mpd-vpn.pid");
    			log_error("Could not kill mpd within 3 seconds.   Trying again.");
    		}
    
    		/* remove mpd.conf, if it exists */
    		unlink_if_exists("{$g['varetc_path']}/mpd-vpn/mpd.conf");
    		unlink_if_exists("{$g['varetc_path']}/mpd-vpn/mpd.links");
    		unlink_if_exists("{$g['varetc_path']}/mpd-vpn/mpd.secret");
    	}
    
    	/* make sure mpd-vpn directory exists */
    	if (!file_exists("{$g['varetc_path']}/mpd-vpn"))
    		mkdir("{$g['varetc_path']}/mpd-vpn");
    
    	switch ($pptpdcfg['mode']) {
    
    		case 'server':
    
    			/* write mpd.conf */
    			$fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.conf", "w");
    			if (!$fd) {
    				printf("Error: cannot open mpd.conf in vpn_pptpd_configure().\n");
    				return 1;
    			}
    
    			$mpdconf = <<<EOD
    pptpd:
    
    EOD;
    
    			for ($i = 0; $i < $g['n_pptp_units']; $i++) {
    				$mpdconf .= "	load pt{$i}\n";
    			}
    
    			for ($i = 0; $i < $g['n_pptp_units']; $i++) {
    
    				$clientip = long2ip(ip2long($pptpdcfg['remoteip']) + $i);
    				$ngif = "ng" . ($i+1);
    
    				$mpdconf .= <<<EOD
    pt{$i}:
    	new -i {$ngif} pt{$i} pt{$i}
    	set ipcp ranges {$pptpdcfg['localip']}/32 {$clientip}/32
    	load pts
    
    EOD;
    			}
    
    			$mpdconf .= <<<EOD
    pts:
    	set iface disable on-demand
    	set iface enable proxy-arp
    	set iface enable tcpmssfix
    	set iface idle 1800
    	set iface up-script /usr/local/sbin/vpn-linkup
    	set iface down-script /usr/local/sbin/vpn-linkdown
    	set bundle enable multilink
    	set bundle enable crypt-reqd
    	set link yes acfcomp protocomp
    	set link no pap chap
    	set link enable chap-msv2
    	set link mtu 1460
    	set link keep-alive 10 60
    	set ipcp yes vjcomp
    	set bundle enable compression
    	set ccp yes mppc
    	set ccp yes mpp-e128
    	set ccp yes mpp-stateless
    
    EOD;
    
    			if (!isset($pptpdcfg['req128'])) {
    				$mpdconf .= <<<EOD
    	set ccp yes mpp-e40
    	set ccp yes mpp-e56
    
    EOD;
    			}
    			if  (isset($pptpdcfg["wins"]))
    				$mpdconf  .=  "	set ipcp nbns {$pptpdcfg['wins']}\n";
    			if (is_array($pptpdcfg['dnsserver']) && ($pptpdcfg['dnsserver'][0])) {
    				$mpdconf .= "	set ipcp dns " . join(" ", $pptpdcfg['dnsserver']) . "\n";
    			} else if (isset($config['dnsmasq']['enable'])) {
    				$mpdconf .= "	set ipcp dns " . $config['interfaces']['lan']['ipaddr'];
    				if ($syscfg['dnsserver'][0])
    					$mpdconf .= " " . $syscfg['dnsserver'][0];
    				$mpdconf .= "\n";
    			} else if (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) {
    				$mpdconf .= "	set ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n";
    			}
    
    			if (isset($pptpdcfg['radius']['enable'])) {
    				$mpdconf .= <<<EOD
    	set radius server {$pptpdcfg['radius']['server']} "{$pptpdcfg['radius']['secret']}"
    	set radius retries 3
    	set radius timeout 10
    	set bundle enable radius-auth
    	set bundle disable radius-fallback
    
    EOD;
    
    				if (isset($pptpdcfg['radius']['accounting'])) {
    					$mpdconf .= <<<EOD
    	set bundle enable radius-acct
    
    EOD;
    				}
    			}
    
    			fwrite($fd, $mpdconf);
    			fclose($fd);
    
    			/* write mpd.links */
    			$fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.links", "w");
    			if (!$fd) {
    				printf("Error: cannot open mpd.links in vpn_pptpd_configure().\n");
    				return 1;
    			}
    
    			$mpdlinks = "";
    
    			for ($i = 0; $i < $g['n_pptp_units']; $i++) {
    				$mpdlinks .= <<<EOD
    pt{$i}:
    	set link type pptp
    	set pptp enable incoming
    	set pptp disable originate
    	set pptp disable windowing
    	set pptp self 127.0.0.1
    
    EOD;
    			}
    
    			fwrite($fd, $mpdlinks);
    			fclose($fd);
    
    			/* write mpd.secret */
    			$fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.secret", "w");
    			if (!$fd) {
    				printf("Error: cannot open mpd.secret in vpn_pptpd_configure().\n");
    				return 1;
    			}
    
    			$mpdsecret = "";
    
    			if (is_array($pptpdcfg['user'])) {
    				foreach ($pptpdcfg['user'] as $user)
    					$mpdsecret .= "{$user['name']} \"{$user['password']}\" {$user['ip']}\n";
    			}
    
    			fwrite($fd, $mpdsecret);
    			fclose($fd);
    			chmod("{$g['varetc_path']}/mpd-vpn/mpd.secret", 0600);
    
    			/* fire up mpd */
    			mwexec("/usr/local/sbin/mpd -b -d {$g['varetc_path']}/mpd-vpn -p {$g['varrun_path']}/mpd-vpn.pid pptpd");
    
    			break;
    
    		case 'redir':
    			break;
    	}
    
    	if (!$g['booting']) {
    		/* reload the filter */
    		filter_configure();
    	}
    
    	if ($g['booting'])
    		echo "done\n";
    
    	return 0;
    }
    
    function vpn_localnet_determine($adr, &$sa, &$sn) {
    	global $config, $g;
    
    	if (isset($adr)) {
    		if ($adr['network']) {
    			switch ($adr['network']) {
    				case 'lan':
    					$sn = $config['interfaces']['lan']['subnet'];
    					$sa = gen_subnet($config['interfaces']['lan']['ipaddr'], $sn);
    					break;
    			}
    		} else if ($adr['address']) {
    			list($sa,$sn) = explode("/", $adr['address']);
    			if (is_null($sn))
    				$sn = 32;
    		}
    	} else {
    		$sn = $config['interfaces']['lan']['subnet'];
    		$sa = gen_subnet($config['interfaces']['lan']['ipaddr'], $sn);
    	}
    }
    
    function vpn_endpoint_determine($tunnel, $curwanip) {
    	global $g, $config;
    
    	if(!$tunnel['interface']) {
    		return null;
    	}
    	if(is_ipaddr($curwanip)) {
    		if(preg_match("/^carp/i", $tunnel['interface'])) {
    			$iface = $tunnel['interface'];
    		} else {
    			if($config['interfaces'][$tunnel['interface']]['ipaddr'] == "pppoe" OR 
    				$config['interfaces'][$tunnel['interface']]['ipaddr'] == "pptp") {
    				$iface = "ng0";
    			} else {
    				$iface = $config['interfaces'][$tunnel['interface']]['if'];
    			}
    		}
    		$oc = $config['interfaces'][$tunnel['interface']];
    		/* carp ips, etc */
    		$ip = find_interface_ip($iface);
    		if($ip)
    			return $ip;
    
    		if (isset($oc['enable']) && $oc['if']) {
    			return $oc['ipaddr'];
    		}
    	}
    	return null;
    }
    
    function vpn_pppoe_configure() {
    	global $config, $g;
    
    	$syscfg = $config['system'];
    	$pppoecfg = $config['pppoe'];
    
    	/* create directory if it does not exist */
    	if(!is_dir("{$g['varetc_path']}/mpd-vpn"))
    		mkdir("{$g['varetc_path']}/mpd-vpn");
    
    	if ($g['booting']) {
    		if (!$pppoecfg['mode'] || ($pppoecfg['mode'] == "off"))
    			return 0;
    
    		echo "Configuring PPPoE VPN service... ";
    	}
    
    	/* make sure mpd-vpn directory exists */
    	if (!file_exists("{$g['varetc_path']}/mpd-vpn"))
    		mkdir("{$g['varetc_path']}/mpd-vpn");
    
    	switch ($pppoecfg['mode']) {
    
    		case 'server':
    
    			$pppoe_interface = filter_translate_type_to_real_interface($pppoecfg['interface']);
    
    			/* write mpd.conf */
    			$fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.conf", "a");
    			if (!$fd) {
    				printf("Error: cannot open mpd.conf in vpn_pppoe_configure().\n");
    				return 1;
    			}
    			$mpdconf = "\n\n";
    			$mpdconf .= <<<EOD
    pppoe:
    
    EOD;
    
    			for ($i = 0; $i < $pppoecfg['n_pppoe_units']; $i++) {
    				$mpdconf .= "	load pppoe{$i}\n";
    			}
    
    			for ($i = 0; $i < $pppoecfg['n_pppoe_units']; $i++) {
    
    				$clientip = long2ip(ip2long($pppoecfg['remoteip']) + $i);
    				$ngif = "ng" . ($i+1);
    
    				if(isset($pppoecfg['radius']['radiusissueips']) && isset($pppoecfg['radius']['enable'])) {
    					$isssue_ip_type = "set ipcp ranges {$pppoecfg['localip']}/32 0.0.0.0/0";
    					$isssue_ip_type .="\n\tset ipcp yes radius-ip";
    				} else {
    					$isssue_ip_type = "set ipcp ranges {$pppoecfg['localip']}/32 {$clientip}/32";
    				}
    
    				$mpdconf .= <<<EOD
    pppoe{$i}:
    	new -i {$ngif} pppoe{$i} pppoe{$i}
    	{$isssue_ip_type}
    	load pppoe_standart
    
    EOD;
    			}
    
    			$mpdconf .= <<<EOD
    pppoe_standart:
    	set link type pppoe
    	set pppoe iface {$pppoe_interface}
    	set pppoe service "*"
    	set pppoe disable originate
    	set pppoe enable incoming
    	set bundle no multilink
    	set bundle enable compression
    	set bundle max-logins 1
    	set iface idle 0
    	set iface disable on-demand
    	set iface disable proxy-arp
    	set iface enable tcpmssfix
    	set iface mtu 1500
    	set link no pap chap
    	set link enable chap
    	set link keep-alive 60 180
    	set ipcp yes vjcomp
    	set ipcp no vjcomp
    	set link max-redial -1
    	set link mtu 1492
    	set link mru 1492
    	set ccp yes mpp-e40
    	set ccp yes mpp-e128
    	set ccp yes mpp-stateless
    	set link latency 1
    	#set ipcp dns 10.10.1.3
    	#set bundle accept encryption
    
    EOD;
    
    			if (isset($config['dnsmasq']['enable'])) {
    				$mpdconf .= "	set ipcp dns " . $config['interfaces']['lan']['ipaddr'];
    				if ($syscfg['dnsserver'][0])
    					$mpdconf .= " " . $syscfg['dnsserver'][0];
    				$mpdconf .= "\n";
    			} else if (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) {
    				$mpdconf .= "	set ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n";
    			}
    
    			if (isset($pppoecfg['radius']['enable'])) {
    				$mpdconf .= <<<EOD
    	set radius server {$pppoecfg['radius']['server']} "{$pppoecfg['radius']['secret']}"
    	set radius retries 3
    	set radius timeout 10
    	set bundle enable radius-auth
    	set bundle disable radius-fallback
    
    EOD;
    
    				if (isset($pppoecfg['radius']['accounting'])) {
    					$mpdconf .= <<<EOD
    	set bundle enable radius-acct
    	set radius acct-update 300
    EOD;
    				}
    			}
    
    			fwrite($fd, $mpdconf);
    			fclose($fd);
    
    			/* write mpd.links */
    			$fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.links", "a");
    			if (!$fd) {
    				printf("Error: cannot open mpd.links in vpn_pppoe_configure().\n");
    				return 1;
    			}
    
    			$mpdlinks = "";
    
    			for ($i = 0; $i < $pppoecfg['n_pppoe_units']; $i++) {
    				$mpdlinks .= <<<EOD
    pppoe:
    	set link type pppoe
    	set pppoe iface {$pppoe_interface}
    
    EOD;
    			}
    
    			fwrite($fd, $mpdlinks);
    			fclose($fd);
    
    			/* write mpd.secret */
    			$fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.secret", "a");
    			if (!$fd) {
    				printf("Error: cannot open mpd.secret in vpn_pppoe_configure().\n");
    				return 1;
    			}
    
    			$mpdsecret = "\n\n";
    
    			if (is_array($pppoecfg['user'])) {
    				foreach ($pppoecfg['user'] as $user)
    					$mpdsecret .= "{$user['name']} \"{$user['password']}\" {$user['ip']}\n";
    			}
    
    			fwrite($fd, $mpdsecret);
    			fclose($fd);
    			chmod("{$g['varetc_path']}/mpd-vpn/mpd.secret", 0600);
    
    			/* fire up mpd */
    			mwexec("/usr/local/sbin/mpd -b -d {$g['varetc_path']}/mpd-vpn -p {$g['varrun_path']}/mpd-vpn.pid pppoe");
    
    			break;
    
    		case 'redir':
    			break;
    	}
    
    	touch("{$g["tmp_path"]}/filter_dirty");
    
    	if ($g['booting'])
    		echo "done\n";
    
    	return 0;
    }
    
    /* Forcefully restart IPSEC
     * This is required for when dynamic interfaces reload
     * For all other occasions the normal vpn_ipsec_configure()
     * will gracefully reload the settings without restarting
     */
    function vpn_ipsec_force_reload() {
    	global $config;
    	global $g;
    
    	$ipseccfg = $config['ipsec'];
    
    	/* kill any ipsec communications regardless when we are invoked */
    	mwexec("/sbin/ifconfig enc0 down");
    
    	/* kill racoon */
    	mwexec("/usr/bin/killall racoon", true);
    
    	/* wait for process to die */
    	sleep(4);
    
    	/* send a SIGKILL to be sure */
    	sigkillbypid("{$g['varrun_path']}/racoon.pid", "KILL");
    
    	/* wait for flushing to finish */
    	sleep(1);
    
    	/* if ipsec is enabled, start up again */
    	if (isset($ipseccfg['enable'])) {
    		log_error("Forcefully reloading IPSEC racoon daemon");
    		vpn_ipsec_configure();
    	}
    
    }
    
    ?>
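
The `pinghost` branch in vpn_ipsec_configure() only records `$srcip|$dstip|3` in /var/db/ipsecpinghosts for a separate pinger; nothing in the file ties a failed ping back to the SAD, and the `dpd_delay 20;` it writes into each `remote` block only does anything when the peer advertised DPD in phase 1 (racoon then uses its defaults of `dpd_retry 5` and `dpd_maxfail 5`). The script below is an added example, not pfSense code and not something posted in this thread: a small sh watchdog that pings a host behind the tunnel from the local subnet and, when that fails, deletes just that tunnel's ESP SAs with `setkey -c`, leaving the SPD policies in place so the next matching packet makes racoon renegotiate. It assumes a FreeBSD box with KAME `setkey` at the path vpn.inc uses and FreeBSD `ping` (`-t` timeout, `-S` source); the addresses are RFC 5737 documentation ranges and the `setkey -D` dump is constructed for the demonstration (the SPI values are the ones from the racoon log above, the key lines are omitted).

```shell
#!/bin/sh
# Added example (not pfSense code): ping-driven IPsec watchdog for racoon/setkey.
# On ping failure it deletes only the affected tunnel's SAs from the SAD, which
# is what the GUI "delete SAD entry" button does by hand.
# Assumptions: FreeBSD ping(8) and KAME setkey(8); all addresses below are
# constructed (RFC 5737), as is SAMPLE_DUMP.

# Print `setkey -c` delete statements for every SA between LOCAL ($1) and
# REMOTE ($2), both directions, from `setkey -D` output read on stdin.
# In the KAME dump each SA starts with an unindented "<src> <dst>" line,
# followed by an indented "<proto> mode=... spi=<dec>(0x<hex>) ..." line.
sa_delete_script() {
	awk -v l="$1" -v r="$2" '
		# SA header: two dotted-quad addresses (pfSense 1.2 is IPv4-only)
		$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
			src = $1; dst = $2
			keep = (src == l && dst == r) || (src == r && dst == l)
			next
		}
		# first detail line of a selected SA: protocol and spi=<dec>(0x<hex>)
		keep && $1 ~ /^(esp|ah|ipcomp)$/ && $3 ~ /^spi=/ {
			spi = $3
			sub(/^spi=[0-9]+\(/, "", spi)
			sub(/\).*$/, "", spi)
			printf "delete %s %s %s %s;\n", src, dst, $1, spi
			keep = 0
		}'
}

# Ping PINGHOST ($4) from SRC ($3), a LAN address inside the tunnel's local
# subnet (the same source vpn.inc records in /var/db/ipsecpinghosts). If it
# fails, flush the SAs for LOCAL ($1) <-> REMOTE ($2). Run from cron.
check_tunnel() {
	local_ip="$1"; remote_ip="$2"; src="$3"; pinghost="$4"
	if ping -c 3 -t 5 -S "$src" "$pinghost" >/dev/null 2>&1; then
		return 0
	fi
	logger -t ipsec-watchdog "$pinghost unreachable, deleting SAs $local_ip<->$remote_ip"
	/usr/local/sbin/setkey -D | sa_delete_script "$local_ip" "$remote_ip" | /usr/local/sbin/setkey -c
}

# Constructed `setkey -D` excerpt: one tunnel 192.0.2.1 <-> 198.51.100.1 in
# both directions, plus an unrelated SA to 203.0.113.1 that must survive.
SAMPLE_DUMP='198.51.100.1 192.0.2.1
	esp mode=tunnel spi=34828622(0x0213714e) reqid=0(0x00000000)
	E: 3des-cbc  (key omitted)
	A: hmac-sha1  (key omitted)
	seq=0x00000000 replay=4 flags=0x00000000 state=mature
192.0.2.1 198.51.100.1
	esp mode=tunnel spi=1492648816(0x58f80370) reqid=0(0x00000000)
	E: 3des-cbc  (key omitted)
	A: hmac-sha1  (key omitted)
	seq=0x00000000 replay=4 flags=0x00000000 state=mature
203.0.113.1 192.0.2.1
	esp mode=tunnel spi=305419896(0x12345678) reqid=0(0x00000000)
	E: blowfish-cbc  (key omitted)
	A: hmac-sha1  (key omitted)
	seq=0x00000000 replay=4 flags=0x00000000 state=mature'

# Show what the watchdog would hand to `setkey -c` for the sample tunnel.
demo() {
	printf '%s\n' "$SAMPLE_DUMP" | sa_delete_script 192.0.2.1 198.51.100.1
}
```

Wire it up as `check_tunnel <wan-ip> <remote-gateway> <lan-ip> <host-on-remote-lan>` from cron every minute. Keep the ping count and timeout generous: anything that blocks ICMP across the tunnel (a firewall rule on the far LAN, a rebooting host) will otherwise tear down a working tunnel. Deleting the ESP SAs does not touch racoon's phase 1 state, so the phase 2 rekey that follows is fast when the peer is actually up.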
    

  • Rebel Alliance Developer Netgate

    Ok, so if you look at the output of that, in your /var/etc/racoon.conf, where does dpd_delay show up there?



  • It is not the racoon.conf. It is the vpn.inc that needs to be edited.


  • Rebel Alliance Developer Netgate

    Yes, I know that, but I wanted to know what the output from vpn.inc resulted in.

    Even after moving the dpd line to the same location in that file, it still doesn't work for me, but I'm using 1.2.3-RC1. It looks from the vpn.inc that you're using that you're on 1.2.2 still.



  • path pre_shared_key "/var/etc/psk.txt";
    
    path certificate  "/var/etc";
    
    remote 67.114.XXX.XXX {
    	exchange_mode main;
    	my_identifier address "12.238.XXX.XXX";
    
    	peers_identifier address 67.114.XXX.XXX;
    	initial_contact on;
    	#dpd_delay 120;                   # DPD poll every 120 seconds
    	ike_frag on;
    	support_proxy on;
    	proposal_check obey;
    	dpd_delay 20;
    
    	proposal {
    		encryption_algorithm blowfish;
    		hash_algorithm sha1;
    		authentication_method pre_shared_key;
    		dh_group 2;
    		lifetime time 28800 secs;
    	}
    	lifetime time 28800 secs;
    }
    
    sainfo address 172.20.0.0/16 any address 192.168.100.0/24 any {
    	encryption_algorithm rijndael;
    	authentication_algorithm hmac_sha1;
    	compression_algorithm deflate;
    	pfs_group 2;
    	lifetime time 86400 secs;
    }
    
    remote 69.12.XXX.XXX {
    	exchange_mode main;
    	my_identifier address "12.238.XXX.XXX";
    
    	peers_identifier address 69.12.XXX.XXX;
    	initial_contact on;
    	#dpd_delay 120;                   # DPD poll every 120 seconds
    	ike_frag on;
    	support_proxy on;
    	proposal_check obey;
    	dpd_delay 20;
    
    	proposal {
    		encryption_algorithm 3des;
    		hash_algorithm sha1;
    		authentication_method pre_shared_key;
    		dh_group 2;
    		lifetime time 28800 secs;
    	}
    	lifetime time 28800 secs;
    }
    
    sainfo address 172.20.0.0/16 any address 10.20.30.0/24 any {
    	encryption_algorithm 3des;
    	authentication_algorithm hmac_sha1;
    	compression_algorithm deflate;
    	pfs_group 2;
    	lifetime time 86400 secs;
    }
    
    


  • On my 1.2.3 RC1 system it shows up after initial_contact.

            peers_identifier address x.x.x.x;
            initial_contact on;
            dpd_delay 30;
            ike_frag on;
            support_proxy on;
            proposal_check obey;
    
    

    I can't imagine the placement of dpd_delay would have an effect on its effectiveness, though, unless it was a bug in racoon.

    Easy enough to change, though: just move line 447 of /etc/inc/vpn.inc down a bit.


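Whether or not placement matters, the thing worth confirming on a production box is that every remote block in the generated /var/etc/racoon.conf actually carries an uncommented, non-zero dpd_delay. The script below is an added example (not pfSense's or racoon's own code) that reports the effective dpd_delay per peer; the sample config it checks is constructed from the racoon.conf posted above, with the 10.0.0.1 peer and its dpd_delay 0 added purely for illustration.

```shell
#!/bin/sh
# Added example, not pfSense's or racoon's own code: list the effective
# dpd_delay for every "remote" block of a racoon.conf, ignoring commented-out
# lines, so you can confirm DPD is really enabled per peer whatever position
# vpn.inc gave the directive inside the block.

racoon_dpd_check() {
    # $1: path to racoon.conf. Prints one line per remote block:
    #   <peer> dpd_delay=<seconds>|MISSING|DISABLED
    # The value reported is the last uncommented dpd_delay in the block;
    # racoon.conf(5) documents dpd_delay 0 (the default) as "DPD off".
    awk '
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # drop comments, trim
        /^remote[ \t]/ { peer = $2; depth = 0; delay = "MISSING" }
        peer != "" && /^dpd_delay[ \t]/ { v = $2; sub(/;$/, "", v); delay = v }
        peer != "" {
            depth += gsub(/\{/, "{")      # track nesting so "proposal { }"
            depth -= gsub(/\}/, "}")      # does not end the remote block
            if (depth == 0) {
                if (delay == "0") delay = "DISABLED"
                print peer " dpd_delay=" delay
                peer = ""
            }
        }
    ' "$1"
}

# Constructed sample modelled on the racoon.conf posted in this thread;
# the 10.0.0.1 peer is invented to show the explicit-zero case.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
path pre_shared_key "/var/etc/psk.txt";
remote 67.114.XXX.XXX {
    exchange_mode main;
    initial_contact on;
    #dpd_delay 120;                   # DPD poll every 120 seconds
    proposal_check obey;
    dpd_delay 20;
    proposal { encryption_algorithm blowfish; hash_algorithm sha1; }
}
remote 69.12.XXX.XXX {
    exchange_mode main;
    #dpd_delay 120;                   # only the commented-out line: no DPD
    proposal { encryption_algorithm 3des; hash_algorithm sha1; }
}
remote 10.0.0.1 {
    dpd_delay 0;                      # explicit zero: DPD off
}
EOF

racoon_dpd_check "$SAMPLE_CONF"
```

Run it against the real file with `racoon_dpd_check /var/etc/racoon.conf`; any peer reported MISSING or DISABLED will never have its ISAKMP-SA torn down by DPD, which is exactly the stale-SAD symptom described at the top of the thread.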
Locked