Fix the VPN IPSEC Dead Peer Detection in 1.2.2 or 1.2.3 {$200}
-
Ok. Doesn't look like anything exotic… I'll see if my VPN concentrator still boots, we acquired it used quite some time ago and never needed it. :)
-
Just a little update: I have at least managed to reproduce the problem. I can get the tunnel to come up, ping, etc. Then if I reboot the VPN Concentrator, the tunnel is down on the VC side, and the pfSense side still believes the tunnel is active.
I have to bounce racoon to bring it back to life.
In this scenario, .40 is the pfSense box and .49 is the Cisco VPN Concentrator # You can see the DPD heartbeat every 10 seconds 15:31:54.836050 IP (tos 0x0, ttl 128, id 645, offset 0, flags [none], proto UDP (17), length 112) x.x.x.49.500 > x.x.x.40.500: isakmp 1.0 msgid cookie ->: phase 2/others ? inf[E]: [encrypted hash] 15:31:54.836829 IP (tos 0x0, ttl 64, id 7023, offset 0, flags [none], proto UDP (17), length 120) x.x.x.40.500 > x.x.x.49.500: isakmp 1.0 msgid cookie ->: phase 2/others ? inf[E]: [encrypted hash] 15:32:04.839087 IP (tos 0x0, ttl 128, id 646, offset 0, flags [none], proto UDP (17), length 112) x.x.x.49.500 > x.x.x.40.500: isakmp 1.0 msgid cookie ->: phase 2/others ? inf[E]: [encrypted hash] 15:32:04.839919 IP (tos 0x0, ttl 64, id 12303, offset 0, flags [none], proto UDP (17), length 120) x.x.x.40.500 > x.x.x.49.500: isakmp 1.0 msgid cookie ->: phase 2/others ? inf[E]: [encrypted hash] 15:32:14.842125 IP (tos 0x0, ttl 128, id 658, offset 0, flags [none], proto UDP (17), length 112) x.x.x.49.500 > x.x.x.40.500: isakmp 1.0 msgid cookie ->: phase 2/others ? inf[E]: [encrypted hash] 15:32:14.842992 IP (tos 0x0, ttl 64, id 2415, offset 0, flags [none], proto UDP (17), length 120) x.x.x.40.500 > x.x.x.49.500: isakmp 1.0 msgid cookie ->: phase 2/others ? inf[E]: [encrypted hash] 15:32:24.845161 IP (tos 0x0, ttl 128, id 685, offset 0, flags [none], proto UDP (17), length 112) x.x.x.49.500 > x.x.x.40.500: isakmp 1.0 msgid cookie ->: phase 2/others ? inf[E]: [encrypted hash] 15:32:24.845898 IP (tos 0x0, ttl 64, id 58238, offset 0, flags [none], proto UDP (17), length 120) x.x.x.40.500 > x.x.x.49.500: isakmp 1.0 msgid cookie ->: phase 2/others ? inf[E]: [encrypted hash] 15:32:34.848195 IP (tos 0x0, ttl 128, id 720, offset 0, flags [none], proto UDP (17), length 112) x.x.x.49.500 > x.x.x.40.500: isakmp 1.0 msgid cookie ->: phase 2/others ? inf[E]: [encrypted hash] 15:32:34.848982 IP (tos 0x0, ttl 64, id 2157, offset 0, flags [none], proto UDP (17), length 120) x.x.x.40.500 > x.x.x.49.500: isakmp 1.0 msgid cookie ->: phase 2/others ? inf[E]: [encrypted hash] 15:32:44.851233 IP (tos 0x0, ttl 128, id 751, offset 0, flags [none], proto UDP (17), length 112) x.x.x.49.500 > x.x.x.40.500: isakmp 1.0 msgid cookie ->: phase 2/others ? inf[E]: [encrypted hash] 15:32:44.852033 IP (tos 0x0, ttl 64, id 7995, offset 0, flags [none], proto UDP (17), length 120) x.x.x.40.500 > x.x.x.49.500: isakmp 1.0 msgid cookie ->: phase 2/others ? inf[E]: [encrypted hash] # VPN Concentrator Rebooted Here 15:33:46.287064 IP (tos 0x0, ttl 64, id 29287, offset 0, flags [none], proto ESP (50), length 136) x.x.x.40 > x.x.x.49: ESP(spi=0x08d978ba,seq=0x17), length 116 15:33:47.287790 IP (tos 0x0, ttl 64, id 3429, offset 0, flags [none], proto ESP (50), length 136) x.x.x.40 > x.x.x.49: ESP(spi=0x08d978ba,seq=0x18), length 116 15:33:48.288783 IP (tos 0x0, ttl 64, id 58683, offset 0, flags [none], proto ESP (50), length 136) x.x.x.40 > x.x.x.49: ESP(spi=0x08d978ba,seq=0x19), length 116 15:33:59.306212 IP (tos 0x0, ttl 64, id 23344, offset 0, flags [none], proto ESP (50), length 136) x.x.x.40 > x.x.x.49: ESP(spi=0x08d978ba,seq=0x1a), length 116 15:33:59.306992 arp who-has x.x.x.40 tell x.x.x.49 15:33:59.307063 arp reply x.x.x.40 is-at 00:d0:b7:xx:xx:xx 15:33:59.307392 IP (tos 0x0, ttl 128, id 1, offset 0, flags [none], proto UDP (17), length 72) x.x.x.49.500 > x.x.x.40.500: [udp sum ok] isakmp 1.0 msgid cookie ->: phase 1 ? inf: (n: doi=ipsec proto=#0 type=INVALID-SPI orig=([|isakmp])) # Any more traffic that tries to traverse the tunnel gets back an invalid SPI reply from the Cisco, but racoon seems to ignore that(?) 15:38:12.199544 IP (tos 0x0, ttl 64, id 44124, offset 0, flags [none], proto ESP (50), length 136) x.x.x.40 > x.x.x.49: ESP(spi=0x08d978ba,seq=0x1b), length 116 15:38:12.200149 IP (tos 0x0, ttl 128, id 2, offset 0, flags [none], proto UDP (17), length 72) x.x.x.49.500 > x.x.x.40.500: [udp sum ok] isakmp 1.0 msgid cookie ->: phase 1 ? inf: (n: doi=ipsec proto=#0 type=INVALID-SPI orig=([|isakmp])) 15:38:13.200220 IP (tos 0x0, ttl 64, id 32774, offset 0, flags [none], proto ESP (50), length 136) x.x.x.40 > x.x.x.49: ESP(spi=0x08d978ba,seq=0x1c), length 116 15:38:13.200783 IP (tos 0x0, ttl 128, id 3, offset 0, flags [none], proto UDP (17), length 72) x.x.x.49.500 > x.x.x.40.500: [udp sum ok] isakmp 1.0 msgid cookie ->: phase 1 ? inf: (n: doi=ipsec proto=#0 type=INVALID-SPI orig=([|isakmp])) 15:38:14.201177 IP (tos 0x0, ttl 64, id 12600, offset 0, flags [none], proto ESP (50), length 136) x.x.x.40 > x.x.x.49: ESP(spi=0x08d978ba,seq=0x1d), length 116 15:38:14.201741 IP (tos 0x0, ttl 128, id 4, offset 0, flags [none], proto UDP (17), length 72) x.x.x.49.500 > x.x.x.40.500: [udp sum ok] isakmp 1.0 msgid cookie ->: phase 1 ? inf: (n: doi=ipsec proto=#0 type=INVALID-SPI orig=([|isakmp])) # Here is where I stopped/started racoon and the traffic started to flow again (just some pings) 15:41:44.297629 IP (tos 0x0, ttl 64, id 52940, offset 0, flags [none], proto UDP (17), length 152) x.x.x.40.500 > x.x.x.49.500: isakmp 1.0 msgid cookie ->: phase 1 I ident: [|sa] 15:41:44.395658 IP (tos 0x0, ttl 128, id 12, offset 0, flags [none], proto UDP (17), length 108) x.x.x.49.500 > x.x.x.40.500: isakmp 1.0 msgid cookie ->: phase 1 R ident: [|sa] 15:41:44.424531 IP (tos 0x0, ttl 64, id 22746, offset 0, flags [none], proto UDP (17), length 208) x.x.x.40.500 > x.x.x.49.500: isakmp 1.0 msgid cookie ->: phase 1 I ident: [|ke] 15:41:44.532342 IP (tos 0x0, ttl 128, id 13, offset 0, flags [none], proto UDP (17), length 284) x.x.x.49.500 > x.x.x.40.500: isakmp 1.0 msgid cookie ->: phase 1 R ident: [|ke] 15:41:44.561447 IP (tos 0x0, ttl 64, id 61626, offset 0, flags [none], proto UDP (17), length 96) x.x.x.40.500 > x.x.x.49.500: isakmp 1.0 msgid cookie ->: phase 1 I ident[E]: [encrypted id] 15:41:44.655766 IP (tos 0x0, ttl 128, id 14, offset 0, flags [none], proto UDP (17), length 112) x.x.x.49.500 > x.x.x.40.500: isakmp 1.0 msgid cookie ->: phase 1 R ident[E]: [encrypted id] 15:41:44.656514 IP (tos 0x0, ttl 64, id 14790, offset 0, flags [none], proto UDP (17), length 112) x.x.x.40.500 > x.x.x.49.500: isakmp 1.0 msgid cookie ->: phase 2/others I inf[E]: [encrypted hash] 15:41:45.658171 IP (tos 0x0, ttl 64, id 15246, offset 0, flags [none], proto UDP (17), length 192) x.x.x.40.500 > x.x.x.49.500: isakmp 1.0 msgid cookie ->: phase 2/others I oakley-quick[E]: [encrypted hash] 15:41:45.664940 IP (tos 0x0, ttl 128, id 15, offset 0, flags [none], proto UDP (17), length 216) x.x.x.49.500 > x.x.x.40.500: isakmp 1.0 msgid cookie ->: phase 2/others R oakley-quick[E]: [encrypted hash] 15:41:45.665747 IP (tos 0x0, ttl 64, id 56534, offset 0, flags [none], proto UDP (17), length 88) x.x.x.40.500 > x.x.x.49.500: isakmp 1.0 msgid cookie ->: phase 2/others I oakley-quick[E]: [encrypted hash] 15:41:46.297514 IP (tos 0x0, ttl 64, id 53208, offset 0, flags [none], proto ESP (50), length 136) x.x.x.40 > x.x.x.49: ESP(spi=0x65050928,seq=0x1), length 116 15:41:46.299785 IP (tos 0x0, ttl 64, id 34354, offset 0, flags [none], proto ESP (50), length 136) x.x.x.49 > x.x.x.40: ESP(spi=0x06fc83b9,seq=0x1), length 116 15:41:47.299312 IP (tos 0x0, ttl 64, id 62344, offset 0, flags [none], proto ESP (50), length 136) x.x.x.40 > x.x.x.49: ESP(spi=0x65050928,seq=0x2), length 116 15:41:47.301208 IP (tos 0x0, ttl 64, id 34355, offset 0, flags [none], proto ESP (50), length 136) x.x.x.49 > x.x.x.40: ESP(spi=0x06fc83b9,seq=0x2), length 116 15:41:48.300263 IP (tos 0x0, ttl 64, id 22492, offset 0, flags [none], proto ESP (50), length 136) x.x.x.40 > x.x.x.49: ESP(spi=0x65050928,seq=0x3), length 116 15:41:48.302170 IP (tos 0x0, ttl 64, id 34356, offset 0, flags [none], proto ESP (50), length 136) x.x.x.49 > x.x.x.40: ESP(spi=0x06fc83b9,seq=0x3), length 116
-
Exactly!!!!!!!!!!!!!!!! ??? ??? ??? :'( :'( :'(
-
I did notice something weird, if you look at the times on the DPD packets in my tcpdump, they were being initiated by the VPN concentrator, not pfSense.
Perhaps that is why it isn't working? Even though pfSense is set for DPD, it has negotiated it with Cisco but is only replying and not initiating DPD checks?
Just a guess… probably needs more experimentation.
-
What I find odd is none of the Devs have not responded to this post nor the other posts I have seen regarding this issue at least telling us it is a bug or if it is unable to be fixed.
I will probably end up buying Cisco Linksys RV042's instead of implementing pfSense at remote locations until this can be fixed as I need to deploy about 7 locations with remote VPN's and needing to manually intervene each times is just a little too much for me.
-
Actually, if you use the term "dev" loosely, I am one :-)
(I am a committer on 2.0/HEAD and for packages, but I'm not a part of the core team)
This still feels more like a racoon bug than a pfSense bug. If it does turn out to be a pfSense bug, it may just be in terms of how DPD is being configured by the WebGUI. There isn't much to go wrong there, though.
I can try to build a tunnel to a 2.0 box and see if it behaves the same way.
-
As far as I know both should be able to initiate DPD. I think this is part of the problem as DPD is not available in 1.2.2. I have tried modifying the file in pfsense to enable it but it does nothing once I have edited the file.
In 1.2.3 people are having the same problem. I wish someone would shed some light on the issue.
-
I should mention that I am testing this with 1.2.3, so DPD should be working, in theory anyhow.
-
Could it be something to do with the version of racoon? I could not find much info about it besides a project called Kame..but that did not tell me much.
-
I have another tunnel between this 1.2.2 and another 1.2.2 and the tunnel has no problem coming back up. But others have complained about it so there is no consistency.
-
Could it be something to do with the version of racoon? I could not find much info about it besides a project called Kame..but that did not tell me much.
That's possible, which is why I want to try it against 2.0 as well. They are both running the same version of ipsec-tools (http://ipsec-tools.sourceforge.net/) though:
from 1.2.3:
May 11 12:33:07 pfsense-123test racoon: INFO: @(#)ipsec-tools 0.7.1 (http://ipsec-tools.sourceforge.net)from 2.0:
May 11 11:32:58 pfSense-20test racoon: INFO: @(#)ipsec-tools 0.7.1 (http://ipsec-tools.sourceforge.net)There is a slightly newer version of ipsec-tools (0.7.2) out, but I don't see any details release notes on the web site that state what bugs were fixed.
-
It appears that what I thought was the DPD packet may have been Cisco's IPSec keep-alive. I disabled that, and left DPD enabled on the pfSense side, and I see no regular traffic on the tunnel.
That makes me think that either DPD isn't being turned on, or it isn't being negotiated properly for the tunnel.
With Cisco's Keep-Alive turned on, I get:
May 11 15:41:44 pfsense-123test racoon: INFO: received Vendor ID: CISCO-UNITY
May 11 15:41:44 pfsense-123test racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
May 11 15:41:44 pfsense-123test racoon: INFO: received Vendor ID: DPDWith it disabled, I get:
May 11 16:26:21 pfsense-123test racoon: INFO: received Vendor ID: CISCO-UNITY
May 11 16:26:21 pfsense-123test racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txtThat makes me wonder if, perhaps, the Cisco side really doesn't support DPD as well as it claims to. I'm not sure if there is some other mechanism to signal racoon when something else fails (i.e. the keepalive ping) to reload a specific tunnel. That would probably be more reliable than DPD since that must be supported by both sides.
Why this works for some vendors/devices and not others is also puzzling…
-
Then why is it that when I reboot my concentrator the pfSense does not respond as seeing the tunnel go down at all but stays green?
-
Then why is it that when I reboot my concentrator the pfSense does not respond as seeing the tunnel go down at all but stays green?
That is what I'm trying to figure out… :-)
As you said, when both sides are pfSense, it seems to work. I'm wondering if the "invalid SPI" reply generated by the Cisco is broken in some way (or racoon's parsing thereof) such that it doesn't pick up on the fact that the tunnel traffic is being rejected.
-
Version history: –-------------- 0.7.1 - 23 July 2008 o Fixes a memory leak when invalid proposal received o Some fixes in DPD o do not set default gss id if xauth is used o fixed hybrid enabled builds o fixed compilation on FreeBSD8 o cleanup in network port value manipulation o gets ports from SADB_X_EXT_NAT_T_[SD]PORT if present in purge_ipsec_spi() o Generates a log if cert validation has been disabled by configuration o better handling for pfkey socket read errors o Fixes in yacc / bison stuff o new plog() macro (reduced CPU usage when logging is disabled) o Try to works better with huge SPD/SAD o Corrected modecfg option syntax o Many other various fixes…
-
That is all foreign to me but maybe it has something to do with the problem.
-
I'll have to look at it more tomorrow, but I might be able to see if bumping ipsec-tools to 0.7.2 might help things along.
Can't promise anything though. -
Those aren't the changes in 0.7.2, but the changes in 0.7.1. Here are the changes in 0.7.2:
0.7.2 - 22 April 2009
-
Fix a remote crash in fragmentation code
-
Phase2 message identities are phase1 specific (Vista compatibility)
-
Autogenerate ChangeLog from cvs metadata
-
Fix mode config pool resizing
-
NAT-T fixes related to purging of IPsec SA:s and retransmission
-
Remove phase1 handler immediately if first exchange is bad
-
A bunch of memory leak and possible memory corruptions (triggerable
by bad configuration or startup parameters)
Seems like an update that is worth upgrading to given how many crash fixes there are in it.
-
-
But this is not likely to be applied to 1.2.2….... :'( Or at least in 1.2.3 unless it is already there. Just concerned about stability.
-
But this is not likely to be applied to 1.2.2….... :'( Or at least in 1.2.3 unless it is already there. Just concerned about stability.
The devs have to consider what is worse:
1. Potential instability due to a new version of ipsec-tools or even an increase in stability due to bugs being fixed.
2. Shipping with a remote DoS attack vulnerability that has been known for 3 weeks now. -
I am testing a build of 1.2.3-RC with ipsec-tools 0.7.2 and it may be my slightly weird test environment, but it didn't fix the issue so far.
That said, if I switch both ends of the IPSec tunnel to Aggressive Mode instead of Main Mode, then DPD seems to want to work, but doesn't actually get all the way.
May 14 10:17:55 pfsense-123test racoon: INFO: IPsec-SA request for x.x.x.49 queued due to no phase1 found. May 14 10:17:55 pfsense-123test racoon: INFO: initiate new phase 1 negotiation: x.x.x.40[500]<=>x.x.x.49[500] May 14 10:17:55 pfsense-123test racoon: INFO: begin Aggressive mode. May 14 10:17:55 pfsense-123test racoon: INFO: received Vendor ID: CISCO-UNITY May 14 10:17:55 pfsense-123test racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt May 14 10:17:55 pfsense-123test racoon: INFO: received Vendor ID: DPD May 14 10:17:55 pfsense-123test racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address. May 14 10:17:55 pfsense-123test racoon: INFO: ISAKMP-SA established x.x.x.40[500]-x.x.x.49[500] spi:5570f421d746e391:6a94f32073b1ed3f May 14 10:17:56 pfsense-123test racoon: INFO: initiate new phase 2 negotiation: x.x.x.40[500]<=>x.x.x.49[500] May 14 10:17:56 pfsense-123test racoon: WARNING: ignore RESPONDER-LIFETIME notification. May 14 10:17:56 pfsense-123test racoon: INFO: IPsec-SA established: ESP x.x.x.49[0]->x.x.x.40[0] spi=165272301(0x9d9daed) May 14 10:17:56 pfsense-123test racoon: INFO: IPsec-SA established: ESP x.x.x.40[500]->x.x.x.49[500] spi=463118085(0x1b9a9f05) [Power off Cisco VPN Concentrator] May 14 10:19:10 pfsense-123test racoon: INFO: DPD: remote (ISAKMP-SA spi=5570f421d746e391:6a94f32073b1ed3f) seems to be dead. May 14 10:19:11 pfsense-123test racoon: INFO: ISAKMP-SA deleted x.x.x.40[500]-x.x.x.49[500] spi:5570f421d746e391:6a94f32073b1ed3f
The log message is all well and good except it didn't actually delete the SAs. They're still there.
I'm making a new build right now to see if things behave any differently. Before that, I'm going to go back to a stock 1.2.3 snapshot and see if Aggressive mode behaves the same way.
-
All is now working! I removed the Concentrator from the DMZ of my local pfSense and connected it directly to a public IP. I noticed in the firewall logs that my firewall was blocking port 500 traffic and all other traffic which originated from the remote sites to my local site. Odd since I created a rule on my DMZ allowing all traffic to pass to the public interface of my concentrator.
Lan 10.20.30.1
DMZ 10.20.20.1Concentrator Private: 10.20.30.2
Concentrator Public: 10.20.20.2I was seeing my customers IP's being blocked:
10.0.0.0/24
192.168.127.0/24
172.20.30.0/16These were being blocked both on the LAN interface and on the DMZ. I will post some of the logs. I just need to reconfigure to internal again rather than direct connect to public IP on Concentrator Public interface.
-
So your tunnel reestablishes OK now after a power cycle?
That is strange, since my concentrator is already on a public IP and has no filtering in front of it. Its public is on the same switch as my pfSense test box.
And yet if I power cycle the concentrator, the tunnel never comes back up.
Are you sure nothing else changed in all that?
-
I did modify the DPD setting in the pfSense 1.2.2 by modifying the file. I think DPD was enabled for phase 1 or phase 2 and I enabled it for the other one in the conf file. If I can remember which file I will post the changes I made.
-
Ok, that would help a lot.
It should be /var/etc/racoon.conf
If I can see how you changed it, I can probably get that into the code to see if it fixes for everyone.
-
Look for the dpd_delay. On one of them it is commented out. File is: /etc/inc/vpn.inc
See post: http://forum.pfsense.org/index.php/topic,10371.0.html
From Pesh:
I don't know if everyone else has encountered this, but I recently had a problem where if one of my pfSense firewalls was restarted for whatever reason, the other pfSenses on the other ends of the VPN tunnels wouldn't recognise this. They would keep the old SA up and not negotiate any new ones, causing a failure to pass any traffic over the VPN. The only fix was to manually delete the entries from the SAD on these other firewalls so it would make a fresh tunnel again.
After reading around a bit, I saw an option for the racoon.conf that would turn on Dead Peer Detection, and figured I'd give that a try. In /etc/inc/vpn.inc, after each line saying proposal_check obey;, I added a line dpd_delay 20;. Then restarted racoon on each firewall, restarted one of the firewalls on its own and found that it renegotiated the tunnels straight away!
Anyway just a suggestion, I think this would be a useful option to add to pfSense.
/* vpn.inc Copyright (C) 2004-2006 Scott Ullrich All rights reserved. originally part of m0n0wall (http://m0n0.ch/wall) Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1\. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2\. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ /* include all configuration functions */ require_once("functions.inc"); /* master setup for vpn (mpd) */ function vpn_setup() { /* start pptpd */ vpn_pptpd_configure(); /* start pppoe server */ vpn_pppoe_configure(); } function vpn_ipsec_failover_configure() { global $config, $g; $sasyncd_text = ""; if($config['installedpackages']['sasyncd']['config'] <> "") foreach($config['installedpackages']['sasyncd']['config'] as $sasyncd) { $enabled = isset($sasyncd['enable']); if(!$enabled) return; if($sasyncd['peerip'] <> "") $sasyncd_text .= "peer {$sasyncd['peerip']}\n"; if($sasyncd['interface']) $sasyncd_text .= "carp interface {$sasyncd['interface']}\n"; if($sasyncd['sharedkey'] <> "") $sasyncd_text .= "sharedkey {$sasyncd['sharedkey']}\n"; if($sasyncd['mode'] <> "") $sasyncd_text .= "mode {$sasyncd['mode']}\n"; if($sasyncd['listenon'] <> "") $sasyncd_text .= "listen on {$sasyncd['listenon']}\n"; if($sasyncd['flushmodesync'] <> "") $sasyncd_text .= "flushmode sync {$sasyncd['flushmodesync']}\n"; } $fd = fopen("{$g['varetc_path']}/sasyncd.conf", "w"); fwrite($fd, $sasyncd_text); fclose($fd); chmod("{$g['varetc_path']}/sasyncd.conf", 0600); mwexec("killall sasyncd", true); /* launch sasyncd, oh wise one */ /* mwexec_bg("/usr/local/sbin/sasyncd -d -v -v -v"); */ } function find_last_gif_device() { $regs = ""; $last_gif_found = -1; if (!($fp = popen("/sbin/ifconfig -l", "r"))) return -1; $ifconfig_data = fread($fp, 4096); pclose($fp); $ifconfig_array = split(" ", $ifconfig_data); foreach ($ifconfig_array as $ifconfig) { ereg("gif(.)", $ifconfig, $regs); if($regs[0]) { if($regs[0] > $last_gif_found) $last_gif_found = $regs[1]; } } return $last_gif_found; } function vpn_ipsec_configure($ipchg = false) { global $config, $g, $sa, $sn; mwexec("/sbin/ifconfig enc0 create", true); mwexec("/sbin/ifconfig enc0 up", true); /* get the automatic /etc/ping_hosts.sh ready */ unlink_if_exists("/var/db/ipsecpinghosts"); touch("/var/db/ipsecpinghosts"); if($g['booting'] == true) { /* determine if we should load the via padlock module */ $dmesg_boot = `cat /var/log/dmesg.boot | grep CPU`; if(stristr($dmesg_boot, "ACE") == true) { //echo "Enabling [VIA Padlock] ..."; //mwexec("/sbin/kldload padlock"); //mwexec("/sbin/sysctl net.inet.ipsec.crypto_support=1"); //mwexec("/usr/local/sbin/setkey -F"); //mwexec("/usr/local/sbin/setkey -FP"); //echo " done.\n"; } } if(isset($config['ipsec']['preferredoldsa'])) { mwexec("/sbin/sysctl net.key.preferred_oldsa=0"); } else { mwexec("/sbin/sysctl -w net.key.preferred_oldsa=-30"); } $number_of_gifs = find_last_gif_device(); for($x=0; $x<$number_of_gifs; $x++) { mwexec("/sbin/ifconfig gif" . $x . " delete"); } $curwanip = get_current_wan_address(); $syscfg = $config['system']; $ipseccfg = $config['ipsec']; $lancfg = $config['interfaces']['lan']; $lanip = $lancfg['ipaddr']; $lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']); $lansn = $lancfg['subnet']; if (!isset($ipseccfg['enable'])) { mwexec("/sbin/ifconfig enc0 down"); mwexec("/sbin/ifconfig enc0 destroy"); /* kill racoon */ mwexec("/usr/bin/killall racoon", true); /* wait for process to die */ sleep(2); /* send a SIGKILL to be sure */ sigkillbypid("{$g['varrun_path']}/racoon.pid", "KILL"); /* flush SPD and SAD */ mwexec("/usr/local/sbin/setkey -FP"); mwexec("/usr/local/sbin/setkey -F"); return true; } if ($g['booting']) { echo "Configuring IPsec VPN... "; } if (isset($ipseccfg['enable'])) { /* fastforwarding is not compatible with ipsec tunnels */ system("/sbin/sysctl net.inet.ip.fastforwarding=0 >/dev/null 2>&1"); if (!$curwanip) { /* IP address not configured yet, exit */ if ($g['booting']) echo "done\n"; return 0; } /* this loads a route table which is used to determine if a route needs to be removed. */ exec("/usr/bin/netstat -rn", $route_arr, $retval); $route_str = implode("\n", $route_arr); if ((is_array($ipseccfg['tunnel']) && count($ipseccfg['tunnel'])) || isset($ipseccfg['mobileclients']['enable'])) { if (is_array($ipseccfg['tunnel']) && count($ipseccfg['tunnel'])) { /* generate spd.conf */ $fd = fopen("{$g['varetc_path']}/spd.conf", "w"); if (!$fd) { printf("Error: cannot open spd.conf in vpn_ipsec_configure().\n"); return 1; } $spdconf = ""; $spdconf .= "spdadd {$lansa}/{$lansn} {$lanip}/32 any -P in none;\n"; $spdconf .= "spdadd {$lanip}/32 {$lansa}/{$lansn} any -P out none;\n"; foreach ($ipseccfg['tunnel'] as $tunnel) { if (isset($tunnel['disabled'])) continue; $ep = vpn_endpoint_determine($tunnel, $curwanip); if (!$ep) { log_error("Could not deterimine VPN endpoint for {$tunnel['descr']}"); continue; } vpn_localnet_determine($tunnel['local-subnet'], $sa, $sn); if(is_domain($tunnel['remote-gateway'])) { $tmp = gethostbyname($tunnel['remote-gateway']); if($tmp) $tunnel['remote-gateway'] = $tmp; } /* add entry to host pinger */ if ($tunnel['pinghost']) { $pfd = fopen("/var/db/ipsecpinghosts", "a"); $iflist = array("lan" => "lan", "wan" => "wan"); for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) $iflist['opt' . $i] = "opt{$i}"; foreach ($iflist as $ifent => $ifname) { $interface_ip = find_interface_ip($config['interfaces'][$ifname]['if']); if (ip_in_subnet($interface_ip, $sa . "/" . $sn)) $srcip = find_interface_ip($config['interfaces'][$ifname]['if']); } $dstip = $tunnel['pinghost']; fwrite($pfd, "$srcip|$dstip|3\n"); fclose($pfd); } if(isset($tunnel['creategif'])) { $number_of_gifs = find_last_gif_device(); $number_of_gifs++; $curwanip = get_current_wan_address(); mwexec("/sbin/ifconfig gif" . $number_of_gifs . " tunnel" . $curwanip . " " . $tunnel['remote-gateway']); mwexec("/sbin/ifconfig gif" . $number_of_gifs . " {$lansa}/{$lansn} {$lanip}/32"); } $spdconf .= "spdadd {$sa}/{$sn} " . "{$tunnel['remote-subnet']} any -P out ipsec " . "{$tunnel['p2']['protocol']}/tunnel/{$ep}-" . "{$tunnel['remote-gateway']}/unique;\n"; $spdconf .= "spdadd {$tunnel['remote-subnet']} " . "{$sa}/{$sn} any -P in ipsec " . "{$tunnel['p2']['protocol']}/tunnel/{$tunnel['remote-gateway']}-" . "{$ep}/unique;\n"; /* static route needed? */ if(preg_match("/^carp/i", $tunnel['interface'])) { $parentinterface = link_carp_interface_to_parent($tunnel['interface']); } else { $parentinterface = $tunnel['interface']; } if($parentinterface <> "wan") { /* add endpoint routes to correct gateway on interface */ if(interface_has_gateway($parentinterface)) { $gatewayip = get_interface_gateway("$parentinterface"); $interfaceip = $config['interfaces'][$parentinterface]['ipaddr']; $subnet_bits = $config['interfaces'][$parentinterface]['subnet']; $subnet_ip = gen_subnet("{$interfaceip}", "{$subnet_bits}"); /* if the remote gateway is in the local subnet, then don't add a route */ if(! ip_in_subnet($tunnel['remote-gateway'], "{$subnet_ip}/{$subnet_bits}")) { if(is_ipaddr($gatewayip)) { log_error("IPSEC interface is not WAN but {$tunnel['interface']}, adding static route for VPN endpoint {$tunnel['remote-gateway']} via {$gatewayip}"); mwexec("/sbin/route delete -host {$tunnel['remote-gateway']}"); mwexec("/sbin/route add -host {$tunnel['remote-gateway']} {$gatewayip}"); } } } } else { if(stristr($route_str, "/{$tunnel['remote-gateway']}/")) { mwexec("/sbin/route delete -host {$tunnel['remote-gateway']}"); } } } fwrite($fd, $spdconf); fclose($fd); } /* generate racoon.conf */ $fd = fopen("{$g['varetc_path']}/racoon.conf", "w"); if (!$fd) { printf("Error: cannot open racoon.conf in vpn_ipsec_configure().\n"); return 1; } $racoonconf = ""; $racoonconf .= "path pre_shared_key \"{$g['varetc_path']}/psk.txt\";\n\n"; $racoonconf .= "path certificate \"{$g['varetc_path']}\";\n\n"; /* generate CA certificates files */ $cacertnum = 0; if (is_array($ipseccfg['cacert']) && count($ipseccfg['cacert'])) foreach ($ipseccfg['cacert'] as $cacert) { ++$cacertnum; if (isset($cacert['cert'])) { $cert = base64_decode($cacert['cert']); $x509cert = openssl_x509_parse(openssl_x509_read($cert)); if(is_array($x509cert) && isset($x509cert['hash'])) { $fd1 = fopen("{$g['varetc_path']}/{$x509cert['hash']}.0", "w"); if (!$fd1) { printf("Error: cannot open {$x509cert['hash']}.0 in vpn.\n"); return 1; } chmod("{$g['varetc_path']}/{$x509cert['hash']}.0", 0600); fwrite($fd1, $cert); fclose($fd1); } } } $tunnelnumber = 0; if (is_array($ipseccfg['tunnel']) && count($ipseccfg['tunnel'])) foreach ($ipseccfg['tunnel'] as $tunnel) { ++$tunnelnumber; if (isset($tunnel['disabled'])) continue; $ep = vpn_endpoint_determine($tunnel, $curwanip); if (!$ep) continue; vpn_localnet_determine($tunnel['local-subnet'], $sa, $sn); if (isset($tunnel['p1']['myident']['myaddress'])) { $myidentt = "address"; $myident = $ep; } else if (isset($tunnel['p1']['myident']['address'])) { $myidentt = "address"; $myident = $tunnel['p1']['myident']['address']; } else if (isset($tunnel['p1']['myident']['fqdn'])) { $myidentt = "fqdn"; $myident = $tunnel['p1']['myident']['fqdn']; } else if (isset($tunnel['p1']['myident']['ufqdn'])) { $myidentt = "user_fqdn"; $myident = $tunnel['p1']['myident']['ufqdn']; } else if (isset($tunnel['p1']['myident']['dyn_dns'])) { $myidentt = "dyn_dns"; $myident = gethostbyname($tunnel['p1']['myident']['dyn_dns']); } if (!($myidentt == "asn1dn" && $myident == "")) { $myident = " \"".$myident."\""; } $nattline = ''; if (isset($tunnel['natt'])) { $nattline = "nat_traversal on;"; } if (isset($tunnel['p1']['authentication_method'])) { $authmethod = $tunnel['p1']['authentication_method']; } else {$authmethod = 'pre_shared_key';} $certline = ''; if ($authmethod == 'rsasig') { if ($tunnel['p1']['cert'] && $tunnel['p1']['private-key']) { $cert = base64_decode($tunnel['p1']['cert']); $private_key = base64_decode($tunnel['p1']['private-key']); } else { /* null certificate/key */ $cert = ''; $private_key = ''; } if ($tunnel['p1']['peercert']) $peercert = base64_decode($tunnel['p1']['peercert']); else $peercert = ''; $fd1 = fopen("{$g['varetc_path']}/server{$tunnelnumber}-signed.pem", "w"); if (!$fd1) { printf("Error: cannot open server{$tunnelnumber}-signed.pem in vpn.\n"); return 1; } chmod("{$g['varetc_path']}/server{$tunnelnumber}-signed.pem", 0600); fwrite($fd1, $cert); fclose($fd1); $fd1 = fopen("{$g['varetc_path']}/server{$tunnelnumber}-key.pem", "w"); if (!$fd1) { printf("Error: cannot open server{$tunnelnumber}-key.pem in vpn.\n"); return 1; } chmod("{$g['varetc_path']}/server{$tunnelnumber}-key.pem", 0600); fwrite($fd1, $private_key); fclose($fd1); $certline = "certificate_type x509 \"server{$tunnelnumber}-signed.pem\" \"server{$tunnelnumber}-key.pem\";"; if ($peercert!=''){ $fd1 = fopen("{$g['varetc_path']}/peer{$tunnelnumber}-signed.pem", "w"); if (!$fd1) { printf("Error: cannot open server{$tunnelnumber}-signed.pem in vpn.\n"); return 1; } chmod("{$g['varetc_path']}/peer{$tunnelnumber}-signed.pem", 0600); fwrite($fd1, $peercert); fclose($fd1); $certline .= << <eod<br>peers_certfile "peer{$tunnelnumber}-signed.pem"; EOD; } } $racoonconf .= <<<eod<br>remote {$tunnel['remote-gateway']} \{ exchange_mode {$tunnel['p1']['mode']}; my_identifier {$myidentt}{$myident}; {$certline} peers_identifier address {$tunnel['remote-gateway']}; initial_contact on; #dpd_delay 120; # DPD poll every 120 seconds ike_frag on; support_proxy on; proposal_check obey; dpd_delay 20; proposal \{ encryption_algorithm {$tunnel['p1']['encryption-algorithm']}; hash_algorithm {$tunnel['p1']['hash-algorithm']}; authentication_method {$authmethod}; dh_group {$tunnel['p1']['dhgroup']}; EOD; if ($tunnel['p1']['lifetime']) $racoonconf .= " lifetime time {$tunnel['p1']['lifetime']} secs;\n"; $racoonconf .= " }\n"; if ($tunnel['p1']['lifetime']) $racoonconf .= " lifetime time {$tunnel['p1']['lifetime']} secs;\n"; $racoonconf .= "}\n\n"; $p2ealgos = join(",", $tunnel['p2']['encryption-algorithm-option']); $p2halgos = join(",", $tunnel['p2']['hash-algorithm-option']); $racoonconf .= <<<eod<br>sainfo address {$sa}/{$sn} any address {$tunnel['remote-subnet']} any \{ encryption_algorithm {$p2ealgos}; authentication_algorithm {$p2halgos}; compression_algorithm deflate; EOD; if ($tunnel['p2']['pfsgroup']) $racoonconf .= " pfs_group {$tunnel['p2']['pfsgroup']};\n"; if ($tunnel['p2']['lifetime']) $racoonconf .= " lifetime time {$tunnel['p2']['lifetime']} secs;\n"; $racoonconf .= "}\n\n"; } /* mobile clients? */ if (isset($ipseccfg['mobileclients']['enable'])) { $tunnel = $ipseccfg['mobileclients']; if (isset($tunnel['p1']['myident']['myaddress'])) { $myidentt = "address "; $myident = $curwanip; } else if (isset($tunnel['p1']['myident']['address'])) { $myidentt = "address "; $myident = $tunnel['p1']['myident']['address']; } else if (isset($tunnel['p1']['myident']['fqdn'])) { $myidentt = "fqdn "; $myident = $tunnel['p1']['myident']['fqdn']; } else if (isset($tunnel['p1']['myident']['ufqdn'])) { $myidentt = "user_fqdn "; $myident = $tunnel['p1']['myident']['ufqdn']; } if (isset($tunnel['p1']['authentication_method'])) { $authmethod = $tunnel['p1']['authentication_method']; } else {$authmethod = 'pre_shared_key';} $certline = ''; if ($authmethod == 'rsasig') { if ($tunnel['p1']['cert'] && $tunnel['p1']['private-key']) { $cert = base64_decode($tunnel['p1']['cert']); $private_key = base64_decode($tunnel['p1']['private-key']); } else { /* null certificate/key */ $cert = ''; $private_key = ''; } if ($tunnel['p1']['peercert']) $peercert = base64_decode($tunnel['p1']['peercert']); else $peercert = ''; $fd1 = fopen("{$g['varetc_path']}/server-mobile{$tunnelnumber}-signed.pem", "w"); if (!$fd1) { printf("Error: cannot open server-mobile{$tunnelnumber}-signed.pem in vpn.\n"); return 1; } chmod("{$g['varetc_path']}/server-mobile{$tunnelnumber}-signed.pem", 0600); fwrite($fd1, $cert); fclose($fd1); $fd1 = fopen("{$g['varetc_path']}/server-mobile{$tunnelnumber}-key.pem", "w"); if (!$fd1) { printf("Error: cannot open server-mobile{$tunnelnumber}-key.pem in vpn.\n"); return 1; } chmod("{$g['varetc_path']}/server-mobile{$tunnelnumber}-key.pem", 0600); fwrite($fd1, $private_key); fclose($fd1); $certline = "certificate_type x509 \"server-mobile{$tunnelnumber}-signed.pem\" \"server-mobile{$tunnelnumber}-key.pem\";"; } $racoonconf .= <<<eod<br>remote anonymous \{ exchange_mode {$tunnel['p1']['mode']}; my_identifier {$myidentt}"{$myident}"; {$nattline} {$certline} initial_contact on; dpd_delay 120; # DPD poll every 120 seconds ike_frag on; passive on; generate_policy on; support_proxy on; proposal_check obey; dpd_delay 20; proposal \{ encryption_algorithm {$tunnel['p1']['encryption-algorithm']}; hash_algorithm {$tunnel['p1']['hash-algorithm']}; authentication_method {$authmethod}; dh_group {$tunnel['p1']['dhgroup']}; EOD; if ($tunnel['p1']['lifetime']) $racoonconf .= " lifetime time {$tunnel['p1']['lifetime']} secs;\n"; $racoonconf .= " }\n"; if ($tunnel['p1']['lifetime']) $racoonconf .= " lifetime time {$tunnel['p1']['lifetime']} secs;\n"; $racoonconf .= "}\n\n"; $p2ealgos = join(",", $tunnel['p2']['encryption-algorithm-option']); $p2halgos = join(",", $tunnel['p2']['hash-algorithm-option']); $racoonconf .= <<<eod<br>sainfo anonymous \{ encryption_algorithm {$p2ealgos}; authentication_algorithm {$p2halgos}; compression_algorithm deflate; EOD; if ($tunnel['p2']['pfsgroup']) $racoonconf .= " pfs_group {$tunnel['p2']['pfsgroup']};\n"; if ($tunnel['p2']['lifetime']) $racoonconf .= " lifetime time {$tunnel['p2']['lifetime']} secs;\n"; $racoonconf .= "}\n\n"; } fwrite($fd, $racoonconf); fclose($fd); /* generate psk.txt */ $fd = fopen("{$g['varetc_path']}/psk.txt", "w"); if (!$fd) { printf("Error: cannot open psk.txt in vpn_ipsec_configure().\n"); return 1; } $pskconf = ""; if (is_array($ipseccfg['tunnel'])) { foreach ($ipseccfg['tunnel'] as $tunnel) { if (isset($tunnel['disabled'])) continue; $pskconf .= "{$tunnel['remote-gateway']} {$tunnel['p1']['pre-shared-key']}\n"; } } /* add PSKs for mobile clients */ if (is_array($ipseccfg['mobilekey'])) { foreach ($ipseccfg['mobilekey'] as $key) { $pskconf .= "{$key['ident']} {$key['pre-shared-key']}\n"; } } fwrite($fd, $pskconf); fclose($fd); chmod("{$g['varetc_path']}/psk.txt", 0600); if(is_process_running("racoon")) { /* flush SPD entries */ mwexec("/usr/local/sbin/setkey -FP"); sleep("0.1"); mwexec("/usr/local/sbin/setkey -F"); /* load SPD */ sleep("0.1"); mwexec("/usr/local/sbin/setkey -f {$g['varetc_path']}/spd.conf"); /* We are already online, reload */ sleep("0.1"); mwexec("/usr/bin/killall -HUP racoon", true); } else { /* flush SA + SPD entries */ mwexec("/usr/local/sbin/setkey -FP"); sleep("0.1"); mwexec("/usr/local/sbin/setkey -F"); sleep("0.1"); /* start racoon */ mwexec("/usr/local/sbin/racoon -f {$g['varetc_path']}/racoon.conf"); sleep("0.1"); /* load SPD */ mwexec("/usr/local/sbin/setkey -f {$g['varetc_path']}/spd.conf"); /* We are already online, reload */ sleep("0.1"); mwexec("/usr/bin/killall -HUP racoon", true); } } } vpn_ipsec_failover_configure(); if (!$g['booting']) { /* reload the filter */ touch("{$g["tmp_path"]}/filter_dirty"); } if ($g['booting']) echo "done\n"; return 0; } function vpn_pptpd_configure() { global $config, $g; $syscfg = $config['system']; $pptpdcfg = $config['pptpd']; if ($g['booting']) { if (!$pptpdcfg['mode'] || ($pptpdcfg['mode'] == "off")) return 0; echo "Configuring PPTP VPN service... "; } else { /* kill mpd */ killbypid("{$g['varrun_path']}/mpd-vpn.pid"); /* wait for process to die */ sleep(3); if(is_process_running("mpd -b")) { killbypid("{$g['varrun_path']}/mpd-vpn.pid"); log_error("Could not kill mpd within 3 seconds. Trying again."); } /* remove mpd.conf, if it exists */ unlink_if_exists("{$g['varetc_path']}/mpd-vpn/mpd.conf"); unlink_if_exists("{$g['varetc_path']}/mpd-vpn/mpd.links"); unlink_if_exists("{$g['varetc_path']}/mpd-vpn/mpd.secret"); } /* make sure mpd-vpn directory exists */ if (!file_exists("{$g['varetc_path']}/mpd-vpn")) mkdir("{$g['varetc_path']}/mpd-vpn"); switch ($pptpdcfg['mode']) { case 'server': /* write mpd.conf */ $fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.conf", "w"); if (!$fd) { printf("Error: cannot open mpd.conf in vpn_pptpd_configure().\n"); return 1; } $mpdconf = <<<eod<br>pptpd: EOD; for ($i = 0; $i < $g['n_pptp_units']; $i++) { $mpdconf .= " load pt{$i}\n"; } for ($i = 0; $i < $g['n_pptp_units']; $i++) { $clientip = long2ip(ip2long($pptpdcfg['remoteip']) + $i); $ngif = "ng" . ($i+1); $mpdconf .= << <eod<br>pt{$i}: new -i {$ngif} pt{$i} pt{$i} set ipcp ranges {$pptpdcfg['localip']}/32 {$clientip}/32 load pts EOD; } $mpdconf .= << <eod<br>pts: set iface disable on-demand set iface enable proxy-arp set iface enable tcpmssfix set iface idle 1800 set iface up-script /usr/local/sbin/vpn-linkup set iface down-script /usr/local/sbin/vpn-linkdown set bundle enable multilink set bundle enable crypt-reqd set link yes acfcomp protocomp set link no pap chap set link enable chap-msv2 set link mtu 1460 set link keep-alive 10 60 set ipcp yes vjcomp set bundle enable compression set ccp yes mppc set ccp yes mpp-e128 set ccp yes mpp-stateless EOD; if (!isset($pptpdcfg['req128'])) { $mpdconf .= << <eod<br>set ccp yes mpp-e40 set ccp yes mpp-e56 EOD; } if (isset($pptpdcfg["wins"])) $mpdconf .= " set ipcp nbns {$pptpdcfg['wins']}\n"; if (is_array($pptpdcfg['dnsserver']) && ($pptpdcfg['dnsserver'][0])) { $mpdconf .= " set ipcp dns " . join(" ", $pptpdcfg['dnsserver']) . "\n"; } else if (isset($config['dnsmasq']['enable'])) { $mpdconf .= " set ipcp dns " . $config['interfaces']['lan']['ipaddr']; if ($syscfg['dnsserver'][0]) $mpdconf .= " " . $syscfg['dnsserver'][0]; $mpdconf .= "\n"; } else if (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) { $mpdconf .= " set ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n"; } if (isset($pptpdcfg['radius']['enable'])) { $mpdconf .= << <eod<br>set radius server {$pptpdcfg['radius']['server']} "{$pptpdcfg['radius']['secret']}" set radius retries 3 set radius timeout 10 set bundle enable radius-auth set bundle disable radius-fallback EOD; if (isset($pptpdcfg['radius']['accounting'])) { $mpdconf .= << <eod<br>set bundle enable radius-acct EOD; } } fwrite($fd, $mpdconf); fclose($fd); /* write mpd.links */ $fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.links", "w"); if (!$fd) { printf("Error: cannot open mpd.links in vpn_pptpd_configure().\n"); return 1; } $mpdlinks = ""; for ($i = 0; $i < $g['n_pptp_units']; $i++) { $mpdlinks .= << <eod<br>pt{$i}: set link type pptp set pptp enable incoming set pptp disable originate set pptp disable windowing set pptp self 127.0.0.1 EOD; } fwrite($fd, $mpdlinks); fclose($fd); /* write mpd.secret */ $fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.secret", "w"); if (!$fd) { printf("Error: cannot open mpd.secret in vpn_pptpd_configure().\n"); return 1; } $mpdsecret = ""; if (is_array($pptpdcfg['user'])) { foreach ($pptpdcfg['user'] as $user) $mpdsecret .= "{$user['name']} \"{$user['password']}\" {$user['ip']}\n"; } fwrite($fd, $mpdsecret); fclose($fd); chmod("{$g['varetc_path']}/mpd-vpn/mpd.secret", 0600); /* fire up mpd */ mwexec("/usr/local/sbin/mpd -b -d {$g['varetc_path']}/mpd-vpn -p {$g['varrun_path']}/mpd-vpn.pid pptpd"); break; case 'redir': break; } if (!$g['booting']) { /* reload the filter */ filter_configure(); } if ($g['booting']) echo "done\n"; return 0; } function vpn_localnet_determine($adr, &$sa, &$sn) { global $config, $g; if (isset($adr)) { if ($adr['network']) { switch ($adr['network']) { case 'lan': $sn = $config['interfaces']['lan']['subnet']; $sa = gen_subnet($config['interfaces']['lan']['ipaddr'], $sn); break; } } else if ($adr['address']) { list($sa,$sn) = explode("/", $adr['address']); if (is_null($sn)) $sn = 32; } } else { $sn = $config['interfaces']['lan']['subnet']; $sa = gen_subnet($config['interfaces']['lan']['ipaddr'], $sn); } } function vpn_endpoint_determine($tunnel, $curwanip) { global $g, $config; if(!$tunnel['interface']) { return null; } if(is_ipaddr($curwanip)) { if(preg_match("/^carp/i", $tunnel['interface'])) { $iface = $tunnel['interface']; } else { if($config['interfaces'][$tunnel['interface']]['ipaddr'] == "pppoe" OR $config['interfaces'][$tunnel['interface']]['ipaddr'] == "pptp") { $iface = "ng0"; } else { $iface = $config['interfaces'][$tunnel['interface']]['if']; } } $oc = $config['interfaces'][$tunnel['interface']]; /* carp ips, etc */ $ip = find_interface_ip($iface); if($ip) return $ip; if (isset($oc['enable']) && $oc['if']) { return $oc['ipaddr']; } } return null; } function vpn_pppoe_configure() { global $config, $g; $syscfg = $config['system']; $pppoecfg = $config['pppoe']; /* create directory if it does not exist */ if(!is_dir("{$g['varetc_path']}/mpd-vpn")) mkdir("{$g['varetc_path']}/mpd-vpn"); if ($g['booting']) { if (!$pppoecfg['mode'] || ($pppoecfg['mode'] == "off")) return 0; echo "Configuring PPPoE VPN service... "; } /* make sure mpd-vpn directory exists */ if (!file_exists("{$g['varetc_path']}/mpd-vpn")) mkdir("{$g['varetc_path']}/mpd-vpn"); switch ($pppoecfg['mode']) { case 'server': $pppoe_interface = filter_translate_type_to_real_interface($pppoecfg['interface']); /* write mpd.conf */ $fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.conf", "a"); if (!$fd) { printf("Error: cannot open mpd.conf in vpn_pppoe_configure().\n"); return 1; } $mpdconf = "\n\n"; $mpdconf .= <<<eod<br>pppoe: EOD; for ($i = 0; $i < $pppoecfg['n_pppoe_units']; $i++) { $mpdconf .= " load pppoe{$i}\n"; } for ($i = 0; $i < $pppoecfg['n_pppoe_units']; $i++) { $clientip = long2ip(ip2long($pppoecfg['remoteip']) + $i); $ngif = "ng" . ($i+1); if(isset($pppoecfg['radius']['radiusissueips']) && isset($pppoecfg['radius']['enable'])) { $isssue_ip_type = "set ipcp ranges {$pppoecfg['localip']}/32 0.0.0.0/0"; $isssue_ip_type .="\n\tset ipcp yes radius-ip"; } else { $isssue_ip_type = "set ipcp ranges {$pppoecfg['localip']}/32 {$clientip}/32"; } $mpdconf .= << <eod<br>pppoe{$i}: new -i {$ngif} pppoe{$i} pppoe{$i} {$isssue_ip_type} load pppoe_standart EOD; } $mpdconf .= << <eod<br>pppoe_standart: set link type pppoe set pppoe iface {$pppoe_interface} set pppoe service "*" set pppoe disable originate set pppoe enable incoming set bundle no multilink set bundle enable compression set bundle max-logins 1 set iface idle 0 set iface disable on-demand set iface disable proxy-arp set iface enable tcpmssfix set iface mtu 1500 set link no pap chap set link enable chap set link keep-alive 60 180 set ipcp yes vjcomp set ipcp no vjcomp set link max-redial -1 set link mtu 1492 set link mru 1492 set ccp yes mpp-e40 set ccp yes mpp-e128 set ccp yes mpp-stateless set link latency 1 #set ipcp dns 10.10.1.3 #set bundle accept encryption EOD; if (isset($config['dnsmasq']['enable'])) { $mpdconf .= " set ipcp dns " . $config['interfaces']['lan']['ipaddr']; if ($syscfg['dnsserver'][0]) $mpdconf .= " " . $syscfg['dnsserver'][0]; $mpdconf .= "\n"; } else if (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) { $mpdconf .= " set ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n"; } if (isset($pppoecfg['radius']['enable'])) { $mpdconf .= << <eod<br>set radius server {$pppoecfg['radius']['server']} "{$pppoecfg['radius']['secret']}" set radius retries 3 set radius timeout 10 set bundle enable radius-auth set bundle disable radius-fallback EOD; if (isset($pppoecfg['radius']['accounting'])) { $mpdconf .= << <eod<br>set bundle enable radius-acct set radius acct-update 300 EOD; } } fwrite($fd, $mpdconf); fclose($fd); /* write mpd.links */ $fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.links", "a"); if (!$fd) { printf("Error: cannot open mpd.links in vpn_pppoe_configure().\n"); return 1; } $mpdlinks = ""; for ($i = 0; $i < $pppoecfg['n_pppoe_units']; $i++) { $mpdlinks .= << <eod<br>pppoe: set link type pppoe set pppoe iface {$pppoe_interface} EOD; } fwrite($fd, $mpdlinks); fclose($fd); /* write mpd.secret */ $fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.secret", "a"); if (!$fd) { printf("Error: cannot open mpd.secret in vpn_pppoe_configure().\n"); return 1; } $mpdsecret = "\n\n"; if (is_array($pppoecfg['user'])) { foreach ($pppoecfg['user'] as $user) $mpdsecret .= "{$user['name']} \"{$user['password']}\" {$user['ip']}\n"; } fwrite($fd, $mpdsecret); fclose($fd); chmod("{$g['varetc_path']}/mpd-vpn/mpd.secret", 0600); /* fire up mpd */ mwexec("/usr/local/sbin/mpd -b -d {$g['varetc_path']}/mpd-vpn -p {$g['varrun_path']}/mpd-vpn.pid pppoe"); break; case 'redir': break; } touch("{$g["tmp_path"]}/filter_dirty"); if ($g['booting']) echo "done\n"; return 0; } /* Forcefully restart IPSEC * This is required for when dynamic interfaces reload * For all other occasions the normal vpn_ipsec_configure() * will gracefully reload the settings without restarting */ function vpn_ipsec_force_reload() { global $config; global $g; $ipseccfg = $config['ipsec']; /* kill any ipsec communications regardless when we are invoked */ mwexec("/sbin/ifconfig enc0 down"); /* kill racoon */ mwexec("/usr/bin/killall racoon", true); /* wait for process to die */ sleep(4); /* send a SIGKILL to be sure */ sigkillbypid("{$g['varrun_path']}/racoon.pid", "KILL"); /* wait for flushing to finish */ sleep(1); /* if ipsec is enabled, start up again */ if (isset($ipseccfg['enable'])) { log_error("Forcefully reloading IPSEC racoon daemon"); vpn_ipsec_configure(); } } ?></eod<br></eod<br></eod<br></eod<br></eod<br></eod<br></eod<br></eod<br></eod<br></eod<br></eod<br></eod<br></eod<br></eod<br></eod<br></eod<br></eod<br></eod<br></mk@neon1.net>
-
Ok, so if you look at the output of that, in your /var/etc/racoon.conf, where does dpd_delay show up there?
-
It is not the racoon.conf It is the vpn.inc that needs to be edited
-
Yes, I know that, but I wanted to know what the output from vpn.inc resulted in.
Even after moving the dpd line to the same location in that file, it still doesn't work for me, but I'm using 1.2.3-RC1. It looks from the vpn.inc that you're using that you're on 1.2.2 still.
-
path pre_shared_key "/var/etc/psk.txt"; path certificate "/var/etc"; remote 67.114.XXX.XXX { exchange_mode main; my_identifier address "12.238.XXX.XXX"; peers_identifier address 67.114.XXX.XXX; initial_contact on; #dpd_delay 120; # DPD poll every 120 seconds ike_frag on; support_proxy on; proposal_check obey; dpd_delay 20; proposal { encryption_algorithm blowfish; hash_algorithm sha1; authentication_method pre_shared_key; dh_group 2; lifetime time 28800 secs; } lifetime time 28800 secs; } sainfo address 172.20.0.0/16 any address 192.168.100.0/24 any { encryption_algorithm rijndael; authentication_algorithm hmac_sha1; compression_algorithm deflate; pfs_group 2; lifetime time 86400 secs; } remote 69.12.XXX.XXX { exchange_mode main; my_identifier address "12.238.XXX.XXX"; peers_identifier address 69.12.XXX.XXX; initial_contact on; #dpd_delay 120; # DPD poll every 120 seconds ike_frag on; support_proxy on; proposal_check obey; dpd_delay 20; proposal { encryption_algorithm 3des; hash_algorithm sha1; authentication_method pre_shared_key; dh_group 2; lifetime time 28800 secs; } lifetime time 28800 secs; } sainfo address 172.20.0.0/16 any address 10.20.30.0/24 any { encryption_algorithm 3des; authentication_algorithm hmac_sha1; compression_algorithm deflate; pfs_group 2; lifetime time 86400 secs; }
-
On my 1.2.3 RC1 system it shows up after initial_contact.
peers_identifier address x.x.x.x; initial_contact on; dpd_delay 30; ike_frag on; support_proxy on; proposal_check obey;
I can't imagine the placement of dpd_delay would have an affect on it's effectiveness, though unless it was a bug in racoon.
Easy enough to change, through just move line 447 of /etc/inc/vpn.inc down a bit.
-
Yeah, it makes no difference for me where it is, so that's why I wanted to know more about kapara's config file.
Something else must have been changed that made it start working, as that doesn't seem to work for everyone.
-
Also I am using 1.2.2 Release embedded. Another thing was I was lazy and actually have 2 DPD entries at the same time. one for 120 and another for 20. Forgot to remove it and it is still there based on the exisiting vpn.inc
-
There is a patch that was just added this evening that may fix this, but I won't be able to test it more until tomorrow. If someone else who is seeing the DPD failure/IPSec stuck open issue could try pfSense-Full-Update-1.2.3-20090514-1908.tgz or later, it may behave differently.
-
Still broken here with the latest snapshots, but I have heard from other sources that there is some ongoing work with ipsec-tools that may result in a fix. So we'll have to wait and see what becomes of that.
-
Since I have mine working maybe it would be a good idea to move this to IPSEC rathern than the Bounty section.
-
Was this actually a successful bounty or did you just figure out how to ultimately make it work?
-
He got it working on his own.
The problem is now that nobody else can replicate his success on his own setup :)
I'll start a fresh thread on the IPSec forum for the remaining issue. Actually, it's a toss up between that and the 1.2.3-RC forum since that's what I'm testing on.
-
I can post any information that you would like on my setup. Just let me know what you want me to post. Also when I have had problems in the past I have done a complete rebuild of my system and manually entered all rules, aliases, etc by hand. This actually has fixed some problems of mine in the past rather than trying to figure out what went wrong. It seems that sometimes some changes that are made do not get removed properly or some thing do not get implemented properly and there is no "simple" way to fix it other than a manual rebuild. Though I am not a dev and do not understand the mechanisims of how it works in the background.
Let me know if I can post anything which might help.
-
I think what you already posted (vpn.inc and snippet of racoon.conf) is enough for the pfSense side.
If you have more information you wan to add, you can do so in the new thread I made:
http://forum.pfsense.org/index.php/topic,16274.0.html