Fix the VPN IPSEC Dead Peer Detection in 1.2.2 or 1.2.3 {$200}
-
Those aren't the changes in 0.7.2, but the changes in 0.7.1. Here are the changes in 0.7.2:
0.7.2 - 22 April 2009
-
Fix a remote crash in fragmentation code
-
Phase2 message identities are phase1 specific (Vista compatibility)
-
Autogenerate ChangeLog from cvs metadata
-
Fix mode config pool resizing
-
NAT-T fixes related to purging of IPsec SA:s and retransmission
-
Remove phase1 handler immediately if first exchange is bad
-
A bunch of memory leak and possible memory corruptions (triggerable
by bad configuration or startup parameters)
Seems like an update that is worth upgrading to given how many crash fixes there are in it.
-
-
But this is not likely to be applied to 1.2.2….... :'( Or at least in 1.2.3 unless it is already there. Just concerned about stability.
-
But this is not likely to be applied to 1.2.2….... :'( Or at least in 1.2.3 unless it is already there. Just concerned about stability.
The devs have to consider what is worse:
1. Potential instability due to a new version of ipsec-tools or even an increase in stability due to bugs being fixed.
2. Shipping with a remote DoS attack vulnerability that has been known for 3 weeks now. -
I am testing a build of 1.2.3-RC with ipsec-tools 0.7.2 and it may be my slightly weird test environment, but it didn't fix the issue so far.
That said, if I switch both ends of the IPSec tunnel to Aggressive Mode instead of Main Mode, then DPD seems to want to work, but doesn't actually get all the way.
May 14 10:17:55 pfsense-123test racoon: INFO: IPsec-SA request for x.x.x.49 queued due to no phase1 found. May 14 10:17:55 pfsense-123test racoon: INFO: initiate new phase 1 negotiation: x.x.x.40[500]<=>x.x.x.49[500] May 14 10:17:55 pfsense-123test racoon: INFO: begin Aggressive mode. May 14 10:17:55 pfsense-123test racoon: INFO: received Vendor ID: CISCO-UNITY May 14 10:17:55 pfsense-123test racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt May 14 10:17:55 pfsense-123test racoon: INFO: received Vendor ID: DPD May 14 10:17:55 pfsense-123test racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address. May 14 10:17:55 pfsense-123test racoon: INFO: ISAKMP-SA established x.x.x.40[500]-x.x.x.49[500] spi:5570f421d746e391:6a94f32073b1ed3f May 14 10:17:56 pfsense-123test racoon: INFO: initiate new phase 2 negotiation: x.x.x.40[500]<=>x.x.x.49[500] May 14 10:17:56 pfsense-123test racoon: WARNING: ignore RESPONDER-LIFETIME notification. May 14 10:17:56 pfsense-123test racoon: INFO: IPsec-SA established: ESP x.x.x.49[0]->x.x.x.40[0] spi=165272301(0x9d9daed) May 14 10:17:56 pfsense-123test racoon: INFO: IPsec-SA established: ESP x.x.x.40[500]->x.x.x.49[500] spi=463118085(0x1b9a9f05) [Power off Cisco VPN Concentrator] May 14 10:19:10 pfsense-123test racoon: INFO: DPD: remote (ISAKMP-SA spi=5570f421d746e391:6a94f32073b1ed3f) seems to be dead. May 14 10:19:11 pfsense-123test racoon: INFO: ISAKMP-SA deleted x.x.x.40[500]-x.x.x.49[500] spi:5570f421d746e391:6a94f32073b1ed3f
The log message is all well and good except it didn't actually delete the SAs. They're still there.
I'm making a new build right now to see if things behave any differently. Before that, I'm going to go back to a stock 1.2.3 snapshot and see if Aggressive mode behaves the same way.
-
All is now working! I removed the Concentrator from the DMZ of my local pfSense and connected it directly to a public IP. I noticed in the firewall logs that my firewall was blocking port 500 traffic and all other traffic which originated from the remote sites to my local site. Odd since I created a rule on my DMZ allowing all traffic to pass to the public interface of my concentrator.
Lan 10.20.30.1
DMZ 10.20.20.1Concentrator Private: 10.20.30.2
Concentrator Public: 10.20.20.2I was seeing my customers IP's being blocked:
10.0.0.0/24
192.168.127.0/24
172.20.30.0/16These were being blocked both on the LAN interface and on the DMZ. I will post some of the logs. I just need to reconfigure to internal again rather than direct connect to public IP on Concentrator Public interface.
-
So your tunnel reestablishes OK now after a power cycle?
That is strange, since my concentrator is already on a public IP and has no filtering in front of it. Its public is on the same switch as my pfSense test box.
And yet if I power cycle the concentrator, the tunnel never comes back up.
Are you sure nothing else changed in all that?
-
I did modify the DPD setting in the pfSense 1.2.2 by modifying the file. I think DPD was enabled for phase 1 or phase 2 and I enabled it for the other one in the conf file. If I can remember which file I will post the changes I made.
-
Ok, that would help a lot.
It should be /var/etc/racoon.conf
If I can see how you changed it, I can probably get that into the code to see if it fixes for everyone.
-
Look for the dpd_delay. On one of them it is commented out. File is: /etc/inc/vpn.inc
See post: http://forum.pfsense.org/index.php/topic,10371.0.html
From Pesh:
I don't know if everyone else has encountered this, but I recently had a problem where if one of my pfSense firewalls was restarted for whatever reason, the other pfSenses on the other ends of the VPN tunnels wouldn't recognise this. They would keep the old SA up and not negotiate any new ones, causing a failure to pass any traffic over the VPN. The only fix was to manually delete the entries from the SAD on these other firewalls so it would make a fresh tunnel again.
After reading around a bit, I saw an option for the racoon.conf that would turn on Dead Peer Detection, and figured I'd give that a try. In /etc/inc/vpn.inc, after each line saying proposal_check obey;, I added a line dpd_delay 20;. Then restarted racoon on each firewall, restarted one of the firewalls on its own and found that it renegotiated the tunnels straight away!
Anyway just a suggestion, I think this would be a useful option to add to pfSense.
/* vpn.inc Copyright (C) 2004-2006 Scott Ullrich All rights reserved. originally part of m0n0wall (http://m0n0.ch/wall) Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1\. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2\. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ /* include all configuration functions */ require_once("functions.inc"); /* master setup for vpn (mpd) */ function vpn_setup() { /* start pptpd */ vpn_pptpd_configure(); /* start pppoe server */ vpn_pppoe_configure(); } function vpn_ipsec_failover_configure() { global $config, $g; $sasyncd_text = ""; if($config['installedpackages']['sasyncd']['config'] <> "") foreach($config['installedpackages']['sasyncd']['config'] as $sasyncd) { $enabled = isset($sasyncd['enable']); if(!$enabled) return; if($sasyncd['peerip'] <> "") $sasyncd_text .= "peer {$sasyncd['peerip']}\n"; if($sasyncd['interface']) $sasyncd_text .= "carp interface {$sasyncd['interface']}\n"; if($sasyncd['sharedkey'] <> "") $sasyncd_text .= "sharedkey {$sasyncd['sharedkey']}\n"; if($sasyncd['mode'] <> "") $sasyncd_text .= "mode {$sasyncd['mode']}\n"; if($sasyncd['listenon'] <> "") $sasyncd_text .= "listen on {$sasyncd['listenon']}\n"; if($sasyncd['flushmodesync'] <> "") $sasyncd_text .= "flushmode sync {$sasyncd['flushmodesync']}\n"; } $fd = fopen("{$g['varetc_path']}/sasyncd.conf", "w"); fwrite($fd, $sasyncd_text); fclose($fd); chmod("{$g['varetc_path']}/sasyncd.conf", 0600); mwexec("killall sasyncd", true); /* launch sasyncd, oh wise one */ /* mwexec_bg("/usr/local/sbin/sasyncd -d -v -v -v"); */ } function find_last_gif_device() { $regs = ""; $last_gif_found = -1; if (!($fp = popen("/sbin/ifconfig -l", "r"))) return -1; $ifconfig_data = fread($fp, 4096); pclose($fp); $ifconfig_array = split(" ", $ifconfig_data); foreach ($ifconfig_array as $ifconfig) { ereg("gif(.)", $ifconfig, $regs); if($regs[0]) { if($regs[0] > $last_gif_found) $last_gif_found = $regs[1]; } } return $last_gif_found; } function vpn_ipsec_configure($ipchg = false) { global $config, $g, $sa, $sn; mwexec("/sbin/ifconfig enc0 create", true); mwexec("/sbin/ifconfig enc0 up", true); /* get the automatic /etc/ping_hosts.sh ready */ unlink_if_exists("/var/db/ipsecpinghosts"); touch("/var/db/ipsecpinghosts"); if($g['booting'] == true) { /* determine if we should load the via padlock module */ $dmesg_boot = `cat /var/log/dmesg.boot | grep CPU`; if(stristr($dmesg_boot, "ACE") == true) { //echo "Enabling [VIA Padlock] ..."; //mwexec("/sbin/kldload padlock"); //mwexec("/sbin/sysctl net.inet.ipsec.crypto_support=1"); //mwexec("/usr/local/sbin/setkey -F"); //mwexec("/usr/local/sbin/setkey -FP"); //echo " done.\n"; } } if(isset($config['ipsec']['preferredoldsa'])) { mwexec("/sbin/sysctl net.key.preferred_oldsa=0"); } else { mwexec("/sbin/sysctl -w net.key.preferred_oldsa=-30"); } $number_of_gifs = find_last_gif_device(); for($x=0; $x<$number_of_gifs; $x++) { mwexec("/sbin/ifconfig gif" . $x . " delete"); } $curwanip = get_current_wan_address(); $syscfg = $config['system']; $ipseccfg = $config['ipsec']; $lancfg = $config['interfaces']['lan']; $lanip = $lancfg['ipaddr']; $lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']); $lansn = $lancfg['subnet']; if (!isset($ipseccfg['enable'])) { mwexec("/sbin/ifconfig enc0 down"); mwexec("/sbin/ifconfig enc0 destroy"); /* kill racoon */ mwexec("/usr/bin/killall racoon", true); /* wait for process to die */ sleep(2); /* send a SIGKILL to be sure */ sigkillbypid("{$g['varrun_path']}/racoon.pid", "KILL"); /* flush SPD and SAD */ mwexec("/usr/local/sbin/setkey -FP"); mwexec("/usr/local/sbin/setkey -F"); return true; } if ($g['booting']) { echo "Configuring IPsec VPN... "; } if (isset($ipseccfg['enable'])) { /* fastforwarding is not compatible with ipsec tunnels */ system("/sbin/sysctl net.inet.ip.fastforwarding=0 >/dev/null 2>&1"); if (!$curwanip) { /* IP address not configured yet, exit */ if ($g['booting']) echo "done\n"; return 0; } /* this loads a route table which is used to determine if a route needs to be removed. */ exec("/usr/bin/netstat -rn", $route_arr, $retval); $route_str = implode("\n", $route_arr); if ((is_array($ipseccfg['tunnel']) && count($ipseccfg['tunnel'])) || isset($ipseccfg['mobileclients']['enable'])) { if (is_array($ipseccfg['tunnel']) && count($ipseccfg['tunnel'])) { /* generate spd.conf */ $fd = fopen("{$g['varetc_path']}/spd.conf", "w"); if (!$fd) { printf("Error: cannot open spd.conf in vpn_ipsec_configure().\n"); return 1; } $spdconf = ""; $spdconf .= "spdadd {$lansa}/{$lansn} {$lanip}/32 any -P in none;\n"; $spdconf .= "spdadd {$lanip}/32 {$lansa}/{$lansn} any -P out none;\n"; foreach ($ipseccfg['tunnel'] as $tunnel) { if (isset($tunnel['disabled'])) continue; $ep = vpn_endpoint_determine($tunnel, $curwanip); if (!$ep) { log_error("Could not deterimine VPN endpoint for {$tunnel['descr']}"); continue; } vpn_localnet_determine($tunnel['local-subnet'], $sa, $sn); if(is_domain($tunnel['remote-gateway'])) { $tmp = gethostbyname($tunnel['remote-gateway']); if($tmp) $tunnel['remote-gateway'] = $tmp; } /* add entry to host pinger */ if ($tunnel['pinghost']) { $pfd = fopen("/var/db/ipsecpinghosts", "a"); $iflist = array("lan" => "lan", "wan" => "wan"); for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) $iflist['opt' . $i] = "opt{$i}"; foreach ($iflist as $ifent => $ifname) { $interface_ip = find_interface_ip($config['interfaces'][$ifname]['if']); if (ip_in_subnet($interface_ip, $sa . "/" . $sn)) $srcip = find_interface_ip($config['interfaces'][$ifname]['if']); } $dstip = $tunnel['pinghost']; fwrite($pfd, "$srcip|$dstip|3\n"); fclose($pfd); } if(isset($tunnel['creategif'])) { $number_of_gifs = find_last_gif_device(); $number_of_gifs++; $curwanip = get_current_wan_address(); mwexec("/sbin/ifconfig gif" . $number_of_gifs . " tunnel" . $curwanip . " " . $tunnel['remote-gateway']); mwexec("/sbin/ifconfig gif" . $number_of_gifs . " {$lansa}/{$lansn} {$lanip}/32"); } $spdconf .= "spdadd {$sa}/{$sn} " . "{$tunnel['remote-subnet']} any -P out ipsec " . "{$tunnel['p2']['protocol']}/tunnel/{$ep}-" . "{$tunnel['remote-gateway']}/unique;\n"; $spdconf .= "spdadd {$tunnel['remote-subnet']} " . "{$sa}/{$sn} any -P in ipsec " . "{$tunnel['p2']['protocol']}/tunnel/{$tunnel['remote-gateway']}-" . "{$ep}/unique;\n"; /* static route needed? */ if(preg_match("/^carp/i", $tunnel['interface'])) { $parentinterface = link_carp_interface_to_parent($tunnel['interface']); } else { $parentinterface = $tunnel['interface']; } if($parentinterface <> "wan") { /* add endpoint routes to correct gateway on interface */ if(interface_has_gateway($parentinterface)) { $gatewayip = get_interface_gateway("$parentinterface"); $interfaceip = $config['interfaces'][$parentinterface]['ipaddr']; $subnet_bits = $config['interfaces'][$parentinterface]['subnet']; $subnet_ip = gen_subnet("{$interfaceip}", "{$subnet_bits}"); /* if the remote gateway is in the local subnet, then don't add a route */ if(! ip_in_subnet($tunnel['remote-gateway'], "{$subnet_ip}/{$subnet_bits}")) { if(is_ipaddr($gatewayip)) { log_error("IPSEC interface is not WAN but {$tunnel['interface']}, adding static route for VPN endpoint {$tunnel['remote-gateway']} via {$gatewayip}"); mwexec("/sbin/route delete -host {$tunnel['remote-gateway']}"); mwexec("/sbin/route add -host {$tunnel['remote-gateway']} {$gatewayip}"); } } } } else { if(stristr($route_str, "/{$tunnel['remote-gateway']}/")) { mwexec("/sbin/route delete -host {$tunnel['remote-gateway']}"); } } } fwrite($fd, $spdconf); fclose($fd); } /* generate racoon.conf */ $fd = fopen("{$g['varetc_path']}/racoon.conf", "w"); if (!$fd) { printf("Error: cannot open racoon.conf in vpn_ipsec_configure().\n"); return 1; } $racoonconf = ""; $racoonconf .= "path pre_shared_key \"{$g['varetc_path']}/psk.txt\";\n\n"; $racoonconf .= "path certificate \"{$g['varetc_path']}\";\n\n"; /* generate CA certificates files */ $cacertnum = 0; if (is_array($ipseccfg['cacert']) && count($ipseccfg['cacert'])) foreach ($ipseccfg['cacert'] as $cacert) { ++$cacertnum; if (isset($cacert['cert'])) { $cert = base64_decode($cacert['cert']); $x509cert = openssl_x509_parse(openssl_x509_read($cert)); if(is_array($x509cert) && isset($x509cert['hash'])) { $fd1 = fopen("{$g['varetc_path']}/{$x509cert['hash']}.0", "w"); if (!$fd1) { printf("Error: cannot open {$x509cert['hash']}.0 in vpn.\n"); return 1; } chmod("{$g['varetc_path']}/{$x509cert['hash']}.0", 0600); fwrite($fd1, $cert); fclose($fd1); } } } $tunnelnumber = 0; if (is_array($ipseccfg['tunnel']) && count($ipseccfg['tunnel'])) foreach ($ipseccfg['tunnel'] as $tunnel) { ++$tunnelnumber; if (isset($tunnel['disabled'])) continue; $ep = vpn_endpoint_determine($tunnel, $curwanip); if (!$ep) continue; vpn_localnet_determine($tunnel['local-subnet'], $sa, $sn); if (isset($tunnel['p1']['myident']['myaddress'])) { $myidentt = "address"; $myident = $ep; } else if (isset($tunnel['p1']['myident']['address'])) { $myidentt = "address"; $myident = $tunnel['p1']['myident']['address']; } else if (isset($tunnel['p1']['myident']['fqdn'])) { $myidentt = "fqdn"; $myident = $tunnel['p1']['myident']['fqdn']; } else if (isset($tunnel['p1']['myident']['ufqdn'])) { $myidentt = "user_fqdn"; $myident = $tunnel['p1']['myident']['ufqdn']; } else if (isset($tunnel['p1']['myident']['dyn_dns'])) { $myidentt = "dyn_dns"; $myident = gethostbyname($tunnel['p1']['myident']['dyn_dns']); } if (!($myidentt == "asn1dn" && $myident == "")) { $myident = " \"".$myident."\""; } $nattline = ''; if (isset($tunnel['natt'])) { $nattline = "nat_traversal on;"; } if (isset($tunnel['p1']['authentication_method'])) { $authmethod = $tunnel['p1']['authentication_method']; } else {$authmethod = 'pre_shared_key';} $certline = ''; if ($authmethod == 'rsasig') { if ($tunnel['p1']['cert'] && $tunnel['p1']['private-key']) { $cert = base64_decode($tunnel['p1']['cert']); $private_key = base64_decode($tunnel['p1']['private-key']); } else { /* null certificate/key */ $cert = ''; $private_key = ''; } if ($tunnel['p1']['peercert']) $peercert = base64_decode($tunnel['p1']['peercert']); else $peercert = ''; $fd1 = fopen("{$g['varetc_path']}/server{$tunnelnumber}-signed.pem", "w"); if (!$fd1) { printf("Error: cannot open server{$tunnelnumber}-signed.pem in vpn.\n"); return 1; } chmod("{$g['varetc_path']}/server{$tunnelnumber}-signed.pem", 0600); fwrite($fd1, $cert); fclose($fd1); $fd1 = fopen("{$g['varetc_path']}/server{$tunnelnumber}-key.pem", "w"); if (!$fd1) { printf("Error: cannot open server{$tunnelnumber}-key.pem in vpn.\n"); return 1; } chmod("{$g['varetc_path']}/server{$tunnelnumber}-key.pem", 0600); fwrite($fd1, $private_key); fclose($fd1); $certline = "certificate_type x509 \"server{$tunnelnumber}-signed.pem\" \"server{$tunnelnumber}-key.pem\";"; if ($peercert!=''){ $fd1 = fopen("{$g['varetc_path']}/peer{$tunnelnumber}-signed.pem", "w"); if (!$fd1) { printf("Error: cannot open server{$tunnelnumber}-signed.pem in vpn.\n"); return 1; } chmod("{$g['varetc_path']}/peer{$tunnelnumber}-signed.pem", 0600); fwrite($fd1, $peercert); fclose($fd1); $certline .= << <eod<br>peers_certfile "peer{$tunnelnumber}-signed.pem"; EOD; } } $racoonconf .= <<<eod<br>remote {$tunnel['remote-gateway']} \{ exchange_mode {$tunnel['p1']['mode']}; my_identifier {$myidentt}{$myident}; {$certline} peers_identifier address {$tunnel['remote-gateway']}; initial_contact on; #dpd_delay 120; # DPD poll every 120 seconds ike_frag on; support_proxy on; proposal_check obey; dpd_delay 20; proposal \{ encryption_algorithm {$tunnel['p1']['encryption-algorithm']}; hash_algorithm {$tunnel['p1']['hash-algorithm']}; authentication_method {$authmethod}; dh_group {$tunnel['p1']['dhgroup']}; EOD; if ($tunnel['p1']['lifetime']) $racoonconf .= " lifetime time {$tunnel['p1']['lifetime']} secs;\n"; $racoonconf .= " }\n"; if ($tunnel['p1']['lifetime']) $racoonconf .= " lifetime time {$tunnel['p1']['lifetime']} secs;\n"; $racoonconf .= "}\n\n"; $p2ealgos = join(",", $tunnel['p2']['encryption-algorithm-option']); $p2halgos = join(",", $tunnel['p2']['hash-algorithm-option']); $racoonconf .= <<<eod<br>sainfo address {$sa}/{$sn} any address {$tunnel['remote-subnet']} any \{ encryption_algorithm {$p2ealgos}; authentication_algorithm {$p2halgos}; compression_algorithm deflate; EOD; if ($tunnel['p2']['pfsgroup']) $racoonconf .= " pfs_group {$tunnel['p2']['pfsgroup']};\n"; if ($tunnel['p2']['lifetime']) $racoonconf .= " lifetime time {$tunnel['p2']['lifetime']} secs;\n"; $racoonconf .= "}\n\n"; } /* mobile clients? */ if (isset($ipseccfg['mobileclients']['enable'])) { $tunnel = $ipseccfg['mobileclients']; if (isset($tunnel['p1']['myident']['myaddress'])) { $myidentt = "address "; $myident = $curwanip; } else if (isset($tunnel['p1']['myident']['address'])) { $myidentt = "address "; $myident = $tunnel['p1']['myident']['address']; } else if (isset($tunnel['p1']['myident']['fqdn'])) { $myidentt = "fqdn "; $myident = $tunnel['p1']['myident']['fqdn']; } else if (isset($tunnel['p1']['myident']['ufqdn'])) { $myidentt = "user_fqdn "; $myident = $tunnel['p1']['myident']['ufqdn']; } if (isset($tunnel['p1']['authentication_method'])) { $authmethod = $tunnel['p1']['authentication_method']; } else {$authmethod = 'pre_shared_key';} $certline = ''; if ($authmethod == 'rsasig') { if ($tunnel['p1']['cert'] && $tunnel['p1']['private-key']) { $cert = base64_decode($tunnel['p1']['cert']); $private_key = base64_decode($tunnel['p1']['private-key']); } else { /* null certificate/key */ $cert = ''; $private_key = ''; } if ($tunnel['p1']['peercert']) $peercert = base64_decode($tunnel['p1']['peercert']); else $peercert = ''; $fd1 = fopen("{$g['varetc_path']}/server-mobile{$tunnelnumber}-signed.pem", "w"); if (!$fd1) { printf("Error: cannot open server-mobile{$tunnelnumber}-signed.pem in vpn.\n"); return 1; } chmod("{$g['varetc_path']}/server-mobile{$tunnelnumber}-signed.pem", 0600); fwrite($fd1, $cert); fclose($fd1); $fd1 = fopen("{$g['varetc_path']}/server-mobile{$tunnelnumber}-key.pem", "w"); if (!$fd1) { printf("Error: cannot open server-mobile{$tunnelnumber}-key.pem in vpn.\n"); return 1; } chmod("{$g['varetc_path']}/server-mobile{$tunnelnumber}-key.pem", 0600); fwrite($fd1, $private_key); fclose($fd1); $certline = "certificate_type x509 \"server-mobile{$tunnelnumber}-signed.pem\" \"server-mobile{$tunnelnumber}-key.pem\";"; } $racoonconf .= <<<eod<br>remote anonymous \{ exchange_mode {$tunnel['p1']['mode']}; my_identifier {$myidentt}"{$myident}"; {$nattline} {$certline} initial_contact on; dpd_delay 120; # DPD poll every 120 seconds ike_frag on; passive on; generate_policy on; support_proxy on; proposal_check obey; dpd_delay 20; proposal \{ encryption_algorithm {$tunnel['p1']['encryption-algorithm']}; hash_algorithm {$tunnel['p1']['hash-algorithm']}; authentication_method {$authmethod}; dh_group {$tunnel['p1']['dhgroup']}; EOD; if ($tunnel['p1']['lifetime']) $racoonconf .= " lifetime time {$tunnel['p1']['lifetime']} secs;\n"; $racoonconf .= " }\n"; if ($tunnel['p1']['lifetime']) $racoonconf .= " lifetime time {$tunnel['p1']['lifetime']} secs;\n"; $racoonconf .= "}\n\n"; $p2ealgos = join(",", $tunnel['p2']['encryption-algorithm-option']); $p2halgos = join(",", $tunnel['p2']['hash-algorithm-option']); $racoonconf .= <<<eod<br>sainfo anonymous \{ encryption_algorithm {$p2ealgos}; authentication_algorithm {$p2halgos}; compression_algorithm deflate; EOD; if ($tunnel['p2']['pfsgroup']) $racoonconf .= " pfs_group {$tunnel['p2']['pfsgroup']};\n"; if ($tunnel['p2']['lifetime']) $racoonconf .= " lifetime time {$tunnel['p2']['lifetime']} secs;\n"; $racoonconf .= "}\n\n"; } fwrite($fd, $racoonconf); fclose($fd); /* generate psk.txt */ $fd = fopen("{$g['varetc_path']}/psk.txt", "w"); if (!$fd) { printf("Error: cannot open psk.txt in vpn_ipsec_configure().\n"); return 1; } $pskconf = ""; if (is_array($ipseccfg['tunnel'])) { foreach ($ipseccfg['tunnel'] as $tunnel) { if (isset($tunnel['disabled'])) continue; $pskconf .= "{$tunnel['remote-gateway']} {$tunnel['p1']['pre-shared-key']}\n"; } } /* add PSKs for mobile clients */ if (is_array($ipseccfg['mobilekey'])) { foreach ($ipseccfg['mobilekey'] as $key) { $pskconf .= "{$key['ident']} {$key['pre-shared-key']}\n"; } } fwrite($fd, $pskconf); fclose($fd); chmod("{$g['varetc_path']}/psk.txt", 0600); if(is_process_running("racoon")) { /* flush SPD entries */ mwexec("/usr/local/sbin/setkey -FP"); sleep("0.1"); mwexec("/usr/local/sbin/setkey -F"); /* load SPD */ sleep("0.1"); mwexec("/usr/local/sbin/setkey -f {$g['varetc_path']}/spd.conf"); /* We are already online, reload */ sleep("0.1"); mwexec("/usr/bin/killall -HUP racoon", true); } else { /* flush SA + SPD entries */ mwexec("/usr/local/sbin/setkey -FP"); sleep("0.1"); mwexec("/usr/local/sbin/setkey -F"); sleep("0.1"); /* start racoon */ mwexec("/usr/local/sbin/racoon -f {$g['varetc_path']}/racoon.conf"); sleep("0.1"); /* load SPD */ mwexec("/usr/local/sbin/setkey -f {$g['varetc_path']}/spd.conf"); /* We are already online, reload */ sleep("0.1"); mwexec("/usr/bin/killall -HUP racoon", true); } } } vpn_ipsec_failover_configure(); if (!$g['booting']) { /* reload the filter */ touch("{$g["tmp_path"]}/filter_dirty"); } if ($g['booting']) echo "done\n"; return 0; } function vpn_pptpd_configure() { global $config, $g; $syscfg = $config['system']; $pptpdcfg = $config['pptpd']; if ($g['booting']) { if (!$pptpdcfg['mode'] || ($pptpdcfg['mode'] == "off")) return 0; echo "Configuring PPTP VPN service... "; } else { /* kill mpd */ killbypid("{$g['varrun_path']}/mpd-vpn.pid"); /* wait for process to die */ sleep(3); if(is_process_running("mpd -b")) { killbypid("{$g['varrun_path']}/mpd-vpn.pid"); log_error("Could not kill mpd within 3 seconds. Trying again."); } /* remove mpd.conf, if it exists */ unlink_if_exists("{$g['varetc_path']}/mpd-vpn/mpd.conf"); unlink_if_exists("{$g['varetc_path']}/mpd-vpn/mpd.links"); unlink_if_exists("{$g['varetc_path']}/mpd-vpn/mpd.secret"); } /* make sure mpd-vpn directory exists */ if (!file_exists("{$g['varetc_path']}/mpd-vpn")) mkdir("{$g['varetc_path']}/mpd-vpn"); switch ($pptpdcfg['mode']) { case 'server': /* write mpd.conf */ $fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.conf", "w"); if (!$fd) { printf("Error: cannot open mpd.conf in vpn_pptpd_configure().\n"); return 1; } $mpdconf = <<<eod<br>pptpd: EOD; for ($i = 0; $i < $g['n_pptp_units']; $i++) { $mpdconf .= " load pt{$i}\n"; } for ($i = 0; $i < $g['n_pptp_units']; $i++) { $clientip = long2ip(ip2long($pptpdcfg['remoteip']) + $i); $ngif = "ng" . ($i+1); $mpdconf .= << <eod<br>pt{$i}: new -i {$ngif} pt{$i} pt{$i} set ipcp ranges {$pptpdcfg['localip']}/32 {$clientip}/32 load pts EOD; } $mpdconf .= << <eod<br>pts: set iface disable on-demand set iface enable proxy-arp set iface enable tcpmssfix set iface idle 1800 set iface up-script /usr/local/sbin/vpn-linkup set iface down-script /usr/local/sbin/vpn-linkdown set bundle enable multilink set bundle enable crypt-reqd set link yes acfcomp protocomp set link no pap chap set link enable chap-msv2 set link mtu 1460 set link keep-alive 10 60 set ipcp yes vjcomp set bundle enable compression set ccp yes mppc set ccp yes mpp-e128 set ccp yes mpp-stateless EOD; if (!isset($pptpdcfg['req128'])) { $mpdconf .= << <eod<br>set ccp yes mpp-e40 set ccp yes mpp-e56 EOD; } if (isset($pptpdcfg["wins"])) $mpdconf .= " set ipcp nbns {$pptpdcfg['wins']}\n"; if (is_array($pptpdcfg['dnsserver']) && ($pptpdcfg['dnsserver'][0])) { $mpdconf .= " set ipcp dns " . join(" ", $pptpdcfg['dnsserver']) . "\n"; } else if (isset($config['dnsmasq']['enable'])) { $mpdconf .= " set ipcp dns " . $config['interfaces']['lan']['ipaddr']; if ($syscfg['dnsserver'][0]) $mpdconf .= " " . $syscfg['dnsserver'][0]; $mpdconf .= "\n"; } else if (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) { $mpdconf .= " set ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n"; } if (isset($pptpdcfg['radius']['enable'])) { $mpdconf .= << <eod<br>set radius server {$pptpdcfg['radius']['server']} "{$pptpdcfg['radius']['secret']}" set radius retries 3 set radius timeout 10 set bundle enable radius-auth set bundle disable radius-fallback EOD; if (isset($pptpdcfg['radius']['accounting'])) { $mpdconf .= << <eod<br>set bundle enable radius-acct EOD; } } fwrite($fd, $mpdconf); fclose($fd); /* write mpd.links */ $fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.links", "w"); if (!$fd) { printf("Error: cannot open mpd.links in vpn_pptpd_configure().\n"); return 1; } $mpdlinks = ""; for ($i = 0; $i < $g['n_pptp_units']; $i++) { $mpdlinks .= << <eod<br>pt{$i}: set link type pptp set pptp enable incoming set pptp disable originate set pptp disable windowing set pptp self 127.0.0.1 EOD; } fwrite($fd, $mpdlinks); fclose($fd); /* write mpd.secret */ $fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.secret", "w"); if (!$fd) { printf("Error: cannot open mpd.secret in vpn_pptpd_configure().\n"); return 1; } $mpdsecret = ""; if (is_array($pptpdcfg['user'])) { foreach ($pptpdcfg['user'] as $user) $mpdsecret .= "{$user['name']} \"{$user['password']}\" {$user['ip']}\n"; } fwrite($fd, $mpdsecret); fclose($fd); chmod("{$g['varetc_path']}/mpd-vpn/mpd.secret", 0600); /* fire up mpd */ mwexec("/usr/local/sbin/mpd -b -d {$g['varetc_path']}/mpd-vpn -p {$g['varrun_path']}/mpd-vpn.pid pptpd"); break; case 'redir': break; } if (!$g['booting']) { /* reload the filter */ filter_configure(); } if ($g['booting']) echo "done\n"; return 0; } function vpn_localnet_determine($adr, &$sa, &$sn) { global $config, $g; if (isset($adr)) { if ($adr['network']) { switch ($adr['network']) { case 'lan': $sn = $config['interfaces']['lan']['subnet']; $sa = gen_subnet($config['interfaces']['lan']['ipaddr'], $sn); break; } } else if ($adr['address']) { list($sa,$sn) = explode("/", $adr['address']); if (is_null($sn)) $sn = 32; } } else { $sn = $config['interfaces']['lan']['subnet']; $sa = gen_subnet($config['interfaces']['lan']['ipaddr'], $sn); } } function vpn_endpoint_determine($tunnel, $curwanip) { global $g, $config; if(!$tunnel['interface']) { return null; } if(is_ipaddr($curwanip)) { if(preg_match("/^carp/i", $tunnel['interface'])) { $iface = $tunnel['interface']; } else { if($config['interfaces'][$tunnel['interface']]['ipaddr'] == "pppoe" OR $config['interfaces'][$tunnel['interface']]['ipaddr'] == "pptp") { $iface = "ng0"; } else { $iface = $config['interfaces'][$tunnel['interface']]['if']; } } $oc = $config['interfaces'][$tunnel['interface']]; /* carp ips, etc */ $ip = find_interface_ip($iface); if($ip) return $ip; if (isset($oc['enable']) && $oc['if']) { return $oc['ipaddr']; } } return null; } function vpn_pppoe_configure() { global $config, $g; $syscfg = $config['system']; $pppoecfg = $config['pppoe']; /* create directory if it does not exist */ if(!is_dir("{$g['varetc_path']}/mpd-vpn")) mkdir("{$g['varetc_path']}/mpd-vpn"); if ($g['booting']) { if (!$pppoecfg['mode'] || ($pppoecfg['mode'] == "off")) return 0; echo "Configuring PPPoE VPN service... "; } /* make sure mpd-vpn directory exists */ if (!file_exists("{$g['varetc_path']}/mpd-vpn")) mkdir("{$g['varetc_path']}/mpd-vpn"); switch ($pppoecfg['mode']) { case 'server': $pppoe_interface = filter_translate_type_to_real_interface($pppoecfg['interface']); /* write mpd.conf */ $fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.conf", "a"); if (!$fd) { printf("Error: cannot open mpd.conf in vpn_pppoe_configure().\n"); return 1; } $mpdconf = "\n\n"; $mpdconf .= <<<eod<br>pppoe: EOD; for ($i = 0; $i < $pppoecfg['n_pppoe_units']; $i++) { $mpdconf .= " load pppoe{$i}\n"; } for ($i = 0; $i < $pppoecfg['n_pppoe_units']; $i++) { $clientip = long2ip(ip2long($pppoecfg['remoteip']) + $i); $ngif = "ng" . ($i+1); if(isset($pppoecfg['radius']['radiusissueips']) && isset($pppoecfg['radius']['enable'])) { $isssue_ip_type = "set ipcp ranges {$pppoecfg['localip']}/32 0.0.0.0/0"; $isssue_ip_type .="\n\tset ipcp yes radius-ip"; } else { $isssue_ip_type = "set ipcp ranges {$pppoecfg['localip']}/32 {$clientip}/32"; } $mpdconf .= << <eod<br>pppoe{$i}: new -i {$ngif} pppoe{$i} pppoe{$i} {$isssue_ip_type} load pppoe_standart EOD; } $mpdconf .= << <eod<br>pppoe_standart: set link type pppoe set pppoe iface {$pppoe_interface} set pppoe service "*" set pppoe disable originate set pppoe enable incoming set bundle no multilink set bundle enable compression set bundle max-logins 1 set iface idle 0 set iface disable on-demand set iface disable proxy-arp set iface enable tcpmssfix set iface mtu 1500 set link no pap chap set link enable chap set link keep-alive 60 180 set ipcp yes vjcomp set ipcp no vjcomp set link max-redial -1 set link mtu 1492 set link mru 1492 set ccp yes mpp-e40 set ccp yes mpp-e128 set ccp yes mpp-stateless set link latency 1 #set ipcp dns 10.10.1.3 #set bundle accept encryption EOD; if (isset($config['dnsmasq']['enable'])) { $mpdconf .= " set ipcp dns " . $config['interfaces']['lan']['ipaddr']; if ($syscfg['dnsserver'][0]) $mpdconf .= " " . $syscfg['dnsserver'][0]; $mpdconf .= "\n"; } else if (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) { $mpdconf .= " set ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n"; } if (isset($pppoecfg['radius']['enable'])) { $mpdconf .= << <eod<br>set radius server {$pppoecfg['radius']['server']} "{$pppoecfg['radius']['secret']}" set radius retries 3 set radius timeout 10 set bundle enable radius-auth set bundle disable radius-fallback EOD; if (isset($pppoecfg['radius']['accounting'])) { $mpdconf .= << <eod<br>set bundle enable radius-acct set radius acct-update 300 EOD; } } fwrite($fd, $mpdconf); fclose($fd); /* write mpd.links */ $fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.links", "a"); if (!$fd) { printf("Error: cannot open mpd.links in vpn_pppoe_configure().\n"); return 1; } $mpdlinks = ""; for ($i = 0; $i < $pppoecfg['n_pppoe_units']; $i++) { $mpdlinks .= << <eod<br>pppoe: set link type pppoe set pppoe iface {$pppoe_interface} EOD; } fwrite($fd, $mpdlinks); fclose($fd); /* write mpd.secret */ $fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.secret", "a"); if (!$fd) { printf("Error: cannot open mpd.secret in vpn_pppoe_configure().\n"); return 1; } $mpdsecret = "\n\n"; if (is_array($pppoecfg['user'])) { foreach ($pppoecfg['user'] as $user) $mpdsecret .= "{$user['name']} \"{$user['password']}\" {$user['ip']}\n"; } fwrite($fd, $mpdsecret); fclose($fd); chmod("{$g['varetc_path']}/mpd-vpn/mpd.secret", 0600); /* fire up mpd */ mwexec("/usr/local/sbin/mpd -b -d {$g['varetc_path']}/mpd-vpn -p {$g['varrun_path']}/mpd-vpn.pid pppoe"); break; case 'redir': break; } touch("{$g["tmp_path"]}/filter_dirty"); if ($g['booting']) echo "done\n"; return 0; } /* Forcefully restart IPSEC * This is required for when dynamic interfaces reload * For all other occasions the normal vpn_ipsec_configure() * will gracefully reload the settings without restarting */ function vpn_ipsec_force_reload() { global $config; global $g; $ipseccfg = $config['ipsec']; /* kill any ipsec communications regardless when we are invoked */ mwexec("/sbin/ifconfig enc0 down"); /* kill racoon */ mwexec("/usr/bin/killall racoon", true); /* wait for process to die */ sleep(4); /* send a SIGKILL to be sure */ sigkillbypid("{$g['varrun_path']}/racoon.pid", "KILL"); /* wait for flushing to finish */ sleep(1); /* if ipsec is enabled, start up again */ if (isset($ipseccfg['enable'])) { log_error("Forcefully reloading IPSEC racoon daemon"); vpn_ipsec_configure(); } } ?></eod<br></eod<br></eod<br></eod<br></eod<br></eod<br></eod<br></eod<br></eod<br></eod<br></eod<br></eod<br></eod<br></eod<br></eod<br></eod<br></eod<br></eod<br></mk@neon1.net>
-
Ok, so if you look at the output of that, in your /var/etc/racoon.conf, where does dpd_delay show up there?
-
It is not the racoon.conf It is the vpn.inc that needs to be edited
-
Yes, I know that, but I wanted to know what the output from vpn.inc resulted in.
Even after moving the dpd line to the same location in that file, it still doesn't work for me, but I'm using 1.2.3-RC1. It looks from the vpn.inc that you're using that you're on 1.2.2 still.
-
path pre_shared_key "/var/etc/psk.txt"; path certificate "/var/etc"; remote 67.114.XXX.XXX { exchange_mode main; my_identifier address "12.238.XXX.XXX"; peers_identifier address 67.114.XXX.XXX; initial_contact on; #dpd_delay 120; # DPD poll every 120 seconds ike_frag on; support_proxy on; proposal_check obey; dpd_delay 20; proposal { encryption_algorithm blowfish; hash_algorithm sha1; authentication_method pre_shared_key; dh_group 2; lifetime time 28800 secs; } lifetime time 28800 secs; } sainfo address 172.20.0.0/16 any address 192.168.100.0/24 any { encryption_algorithm rijndael; authentication_algorithm hmac_sha1; compression_algorithm deflate; pfs_group 2; lifetime time 86400 secs; } remote 69.12.XXX.XXX { exchange_mode main; my_identifier address "12.238.XXX.XXX"; peers_identifier address 69.12.XXX.XXX; initial_contact on; #dpd_delay 120; # DPD poll every 120 seconds ike_frag on; support_proxy on; proposal_check obey; dpd_delay 20; proposal { encryption_algorithm 3des; hash_algorithm sha1; authentication_method pre_shared_key; dh_group 2; lifetime time 28800 secs; } lifetime time 28800 secs; } sainfo address 172.20.0.0/16 any address 10.20.30.0/24 any { encryption_algorithm 3des; authentication_algorithm hmac_sha1; compression_algorithm deflate; pfs_group 2; lifetime time 86400 secs; }
-
On my 1.2.3 RC1 system it shows up after initial_contact.
peers_identifier address x.x.x.x; initial_contact on; dpd_delay 30; ike_frag on; support_proxy on; proposal_check obey;
I can't imagine the placement of dpd_delay would have an affect on it's effectiveness, though unless it was a bug in racoon.
Easy enough to change, through just move line 447 of /etc/inc/vpn.inc down a bit.
-
Yeah, it makes no difference for me where it is, so that's why I wanted to know more about kapara's config file.
Something else must have been changed that made it start working, as that doesn't seem to work for everyone.
-
Also I am using 1.2.2 Release embedded. Another thing was I was lazy and actually have 2 DPD entries at the same time. one for 120 and another for 20. Forgot to remove it and it is still there based on the exisiting vpn.inc
-
There is a patch that was just added this evening that may fix this, but I won't be able to test it more until tomorrow. If someone else who is seeing the DPD failure/IPSec stuck open issue could try pfSense-Full-Update-1.2.3-20090514-1908.tgz or later, it may behave differently.
-
Still broken here with the latest snapshots, but I have heard from other sources that there is some ongoing work with ipsec-tools that may result in a fix. So we'll have to wait and see what becomes of that.
-
Since I have mine working maybe it would be a good idea to move this to IPSEC rathern than the Bounty section.
-
Was this actually a successful bounty or did you just figure out how to ultimately make it work?