Netgate Discussion Forum
    IPsec VPN woodoo

      preatorian

      IPSEC beta3 WEIRDness

      I have a setup of two PFSENSE firewalls (identical hardware and NICs).
      After setting up a VPN tunnel, everything was ok, but I see the tunnel
      falling down - sometimes for 30 minutes or less. Here are some
      typical errors I see in the IPsec VPN log.

      PFSENSE IP 1: AAA.AAA.AAA.AAA
      PFSENSE IP 2: BBB.BBB.BBB.BBB

      Both sites have an excellent uplink quality (no dropped packets) and a broadband connection.
      Best regards !
      Preatorian

      Jul 7 09:00:39 racoon: INFO: initiate new phase 2 negotiation: AAA.AAA.AAA.AAA[0]<=>BBB.BBB.BBB.BBB[0]
      Jul 7 09:00:39 racoon: INFO: ISAKMP-SA deleted AAA.AAA.AAA.AA[500]-BBB.BBB.BBB.BBB[500] spi:724b0fc30c81adf6:c5fd15594eb58245
      Jul 7 09:00:39 racoon: ERROR: none message must be encrypted
      Jul 7 09:00:41 racoon: INFO: respond new phase 1 negotiation: AAA.AAA.AAA.AAA[500]<=>BBB.BBB.BBB.BBB[500]
      Jul 7 09:00:41 racoon: INFO: begin Aggressive mode.
      Jul 7 09:00:41 racoon: INFO: received Vendor ID: DPD
      Jul 7 09:00:41 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
      Jul 7 09:00:41 racoon: INFO: ISAKMP-SA established AAA.AAA.AAA.AAA[500]-BBB.BBB.BBB.BBB[500] spi:1a14311a1b8268c2:a54dbb7e299c31f6
      Jul 7 09:00:42 racoon: INFO: respond new phase 2 negotiation: AAA.AAA.AAA.AAA[0]<=>BBB.BBB.BBB.BBB[0]
      Jul 7 09:00:42 racoon: INFO: IPsec-SA established: ESP/Tunnel BBB.BBB.BBB.BBB[0]->AAA.AAA.AAA.AAA[0] spi=69362467(0x4226323)
      Jul 7 09:00:42 racoon: INFO: IPsec-SA established: ESP/Tunnel AAA.AAA.AAA.AAA[0]->BBB.BBB.BBB.BBB[0] spi=133988124(0x7fc7f1c)
      Jul 7 09:00:49 racoon: ERROR: none message must be encrypted
      Jul 7 09:00:59 racoon: ERROR: none message must be encrypted
      Jul 7 09:01:09 racoon: ERROR: BBB.BBB.BBB.BBB give up to get IPsec-SA due to time up to wait.
      Jul 7 09:50:37 racoon: INFO: purged IPsec-SA proto_id=ESP spi=133988124.
      Jul 7 09:50:37 racoon: INFO: initiate new phase 2 negotiation: AAA.AAA.AAA.AAA[0]<=>BBB.BBB.BBB.BBB[0]
      Jul 7 09:50:38 racoon: INFO: purging ISAKMP-SA spi=1a14311a1b8268c2:a54dbb7e299c31f6.
      Jul 7 09:50:38 racoon: INFO: Unknown IPsec-SA spi=69362467, hmmmm?
      Jul 7 09:50:38 racoon: INFO: purged IPsec-SA spi=69362467.
      Jul 7 09:50:38 racoon: INFO: purged IPsec-SA spi=193528058.
      Jul 7 09:50:38 racoon: INFO: purged ISAKMP-SA spi=1a14311a1b8268c2:a54dbb7e299c31f6.
      Jul 7 09:50:38 racoon: INFO: initiate new phase 2 negotiation: AAA.AAA.AAA.AAA[0]<=>BBB.BBB.BBB.BBB[0]
      Jul 7 09:50:39 racoon: INFO: ISAKMP-SA deleted AAA.AAA.AAA.AAA[500]-BBB.BBB.BBB.BBB[500] spi:1a14311a1b8268c2:a54dbb7e299c31f6
      Jul 7 09:50:40 racoon: INFO: respond new phase 1 negotiation: AAA.AAA.AAA.AAA[500]<=>BBB.BBB.BBB.BBB[500]
      Jul 7 09:50:40 racoon: INFO: begin Aggressive mode.
      Jul 7 09:50:40 racoon: INFO: received Vendor ID: DPD
      Jul 7 09:50:40 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
      Jul 7 09:50:40 racoon: INFO: ISAKMP-SA established AAA.AAA.AAA.AAA[500]-BBB.BBB.BBB.BBB[500] spi:5e7b852dd63400be:ca73b9cddbc974b1
      Jul 7 09:50:41 racoon: INFO: respond new phase 2 negotiation: AAA.AAA.AAA.AAA[0]<=>BBB.BBB.BBB.BBB[0]
      Jul 7 09:50:41 racoon: INFO: IPsec-SA established: ESP/Tunnel BBB.BBB.BBB.BBB[0]->AAA.AAA.AAA.AAA[0] spi=204582594(0xc31aec2)
      Jul 7 09:50:41 racoon: INFO: IPsec-SA established: ESP/Tunnel AAA.AAA.AAA.AAA[0]->BBB.BBB.BBB.BBB[0] spi=153619864(0x9280d98)
      Jul 7 09:50:48 racoon: ERROR: none message must be encrypted
      Jul 7 09:50:58 racoon: ERROR: none message must be encrypted
      Jul 7 09:51:08 racoon: ERROR: BBB.BBB.BBB.BBB give up to get IPsec-SA due to time up to wait.
      Jul 7 10:44:27 racoon: INFO: purged IPsec-SA proto_id=ESP spi=153619864.
      Jul 7 10:44:27 racoon: INFO: respond new phase 2 negotiation: AAA.AAA.AAA.AAA[0]<=>BBB.BBB.BBB.BBB[0]
      Jul 7 10:44:28 racoon: INFO: initiate new phase 2 negotiation: AAA.AAA.AAA.AAA[0]<=>BBB.BBB.BBB.BBB[0]
      Jul 7 10:44:30 racoon: INFO: respond new phase 1 negotiation: AAA.AAA.AAA.AAA[500]<=>BBB.BBB.BBB.BBB[500]
      Jul 7 10:44:30 racoon: INFO: begin Aggressive mode.
      Jul 7 10:44:30 racoon: INFO: received Vendor ID: DPD
      Jul 7 10:44:30 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
      Jul 7 10:44:30 racoon: INFO: ISAKMP-SA established AAA.AAA.AAA.AAA[500]-BBB.BBB.BBB.BBB[500] spi:b37f301d2d18665a:9581b125f85a9205
      Jul 7 10:44:30 racoon: INFO: purging spi=204582594.
      Jul 7 10:44:31 racoon: INFO: respond new phase 2 negotiation: AAA.AAA.AAA.AAA[0]<=>BBB.BBB.BBB.BBB[0]
      Jul 7 10:44:31 racoon: INFO: IPsec-SA established: ESP/Tunnel BBB.BBB.BBB.BBB[0]->AAA.AAA.AAA.AAA[0] spi=210806202(0xc90a5ba)
      Jul 7 10:44:31 racoon: INFO: IPsec-SA established: ESP/Tunnel AAA.AAA.AAA.AAA[0]->BBB.BBB.BBB.BBB[0] spi=260373579(0xf84fc4b)
      Jul 7 10:44:38 racoon: ERROR: none message must be encrypted
      Jul 7 10:44:48 last message repeated 3 times
      Jul 7 10:44:57 racoon: ERROR: BBB.BBB.BBB.BBB give up to get IPsec-SA due to time up to wait.
      Jul 7 10:44:58 racoon: ERROR: BBB.BBB.BBB.BBB give up to get IPsec-SA due to time up to wait.

        hoba

        We don't support old versions. Upgrade to the latest RC1 snapshot. If the problem still exists, raise your voice again. The version you are using has been outdated for months, and a lot of things have been changed that might resolve your issue.
