Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    IPsec VPN woodoo

    IPsec
    2
    2
    3.6k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P
      preatorian
      last edited by

      IPSEC beta3 WEIRDness

      I have a setup of two PFSENSE firewalls (identical hardware and NICs).
      After setting up a VPN tunnel, everything was ok, but I see tunnel
      falling down - some times for 30 minuts or less.. here are some
      tipical errors I see in the IPsec VPN log.

      PFSENSE IP 1: AAA.AAA.AAA.AAA
      PFSENSE IP 2: BBB.BBB.BBB.BBB

      Both sites have an excellent uplink quality (no dropped packets) and a broad band connection.
      Best regards !
      Preatorian

      Jul 7 09:00:39 racoon: INFO: initiate new phase 2 negotiation: AAA.AAA.AAA.AAA[0]<=>BBB.BBB.BBB.BBB[0]
      Jul 7 09:00:39 racoon: INFO: ISAKMP-SA deleted AAA.AAA.AAA.AA[500]-BBB.BBB.BBB.BBB[500] spi:724b0fc30c81adf6:c5fd15594eb58245
      Jul 7 09:00:39 racoon: ERROR: none message must be encrypted
      Jul 7 09:00:41 racoon: INFO: respond new phase 1 negotiation: AAA.AAA.AAA.AAA[500]<=>BBB.BBB.BBB.BBB[500]
      Jul 7 09:00:41 racoon: INFO: begin Aggressive mode.
      Jul 7 09:00:41 racoon: INFO: received Vendor ID: DPD
      Jul 7 09:00:41 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
      Jul 7 09:00:41 racoon: INFO: ISAKMP-SA established AAA.AAA.AAA.AAA[500]-BBB.BBB.BBB.BBB[500] spi:1a14311a1b8268c2:a54dbb7e299c31f6
      Jul 7 09:00:42 racoon: INFO: respond new phase 2 negotiation: AAA.AAA.AAA.AAA[0]<=>BBB.BBB.BBB.BBB[0]
      Jul 7 09:00:42 racoon: INFO: IPsec-SA established: ESP/Tunnel BBB.BBB.BBB.BBB[0]->AAA.AAA.AAA.AAA[0] spi=69362467(0x4226323)
      Jul 7 09:00:42 racoon: INFO: IPsec-SA established: ESP/Tunnel AAA.AAA.AAA.AAA[0]->BBB.BBB.BBB.BBB[0] spi=133988124(0x7fc7f1c)
      Jul 7 09:00:49 racoon: ERROR: none message must be encrypted
      Jul 7 09:00:59 racoon: ERROR: none message must be encrypted
      Jul 7 09:01:09 racoon: ERROR: BBB.BBB.BBB.BBB give up to get IPsec-SA due to time up to wait.
      Jul 7 09:50:37 racoon: INFO: purged IPsec-SA proto_id=ESP spi=133988124.
      Jul 7 09:50:37 racoon: INFO: initiate new phase 2 negotiation: AAA.AAA.AAA.AAA[0]<=>BBB.BBB.BBB.BBB[0]
      Jul 7 09:50:38 racoon: INFO: purging ISAKMP-SA spi=1a14311a1b8268c2:a54dbb7e299c31f6.
      Jul 7 09:50:38 racoon: INFO: Unknown IPsec-SA spi=69362467, hmmmm?
      Jul 7 09:50:38 racoon: INFO: purged IPsec-SA spi=69362467.
      Jul 7 09:50:38 racoon: INFO: purged IPsec-SA spi=193528058.
      Jul 7 09:50:38 racoon: INFO: purged ISAKMP-SA spi=1a14311a1b8268c2:a54dbb7e299c31f6.
      Jul 7 09:50:38 racoon: INFO: initiate new phase 2 negotiation: AAA.AAA.AAA.AAA[0]<=>BBB.BBB.BBB.BBB[0]
      Jul 7 09:50:39 racoon: INFO: ISAKMP-SA deleted AAA.AAA.AAA.AAA[500]-BBB.BBB.BBB.BBB[500] spi:1a14311a1b8268c2:a54dbb7e299c31f6
      Jul 7 09:50:40 racoon: INFO: respond new phase 1 negotiation: AAA.AAA.AAA.AAA[500]<=>BBB.BBB.BBB.BBB[500]
      Jul 7 09:50:40 racoon: INFO: begin Aggressive mode.
      Jul 7 09:50:40 racoon: INFO: received Vendor ID: DPD
      Jul 7 09:50:40 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
      Jul 7 09:50:40 racoon: INFO: ISAKMP-SA established AAA.AAA.AAA.AAA[500]-BBB.BBB.BBB.BBB[500] spi:5e7b852dd63400be:ca73b9cddbc974b1
      Jul 7 09:50:41 racoon: INFO: respond new phase 2 negotiation: AAA.AAA.AAA.AAA[0]<=>BBB.BBB.BBB.BBB[0]
      Jul 7 09:50:41 racoon: INFO: IPsec-SA established: ESP/Tunnel BBB.BBB.BBB.BBB[0]->AAA.AAA.AAA.AAA[0] spi=204582594(0xc31aec2)
      Jul 7 09:50:41 racoon: INFO: IPsec-SA established: ESP/Tunnel AAA.AAA.AAA.AAA[0]->BBB.BBB.BBB.BBB[0] spi=153619864(0x9280d98)
      Jul 7 09:50:48 racoon: ERROR: none message must be encrypted
      Jul 7 09:50:58 racoon: ERROR: none message must be encrypted
      Jul 7 09:51:08 racoon: ERROR: BBB.BBB.BBB.BBB give up to get IPsec-SA due to time up to wait.
      Jul 7 10:44:27 racoon: INFO: purged IPsec-SA proto_id=ESP spi=153619864.
      Jul 7 10:44:27 racoon: INFO: respond new phase 2 negotiation: AAA.AAA.AAA.AAA[0]<=>BBB.BBB.BBB.BBB[0]
      Jul 7 10:44:28 racoon: INFO: initiate new phase 2 negotiation: AAA.AAA.AAA.AAA[0]<=>BBB.BBB.BBB.BBB[0]
      Jul 7 10:44:30 racoon: INFO: respond new phase 1 negotiation: AAA.AAA.AAA.AAA[500]<=>BBB.BBB.BBB.BBB[500]
      Jul 7 10:44:30 racoon: INFO: begin Aggressive mode.
      Jul 7 10:44:30 racoon: INFO: received Vendor ID: DPD
      Jul 7 10:44:30 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
      Jul 7 10:44:30 racoon: INFO: ISAKMP-SA established AAA.AAA.AAA.AAA[500]-BBB.BBB.BBB.BBB[500] spi:b37f301d2d18665a:9581b125f85a9205
      Jul 7 10:44:30 racoon: INFO: purging spi=204582594.
      Jul 7 10:44:31 racoon: INFO: respond new phase 2 negotiation: AAA.AAA.AAA.AAA[0]<=>BBB.BBB.BBB.BBB[0]
      Jul 7 10:44:31 racoon: INFO: IPsec-SA established: ESP/Tunnel BBB.BBB.BBB.BBB[0]->AAA.AAA.AAA.AAA[0] spi=210806202(0xc90a5ba)
      Jul 7 10:44:31 racoon: INFO: IPsec-SA established: ESP/Tunnel AAA.AAA.AAA.AAA[0]->BBB.BBB.BBB.BBB[0] spi=260373579(0xf84fc4b)
      Jul 7 10:44:38 racoon: ERROR: none message must be encrypted
      Jul 7 10:44:48 last message repeated 3 times
      Jul 7 10:44:57 racoon: ERROR: BBB.BBB.BBB.BBB give up to get IPsec-SA due to time up to wait.
      Jul 7 10:44:58 racoon: ERROR: BBB.BBB.BBB.BBB give up to get IPsec-SA due to time up to wait.

      1 Reply Last reply Reply Quote 0
      • H
        hoba
        last edited by

        We don't support old versions. Upgrade to the latest RC1 snapshot. If the problem still exists raise your voice again. The version you are using is outdated since month and a lot of things have been changed that might resolve your issue.

        1 Reply Last reply Reply Quote 0
        • First post
          Last post