IPsec fails to renegotiate after loss of a peer
- 
 I'm interested in what other devices everyone is using at the other end of the tunnels. I see in your other thread netmethods, you say All ipsec tunnels are to sonicwalls with standard and enhanced os and one watchguard I currently have a pfSense 1.2.2 box connecting to about 28 remote locations which are all using a mixture of pfSense 1.2.2 (1 - 1.2.3-PRE-testing but it's working so I don't want to upgrade just yet) and Linksys BEFVP41 and Linksys BEFSX41. These are stable for the most part, meaning they rarely go down and if they do it is usually something other than the equipment that causes it. I am setting up a new box now because we are changing over to a new ISP and doing it slowly starting with our site-to-site VPNs. I built the box using 1.2.3-RC3 and moved 3 of the remote locations to it. 2 of these are pfSense (1.2.2 and the 1.2.3-PRE-testing) and one is a BEFVP41. The BEFVP41 has been going down every hour when the phase 2 expires. I could increase the lifetime but I want to know sooner when my changes don't work so I can try something else. I'm going to try the "prefer old SAs" later tonight now that the office is closed and see what happens. 
- 
 I just updated one of my routers to 1.2.3-RC3 which has several tunnels to different places, a pfSense 1.2.3-RC3 box, two pfSense 1.2.2 boxes, and a Linksys BEFSX41. All my tunnels came up immediately when it booted, but I'll try to keep track of how well it does overnight/tomorrow. 
- 
 Those who are having problems with renegotiation, try going to Diagnostics -> Command and running: fetch -o /etc/inc/vpn.inc http://cvs.pfsense.org/~cmb/rekeyforcevpn.inc Then restart the racoon service, or reboot, and see what happens. There is a known issue in the latest stable racoon in some circumstances that this may fix. This sets rekey to force. rekey - Enable automatic renegotiation of expired phase1 when 
 there are non-dying phase2 SAs. Possible values are:
 force Rekeying is done unconditionally.
 on Rekeying is done only if DPD monitoring is
 active. This is the default.
 off No automatic rekeying. Do note that turning off
 automatic rekeying will result in inaccurate DPD
 monitoring.
- 
 Thanks cmb. I don't think I'll be able to test that just now because I seem to have found a setting that worked. I enabled "Prefer old IPSEC SAs" option and the tunnel that was going down every hour (phase 2 lifetime) has been up for about 12 hours now. I wasn't sure if that option would affect the two other tunnels I have on the box that are connected to pfSense boxes in a negative way but they seem to still be working fine with this option as well. I'm going to move another Linksys BEFVP41 router to this box and see if that setting continues to make the tunnel work for this other one as well. 
- 
 I cannot say for certain that I am still having issues with renegotiation. My tunnels had stayed up for 4-5 days. I was out of the office yesterday when they went down. The IPSec log did not show anything at all when this happened until I restarted racoon. This latest problem does not look like a renegotiation issue. I am guessing that everything was fine until after 12:51. At 14:17 I restarted racoon. Oct 27 12:51:03 pffw racoon: INFO: IPsec-SA established: ESP tunnelIP[0]->WANIP[0] spi=9536865(0x918561) 
 Oct 27 12:51:03 pffw racoon: INFO: IPsec-SA established: ESP WANIP[0]->tunnelIP[0] spi=3936270732(0xea9eb98c)
 Oct 27 14:17:17 pffw racoon: INFO: @(#)ipsec-tools 0.7.2 (http://ipsec-tools.sourceforge.net)
 Oct 27 14:17:17 pffw racoon: INFO: @(#)This product linked OpenSSL 0.9.8e 23 Feb 2007 (http://www.openssl.org/)
 Oct 27 14:17:17 pffw racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
 Oct 27 14:17:17 pffw racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=14)
 Oct 27 14:17:17 pffw racoon: INFO: LanIP[500] used as isakmp port (fd=15)
 Oct 27 14:17:17 pffw racoon: INFO: OPT1IP[500] used as isakmp port (fd=16)
 Oct 27 14:17:17 pffw racoon: INFO: WanIP[500] used as isakmp port (fd=17)
 Oct 27 14:17:17 pffw racoon: INFO: unsupported PF_KEY message REGISTER
 Oct 27 14:17:17 pffw racoon: ERROR: such policy already exists. anyway replace it: …Below are some error messages that have shown up in the logs. During the time that these messages occurred, I was not notified that there were any problems and I did nothing to resolve them. A tunnel may or may not have went down. These are just random entries and not specific to any tunnel. I put a "Reg" in front of errors that seem to appear regularly. Reg -Oct 23 16:00:35 pffw racoon: ERROR: fatal INVALID-SPI notify messsage, phase1 should be deleted. 
 Reg -Oct 23 16:00:35 pffw last message repeated 2 timesReg -Oct 26 01:37:08 pffw racoon: WARNING: ignore RESPONDER-LIFETIME notification. Reg -Oct 23 16:06:51 pffw racoon: ERROR: none message must be encrypted 
 Reg -Oct 23 16:07:11 pffw last message repeated 2 times
 Reg -Oct 23 16:07:13 pffw racoon: INFO: unsupported PF_KEY message REGISTER
 Reg -Oct 23 16:07:13 pffw racoon: ERROR: no iph2 found: ESP tunnelIP[0]->WANIP[0] spi=250476046(0xeedf60e)
 Reg -Oct 23 16:07:13 pffw racoon: ERROR: no iph2 found: ESP tunnelIP[0]->WANIP[0] spi=257766112(0xf5d32e0)
 (None since last change) -Oct 23 16:07:13 pffw racoon: ERROR: pfkey DELETE received: ESP WANIP[0]->tunnelIP[0] spi=53406546(0x32eeb52)(None since last change) -Oct 23 16:08:02 pffw racoon: ERROR: tunnelIP give up to get IPsec-SA due to time up to wait. Reg -Oct 23 16:08:19 pffw racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address. Oct 24 11:13:01 pffw racoon: ERROR: no policy found for spid:59. 
 Oct 24 11:13:01 pffw racoon: ERROR: failed to get ID.
 Oct 24 11:13:01 pffw racoon: ERROR: failed to start post getspi.Reg -Oct 26 03:15:00 pffw racoon: ERROR: unknown Informational exchange received. Reg -Oct 26 04:53:39 pffw racoon: ERROR: couldn't find configuration. –------------ 
 cmb - what is the command to change the rekey back to the default if I later change it to force as below:fetch -o /etc/inc/vpn.inc http://cvs.pfsense.org/~cmb/rekeyforcevpn.inc I think you also posted somewhere about the tunnels taking a long time to come back up? I will try to restart racoon some evening when I have time to wait for everything to come back up on its own. When everything goes down, I get a little impatient. I'm interested in what other devices everyone is using at the other end of the tunnels. I am currently using a bunch of Netopia routers that I inherited at this job. Tunnels between these devices worked fine. I switched to pfSense for the multi-wan feature and the ability to have more than 15 tunnels (a Netopia limitation). Thanks to everyone for their input. 
- 
 @bkm: cmb - what is the command to change the rekey back to the default if I later change it to force as below: Edit /etc/inc/vpn.inc and remove the line: rekey force; 
- 
 Thanks cmb. 
 The rekey option looks similar to an option on my Netopias that I am testing on a few tunnels. I haven't been able to tell yet if it has helped. I may try the rekey option in pfSense in a couple weeks if I am still having issues.
- 
 So far all of my tunnels have been fine since the update. And that even includes a connectivity loss between one of the remote routers which renegotiated fine, and lifetime expirations on all of them. I'll keep an eye on them though. 
- 
 Jimp, do you have Prefer old IPSEC SAs turned on? I know the BEFSX41 is quite similar to the BEFVP41 and I'd be surprised if yours worked without that setting. Following two ISP equipment malfunctions today from the ISP we are moving away from, I will be changing over all the other locations early tomorrow morning. I'm fairly confident that it should go smoothly because of the one tunnel I got to stay up last night and a second I moved over today. I'll report any issues I come across. 
- 
 You know, I don't remember checking that but it is set. 
- 
 I restarted racoon today when all of my tunnels were up. It only took about 3 minutes for 9 tunnels to come back. This was not the case when the tunnels had died on their own. I'm guessing that some state or SAD was probably not letting itself get terminated. I'll post again if I have any new info. 
- 
 I just ran fetch -o /etc/inc/vpn.inc rekeyforcevpn.inc, restarted racoon and the service would no longer start. Since I needed these tunnels back up and running, I just reinstalled 1.2.3-rc3 and things came back up. Not sure if it's something I did or an issue with the script. 
- 
 I just ran fetch -o /etc/inc/vpn.inc rekeyforcevpn.inc, restarted racoon and the service would no longer start. I'll admit I didn't test it, but it's a simple one line config change that per the racoon man page is correct. What did your logs show? 
- 
 To be honest, I didn't even look. It was already late and I didn't have the energy to troubleshoot it when I figured just a quick reload of the firmware would fix it. I just tried running clog /var/log/ipsec.log in Diag>Command, but I didn't see anything relevant. 
- 
 Well, I moved over almost every location this morning so there are now 25 tunnels up and running for about 6 hours. No VPN issues so far and each phase 2 lifetime is set to 3600 seconds. I'll hold off final judgment for a few more days but so far so good with 1.2.3-RC3 and all the devices I previously mentioned. 
- 
 I updated from 1.2.2 to 1.2.3-RC3 in efforts to do some testing. I noticed 1 thing so far, that all my encryption algorithms are blank/reset, yet all my tunnels came up after about 2 minutes (automatically). 
 I have 12 tunnels, all but 1 to pfsesne, the 1 to cisco pix.
- 
 So everything has been staying up over the weekend. I'd call it a successful upgrade. The only issue for me was the IPSEC SAs to get the linksys boxes happy. Thanks for the help and suggestions everyone. 
 ;D
- 
 Seems like rekeyforcevpn.inc is no longer available, could anyone kindly post it somewhere else? Thanks a lot. 
- 
 Seems like rekeyforcevpn.inc is no longer available, could anyone kindly post it somewhere else? Because it did nothing but generate a broken configuration, so it was removed. It's also not needed. 
