Netgate Discussion Forum
    pfsense plus 21.02-RELEASE-p1 (amd64) (Version: 4.2.amazon) IPSec Issue

    vishal.mhatre2310

      Hi, I've recently upgraded to pfSense Plus 21.02-RELEASE-p1 (amd64) (Version: 4.2.amazon) on Amazon. My IPsec tunnels have suddenly stopped working with AWS VPCs. I tried and am able to connect to another pfSense instance, but not to the AWS VPN. (I am suspecting a version issue here.)
      The logs are of no help.
      Below are the logs I am getting. Please help.
      Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] remote_addrs = <Destination IP>
      Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] local_port = 500
      Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] remote_port = 500
      Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] send_certreq = 1
      Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] send_cert = CERT_SEND_IF_ASKED
      Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] ppk_id = (null)
      Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] ppk_required = 0
      Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] mobike = 0
      Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] aggressive = 0
      Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] dscp = 0x00
      Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] encap = 0
      Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] dpd_delay = 10
      Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] dpd_timeout = 60
      Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] fragmentation = 2
      Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] childless = 0
      Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] unique = UNIQUE_REPLACE
      Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] keyingtries = 1
      Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] reauth_time = 25920
      Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] rekey_time = 0
      Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] over_time = 2880
      Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] rand_time = 2880
      Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] proposals = IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] if_id_in = 0
      Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] if_id_out = 0
      Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] local:
      Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] class = pre-shared key
      Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] id = <pfsense Public IP>
      Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] remote:
      Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] class = pre-shared key
      Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] id = <Destination IP>
      Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] updated vici connection: con200000
      Apr 1 00:07:48 pfsdp charon[57948]: 08[CFG] vici client 195 disconnected
      Apr 1 00:07:55 pfsdp charon[57948]: 06[CFG] vici client 196 connected
      Apr 1 00:07:55 pfsdp charon[57948]: 08[CFG] vici client 196 registered for: list-sa
      Apr 1 00:07:55 pfsdp charon[57948]: 08[CFG] vici client 196 requests: list-sas
      Apr 1 00:07:55 pfsdp charon[57948]: 08[CFG] vici client 196 disconnected
      Apr 1 00:07:57 pfsdp charon[57948]: 13[CFG] vici client 197 connected
      Apr 1 00:07:57 pfsdp charon[57948]: 13[CFG] vici client 197 registered for: control-log
      Apr 1 00:07:57 pfsdp charon[57948]: 07[CFG] vici client 198 connected
      Apr 1 00:07:57 pfsdp charon[57948]: 13[CFG] vici client 198 registered for: control-log
      Apr 1 00:07:57 pfsdp charon[57948]: 07[CFG] vici client 197 requests: terminate
      Apr 1 00:07:57 pfsdp charon[57948]: 07[CFG] vici terminate CHILD_SA 'con2000'
      Apr 1 00:07:57 pfsdp charon[57948]: 10[CFG] vici client 198 requests: initiate
      Apr 1 00:07:57 pfsdp charon[57948]: 10[CFG] vici initiate CHILD_SA 'con2000'
      Apr 1 00:07:57 pfsdp charon[57948]: 08[CFG] vici client 198 disconnected
      Apr 1 00:07:57 pfsdp charon[57948]: 08[CFG] vici client 197 disconnected
      Apr 1 00:07:57 pfsdp charon[57948]: 10[CFG] vici client 199 connected
      Apr 1 00:07:57 pfsdp charon[57948]: 07[CFG] vici client 199 registered for: list-sa
      Apr 1 00:07:57 pfsdp charon[57948]: 08[CFG] vici client 199 requests: list-sas
      Apr 1 00:07:57 pfsdp charon[57948]: 08[CFG] vici client 199 disconnected

      viniciusmerlim
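The charon output quoted above shows the connection config being loaded and a vici `terminate`/`initiate` pair, but not a single `[IKE]` line in between, and the IKE proposal it dumps uses SHA1 and MODP_1024. The following Python script is an added example (not from the post or from pfSense) that parses log lines of that shape and reports both conditions; the `SAMPLE_LOG` is a constructed, condensed copy of the lines in the post, and the `[IKE]` message used in the healthy-case check is a constructed sample in strongSwan's usual format.

```python
import re

# Constructed sample, condensed from the charon lines quoted in the post
# above (same message shapes; addresses were already redacted by the poster).
SAMPLE_LOG = """\
Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] proposals = IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] updated vici connection: con200000
Apr 1 00:07:57 pfsdp charon[57948]: 07[CFG] vici terminate CHILD_SA 'con2000'
Apr 1 00:07:57 pfsdp charon[57948]: 10[CFG] vici initiate CHILD_SA 'con2000'
Apr 1 00:07:57 pfsdp charon[57948]: 08[CFG] vici client 199 requests: list-sas
"""

# charon lines look like "charon[PID]: THREAD[GROUP] message"
LINE_RE = re.compile(r"charon\[\d+\]: \d+\[(?P<group>[A-Z]+)\] (?P<msg>.*)$")

# Algorithms that should trigger a review of the tunnel's phase 1 settings.
WEAK_TOKENS = {"MODP_768", "MODP_1024", "HMAC_SHA1_96", "HMAC_MD5_96", "3DES_CBC"}

def parse(log_text):
    """Return (log group, message) pairs, skipping lines that are not charon output."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            entries.append((m.group("group"), m.group("msg")))
    return entries

def weak_proposal_terms(entries):
    """Weak algorithm names found in any 'proposals = ...' config dump, sorted."""
    weak = set()
    for group, msg in entries:
        if group == "CFG" and msg.startswith("proposals = "):
            for proposal in msg[len("proposals = "):].split(","):
                algs = proposal.split(":", 1)[-1].split("/")
                weak.update(a for a in algs if a in WEAK_TOKENS)
    return sorted(weak)

def stalled_initiates(entries):
    """'vici initiate' requests with no [IKE] message before the next initiate
    (charon accepted the request but never logged an exchange)."""
    stalled, pending = [], None
    for group, msg in entries:
        if group == "CFG" and msg.startswith("vici initiate "):
            if pending is not None:
                stalled.append(pending)
            pending = msg
        elif group == "IKE" and pending is not None:
            pending = None
    if pending is not None:
        stalled.append(pending)
    return stalled
```

A missing `[IKE]` line can also just mean the IKE log level was turned down under VPN > IPsec > Advanced Settings, so confirm the log level before reading a stalled initiate as a daemon fault.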

        Hello @vishal-mhatre2310.

        There is a known IPsec issue in 21.02-p1. You could patch your system.
        To do so, install the System Patches package (https://docs.netgate.com/pfsense/en/latest/development/system-patches.html)
        and apply these IPsec-related patches:

        ead6515637a34ce6e170e2d2b0802e4fa1e63a00 #11435
        57beb9ad8ca11703778fc483c7cba0f6770657ac #11435
        10eb04259fd139c62e08df8de877b71fdd0eedc8 #11442
        ded7970ba57a99767e08243103e55d8a58edfc35 #11486
        afffe759c4fd19fe6b8311196f4b6d5e288ea4fb #11487
        2fe5cc52bd881ed26723a81e0eed848fd505fba6 #11488

        To install the patches, go to System > Patches > Add new patch.
        In Description put any descriptive text like ipsec1, put a commit ID and save. After that you need to Fetch > Test and Apply.

        Do it for all the commit IDs here and let me know if it helps.

        Regards
        Vinicius

          markgca @viniciusmerlim

          @viniciusmerlim thanks for the suggestion.

          I added the patches, then restarted the IPsec service, with no effect. I'm still getting the same error message.

            viniciusmerlim @markgca

            @markgca Can you export your IPsec status logs? Go to pfsenseip/status.php > download.

            Then extract the IPsec logs from the file and reply here with the whole connection attempt part. Please keep in mind that you need to hide IPs, shared keys and any other sensitive information.

            Maybe then we can fully understand what's happening in your instance.

                  vishal.mhatre2310 @viniciusmerlim

                  @viniciusmerlim - Thanks for the information. I had tried this from jimp's post in "https://forum.netgate.com/topic/161265/pfsense-2-5-problems-with-site-to-site-aws-vpn-connection/2". It worked on one of our pfSense instances. However, on another one I started facing a new issue after applying the patches: the entire IPsec service hangs. When I try to restart the service, nothing happens. Only when I restart the entire AWS instance does it connect back for a few minutes before freezing again. No logs are being recorded when it freezes. I've also tried a command line restart of the service using the following commands, with no luck:

                  "pfSsh.php playback restartipsec" & "pfSsh.php playback svc stop ipsec; pfSsh.php playback svc start ipsec"

                  Is there any known resolution for this issue? Please help.

                    vishal.mhatre2310 @viniciusmerlim

                    @viniciusmerlim - I am now getting the following error and am unable to restart the IPsec service:

                    connecting to 'unix:///var/run/charon.vici' failed: Connection refused

                    Can you please help? It only works for a few minutes after restarting the instance and then goes back to the same state. It also stops recording logs once it freezes. Please help.

                      viniciusmerlim @vishal.mhatre2310

                      @vishal-mhatre2310 Sorry for the late response. Do you still need help here?

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.