pfsense plus 21.02-RELEASE-p1 (amd64) (Version: 4.2.amazon) IPSec Issue
-
Hi, I've recently upgraded to pfSense Plus 21.02-RELEASE-p1 (amd64) (Version: 4.2.amazon) on Amazon. My IPsec has suddenly stopped working with AWS VPCs. I tried and am able to connect with other pfSense instances but not with the AWS VPN. (I am suspecting a version issue here.)
Logs are of no help.
Below are the logs I am getting, please help.
Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] remote_addrs = <Destination IP>
Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] local_port = 500
Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] remote_port = 500
Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] send_certreq = 1
Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] send_cert = CERT_SEND_IF_ASKED
Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] ppk_id = (null)
Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] ppk_required = 0
Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] mobike = 0
Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] aggressive = 0
Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] dscp = 0x00
Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] encap = 0
Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] dpd_delay = 10
Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] dpd_timeout = 60
Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] fragmentation = 2
Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] childless = 0
Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] unique = UNIQUE_REPLACE
Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] keyingtries = 1
Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] reauth_time = 25920
Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] rekey_time = 0
Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] over_time = 2880
Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] rand_time = 2880
Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] proposals = IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] if_id_in = 0
Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] if_id_out = 0
Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] local:
Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] class = pre-shared key
Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] id = <pfsense Public IP>
Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] remote:
Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] class = pre-shared key
Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] id = <Destination IP>
Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] updated vici connection: con200000
Apr 1 00:07:48 pfsdp charon[57948]: 08[CFG] vici client 195 disconnected
Apr 1 00:07:55 pfsdp charon[57948]: 06[CFG] vici client 196 connected
Apr 1 00:07:55 pfsdp charon[57948]: 08[CFG] vici client 196 registered for: list-sa
Apr 1 00:07:55 pfsdp charon[57948]: 08[CFG] vici client 196 requests: list-sas
Apr 1 00:07:55 pfsdp charon[57948]: 08[CFG] vici client 196 disconnected
Apr 1 00:07:57 pfsdp charon[57948]: 13[CFG] vici client 197 connected
Apr 1 00:07:57 pfsdp charon[57948]: 13[CFG] vici client 197 registered for: control-log
Apr 1 00:07:57 pfsdp charon[57948]: 07[CFG] vici client 198 connected
Apr 1 00:07:57 pfsdp charon[57948]: 13[CFG] vici client 198 registered for: control-log
Apr 1 00:07:57 pfsdp charon[57948]: 07[CFG] vici client 197 requests: terminate
Apr 1 00:07:57 pfsdp charon[57948]: 07[CFG] vici terminate CHILD_SA 'con2000'
Apr 1 00:07:57 pfsdp charon[57948]: 10[CFG] vici client 198 requests: initiate
Apr 1 00:07:57 pfsdp charon[57948]: 10[CFG] vici initiate CHILD_SA 'con2000'
Apr 1 00:07:57 pfsdp charon[57948]: 08[CFG] vici client 198 disconnected
Apr 1 00:07:57 pfsdp charon[57948]: 08[CFG] vici client 197 disconnected
Apr 1 00:07:57 pfsdp charon[57948]: 10[CFG] vici client 199 connected
Apr 1 00:07:57 pfsdp charon[57948]: 07[CFG] vici client 199 registered for: list-sa
Apr 1 00:07:57 pfsdp charon[57948]: 08[CFG] vici client 199 requests: list-sas
Apr 1 00:07:57 pfsdp charon[57948]: 08[CFG] vici client 199 disconnected
-
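As an added example (not code from this thread or from pfSense), a small Python parser for the charon [CFG] dump above: it pulls the IKE settings and the local/remote auth classes out of those log lines and lists the points to compare against the AWS side, such as the SHA1/MODP_1024 proposal and the reauth-instead-of-rekey setting. The sample lines are a constructed subset copied from the post above.

```python
import re

# Constructed sample: a subset of the charon [CFG] lines quoted in the post above.
SAMPLE_LOG = """\
Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] reauth_time = 25920
Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] rekey_time = 0
Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] proposals = IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] local:
Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] class = pre-shared key
Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] remote:
Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] class = pre-shared key
Apr 1 00:07:48 pfsdp charon[57948]: 06[CFG] updated vici connection: con200000
"""

CFG_RE = re.compile(r"charon\[\d+\]: \d+\[CFG\] (.*)$")
KV_RE = re.compile(r"^(\w+) = (.*)$")
LEGACY = ("MODP_1024", "SHA1", "MD5", "3DES")  # algorithms worth a second look

def parse_cfg_dump(text):
    """Split a charon connection dump into IKE, local-auth and remote-auth settings."""
    sections = {"ike": {}, "local": {}, "remote": {}}
    current = "ike"
    for line in text.splitlines():
        m = CFG_RE.search(line)
        if not m:
            continue
        body = m.group(1).strip()
        if body in ("local:", "remote:"):   # auth blocks follow the IKE settings
            current = body[:-1]
            continue
        kv = KV_RE.match(body)              # lines without "key = value" are skipped
        if kv:
            sections[current][kv.group(1)] = kv.group(2)
    return sections

def review(sections):
    """Return human-readable findings to compare against the peer's configuration."""
    ike, findings = sections["ike"], []
    algs = ike.get("proposals", "").split(":", 1)[-1].split("/")
    legacy = [a for a in algs if any(tag in a for tag in LEGACY)]
    if legacy:
        findings.append("IKE proposal uses legacy algorithms: " + ", ".join(legacy))
    if ike.get("rekey_time") == "0" and ike.get("reauth_time", "0") != "0":
        findings.append("IKE_SA is re-authenticated (reauth_time=%s) instead of rekeyed"
                        % ike["reauth_time"])
    for side in ("local", "remote"):
        findings.append("%s auth: %s" % (side, sections[side].get("class", "unknown")))
    return findings
```

Run `review(parse_cfg_dump(SAMPLE_LOG))` to get the findings list; feed it the full dump from the IPsec log instead of the sample to check a real instance.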
Hello @vishal-mhatre2310.
There is a known IPSec issue in 21.02-p1. You could patch your system.
To do so, install the System Patches package https://docs.netgate.com/pfsense/en/latest/development/system-patches.html
and apply these IPsec-related patches:
ead6515637a34ce6e170e2d2b0802e4fa1e63a00 #11435
57beb9ad8ca11703778fc483c7cba0f6770657ac #11435
10eb04259fd139c62e08df8de877b71fdd0eedc8 #11442
ded7970ba57a99767e08243103e55d8a58edfc35 #11486
afffe759c4fd19fe6b8311196f4b6d5e288ea4fb #11487
2fe5cc52bd881ed26723a81e0eed848fd505fba6 #11488
To install patches, go to System > Patches > Add new patch.
In the description put any descriptive text like ipsec1, put in a Commit ID and save. After that you need to fetch, test and apply. Do it for all the commit IDs here and let me know if it helps.
Regards
Vinicius
-
@viniciusmerlim thanks for the suggestion.
I added the patches, then restarted the ipsec service, with no effect - still getting the same error message.
-
@markgca Can you export your IPsec status logs? Go to: pfsenseip/status.php > download.
Then extract the ipsec logs from the file and reply here with the whole connection attempt part. Please keep in mind that you need to hide IPs, shared keys and any other sensitive information.
Maybe then we could fully understand what's happening in your instance.
-
@viniciusmerlim - Thanks for the information. I had tried this from jimp's post in "https://forum.netgate.com/topic/161265/pfsense-2-5-problems-with-site-to-site-aws-vpn-connection/2". It worked on one of our pfSense instances. However, on one of them I started facing a new issue after applying the patches. That is, the entire ipsec service hangs up. When I try to restart the service nothing happens. Only when I restart the entire AWS instance does it connect back, for a few minutes, before freezing again. No logs are being recorded when it freezes. I've also tried restarting the service from the command line using the following commands, with no luck:
"pfSsh.php playback restartipsec" & "pfSsh.php playback svc stop ipsec; pfSsh.php playback svc start ipsec"
Any known resolution for this issue? Please help.
-
@viniciusmerlim - I am now getting the following error and am unable to restart the IPsec service:
connecting to 'unix:///var/run/charon.vici' failed: Connection refused
Can you please help? It only works for a few minutes after restarting the instance and then goes back to the same state. It also stops recording logs once it freezes. Please help.
-
@vishal-mhatre2310 Sorry for the late response. Do you still need help here?