Unstoppable IPSec charon daemon and no tunnel is working
Hi,
I upgraded pfSense from 2.5.0 to 2.5.1 and IPSec stopped working.
What's more, I cannot stop IPSec in any way, either from the GUI or by killing charon.
Stopping from the GUI does not seem to have any effect at all and I see nothing in the system.log or ipsec.log.
When I kill charon from the terminal, I see this:
Apr 14 16:40:23 gw charon[35925]: 00[MGR] destroy all entries
Apr 14 16:40:23 gw ipsec_starter[88762]: charon has died -- restart scheduled (5sec)
Apr 14 16:40:28 gw ipsec_starter[88762]: charon (32453) started after 40 ms
When I enable high logging level of IPSec, I see these entries:
Apr 14 16:41:40 gw charon[32453]: 13[MGR] checkout IKEv1 SA by message with SPIs b842a166ba75a408_i 0000000000000000_r
Apr 14 16:41:40 gw charon[32453]: 13[MGR] created IKE_SA (unnamed)[10]
Apr 14 16:41:40 gw charon[32453]: 13[IKE] <10> no IKE config found for GW_A...GW_B, sending NO_PROPOSAL_CHOSEN
Apr 14 16:41:40 gw charon[32453]: 13[MGR] <10> checkin and destroy IKE_SA (unnamed)[10]
Apr 14 16:41:40 gw charon[32453]: 13[IKE] <10> IKE_SA (unnamed)[10] state change: CREATED => DESTROYING
Apr 14 16:41:40 gw charon[32453]: 13[MGR] checkin and destroy of IKE_SA successful
Apr 14 16:41:40 gw charon[32453]: 13[MGR] checkout IKEv1 SA by message with SPIs b842a166ba75a408_i cb3532f24ed15bef_r
Apr 14 16:41:40 gw charon[32453]: 13[MGR] IKE_SA checkout not successful
But this particular tunnel from GW_A to GW_B is disabled!
Actually, I even deleted the configuration referring to GW_B completely, but it still appears in the ipsec.log.
I'd appreciate any help to stop this madness.
I've rebooted this pfSense twice.
Thanks a lot in advance.
shpokas -
@shpokas
This thread got me going, and then, using the same troubleshooting commands, I found I am missing "Virtual IPv6 Address Pool" for the mobile IPSec config. Once I did that, all was good.
How this was working before the upgrade to 2.5.1, I have no explanation.