IPSEC WOODOO Pfsense RC1



  • After updating pfSense to RC1, I get the same problem: every hour to hour and a half or so (not time bound) IPsec falls (see log below). It goes down for a few minutes and renegotiates, then comes up. In this time, connections between remote locations fall down.
    The ERROR about policy replacement is a non-issue, as it is in fact just a message.
    But signal 15? Racoon shutdown? Hmm...

    I tried the P1 config in aggressive and main mode; both fail the same way,
    using identifier "My IP address", pre-shared key, 3DES, MD5 and a lifetime of 86400 secs.

    Phase 2
    ESP
    BLOWFISH, MD5, no PFS key group, 86400 sec lifetime.
    Pinging a server on the remote LAN(s).

    Best regards.
    Preatorian


    Aug 2 17:32:46 racoon: INFO: received Vendor ID: KAME/racoon
    Aug 2 17:32:46 racoon: INFO: ISAKMP-SA established AA.AA.AA.AA[500]-BB.BB.BB.BB[500] spi:818744c516c14ffa:538d0a005e0610db
    Aug 2 17:32:47 racoon: INFO: initiate new phase 2 negotiation: AA.AA.AA.AA[0]<=>BB.BB.BB.BB[0]
    Aug 2 17:32:47 racoon: INFO: IPsec-SA established: ESP/Tunnel BB.BB.BB.BB[0]->AA.AA.AA.AA[0] spi=109287135(0x68396df)
    Aug 2 17:32:47 racoon: INFO: IPsec-SA established: ESP/Tunnel AA.AA.AA.AA[0]->BB.BB.BB.BB[0] spi=164563998(0x9cf0c1e)
    Aug 2 17:32:47 racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, 9d8828fff132d97d:e01f7e80d79ce9c9:0000b8f7
    Aug 2 17:32:49 racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, 9d8828fff132d97d:e01f7e80d79ce9c9:0000edb0
    Aug 2 17:32:57 racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, 9d8828fff132d97d:e01f7e80d79ce9c9:0000b8f7
    Aug 2 17:32:58 racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, 9d8828fff132d97d:e01f7e80d79ce9c9:0000edb0
    Aug 2 18:22:37 racoon: INFO: caught signal 15
    Aug 2 18:22:38 racoon: INFO: racoon shutdown

    Aug 2 18:22:39 racoon: INFO: @(#)ipsec-tools 0.6.5 (http://ipsec-tools.sourceforge.net)
    Aug 2 18:22:39 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
    Aug 2 18:22:39 racoon: INFO: fe80::204:e2ff:fee9:e3b1%ng2[500] used as isakmp port (fd=8)
    Aug 2 18:22:39 racoon: INFO: fe80::204:e2ff:fee9:e3b1%ng1[500] used as isakmp port (fd=9)
    Aug 2 18:22:39 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=10)
    Aug 2 18:22:39 racoon: INFO: ::1[500] used as isakmp port (fd=11)
    Aug 2 18:22:39 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=12)
    Aug 2 18:22:39 racoon: INFO: fe80::204:e2ff:fee9:e3b1%fxp0[500] used as isakmp port (fd=13)
    Aug 2 18:22:39 racoon: INFO: AA.AA.AA.AA[500] used as isakmp port (fd=14)
    Aug 2 18:22:39 racoon: INFO: fe80::2a0:f9ff:fe05:cf45%rl0[500] used as isakmp port (fd=15)
    Aug 2 18:22:39 racoon: INFO: fe80::204:e2ff:fee9:e3b1%sk0[500] used as isakmp port (fd=16)
    Aug 2 18:22:39 racoon: INFO: 192.168.0.1[500] used as isakmp port (fd=17)
    Aug 2 18:22:39 racoon: ERROR: such policy already exists. anyway replace it: 192.168.0.0/24[0] 192.168.0.1/32[0] proto=any dir=in
    Aug 2 18:22:39 racoon: ERROR: such policy already exists. anyway replace it: 190.20.10.0/24[0] 192.168.0.0/24[0] proto=any dir=in
    Aug 2 18:22:39 racoon: ERROR: such policy already exists. anyway replace it: 192.168.16.0/24[0] 192.168.0.0/24[0] proto=any dir=in
    Aug 2 18:22:39 racoon: ERROR: such policy already exists. anyway replace it: 192.168.0.1/32[0] 192.168.0.0/24[0] proto=any dir=out
    Aug 2 18:22:39 racoon: ERROR: such policy already exists. anyway replace it: 192.168.0.0/24[0] 190.20.10.0/24[0] proto=any dir=out
    Aug 2 18:22:39 racoon: ERROR: such policy already exists. anyway replace it: 192.168.0.0/24[0] 192.168.16.0/24[0] proto=any dir=out
    Aug 2 18:23:00 racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, 9d8828fff132d97d:e01f7e80d79ce9c9:0000abe3
    Aug 2 18:23:21 last message repeated 2 times
    Aug 2 18:24:13 racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, 9d8828fff132d97d:e01f7e80d79ce9c9:0000c417
    Aug 2 18:24:33 last message repeated 2 times

    Aug 2 18:25:00 racoon: INFO: IPsec-SA request for BB.BB.BB.BB queued due to no phase1 found.
    Aug 2 18:25:00 racoon: INFO: initiate new phase 1 negotiation: AA.AA.AA.AA[500]<=>BB.BB.BB.BB[500]
    Aug 2 18:25:00 racoon: INFO: begin Identity Protection mode.
    Aug 2 18:25:00 racoon: INFO: received Vendor ID: KAME/racoon
    Aug 2 18:25:01 racoon: INFO: received Vendor ID: KAME/racoon
    Aug 2 18:25:01 racoon: INFO: ISAKMP-SA established AA.AA.AA.AA[500]-BB.BB.BB.BB[500] spi:a6e545f6a12c5ab6:655b8822f063d9b1
    Aug 2 18:25:02 racoon: INFO: initiate new phase 2 negotiation: AA.AA.AA.AA[0]<=>BB.BB.BB.BB[0]
    Aug 2 18:25:02 racoon: INFO: IPsec-SA established: ESP/Tunnel BB.BB.BB.BB[0]->AA.AA.AA.AA[0] spi=151851937(0x90d13a1)
    Aug 2 18:25:02 racoon: INFO: IPsec-SA established: ESP/Tunnel AA.AA.AA.AA[0]->BB.BB.BB.BB[0] spi=77296916(0x49b7514)
    Aug 2 18:25:20 racoon: INFO: IPsec-SA request for CC.CC.CC.CC queued due to no phase1 found.
    Aug 2 18:25:20 racoon: INFO: initiate new phase 1 negotiation: AA.AA.AA.AA[500]<=>CC.CC.CC.CC[500]
    Aug 2 18:25:20 racoon: INFO: begin Identity Protection mode.
    Aug 2 18:25:20 racoon: INFO: received Vendor ID: DPD
    Aug 2 18:25:21 racoon: INFO: ISAKMP-SA established AA.AA.AA.AA[500]-CC.CC.CC.CC[500] spi:549f3b89283f92a3:ce235874b45c2300
    Aug 2 18:25:22 racoon: INFO: initiate new phase 2 negotiation: AA.AA.AA.AA[0]<=>CC.CC.CC.CC[0]
    Aug 2 18:25:22 racoon: INFO: IPsec-SA established: ESP/Tunnel CC.CC.CC.CC[0]->AA.AA.AA.AA[0] spi=130184044(0x7c2736c)
    Aug 2 18:25:22 racoon: INFO: IPsec-SA established: ESP/Tunnel AA.AA.AA.AA[0]->CC.CC.CC.CC[0] spi=105454316(0x6491aec)
    ---------------------------

    Aug 2 16:44:25 racoon: ERROR: CC.CC.CC.CC give up to get IPsec-SA due to time up to wait.
    Aug 2 16:44:34 racoon: INFO: respond new phase 1 negotiation: AA.AA.AA.AA[500]<=>CC.CC.CC.CC[500]
    Aug 2 16:44:34 racoon: INFO: begin Identity Protection mode.
    Aug 2 16:44:34 racoon: INFO: received Vendor ID: DPD
    Aug 2 16:44:34 racoon: INFO: ISAKMP-SA established AA.AA.AA.AA[500]-CC.CC.CC.CC[500] spi:9d8828fff132d97d:e01f7e80d79ce9c9
    Aug 2 16:44:35 racoon: INFO: respond new phase 2 negotiation: AA.AA.AA.AA[0]<=>CC.CC.CC.CC[0]
    Aug 2 16:44:35 racoon: INFO: IPsec-SA established: ESP/Tunnel CC.CC.CC.CC[0]->AA.AA.AA.AA[0] spi=175908704(0xa7c2760)
    Aug 2 16:44:35 racoon: INFO: IPsec-SA established: ESP/Tunnel AA.AA.AA.AA[0]->CC.CC.CC.CC[0] spi=193699577(0xb8b9ef9)
    Aug 2 17:32:37 racoon: INFO: purged IPsec-SA proto_id=ESP spi=193699577.
    Aug 2 17:32:37 racoon: INFO: respond new phase 2 negotiation: AA.AA.AA.AA[0]<=>CC.CC.CC.CC[0]
    Aug 2 17:32:38 racoon: INFO: initiate new phase 2 negotiation: AA.AA.AA.AA[0]<=>CC.CC.CC.CC[0]
    Aug 2 17:32:41 racoon: INFO: respond new phase 1 negotiation: AA.AA.AA.AA[500]<=>CC.CC.CC.CC[500]
    Aug 2 17:32:41 racoon: INFO: begin Identity Protection mode.
    Aug 2 17:32:41 racoon: INFO: received Vendor ID: DPD
    Aug 2 17:32:41 racoon: INFO: ISAKMP-SA established AA.AA.AA.AA[500]-CC.CC.CC.CC[500] spi:a2cb2090b1702450:90cd4325a60d18cb
    Aug 2 17:32:41 racoon: INFO: purging spi=175908704.
    Aug 2 17:32:42 racoon: INFO: respond new phase 2 negotiation: AA.AA.AA.AA[0]<=>CC.CC.CC.CC[0]
    Aug 2 17:32:42 racoon: INFO: IPsec-SA established: ESP/Tunnel CC.CC.CC.CC[0]->AA.AA.AA.AA[0] spi=51025277(0x30a957d)
    Aug 2 17:32:42 racoon: INFO: IPsec-SA established: ESP/Tunnel AA.AA.AA.AA[0]->CC.CC.CC.CC[0] spi=80763934(0x4d05c1e)
    Aug 2 17:32:47 racoon: ERROR: none message must be encrypted
    Aug 2 17:32:58 last message repeated 3 times
    Aug 2 17:33:07 racoon: ERROR: CC.CC.CC.CC give up to get IPsec-SA due to time up to wait.
    Aug 2 17:33:08 racoon: ERROR: CC.CC.CC.CC give up to get IPsec-SA due to time up to wait.

    Aug 2 18:13:14 racoon: INFO: ISAKMP-SA expired AA.AA.AA.AA[500]-CC.CC.CC.CC[500] spi:0b921a024c0b0b56:7ebf0298b4ef3ff6
    Aug 2 18:13:15 racoon: INFO: ISAKMP-SA deleted AA.AA.AA.AA[500]-CC.CC.CC.CC[500] spi:0b921a024c0b0b56:7ebf0298b4ef3ff6
    Aug 2 18:22:37 racoon: INFO: purged IPsec-SA proto_id=ESP spi=80763934.
    Aug 2 18:22:38 racoon: INFO: initiate new phase 2 negotiation: AA.AA.AA.AA[0]<=>CC.CC.CC.CC[0]
    Aug 2 18:22:38 racoon: INFO: purging ISAKMP-SA spi=a2cb2090b1702450:90cd4325a60d18cb.
    Aug 2 18:22:38 racoon: INFO: Unknown IPsec-SA spi=51025277, hmmmm?
    Aug 2 18:22:38 racoon: INFO: purged IPsec-SA spi=51025277.
    Aug 2 18:22:38 racoon: INFO: purged IPsec-SA spi=102246445.
    Aug 2 18:22:38 racoon: INFO: purged ISAKMP-SA spi=a2cb2090b1702450:90cd4325a60d18cb.
    Aug 2 18:22:39 racoon: INFO: ISAKMP-SA deleted AA.AA.AA.AA[500]-CC.CC.CC.CC[500] spi:a2cb2090b1702450:90cd4325a60d18cb
    Aug 2 18:23:00 racoon: INFO: initiate new phase 2 negotiation: AA.AA.AA.AA[0]<=>CC.CC.CC.CC[0]
    Aug 2 18:23:00 racoon: ERROR: none message must be encrypted
    Aug 2 18:23:21 last message repeated 2 times
    Aug 2 18:23:30 racoon: ERROR: CC.CC.CC.CC give up to get IPsec-SA due to time up to wait.
    Aug 2 18:24:13 racoon: INFO: initiate new phase 2 negotiation: AA.AA.AA.AA[0]<=>CC.CC.CC.CC[0]
    Aug 2 18:24:13 racoon: ERROR: none message must be encrypted
    Aug 2 18:24:33 last message repeated 2 times
    Aug 2 18:24:43 racoon: ERROR: CC.CC.CC.CC give up to get IPsec-SA due to time up to wait.

    Aug 2 18:25:20 racoon: INFO: respond new phase 1 negotiation: AA.AA.AA.AA[500]<=>CC.CC.CC.CC[500]
    Aug 2 18:25:20 racoon: INFO: begin Identity Protection mode.
    Aug 2 18:25:20 racoon: INFO: received Vendor ID: DPD
    Aug 2 18:25:21 racoon: INFO: ISAKMP-SA established AA.AA.AA.AA[500]-CC.CC.CC.CC[500] spi:549f3b89283f92a3:ce235874b45c2300
    Aug 2 18:25:22 racoon: INFO: respond new phase 2 negotiation: AA.AA.AA.AA[0]<=>CC.CC.CC.CC[0]
    Aug 2 18:25:22 racoon: INFO: IPsec-SA established: ESP/Tunnel CC.CC.CC.CC[0]->AA.AA.AA.AA[0] spi=105454316(0x6491aec)
    Aug 2 18:25:22 racoon: INFO: IPsec-SA established: ESP/Tunnel AA.AA.AA.AA[0]->CC.CC.CC.CC[0] spi=130184044(0x7c2736c)
    Aug 2 19:03:05 racoon: INFO: ISAKMP-SA expired AA.AA.AA.AA[500]-CC.CC.CC.CC[500] spi:74bc2e25ebc635f7:2350f4d786c4462d
    Aug 2 19:03:06 racoon: INFO: ISAKMP-SA deleted AA.AA.AA.AA[500]-CC.CC.CC.CC[500] spi:74bc2e25ebc635f7:2350f4d786c4462d
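    Added example, not part of the thread: a small Python walker over racoon log lines that does mechanically what the poster did by eye above. It spots the SIGTERM ("caught signal 15") restart, counts the ERROR messages by type, and measures how long each peer's tunnel stayed down between a teardown (restart or "give up to get IPsec-SA") and the next "IPsec-SA established" for that peer. The local address, the year (syslog timestamps have none) and the sample log are assumptions constructed for the example.

```python
import re
from datetime import datetime

LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) racoon: (INFO|ERROR): (.*)$")
TUNNEL_RE = re.compile(r"ESP/Tunnel ([^\[\s]+)\[\d+\]->([^\[\s]+)\[\d+\]")
GIVEUP_RE = re.compile(r"^(\S+) give up to get IPsec-SA")

# Constructed sample, modelled on the racoon lines quoted in the post (not the real log)
SAMPLE_LOG = """\
Aug 2 17:32:42 racoon: INFO: IPsec-SA established: ESP/Tunnel AA.AA.AA.AA[0]->CC.CC.CC.CC[0] spi=80763934(0x4d05c1e)
Aug 2 17:32:47 racoon: INFO: IPsec-SA established: ESP/Tunnel AA.AA.AA.AA[0]->BB.BB.BB.BB[0] spi=164563998(0x9cf0c1e)
Aug 2 17:33:07 racoon: ERROR: CC.CC.CC.CC give up to get IPsec-SA due to time up to wait.
Aug 2 18:22:37 racoon: INFO: caught signal 15
Aug 2 18:22:38 racoon: INFO: racoon shutdown
Aug 2 18:23:00 racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, 9d8828fff132d97d:e01f7e80d79ce9c9:0000abe3
Aug 2 18:25:02 racoon: INFO: IPsec-SA established: ESP/Tunnel AA.AA.AA.AA[0]->BB.BB.BB.BB[0] spi=77296916(0x49b7514)
Aug 2 18:25:22 racoon: INFO: IPsec-SA established: ESP/Tunnel AA.AA.AA.AA[0]->CC.CC.CC.CC[0] spi=130184044(0x7c2736c)
"""

def analyze(log_text, local, year=2000):
    """Return racoon restarts, per-peer tunnel outages (seconds) and ERROR counts.
    `local` is this firewall's own WAN address; `year` is an assumed value because
    syslog timestamps carry none (only time differences are used)."""
    up, down_since = set(), {}
    report = {"restarts": [], "outages": [], "errors": {}}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # 'last message repeated' and other non-racoon lines
        ts = datetime.strptime(f"{m.group(1)} {year}", "%b %d %H:%M:%S %Y")
        level, msg = m.group(2), m.group(3)
        if level == "ERROR":
            key = msg.split(",")[0]  # drop the per-message cookie/SPI suffix
            report["errors"][key] = report["errors"].get(key, 0) + 1
        if "caught signal 15" in msg:
            # SIGTERM restarts racoon; every tunnel it held is down from now on
            report["restarts"].append(ts)
            down_since.update({peer: ts for peer in up})
            up.clear()
        g = GIVEUP_RE.match(msg)
        if g and g.group(1) in up:  # phase 2 retry abandoned: tunnel is down
            up.discard(g.group(1))
            down_since[g.group(1)] = ts
        t = TUNNEL_RE.search(msg)
        if t and "IPsec-SA established" in msg:
            peer = t.group(2) if t.group(1) == local else t.group(1)
            if peer in down_since:  # tunnel is back: record how long it was out
                report["outages"].append((peer, int((ts - down_since.pop(peer)).total_seconds())))
            up.add(peer)
    return report
```

    On the constructed sample this reports one restart, a 145 s outage for BB.BB.BB.BB caused by the SIGTERM, and a 3135 s outage for CC.CC.CC.CC that began with the "give up" error well before the restart.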



  • What are the specs of this system?

    And btw, update to RC2 please.



  • Both firewalls are overkill PCs: Pentium IV, 512 RAM, CF/IDE adapter, Realtek/Intel 10/100/1000 NICs.
    Both brand new.

    Oh, I will reflash both ends; I just need to jump in my car and drive 190 km to the other end of the VPN :)
    Will let you know...

    Have you made some improvements to IPsec/racoon in RC2?

    Best regards
    Preatorian



  • We did some IPsec improvements in RC2, but they shouldn't affect establishing a tunnel. I just wondered what your specs are, as we had some funny effects with 64 MB RAM hardware at the hackathon, where racoon exited too due to full memory, but that shouldn't be the case with your boxes then.

