Netgate Discussion Forum
    IPSEC Issue - dnswatch core dump

    Posted by loki:

      Hello all, having an odd issue with getting IPSEC running between two pfSense boxes.

      Running a fresh install of pfSense-1.2.3-20090804-1244.iso.

      If I set "Remote gateway" or "My identifier" to the hostname.domain.name format, I see the following errors in the log files and the VPN session will not link up.

          kernel: pid 745 (dnswatch), uid 0: exited on signal 11 (core dumped)

      IPsec VPN log:

          racoon: ERROR: phase1 negotiation failed due to time up. e330c84aea4b37e7:0000000000000000
          racoon: INFO: delete phase 2 handler.
          racoon: []: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP REMOTEEXTERNALIP[0]->MYEXTERNALIP[0]
          racoon: INFO: begin Aggressive mode.
          racoon: []: INFO: initiate new phase 1 negotiation: MYEXTERNALIP[500]<=>REMOTEEXTERNALIP[500]
          racoon: []: INFO: IPsec-SA request for REMOTEEXTERNALIP queued due to no phase1 found.
          racoon: INFO: INTERNALIP[500] used for NAT-T
          racoon: [Self]: INFO: INTERNALIP[500] used as isakmp port (fd=16)

      Running dnswatch from the command line will always core dump:

          Segmentation fault (core dumped)

      Setting the "Remote gateway" and "My identifier" to use the "ip address" on both the IPSEC client/server was my limited workaround.

      Has anyone run into this before?

      -loki

      Reply from databeestje:

        This is new; does the hostname actually resolve?

        I use remote gateway with a hostname and as the identifier My IP address.

        That's the way it's supposed to work.

        Reply from loki:

          Seems the dnswatch command from the Aug 04 build is bad. Pulled a copy from an older build I was testing (July 31) and the older version works fine.

          With the Aug 4th version of dnswatch:

              Aug 13 16:18:44 rt php: : The command '/usr/local/sbin/racoonctl -s /var/db/racoon/racoon.sock reload-config' returned exit code '1', the output was ''
              Aug 13 16:18:45 rt kernel: pid 722 (dnswatch), uid 0: exited on signal 11 (core dumped)

          With the July 31 version of dnswatch:

              Aug 13 16:46:20 rt php: /vpn_ipsec.php: IPSEC: Send a reload signal to the IPsec process
              Aug 13 16:46:20 rt php: /vpn_ipsec.php: The command '/usr/local/sbin/racoonctl -s /var/db/racoon/racoon.sock reload-config' returned exit code '1', the output was ''
              Aug 13 16:46:21 rt check_reload_status: reloading filter

          A quick ps shows the process is running now:

              ps -efxww | grep -i dns
              ps: Process environment requires procfs(5)
               6118  ??  Ss     0:00.00  /usr/local/sbin/dnswatch /var/run/dnswatch-ipsec.pid 60 /etc/rc.newipsecdns /var/etc/dnswatch-ipsec.hosts
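As an added example (not code from the thread or from pfSense), the crash and racoon lines quoted above are run through a small Python log scanner that flags a daemon dying on a signal and a phase 1 timeout that follows it, which is the pattern loki hit; the sample lines are constructed from the thread, the racoon line's timestamp is made up so all lines share one format, and the function names are assumptions of this example.

```python
import re

# Constructed sample: the php, kernel and racoon lines quoted in this thread (host "rt",
# pids as shown); the racoon line is given a timestamp so all lines share one format.
SAMPLE_LOG = """\
Aug 13 16:18:44 rt php: : The command '/usr/local/sbin/racoonctl -s /var/db/racoon/racoon.sock reload-config' returned exit code '1', the output was ''
Aug 13 16:18:45 rt kernel: pid 722 (dnswatch), uid 0: exited on signal 11 (core dumped)
Aug 13 16:18:50 rt racoon: ERROR: phase1 negotiation failed due to time up. e330c84aea4b37e7:0000000000000000
Aug 13 16:46:21 rt check_reload_status: reloading filter
"""

# FreeBSD kernel message for a process killed by a signal (11 = SIGSEGV).
CRASH_RE = re.compile(
    r"kernel: pid (?P<pid>\d+) \((?P<proc>[^)]+)\), uid \d+: "
    r"exited on signal (?P<sig>\d+)(?P<core> \(core dumped\))?"
)
PHASE1_RE = re.compile(r"racoon: .*phase1 negotiation failed")
RACOONCTL_RE = re.compile(r"racoonctl .* returned exit code '(?P<code>\d+)'")

def scan_pfsense_log(text):
    """Return (kind, detail) findings, one per matching syslog line, in file order."""
    findings = []
    for line in text.splitlines():
        if m := CRASH_RE.search(line):
            core = " (core dumped)" if m["core"] else ""
            findings.append(("daemon_crash",
                             f"{m['proc']} pid {m['pid']} exited on signal {m['sig']}{core}"))
        elif PHASE1_RE.search(line):
            findings.append(("ipsec_phase1_failed", line.split("racoon: ", 1)[1]))
        elif (m := RACOONCTL_RE.search(line)) and m["code"] != "0":
            # Seen in both the broken and the working runs in this thread, so alone it
            # is noise; it only matters next to a crash.
            findings.append(("racoonctl_reload_failed", f"exit code {m['code']}"))
    return findings

def crashed_daemons(findings):
    """Sorted names of daemons that died on a signal."""
    return sorted({d.split()[0] for k, d in findings if k == "daemon_crash"})

def crash_explains_ipsec_failure(findings):
    """True when a daemon crash precedes a phase 1 timeout, the pattern in this thread."""
    crash_seen = False
    for kind, _ in findings:
        crash_seen = crash_seen or kind == "daemon_crash"
        if kind == "ipsec_phase1_failed" and crash_seen:
            return True
    return False
```

On the working July 31 run the racoonctl exit code 1 still appears but no crash does, so only the kernel "exited on signal" line separates the two cases.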
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.