IPSEC Issue - dnswatch core dump



  • Hello all, having an odd issue with getting IPsec running between two pfSense boxes.

    Running a fresh install of the pfSense-1.2.3-20090804-1244.iso.

    If I set "Remote gateway" or "My identifier" to the hostname.domain.name format, I see the following errors in the log files and the VPN session will not link up.

    
    	kernel: pid 745 (dnswatch), uid 0: exited on signal 11 (core dumped)
    
    

    IPsec VPN log:

    
    racoon: ERROR: phase1 negotiation failed due to time up. e330c84aea4b37e7:0000000000000000
    racoon: INFO: delete phase 2 handler.
    racoon: []: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP REMOTEEXTERNALIP[0]->MYEXTERNALIP[0]
    racoon: INFO: begin Aggressive mode.
    racoon: []: INFO: initiate new phase 1 negotiation: MYEXTERNALIP[500]<=>REMOTEEXTERNALIP[500]
    racoon: []: INFO: IPsec-SA request for REMOTEEXTERNALIP queued due to no phase1 found.
    racoon: INFO: INTERNALIP[500] used for NAT-T
    racoon: [Self]: INFO: INTERNALIP[500] used as isakmp port (fd=16)
    
    

    Running dnswatch from the command line always core dumps:

    
     Segmentation fault (core dumped)
    
    

    Setting "Remote gateway" and "My identifier" to use the IP address on both the IPsec client and server was my limited workaround.

    Has anyone run into this before?

    -loki



  • This is new, does the hostname actually resolve?

    I use the remote gateway with a hostname and "My IP address" as the identifier.

    That's the way it's supposed to work.



  • Seems the dnswatch command from the Aug 04 build is bad. I pulled a copy from an older build I was testing (July 31) and the older version works fine.

    With the Aug 4th version of dnswatch:

    
    Aug 13 16:18:44 rt php: : The command '/usr/local/sbin/racoonctl -s /var/db/racoon/racoon.sock reload-config' returned exit code '1', the output was '' 
    Aug 13 16:18:45 rt kernel: pid 722 (dnswatch), uid 0: exited on signal 11 (core dumped)
    
    

    With the July 31 version of dnswatch:

    
    Aug 13 16:46:20 rt php: /vpn_ipsec.php: IPSEC: Send a reload signal to the IPsec process
    Aug 13 16:46:20 rt php: /vpn_ipsec.php: The command '/usr/local/sbin/racoonctl -s /var/db/racoon/racoon.sock reload-config' returned exit code '1', the output was '' 
    Aug 13 16:46:21 rt check_reload_status: reloading filter
    
    

    A quick ps shows the process is running now:

    
    ps -efxww | grep -i dns
    ps: Process environment requires procfs(5)
     6118  ??  Ss     0:00.00  /usr/local/sbin/dnswatch /var/run/dnswatch-ipsec.pid 60 /etc/rc.newipsecdns /var/etc/dnswatch-ipsec.hosts
    
    
    -loki
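The ps line above shows how pfSense starts the watcher: a pidfile, a poll interval (60 seconds), a hook script (/etc/rc.newipsecdns) and a hosts file listing the peer names. The script below is an added example, not pfSense's dnswatch and not code from the thread: a minimal stand-in for that polling loop, written from the argument list alone, so the behaviour (resolve each name every INTERVAL seconds, run COMMAND when an address changes) is an assumption about what the real binary does. The hook is invoked in the same way regardless of the exit code of the command (the logs above show racoonctl returning exit code 1 with both the working and the crashing dnswatch), so a hook failure is logged rather than treated as a reason to stop polling. The function names, the state-file suffix and the sample hostname vpn.example.invalid are all made up for the example.

```shell
#!/bin/sh
# dnswatch_lite.sh: hypothetical stand-in for the dnswatch loop seen in the
# ps output (added example, not pfSense code). Same argument order as dnswatch:
#   dnswatch_lite.sh PIDFILE INTERVAL COMMAND HOSTSFILE
# Assumed behaviour, inferred from the argument list rather than from source:
# every INTERVAL seconds resolve each name in HOSTSFILE; if any address changed
# since the previous poll, run COMMAND so IPsec is reloaded with the new peer IP.
set -u

# resolve_host NAME: print the first IPv4 address for NAME, nothing on failure.
# Always returns 0 so one unresolvable peer cannot take the whole watcher down
# (compare the core dump in the thread, which killed monitoring for all peers).
resolve_host() {
    name=$1
    if command -v getent >/dev/null 2>&1; then
        getent ahostsv4 "$name" 2>/dev/null | awk 'NR==1 {print $1}'
    elif command -v host >/dev/null 2>&1; then
        host -t A "$name" 2>/dev/null | awk '/has address/ {print $NF; exit}'
    fi
    return 0
}

# check_hosts HOSTSFILE STATEFILE: resolve every name in HOSTSFILE, compare with
# the addresses recorded in STATEFILE ("name ip" per line), rewrite STATEFILE and
# print the names whose address changed. Returns 0 if anything changed, 1 if not.
check_hosts() {
    hostsfile=$1
    statefile=$2
    changed=1
    newstate=$(mktemp)
    [ -f "$statefile" ] || : > "$statefile"
    while IFS= read -r name || [ -n "$name" ]; do
        case $name in ''|\#*) continue ;; esac   # skip blanks and comments
        old=$(awk -v n="$name" '$1==n {print $2}' "$statefile")
        ip=$(resolve_host "$name")
        # A failed lookup keeps the last known address: a transient DNS outage
        # must not trigger a reload that would hand racoon an empty peer.
        [ -n "$ip" ] || ip=$old
        if [ "$ip" != "$old" ]; then
            echo "$name"
            changed=0
        fi
        printf '%s %s\n' "$name" "$ip" >> "$newstate"
    done < "$hostsfile"
    mv "$newstate" "$statefile"
    return $changed
}

# poll_loop PIDFILE INTERVAL COMMAND HOSTSFILE: the watcher itself.
poll_loop() {
    pidfile=$1; interval=$2; cmd=$3; hostsfile=$4
    statefile="${hostsfile}.state"    # assumed location for remembered addresses
    echo $$ > "$pidfile"
    while :; do
        if check_hosts "$hostsfile" "$statefile" >/dev/null; then
            # Log a failing hook but keep polling; the thread's logs show
            # racoonctl reload-config exiting 1 even when the VPN comes up.
            $cmd || echo "dnswatch_lite: '$cmd' exited $?" >&2
        fi
        sleep "$interval"
    done
}

# Start the loop only when given all four arguments; running the file bare or
# sourcing it just defines the functions so check_hosts can be used by hand.
if [ "$#" -eq 4 ]; then
    poll_loop "$@"
fi
```

Run it exactly as pfSense runs the real binary (`sh dnswatch_lite.sh /var/run/dnswatch-ipsec.pid 60 /etc/rc.newipsecdns /var/etc/dnswatch-ipsec.hosts`) to confirm that the hosts file resolves and that the hook fires on an address change; if this loop keeps running while the shipped dnswatch still segfaults, the fault is in the binary rather than in DNS or the hosts file.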
