Netgate Discussion Forum

IPSec tunnel fails!!!

2 Posts 2 Posters 598 Views
    dochy
    last edited by Jan 9, 2023, 7:18 AM

    Hello, I have an IPsec VPN tunnel between two pfSense version 2.6.0 firewalls. For about 5 months they worked perfectly, but nowadays the tunnel has started failing after working for about 1-2 days. After it fails, it will not work until I reset the firewall state table. What can it be? I didn't make any serious changes and I don't have the Snort package.

    Jan 9 11:38:14	charon	9940	11[IKE] <con4|23> activating new tasks
    Jan 9 11:38:14	charon	9940	11[IKE] <con4|23> activating ISAKMP_DPD task
    Jan 9 11:38:14	charon	9940	11[ENC] <con4|23> generating INFORMATIONAL_V1 request 3025513881 [ HASH N(DPD) ]
    Jan 9 11:38:14	charon	9940	11[NET] <con4|23> sending packet: from PFSENSEIP1[500] to PFSENSEIP2[500] (92 bytes)
    Jan 9 11:38:14	charon	9940	11[IKE] <con4|23> activating new tasks
    Jan 9 11:38:14	charon	9940	11[IKE] <con4|23> nothing to initiate
    Jan 9 11:38:14	charon	9940	04[NET] error writing to socket: Permission denied
    Jan 9 11:38:24	charon	9940	11[IKE] <con-mobile|25> giving up after 5 retransmits
    Jan 9 11:38:24	charon	9940	14[IKE] <con4|23> sending DPD request
    Jan 9 11:38:24	charon	9940	14[IKE] <con4|23> queueing ISAKMP_DPD task
    Jan 9 11:38:24	charon	9940	11[IKE] <con-mobile|25> establishing IKE_SA failed, peer not responding
    Jan 9 11:38:24	charon	9940	14[IKE] <con4|23> activating new tasks
    Jan 9 11:38:24	charon	9940	11[IKE] <con-mobile|25> IKE_SA con-mobile[25] state change: CONNECTING => DESTROYING
    Jan 9 11:38:24	charon	9940	14[IKE] <con4|23> activating ISAKMP_DPD task
    Jan 9 11:38:24	charon	9940	14[ENC] <con4|23> generating INFORMATIONAL_V1 request 3578472808 [ HASH N(DPD) ]
    Jan 9 11:38:24	charon	9940	14[NET] <con4|23> sending packet: from PFSENSEIP1[500] to PFSENSEIP2[500] (92 bytes)
    Jan 9 11:38:24	charon	9940	14[IKE] <con4|23> activating new tasks
    Jan 9 11:38:24	charon	9940	14[IKE] <con4|23> nothing to initiate
    Jan 9 11:38:24	charon	9940	04[NET] error writing to socket: Permission denied
    Jan 9 11:38:32	charon	9940	14[JOB] <con4|23> DPD check timed out, enforcing DPD action
    Jan 9 11:38:32	charon	9940	14[CFG] <con4|23> updating already routed CHILD_SA 'con4_4'
    Jan 9 11:38:32	charon	9940	14[CFG] <con4|23> configured proposals: ESP:AES_GCM_16_128/NO_EXT_SEQ, ESP:AES_GCM_12_128/NO_EXT_SEQ, ESP:AES_GCM_8_128/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
    Jan 9 11:38:32	charon	9940	14[CHD] <con4|23> CHILD_SA con4_4{75} state change: CREATED => ROUTED
    Jan 9 11:38:32	charon	9940	14[CHD] <con4|23> CHILD_SA con4_4{2} state change: ROUTED => DESTROYING
    Jan 9 11:38:32	charon	9940	14[IKE] <con4|23> IKE_SA con4[23] state change: ESTABLISHED => DESTROYING
    Jan 9 11:38:32	charon	9940	14[CHD] <con4|23> CHILD_SA con4_4{66} state change: INSTALLED => DESTROYING
    Jan 9 11:38:32	charon	9940	11[KNL] creating acquire job for policy PFSENSEIP1/32|/0 === PFSENSEIP2/32|/0 with reqid {2}
    Jan 9 11:38:32	charon	9940	11[IKE] <con4|37> queueing ISAKMP_VENDOR task
    Jan 9 11:38:32	charon	9940	11[IKE] <con4|37> queueing ISAKMP_CERT_PRE task
    Jan 9 11:38:32	charon	9940	11[IKE] <con4|37> queueing MAIN_MODE task
    Jan 9 11:38:32	charon	9940	11[IKE] <con4|37> queueing ISAKMP_CERT_POST task
    Jan 9 11:38:32	charon	9940	11[IKE] <con4|37> queueing ISAKMP_NATD task
    Jan 9 11:38:32	charon	9940	11[IKE] <con4|37> queueing QUICK_MODE task
    Jan 9 11:38:32	charon	9940	11[IKE] <con4|37> activating new tasks
    Jan 9 11:38:32	charon	9940	11[IKE] <con4|37> activating ISAKMP_VENDOR task
    Jan 9 11:38:32	charon	9940	11[IKE] <con4|37> activating ISAKMP_CERT_PRE task
    Jan 9 11:38:32	charon	9940	11[IKE] <con4|37> activating MAIN_MODE task
    Jan 9 11:38:32	charon	9940	11[IKE] <con4|37> activating ISAKMP_CERT_POST task
    Jan 9 11:38:32	charon	9940	11[IKE] <con4|37> activating ISAKMP_NATD task
    Jan 9 11:38:32	charon	9940	11[IKE] <con4|37> sending XAuth vendor ID
    Jan 9 11:38:32	charon	9940	11[IKE] <con4|37> sending DPD vendor ID
    Jan 9 11:38:32	charon	9940	11[IKE] <con4|37> sending FRAGMENTATION vendor ID
    Jan 9 11:38:32	charon	9940	11[IKE] <con4|37> sending NAT-T (RFC 3947) vendor ID
    Jan 9 11:38:32	charon	9940	11[IKE] <con4|37> sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Jan 9 11:38:32	charon	9940	11[IKE] <con4|37> initiating Main Mode IKE_SA con4[37] to PFSENSEIP2
    Jan 9 11:38:32	charon	9940	11[IKE] <con4|37> IKE_SA con4[37] state change: CREATED => CONNECTING
    Jan 9 11:38:32	charon	9940	11[CFG] <con4|37> configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
    Jan 9 11:38:32	charon	9940	11[ENC] <con4|37> generating ID_PROT request 0 [ SA V V V V V ]
    Jan 9 11:38:32	charon	9940	11[NET] <con4|37> sending packet: from PFSENSEIP1[500] to PFSENSEIP2[500] (176 bytes)
    Jan 9 11:38:32	charon	9940	04[NET] error writing to socket: Permission denied
    Jan 9 11:38:35	charon	9940	11[KNL] creating acquire job for policy PFSENSEIP1/32|/0 === PFSENSEIP2/32|/0 with reqid {2}
    Jan 9 11:38:35	charon	9940	11[CFG] ignoring acquire, connection attempt pending
    Jan 9 11:38:37	charon	9940	11[IKE] <con4|37> sending retransmit 1 of request message ID 0, seq 1
    Jan 9 11:38:37	charon	9940	11[NET] <con4|37> sending packet: from PFSENSEIP1[500] to PFSENSEIP2[500] (176 bytes)
    Jan 9 11:38:37	charon	9940	04[NET] error writing to socket: Permission denied
    Jan 9 11:38:38	charon	9940	11[KNL] creating acquire job for policy PFSENSEIP1/32|/0 === PFSENSEIP2/32|/0 with reqid {2}
    Jan 9 11:38:38	charon	9940	11[CFG] ignoring acquire, connection attempt pending
    Jan 9 11:38:39	charon	9940	14[KNL] creating acquire job for policy PFSENSEIP1/32|/0 === PFSENSEIP2/32|/0 with reqid {2}
    Jan 9 11:38:39	charon	9940	14[CFG] ignoring acquire, connection attempt pending
    
      marcfunk @dochy
      last edited by Nov 4, 2024, 1:35 PM

      @dochy
      Hey! Do you have a solution for this problem? We currently have the same... "error writing to socket"
