Drop tunnel problems

IPsec
Log in to reply
  • B

    Hi, i have a central pfsense serving many tunnels to several branches, the tunnels drop at random times, i see a lot of errors like this when i restart racoon:

    Sep 10 12:21:33 racoon: ERROR: such policy already exists. anyway replace it: 192.168.0.0/24[0] 192.168.4.0/24[0] proto=any dir=out
    Sep 10 12:21:33 racoon: ERROR: such policy already exists. anyway replace it: 192.168.0.0/24[0] 192.168.2.0/24[0] proto=any dir=out
    Sep 10 12:21:33 racoon: ERROR: such policy already exists. anyway replace it: 192.168.0.0/24[0] 192.168.1.0/24[0] proto=any dir=out
    Sep 10 12:21:33 racoon: ERROR: such policy already exists. anyway replace it: 192.168.0.1/32[0] 192.168.0.0/24[0] proto=any dir=out
    Sep 10 12:21:33 racoon: ERROR: such policy already exists. anyway replace it: 192.168.4.0/24[0] 192.168.0.0/24[0] proto=any dir=in
    Sep 10 12:21:33 racoon: ERROR: such policy already exists. anyway replace it: 192.168.2.0/24[0] 192.168.0.0/24[0] proto=any dir=in
    Sep 10 12:21:33 racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.0.0/24[0] proto=any dir=in
    Sep 10 12:21:33 racoon: ERROR: such policy already exists. anyway replace it: 192.168.0.0/24[0] 192.168.0.1/32[0] proto=any dir=in

    the central pfsense is 1.2-release, the others are 1.2-release, 1.2-RC4, and the one that fails the mosst is 1.2.2

    this is the configurations in central:

    path pre_shared_key "/var/etc/psk.txt";

    path certificate  "/var/etc";

    remote 200.13.173.98 {
            exchange_mode aggressive;
            my_identifier user_fqdn "central@staelena1";

    peers_identifier address 200.13.173.98;
            initial_contact on;
            support_proxy on;
            proposal_check obey;

    proposal {
                    encryption_algorithm 3des;
                    hash_algorithm md5;
                    authentication_method pre_shared_key;
                    dh_group 2;
                    lifetime time 28800 secs;
            }
            lifetime time 28800 secs;
    }

    sainfo address 192.168.0.0/24 any address 192.168.1.0/24 any {
            encryption_algorithm 3des,blowfish,cast128,rijndael,rijndael 256;
            authentication_algorithm hmac_sha1,hmac_md5;
            compression_algorithm deflate;
            lifetime time 3600 secs;
    }

    remote 200.13.173.102 {
            exchange_mode aggressive;
            my_identifier user_fqdn "central@staelena2";

    peers_identifier address 200.13.173.102;
            initial_contact on;
            support_proxy on;
            proposal_check obey;

    proposal {
                    encryption_algorithm 3des;
                    hash_algorithm md5;
                    authentication_method pre_shared_key;
                    dh_group 2;
                    lifetime time 28800 secs;
            }
            lifetime time 28800 secs;
    }

    sainfo address 192.168.0.0/24 any address 192.168.2.0/24 any {
            encryption_algorithm 3des,blowfish,cast128,rijndael,rijndael 256;
            authentication_algorithm hmac_sha1,hmac_md5;
            compression_algorithm deflate;
            lifetime time 3600 secs;
    }

    remote 200.13.173.106 {
            exchange_mode aggressive;
            my_identifier user_fqdn "central@opico";

    peers_identifier address 200.13.173.106;
            initial_contact on;
            support_proxy on;
            proposal_check obey;

    proposal {
                    encryption_algorithm 3des;
                    hash_algorithm md5;
                    authentication_method pre_shared_key;
                    dh_group 2;
                    lifetime time 28800 secs;
            }
            lifetime time 28800 secs;
    }

    sainfo address 192.168.0.0/24 any address 192.168.4.0/24 any {
            encryption_algorithm 3des,blowfish,cast128,rijndael,rijndael 256;
            authentication_algorithm hmac_sha1,hmac_md5;
            compression_algorithm deflate;
            lifetime time 3600 secs;
    }

    and this a tipicla from branches:

    path pre_shared_key "/var/etc/psk.txt";

    path certificate  "/var/etc";

    remote 200.13.173.66 {
            exchange_mode aggressive;
            my_identifier user_fqdn "staelena2@central";

    peers_identifier address 200.13.173.66;
            initial_contact on;
            #dpd_delay 120;                  # DPD poll every 120 seconds
            ike_frag on;
            support_proxy on;
            proposal_check obey;

    proposal {
                    encryption_algorithm 3des;
                    hash_algorithm md5;
                    authentication_method pre_shared_key;
                    dh_group 2;
                    lifetime time 28800 secs;
            }
            lifetime time 28800 secs;
    }

    sainfo address 192.168.2.0/24 any address 192.168.0.0/24 any {
            encryption_algorithm 3des,blowfish,cast128,rijndael,rijndael 256;
            authentication_algorithm hmac_sha1,hmac_md5;
            compression_algorithm deflate;
            lifetime time 3600 secs;
    }

    what should i check?

    0

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy