Tunnel drop problems (pfSense / racoon)



  • Hi, I have a central pfSense serving many tunnels to several branches. The tunnels drop at random times, and I see a lot of errors like this when I restart racoon:

    Sep 10 12:21:33 racoon: ERROR: such policy already exists. anyway replace it: 192.168.0.0/24[0] 192.168.4.0/24[0] proto=any dir=out
    Sep 10 12:21:33 racoon: ERROR: such policy already exists. anyway replace it: 192.168.0.0/24[0] 192.168.2.0/24[0] proto=any dir=out
    Sep 10 12:21:33 racoon: ERROR: such policy already exists. anyway replace it: 192.168.0.0/24[0] 192.168.1.0/24[0] proto=any dir=out
    Sep 10 12:21:33 racoon: ERROR: such policy already exists. anyway replace it: 192.168.0.1/32[0] 192.168.0.0/24[0] proto=any dir=out
    Sep 10 12:21:33 racoon: ERROR: such policy already exists. anyway replace it: 192.168.4.0/24[0] 192.168.0.0/24[0] proto=any dir=in
    Sep 10 12:21:33 racoon: ERROR: such policy already exists. anyway replace it: 192.168.2.0/24[0] 192.168.0.0/24[0] proto=any dir=in
    Sep 10 12:21:33 racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.0.0/24[0] proto=any dir=in
    Sep 10 12:21:33 racoon: ERROR: such policy already exists. anyway replace it: 192.168.0.0/24[0] 192.168.0.1/32[0] proto=any dir=in

    The central pfSense is 1.2-release; the others are 1.2-release, 1.2-RC4, and the one that fails the most is 1.2.2.

    This is the racoon configuration on the central pfSense (the 192.168.0.1/32 <-> 192.168.0.0/24 policy in the log above does not correspond to any sainfo block shown below):

    # PSK and certificate search paths used by every remote block below.
    # NOTE(review): psk.txt holds the tunnel secrets -- it must be readable by
    # root only; confirm its permissions if the box has other local users.
    path pre_shared_key "/var/etc/psk.txt";

    path certificate  "/var/etc";

    # IKE phase 1 towards branch "staelena1" at 200.13.173.98, PSK-authenticated.
    # NOTE(review): aggressive mode with pre_shared_key transmits the
    # authentication hash unencrypted, so anyone capturing the exchange can
    # run an offline dictionary attack on the PSK. Both peers have static
    # addresses (peers_identifier address), so main mode is an option.
    # NOTE(review): there is no dpd_delay here, so a peer that silently goes
    # away is only noticed when the SA expires (28800 s) -- a plausible reason
    # a dropped tunnel stays down; the branch side has dpd_delay commented out.
    remote 200.13.173.98 {
            exchange_mode aggressive;
            # central identifies itself by user_fqdn while the branch matches
            # its peer by address; verify_identifier is not set, so whether
            # racoon enforces this depends on the default -- confirm in the log.
            my_identifier user_fqdn "central@staelena1";

    peers_identifier address 200.13.173.98;
            # INITIAL-CONTACT tells the peer to drop stale SAs from a previous run.
            initial_contact on;
            support_proxy on;
            # obey: as responder, accept the initiator's lifetime as proposed.
            proposal_check obey;

    proposal {
                    # 3des + md5 + DH group 2 are legacy choices; narrow once
                    # every branch can agree on a stronger set.
                    encryption_algorithm 3des;
                    hash_algorithm md5;
                    authentication_method pre_shared_key;
                    dh_group 2;
                    lifetime time 28800 secs;
            }
            # Duplicated at remote level; keep equal to the proposal lifetime.
            lifetime time 28800 secs;
    }

    # IKE phase 2 selectors: central LAN 192.168.0.0/24 <-> branch LAN 192.168.1.0/24,
    # any protocol. This is the policy racoon reports as "already exists" on restart.
    sainfo address 192.168.0.0/24 any address 192.168.1.0/24 any {
            # Offered in this order; blowfish, cast128 and hmac_md5 are legacy --
            # prefer rijndael (AES) + hmac_sha1 once all branches support it.
            encryption_algorithm 3des,blowfish,cast128,rijndael,rijndael 256;
            authentication_algorithm hmac_sha1,hmac_md5;
            # IPComp; harmless but adds a negotiation step.
            compression_algorithm deflate;
            # Phase 2 lifetime; must match the branch's sainfo (it does: 3600 s).
            lifetime time 3600 secs;
    }

    # IKE phase 1 towards branch "staelena2" at 200.13.173.102, PSK-authenticated.
    # NOTE(review): aggressive mode with pre_shared_key transmits the
    # authentication hash unencrypted and exposes the PSK to offline
    # dictionary attack; both peer addresses are static, so main mode is an option.
    # NOTE(review): no dpd_delay -- a dead peer is only detected when the SA
    # expires (28800 s); see the branch config, where dpd_delay is commented out.
    remote 200.13.173.102 {
            exchange_mode aggressive;
            # user_fqdn on this side vs. address matching on the branch side;
            # verify_identifier is not set -- confirm racoon is not rejecting IDs.
            my_identifier user_fqdn "central@staelena2";

    peers_identifier address 200.13.173.102;
            # INITIAL-CONTACT tells the peer to drop stale SAs from a previous run.
            initial_contact on;
            support_proxy on;
            # obey: as responder, accept the initiator's lifetime as proposed.
            proposal_check obey;

    proposal {
                    # Legacy algorithm set (3des/md5/DH group 2).
                    encryption_algorithm 3des;
                    hash_algorithm md5;
                    authentication_method pre_shared_key;
                    dh_group 2;
                    lifetime time 28800 secs;
            }
            # Duplicated at remote level; keep equal to the proposal lifetime.
            lifetime time 28800 secs;
    }

    # IKE phase 2 selectors: central LAN 192.168.0.0/24 <-> branch LAN 192.168.2.0/24.
    # Mirror of the branch's sainfo 192.168.2.0/24 <-> 192.168.0.0/24 shown further down.
    sainfo address 192.168.0.0/24 any address 192.168.2.0/24 any {
            # Offered in this order; blowfish, cast128 and hmac_md5 are legacy.
            encryption_algorithm 3des,blowfish,cast128,rijndael,rijndael 256;
            authentication_algorithm hmac_sha1,hmac_md5;
            # IPComp.
            compression_algorithm deflate;
            # Phase 2 lifetime; matches the branch (3600 s).
            lifetime time 3600 secs;
    }

    # IKE phase 1 towards branch "opico" at 200.13.173.106, PSK-authenticated.
    # NOTE(review): aggressive mode with pre_shared_key transmits the
    # authentication hash unencrypted and exposes the PSK to offline
    # dictionary attack; both peer addresses are static, so main mode is an option.
    # NOTE(review): no dpd_delay -- a dead peer is only detected when the SA
    # expires (28800 s).
    remote 200.13.173.106 {
            exchange_mode aggressive;
            # user_fqdn on this side vs. address matching on the branch side;
            # verify_identifier is not set -- confirm racoon is not rejecting IDs.
            my_identifier user_fqdn "central@opico";

    peers_identifier address 200.13.173.106;
            # INITIAL-CONTACT tells the peer to drop stale SAs from a previous run.
            initial_contact on;
            support_proxy on;
            # obey: as responder, accept the initiator's lifetime as proposed.
            proposal_check obey;

    proposal {
                    # Legacy algorithm set (3des/md5/DH group 2).
                    encryption_algorithm 3des;
                    hash_algorithm md5;
                    authentication_method pre_shared_key;
                    dh_group 2;
                    lifetime time 28800 secs;
            }
            # Duplicated at remote level; keep equal to the proposal lifetime.
            lifetime time 28800 secs;
    }

    # IKE phase 2 selectors: central LAN 192.168.0.0/24 <-> branch LAN 192.168.4.0/24.
    sainfo address 192.168.0.0/24 any address 192.168.4.0/24 any {
            # Offered in this order; blowfish, cast128 and hmac_md5 are legacy.
            encryption_algorithm 3des,blowfish,cast128,rijndael,rijndael 256;
            authentication_algorithm hmac_sha1,hmac_md5;
            # IPComp.
            compression_algorithm deflate;
            # Phase 2 lifetime; must match the branch's sainfo.
            lifetime time 3600 secs;
    }

    and this is a typical one from the branches (this one is "staelena2", peer of the 200.13.173.102 block above):

    # PSK and certificate search paths; same layout as on the central box.
    # NOTE(review): psk.txt must be readable by root only.
    path pre_shared_key "/var/etc/psk.txt";

    path certificate  "/var/etc";

    # IKE phase 1 from branch "staelena2" towards central at 200.13.173.66.
    # NOTE(review): aggressive mode + pre_shared_key exposes the PSK to offline
    # dictionary attack by anyone who captures the exchange; peers are static,
    # so main mode is an option if both ends are changed together.
    remote 200.13.173.66 {
            exchange_mode aggressive;
            # Branch identifies itself by user_fqdn, but central's peers_identifier
            # for this branch is "address 200.13.173.102"; verify_identifier is not
            # set, so confirm in the logs that the ID mismatch is not being rejected.
            my_identifier user_fqdn "staelena2@central";

    peers_identifier address 200.13.173.66;
            # INITIAL-CONTACT tells the peer to drop stale SAs from a previous run.
            initial_contact on;
            # NOTE(review): DPD is disabled on this side and absent on central, so
            # a dead SA is only replaced at lifetime expiry; enabling dpd_delay on
            # both ends is the usual first check for tunnels that drop and stay down.
            #dpd_delay 120;                  # DPD poll every 120 seconds
            # IKE fragmentation is enabled only on the branch side; keep both
            # ends symmetric to avoid one-directional negotiation differences.
            ike_frag on;
            support_proxy on;
            # obey: as responder, accept the initiator's lifetime as proposed.
            proposal_check obey;

    proposal {
                    # Legacy algorithm set (3des/md5/DH group 2); mirrors central.
                    encryption_algorithm 3des;
                    hash_algorithm md5;
                    authentication_method pre_shared_key;
                    dh_group 2;
                    lifetime time 28800 secs;
            }
            # Duplicated at remote level; keep equal to the proposal lifetime.
            lifetime time 28800 secs;
    }

    # IKE phase 2 selectors: branch LAN 192.168.2.0/24 <-> central LAN 192.168.0.0/24,
    # the mirror of central's sainfo 192.168.0.0/24 <-> 192.168.2.0/24.
    sainfo address 192.168.2.0/24 any address 192.168.0.0/24 any {
            # Same proposal list as central; blowfish, cast128 and hmac_md5 are legacy.
            encryption_algorithm 3des,blowfish,cast128,rijndael,rijndael 256;
            authentication_algorithm hmac_sha1,hmac_md5;
            # IPComp.
            compression_algorithm deflate;
            # Phase 2 lifetime; matches central (3600 s).
            lifetime time 3600 secs;
    }

    What should I check?

