
    Drop tunnel problems

      b4nsh33

      Hi, I have a central pfSense serving many tunnels to several branches. The tunnels drop at random times, and I see a lot of errors like this when I restart racoon:

      Sep 10 12:21:33 racoon: ERROR: such policy already exists. anyway replace it: 192.168.0.0/24[0] 192.168.4.0/24[0] proto=any dir=out
      Sep 10 12:21:33 racoon: ERROR: such policy already exists. anyway replace it: 192.168.0.0/24[0] 192.168.2.0/24[0] proto=any dir=out
      Sep 10 12:21:33 racoon: ERROR: such policy already exists. anyway replace it: 192.168.0.0/24[0] 192.168.1.0/24[0] proto=any dir=out
      Sep 10 12:21:33 racoon: ERROR: such policy already exists. anyway replace it: 192.168.0.1/32[0] 192.168.0.0/24[0] proto=any dir=out
      Sep 10 12:21:33 racoon: ERROR: such policy already exists. anyway replace it: 192.168.4.0/24[0] 192.168.0.0/24[0] proto=any dir=in
      Sep 10 12:21:33 racoon: ERROR: such policy already exists. anyway replace it: 192.168.2.0/24[0] 192.168.0.0/24[0] proto=any dir=in
      Sep 10 12:21:33 racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.0.0/24[0] proto=any dir=in
      Sep 10 12:21:33 racoon: ERROR: such policy already exists. anyway replace it: 192.168.0.0/24[0] 192.168.0.1/32[0] proto=any dir=in

      The central pfSense is 1.2-release; the others are 1.2-release, 1.2-RC4, and the one that fails the most is 1.2.2.

      This is the configuration on central:

      # Pre-shared keys are read from this file.  It holds every peer's secret
      # in plaintext, so it should be readable by root only.  NOTE(review): key
      # quality is not visible here; a short or guessable PSK is the main risk
      # with the aggressive-mode exchanges configured below.
      path pre_shared_key "/var/etc/psk.txt";

      # Directory searched for certificates; not used by these proposals, which
      # all authenticate with pre_shared_key.
      path certificate  "/var/etc";

      # Phase 1 (IKE) settings for the branch at 200.13.173.98 ("staelena1").
      remote 200.13.173.98 {
              # Aggressive mode sends the identities unprotected and exposes a
              # PSK-derived hash to passive capture; main mode (or a long,
              # random PSK) is the usual mitigation.
              exchange_mode aggressive;
              my_identifier user_fqdn "central@staelena1";

      # The peer is expected to identify itself by its address.  racoon only
      # enforces this when verify_identifier is on (not set here).
      peers_identifier address 200.13.173.98;
              # INITIAL-CONTACT asks the peer to discard SAs left over from a
              # previous run of this daemon.
              initial_contact on;
              support_proxy on;
              # obey: accept the lifetime/PFS values the peer proposes rather
              # than insisting on the ones below.
              proposal_check obey;

      proposal {
                      # 3DES, MD5 and DH group 2 (1024-bit MODP) are all below
                      # current minimums; AES, SHA-2 and group 14 or higher are
                      # the usual replacements once every peer can be updated.
                      encryption_algorithm 3des;
                      hash_algorithm md5;
                      authentication_method pre_shared_key;
                      dh_group 2;
                      lifetime time 28800 secs;  # 8 h IKE SA
              }
              lifetime time 28800 secs;
      }

      # Phase 2 (IPsec SA) selectors and algorithms for 192.168.0.0/24 <-> 192.168.1.0/24.
      # NOTE(review): the "such policy already exists. anyway replace it" lines
      # quoted above refer to these selectors being re-installed in the SPD on
      # restart; racoon replaces the entry and carries on, so they are unlikely
      # to explain the random drops -- the phase 1/phase 2 log lines at the time
      # of a drop are the ones to look at.
      sainfo address 192.168.0.0/24 any address 192.168.1.0/24 any {
              # Several ciphers are offered.  The 64-bit block ciphers (3des,
              # blowfish, cast128) are legacy; rijndael (AES) is the one worth
              # keeping if all peers support it.
              encryption_algorithm 3des,blowfish,cast128,rijndael,rijndael 256;
              # hmac_md5 is still accepted next to hmac_sha1; drop it once every
              # branch has been upgraded.
              authentication_algorithm hmac_sha1,hmac_md5;
              # IPComp (deflate) is offered for this SA.
              compression_algorithm deflate;
              lifetime time 3600 secs;  # 1 h IPsec SA
      }

      # Phase 1 (IKE) settings for the branch at 200.13.173.102 ("staelena2").
      remote 200.13.173.102 {
              # Aggressive mode sends the identities unprotected and exposes a
              # PSK-derived hash to passive capture; main mode (or a long,
              # random PSK) is the usual mitigation.
              exchange_mode aggressive;
              my_identifier user_fqdn "central@staelena2";

      # NOTE(review): this side expects the peer to identify by address, while
      # the branch config further down announces user_fqdn "staelena2@central";
      # the branch in turn expects an address from us but we send a user_fqdn.
      # racoon only enforces the match when verify_identifier is on (not set
      # here), but aligning both sides avoids surprises if it is ever enabled.
      peers_identifier address 200.13.173.102;
              # INITIAL-CONTACT asks the peer to discard SAs left over from a
              # previous run of this daemon.
              initial_contact on;
              support_proxy on;
              # obey: accept the lifetime/PFS values the peer proposes rather
              # than insisting on the ones below.
              proposal_check obey;

      proposal {
                      # 3DES, MD5 and DH group 2 (1024-bit MODP) are all below
                      # current minimums; AES, SHA-2 and group 14 or higher are
                      # the usual replacements once every peer can be updated.
                      encryption_algorithm 3des;
                      hash_algorithm md5;
                      authentication_method pre_shared_key;
                      dh_group 2;
                      lifetime time 28800 secs;  # 8 h IKE SA
              }
              lifetime time 28800 secs;
      }

      # Phase 2 (IPsec SA) selectors and algorithms for 192.168.0.0/24 <-> 192.168.2.0/24.
      sainfo address 192.168.0.0/24 any address 192.168.2.0/24 any {
              # Several ciphers are offered.  The 64-bit block ciphers (3des,
              # blowfish, cast128) are legacy; rijndael (AES) is the one worth
              # keeping if all peers support it.
              encryption_algorithm 3des,blowfish,cast128,rijndael,rijndael 256;
              # hmac_md5 is still accepted next to hmac_sha1; drop it once every
              # branch has been upgraded.
              authentication_algorithm hmac_sha1,hmac_md5;
              # IPComp (deflate) is offered for this SA.
              compression_algorithm deflate;
              lifetime time 3600 secs;  # 1 h IPsec SA
      }

      # Phase 1 (IKE) settings for the branch at 200.13.173.106 ("opico").
      remote 200.13.173.106 {
              # Aggressive mode sends the identities unprotected and exposes a
              # PSK-derived hash to passive capture; main mode (or a long,
              # random PSK) is the usual mitigation.
              exchange_mode aggressive;
              my_identifier user_fqdn "central@opico";

      # The peer is expected to identify itself by its address.  racoon only
      # enforces this when verify_identifier is on (not set here).
      peers_identifier address 200.13.173.106;
              # INITIAL-CONTACT asks the peer to discard SAs left over from a
              # previous run of this daemon.
              initial_contact on;
              support_proxy on;
              # obey: accept the lifetime/PFS values the peer proposes rather
              # than insisting on the ones below.
              proposal_check obey;

      proposal {
                      # 3DES, MD5 and DH group 2 (1024-bit MODP) are all below
                      # current minimums; AES, SHA-2 and group 14 or higher are
                      # the usual replacements once every peer can be updated.
                      encryption_algorithm 3des;
                      hash_algorithm md5;
                      authentication_method pre_shared_key;
                      dh_group 2;
                      lifetime time 28800 secs;  # 8 h IKE SA
              }
              lifetime time 28800 secs;
      }

      # Phase 2 (IPsec SA) selectors and algorithms for 192.168.0.0/24 <-> 192.168.4.0/24.
      sainfo address 192.168.0.0/24 any address 192.168.4.0/24 any {
              # Several ciphers are offered.  The 64-bit block ciphers (3des,
              # blowfish, cast128) are legacy; rijndael (AES) is the one worth
              # keeping if all peers support it.
              encryption_algorithm 3des,blowfish,cast128,rijndael,rijndael 256;
              # hmac_md5 is still accepted next to hmac_sha1; drop it once every
              # branch has been upgraded.
              authentication_algorithm hmac_sha1,hmac_md5;
              # IPComp (deflate) is offered for this SA.
              compression_algorithm deflate;
              lifetime time 3600 secs;  # 1 h IPsec SA
      }

      And this is a typical one from the branches:

      # Pre-shared keys are read from this file.  It holds the peer secret in
      # plaintext, so it should be readable by root only.
      path pre_shared_key "/var/etc/psk.txt";

      # Directory searched for certificates; not used by this proposal, which
      # authenticates with pre_shared_key.
      path certificate  "/var/etc";

      # Phase 1 (IKE) settings on branch "staelena2" towards central at 200.13.173.66.
      remote 200.13.173.66 {
              # Aggressive mode sends the identities unprotected and exposes a
              # PSK-derived hash to passive capture; main mode (or a long,
              # random PSK) is the usual mitigation.
              exchange_mode aggressive;
              my_identifier user_fqdn "staelena2@central";

      # NOTE(review): central is expected to identify by address here, but the
      # central config above sends user_fqdn "central@staelena2".  racoon only
      # enforces the match when verify_identifier is on (not set here).
      peers_identifier address 200.13.173.66;
              # INITIAL-CONTACT asks the peer to discard SAs left over from a
              # previous run of this daemon.
              initial_contact on;
              # Dead Peer Detection is disabled (line commented out).  Without it
              # a peer that silently loses state is only noticed at the next
              # rekey, which can look like a random drop -- NOTE(review): worth
              # enabling on both ends while chasing this problem.
              #dpd_delay 120;                  # DPD poll every 120 seconds
              # IKE fragmentation is requested here but the central remote
              # blocks above do not set it; presumably both ends need it for it
              # to take effect -- verify against the central side.
              ike_frag on;
              support_proxy on;
              # obey: accept the lifetime/PFS values the peer proposes rather
              # than insisting on the ones below.
              proposal_check obey;

      proposal {
                      # 3DES, MD5 and DH group 2 (1024-bit MODP) are all below
                      # current minimums; AES, SHA-2 and group 14 or higher are
                      # the usual replacements once every peer can be updated.
                      encryption_algorithm 3des;
                      hash_algorithm md5;
                      authentication_method pre_shared_key;
                      dh_group 2;
                      lifetime time 28800 secs;  # 8 h IKE SA
              }
              lifetime time 28800 secs;
      }

      # Phase 2 (IPsec SA) selectors and algorithms for 192.168.2.0/24 <-> 192.168.0.0/24
      # (mirror of the central sainfo for this branch).
      sainfo address 192.168.2.0/24 any address 192.168.0.0/24 any {
              # Several ciphers are offered.  The 64-bit block ciphers (3des,
              # blowfish, cast128) are legacy; rijndael (AES) is the one worth
              # keeping if both ends support it.
              encryption_algorithm 3des,blowfish,cast128,rijndael,rijndael 256;
              # hmac_md5 is still accepted next to hmac_sha1; drop it once both
              # ends have been upgraded.
              authentication_algorithm hmac_sha1,hmac_md5;
              # IPComp (deflate) is offered for this SA.
              compression_algorithm deflate;
              lifetime time 3600 secs;  # 1 h IPsec SA
      }

      What should I check?
