Drop tunnel problems
-
Hi, I have a central pfSense serving many tunnels to several branches. The tunnels drop at random times, and I see a lot of errors like these when I restart racoon:
Sep 10 12:21:33 racoon: ERROR: such policy already exists. anyway replace it: 192.168.0.0/24[0] 192.168.4.0/24[0] proto=any dir=out
Sep 10 12:21:33 racoon: ERROR: such policy already exists. anyway replace it: 192.168.0.0/24[0] 192.168.2.0/24[0] proto=any dir=out
Sep 10 12:21:33 racoon: ERROR: such policy already exists. anyway replace it: 192.168.0.0/24[0] 192.168.1.0/24[0] proto=any dir=out
Sep 10 12:21:33 racoon: ERROR: such policy already exists. anyway replace it: 192.168.0.1/32[0] 192.168.0.0/24[0] proto=any dir=out
Sep 10 12:21:33 racoon: ERROR: such policy already exists. anyway replace it: 192.168.4.0/24[0] 192.168.0.0/24[0] proto=any dir=in
Sep 10 12:21:33 racoon: ERROR: such policy already exists. anyway replace it: 192.168.2.0/24[0] 192.168.0.0/24[0] proto=any dir=in
Sep 10 12:21:33 racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.0.0/24[0] proto=any dir=in
Sep 10 12:21:33 racoon: ERROR: such policy already exists. anyway replace it: 192.168.0.0/24[0] 192.168.0.1/32[0] proto=any dir=in
The central pfSense is 1.2-release; the others are 1.2-release, 1.2-RC4, and the one that fails the most is 1.2.2.
This is the configuration on the central pfSense:
# racoon.conf on the central pfSense, as pasted: one remote/sainfo pair per branch.
# NOTE(review): each "such policy already exists. anyway replace it" line logged at restart names one of
# the sainfo address pairs below (in and out), plus a 192.168.0.1/32 <-> 192.168.0.0/24 pair that no sainfo
# here declares; presumably racoon is re-installing SPD entries still present from the previous run, so
# they are a symptom of the restart, not of the drops — confirm against the drop timestamps before chasing them.
path pre_shared_key "/var/etc/psk.txt";
path certificate "/var/etc";

# Branch "staelena1" (200.13.173.98): phase 1 (IKE) settings.
remote 200.13.173.98 {
    # NOTE(review): aggressive mode with pre_shared_key sends the identity and the PSK-derived
    # authentication hash before the exchange is encrypted, so a captured negotiation can be attacked
    # offline. Both ends reference fixed addresses, so main mode looks feasible — confirm the branch
    # side can negotiate it, and keep the PSK long and random in the meantime.
    exchange_mode aggressive;
    my_identifier user_fqdn "central@staelena1";
    peers_identifier address 200.13.173.98;
    initial_contact on;
    support_proxy on;
    proposal_check obey;
    proposal {
        # NOTE(review): 3DES / MD5 / DH group 2 are weak by current standards; they are identical in all
        # three remote blocks and on the branch side, so they are not a proposal-mismatch source.
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group 2;
        lifetime time 28800 secs;
    }
    lifetime time 28800 secs;
}
# Phase 2 (IPsec SA) selectors for staelena1: central LAN <-> branch LAN.
sainfo address 192.168.0.0/24 any address 192.168.1.0/24 any {
    encryption_algorithm 3des,blowfish,cast128,rijndael,rijndael 256;
    authentication_algorithm hmac_sha1,hmac_md5;
    compression_algorithm deflate;
    # Phase 2 lifetime (3600 s) is shorter than phase 1 (28800 s); the branch config uses the same values.
    lifetime time 3600 secs;
}

# Branch "staelena2" (200.13.173.102): same phase 1 settings as above.
remote 200.13.173.102 {
    exchange_mode aggressive;
    my_identifier user_fqdn "central@staelena2";
    peers_identifier address 200.13.173.102;
    initial_contact on;
    support_proxy on;
    proposal_check obey;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group 2;
        lifetime time 28800 secs;
    }
    lifetime time 28800 secs;
}
# Phase 2 selectors for staelena2.
sainfo address 192.168.0.0/24 any address 192.168.2.0/24 any {
    encryption_algorithm 3des,blowfish,cast128,rijndael,rijndael 256;
    authentication_algorithm hmac_sha1,hmac_md5;
    compression_algorithm deflate;
    lifetime time 3600 secs;
}

# Branch "opico" (200.13.173.106): same phase 1 settings as above.
remote 200.13.173.106 {
    exchange_mode aggressive;
    my_identifier user_fqdn "central@opico";
    peers_identifier address 200.13.173.106;
    initial_contact on;
    support_proxy on;
    proposal_check obey;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group 2;
        lifetime time 28800 secs;
    }
    lifetime time 28800 secs;
}
# Phase 2 selectors for opico.
sainfo address 192.168.0.0/24 any address 192.168.4.0/24 any {
    encryption_algorithm 3des,blowfish,cast128,rijndael,rijndael 256;
    authentication_algorithm hmac_sha1,hmac_md5;
    compression_algorithm deflate;
    lifetime time 3600 secs;
}
and this a tipicla from branches:
# racoon.conf on a branch pfSense (the "staelena2" site, peering with central at 200.13.173.66), as pasted.
path pre_shared_key "/var/etc/psk.txt";
path certificate "/var/etc";

# Phase 1 (IKE) towards the central pfSense. Matches the central-side remote block for this branch
# except for the two lines noted below (dpd_delay, ike_frag).
remote 200.13.173.66 {
    # NOTE(review): aggressive mode with pre_shared_key — same exposure as on the central side: the
    # PSK-derived authentication hash is exchanged before encryption starts. Both ends use fixed
    # addresses, so main mode looks feasible — confirm.
    exchange_mode aggressive;
    # This side identifies itself with a user_fqdn while declaring the peer by address; the central block
    # for this branch does the mirror image ("central@staelena2" / address 200.13.173.102).
    # NOTE(review): confirm psk.txt on each side is keyed by the identifier the peer actually sends.
    my_identifier user_fqdn "staelena2@central";
    peers_identifier address 200.13.173.66;
    initial_contact on;
    # NOTE(review): dead peer detection is commented out here, and none of the central remote blocks shown
    # set it either. With no DPD a peer whose SA has silently gone away is presumably not noticed until a
    # lifetime expires — worth checking whether enabling it on both ends changes how the random drops recover.
    #dpd_delay 120; # DPD poll every 120 seconds
    # NOTE(review): ike_frag is enabled here but not in the central remote blocks shown — confirm both
    # ends agree on IKE fragmentation.
    ike_frag on;
    support_proxy on;
    proposal_check obey;
    proposal {
        # Same 3DES / MD5 / DH group 2 / PSK proposal as the central side.
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group 2;
        lifetime time 28800 secs;
    }
    lifetime time 28800 secs;
}
# Phase 2 (IPsec SA) selectors: the mirror image of the central sainfo for this branch.
sainfo address 192.168.2.0/24 any address 192.168.0.0/24 any {
    encryption_algorithm 3des,blowfish,cast128,rijndael,rijndael 256;
    authentication_algorithm hmac_sha1,hmac_md5;
    compression_algorithm deflate;
    lifetime time 3600 secs;
}
what should i check?