IPsec Voodoo pfSense RC2



  • After updating (again) pfSense to RC2, I get the same problem.. every hour or hour and a half, say (not time bound), IPsec drops (see log below). It goes down for a few minutes and renegotiates, then comes up.. in this time, connections between remote locations drop.
    For "normal" work it is OK, but we have ODBC drivers using a database through the IPsec tunnel and they drop every once in a while.

    I have changed all NIC cards - hoping I got DOEs, but the NICs proved to be OK. Checked RAM, changed the CF card, even removed a (small amount of) dust.. :) The motherboard is a generic, your average Asus motherboard with 512 MB RAM and a CPU to run Vista on (pardon my French).

    Can it be on the physical level? One side is on ADSL, the other side is on a cable modem (CATV).

    I tried the P1 config in aggressive and main mode - both fail the same way.. but using MAIN now,
    using Identifier - My IP address, pre-shared key, 3DES, MD5 and a lifetime of 86400 secs

    Phase 2
    ESP
    Blowfish, MD5, no PFS key group, 86400 sec lifetime
    Pinging a server on the remote LAN(s).

    Best regards.
    Preatorian
    P.S.: getting desperate.. help..

    Sep 1 19:12:05 racoon: INFO: initiate new phase 2 negotiation:AAA.AAA.AAA.AAA[0]<=>BBB.BBB.BBB.BBB[0]
    Sep 1 19:12:05 racoon: ERROR: none message must be encrypted
    Sep 1 19:12:25 last message repeated 2 times
    Sep 1 19:12:35 racoon: ERROR: BBB.BBB.BBB.BBB give up to get IPsec-SA due to time up to wait.
    Sep 1 19:12:39 racoon: INFO: respond new phase 1 negotiation:AAA.AAA.AAA.AAA[500]<=>BBB.BBB.BBB.BBB[500]
    Sep 1 19:12:39 racoon: INFO: begin Identity Protection mode.
    Sep 1 19:12:39 racoon: INFO: received Vendor ID: DPD
    Sep 1 19:12:39 racoon: INFO: ISAKMP-SA establishedAAA.AAA.AAA.AAA[500]-BBB.BBB.BBB.BBB[500] spi:2f80bccc25836309:9d0c477c68468c0e
    Sep 1 19:12:40 racoon: INFO: respond new phase 2 negotiation:AAA.AAA.AAA.AAA[0]<=>BBB.BBB.BBB.BBB[0]
    Sep 1 19:12:40 racoon: INFO: IPsec-SA established: ESP/Tunnel BBB.BBB.BBB.BBB[0]->AAA.AAA.AAA.AAA[0] spi=255204687(0xf361d4f)
    Sep 1 19:12:40 racoon: INFO: IPsec-SA established: ESP/TunnelAAA.AAA.AAA.AAA[0]->BBB.BBB.BBB.BBB[0] spi=99032579(0x5e71e03)
    Sep 1 20:10:01 racoon: INFO: purged IPsec-SA proto_id=ESP spi=99032579.
    Sep 1 20:10:01 racoon: INFO: initiate new phase 2 negotiation:AAA.AAA.AAA.AAA[0]<=>BBB.BBB.BBB.BBB[0]
    Sep 1 20:10:05 racoon: INFO: respond new phase 1 negotiation:AAA.AAA.AAA.AAA[500]<=>BBB.BBB.BBB.BBB[500]
    Sep 1 20:10:05 racoon: INFO: begin Identity Protection mode.
    Sep 1 20:10:05 racoon: INFO: received Vendor ID: DPD
    Sep 1 20:10:05 racoon: INFO: ISAKMP-SA establishedAAA.AAA.AAA.AAA[500]-BBB.BBB.BBB.BBB[500] spi:062863f2eaea8d42:7fc90653abaf9128
    Sep 1 20:10:05 racoon: INFO: purging spi=255204687.
    Sep 1 20:10:06 racoon: INFO: respond new phase 2 negotiation:AAA.AAA.AAA.AAA[0]<=>BBB.BBB.BBB.BBB[0]
    Sep 1 20:10:06 racoon: INFO: IPsec-SA established: ESP/Tunnel BBB.BBB.BBB.BBB[0]->AAA.AAA.AAA.AAA[0] spi=263864542(0xfba40de)
    Sep 1 20:10:06 racoon: INFO: IPsec-SA established: ESP/TunnelAAA.AAA.AAA.AAA[0]->BBB.BBB.BBB.BBB[0] spi=111304159(0x6a25ddf)
    Sep 1 20:10:11 racoon: ERROR: none message must be encrypted
    Sep 1 20:10:21 racoon: ERROR: none message must be encrypted
    Sep 1 20:10:31 racoon: ERROR: BBB.BBB.BBB.BBB give up to get IPsec-SA due to time up to wait.
    Sep 1 21:00:00 racoon: INFO: purged IPsec-SA proto_id=ESP spi=111304159.
    Sep 1 21:00:01 racoon: INFO: initiate new phase 2 negotiation:AAA.AAA.AAA.AAA[0]<=>BBB.BBB.BBB.BBB[0]
    Sep 1 21:00:04 racoon: INFO: respond new phase 1 negotiation:AAA.AAA.AAA.AAA[500]<=>BBB.BBB.BBB.BBB[500]
    Sep 1 21:00:04 racoon: INFO: begin Identity Protection mode.
    Sep 1 21:00:04 racoon: INFO: received Vendor ID: DPD
    Sep 1 21:00:04 racoon: INFO: ISAKMP-SA establishedAAA.AAA.AAA.AAA[500]-BBB.BBB.BBB.BBB[500] spi:1514b34d1b110502:5fcdc07ecf844c3a
    Sep 1 21:00:05 racoon: INFO: purging spi=263864542.
    Sep 1 21:00:06 racoon: INFO: respond new phase 2 negotiation:AAA.AAA.AAA.AAA[0]<=>BBB.BBB.BBB.BBB[0]
    Sep 1 21:00:06 racoon: INFO: IPsec-SA established: ESP/Tunnel BBB.BBB.BBB.BBB[0]->AAA.AAA.AAA.AAA[0] spi=79085919(0x4b6c15f)
    Sep 1 21:00:06 racoon: INFO: IPsec-SA established: ESP/TunnelAAA.AAA.AAA.AAA[0]->BBB.BBB.BBB.BBB[0] spi=76072411(0x488c5db)
    Sep 1 21:00:11 racoon: ERROR: none message must be encrypted
    Sep 1 21:00:21 racoon: ERROR: none message must be encrypted
    Sep 1 21:00:31 racoon: ERROR: BBB.BBB.BBB.BBB give up to get IPsec-SA due to time up to wait.
    Sep 1 21:50:01 racoon: INFO: purged IPsec-SA proto_id=ESP spi=76072411.
    Sep 1 21:50:01 racoon: INFO: initiate new phase 2 negotiation:AAA.AAA.AAA.AAA[0]<=>BBB.BBB.BBB.BBB[0]
    Sep 1 21:50:04 racoon: INFO: respond new phase 1 negotiation:AAA.AAA.AAA.AAA[500]<=>BBB.BBB.BBB.BBB[500]
    Sep 1 21:50:04 racoon: INFO: begin Identity Protection mode.
    Sep 1 21:50:04 racoon: INFO: received Vendor ID: DPD
    Sep 1 21:50:05 racoon: INFO: ISAKMP-SA establishedAAA.AAA.AAA.AAA[500]-BBB.BBB.BBB.BBB[500] spi:96eb3698b7476535:0f93768eb3662442
    Sep 1 21:50:05 racoon: INFO: purging spi=79085919.
    Sep 1 21:50:06 racoon: INFO: respond new phase 2 negotiation:AAA.AAA.AAA.AAA[0]<=>BBB.BBB.BBB.BBB[0]
    Sep 1 21:50:06 racoon: INFO: IPsec-SA established: ESP/Tunnel BBB.BBB.BBB.BBB[0]->AAA.AAA.AAA.AAA[0] spi=105284600(0x64683f8)
    Sep 1 21:50:06 racoon: INFO: IPsec-SA established: ESP/TunnelAAA.AAA.AAA.AAA[0]->BBB.BBB.BBB.BBB[0] spi=55754517(0x352bf15)
    Sep 1 21:50:11 racoon: ERROR: none message must be encrypted
    Sep 1 21:50:21 racoon: ERROR: none message must be encrypted
    Sep 1 21:50:31 racoon: ERROR: BBB.BBB.BBB.BBB give up to get IPsec-SA due to time up to wait.
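To put numbers on the pattern in the log above, here is an added Python script (not from the poster, pfSense or racoon) that parses racoon lines of this shape, measures how long each ESP SA lived before it was purged, and counts the "none message must be encrypted" and "give up" errors; the embedded sample is constructed from the log above, keeping the poster's AAA/BBB placeholders.

```python
import re
from datetime import datetime

# Constructed sample, condensed from the racoon log in the post above (AAA/BBB kept as the poster's placeholders)
SAMPLE_LOG = """\
Sep 1 19:12:40 racoon: INFO: IPsec-SA established: ESP/TunnelAAA.AAA.AAA.AAA[0]->BBB.BBB.BBB.BBB[0] spi=99032579(0x5e71e03)
Sep 1 20:10:01 racoon: INFO: purged IPsec-SA proto_id=ESP spi=99032579.
Sep 1 20:10:06 racoon: INFO: IPsec-SA established: ESP/TunnelAAA.AAA.AAA.AAA[0]->BBB.BBB.BBB.BBB[0] spi=111304159(0x6a25ddf)
Sep 1 20:10:11 racoon: ERROR: none message must be encrypted
Sep 1 20:10:21 racoon: ERROR: none message must be encrypted
Sep 1 20:10:31 racoon: ERROR: BBB.BBB.BBB.BBB give up to get IPsec-SA due to time up to wait.
Sep 1 21:00:00 racoon: INFO: purged IPsec-SA proto_id=ESP spi=111304159.
Sep 1 21:00:06 racoon: INFO: IPsec-SA established: ESP/TunnelAAA.AAA.AAA.AAA[0]->BBB.BBB.BBB.BBB[0] spi=76072411(0x488c5db)
Sep 1 21:00:11 racoon: ERROR: none message must be encrypted
Sep 1 21:00:31 racoon: ERROR: BBB.BBB.BBB.BBB give up to get IPsec-SA due to time up to wait.
Sep 1 21:50:01 racoon: INFO: purged IPsec-SA proto_id=ESP spi=76072411.
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) racoon: (\w+): (.*)$")
EST_RE = re.compile(r"IPsec-SA established: .*spi=(\d+)\(")
PURGE_RE = re.compile(r"purg(?:ed IPsec-SA proto_id=ESP|ing) spi=(\d+)\.")

def parse_ts(stamp, year=2000):
    # syslog timestamps carry no year; any fixed year is fine for intervals
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def analyse(log_text):
    """Return ({spi: seconds alive}, encrypt-error count, give-up count)."""
    established, lifetimes = {}, {}
    encrypt_errors = giveups = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, level, msg = parse_ts(m.group(1)), m.group(2), m.group(3)
        if e := EST_RE.search(msg):
            established[e.group(1)] = ts          # SA came up: remember when
        elif p := PURGE_RE.search(msg):
            if (spi := p.group(1)) in established:  # SA torn down: how long did it live?
                lifetimes[spi] = int((ts - established.pop(spi)).total_seconds())
        elif level == "ERROR" and "must be encrypted" in msg:
            encrypt_errors += 1
        elif level == "ERROR" and "give up to get IPsec-SA" in msg:
            giveups += 1
    return lifetimes, encrypt_errors, giveups

def early_purges(lifetimes, configured=86400, tolerance=0.9):
    """SAs torn down well before the configured phase 2 lifetime (86400 s in the post)."""
    return {spi: s for spi, s in lifetimes.items() if s < configured * tolerance}
```

On the sample every SA is purged after roughly 50 to 57 minutes, far short of the 86400 s lifetime configured on this end, and each renegotiation is followed by the same error burst; comparing that interval against the peer's configured phase 2 lifetime is the first thing to check.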



  • Make sure you are on RC2h. This version has a newer racoon version. Also, what is at the other end of the connection?



  • OK, this will make it a third upgrade.. still, I have to drive a few hundred miles to the other end of the VPN.

    On the other end.. if you follow my (now 3rd part) saga, I have two identical hardware configurations: identical CPU, RAM, MOBO, even identical enclosure for what it's worth.. So, we have TWO pfSense configurations having IPsec voodoo (yes, both on the same version/patch level).

    Best regards
    P



  • BTW, where can I find this new version? On the mirrors I can only find RC2.. oh, and I use embedded.. CF card on the CD/IDE adapter.

    P



  • http://forum.pfsense.org/index.php/topic,1820.msg11242.html#msg11242

    Try to set both ends' WAN MTU to something around 1300. There was someone on IRC who had some (slightly different) problems with IPsec and this solved it for him, as apparently one of his WANs had some strange issues.



  • Yes, MTU was one of the first things I've suspected, so I've run the MTU at 1300 almost from the start (when I installed the tunnel).
    I just don't know anymore.. but I will probably end up changing the hardware altogether just to rule out some "issues", but if this fails,
    it will leave me clueless with a dunce cap somewhere between the two peers. And believe you me, not a pretty picture.

    P

