IPSEC TUNNEL gives an error trying to use port UDP 500



  • Hi all, I'm trying to establish an IPSEC tunnel between a 1.2.2 Stable pfSense and a WRV210 Cisco router.

    The problem, in any config with any peer at the other side of the pfSense, is that the pfSense appears to be unable to open the port, and gives me an error message saying:

    racoon: [Unknown Gateway/Dynamic]: ERROR: failed to bind to address [IP Publica][500] (Address already in use).

    Does anyone know if this is a version bug? In the packet capture utility I did not see any packet going out to try the connection; it appears that the racoon service is unable to use the WAN interface.
    Any help would be greatly appreciated.

    Thanks all.

    Kaneda


  • Rebel Alliance Developer Netgate

    Looks like there may be an existing racoon process stuck out there somewhere.

    Have you tried rebooting the box? Or stopping and starting the racoon service manually?



  • I have tried to restart the racoon service several times with no changes.
    I won't be able to try a full reboot until Tuesday, because I have the software installed on an ML110G5 and it has a bug with the FreeBSD version of pfSense and hangs when it goes to halt or reboot; then you have to power off and power on manually.

    Anyway, I think it is a little strange to have to reboot the full system to load firewall changes.

    I will tell you on Tuesday what happens.

    Thanks


  • Rebel Alliance Developer Netgate

    Ok. That message means that some other process is already bound to the port racoon is attempting to use. This could be a stuck process of some kind, or some other daemon. Try stopping the racoon service, and then get the output from these two commands.

    You can use the console or Diagnostics > Command:
    ps uxawww | grep racoon

    and
    sockstat | grep :500

    That should show you if there is another racoon process stuck out there, and if not, what process is actually using udp port 500.



  • Thanks jimp, I tried to find why the port is in use but I just found one process:
    ps uxawww | grep racoon

    root      446  0.0  0.1  3484  1388  ??  S    12:41AM  0:00.00 sh -c ps uxawww | grep racoon
    root      448  0.0  0.1  3336  1140  ??  S    12:41AM  0:00.00 grep racoon
    root    25521  0.0  0.4  5720  3952  ??  Ss    9:30PM  0:00.63 /usr/local/sbin/racoon -f /var/etc/racoon.conf

    Listening on all interfaces:

    $ sockstat | grep :500
    root    racoon    25521 13 udp4  [Public ip on WAN]:500  :
    root    racoon    25521 14 udp4  127.0.0.1:500        :
    root    racoon    25521 15 udp4  172.26.0.10:500      :
    root    racoon    25521 16 udp4  10.0.0.1:500          :

    I have 3 interfaces in use:
    172.26.0.10 (LAN)
    10.0.0.1 (DMZ)
    [PUBLIC IP] (WAN)

    I don't know why it is listening on all interfaces, because I made only one tunnel ending on WAN.
    Is this normal? Any ideas?
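The two commands the Netgate developer asked for above, and the sockstat listing in this post, are the whole diagnostic: is UDP 500 held by a second process, or only by the one racoon pid bound on every interface address? The following is an added example, not code from the thread or from pfSense, that parses FreeBSD `sockstat` output and groups the sockets on a port by pid so that a second owner stands out from one daemon listening on several addresses. The sockstat lines are constructed to mirror the listing in this post; 203.0.113.5 is a placeholder for the bracketed public WAN IP, and the "stale racoon" sample is invented to show what a conflict would look like.

```python
"""Parse FreeBSD `sockstat` output and report which processes hold a UDP port.

Added example for the diagnostic in this thread (ps + sockstat with racoon
stopped and started). All sample output below is constructed, not captured.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Socket:
    user: str
    command: str
    pid: int
    fd: int
    proto: str
    local: str
    foreign: str


def parse_sockstat(text: str) -> list[Socket]:
    """Turn `sockstat` output into Socket records.

    Columns are USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS.
    The foreign column may be absent for unconnected UDP sockets (the post
    shows a bare ':' there), so it defaults to an empty string. The header
    line and blank lines are skipped.
    """
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] == "USER":
            continue
        foreign = parts[6] if len(parts) > 6 else ""
        records.append(Socket(parts[0], parts[1], int(parts[2]), int(parts[3]),
                              parts[4], parts[5], foreign))
    return records


def local_port(addr: str) -> Optional[int]:
    """Port number from a LOCAL ADDRESS such as '10.0.0.1:500' or '*:500'."""
    _host, sep, port = addr.rpartition(":")
    return int(port) if sep and port.isdigit() else None


def owners_of_port(records: list[Socket], port: int, proto_prefix: str = "udp"):
    """Map pid -> (command, sorted local addresses bound on `port`)."""
    bound = defaultdict(list)
    names = {}
    for s in records:
        if s.proto.startswith(proto_prefix) and local_port(s.local) == port:
            bound[s.pid].append(s.local)
            names[s.pid] = s.command
    return {pid: (names[pid], sorted(addrs)) for pid, addrs in bound.items()}


def diagnose(text: str, port: int = 500):
    """Classify the port: 'free' (nothing bound), 'single' (one pid, however
    many interface addresses it listens on) or 'conflict' (several pids)."""
    owners = owners_of_port(parse_sockstat(text), port)
    if not owners:
        return "free", owners
    return ("single" if len(owners) == 1 else "conflict"), owners


# Constructed to mirror the listing in the post: one racoon pid bound on the
# WAN placeholder, loopback, LAN and DMZ addresses, plus an unrelated socket.
SAMPLE_RUNNING = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     racoon     25521 13 udp4   203.0.113.5:500       *:*
root     racoon     25521 14 udp4   127.0.0.1:500         *:*
root     racoon     25521 15 udp4   172.26.0.10:500       *:*
root     racoon     25521 16 udp4   10.0.0.1:500          *:*
root     sshd       1234  3  tcp4   *:22                  *:*
"""

# Constructed: a leftover racoon (pid 9876) still holds the WAN address, which
# is the situation the "Address already in use" message would point at.
SAMPLE_STALE = """\
root     racoon     9876  13 udp4   203.0.113.5:500       *:*
root     racoon     25521 15 udp4   172.26.0.10:500       *:*
root     racoon     25521 16 udp4   10.0.0.1:500          *:*
"""

if __name__ == "__main__":
    for label, text in (("running", SAMPLE_RUNNING), ("stopped", ""), ("stale", SAMPLE_STALE)):
        state, owners = diagnose(text)
        print(f"{label:8s} {state:9s} {owners}")
```

Run against real output with `sockstat | python3 thisfile.py`-style piping after swapping the samples for `sys.stdin.read()`; note that a bracketed placeholder such as `[Public ip on WAN]:500` contains spaces and would not survive the whitespace split, so feed the tool unredacted output.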



  • If I disable IPSEC no process is running on port 500 and racoon stops running.
    When I enable it and save, this error is shown in the IPsec logs:

    racoon: [Unknown Gateway/Dynamic]: ERROR: failed to bind to address [Public IP][500] (Address already in use).

    It is like it tries to run it twice, but I have reviewed the racoon.conf file and it appears to be OK.


  • Rebel Alliance Developer Netgate

    When you checked for the running process, was the racoon service stopped under Status -> Services?



  • No, it was running.

    If I check with the racoon service stopped it just shows these lines:

    ps uxawww | grep racoon

    root      446  0.0  0.1  3484  1388  ??  S    12:41AM  0:00.00 sh -c ps uxawww | grep racoon
    root      448  0.0  0.1  3336  1140  ??  S    12:41AM  0:00.00 grep racoon

    and no output for $ sockstat | grep :500



  • I did not find the solution for the error, but it was not a problem to establish the tunnel.
    VPN IPSEC works even with this error in the logs.

    I even found a way to get a LINKSYS WRV210 communicating with pfSense; here is the detailed conf:

    http://sites.google.com/site/sinindex/networking/integracionipsecentrepfsenseylinksyswrv210

    Thanks all for the help.

