Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Failing Tunnel

    IPsec
    2
    7
    3246
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D
      DWAyotte last edited by

      I am seeing some odd behavior with one of my tunnels.
      Both endpoints are pfSense 1.2.3
      Both are configured exactly matching.
      I have rebooted both firewalls, recreated tunnel a few times from scratch, restart racoon, delete spd and recreate, but nothing seems to help. I am not sure what is happening and so I turn to the masters.
      I wonder if it may be that ESP is being blocked by one of the ISPs, if any it would be the remote end and not my home pf, due to it having 10+ tunnels connected right now.
      Here are the errors I see in the log, not as easy to see what is going on as in a cisco debug, so I am not familiar with what they really mean.

      Jan 23 08:46:31 racoon: [Self]: INFO: 10.21.21.1[500] used as isakmp port (fd=16)
      Jan 23 08:46:31 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
      Jan 23 08:46:31 racoon: [Self]: INFO: 71.x.x.x[500] used as isakmp port (fd=14)
      Jan 23 08:46:31 racoon: ERROR: such policy already exists. anyway replace it: 10.45.78.0/24[0] 10.21.21.0/24[0] proto=any dir=in
      Jan 23 08:46:31 racoon: ERROR: such policy already exists. anyway replace it: 10.21.21.0/24[0] 10.45.78.0/24[0] proto=any dir=out
      Jan 23 08:46:31 racoon: ERROR: such policy already exists. anyway replace it: 10.21.21.1/32[0] 10.21.21.0/24[0] proto=any dir=out
      Jan 23 08:46:31 racoon: ERROR: such policy already exists. anyway replace it: 10.21.21.0/24[0] 10.21.21.1/32[0] proto=any dir=in
      Jan 23 08:46:31 racoon: INFO: unsupported PF_KEY message REGISTER
      Jan 23 08:46:31 racoon: [Self]: INFO: 10.21.21.1[500] used as isakmp port (fd=16)
      Jan 23 08:46:31 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
      Jan 23 08:46:31 racoon: [Self]: INFO: 71.x.x.x[500] used as isakmp port (fd=14)
      Jan 23 08:46:31 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
      Jan 23 08:46:31 racoon: INFO: @(#)This product linked OpenSSL 0.9.8e 23 Feb 2007 (http://www.openssl.org/)
      Jan 23 08:46:31 racoon: INFO: @(#)ipsec-tools 0.7.2 (http://ipsec-tools.sourceforge.net)
      Jan 23 08:46:03 racoon: ERROR: phase1 negotiation failed due to time up. 14b88d2fe921170f:0000000000000000
      Jan 23 08:45:44 racoon: INFO: delete phase 2 handler.
      Jan 23 08:45:44 racoon: [DWAyotte]: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 174.x.x.x[0]->71.x.x.x[0]
      Jan 23 08:45:13 racoon: INFO: begin Identity Protection mode.
      Jan 23 08:45:13 racoon: [DWAyotte]: INFO: initiate new phase 1 negotiation: 71.x.x.x[500]<=>174.x.x.x[500]
      Jan 23 08:45:13 racoon: [DWAyotte]: INFO: IPsec-SA request for 174.x.x.x queued due to no phase1 found.
      Jan 23 08:41:38 racoon: ERROR: phase1 negotiation failed due to time up. 7d5f628160c496d5:0000000000000000
      Jan 23 08:41:19 racoon: INFO: delete phase 2 handler.
      Jan 23 08:41:19 racoon: [DWAyotte]: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 174.x.x.x[0]->71.x.x.x[0]
      Jan 23 08:40:48 racoon: INFO: begin Identity Protection mode.
      Jan 23 08:40:48 racoon: [DWAyotte]: INFO: initiate new phase 1 negotiation: 71.x.x.x[500]<=>174.x.x.x[500]
      Jan 23 08:40:48 racoon: [DWAyotte]: INFO: IPsec-SA request for 174.x.x.x queued due to no phase1 found.

      Any ideas?

      1 Reply Last reply Reply Quote 0
      • X
        XIII last edited by

        it looks like 10.21.21.0/24 is connecting to 10.21.21.1/32 those two netmasks overlap and on top of that all networks must end in .0 so 10.21.21.1 is supposed to be 10.21.21.0

        1 Reply Last reply Reply Quote 0
        • D
          DWAyotte last edited by

          i can see what you mean, but i don't see anywhere in either firewall where that is actually the way it is configured. I assume it is probably getting that from the very last option of what device to ping for the keep alive.

          The SPD on both firewalls shows both subnets as /24. A bug perhaps?

          1 Reply Last reply Reply Quote 0
          • X
            XIII last edited by

            it gets it from the remote subnet option


            1 Reply Last reply Reply Quote 0
            • D
              DWAyotte last edited by

              i have it configured correctly, just as you are suggesting in your screen shot.

              1 Reply Last reply Reply Quote 0
              • X
                XIII last edited by

                did that fix it?

                1 Reply Last reply Reply Quote 0
                • D
                  DWAyotte last edited by

                  @XIII:

                  did that fix it?

                  nothing needed to be changed, it was configured correctly. so in short, no.

                  1 Reply Last reply Reply Quote 0
                  • First post
                    Last post

                  Products

                  • Platform Overview
                  • TNSR
                  • pfSense
                  • Appliances

                  Services

                  • Training
                  • Professional Services

                  Support

                  • Subscription Plans
                  • Contact Support
                  • Product Lifecycle
                  • Documentation

                  News

                  • Media Coverage
                  • Press
                  • Events

                  Resources

                  • Blog
                  • FAQ
                  • Find a Partner
                  • Resource Library
                  • Security Information

                  Company

                  • About Us
                  • Careers
                  • Partners
                  • Contact Us
                  • Legal
                  Our Mission

                  We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

                  Subscribe to our Newsletter

                  Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

                  © 2021 Rubicon Communications, LLC | Privacy Policy