Failing Tunnel



  • I am seeing some odd behavior with one of my tunnels.
    Both endpoints are pfSense 1.2.3
    Both are configured exactly matching.
    I have rebooted both firewalls, recreated tunnel a few times from scratch, restart racoon, delete spd and recreate, but nothing seems to help. I am not sure what is happening and so I turn to the masters.
    I wonder if it may be that ESP is being blocked by one of the ISPs, if any it would be the remote end and not my home pf, due to it having 10+ tunnels connected right now.
    Here are the errors I see in the log, not as easy to see what is going on as in a cisco debug, so I am not familiar with what they really mean.

    Jan 23 08:46:31 racoon: [Self]: INFO: 10.21.21.1[500] used as isakmp port (fd=16)
    Jan 23 08:46:31 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
    Jan 23 08:46:31 racoon: [Self]: INFO: 71.x.x.x[500] used as isakmp port (fd=14)
    Jan 23 08:46:31 racoon: ERROR: such policy already exists. anyway replace it: 10.45.78.0/24[0] 10.21.21.0/24[0] proto=any dir=in
    Jan 23 08:46:31 racoon: ERROR: such policy already exists. anyway replace it: 10.21.21.0/24[0] 10.45.78.0/24[0] proto=any dir=out
    Jan 23 08:46:31 racoon: ERROR: such policy already exists. anyway replace it: 10.21.21.1/32[0] 10.21.21.0/24[0] proto=any dir=out
    Jan 23 08:46:31 racoon: ERROR: such policy already exists. anyway replace it: 10.21.21.0/24[0] 10.21.21.1/32[0] proto=any dir=in
    Jan 23 08:46:31 racoon: INFO: unsupported PF_KEY message REGISTER
    Jan 23 08:46:31 racoon: [Self]: INFO: 10.21.21.1[500] used as isakmp port (fd=16)
    Jan 23 08:46:31 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
    Jan 23 08:46:31 racoon: [Self]: INFO: 71.x.x.x[500] used as isakmp port (fd=14)
    Jan 23 08:46:31 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
    Jan 23 08:46:31 racoon: INFO: @(#)This product linked OpenSSL 0.9.8e 23 Feb 2007 (http://www.openssl.org/)
    Jan 23 08:46:31 racoon: INFO: @(#)ipsec-tools 0.7.2 (http://ipsec-tools.sourceforge.net)
    Jan 23 08:46:03 racoon: ERROR: phase1 negotiation failed due to time up. 14b88d2fe921170f:0000000000000000
    Jan 23 08:45:44 racoon: INFO: delete phase 2 handler.
    Jan 23 08:45:44 racoon: [DWAyotte]: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 174.x.x.x[0]->71.x.x.x[0]
    Jan 23 08:45:13 racoon: INFO: begin Identity Protection mode.
    Jan 23 08:45:13 racoon: [DWAyotte]: INFO: initiate new phase 1 negotiation: 71.x.x.x[500]<=>174.x.x.x[500]
    Jan 23 08:45:13 racoon: [DWAyotte]: INFO: IPsec-SA request for 174.x.x.x queued due to no phase1 found.
    Jan 23 08:41:38 racoon: ERROR: phase1 negotiation failed due to time up. 7d5f628160c496d5:0000000000000000
    Jan 23 08:41:19 racoon: INFO: delete phase 2 handler.
    Jan 23 08:41:19 racoon: [DWAyotte]: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 174.x.x.x[0]->71.x.x.x[0]
    Jan 23 08:40:48 racoon: INFO: begin Identity Protection mode.
    Jan 23 08:40:48 racoon: [DWAyotte]: INFO: initiate new phase 1 negotiation: 71.x.x.x[500]<=>174.x.x.x[500]
    Jan 23 08:40:48 racoon: [DWAyotte]: INFO: IPsec-SA request for 174.x.x.x queued due to no phase1 found.

    Any ideas?



  • it looks like 10.21.21.0/24 is connecting to 10.21.21.1/32 those two netmasks overlap and on top of that all networks must end in .0 so 10.21.21.1 is supposed to be 10.21.21.0



  • i can see what you mean, but i don't see anywhere in either firewall where that is actually the way it is configured. I assume it is probably getting that from the very last option of what device to ping for the keep alive.

    The SPD on both firewalls shows both subnets as /24. A bug perhaps?



  • it gets it from the remote subnet option




  • i have it configured correctly, just as you are suggesting in your screen shot.



  • did that fix it?



  • @XIII:

    did that fix it?

    nothing needed to be changed, it was configured correctly. so in short, no.


Locked