IPsec SAD issue

  • I'm using pfSense 1.2.3 with many connected mobile IP clients. I have an issue (since upgrading to 1.2.3 from 1.2.2) that often my tunnels don't work, even though everything looks fine with connections. For example, I'm giving you output from System Logs -> IPsec VPN for one mobile client with that issue, where I replaced pfSense's fixed public IP address with "fixedIP" and the mobile client's IP address with "mobileIP".

    racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP fixedIP[0]->mobileIP[0] spi=2265919317(0x870f2f55)
    racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP mobileIP[0]->fixedIP[0] spi=129690832(0x7baecd0)
    racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: fixedIP[0]<=>mobileIP[0]
    racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established fixedIP[500]-mobileIP[500] spi:7a8151eef328f4ef:e4849e4aefe53e4e
    racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: fixedIP[500]<=>mobileIP[500]
    racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA deleted fixedIP[500]-mobileIP[500] spi:8bad2208f0133aa9:536451d5ab5c00a6
    racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA expired fixedIP[500]-mobileIP[500] spi:8bad2208f0133aa9:536451d5ab5c00a6

    I solve this kind of problem by finding entries of mobileIP in Status -> IPsec -> SAD and deleting all entries (around 10 of them) that have mobileIP. Then, my tunnel automatically goes up.

    Since I have many mobile IP clients and tunnels often go down, this problem-solving procedure is killing me. Any ideas, please?
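To see the stale-SAD condition from the log instead of clicking through Status -> IPsec -> SAD, the racoon lines can be replayed oldest-first and the ESP SAs still live per direction counted. This is an added example, not code from the post or from pfSense; the sample log is constructed in the format shown above (the two newest ESP lines model a second phase 2 whose predecessor was never expired), and the handling of racoon's "IPsec-SA expired" lines on rekey is an assumption since the post does not show one.

```python
import re
from collections import defaultdict

# Constructed sample in the racoon format of the post; pfSense lists newest first.
# The first two lines are added to model a re-negotiated phase 2 that left the
# previous ESP pair in the SAD, the condition the poster clears by hand.
SAMPLE_LOG = """\
racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP fixedIP[0]->mobileIP[0] spi=3000000001(0xb2d05e01)
racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP mobileIP[0]->fixedIP[0] spi=3000000002(0xb2d05e02)
racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP fixedIP[0]->mobileIP[0] spi=2265919317(0x870f2f55)
racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP mobileIP[0]->fixedIP[0] spi=129690832(0x7baecd0)
racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: fixedIP[0]<=>mobileIP[0]
racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established fixedIP[500]-mobileIP[500] spi:7a8151eef328f4ef:e4849e4aefe53e4e
racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA deleted fixedIP[500]-mobileIP[500] spi:8bad2208f0133aa9:536451d5ab5c00a6
"""

# Matches the phase 2 lines: "IPsec-SA established: ESP src[port]->dst[port] spi=N(0x..)".
# "expired" is assumed to be logged in the same shape when an SA is removed on rekey.
ESP_RE = re.compile(
    r"IPsec-SA (established|expired): ESP(?:/\w+)? (\S+?)\[\d+\]->(\S+?)\[\d+\] spi=(\d+)"
)


def replay(log_text, newest_first=True):
    """Replay the log oldest-first; return {(src, dst): {spi, ...}} of live ESP SAs."""
    lines = log_text.splitlines()
    if newest_first:
        lines = lines[::-1]
    live = defaultdict(set)
    for line in lines:
        m = ESP_RE.search(line)
        if not m:
            continue  # phase 1 and negotiation lines do not change the SAD
        event, src, dst, spi = m.groups()
        if event == "established":
            live[(src, dst)].add(int(spi))
        else:
            live[(src, dst)].discard(int(spi))
    return dict(live)


def stale_peers(live, gateway):
    """Peers holding more than one live ESP SA in the same direction, with their SPIs."""
    report = {}
    for (src, dst), spis in live.items():
        if len(spis) > 1:
            peer = dst if src == gateway else src
            report.setdefault(peer, set()).update(spis)
    return report


if __name__ == "__main__":
    for peer, spis in stale_peers(replay(SAMPLE_LOG), "fixedIP").items():
        print(f"{peer}: {len(spis)} live ESP SPIs, duplicates present: {sorted(spis)}")
```

Replaying only the seven lines from the post (no duplicate ESP pair) reports no stale peers, which is what a clean reconnect looks like.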

  • Rebel Alliance Developer Netgate

    Are multiple mobile users trying to use the same internal IP address set in their client?

  • Yes, mobile clients' LAN IP is always the same, only their WAN IP changes with every new PPPoE connection.

  • Rebel Alliance Developer Netgate

    The LAN IP doesn't matter quite so much as the IP you have set inside of the IPsec client. The client IP address that you set up inside of the IPsec client should be different on each client.

  • Sorry, I didn't understand your question at first; now I see what you have asked. Sure, every client has a unique scope of inside IP addresses; they are unique for every client and thus they are fixed.

  • Solved the problem! I have checked the option System -> Advanced -> Miscellaneous -> IPsec SA preferral -> Prefer old IPsec SAs, and tunnels don't seem to go down any more.