Netgate Discussion Forum

VPN IPsec Remote gateway using DDNS doesn't update

2.0-RC Snapshot Feedback and Problems - RETIRED
30 Posts 6 Posters 17.4k Views
    jimp Rebel Alliance Developer Netgate
    last edited by Jan 31, 2011, 7:12 PM

    Fixed now.

    That should have been:

    foreach ($filterdns_list as $hostname)
    

      cyboc
      last edited by Jan 31, 2011, 9:15 PM

      Hi Jimp,

      Thanks for your very quick response. I applied your changes locally, in advance of the next snapshots. The error messages are now gone from the system log and from the IPSec config page. However, when the IP address on the dynamic side of the tunnel changes, the tunnel does not come back up. The change is detected by filterdns (because the system log shows "php: : IPSEC: One or more IPSEC tunnel endpoints has changed IP. Refreshing.") but the tunnel just does not come back up.

      Attached are a series of obfuscated screenshots from both the static side and the dynamic side, before and after the dyndns IP address change. The address of the dynamic side was changed from x.x.x.198 to x.x.x.195. The address of the static side is 216.x.x.x. There are a lot of screenshots, so please pay close attention to the words "staticSide", "dynamicSide", "Before" and "After" in the file names to figure out which is which.

      (the screenshots are spread out over the next couple of posts because of attachment limits in this forum)

      It is interesting to note that after the address change, the racoon service on the static side stopped, as shown in the screenshot "staticSide-ServicesStatus-AfterDyndnsChange.PNG". To get the tunnel back up, I had to start the stopped racoon service on the static side and restart the running racoon service on the dynamic side.

      staticSide-IPSecStatus-BeforeDyndnsChange.PNG
      staticSide-IPSecSAD-BeforeDyndnsChange.PNG
      staticSide-IPSecSPD-BeforeDyndnsChange.PNG
      staticSide-IPSecLog-BeforeDyndnsChange.PNG

        cyboc
        last edited by Jan 31, 2011, 9:16 PM

        more screenshots

        dynamicSide-IPSecStatus-BeforeDyndnsChange.PNG
        dynamicSide-IPSecSAD-BeforeDyndnsChange.PNG
        dynamicSide-IPSecSPD-BeforeDyndnsChange.PNG
        dynamicSide-IPSecLog-BeforeDyndnsChange.PNG

          cyboc
          last edited by Jan 31, 2011, 9:18 PM

          even more screenshots

          staticSide-IPSecStatus-AfterDyndnsChange.PNG
          staticSide-IPSecSAD-AfterDyndnsChange.PNG
          staticSide-IPSecSPD-AfterDyndnsChange.PNG
          staticSide-IPSecLog-AfterDyndnsChange.PNG
          staticSide-ServicesStatus-AfterDyndnsChange.PNG
          staticSide-SystemLog-AfterDyndnsChange.PNG

            cyboc
            last edited by Jan 31, 2011, 9:19 PM

            Last set of screenshots. Phew!

            dynamicSide-IPSecStatus-AfterDyndnsChange.PNG
            dynamicSide-IPSecSAD-AfterDyndnsChange.PNG
            dynamicSide-IPSecSPD-AfterDyndnsChange.PNG
            dynamicSide-IPSecLog-AfterDyndnsChange.PNG
            dynamicSide-ServicesStatus-AfterDyndnsChange.PNG

              cegner
              last edited by Mar 7, 2011, 7:02 PM

              I'm encountering the same problem. Did you find a solution for it?

              Christof

                cyboc
                last edited by Mar 7, 2011, 7:04 PM

                @cegner:

                I'm encountering the same problem. Did you find a solution for it?

                Christof

                Did you try the latest firmware version?

                  cegner
                  last edited by Mar 7, 2011, 7:16 PM

                  Yes, but the problem still exists.

                  2.0-RC1 (i386)
                  built on Fri Mar 4 23:09:48 EST 2011

                    eri--
                    last edited by Mar 7, 2011, 7:23 PM

                    Please post again the system logs and ipsec logs

                      cegner
                      last edited by Mar 7, 2011, 7:38 PM Mar 7, 2011, 7:35 PM

                      Here you go.

                      At 04:00 the PPPoE connection was terminated. After the reconnect the IPSEC tunnel does not come up again (for hours) without a reload, as the remote peer IP address has changed. It does not seem to look up the hostname again.

                      Mar  7 03:20:37 fw racoon: INFO: initiate new phase 2 negotiation: X.X.219.99[500]<=>X.X.197.44[500]
                      Mar  7 03:20:37 fw racoon: INFO: IPsec-SA expired: ESP/Tunnel X.X.197.44[500]->X.X0.219.99[500] spi=143188784(0x888e330)
                      Mar  7 03:20:37 fw racoon: INFO: IPsec-SA established: ESP X.X.219.99[500]->X.X.197.44[500] spi=201427959(0xc018bf7)
                      Mar  7 03:20:37 fw racoon: INFO: IPsec-SA established: ESP X.X.219.99[500]->X.X.197.44[500] spi=13656620(0xd0622c)
                      Mar  7 04:00:13 fw racoon: INFO: caught signal 15
                      Mar  7 04:00:13 fw racoon: INFO: racoon process 30653 shutdown
                      Mar  7 04:00:20 fw racoon: INFO: @(#)ipsec-tools 0.8.0.RC (http://ipsec-tools.sourceforge.net)
                      Mar  7 04:00:20 fw racoon: INFO: @(#)This product linked OpenSSL 0.9.8n 24 Mar 2010 (http://www.openssl.org/)
                      Mar  7 04:00:20 fw racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
                      Mar  7 04:00:20 fw racoon: INFO: X.X.200.246[4500] used for NAT-T
                      Mar  7 04:00:20 fw racoon: INFO: X.X.200.246[4500] used as isakmp port (fd=19)
                      Mar  7 04:00:20 fw racoon: INFO: X.X.200.246[500] used for NAT-T
                      Mar  7 04:00:20 fw racoon: INFO: X.X.200.246[500] used as isakmp port (fd=20)
                      Mar  7 04:00:20 fw racoon: INFO: unsupported PF_KEY message REGISTER
                      Mar  7 04:00:20 fw racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.254/32[0] 192.168.1.0/24[0] proto=any dir=out
                      Mar  7 04:00:20 fw racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.1.254/32[0] proto=any dir=in
                      Mar  7 04:00:20 fw racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.10.0/24[0] proto=any dir=out
                      Mar  7 04:00:20 fw racoon: ERROR: such policy already exists. anyway replace it: 192.168.10.0/24[0] 192.168.1.0/24[0] proto=any dir=in
                      Mar  7 04:00:29 fw racoon: INFO: IPsec-SA request for X.X.197.44 queued due to no phase1 found.
                      Mar  7 04:00:29 fw racoon: INFO: initiate new phase 1 negotiation: X.X.200.246[500]<=>X.X.197.44[500]
                      Mar  7 04:00:29 fw racoon: INFO: begin Aggressive mode.
                      Mar  7 04:01:01 fw racoon: [X.X.197.44] ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP X.X.197.44[0]->X.X.200.246[0]
                      Mar  7 04:01:01 fw racoon: INFO: delete phase 2 handler.
                      Mar  7 04:01:19 fw racoon: ERROR: phase1 negotiation failed due to time up. 1f856cf72bf9c322:0000000000000000
                      Mar  7 04:04:55 fw racoon: INFO: IPsec-SA request for X.X.197.44 queued due to no phase1 found.
                      Mar  7 04:04:55 fw racoon: INFO: initiate new phase 1 negotiation: X.X.200.246[500]<=>X.X.197.44[500]
                      Mar  7 04:04:55 fw racoon: INFO: begin Aggressive mode.
                      Mar  7 04:05:26 fw racoon: [X.X.197.44] ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP X.X.197.44[0]->X.X.200.246[0]

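The failure mode in this thread (the DDNS peer moves, filterdns notices, but racoon keeps negotiating with the old address until it is restarted) can be caught from the log alone. The check below is an added example, not code from the thread or from pfSense: it counts phase 1 timeouts since racoon last reloaded its configuration and compares the peer address racoon is actually dialing with what the DDNS hostname resolves to now. `check_stale_peer`, the hostname `vpn.example.net` and the RFC 5737 addresses in the sample log are assumptions; the resolver is injectable so the sample runs offline.

```python
import re
import socket
from typing import Callable, Dict, Optional

# Constructed sample modeled on the racoon excerpt above: the peer moved from
# 198.51.100.198 to 198.51.100.195, yet racoon retries the old address after
# its restart. Addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
Mar  7 03:20:37 fw racoon: INFO: IPsec-SA established: ESP 192.0.2.246[500]->198.51.100.198[500] spi=201427959(0xc018bf7)
Mar  7 04:00:13 fw racoon: INFO: racoon process 30653 shutdown
Mar  7 04:00:20 fw racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
Mar  7 04:00:29 fw racoon: INFO: initiate new phase 1 negotiation: 192.0.2.246[500]<=>198.51.100.198[500]
Mar  7 04:01:19 fw racoon: ERROR: phase1 negotiation failed due to time up. 1f856cf72bf9c322:0000000000000000
Mar  7 04:04:55 fw racoon: INFO: initiate new phase 1 negotiation: 192.0.2.246[500]<=>198.51.100.198[500]
Mar  7 04:05:26 fw racoon: ERROR: phase1 negotiation failed due to time up. 0000000000000000:0000000000000000
"""

# Peer address is the right-hand side of "A[port]<=>B[port]" on the initiator.
PHASE1_START = re.compile(r"initiate new phase 1 negotiation: \S+\[\d+\]<=>(\d+\.\d+\.\d+\.\d+)\[\d+\]")
PHASE1_FAIL = re.compile(r"phase1 negotiation failed due to time up")
RESTART = re.compile(r'Reading configuration from "')


def check_stale_peer(log_text: str, peer_hostname: str,
                     resolve: Callable[[str], str] = socket.gethostbyname) -> Dict[str, object]:
    """Flag a tunnel whose racoon peer address no longer matches DNS.

    Only events after the most recent racoon.conf load count, so an old
    successful session does not mask a stale address after a restart.
    """
    peer_in_log: Optional[str] = None
    failures = 0
    for line in log_text.splitlines():
        if RESTART.search(line):
            peer_in_log, failures = None, 0   # fresh config: start counting again
            continue
        m = PHASE1_START.search(line)
        if m:
            peer_in_log = m.group(1)
        elif PHASE1_FAIL.search(line):
            failures += 1
    try:
        resolved: Optional[str] = resolve(peer_hostname)
    except OSError:                           # DNS unreachable: cannot judge
        resolved = None
    stale = peer_in_log is not None and resolved is not None and peer_in_log != resolved
    return {"peer_in_log": peer_in_log, "peer_resolved": resolved,
            "phase1_failures_since_restart": failures, "stale": stale}


if __name__ == "__main__":
    # Fake resolver stands in for DNS: the DDNS name now points at .195.
    print(check_stale_peer(SAMPLE_LOG, "vpn.example.net", lambda _h: "198.51.100.195"))
```

On a live box the default resolver (`socket.gethostbyname`) is used; a `stale` result with a non-zero failure count is the signature of the behaviour reported in this thread and is the point at which the tunnel needs a refresh.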
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.