Update killed IPSec?



  • I had a working IPsec tunnel from my iPhone via pfSense.
    Today with updating to snap 2.0-BETA5 (i386) built on Tue Jan 25 06:07:53 EST 2011

    it stopped working. My phone reports "server doesn't answer" after a long wait (about 15–20 seconds).

    In the system log, this entry is confusing me:

    php: /vpn_ipsec.php: Error: Invalid certificate info for
    php: /vpn_ipsec.php: Could not determine VPN endpoint for 'fonie'
    

    So I started racoon in debug mode and got this (newest entries first):

    Jan 25 19:27:35 racoon: [fonie]: DEBUG2: 02070000 15000000 00000000 f04f0000 0a000e00 00000000 02008000 80000000 0300a000 a0000000 05000001 00010000 06008001 80010000 07000002 00020000 0800a000 a0000000 f9008000 80000000 fa00a000 a0000000 fb000800 00080000 09000f00 00000000 02084000 40000000 0308c000 c0000000 06082800 80000000 07082800 c0010000 0b040000 00080000 0c104000 00010000 16104000 00010000 f9085000 50000000
    Jan 25 19:27:35 racoon: [fonie]: DEBUG: pk_recv: retry[0] recv()
    Jan 25 19:27:35 racoon: [fonie]: INFO: 127.0.0.1[4500] used for NAT-T
    Jan 25 19:27:35 racoon: [fonie]: INFO: 78.35.x.x[4500] used for NAT-T
    Jan 25 19:27:35 racoon: [fonie]: NOTIFY: NAT-T is enabled, autoconfiguring ports
    Jan 25 19:27:35 racoon: [fonie]: DEBUG: evaluating sainfo: loc='10.0.4.1', rmt='10.0.5.4', peer='ANY', id=1
    Jan 25 19:27:35 racoon: [fonie]: DEBUG: compression algorithm can not be checked because sadb message doesn't support it.
    Jan 25 19:27:35 racoon: [fonie]: DEBUG: compression algorithm can not be checked because sadb message doesn't support it.
    Jan 25 19:27:35 racoon: [fonie]: DEBUG: hmac(modp1024)
    Jan 25 19:27:35 racoon: [fonie]: DEBUG2:
    Jan 25 19:27:35 racoon: [fonie]: DEBUG2: XAuth pskey server(65002)
    Jan 25 19:27:35 racoon: [fonie]: DEBUG2: 1024-bit MODP group(2)
    Jan 25 19:27:35 racoon: [fonie]: DEBUG2: SHA(2)
    Jan 25 19:27:35 racoon: [fonie]: DEBUG2: AES-CBC(7)
    Jan 25 19:27:35 racoon: [fonie]: DEBUG2: p:1 t:1
    Jan 25 19:27:35 racoon: [fonie]: DEBUG2: encklen=256
    Jan 25 19:27:35 racoon: [fonie]: DEBUG2: lifebyte = 0
    Jan 25 19:27:35 racoon: [fonie]: DEBUG2: lifetime = 28800
    Jan 25 19:27:35 racoon: [fonie]: DEBUG: hmac(modp1024)
    Jan 25 19:27:35 racoon: [fonie]: DEBUG2:
    Jan 25 19:27:35 racoon: [fonie]: DEBUG2: pre-shared key(1)
    Jan 25 19:27:35 racoon: [fonie]: DEBUG2: 1024-bit MODP group(2)
    Jan 25 19:27:35 racoon: [fonie]: DEBUG2: MD5(1)
    Jan 25 19:27:35 racoon: [fonie]: DEBUG2: 3DES-CBC(5)
    Jan 25 19:27:35 racoon: [fonie]: DEBUG2: p:1 t:1
    Jan 25 19:27:35 racoon: [fonie]: DEBUG2: encklen=0
    Jan 25 19:27:35 racoon: [fonie]: DEBUG2: lifebyte = 0
    Jan 25 19:27:35 racoon: [fonie]: DEBUG2: lifetime = 3600
    Jan 25 19:27:35 racoon: [fonie]: DEBUG: reading config file /var/etc/racoon.conf
    Jan 25 19:25:59 racoon: [fonie]: INFO: unsupported PF_KEY message REGISTER
    Jan 25 19:25:59 racoon: [fonie]: DEBUG: pk_recv: retry[0] recv()
    Jan 25 19:25:59 racoon: [fonie]: INFO: 10.112.35.13[500] used for NAT-T
    Jan 25 19:25:59 racoon: [fonie]: INFO: 127.0.0.1[500] used as isakmp port (fd=11)
    Jan 25 19:25:59 racoon: [fonie]: INFO: 78.35.x.x[4500] used as isakmp port (fd=10)
    Jan 25 19:25:59 racoon: [fonie]: NOTIFY: NAT-T is enabled, autoconfiguring ports
    Jan 25 19:25:59 racoon: [fonie]: DEBUG: evaluating sainfo: loc='10.0.4.1', rmt='10.0.5.4', peer='ANY', id=1
    Jan 25 19:25:59 racoon: [fonie]: DEBUG: compression algorithm can not be checked because sadb message doesn't support it.
    Jan 25 19:25:59 racoon: [fonie]: DEBUG: compression algorithm can not be checked because sadb message doesn't support it.
    Jan 25 19:25:59 racoon: [fonie]: DEBUG: hmac(modp1024)
    Jan 25 19:25:59 racoon: [fonie]: DEBUG2:
    Jan 25 19:25:59 racoon: [fonie]: DEBUG2: XAuth pskey server(65002)
    Jan 25 19:25:59 racoon: [fonie]: DEBUG2: 1024-bit MODP group(2)
    Jan 25 19:25:59 racoon: [fonie]: DEBUG2: SHA(2)
    Jan 25 19:25:59 racoon: [fonie]: DEBUG2: AES-CBC(7)
    Jan 25 19:25:59 racoon: [fonie]: DEBUG2: p:1 t:1
    Jan 25 19:25:59 racoon: [fonie]: DEBUG2: encklen=256
    Jan 25 19:25:59 racoon: [fonie]: DEBUG2: lifebyte = 0
    Jan 25 19:25:59 racoon: [fonie]: DEBUG2: lifetime = 28800
    Jan 25 19:25:59 racoon: [fonie]: DEBUG: hmac(modp1024)
    Jan 25 19:25:59 racoon: [fonie]: DEBUG2:
    Jan 25 19:25:59 racoon: [fonie]: DEBUG2: pre-shared key(1)
    Jan 25 19:25:59 racoon: [fonie]: DEBUG2: 1024-bit MODP group(2)
    Jan 25 19:25:59 racoon: [fonie]: DEBUG2: MD5(1)
    Jan 25 19:25:59 racoon: [fonie]: DEBUG2: 3DES-CBC(5)
    Jan 25 19:25:59 racoon: [fonie]: DEBUG2: p:1 t:1
    Jan 25 19:25:59 racoon: [fonie]: DEBUG2: encklen=0
    Jan 25 19:25:59 racoon: [fonie]: DEBUG2: lifebyte = 0
    Jan 25 19:25:59 racoon: [fonie]: DEBUG2: lifetime = 3600
    Jan 25 19:25:59 racoon: [fonie]: DEBUG: reading config file /var/etc/racoon.conf
    Jan 25 19:25:00 racoon: [fonie]: INFO: unsupported PF_KEY message REGISTER
    Jan 25 19:25:00 racoon: [fonie]: DEBUG2: 02070000 15000000 00000000 5c100000 0a000e00 00000000 02008000 80000000 0300a000 a0000000 05000001 00010000 06008001 80010000 07000002 00020000 0800a000 a0000000 f9008000 80000000 fa00a000 a0000000 fb000800 00080000 09000f00 00000000 02084000 40000000 0308c000 c0000000 06082800 80000000 07082800 c0010000 0b040000 00080000 0c104000 00010000 16104000 00010000 f9085000 50000000
    Jan 25 19:25:00 racoon: [fonie]: DEBUG: get pfkey REGISTER message
    Jan 25 19:25:00 racoon: [fonie]: DEBUG: pk_recv: retry[0] recv()
    Jan 25 19:25:00 racoon: [fonie]: INFO: 10.112.35.13[4500] used as isakmp port (fd=14)
    Jan 25 19:25:00 racoon: [fonie]: INFO: 127.0.0.1[500] used as isakmp port (fd=11)
    Jan 25 19:25:00 racoon: [fonie]: INFO: 10.0.4.1[500] used as isakmp port (fd=0)
    Jan 25 19:25:00 racoon: [fonie]: DEBUG: my interface: 10.112.35.13 (em0)
    Jan 25 19:25:00 racoon: [fonie]: DEBUG: getsainfo params: loc='ANONYMOUS', rmt='ANONYMOUS', peer='NULL', id=2
    Jan 25 19:25:00 racoon: [fonie]: DEBUG: compression algorithm can not be checked because sadb message doesn't support it.
    Jan 25 19:25:00 racoon: [fonie]: DEBUG: hmac(modp1024)
    Jan 25 19:25:00 racoon: [fonie]: DEBUG2:
    Jan 25 19:25:00 racoon: [fonie]: DEBUG2: XAuth pskey server(65002)
    Jan 25 19:25:00 racoon: [fonie]: DEBUG2: 1024-bit MODP group(2)
    Jan 25 19:25:00 racoon: [fonie]: DEBUG2: SHA(2)
    Jan 25 19:25:00 racoon: [fonie]: DEBUG2: AES-CBC(7)
    Jan 25 19:25:00 racoon: [fonie]: DEBUG2: p:1 t:1
    Jan 25 19:25:00 racoon: [fonie]: DEBUG2: encklen=256
    Jan 25 19:25:00 racoon: [fonie]: DEBUG2: lifebyte = 0
    Jan 25 19:25:00 racoon: [fonie]: DEBUG2: lifetime = 28800
    Jan 25 19:25:00 racoon: [fonie]: DEBUG: hmac(modp1024)
    Jan 25 19:25:00 racoon: [fonie]: DEBUG2:
    Jan 25 19:25:00 racoon: [fonie]: DEBUG2: pre-shared key(1)
    Jan 25 19:25:00 racoon: [fonie]: DEBUG2: 1024-bit MODP group(2)
    Jan 25 19:25:00 racoon: [fonie]: DEBUG2: MD5(1)
    Jan 25 19:25:00 racoon: [fonie]: DEBUG2: 3DES-CBC(5)
    Jan 25 19:25:00 racoon: [fonie]: DEBUG2: p:1 t:1
    Jan 25 19:25:00 racoon: [fonie]: DEBUG2: encklen=0
    Jan 25 19:25:00 racoon: [fonie]: DEBUG2: lifebyte = 0
    Jan 25 19:25:00 racoon: [fonie]: DEBUG2: lifetime = 3600
    Jan 25 19:25:00 racoon: [fonie]: DEBUG: reading config file /var/etc/racoon.conf
    Jan 25 19:24:07 racoon: [fonie]: DEBUG: get pfkey REGISTER message
    Jan 25 19:24:07 racoon: [fonie]: INFO: 10.112.35.13[4500] used as isakmp port (fd=14)
    Jan 25 19:24:07 racoon: [fonie]: INFO: 127.0.0.1[4500] used for NAT-T
    Jan 25 19:24:07 racoon: [fonie]: INFO: 78.35.x.x[4500] used for NAT-T
    Jan 25 19:24:07 racoon: [fonie]: INFO: 78.35.x.x[500] used as isakmp port (fd=9)
    Jan 25 19:24:07 racoon: [fonie]: DEBUG: my interface: 10.0.4.1 (gre0)
    Jan 25 19:24:07 racoon: [fonie]: DEBUG: evaluating sainfo: loc='10.0.4.1', rmt='10.0.5.4', peer='ANY', id=1
    Jan 25 19:24:07 racoon: [fonie]: DEBUG: compression algorithm can not be checked because sadb message doesn't support it.
    Jan 25 19:24:07 racoon: [fonie]: DEBUG: compression algorithm can not be checked because sadb message doesn't support it.
    Jan 25 19:24:07 racoon: [fonie]: DEBUG: hmac(modp1024)
    Jan 25 19:24:07 racoon: [fonie]: DEBUG2:
    Jan 25 19:24:07 racoon: [fonie]: DEBUG2: XAuth pskey server(65002)
    Jan 25 19:24:07 racoon: [fonie]: DEBUG2: 1024-bit MODP group(2)
    Jan 25 19:24:07 racoon: [fonie]: DEBUG2: SHA(2)
    Jan 25 19:24:07 racoon: [fonie]: DEBUG2: AES-CBC(7)
    Jan 25 19:24:07 racoon: [fonie]: DEBUG2: p:1 t:1
    Jan 25 19:24:07 racoon: [fonie]: DEBUG2: encklen=256
    Jan 25 19:24:07 racoon: [fonie]: DEBUG2: lifebyte = 0
    Jan 25 19:24:07 racoon: [fonie]: DEBUG2: lifetime = 28800
    Jan 25 19:24:07 racoon: [fonie]: DEBUG: hmac(modp1024)
    Jan 25 19:24:07 racoon: [fonie]: DEBUG2:
    Jan 25 19:24:07 racoon: [fonie]: DEBUG2: pre-shared key(1)
    Jan 25 19:24:07 racoon: [fonie]: DEBUG2: 1024-bit MODP group(2)
    Jan 25 19:24:07 racoon: [fonie]: DEBUG2: MD5(1)
    Jan 25 19:24:07 racoon: [fonie]: DEBUG2: 3DES-CBC(5)
    Jan 25 19:24:07 racoon: [fonie]: DEBUG2: p:1 t:1
    Jan 25 19:24:07 racoon: [fonie]: DEBUG2: encklen=0
    Jan 25 19:24:07 racoon: [fonie]: DEBUG2: lifebyte = 0
    Jan 25 19:24:07 racoon: [fonie]: DEBUG2: lifetime = 3600
    Jan 25 19:24:07 racoon: [fonie]: DEBUG: reading config file /var/etc/racoon.conf
    Jan 25 19:23:45 racoon: [fonie]: DEBUG: sub:0xbfbfe554: 10.0.5.4/32[0] 10.0.4.1/32[0] proto=any dir=in
    Jan 25 19:23:45 racoon: [fonie]: DEBUG: get pfkey X_SPDADD message
    Jan 25 19:23:45 racoon: [fonie]: DEBUG: db :0x28748288: 10.112.35.0/27[0] 10.112.35.13/32[0] proto=any dir=in
    Jan 25 19:23:45 racoon: [fonie]: DEBUG: sub:0xbfbfe554: 10.112.35.0/27[0] 10.112.35.13/32[0] proto=any dir=in
    Jan 25 19:23:45 racoon: [fonie]: DEBUG: pk_recv: retry[0] recv()
    Jan 25 19:23:45 racoon: [fonie]: DEBUG: get pfkey REGISTER message
    Jan 25 19:23:45 racoon: [fonie]: DEBUG: pk_recv: retry[0] recv()
    Jan 25 19:23:45 racoon: [fonie]: INFO: 127.0.0.1[4500] used as isakmp port (fd=12)
    Jan 25 19:23:45 racoon: [fonie]: INFO: 78.35.x.x[4500] used for NAT-T
    Jan 25 19:23:45 racoon: [fonie]: NOTIFY: NAT-T is enabled, autoconfiguring ports
    Jan 25 19:23:45 racoon: [fonie]: DEBUG2: parse successed.
    Jan 25 19:23:45 racoon: [fonie]: DEBUG: getsainfo params: loc='ANONYMOUS', rmt='ANONYMOUS', peer='NULL', id=2
    Jan 25 19:23:45 racoon: [fonie]: DEBUG: compression algorithm can not be checked because sadb message doesn't support it.
    Jan 25 19:23:45 racoon: [fonie]: DEBUG: hmac(modp1024)
    Jan 25 19:23:45 racoon: [fonie]: DEBUG2:
    Jan 25 19:23:45 racoon: [fonie]: DEBUG2: XAuth pskey server(65002)
    Jan 25 19:23:45 racoon: [fonie]: DEBUG2: 1024-bit MODP group(2)
    Jan 25 19:23:45 racoon: [fonie]: DEBUG2: SHA(2)
    Jan 25 19:23:45 racoon: [fonie]: DEBUG2: AES-CBC(7)
    Jan 25 19:23:45 racoon: [fonie]: DEBUG2: p:1 t:1
    Jan 25 19:23:45 racoon: [fonie]: DEBUG2: encklen=256
    Jan 25 19:23:45 racoon: [fonie]: DEBUG2: lifebyte = 0
    Jan 25 19:23:45 racoon: [fonie]: DEBUG2: lifetime = 28800
    Jan 25 19:23:45 racoon: [fonie]: DEBUG: hmac(modp1024)
    Jan 25 19:23:45 racoon: [fonie]: DEBUG2:
    Jan 25 19:23:45 racoon: [fonie]: DEBUG2: pre-shared key(1)
    Jan 25 19:23:45 racoon: [fonie]: DEBUG2: 1024-bit MODP group(2)
    Jan 25 19:23:45 racoon: [fonie]: DEBUG2: MD5(1)
    Jan 25 19:23:45 racoon: [fonie]: DEBUG2: 3DES-CBC(5)
    Jan 25 19:23:45 racoon: [fonie]: DEBUG2: p:1 t:1
    Jan 25 19:23:45 racoon: [fonie]: DEBUG2: encklen=0
    Jan 25 19:23:45 racoon: [fonie]: DEBUG2: lifebyte = 0
    Jan 25 19:23:45 racoon: [fonie]: DEBUG2: lifetime = 3600
    Jan 25 19:23:45 racoon: [fonie]: DEBUG: reading config file /var/etc/racoon.conf
    Jan 25 19:19:27 racoon: [fonie]: DEBUG: pk_recv: retry[0] recv()
    Jan 25 19:19:27 racoon: [fonie]: INFO: 78.35.x.x[4500] used as isakmp port (fd=8)
    Jan 25 19:19:27 racoon: [fonie]: DEBUG2: parse successed.
    Jan 25 19:19:27 racoon: [fonie]: DEBUG: getsainfo params: loc='ANONYMOUS', rmt='ANONYMOUS', peer='NULL', id=2
    Jan 25 19:19:27 racoon: [fonie]: DEBUG: getsainfo params: loc='10.0.4.1', rmt='10.0.5.4', peer='NULL', id=1
    Jan 25 19:19:27 racoon: [fonie]: DEBUG: hmac(modp1024)
    Jan 25 19:19:27 racoon: [fonie]: DEBUG2: 1024-bit MODP group(2)
    Jan 25 19:19:27 racoon: [fonie]: DEBUG2: SHA(2)
    Jan 25 19:19:27 racoon: [fonie]: DEBUG2: AES-CBC(7)
    Jan 25 19:19:27 racoon: [fonie]: DEBUG2: lifebyte = 0
    Jan 25 19:19:27 racoon: [fonie]: DEBUG: hmac(modp1024)
    Jan 25 19:19:27 racoon: [fonie]: DEBUG2:
    Jan 25 19:19:27 racoon: [fonie]: DEBUG2: pre-shared key(1)
    Jan 25 19:19:27 racoon: [fonie]: DEBUG2: 1024-bit MODP group(2)
    Jan 25 19:19:27 racoon: [fonie]: DEBUG2: MD5(1)
    Jan 25 19:19:27 racoon: [fonie]: DEBUG2: 3DES-CBC(5)
    Jan 25 19:19:27 racoon: [fonie]: DEBUG2: p:1 t:1
    Jan 25 19:19:27 racoon: [fonie]: DEBUG2: encklen=0
    Jan 25 19:19:27 racoon: [fonie]: DEBUG2: lifebyte = 0
    Jan 25 19:19:27 racoon: [fonie]: DEBUG2: lifetime = 3600
    Jan 25 19:19:27 racoon: [fonie]: INFO: Resize address pool from 0 to 1
    Jan 25 19:19:27 racoon: [fonie]: DEBUG: reading config file /var/etc/racoon.conf
    Jan 25 19:19:27 racoon: [fonie]: DEBUG: call pfkey_send_register for IPCOMP
    Jan 25 19:19:27 racoon: [fonie]: DEBUG: call pfkey_send_register for ESP
    Jan 25 19:19:27 racoon: [fonie]: DEBUG: call pfkey_send_register for AH
    Jan 25 19:19:27 racoon: [fonie]: INFO: Reading configuration from "/var/etc/racoon.conf"
    Jan 25 19:19:27 racoon: [fonie]: INFO: @(#)This product linked OpenSSL 0.9.8n 24 Mar 2010 (http://www.openssl.org/)
    Jan 25 19:19:27 racoon: [fonie]: INFO: @(#)ipsec-tools 0.7.3 (http://ipsec-tools.sourceforge.net)
    
    

  • Rebel Alliance Developer Netgate

    If your IPsec setup was using certificates, check your certificate manager and make sure all your CAs and certs are still there.



  • No. I'm using only PSK. No certs used.


  • Rebel Alliance Developer Netgate

    A little odd that it printed 'invalid certificate info' then. Still might be worth looking at.



  • That's what I did. I went through all the IPsec pages, reviewed the settings (which were all unchanged), and saved every page — same result. All of this started with the mentioned update. Another thing: disabling and re-enabling IPsec doesn't restart racoon. I have to reboot the whole machine to get it running after any config change; otherwise it doesn't even react to connections from outside. After a reboot, a new connection is seen by racoon.



  • Tested the whole config again. No errors present, and none seen by me.
    Updated today to the latest snapshot; still no IPsec.

    Jan 26 14:21:34	php: /vpn_ipsec.php: Error: Invalid certificate info for
    Jan 26 14:21:34	php: /vpn_ipsec.php: Could not determine VPN endpoint for 'fonie'
    

    Yes, the "Invalid cert…" line really does end just like that, with nothing after "for".

    Here is my racoon.conf. There are no cert entries.

    # This file is automatically generated. Do not edit
    # NOTE(review): pasted from the forum post; the "---> ..." remarks after some
    # directives appear to be the poster's annotations, not racoon syntax.
    # Pre-shared keys for both "remote" sections are read from this file; it holds
    # the shared secrets, so it should stay readable by root only.
    path pre_shared_key "/var/etc/psk.txt";
    
    # Only a certificate search path is set; no certificate directives follow,
    # consistent with the PSK-only setup described in the thread. The
    # "Invalid certificate info for" line in the system log is emitted by
    # /vpn_ipsec.php (pfSense), not by racoon.
    path certificate  "/var/etc";
    
    listen
    {
    	# Admin socket is root/wheel 0660: only local admins can talk to racoon.
    	adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
    	# ISAKMP on the WAN address, UDP 500; NAT-T on UDP 4500 (matches the
    	# "used as isakmp port" / "used for NAT-T" log lines above).
    	isakmp 78.35.x.x [500];
    	isakmp_natt 78.35.x.x [4500];
    }
    
    # Mode-config for the mobile (phone) client: one-address pool, DNS and
    # split-DNS pushed from the firewall.
    mode_cfg
    {
    	auth_source system;
    	group_source system;
    	pool_size 1;
    	network4 10.112.36.1;
    	netmask4 255.255.255.252;
    	dns4 10.112.35.13;
    	default_domain "hier.local";
    	split_dns "hier.local";
    	# NOTE(review): lets the client cache its XAuth password; consider
    	# turning this off if the mobile device may be lost or shared.
    	save_passwd on;
    }
    
    # Site-to-site peer with a fixed address (ph1id 1, matched by "remoteid 1"
    # in the first sainfo below).
    remote 87.y.y.y                                            ---> remote fixed IP
    
    {
    	ph1id 1;
    	# NOTE(review): aggressive mode with a PSK sends the identity hash
    	# before encryption is established, so an on-path observer can attempt
    	# offline guessing of the PSK; use a long random PSK, and prefer main
    	# mode for a fixed-IP peer if the remote side supports it.
    	exchange_mode aggressive;
    	my_identifier address 78.35.x.x;              ---> actual WAN-IP
    	peers_identifier address 87.y.y.y;             ---> remote fixed IP
    	ike_frag on;
    	generate_policy = off;
    	initial_contact = on;
    	nat_traversal = on;
    
    	support_proxy on;
    	proposal_check claim;
    
    	proposal
    	{
    		authentication_method pre_shared_key;
    		# NOTE(review): 3DES/MD5 are legacy choices; prefer AES and SHA
    		# (as the mobile proposal below already does) if the peer allows it.
    		encryption_algorithm 3des;
    		hash_algorithm md5;
    		dh_group 2;
    		lifetime time 3600 secs;
    	}
    }
    
    # Mobile-client (road warrior) peer: any source address, identified by the
    # FQDN-style group name below (ph1id 2, matched by "remoteid 2").
    remote anonymous
    {
    	ph1id 2;
    	# NOTE(review): aggressive mode is the usual requirement for PSK-based
    	# mobile clients; the PSK strength is what protects the exchange.
    	exchange_mode aggressive;
    	my_identifier address 78.35.x.x;   ---> actual WAN-IP
    	peers_identifier fqdn "zuhus";
    	ike_frag on;
    	generate_policy = unique;
    	initial_contact = off;
    	nat_traversal = on;
    
    	# Dead-peer detection: 60 s interval, declare the peer dead after 5 misses.
    	dpd_delay = 60;
    	dpd_maxfail = 5;
    	support_proxy on;
    	proposal_check claim;
    
    	proposal
    	{
    		# XAuth on top of the PSK: the client must also present a username/
    		# password checked against the system auth source.
    		authentication_method xauth_psk_server;
    		encryption_algorithm aes 256;
    		hash_algorithm sha1;
    		dh_group 2;
    		lifetime time 28800 secs;
    	}
    }
    
    # Phase 2 for the site-to-site tunnel (the 10.0.4.1 <-> 10.0.5.4 pair seen in
    # the "evaluating sainfo" log lines).
    sainfo address 10.0.4.1 any address 10.0.5.4 any
    {
    	remoteid 1;
    	encryption_algorithm 3des;
    	authentication_algorithm hmac_sha1;
    	pfs_group 2;
    	lifetime time 3600 secs;
    	# The "compression algorithm can not be checked ..." DEBUG lines above
    	# refer to this directive; they look informational rather than fatal.
    	compression_algorithm deflate;
    }
    
    # Phase 2 for the mobile client; AES offered in descending key size.
    sainfo   anonymous
    {
    	remoteid 2;
    	encryption_algorithm aes 256, aes 192, aes 128;
    	authentication_algorithm hmac_sha1;
    
    	lifetime time 3600 secs;
    	compression_algorithm deflate;
    }
    
    

    I think I will downgrade to the snapshot from 01/22 and see if it works again.

    That's really strange!

