IPSEC works only one time after activating it?!
-
I'm not sure, but it seems strange that my_identifier is an IP address. As it is a dyn_dns ID, it must be an FQDN, e.g. mysite.mydomain.com, mustn't it?
-
First, it looks strange to me too. But the IP was the actual IP I had at that time, synced with my DynDNS account. But something is going wrong in this special case, because I got the error message in the log.
But, as I wrote: it caused no problems for over a year using "Domain Name" instead of the "Dynamic DNS" setting, on a machine other than the WRAP.
-
Well, using 'Domain name' is the only option for me to get it working. Dunno why.
I can connect since I reinstalled pfSense last night and setup the tunnel from scratch.
But "user@FQDN" or "IP address" as identifiers respond with 'parse error' in the logs. I think I can enter an e-mail address or an IP on both sides without accidents, though. 8)
One other thing caught my attention:
I have allow rules with logging for ESP, AH and UDP 500 on the WAN interface. No TCP 500.
On connection, the log shows an accept for TCP 500, citing the above UDP 500 rule as the trigger.
ESP is logged fine (and I don't use AH). Any ideas?
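The three identifier forms argued about above ("Domain name"/DynDNS name, "user@FQDN", "IP address") are not free text to an IKE daemon: each is classified into an IPsec DOI ID type (RFC 2407) and sent to the peer in the phase-1 Identification payload, and a string that fits none of them is exactly what surfaces as a parse error. The following is an added example (not code from pfSense, racoon or any of the posters) that classifies an identifier string and builds and decodes that payload; the hostnames and the 192.0.2.x address are constructed for illustration. Note that a DynDNS name is carried as ID_FQDN, i.e. the name itself goes on the wire, not whatever address it currently resolves to.

```python
"""Classify an IKEv1 phase-1 identifier string and build the matching ISAKMP
Identification payload (IPsec DOI, RFC 2407 section 4.6.2).

Added example, not pfSense/racoon code.  Identifier strings are constructed.
"""
import ipaddress
import re
import struct

# IPsec DOI identification types (RFC 2407 section 4.6.2.1).
ID_IPV4_ADDR = 1   # 4-byte address: the "IP address" choice in the GUI
ID_FQDN = 2        # hostname: "Domain name" and a DynDNS name end up here
ID_USER_FQDN = 3   # user@hostname: the "user@FQDN" choice

# One RFC 1123 hostname label: alphanumerics and '-', no leading/trailing '-'.
_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def _is_fqdn(host: str) -> bool:
    """Syntactic check: one or more valid labels separated by dots."""
    labels = host.rstrip(".").split(".")
    return all(_LABEL.fullmatch(label) for label in labels)


def classify_identifier(ident: str) -> int:
    """Return the ID type an IKE daemon would assign to `ident`, or raise
    ValueError, the equivalent of the 'parse error' seen in the log."""
    s = ident.strip()
    try:
        ipaddress.IPv4Address(s)
        return ID_IPV4_ADDR
    except ValueError:
        pass
    if "@" in s:
        user, _, host = s.partition("@")
        if user and "@" not in host and _is_fqdn(host):
            return ID_USER_FQDN
        raise ValueError(f"parse error: {ident!r} is not user@FQDN")
    if _is_fqdn(s):
        return ID_FQDN
    raise ValueError(f"parse error: cannot classify {ident!r}")


def encode_id_payload(ident: str, next_payload: int = 0) -> bytes:
    """Build an ISAKMP Identification payload: generic header (next payload,
    reserved, length) followed by ID type, protocol ID, port and the data.
    Protocol ID and port are left 0, which RFC 2409 permits in phase 1."""
    id_type = classify_identifier(ident)
    s = ident.strip()
    if id_type == ID_IPV4_ADDR:
        data = ipaddress.IPv4Address(s).packed
    else:
        data = s.encode("ascii")
    body = struct.pack("!BBH", id_type, 0, 0) + data
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def decode_id_payload(payload: bytes) -> tuple:
    """Inverse of encode_id_payload: return (id_type, identifier_string)."""
    if len(payload) < 8:
        raise ValueError("truncated Identification payload")
    _next, _res, length = struct.unpack("!BBH", payload[:4])
    if length != len(payload):
        raise ValueError("length field does not match payload size")
    id_type, _proto, _port = struct.unpack("!BBH", payload[4:8])
    data = payload[8:]
    if id_type == ID_IPV4_ADDR:
        if len(data) != 4:
            raise ValueError("ID_IPV4_ADDR needs exactly 4 bytes of data")
        return id_type, str(ipaddress.IPv4Address(data))
    if id_type in (ID_FQDN, ID_USER_FQDN):
        return id_type, data.decode("ascii")
    raise ValueError(f"unsupported ID type {id_type}")


if __name__ == "__main__":
    # Constructed identifiers mirroring the three forms discussed in the thread.
    for ident in ("mysite.mydomain.com", "vpn@mysite.mydomain.com", "192.0.2.10"):
        payload = encode_id_payload(ident)
        print(f"{ident:26s} type={classify_identifier(ident)} payload={payload.hex()}")
```

Whatever the local side sends here is what the remote side's peer identifier must be configured to match byte for byte, which is why a dynamic endpoint is normally identified by its name rather than by an address that changes with every reconnect.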
-
Another wild guess:
Did you check that you did not swap static and dynamic ends when creating the rule set?
This would work as long as the connection is up but gets lost after the 24h DSL hiccups. This might happen easily when working on both ends simultaneously, as they look pretty similar… (been there, done that)
-
Hi,
Thanks jahonix for your reply … after being away for a while, I have now made some tests with a laptop. I used the live CD and made an installation on the HD:
Well, using 'Domain name' is the only option for me to get it working. Dunno why.
Same for me. "Dynamic DNS" as an option in VPN seems to be buggy … only "Domain name" works!
Did you check that you did not swap static and dynamic ends when creating the rule set?
No, this is also definitely impossible. I saved my configuration from the WRAP box, adjusted the interface names for WAN and LAN, and restored it on the test laptop. Without any change it works immediately there!?!?
Now I can disconnect and connect and the tunnel comes up as expected, as many times as I tried it. Also after a reboot it's no problem anymore!
Does anybody know if there are any known bugs with the embedded image?
-
Try reflashing the WRAP with the latest snapshot and upload the working config. I use lots of WRAPs, also with IPsec. Haven't seen these problems before.
-
Unfortunately I don't have the hardware at home to reflash, and as I read in the forum it's sadly not possible to reflash using the GUI. But I think I now know the reason why it's not working:
I have a Soekris VPN 1411 (Hifn 7955 based chipset) MiniPCI card in my WRAP. If I remove it, everything works fine as everybody would expect: reboots and IP changes are no problem anymore! I also have the same hardware running at different co-locations (dynamic) in a m0n0/FreeBSD 4 environment, where the 1411 under FreeBSD 4 is also recognized as crypto hardware, and they can all connect to the headquarters running a PC with pfSense (static).
I think something is missing/wrong in the way pfSense initializes or handles the VPN crypto hardware after the IP changes or after I reboot the WRAP … because if I only disable/enable IPsec, the tunnel comes up and everything runs until the next IP change! So if the same thing happened on reboot or IP change, this might be the solution to my problem.
-
Addendum: I bought myself a card reader and flashed 1.0.1-SNAPSHOT-02-02-2007, built on Sat Feb 3 06:12:22 EST 2007, onto my CF and restored the working config. There too I got the same problems …
-
Now that it is certain that the error occurs only in combination with the VPN crypto card, is there a chance to get a statement from the devs on what I could do now? As I wrote, the crypto card itself works in a BSD 4 environment, so I think the reason is not the card itself …
-
Sounds like a FreeBSD bug then. Search the appropriate lists for similar problems or statements on this.