Some VPN (IPSec) not reconnect
-
I just updated to the latest snapshot (2.0-BEAT5 (i386) built on Wed Feb 16 02:41:43 EST 2011).
After rebooted, 2 of my site-to-site IPSec VPNs didn't connect. I checked the log. There are some weird log entries.
Such as:
racoon: [xxx.xxx.xxx.xxx] ERROR: can't start the quick mode, there is no ISAKMP-SA, …
racoon: [xxx.xxx.xxx.xxx] ERROR: unknown Informational exchange received.And most weird is:
pfSense responded to remote site
racoon: [XXX]: INFO: respond new phase 1 negotiation: yyy.yyy.yyy.yyy[500]<=>xxx.xxx.xxx.xxx[500]
and IPsec-SA was established
but after about 10 seconds:
racoon: [xxx.xxx.xxx.xxx] INFO: DPD: remote (ISAKMP-SA spi=fe77c7d6d61d335c:bf3ad9a69dda15e3) seems to be dead.
and then ISAKMP-SA was deletedThe remote site is a SonicWall NAS240. But all my other VPNs haven't got this problem.
Another weird thing is that if the VPN is "initiated" from my site (i.e. from pfSense), the link established without problem:
racoon: [XXX]: INFO: initiate new phase 1 negotiation: yyy.yyy.yyy.yyy[500]<=>xxx.xxx.xxx.xxx[500]-Raylund
-
The same with snapshot 2.0-BETA5 (i386) built on Wed Feb 16 14:46:23 EST 2011
Here is a VPN connection log shown:
respond new phase 1 negotiation
ISAKMP-SA established
respond new phase 2 negotiation
IPsec-SA established
18 seconds later
DPD: remote (ISAKMP-SA spi=1cbd27f7ec9e0bc7:3c6cf2db85454670) seems to be dead
purging ISAKMP-SA
purged IPsec-SA
purged ISAKMP-SA
ISAKMP-SA deletedAnd I'm getting this on other 2 VPN connections:
ERROR: can't start the quick mode, there is no ISAKMP-SAI should manually click on the "connect VPN" button on pfSense to establish them.
All of them are SonicWall; NAS240, TZ100 and TZ170. Nothing changed on remote sites, only pfSense was updated.
-Raylund
-
If you fill in the keep-alive IP, it will cause the tunnel to be initiated from your side periodically, and keep the tunnel up.
There have been some changes in the version of ipsec-tools in use on pfSense over the past few weeks, but I haven't heard of anyone else having a similar issue.
What snapshot date were you on previously?
-
I don't think the keep-alive IP works. I'm now having one of the problematic VPNs disconnected although I already set it to automatically ping host, the remote site SonicWall LAN IP.
I think my previous snapshot is Jan 26.
-Raylund
-
More information. (I've updated to the latest again 2.0-BETA5 (i386) built on Fri Feb 18 06:31:46 EST 2011)
I'm still getting:
ERROR: can't start the quick mode, there is no ISAKMP-SAHere are the logs from the remote site SonicWall NSA240:
Warning VPN IKE Received unencrypted packet in crypto active state
Info VPN IKE Received notify: INVALID_COOKIESAfter I disabled the VPN on remote site's SonicWall, I got this on my pfSense (which I think it's normal):
ERROR: unknown Informational exchange receivedI then re-enabled the VPN on remote site's SonicWall, I got this sequence of events on my pfSense:
INFO: respond new phase 1 negotiation
(a lot of transactions)
INFO: ISAKMP-SA established
INFO: respond new phase 2 negotiation
INFO: IPsec-SA established
INFO: IPsec-SA established
(35 seconds later)
INFO: DPD: remote (ISAKMP-SA spi=3fd652be49324ed5:360a5981b545c374) seems to be dead
INFO: purging ISAKMP-SA
INFO: purged IPsec-SA
INFO: purged IPsec-SA
INFO: purged ISAKMP-SA
INFO: ISAKMP-SA deletedOn the remote site's SonicWall logged (after the succesful connection):
Error VPN IKE Payload processing failed
(5 of the above and no more logs about the VPN)I then initiate the VPN from my pfSense. Everything seems working.
-Raylund
-
Still on the latest snaphot.
After I initiated the 2 problematic VPNs from my pfSense and they worked for some time, these 2 VPN connections are disconnected now.
The logs are filled with:
ERROR: can't start the quick mode, there is no ISAKMP-SAI've already set automatically ping host. Although I seldom have activities between these links, they never disconnected before.
May be I should try to reverse back to previous snapshot to see.
-Raylund
-
OK. I revered back to snapshot 2.0-BETA5 (i386) built on Wed Jan 26 09:44:03 EST 2011
The 2 problematic VPN links still not connect after the firmware downgrade. The logs still filled with:
ERROR: can't start the quick mode, there is no ISAKMP-SAThe remote site (SonicWall NSA240) still get this logs:
Warning VPN IKE Received unencrypted packet in crypto active state
Info VPN IKE Received notify: INVALID_COOKIESSo, I disabled the VPN link on SonicWall. As expected, my pfSense got:
ERROR: unknown Informational exchange receivedThen I enabled the VPN link on SonicWall. The link established and is solid. No more "DPD: remote seems to be dead" nor "ISAKMP-SA deleted". No need to initiate the link from my pfSense in order to establish the link.
-Raylund
-
Just updated to the latest snapshot 2.0-BETA5 (i386) built on Fri Feb 25 07:12:23 EST 2011
The same problem still there.
Now, I disabled DPD on the VPN configurations. I need to manually initiate the links from pfSense, the links established (the same as before that it works always if initiated from pfSense).
But I rebooted my pfSense, all the VPN links automatically reconnected. It's been running solid for 20 minutes now.
I think DPD is the culprit.
-Raylund
-
Alternatively you can try the prefer old ipsec sa knob on the advanced tabs.
-
I checked.
In the GUI System: Advanced: Miscellaneous, "Prefer older IPsec SAs" is checked.
In config.xml, there is entries:
<ipsec><preferoldsa>But in the racoon.conf, there is nothing on prefer older ipsec sa:This file is automatically generated. Do not edit
path pre_shared_key "/var/etc/psk.txt";
path certificate "/var/etc";
listen
{
adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
isakmp 99.237.xxx.xxx [500];
isakmp_natt 99.237.xxx.xxx [4500];
}I tried to un-check "Prefer older IPsec SAs" save and then re-checked "Prefer older IPsec SAs". Funny thing happened.
Although in the GUI, "Prefer older IPsec SAs" is checked now, but the <preferoldsa>is missed in the <ipsec>section on config.xml
There still nothing related to prefer older ipsec sa in racoon.conf
It seems the "Prefer older IPsec SAs" option is broken.
-Raylund</ipsec></preferoldsa></preferoldsa></ipsec>
-
The <preferoldsa>is what is used now, there used to be an older tag (<preferredoldsa>) but it was moved quite some time ago.
It works for me though, the first two lines are with the checkbox off, second two are with the checkbox on:
[2.0-RC1][root@pfsense.localdomain]/root(3): grep prefer /conf/config.xml [2.0-RC1][root@pfsense.localdomain]/root(4): sysctl net.key.preferred_oldsa net.key.preferred_oldsa: 0 [2.0-RC1][root@pfsense.localdomain]/root(5): grep prefer /conf/config.xml <preferoldsa> [2.0-RC1][root@pfsense.localdomain]/root(6): sysctl net.key.preferred_oldsa net.key.preferred_oldsa: -30</preferoldsa> ```</preferredoldsa></preferoldsa>