BUG: IPSEC tunnels not coming up with CARP (edited)



  • I posted this under another similar thread that somebody else started because I was getting similar errors, but I figured that there were enough differences with my configuration to warrant its own thread…

    ---------------------------
    **_EDIT: I found out that when I changed the interface back to WAN (from the CARP IP addresses) the tunnels came right up.
    ---------------------------
    I am using the latest x64 build (02/24/2011) and I actually have a mix of main and aggressive tunnels because some are static IPs and some are dynamic.

    My pfSense is on static IPs and was running 1.2.3 with 6 remote sites connected using IPsec. All the remote sites are using Linksys RV802/402 routers.
    I have 2 main subnets at my main site.
    The Linksys routers only really support one apiece, so we had to set up 2 tunnels on each router connecting to pfSense, one for LAN and one for VOIP.

    Here's the setup:
    Main Site pfSense 2.0-BETA5 (amd64) built on Thu Feb 24 18:23:48 EST 2011
    On an intel PT1000 dual LAN nic setup for 802.3ad (LACP) LAG (em0 + em1):
    LAN (192.168.10.0/24) VLAN10 (lan interface)
    VOIP (172.16.10.0/24) VLAN500 (opt9 interface)
    other irrelevant & test vlans on the same LAG

    The WAN links are setup on a third intel interface em2
    WAN1 = T1 (VLAN4001) IPSEC tunnels connect to this
    WAN2-4 = (VLAN4002-4004) Gateway group for internet traffic

    pfsync (10.254.254.0/24) on dedicated interface re0
    I have CARP interfaces set up per the tutorial and everything appears to be working.
    The second pfSense firewall has not yet been added (but will be).

    So the remote sites are:
    Linksys/Cisco RV802
    192.168.100.0/24 | tunnel1 => 192.168.10.0/24 | tunnel2 => 172.16.10.0/24
    Linksys/Cisco RV402
    192.168.101.0/24 | tunnel1 => 192.168.10.0/24 | tunnel2 => 172.16.10.0/24
    Linksys/Cisco RV402
    192.168.102.0/24 | tunnel1 => 192.168.10.0/24 | tunnel2 => 172.16.10.0/24
    Linksys/Cisco RV402
    192.168.103.0/24 | tunnel1 => 192.168.10.0/24 | tunnel2 => 172.16.10.0/24
    Linksys/Cisco RV402
    192.168.104.0/24 | tunnel1 => 192.168.10.0/24 | tunnel2 => 172.16.10.0/24
    Linksys/Cisco RV402
    192.168.105.0/24 | tunnel1 => 192.168.10.0/24 | tunnel2 => 172.16.10.0/24

    On pfSense 1.2.3 I had to set up 2 tunnels per site and all was working well.

    Decided to "upgrade" to 2.0 (I know it's not production, so that's why we're testing). The main things we wanted to do were CARP redundancy (for 2 pfSense firewalls) along with LAG (LACP).

    Had to set up the IPsec differently, because of multiple phase 2s to each phase 1 (I LOVE that, btw) and 2.0 won't let me set up more than 1 phase 1 per remote endpoint. Had to set the endpoint IP to the CARP address (of course).
    Now the weird thing is that some tunnels come up fine AND if a site comes up, BOTH phase 2s come up fine. No rhyme or reason either, because some of the working ones are MAIN and some are AGGRESSIVE.

    I'm thinking it could be the multiple phase 2s that are screwing things up, since the Linksys RVs don't support multiple phase 2s per phase 1. SO I took one of the problem sites and WIPED the phase 1 from BOTH the pfSense and the Linksys and created a new phase 1 with only a single phase 2 and only ONE tunnel on the Linksys.

    I noticed some phase 1 PSK errors in the VPN log, so I created some pre-shared keys the old way in the Pre-shared Keys tab. The interesting thing is that without ANY keys in the Pre-shared Keys tab I had 8 tunnels UP AND RUNNING.

    It still doesn't come up and is giving several messages in the log:
    NOTIFY: the packet is retransmitted by {REMOTEIP}[500] (1).
    racoon: ERROR: phase1 negotiation failed due to time up. 15be5a31877243b6:60dcd2d5d19df3ea
    racoon: [REMOTEIP] ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP {REMOTEIP}[0]->{LOCALIP}[0]

    The weird thing is that I check the logs on the remote routers that are failing and I get:
    Feb 26 10:35:10 2011     VPN Log    Initiating Main Mode  
    Feb 26 10:35:10 2011     VPN Log    [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet  
    Feb 26 10:35:10 2011     VPN Log    [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet  
    Feb 26 10:48:19 2011     VPN Log    Initiating Main Mode to replace #978  
    Feb 26 10:48:19 2011     VPN Log    [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet  
    Feb 26 11:01:29 2011     VPN Log    Initiating Main Mode to replace #979  
    Feb 26 11:01:29 2011     VPN Log    [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet  
    Feb 26 11:01:29 2011     VPN Log    [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet

    The failing tunnels never seem to get a response from pfSense.

    I had 8 of 12 tunnels working at one point in time, which seemed pretty good, although I couldn't get the last 2 sites up. The weird thing is that the 2 problem sites were static IPs with main mode tunnels! I tried restarting the remote routers and that didn't resolve anything. So instead I decided to restart pfSense and now only 4 tunnels come up! TWO are to a static IP and 2 are to a dynamic IP.

    There appears to be no rhyme or reason as to why some tunnels work and some don't. The other thing that puzzles me is that the failing VPN remote endpoints don't receive ANY response from pfSense. There isn't even any consistency between the ones that fail, or the types of ones that fail.
    Keep in mind this setup was working fine with pfSense 1.2.3._**
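
The post above is sorting 12 tunnels by hand from two logs. The script below is an added example (not from the post, not pfSense or racoon code) that does that sorting over the racoon log: it groups the messages quoted above by remote peer and labels each peer as up, flapping, or never completing phase 1. The sample lines are constructed: the NOTIFY/ERROR shapes are the ones quoted in the post, while the "new phase 1 negotiation" and "*-SA established" INFO shapes are assumed from racoon's usual messages (check them against your own log), and the addresses are documentation ranges, not the poster's. Because racoon's phase 1 timeout line carries only the ISAKMP cookies and no peer address, the script attributes each timeout to the oldest phase 1 still in progress, which is a heuristic.

```python
"""Summarise racoon IPsec log lines per remote peer.

Added example, not from the original post or from pfSense/racoon.
Sample input below is constructed; message shapes other than those
quoted in the post are assumptions about racoon's INFO output.
"""
import re
from collections import defaultdict

# Constructed sample: one peer (.5) that keeps retransmitting main mode
# packet 1 and times out, one peer (.6) that completes both phases.
SAMPLE_LOG = """\
Feb 26 10:35:10 racoon: INFO: respond new phase 1 negotiation: 203.0.113.10[500]<=>198.51.100.5[500]
Feb 26 10:35:20 racoon: NOTIFY: the packet is retransmitted by 198.51.100.5[500] (1).
Feb 26 10:35:30 racoon: NOTIFY: the packet is retransmitted by 198.51.100.5[500] (2).
Feb 26 10:36:10 racoon: ERROR: phase1 negotiation failed due to time up. 15be5a31877243b6:60dcd2d5d19df3ea
Feb 26 10:36:10 racoon: [198.51.100.5] ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 198.51.100.5[0]->203.0.113.10[0]
Feb 26 10:40:00 racoon: INFO: respond new phase 1 negotiation: 203.0.113.10[500]<=>198.51.100.6[500]
Feb 26 10:40:01 racoon: INFO: ISAKMP-SA established 203.0.113.10[500]-198.51.100.6[500] spi:aabbccdd:11223344
Feb 26 10:40:02 racoon: INFO: IPsec-SA established: ESP/Tunnel 198.51.100.6[500]->203.0.113.10[500] spi=12345
Feb 26 10:48:19 racoon: INFO: respond new phase 1 negotiation: 203.0.113.10[500]<=>198.51.100.5[500]
Feb 26 10:49:19 racoon: ERROR: phase1 negotiation failed due to time up. 0123456789abcdef:fedcba9876543210
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
RE_PH1_START = re.compile(r"(?:respond|initiate) new phase 1 negotiation: "
                          + IPV4 + r"\[\d+\]<=>" + IPV4 + r"\[\d+\]")
RE_RETRANS = re.compile(r"the packet is retransmitted by " + IPV4 + r"\[\d+\]")
RE_PH1_FAIL = re.compile(r"phase1 negotiation failed due to time up\.")
RE_PEER_ERR = re.compile(r"\[" + IPV4 + r"\] ERROR: (.*)")
RE_ISAKMP_OK = re.compile(r"ISAKMP-SA established " + IPV4 + r"\[\d+\]-" + IPV4 + r"\[\d+\]")
RE_IPSEC_OK = re.compile(r"IPsec-SA established: \S+ " + IPV4 + r"\[\d+\]->" + IPV4 + r"\[\d+\]")


def _new_peer():
    return {"phase1_started": 0, "phase1_timeouts": 0, "phase2_waiting": 0,
            "retransmits": 0, "isakmp_up": 0, "ipsec_up": 0, "local": set()}


def summarize(log_text):
    """Return {peer_ip: counters}; 'local' records which local address
    racoon negotiated on (compare it with the CARP VIP you expect)."""
    stats = defaultdict(_new_peer)
    pending = []  # peers with a phase 1 in progress, oldest first
    for line in log_text.splitlines():
        m = RE_PH1_START.search(line)
        if m:
            local, peer = m.groups()
            stats[peer]["phase1_started"] += 1
            stats[peer]["local"].add(local)
            pending.append(peer)
            continue
        m = RE_RETRANS.search(line)
        if m:
            stats[m.group(1)]["retransmits"] += 1
            continue
        if RE_PH1_FAIL.search(line):
            # Only cookies are logged here: attribute to the oldest
            # unresolved phase 1 (FIFO heuristic, stated in the lead-in).
            peer = pending.pop(0) if pending else "unknown"
            stats[peer]["phase1_timeouts"] += 1
            continue
        m = RE_PEER_ERR.search(line)
        if m and "waiting for phase1" in m.group(2):
            stats[m.group(1)]["phase2_waiting"] += 1
            continue
        m = RE_ISAKMP_OK.search(line)
        if m:
            local, peer = m.groups()
            stats[peer]["isakmp_up"] += 1
            stats[peer]["local"].add(local)
            if peer in pending:
                pending.remove(peer)
            continue
        m = RE_IPSEC_OK.search(line)
        if m:
            a, b = m.groups()
            peer = a if a in stats else b  # whichever side we already know
            stats[peer]["ipsec_up"] += 1
    return dict(stats)


def classify(summary):
    """Label each peer from its counters."""
    verdict = {}
    for peer, s in summary.items():
        if s["isakmp_up"] and not s["phase1_timeouts"]:
            verdict[peer] = "up"
        elif s["isakmp_up"]:
            verdict[peer] = "flapping"
        elif s["phase1_timeouts"] or s["retransmits"]:
            verdict[peer] = "phase1-never-completes"
        else:
            verdict[peer] = "no-activity"
    return verdict


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for peer, label in sorted(classify(summary).items()):
        s = summary[peer]
        print(f"{peer:15} {label:22} retrans={s['retransmits']} "
              f"ph1_timeouts={s['phase1_timeouts']} local={sorted(s['local'])}")
```

Feed it the racoon portion of the IPsec log instead of `SAMPLE_LOG` to get the per-site table the post builds by hand. The `local` field is the check worth doing on a CARP setup: if the address racoon negotiated on for the working peers is the physical WAN address rather than the CARP VIP the remotes are pointed at, the listener is the place to look. On FreeBSD, `sockstat -4 -l` shows which address racoon has UDP/500 bound to, and racoon.conf's `listen { isakmp ...; }` block is where that address is set.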



  • BUMP: discovered the source of the issue

    However, I cannot get a CARP failover working with IPsec as a result of this "issue".

