IPSec Mobile Client, 2nd time connecting, no net connectivity.
-
Good afternoon all. First off, yeah yeah I know - I should be using OpenVPN. But hey, these are devices that only have an IPSec VPN client built into them - so I have no choice but to use IPSec. ;)
OK, so this device is an IP phone with the VPN client built in. It establishes the tunnel and everything works properly. Now, let's say I pull the power on the phone, or I have an internet hiccup (nooooo, that almost never happens). All future attempts to connect to the VPN server on PFSense act as if they're fine, but there is no network connectivity. From the logs it looks like the phone isn't responding to a request the firewall put out right at Phase 2. However, what ALWAYS fixes it is rebooting the firewall - I just tested, and stopping/starting the IPSec service fixes it too. Once that happens, I'm good for 1 more connection attempt (and it works) - any loss of that session and I'm screwed until I bounce the service or firewall again. I've tried using DPD, and made it extremely sensitive (no response in 10 seconds, 2 attempts before drop) - no effect - I've also tried disabling it. :(
To do some additional experimentation, I lowered the key lifetime for both phases to 60 seconds. Turns out, on the good connection, once it expires, it can't refresh. My good connection was dropped with several of the following errors:
Sep 5 18:29:36 racoon: ERROR: failed to begin ipsec sa negotication.
Sep 5 18:29:36 racoon: ERROR: no configuration found for 174.103.158.42 (my IP phone's public address).
So, I then made the Phase 1 lifetime 28800 (leaving P2 at 60 seconds). Now the connection lasts longer than 60 seconds, but the original problem still exists (bouncing the peer makes it think it connected, but with no passing of data).
Attached are logs of both a good connection and a failed repeat connection.
Anyone have any thoughts? We've been anxiously awaiting the release of PFSense 2.0, specifically for this need (it supports XAUTH and MODE CONFIG, which I haven't found in any other decent firewall software - are there any other decent ones? I think not). ;)
I'm leaning towards this being a bug, but am not exactly sure how to go about reporting it, and what data is needed, as I'm relatively new to both the forum and the product.
Thx.
![VPN - Good Connection.jpg](/public/imported_attachments/1/VPN - Good Connection.jpg)
![VPN - Failed Connection.jpg](/public/imported_attachments/1/VPN - Failed Connection.jpg) -
What is your ipsec Policy generation setting?
Does it work if you set it to unique? -
@ermal:
> What is your ipsec Policy generation setting?
> Does it work if you set it to unique?

It was on DEFAULT. I've now switched it to Unique and will test. What would that setting be for? And if it would normally be Unique, wouldn't that be the default? ;)
As a side note, I've also noticed that when that mobile connection is in use, the status shows disconnected. Not sure if it's supposed to indicate that someone is using the mobile VPN policy or not, but thought I'd pass that along.
Thx.
-
OK, I've tested (as best I can remotely - I've bounced the phone several times). The phone tunnels right back in. Seems to be working great. You're AWESOME!!!!!
So, now I am even more curious about the nature of that setting.
Thx.
-
So, can someone shed some light on that setting - what's its value? (I would think you'd always want Unique - thus I would have expected that to be the default.)
Thx.
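An added example, not part of the thread and not the config pfSense itself generates, showing where the "Policy generation" setting ends up on the racoon side. It assumes pfSense 2.0 writes the mobile-client block to /var/etc/racoon.conf and that the GUI setting maps onto racoon's `generate_policy` keyword; the exchange mode, proposal and the exact keyword the GUI's "Default" choice emits are placeholders/assumptions, and the reason the reconnect fails under Default is not established anywhere in the thread.

```conf
# /var/etc/racoon.conf (assumed path) - mobile client block, illustrative only.
# "anonymous" matches any peer address, so every road-warrior phone negotiates
# against this single remote block rather than a per-peer one.
remote anonymous {
        exchange_mode aggressive;          # assumption; pfSense mobile clients commonly use aggressive mode
        proposal_check obey;               # assumption; let the responder accept the client's proposal

        # With the GUI left on "Default", racoon uses one generated policy for the
        # client and reuses it; the exact keyword pfSense emits for "Default" is not
        # known from the thread, so it is shown here only as a comment:
        #   generate_policy on;
        #
        # "Unique" (the setting that fixed the reconnect in this thread) corresponds to
        # racoon's unique mode: each negotiation gets its own generated SPD entry with
        # its own reqid instead of reusing the one installed by the previous session.
        generate_policy unique;

        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method xauth_psk_server;
                dh_group 2;
        }
}

# Check after a phone drops and reconnects (run on the firewall):
#   setkey -DP    # lists the generated SPD policies; with "unique" you should see a
#                 # fresh entry for the new session rather than the stale one being reused
#   setkey -D     # lists the current SAs, so you can confirm the new SA pairs with
#                 # that policy and that traffic counters move once the tunnel is up
```

The two `setkey` calls are the quickest way to tell "tunnel reports up but passes nothing" from a real tunnel: if the SA exists but no SPD entry matches it, the kernel has nowhere to route the client's traffic, which is the symptom described in the first post.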