Netgate Discussion Forum

IPSec problem

Forum category: IPv6. 4 posts, 2 posters.
    MageMinds, Sep 10, 2011, 12:44 PM (last edited Sep 10, 2011, 2:43 PM)

    I run the sept9 NanoBSD 2g image.

    My IPsec tunnels (IPv4) don't work until I kill racoon from the WebGUI and start it manually over ssh with the following command: racoon -d -v -f /var/etc/racoon.conf

    Also, the ntpd service doesn't start.

    Thanks for that dev release. I can post any test you'd like to help you narrow down the IPsec problem and the ntpd service not starting, too.

    I now have an IPv6 tunnel working with full assisted DHCPv6. Before, I had a tunnel through a Linux box I had running in a VM on a server (not ideal), but I was never able to make DHCPv6 serve my DNS server's IPv6 address... Now with pfSense 2.1-DEV I score 10/10 on the ipv6-test!

    databeestje, Sep 10, 2011, 4:22 PM

      racoon should really just work. Not sure what's wrong.

        MageMinds, Sep 12, 2011, 12:16 PM

        I'll try to reboot after work and post logs of the problem. Is there any command you'd like me to execute to get the state of racoon when the problem occurs?

        I'm using a config file that was done from scratch using 2.0-Beta when it came out.

        MageMinds

          MageMinds, Sep 13, 2011, 1:48 PM

          Here is the log of racoon not working (newest entries first)...

          Sep 13 09:00:29 racoon: [VPN1]: [205.xx.xx.115] ERROR: can't start the quick mode, there is no ISAKMP-SA, a5ae34896d5cf232:2e28fa92fa0948f8:000086d1
          Sep 13 09:00:16 racoon: ERROR: failed to start post getspi.
          Sep 13 09:00:16 racoon: ERROR: encryption 7 failed.
          Sep 13 09:00:16 racoon: ERROR: OpenSSL function failed
          Sep 13 09:00:16 racoon: [VPN2]: INFO: initiate new phase 2 negotiation: 24.xx.xx.7[500]<=>24.xx.xx.69[500]
          Sep 13 09:00:16 racoon: [VPN2]: INFO: ISAKMP-SA established 24.xx.xx.7[500]-24.xx.xx.69[500] spi:ab349cae70c29beb:47be8288014e0c1b
          Sep 13 09:00:16 racoon: ERROR: encryption 7 failed.
          Sep 13 09:00:16 racoon: ERROR: OpenSSL function failed
          Sep 13 09:00:16 racoon: [VPN2]: [24.xx.xx.69] NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
          Sep 13 09:00:15 racoon: INFO: begin Aggressive mode.
          Sep 13 09:00:15 racoon: [VPN2]: INFO: initiate new phase 1 negotiation: 24.xx.xx.7[500]<=>24.xx.xx.69[500]
          Sep 13 09:00:15 racoon: [VPN2]: INFO: IPsec-SA request for 24.xx.xx.69 queued due to no phase1 found.
          Sep 13 09:00:12 racoon: ERROR: such policy already exists. anyway replace it: 10.69.7.0/24[0] 10.77.2.0/24[0] proto=any dir=in
          Sep 13 09:00:12 racoon: ERROR: such policy already exists. anyway replace it: 10.77.2.0/24[0] 10.69.7.0/24[0] proto=any dir=out
          Sep 13 09:00:12 racoon: ERROR: such policy already exists. anyway replace it: 10.9.143.0/24[0] 10.77.2.0/24[0] proto=any dir=in
          Sep 13 09:00:12 racoon: ERROR: such policy already exists. anyway replace it: 10.77.2.0/24[0] 10.9.143.0/24[0] proto=any dir=out
          Sep 13 09:00:12 racoon: ERROR: such policy already exists. anyway replace it: 10.0.0.0/24[0] 10.77.2.0/24[0] proto=any dir=in
          Sep 13 09:00:12 racoon: ERROR: such policy already exists. anyway replace it: 10.77.2.0/24[0] 10.0.0.0/24[0] proto=any dir=out
          Sep 13 09:00:12 racoon: ERROR: such policy already exists. anyway replace it: 2001:470:xx:dcb::/64[0] 2001:470:xx:dcb::1/128[0] proto=any dir=in
          Sep 13 09:00:12 racoon: ERROR: such policy already exists. anyway replace it: 2001:470:xx:dcb::1/128[0] 2001:470:xx:dcb::/64[0] proto=any dir=out
          Sep 13 09:00:12 racoon: ERROR: such policy already exists. anyway replace it: 10.77.2.0/24[0] 10.77.2.1/32[0] proto=any dir=in
          Sep 13 09:00:12 racoon: ERROR: such policy already exists. anyway replace it: 10.77.2.1/32[0] 10.77.2.0/24[0] proto=any dir=out
          Sep 13 09:00:12 racoon: INFO: unsupported PF_KEY message REGISTER
          Sep 13 09:00:12 racoon: [Self]: INFO: 24.xx.xx.7[500] used as isakmp port (fd=15)
          Sep 13 09:00:12 racoon: [Self]: INFO: 24.xx.xx.7[500] used for NAT-T
          Sep 13 09:00:12 racoon: [Self]: INFO: 24.xx.xx.7[4500] used as isakmp port (fd=14)
          Sep 13 09:00:12 racoon: [Self]: INFO: 24.xx.xx.7[4500] used for NAT-T
          Sep 13 09:00:12 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
          Sep 13 09:00:12 racoon: INFO: @(#)This product linked OpenSSL 0.9.8n 24 Mar 2010 (http://www.openssl.org/)
          Sep 13 09:00:12 racoon: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
          Sep 13 09:00:06 racoon: INFO: racoon process 25694 shutdown
          Sep 13 09:00:06 racoon: ERROR: encryption 7 failed.
          Sep 13 09:00:06 racoon: ERROR: OpenSSL function failed
          Sep 13 09:00:06 racoon: INFO: caught signal 15
          Sep 13 09:00:04 racoon: ERROR: failed to start post getspi.
          Sep 13 09:00:04 racoon: ERROR: encryption 7 failed.
          Sep 13 09:00:04 racoon: ERROR: OpenSSL function failed
          Sep 13 09:00:04 racoon: [VPN2]: INFO: initiate new phase 2 negotiation: 24.xx.xx.7[500]<=>24.xx.xx.69[500]

          Here is the result of ps:

          # ps -A|grep racoon
          28441  ??  Ss     0:00.02 /usr/local/sbin/racoon -f /var/etc/racoon.conf
          29993   0  R+     0:00.00 grep racoon
          

          When I use the exact same command from an ssh shell it works.

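The log excerpt in the last post is printed newest-first, which makes the sequence hard to follow: read chronologically, VPN2 completes phase 1 in Aggressive mode, then the quick-mode attempt dies on "OpenSSL function failed" / "encryption 7 failed" before "failed to start post getspi", and VPN1 later has no ISAKMP-SA to start quick mode with. The script below is an added example, not code from the post, from pfSense or from ipsec-tools. It parses racoon's "timestamp racoon: [tag]: [peer] LEVEL: message" layout, restores chronological order, attributes untagged error lines to the tunnel most recently named (a heuristic assumption, not something racoon guarantees), decodes the number in "encryption N failed" with the IANA IKEv1 encryption-algorithm transform values (7 is AES-CBC), and prints a per-tunnel summary. The SAMPLE lines are a constructed subset of the excerpt above.

```python
"""Triage helper for racoon (ipsec-tools) log lines as posted above.

Added example, not code from the post, pfSense or ipsec-tools. Untagged
lines are attributed to the most recently named tunnel (assumption).
"""
import re

# IANA "IPSEC ISAKMP Encryption Algorithm" transform attribute values (IKEv1).
IKEV1_ENC_ALG = {1: "DES-CBC", 2: "IDEA-CBC", 3: "Blowfish-CBC",
                 4: "RC5-R16-B64-CBC", 5: "3DES-CBC", 6: "CAST-CBC",
                 7: "AES-CBC", 8: "CAMELLIA-CBC"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d)\s+racoon: "
    r"(?:\[(?P<tag>[^\]]+)\]: )?"          # pfSense phase-1 description, or Self
    r"(?:\[(?P<peer>[^\]]+)\] )?"          # remote address, when racoon logs it
    r"(?P<level>INFO|NOTIFY|WARNING|ERROR|DEBUG): (?P<msg>.*)$")
ENC_FAIL_RE = re.compile(r"^encryption (\d+) failed\.?$")


def parse(lines):
    """One dict per line matching racoon's log layout; other lines are skipped."""
    return [m.groupdict() for m in (LINE_RE.match(l.strip()) for l in lines) if m]


def chronological(events):
    """Flip a newest-first excerpt; timestamp strings sort correctly within a month."""
    if len(events) > 1 and events[0]["ts"] > events[-1]["ts"]:
        return list(reversed(events))
    return list(events)


def triage(lines):
    """Summarise, per tunnel tag, what racoon managed and where it failed."""
    tunnels, last_tag = {}, None
    for ev in chronological(parse(lines)):
        if ev["tag"] == "Self":      # racoon's own listener lines, not a tunnel
            continue
        if ev["tag"]:
            last_tag = ev["tag"]
        if last_tag is None:         # daemon start-up lines before any tunnel
            continue
        t = tunnels.setdefault(last_tag, {
            "phase1_established": False, "aggressive_mode": False,
            "phase2_initiated": False, "phase2_failed": False,
            "no_isakmp_sa": False, "openssl_errors": 0, "crypto_failures": []})
        msg = ev["msg"]
        if msg.startswith("ISAKMP-SA established"):
            t["phase1_established"] = True
        elif msg.startswith("begin Aggressive mode"):
            t["aggressive_mode"] = True
        elif msg.startswith("initiate new phase 2 negotiation"):
            t["phase2_initiated"] = True
        elif msg.startswith("failed to start post getspi"):
            t["phase2_failed"] = True
        elif msg.startswith("can't start the quick mode, there is no ISAKMP-SA"):
            t["no_isakmp_sa"] = True
        elif msg.startswith("OpenSSL function failed"):
            t["openssl_errors"] += 1
        else:
            m = ENC_FAIL_RE.match(msg)
            if m:
                num = int(m.group(1))
                t["crypto_failures"].append(IKEV1_ENC_ALG.get(num, "unknown(%d)" % num))
    return tunnels


def report(tunnels):
    """One human-readable line per tunnel, sorted by tag."""
    out = []
    for tag, t in sorted(tunnels.items()):
        parts = []
        if t["phase1_established"]:
            mode = ("Aggressive mode: PSK hash crosses the wire unencrypted, "
                    "offline-crackable from a capture") if t["aggressive_mode"] else "Main mode"
            parts.append("phase 1 established (%s)" % mode)
        if t["no_isakmp_sa"]:
            parts.append("quick mode attempted with no ISAKMP-SA")
        if t["phase2_failed"]:
            algs = ", ".join(sorted(set(t["crypto_failures"]))) or "?"
            parts.append("phase 2 failed; %d OpenSSL failure(s) for %s" % (t["openssl_errors"], algs))
        out.append("%s: %s" % (tag, "; ".join(parts) or "no conclusive events"))
    return out


# Constructed subset of the excerpt above, in the newest-first order it was posted.
SAMPLE = """\
Sep 13 09:00:29 racoon: [VPN1]: [205.xx.xx.115] ERROR: can't start the quick mode, there is no ISAKMP-SA, a5ae34896d5cf232:2e28fa92fa0948f8:000086d1
Sep 13 09:00:16 racoon: ERROR: failed to start post getspi.
Sep 13 09:00:16 racoon: ERROR: encryption 7 failed.
Sep 13 09:00:16 racoon: ERROR: OpenSSL function failed
Sep 13 09:00:16 racoon: [VPN2]: INFO: initiate new phase 2 negotiation: 24.xx.xx.7[500]<=>24.xx.xx.69[500]
Sep 13 09:00:16 racoon: [VPN2]: INFO: ISAKMP-SA established 24.xx.xx.7[500]-24.xx.xx.69[500] spi:ab349cae70c29beb:47be8288014e0c1b
Sep 13 09:00:16 racoon: ERROR: encryption 7 failed.
Sep 13 09:00:16 racoon: ERROR: OpenSSL function failed
Sep 13 09:00:16 racoon: [VPN2]: [24.xx.xx.69] NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Sep 13 09:00:15 racoon: INFO: begin Aggressive mode.
Sep 13 09:00:15 racoon: [VPN2]: INFO: initiate new phase 1 negotiation: 24.xx.xx.7[500]<=>24.xx.xx.69[500]
Sep 13 09:00:12 racoon: [Self]: INFO: 24.xx.xx.7[500] used as isakmp port (fd=15)
Sep 13 09:00:12 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
"""

if __name__ == "__main__":
    for line in report(triage(SAMPLE.splitlines())):
        print(line)
```

Run as-is it summarises the embedded sample; feed it the lines from your own IPsec log viewer to triage a longer capture. The Aggressive-mode flag is there on purpose: with pre-shared keys the phase 1 authentication hash is exchanged before encryption starts, so anyone with a packet capture can attack the PSK offline against a wordlist, which is worth knowing whenever a log shows "begin Aggressive mode" alongside a "pskey" lookup.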