pfSense 2.0 IPsec won't route until racoon is restarted

IPsec
srit:

From time to time, my IPsec RoadWarrior VPN tunnel will not route from the VPN to the internal network until the racoon service is restarted. The only thing the IPsec log shows is:

    Nov 1 12:23:28 racoon: ERROR: failed to begin ipsec sa negotication.
    Nov 1 12:23:28 racoon: ERROR: no configuration found for x.x.x.x.
    Nov 1 12:23:06 racoon: ERROR: failed to begin ipsec sa negotication.
    Nov 1 12:23:06 racoon: ERROR: no configuration found for x.x.x.x.

I am using Shrewsoft as the VPN client.
Once racoon is restarted all is well again... for a while. I have no exact time frame for when it breaks.

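The two racoon errors quoted in the post above are the only symptom visible in the log, so they are the natural thing for a defender to watch for. The following Python checker is an added example (not from this thread, from pfSense or from ipsec-tools); it parses lines in the syslog format quoted above, counts "no configuration found" errors per peer, and reports peers whose repeat count reaches a threshold, which is the point at which an operator would go and restart racoon. The log lines, the peer addresses and the `threshold` parameter are constructed for the example; the misspelling "negotication" is kept because that is how racoon itself spells the message.

```python
"""Spot racoon's 'no configuration found' failure pattern in IPsec log lines.

Added example: the line format is modelled on the lines quoted in the post;
the sample log, peer addresses and threshold below are constructed.
"""
import re
from collections import Counter

# Syslog prefix racoon uses, as quoted in the post:
# "<Mon> <day> <hh:mm:ss> racoon: <LEVEL>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) racoon: "
    r"(?P<level>[A-Z]+): (?P<msg>.*)$"
)

# Peer address out of "no configuration found for x.x.x.x." (trailing dot optional).
# The address group is "dot-separated tokens", so it also takes an IPv6 literal.
PEER_RE = re.compile(
    r"no configuration found for (?P<peer>[^\s.]+(?:\.[^\s.]+)*)\.?$"
)


def parse_line(line):
    """Return {'ts', 'level', 'msg', 'peer'} for a racoon line, else None.

    'peer' is filled only for the "no configuration found" message.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    pm = PEER_RE.search(rec["msg"])
    rec["peer"] = pm.group("peer") if pm else None
    return rec


def find_stuck_peers(lines, threshold=2):
    """Count 'no configuration found' ERRORs per peer.

    Returns {peer: count} for every peer whose count is at or above
    `threshold`; an empty dict means nothing looks wedged.
    """
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["level"] == "ERROR" and rec["peer"]:
            counts[rec["peer"]] += 1
    return {peer: n for peer, n in counts.items() if n >= threshold}


# Constructed sample, shaped like the post's log excerpt (203.0.113.0/24 is a
# documentation range). The INFO line shows that unrelated lines are ignored.
SAMPLE_LOG = """\
Nov 1 12:23:06 racoon: ERROR: no configuration found for 203.0.113.10.
Nov 1 12:23:06 racoon: ERROR: failed to begin ipsec sa negotication.
Nov 1 12:23:28 racoon: ERROR: no configuration found for 203.0.113.10.
Nov 1 12:23:28 racoon: ERROR: failed to begin ipsec sa negotication.
Nov 1 12:24:01 racoon: INFO: ISAKMP-SA established 198.51.100.1[500]-203.0.113.11[500]
"""

if __name__ == "__main__":
    stuck = find_stuck_peers(SAMPLE_LOG.splitlines(), threshold=2)
    for peer, n in stuck.items():
        print(f"peer {peer}: {n} 'no configuration found' errors; "
              f"racoon may need a restart")
```

Fed the tail of the IPsec log from a cron job, `find_stuck_peers` gives a restart trigger that is tied to the specific failure rather than to a blanket periodic restart, and the per-peer count keeps a single mistyped client address from tripping it.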
podilarius:

What other packages do you have installed and running?

Are you using version 2.0?

binkt:

Yes, this is the same behavior that I am experiencing too, with the same setup. My MTU in Shrewsoft was set to 1280, which may have been too small. I noticed in the Shrewsoft VPN trace utility that under the IPsec service tab, the last SPI packet recv'd was 1288 bytes long, and after that there was no more routing. I changed the MTU back to 1380 and things have been OK so far, but I have yet to connect from another client. I'll try that now.

srit:

Yes, I am using version 2.0. The packages I have installed are:
- country block
- open-vm-tools
- siproxd
- snort

limecat:

I believe this may be the same issue I am having. Can you force this issue to occur, and if so, how?

For me, the two sure-fire triggers I have seen are:
* Connecting, even once, with a Cisco VPN client, and then disconnecting (after which no one can connect)
* Connecting with e.g. ShrewSoft, and then having the connected computer go into standby / hibernate

Please let me know; I'd love to see this fixed, and it looks like racoon has several issues going around. It would probably help the devs if we can isolate which issues are related and which are not.

dhatz:

You might also want to check http://ipsec-tools.sourceforge.net/ for similar reports.

E.g. discussion and proposed patch at http://sourceforge.net/mailarchive/forum.php?thread_name=20111026130911.GA26984%40zeninc.net&forum_name=ipsec-tools-devel

srit:

limecat, I cannot verify that it happens with a Cisco VPN client. But when I tried putting the computer to sleep while the VPN connection was live with Shrewsoft (as you mentioned), Snort raised an alert and blocked me. Once I released the block, Shrewsoft connected and routed with no problem. So I cannot force the issue to re-occur; it is random as far as I can tell.

On another note, I would like to thank everyone who has taken the time to respond to my post.

srit:

dhatz, I read through the link you posted. Correct me if I am wrong, but they are talking about creating new tunnels. My issue is not the tunnel creation; it is the routing after the tunnel is already up.

podilarius:

Try turning off Snort. I had to disable Snort on my firewall because it was doing the same thing. Of course, with mine, I have only a single-core proc, and under full bandwidth (50 Mbit+) the CPU would go to 100% and start killing other procs. Turns out it was packet processing through Snort that was killing IPsec.

srit:

I tried that already; it didn't change anything.

borsoock:

I can confirm I've got the same problem with mobile clients using ShrewSoft on 2 routers in different locations (ver 2.0 final, no additional packages are installed).

It's most likely: http://redmine.pfsense.org/issues/1351

tubular031:

Just had this same issue, and it seems to be better by going to IPsec - Phase 1 of the mobile client and setting policy generation to "unique" and proposal checking to "obey".

http://forum.pfsense.org/index.php/topic,34646.msg197636.html#msg197636

Worked for me.

regis:

Same problem here with mobile clients using ShrewSoft on ver 2.0 final nanobsd, no additional packages installed.

The tunnel works well once; then the tunnel establishes but nothing flows through it. I need to restart racoon to get it working again.
