Pfsense 2.0 IPSEC wont route until RACOON is restarted



  • From time to time, my IPSEC RoadWarrior VPN tunnel will not route from the VPN to the internal network until the RACOON service is restarted. The only thing the IPSEC log shows is:
    Nov 1 12:23:28 racoon: ERROR: failed to begin ipsec sa negotication. Nov 1 12:23:28 racoon: ERROR: no configuration found for x.x.x.x. Nov 1 12:23:06 racoon: ERROR: failed to begin ipsec sa negotication. Nov 1 12:23:06 racoon: ERROR: no configuration found for x.x.x.x.
    I am using Shrewsoft as the VPN client.
    Once RACOON is restarted all is well again…for a while, i have no exact time frame for when it breaks.



  • What other packages do you have installed and running?

    Are you using version 2.0?



  • Yes, this is the same behavior that I am experiencing too, with the same setup. My MTU in shrewsoft was set to 1280 which may have been too small. I noticed in the shrewsoft VPN trace utility that under the IPSEC service tab, the last SPI packet recv'd was 1288 bytes long, and after that there was no more routing. I changed the MTU back to 1380 and things have been OK so far, but I have yet to connect from another client. I'll try that now.



  • yes i am using version 2.0. the packages i have installed are:
    country block
    open-vm-tools
    siproxd
    snort



  • I believe this may be the same issue I am having.  Can you force this issue to occur, and if so, how?

    For me, the two sure-fire triggers I have seen are:
    *Connecting, even once, with a Cisco VPN client, and then disconnecting (after which noone can connect)
    *Connecting with eg ShrewSoft, and then having the connected computer go into standby / hibernate

    Please let me know, Id love to see this fixed and it looks like racoon has several issues going around.  It would probably help the devs if we can isolate which issues are related and which are not.





  • limecat, i cannot verify that it happens with a cisco vpn client. but when i tried putting the computer to sleep while the vpn connection was live with shrewsoft (as you mentioned,) Snort raised an alert and blocked me. once i released the block, shrewsoft connected and routed with no problem. so i cannot force the issue to re-occur. it is random as far as i can tell.

    on another note, i would like to thank everyone who has taken the time to respond to my post.



  • dhatz, i read through the link you posted. correct me if i am wrong, but they are talking about creating new tunnels. my issue is not the tunnel creation, it is the routing after the tunnel is already up.



  • try turning off snort. I had to disable snort on my firewall because it was doing the same thing. Course with mine, I have only a single core proc and under full bandwidth (50mbit+) the CPU would go to 100% and start killing other procs. Turns out is was packet processing through snort that was killing ipsec.



  • i tried that already, it didn't change anything.



  • I can confirm I've got same problem with mobile Clients using ShrewSoft on 2 routers in different locations (ver 2.0 final, No additional packages are installed.) :

    Its most likely: http://redmine.pfsense.org/issues/1351



  • Just had this same issue and it seems to be better by going to ipsec - phase1 of moble client - policy generation set to unique and propsal checking set to obey

    http://forum.pfsense.org/index.php/topic,34646.msg197636.html#msg197636

    Worked for me.



  • same problem here with mobile Clients using ShrewSoft on ver 2.0 final nanobsd, no additional packages installed

    tunnel works well once then the tunnel establishes but nothing flows through it;  i need to restart racoon to get it working again


Log in to reply