IPsec tunnels died and don't come up anymore

    Hi all,
    I have a pretty strange problem: I have 1 office with 4 branches connected via IPsec.
    All locations run the same pfSense 1.2.3; the only difference is that "Office" runs on a Dell PowerEdge R210 server and all the branches on a simple IBM P4 desktop.
    Configuration on both sides is the same.
    After working well for a pretty long time, all of a sudden all pfSense boxes stopped talking with each other, and there is no way to get them back. The weird thing is that from my home I can still connect via IPsec to all of them, but there I use m0n0wall.
    Here is the log from the OFFICE side when I send a ping via the LAN side:

    Feb 6 21:51:38 racoon: ERROR: HASH mismatched
    Feb 6 21:51:38 racoon: WARNING: No ID match.
    Feb 6 21:51:38 racoon: INFO: received Vendor ID: DPD
    Feb 6 21:51:38 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Feb 6 21:51:38 racoon: ERROR: HASH mismatched
    Feb 6 21:51:38 racoon: WARNING: No ID match.
    Feb 6 21:51:38 racoon: INFO: received Vendor ID: DPD
    Feb 6 21:51:38 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Feb 6 21:51:28 racoon: ERROR: HASH mismatched
    Feb 6 21:51:28 racoon: WARNING: No ID match.
    Feb 6 21:51:28 racoon: INFO: received Vendor ID: DPD
    Feb 6 21:51:28 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Feb 6 21:51:28 racoon: ERROR: HASH mismatched
    Feb 6 21:51:28 racoon: WARNING: No ID match.
    Feb 6 21:51:28 racoon: INFO: received Vendor ID: DPD
    Feb 6 21:51:28 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Feb 6 21:51:18 racoon: ERROR: HASH mismatched
    Feb 6 21:51:18 racoon: WARNING: No ID match.
    Feb 6 21:51:18 racoon: INFO: received Vendor ID: DPD
    Feb 6 21:51:18 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Feb 6 21:51:18 racoon: INFO: begin Aggressive mode.
    Feb 6 21:51:18 racoon: [NAME BRANCH]: INFO: initiate new phase 1 negotiation: 1xx.xx.xx.xx[500]<=>2xx.xx.xx.xx[500]
    Feb 6 21:51:18 racoon: [NAME BRANCH]: INFO: IPsec-SA request for 2xx.xx.xx.xx queued due to no phase1 found.

    And here the log on the BRANCH side:
    Feb 6 21:52:08 racoon: ERROR: phase1 negotiation failed due to time up. 585c756a76df580f:dd4d18b48e8db9fc
    Feb 6 21:51:58 racoon: ERROR: ignore information because ISAKMP-SAhas not been established yet.
    Feb 6 21:51:58 racoon: ERROR: ignore information because ISAKMP-SAhas not been established yet.
    Feb 6 21:51:58 racoon: [Porto Novo Vila Velha VPN]: NOTIFY: the packet is retransmitted by 1xx.xx.xx.xx[[500] (1).
    Feb 6 21:51:48 racoon: ERROR: ignore information because ISAKMP-SAhas not been established yet.
    Feb 6 21:51:48 racoon: ERROR: ignore information because ISAKMP-SAhas not been established yet.
    Feb 6 21:51:48 racoon: [Porto Novo Vila Velha VPN]: NOTIFY: the packet is retransmitted by 1xx.xx.xx.xx[[500] (1).
    Feb 6 21:51:38 racoon: ERROR: ignore information because ISAKMP-SAhas not been established yet.
    Feb 6 21:51:38 racoon: ERROR: ignore information because ISAKMP-SAhas not been established yet.
    Feb 6 21:51:38 racoon: [NAME BRANCH VPN]: NOTIFY: the packet is retransmitted by 1xx.xx.xx.xx[500] (1).
    Feb 6 21:51:28 racoon: ERROR: ignore information because ISAKMP-SAhas not been established yet.
    Feb 6 21:51:28 racoon: ERROR: ignore information because ISAKMP-SAhas not been established yet.
    Feb 6 21:51:28 racoon: [NAME BRANCH VPN]: NOTIFY: the packet is retransmitted by 1xx.xx.xx.xx[500] (1).
    Feb 6 21:51:18 racoon: ERROR: ignore information because ISAKMP-SAhas not been established yet.
    Feb 6 21:51:18 racoon: WARNING: No ID match.
    Feb 6 21:51:18 racoon: INFO: received Vendor ID: DPD
    Feb 6 21:51:18 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Feb 6 21:51:18 racoon: INFO: begin Aggressive mode.
    Feb 6 21:51:18 racoon: [NAME BRANCH VPN]: INFO: respond new phase 1 negotiation: 2xx.xx.xx.xx[500]<=>1xx.xx.xx.xx[500]

    Of course I saved the tunnels and passphrases again on both sides; all is correct in the config.
    As said, via my m0n0wall box I can connect to both, but OFFICE can't connect to BRANCH anymore and vice versa.
    As also said, the tunnel was working correctly for a while, and nobody else but me has access to the boxes.

    Does anyone have an idea? I will soon upgrade all to 2.0.1, but would like to resolve this first.

    Thanx in advance!
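The two logs above show a classic phase 1 failure pattern: the initiator (OFFICE) logs "HASH mismatched" and "No ID match" right after "begin Aggressive mode", while the responder (BRANCH) only sees retransmits, "ISAKMP-SA has not been established yet" and finally "phase1 negotiation failed due to time up". In racoon, a HASH mismatch during pre-shared-key authentication generally means the two sides computed the phase 1 hash over different secrets or identifiers, so it is worth checking before touching phase 2. The following classifier is an added example and is not code from the original post or from pfSense/racoon; it tags each racoon log line with a coarse signal and turns the per-side counts into a verdict. The message-to-signal table and the verdict names in diagnose() are assumptions chosen for this example; the sample lines are excerpted from the logs quoted in the post, with the IPs masked as there.

```python
"""Classify racoon (ipsec-tools, as used by pfSense 1.2.x) IKE phase 1 log lines.

Added example, not code from the post or from pfSense/racoon. The SIGNALS
table and the verdict strings returned by diagnose() are assumptions made
for this example.
"""
import re
from collections import Counter

# Excerpt of the OFFICE-side (initiator) log quoted in the post.
OFFICE_LOG = """\
Feb 6 21:51:38 racoon: ERROR: HASH mismatched
Feb 6 21:51:38 racoon: WARNING: No ID match.
Feb 6 21:51:38 racoon: INFO: received Vendor ID: DPD
Feb 6 21:51:38 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Feb 6 21:51:18 racoon: ERROR: HASH mismatched
Feb 6 21:51:18 racoon: WARNING: No ID match.
Feb 6 21:51:18 racoon: INFO: begin Aggressive mode.
Feb 6 21:51:18 racoon: [NAME BRANCH]: INFO: initiate new phase 1 negotiation: 1xx.xx.xx.xx[500]<=>2xx.xx.xx.xx[500]
Feb 6 21:51:18 racoon: [NAME BRANCH]: INFO: IPsec-SA request for 2xx.xx.xx.xx queued due to no phase1 found.
"""

# Excerpt of the BRANCH-side (responder) log quoted in the post.
BRANCH_LOG = """\
Feb 6 21:52:08 racoon: ERROR: phase1 negotiation failed due to time up. 585c756a76df580f:dd4d18b48e8db9fc
Feb 6 21:51:58 racoon: ERROR: ignore information because ISAKMP-SAhas not been established yet.
Feb 6 21:51:58 racoon: [NAME BRANCH VPN]: NOTIFY: the packet is retransmitted by 1xx.xx.xx.xx[500] (1).
Feb 6 21:51:18 racoon: ERROR: ignore information because ISAKMP-SAhas not been established yet.
Feb 6 21:51:18 racoon: WARNING: No ID match.
Feb 6 21:51:18 racoon: INFO: begin Aggressive mode.
Feb 6 21:51:18 racoon: [NAME BRANCH VPN]: INFO: respond new phase 1 negotiation: 2xx.xx.xx.xx[500]<=>1xx.xx.xx.xx[500]
"""

# "<Mon> <day> <hh:mm:ss> racoon: [optional tunnel name]: <LEVEL>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) racoon: "
    r"(?:\[(?P<tunnel>[^\]]*)\]: )?"
    r"(?P<level>ERROR|WARNING|INFO|NOTIFY): (?P<msg>.*)$"
)

# Substring of the racoon message -> coarse signal name (assumed mapping).
# First match wins, so more specific texts come first.
SIGNALS = (
    ("HASH mismatched", "hash_mismatch"),          # peer's HASH payload did not verify
    ("No ID match", "id_mismatch"),                # ID payload matched no configured peer identifier
    ("phase1 negotiation failed due to time up", "phase1_timeout"),
    ("ISAKMP-SAhas not been established", "no_isakmp_sa"),
    ("packet is retransmitted", "retransmit"),
    ("begin Aggressive mode", "aggressive_mode"),
    ("initiate new phase 1 negotiation", "phase1_initiate"),
    ("respond new phase 1 negotiation", "phase1_respond"),
)


def parse_line(line):
    """Return a dict with ts, tunnel, level, msg and signal, or None for non-racoon lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["signal"] = next((name for text, name in SIGNALS if text in rec["msg"]), "other")
    return rec


def summarize(log_text):
    """Count signals across all lines and collect the tunnel names racoon tagged them with."""
    counts = Counter()
    tunnels = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        counts[rec["signal"]] += 1
        if rec["tunnel"]:
            tunnels.add(rec["tunnel"])
    return {"signals": dict(counts), "tunnels": sorted(tunnels)}


def diagnose(summary):
    """Map the signal counts of one side to an assumed verdict string.

    hash_mismatch together with id_mismatch after an aggressive-mode start
    points at the phase 1 authentication itself (PSK / identifier choice),
    whereas timeouts and retransmits without a hash error mean this side
    simply never got a valid reply from its peer.
    """
    s = summary["signals"]
    if s.get("hash_mismatch") and s.get("id_mismatch"):
        return "phase1_auth_failure"
    if s.get("phase1_timeout") or (s.get("retransmit") and s.get("no_isakmp_sa")):
        return "phase1_no_response"
    if s.get("phase1_initiate") or s.get("phase1_respond"):
        return "phase1_in_progress"
    return "no_phase1_activity"


if __name__ == "__main__":
    for side, log in (("OFFICE", OFFICE_LOG), ("BRANCH", BRANCH_LOG)):
        summary = summarize(log)
        print(side, summary["tunnels"], summary["signals"], "->", diagnose(summary))
```

Run against the two excerpts the script reports `phase1_auth_failure` for OFFICE and `phase1_no_response` for BRANCH, which is the shape to expect when the initiator rejects the responder's phase 1 hash: the responder never learns why and just retransmits until its timer expires. Pointing the classifier at a longer log (for example the full IPsec log of pfSense 1.2.3) works unchanged, since every line that does not match a known message lands in the `other` bucket rather than being dropped.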
