4. IPsec tunnels died and don't come up anymore

IPsec tunnels died and don't come up anymore

  • H

    Hi all,
    I have a pretty strange problem, I have 1 office with 4 branches connected via IPsec.
    All locations run the same pfSense 1.2.3, only difference is that in "Office" runs a Dell Poweredge R210 server and in All the branches a simple IBM P4 desktop.
    Confuguration on both sides is the same.
    After worked for a pretty long time good, all of a sudden all pfSense boxes stopped talking with eachother and no way to come back. Weird in this, is that from my home I still can connect via IPsec to all, but I use M0n0wall.
    Here is the log from the OFFICE side when I send a ping via the LAN side:

    Feb 6 21:51:38 racoon: ERROR: HASH mismatched
    Feb 6 21:51:38 racoon: WARNING: No ID match.
    Feb 6 21:51:38 racoon: INFO: received Vendor ID: DPD
    Feb 6 21:51:38 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Feb 6 21:51:38 racoon: ERROR: HASH mismatched
    Feb 6 21:51:38 racoon: WARNING: No ID match.
    Feb 6 21:51:38 racoon: INFO: received Vendor ID: DPD
    Feb 6 21:51:38 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Feb 6 21:51:28 racoon: ERROR: HASH mismatched
    Feb 6 21:51:28 racoon: WARNING: No ID match.
    Feb 6 21:51:28 racoon: INFO: received Vendor ID: DPD
    Feb 6 21:51:28 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Feb 6 21:51:28 racoon: ERROR: HASH mismatched
    Feb 6 21:51:28 racoon: WARNING: No ID match.
    Feb 6 21:51:28 racoon: INFO: received Vendor ID: DPD
    Feb 6 21:51:28 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Feb 6 21:51:18 racoon: ERROR: HASH mismatched
    Feb 6 21:51:18 racoon: WARNING: No ID match.
    Feb 6 21:51:18 racoon: INFO: received Vendor ID: DPD
    Feb 6 21:51:18 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Feb 6 21:51:18 racoon: INFO: begin Aggressive mode.
    Feb 6 21:51:18 racoon: [NAME BRANCH]: INFO: initiate new phase 1 negotiation: 1xx.xx.xx.xx[500]<=>2xx.xx.xx.xx[500]
    Feb 6 21:51:18 racoon: [NAME BRANCH]: INFO: IPsec-SA request for 2xx.xx.xx.xx queued due to no phase1 found.

    And here the log on the BRANCH side:
    Feb 6 21:52:08 racoon: ERROR: phase1 negotiation failed due to time up. 585c756a76df580f:dd4d18b48e8db9fc
    Feb 6 21:51:58 racoon: ERROR: ignore information because ISAKMP-SAhas not been established yet.
    Feb 6 21:51:58 racoon: ERROR: ignore information because ISAKMP-SAhas not been established yet.
    Feb 6 21:51:58 racoon: [Porto Novo Vila Velha VPN]: NOTIFY: the packet is retransmitted by 1xx.xx.xx.xx[[500] (1).
    Feb 6 21:51:48 racoon: ERROR: ignore information because ISAKMP-SAhas not been established yet.
    Feb 6 21:51:48 racoon: ERROR: ignore information because ISAKMP-SAhas not been established yet.
    Feb 6 21:51:48 racoon: [Porto Novo Vila Velha VPN]: NOTIFY: the packet is retransmitted by 1xx.xx.xx.xx[[500] (1).
    Feb 6 21:51:38 racoon: ERROR: ignore information because ISAKMP-SAhas not been established yet.
    Feb 6 21:51:38 racoon: ERROR: ignore information because ISAKMP-SAhas not been established yet.
    Feb 6 21:51:38 racoon: [NAME BRANCH VPN]: NOTIFY: the packet is retransmitted by 1xx.xx.xx.xx[500] (1).
    Feb 6 21:51:28 racoon: ERROR: ignore information because ISAKMP-SAhas not been established yet.
    Feb 6 21:51:28 racoon: ERROR: ignore information because ISAKMP-SAhas not been established yet.
    Feb 6 21:51:28 racoon: [NAME BRANCH VPN]: NOTIFY: the packet is retransmitted by 1xx.xx.xx.xx[500] (1).
    Feb 6 21:51:18 racoon: ERROR: ignore information because ISAKMP-SAhas not been established yet.
    Feb 6 21:51:18 racoon: WARNING: No ID match.
    Feb 6 21:51:18 racoon: INFO: received Vendor ID: DPD
    Feb 6 21:51:18 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Feb 6 21:51:18 racoon: INFO: begin Aggressive mode.
    Feb 6 21:51:18 racoon: [NAME BRANCH VPN]: INFO: respond new phase 1 negotiation: 2xx.xx.xx.xx[500]<=>1xx.xx.xx.xx[500]

    I saved on both sides of course the tunnels and passphrases again, all is correctly  in the config.
    As said, via my m0n0wall box I can connect to both, but OFFICE can't connect to to BRANCHE anymore and viceversa.
    As said also, the tunnel was working for a while correctly, nobody else then me has access to the boxes.

    Does anyone have an idea?  ??? I will soon upgrade all to 2.0.1, but would like to resolve this first.

    Thanx in advance!

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2019 Rubicon Communications, LLC | Privacy Policy