BLOODY unstable VPN



  • I have 2 WatchGuard boxes (x700 and x1000) on which I installed pfSense 2.0.1-RELEASE (i386).
    They are at two sites using the same ISP, each with a static public IP address on the WAN,
    for example 100.100.100.100 (x1000) and 70.70.70.70 (x700).

    I wanted to take advantage of the SafeNet SafeXcel-1141 present in the Firebox, but when using the AES encryption algorithm supported by the SafeXcel-1141, the Firebox locked up a short time after the VPN came up.

    I decided to use Blowfish (an algorithm NOT supported by the SafeXcel-1141) and the Firebox no longer locks up. Unfortunately the VPN continues to be unstable: after a few days of use the tunnel drops.

    The configurations seem to be OK (otherwise the VPN would never work, I think).

    After the tunnel drops, there is no way it comes back up by itself; the problem seems to be in authentication (Phase 1).
    To rebuild the tunnel, many times I have simply changed the Pre-Shared Key on both firewalls and the VPN worked again after a short time.

    Today this trick did not work, so I disabled DPD.

    The VPN is now up! But for how long?

    Can you help me understand what's wrong?

    I am attaching the contents of the racoon.conf files.

    ----------- X700 -----------

    This file is automatically generated. Do not edit

    path pre_shared_key "/var/etc/psk.txt";

    path certificate  "/var/etc";

    listen
    {
    adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
    isakmp 70.70.70.70 [500];
    isakmp_natt 70.70.70.70 [4500];
    }

    remote 100.100.100.100
    {
    ph1id 1;
    exchange_mode aggressive;
    my_identifier address 70.70.70.70;
    peers_identifier address 100.100.100.100;
    ike_frag on;
    generate_policy = off;
    initial_contact = on;
    nat_traversal = off;

    support_proxy on;
    proposal_check claim;

    proposal
    {
    authentication_method pre_shared_key;
    encryption_algorithm blowfish 256;
    hash_algorithm sha1;
    dh_group 2;
    lifetime time 28800 secs;
    }
    }

    sainfo subnet 192.168.70.0/24 any subnet 192.168.100.0/24 any
    {
    remoteid 1;
    encryption_algorithm blowfish 256, blowfish 248, blowfish 240, blowfish 232, blowfish 224, blowfish 216, blowfish 208, blowfish 200, blowfish 192, blowfish 184, blowfish 176, blowfish 168, blowfish 160, blowfish 152, blowfish 144, blowfish 136, blowfish 128;
    authentication_algorithm hmac_sha1;
    pfs_group 2;
    lifetime time 43200 secs;
    compression_algorithm deflate;
    }
    ----------- end x700 -----------
    ----------- x1000 -----------

    This file is automatically generated. Do not edit

    path pre_shared_key "/var/etc/psk.txt";

    path certificate  "/var/etc";

    listen
    {
    adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
    isakmp 100.100.100.100 [500];
    isakmp_natt 100.100.100.100 [4500];
    }

    remote 70.70.70.70
    {
    ph1id 1;
    exchange_mode aggressive;
    my_identifier address 100.100.100.100;
    peers_identifier address 70.70.70.70;
    ike_frag on;
    generate_policy = off;
    initial_contact = on;
    nat_traversal = off;

    support_proxy on;
    proposal_check claim;

    proposal
    {
    authentication_method pre_shared_key;
    encryption_algorithm blowfish 256;
    hash_algorithm sha1;
    dh_group 2;
    lifetime time 28800 secs;
    }
    }

    sainfo subnet 192.168.100.0/24 any subnet 192.168.70.0/24 any
    {
    remoteid 1;
    encryption_algorithm blowfish 256, blowfish 248, blowfish 240, blowfish 232, blowfish 224, blowfish 216, blowfish 208, blowfish 200, blowfish 192, blowfish 184, blowfish 176, blowfish 168, blowfish 160, blowfish 152, blowfish 144, blowfish 136, blowfish 128;
    authentication_algorithm hmac_sha1;
    pfs_group 2;
    lifetime time 43200 secs;
    compression_algorithm deflate;
    }
    ----------- end x1000 -----------
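A site-to-site racoon setup only works when the two racoon.conf files are exact mirrors of each other (listen address of one is the remote of the other, identifiers swapped, phase 1 proposals identical, sainfo subnets reversed). Below is an added example, not code from the post or from pfSense/ipsec-tools, that parses two racoon.conf files with a small brace-and-semicolon parser and reports every asymmetry. It also flags the one setting in the posted files that a security reviewer would object to: IKEv1 aggressive mode with a pre-shared key sends the identity and the PSK-derived hash unencrypted, so anyone who captures the exchange can brute-force the PSK offline. `X700` and `X1000` are constructed from the posted files (the poster's placeholder addresses, blowfish list shortened); the parser only covers the statement and block syntax visible on the page.

```python
"""Cross-check the racoon.conf of two IPsec peers for mirror consistency.

Added example: not code from the post or from pfSense/ipsec-tools. X700/X1000 are
constructed from the posted files (poster's placeholder addresses, blowfish list
shortened); the parser covers only the statement/block syntax seen on the page.
"""
import re

X700 = """
listen { isakmp 70.70.70.70 [500]; isakmp_natt 70.70.70.70 [4500]; }
remote 100.100.100.100 {
    exchange_mode aggressive;
    my_identifier address 70.70.70.70;
    peers_identifier address 100.100.100.100;
    nat_traversal = off;
    proposal { authentication_method pre_shared_key; encryption_algorithm blowfish 256;
               hash_algorithm sha1; dh_group 2; lifetime time 28800 secs; }
}
sainfo subnet 192.168.70.0/24 any subnet 192.168.100.0/24 any {
    encryption_algorithm blowfish 256, blowfish 128;
    authentication_algorithm hmac_sha1; pfs_group 2; lifetime time 43200 secs;
}
"""
X1000 = """
listen { isakmp 100.100.100.100 [500]; isakmp_natt 100.100.100.100 [4500]; }
remote 70.70.70.70 {
    exchange_mode aggressive;
    my_identifier address 100.100.100.100;
    peers_identifier address 70.70.70.70;
    nat_traversal = off;
    proposal { authentication_method pre_shared_key; encryption_algorithm blowfish 256;
               hash_algorithm sha1; dh_group 2; lifetime time 28800 secs; }
}
sainfo subnet 192.168.100.0/24 any subnet 192.168.70.0/24 any {
    encryption_algorithm blowfish 256, blowfish 128;
    authentication_algorithm hmac_sha1; pfs_group 2; lifetime time 43200 secs;
}
"""

_TOK = re.compile(r'"[^"]*"|\[[^\]]*\]|[{};,]|[^\s{};,]+')

def parse(text):
    """Parse racoon.conf text into nested {'header', 'stmts', 'blocks'} nodes."""
    toks = _TOK.findall('\n'.join(l.split('#', 1)[0] for l in text.splitlines()))
    return _parse(toks, 0)[0]

def _parse(toks, i):
    node, cur = {'header': [], 'stmts': [], 'blocks': []}, []
    while i < len(toks):
        t, i = toks[i], i + 1
        if t == ';':                       # end of a "keyword args ;" statement
            node['stmts'].append([w for w in cur if w != '=']); cur = []
        elif t == '{':                     # "header { ... }" block, parsed recursively
            child, i = _parse(toks, i)
            child['header'] = cur; node['blocks'].append(child); cur = []
        elif t == '}':
            break
        else:
            cur.append(t)
    return node, i

def settings(node):
    """Map each statement keyword to the tuple of its arguments (commas kept)."""
    return {s[0]: tuple(s[1:]) for s in node['stmts'] if s}

def block(node, name):
    return next(b for b in node['blocks'] if b['header'][:1] == [name])

def lint(conf_a, conf_b):
    """Return findings; for a sound pair only the aggressive-mode caveat (once per side) is expected."""
    a, b = parse(conf_a), parse(conf_b)
    out = []
    for me, peer, tag in ((a, b, 'A'), (b, a, 'B')):
        listen, mine, theirs = settings(block(me, 'listen')), block(me, 'remote'), block(peer, 'remote')
        if listen['isakmp'][0] != theirs['header'][1]:
            out.append(f"{tag} listens on {listen['isakmp'][0]} but peer's remote block targets {theirs['header'][1]}")
        ms, ts = settings(mine), settings(theirs)
        if ms.get('my_identifier') != ts.get('peers_identifier'):
            out.append(f"{tag}: my_identifier {ms.get('my_identifier')} != peer's peers_identifier {ts.get('peers_identifier')}")
        # IKEv1 aggressive mode sends the identity and the PSK-derived hash unencrypted,
        # so a passive capture of the exchange lets an attacker brute-force the PSK offline.
        if ms.get('exchange_mode') == ('aggressive',) and \
           settings(block(mine, 'proposal')).get('authentication_method') == ('pre_shared_key',):
            out.append(f"{tag}: aggressive mode with pre_shared_key exposes the PSK hash; prefer main mode")
    # Phase 1: every proposal parameter must match.
    p1a, p1b = settings(block(block(a, 'remote'), 'proposal')), settings(block(block(b, 'remote'), 'proposal'))
    out += [f"phase1 {k}: A={p1a.get(k)} B={p1b.get(k)}" for k in sorted(set(p1a) | set(p1b)) if p1a.get(k) != p1b.get(k)]
    # Phase 2: subnets must be mirrored and the transforms identical.
    sa, sb = block(a, 'sainfo'), block(b, 'sainfo')
    ha, hb = sa['header'], sb['header']    # ['sainfo','subnet',LOCAL,'any','subnet',REMOTE,'any']
    if (ha[2], ha[5]) != (hb[5], hb[2]):
        out.append(f"sainfo subnets not mirrored: A={ha[2]}->{ha[5]} B={hb[2]}->{hb[5]}")
    p2a, p2b = settings(sa), settings(sb)
    out += [f"phase2 {k}: A={p2a.get(k)} B={p2b.get(k)}" for k in sorted(set(p2a) | set(p2b)) if p2a.get(k) != p2b.get(k)]
    return out

if __name__ == '__main__':
    for finding in lint(X700, X1000):
        print(finding)
```

Run against the two posted files the linter reports nothing but the aggressive-mode caveat for each side, which agrees with the poster's observation that the configuration itself negotiates fine. Change one parameter on one side (a different `hash_algorithm`, a mistyped subnet, a listen address that the peer's `remote` block does not target) and the corresponding asymmetry is printed, which is the quickest way to rule out a copy-paste error before digging into logs.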



  • These are the errors I find in the log of the x1000 while trying to reactivate the tunnel:
    -------

    racoon: ERROR: phase1 negotiation failed due to time up. b1a757a816605b88:0000000000000000
    racoon: [Roxor-TE]: [70.70.70.70] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 70.70.70.70[0]->100.100.100.100[0]



  • These are ALL of the x700's logs from when the tunnel dropped until it was reactivated:
    -----------

    Feb 20 23:21:17 racoon: INFO: purged ISAKMP-SA spi=73b650ca897e36d6:ca4ea3fd334d76d5.
    Feb 20 23:21:17 racoon: [Peak-aq]: INFO: ISAKMP-SA deleted 70.70.70.70[500]-100.100.100.100[500] spi:73b650ca897e36d6:ca4ea3fd334d76d5
    Feb 21 00:55:21 racoon: [Peak-aq]: INFO: ISAKMP-SA expired 70.70.70.70[500]-100.100.100.100[500] spi:771d8df0192bfec7:99b14b7207a92545
    Feb 21 00:55:21 racoon: [Peak-aq]: INFO: ISAKMP-SA deleted 70.70.70.70[500]-100.100.100.100[500] spi:771d8df0192bfec7:99b14b7207a92545
    Feb 21 11:18:27 racoon: INFO: unsupported PF_KEY message REGISTER
    Feb 21 11:18:27 racoon: ERROR: such policy already exists. anyway replace it: 192.168.100.0/24[0] 192.168.70.0/24[0] proto=any dir=in
    Feb 21 11:18:27 racoon: ERROR: such policy already exists. anyway replace it: 192.168.70.0/24[0] 192.168.100.0/24[0] proto=any dir=out
    Feb 21 11:18:27 racoon: INFO: unsupported PF_KEY message REGISTER
    Feb 21 11:18:48 racoon: INFO: caught signal 15
    Feb 21 11:18:48 racoon: INFO: racoon process 14615 shutdown
    Feb 21 11:18:54 racoon: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
    Feb 21 11:18:54 racoon: INFO: @(#)This product linked OpenSSL 0.9.8n 24 Mar 2010 (http://www.openssl.org/)
    Feb 21 11:18:54 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
    Feb 21 11:18:54 racoon: [Self]: INFO: 70.70.70.70[4500] used for NAT-T
    Feb 21 11:18:54 racoon: [Self]: INFO: 70.70.70.70[4500] used as isakmp port (fd=14)
    Feb 21 11:18:54 racoon: [Self]: INFO: 70.70.70.70[500] used for NAT-T
    Feb 21 11:18:54 racoon: [Self]: INFO: 70.70.70.70[500] used as isakmp port (fd=15)
    Feb 21 11:18:54 racoon: INFO: unsupported PF_KEY message REGISTER
    Feb 21 11:18:54 racoon: ERROR: such policy already exists. anyway replace it: 192.168.70.70/32[0] 192.168.70.0/24[0] proto=any dir=out
    Feb 21 11:18:54 racoon: ERROR: such policy already exists. anyway replace it: 192.168.70.0/24[0] 192.168.70.70/32[0] proto=any dir=in
    Feb 21 11:18:54 racoon: ERROR: such policy already exists. anyway replace it: 192.168.70.0/24[0] 192.168.100.0/24[0] proto=any dir=out
    Feb 21 11:18:54 racoon: ERROR: such policy already exists. anyway replace it: 192.168.100.0/24[0] 192.168.70.0/24[0] proto=any dir=in
    Feb 21 11:30:25 racoon: INFO: unsupported PF_KEY message REGISTER
    Feb 21 11:30:25 racoon: INFO: unsupported PF_KEY message REGISTER
    Feb 21 11:33:09 racoon: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
    Feb 21 11:33:09 racoon: INFO: @(#)This product linked OpenSSL 0.9.8n 24 Mar 2010 (http://www.openssl.org/)
    Feb 21 11:33:09 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
    Feb 21 11:33:09 racoon: [Self]: INFO: 70.70.70.70[4500] used for NAT-T
    Feb 21 11:33:09 racoon: [Self]: INFO: 70.70.70.70[4500] used as isakmp port (fd=14)
    Feb 21 11:33:09 racoon: [Self]: INFO: 70.70.70.70[500] used for NAT-T
    Feb 21 11:33:09 racoon: [Self]: INFO: 70.70.70.70[500] used as isakmp port (fd=15)
    Feb 21 11:33:09 racoon: INFO: unsupported PF_KEY message REGISTER
    Feb 21 11:33:09 racoon: ERROR: such policy already exists. anyway replace it: 192.168.70.70/32[0] 192.168.70.0/24[0] proto=any dir=out
    Feb 21 11:33:09 racoon: ERROR: such policy already exists. anyway replace it: 192.168.70.0/24[0] 192.168.70.70/32[0] proto=any dir=in
    Feb 21 11:33:09 racoon: ERROR: such policy already exists. anyway replace it: 192.168.70.0/24[0] 192.168.100.0/24[0] proto=any dir=out
    Feb 21 11:33:09 racoon: ERROR: such policy already exists. anyway replace it: 192.168.100.0/24[0] 192.168.70.0/24[0] proto=any dir=in
    Feb 21 11:41:47 racoon: [Peak-aq]: INFO: IPsec-SA request for 100.100.100.100 queued due to no phase1 found.
    Feb 21 11:41:47 racoon: [Peak-aq]: INFO: initiate new phase 1 negotiation: 70.70.70.70[500]<=>100.100.100.100[500]
    Feb 21 11:41:47 racoon: INFO: begin Aggressive mode.
    Feb 21 11:41:47 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Feb 21 11:41:47 racoon: INFO: received Vendor ID: DPD
    Feb 21 11:41:47 racoon: [Peak-aq]: [100.100.100.100] NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
    Feb 21 11:41:47 racoon: [Peak-aq]: INFO: ISAKMP-SA established 70.70.70.70[500]-100.100.100.100[500] spi:cb5b3431c41fcfa1:d48f55efdebc1178
    Feb 21 11:41:47 racoon: [Peak-aq]: [100.100.100.100] INFO: received INITIAL-CONTACT
    Feb 21 11:41:48 racoon: [Peak-aq]: INFO: initiate new phase 2 negotiation: 70.70.70.70[500]<=>100.100.100.100[500]
    Feb 21 11:41:48 racoon: [Peak-aq]: INFO: respond new phase 2 negotiation: 70.70.70.70[500]<=>100.100.100.100[500]
    Feb 21 11:41:48 racoon: [Peak-aq]: INFO: IPsec-SA established: ESP 70.70.70.70[500]->100.100.100.100[500] spi=203031334(0xc1a0326)
    Feb 21 11:41:48 racoon: [Peak-aq]: INFO: IPsec-SA established: ESP 70.70.70.70[500]->100.100.100.100[500] spi=224209190(0xd5d2926)
    Feb 21 11:41:48 racoon: [Peak-aq]: INFO: IPsec-SA established: ESP 70.70.70.70[500]->100.100.100.100[500] spi=112887010(0x6ba84e2)
    Feb 21 11:41:48 racoon: [Peak-aq]: INFO: IPsec-SA established: ESP 70.70.70.70[500]->100.100.100.100[500] spi=207316147(0xc5b64b3)
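The two log excerpts above contain the whole failure signature: the last ISAKMP-SA expires at 00:55:21 and nothing replaces it until a fresh phase 1 succeeds at 11:41:47, with a "phase1 negotiation failed due to time up" in between. A healthy racoon rekeys phase 1 before or right after an expiry, so an "expired"/"deleted" that is not followed by an "ISAKMP-SA established" within a short grace period is exactly the condition worth alerting on. The script below is an added example, not from the post or from ipsec-tools: it reduces racoon syslog lines to a small state machine, reports each outage with its duration and how many phase 1 timeouts and racoon restarts happened during it, and distinguishes that from a normal rekey. `SAMPLE_LOG` is constructed from the posted x700 lines, trimmed, with the x1000 phase 1 timeout merged in under a made-up timestamp; `HEALTHY_LOG` is a constructed rekey sequence. Syslog timestamps carry no year, so durations are computed as if all lines fall in the same year (an assumption).

```python
"""Detect IKEv1 phase-1 outages in racoon syslog output.

Added example, not code from the post or ipsec-tools. SAMPLE_LOG is constructed from
the posted x700 lines plus the x1000 phase-1 timeout (made-up timestamp); HEALTHY_LOG
is a constructed normal rekey. Syslog has no year, so deltas assume one calendar year.
"""
import re
from datetime import datetime

SAMPLE_LOG = """\
Feb 20 23:21:17 racoon: INFO: purged ISAKMP-SA spi=73b650ca897e36d6:ca4ea3fd334d76d5.
Feb 20 23:21:17 racoon: [Peak-aq]: INFO: ISAKMP-SA deleted 70.70.70.70[500]-100.100.100.100[500] spi:73b650ca897e36d6:ca4ea3fd334d76d5
Feb 21 00:55:21 racoon: [Peak-aq]: INFO: ISAKMP-SA expired 70.70.70.70[500]-100.100.100.100[500] spi:771d8df0192bfec7:99b14b7207a92545
Feb 21 00:55:21 racoon: [Peak-aq]: INFO: ISAKMP-SA deleted 70.70.70.70[500]-100.100.100.100[500] spi:771d8df0192bfec7:99b14b7207a92545
Feb 21 11:18:54 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
Feb 21 11:25:00 racoon: ERROR: phase1 negotiation failed due to time up. b1a757a816605b88:0000000000000000
Feb 21 11:33:09 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
Feb 21 11:41:47 racoon: [Peak-aq]: INFO: initiate new phase 1 negotiation: 70.70.70.70[500]<=>100.100.100.100[500]
Feb 21 11:41:47 racoon: [Peak-aq]: INFO: ISAKMP-SA established 70.70.70.70[500]-100.100.100.100[500] spi:cb5b3431c41fcfa1:d48f55efdebc1178
Feb 21 11:41:48 racoon: [Peak-aq]: INFO: IPsec-SA established: ESP 70.70.70.70[500]->100.100.100.100[500] spi=203031334(0xc1a0326)
"""

HEALTHY_LOG = """\
Feb 22 05:00:00 racoon: [Peak-aq]: INFO: ISAKMP-SA established 70.70.70.70[500]-100.100.100.100[500] spi:0000000000000001:0000000000000002
Feb 22 13:00:00 racoon: [Peak-aq]: INFO: ISAKMP-SA expired 70.70.70.70[500]-100.100.100.100[500] spi:0000000000000001:0000000000000002
Feb 22 13:00:01 racoon: [Peak-aq]: INFO: ISAKMP-SA established 70.70.70.70[500]-100.100.100.100[500] spi:0000000000000003:0000000000000004
"""

TS_RE = re.compile(r'^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) racoon: (.*)$')
EVENTS = (  # (kind, pattern); group 1, where present, is the initiator SPI of the phase-1 SA
    ('established', re.compile(r'ISAKMP-SA established .* spi:([0-9a-f]+):')),
    ('removed',     re.compile(r'ISAKMP-SA (?:expired|deleted) .* spi:([0-9a-f]+):')),
    ('removed',     re.compile(r'purged ISAKMP-SA spi=([0-9a-f]+):')),
    ('p1_timeout',  re.compile(r'phase1 negotiation failed due to time up')),
    ('restart',     re.compile(r'Reading configuration from')),
)

def parse_line(line):
    """Return (datetime, kind, spi_or_None, raw_timestamp) for lines we care about, else None."""
    m = TS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), '%b %d %H:%M:%S')
    for kind, rx in EVENTS:
        e = rx.search(m.group(2))
        if e:
            return ts, kind, (e.group(1) if e.groups() else None), m.group(1)
    return None

def analyze(lines, rekey_grace=120):
    """Walk the log; an ISAKMP-SA removal that leaves no phase-1 SA and is not followed by an
    'established' within rekey_grace seconds is recorded as an outage."""
    active, down_since, outages = set(), None, []
    state, p1, restarts = 'unknown', 0, 0
    for line in lines:
        ev = parse_line(line)
        if not ev:
            continue
        ts, kind, spi, raw_ts = ev
        if kind == 'established':
            active.add(spi)
            if down_since and (ts - down_since[0]).total_seconds() > rekey_grace:
                outages.append({'down_since': down_since[1], 'restored': raw_ts,
                                'seconds': int((ts - down_since[0]).total_seconds()),
                                'phase1_timeouts': p1, 'restarts': restarts})
            down_since, p1, restarts, state = None, 0, 0, 'up'
        elif kind == 'removed':
            active.discard(spi)
            if not active:          # no phase-1 SA left: phase 2 cannot be rekeyed until a new one exists
                down_since, state = (ts, raw_ts), 'down'
        elif kind == 'p1_timeout':
            p1 += 1
        elif kind == 'restart':
            restarts += 1
    return {'outages': outages, 'state': state, 'pending_phase1_timeouts': p1}

if __name__ == '__main__':
    print(analyze(SAMPLE_LOG.splitlines()))
    print(analyze(HEALTHY_LOG.splitlines()))
```

On the constructed sample this reports one outage of 38786 seconds (00:55:21 to 11:41:47) containing one phase 1 timeout and two racoon restarts, and nothing for the healthy rekey. Fed with `tail -F` output from both firewalls it gives a far more useful signal than noticing that pings stopped, because it tells you whether phase 1 was ever attempted and whether it timed out, which is the "Remote Side not responding" case the x1000 log shows.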



  • Try this!!!
    I sort of had a similar problem…

    Change Negotiation mode: Aggressive
    Disable NAT Traversal
    And make sure Dead Peer Detection is left on.

    Also, another cool thing which pfSense does is OpenVPN, to create a secure and reliable tunnel.

    Hope this helps! Best of luck.

