Racoon failure after boot with hifn

  • This is embedded version PFSense 1.0.1 on a WRAP wrap1e203 with 128 M memory and a Soekris VPN 1401 (autoconfigures as hifn0).

    After boot (cold or warm), racoon puts up the error:

    racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.

    And it proceeds to fail. If I open a shell and stop/start racoon, it works fine. (Using the IPSec configurator screen and simply clicking "Save" and then "Apply" on the next screen also will restart racoon to good effect.)

    If I take the Hi/Fn card out, the problem disappears.

    Both /var/etc/racoon.conf and /var/etc/psk.txt exist (by the time I can get a shell in). It also appears that racoon is reading racoon.conf because the SPDs are in place.

    The racoon process and the 2 files all have identical creation times within a minute. (How do you get ctime out of a file as seconds? or for a process start time?)

    Is it the case that the contents of /var/etc are created at boot?

    Does racoon read psk.txt only once at startup?

    Is it possible that psk.txt either doesn't exist or is not completely populated when racoon is started?

    Is there any way that adding/removing the encryption card would affect start-up times?
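    One way to answer the timing questions in this post (file ctime as seconds, process start time, and whether psk.txt was written before or after racoon started) is the script below. It is an added example, not something from this thread or from pfSense; it assumes FreeBSD's stat(1), ps(1), date(1) and pgrep(1) as shipped on pfSense, and the path /var/etc/psk.txt from the post.

```shell
#!/bin/sh
# Added example (not from the thread): compare the ctime of /var/etc/psk.txt
# with the start time of the running racoon process. If psk.txt changed after
# racoon started, racoon could be holding an empty or partial key table.
# Assumes FreeBSD userland (stat -f, date -j -f, ps -o lstart, pgrep -o).

# ctime of a file as seconds since the epoch (FreeBSD stat -f %c).
file_ctime() {
    stat -f %c "$1"
}

# Start time of the oldest process named $1, as seconds since the epoch.
# ps -o lstart prints e.g. "Mon Jan  8 10:05:12 2007"; date -j -f parses it.
proc_start() {
    _pid=$(pgrep -o "$1") || return 1
    _lstart=$(ps -o lstart= -p "$_pid")
    date -j -f "%a %b %e %T %Y" "$_lstart" +%s
}

# Pure comparison: $1 = file ctime, $2 = process start (both epoch seconds).
# Prints a verdict; returns 0 when the file predates the process, 1 otherwise.
psk_order() {
    if [ "$1" -le "$2" ]; then
        echo "psk.txt written $(( $2 - $1 ))s before racoon started"
        return 0
    else
        echo "psk.txt changed $(( $1 - $2 ))s AFTER racoon started: stale key table"
        return 1
    fi
}

# Run the live check only on FreeBSD; the flags above are BSD-specific.
case "$(uname -s)" in
FreeBSD)
    psk_order "$(file_ctime /var/etc/psk.txt)" "$(proc_start racoon)"
    ;;
esac
```

Run it right after boot, before restarting racoon by hand, so the comparison reflects the process that printed the pskey error.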

  • Please try 1.2-BETA-1.

  • Behavior is different with pfSense-1.2-BETA-1-Embedded-128-MB.img.gz, but it still has difficulties.

    No problem without the Hi/Fn card.

    With the card, the behavior is complicated and, unfortunately, inconsistent.

    The data here represents approximately 15 power-cycle iterations.

    Sometimes racoon is restarted. Not entirely clear about the timing. Consistently, racoon and a working tunnel are available immediately after the console message

    Configuring IPsec VPN... done

    appears. However, sometimes racoon is restarted a second time. It is not clear under what circumstances, but 3 times (out of 15) the console never finished loading. Twice the last message on the console was:

    Starting /usr/local/etc/rc.d/*.sh...done.

    Once it got a little further but still hung at:

    Bootup complete
    FreeBSD/i386 (staff1.vineyardtransit.com) (console)
    *** Welcome to pfSense 1.2-BETA-1-embedded on staff1 ***

    Once, the console finished loading, but shortly after it was done, racoon was restarted. Another time racoon restarted almost 5 minutes after boot was 'complete.'

    At all 5 of these occasions racoon reports that it received a signal 15 and a few seconds later it is restarted. Prior to this second start-up the IPSec tunnel is fine. After this second start-up, phase 2 negotiation fails even though a phase 1 SA is achieved. As before, if I stop/start racoon manually (ssh works fine), all is well.

    Since the Generating RRD Graphs section takes almost 4 minutes to load, this means that the IPSec is established and working for an appreciable period before it breaks.

    Interestingly, without the Hi/Fn card, racoon is still restarted; however, it works when it comes back up.

    Sorry this report is so chaotic.

