IPSEC does not work with more than one Tunnel



  • I am writing background code for my pfsense box, so that the user need not enter any details.

    I have 3 machines. Site1, Site2 and Site3.

    When I configure Site1 to Site2 VPN - It works fine.

    When I configure Site1 to Site3 VPN, It works fine and Site1 to Site2 goes off. Open VPN page in Site2, click on save… everything is fine now. Site1 to Site2 is Okay, Site1 to Site3 is also Ok.

    Now with both tunnels up and running, if I make changes in one site, then I am forced to reboot the other machines.... Why?

    Is it enough to call vpn_ipsec_configure() or should I call something more....

    P1 Lifetime = P2 Lifetime = 288000

    The Log file is as follows

    Jun 4 06:00:05 racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.99/32[0] 192.168.1.0/24[0] proto=any dir=out
    Jun 4 06:00:05 racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.2.0/24[0] proto=any dir=out
    Jun 4 06:00:05 racoon: INFO: IPsec-SA request for 172.16.10.168 queued due to no phase1 found.
    Jun 4 06:00:05 racoon: INFO: initiate new phase 1 negotiation: 172.16.10.171[500]<=>172.16.10.168[500]
    Jun 4 06:00:05 racoon: INFO: begin Aggressive mode.
    Jun 4 06:00:07 racoon: INFO: IPsec-SA request for 172.16.10.172 queued due to no phase1 found.
    Jun 4 06:00:07 racoon: INFO: initiate new phase 1 negotiation: 172.16.10.171[500]<=>172.16.10.172[500]
    Jun 4 06:00:07 racoon: INFO: begin Aggressive mode.
    Jun 4 06:00:17 racoon: INFO: respond new phase 1 negotiation: 172.16.10.171[500]<=>172.16.10.168[500]
    Jun 4 06:00:17 racoon: INFO: begin Aggressive mode.
    Jun 4 06:00:17 racoon: INFO: received Vendor ID: DPD
    Jun 4 06:00:17 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
    Jun 4 06:00:17 racoon: INFO: ISAKMP-SA established 172.16.10.171[500]-172.16.10.168[500] spi:678fef7ed669b4e4:3eb1553576a3c4de
    Jun 4 06:00:18 racoon: INFO: respond new phase 2 negotiation: 172.16.10.171[500]<=>172.16.10.168[500]
    Jun 4 06:00:18 racoon: INFO: initiate new phase 2 negotiation: 172.16.10.171[500]<=>172.16.10.168[500]
    Jun 4 06:00:18 racoon: INFO: IPsec-SA established: ESP/Tunnel 172.16.10.168[0]->172.16.10.171[0] spi=6575745(0x645681)
    Jun 4 06:00:18 racoon: INFO: IPsec-SA established: ESP/Tunnel 172.16.10.171[0]->172.16.10.168[0] spi=106017731(0x651b3c3)
    Jun 4 06:00:18 racoon: INFO: IPsec-SA established: ESP/Tunnel 172.16.10.168[0]->172.16.10.171[0] spi=150148462(0x8f3156e)
    Jun 4 06:00:18 racoon: INFO: IPsec-SA established: ESP/Tunnel 172.16.10.171[0]->172.16.10.168[0] spi=65561386(0x3e8632a)
    Jun 4 06:00:25 racoon: INFO: received Vendor ID: DPD
    Jun 4 06:00:25 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
    Jun 4 06:00:25 racoon: INFO: ISAKMP-SA established 172.16.10.171[500]-172.16.10.168[500] spi:f3ed2a250c3855ba:ed8130594559277c
    Jun 4 06:00:27 racoon: ERROR: pfkey DELETE received: ESP 172.16.10.171[0]->172.16.10.168[0] spi=106017731(0x651b3c3)
    Jun 4 06:00:38 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 172.16.10.172[500]->172.16.10.171[500]
    Jun 4 06:00:38 racoon: INFO: delete phase 2 handler.
    Jun 4 06:00:52 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
    Jun 4 06:01:07 racoon: ERROR: phase1 negotiation failed due to time up. c69eb6d5597ee7b6:0000000000000000
    Jun 4 06:01:24 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 172.16.10.172[500]->172.16.10.171[500]
    Jun 4 06:01:24 racoon: INFO: delete phase 2 handler.
    Jun 4 06:01:24 racoon: INFO: IPsec-SA request for 172.16.10.172 queued due to no phase1 found.
    Jun 4 06:01:24 racoon: INFO: initiate new phase 1 negotiation: 172.16.10.171[500]<=>172.16.10.172[500]
    Jun 4 06:01:24 racoon: INFO: begin Aggressive mode

    As you can see, 172.16.10.171 - 172.16.10.168 got established and 172.16.10.171 - 172.16.10.172 failed.
    If I restart / click the save button in the IPsec page of 172.16.10.172, then it will start working.
    Strange enough, but …. I'm lost.

    Please help help help help



  • Done. It was a problem with SAD entries…. they were not getting refreshed. So, I manually deleted the entries between the two boxes. In the next negotiation, it got the new entries and the connection is Bingo.... Parsed the output of /sbin/setkey -D and used /sbin/setkey -c with delete commands [delete src dest protocol spi;]..
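The clean-up the poster describes, written out as an added example (not the poster's code and not part of pfSense): parse `/sbin/setkey -D`, keep only the SAs between the two peers whose tunnel is stuck, and emit `delete src dst proto spi;` lines for `/sbin/setkey -c`. Scoping the deletes to one peer pair matters because a flush (`setkey -F`) would also tear down the tunnel that is still working. The sample SAD dump and its SPIs are constructed, and the line layout is assumed to match FreeBSD's `setkey -D` (an unindented `src dst` line followed by an indented `esp mode=... spi=N(0xN)` line).

```python
import re
import sys

# Constructed sample of `/sbin/setkey -D` output (not captured from the poster's
# boxes): one SA per direction between 171 and 168, plus the 171<->172 SA that
# must be left untouched when we only clean up the 171<->168 pair.
SAMPLE_SETKEY_D = """\
172.16.10.171 172.16.10.168
\tesp mode=tunnel spi=106017731(0x0651b3c3) reqid=16385(0x00004001)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
172.16.10.168 172.16.10.171
\tesp mode=tunnel spi=6575745(0x00645681) reqid=16385(0x00004001)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
172.16.10.171 172.16.10.172
\tesp mode=tunnel spi=12345678(0x00bc614e) reqid=16386(0x00004002)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
"""

# Indented line carrying the protocol (esp, ah, esp-udp for NAT-T) and decimal SPI.
SA_RE = re.compile(r"^\s+([\w-]+)\s+mode=\S+\s+spi=(\d+)")


def parse_sad(text):
    """Return a list of (src, dst, proto, spi) tuples from setkey -D output."""
    entries, src, dst = [], None, None
    for line in text.splitlines():
        if line and not line[0].isspace():      # "src dst" header of an SA entry
            parts = line.split()
            if len(parts) == 2:
                src, dst = parts
            continue
        m = SA_RE.match(line)
        if m and src is not None:
            entries.append((src, dst, m.group(1), int(m.group(2))))
    return entries


def delete_script(entries, peer_a, peer_b):
    """Build setkey -c input deleting only the SAs between peer_a and peer_b (both directions)."""
    pair = {peer_a, peer_b}
    cmds = [f"delete {s} {d} {p} 0x{spi:08x};" for s, d, p, spi in entries if {s, d} == pair]
    return "\n".join(cmds) + ("\n" if cmds else "")


if __name__ == "__main__":
    # Usage: /sbin/setkey -D | python3 sad_delete.py PEER_A PEER_B | /sbin/setkey -c
    if len(sys.argv) == 3:
        sys.stdout.write(delete_script(parse_sad(sys.stdin.read()), sys.argv[1], sys.argv[2]))
    else:  # no peers given: show what the sample dump would produce
        sys.stdout.write(delete_script(parse_sad(SAMPLE_SETKEY_D), "172.16.10.171", "172.16.10.168"))
```

Racoon re-negotiates fresh SAs on the next phase 2 exchange, so after the deletes the "such policy already exists" and "pfkey DELETE received" lines in the log are the expected replacement, not a new fault.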
