Tunnel troubles



  • I replaced a SonicWall at another site with pfsense.

    I have checked and double checked that my configuration matches the remote site and the problem only exists when using pfsense. The tunnel goes down and doesn't come up for sometimes 5 mins, sometimes hours.

    One thing I'm not sure if makes any difference is the remote site does not allow pings so I pfsenses keepalive won't work?

    Here is what I see in the logs. Any suggestions where to start? Thanks!

    Jun 7 07:35:02 racoon: INFO: respond new phase 1 negotiation: MY_EXT_IP[500]<=>REMOTE_EXT_IP[500]
    Jun 7 07:35:02 racoon: INFO: begin Identity Protection mode.
    Jun 7 07:35:02 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Jun 7 07:35:02 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Jun 7 07:35:02 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Jun 7 07:35:02 racoon: NOTIFY: the packet is retransmitted by REMOTE_EXT_IP[500].
    Jun 7 07:35:02 racoon: WARNING: the packet retransmitted in a short time from REMOTE_EXT_IP[500]
    Jun 7 07:35:02 racoon: NOTIFY: the packet is retransmitted by REMOTE_EXT_IP[500].
    Jun 7 07:35:02 racoon: WARNING: the packet retransmitted in a short time from REMOTE_EXT_IP[500]
    Jun 7 07:35:02 racoon: NOTIFY: the packet is retransmitted by REMOTE_EXT_IP[500].
    Jun 7 07:35:02 racoon: ERROR: unknown Informational exchange received.
    Jun 7 07:35:02 racoon: ERROR: unknown Informational exchange received.
    Jun 7 07:38:24 racoon: INFO: respond new phase 1 negotiation: MY_EXT_IP[500]<=>REMOTE_EXT_IP[500]
    Jun 7 07:38:24 racoon: INFO: begin Identity Protection mode.
    Jun 7 07:38:24 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Jun 7 07:38:24 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Jun 7 07:38:24 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Jun 7 07:38:24 racoon: INFO: received Vendor ID: CISCO-UNITY
    Jun 7 07:38:24 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Jun 7 07:38:24 racoon: INFO: received Vendor ID: DPD
    Jun 7 07:38:24 racoon: INFO: ISAKMP-SA established MY_EXT_IP[500]-REMOTE_EXT_IP[500] spi:0ec3962ea0561765:b0ff2ac71a7114b1
    Jun 7 07:38:25 racoon: INFO: respond new phase 2 negotiation: MY_EXT_IP[500]<=>REMOTE_EXT_IP[500]
    Jun 7 07:38:25 racoon: WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
    Jun 7 07:38:25 racoon: INFO: IPsec-SA established: ESP/Tunnel REMOTE_EXT_IP[0]->MY_EXT_IP[0] spi=165231887(0x9d93d0f)



  • i have the same problems with the snapshot 1.2 beta from 04-06-2007 after the checkins from tuesday!



  • I am using 1.0/1.0.1… I had the remote end allow pings to an endpoint and will know by tomorrow if that helped.



  • No, that´s not the problem, maybe a bug



  • Then it would have to be a bug existing pre 1.2b.

    Heiko do your tunnels eventually come back by themselves without your intervention? Mine do but sometimes it is minutes and sometimes hours… doesn't seem to be any rhyme or reason. If I at least had settings for my customer on the otherside to try...or I could suggest they get rid of their cisco equipment and replace with pfsense :P



  • It is not a bug.  I run IPSEC all over the place and have no issues.



  • Sorry Scott, maybe a feature… ;) I don´t know...

    after the update from the snapshot 04-06-2007 the problems coming back. Before this update all ipsec tunnels worked fine. (Snapshot  2007-06-03 nighlty build)

    After the update two tunnels came back only with intervention!! Another tunnel comes back after a few minutes.....
    For me the "ipsec" is working like the snapshot before you made the changes in the cvs (2007-06-02 -ipsec-racoon etc.)

    Sorry
    Heiko



  • Are all tunnels running the same version?  If not, you might try upgrading them all to 1.2-BETA-1 or a newer snapshot.



  • No, not all the tunnels are on the same version, the problems are on tunnels from openswan  to pfsense.
    Although this tunnels worked fine before i upgraded to the  snapshot from 2007-06-04…...



  • cheech

    Do you fixed your tunnel problems?



  • @sullrich:

    It is not a bug.  I run IPSEC all over the place and have no issues.

    Cheech it is probably the Cisco that is the problem.



  • I think, now i have a stable config between pfsense carp <–> pfsense carp and also pfsense carp <--> openswan ipsec. I will make another  test tommorrow, but currently the tunnels are all up and running great....

    I need two rules on the wan , ESP permit and UDP 500 permit to the wan carp, then it runs as it should...
    greetings
    heiko



  • I had a similar problem and the exact same solution. It looks like pfsense isn't adding the rules to allow the carp address just the wan address

    I guess I wasn't being stupid after all  ;D



  • Yes, for me it works only with the additional rules…...



  • I have found interoperability issues between pfsense and non-pfsense routers when using IPSEC. I might be wrong but I think pfsense is intended primarily for pfsense <> pfsense. Unfortunately it is not always possible /practical to convince the other side to switch to pfsense. I have seen problems with connectivity between pfsense to Dlink, Linksys and Cisco VPN products. Sometimes simply solved by deleting the SPD.



  • @ssbean:

    I have found interoperability issues between pfsense and non-pfsense routers when using IPSEC. I might be wrong but I think pfsense is intended primarily for pfsense <> pfsense. Unfortunately it is not always possible /practical to convince the other side to switch to pfsense. I have seen problems with connectivity between pfsense to Dlink, Linksys and Cisco VPN products. Sometimes simply solved by deleting the SPD.

    IPsec is IPsec. If you have it properly configured on both ends it'll work fine. If you have to delete SPD's, you probably have mismatched lifetimes, and/or a data transfer-based lifetime (i.e. expire after X KB) configured, the latter of which you can't configure on the pfsense side so you cannot use.

    It can be difficult to properly configure IPsec to match what pfsense allows you to configure, especially on devices as flexible (and hence complex) as Cisco. pfsense to pfsense or m0n0wall is dead simple because the config options are simple to get matched properly.

    As for Dlink and Linksys, I haven't worked with Dlink IPsec, or heard of others who have, but Linksys IPsec is widely known to be a joke. Maybe their more recent equipment and/or firmware is better, but when it has come up on the m0n0wall list several times in the past, numerous people have stated those things never work reliably for them regardless of what they're connecting to.



  • well… i have about 40 linksys befvp41 and 10 netgear fvs318v3 connected to pfsense box. besides minor missconfiguration problems everything work fine.



  • Today all tunnels are up and runs fine, between carp pfsense <–> carp pfsense and carp pfsense <--> Openswan ipsec. The Openswan config is a little bit tricky....but it runs  :D  :D  :D

    This is the working ipsec.conf here:

    left=xxx
    leftnexthop=%defaultroute
    leftsubnet=192.168.10.0/255.255.255.0
    right=219.6.85.88
    rightsubnet=192.168.11.0/255.255.255.0
    rightnexthop=%defaultroute
            ike=aes128-sha-modp1536,aes128-sha-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha-modp1536,3des-sha-modp1024,3des-md5-modp1536,3des-md5-modp1024
            esp=aes128-sha1,aes128-md5,3des-sha1,3des-md5
            ikelifetime=1h
            keylife=8h
            dpddelay=30
            dpdtimeout=120
            dpdaction=hold
            pfs=yes
            authby=secret
            auto=start

    Have fun.., but do not forget the rules on the wan at this time (ESP and UDP500 to the WAN CARP)
    cmb have opened a ticket for this szenario http://cvstrac.pfsense.org/tktview?tn=1349
    Greetings from Germany



  • @covex:

    well… i have about 40 linksys befvp41 and 10 netgear fvs318v3 connected to pfsense box. besides minor missconfiguration problems everything work fine.

    Wow, so they're actually stable? I cringe at the thought of supporting 40 Linksys VPN boxes.  ;D  I've tried the BEFVP41, granted it was probably 5 years ago, but at the time it didn't work reliably at all no matter what I connected it to.

    I think I still have it on a shelf around here somewhere, maybe it's time to give it another shot if for nothing other than the sake of documenting the proper way to configure one to connect to pfsense.


Log in to reply