Netgate Discussion Forum

    Problematic IPSec connection dies and doesn't reconnect.

    JaroslawS

      Hi,
      I have a problem with an IPSec site-2-site connection.

      The situation:
      pfSense in main office.
      A few connections for road warriors (not used at this time).
      Two branch offices connected over site-2-site VPNs, both have a Fritzbox installed.

      VPN to one branch works fine, this Fritzbox is connected directly to the internet.
      The second Fritzbox is a problem.

      The main problem is the second Fritzbox. We rent a room in an office and we do not have our own internet connection. So, the Fritzbox is behind a firewall. The owner has an IPSec connection himself, so we do not get ports 500 and 4500 forwarded.

      BUT: I created the connections on pfSense and on the Fritzbox. When I try to ping an IP address on the other side of the VPN, the connection is not established. (I think I understand the problem here: the VPN device of the office owner answers the connection from pfSense and rejects it, because it is not known.)
      But when I ping an IP address behind pfSense from behind the Fritzbox and click on "connect VPN" in the IPSec Status at the same time, the VPN tunnel is established.

      After one hour the VPN dies and is not reestablished. I changed the lifetime of phase 2 to 86400 seconds (24 hours), but the connection is still killed after exactly one hour (this could be a problem of the Fritzbox, I was not able to change the lifetime there).
      When I try to reconnect with the "connect VPN" button and ping from the other side, it does not work again.
      What helped was to reboot pfSense or to disable the VPN connection (both P1 and P2) and enable it again. After this I was again able to connect with the button-ping trick.

      Here is the log from pfSense:

      
      Feb 8 13:02:21 	racoon: [Branch2 VPN]: [212.XXX.XXX.XXX] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
      Feb 8 13:02:17 	racoon: [Branch2 VPN]: [212.XXX.XXX.XXX] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
      Feb 8 13:02:15 	racoon: [Branch2 VPN]: [212.XXX.XXX.XXX] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
      Feb 8 13:02:01 	racoon: ERROR: 212.XXX.XXX.XXX give up to get IPsec-SA due to time up to wait.
      Feb 8 13:01:54 	racoon: [Branch2 VPN]: [212.XXX.XXX.XXX] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
      Feb 8 13:01:46 	racoon: [Branch2 VPN]: [212.XXX.XXX.XXX] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
      Feb 8 13:01:42 	racoon: [Branch2 VPN]: [212.XXX.XXX.XXX] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
      Feb 8 13:01:40 	racoon: [Branch2 VPN]: [212.XXX.XXX.XXX] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
      Feb 8 13:01:31 	racoon: [Branch2 VPN]: INFO: initiate new phase 2 negotiation: 92.YYY.YYY.YYY[500]<=>212.XXX.XXX.XXX[500]
      Feb 8 13:01:21 	racoon: [Branch2 VPN]: [212.XXX.XXX.XXX] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
      
      ... repeat x10 ...
      
      Feb 8 12:59:55 	racoon: [Branch2 VPN]: [212.XXX.XXX.XXX] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
      Feb 8 12:59:33 	racoon: ERROR: 212.XXX.XXX.XXX give up to get IPsec-SA due to time up to wait.
      Feb 8 12:59:26 	racoon: [Branch2 VPN]: [212.XXX.XXX.XXX] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
      Feb 8 12:59:18 	racoon: [Branch2 VPN]: [212.XXX.XXX.XXX] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
      Feb 8 12:59:14 	racoon: [Branch2 VPN]: [212.XXX.XXX.XXX] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
      Feb 8 12:59:12 	racoon: [Branch2 VPN]: [212.XXX.XXX.XXX] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
      Feb 8 12:59:03 	racoon: [Branch2 VPN]: INFO: initiate new phase 2 negotiation: 92.YYY.YYY.YYY[500]<=>212.XXX.XXX.XXX[500]
      Feb 8 12:56:04 	racoon: ERROR: 212.XXX.XXX.XXX give up to get IPsec-SA due to time up to wait.
      Feb 8 12:55:34 	racoon: [Branch2 VPN]: INFO: initiate new phase 2 negotiation: 92.YYY.YYY.YYY[500]<=>212.XXX.XXX.XXX[500]
      Feb 8 12:55:14 	racoon: [Branch2 VPN]: [212.XXX.XXX.XXX] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
      Feb 8 12:55:06 	racoon: [Branch2 VPN]: [212.XXX.XXX.XXX] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
      Feb 8 12:55:02 	racoon: [Branch2 VPN]: [212.XXX.XXX.XXX] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
      
      ...
      
      Feb 8 12:43:23 	racoon: [Branch2 VPN]: INFO: initiate new phase 2 negotiation: 92.YYY.YYY.YYY[500]<=>212.XXX.XXX.XXX[500]
      Feb 8 12:43:23 	racoon: [Branch2 VPN]: INFO: IPsec-SA expired: ESP/Tunnel 212.XXX.XXX.XXX[500]->92.YYY.YYY.YYY[500] spi=6...
      Feb 8 12:43:22 	racoon: [Branch2 VPN]: INFO: IPsec-SA expired: ESP/Tunnel 212.XXX.XXX.XXX[500]->92.YYY.YYY.YYY[500] spi=7...
      Feb 8 12:43:22 	racoon: [Branch2 VPN]: INFO: IPsec-SA expired: ESP 92.YYY.YYY.YYY[500]->212.XXX.XXX.XXX[500] spi=3...
      
      

      So, what is the point? In my opinion it could be a problem with the firewall, or with some IPSec buffer overflow or whatever, or, or, or.

      The connections are set to AES 256-bit for both P1 and P2 (like the first (working) Fritzbox). Could it help to change it to 3DES or something else? (Why would it?)

      Thanks,

      Jaroslaw

      EDIT 1:

      It seems like the Fritzbox has a fixed lifetime of 3600 sec. I changed the pfSense config to this value on both P1 and P2.
      I also activated DPD. Is there a possibility to tell pfSense to restart / reconnect the connection on a detected dead peer?

      EDIT 2:

      Ok, DPD deactivated again. VPN was disconnected after a few minutes. So, 3600 sec. is better than this :)

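      As an added defender-side example (not code from the post, from pfSense or from racoon), a small Python checker that reads racoon log lines in the format pasted above, reorders a newest-first paste oldest-first, and reports a peer whose IPsec-SA expired and whose rekeys since then only ended in "give up to get IPsec-SA" errors, so a tunnel that dies after the one-hour lifetime and silently stays down can be alerted on instead of found by hand. The sample lines, the addresses (RFC 5737 documentation ranges) and the wording of the "IPsec-SA established" line are assumptions; the "established" line does not appear in the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the racoon log format of the post above, pasted newest-first as on
# the forum. Addresses are RFC 5737 documentation ranges, not the poster's masked ones;
# the "IPsec-SA established" line format is an assumption (it is not in the post).
SAMPLE_LOG = """\
Feb 8 12:59:33 racoon: ERROR: 198.51.100.20 give up to get IPsec-SA due to time up to wait.
Feb 8 12:59:03 racoon: [Branch2 VPN]: INFO: initiate new phase 2 negotiation: 192.0.2.10[500]<=>198.51.100.20[500]
Feb 8 12:56:04 racoon: ERROR: 198.51.100.20 give up to get IPsec-SA due to time up to wait.
Feb 8 12:55:34 racoon: [Branch2 VPN]: INFO: initiate new phase 2 negotiation: 192.0.2.10[500]<=>198.51.100.20[500]
Feb 8 12:55:02 racoon: [Branch2 VPN]: [198.51.100.20] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
Feb 8 12:43:22 racoon: [Branch2 VPN]: INFO: IPsec-SA expired: ESP/Tunnel 198.51.100.20[500]->192.0.2.10[500] spi=7a
Feb 8 12:30:01 racoon: [Branch1 VPN]: INFO: IPsec-SA established: ESP/Tunnel 203.0.113.5[500]->192.0.2.10[500] spi=1c
Feb 8 12:30:00 racoon: [Branch1 VPN]: INFO: IPsec-SA expired: ESP/Tunnel 203.0.113.5[500]->192.0.2.10[500] spi=1b
"""

TS = re.compile(r"^\s*(\w{3})\s+(\d{1,2})\s+(\d\d:\d\d:\d\d)\s+racoon: (.*)$")
EXPIRED = re.compile(r"IPsec-SA expired: ESP(?:/Tunnel)? ([^\s\[]+)\[\d+\]->([^\s\[]+)\[\d+\]")
ESTABLISHED = re.compile(r"IPsec-SA established: ESP(?:/Tunnel)? ([^\s\[]+)\[\d+\]->([^\s\[]+)\[\d+\]")
INITIATE = re.compile(r"initiate new phase 2 negotiation: [^\s\[]+\[\d+\]<=>([^\s\[]+)\[\d+\]")
GIVEUP = re.compile(r"ERROR: (\S+) give up to get IPsec-SA")
IDPROT = re.compile(r"\[([^\]\s]+)\] ERROR: exchange Identity Protection not allowed")

def parse(text):
    """(timestamp, message) pairs oldest-first, whatever order the paste was in."""
    events = []
    for m in filter(None, map(TS.match, text.splitlines())):
        events.append((datetime.strptime(" ".join(m.group(1, 2, 3)), "%b %d %H:%M:%S"), m.group(4)))
    return sorted(events)

def stuck_peers(text, min_attempts=2):
    """Peers whose SA expired and whose rekeys since then only failed (Branch2 in the sample)."""
    state = defaultdict(lambda: {"expired": None, "attempts": 0, "giveups": 0, "idprot": 0})
    for ts, msg in parse(text):
        if m := EXPIRED.search(msg):
            for addr in m.groups():  # both ends appear; the local end never collects attempts
                state[addr]["expired"] = ts
        elif m := ESTABLISHED.search(msg):
            for addr in m.groups():  # tunnel is back: forget the failure history for it
                state.pop(addr, None)
        elif m := INITIATE.search(msg):
            state[m.group(1)]["attempts"] += 1
        elif m := GIVEUP.search(msg):
            state[m.group(1)]["giveups"] += 1
        elif m := IDPROT.search(msg):
            state[m.group(1)]["idprot"] += 1
    return {p: s for p, s in state.items()
            if s["expired"] and s["attempts"] >= min_attempts and s["giveups"]}
```

      Run it over a pasted log (or the output of `clog /var/log/ipsec.log` on a pfSense 2.0 box) and feed the returned peers to whatever alerting you use; the `idprot` count separates this "rejected by a foreign gateway" case from a plain timeout.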
      JaroslawS

        Is there a way to change the default ports for IPSec (500 and 4500) in pfSense?
        Primarily only the ports that pfSense uses for sending requests, not for listening, as I am not sure if I can change the ports in the Fritzbox.
        Can I route, for example, incoming port 4501 with the NAT rules to internal port 4500? Can I route outgoing port 4500 to e.g. 4501?

        EDIT

        Ohh, the installed version is 2.0.2-RELEASE (i386) BTW :D

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.