IPSEC - RC1 and RC2



  • Just wondering if something changed between RC1 and RC2?  When I was running RC1 I could ping either way, from the customer site to my site and from my site to the customer.  With the latest version of RC2 I can ping to the customer but the customer can't ping back to me.  I was wondering what might have changed, and if I have to create a rule to allow traffic from that network back to mine now.
    RC



  • You need to create a firewall rule to allow traffic.
    Firewall -> Rules -> IPsec tab



  • I will give it a try when I get home, thanks.
    RC



  • I am using the build that was created on Aug 20.  I enabled the IPsec rules and as soon as I did that, the firewall restarted every 10 to 15 minutes.  I disabled the rules and the server has been up and running for over an hour.

    Any thoughts?
    RC



  • @fastcon68:

    I am using the build that was created on Aug 20.  I enabled the IPsec rules and as soon as I did that, the firewall restarted every 10 to 15 minutes.  I disabled the rules and the server has been up and running for over an hour.

    Mine is not restarting, but when a client connects there is no sign of the connection in SAD and SPD and no traffic is going through (firewall is set to allow all). RC1 works OK. I have tried this on 3 different computers - same result.





  • @heiko:

    try the newest snapshot
    http://snapshots.pfsense.com/FreeBSD6/RELENG_1_2/updates/pfSense-Full-And-Embedded-Update-1.2-RC2.tgz
    and test it again

    It is working now. Now there is only one error on Overview page: Warning: Invalid argument supplied for foreach() in /usr/local/www/diag_ipsec.php on line 103 but SAD and SPD view are OK.



  • fastcon68: Can you still replicate the problem where it starts rebooting when you add IPsec rules? If so, it's panicking and I'd like to have you get us a backtrace.

    ssbaksa:  Can you post a screenshot of that error?



  • I can second what ssbaksa observed.
    After upgrading pfSense at my office to the current snapshot (1.2-RC2 built on Mon Sep 24 06:37:23 EDT 2007),
    the IPsec tunnel between home and office will not come up; instead I have these messages in Diagnostics: System logs: IPSEC VPN:

    Last 500 IPSEC log entries
    Sep 24 15:35:11 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.100.0/24[0] 192.168.2.0/24[0] proto=any dir=out"
    Sep 24 15:35:11 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.2.0/24[0] 192.168.100.0/24[0] proto=any dir=in"
    Sep 24 15:35:11 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 217.x.y.z[0]->62.a.b.c[0] spi=223941049(0xd5911b9)
    Sep 24 15:35:11 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 62.a.b.c[0]->217.x.y.z[0] spi=234153441(0xdf4e5e1)
    Sep 24 15:35:11 racoon: [Unknown Gateway/Dynamic]: INFO: no policy found, try to generate the policy : 192.168.2.0/24[0] 192.168.100.0/24[0] proto=any dir=in
    Sep 24 15:35:11 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: 217.x.y.z[0]<=>62.a.b.c[0]
    Sep 24 15:35:10 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established 217.x.y.z[500]-62.a.b.c[500] spi:8bb2affd47f2274b:42ee99b4ee3f2066
    Sep 24 15:35:10 racoon: INFO: received Vendor ID: DPD
    Sep 24 15:35:10 racoon: INFO: begin Aggressive mode.
    Sep 24 15:35:10 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 217.x.y.z[500]<=>62.a.b.c[500]
    Sep 24 15:24:03 racoon: INFO: unsupported PF_KEY message REGISTER
    Sep 24 15:24:03 racoon: INFO: fe80::…%fxp0[500] used as isakmp port (fd=24)
    Sep 24 15:24:03 racoon: [Self]: INFO: 10.0.1.1[500] used as isakmp port (fd=23)
    Sep 24 15:24:03 racoon: INFO: fe80::…%xl0[500] used as isakmp port (fd=22)
    Sep 24 15:24:03 racoon: [Self]: INFO: 192.168.100.99[500] used as isakmp port (fd=21)
    Sep 24 15:24:03 racoon: INFO: fe80::…%fxp1[500] used as isakmp port (fd=20)

    Actually, it worked before - I had just used it and saw the same message as ssbaksa on the newly created IPsec tab: Overview.
    Since the tunnel doesn't come up there is no entry to show any more.
    It was right underneath the 'Overview' tab, on top of the following table header.
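    To make sense of a racoon log like the one above without reading it line by line, here is an added example (not code from the thread or from pfSense) that parses the entries into phase 1 / phase 2 SAs and policy errors, then reports whether the tunnel negotiated and whether racoon complained about a missing SPD entry for the subnet pair you expect. The sample log is constructed to match the shape of the posted lines, with RFC 5737 documentation addresses standing in for the real gateways; the local/remote subnets passed to `assess()` are assumptions you would replace with your own Phase 2 settings.

```python
import re

# Constructed sample: racoon entries in the same shape as those posted in the
# thread, newest first as pfSense shows them, with documentation addresses in
# place of the real gateway IPs.
SAMPLE_LOG = """\
Sep 24 15:35:11 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.100.0/24[0] 192.168.2.0/24[0] proto=any dir=out"
Sep 24 15:35:11 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.2.0/24[0] 192.168.100.0/24[0] proto=any dir=in"
Sep 24 15:35:11 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 203.0.113.10[0]->198.51.100.20[0] spi=223941049(0xd5911b9)
Sep 24 15:35:11 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 198.51.100.20[0]->203.0.113.10[0] spi=234153441(0xdf4e5e1)
Sep 24 15:35:11 racoon: [Unknown Gateway/Dynamic]: INFO: no policy found, try to generate the policy : 192.168.2.0/24[0] 192.168.100.0/24[0] proto=any dir=in
Sep 24 15:35:11 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: 203.0.113.10[0]<=>198.51.100.20[0]
Sep 24 15:35:10 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established 203.0.113.10[500]-198.51.100.20[500] spi:8bb2affd47f2274b:42ee99b4ee3f2066
Sep 24 15:35:10 racoon: INFO: received Vendor ID: DPD
Sep 24 15:35:10 racoon: INFO: begin Aggressive mode.
"""

ISAKMP_RE = re.compile(r"ISAKMP-SA established (?P<a>[\d.]+)\[\d+\]-(?P<b>[\d.]+)\[\d+\]")
ESP_RE = re.compile(
    r"IPsec-SA established: ESP/Tunnel (?P<src>[\d.]+)\[\d+\]->(?P<dst>[\d.]+)\[\d+\] spi=(?P<spi>\d+)"
)
POLICY_ERR_RE = re.compile(
    r'such policy does not already exist: "(?P<src>[\d./]+)\[\d+\] (?P<dst>[\d./]+)\[\d+\] '
    r"proto=(?P<proto>\S+) dir=(?P<dir>\S+)\""
)
GEN_POLICY_RE = re.compile(
    r"no policy found, try to generate the policy : (?P<src>[\d./]+)\[\d+\] (?P<dst>[\d./]+)\[\d+\] "
    r"proto=(?P<proto>\S+) dir=(?P<dir>\S+)"
)


def parse_racoon_log(text):
    """Reduce racoon log lines to the facts that matter for a tunnel check."""
    summary = {"phase1": [], "phase2": [], "policy_errors": [],
               "generated_policies": [], "aggressive_mode": False}
    for line in text.splitlines():
        m = ISAKMP_RE.search(line)
        if m:
            summary["phase1"].append((m["a"], m["b"]))
            continue
        m = ESP_RE.search(line)
        if m:
            summary["phase2"].append((m["src"], m["dst"], int(m["spi"])))
            continue
        m = POLICY_ERR_RE.search(line)
        if m:
            summary["policy_errors"].append((m["src"], m["dst"], m["proto"], m["dir"]))
            continue
        m = GEN_POLICY_RE.search(line)
        if m:
            summary["generated_policies"].append((m["src"], m["dst"], m["proto"], m["dir"]))
            continue
        if "begin Aggressive mode" in line:
            summary["aggressive_mode"] = True
    return summary


def assess(summary, local_net, remote_net):
    """Turn the parsed summary into findings for one Phase 2 subnet pair."""
    findings = []
    if summary["phase1"]:
        a, b = summary["phase1"][0]
        findings.append("phase 1 OK: ISAKMP-SA established between %s and %s" % (a, b))
    else:
        findings.append("phase 1 FAILED: no ISAKMP-SA established")

    directions = {(src, dst) for src, dst, _ in summary["phase2"]}
    if len(directions) >= 2:
        findings.append("phase 2 OK: ESP SAs present in both directions")
    elif directions:
        findings.append("phase 2 PARTIAL: ESP SA in one direction only")
    else:
        findings.append("phase 2 FAILED: no ESP SAs established")

    # The errors in the thread name the subnet pair in both directions; if they
    # match the pair we expect, racoon could not find an SPD entry to update.
    expected = {(local_net, remote_net, "out"), (remote_net, local_net, "in")}
    missing = {(s, d, dr) for s, d, _, dr in summary["policy_errors"]} & expected
    if missing:
        findings.append("SPD WARNING: racoon found no existing policy for %s; "
                        "check the SPD view and the Phase 2 local/remote subnets"
                        % ", ".join("%s->%s (%s)" % m for m in sorted(missing)))

    if summary["aggressive_mode"]:
        findings.append("NOTE: phase 1 used Aggressive mode; with a pre-shared key this "
                        "exposes the identity hash to offline brute force, prefer Main mode")
    return findings


if __name__ == "__main__":
    s = parse_racoon_log(SAMPLE_LOG)
    # Assumed Phase 2 subnets for this example: office 192.168.100.0/24, home 192.168.2.0/24
    for f in assess(s, "192.168.100.0/24", "192.168.2.0/24"):
        print(f)
```

    Run it against a copy of the IPsec log from Diagnostics: System logs and substitute your own Phase 2 subnets; the "SPD WARNING" line is what the posted log above would produce, since the SAs come up while racoon reports that the policies for 192.168.100.0/24 and 192.168.2.0/24 do not exist.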



  • @cmb:

    ssbaksa:  Can you post a screenshot of that error?

    No luck there. Only one thing, but that is GUI: the tabs on the IPsec log page change to a BIG font, and only on that tab - the table is unaffected.



  • You are right, I can duplicate…

    but the tunnel is up…, strange




  • Yeah, mine is up again as well but still shows those errors.
    Took about half an hour or so with pfSense on both ends. Dunno why.



  • @cmb:

    Can you post a screenshot of that error?

    Since no one posted this screenshot and the problem still exists in recent builds here we go:

    ![pfSense IPsec overview error.png](/public/imported_attachments/1/pfSense IPsec overview error.png)



  • I have my pfSense firewall offline due to two issues.

    1.  If I enable the rule for IPsec, the firewall reboots every 5 minutes.
    2.  IPsec passthrough quit.

    Let me know what I can do to give you all any information.  I will even let you into the firewall remotely so that you can pull logs or any information.

    RC



  • The problem still exists in RC3. I really like the new IPsec connection status symbols and the IPsec highlighting in the log files. It would be great if the mobile clients could be shown as well.


