Address mismatched log flood



  • Hello everybody,

    I've a working IPSec tunnel, but the log is flooded with this:

    Jan 28 10:51:30 racoon: [vpn1]: [x.x.x.229] WARNING: remote address mismatched. db=x.x.x.229[4500], act=x.x.x.229[10012] 
    Jan 28 10:51:35 racoon: [vpn1]: [x.x.x.229] WARNING: remote address mismatched. db=x.x.x.229[4500], act=x.x.x.229[10012] 
    Jan 28 10:51:46 racoon: [vpn1]: [x.x.x.229] WARNING: remote address mismatched. db=x.x.x.229[4500], act=x.x.x.229[10012] 
    Jan 28 10:51:51 racoon: [vpn1]: [x.x.x.229] WARNING: remote address mismatched. db=x.x.x.229[4500], act=x.x.x.229[10012] 
    

    Looks like a NAT-T issue. Network setup is:

    pfSense <--> Wireless link (PPPoE) <--> Internet <--> ADSL router (NAT) <--> Fortigate

    I've other tunnels with similar configuration which do not show issues.

    Any idea?

    Regards,
      Corrado
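
    Added example (not part of Corrado's post): a small Python triage script for the racoon warning above. It parses "remote address mismatched" lines, tells a port-only mismatch (same peer address, NAT rewriting the UDP source port, as in the log quoted here) apart from a genuine address change, and flags a tunnel whose warnings arrive in a tight loop. The sample log is constructed: the vpn1 lines mirror the ones in the post, while the vpn2 peer (198.51.100.x) and the 60-second flood threshold are invented for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log. The vpn1 lines reproduce the symptom quoted in the
# thread (same address, port rewritten from 4500 to 10012); the vpn2 lines
# are invented to show a different shape of mismatch (address itself changed).
SAMPLE_LOG = """\
Jan 28 10:51:30 racoon: [vpn1]: [x.x.x.229] WARNING: remote address mismatched. db=x.x.x.229[4500], act=x.x.x.229[10012]
Jan 28 10:51:35 racoon: [vpn1]: [x.x.x.229] WARNING: remote address mismatched. db=x.x.x.229[4500], act=x.x.x.229[10012]
Jan 28 10:51:46 racoon: [vpn1]: [x.x.x.229] WARNING: remote address mismatched. db=x.x.x.229[4500], act=x.x.x.229[10012]
Jan 28 10:51:51 racoon: [vpn1]: [x.x.x.229] WARNING: remote address mismatched. db=x.x.x.229[4500], act=x.x.x.229[10012]
Jan 28 10:52:03 racoon: [vpn1]: [x.x.x.229] INFO: ISAKMP-SA established x.x.x.1[4500]-x.x.x.229[4500]
Jan 28 10:53:10 racoon: [vpn2]: [198.51.100.7] WARNING: remote address mismatched. db=198.51.100.7[4500], act=198.51.100.9[4500]
Jan 28 11:10:42 racoon: [vpn2]: [198.51.100.7] WARNING: remote address mismatched. db=198.51.100.7[4500], act=198.51.100.9[4500]
"""

# Matches the warning format seen in the post: syslog timestamp, tunnel tag,
# peer, then the configured (db) and observed (act) address[port] pairs.
MISMATCH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) racoon: "
    r"\[(?P<tunnel>[^\]]+)\]: \[(?P<peer>[^\]]+)\] WARNING: remote address mismatched\. "
    r"db=(?P<db_addr>[^\[\s]+)\[(?P<db_port>\d+)\], act=(?P<act_addr>[^\[\s]+)\[(?P<act_port>\d+)\]"
)


def parse_mismatch(line):
    """Return the fields of a 'remote address mismatched' warning, or None for any other line."""
    m = MISMATCH_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["db_port"] = int(rec["db_port"])
    rec["act_port"] = int(rec["act_port"])
    return rec


def classify(rec):
    """Label what differs between the configured (db) and observed (act) endpoint."""
    addr_diff = rec["db_addr"] != rec["act_addr"]
    port_diff = rec["db_port"] != rec["act_port"]
    if addr_diff and port_diff:
        return "address+port"
    if addr_diff:
        return "address"
    if port_diff:
        return "port"  # same peer, only the UDP port changed: NAT-T port rewriting
    return "none"


def summarize(log_text, flood_interval=60):
    """Aggregate mismatch warnings per tunnel: count, kind, observed ports, time span, flood flag."""
    per_tunnel = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_mismatch(line)
        if rec:
            per_tunnel[rec["tunnel"]].append(rec)
    summary = {}
    for tunnel, recs in per_tunnel.items():
        # syslog timestamps carry no year; differences are still correct within one day
        times = [datetime.strptime(r["ts"], "%b %d %H:%M:%S") for r in recs]
        span = int((max(times) - min(times)).total_seconds())
        kinds = {classify(r) for r in recs}
        avg_gap = span / (len(recs) - 1) if len(recs) > 1 else None
        summary[tunnel] = {
            "peer": recs[0]["peer"],
            "count": len(recs),
            "kind": kinds.pop() if len(kinds) == 1 else "mixed",
            "act_ports": sorted({r["act_port"] for r in recs}),
            "span_seconds": span,
            # "flood": at least three warnings averaging less than flood_interval apart
            "flood": len(recs) >= 3 and avg_gap is not None and avg_gap < flood_interval,
        }
    return summary


if __name__ == "__main__":
    for tunnel, info in summarize(SAMPLE_LOG).items():
        print(tunnel, info)
```

    Run against a real racoon log (for example piped from `clog /var/log/ipsec.log` on pfSense, or read from a file), the per-tunnel `kind` of "port" with a single stable `act_ports` value is the signature of a NAT device rewriting the NAT-T source port, which is distinct from a peer that has actually changed address.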



  • The issue seemed to go away yesterday when I restarted racoon, but today is back again.

    I would like to put racoon in debug mode, but I'm concerned about leaving debug mode on for a day or longer on a box with a dozen active tunnels.

    Is it possible to set debug mode on a single tunnel?

    Regards,
      Corrado



  • **FIXED**

    I got the issue on 2 tunnels out of a dozen.
    Apart from the log flood, the tunnels get stuck after a few weeks.
    The affected tunnels originated from the same ISP.

    I fixed the issue by disabling NAT-T.
    UDP encapsulation of IPSEC (NAT-T) kicks in as soon as NAT is detected, even though many SOHO routers can forward ESP when properly configured.

    I suggest always trying IPSEC without NAT-T first.
    If it works you save 8 bytes / packet (no extra UDP header) and lower the chances of packet fragmentation (it seems the IPSEC MTU is not adjusted by subtracting 8 bytes when using NAT-T).

    Regards,
      Corrado

