Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    IPSec Security policy deleted just after establishing SA's

    IPsec
    1
    3
    2.6k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • I
      itsol
      last edited by

      Hi all!

      I'm trying to set up a connection between PfSense 2.1 (static IP) and a Fritzbox 2170 (dynamic IP)

      The tunnel initially establishes fine, but after a disconnect and change of the Fritzboxes public IP-Adress the Tunnel doesn't rebuild properly.

      Phase 1 happens, Phase 2 happens, SA's are generated. Tunnel up for seconds. Then within seconds a new Phase 2 is initiated by Racoon, new SA's are built and added and then I get: "deleting a generated Policy". Over and out. Thats it. Tunnel won't reconnect automatically anymore. No Security Policy there, it got deleted as racoon tells me. Afterwards for at least 30 minutes nothing happens. No Log-Entries.

      Restarting Racoon leads to the same behaviour. Only stopping Racoon, deleting the SA's manually (on the PfSense Source Side there is always 0 B traffic) and then restarting Racoon works. Tunnel is up, Traffic is flowing, Rekeying is smooth, no issues. Until the Public IP of the Fritzbox has changed again. (For testing purposes I tried restarting the Fritzbox as well as pulling the DSL Cable as I can't find no other way in getting a new IP, but sure I waited for the automatic disconnect at night too.

      The Dynamic Hostname used in the config is always well updated and I can see in the logs the new IP Adress.

      What does this mean? why is Racoon establishing two Phase 2's within 5 seconds? First responding second initiating. And then deletes the just generated correct SP without even generating a new one? Still a bug? I've tried to read everything on similar issues I could find, there have been bugs with reconnecting, but they all seem to be fixed by now. (?)

      I've checked the configs on both sides, tried every possible setting systematically, deleted the Settings, generated them again, rechecked them and so on. I'm stuck. Although I hear it is possible to connect the Fritzbox to PfSense it won't work for me.

      The Logfile:

      |
      Jan 30 21:30:42 racoon: INFO: purged IPsec-SA proto_id=ESP spi=377696948.
      Jan 30 21:30:42 racoon: INFO: deleting a generated policy.
      Jan 30 21:30:41 racoon: [fritze]: INFO: IPsec-SA established: ESP my static ip[500]->my dynamic ip[500] spi=2336167132(0x8b3f14dc)
      Jan 30 21:30:41 racoon: [fritze]: INFO: IPsec-SA established: ESP my static ip[500]->my dynamic ip[500] spi=114445326(0x6d24c0e)
      Jan 30 21:30:41 racoon: WARNING: attribute has been modified.
      Jan 30 21:30:41 racoon: [fritze]: INFO: initiate new phase 2 negotiation: my static ip[500]<=>my dynamic ip[500]
      Jan 30 21:30:19 racoon: [fritze]: INFO: IPsec-SA established: ESP my static ip[500]->my dynamic ip[500] spi=563254625(0x21929561)
      Jan 30 21:30:19 racoon: [fritze]: INFO: IPsec-SA established: ESP my static ip[500]->my dynamic ip[500] spi=222644338(0xd454872)
      Jan 30 21:30:19 racoon: WARNING: attribute has been modified.
      Jan 30 21:30:19 racoon: [fritze]: INFO: initiate new phase 2 negotiation: my static ip[500]<=>my dynamic ip[500]
      Jan 30 21:30:19 racoon: [fritze]: INFO: IPsec-SA established: ESP my static ip[500]->my dynamic ip[500] spi=377696948(0x168332b4)
      Jan 30 21:30:19 racoon: [fritze]: INFO: IPsec-SA established: ESP my static ip[500]->my dynamic ip[500] spi=260905455(0xf8d19ef)
      Jan 30 21:30:18 racoon: INFO: Update the generated policy : 192.168.3.0/24[0] 192.168.1.0/24[0] proto=any dir=in
      Jan 30 21:30:18 racoon: [fritze]: INFO: respond new phase 2 negotiation: my static ip[500]<=>my dynamic ip[500]
      Jan 30 21:30:18 racoon: [fritze]: INFO: ISAKMP-SA established my static ip[500]-my dynamic ip[500] spi:4f68c401b355ab8a:fcef2c8ea1c4b31d
      Jan 30 21:30:18 racoon: [fritze]: [85.180.149.189] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
      Jan 30 21:30:18 racoon: INFO: Adding xauth VID payload.
      Jan 30 21:30:18 racoon: INFO: received Vendor ID: DPD
      Jan 30 21:30:18 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
      Jan 30 21:30:18 racoon: INFO: begin Aggressive mode.
      Jan 30 21:30:18 racoon: [fritze]: INFO: respond new phase 1 negotiation: my static ip[500]<=>my dynamic ip[500]
      Jan 30 21:30:17 racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.1.99/32[0] proto=any dir=in
      Jan 30 21:30:17 racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.99/32[0] 192.168.1.0/24[0] proto=any dir=out
      Jan 30 21:30:17 racoon: INFO: unsupported PF_KEY message REGISTER
      Jan 30 21:30:17 racoon: [Self]: INFO: my static ip[500] used as isakmp port (fd=10)
      Jan 30 21:30:17 racoon: [Self]: INFO: my static ip[500] used for NAT-T
      Jan 30 21:30:17 racoon: [Self]: INFO: my static ip[4500] used as isakmp port (fd=9)
      Jan 30 21:30:17 racoon: [Self]: INFO: my static ip [4500] used for NAT-T
      Jan 30 21:30:17 racoon: INFO: Reading configuration from "/var/etc/ipsec/racoon.conf"
      Jan 30 21:30:17 racoon: INFO: @(#)This product linked OpenSSL 1.0.1e 11 Feb 2013 (http://www.openssl.org/)
      Jan 30 21:30:17 racoon: INFO: @(#)ipsec-tools 0.8.1 (http://ipsec-tools.sourceforge.net)

      |

      My Settings: Phase 1 mutual psk - aggressive - unique - obey (strict makes no difference) - 3des - sha1 - keygroup 1 - lifetime 3600 - nat -disabled - dpd enabled

      Phase 2: networks as above - esp - 3des - sha1 - keygroup 1 - lifetime 3600 - ping host internal fritzbox adress.

      This is confirmed as a (the only) working configuration between PfSense and Fritzbox.

      Anyone any idea?

      I wanted to set up another PfSense tonight for replacing the Fritz and do some testing but they used Torx screws for the case and my screwdriver is the wrong size… arghhhh....

      Tell me I'm not alone as there are similar but not same problems posted on the resources I could find. ;-)

      Thanks in advance for every input.

      itsol

      Edit:

      Forgot to mention, maybe of some importance. Although Pfsense shows the Tunnel with the yellow cross as inactive the Fritzbox believes it is up. Maybe due to traffic flowing from there to PfSense as can be seen under SAD Tab. 0 B Source PfSense, increasing value Source Fritzbox (constant Ping that's lost in some Black Hole in PfSense) ;-)

      1 Reply Last reply Reply Quote 0
      • I
        itsol
        last edited by

        Alright. I just set up a second PfSense replacing the Fritzbox.

        Changed behaviour: Generating Phase 2 SA's every minute. No traffic. No connection.
        Even the procedure of deleting SA's and restarting Racoon doesn't work anymore. No matter what side. (Fritz was obviously great dealing with errors)

        May the installation of the "static" box be just "broken"? The new box on 2.1 embedded should be alright.

        Ain't there any way to track down the problem without just reinstalling PfSense? Is it safe to reimport the configuration and alongside packages or is it likely to reimport the error?

        Is it likely to get response after more than 24 hours? There are some threads here with similar problems without any answer and no update of the TO out of frustration I think…

        I'd really appreciate some response...

        itsol

        1 Reply Last reply Reply Quote 0
        • I
          itsol
          last edited by

          Me responding to myself again. ;-)

          Could please someone give me an answer why I didn't get any response? Stupid Question? (I don't think so)

          Not enough information given?

          Everyone assuming me to be unable to check for similar entries on both sides of the tunnel?

          I assume noone had any idea. Well I was hoping for advice of some experienced users / admins here….

          Nonetheless I fixed it finally by reinstalling one PfSense Box (the "Static" one) after it gave me an error every time i tried to save the Phase 1 Settings. (Acknowledge All Notices -Date- [ pfSense is restoring the configuration /cf/conf/backup/config-1391473112.xml] )

          Restoring my backed-up configuration led to the same error, so I installed again from scratch. ;-) (Hope no neighbour heard me…)

          Turned out that the "restoring configuration" error at saving the Phase 1 settings seems to be a reproduceble bug, when a german umlaut (ß, ü, ä ...) is used in the PSK.  https://redmine.pfsense.org/issues/3401 (NOT used initially, just used later to have an "easy to type key")

          The 2 PfSenses are working together now with the settings Fritzbox needs. Still the reconnecting issue though, which seems to be fixed in 2.1.1 prerelease. https://redmine.pfsense.org/issues/3321

          I don't expect any errors connecting the Fritzbox tomorrow.

          Conclusion:

          1.: There must have been a bug in the installation / configuration that produced the initial problem without any errors in the logfiles and was resolved by reinstalling. Restoring the configuration should have worked, it just restored the faulty characters too. ;-)
          2.: If there is a bug in any Software I use, I,ll run into it. Karma.
          3.: Don't try to get help in Internet Forums, if the solution is not already posted.

          CU

          itsol

          1 Reply Last reply Reply Quote 0
          • First post
            Last post