1.2-RC4 IPSec Tunnel problem



  • Hi all,

    I'm finally ready to put pfSense to the test, and what I'm trying to accomplish is setting up a site-to-site IPsec VPN tunnel between two office locations. I'm using the latest snapshot (1.2-RC4) of the pfSense image, and I'm able to set up the tunnel following the tutorial "configuring IPsec-tunnels with 2 pfSense-systems between static IP and dynamic IP". I use this tutorial as my guide because I have a static IP at one end and a dynamic one at the other end. After the tunnel was set up, I started to ping the IP address of a computer at the static location from the dynamic location. I saw the IPsec tunnel had established a connection under IPsec Status; however, when I check the IPsec connection log I see all kinds of errors.

    Static site error log:

    racoon: [Unknown Gateway/Dynamic]INFO:ISAKMP-SA deleted 62.251.x.x[500]-24.17.x.x[500]
    racoon: [Unknown Gateway/Dynamic]INFO:ISAKMP-SA expired 62.251.x.x[500]-24.17.x.x[500]
    racoon: INFO: received Vendor ID: DPD
    racoon: INFO: begin Aggressive mode.

    The list goes on…

    Dynamic site error log:

    racoon: INFO: unsupported PF_KEY message REGISTER
    racoon: INFO: fe80::...%fxp0[500] used as isakmp port (fd=24)
    racoon: [Self]: INFO: 10.0.1.1[500] used as isakmp port (fd=23)
    racoon: INFO: fe80::…%xl0[500] used as isakmp port (fd=22)
    racoon: [Self]: INFO: 192.168.100.99[500] used as isakmp port (fd=21)
    racoon: INFO: fe80::…%fxp1[500] used as isakmp port (fd=20)

    The list goes on…

    At the console of the pfSense box, where it says "Enter an option:", I got this error: "WARNING: pseudo random number generator used for IPSec processing"

    As I searched the forum looking for the answer to this problem, I read some previous posts that mentioned this problem; however, there is no solution to this problem yet.

    I wonder whether I did something wrong or there is still a bug in the latest snapshot. Thanks



  • This is an update to my previous post.

    As I mentioned in my previous post, I couldn't ping hosts on the opposite site, so I added an any-to-any rule under the IPsec tab on both of my pfSense boxes, and I can ping hosts on the opposite site now. However, I still get the error logs below.

    Jan 29 18:20:42 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "172.16.1.0/24[0] 192.168.1.0/24[0] proto=any dir=out"
    Jan 29 18:20:42 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.1.0/24[0] 172.16.1.0/24[0] proto=any dir=in"
    Jan 29 18:20:42 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 63.252.x.x[0]->24.17.x.x[0] spi=223333855(0xd4fcddf)
    Jan 29 18:20:42 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 24.17.x.x[0]->63.252.x.x[0] spi=101796693(0x6114b55)
    Jan 29 18:20:42 racoon: [Unknown Gateway/Dynamic]: INFO: Update the generated policy : 192.168.1.0/24[0] 172.16.1.0/24[0] proto=any dir=in
    Jan 29 18:20:42 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: 63.252.x.x[0]<=>24.17.x.x[0]
    Jan 29 18:20:41 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA expired: ESP/Tunnel 24.17.x.x[0]->63.252.x.x[0] spi=76670812(0x491e75c)
    Jan 29 18:20:41 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA expired: ESP/Tunnel 63.252.x.x[0]->24.17.x.x[0] spi=258166286(0xf634e0e)
    Jan 29 18:20:41 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established 63.252.x.x[500]-24.17.x.x[500] spi:57bbe8e812127d61:4ffe248e9b35525e
    Jan 29 18:20:41 racoon: INFO: received Vendor ID: DPD
    Jan 29 18:20:41 racoon: INFO: begin Aggressive mode.
    Jan 29 18:20:41 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 63.252.x.x[500]<=>24.17.x.x[500]
    Jan 29 18:07:39 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA deleted 63.252.x.x[500]-24.17.x.x[500] spi:f5a70c73dbf7f17a:baa137939e863faa
    Jan 29 18:07:38 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA expired 63.252.x.x[500]-24.17.x.x[500] spi:f5a70c73dbf7f17a:baa137939e863faa
    Jan 29 18:03:20 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA expired: ESP/Tunnel 24.17.x.x[0]->63.252.x.x[0] spi=27709746(0x1a6d132)
    Jan 29 18:03:20 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA expired: ESP/Tunnel 63.252.x.x[0]->24.17.x.x[0] spi=156434038(0x952fe76)
    Jan 29 18:03:20 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "172.16.1.0/24[0] 192.168.1.0/24[0] proto=any dir=out"
    Jan 29 18:03:20 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.1.0/24[0] 172.16.1.0/24[0] proto=any dir=in"
    Jan 29 18:03:20 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 63.252.x.x[0]->24.17.x.x[0] spi=258166286(0xf634e0e)
    Jan 29 18:03:20 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 24.17.x.x[0]->63.252.x.x[0] spi=76670812(0x491e75c)
    Jan 29 18:03:20 racoon: [Unknown Gateway/Dynamic]: INFO: Update the generated policy : 192.168.1.0/24[0] 172.16.1.0/24[0] proto=any dir=in
    Jan 29 18:03:20 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: 63.252.x.x[0]<=>24.17.x.x[0]
    Jan 29 17:45:59 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "172.16.1.0/24[0] 192.168.1.0/24[0] proto=any dir=out"
    Jan 29 17:45:59 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.1.0/24[0] 172.16.1.0/24[0] proto=any dir=in"
    Jan 29 17:45:59 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 63.252.x.x[0]->24.17.x.x[0] spi=156434038(0x952fe76)
    Jan 29 17:45:59 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 24.17.x.x[0]->63.252.x.x[0] spi=27709746(0x1a6d132)
    Jan 29 17:45:59 racoon: [Unknown Gateway/Dynamic]: INFO: Update the generated policy : 192.168.1.0/24[0] 172.16.1.0/24[0] proto=any dir=in
    Jan 29 17:45:59 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: 63.252.x.x[0]<=>24.17.x.x[0]
    Jan 29 17:45:58 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established 63.252.x.x[500]-24.17.x.x[500] spi:f5a70c73dbf7f17a:baa137939e863faa
    Jan 29 17:45:58 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA expired: ESP/Tunnel 24.17.x.x[0]->63.252.x.x[0] spi=93807457(0x5976361)
    Jan 29 17:45:58 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA expired: ESP/Tunnel 63.252.x.x[0]->24.17.x.x[0] spi=194346263(0xb957d17)
    Jan 29 17:45:58 racoon: INFO: received Vendor ID: DPD
    Jan 29 17:45:58 racoon: INFO: begin Aggressive mode.
    Jan 29 17:45:58 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 63.252.x.x[500]<=>24.17.x.x[500]
    Jan 29 17:32:55 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA deleted 63.252.x.x[500]-24.17.x.x[500] spi:35655904c9dd2b82:fe13b72433648a8c
    Jan 29 17:32:54 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA expired 63.252.x.x[500]-24.17.x.x[500] spi:35655904c9dd2b82:fe13b72433648a8c
    Jan 29 17:28:37 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "172.16.1.0/24[0] 192.168.1.0/24[0] proto=any dir=out"
    Jan 29 17:28:37 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.1.0/24[0] 172.16.1.0/24[0] proto=any dir=in"
    Jan 29 17:28:37 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 63.252.x.x[0]->24.17.x.x[0] spi=194346263(0xb957d17)
    Jan 29 17:28:37 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 24.17.x.x[0]->63.252.x.x[0] spi=93807457(0x5976361)
    Jan 29 17:28:37 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA expired: ESP/Tunnel 24.17.x.x[0]->63.252.x.x[0] spi=251122055(0xef7d187)
    Jan 29 17:28:37 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA expired: ESP/Tunnel 63.252.x.x[0]->24.17.x.x[0] spi=146921658(0x8c1d8ba)
    Jan 29 17:28:37 racoon: [Unknown Gateway/Dynamic]: INFO: Update the generated policy : 192.168.1.0/24[0] 172.16.1.0/24[0] proto=any dir=in
    Jan 29 17:28:37 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: 63.252.x.x[0]<=>24.17.x.x[0]
    Jan 29 17:11:16 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "172.16.1.0/24[0] 192.168.1.0/24[0] proto=any dir=out"
    Jan 29 17:11:16 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.1.0/24[0] 172.16.1.0/24[0] proto=any dir=in"
    Jan 29 17:11:16 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 63.252.x.x[0]->24.17.x.x[0] spi=146921658(0x8c1d8ba)
    Jan 29 17:11:16 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 24.17.x.x[0]->63.252.x.x[0] spi=251122055(0xef7d187)
    Jan 29 17:11:15 racoon: [Unknown Gateway/Dynamic]: INFO: Update the generated policy : 192.168.1.0/24[0] 172.16.1.0/24[0] proto=any dir=in
    Jan 29 17:11:15 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: 63.252.x.x[0]<=>24.17.x.x[0]

    Please let me know if there is a fix for this yet, or can someone let me know whether you have set up an IPsec tunnel with the latest snapshot successfully. Thanks



  • With 1.2-RC4 IPsec runs fine and stably, either with two static endpoints or with one dynamic and one static. Please double-check your config.



  • Hi heiko, and thank you very much for replying to my post. It's great to hear that you got your IPsec tunnel up and running.

    Can you please describe a little about how you configured your IPsec tunnel? I followed the tutorial "configuring IPsec-tunnels with 2 pfSense-systems between static IP and dynamic IP", but there is something I didn't do right, I guess.

    By looking at the error log, can you tell what those errors were about? Thanks once again.



  • Please post screenshots of your WebGUI tunnel configuration



  • heiko, I've decided to tear down the box and rebuild it, and if I run into this problem again I will post screenshots for you. Thank you very much



  • Ok, you have my attention



  • I had a similar problem with 1.2-RC3. It was odd: I only had a problem after the upgrade. I ended up rebuilding after I saved my configuration and printed it out so I could rebuild. That is not an option now. My configuration is too complex now.

    I only upgrade when I run into a weird issue. I have one issue now where I can't access the admin tool over HTTPS from the WAN side. I have production to be concerned with, and it costs too much to have it down.

    RC



  • Hi fastcon68,

    The weirdest part is that even though I'm getting those error logs, my IPsec tunnel is still up and running and I can transmit data back and forth between my sites.



  • I will check my log files to see if I am getting the same errors. I'll post in a few minutes. I am waiting for the site to come up.
    RC



  • @jle2005:

    Hi fastcon68,

    The weirdest part is that even though I'm getting those error logs, my IPsec tunnel is still up and running and I can transmit data back and forth between my sites.

    Fine



  • Hi heiko,

    Is it really fine? Do those error logs affect the IPsec tunnel performance at all?



  • @jle2005:

    Hi heiko,

    Is it really fine? Do those error logs affect the IPsec tunnel performance at all?

    I think you have the tunnel up and running! Which error logs do you mean?



  • heiko,

    I think you have the tunnel up and running! Which error logs do you mean?

    The error logs below and those in my previous posts.

    Jan 29 18:20:42    racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "172.16.1.0/24[0] 192.168.1.0/24[0] proto=any dir=out"
    Jan 29 18:20:42    racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.1.0/24[0] 172.16.1.0/24[0] proto=any dir=in"
    Jan 29 18:20:42    racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 63.252.x.x[0]->24.17.x.x[0] spi=223333855(0xd4fcddf)
    Jan 29 18:20:42    racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 24.17.x.x[0]->63.252.x.x[0] spi=101796693(0x6114b55)
    Jan 29 18:20:42    racoon: [Unknown Gateway/Dynamic]: INFO: Update the generated policy : 192.168.1.0/24[0] 172.16.1.0/24[0] proto=any dir=in
    Jan 29 18:20:42    racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: 63.252.x.x[0]<=>24.17.x.x[0]
    Jan 29 18:20:41    racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA expired: ESP/Tunnel 24.17.x.x[0]->63.252.x.x[0] spi=76670812(0x491e75c)
    Jan 29 18:20:41    racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA expired: ESP/Tunnel 63.252.x.x[0]->24.17.x.x[0] spi=258166286(0xf634e0e)
    Jan 29 18:20:41    racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established 63.252.x.x[500]-24.17.x.x[500] spi:57bbe8e812127d61:4ffe248e9b35525e
    Jan 29 18:20:41    racoon: INFO: received Vendor ID: DPD
    Jan 29 18:20:41    racoon: INFO: begin Aggressive mode.
    Jan 29 18:20:41    racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 63.252.x.x[500]<=>24.17.x.x[500]
    Jan 29 18:07:39    racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA deleted 63.252.x.x[500]-24.17.x.x[500] spi:f5a70c73dbf7f17a:baa137939e863faa
    Jan 29 18:07:38    racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA expired 63.252.x.x[500]-24.17.x.x[500] spi:f5a70c73dbf7f17a:baa137939e863faa
    Jan 29 18:03:20    racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA expired: ESP/Tunnel 24.17.x.x[0]->63.252.x.x[0] spi=27709746(0x1a6d132)
    Jan 29 18:03:20    racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA expired: ESP/Tunnel 63.252.x.x[0]->24.17.x.x[0] spi=156434038(0x952fe76)
    Jan 29 18:03:20    racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "172.16.1.0/24[0] 192.168.1.0/24[0] proto=any dir=out"
    Jan 29 18:03:20    racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.1.0/24[0] 172.16.1.0/24[0] proto=any dir=in"
    Jan 29 18:03:20    racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 63.252.x.x[0]->24.17.x.x[0] spi=258166286(0xf634e0e)
    Jan 29 18:03:20    racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 24.17.x.x[0]->63.252.x.x[0] spi=76670812(0x491e75c)
    Jan 29 18:03:20    racoon: [Unknown Gateway/Dynamic]: INFO: Update the generated policy : 192.168.1.0/24[0] 172.16.1.0/24[0] proto=any dir=in
    Jan 29 18:03:20    racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: 63.252.x.x[0]<=>24.17.x.x[0]



  • The error messages about policies not already existing are not errors.

    This is normal. It does not affect the operation of the tunnel.

    Kind regards,

    Seth
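Since the "such policy does not already exist" lines are benign, the useful check on a log like the one posted above is to separate them from real errors and confirm the ESP SAs are living a full lifetime before they rekey, rather than flapping. The script below is an added example, not code from this thread or from pfSense/racoon: it parses racoon lines in the format shown in the posts, tracks each ESP SA by SPI from "established" to "expired", counts the benign policy messages separately from other ERROR lines, and gives a simple verdict. The two embedded logs are constructed (RFC 5737 documentation addresses, made-up SPIs and times, and a made-up flapping sequence); the 300-second minimum lifetime used by `assess()` is an arbitrary threshold, not a racoon setting.

```python
import re
from datetime import datetime

# Constructed sample in the racoon log format seen in this thread (documentation
# addresses, invented SPIs and times). Three phase 2 rekeys about 17 minutes apart,
# each preceded by the benign "such policy does not already exist" pair.
HEALTHY_LOG = """\
Jan 29 17:11:16 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 198.51.100.2[0]->203.0.113.1[0] spi=16777217(0x1000001)
Jan 29 17:11:16 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 203.0.113.1[0]->198.51.100.2[0] spi=16777218(0x1000002)
Jan 29 17:11:16 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.1.0/24[0] 172.16.1.0/24[0] proto=any dir=in"
Jan 29 17:11:16 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "172.16.1.0/24[0] 192.168.1.0/24[0] proto=any dir=out"
Jan 29 17:28:37 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA expired: ESP/Tunnel 203.0.113.1[0]->198.51.100.2[0] spi=16777218(0x1000002)
Jan 29 17:28:37 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA expired: ESP/Tunnel 198.51.100.2[0]->203.0.113.1[0] spi=16777217(0x1000001)
Jan 29 17:28:37 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 198.51.100.2[0]->203.0.113.1[0] spi=16777219(0x1000003)
Jan 29 17:28:37 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 203.0.113.1[0]->198.51.100.2[0] spi=16777220(0x1000004)
Jan 29 17:28:37 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.1.0/24[0] 172.16.1.0/24[0] proto=any dir=in"
Jan 29 17:28:37 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "172.16.1.0/24[0] 192.168.1.0/24[0] proto=any dir=out"
Jan 29 17:45:58 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established 203.0.113.1[500]-198.51.100.2[500] spi:f5a70c73dbf7f17a:baa137939e863faa
Jan 29 17:45:59 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA expired: ESP/Tunnel 198.51.100.2[0]->203.0.113.1[0] spi=16777219(0x1000003)
Jan 29 17:45:59 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA expired: ESP/Tunnel 203.0.113.1[0]->198.51.100.2[0] spi=16777220(0x1000004)
Jan 29 17:45:59 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 198.51.100.2[0]->203.0.113.1[0] spi=16777221(0x1000005)
Jan 29 17:45:59 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 203.0.113.1[0]->198.51.100.2[0] spi=16777222(0x1000006)
Jan 29 17:45:59 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.1.0/24[0] 172.16.1.0/24[0] proto=any dir=in"
Jan 29 17:45:59 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "172.16.1.0/24[0] 192.168.1.0/24[0] proto=any dir=out"
"""

# Constructed counter-example: an SA that dies after 7 seconds and a real error.
FLAPPING_LOG = """\
Jan 29 18:00:00 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 203.0.113.1[0]->198.51.100.2[0] spi=16777223(0x1000007)
Jan 29 18:00:07 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA expired: ESP/Tunnel 203.0.113.1[0]->198.51.100.2[0] spi=16777223(0x1000007)
Jan 29 18:00:40 racoon: ERROR: phase1 negotiation failed due to time up.
"""

# Tolerates both "[tag]: INFO:" and "[tag]INFO:" as well as untagged lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) racoon: (?:\[[^\]]*\]:? ?)?"
    r"(?P<level>INFO|ERROR|WARNING|NOTIFY|DEBUG): (?P<msg>.*)$"
)
ESP_RE = re.compile(
    r"IPsec-SA (?P<what>established|expired): ESP/Tunnel "
    r"(?P<src>[\w.:]+)\[\d+\]->(?P<dst>[\w.:]+)\[\d+\] spi=(?P<spi>\d+)"
)
# ERROR messages that racoon emits on a working tunnel (per Seth's reply above).
BENIGN_ERROR_PREFIXES = ("such policy does not already exist",)


def analyze(log_text):
    """Walk the log and summarize ESP SA lifetimes and error classes."""
    sas = {}            # spi -> record, in order of establishment
    benign = 0
    other_errors = []
    isakmp = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; only differences are used, so the
        # default year 1900 is fine unless a log spans a year or Feb 29 boundary.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        level, msg = m["level"], m["msg"]
        if level == "ERROR":
            if msg.startswith(BENIGN_ERROR_PREFIXES):
                benign += 1
            else:
                other_errors.append(msg)
            continue
        if msg.startswith("ISAKMP-SA established"):
            isakmp += 1
            continue
        e = ESP_RE.search(msg)
        if e:
            spi = int(e["spi"])
            if e["what"] == "established":
                sas[spi] = {"src": e["src"], "dst": e["dst"], "up": ts, "down": None}
            elif spi in sas:            # ignore expiries for SAs we never saw come up
                sas[spi]["down"] = ts
    lifetimes = [int((r["down"] - r["up"]).total_seconds())
                 for r in sas.values() if r["down"] is not None]
    return {
        "benign_policy_errors": benign,
        "other_errors": other_errors,
        "isakmp_sa_established": isakmp,
        "esp_sa_lifetimes": lifetimes,
        "active_sas": [spi for spi, r in sas.items() if r["down"] is None],
    }


def assess(summary, min_lifetime=300):
    """Return (healthy, reasons). min_lifetime is an arbitrary flapping threshold."""
    reasons = []
    if summary["other_errors"]:
        reasons.append("%d non-benign ERROR lines" % len(summary["other_errors"]))
    short = [t for t in summary["esp_sa_lifetimes"] if t < min_lifetime]
    if short:
        reasons.append("%d ESP SAs lived under %ds (flapping?)" % (len(short), min_lifetime))
    if not summary["active_sas"]:
        reasons.append("no ESP SA currently established")
    return (not reasons, reasons)


if __name__ == "__main__":
    for name, log in (("healthy", HEALTHY_LOG), ("flapping", FLAPPING_LOG)):
        s = analyze(log)
        print(name, s, assess(s))
```

On the healthy sample every ESP SA lives about 17 minutes before its replacement appears, the six policy messages are counted as benign and no other errors remain, so the verdict is healthy; the flapping sample trips all three checks. To run it against a real pfSense box, feed it the IPsec log text instead of the embedded samples.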



  • Thanks for letting me know that Seth.

