IPSEC Issue after release Candidate 5



  • I have only run into 1 issue.  IPSEC perfect security setting for type 2 reset to the wrong type after the update.  I quickly reset them to the right type and no issue.  It's actually a lot faster than other releases.

    I noticed that the tunnels reconnect a lot faster and they seem to be really stable.
    RC



  • Yes, IPSEC is working a lot better.

    BUT, I can not parse your bug report.  Perhaps you can take a screenshot so I know what you mean?



  • Today I have tested rc 5 with the ipsec-tools 0.7 and it makes me crazy…

    I have issues with mobile connections with pfsense dynamic to pfsense static…

    Feb 10 22:49:17 racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, 5212ec2953c107ea:ed27fa3f24051a1a:0000c586
    Feb 10 22:48:33 last message repeated 2 times
    Feb 10 22:48:10 racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, 5212ec2953c107ea:ed27fa3f24051a1a:00009eec
    Feb 10 22:46:12 last message repeated 2 times
    Feb 10 22:45:53 racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, 5212ec2953c107ea:ed27fa3f24051a1a:0000fd98

    and this one static to static

    Feb 10 21:04:29 racoon: [OSNXtoLONX]: INFO: phase2 sa expired 62.8.158.118-217.6.55.4
    Feb 10 21:04:18 racoon: ERROR: phase1 negotiation failed due to send error. 6b3fb8b20f48f798:0000000000000000
    Feb 10 21:04:18 racoon: ERROR: sendfromto failed

    and this one…

    racoon: INFO: begin Identity Protection mode.
    Feb 10 21:06:26 racoon: [OSNXtoLONX]: INFO: initiate new phase 1 negotiation: 62.8.158.118[500]<=>217.6.55.4[500]
    Feb 10 21:06:26 racoon: [OSNXtoLONX]: INFO: IPsec-SA request for 217.6.55.4 queued due to no phase1 found.
    Feb 10 21:06:26 racoon: ERROR: execve("^H") failed: No such file or directory
    Feb 10 21:06:26 racoon: [OSNXtoLONX]: INFO: ISAKMP-SA deleted 62.8.158.118[500]-217.6.55.4[500] spi:bedc3f1ad10de7df:0000000000000000

    rc5 and ipsec isn't OK at the moment.

    heiko

    P.S.: this config above worked as it should with rc4, and Seth and Timo should look into this…



  • This is very interesting, I can not replicate this yet. I also have a dynamic ipsec to static ipsec and it appears to be still working.

    What really confuses me is the racoon execve error. I have no idea where that is coming from.
    This makes me think the snapshot is corrupt. Can you download it again and try?

    The "failed due to send error" error makes me think the firewall can not communicate to the outside world. Is this VPN connection using a 2nd WAN connection or an OPT interface?

    The Phase 2 timeout and the "can not start quick mode" errors probably point to a VPN tunnel that is not connecting because one of the firewalls thinks the VPN tunnel is still active.

    Did this VPN tunnel come up after the Phase1 and Phase2 timeouts expired?



  • I have 4 static vpn tunnels.  Only the phase 2 PFS key group changed from 2 (1024 bit) to 1 (768 bit); all other settings stayed intact.

    RC
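The two failure reports above (the racoon errors and the PFS group being reset from group 2 to group 1) can both be checked mechanically. The following Python script is an added example, not code from this thread or from pfSense: it classifies racoon log lines by the signatures discussed here (no ISAKMP-SA, send errors, expired phase 2 SAs, the execve failure) and flags tunnels whose phase 2 PFS group is below a chosen minimum. The sample log is constructed from the lines posted above; the assumption that pfSense shows the newest line first is taken from the order of those posts; the category names, the cause text and the `tunnels` dictionary shape are this example's own; the 768/1024-bit sizes for DH groups 1 and 2 are from the thread, and 1536/2048 for groups 5 and 14 are the standard values.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: racoon lines as posted in this thread, newest first as pfSense shows them.
SAMPLE_LOG = """\
Feb 10 22:49:17 racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, 5212ec2953c107ea:ed27fa3f24051a1a:0000c586
Feb 10 22:48:33 last message repeated 2 times
Feb 10 22:48:10 racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, 5212ec2953c107ea:ed27fa3f24051a1a:00009eec
Feb 10 21:06:26 racoon: ERROR: execve("^H") failed: No such file or directory
Feb 10 21:06:26 racoon: [OSNXtoLONX]: INFO: initiate new phase 1 negotiation: 62.8.158.118[500]<=>217.6.55.4[500]
Feb 10 21:04:29 racoon: [OSNXtoLONX]: INFO: phase2 sa expired 62.8.158.118-217.6.55.4
Feb 10 21:04:18 racoon: ERROR: phase1 negotiation failed due to send error. 6b3fb8b20f48f798:0000000000000000
Feb 10 21:04:18 racoon: ERROR: sendfromto failed
"""

# Signature -> (category, likely cause). The mapping is this example's own, distilled from the thread.
SIGNATURES = [
    (re.compile(r"no ISAKMP-SA"), "stale_phase1",
     "quick mode attempted with no phase 1 SA; a peer may still consider the tunnel active"),
    (re.compile(r"phase2 sa expired"), "phase2_expired",
     "phase 2 SA lifetime elapsed; a rekey should follow"),
    (re.compile(r"send error|sendfromto failed"), "send_failure",
     "racoon could not transmit; check reachability of the peer from the interface in use"),
    (re.compile(r"execve\("), "broken_install",
     "racoon tried to run a missing helper; suspect a corrupt snapshot or install"),
]

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<msg>.*)$")
REPEAT_RE = re.compile(r"last message repeated (\d+) times")


def classify(msg):
    """Return the category of one racoon message, or 'other' if no signature matches."""
    for pattern, category, _ in SIGNATURES:
        if pattern.search(msg):
            return category
    return "other"


def parse_racoon_log(text):
    """Return (timestamp, category, message) events in chronological order.

    'last message repeated N times' lines are expanded into N copies of the
    preceding event, which is why the log is put into oldest-first order first."""
    rows = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year unknown; fine for ordering
            rows.append((ts, m.group("msg")))
    if len(rows) > 1 and rows[0][0] > rows[-1][0]:
        rows.reverse()  # newest-first display -> oldest-first processing
    events, last = [], None
    for ts, msg in rows:
        rep = REPEAT_RE.search(msg)
        if rep:
            if last is not None:
                events.extend([(ts, last[1], last[2])] * int(rep.group(1)))
            continue
        if not msg.startswith("racoon:"):
            continue
        last = (ts, classify(msg), msg)
        events.append(last)
    return events


def triage(text):
    """Count events per category and attach the likely cause for each category seen."""
    counts = Counter(category for _, category, _ in parse_racoon_log(text))
    notes = {category: cause for _, category, cause in SIGNATURES if counts.get(category)}
    return counts, notes


# Modulus sizes of the IKE DH groups; 1 and 2 are the groups named in the thread.
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048}


def weak_pfs_groups(tunnels, minimum_bits=1024):
    """Return names of tunnels whose phase 2 PFS group is smaller than minimum_bits.

    `tunnels` maps tunnel name -> PFS DH group number, or None when PFS is off."""
    return [name for name, group in tunnels.items()
            if group is not None and DH_GROUP_BITS.get(group, 0) < minimum_bits]


if __name__ == "__main__":
    counts, notes = triage(SAMPLE_LOG)
    for category, n in counts.most_common():
        print(f"{category:15s} {n:3d}  {notes.get(category, '')}")
    # Constructed tunnel set: one tunnel silently dropped to group 1 after the upgrade.
    print("weak PFS:", weak_pfs_groups({"OSNXtoLONX": 2, "site-b": 1, "mobile": None}))
```

Run against the real IPsec log the same way; a non-empty `weak_pfs_groups` result after an upgrade is the condition the poster above hit, and a `broken_install` hit is the case where reinstalling from a fresh download is the first thing to try.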



  • @databeestje:

    This is very interesting, I can not replicate this yet. I also have a dynamic ipsec to static ipsec and it appears to be still working.

    What really confuses me is the racoon execve error. I have no idea where that is coming from.
    This makes me think the snapshot is corrupt. Can you download it again and try?

    The "failed due to send error" error makes me think the firewall can not communicate to the outside world. Is this VPN connection using a 2nd WAN connection or an OPT interface?

    The Phase 2 timeout and the "can not start quick mode" errors probably point to a VPN tunnel that is not connecting because one of the firewalls thinks the VPN tunnel is still active.

    Did this VPN tunnel come up after the Phase1 and Phase2 timeouts expired?

    I have made a downgrade to rc4 and it seems that all of the tunnels work. I don't know what happened with rc5, maybe a broken snapshot… The OPT interface is in use, but only for the DMZ, not IPSEC from the OPT interface. Thanks for your help. Heiko



  • I'll look into this at work. I will reinstall my machine with a current snapshot at work.

    I have no idea why your PFS does not work anymore. I currently use PFS with DH group 2 for my static-static vpn connections and without PFS for my mobile connections.

    All of them work normally. So I can not really explain it yet. I will try a fresh install and see if that is the problem.

    Kind regards,

    Seth



  • Thanks for your test Seth!

    I will also duplicate my downgraded rc4 machine config and import it into a clean, fresh rc5 installation. Give me two or 3 days and we will see what happens.



  • I reinstalled my machine at work with the mobile ipsec tunnels by doing a clean install from CD with the existing config.

    I see no errors in the log files. All tunnels came up without intervention after installation.
    I can not replicate this here.

    Can you give me the used settings for the mobile ipsec client and the settings as configured on the server side?
    My mobile ipsec configuration has PFS disabled for mobile clients. Maybe this is the reason why all my tunnels work?

    Kind regards,

    Seth Mos



  • Hello Seth,
    I'm sick at the moment, so I can test it on Monday next week at the soonest. Can you give me this time for testing?

    Are your static to static tunnels also as stable as the mobile connections?

    Greetings
    Heiko



  • @heiko:

    Are your static to static tunnels also as stable as the mobile connections?

    Yes they are. Both the static tunnels and the dynamic tunnels are stable.



  • Hello,

    I have tested the ipsec unofficial rc5 (Build 2008/02/15) today.
    I have run various tests with different builds of 1.2 beta/rcx:

    Here are my results:

    1. unofficial rc5 – static – main -->  1.2 rc3 – static – carp-cluster = OK and stable
    2. unofficial rc5 – static – main -->  1.2-TESTING-SNAPSHOT-07-21-2007 – static – carp-cluster = OK and stable
    3. unofficial rc5 – static – main -->  1.2 rc2 – static = OK and stable
    4. unofficial rc5 – static – main -->  1.2 rc5 – static = OK and stable
    5. unofficial rc5 – static – main -->  1.2 beta 3 – static – carp-cluster = OK and stable
    6. unofficial rc5 – aggressive – mobile – pfs-on --> unofficial rc5 – mobile-pfsense-server – pfs-on = OK and stable
    7. unofficial rc5 – aggressive – mobile – pfs-off --> unofficial rc5 – mobile-pfsense-server – pfs-off = OK and stable

    OK, the actual rc5 (unofficial) ipsec was fast and stable…

    Good Job!
    Greetings
    Heiko

