Netgate Discussion Forum
    IPSEC Issue after Release Candidate 5

    12 Posts 4 Posters 9.5k Views
    fastcon68

      I have only run into one issue. The IPsec perfect security setting for type 2 reset to the wrong type after the update. I quickly reset them to the right type and had no issue. It's actually a lot faster than other releases.

      I noticed that the tunnels reconnect a lot faster and they seem to be really stable.
      RC

      sullrich

        Yes, IPsec is working a lot better.

        BUT, I cannot parse your bug report. Perhaps you can take a screenshot so I know what you mean?

        heiko

          Today I tested RC5 with ipsec-tools 0.7 and it is making me crazy….

          I have issues with mobile connections from pfSense dynamic to pfSense static.....

          Feb 10 22:49:17 racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, 5212ec2953c107ea:ed27fa3f24051a1a:0000c586
          Feb 10 22:48:33 last message repeated 2 times
          Feb 10 22:48:10 racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, 5212ec2953c107ea:ed27fa3f24051a1a:00009eec
          Feb 10 22:46:12 last message repeated 2 times
          Feb 10 22:45:53 racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, 5212ec2953c107ea:ed27fa3f24051a1a:0000fd98

          and this one static to static

          Feb 10 21:04:29 racoon: [OSNXtoLONX]: INFO: phase2 sa expired 62.8.158.118-217.6.55.4
          Feb 10 21:04:18 racoon: ERROR: phase1 negotiation failed due to send error. 6b3fb8b20f48f798:0000000000000000
          Feb 10 21:04:18 racoon: ERROR: sendfromto failed

          and this one…

          racoon: INFO: begin Identity Protection mode.
          Feb 10 21:06:26 racoon: [OSNXtoLONX]: INFO: initiate new phase 1 negotiation: 62.8.158.118[500]<=>217.6.55.4[500]
          Feb 10 21:06:26 racoon: [OSNXtoLONX]: INFO: IPsec-SA request for 217.6.55.4 queued due to no phase1 found.
          Feb 10 21:06:26 racoon: ERROR: execve("^H") failed: No such file or directory
          Feb 10 21:06:26 racoon: [OSNXtoLONX]: INFO: ISAKMP-SA deleted 62.8.158.118[500]-217.6.55.4[500] spi:bedc3f1ad10de7df:0000000000000000

          RC5 and IPsec aren't OK at the moment.

          heiko

          P.S.: the config above worked as it should with RC4, and Seth and Timo should look into this….

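The racoon messages quoted above each point to a different failure mode (a Phase 2 request with no Phase 1 SA, a socket send failure, a failed execve of an external command), and a practitioner triaging an upgrade would rather sort a log into those classes than read it line by line. The following is an added example, not code from the thread or from pfSense: a small Python classifier run over constructed sample lines modelled on the ones quoted in the post. The category names and the one-line meanings are this example's own, not racoon's.

```python
"""Classify racoon (ipsec-tools) syslog lines into IPsec failure modes.

Added example; not part of the forum thread or of pfSense.  The sample
log below is constructed, modelled on the messages quoted in the post.
"""
import re
from collections import Counter

# Constructed sample, oldest-first as syslog writes it (the pfSense GUI
# shows newest-first, so a pasted excerpt may need reversing).
SAMPLE_LOG = """\
Feb 10 21:04:18 racoon: ERROR: sendfromto failed
Feb 10 21:04:18 racoon: ERROR: phase1 negotiation failed due to send error. 6b3fb8b20f48f798:0000000000000000
Feb 10 21:04:29 racoon: [OSNXtoLONX]: INFO: phase2 sa expired 62.8.158.118-217.6.55.4
Feb 10 21:06:26 racoon: [OSNXtoLONX]: INFO: initiate new phase 1 negotiation: 62.8.158.118[500]<=>217.6.55.4[500]
Feb 10 21:06:26 racoon: ERROR: execve("^H") failed: No such file or directory
Feb 10 21:06:26 racoon: [OSNXtoLONX]: INFO: ISAKMP-SA deleted 62.8.158.118[500]-217.6.55.4[500] spi:bedc3f1ad10de7df:0000000000000000
Feb 10 22:45:53 racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, 5212ec2953c107ea:ed27fa3f24051a1a:0000fd98
Feb 10 22:46:12 last message repeated 2 times
Feb 10 22:48:10 racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, 5212ec2953c107ea:ed27fa3f24051a1a:00009eec
Feb 10 22:48:33 last message repeated 2 times
Feb 10 22:49:17 racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, 5212ec2953c107ea:ed27fa3f24051a1a:0000c586
"""

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
RACOON_RE = re.compile(
    TS + r" racoon: (?:\[(?P<tunnel>[^\]]+)\]: )?"
    r"(?P<level>INFO|ERROR|WARNING|NOTIFY|DEBUG): (?P<msg>.*)$")
REPEAT_RE = re.compile(TS + r" last message repeated (?P<n>\d+) times$")

# (substring of the message, category, what it usually means); first match wins.
# Category names and meanings are this example's own, not racoon's.
RULES = [
    ("there is no ISAKMP-SA", "quick_mode_without_phase1",
     "Phase 2 requested while no Phase 1 SA exists: one side still thinks the tunnel is up"),
    ("sendfromto failed", "send_failure",
     "racoon could not transmit: check the route and interface towards the peer"),
    ("failed due to send error", "send_failure",
     "racoon could not transmit: check the route and interface towards the peer"),
    ("execve(", "exec_failure",
     "racoon tried to run an external program that does not exist: suspect a broken install"),
    ("phase2 sa expired", "phase2_expired", "normal lifetime expiry; a rekey should follow"),
    ("ISAKMP-SA deleted", "phase1_deleted", "Phase 1 SA torn down"),
    ("initiate new phase 1", "phase1_initiated", "Phase 1 negotiation started"),
]


def classify(msg):
    """Map a racoon message body to (category, meaning); first matching rule wins."""
    for needle, category, meaning in RULES:
        if needle in msg:
            return category, meaning
    return "other", ""


def parse_line(line):
    """Return a dict for a racoon line or a syslog repeat marker; None for anything else."""
    m = RACOON_RE.match(line)
    if m:
        category, meaning = classify(m.group("msg"))
        return {"ts": m.group("ts"), "tunnel": m.group("tunnel") or "-",
                "level": m.group("level"), "msg": m.group("msg"),
                "category": category, "meaning": meaning}
    m = REPEAT_RE.match(line)
    if m:
        return {"ts": m.group("ts"), "repeat": int(m.group("n"))}
    return None


def analyze(log_text):
    """Count (tunnel, category) pairs, folding 'last message repeated N times'
    into the racoon message that precedes it."""
    counts = Counter()
    last = None
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if "repeat" in rec:
            if last is not None:
                counts[(last["tunnel"], last["category"])] += rec["repeat"]
            continue
        counts[(rec["tunnel"], rec["category"])] += 1
        last = rec
    return counts


def report(log_text):
    """One line per (tunnel, category), with the diagnosis attached where one is known."""
    meanings = {category: meaning for _, category, meaning in RULES}
    lines = []
    for (tunnel, category), n in sorted(analyze(log_text).items()):
        hint = meanings.get(category, "")
        lines.append(f"{tunnel:<12} {category:<26} x{n:<3} {hint}".rstrip())
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run it with python3 and it prints one line per tunnel and category. The syslog "repeated N times" markers are folded into the message before them, so the "no ISAKMP-SA" count reflects the seven actual occurrences rather than the three lines that were printed, which is the figure that matters when deciding whether a peer is stuck holding a stale Phase 1.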
          databeestje

            This is very interesting, I cannot replicate this yet. I also have a dynamic IPsec to static IPsec tunnel and it appears to be still working.

            What really confuses me is the racoon execve error. I have no idea where that is coming from.
            This makes me think the snapshot is corrupt. Can you download it again and try?

            The "failed due to send error" error makes me think the firewall cannot communicate with the outside world. Is this VPN connection using a second WAN connection or an OPT interface?

            The Phase 2 timeout and "can not start quick mode" messages probably point to a VPN tunnel that is not connecting because one of the firewalls thinks the VPN tunnel is still active.

            Did this VPN tunnel come up after the Phase 1 and Phase 2 timeouts expired?

            fastcon68

              I have 4 static VPN tunnels. Only the Phase 2 PFS key group changed from 2 (1024 bit) to 1 (768 bit); all other settings stayed intact.

              RC

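The change fastcon68 describes, the Phase 2 PFS group silently dropping from 2 (1024-bit MODP) to 1 (768-bit), is the kind of regression worth checking mechanically after an upgrade, because the tunnel still comes up and nothing in the log complains. The following is an added example, not code from the thread or from pfSense: a Python audit that walks a racoon.conf, reads dh_group from each remote block's proposal and pfs_group from each sainfo block, and flags any group whose modulus is below a chosen size. The sample configuration is constructed, modelled on the racoon.conf layout pfSense generated at the time (an assumption), with addresses and names chosen for illustration.

```python
"""Audit DH / PFS groups in a racoon (ipsec-tools) configuration.

Added example; not part of the forum thread or of pfSense.  The
configuration below is constructed, modelled on the layout pfSense
generated for racoon at the time (an assumption).
"""
import re

# MODP group numbers from RFC 2409 and RFC 3526, with modulus size in bits.
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096, 17: 6144, 18: 8192}

SAMPLE_RACOON_CONF = """\
# constructed sample racoon.conf (not a real generated file)
path pre_shared_key "/var/etc/psk.txt";

remote 217.6.55.4 {
        exchange_mode main;
        my_identifier address 62.8.158.118;
        proposal_check obey;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
                lifetime time 28800 sec;
        }
}

sainfo address 192.168.10.0/24 any address 192.168.20.0/24 any {
        pfs_group 1;
        lifetime time 3600 sec;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
}

remote anonymous {
        exchange_mode aggressive;
        generate_policy on;
        proposal {
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo anonymous {
        lifetime time 3600 sec;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
}
"""


def strip_comments(text):
    """Drop '#' comments so braces inside them cannot confuse the block scanner."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def top_level_blocks(text):
    """Yield (header, body) for each top-level '{ ... }' block, tracking brace
    depth so a nested 'proposal { }' stays inside its 'remote' body."""
    depth, start, header_start, header = 0, 0, 0, ""
    for i, ch in enumerate(text):
        if ch == "{":
            if depth == 0:
                # the header is the last statement before the opening brace
                header = " ".join(text[header_start:i].split(";")[-1].split())
                start = i + 1
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                yield header, text[start:i]
                header_start = i + 1


def _finding(block, setting, match, minimum_bits, required):
    if match is None:
        # Phase 1 must name a group; a sainfo without pfs_group means PFS is off.
        return {"block": block, "setting": setting, "group": None, "bits": None,
                "status": "missing" if required else "pfs_off"}
    group = int(match.group(1))
    bits = DH_GROUP_BITS.get(group)
    if bits is None:
        status = "unknown_group"
    elif bits < minimum_bits:
        status = "weak"
    else:
        status = "ok"
    return {"block": block, "setting": setting, "group": group, "bits": bits, "status": status}


def audit_racoon_conf(text, minimum_bits=1024):
    """One finding per remote block (Phase 1 dh_group) and sainfo block (Phase 2 pfs_group)."""
    findings = []
    for header, body in top_level_blocks(strip_comments(text)):
        if header.startswith("remote "):
            m = re.search(r"\bdh_group\s+(\d+)\s*;", body)
            findings.append(_finding(header, "dh_group", m, minimum_bits, required=True))
        elif header.startswith("sainfo "):
            m = re.search(r"\bpfs_group\s+(\d+)\s*;", body)
            findings.append(_finding(header, "pfs_group", m, minimum_bits, required=False))
    return findings


if __name__ == "__main__":
    for f in audit_racoon_conf(SAMPLE_RACOON_CONF):
        print(f"{f['status']:<8} {f['setting']}={f['group']} ({f['bits']} bit)  {f['block']}")
```

The default threshold of 1024 bits matches what the thread expects (group 2); for a current deployment raise minimum_bits to 2048 so that group 2 is reported as weak as well. The audit deliberately distinguishes a sainfo block with no pfs_group (PFS off, as Seth describes for his mobile clients) from one with a weak group, since those call for different fixes.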
              heiko

                @databeestje:

                This is very interesting, I cannot replicate this yet. I also have a dynamic IPsec to static IPsec tunnel and it appears to be still working.

                What really confuses me is the racoon execve error. I have no idea where that is coming from.
                This makes me think the snapshot is corrupt. Can you download it again and try?

                The "failed due to send error" error makes me think the firewall cannot communicate with the outside world. Is this VPN connection using a second WAN connection or an OPT interface?

                The Phase 2 timeout and "can not start quick mode" messages probably point to a VPN tunnel that is not connecting because one of the firewalls thinks the VPN tunnel is still active.

                Did this VPN tunnel come up after the Phase 1 and Phase 2 timeouts expired?

                I have downgraded to RC4 and it seems that all of the tunnels work. I don't know what happened with RC5, maybe a broken snapshot… An OPT interface is in use, but only for the DMZ, not for IPsec from the OPT interface. Thanks for your help. Heiko

                databeestje

                  I'll look into this at work. I will reinstall my machine with a current snapshot at work.

                  I have no idea why your PFS does not work anymore. I currently use PFS with DH group 2 for my static-static VPN connections and no PFS for my mobile connections.

                  All of them work normally. So I cannot really explain it yet. I will try a fresh install and see if that is the problem.

                  Kind regards,

                  Seth

                  heiko

                    Thanks for your test, Seth!

                    I will also duplicate my downgraded RC4 machine config and import it into a clean, fresh RC5 installation. Give me two or three days and we will see what happens.

                    databeestje

                      I reinstalled my machine at work with the mobile IPsec tunnels by doing a clean install from CD with the existing config.

                      I see no errors in the log files. All tunnels came up without intervention after installation.
                      I cannot replicate this here.

                      Can you give me the settings used for the mobile IPsec client and the settings as configured on the server side?
                      My mobile IPsec configuration has PFS disabled for mobile clients. Maybe this is the reason why all my tunnels work?

                      Kind regards,

                      Seth Mos

                      heiko

                        Hello Seth,
                        I'm sick at the moment, so the soonest I can test it is Monday next week. Can you give me this time for testing?

                        Are your static-to-static tunnels also as stable as the mobile connections?

                        Greetings
                        Heiko

                        databeestje

                          @heiko:

                          Are your static-to-static tunnels also as stable as the mobile connections?

                          Yes they are. Both the static tunnels and the dynamic tunnels are stable.

                          heiko

                            Hello,

                            I have tested IPsec on the unofficial RC5 (build 2008/02/15) today.
                            I have run various tests against different builds of 1.2 beta/RCx:

                            Here are my results:

                            1. unofficial RC5 – static – main --> 1.2 RC3 – static – CARP cluster = OK and stable
                            2. unofficial RC5 – static – main --> 1.2-TESTING-SNAPSHOT-07-21-2007 – static – CARP cluster = OK and stable
                            3. unofficial RC5 – static – main --> 1.2 RC2 – static = OK and stable
                            4. unofficial RC5 – static – main --> 1.2 RC5 – static = OK and stable
                            5. unofficial RC5 – static – main --> 1.2 beta 3 – static – CARP cluster = OK and stable
                            6. unofficial RC5 – aggressive – mobile – PFS on --> unofficial RC5 – mobile pfSense server – PFS on = OK and stable
                            7. unofficial RC5 – aggressive – mobile – PFS off --> unofficial RC5 – mobile pfSense server – PFS off = OK and stable

                            OK, the current (unofficial) RC5 IPsec was fast and stable…....

                            Good Job!
                            Greetings
                            Heiko

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.