IPSEC binds to private ip address after cable modem resets

loki

Hello all

Last night the cable modem lost access to its upstream connection for a few minutes. Once the connection was restored my ipsec server seemed to get stuck with a private 192.168.100.10 address, all other services are working fine on the firewall.

Restarting the ipsec service didn't fix the issue, only a reboot seemed to get me working again.

Anyone know of another work around to this issue?

Any help will be much appreciated.

ipsec log

Nov 20 11:55:31 	racoon: ERROR: failed to begin ipsec sa negotication.
Nov 20 11:55:31 	racoon: ERROR: phase1 negotiation failed due to send error. c2254f580d7b8ef7:0000000000000000
Nov 20 11:55:31 	racoon: INFO: begin Identity Protection mode.
Nov 20 11:55:31 	racoon: [vpn02]: INFO: initiate new phase 1 negotiation: 192.168.100.10[500]<=>32.216.31.xx [500]
Nov 20 11:55:31 	racoon: [vpn02]: INFO: IPsec-SA request for 32.216.31.xx queued due to no phase1 found.
Nov 20 11:54:12 	racoon: ERROR: failed to begin ipsec sa negotication.
Nov 20 11:54:12 	racoon: ERROR: phase1 negotiation failed due to send error. 2488591703bb237c:0000000000000000
Nov 20 11:54:12 	racoon: INFO: begin Identity Protection mode.
Nov 20 11:54:12 	racoon: [vpn02]: INFO: initiate new phase 1 negotiation: 192.168.100.10[500]<=>32.216.31.xx [500]
Nov 20 11:54:12 	racoon: [vpn02]: INFO: IPsec-SA request for 32.216.31.xx queued due to no phase1 found.

ifconfig -a shows the correct ipaddress info

(wan)
re0: flags=8943 <up,broadcast,running,promisc,simplex,multicast>metric 0 mtu 1500
        options=209b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic>ether 14:da:e9:67:xx:yy
        inet 68.191.49.xx netmask 0xfffffe00 broadcast 255.255.255.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active

(lan)
em0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
        options=4209b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,vlan_hwtso>ether 00:1b:78:57:aa:bb
        inet 192.168.200.1 netmask 0xffffff00 broadcast 192.168.200.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
enc0: flags=41 <up,running>metric 0 mtu 1536

pfsync0: flags=0<> metric 0 mtu 1460
        syncpeer: 224.0.0.240 maxupd: 128 syncok: 1

lo0: flags=8049 <up,loopback,running,multicast>metric 0 mtu 16384
        options=3 <rxcsum,txcsum>inet 127.0.0.1 netmask 0xff000000

pflog0: flags=100 <promisc>metric 0 mtu 33144</promisc></rxcsum,txcsum></up,loopback,running,multicast></up,running></full-duplex></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,vlan_hwtso></up,broadcast,running,simplex,multicast></full-duplex></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic></up,broadcast,running,promisc,simplex,multicast> 

netstat shows ipsec lisening to the correct wan ip adddress

netstat -an | grep -i 500

udp4       0      0 68.191.49.xx.500      *.*
udp4       0      0 68.191.49.xx.4500     *.*

/var/etc/ipsec/* doesnt show any reference to the 192.168.100.x network or ip
/var/etc/ipsec/racoon.conf looks correct

pfctl (-sa/-sn/-ss) | grep -i 192.168.100  Doesn't show any reference 192.168.100 network or ip

charliem

On WAN interface tab, have you already entered your cable modem IP into the 'Reject Leases From' box?  Most likely would be 192.168.100.1

Not sure that will help IPSEC though.  It means IPSEC is requesting a DHCP address before the pfSense DHCP server is up, while the cable modem interim DHCP server is up.  You may be able to turn off that interim DHCP server on your cable modem, but there's no way to do that on the motorola units I've seen.