IPSEC binds to private ip address after cable modem resets



  • Hello all

    Last night the cable modem lost access to its upstream connection for a few minutes. Once the connection was restored, my IPsec server seemed to get stuck with a private 192.168.100.10 address; all other services are working fine on the firewall.

    Restarting the IPsec service didn't fix the issue; only a reboot seemed to get me working again.

    Anyone know of another workaround to this issue?

    Any help will be much appreciated.

    ipsec log

    
    Nov 20 11:55:31 	racoon: ERROR: failed to begin ipsec sa negotication.
    Nov 20 11:55:31 	racoon: ERROR: phase1 negotiation failed due to send error. c2254f580d7b8ef7:0000000000000000
    Nov 20 11:55:31 	racoon: INFO: begin Identity Protection mode.
    Nov 20 11:55:31 	racoon: [vpn02]: INFO: initiate new phase 1 negotiation: 192.168.100.10[500]<=>32.216.31.xx [500]
    Nov 20 11:55:31 	racoon: [vpn02]: INFO: IPsec-SA request for 32.216.31.xx queued due to no phase1 found.
    Nov 20 11:54:12 	racoon: ERROR: failed to begin ipsec sa negotication.
    Nov 20 11:54:12 	racoon: ERROR: phase1 negotiation failed due to send error. 2488591703bb237c:0000000000000000
    Nov 20 11:54:12 	racoon: INFO: begin Identity Protection mode.
    Nov 20 11:54:12 	racoon: [vpn02]: INFO: initiate new phase 1 negotiation: 192.168.100.10[500]<=>32.216.31.xx [500]
    Nov 20 11:54:12 	racoon: [vpn02]: INFO: IPsec-SA request for 32.216.31.xx queued due to no phase1 found.
    
    

    ifconfig -a shows the correct IP address info

    
    (wan)
    re0: flags=8943 <up,broadcast,running,promisc,simplex,multicast> metric 0 mtu 1500
            options=209b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic>
            ether 14:da:e9:67:xx:yy
            inet 68.191.49.xx netmask 0xfffffe00 broadcast 255.255.255.255
            media: Ethernet autoselect (1000baseT <full-duplex>)
            status: active
    
    (lan)
    em0: flags=8843 <up,broadcast,running,simplex,multicast> metric 0 mtu 1500
            options=4209b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,vlan_hwtso>
            ether 00:1b:78:57:aa:bb
            inet 192.168.200.1 netmask 0xffffff00 broadcast 192.168.200.255
            media: Ethernet autoselect (1000baseT <full-duplex>)
            status: active
    enc0: flags=41 <up,running> metric 0 mtu 1536
    
    pfsync0: flags=0<> metric 0 mtu 1460
            syncpeer: 224.0.0.240 maxupd: 128 syncok: 1
    
    lo0: flags=8049 <up,loopback,running,multicast> metric 0 mtu 16384
            options=3 <rxcsum,txcsum>
            inet 127.0.0.1 netmask 0xff000000
    
    pflog0: flags=100 <promisc> metric 0 mtu 33144
    

    netstat shows IPsec listening on the correct WAN IP address

    
    netstat -an | grep -i 500
    
    udp4       0      0 68.191.49.xx.500      *.*
    udp4       0      0 68.191.49.xx.4500     *.*
    
    

    /var/etc/ipsec/* doesn't show any reference to the 192.168.100.x network or IP
    /var/etc/ipsec/racoon.conf looks correct

    pfctl (-sa/-sn/-ss) | grep -i 192.168.100 doesn't show any reference to the 192.168.100 network or IP



  • On the WAN interface tab, have you already entered your cable modem IP into the 'Reject Leases From' box? Most likely it would be 192.168.100.1.

    Not sure that will help IPsec though. It means IPsec is requesting a DHCP address before the pfSense DHCP server is up, while the cable modem's interim DHCP server is up. You may be able to turn off that interim DHCP server on your cable modem, but there's no way to do that on the Motorola units I've seen.
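The symptom in the original post is that racoon keeps sourcing its phase 1 from 192.168.100.10 (the cable modem's interim lease) even though the WAN interface and the UDP 500/4500 sockets have moved on to the real public address. The following is an added example, not code from the thread or from pfSense, that checks for exactly that condition: it pulls the local address out of the most recent "initiate new phase 1 negotiation" line, compares it with the address the WAN interface currently holds, and also flags anything in 192.168.100.0/24 as a modem interim address. The log lines are constructed to match the format in the post (with the masked octets replaced by 1), and the interface name, log path and the use of clog are assumptions for a pfSense/FreeBSD box.

```shell
#!/bin/sh
# Added example (not from the original thread or from pfSense).
# Detect racoon negotiating from a stale/private source address after a
# WAN DHCP flap. Assumptions: racoon log format as quoted in the post,
# "... initiate new phase 1 negotiation: LOCAL[500]<=>REMOTE[500]";
# the modem's interim range is 192.168.100.0/24.

# Constructed sample, modelled on the post's log (masked octets set to 1).
SAMPLE_LOG='Nov 20 11:54:12 racoon: [vpn02]: INFO: IPsec-SA request for 32.216.31.1 queued due to no phase1 found.
Nov 20 11:54:12 racoon: [vpn02]: INFO: initiate new phase 1 negotiation: 192.168.100.10[500]<=>32.216.31.1 [500]
Nov 20 11:54:12 racoon: ERROR: phase1 negotiation failed due to send error. 2488591703bb237c:0000000000000000'

# Print the local address racoon used in its most recent phase 1 attempt.
# $1 = log text. Prints nothing when no phase 1 line is present.
racoon_phase1_source() {
    printf '%s\n' "$1" |
        sed -n 's/.*initiate new phase 1 negotiation: \([0-9.]*\)\[[0-9]*\]<=>.*/\1/p' |
        tail -n 1
}

# True (exit 0) when the address is in 192.168.100.0/24, the range cable
# modems hand out from their interim DHCP server while upstream is down.
is_modem_interim_addr() {
    case "$1" in
        192.168.100.*) return 0 ;;
        *)             return 1 ;;
    esac
}

# Compare racoon's phase 1 source with the current WAN address.
# $1 = log text, $2 = WAN address. Prints "stale", "ok" or "unknown".
check_ipsec_source() {
    log="$1"
    wan_addr="$2"
    src="$(racoon_phase1_source "$log")"
    if [ -z "$src" ]; then
        echo "unknown"
    elif [ "$src" != "$wan_addr" ] || is_modem_interim_addr "$src"; then
        echo "stale"
    else
        echo "ok"
    fi
}

# Live usage on the firewall (placeholders: re0 is the WAN interface from
# the post's ifconfig; the log path and clog reader are pfSense assumptions):
#   wan=$(ifconfig re0 | awk '/inet /{print $2}')
#   log=$(clog /var/log/ipsec.log | grep 'phase 1 negotiation' | tail -n 20)
#   check_ipsec_source "$log" "$wan"
```

If the check prints "stale" while netstat already shows the sockets on the public address, racoon is working from the address it learned at startup rather than from the interface, which is the state the original post describes. The "Reject Leases From" option suggested above maps to a `reject 192.168.100.1;` statement in dhclient.conf, so the WAN never accepts the interim lease in the first place and racoon never sees the private address; that addresses the cause rather than the symptom, whereas this script only tells you when you have hit it.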