Netgate Discussion Forum

    IPSEC binds to private ip address after cable modem resets

    Category: IPsec
    2 Posts 2 Posters 890 Views
    loki

      Hello all

      Last night the cable modem lost access to its upstream connection for a few minutes. Once the connection was restored my IPsec server seemed to get stuck with a private 192.168.100.10 address. All other services are working fine on the firewall.

      Restarting the IPsec service didn't fix the issue; only a reboot seemed to get me working again.

      Anyone know of another workaround for this issue?

      Any help will be much appreciated.

      IPsec log:

      Nov 20 11:55:31 	racoon: ERROR: failed to begin ipsec sa negotication.
      Nov 20 11:55:31 	racoon: ERROR: phase1 negotiation failed due to send error. c2254f580d7b8ef7:0000000000000000
      Nov 20 11:55:31 	racoon: INFO: begin Identity Protection mode.
      Nov 20 11:55:31 	racoon: [vpn02]: INFO: initiate new phase 1 negotiation: 192.168.100.10[500]<=>32.216.31.xx [500]
      Nov 20 11:55:31 	racoon: [vpn02]: INFO: IPsec-SA request for 32.216.31.xx queued due to no phase1 found.
      Nov 20 11:54:12 	racoon: ERROR: failed to begin ipsec sa negotication.
      Nov 20 11:54:12 	racoon: ERROR: phase1 negotiation failed due to send error. 2488591703bb237c:0000000000000000
      Nov 20 11:54:12 	racoon: INFO: begin Identity Protection mode.
      Nov 20 11:54:12 	racoon: [vpn02]: INFO: initiate new phase 1 negotiation: 192.168.100.10[500]<=>32.216.31.xx [500]
      Nov 20 11:54:12 	racoon: [vpn02]: INFO: IPsec-SA request for 32.216.31.xx queued due to no phase1 found.
      ifconfig -a shows the correct IP address info:


      (wan)
      re0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
              options=209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
              ether 14:da:e9:67:xx:yy
              inet 68.191.49.xx netmask 0xfffffe00 broadcast 255.255.255.255
              media: Ethernet autoselect (1000baseT <full-duplex>)
              status: active

      (lan)
      em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
              options=4209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWTSO>
              ether 00:1b:78:57:aa:bb
              inet 192.168.200.1 netmask 0xffffff00 broadcast 192.168.200.255
              media: Ethernet autoselect (1000baseT <full-duplex>)
              status: active
      enc0: flags=41<UP,RUNNING> metric 0 mtu 1536

      pfsync0: flags=0<> metric 0 mtu 1460
              syncpeer: 224.0.0.240 maxupd: 128 syncok: 1

      lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
              options=3<RXCSUM,TXCSUM>
              inet 127.0.0.1 netmask 0xff000000

      pflog0: flags=100<PROMISC> metric 0 mtu 33144


      netstat shows IPsec listening on the correct WAN IP address:


      netstat -an | grep -i 500

      udp4       0      0 68.191.49.xx.500      *.*
      udp4       0      0 68.191.49.xx.4500     *.*


      /var/etc/ipsec/* doesn't show any reference to the 192.168.100.x network or IP.
      /var/etc/ipsec/racoon.conf looks correct.

      pfctl (-sa/-sn/-ss) | grep -i 192.168.100 doesn't show any reference to the 192.168.100 network or IP.


      charliem

        On the WAN interface tab, have you already entered your cable modem IP into the 'Reject Leases From' box? Most likely it would be 192.168.100.1.

        Not sure that will help IPsec though. It means IPsec is requesting a DHCP address before the pfSense DHCP server is up, while the cable modem's interim DHCP server is up. You may be able to turn off that interim DHCP server on your cable modem, but there's no way to do that on the Motorola units I've seen.

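The symptom in loki's log (phase 1 initiated from 192.168.100.10 while the WAN holds the ISP address) and the cause charliem describes (the modem's interim DHCP lease being picked up) can be caught automatically rather than after a VPN outage. This is an added example, not code from the thread or from pfSense: it parses racoon's "initiate new phase 1 negotiation" lines and flags attempts whose local address is not the current WAN address, which a cron job could run to trigger an alert or an IPsec restart. The sample log is constructed in the format quoted above; the peer and WAN last octets are placeholders for the masked "xx" values.

```python
import ipaddress
import re

# Constructed sample in the format of the racoon log quoted in the thread.
# 192.168.100.10 is the modem's interim lease from the post; the peer and WAN
# last octets (.20, .10) are placeholders for the masked "xx" values.
SAMPLE_LOG = """\
Nov 20 11:55:31 \tracoon: ERROR: failed to begin ipsec sa negotication.
Nov 20 11:55:31 \tracoon: INFO: begin Identity Protection mode.
Nov 20 11:55:31 \tracoon: [vpn02]: INFO: initiate new phase 1 negotiation: 192.168.100.10[500]<=>32.216.31.20 [500]
Nov 20 11:55:31 \tracoon: [vpn02]: INFO: IPsec-SA request for 32.216.31.20 queued due to no phase1 found.
Nov 20 12:10:02 \tracoon: [vpn02]: INFO: initiate new phase 1 negotiation: 68.191.49.10[500]<=>32.216.31.20 [500]
"""

# racoon prints "local[port]<=>peer [port]"; the space before the peer's port
# is optional in practice, so allow it.
PHASE1_RE = re.compile(
    r"initiate new phase 1 negotiation: "
    r"(?P<local>\d{1,3}(?:\.\d{1,3}){3})\[\d+\]<=>"
    r"(?P<peer>\d{1,3}(?:\.\d{1,3}){3})\s*\[\d+\]"
)


def phase1_attempts(log_text):
    """Return (local, peer) address pairs racoon used when starting phase 1."""
    return [m.group("local", "peer") for m in PHASE1_RE.finditer(log_text)]


def wrong_source_attempts(log_text, wan_address):
    """Phase 1 attempts whose local address is not the current WAN address.

    Each hit is (local, peer, is_private). A private local address on an
    otherwise public WAN is exactly the stuck state described in the thread.
    """
    wan = ipaddress.ip_address(wan_address)
    hits = []
    for local, peer in phase1_attempts(log_text):
        local_ip = ipaddress.ip_address(local)
        if local_ip != wan:
            hits.append((local, peer, local_ip.is_private))
    return hits


if __name__ == "__main__":
    # In production the WAN address would be read from ifconfig on the WAN
    # interface (re0 in the post) rather than hard-coded.
    for local, peer, private in wrong_source_attempts(SAMPLE_LOG, "68.191.49.10"):
        print(f"phase 1 to {peer} used {local} (private={private}), not the WAN address")
```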
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.