IPSEC binds to private ip address after cable modem resets
-
Hello all
Last night the cable modem lost access to its upstream connection for a few minutes. Once the connection was restored my ipsec server seemed to get stuck with a private 192.168.100.10 address; all other services are working fine on the firewall.
Restarting the ipsec service didn't fix the issue, only a reboot seemed to get me working again.
Anyone know of another work around to this issue?
Any help will be much appreciated.
ipsec log
Nov 20 11:55:31 racoon: ERROR: failed to begin ipsec sa negotication.
Nov 20 11:55:31 racoon: ERROR: phase1 negotiation failed due to send error. c2254f580d7b8ef7:0000000000000000
Nov 20 11:55:31 racoon: INFO: begin Identity Protection mode.
Nov 20 11:55:31 racoon: [vpn02]: INFO: initiate new phase 1 negotiation: 192.168.100.10[500]<=>32.216.31.xx [500]
Nov 20 11:55:31 racoon: [vpn02]: INFO: IPsec-SA request for 32.216.31.xx queued due to no phase1 found.
Nov 20 11:54:12 racoon: ERROR: failed to begin ipsec sa negotication.
Nov 20 11:54:12 racoon: ERROR: phase1 negotiation failed due to send error. 2488591703bb237c:0000000000000000
Nov 20 11:54:12 racoon: INFO: begin Identity Protection mode.
Nov 20 11:54:12 racoon: [vpn02]: INFO: initiate new phase 1 negotiation: 192.168.100.10[500]<=>32.216.31.xx [500]
Nov 20 11:54:12 racoon: [vpn02]: INFO: IPsec-SA request for 32.216.31.xx queued due to no phase1 found.
ifconfig -a shows the correct IP address info
(wan) re0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
        ether 14:da:e9:67:xx:yy
        inet 68.191.49.xx netmask 0xfffffe00 broadcast 255.255.255.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
(lan) em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWTSO>
        ether 00:1b:78:57:aa:bb
        inet 192.168.200.1 netmask 0xffffff00 broadcast 192.168.200.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
enc0: flags=41<UP,RUNNING> metric 0 mtu 1536
pfsync0: flags=0<> metric 0 mtu 1460
        syncpeer: 224.0.0.240 maxupd: 128 syncok: 1
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet 127.0.0.1 netmask 0xff000000
pflog0: flags=100<PROMISC> metric 0 mtu 33144
netstat shows IPsec listening on the correct WAN IP address
netstat -an | grep -i 500
udp4       0      0 68.191.49.xx.500       *.*
udp4       0      0 68.191.49.xx.4500      *.*
/var/etc/ipsec/* doesn't show any reference to the 192.168.100.x network or IP
/var/etc/ipsec/racoon.conf looks correct
pfctl (-sa/-sn/-ss) | grep -i 192.168.100 doesn't show any reference to the 192.168.100 network or IP
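An added check (not from the original post, pfSense or racoon) that parses racoon log lines in the format quoted above and flags every phase 1 negotiation initiated from an address other than the expected WAN address, so the "stuck on the modem's private lease" state can be spotted from the log instead of waiting for tunnels to fail. The sample log lines are constructed; the WAN address 198.51.100.23 and the peer 203.0.113.7 are placeholders for the redacted addresses in the post.

```python
import ipaddress
import re

# One racoon "initiate new phase 1 negotiation" line, as in the log above:
#   Nov 20 11:54:12 racoon: [vpn02]: INFO: initiate new phase 1 negotiation: LOCAL[500]<=>PEER [500]
PHASE1_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) racoon: \[(?P<tunnel>[^\]]+)\]: INFO: "
    r"initiate new phase 1 negotiation: "
    r"(?P<local>[\d.]+)\[(?P<lport>\d+)\]<=>(?P<peer>[\d.]+) ?\[(?P<pport>\d+)\]$"
)

def parse_phase1(line):
    """Return the fields of a phase 1 initiation line, or None for any other line."""
    m = PHASE1_RE.match(line.rstrip())
    return m.groupdict() if m else None

def find_wrong_source(lines, wan_ip):
    """Return one record per phase 1 initiation whose local address is not the
    expected WAN address.  'private' marks the RFC 1918 case from the thread,
    i.e. racoon bound to the cable modem's interim lease instead of the WAN IP."""
    wan = ipaddress.ip_address(wan_ip)
    findings = []
    for line in lines:
        rec = parse_phase1(line)
        if rec is None:
            continue
        local = ipaddress.ip_address(rec["local"])
        if local != wan:
            findings.append({
                "ts": rec["ts"], "tunnel": rec["tunnel"],
                "local": rec["local"], "peer": rec["peer"],
                "private": local.is_private,
            })
    return findings

# Constructed sample log: two attempts from the modem's private address, then one from the real WAN address.
SAMPLE_LOG = """\
Nov 20 11:54:12 racoon: [vpn02]: INFO: IPsec-SA request for 203.0.113.7 queued due to no phase1 found.
Nov 20 11:54:12 racoon: [vpn02]: INFO: initiate new phase 1 negotiation: 192.168.100.10[500]<=>203.0.113.7 [500]
Nov 20 11:54:12 racoon: ERROR: phase1 negotiation failed due to send error. 2488591703bb237c:0000000000000000
Nov 20 11:55:31 racoon: [vpn02]: INFO: initiate new phase 1 negotiation: 192.168.100.10[500]<=>203.0.113.7 [500]
Nov 20 12:10:02 racoon: [vpn02]: INFO: initiate new phase 1 negotiation: 198.51.100.23[500]<=>203.0.113.7 [500]
""".splitlines()

if __name__ == "__main__":
    # Assumed WAN address; use the inet address ifconfig shows on the WAN interface.
    for f in find_wrong_source(SAMPLE_LOG, "198.51.100.23"):
        print(f"{f['ts']} {f['tunnel']}: phase 1 to {f['peer']} sent from {f['local']}"
              f" ({'private' if f['private'] else 'non-WAN'} address)")
```

To run it against the live log, feed the lines of /var/log/ipsec.log (or wherever the racoon messages land on the box) to find_wrong_source with the WAN address from ifconfig.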
-
On the WAN interface tab, have you already entered your cable modem IP into the 'Reject Leases From' box? It would most likely be 192.168.100.1.
Not sure that will help IPSEC though. It means IPSEC is requesting a DHCP address before the pfSense DHCP server is up, while the cable modem's interim DHCP server is up. You may be able to turn off that interim DHCP server on your cable modem, but there's no way to do that on the Motorola units I've seen.