Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    IPSEC Problems

    Scheduled Pinned Locked Moved 2.2 Snapshot Feedback and Problems - RETIRED
    8 Posts 3 Posters 10.2k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • K
      kitdavis
      last edited by

      I have a pfsense implementation that has ipsec tunnels to 17 different networks with pfsense firewalls inplace.  These connections are mostly utilized for monitoring, via zabbix, equipment behind each of the firewalls, so there is a light volume of traffic sent over these connections.

      Due to the nature of the setup (fixed long range wireless) quality of service is poor and the connections can be broken several times a day for a few minutes resulting in a need to re-establish connectivitiy.  This setup has been working for the past 3 or 4 years across multiple versions with no serious problems.

      After upgrading to the 2.2 Release candidate, the tunnels are initially all established and active for up to 48 hours - however after loosing and re-establishing the connections multiple times many of the connections fail.    When Pfsense starts, the dashboard widget for IPSEC shows 17 active tunnels and 0 inactive tunnels  However, when the problem occurs, the dashboard widget shows only 7 active tunnels and 0 inactive tunnels.  Checking the status of the tunnels shows normal status for the 7 active tunnels and the other 10 just show as "disconnected"  If I look at the IPSEC page, the active tunnels are the first 7 listed on the page and the disconnected tunnels are the last 10.  Clicking on the Connect Button does not result in a connection.

      The IPSEC log is very active, however the following entries appear regularly:

      Dec 21 14:45:20 charon: 08[KNL] unable to query SAD entry with SPI 0eeb0121: No such file or directory (2)
      Dec 21 14:45:20 charon: 08[KNL] unable to query SAD entry with SPI 0cdc9537: No such file or directory (2)
      Dec 21 14:45:20 charon: 08[KNL] unable to query SAD entry with SPI 0d94efe7: No such file or directory (2)
      (repeated 47 more times)

      This is followed by:  (111.111.111.111 is the end point of the disconnected tunnel)
      Dec 21 14:45:20 charon: 08[NET] received packet: from 111.111.111.111[500] to 222.222.222.222[500] (368 bytes)
      Dec 21 14:45:20 charon: 08[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
      Dec 21 14:45:20 charon: 08[IKE] <18729> no IKE config found for 222.222.222.222…111.111.111.111, sending NO_PROPOSAL_CHOSEN
      Dec 21 14:45:20 charon: 08[IKE] no IKE config found for 222.222.222.222…111.111.111.111, sending NO_PROPOSAL_CHOSEN
      Dec 21 14:45:20 charon: 08[ENC] generating INFORMATIONAL_V1 request 1899503199 [ N(NO_PROP) ]
      Dec 21 14:45:20 charon: 08[NET] sending packet: from 222.222.222.222[500] to 111.111.111.111[500] (40 bytes)

      I also note that the when hovering over the connect button for the disconnected tunnels, the first entry shows (192.168.1.1/diag_ipsec.php?act=connect&ikeid=10 the second is ikeid 11 etc.  The entries that do connect all have ikeids under 10.  (probably just a coincidence)

      1 Reply Last reply Reply Quote 0
      • K
        kitdavis
        last edited by

        At the other end of the connection I see the following:

        Dec 20 17:23:42 racoon: [MXXX YXXX]: [222.222.222.222] INFO: Hashing 222.222.222.222[500] with algo #1
        Dec 20 17:23:42 racoon: [Self]: [111.111.111.111] INFO: Hashing 1111.111.111.111[500] with algo #1
        Dec 20 17:23:42 racoon: INFO: Adding xauth VID payload.
        Dec 20 17:23:46 racoon: NOTIFY: the packet is retransmitted by 222.222.222.222[500] (1).
        Dec 20 17:23:53 racoon: NOTIFY: the packet is retransmitted by 222.222.222.222[500] (1).
        Dec 20 17:24:06 racoon: NOTIFY: the packet is retransmitted by 222.222.222.222[500] (1).
        Dec 20 17:24:30 racoon: NOTIFY: the packet is retransmitted by 222.222.222.222[500] (1).
        Dec 20 17:24:32 racoon: ERROR: phase1 negotiation failed due to time up. 10433a4740788da4:11cccbd07a686bad

        1 Reply Last reply Reply Quote 0
        • E
          eri--
          last edited by

          Which snapshot is this?

          1 Reply Last reply Reply Quote 0
          • K
            kitdavis
            last edited by

            The Release candidate dated  -  Dec 09 09:46:36 CST 2014

            1 Reply Last reply Reply Quote 0
            • P
              phil.davis
              last edited by

              There have been various things changed/fixed in the time since the early 2.2-RC release. It will be easiest to diagnose the issue/s if you update to the latest 2.2-RC snapshot, then report what symptoms you have.

              As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
              If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

              1 Reply Last reply Reply Quote 0
              • K
                kitdavis
                last edited by

                I upgraded to pfSense-Full-Update-2.2-RC-amd64-20141220-1507 on the 21st and I am experiencing the exact same symptoms - 10 of the tunnels show disconnected, the connect button does not re-establish the connection and a similar error appears in the log:

                Dec 23 07:34:36 charon: 12[KNL] unable to query SAD entry with SPI 04af269a: No such file or directory (2)
                Dec 23 07:34:36 charon: 12[KNL] unable to query SAD entry with SPI 0d243ba4: No such file or directory (2)
                Dec 23 07:34:36 charon: 12[KNL] unable to query SAD entry with SPI 03e0bcda: No such file or directory (2)
                Dec 23 07:34:36 charon: 12[KNL] unable to query SAD entry with SPI 02f79aa6: No such file or directory (2)
                Dec 23 07:34:36 charon: 12[KNL] unable to query SAD entry with SPI 0d0c69dd: No such file or directory (2)
                Dec 23 07:34:36 charon: 12[KNL] unable to query SAD entry with SPI 0207921f: No such file or directory (2)
                Dec 23 07:34:36 charon: 12[KNL] unable to query SAD entry with SPI 087c490f: No such file or directory (2)
                Dec 23 07:34:36 charon: 12[KNL] unable to query SAD entry with SPI 01026338: No such file or directory (2)
                Dec 23 07:34:36 charon: 12[KNL] unable to query SAD entry with SPI 00072247: No such file or directory (2)
                Dec 23 07:34:36 charon: 12[KNL] unable to query SAD entry with SPI 0fb23a8d: No such file or directory (2)
                Dec 23 07:34:36 charon: 12[KNL] unable to query SAD entry with SPI 0c676842: No such file or directory (2)
                Dec 23 07:34:38 charon: 12[NET] received packet: from 34.34.34.34[500] to 111.111.111.111[500] (84 bytes)
                Dec 23 07:34:38 charon: 12[ENC] parsed INFORMATIONAL_V1 request 3768348861 [ HASH N(DPD) ]
                Dec 23 07:34:38 charon: 12[ENC] generating INFORMATIONAL_V1 request 3661510268 [ HASH N(DPD_ACK) ]
                Dec 23 07:34:38 charon: 12[NET] sending packet: from 111.111.111.111[500] to 34.34.34.34[500] (84 bytes)
                Dec 23 07:34:39 charon: 14[IKE] <con8|13830>sending retransmit 2 of response message ID 0, seq 1
                Dec 23 07:34:39 charon: 14[IKE] sending retransmit 2 of response message ID 0, seq 1
                Dec 23 07:34:39 charon: 14[NET] sending packet: from 111.111.111.111[500] to 66.66.66.66[500] (416 bytes)
                Dec 23 07:34:40 charon: 14[NET] received packet: from 142.177.207.38[500] to 69.60.66.83[500] (84 bytes)
                Dec 23 07:34:40 charon: 14[ENC] parsed INFORMATIONAL_V1 request 4130208874 [ HASH N(DPD) ]
                Dec 23 07:34:40 charon: 14[ENC] generating INFORMATIONAL_V1 request 279634980 [ HASH N(DPD_ACK) ]
                Dec 23 07:34:40 charon: 14[NET] sending packet: from 111.111.111.111[500] to 38.38.38.38[500] (84 bytes)
                Dec 23 07:34:41 charon: 14[NET] received packet: from 42.42.42.42[500] to 111.111.111.111[500] (368 bytes)
                Dec 23 07:34:41 charon: 14[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
                Dec 23 07:34:41 charon: 14[IKE] <13832> no IKE config found for 111.111.111.111…42.42.42.42, sending NO_PROPOSAL_CHOSEN
                Dec 23 07:34:41 charon: 14[IKE] no IKE config found for 111.111.111.111…42.42.42.42, sending NO_PROPOSAL_CHOSEN
                Dec 23 07:34:41 charon: 14[ENC] generating INFORMATIONAL_V1 request 403123786 [ N(NO_PROP) ]
                Dec 23 07:34:41 charon: 14[NET] sending packet: from 111.111.111.111[500] to 42.42.42.42[500] (40 bytes)
                Dec 23 07:34:42 charon: 14[NET] received packet: from 42.42.42.42[500] to 111.111.111.111[500] (372 bytes)
                Dec 23 07:34:42 charon: 14[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
                Dec 23 07:34:42 charon: 14[IKE] <13833> no IKE config found for 111.111.111.111…42.42.42.42, sending NO_PROPOSAL_CHOSEN
                Dec 23 07:34:42 charon: 14[IKE] no IKE config found for 111.111.111.111…42.42.42.42, sending NO_PROPOSAL_CHOSEN
                Dec 23 07:34:42 charon: 14[ENC] generating INFORMATIONAL_V1 request 3608187401 [ N(NO_PROP) ]

                If I reboot pfSense then the tunnels will again work for the next 24-48 hours.</con8|13830>

                1 Reply Last reply Reply Quote 0
                • K
                  kitdavis
                  last edited by

                  I'm still seeing the problem in the December 28 build.  At first the tunnels work but after 24 hours or so they - just show up as disconnected and can not be restarted.

                  The log is full of the same set of messages:
                  Dec 29 07:55:10 charon: 02[NET] sending packet: from 69.69.69.83[500] to 22.77.2.2[500] (40 bytes)
                  Dec 29 07:55:10 charon: 02[ENC] generating INFORMATIONAL_V1 request 4290582802 [ N(NO_PROP) ]
                  Dec 29 07:55:10 charon: 02[IKE] no IKE config found for 69.69.69.83…22.77.2.2, sending NO_PROPOSAL_CHOSEN
                  Dec 29 07:55:10 charon: 02[IKE] <13155> no IKE config found for 69.69.69.83…22.77.2.2, sending NO_PROPOSAL_CHOSEN
                  Dec 29 07:55:10 charon: 02[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
                  Dec 29 07:55:10 charon: 02[NET] received packet: from 22.77.2.26[500] to 69.69.69.83[500] (372 bytes)
                  Dec 29 07:55:10 charon: 02[NET] sending packet: from 69.60.66.83[500] to 22.76.1.2[500] (40 bytes)
                  Dec 29 07:55:10 charon: 02[ENC] generating INFORMATIONAL_V1 request 3199455391 [ N(NO_PROP) ]
                  Dec 29 07:55:10 charon: 02[IKE] no IKE config found for 69.69.69.83…22.76.1.2, sending NO_PROPOSAL_CHOSEN
                  Dec 29 07:55:10 charon: 02[IKE] <13154> no IKE config found for 69.69.69.83…22.76.1.2, sending NO_PROPOSAL_CHOSEN

                  A reboot brings up the tunnels again.

                  discipsec.png
                  discipsec.png_thumb

                  1 Reply Last reply Reply Quote 0
                  • K
                    kitdavis
                    last edited by

                    Additionally, I am finding additional problems with the IPSEC connections:

                    I have three tunnels to remote end points that with the exception of sites specific information (IP addresses) that are exact duplicates of each other, even to the point of running the same hardware.  All three sites are running version 2.15.

                    Since upgrading to the 2.2 RC stream on my local firewall, 1 of the remote connections works without fail.

                    The second site establishes a connection, but the no data can be passed across the tunnel to the remote side.  As can be seen in the first screen print the tunnel shows it is active but the child entry shows no packets being passed.

                    The third site also establishes the tunnel however it creates 10 child entries all with no data being passed. (second screen print).  This tunnel fails and then recycles after about 10 minutes.  During the process I find many of the following message in the IPSEC Log:

                    Dec 29 11:02:23 charon: 08[NET] sending packet: from 69.69.69.83[500] to 2.6.3.4[500] (420 bytes)
                    Dec 29 11:02:23 charon: 08[IKE] received retransmit of request with ID 0, retransmitting response
                    Dec 29 11:02:23 charon: 08[IKE] <con18000|623>received retransmit of request with ID 0, retransmitting response
                    Dec 29 11:02:23 charon: 08[NET] received packet: from 2.6.3.4[500] to 69.69.69.83[500] (372 bytes)

                    gschild.png
                    gschild.png_thumb
                    childentries.png
                    childentries.png_thumb</con18000|623>

                    1 Reply Last reply Reply Quote 0
                    • First post
                      Last post
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.