Another IPSEC issue

cmb

This happened today to me as well. Seems specific to IKEv1, but doesn't appear to be universal to all IKEv1. Have you noticed anything common to the ones that are doing that for you vs. the ones that aren't? Or do the affected ones change in your case?

I dropped my P1 lifetime down to an hour in hopes of being able to replicate it more quickly. Seems to coincide with rekeying of P1, at least if I remember your configs. You have a P1 lifetime of 86400 on the affected connections, and something less than that as the P2 lifetime?

I was thinking it was something new given it's never happened to me before nor do I seem to find it from anyone else, but the symptoms might match what you'd posted in December. The fact at the time it was only higher numbered connections doing it, I figured it was part of the other overall issue we'd fixed with the identifiers there that fixed the general problem you had. Is it still the higher ID ones that have an issue?

eri--

Can you please put this systcl under system->advanced->tunables
net.inet.ipsec.debug = 0xffffff

After that tell me when the issue happens if you see anything on the output of dmesg -a or paste the last lines from it here.

eri--

Also can you please give me the output of
netstat -f inet -sp esp

when you have the issue?

cmb

We backed down to strongswan 5.2.1 to see if that fixes this issue. I upgraded your system kitdavis and am keeping an eye on its logs. Earlier today, it started exhibiting the same symptoms about 12 hours after the upgrade. So we should know one way or another within the next 12 hours or so.

swix

I have a similar issue as described here, and it it still seems to be the case on latest snapshot (2.2-RC (amd64) built on Fri Jan 16 11:53:08 CST 2015 FreeBSD 10.1-RELEASE-p4 on PC-Engines APU Board).

2 IPSEC Tunnels with respectively 2 and 4 phase 2 entries.  And after a few hours, some of the phases 2 are not reachable anymore, while the others are still there. For example users connected to the LAN cannot connect to the tunneled IP's while users connected via OpenVPN to our network still can.

Stopping and restarting the IPSEC service "fixes" the issue (clicking on the Restart IPSEC icon doesn't).

I could not reproduce it yet, but the logfile says approximately this around the time of a disconnect:

Jan 19 15:43:16 pf charon: 02[ENC] generating INFORMATIONAL_V1 request 3956259368 [ HASH N(DPD) ]
Jan 19 15:43:16 pf charon: 02[NET] sending packet: from ip1[500] to ip2[500] (92 bytes)
Jan 19 15:43:16 pf charon: 02[NET] received packet: from ip2[500] to ip1[500] (92 bytes)
Jan 19 15:43:16 pf charon: 02[ENC] parsed INFORMATIONAL_V1 request 735452451 [ HASH N(DPD_ACK) ]
Jan 19 15:43:20 pf charon: 02[NET] received packet: from ip3[500] to ip1[500] (364 bytes)
Jan 19 15:43:20 pf charon: 02[ENC] parsed QUICK_MODE request 141741184 [ HASH SA No KE ID ID ]
Jan 19 15:43:20 pf charon: 02[ENC] received HASH payload does not match
Jan 19 15:43:20 pf charon: 02[IKE] <con2000|13>integrity check failed
Jan 19 15:43:20 pf charon: 02[IKE] integrity check failed
Jan 19 15:43:20 pf charon: 02[ENC] generating INFORMATIONAL_V1 request 1348227468 [ HASH N(INVAL_HASH) ]
Jan 19 15:43:20 pf charon: 02[NET] sending packet: from ip1[500] to ip3[500] (76 bytes)
Jan 19 15:43:20 pf charon: 02[IKE] <con2000|13>QUICK_MODE request with message ID 141741184 processing failed
Jan 19 15:43:20 pf charon: 02[IKE] QUICK_MODE request with message ID 141741184 processing failed
Jan 19 15:43:21 pf charon: 02[IKE] <con2000|13>sending DPD request
Jan 19 15:43:21 pf charon: 02[IKE] sending DPD request
Jan 19 15:43:21 pf charon: 02[ENC] generating INFORMATIONAL_V1 request 3461990251 [ HASH N(DPD) ]
Jan 19 15:43:21 pf charon: 02[NET] sending packet: from ip1[500] to ip3[500] (92 bytes)
Jan 19 15:43:21 pf charon: 02[NET] received packet: from ip3[500] to ip1[500] (92 bytes)
Jan 19 15:43:21 pf charon: 02[ENC] parsed INFORMATIONAL_V1 request 3939011389 [ HASH N(DPD_ACK) ]
Jan 19 15:43:21 pf charon: 02[NET] received packet: from ip3[500] to ip1[500] (364 bytes)
Jan 19 15:43:21 pf charon: 02[ENC] parsed QUICK_MODE request 3030064237 [ HASH SA No KE ID ID ]
Jan 19 15:43:21 pf charon: 02[IKE] <con2000|13>detected rekeying of CHILD_SA con2000{4}
Jan 19 15:43:21 pf charon: 02[IKE] detected rekeying of CHILD_SA con2000{4}
Jan 19 15:43:21 pf charon: 02[ENC] generating QUICK_MODE response 3030064237 [ HASH SA No KE ID ID ]
Jan 19 15:43:21 pf charon: 02[NET] sending packet: from ip1[500] to ip3[500] (380 bytes)
Jan 19 15:43:21 pf charon: 02[NET] received packet: from ip3[500] to ip1[500] (76 bytes)
Jan 19 15:43:21 pf charon: 02[ENC] parsed INFORMATIONAL_V1 request 2447641578 [ HASH N(INVAL_ID) ]
Jan 19 15:43:21 pf charon: 02[IKE] <con2000|13>received INVALID_ID_INFORMATION error notify
Jan 19 15:43:21 pf charon: 02[IKE] received INVALID_ID_INFORMATION error notify
Jan 19 15:43:21 pf charon: 02[IKE] <con2000|13>received INVALID_ID_INFORMATION error notify
Jan 19 15:43:21 pf charon: 02[IKE] received INVALID_ID_INFORMATION error notify
Jan 19 15:43:26 pf charon: 16[NET] received packet: from ip3[500] to ip1[500] (364 bytes)
Jan 19 15:43:26 pf charon: 16[ENC] parsed QUICK_MODE request 84872551 [ HASH SA No KE ID ID ]
Jan 19 15:43:26 pf charon: 16[IKE] <con2000|13>detected rekeying of CHILD_SA con2000{4}
Jan 19 15:43:26 pf charon: 16[IKE] detected rekeying of CHILD_SA con2000{4}
Jan 19 15:43:26 pf charon: 16[ENC] generating QUICK_MODE response 84872551 [ HASH SA No KE ID ID ]
Jan 19 15:43:26 pf charon: 16[NET] sending packet: from ip1[500] to ip3[500] (380 bytes)
Jan 19 15:43:26 pf charon: 16[NET] received packet: from ip3[500] to ip1[500] (76 bytes)
Jan 19 15:43:26 pf charon: 16[ENC] parsed INFORMATIONAL_V1 request 4148709878 [ HASH N(INVAL_ID) ]
Jan 19 15:43:26 pf charon: 16[IKE] <con2000|13>received INVALID_ID_INFORMATION error notify
Jan 19 15:43:26 pf charon: 16[IKE] received INVALID_ID_INFORMATION error notify
Jan 19 15:43:26 pf charon: 16[IKE] <con2000|13>received INVALID_ID_INFORMATION error notify</con2000|13></con2000|13></con2000|13></con2000|13></con2000|13></con2000|13></con2000|13></con2000|13></con2000|13> 

To be continued !  I will try to tune the rekey/reauth settings later this week.  But with pfSense 2.1.x everything was very stable, so it seems quite 2.2-related to me.

eri--

What is the other side of the tunnel?

swix

Hi Ermal and thanks for your answer :

@ermal:

What is the other side of the tunnel?

Not a pfsense for sure, but I will need to ask (in both case these are large companies with expensive setups).  Regards.

eri--

Which DH group you using?

cmb

@swix:

I have a similar issue as described here, and it it still seems to be the case on latest snapshot (2.2-RC (amd64) built on Fri Jan 16 11:53:08 CST 2015 FreeBSD 10.1-RELEASE-p4 on PC-Engines APU Board).

Is your Internet connectivity extremely unstable? It appears that's the bulk of OP's issue, he's in the middle of nowhere with connectivity that's hit and miss and that seems to be the source of remaining issues there.

swix

IKE: AES 256 encryption with SHA1 auth, 7800 SA lifetime, IKE DH group : Group 5, MODP 1536
IPSEC:  AES 256 encryption with SHA1 auth, 3600 SA lifetime, IPsec PFS group: Group 5, MODP 1536

Line is very stable (DSL 30Mbit) and has not changed since the upgrade from pfsense 2.1.x to latest 2.2-RC.

Everything remained quite stable the last 2-3 days, with only an issue this afternoon, which disappeared as usual after a complete stop + start of the ipsec service.