IPsec silently dies?
-
I am not sure if my observation has already been described in any of the numerous threads about IPsec issues under pfSense 2.2. If so, please move correspondingly.
I am rather new to IPsec. I have started recently with pfSense 2.2 to build up an IPsec VPN gateway allowing mobile clients to connect using IKEv2 and EAP-TLS. It is working with a Windows 7 client. There is just another issue: If I try to connect again after several hours, I cannot get any connection with my IPsec gateway. Although the process list looks fine
ps ax |grep charon
64927 - Is 0:00.01 /usr/local/libexec/ipsec/starter --daemon charon
65043 - Is 0:03.15 /usr/local/libexec/ipsec/charon --use-syslog
51819 0 S+ 0:00.00 grep charon
there is no connection attempt logged at all. If I restart IPsec on the pfSense machine I can immediately connect again.
My assumption so far: Charon is not correctly re-initialised after an IP change on the WAN interface.
Regards,
Peter
-
Hello,
I can confirm this, we've got the same problem for PC Engines ALI 1.4D Board and pfSense 2.2. But we've got a static IP address that would not be renewed. We did not lose the PPPoE connection. The IPsec mobile tunnel is rejected and no log entry in the IPsec tab is available.
After restarting the IPsec daemon everything works like a charm, for a quite short time, 4-12h.
So would it be fixed in the next release?
Best regards,
Daniel
-
Hi,
I seem to be suffering from the same, or similar, problem. IPSec stops responding to remote connections after a day or so, refusing any connections. I cannot see any attempt to connect logged on the IPSec log. Last time I was onsite where the pfSense system is, I was able to test locally, and by dumping packets I could see a UDP packet coming through for IPSec to handle, however, no further communication followed.
In my case, hitting 'restart IPSec' is not sufficient. I have to stop the service and then manually start it again for IPSec to work. I am unsure as to how I can help with more information for this to be reproduced.
-
Same problem here.
-
Me too.
-
Has anyone with this issue tried to turn up the debug logging level and look for messages after charon goes silent?
Though there are so many options, I'm not sure which ones would cover a lockup like this. Daemon, kernel, networking, job and lib would seem to be good ones to turn up.
-
The logging is so noisy even at silent that the logs are not really useful for anyone but IPsec freaks…
-
ISTR a patch to address that; the logging levels were not correctly applied.
Of course, now I can't seem to find it ….
Never mind, that seems to be included in 2.2 release: https://redmine.pfsense.org/projects/pfsense/repository/revisions/2ae99d06ce01d75a705c5c0e2563da4c24643343
-
What's included in 2.2? Less noisy IPsec logging?