Netgate Discussion Forum
    IPsec no longer works after updating to 2.2.3

    Category: Deutsch
    5 Posts 2 Posters 1.2k Views
    esquire1968:

      Hello everyone,

      unfortunately I got no answer to my question in the English forum, so I am trying it here.

      I have an IPsec tunnel that worked perfectly until the update to 2.2.3. At about the same time I installed FreeRadius2.

      Here is the log:

      Jul 19 13:59:51 ipsec_starter[71965]:  
      Jul 19 13:59:51 ipsec_starter[71965]: 'con1' routed 
      Jul 19 13:59:51 charon: 10[CFG] received stroke: route 'con1' 
      Jul 19 13:59:51 charon: 14[CFG] added configuration 'con1' 
      Jul 19 13:59:51 charon: 14[CFG] received stroke: add connection 'con1' 
      Jul 19 13:59:51 ipsec_starter[71965]: charon (72241) started after 60 ms 
      Jul 19 13:59:51 charon: 00[JOB] spawning 16 worker threads 
      Jul 19 13:59:51 charon: 00[LIB] loaded plugins: charon unbound aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf xcbc cmac hmac curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke smp updown eap-identity eap-sim eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap whitelist addrblock unity 
      Jul 19 13:59:51 charon: 00[CFG] loaded 0 RADIUS server configurations
      Jul 19 13:59:51 charon: 00[CFG] opening triplet file /var/etc/ipsec/ipsec.d/triplets.dat failed: No such file or directory
      Jul 19 13:59:51 charon: 00[CFG] loaded IKE secret for <my_dyndns> <ip_remote_gateway>
      Jul 19 13:59:51 charon: 00[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
      Jul 19 13:59:51 charon: 00[CFG] loading crls from '/var/etc/ipsec/ipsec.d/crls' 
      Jul 19 13:59:51 charon: 00[CFG] loading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts' 
      Jul 19 13:59:51 charon: 00[CFG] loading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts' 
      Jul 19 13:59:51 charon: 00[CFG] loading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts' 
      Jul 19 13:59:51 charon: 00[CFG] loaded ca certificate ".........." from '/var/etc/ipsec/ipsec.d/cacerts/df28683a.0.crt' 
      Jul 19 13:59:51 charon: 00[CFG] loaded ca certificate ".........." from '/var/etc/ipsec/ipsec.d/cacerts/a9025906.0.crt' 
      Jul 19 13:59:51 charon: 00[CFG] loading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts' 
      Jul 19 13:59:51 charon: 00[CFG] ipseckey plugin is disabled 
      Jul 19 13:59:51 charon: 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
      Jul 19 13:59:51 charon: 00[KNL] unable to set UDP_ENCAP: Invalid argument
      Jul 19 13:59:51 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.3.2, FreeBSD 10.1-RELEASE-p13, amd64) 
      Jul 19 13:59:51 ipsec_starter[71373]: no known IPsec stack detected, ignoring! 
      Jul 19 13:59:51 ipsec_starter[71373]: no KLIPS IPsec stack detected 
      Jul 19 13:59:51 ipsec_starter[71373]: no netkey IPsec stack detected 
      Jul 19 13:59:51 ipsec_starter[71373]: Starting strongSwan 5.3.2 IPsec [starter]...
      

      Please help, this is urgent!

      Many thanks in advance.

      esquire1968

    voleatech:

        Hi esquire1968,

        what does the IPsec daemon report in its status?
        Is it running at all?

        Best regards
        Sven

    esquire1968:

          Hi!

          Yes, the service is running!

          Regards
          Thomas

          (attachment: services.JPG)

    voleatech:

            Hi Thomas,

            have you already tried switching AES-NI off?
            There is a bug in 2.2.3 that blocks IPsec traffic if you have not selected AES-NI as the encryption.
            Under System->Advanced->Miscellaneous set AES-NI to None and then reboot the pfSense.

            Does that trick work?

            Regards
            Sven

    esquire1968:

              Thanks for your tip! Cryptographic Hardware was already set to 'none'.

              I also noticed the following log entries:

              Jul 23 08:28:59 php-fpm[53850]: /vpn_ipsec_settings.php: The command '/usr/local/sbin/ipsec stroke loglevel mgr 4' returned exit code '255', the output was 'connecting to 'unix:///var/run/charon.ctl' failed: No such file or directory failed to connect to stroke socket 'unix:///var/run/charon.ctl'' 
              Jul 23 08:28:59 php-fpm[53850]: /vpn_ipsec_settings.php: The command '/usr/local/sbin/ipsec stroke loglevel dmn 4' returned exit code '255', the output was 'connecting to 'unix:///var/run/charon.ctl' failed: No such file or directory failed to connect to stroke socket 'unix:///var/run/charon.ctl'' 
              
              

              … and in the IPsec log:

              Jul 23 08:29:33 charon: 00[CFG] opening triplet file /var/etc/ipsec/ipsec.d/triplets.dat failed: No such file or directory 
              

              I cannot find the file 'triplets.dat' anywhere on the whole pfSense.

              Maybe that is a starting point.

              In any case, many thanks for your effort.

              Regards
              Thomas

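The thread stops without a resolution, but the two logs quoted above already separate the noise from the real symptom: the Jul 19 lines (posted newest-first) show ipsec_starter bringing charon up, while the Jul 23 php-fpm entries show that `/var/run/charon.ctl`, the control socket that only exists while charon is alive, was gone when the GUI tried to talk to it. Whatever Status > Services displays, charon was not running at that moment. The following POSIX shell script is an added example (not from the thread, Netgate, pfSense or strongSwan) that checks the socket live on the box and triages a saved copy of the log offline; it assumes the message texts are those of strongSwan 5.x as shipped with pfSense 2.2.x, the socket path named in the php-fpm error, and that the sample log it writes (a subset of the thread's own lines, embedded as constructed input) stands in for a real dump of the IPsec log.

```shell
#!/bin/sh
# Added example for this thread; not code from pfSense, Netgate or strongSwan.
# Assumptions: message texts are those of strongSwan 5.x in pfSense 2.2.x, and
# charon's stroke control socket is /var/run/charon.ctl (the path quoted in the
# php-fpm errors in the thread).

# Live check on the firewall: the stroke socket exists only while charon runs,
# so this is a stronger signal than the Status > Services page.
charon_reachable() {
  [ -S "${1:-/var/run/charon.ctl}" ]
}

# Constructed sample input: a subset of the lines posted in the thread, written to $1.
write_sample_log() {
  cat > "$1" <<'EOF'
Jul 19 13:59:51 ipsec_starter[71373]: Starting strongSwan 5.3.2 IPsec [starter]...
Jul 19 13:59:51 ipsec_starter[71373]: no netkey IPsec stack detected
Jul 19 13:59:51 ipsec_starter[71373]: no KLIPS IPsec stack detected
Jul 19 13:59:51 ipsec_starter[71373]: no known IPsec stack detected, ignoring!
Jul 19 13:59:51 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.3.2, FreeBSD 10.1-RELEASE-p13, amd64)
Jul 19 13:59:51 charon: 00[KNL] unable to set UDP_ENCAP: Invalid argument
Jul 19 13:59:51 charon: 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
Jul 19 13:59:51 charon: 00[CFG] opening triplet file /var/etc/ipsec/ipsec.d/triplets.dat failed: No such file or directory
Jul 19 13:59:51 charon: 00[CFG] loaded 0 RADIUS server configurations
Jul 19 13:59:51 ipsec_starter[71965]: charon (72241) started after 60 ms
Jul 23 08:28:59 php-fpm[53850]: /vpn_ipsec_settings.php: The command '/usr/local/sbin/ipsec stroke loglevel dmn 4' returned exit code '255', the output was 'connecting to 'unix:///var/run/charon.ctl' failed: No such file or directory failed to connect to stroke socket 'unix:///var/run/charon.ctl''
EOF
}

# Offline triage of a saved log. Prints one finding per line and returns 1 when
# the log proves charon was unreachable, 0 otherwise.
triage_ipsec_log() {
  log="$1"
  rc=0
  if grep -qF "failed to connect to stroke socket" "$log"; then
    echo "CRITICAL: stroke socket missing: charon was not running when the GUI called it"
    rc=1
  fi
  if grep -qF "Starting IKE charon daemon" "$log" && ! grep -qF "started after" "$log"; then
    echo "WARN: charon start logged but ipsec_starter never reported it up"
  fi
  if grep -qF "unable to set UDP_ENCAP" "$log"; then
    echo "INFO: IPv6 UDP_ENCAP (NAT-T on 4500) is not supported by this kernel; IPv4 NAT-T is a separate socket"
  fi
  if grep -qF "opening triplet file" "$log"; then
    echo "INFO: triplets.dat is the EAP-SIM triplet store; its absence only matters if EAP-SIM is used"
  fi
  if grep -qF "loaded 0 RADIUS server configurations" "$log"; then
    echo "INFO: no RADIUS servers configured for eap-radius; installing the FreeRADIUS package alone adds none"
  fi
  if grep -qF "no known IPsec stack detected" "$log"; then
    echo "INFO: KLIPS/netkey probes are Linux-only; FreeBSD uses kernel-pfkey, so this is expected"
  fi
  return "$rc"
}

# Number of CRITICAL findings, usable as a one-number health check from cron.
critical_count() {
  triage_ipsec_log "$1" | grep -c '^CRITICAL' || true
}

# Usage: sh triage.sh /path/to/saved-ipsec-log
if [ $# -gt 0 ]; then
  triage_ipsec_log "$1"
fi
```

On the box itself, `charon_reachable` without an argument is the quickest answer to "is it running at all?": if it returns false while the services page shows IPsec as running, look at the system log around the last start for the reason charon exited rather than at the charon startup chatter, which the INFO lines above classify as expected on FreeBSD.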
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.