IPSEC connection problem
-
Hello,
Just updated to 2.2.6 and I'm having connection problems that weren't happening before the update. Our tunnel goes down after about an hour or so of use. It still shows up inside the status for IPSEC but doesn't work. I called the other company and from their end it shows down. The only way for me to get it back up is to stop the service and restart it. Clicking on the play button to enable/disable the connection does not work. Can anyone suggest anything for me to try?
Below are the logs.
Thanks!
Jan 26 18:17:38 ipsec_starter[45536]:
Jan 26 18:17:38 ipsec_starter[45536]: 'con1000' routed
Jan 26 18:17:38 ipsec_starter[45536]:
Jan 26 18:17:38 ipsec_starter[45536]: 'bypasslan' shunt PASS policy installed
Jan 26 18:17:38 ipsec_starter[45536]:
Jan 26 18:17:38 ipsec_starter[45536]: configuration 'con1000' unrouted
Jan 26 18:17:38 ipsec_starter[45536]:
Jan 26 18:17:38 ipsec_starter[45536]: shunt policy 'bypasslan' uninstalled
Jan 26 18:11:51 ipsec_starter[45536]:
Jan 26 18:11:51 ipsec_starter[45536]: 'con1000' routed
Jan 26 18:11:51 ipsec_starter[45536]:
Jan 26 18:11:51 ipsec_starter[45536]: 'bypasslan' shunt PASS policy installed
Jan 26 18:11:51 ipsec_starter[45536]:
Jan 26 18:11:51 ipsec_starter[45536]: configuration 'con2001' unrouted
Jan 26 18:11:51 ipsec_starter[45536]:
Jan 26 18:11:51 ipsec_starter[45536]: configuration 'con2000' unrouted
Jan 26 18:11:51 ipsec_starter[45536]:
Jan 26 18:11:51 ipsec_starter[45536]: configuration 'con1000' unrouted
Jan 26 18:11:51 ipsec_starter[45536]:
Jan 26 18:11:51 ipsec_starter[45536]: shunt policy 'bypasslan' uninstalled
Jan 26 18:11:42 charon: 10[MGR] <con1000|1>check-in of IKE_SA successful.
Jan 26 18:11:42 charon: 10[MGR] <con1000|1>checkin IKE_SA con1000[1]
Jan 26 18:11:42 charon: 10[MGR] IKE_SA con1000[1] successfully checked out
Jan 26 18:11:42 charon: 10[MGR] checkout IKE_SA
Jan 26 18:11:42 charon: 12[MGR] <con1000|1>check-in of IKE_SA successful.
Jan 26 18:11:42 charon: 12[MGR] <con1000|1>checkin IKE_SA con1000[1]
Jan 26 18:11:42 charon: 12[MGR] IKE_SA con1000[1] successfully checked out
Jan 26 18:11:42 charon: 12[MGR] checkout IKE_SA
Jan 26 18:11:42 charon: 12[MGR] <con1000|1>check-in of IKE_SA successful.
Jan 26 18:11:42 charon: 12[MGR] <con1000|1>checkin IKE_SA con1000[1]
Jan 26 18:11:42 charon: 12[MGR] IKE_SA con1000[1] successfully checked out
Jan 26 18:11:42 charon: 12[MGR] checkout IKE_SA
Jan 26 18:11:42 charon: 12[MGR] <con1000|1>check-in of IKE_SA successful.
Jan 26 18:11:42 charon: 12[MGR] <con1000|1>checkin IKE_SA con1000[1]
Jan 26 18:11:42 charon: 12[MGR] IKE_SA con1000[1] successfully checked out
Jan 26 18:11:42 charon: 12[MGR] checkout IKE_SA
Jan 26 18:11:38 charon: 05[NET] sending packet: from x.x.x.x[500] to x.x.x.x[500]
Jan 26 18:11:38 charon: 12[MGR] <con1000|1>check-in of IKE_SA successful.
Jan 26 18:11:38 charon: 12[MGR] <con1000|1>checkin IKE_SA con1000[1]
Jan 26 18:11:38 charon: 12[NET] <con1000|1>sending packet: from x.x.x.x[500] to x.x.x.x[500] (60 bytes)
Jan 26 18:11:38 charon: 12[IKE] <con1000|1>CHILD_SA con1000{4} established with SPIs c15be0d1_i 4867f4c2_o and TS x.x.x.x/32|172.16.0.0/12 === x.x.x.x/32|/0
Jan 26 18:11:38 charon: 12[NET] <con1000|1>received packet: from x.x.x.x[500] to x.x.x.x[500] (180 bytes)
Jan 26 18:11:38 charon: 12[MGR] IKE_SA con1000[1] successfully checked out
Jan 26 18:11:38 charon: 12[MGR] checkout IKE_SA by message
Jan 26 18:11:38 charon: 06[NET] waiting for data on sockets
Jan 26 18:11:38 charon: 06[NET] received packet: from x.x.x.x[500] to x.x.x.x[500]
Jan 26 18:11:38 charon: 12[MGR] <con1000|1>check-in of IKE_SA successful.
Jan 26 18:11:38 charon: 05[NET] sending packet: from x.x.x.x[500] to x.x.x.x[500]
Jan 26 18:11:38 charon: 12[MGR] <con1000|1>checkin IKE_SA con1000[1]
Jan 26 18:11:38 charon: 12[NET] <con1000|1>sending packet: from x.x.x.x[500] to x.x.x.x[500] (164 bytes)
Jan 26 18:11:38 charon: 12[IKE] <con1000|1>IKE_SA con1000[1] established between x.x.x.x[x.x.x.x]…x.x.x.x[x.x.x.x]
Jan 26 18:11:38 charon: 12[NET] <con1000|1>received packet: from x.x.x.x[500] to x.x.x.x[500] (68 bytes)
Jan 26 18:11:38 charon: 12[MGR] IKE_SA con1000[1] successfully checked out
Jan 26 18:11:38 charon: 12[MGR] checkout IKE_SA by message
Jan 26 18:11:38 charon: 06[NET] waiting for data on sockets
Jan 26 18:11:38 charon: 06[NET] received packet: from x.x.x.x[500] to x.x.x.x[500]
Jan 26 18:11:38 charon: 12[MGR] <con1000|1>check-in of IKE_SA successful.
Jan 26 18:11:38 charon: 05[NET] sending packet: from x.x.x.x[500] to x.x.x.x[500]
Jan 26 18:11:38 charon: 12[MGR] <con1000|1>checkin IKE_SA con1000[1]
Jan 26 18:11:38 charon: 12[NET] <con1000|1>sending packet: from x.x.x.x[500] to x.x.x.x[500] (68 bytes)
Jan 26 18:11:38 charon: 12[NET] <con1000|1>received packet: from x.x.x.x[500] to x.x.x.x[500] (304 bytes)
Jan 26 18:11:38 charon: 12[MGR] IKE_SA con1000[1] successfully checked out
Jan 26 18:11:38 charon: 12[MGR] checkout IKE_SA by message
Jan 26 18:11:38 charon: 06[NET] waiting for data on sockets
Jan 26 18:11:38 charon: 06[NET] received packet: from x.x.x.x[500] to x.x.x.x[500]
Jan 26 18:11:38 charon: 05[NET] sending packet: from x.x.x.x[500] to x.x.x.x[500]
Jan 26 18:11:38 charon: 11[MGR] <con1000|1>check-in of IKE_SA successful.
Jan 26 18:11:38 charon: 11[MGR] <con1000|1>checkin IKE_SA con1000[1]
Jan 26 18:11:38 charon: 11[NET] <con1000|1>sending packet: from x.x.x.x[500] to x.x.x.x[500] (244 bytes)
Jan 26 18:11:38 charon: 11[NET] <con1000|1>received packet: from x.x.x.x[500] to x.x.x.x[500] (128 bytes)
Jan 26 18:11:38 charon: 11[MGR] IKE_SA con1000[1] successfully checked out
Jan 26 18:11:38 charon: 11[MGR] checkout IKE_SA by message
Jan 26 18:11:38 charon: 06[NET] waiting for data on sockets
Jan 26 18:11:38 charon: 06[NET] received packet: from x.x.x.x[500] to x.x.x.x[500]
Jan 26 18:11:38 charon: 05[NET] sending packet: from x.x.x.x[500] to x.x.x.x[500]
Jan 26 18:11:38 charon: 11[MGR] <con1000|1>checkin IKE_SA con1000[1]
Jan 26 18:11:38 charon: 11[NET] <con1000|1>sending packet: from x.x.x.x[500] to x.x.x.x[500] (180 bytes)
Jan 26 18:11:38 charon: 11[IKE] <con1000|1>initiating Main Mode IKE_SA con1000[1] to x.x.x.x
Jan 26 18:11:38 charon: 11[MGR] created IKE_SA (unnamed)[1]
Jan 26 18:11:38 charon: 11[MGR] checkout IKE_SA by config
Jan 26 18:11:27 ipsec_starter[45536]:
Jan 26 18:11:27 ipsec_starter[45536]: 'con2001' routed
Jan 26 18:11:27 ipsec_starter[45536]:
Jan 26 18:11:27 ipsec_starter[45536]: 'con2000' routed
Jan 26 18:11:27 ipsec_starter[45536]:
Jan 26 18:11:27 ipsec_starter[45536]: 'con1000' routed
Jan 26 18:11:27 ipsec_starter[45536]:
Jan 26 18:11:27 ipsec_starter[45536]: 'bypasslan' shunt PASS policy installed
Jan 26 18:11:27 ipsec_starter[45536]: charon (45548) started after 40 ms
Jan 26 18:11:27 charon: 06[NET] waiting for data on sockets
Jan 26 18:11:27 charon: 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
Jan 26 18:11:27 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.3.5, FreeBSD 10.1-RELEASE-p25, amd64)
Jan 26 18:11:27 ipsec_starter[44754]: no known IPsec stack detected, ignoring!
Jan 26 18:11:27 ipsec_starter[44754]: no KLIPS IPsec stack detected
Jan 26 18:11:27 ipsec_starter[44754]: no netkey IPsec stack detected
Jan 26 18:11:27 ipsec_starter[44754]: Starting strongSwan 5.3.5 IPsec [starter]…
Jan 26 18:11:19 ipsec_starter[24825]: ipsec starter stopped
Jan 26 18:11:19 ipsec_starter[24825]: charon stopped after 200 ms
Jan 26 18:11:19 charon: 09[NET] sending packet: from x.x.x.x[500] to x.x.x.x[500]
Jan 26 18:11:19 charon: 00[MGR] <con1000|1>destroy all entries
-
What version did you upgrade from?
The logs there look like they start from when the restart occurred, and just show a successful negotiation. What logs do you have from prior to the restart? Diag>Command, 'clog /var/log/ipsec.log' to get the entirety of what's on the system now if it's rolled off the log display page.
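Added example, not part of the reply above or of pfSense/strongSwan: a small Python sketch that turns a newest-first charon/ipsec_starter excerpt into an oldest-first timeline and checks whether any tunnel events were logged before the most recent daemon start. The function names and event labels are hypothetical; the sample lines are copied from the excerpt in the first post.

```python
import re

# Lines copied from the excerpt in the first post (newest first,
# addresses already masked by the poster).
SAMPLE = """\
Jan 26 18:17:38 ipsec_starter[45536]: 'con1000' routed
Jan 26 18:11:38 charon: 12[IKE] <con1000|1>CHILD_SA con1000{4} established with SPIs c15be0d1_i 4867f4c2_o and TS x.x.x.x/32|172.16.0.0/12 === x.x.x.x/32|/0
Jan 26 18:11:38 charon: 12[IKE] <con1000|1>IKE_SA con1000[1] established between x.x.x.x[x.x.x.x]…x.x.x.x[x.x.x.x]
Jan 26 18:11:38 charon: 11[IKE] <con1000|1>initiating Main Mode IKE_SA con1000[1] to x.x.x.x
Jan 26 18:11:27 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.3.5, FreeBSD 10.1-RELEASE-p25, amd64)
Jan 26 18:11:19 ipsec_starter[24825]: ipsec starter stopped
""".splitlines()

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (.*)$")
# Only message texts that appear in the posted log are matched.
EVENTS = [
    ("daemon_stop", re.compile(r"ipsec starter stopped")),
    ("daemon_start", re.compile(r"Starting IKE charon daemon")),
    ("ike_init", re.compile(r"initiating Main Mode IKE_SA (\S+)\[")),
    ("ike_up", re.compile(r"IKE_SA (\S+)\[\d+\] established between")),
    ("child_up", re.compile(r"CHILD_SA (\S+)\{\d+\} established")),
]

def timeline(lines):
    """Return key events oldest-first as (timestamp, event, connection)."""
    out = []
    for raw in reversed(list(lines)):  # the excerpt is newest-first
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, msg = m.groups()
        for name, pat in EVENTS:
            hit = pat.search(msg)
            if hit:
                out.append((ts, name, hit.group(1) if hit.groups() else None))
                break
    return out

def tunnel_events_before_last_start(events):
    """Tunnel events logged before the most recent daemon start.
    An empty list means the excerpt holds nothing from before the restart."""
    starts = [i for i, e in enumerate(events) if e[1] == "daemon_start"]
    cut = starts[-1] if starts else len(events)
    return [e for e in events[:cut] if e[2]]

if __name__ == "__main__":
    for ts, name, conn in timeline(SAMPLE):
        print(ts, name, conn or "")
    print("pre-restart tunnel events:", tunnel_events_before_last_start(timeline(SAMPLE)))
```

An empty result for the posted excerpt matches the reply's observation: the failure itself would only be visible in older entries, such as the full output of `clog /var/log/ipsec.log`.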
-
Hello,
Thanks for your help! I was on 2.2.5. Here is the full log. I attached it as a text file.
Thanks again!
-
Was wondering if you have had any update on this?