Netgate Discussion Forum
    IPSEC connection problem

    IPsec
    4 Posts 2 Posters 4.5k Views
    dboe732

      Hello,
      Just updated to 2.2.6 and I'm having connection problems that weren't happening before the update. Our tunnel goes down after about an hour or so of use. It still shows up inside the status for IPsec but doesn't work. I called the other company and from their end it shows down.

      The only way for me to get it back up is to stop the service and restart it. Clicking on the play button to enable/disable the connection does not work. Can anyone suggest anything for me to try?

      Below are the logs.

      Thanks!

      Jan 26 18:17:38 ipsec_starter[45536]:
      Jan 26 18:17:38 ipsec_starter[45536]: 'con1000' routed
      Jan 26 18:17:38 ipsec_starter[45536]:
      Jan 26 18:17:38 ipsec_starter[45536]: 'bypasslan' shunt PASS policy installed
      Jan 26 18:17:38 ipsec_starter[45536]:
      Jan 26 18:17:38 ipsec_starter[45536]: configuration 'con1000' unrouted
      Jan 26 18:17:38 ipsec_starter[45536]:
      Jan 26 18:17:38 ipsec_starter[45536]: shunt policy 'bypasslan' uninstalled
      Jan 26 18:11:51 ipsec_starter[45536]:
      Jan 26 18:11:51 ipsec_starter[45536]: 'con1000' routed
      Jan 26 18:11:51 ipsec_starter[45536]:
      Jan 26 18:11:51 ipsec_starter[45536]: 'bypasslan' shunt PASS policy installed
      Jan 26 18:11:51 ipsec_starter[45536]:
      Jan 26 18:11:51 ipsec_starter[45536]: configuration 'con2001' unrouted
      Jan 26 18:11:51 ipsec_starter[45536]:
      Jan 26 18:11:51 ipsec_starter[45536]: configuration 'con2000' unrouted
      Jan 26 18:11:51 ipsec_starter[45536]:
      Jan 26 18:11:51 ipsec_starter[45536]: configuration 'con1000' unrouted
      Jan 26 18:11:51 ipsec_starter[45536]:
      Jan 26 18:11:51 ipsec_starter[45536]: shunt policy 'bypasslan' uninstalled
      Jan 26 18:11:42 charon: 10[MGR] <con1000|1> check-in of IKE_SA successful.
      Jan 26 18:11:42 charon: 10[MGR] <con1000|1> checkin IKE_SA con1000[1]
      Jan 26 18:11:42 charon: 10[MGR] IKE_SA con1000[1] successfully checked out
      Jan 26 18:11:42 charon: 10[MGR] checkout IKE_SA
      Jan 26 18:11:42 charon: 12[MGR] <con1000|1> check-in of IKE_SA successful.
      Jan 26 18:11:42 charon: 12[MGR] <con1000|1> checkin IKE_SA con1000[1]
      Jan 26 18:11:42 charon: 12[MGR] IKE_SA con1000[1] successfully checked out
      Jan 26 18:11:42 charon: 12[MGR] checkout IKE_SA
      Jan 26 18:11:42 charon: 12[MGR] <con1000|1> check-in of IKE_SA successful.
      Jan 26 18:11:42 charon: 12[MGR] <con1000|1> checkin IKE_SA con1000[1]
      Jan 26 18:11:42 charon: 12[MGR] IKE_SA con1000[1] successfully checked out
      Jan 26 18:11:42 charon: 12[MGR] checkout IKE_SA
      Jan 26 18:11:42 charon: 12[MGR] <con1000|1> check-in of IKE_SA successful.
      Jan 26 18:11:42 charon: 12[MGR] <con1000|1> checkin IKE_SA con1000[1]
      Jan 26 18:11:42 charon: 12[MGR] IKE_SA con1000[1] successfully checked out
      Jan 26 18:11:42 charon: 12[MGR] checkout IKE_SA
      Jan 26 18:11:38 charon: 05[NET] sending packet: from x.x.x.x[500] to x.x.x.x[500]
      Jan 26 18:11:38 charon: 12[MGR] <con1000|1> check-in of IKE_SA successful.
      Jan 26 18:11:38 charon: 12[MGR] <con1000|1> checkin IKE_SA con1000[1]
      Jan 26 18:11:38 charon: 12[NET] <con1000|1> sending packet: from x.x.x.x[500] to x.x.x.x[500] (60 bytes)
      Jan 26 18:11:38 charon: 12[IKE] <con1000|1> CHILD_SA con1000{4} established with SPIs c15be0d1_i 4867f4c2_o and TS x.x.x.x/32|172.16.0.0/12 === x.x.x.x/32|/0
      Jan 26 18:11:38 charon: 12[NET] <con1000|1> received packet: from x.x.x.x[500] to x.x.x.x[500] (180 bytes)
      Jan 26 18:11:38 charon: 12[MGR] IKE_SA con1000[1] successfully checked out
      Jan 26 18:11:38 charon: 12[MGR] checkout IKE_SA by message
      Jan 26 18:11:38 charon: 06[NET] waiting for data on sockets
      Jan 26 18:11:38 charon: 06[NET] received packet: from x.x.x.x[500] to x.x.x.x[500]
      Jan 26 18:11:38 charon: 12[MGR] <con1000|1> check-in of IKE_SA successful.
      Jan 26 18:11:38 charon: 05[NET] sending packet: from x.x.x.x[500] to x.x.x.x[500]
      Jan 26 18:11:38 charon: 12[MGR] <con1000|1> checkin IKE_SA con1000[1]
      Jan 26 18:11:38 charon: 12[NET] <con1000|1> sending packet: from x.x.x.x[500] to x.x.x.x[500] (164 bytes)
      Jan 26 18:11:38 charon: 12[IKE] <con1000|1> IKE_SA con1000[1] established between x.x.x.x[x.x.x.x]…x.x.x.x[x.x.x.x]
      Jan 26 18:11:38 charon: 12[NET] <con1000|1> received packet: from x.x.x.x[500] to x.x.x.x[500] (68 bytes)
      Jan 26 18:11:38 charon: 12[MGR] IKE_SA con1000[1] successfully checked out
      Jan 26 18:11:38 charon: 12[MGR] checkout IKE_SA by message
      Jan 26 18:11:38 charon: 06[NET] waiting for data on sockets
      Jan 26 18:11:38 charon: 06[NET] received packet: from x.x.x.x[500] to x.x.x.x[500]
      Jan 26 18:11:38 charon: 12[MGR] <con1000|1> check-in of IKE_SA successful.
      Jan 26 18:11:38 charon: 05[NET] sending packet: from x.x.x.x[500] to x.x.x.x[500]
      Jan 26 18:11:38 charon: 12[MGR] <con1000|1> checkin IKE_SA con1000[1]
      Jan 26 18:11:38 charon: 12[NET] <con1000|1> sending packet: from x.x.x.x[500] to x.x.x.x[500] (68 bytes)
      Jan 26 18:11:38 charon: 12[NET] <con1000|1> received packet: from x.x.x.x[500] to x.x.x.x[500] (304 bytes)
      Jan 26 18:11:38 charon: 12[MGR] IKE_SA con1000[1] successfully checked out
      Jan 26 18:11:38 charon: 12[MGR] checkout IKE_SA by message
      Jan 26 18:11:38 charon: 06[NET] waiting for data on sockets
      Jan 26 18:11:38 charon: 06[NET] received packet: from x.x.x.x[500] to x.x.x.x[500]
      Jan 26 18:11:38 charon: 05[NET] sending packet: from x.x.x.x[500] to x.x.x.x[500]
      Jan 26 18:11:38 charon: 11[MGR] <con1000|1> check-in of IKE_SA successful.
      Jan 26 18:11:38 charon: 11[MGR] <con1000|1> checkin IKE_SA con1000[1]
      Jan 26 18:11:38 charon: 11[NET] <con1000|1> sending packet: from x.x.x.x[500] to x.x.x.x[500] (244 bytes)
      Jan 26 18:11:38 charon: 11[NET] <con1000|1> received packet: from x.x.x.x[500] to x.x.x.x[500] (128 bytes)
      Jan 26 18:11:38 charon: 11[MGR] IKE_SA con1000[1] successfully checked out
      Jan 26 18:11:38 charon: 11[MGR] checkout IKE_SA by message
      Jan 26 18:11:38 charon: 06[NET] waiting for data on sockets
      Jan 26 18:11:38 charon: 06[NET] received packet: from x.x.x.x[500] to x.x.x.x[500]
      Jan 26 18:11:38 charon: 05[NET] sending packet: from x.x.x.x[500] to x.x.x.x[500]
      Jan 26 18:11:38 charon: 11[MGR] <con1000|1> checkin IKE_SA con1000[1]
      Jan 26 18:11:38 charon: 11[NET] <con1000|1> sending packet: from x.x.x.x[500] to x.x.x.x[500] (180 bytes)
      Jan 26 18:11:38 charon: 11[IKE] <con1000|1> initiating Main Mode IKE_SA con1000[1] to x.x.x.x
      Jan 26 18:11:38 charon: 11[MGR] created IKE_SA (unnamed)[1]
      Jan 26 18:11:38 charon: 11[MGR] checkout IKE_SA by config
      Jan 26 18:11:27 ipsec_starter[45536]:
      Jan 26 18:11:27 ipsec_starter[45536]: 'con2001' routed
      Jan 26 18:11:27 ipsec_starter[45536]:
      Jan 26 18:11:27 ipsec_starter[45536]: 'con2000' routed
      Jan 26 18:11:27 ipsec_starter[45536]:
      Jan 26 18:11:27 ipsec_starter[45536]: 'con1000' routed
      Jan 26 18:11:27 ipsec_starter[45536]:
      Jan 26 18:11:27 ipsec_starter[45536]: 'bypasslan' shunt PASS policy installed
      Jan 26 18:11:27 ipsec_starter[45536]: charon (45548) started after 40 ms
      Jan 26 18:11:27 charon: 06[NET] waiting for data on sockets
      Jan 26 18:11:27 charon: 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
      Jan 26 18:11:27 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.3.5, FreeBSD 10.1-RELEASE-p25, amd64)
      Jan 26 18:11:27 ipsec_starter[44754]: no known IPsec stack detected, ignoring!
      Jan 26 18:11:27 ipsec_starter[44754]: no KLIPS IPsec stack detected
      Jan 26 18:11:27 ipsec_starter[44754]: no netkey IPsec stack detected
      Jan 26 18:11:27 ipsec_starter[44754]: Starting strongSwan 5.3.5 IPsec [starter]…
      Jan 26 18:11:19 ipsec_starter[24825]: ipsec starter stopped
      Jan 26 18:11:19 ipsec_starter[24825]: charon stopped after 200 ms
      Jan 26 18:11:19 charon: 09[NET] sending packet: from x.x.x.x[500] to x.x.x.x[500]
      Jan 26 18:11:19 charon: 00[MGR] <con1000|1> destroy all entries

      cmb

        What version did you upgrade from?

        The logs there look like they start from when the restart occurred, and just show a successful negotiation. What logs do you have from prior to the restart? Diag>Command, 'clog /var/log/ipsec.log' to get the entirety of what's on the system now if it's rolled off the log display page.

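        To work through the log format quoted in the opening post, and through a full `clog /var/log/ipsec.log` dump of the kind cmb asks for, here is an added parser (example code written for this thread, not from pfSense or strongSwan). It undoes the viewer's newest-first order, keeps only the events that say what charon and the starter did to the tunnel, and reports per connection the IKE_SA/CHILD_SA establishments with SPIs, teardowns, the routed/unrouted state, and the gap between consecutive CHILD_SAs, since a rekey is expected roughly once per lifetime and the last gap before a tunnel went dead is the first thing to check. The sample log is constructed on the model of the posted lines, with addresses left as x.x.x.x as the poster had them and one extra CHILD_SA at 17:11:38 standing in for the SA in use before the manual restart; the event patterns use strongSwan's standard message wording.

```python
"""Parse pfSense's strongSwan (charon) IPsec log into the events that matter when a
tunnel "shows up" but passes no traffic. Constructed example for this thread, not
pfSense or strongSwan code: takes the log as the 2.2.x viewer (or a pasted
`clog /var/log/ipsec.log`) shows it, newest line first, restores chronological order
and reports charon stop/start, IKE_SA/CHILD_SA establishment with SPIs, SA teardown
and the starter's routed/unrouted state per connection."""
import re
from datetime import datetime

# Constructed sample modelled on the lines posted in the thread (addresses redacted to
# x.x.x.x as the poster did), newest first. The 17:11:38 CHILD_SA is added to stand for
# the SA that was in use before the manual service restart.
SAMPLE_LOG = """\
Jan 26 18:17:38 ipsec_starter[45536]: 'con1000' routed
Jan 26 18:17:38 ipsec_starter[45536]: 'bypasslan' shunt PASS policy installed
Jan 26 18:17:38 ipsec_starter[45536]: configuration 'con1000' unrouted
Jan 26 18:11:42 charon: 12[MGR] <con1000|1> check-in of IKE_SA successful.
Jan 26 18:11:38 charon: 12[IKE] <con1000|1> CHILD_SA con1000{4} established with SPIs c15be0d1_i 4867f4c2_o and TS x.x.x.x/32|172.16.0.0/12 === x.x.x.x/32|0.0.0.0/0
Jan 26 18:11:38 charon: 12[IKE] <con1000|1> IKE_SA con1000[1] established between x.x.x.x[x.x.x.x]...x.x.x.x[x.x.x.x]
Jan 26 18:11:38 charon: 11[IKE] <con1000|1> initiating Main Mode IKE_SA con1000[1] to x.x.x.x
Jan 26 18:11:27 ipsec_starter[45536]: 'con1000' routed
Jan 26 18:11:27 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.3.5, FreeBSD 10.1-RELEASE-p25, amd64)
Jan 26 18:11:19 ipsec_starter[24825]: charon stopped after 200 ms
Jan 26 18:11:19 charon: 00[MGR] <con1000|1> destroy all entries
Jan 26 17:11:38 charon: 09[IKE] <con1000|1> CHILD_SA con1000{3} established with SPIs 0a1b2c3d_i 4e5f6071_o and TS x.x.x.x/32|172.16.0.0/12 === x.x.x.x/32|0.0.0.0/0
"""

# "Jan 26 18:11:38 charon: 12[IKE] <con1000|1> ..." or "... ipsec_starter[45536]: 'con1000' routed"
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
                     r"(?P<src>charon|ipsec_starter\[\d+\]): ?(?P<msg>.*)$")
# charon prefixes each message with "<thread>[<group>] <conn|ike_sa_id>"; the space
# after ">" may be missing when the log was copied out of a web page, hence \s*.
PREFIX_RE = re.compile(r"^\d{2}\[\w+\]\s*(?:<(?P<conn>[\w-]+)\|\d+>)?\s*")
# Patterns follow strongSwan's standard wording; (conn) captures the connection name.
EVENTS = [
    ("charon_start", re.compile(r"^Starting IKE charon daemon")),
    ("charon_stop", re.compile(r"^charon stopped after")),
    ("ike_sa_established", re.compile(r"^IKE_SA (?P<conn>[\w-]+)\[\d+\] established")),
    ("child_sa_established", re.compile(r"^CHILD_SA (?P<conn>[\w-]+)\{\d+\} established "
                                        r"with SPIs (?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o")),
    ("destroy_all", re.compile(r"^destroy all entries")),
    ("routed", re.compile(r"^'(?P<conn>[\w-]+)' routed$")),
    ("unrouted", re.compile(r"^configuration '(?P<conn>[\w-]+)' unrouted$")),
]


def parse_line(line, year=2000):
    """Return an event dict for a line we care about, else None. syslog stamps carry
    no year; 2000 is a leap year so a Feb 29 line still parses if none is given."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    msg, conn = m["msg"], None
    pm = PREFIX_RE.match(msg)
    if pm:                                # charon line: drop the thread tag, keep the SA's conn
        conn, msg = pm["conn"], msg[pm.end():]
    for kind, pat in EVENTS:
        em = pat.match(msg)
        if em:
            ev = {"ts": ts, "src": m["src"], "kind": kind, "conn": conn, "raw": m["msg"]}
            ev.update({k: v for k, v in em.groupdict().items() if v is not None})
            return ev
    return None


def timeline(log_text, newest_first=True, year=2000):
    """Recognised events in chronological order. The pfSense viewer lists newest first,
    so reverse before the (stable) sort to keep the order of same-second lines."""
    lines = log_text.splitlines()
    if newest_first:
        lines.reverse()
    events = [e for e in (parse_line(l, year) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    return events


def summarize(events):
    """Daemon stop/start counts plus, per connection: IKE_SA times, CHILD_SAs with SPIs
    and the gap since the previous CHILD_SA, teardowns, and the last starter state."""
    s = {"stops": 0, "starts": 0, "connections": {}}
    for e in events:
        if e["kind"] == "charon_stop":
            s["stops"] += 1
        elif e["kind"] == "charon_start":
            s["starts"] += 1
        if e["conn"] is None:
            continue
        c = s["connections"].setdefault(
            e["conn"], {"ike_sas": [], "child_sas": [], "teardowns": 0, "routed": None})
        if e["kind"] == "child_sa_established":
            prev = c["child_sas"][-1]["ts"] if c["child_sas"] else None
            c["child_sas"].append({"ts": e["ts"], "spi_in": e["spi_in"], "spi_out": e["spi_out"],
                                   "gap_s": (e["ts"] - prev).total_seconds() if prev else None})
        elif e["kind"] == "ike_sa_established":
            c["ike_sas"].append(e["ts"])
        elif e["kind"] == "destroy_all":
            c["teardowns"] += 1
        elif e["kind"] in ("routed", "unrouted"):
            c["routed"] = e["kind"] == "routed"
    return s


if __name__ == "__main__":
    for name, c in summarize(timeline(SAMPLE_LOG))["connections"].items():
        print(name, c)
```

        Feed it the saved file with `summarize(timeline(open("log.txt").read()))`; pass `newest_first=False` if the input is already chronological, as raw `clog` output is rather than a copy of the viewer page. On the sample it reports one charon stop and start, one teardown, and two CHILD_SAs for con1000 exactly 3600 s apart, which is the kind of pattern to compare against the configured phase 2 lifetime.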
          dboe732

          Hello,

          Thanks for your help! I was on 2.2.5. Here is the full log; I attached it as a text file.

          thanks again!

          log.txt

            dboe732

            Was wondering if you have had any update on this?

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.