Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    IPsec

    Scheduled Pinned Locked Moved 1.2.1-RC Snapshot Feedback and Problems-RETIRED
    21 Posts 6 Posters 9.2k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      Jonb
      last edited by

      When I installed this the IPsec tunnel were no longer listed in the SA section. I tryed to resave the IPsec tunnels but it wouldn't recreate them.

      Hosted desktops and servers with support without complication.
      www.blueskysystems.co.uk

      1 Reply Last reply Reply Quote 0
      • M
        mascaos
        last edited by

        As for me. IPSec not Work.

        1.2.1-TESTING-SNAPSHOT
        built on Wed Jul 9 01:01:43 EDT 2008

        Matteo

        1 Reply Last reply Reply Quote 0
        • M
          mascaos
          last edited by

          also the version 1.2.1-TESTING-SNAPSHOT - built on Thu Jul 10 00:10:45 EDT 2008 the ipsecs don't work.

          Matteo

          :(

          1 Reply Last reply Reply Quote 0
          • J
            Jonb
            last edited by

            I think this is something you will need to give them time to fix this.

            Hosted desktops and servers with support without complication.
            www.blueskysystems.co.uk

            1 Reply Last reply Reply Quote 0
            • C
              celtic
              last edited by

              here is my log

              My log ( 1.2.1 testing 07-10)
              Jul 10 20:15:11 racoon: ERROR: failed to pre-process packet.
              Jul 10 20:15:11 racoon: ERROR: failed to get proposal for responder.
              Jul 10 20:15:11 racoon: [Unknown Gateway/Dynamic]: ERROR: no policy found: remote lan/24[0] local Lan/24[0] proto=any dir=in
              Jul 10 20:15:11 racoon: [Bas !!]: INFO: respond new phase 2 negotiation: local WAN[0]<=>remote wan[0]
              Jul 10 20:15:01 racoon: ERROR: failed to pre-process packet.
              Jul 10 20:15:01 racoon: ERROR: failed to get proposal for responder.
              Jul 10 20:15:01 racoon: ERROR: no policy found: remote lan[0] local lan/24[0] proto=any dir=in
              Jul 10 20:15:01 racoon: [Bas !!]: INFO: respond new phase 2 negotiation: local wan[0]<=>remote wan[0]

              Remote log (1.2 embedded)
              Jul 10 19:50:00 racoon: INFO: ISAKMP-SA expired local wan[500]-My wan[500] spi:46ad15180bb8f90f:46f3c69382edae8e
              Jul 10 19:50:00 racoon: ERROR: unknown Informational exchange received.
              Jul 10 19:50:00 racoon: INFO: IPsec-SA request for My wan queued due to no phase1 found.
              Jul 10 19:50:00 racoon: INFO: initiate new phase 1 negotiation: local wan[500]<=>my wan[500]
              Jul 10 19:50:00 racoon: INFO: begin Aggressive mode.
              Jul 10 19:50:00 racoon: INFO: received Vendor ID: DPD

              Hope this helps… i you need anything more... lemme know....

              1 Reply Last reply Reply Quote 0
              • S
                sullrich
                last edited by

                What happens if you run /usr/local/sbin/setkey  … Please post the output.

                1 Reply Last reply Reply Quote 0
                • C
                  celtic
                  last edited by

                  /usr/local/sbin/setkey

                  /usr/local/sbin/setkey: Command not found.

                  1 Reply Last reply Reply Quote 0
                  • S
                    sullrich
                    last edited by

                    Please issue:

                    ls -lah /usr/local/sbin/

                    1 Reply Last reply Reply Quote 0
                    • C
                      celtic
                      last edited by

                      ls -lah /usr/local/sbin/

                      total 3366
                      drwxr-xr-x  2 root  wheel  1.0K Jul  8 13:19 .
                      drwxr-xr-x  16 root  wheel  512B Jul  8 13:18 ..
                      -r-xr-xr-x  1 root  wheel  6.8K Jul  8 13:19 check_reload_status
                      -r-xr-xr-x  1 root  wheel  7.1K Jul  8 13:19 choparp
                      -r-xr-xr-x  1 root  wheel    31K Jul  8 12:08 dfuife_curses
                      -rwxr-xr-x  1 root  wheel  505K Jul  8 13:19 dhcpd
                      -rwxr-xr-x  1 root  wheel  128K Jul  8 13:19 dhcrelay
                      -r-xr-xr-x  1 root  wheel  133K Jul  8 13:19 dnsmasq
                      -rwxr-xr-x  1 root  wheel  9.9K Jul  8 13:19 expiretable
                      -r-xr-xr-x  1 root  wheel    22K Jul  8 13:19 fping
                      -r-xr-xr-x  1 root  wheel    15K Jul  8 13:19 ftpsesame
                      -r-xr-xr-x  1 root  wheel  134K Jul  8 12:12 grub
                      -r-xr-xr-x  1 root  wheel    13K Jul  8 12:12 grub-install
                      -r-xr-xr-x  1 root  wheel  2.3K Jul  8 12:12 grub-md5-crypt
                      -r-xr-xr-x  1 root  wheel  2.5K Jul  8 12:12 grub-set-default
                      -r-xr-xr-x  1 root  wheel  2.4K Jul  8 12:12 grub-terminfo
                      -r-xr-xr-x  1 root  wheel  157K Jul  8 13:19 lighttpd
                      -r-xr-xr-x  1 root  wheel    43K Jul  8 13:19 miniupnpd
                      -r-xr-xr-x  1 root  wheel  239K Jul  8 13:19 mpd
                      -r-xr-xr-x  1 root  wheel    31K Jul  8 13:19 ntpd
                      -rwxr-xr-x  1 root  wheel  152K Jul  8 13:19 olsrd
                      -r-xr-xr-x  1 root  wheel  357K Jul  8 13:19 openvpn
                      -rwxr-xr-x  1 root  wheel  8.5K Apr 14 19:31 pfSsh.php
                      -r-xr-xr-x  1 root  wheel    98K Jul  8 13:19 pftop
                      -r-xr-xr-x  1 root  wheel    22K Jul  8 13:19 pftpx
                      -rwxr-xr-x  1 root  wheel  613B Nov 28  2005 ppp-linkup
                      -r-xr-xr-x  1 root  wheel  1.0M Jul  8 13:19 racoon
                      -r-xr-xr-x  1 root  wheel    48K Jul  8 13:19 racoonctl
                      -rwxr-xr-x  1 root  wheel  361B Jan 31 05:36 reset_slbd.sh
                      -rwxr-xr-x  1 root  wheel  551B Jun 10  2006 show_filter_reload_status.php
                      -rwxr-xr-x  1 root  wheel    29K Jul  8 13:19 slbd
                      -r-xr-xr-x  1 root  wheel  3.0K Jul  8 13:19 ssh_tunnel_shell
                      -r-xr-xr-x  1 root  wheel  4.4K Jul  8 13:19 sshlockout_pf
                      -rwxr-xr-x  1 root  wheel    75B Apr 11  2006 vpn-linkdown
                      -rwxr-xr-x  1 root  wheel    75B Apr 11  2006 vpn-linkup

                      always fun… 2 people trying to help each other.... in different timezones :)

                      1 Reply Last reply Reply Quote 0
                      • M
                        mascaos
                        last edited by

                        ls -lah /usr/local/sbin/

                        total 4522
                        drwxr-xr-x  2 root  wheel  1.0K Jul 10 09:22 .
                        drwxr-xr-x  18 root  wheel  512B Jul 10 09:23 ..
                        -rwxr-xr-x  1 root  wheel  5.3K Nov  4  2005 atareinit
                        -rwxr-xr-x  1 root  wheel    46K Nov  7  2004 bpalogin
                        -rwxr-xr-x  1 root  wheel  6.8K May 18  2007 check_reload_status
                        -rwxr-xr-x  1 root  wheel  7.1K Nov  4  2005 choparp
                        -rwxr-xr-x  1 root  wheel  505K Jan 18  2007 dhcpd
                        -rwxr-xr-x  1 root  wheel  128K Jan 13  2006 dhcrelay
                        -rwxr-xr-x  1 root  wheel  192K Mar  8  2005 dnsextd
                        -rwxr-xr-x  1 root  wheel  133K Jul 27  2007 dnsmasq
                        -rwxr-xr-x  1 root  wheel  4.7K Mar 13  2005 env4801
                        -rwxr-xr-x  1 root  wheel  9.9K Jul 10  2005 expiretable
                        -rwxr-xr-x  1 root  wheel    22K Apr 19  2007 fping
                        -rwxr-xr-x  1 root  wheel    15K Jul 11  2007 ftpsesame
                        -rwxr-xr-x  1 root  wheel  795K Nov  8  2005 gzsig
                        -rwxr-xr-x  1 root  wheel  3.3K Nov  4  2005 kbdcheck
                        -rwxr-xr-x  1 root  wheel  157K Sep 11  2007 lighttpd
                        -rwxr-xr-x  1 root  wheel  220K Mar  8  2005 mdnsd
                        -rwxr-xr-x  1 root  wheel    43K Sep 29  2007 miniupnpd
                        -rwxr-xr-x  1 root  wheel  239K Jan  6  2008 mpd
                        -rwxr-xr-x  1 root  wheel    31K Oct  3  2006 ntpd
                        -rwxr-xr-x  1 root  wheel  152K Feb 13  2007 olsrd
                        -rwxr-xr-x  1 root  wheel  357K Sep 13  2007 openvpn
                        -rwxr-xr-x  1 root  wheel  8.5K Nov 24  2007 pfSsh.php
                        -rwxr-xr-x  1 root  wheel    98K May 27  2007 pftop
                        -rwxr-xr-x  1 root  wheel    22K Jun 30  2007 pftpx
                        -rwxr-xr-x  1 root  wheel  613B Nov 28  2005 ppp-linkup
                        -rwxr-xr-x  1 root  wheel  1.0M Feb  1 22:32 racoon
                        -rwxr-xr-x  1 root  wheel  669B Oct  4  2007 racoon_watch.sh
                        -rwxr-xr-x  1 root  wheel    48K Dec 26  2005 racoonctl
                        -rwxr-xr-x  1 root  wheel  361B Jan 31 05:36 reset_slbd.sh
                        -rwxr-xr-x  1 root  wheel    37K Aug 19  2005 sasyncd
                        -rwxr-xr-x  1 root  wheel  551B Jun 10  2006 show_filter_reload_status.php
                        -rwxr-xr-x  1 root  wheel    29K Apr 24  2007 slbd
                        -rwxr-xr-x  1 root  wheel  3.0K Jun  5  2006 ssh_tunnel_shell
                        -rwxr-xr-x  1 root  wheel  4.4K Nov  4  2005 sshlockout_pf
                        -rwxr-xr-x  1 root  wheel    75B Apr 11  2006 vpn-linkdown
                        -rwxr-xr-x  1 root  wheel    75B Apr 11  2006 vpn-linkup

                        1 Reply Last reply Reply Quote 0
                        • C
                          celtic
                          last edited by

                          1.2.1-TESTING-SNAPSHOT
                          built on Fri Jul 11 01:40:31 EDT 2008

                          ls -lah /usr/local/sbin/

                          total 3366
                          drwxr-xr-x  2 root  wheel  1.0K Jul  8 13:19 .
                          drwxr-xr-x  16 root  wheel  512B Jul  8 13:18 ..
                          -r-xr-xr-x  1 root  wheel  6.8K Jul  8 13:19 check_reload_status
                          -r-xr-xr-x  1 root  wheel  7.1K Jul  8 13:19 choparp
                          -r-xr-xr-x  1 root  wheel    31K Jul  8 12:08 dfuife_curses
                          -rwxr-xr-x  1 root  wheel  505K Jul  8 13:19 dhcpd
                          -rwxr-xr-x  1 root  wheel  128K Jul  8 13:19 dhcrelay
                          -r-xr-xr-x  1 root  wheel  133K Jul  8 13:19 dnsmasq
                          -rwxr-xr-x  1 root  wheel  9.9K Jul  8 13:19 expiretable
                          -r-xr-xr-x  1 root  wheel    22K Jul  8 13:19 fping
                          -r-xr-xr-x  1 root  wheel    15K Jul  8 13:19 ftpsesame
                          -r-xr-xr-x  1 root  wheel  134K Jul  8 12:12 grub
                          -r-xr-xr-x  1 root  wheel    13K Jul  8 12:12 grub-install
                          -r-xr-xr-x  1 root  wheel  2.3K Jul  8 12:12 grub-md5-crypt
                          -r-xr-xr-x  1 root  wheel  2.5K Jul  8 12:12 grub-set-default
                          -r-xr-xr-x  1 root  wheel  2.4K Jul  8 12:12 grub-terminfo
                          -r-xr-xr-x  1 root  wheel  157K Jul  8 13:19 lighttpd
                          -r-xr-xr-x  1 root  wheel    43K Jul  8 13:19 miniupnpd
                          -r-xr-xr-x  1 root  wheel  239K Jul  8 13:19 mpd
                          -r-xr-xr-x  1 root  wheel    31K Jul  8 13:19 ntpd
                          -rwxr-xr-x  1 root  wheel  152K Jul  8 13:19 olsrd
                          -r-xr-xr-x  1 root  wheel  357K Jul  8 13:19 openvpn
                          -rwxr-xr-x  1 root  wheel  8.5K Apr 14 19:31 pfSsh.php
                          -r-xr-xr-x  1 root  wheel    98K Jul  8 13:19 pftop
                          -r-xr-xr-x  1 root  wheel    22K Jul  8 13:19 pftpx
                          -rwxr-xr-x  1 root  wheel  613B Nov 28  2005 ppp-linkup
                          -r-xr-xr-x  1 root  wheel  1.0M Jul  8 13:19 racoon
                          -r-xr-xr-x  1 root  wheel    48K Jul  8 13:19 racoonctl
                          -rwxr-xr-x  1 root  wheel  361B Jan 31 05:36 reset_slbd.sh
                          -rwxr-xr-x  1 root  wheel  551B Jun 10  2006 show_filter_reload_status.php
                          -rwxr-xr-x  1 root  wheel    29K Jul  8 13:19 slbd
                          -r-xr-xr-x  1 root  wheel  3.0K Jul  8 13:19 ssh_tunnel_shell
                          -r-xr-xr-x  1 root  wheel  4.4K Jul  8 13:19 sshlockout_pf
                          -rwxr-xr-x  1 root  wheel    75B Apr 11  2006 vpn-linkdown
                          -rwxr-xr-x  1 root  wheel    75B Apr 11  2006 vpn-linkup

                          1 Reply Last reply Reply Quote 0
                          • C
                            celtic
                            last edited by

                            did a fresh install instead of the upgrade this time….

                            # ls -lah /usr/local/sbin/
total 3366
drwxr-xr-x   2 root  wheel   1.0K Jul 11 07:35 .
drwxr-xr-x  15 root  wheel   512B Jul 11 07:33 ..
-r-xr-xr-x   1 root  wheel   6.8K Jul 11 07:35 check_reload_status
-r-xr-xr-x   1 root  wheel   7.1K Jul 11 07:35 choparp
-r-xr-xr-x   1 root  wheel    31K Jul 11 06:44 dfuife_curses
-rwxr-xr-x   1 root  wheel   505K Jul 11 07:35 dhcpd
-rwxr-xr-x   1 root  wheel   128K Jul 11 07:35 dhcrelay
-r-xr-xr-x   1 root  wheel   133K Jul 11 07:35 dnsmasq
-rwxr-xr-x   1 root  wheel   9.9K Jul 11 07:35 expiretable
-r-xr-xr-x   1 root  wheel    22K Jul 11 07:35 fping
-r-xr-xr-x   1 root  wheel    15K Jul 11 07:35 ftpsesame
-r-xr-xr-x   1 root  wheel   134K Jul 10 04:58 grub
-r-xr-xr-x   1 root  wheel    13K Jul 10 04:58 grub-install
-r-xr-xr-x   1 root  wheel   2.3K Jul 10 04:58 grub-md5-crypt
-r-xr-xr-x   1 root  wheel   2.5K Jul 10 04:58 grub-set-default
-r-xr-xr-x   1 root  wheel   2.4K Jul 10 04:58 grub-terminfo
-r-xr-xr-x   1 root  wheel   157K Jul 11 07:35 lighttpd
-r-xr-xr-x   1 root  wheel    43K Jul 11 07:35 miniupnpd
-r-xr-xr-x   1 root  wheel   239K Jul 11 07:35 mpd
-r-xr-xr-x   1 root  wheel    31K Jul 11 07:35 ntpd
-rwxr-xr-x   1 root  wheel   152K Jul 11 07:35 olsrd
-r-xr-xr-x   1 root  wheel   357K Jul 11 07:35 openvpn
-rwxr-xr-x   1 root  wheel   8.5K Apr 14 19:31 pfSsh.php
-r-xr-xr-x   1 root  wheel    98K Jul 11 07:35 pftop
-r-xr-xr-x   1 root  wheel    22K Jul 11 07:35 pftpx
-rwxr-xr-x   1 root  wheel   613B Nov 28  2005 ppp-linkup
-r-xr-xr-x   1 root  wheel   1.0M Jul 11 07:35 racoon
-r-xr-xr-x   1 root  wheel    48K Jul 11 07:35 racoonctl
-rwxr-xr-x   1 root  wheel   361B Jan 31 05:36 reset_slbd.sh
-rwxr-xr-x   1 root  wheel   551B Jun 10  2006 show_filter_reload_status.php
-rwxr-xr-x   1 root  wheel    29K Jul 11 07:35 slbd
-r-xr-xr-x   1 root  wheel   3.0K Jul 11 07:35 ssh_tunnel_shell
-r-xr-xr-x   1 root  wheel   4.4K Jul 11 07:35 sshlockout_pf
-rwxr-xr-x   1 root  wheel    75B Apr 11  2006 vpn-linkdown
-rwxr-xr-x   1 root  wheel    75B Apr 11  2006 vpn-linkup

                            not much change here…. but got the setkey in /sbin now...

                            anyway i can do more testing for u guys ?

                            my logs while trying to get a connection with a 1.2 pfsense :
                            Jul 12 14:01:57 last message repeated 3 times

                            Jul 12 14:01:27 	racoon: ERROR: couldn't find configuration.
Jul 12 14:01:05 	racoon: [Self]: INFO: 85.223.49.41[500] used as isakmp port (fd=15)
Jul 12 14:01:05 	racoon: [Self]: INFO: 172.16.66.254[500] used as isakmp port (fd=14)
Jul 12 14:01:05 	racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=13)
Jul 12 14:01:04 	racoon: [Self]: INFO: 85.223.49.41[500] used as isakmp port (fd=15)
Jul 12 14:01:04 	racoon: [Self]: INFO: 172.16.66.254[500] used as isakmp port (fd=14)
Jul 12 14:01:04 	racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=13)
Jul 12 14:01:03 	racoon: [Self]: INFO: 85.223.49.41[500] used as isakmp port (fd=15)
Jul 12 14:01:03 	racoon: [Self]: INFO: 172.16.66.254[500] used as isakmp port (fd=14)
Jul 12 14:01:03 	racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=13)
Jul 12 14:01:03 	racoon: [Self]: INFO: 85.223.49.41[500] used as isakmp port (fd=15)
Jul 12 14:01:03 	racoon: [Self]: INFO: 172.16.66.254[500] used as isakmp port (fd=14)
Jul 12 14:01:03 	racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=13)

                            still no SA's btw.

                            after rebooting and trying some diferent settings…

                            
Jul 12 14:37:21 	racoon: ERROR: failed to pre-process packet.
Jul 12 14:37:21 	racoon: ERROR: failed to get proposal for responder.
Jul 12 14:37:21 	racoon: [Unknown Gateway/Dynamic]: ERROR: no policy found: 172.17.77.0/24[0] 172.16.66.0/24[0] proto=any dir=in
Jul 12 14:37:21 	racoon: [Bas]: INFO: respond new phase 2 negotiation: 85.223.49.41[0]<=>85.223.50.134[0]
Jul 12 14:37:11 	racoon: ERROR: failed to pre-process packet.
Jul 12 14:37:11 	racoon: ERROR: failed to get proposal for responder.
Jul 12 14:37:11 	racoon: ERROR: no policy found: 172.17.77.0/24[0] 172.16.66.0/24[0] proto=any dir=in
Jul 12 14:37:11 	racoon: [Bas]: INFO: respond new phase 2 negotiation: 85.223.49.41[0]<=>85.223.50.134[0]
                            1 Reply Last reply Reply Quote 0
                            • C
                              celtic
                              last edited by

                              IPsec is working…. got some yellew crosses in the status => ipsec but it is working... not that fast.... was hoping that the AES stuff on my MB would do more...  15Mbps with a Via C3 1Ghz,, not that shabby i presume...

                              edit
                              In the ipsec SA

                              Source Destination Protocol SPI Enc. alg. Auth. alg.
                              Invalid extension
                              Invalid extension
                              Invalid extension
                              Invalid extension

                              no show stopper... but well.... something is wrong...

                              1 Reply Last reply Reply Quote 0
                              • D
                                David_W
                                last edited by

                                @celtic:

                                was hoping that the AES stuff on my MB would do more…  15Mbps with a Via C3 1Ghz,, not that shabby i presume...

                                Have a look at the dmesg - does a 'padlock' device show up? That's the device driver that supports the crypto features of the C3.

                                If it shows up, maybe pfSense isn't configured to make use of it, though the man page suggests it should work fine with the IPsec code that pfSense uses.

                                It's possible that this is a configuration error in the FreeBSD kernel being used in the current betas, which is why I'm suggesting you look at the dmesg.

                                1 Reply Last reply Reply Quote 0
                                • C
                                  celtic
                                  last edited by

                                  no "padlock" in dmesg… :-(

                                  1 Reply Last reply Reply Quote 0
                                  • D
                                    David_W
                                    last edited by

                                    What happens if you try kldload /boot/kernel/padlock.ko at the command prompt. Do you have a padlock device in the dmesg then? Does it help with IPsec?

                                    The next stage, whether or not that works (but assuming you have a /boot/kernel/padlock.ko file) is to try adding padlock_load="YES" to the /boot/loader.conf file. If that sorts it out, then I wonder whether the kernel configuration should be changed to have padlock built in - or a configuration option to load padlock. There are many people running pfSense on VIA processors with the necessary hardware to use the padlock driver.

                                    1 Reply Last reply Reply Quote 0
                                    • C
                                      celtic
                                      last edited by

                                      no files in /boot/modules…

                                      am running the version form 07-12 so can try and upgrade...
                                      Will upgrade to the newest build tonight.

                                      1 Reply Last reply Reply Quote 0
                                      • dotdashD
                                        dotdash
                                        last edited by

                                        That should be kldload /boot/kernel/padlock.ko
                                        I see the module on my 1.3AA test box, but I overwrote my 1.2.1 image so I can't confirm if it's there and don't have any hardware to see if it loads.

                                        1 Reply Last reply Reply Quote 0
                                        • D
                                          David_W
                                          last edited by

                                          @dotdash:

                                          That should be kldload /boot/kernel/padlock.ko

                                          Indeed it should - sorry for the typo. I've corrected my original post.

                                          1 Reply Last reply Reply Quote 0
                                          • C
                                            celtic
                                            last edited by

                                            it's there :-P
                                            going up to 19Mbps….  but the other machine is an old version of pfsense....
                                            same cpu and motherboard....  so no acceleration

                                            My CPU usage is lower... abt 10-15% but it's stable, not flapping like before...
                                            So i guess it's working.. Maybe an idea to enable it through the webinterface ?

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.