Version 2.3 IPSec both sides



  • Hi guys,

    I've read some of the IPSec posts here and the problems with v2.3.

    I have a similar problem ... We updated 2 of our pfSense boxes to v2.3, same hardware except: one is an Alix 1d4 with SD card (NANO) and the other with SSD (FULL).

    Our boxes had a cron job to reboot them at 6 AM, but since the update IPSec does not connect after the reboot.
    We can reboot it manually but nothing helps ...

    In the log files I can see entries like NO_PROPOSAL and so on.

    But without doing anything, IPSec gets connected after 8 AM, when one box is rebooted at that time.

    Is there someone with a suggestion?

    Greets



  • Is it connecting via a dynamic DNS hostname? Seems like that's what might happen initially post-reboot (assuming an IP change) until the DNS TTL expired.

    NO_PROPOSAL would mean a phase 1 mismatch. In the described situation, I'm guessing DDNS delay would be the likely reason.



  • Hi,

    We have fixed IPs on both sites.
    But we're using hostnames from our public domain (site1.domain.com & site2.domain.com) with A records.

    Yeah, NO_PROPOSAL would mean that there is a mismatch on phase 1, but again: after 8 AM and a reboot it works without a config change.

    Greets



  • Hi!

    I also have problems with IPsec after upgrading from 2.2.6 to 2.3.
    HW is PC Engines boards (one is an Alix 2D13, the others are APU1D).

    Only the tunnel between the two 2.3s is down (but it was working before the upgrade).
    I have another from 2.3 to 2.2.6, which is still working perfectly,
    and another one from 2.3 to some older Netgear box which is OK too.

    Here are logs from both sides of the 2.3 to 2.3 tunnel
    (order is newest on top!!!)

    May 4 11:47:27 charon 15[IKE] <con3000|20>received NO_PROPOSAL_CHOSEN error notify
    May 4 11:47:27 charon 15[ENC] <con3000|20>parsed INFORMATIONAL_V1 request 3826032390 [ N(NO_PROP) ]
    May 4 11:47:27 charon 15[NET] <con3000|20>received packet: from xxxx [500] to xxxx [500] (40 bytes)
    May 4 11:47:27 charon 15[NET] <con3000|20>sending packet: from xxxx [500] to xxxx [500] (180 bytes)
    May 4 11:47:27 charon 15[ENC] <con3000|20>generating ID_PROT request 0 [ SA V V V V V ]
    May 4 11:47:27 charon 15[IKE] <con3000|20>initiating Main Mode IKE_SA con3000[20] to xxxx
    May 4 11:47:27 charon 07[KNL] creating acquire job for policy xxxx /32|/0 === xxxx /32|/0 with reqid {9}

    May 4 11:47:27 charon 12[NET] <15> sending packet: from xxxx [500] to xxxx [500] (40 bytes)
    May 4 11:47:27 charon 12[ENC] <15> generating INFORMATIONAL_V1 request 3826032390 [ N(NO_PROP) ]
    May 4 11:47:27 charon 12[IKE] <15> no IKE config found for xxxx … xxxx , sending NO_PROPOSAL_CHOSEN
    May 4 11:47:27 charon 12[ENC] <15> parsed ID_PROT request 0 [ SA V V V V V ]
    May 4 11:47:27 charon 12[NET] <15> received packet: from xxxx [500] to xxxx [500] (180 bytes)

    Any ideas?

    Regards, Miro



  • Yeah, that's exactly the same output as mine.
    And we're using the same hardware ^^



  • "no IKE config found" means it doesn't match any of the configured connection entries.

    Has nothing to do with hardware.

    @cpirasa:

    But we´re using hostnames from our public Domain (site1.domain.com & site2.domain.com) with A Records.

    Using those where, as the "remote gateway"? As identifiers in the P1? Or both?
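    The charon lines Miro posted and the "no IKE config found" explanation above can be checked mechanically. Below is an added example (not code from the thread or from pfSense/strongSwan) that parses constructed log lines in the same format, names the connection that was refused on the initiator side, and, on the responder side, compares the refused peer address against a hypothetical table of what each phase 1 entry's remote gateway resolved to, so a stale or wrong remote-gateway address shows up as the cause rather than a proposal mismatch. Log addresses, hostnames and the P1 table are all constructed placeholders.

```python
import re

# Constructed sample in the charon format quoted in the thread; addresses are
# documentation placeholders, not values from the original post.
RESPONDER_LOG = """\
May 4 11:47:27 charon 12[NET] <15> received packet: from 198.51.100.20[500] to 203.0.113.10[500] (180 bytes)
May 4 11:47:27 charon 12[ENC] <15> parsed ID_PROT request 0 [ SA V V V V V ]
May 4 11:47:27 charon 12[IKE] <15> no IKE config found for 203.0.113.10...198.51.100.20, sending NO_PROPOSAL_CHOSEN
May 4 11:47:27 charon 12[ENC] <15> generating INFORMATIONAL_V1 request 3826032390 [ N(NO_PROP) ]
"""
INITIATOR_LOG = """\
May 4 11:47:27 charon 15[IKE] <con3000|20> initiating Main Mode IKE_SA con3000[20] to 203.0.113.10
May 4 11:47:27 charon 15[IKE] <con3000|20> received NO_PROPOSAL_CHOSEN error notify
"""

# Hypothetical phase 1 table on the responder: remote gateway hostname -> the
# address it resolved to when the tunnel was last loaded (deliberately stale here).
RESPONDER_P1 = {"site1.example.com": "198.51.100.21"}

NO_CONFIG_RE = re.compile(r"no IKE config found for (\S+?)\s*(?:\.\.\.|…)\s*(\S+?),")
INITIATING_RE = re.compile(r"initiating Main Mode IKE_SA (\S+)\[\d+\] to (\S+)")
REJECTED_RE = re.compile(r"<([^|>]+)\|\d+>\s*received NO_PROPOSAL_CHOSEN error notify")


def responder_findings(log_text, p1_table):
    """Peers the responder turned away because no P1 entry covered their address."""
    out = []
    for line in log_text.splitlines():
        m = NO_CONFIG_RE.search(line)
        if not m:
            continue
        local, remote = m.groups()
        # Peer address present in the table: the entry exists, so look at IDs/proposals.
        # Absent: the entry's remote gateway resolved to another address (stale DNS
        # after reboot) or points at the wrong host, so no connection can match.
        reason = "p1_entry_present" if remote in p1_table.values() else "addr_not_in_p1_table"
        out.append({"local": local, "remote": remote, "reason": reason})
    return out


def initiator_findings(log_text):
    """Connections whose Main Mode attempt was answered with NO_PROPOSAL_CHOSEN."""
    peer_by_conn, rejected = {}, []
    for line in log_text.splitlines():
        m = INITIATING_RE.search(line)
        if m:
            peer_by_conn[m.group(1)] = m.group(2)
        m = REJECTED_RE.search(line)
        if m:
            rejected.append({"conn": m.group(1), "peer": peer_by_conn.get(m.group(1))})
    return rejected
```

    Run both functions over the two sides' logs around the failing window; a refused address that is absent from the responder's resolved remote-gateway list points at the DNS/remote-gateway side of the mismatch rather than at the phase 1 proposals.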



  • I have the same "no IKE" error when I configured CARP IPsec with MSCHAPv2 for Win8/10 as seen in
    https://www.youtube.com/watch?v=xV1vEl4XAnw
    but did not change the WAN IP for the WAN CARP IP.