On Sun, Feb 15, 2015 at 12:37 PM, Mark Relf <mark.r...@4slgroup.com> wrote:
> Hi all,
>
> We are experiencing a number of issues with IPSEC tunnels rekeying. We
> see the following in the IPSEC log:
>
> Feb 15 17:30:45 4slgbmernfw01 charon: 13[IKE] <con1000|1080> received INVALID_ID_INFORMATION error notify
>
> Feb 15 17:30:50 4slgbmernfw01 charon: 14[IKE] <con1000|1080> received INVALID_ID_INFORMATION error notify
>
> Feb 15 17:30:54 4slgbmernfw01 charon: 09[IKE] <con1000|1080> received INVALID_ID_INFORMATION error notify
>
> Feb 15 17:30:59 4slgbmernfw01 charon: 09[IKE] <con1000|1080> received INVALID_ID_INFORMATION error notify
>
> Feb 15 17:31:04 4slgbmernfw01 charon: 15[IKE] <con1000|1080> received INVALID_ID_INFORMATION error notify
>
> This is not always for the same connection but does happen frequently
> and has made release 2.2 almost unusable for us.
>
> We have to issue ipsec down con xxx and ipsec up con xxx to reset the
> tunnel.
>
> I have had a brief look at the strongswan website and they seem to be
> indicating an issue and have a patch.
>
> Has this/when will this patch be incorporated into pfsense (strongswan
> issue819 seems to be a close match)?
>

One of our community members opened that strongswan 819 ticket when it's at least a mix of two completely different problems, and not a good description of what might be happening there. I can't seem to find a replicable circumstance that produces that issue.

Do you have multiple phase 2 entries on a single phase 1? What is the remote endpoint you're connecting to?

The only confirmed issue where I'm aware of a specific cause is a problem in the Cisco Unity plugin that can be triggered when rekeying with certain configurations in place on the Cisco end.
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold