Re: [pfSense Support] 2.0RC1 - PPTP client disconnect kills all IPsec VPNs

2011-04-06 Thread Chris Buechler
On Wed, Apr 6, 2011 at 9:12 PM, Leon Strong  wrote:
>
> On this subject, I'm also noticing whenever a rules update happens, our
> openvpn connections all drop.
>
> Possibly something related to resetting the rules, and therefore any
> established tcp/udp connections?
>

Changing rules does not touch any active connections.

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



Re: [pfSense Support] 2.0RC1 - PPTP client disconnect kills all IPsec VPNs

2011-04-06 Thread Leon Strong



On 05/04/11 19:59, David Rees wrote:
> On Mon, Apr 4, 2011 at 3:56 AM, Ermal Luçi  wrote:
>> On Mon, Apr 4, 2011 at 12:52 AM, David Rees  wrote:
>>> On Sat, Apr 2, 2011 at 12:19 AM, Chris Buechler  wrote:
>>>> Can't replicate, I connected and disconnected PPTP about 30 times to a
>>>> system with a few IPsec connections all with DPD and had 0 issues with
>>>> any of them. Typical basic PPTP setup and site to site IPsec. See if
>>>> you can narrow it down more, or if there's something specific about
>>>> your setup that's pertinent.
>>>
>>> Thanks for the response - I'll try to narrow down our config in a test
>>> bed to try to duplicate situation.
>>
>> Can you try the suggestion posted here
>> http://forum.pfsense.org/index.php/topic,34853.0.html?
>>
>>> Only "special" settings are that it's a dual-WAN setup with multiple
>>> VLANs and use IPsec, OpenVPN and PPTP VPN connections...
>
> We were able to replicate the issue today with a barebones
> configuration on a spare system.  We tested both the original RC1
> release as well as the most recent snapshot with the same results.
>
> I can send a configuration backup privately along with configuration
> notes to any developer interested - let me know...
>
> -Dave

On this subject, I'm also noticing whenever a rules update happens, our
openvpn connections all drop.

Possibly something related to resetting the rules, and therefore any
established tcp/udp connections?


--

*Leon Strong *| Technical Engineer
*DDI:* +64 9 950 2203 *Fax:* +64 9 302 0518
*Mobile:* +64 21 557 300 *Freephone:* 0800 SMX SMX (769 769)
Level 15, 19 Victoria Street, Auckland, New Zealand | SMX Ltd | 
http://smxemail.com






Re: [pfSense Support] 2.0RC1 - PPTP client disconnect kills all IPsec VPNs

2011-04-05 Thread David Rees
On Mon, Apr 4, 2011 at 3:56 AM, Ermal Luçi  wrote:
> On Mon, Apr 4, 2011 at 12:52 AM, David Rees  wrote:
>> On Sat, Apr 2, 2011 at 12:19 AM, Chris Buechler  wrote:
>>> Can't replicate, I connected and disconnected PPTP about 30 times to a
>>> system with a few IPsec connections all with DPD and had 0 issues with
>>> any of them. Typical basic PPTP setup and site to site IPsec. See if
>>> you can narrow it down more, or if there's something specific about
>>> your setup that's pertinent.
>>
>> Thanks for the response - I'll try to narrow down our config in a test
>> bed to try to duplicate situation.
>>
>
> Can you try the suggestion posted here
> http://forum.pfsense.org/index.php/topic,34853.0.html?
>
>> Only "special" settings are that it's a dual-WAN setup with multiple
>> VLANs and use IPsec, OpenVPN and PPTP VPN connections...

We were able to replicate the issue today with a barebones
configuration on a spare system.  We tested both the original RC1
release as well as the most recent snapshot with the same results.

I can send a configuration backup privately along with configuration
notes to any developer interested - let me know...

-Dave




Re: [pfSense Support] 2.0RC1 - PPTP client disconnect kills all IPsec VPNs

2011-04-04 Thread David Rees
On Mon, Apr 4, 2011 at 3:56 AM, Ermal Luçi  wrote:
> On Mon, Apr 4, 2011 at 12:52 AM, David Rees  wrote:
>> On Sat, Apr 2, 2011 at 12:19 AM, Chris Buechler  wrote:
>>> On Thu, Mar 31, 2011 at 5:05 PM, David Rees  wrote:
>>>> On 2.0-RC1 (amd64) built on Tue Mar 22 21:02:19 EDT 2011
>>>> When a PPTP user connects and then disconnects, all IPsec VPNs go down
>>>> shortly afterwards.
>>>>
>>>> In the logs, we see that the pptp user logs out - shortly afterwards
>>>> the DPD kicks in on the VPNs, but fails to bring the VPNs back up.
>>>> Disabling/enabling an IPsec VPN brings them all back up.
>>>>
>>>> We don't use PPTP much so it's the first time we've seen it.  We're
>>>> planning on going back to the official RC1 in the mean time.  Known
>>>> issue?  Anyone using both PPTP server and IPsec VPNs NOT seeing this
>>>> issue?  What's your setup like?
>>>
>>> Can't replicate, I connected and disconnected PPTP about 30 times to a
>>> system with a few IPsec connections all with DPD and had 0 issues with
>>> any of them. Typical basic PPTP setup and site to site IPsec. See if
>>> you can narrow it down more, or if there's something specific about
>>> your setup that's pertinent.
>>
>> Thanks for the response - I'll try to narrow down our config in a test
>> bed to try to duplicate situation.
>>
>> Only "special" settings are that it's a dual-WAN setup with multiple
>> VLANs and use IPsec, OpenVPN and PPTP VPN connections...
>
> Can you try the suggestion posted here
> http://forum.pfsense.org/index.php/topic,34853.0.html?

Thanks - saw your reply there - will give it a shot in a little bit...

-Dave




Re: [pfSense Support] 2.0RC1 - PPTP client disconnect kills all IPsec VPNs

2011-04-04 Thread Ermal Luçi
On Mon, Apr 4, 2011 at 12:52 AM, David Rees  wrote:
> On Sat, Apr 2, 2011 at 12:19 AM, Chris Buechler  wrote:
>> On Thu, Mar 31, 2011 at 5:05 PM, David Rees  wrote:
>>> I posted this on the forum[1] but didn't get any responses, so am trying 
>>> here.
>>>
>>> On 2.0-RC1 (amd64) built on Tue Mar 22 21:02:19 EDT 2011
>>>
>>> When a PPTP user connects and then disconnects, all IPsec VPNs go down
>>> shortly afterwards.
>>>
>>> In the logs, we see that the pptp user logs out - shortly afterwards
>>> the DPD kicks in on the VPNs, but fails to bring the VPNs back up.
>>> Disabling/enabling an IPsec VPN brings them all back up.
>>>
>>> We don't use PPTP much so it's the first time we've seen it.  We're
>>> planning on going back to the official RC1 in the mean time.  Known
>>> issue?  Anyone using both PPTP server and IPsec VPNs NOT seeing this
>>> issue?  What's your setup like?
>>
>> Can't replicate, I connected and disconnected PPTP about 30 times to a
>> system with a few IPsec connections all with DPD and had 0 issues with
>> any of them. Typical basic PPTP setup and site to site IPsec. See if
>> you can narrow it down more, or if there's something specific about
>> your setup that's pertinent.
>
> Thanks for the response - I'll try to narrow down our config in a test
> bed to try to duplicate situation.
>

Can you try the suggestion posted here
http://forum.pfsense.org/index.php/topic,34853.0.html?

> Only "special" settings are that it's a dual-WAN setup with multiple
> VLANs and use IPsec, OpenVPN and PPTP VPN connections...
>
> -Dave



-- 
Ermal




Re: [pfSense Support] 2.0RC1 - PPTP client disconnect kills all IPsec VPNs

2011-04-03 Thread David Rees
On Sat, Apr 2, 2011 at 12:19 AM, Chris Buechler  wrote:
> On Thu, Mar 31, 2011 at 5:05 PM, David Rees  wrote:
>> I posted this on the forum[1] but didn't get any responses, so am trying 
>> here.
>>
>> On 2.0-RC1 (amd64) built on Tue Mar 22 21:02:19 EDT 2011
>>
>> When a PPTP user connects and then disconnects, all IPsec VPNs go down
>> shortly afterwards.
>>
>> In the logs, we see that the pptp user logs out - shortly afterwards
>> the DPD kicks in on the VPNs, but fails to bring the VPNs back up.
>> Disabling/enabling an IPsec VPN brings them all back up.
>>
>> We don't use PPTP much so it's the first time we've seen it.  We're
>> planning on going back to the official RC1 in the mean time.  Known
>> issue?  Anyone using both PPTP server and IPsec VPNs NOT seeing this
>> issue?  What's your setup like?
>
> Can't replicate, I connected and disconnected PPTP about 30 times to a
> system with a few IPsec connections all with DPD and had 0 issues with
> any of them. Typical basic PPTP setup and site to site IPsec. See if
> you can narrow it down more, or if there's something specific about
> your setup that's pertinent.

Thanks for the response - I'll try to narrow down our config in a test
bed to try to duplicate situation.

Only "special" settings are that it's a dual-WAN setup with multiple
VLANs and use IPsec, OpenVPN and PPTP VPN connections...

-Dave




Re: [pfSense Support] 2.0RC1 - PPTP client disconnect kills all IPsec VPNs

2011-04-02 Thread Chris Buechler
On Thu, Mar 31, 2011 at 5:05 PM, David Rees  wrote:
> I posted this on the forum[1] but didn't get any responses, so am trying here.
>
> On 2.0-RC1 (amd64) built on Tue Mar 22 21:02:19 EDT 2011
>
> When a PPTP user connects and then disconnects, all IPsec VPNs go down
> shortly afterwards.
>
> In the logs, we see that the pptp user logs out - shortly afterwards
> the DPD kicks in on the VPNs, but fails to bring the VPNs back up.
> Disabling/enabling an IPsec VPN brings them all back up.
>
> We don't use PPTP much so it's the first time we've seen it.  We're
> planning on going back to the official RC1 in the mean time.  Known
> issue?  Anyone using both PPTP server and IPsec VPNs NOT seeing this
> issue?  What's your setup like?
>

Can't replicate, I connected and disconnected PPTP about 30 times to a
system with a few IPsec connections all with DPD and had 0 issues with
any of them. Typical basic PPTP setup and site to site IPsec. See if
you can narrow it down more, or if there's something specific about
your setup that's pertinent.




[pfSense Support] 2.0RC1 - PPTP client disconnect kills all IPsec VPNs

2011-03-31 Thread David Rees
I posted this on the forum[1] but didn't get any responses, so am trying here.

On 2.0-RC1 (amd64) built on Tue Mar 22 21:02:19 EDT 2011

When a PPTP user connects and then disconnects, all IPsec VPNs go down
shortly afterwards.

In the logs, we see that the pptp user logs out - shortly afterwards
the DPD kicks in on the VPNs, but fails to bring the VPNs back up.
Disabling/enabling an IPsec VPN brings them all back up.

We don't use PPTP much so it's the first time we've seen it.  We're
planning on going back to the official RC1 in the mean time.  Known
issue?  Anyone using both PPTP server and IPsec VPNs NOT seeing this
issue?  What's your setup like?

It definitely looks like this thread[2] could be related - but I tried
making the change noted in that thread w/no change in results.

Here's what the IPsec logs look like - replaced IPs with characters.

Mar 23 15:38:40 fw-vista racoon: [x.x.x.x] INFO: DPD: remote (ISAKMP-SA spi=xxx) seems to be dead.
Mar 23 15:38:40 fw-vista racoon: INFO: purging ISAKMP-SA spi=xxx.
Mar 23 15:38:40 fw-vista racoon: INFO: purged IPsec-SA spi=yyy.
Mar 23 15:38:40 fw-vista racoon: INFO: purged IPsec-SA spi=zzz.
Mar 23 15:38:40 fw-vista racoon: INFO: purged ISAKMP-SA spi=xxx.
Mar 23 15:38:40 fw-vista racoon: INFO: ISAKMP-SA deleted y.y.y.y[500]-x.x.x.x[500] spi:xxx

Mar 23 15:38:49 fw-vista racoon: INFO: IPsec-SA request for x.x.x.x queued due to no phase1 found.
Mar 23 15:38:49 fw-vista racoon: INFO: initiate new phase 1 negotiation: y.y.y.y[500]<=>x.x.x.x[500]
Mar 23 15:38:49 fw-vista racoon: INFO: begin Identity Protection mode.
Mar 23 15:38:49 fw-vista racoon: ERROR: phase1 negotiation failed due to send error. www
Mar 23 15:38:49 fw-vista racoon: ERROR: failed to begin ipsec sa negotication.

This is the only real issue we've seen with the 2.0 release so far -
otherwise looks good!

Thanks

Dave

[1] http://forum.pfsense.org/index.php/topic,34853.0.html
[2] http://forum.pfsense.org/index.php/topic,34250.0.html
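
Added example, not part of the original post or of pfSense: a log check that flags the sequence shown above, where DPD declares a peer dead and the phase 1 renegotiation that follows fails with a send error. The function name, the five-minute window and the year default are assumptions; because the send-error line carries no peer address, it is attributed to the most recently initiated phase 1.

```python
import re
from datetime import datetime, timedelta

# Sample input: racoon lines quoted in the post, with mail line-wrapping undone.
SAMPLE_LOG = """\
Mar 23 15:38:40 fw-vista racoon: [x.x.x.x] INFO: DPD: remote (ISAKMP-SA spi=xxx) seems to be dead.
Mar 23 15:38:40 fw-vista racoon: INFO: purging ISAKMP-SA spi=xxx.
Mar 23 15:38:40 fw-vista racoon: INFO: ISAKMP-SA deleted y.y.y.y[500]-x.x.x.x[500] spi:xxx
Mar 23 15:38:49 fw-vista racoon: INFO: IPsec-SA request for x.x.x.x queued due to no phase1 found.
Mar 23 15:38:49 fw-vista racoon: INFO: initiate new phase 1 negotiation: y.y.y.y[500]<=>x.x.x.x[500]
Mar 23 15:38:49 fw-vista racoon: INFO: begin Identity Protection mode.
Mar 23 15:38:49 fw-vista racoon: ERROR: phase1 negotiation failed due to send error. www
Mar 23 15:38:49 fw-vista racoon: ERROR: failed to begin ipsec sa negotication.
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ racoon: (.*)$")
DPD_DEAD = re.compile(r"^\[(\S+)\] INFO: DPD: remote .* seems to be dead")
PHASE1_START = re.compile(r"initiate new phase 1 negotiation: \S+<=>([^\[\s]+)\[")
SEND_ERROR = re.compile(r"ERROR: phase1 negotiation failed due to send error")


def find_stuck_tunnels(log_text, window=timedelta(minutes=5), year=2011):
    """Return (peer, dpd_time, failure_time) for each peer whose tunnel was
    torn down by DPD and then failed to renegotiate within `window`."""
    dead = {}       # peer -> time DPD declared it dead
    pending = None  # peer of the most recent phase 1 initiation
    stuck = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        # Syslog timestamps carry no year, so the caller supplies one.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        msg = m.group(2)
        if (d := DPD_DEAD.match(msg)):
            dead[d.group(1)] = ts
        elif (p := PHASE1_START.search(msg)):
            pending = p.group(1)
        elif SEND_ERROR.search(msg) and pending in dead:
            if ts - dead[pending] <= window:
                stuck.append((pending, dead[pending], ts))
            pending = None
    return stuck


if __name__ == "__main__":
    for peer, dpd_at, failed_at in find_stuck_tunnels(SAMPLE_LOG):
        print(f"{peer}: DPD dead at {dpd_at}, phase 1 send error at {failed_at}")
```
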
