Re: [pfSense Support] racoon message: racoon: ERROR: libipsec failed pfkey align (Invalid sadb message)

I have had a tunnel up and working for a few weeks (I have a LSys rv042 on 1 end of the tunnel.) And 2 days ago, I started getting similar messages. I was briefly viewing the logs last night, and it seems to me that the AH (of IPsec) failed due to some mismatch in the hash key. But I'd need to re-examine the logs to verify. My log was filled with these messages almost the whole day yesterday. And during that time, the tunnel was pretty much down; the rv042 wasn't reachable via the tunnel.

- PV

On 9/2/09, luismi wrote:
> Yes I know that link and I checked my config and seems to be ok.
>
> The cisco side is:
>
> crypto isakmp policy 10
>  encr 3des
>  authentication pre-share
>  group 2
>  lifetime 3600
> crypto isakmp key address 11.22.33.44 no-xauth
> crypto isakmp invalid-spi-recovery
> crypto isakmp keepalive 10
> !
> !
> crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
> !
> crypto map PFSVPN 15 ipsec-isakmp
>  description VPN IPSEC contra PFSense FW1
>  set peer 11.22.33.44
>  set security-association lifetime seconds 28800
>  set transform-set 3DES-SHA
>  set pfs group2
>  match address 100
>
> and in the pfsense side...
> under Phase 1 proposal (Authentication) I have 28800 seconds as lifetime
> under Phase 2 proposal (SA/Key Exchange) I have 3600 seconds as lifetime
>
> I don't see clearly if those values are correctly located against my cisco
> configuration.
>
> -
> To unsubscribe, e-mail: support-unsubscr...@pfsense.com
> For additional commands, e-mail: support-h...@pfsense.com
>
> Commercial support available - https://portal.pfsense.org

--
Sent from my mobile device

Re: [pfSense Support] racoon message: racoon: ERROR: libipsec failed pfkey align (Invalid sadb message)

Yes I know that link and I checked my config and seems to be ok.

The cisco side is:

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key address 11.22.33.44 no-xauth
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
!
crypto map PFSVPN 15 ipsec-isakmp
 description VPN IPSEC contra PFSense FW1
 set peer 11.22.33.44
 set security-association lifetime seconds 28800
 set transform-set 3DES-SHA
 set pfs group2
 match address 100

and in the pfsense side...
under Phase 1 proposal (Authentication) I have 28800 seconds as lifetime
under Phase 2 proposal (SA/Key Exchange) I have 3600 seconds as lifetime

I don't see clearly if those values are correctly located against my cisco configuration.

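
Added example, not part of the original thread: on IOS the `lifetime` line under `crypto isakmp policy` is the phase 1 (IKE) lifetime, and `set security-association lifetime seconds` under the crypto map is the phase 2 (IPsec SA) lifetime. This Python sketch extracts both from the config quoted above and compares them with the pfSense values reported in the same message; the function names are hypothetical and the input is a constructed excerpt.

```python
import re

# Constructed input: lifetime-relevant IOS lines from the message above
# (pre-shared key line left out).
CISCO_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 group 2
 lifetime 3600
crypto map PFSVPN 15 ipsec-isakmp
 set peer 11.22.33.44
 set security-association lifetime seconds 28800
 set pfs group2
"""
# pfSense GUI values reported in the same message, in seconds.
PFSENSE = {"phase1": 28800, "phase2": 3600}

def cisco_lifetimes(config):
    """Return phase 1 / phase 2 lifetimes (None if the line is absent)."""
    found = {"phase1": None, "phase2": None}
    section = ""
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():      # top-level command opens a new section
            section = line
            continue
        m = re.fullmatch(r"lifetime (\d+)", line)
        if m and section.startswith("crypto isakmp policy"):
            found["phase1"] = int(m.group(1))   # IKE (ISAKMP) SA lifetime
        m = re.fullmatch(r"set security-association lifetime seconds (\d+)", line)
        if m and section.startswith("crypto map"):
            found["phase2"] = int(m.group(1))   # IPsec SA lifetime
    return found

def mismatches(cisco, pfsense):
    """List (phase, cisco_value, pfsense_value) for each lifetime that differs."""
    return [(p, cisco[p], pfsense[p]) for p in ("phase1", "phase2")
            if cisco[p] != pfsense[p]]

def swapped(cisco, pfsense):
    """True when each side's phase 1 value is the other side's phase 2 value."""
    return (cisco["phase1"] == pfsense["phase2"] != cisco["phase2"]
            and cisco["phase2"] == pfsense["phase1"])

if __name__ == "__main__":
    c = cisco_lifetimes(CISCO_CONFIG)
    for phase, cv, pv in mismatches(c, PFSENSE):
        print(f"{phase}: cisco={cv}s pfsense={pv}s")
    print("values swapped between phases:", swapped(c, PFSENSE))
```

A `None` result means the config carries no explicit lifetime line for that phase, so the device default applies and has to be checked on the router itself.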
Re: [pfSense Support] racoon message: racoon: ERROR: libipsec failed pfkey align (Invalid sadb message)

luismi wrote:
> Is there anyone here with experience with this message "racoon: ERROR:
> libipsec failed pfkey align (Invalid sadb message)"?
>
> Pfsense version is 1.2.2 and the remote side is a cisco router.
> Everything seems to be ok, but we have some connectivity problems with
> some servers and I don't know if they are related with that message.

I've seen that before but it's never really been a "fatal" condition. The tunnels have continued to work despite it.

http://doc.pfsense.org/index.php/IPsec_Troubleshooting#Failed_pfkey_align

Jim

[pfSense Support] racoon message: racoon: ERROR: libipsec failed pfkey align (Invalid sadb message)

Is there anyone here with experience with this message "racoon: ERROR: libipsec failed pfkey align (Invalid sadb message)"?

Pfsense version is 1.2.2 and the remote side is a cisco router. Everything seems to be ok, but we have some connectivity problems with some servers and I don't know if they are related with that message.

Regards.