Re: [pfSense Support] pfsense 1.2.3 ipsec stopping to work after too many unsuccessful connects
On Fri, Feb 11, 2011 at 7:10 PM, Chris Buechler cbuech...@gmail.com wrote:
> On Fri, Feb 11, 2011 at 5:31 PM, David Rees dree...@gmail.com wrote:
>> Ah, now I see my confusion. You can't create an alias or firewall rule with a hostname in 1.2.3
>
> You can do that too. :) doesn't update automatically though, have to cron a ruleset reload. 2.0 handles it very nicely.

Hmm.. so what am I missing? When trying to create an alias with a host name, I get an error when I use either the Host(s) or Network(s) type. If I try to create a rule, set the source type to Single host or alias and type in a hostname for the address, I get an error, too.

Good to know 2.0 will be able to handle this nicely, though as it does come in handy on occasion...

Thanks

-Dave

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] pfsense 1.2.3 ipsec stopping to work after too many unsuccessful connects
> I run pfsense 1.2.3 and use 4 ipsec tunnels with dynamic endpoints. Everything works fine, but when one endpoint continuously gets a new WAN-IP due to numerous reconnects, racoon stops working and has to be started manually…
> Can anyone confirm this issue?

I have the same issue; and almost all my endpoints are pfsenses too on a dynamic ADSL connection. I now have built in some tricks to make racoon work a little bit more stable:

1. the endpoints have a built-in restart at 4 AM (our provider restarts PPPoE on 36 hours, which makes it disconnect each and every 1,5 days), so I have set up pfSense to do the restarting.
2. I restart the racoon service on the central pfSense machine at 4:15 AM using a cronjob.

And then hope for the best :)

This helped me come through the day, as before I had to restart racoon at least each and every 3 days... this has become a weekly task or longer from time to time now.

Regards,
Michel
Re: [pfSense Support] pfsense 1.2.3 ipsec stopping to work after too many unsuccessful connects
On Thu, Feb 10, 2011 at 6:14 PM, Chris Buechler cbuech...@gmail.com wrote:
> On Thu, Feb 10, 2011 at 8:11 PM, David Rees dree...@gmail.com wrote:
>> BTW Martin - how are you using dynamic endpoints for IPsec w/pfSense? I didn't think that was possible...
>
> It's possible, just use dyndns names. It largely works fine, you can hit some scenarios in 1.2.3 though that require kicking racoon on typically rare occasion.

Ah, now I see my confusion. You can't create an alias or firewall rule with a hostname in 1.2.3, but you can setup an IPsec VPN connection with one...

-Dave
Re: [pfSense Support] pfsense 1.2.3 ipsec stopping to work after too many unsuccessful connects
On Fri, Feb 11, 2011 at 5:31 PM, David Rees dree...@gmail.com wrote:
> Ah, now I see my confusion. You can't create an alias or firewall rule with a hostname in 1.2.3

You can do that too. :) doesn't update automatically though, have to cron a ruleset reload. 2.0 handles it very nicely.
Re: [pfSense Support] pfsense 1.2.3 ipsec stopping to work after too many unsuccessful connects
On Thu, Feb 10, 2011 at 5:36 PM, Fuchs, Martin martin.fu...@trendchiller.com wrote:
> Hi!
> I run pfsense 1.2.3 and use 4 ipsec tunnels with dynamic endpoints. Everything works fine, but when one endpoint continuously gets a new WAN-IP due to numerous reconnects, racoon stops working and has to be started manually…

Probably because DPD doesn't work entirely correctly in that version of ipsec-tools, it does in the newest version that's now in 2.0 snapshots.
Re: [pfSense Support] pfsense 1.2.3 ipsec stopping to work after too many unsuccessful connects
On Thu, Feb 10, 2011 at 2:57 PM, Chris Buechler cbuech...@gmail.com wrote:
> On Thu, Feb 10, 2011 at 5:36 PM, Fuchs, Martin martin.fu...@trendchiller.com wrote:
>> I run pfsense 1.2.3 and use 4 ipsec tunnels with dynamic endpoints. Everything works fine, but when one endpoint continuously gets a new WAN-IP due to numerous reconnects, racoon stops working and has to be started manually…
>
> Probably because DPD doesn't work entirely correctly in that version of ipsec-tools, it does in the newest version that's now in 2.0 snapshots.

Is this the relevant ticket? http://redmine.pfsense.org/issues/1256

Has the fix been checked in to 2.0 yet? We occasionally see issues with VPNs dropping after network drops and may want to do some testing with the latest snapshots...

BTW Martin - how are you using dynamic endpoints for IPsec w/pfSense? I didn't think that was possible...

-Dave
Re: [pfSense Support] pfsense 1.2.3 ipsec stopping to work after too many unsuccessful connects
On Thu, Feb 10, 2011 at 8:11 PM, David Rees dree...@gmail.com wrote:
> On Thu, Feb 10, 2011 at 2:57 PM, Chris Buechler cbuech...@gmail.com wrote:
>> On Thu, Feb 10, 2011 at 5:36 PM, Fuchs, Martin martin.fu...@trendchiller.com wrote:
>>> I run pfsense 1.2.3 and use 4 ipsec tunnels with dynamic endpoints. Everything works fine, but when one endpoint continuously gets a new WAN-IP due to numerous reconnects, racoon stops working and has to be started manually…
>>
>> Probably because DPD doesn't work entirely correctly in that version of ipsec-tools, it does in the newest version that's now in 2.0 snapshots.
>
> Is this the relevant ticket? http://redmine.pfsense.org/issues/1256

yes now fixed.

> Has the fix been checked in to 2.0 yet?

as of a couple days ago yes.

> BTW Martin - how are you using dynamic endpoints for IPsec w/pfSense? I didn't think that was possible...

It's possible, just use dyndns names. It largely works fine, you can hit some scenarios in 1.2.3 though that require kicking racoon on typically rare occasion.