I'm experiencing some problems with this IPSEC version. My tunnel opens, sometimes stays up for a while, and then closes.

My IPSEC section on both sides:

Side 1: 200.204.120.145
Side 2: 200.179.214.104

Side 1:

<ipsec>
  <preferredoldsa/>
  <enable/>
  <tunnel>
    <auto/>
    <interface>wan</interface>
    <local-subnet>
      <network>lan</network>
    </local-subnet>
    <remote-subnet>192.168.0.0/24</remote-subnet>
    <remote-gateway>200.179.214.104</remote-gateway>
    <p1>
      <mode>aggressive</mode>
      <myident>
        <myaddress/>
      </myident>
      <encryption-algorithm>3des</encryption-algorithm>
      <hash-algorithm>sha1</hash-algorithm>
      <dhgroup>2</dhgroup>
      <lifetime>86400</lifetime>
      <pre-shared-key>supersecret</pre-shared-key>
      <private-key/>
      <cert/>
      <peercert/>
      <authentication_method>pre_shared_key</authentication_method>
    </p1>
    <p2>
      <protocol>esp</protocol>
      <encryption-algorithm-option>3des</encryption-algorithm-option>
      <encryption-algorithm-option>blowfish</encryption-algorithm-option>
      <encryption-algorithm-option>cast128</encryption-algorithm-option>
      <encryption-algorithm-option>rijndael</encryption-algorithm-option>
      <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
      <hash-algorithm-option>hmac_md5</hash-algorithm-option>
      <pfsgroup>0</pfsgroup>
      <lifetime>86400</lifetime>
    </p2>
    <descr>NetfilterRJ</descr>
  </tunnel>
</ipsec>

Side 2:

<ipsec>
  <preferredoldsa/>
  <enable/>
  <tunnel>
    <auto/>
    <interface>wan</interface>
    <local-subnet>
      <network>lan</network>
    </local-subnet>
    <remote-subnet>192.168.1.0/24</remote-subnet>
    <remote-gateway>200.204.120.145</remote-gateway>
    <p1>
      <mode>aggressive</mode>
      <myident>
        <myaddress/>
      </myident>
      <encryption-algorithm>3des</encryption-algorithm>
      <hash-algorithm>sha1</hash-algorithm>
      <dhgroup>2</dhgroup>
      <lifetime>86400</lifetime>
      <pre-shared-key>bqnsepc</pre-shared-key>
      <private-key/>
      <cert/>
      <peercert/>
      <authentication_method>pre_shared_key</authentication_method>
    </p1>
    <p2>
      <protocol>esp</protocol>
      <encryption-algorithm-option>3des</encryption-algorithm-option>
      <encryption-algorithm-option>blowfish</encryption-algorithm-option>
      <encryption-algorithm-option>cast128</encryption-algorithm-option>
      <encryption-algorithm-option>rijndael</encryption-algorithm-option>
      <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
      <hash-algorithm-option>hmac_md5</hash-algorithm-option>
      <pfsgroup>0</pfsgroup>
      <lifetime>86400</lifetime>
    </p2>
    <descr>Netfilter SP</descr>
  </tunnel>
</ipsec>

-----Original Message-----
From: Scott Ullrich [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 16, 2006 14:24
To: support@pfsense.com
Subject: Re: [pfSense Support] IPSec Problems

Okay, if for some reason 0.6.5 is not out by the time we go to release I'll back down to 0.6.2.

Scott

On 1/16/06, John Cianfarani <[EMAIL PROTECTED]> wrote:
> From the looks of it I don't know if it's exactly related; it seems that
> bug is related to the remote address being a /32. All of the ones I have are
> /24's.
>
> The strange part is the mobile connection will work part of the time, but
> when it stops working it just seems to be dead.
>
> John
>
> -----Original Message-----
> From: Scott Ullrich [mailto:[EMAIL PROTECTED]]
> Sent: Monday, January 16, 2006 11:07 AM
> To: support@pfsense.com
> Subject: Re: [pfSense Support] IPSec Problems
>
> We are waiting for 0.6.5 of IPSEC-Tools due to a bug. Is this the same?
>
> http://article.gmane.org/gmane.comp.security.firewalls.m0n0wall/23905
>
> Scott
>
> On 1/16/06, Pedro Paulo de Magalhaes Oliveira Junior <[EMAIL PROTECTED]> wrote:
> > We are facing the same problem.
> >
> > And it also happens with non-mobile.
> >
> > -----Original Message-----
> > From: John Cianfarani [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, January 16, 2006 13:58
> > To: support@pfsense.com
> > Subject: [pfSense Support] IPSec Problems
> >
> > Hey All,
> >
> > I have been having some problems again with some of the Mobile Client
> > IPSec. Not sure if there are any changes/improvements in Beta 2. (All
> > sites are running Beta 1.)
> > Here is the issue I've been having: IPsec tunnels seem to bounce quite
> > frequently. While this could be caused by many issues, it seems that
> > sometimes when the tunnel goes down it just won't come back up.
> >
> > The setup is a remote-pf site, which is the mobile client, and the central-pf
> > host site, which has a CARP address that the remote site builds the
> > tunnel to.
> > I haven't isolated which one the problem is with. When the tunnel gets
> > into this state I try to do the sourced ping from the remote-pf; I have also
> > tried to restart the box and the tunnel will still not build. (See
> > below for the ipsec.log after a reboot and a test ping.) If I check the
> > ipsec.log on the central-pf it is empty, as if there was no
> > attempt. If I nmap both hosts it shows "500/udp open|filtered isakmp", so
> > it looks like it's bound correctly.
> >
> > Now, just for testing, while it is in this state I can build a regular
> > tunnel on the central-pf to the dynamic IP of the remote site and ping,
> > and the tunnel will come up right away.
> >
> > Anything to check or try would be appreciated.
> >
> > Thanks
> > John Cianfarani
> >
> >
> > ---- Log from remote-pf after a reload and ping -c 10 -S LANIP REMOTELANIP ----
> > Jan 16 10:15:17 gw-remote1 racoon: INFO: @(#)ipsec-tools 0.6.4 (http://ipsec-tools.sourceforge.net)
> > Jan 16 10:15:17 gw-remote1 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
> > Jan 16 10:15:17 gw-remote1 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=8)
> > Jan 16 10:15:17 gw-remote1 racoon: INFO: ::1[500] used as isakmp port (fd=9)
> > Jan 16 10:15:17 gw-remote1 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=10)
> > Jan 16 10:15:17 gw-remote1 racoon: INFO: re.mo.te.ip[500] used as isakmp port (fd=11)
> > Jan 16 10:15:17 gw-remote1 racoon: INFO: fe80::20d:b9ff:fe02:c6c6%sis2[500] used as isakmp port (fd=12)
> > Jan 16 10:15:17 gw-remote1 racoon: INFO: fe80::20d:b9ff:fe02:c6c5%sis1[500] used as isakmp port (fd=13)
> > Jan 16 10:15:17 gw-remote1 racoon: INFO: 192.168.0.1[500] used as isakmp port (fd=14)
> > Jan 16 10:15:17 gw-remote1 racoon: INFO: fe80::20d:b9ff:fe02:c6c4%sis0[500] used as isakmp port (fd=15)
> > Jan 16 10:15:17 gw-remote1 racoon: INFO: 172.16.10.1[500] used as isakmp port (fd=16)
> > Jan 16 10:15:18 gw-remote1 racoon: INFO: caught signal 15
> > Jan 16 10:15:19 gw-remote1 racoon: INFO: racoon shutdown
> > Jan 16 10:15:20 gw-remote1 racoon: INFO: @(#)ipsec-tools 0.6.4 (http://ipsec-tools.sourceforge.net)
> > Jan 16 10:15:20 gw-remote1 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
> > Jan 16 10:15:21 gw-remote1 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=7)
> > Jan 16 10:15:21 gw-remote1 racoon: INFO: ::1[500] used as isakmp port (fd=8)
> > Jan 16 10:15:21 gw-remote1 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=9)
> > Jan 16 10:15:21 gw-remote1 racoon: INFO: re.mo.te.ip[500] used as isakmp port (fd=10)
> > Jan 16 10:15:21 gw-remote1 racoon: INFO: fe80::20d:b9ff:fe02:c6c6%sis2[500] used as isakmp port (fd=11)
> > Jan 16 10:15:21 gw-remote1 racoon: INFO: fe80::20d:b9ff:fe02:c6c5%sis1[500] used as isakmp port (fd=12)
> > Jan 16 10:15:21 gw-remote1 racoon: INFO: 192.168.0.1[500] used as isakmp port (fd=13)
> > Jan 16 10:15:21 gw-remote1 racoon: INFO: fe80::20d:b9ff:fe02:c6c4%sis0[500] used as isakmp port (fd=14)
> > Jan 16 10:15:21 gw-remote1 racoon: INFO: 172.16.10.1[500] used as isakmp port (fd=15)
> > Jan 16 10:15:21 gw-remote1 racoon: ERROR: such policy already exists. anyway replace it: 172.16.10.0/24[0] 172.16.10.1/32[0] proto=any dir=in
> > Jan 16 10:15:21 gw-remote1 racoon: ERROR: such policy already exists. anyway replace it: 172.16.0.0/24[0] 172.16.10.0/24[0] proto=any dir=in
> > Jan 16 10:15:21 gw-remote1 racoon: ERROR: such policy already exists. anyway replace it: 172.16.10.1/32[0] 172.16.10.0/24[0] proto=any dir=out
> > Jan 16 10:15:21 gw-remote1 racoon: ERROR: such policy already exists. anyway replace it: 172.16.10.0/24[0] 172.16.0.0/24[0] proto=any dir=out
> > Jan 16 10:16:01 gw-remote1 racoon: INFO: IPsec-SA request for ce.nt.ral.ip queued due to no phase1 found.
> > Jan 16 10:16:01 gw-remote1 racoon: INFO: initiate new phase 1 negotiation: re.mo.te.ip[500]<=>ce.nt.ral.ip[500]
> > Jan 16 10:16:01 gw-remote1 racoon: INFO: begin Aggressive mode.
> > Jan 16 10:16:32 gw-remote1 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP ce.nt.ral.ip[0]->re.mo.te.ip[0]
> > Jan 16 10:16:32 gw-remote1 racoon: INFO: delete phase 2 handler.
> > Jan 16 10:17:00 gw-remote1 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
> > Jan 16 10:17:01 gw-remote1 racoon: ERROR: phase1 negotiation failed due to time up. ea11cee6415ca5ef:0000000000000000
> > Jan 16 10:17:31 gw-remote1 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP ce.nt.ral.ip[0]->re.mo.te.ip[0]
> > Jan 16 10:17:31 gw-remote1 racoon: INFO: delete phase 2 handler.
> > Jan 16 10:18:00 gw-remote1 racoon: INFO: IPsec-SA request for ce.nt.ral.ip queued due to no phase1 found.
> > Jan 16 10:18:00 gw-remote1 racoon: INFO: initiate new phase 1 negotiation: re.mo.te.ip[500]<=>ce.nt.ral.ip[500]
> > Jan 16 10:18:00 gw-remote1 racoon: INFO: begin Aggressive mode.
> > Jan 16 10:18:31 gw-remote1 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP ce.nt.ral.ip[0]->re.mo.te.ip[0]
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
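A quick consistency check over the two pfSense `<ipsec>` sections posted above, added here as an example and not part of the thread: it parses both ends of the tunnel and reports every phase 1 / phase 2 parameter that is not mirrored (the pre-shared key included, without echoing the secret) and any remote-gateway that does not point at the other side's address. The XML fragments are trimmed copies of the posted configs; the public addresses are the "Side 1"/"Side 2" values from the post.

```python
import xml.etree.ElementTree as ET

# Constructed for this example: both <ipsec> fragments from the post, trimmed to
# the elements the checker reads; public addresses as given in the post.
SIDE1_IP, SIDE2_IP = "200.204.120.145", "200.179.214.104"
SIDE1_XML = """<ipsec><tunnel>
  <remote-subnet>192.168.0.0/24</remote-subnet>
  <remote-gateway>200.179.214.104</remote-gateway>
  <p1><mode>aggressive</mode><encryption-algorithm>3des</encryption-algorithm>
      <hash-algorithm>sha1</hash-algorithm><dhgroup>2</dhgroup><lifetime>86400</lifetime>
      <pre-shared-key>supersecret</pre-shared-key></p1>
  <p2><protocol>esp</protocol><pfsgroup>0</pfsgroup><lifetime>86400</lifetime></p2>
</tunnel></ipsec>"""
SIDE2_XML = """<ipsec><tunnel>
  <remote-subnet>192.168.1.0/24</remote-subnet>
  <remote-gateway>200.204.120.145</remote-gateway>
  <p1><mode>aggressive</mode><encryption-algorithm>3des</encryption-algorithm>
      <hash-algorithm>sha1</hash-algorithm><dhgroup>2</dhgroup><lifetime>86400</lifetime>
      <pre-shared-key>bqnsepc</pre-shared-key></p1>
  <p2><protocol>esp</protocol><pfsgroup>0</pfsgroup><lifetime>86400</lifetime></p2>
</tunnel></ipsec>"""

# Parameters expected to be identical at both ends for phase 1 / phase 2 to agree.
P1_FIELDS = ("mode", "encryption-algorithm", "hash-algorithm", "dhgroup",
             "lifetime", "pre-shared-key")
P2_FIELDS = ("protocol", "pfsgroup", "lifetime")


def check_tunnel_pair(xml_a, ip_a, xml_b, ip_b):
    """Compare both ends of one site-to-site tunnel; an empty list means they mirror."""
    tun_a = ET.fromstring(xml_a).find("tunnel")
    tun_b = ET.fromstring(xml_b).find("tunnel")
    findings = []
    for phase, fields in (("p1", P1_FIELDS), ("p2", P2_FIELDS)):
        for field in fields:
            va, vb = tun_a.findtext(f"{phase}/{field}"), tun_b.findtext(f"{phase}/{field}")
            if va != vb:
                # Never copy the secret into a report; only say that it differs.
                detail = "differs" if field == "pre-shared-key" else f"{va!r} vs {vb!r}"
                findings.append(f"{phase}/{field}: {detail}")
    # Each end's remote-gateway must be the other end's public address.
    gw_a, gw_b = tun_a.findtext("remote-gateway"), tun_b.findtext("remote-gateway")
    if gw_a != ip_b:
        findings.append(f"side A remote-gateway {gw_a} is not side B address {ip_b}")
    if gw_b != ip_a:
        findings.append(f"side B remote-gateway {gw_b} is not side A address {ip_a}")
    return findings
```

Run against the posted configs the only finding is the pre-shared key, which differs between the two sides.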
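The ipsec.log John quoted shows the pattern to look for when a tunnel "just won't come back up": phase 1 is initiated in aggressive mode, nothing comes back, and every queued phase 2 request expires waiting for it. The summariser below, added here as an example rather than anything from the thread, counts those events in racoon's syslog output so the condition can be spotted without reading the log by hand. The sample lines are unwrapped copies of the quoted log (with its re.mo.te.ip / ce.nt.ral.ip placeholders); the "ISAKMP-SA established" message is racoon's standard success line and is assumed here because it never appears in the quoted log.

```python
import re

# Constructed sample: the negotiation lines from the quoted ipsec.log, one syslog line each.
SAMPLE_LOG = """\
Jan 16 10:16:01 gw-remote1 racoon: INFO: IPsec-SA request for ce.nt.ral.ip queued due to no phase1 found.
Jan 16 10:16:01 gw-remote1 racoon: INFO: initiate new phase 1 negotiation: re.mo.te.ip[500]<=>ce.nt.ral.ip[500]
Jan 16 10:16:01 gw-remote1 racoon: INFO: begin Aggressive mode.
Jan 16 10:16:32 gw-remote1 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP ce.nt.ral.ip[0]->re.mo.te.ip[0]
Jan 16 10:17:01 gw-remote1 racoon: ERROR: phase1 negotiation failed due to time up. ea11cee6415ca5ef:0000000000000000
Jan 16 10:17:31 gw-remote1 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP ce.nt.ral.ip[0]->re.mo.te.ip[0]
Jan 16 10:18:00 gw-remote1 racoon: INFO: initiate new phase 1 negotiation: re.mo.te.ip[500]<=>ce.nt.ral.ip[500]
Jan 16 10:18:00 gw-remote1 racoon: INFO: begin Aggressive mode.
Jan 16 10:18:31 gw-remote1 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP ce.nt.ral.ip[0]->re.mo.te.ip[0]
"""

# syslog prefix as racoon writes it, then the free-text message
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) racoon: (?P<lvl>\w+): (?P<msg>.*)$")
INIT_RE = re.compile(r"initiate new phase 1 negotiation: [^\s\[]+\[\d+\]<=>(?P<peer>[^\s\[]+)\[\d+\]")


def summarize_phase1(log_text):
    """Count phase 1 attempts, phase 1 timeouts, phase 2 requests that expired
    waiting for phase 1, and completed ISAKMP SAs; flag a peer that never answers."""
    s = {"peers": set(), "attempts": 0, "p1_timeouts": 0,
         "p2_expired_waiting": 0, "established": 0}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        init = INIT_RE.search(msg)
        if init:
            s["attempts"] += 1
            s["peers"].add(init.group("peer"))
        elif msg.startswith("phase1 negotiation failed due to time up"):
            s["p1_timeouts"] += 1
        elif msg.startswith("phase2 negotiation failed due to time up waiting for phase1"):
            s["p2_expired_waiting"] += 1
        elif msg.startswith("ISAKMP-SA established"):  # assumed success line, not in the quoted log
            s["established"] += 1
    # Attempts with no completed SA: the responder is not answering the first
    # aggressive-mode message, so look at UDP/500 reachability and the responder's log.
    s["peer_silent"] = s["attempts"] > 0 and s["established"] == 0
    return s
```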