Regarding this e-mail: the shared keys are the same

-----Original Message-----
From: Pedro Paulo de Magalhaes Oliveira Junior [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, 17 January 2006 15:12
To: support@pfsense.com
Subject: RE: [pfSense Support] IPSec Problems

I'm experiencing some problems with this IPSEC version.

My tunnel opens, lasts sometimes, and closes.

My IPSEC section on both sides:

Side 1: 200.204.120.145
Side 2: 200.179.214.104

Side 1:
        <ipsec>
                <preferredoldsa/>
                <enable/>
                <tunnel>
                        <auto/>
                        <interface>wan</interface>
                        <local-subnet>
                                <network>lan</network>
                        </local-subnet>
                        <remote-subnet>192.168.0.0/24</remote-subnet>
                        <remote-gateway>200.179.214.104</remote-gateway>
                        <p1>
                                <mode>aggressive</mode>
                                <myident>
                                        <myaddress/>
                                </myident>
                                <encryption-algorithm>3des</encryption-algorithm>
                                <hash-algorithm>sha1</hash-algorithm>
                                <dhgroup>2</dhgroup>
                                <lifetime>86400</lifetime>
                                <pre-shared-key>supersecret</pre-shared-key>
                                <private-key/>
                                <cert/>
                                <peercert/>
                                <authentication_method>pre_shared_key</authentication_method>
                        </p1>
                        <p2>
                                <protocol>esp</protocol>
                                <encryption-algorithm-option>3des</encryption-algorithm-option>
                                <encryption-algorithm-option>blowfish</encryption-algorithm-option>
                                <encryption-algorithm-option>cast128</encryption-algorithm-option>
                                <encryption-algorithm-option>rijndael</encryption-algorithm-option>
                                <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
                                <hash-algorithm-option>hmac_md5</hash-algorithm-option>
                                <pfsgroup>0</pfsgroup>
                                <lifetime>86400</lifetime>
                        </p2>
                        <descr>NetfilterRJ</descr>
                </tunnel>
        </ipsec>


Side 2:
        <ipsec>
                <preferredoldsa/>
                <enable/>
                <tunnel>
                        <auto/>
                        <interface>wan</interface>
                        <local-subnet>
                                <network>lan</network>
                        </local-subnet>
                        <remote-subnet>192.168.1.0/24</remote-subnet>
                        <remote-gateway>200.204.120.145</remote-gateway>
                        <p1>
                                <mode>aggressive</mode>
                                <myident>
                                        <myaddress/>
                                </myident>
                                <encryption-algorithm>3des</encryption-algorithm>
                                <hash-algorithm>sha1</hash-algorithm>
                                <dhgroup>2</dhgroup>
                                <lifetime>86400</lifetime>
                                <pre-shared-key> supersecret
</pre-shared-key>
                                <private-key/>
                                <cert/>
                                <peercert/>
                                <authentication_method>pre_shared_key</authentication_method>
                        </p1>
                        <p2>
                                <protocol>esp</protocol>
                                <encryption-algorithm-option>3des</encryption-algorithm-option>
                                <encryption-algorithm-option>blowfish</encryption-algorithm-option>
                                <encryption-algorithm-option>cast128</encryption-algorithm-option>
                                <encryption-algorithm-option>rijndael</encryption-algorithm-option>
                                <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
                                <hash-algorithm-option>hmac_md5</hash-algorithm-option>
                                <pfsgroup>0</pfsgroup>
                                <lifetime>86400</lifetime>
                        </p2>
                        <descr>Netfilter SP</descr>
                </tunnel>
        </ipsec>
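An added check, not part of this thread or of pfSense, that parses the two <ipsec> fragments posted above and compares their phase-1 settings byte for byte: as pasted, side 2's pre-shared key carries a leading space and a trailing newline, which the eye reads as "the same" but IKE does not, so it is worth confirming what actually lands in racoon's psk.txt. SIDE1, SIDE2, p1_settings and compare_sides are names assumed here.

```python
import xml.etree.ElementTree as ET

# Constructed from the two <ipsec> fragments posted above, trimmed to the
# phase-1 fields; side 2's key keeps its leading space and newline as posted.
SIDE1 = """<ipsec><tunnel><p1><mode>aggressive</mode>
<encryption-algorithm>3des</encryption-algorithm><hash-algorithm>sha1</hash-algorithm>
<dhgroup>2</dhgroup><lifetime>86400</lifetime>
<pre-shared-key>supersecret</pre-shared-key>
<authentication_method>pre_shared_key</authentication_method></p1></tunnel></ipsec>"""
SIDE2 = """<ipsec><tunnel><p1><mode>aggressive</mode>
<encryption-algorithm>3des</encryption-algorithm><hash-algorithm>sha1</hash-algorithm>
<dhgroup>2</dhgroup><lifetime>86400</lifetime>
<pre-shared-key> supersecret
</pre-shared-key>
<authentication_method>pre_shared_key</authentication_method></p1></tunnel></ipsec>"""

# Phase-1 proposal fields that must agree on both peers for IKE to succeed.
P1_FIELDS = ("mode", "encryption-algorithm", "hash-algorithm", "dhgroup",
             "lifetime", "authentication_method")

def p1_settings(xml_text):
    """Phase-1 parameters of the first <tunnel>; the PSK is kept raw so a key
    that merely looks identical in the GUI still shows up as different."""
    p1 = ET.fromstring(xml_text).find("tunnel/p1")
    out = {f: (p1.findtext(f) or "") for f in P1_FIELDS}
    out["psk"] = p1.findtext("pre-shared-key") or ""
    return out

def compare_sides(xml_a, xml_b):
    """List every phase-1 difference between two peer configs."""
    a, b = p1_settings(xml_a), p1_settings(xml_b)
    findings = [f"{f}: {a[f]!r} vs {b[f]!r}" for f in P1_FIELDS if a[f] != b[f]]
    if a["psk"] != b["psk"]:
        if a["psk"].strip() == b["psk"].strip():
            findings.append("pre-shared-key differs only by whitespace: "
                            f"{a['psk']!r} vs {b['psk']!r}")
        else:
            findings.append("pre-shared-key differs")
    if a["mode"] == "aggressive" and a["authentication_method"] == "pre_shared_key":
        # Aggressive mode sends the PSK-derived hash unencrypted, so a captured
        # exchange can be guessed against offline; main mode avoids that.
        findings.append("note: aggressive mode with a PSK; prefer main mode")
    return findings
```

Running compare_sides(SIDE1, SIDE2) reports the whitespace-only key difference and the aggressive-mode note; every other phase-1 field matches.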

-----Original Message-----
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Monday, 16 January 2006 14:24
To: support@pfsense.com
Subject: Re: [pfSense Support] IPSec Problems

Okay, if for some reason 0.6.5 is not out by the time we go to release
I'll back down to 0.6.2.

Scott

On 1/16/06, John Cianfarani <[EMAIL PROTECTED]> wrote:
> From the looks of it I don't know if it's exactly related; it seems that
> bug is related to the remote address being /32's, and all of the ones I have are
> /24's.
>
> Strange part is the mobile connection will work part of the time, but
> when it stops working it just seems to be dead.
>
> John
> -----Original Message-----
> From: Scott Ullrich [mailto:[EMAIL PROTECTED]
> Sent: Monday, January 16, 2006 11:07 AM
> To: support@pfsense.com
> Subject: Re: [pfSense Support] IPSec Problems
>
> We are waiting for 0.6.5 of IPSEC-Tools due to a bug.  Is this the same?
>
> http://article.gmane.org/gmane.comp.security.firewalls.m0n0wall/23905
>
> Scott
>
> On 1/16/06, Pedro Paulo de Magalhaes Oliveira Junior
> <[EMAIL PROTECTED]> wrote:
> > We are facing the same problem.
> >
> > And it also happens with non-mobile.
> >
> > -----Original Message-----
> > From: John Cianfarani [mailto:[EMAIL PROTECTED]
> > Sent: Monday, 16 January 2006 13:58
> > To: support@pfsense.com
> > Subject: [pfSense Support] IPSec Problems
> >
> > Hey All,
> >
> > I have been having some problems again with some of the Mobile Client
> > IPSec.  Not sure if there are any changes/improvements in Beta 2. (All
> > sites are running Beta 1)
> > Here is the issue I've been having: IPsec tunnels seem to bounce quite
> > frequently. While this could be caused by many issues, it seems that
> > sometimes when the tunnel goes down it just won't come back up.
> >
> > Setup is a remote-pf site, which is the mobile client, and the central-pf
> > host site that has a CARP address, which is where the remote site
> > builds the tunnel to.
> > I haven't isolated which one the problem is with.  When the tunnel gets
> > in this state I try to do the sourced ping from the remote-pf; I also
> > have tried to restart the box and the tunnel will still not build. (See
> > below for the ipsec.log after a reboot and a test ping.)  If I check the
> > ipsec.log on the central-pf it is empty, as if there was no attempt.
> > If I nmap both hosts it shows "500/udp open|filtered isakmp", so
> > it looks like it's bound correctly.
> >
> > Now just for testing while it is in this state I can build a regular
> > tunnel on the central-pf to the dynamic IP of the remote site and ping,
> > and the tunnel will come up right away.
> >
> > Anything to check or try would be appreciated.
> >
> > Thanks
> > John Cianfarani
> >
> >
> > ---- Log from remote-pf after a reload and ping -c 10 -S LANIP REMOTELANIP ----
> > Jan 16 10:15:17 gw-remote1 racoon: INFO: @(#)ipsec-tools 0.6.4 (http://ipsec-tools.sourceforge.net)
> > Jan 16 10:15:17 gw-remote1 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
> > Jan 16 10:15:17 gw-remote1 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=8)
> > Jan 16 10:15:17 gw-remote1 racoon: INFO: ::1[500] used as isakmp port (fd=9)
> > Jan 16 10:15:17 gw-remote1 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=10)
> > Jan 16 10:15:17 gw-remote1 racoon: INFO: re.mo.te.ip[500] used as isakmp port (fd=11)
> > Jan 16 10:15:17 gw-remote1 racoon: INFO: fe80::20d:b9ff:fe02:c6c6%sis2[500] used as isakmp port (fd=12)
> > Jan 16 10:15:17 gw-remote1 racoon: INFO: fe80::20d:b9ff:fe02:c6c5%sis1[500] used as isakmp port (fd=13)
> > Jan 16 10:15:17 gw-remote1 racoon: INFO: 192.168.0.1[500] used as isakmp port (fd=14)
> > Jan 16 10:15:17 gw-remote1 racoon: INFO: fe80::20d:b9ff:fe02:c6c4%sis0[500] used as isakmp port (fd=15)
> > Jan 16 10:15:17 gw-remote1 racoon: INFO: 172.16.10.1[500] used as isakmp port (fd=16)
> > Jan 16 10:15:18 gw-remote1 racoon: INFO: caught signal 15
> > Jan 16 10:15:19 gw-remote1 racoon: INFO: racoon shutdown
> > Jan 16 10:15:20 gw-remote1 racoon: INFO: @(#)ipsec-tools 0.6.4 (http://ipsec-tools.sourceforge.net)
> > Jan 16 10:15:20 gw-remote1 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
> > Jan 16 10:15:21 gw-remote1 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=7)
> > Jan 16 10:15:21 gw-remote1 racoon: INFO: ::1[500] used as isakmp port (fd=8)
> > Jan 16 10:15:21 gw-remote1 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=9)
> > Jan 16 10:15:21 gw-remote1 racoon: INFO: re.mo.te.ip[500] used as isakmp port (fd=10)
> > Jan 16 10:15:21 gw-remote1 racoon: INFO: fe80::20d:b9ff:fe02:c6c6%sis2[500] used as isakmp port (fd=11)
> > Jan 16 10:15:21 gw-remote1 racoon: INFO: fe80::20d:b9ff:fe02:c6c5%sis1[500] used as isakmp port (fd=12)
> > Jan 16 10:15:21 gw-remote1 racoon: INFO: 192.168.0.1[500] used as isakmp port (fd=13)
> > Jan 16 10:15:21 gw-remote1 racoon: INFO: fe80::20d:b9ff:fe02:c6c4%sis0[500] used as isakmp port (fd=14)
> > Jan 16 10:15:21 gw-remote1 racoon: INFO: 172.16.10.1[500] used as isakmp port (fd=15)
> > Jan 16 10:15:21 gw-remote1 racoon: ERROR: such policy already exists. anyway replace it: 172.16.10.0/24[0] 172.16.10.1/32[0] proto=any dir=in
> > Jan 16 10:15:21 gw-remote1 racoon: ERROR: such policy already exists. anyway replace it: 172.16.0.0/24[0] 172.16.10.0/24[0] proto=any dir=in
> > Jan 16 10:15:21 gw-remote1 racoon: ERROR: such policy already exists. anyway replace it: 172.16.10.1/32[0] 172.16.10.0/24[0] proto=any dir=out
> > Jan 16 10:15:21 gw-remote1 racoon: ERROR: such policy already exists. anyway replace it: 172.16.10.0/24[0] 172.16.0.0/24[0] proto=any dir=out
> > Jan 16 10:16:01 gw-remote1 racoon: INFO: IPsec-SA request for ce.nt.ral.ip queued due to no phase1 found.
> > Jan 16 10:16:01 gw-remote1 racoon: INFO: initiate new phase 1 negotiation: re.mo.te.ip[500]<=>ce.nt.ral.ip[500]
> > Jan 16 10:16:01 gw-remote1 racoon: INFO: begin Aggressive mode.
> > Jan 16 10:16:32 gw-remote1 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP ce.nt.ral.ip[0]->re.mo.te.ip[0]
> > Jan 16 10:16:32 gw-remote1 racoon: INFO: delete phase 2 handler.
> > Jan 16 10:17:00 gw-remote1 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
> > Jan 16 10:17:01 gw-remote1 racoon: ERROR: phase1 negotiation failed due to time up. ea11cee6415ca5ef:0000000000000000
> > Jan 16 10:17:31 gw-remote1 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP ce.nt.ral.ip[0]->re.mo.te.ip[0]
> > Jan 16 10:17:31 gw-remote1 racoon: INFO: delete phase 2 handler.
> > Jan 16 10:18:00 gw-remote1 racoon: INFO: IPsec-SA request for ce.nt.ral.ip queued due to no phase1 found.
> > Jan 16 10:18:00 gw-remote1 racoon: INFO: initiate new phase 1 negotiation: re.mo.te.ip[500]<=>ce.nt.ral.ip[500]
> > Jan 16 10:18:00 gw-remote1 racoon: INFO: begin Aggressive mode.
> > Jan 16 10:18:31 gw-remote1 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP ce.nt.ral.ip[0]->re.mo.te.ip[0]
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> >
> > --
> > No virus found in this incoming message.
> > Checked by AVG Free Edition.
> > Version: 7.1.371 / Virus Database: 267.14.18/230 - Release Date: 14/1/2006
