[pfSense Support] 2.0RC1 - PPTP client disconnect kills all IPsec VPNs

Thu, 31 Mar 2011 14:05:49 -0700 

I posted this on the forum[1] but didn't get any responses, so am trying here.

On 2.0-RC1 (amd64) built on Tue Mar 22 21:02:19 EDT 2011

When a PPTP user connects and then disconnects, all IPsec VPNs go down
shortly afterwards.

In the logs, we see that the pptp user logs out - shortly afterwards
the DPD kicks in on the VPNs, but fails to bring the VPNs back up.
Disabling/enabling an IPsec VPN brings them all back up.

We don't use PPTP much so it's the first time we've seen it.  We're
planning on going back to the official RC1 in the mean time.  Known
issue?  Anyone using both PPTP server and IPsec VPNs NOT seeing this
issue?  What's your setup like?

It definitely looks lke this thread[2] could be related - but I tried
making the change noted in that thread w/no change in results.

Here's what the IPsec logs look like - replaced IPs with characters.

Mar 23 15:38:40 fw-vista racoon: [x.x.x.x] INFO: DPD: remote
(ISAKMP-SA spi=xxx) seems to be dead.
Mar 23 15:38:40 fw-vista racoon: INFO: purging ISAKMP-SA spi=xxx.
Mar 23 15:38:40 fw-vista racoon: INFO: purged IPsec-SA spi=yyy.
Mar 23 15:38:40 fw-vista racoon: INFO: purged IPsec-SA spi=zzz.
Mar 23 15:38:40 fw-vista racoon: INFO: purged ISAKMP-SA spi=xxx.
Mar 23 15:38:40 fw-vista racoon: INFO: ISAKMP-SA deleted
y.y.y.y[500]-x.x.x.x[500] spi:xxx

Mar 23 15:38:49 fw-vista racoon: INFO: IPsec-SA request for x.x.x.x
queued due to no phase1 found.
Mar 23 15:38:49 fw-vista racoon: INFO: initiate new phase 1
negotiation: y.y.y.y[500]<=>x.x.x.x[500]
Mar 23 15:38:49 fw-vista racoon: INFO: begin Identity Protection mode.
Mar 23 15:38:49 fw-vista racoon: ERROR: phase1 negotiation failed due
to send error. www
Mar 23 15:38:49 fw-vista racoon: ERROR: failed to begin ipsec sa negotication.

This is the only real issue we've seen with the 2.0 release so far -
otherwise looks good!

Thanks

Dave

[1] http://forum.pfsense.org/index.php/topic,34853.0.html
[2] http://forum.pfsense.org/index.php/topic,34250.0.html

---------------------------------------------------------------------
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org

Reply via email to