Re: [pfSense Support] Ipsec issues update
On Dec 18, 2005, at 6:34 AM, alan walters wrote:

> I found that in the mobile clients section that I needed to change my identifier to a fqdn. Where before it was an ip.

I have never gotten mobile clients to work using IP as identifier. I'm surprised it worked for you before.
RE: [pfSense Support] Ipsec issues update
What version are you running that works for you?

Thanks
John

From: alan walters [mailto:[EMAIL PROTECTED]
Sent: Sunday, December 18, 2005 6:35 AM
To: support@pfsense.com
Subject: [pfSense Support] Ipsec issues update

Well I have got all my tunnels working again.
I found that in the mobile clients section that I needed to change my identifier to a fqdn. Where before it was an ip.
Once this was done all my tunnels worked fine again. All sites are on static ip addresses.

Alan Walters
Aillweecave Company Limited
Ballyvaughan
Co Clare
Ph: 00 353 65 7077 036
Fax: 00 353 65 7077 107
RE: [pfSense Support] Ipsec issues update
0.96.4 but it took some fiddling.

From: John Cianfarani [mailto:[EMAIL PROTECTED]
Sent: Monday, December 19, 2005 7:18 PM
To: support@pfsense.com
Subject: RE: [pfSense Support] Ipsec issues update

What version are you running that works for you?

Thanks
John
Re: [pfSense Support] ipsec issues
You simply upgraded and did not reinstall?

On 12/15/05, alan walters [EMAIL PROTECTED] wrote:
> I know I have seen a few reports of ipsec issues recently
> I can confirm that this problem does seem real to me.
>
> Working configuration
> 0.95.4 tunnel initiator.
> 0.89 something client
> 0.94.12 client
> All worked here
>
> As soon as we upgraded a client into 0.95 series ipsec stopped working.
> Clients are a mix of pc and embedded platform

To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
RE: [pfSense Support] ipsec issues
yep

-----Original Message-----
From: Scott Ullrich [mailto:[EMAIL PROTECTED]
Sent: 15 December 2005 15:53
To: support@pfsense.com
Subject: Re: [pfSense Support] ipsec issues

You simply upgraded and did not reinstall?
RE: [pfSense Support] ipsec issues
Actually now that you say that the one box that I did reinstall is fine.
This is the issue yes

-----Original Message-----
From: Scott Ullrich [mailto:[EMAIL PROTECTED]
Sent: 15 December 2005 15:53
To: support@pfsense.com
Subject: Re: [pfSense Support] ipsec issues

You simply upgraded and did not reinstall?
Re: [pfSense Support] ipsec issues
Reflashing fixes it!?

On 12/15/05, alan walters [EMAIL PROTECTED] wrote:
> As an additional note on this wraps (embedded) boxes were reflashed
> The pc versions were upgraded
RE: [pfSense Support] ipsec issues
Well when I flashed a box clean it is ok.
The other ones I have not done anything with yet.

It seems like a bit of an extraneous problem. I am having trouble locking it down.
It looks like the server is not sending back a correct reply for phase two
Still not sure though

-----Original Message-----
From: Scott Ullrich [mailto:[EMAIL PROTECTED]
Sent: 15 December 2005 17:40
To: support@pfsense.com
Subject: Re: [pfSense Support] ipsec issues

Reflashing fixes it!?
Re: [pfSense Support] ipsec issues
Can you tell me if racoon is listening on * or on the correct ip?

Do a sockstat from the shell prompt.

I really don't understand why my firmware upgrades went without a hitch and yours required a reinstall.

On 12/15/05, alan walters [EMAIL PROTECTED] wrote:
> Well when I flashed a box clean it is ok.
> The other ones I have not done anything with yet.
>
> It seems like a bit of an extraneous problem. I am having trouble locking it down.
> It looks like the server is not sending back a correct reply for phase two
> Still not sure though
RE: [pfSense Support] ipsec issues
Yep it is listening correctly.

The boxes in question can still make tunnels to 0.94.12 boxes
Only a problem starting at 0.95.4

I will look again tonight and see if anything else looks odd.
I might try and upgrade my initiation side to the latest version as well and see if this fixes it.

-----Original Message-----
From: Scott Ullrich [mailto:[EMAIL PROTECTED]
Sent: 15 December 2005 17:50
To: support@pfsense.com
Subject: Re: [pfSense Support] ipsec issues

Can you tell me if racoon is listening on * or on the correct ip?

Do a sockstat from the shell prompt.

I really don't understand why my firmware upgrades went without a hitch and yours required a reinstall.
Re: [pfSense Support] ipsec issues
Also, on the boxes in question do a uname -a from a shell

What is the output?

On 12/15/05, alan walters [EMAIL PROTECTED] wrote:
> Yep it is listening correctly.
>
> The boxes in question can still make tunnels to 0.94.12 boxes
> Only a problem starting at 0.95.4
>
> I will look again tonight and see if anything else looks odd.
> I might try and upgrade my initiation side to the latest version as well and see if this fixes it.
RE: [pfSense Support] ipsec issues
uname -a
FreeBSD ballyvaughan.radiowave.net 6.0-RC1 FreeBSD 6.0-RC1 #0: Fri Oct 21 16:30:10 UTC 2005 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/pfSense.6 i386

Sockstat
USER  COMMAND  PID  FD  PROTO  LOCAL ADDRESS                    FOREIGN ADDRESS
root  racoon   658  4   dgram  -> /var/run/logpriv
root  racoon   658  7   udp6   fe80:8::1:500                    *:*
root  racoon   658  8   udp6   ::1:500                          *:*
root  racoon   658  9   udp4   127.0.0.1:500                    *:*
root  racoon   658  10  udp6   fe80:7::280:c8ff:fe37:6c9a:500   *:*
root  racoon   658  11  udp4   192.168.168.1:500                *:*
root  racoon   658  12  udp6   fe80:6::210:60ff:fe02:79c1:500   *:*
root  racoon   658  13  udp4   192.168.1.100:500                *:*
root  racoon   658  14  udp6   fe80:4::240:f4ff:fe65:3d13:500   *:*
root  racoon   658  15  udp4   10.4.230.1:500                   *:*
root  racoon   658  16  udp6   fe80:1::2c0:9fff:fe1e:2df8:500   *:*
root  racoon   658  17  udp4   192.168.50.1:500                 *:*

Yep it is listening on all interfaces.

-----Original Message-----
From: Scott Ullrich [mailto:[EMAIL PROTECTED]
Sent: 15 December 2005 18:12
To: support@pfsense.com
Subject: Re: [pfSense Support] ipsec issues

Also, on the boxes in question do a uname -a from a shell

What is the output?
Re: [pfSense Support] ipsec issues
On Dec 15, 2005, at 12:49 PM, Scott Ullrich wrote:

> I really don't understand why my firmware upgrades went without a hitch and yours required a reinstall.

FWIW my 0.89.2 - 0.96.2 upgrade seems to work with fixed address IPsec between two offices. I'll test the mobile client once I get home (snowing here, and schools are letting out early...)

I'm not on an embedded platform.
Re: [pfSense Support] ipsec issues
Yep, that's exactly what is going on. Just delete the old kernel file and install the new firmware.

In terms of the older files elsewhere, I'd play it safe and not touch them for the time being. If you're really concerned with stale files, a reinstall is the correct answer.

Scott

On 12/15/05, Vivek Khera [EMAIL PROTECTED] wrote:
> On Dec 15, 2005, at 1:29 PM, Scott Ullrich wrote:
>
> > Something's not correct here. We are well past RC1.
>
> inneresting... my 0.96.2 upgraded box also has the same uname -a output. A bunch of modules in /boot/kernel are dated december 11, but the kernel file and a bunch of other modules are dated october 22...
>
> OH I see it. We now install /boot/kernel.gz (dated december 11) but the loader is picking up the older uncompressed version. Looks like the upgrade should delete the older kernel...
>
> I suspect the right thing to do on upgrade is a similar thing that make installkernel does to move /boot/kernel to /boot/kernel.old and update some sysctl values to tell the system that's the booted kernel. This way /boot/kernel will be exactly the current kernel no more no less.
>
> additionally, /usr/bin has some october 22 dated files: yp*, usb*, dig, and host. /usr/libexec has some older files too. Can these outdated files just be deleted? Seems like they are not used at all. On a normal freebsd install I'd just delete any non-updated files like these. The only risk with deleting old libs from /lib or /usr/lib is that some older packages may be linked against older libc's.
RE: [pfSense Support] ipsec issues
Funny well at least we are getting to the bottom of it.
So reinstall fresh seems to be the answer

-----Original Message-----
From: Vivek Khera [mailto:[EMAIL PROTECTED]
Sent: 15 December 2005 19:44
To: support@pfsense.com
Subject: Re: [pfSense Support] ipsec issues

inneresting... my 0.96.2 upgraded box also has the same uname -a output. A bunch of modules in /boot/kernel are dated december 11, but the kernel file and a bunch of other modules are dated october 22...

OH I see it. We now install /boot/kernel.gz (dated december 11) but the loader is picking up the older uncompressed version. Looks like the upgrade should delete the older kernel...

I suspect the right thing to do on upgrade is a similar thing that make installkernel does to move /boot/kernel to /boot/kernel.old and update some sysctl values to tell the system that's the booted kernel. This way /boot/kernel will be exactly the current kernel no more no less.

additionally, /usr/bin has some october 22 dated files: yp*, usb*, dig, and host. /usr/libexec has some older files too. Can these outdated files just be deleted? Seems like they are not used at all. On a normal freebsd install I'd just delete any non-updated files like these. The only risk with deleting old libs from /lib or /usr/lib is that some older packages may be linked against older libc's.
Re: [pfSense Support] ipsec issues
On Dec 15, 2005, at 2:49 PM, alan walters wrote:

> Funny well at least we are getting to the bottom of it.
> So reinstall fresh seems to be the answer

all i did was

    rm `find . \! -newer kernel.gz | grep -v kernel.gz`

in /boot/kernel and reboot. done. no need to re-install the whole thing.
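The stale-file check behind the cleanup discussed in this thread, as an added example that is not part of the original messages: it lists files in a kernel directory that are not newer than kernel.gz and flags an older uncompressed kernel, without deleting anything. The directory layout follows the thread; the function names, module names and timestamps in the fixture are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: read-only audit of a kernel directory
# after a firmware upgrade. Assumes the layout described in the thread:
# <dir>/kernel.gz is the freshly installed kernel, <dir>/kernel an older
# uncompressed copy that the loader may still pick up.

# Print regular files in <dir> that are not newer than <dir>/kernel.gz.
# Files with exactly the same mtime as kernel.gz are listed too, so review
# the output before removing anything.
stale_kernel_files() {
    dir=$1
    if [ ! -f "$dir/kernel.gz" ]; then
        echo "no kernel.gz in $dir" >&2
        return 2
    fi
    # kernel.gz is excluded by exact name; a grep -v on the name would also
    # hide unrelated files such as kernel.gz.bak.
    ( cd "$dir" && find . -type f ! -newer kernel.gz ! -name kernel.gz ) |
        sed 's|^\./||' | LC_ALL=C sort
}

# Succeed (exit 0) when an uncompressed kernel that is not newer than
# kernel.gz is still present next to it.
kernel_shadowed() {
    dir=$1
    [ -f "$dir/kernel" ] && [ -f "$dir/kernel.gz" ] || return 1
    [ -n "$(find "$dir/kernel" ! -newer "$dir/kernel.gz")" ]
}

# Build a constructed fixture; dates mirror the thread (Oct 22 vs Dec 11, 2005).
# The module names are hypothetical.
make_fixture() {
    d=$(mktemp -d) || return 1
    touch -t 200510221200 "$d/kernel" "$d/old_module.ko"
    touch -t 200512111200 "$d/kernel.gz"
    touch -t 200512111201 "$d/new_module.ko"
    echo "$d"
}

# Report on one directory: warn about a shadowing kernel, then list stale files.
audit() {
    dir=$1
    if kernel_shadowed "$dir"; then
        echo "WARNING: $dir/kernel is older than kernel.gz; check uname -a after reboot"
    fi
    echo "files not newer than kernel.gz:"
    stale_kernel_files "$dir" | sed 's/^/  /'
}

fixture=$(make_fixture)
audit "$fixture"
rm -rf "$fixture"
```

On a real box the same report comes from calling `audit /boot/kernel`; a kernel that still reports the old build date in `uname -a` after an upgrade is the symptom the thread traced to this condition.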
Re: [pfSense Support] ipsec issues
Not really necessary. This all came about because we redid the builder scripts. I don't foresee this happening again as freesbie2 works very well.

On 12/15/05, Vivek Khera [EMAIL PROTECTED] wrote:
> On Dec 15, 2005, at 2:49 PM, Scott Ullrich wrote:
>
> > Either that or delete the files in /boot/kernel/* and upgrade the firmware.
>
> so any thought on mimicking the make installkernel tricks of moving /boot/kernel to /boot/kernel.old then installing? this will avoid any stale modules ever happening again.
Re: [pfSense Support] ipsec issues
We have identified the issue. Please see the prior responses.

On 12/15/05, alan walters [EMAIL PROTECTED] wrote:
> Dec 15 10:25:46 racoon: DEBUG: 15503e09 3081b54d 1820e3e8 3256835b 08100501 9641d697 0044 04909587 3d73d865 12ce65fb 37efe8a3 88e4f114 fcbbd77c 56005075 0623b629 206c7c1b fc84f737
> Dec 15 10:25:46 racoon: ERROR: ignore information because ISAKMP-SA has not been established yet.
> Dec 15 10:25:47 racoon: ERROR: 195.218.118.115 give up to get IPsec-SA due to time up to wait.
>
> This is the only snip I could find that looks of interest in the client side log
RE: [pfSense Support] ipsec issues
Is this only required if you upgraded? All my installs were a reflash.

Thanks
John

-----Original Message-----
From: Scott Ullrich [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 15, 2005 2:45 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] ipsec issues

Yep, that's exactly what is going on. Just delete the old kernel file and install the new firmware.

In terms of the older files elsewhere, I'd play it safe and not touch them for the time being. If you're really concerned with stale files, a reinstall is the correct answer.

Scott
Re: [pfSense Support] ipsec issues
Yep, only from 0.95ish + upgrades.

On 12/15/05, John Cianfarani [EMAIL PROTECTED] wrote:
> Is this only required if you upgraded? All my installs were a reflash.
>
> Thanks
> John
RE: [pfSense Support] ipsec issues
I agree that even after the kernel there is still an issue here as well.
I think that there is a versioning issue with ipsec or something else odd that we can't see.

I hope to get time to look at it tomorrow

-----Original Message-----
From: John Cianfarani [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 15, 2005 10:39 PM
To: support@pfsense.com
Subject: RE: [pfSense Support] ipsec issues

This is very strange. Gar... it seems like my issue is still different than this other one. Since with my mobile client side I'm running 96.2, and the kernel.gz is dated Dec 12.
Not sure what else to try but to reflash both boxes.

Thanks
John