We are facing the same problem. And it also happens with non-mobile.
-----Original Message-----
From: John Cianfarani [mailto:[EMAIL PROTECTED]
Sent: Monday, January 16, 2006 13:58
To: [email protected]
Subject: [pfSense Support] IPSec Problems

Hey All,

I have been having some problems again with some of the Mobile Client IPSec. Not sure if there are any changes/improvements in Beta 2. (All sites are running Beta 1.)

Here is the issue I've been having: IPsec tunnels seem to bounce quite frequently. While this could be caused by many issues, it seems that sometimes when the tunnel goes down it just won't come back up.

Setup is a remote-pf site, which is the mobile client, and the central-pf host site, which has a CARP address that the remote site builds the tunnel to. I haven't isolated which one the problem is with.

When the tunnel gets in this state I try to do the sourced ping from the remote-pf. I have also tried to restart the box and the tunnel will still not build. (See below for the ipsec.log after a reboot and a test ping.) If I check the ipsec.log on the central-pf it is empty, as if there was no attempt at all. If I nmap both hosts it shows "500/udp open|filtered isakmp", so it looks like it's bound correctly.

Now just for testing, while it is in this state I can build a regular tunnel on the central-pf to the dynamic IP of the remote site and ping, and the tunnel will come up right away.

Anything to check or try would be appreciated.
Thanks,
John Cianfarani

---- Log from remote-pf after a reload and ping -c 10 -S LANIP REMOTELANIP ----

Jan 16 10:15:17 gw-remote1 racoon: INFO: @(#)ipsec-tools 0.6.4 (http://ipsec-tools.sourceforge.net)
Jan 16 10:15:17 gw-remote1 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
Jan 16 10:15:17 gw-remote1 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=8)
Jan 16 10:15:17 gw-remote1 racoon: INFO: ::1[500] used as isakmp port (fd=9)
Jan 16 10:15:17 gw-remote1 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=10)
Jan 16 10:15:17 gw-remote1 racoon: INFO: re.mo.te.ip[500] used as isakmp port (fd=11)
Jan 16 10:15:17 gw-remote1 racoon: INFO: fe80::20d:b9ff:fe02:c6c6%sis2[500] used as isakmp port (fd=12)
Jan 16 10:15:17 gw-remote1 racoon: INFO: fe80::20d:b9ff:fe02:c6c5%sis1[500] used as isakmp port (fd=13)
Jan 16 10:15:17 gw-remote1 racoon: INFO: 192.168.0.1[500] used as isakmp port (fd=14)
Jan 16 10:15:17 gw-remote1 racoon: INFO: fe80::20d:b9ff:fe02:c6c4%sis0[500] used as isakmp port (fd=15)
Jan 16 10:15:17 gw-remote1 racoon: INFO: 172.16.10.1[500] used as isakmp port (fd=16)
Jan 16 10:15:18 gw-remote1 racoon: INFO: caught signal 15
Jan 16 10:15:19 gw-remote1 racoon: INFO: racoon shutdown
Jan 16 10:15:20 gw-remote1 racoon: INFO: @(#)ipsec-tools 0.6.4 (http://ipsec-tools.sourceforge.net)
Jan 16 10:15:20 gw-remote1 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
Jan 16 10:15:21 gw-remote1 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=7)
Jan 16 10:15:21 gw-remote1 racoon: INFO: ::1[500] used as isakmp port (fd=8)
Jan 16 10:15:21 gw-remote1 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=9)
Jan 16 10:15:21 gw-remote1 racoon: INFO: re.mo.te.ip[500] used as isakmp port (fd=10)
Jan 16 10:15:21 gw-remote1 racoon: INFO: fe80::20d:b9ff:fe02:c6c6%sis2[500] used as isakmp port (fd=11)
Jan 16 10:15:21 gw-remote1 racoon: INFO: fe80::20d:b9ff:fe02:c6c5%sis1[500] used as isakmp port (fd=12)
Jan 16 10:15:21 gw-remote1 racoon: INFO: 192.168.0.1[500] used as isakmp port (fd=13)
Jan 16 10:15:21 gw-remote1 racoon: INFO: fe80::20d:b9ff:fe02:c6c4%sis0[500] used as isakmp port (fd=14)
Jan 16 10:15:21 gw-remote1 racoon: INFO: 172.16.10.1[500] used as isakmp port (fd=15)
Jan 16 10:15:21 gw-remote1 racoon: ERROR: such policy already exists. anyway replace it: 172.16.10.0/24[0] 172.16.10.1/32[0] proto=any dir=in
Jan 16 10:15:21 gw-remote1 racoon: ERROR: such policy already exists. anyway replace it: 172.16.0.0/24[0] 172.16.10.0/24[0] proto=any dir=in
Jan 16 10:15:21 gw-remote1 racoon: ERROR: such policy already exists. anyway replace it: 172.16.10.1/32[0] 172.16.10.0/24[0] proto=any dir=out
Jan 16 10:15:21 gw-remote1 racoon: ERROR: such policy already exists. anyway replace it: 172.16.10.0/24[0] 172.16.0.0/24[0] proto=any dir=out
Jan 16 10:16:01 gw-remote1 racoon: INFO: IPsec-SA request for ce.nt.ral.ip queued due to no phase1 found.
Jan 16 10:16:01 gw-remote1 racoon: INFO: initiate new phase 1 negotiation: re.mo.te.ip[500]<=>ce.nt.ral.ip[500]
Jan 16 10:16:01 gw-remote1 racoon: INFO: begin Aggressive mode.
Jan 16 10:16:32 gw-remote1 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP ce.nt.ral.ip[0]->re.mo.te.ip[0]
Jan 16 10:16:32 gw-remote1 racoon: INFO: delete phase 2 handler.
Jan 16 10:17:00 gw-remote1 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Jan 16 10:17:01 gw-remote1 racoon: ERROR: phase1 negotiation failed due to time up. ea11cee6415ca5ef:0000000000000000
Jan 16 10:17:31 gw-remote1 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP ce.nt.ral.ip[0]->re.mo.te.ip[0]
Jan 16 10:17:31 gw-remote1 racoon: INFO: delete phase 2 handler.
Jan 16 10:18:00 gw-remote1 racoon: INFO: IPsec-SA request for ce.nt.ral.ip queued due to no phase1 found.
Jan 16 10:18:00 gw-remote1 racoon: INFO: initiate new phase 1 negotiation: re.mo.te.ip[500]<=>ce.nt.ral.ip[500]
Jan 16 10:18:00 gw-remote1 racoon: INFO: begin Aggressive mode.
Jan 16 10:18:31 gw-remote1 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP ce.nt.ral.ip[0]->re.mo.te.ip[0]

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
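The racoon log above tells a fairly specific story: the remote side initiates phase 1 (Aggressive mode) repeatedly, never logs an established ISAKMP SA, and every queued phase 2 request then times out "waiting for phase1", while the responder's ipsec.log stays empty. A small log triage script that turns those lines into per-peer counters makes that pattern obvious without reading every line. The following is an added example, not code from the thread or from pfSense/ipsec-tools. It uses a constructed, shortened copy of John's log with the same placeholder addresses (re.mo.te.ip, ce.nt.ral.ip); the "ISAKMP-SA established" pattern is an assumption about racoon's success message, since no such line appears in the posted log.

```python
import re
from collections import defaultdict

# Constructed sample: a shortened copy of the racoon log posted in the thread,
# with the same placeholder addresses. It is not the original log verbatim.
SAMPLE_LOG = """\
Jan 16 10:15:21 gw-remote1 racoon: INFO: re.mo.te.ip[500] used as isakmp port (fd=10)
Jan 16 10:15:21 gw-remote1 racoon: ERROR: such policy already exists. anyway replace it: 172.16.10.0/24[0] 172.16.10.1/32[0] proto=any dir=in
Jan 16 10:16:01 gw-remote1 racoon: INFO: IPsec-SA request for ce.nt.ral.ip queued due to no phase1 found.
Jan 16 10:16:01 gw-remote1 racoon: INFO: initiate new phase 1 negotiation: re.mo.te.ip[500]<=>ce.nt.ral.ip[500]
Jan 16 10:16:01 gw-remote1 racoon: INFO: begin Aggressive mode.
Jan 16 10:16:32 gw-remote1 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP ce.nt.ral.ip[0]->re.mo.te.ip[0]
Jan 16 10:17:01 gw-remote1 racoon: ERROR: phase1 negotiation failed due to time up. ea11cee6415ca5ef:0000000000000000
Jan 16 10:18:00 gw-remote1 racoon: INFO: initiate new phase 1 negotiation: re.mo.te.ip[500]<=>ce.nt.ral.ip[500]
Jan 16 10:18:31 gw-remote1 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP ce.nt.ral.ip[0]->re.mo.te.ip[0]
"""

ADDR = r"[^\[\s]+"  # an address token as racoon prints it, up to the "[port]" suffix
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) racoon: (?P<level>\w+): (?P<msg>.*)$")
INIT_RE = re.compile(rf"initiate new phase 1 negotiation: (?P<local>{ADDR})\[\d+\]<=>(?P<peer>{ADDR})\[\d+\]")
# Assumed format of racoon's phase 1 success message; it does not occur in the posted log.
P1_OK_RE = re.compile(rf"ISAKMP-SA established (?P<local>{ADDR})\[\d+\]-(?P<peer>{ADDR})\[\d+\]")
P1_TIMEOUT_RE = re.compile(r"phase1 negotiation failed due to time up")
P2_TIMEOUT_RE = re.compile(
    rf"phase2 negotiation failed due to time up waiting for phase1\. ESP (?P<peer>{ADDR})\[\d+\]->(?P<local>{ADDR})\[\d+\]"
)
POLICY_RE = re.compile(r"such policy already exists")


def parse_line(line):
    """Split one racoon syslog line into timestamp, host, level and message (None if not racoon)."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyze(log_text):
    """Count phase 1 / phase 2 outcomes per peer. Returns (per_peer_stats, policy_replacements)."""
    stats = defaultdict(lambda: {"phase1_initiated": 0, "phase1_established": 0,
                                 "phase1_timeouts": 0, "phase2_timeouts": 0})
    policy_replacements = 0  # "such policy already exists" is benign SPD reload noise
    last_peer = None
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if POLICY_RE.search(msg):
            policy_replacements += 1
        elif (m := INIT_RE.search(msg)):
            last_peer = m.group("peer")
            stats[last_peer]["phase1_initiated"] += 1
        elif (m := P1_OK_RE.search(msg)):
            stats[m.group("peer")]["phase1_established"] += 1
        elif P1_TIMEOUT_RE.search(msg):
            # racoon identifies this failure only by ISAKMP cookie, not by address,
            # so attribute it to the peer whose phase 1 was started most recently.
            if last_peer is not None:
                stats[last_peer]["phase1_timeouts"] += 1
        elif (m := P2_TIMEOUT_RE.search(msg)):
            stats[m.group("peer")]["phase2_timeouts"] += 1
    return dict(stats), policy_replacements


def diagnose(stats):
    """Map each peer to (code, explanation) based on the counters."""
    findings = {}
    for peer, s in stats.items():
        if s["phase1_initiated"] and not s["phase1_established"]:
            findings[peer] = (
                "unanswered_phase1",
                f"phase 1 initiated {s['phase1_initiated']}x and never established: the peer is not "
                "answering on UDP/500. Check the responder's own racoon log for any trace of the "
                "attempt and confirm it listens on the address the client dials (here the CARP VIP).",
            )
        elif s["phase1_established"] and s["phase2_timeouts"]:
            findings[peer] = ("phase2_timeouts",
                              "phase 1 is up but phase 2 keeps timing out: compare phase 2 proposals "
                              "and the SPD entries on both ends.")
        else:
            findings[peer] = ("ok", "no negotiation failures recorded")
    return findings


if __name__ == "__main__":
    per_peer, replaced = analyze(SAMPLE_LOG)
    print(f"SPD policies replaced on reload: {replaced}")
    for peer, (code, text) in diagnose(per_peer).items():
        print(f"{peer}: {code}: {text}")
```

Run it on the real ipsec.log from both boxes (`python3 racoon_triage.py < /var/log/ipsec.log`, after swapping SAMPLE_LOG for stdin) and compare: an initiator showing `unanswered_phase1` while the responder's log has no entries for that peer points at the UDP/500 path or at the listening address on the responder, not at the proposals, which matches what the `nmap` result (open|filtered, which does not prove the packet reached racoon) leaves open.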
