My problem is packet loss:
C:\Documents and Settings\Administrador>ping -t 192.168.0.252
Sending to 192.168.0.252 with 32 bytes data:
Request timeout.
Reply from 192.168.0.252: bytes=32 tempo=146ms TTL=126
Reply from 192.168.0.252: bytes=32 tempo=72ms TTL=126
Reply from 192.168.0.252: bytes=32 tempo=116ms TTL=126
Reply from 192.168.0.252: bytes=32 tempo=116ms TTL=126
Request timeout.
Request timeout.
Reply from 192.168.0.252: bytes=32 tempo=158ms TTL=126
Reply from 192.168.0.252: bytes=32 tempo=169ms TTL=126
Request timeout.
Request timeout.
Reply from 192.168.0.252: bytes=32 tempo=210ms TTL=126
Reply from 192.168.0.252: bytes=32 tempo=266ms TTL=126
Reply from 192.168.0.252: bytes=32 tempo=63ms TTL=126
Reply from 192.168.0.252: bytes=32 tempo=84ms TTL=126
Reply from 192.168.0.252: bytes=32 tempo=139ms TTL=126
Reply from 192.168.0.252: bytes=32 tempo=131ms TTL=126
Reply from 192.168.0.252: bytes=32 tempo=136ms TTL=126
Request timeout.
Request timeout.
Reply from 192.168.0.252: bytes=32 tempo=234ms TTL=126
Reply from 192.168.0.252: bytes=32 tempo=57ms TTL=126
Request timeout.
Request timeout.
Reply from 192.168.0.252: bytes=32 tempo=62ms TTL=126
Request timeout.
Request timeout.
Reply from 192.168.0.252: bytes=32 tempo=84ms TTL=126
Ping to 192.168.0.252:
Pacotes: Sent = 28, Received = 17, Lost = 11 (39% loss),
Roundtrip:
Mínimo = 57ms, Máximo = 266ms, Média = 131ms
-----Original Message-----
From: John Cianfarani [mailto:[EMAIL PROTECTED]
Sent: Monday, January 16, 2006 14:21
To: [email protected]
Subject: RE: [pfSense Support] IPSec Problems
From the looks of it I don't know if it's exactly related. It seems that
bug is related to the remote address being /32's; all of the ones I have are
/24's.
Strange part is the mobile connection will work part of the time, but
when it stops working it just seems to be dead.
John
-----Original Message-----
From: Scott Ullrich [mailto:[EMAIL PROTECTED]
Sent: Monday, January 16, 2006 11:07 AM
To: [email protected]
Subject: Re: [pfSense Support] IPSec Problems
We are waiting for 0.6.5 of IPSEC-Tools due to a bug. Is this the same?
http://article.gmane.org/gmane.comp.security.firewalls.m0n0wall/23905
Scott
On 1/16/06, Pedro Paulo de Magalhaes Oliveira Junior
<[EMAIL PROTECTED]> wrote:
> We are facing the same problem.
>
> And it also happens with non-mobile.
>
> -----Original Message-----
> From: John Cianfarani [mailto:[EMAIL PROTECTED]
> Sent: Monday, January 16, 2006 13:58
> To: [email protected]
> Subject: [pfSense Support] IPSec Problems
>
> Hey All,
>
> I have been having some problems again with some of the Mobile Client
> IPSec. Not sure if there are any changes/improvements in Beta 2. (All
> sites are running Beta 1.)
> Here is the issue I've been having: IPsec tunnels seem to bounce quite
> frequently. While this could be caused by many issues, it seems that
> sometimes when the tunnel goes down it just won't come back up.
>
> Setup is a remote-pf site, which is the mobile client, and the central-pf
> host site that has a CARP address, which is where the remote site
> builds the tunnel to.
> I haven't isolated which one the problem is with. When the tunnel gets
> in this state I try to do the sourced ping from the remote-pf. I also
> have tried to restart the box and the tunnel will still not build. (See
> below for the ipsec.log after a reboot and a test ping.) If I check the
> ipsec.log on the central-pf it is empty, as if there was either no
> attempt. If I nmap both hosts it shows "500/udp open|filtered isakmp", so
> it looks like it's bound correctly.
>
> Now just for testing while it is in this state I can build a regular
> tunnel on the central-pf to the dynamic ip of the remote site and ping
> and the tunnel will come up right away.
>
> Anything to check or try would be appreciated.
>
> Thanks
> John Cianfarani
>
>
> ---- Log from remote-pf after a reload and ping -c 10 -S LANIP REMOTELANIP ----
> Jan 16 10:15:17 gw-remote1 racoon: INFO: @(#)ipsec-tools 0.6.4 (http://ipsec-tools.sourceforge.net)
> Jan 16 10:15:17 gw-remote1 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
> Jan 16 10:15:17 gw-remote1 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=8)
> Jan 16 10:15:17 gw-remote1 racoon: INFO: ::1[500] used as isakmp port (fd=9)
> Jan 16 10:15:17 gw-remote1 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=10)
> Jan 16 10:15:17 gw-remote1 racoon: INFO: re.mo.te.ip[500] used as isakmp port (fd=11)
> Jan 16 10:15:17 gw-remote1 racoon: INFO: fe80::20d:b9ff:fe02:c6c6%sis2[500] used as isakmp port (fd=12)
> Jan 16 10:15:17 gw-remote1 racoon: INFO: fe80::20d:b9ff:fe02:c6c5%sis1[500] used as isakmp port (fd=13)
> Jan 16 10:15:17 gw-remote1 racoon: INFO: 192.168.0.1[500] used as isakmp port (fd=14)
> Jan 16 10:15:17 gw-remote1 racoon: INFO: fe80::20d:b9ff:fe02:c6c4%sis0[500] used as isakmp port (fd=15)
> Jan 16 10:15:17 gw-remote1 racoon: INFO: 172.16.10.1[500] used as isakmp port (fd=16)
> Jan 16 10:15:18 gw-remote1 racoon: INFO: caught signal 15
> Jan 16 10:15:19 gw-remote1 racoon: INFO: racoon shutdown
> Jan 16 10:15:20 gw-remote1 racoon: INFO: @(#)ipsec-tools 0.6.4 (http://ipsec-tools.sourceforge.net)
> Jan 16 10:15:20 gw-remote1 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
> Jan 16 10:15:21 gw-remote1 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=7)
> Jan 16 10:15:21 gw-remote1 racoon: INFO: ::1[500] used as isakmp port (fd=8)
> Jan 16 10:15:21 gw-remote1 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=9)
> Jan 16 10:15:21 gw-remote1 racoon: INFO: re.mo.te.ip[500] used as isakmp port (fd=10)
> Jan 16 10:15:21 gw-remote1 racoon: INFO: fe80::20d:b9ff:fe02:c6c6%sis2[500] used as isakmp port (fd=11)
> Jan 16 10:15:21 gw-remote1 racoon: INFO: fe80::20d:b9ff:fe02:c6c5%sis1[500] used as isakmp port (fd=12)
> Jan 16 10:15:21 gw-remote1 racoon: INFO: 192.168.0.1[500] used as isakmp port (fd=13)
> Jan 16 10:15:21 gw-remote1 racoon: INFO: fe80::20d:b9ff:fe02:c6c4%sis0[500] used as isakmp port (fd=14)
> Jan 16 10:15:21 gw-remote1 racoon: INFO: 172.16.10.1[500] used as isakmp port (fd=15)
> Jan 16 10:15:21 gw-remote1 racoon: ERROR: such policy already exists. anyway replace it: 172.16.10.0/24[0] 172.16.10.1/32[0] proto=any dir=in
> Jan 16 10:15:21 gw-remote1 racoon: ERROR: such policy already exists. anyway replace it: 172.16.0.0/24[0] 172.16.10.0/24[0] proto=any dir=in
> Jan 16 10:15:21 gw-remote1 racoon: ERROR: such policy already exists. anyway replace it: 172.16.10.1/32[0] 172.16.10.0/24[0] proto=any dir=out
> Jan 16 10:15:21 gw-remote1 racoon: ERROR: such policy already exists. anyway replace it: 172.16.10.0/24[0] 172.16.0.0/24[0] proto=any dir=out
> Jan 16 10:16:01 gw-remote1 racoon: INFO: IPsec-SA request for ce.nt.ral.ip queued due to no phase1 found.
> Jan 16 10:16:01 gw-remote1 racoon: INFO: initiate new phase 1 negotiation: re.mo.te.ip[500]<=>ce.nt.ral.ip[500]
> Jan 16 10:16:01 gw-remote1 racoon: INFO: begin Aggressive mode.
> Jan 16 10:16:32 gw-remote1 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP ce.nt.ral.ip[0]->re.mo.te.ip[0]
> Jan 16 10:16:32 gw-remote1 racoon: INFO: delete phase 2 handler.
> Jan 16 10:17:00 gw-remote1 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
> Jan 16 10:17:01 gw-remote1 racoon: ERROR: phase1 negotiation failed due to time up. ea11cee6415ca5ef:0000000000000000
> Jan 16 10:17:31 gw-remote1 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP ce.nt.ral.ip[0]->re.mo.te.ip[0]
> Jan 16 10:17:31 gw-remote1 racoon: INFO: delete phase 2 handler.
> Jan 16 10:18:00 gw-remote1 racoon: INFO: IPsec-SA request for ce.nt.ral.ip queued due to no phase1 found.
> Jan 16 10:18:00 gw-remote1 racoon: INFO: initiate new phase 1 negotiation: re.mo.te.ip[500]<=>ce.nt.ral.ip[500]
> Jan 16 10:18:00 gw-remote1 racoon: INFO: begin Aggressive mode.
> Jan 16 10:18:31 gw-remote1 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP ce.nt.ral.ip[0]->re.mo.te.ip[0]
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
> --
> No virus found in this incoming message.
> Checked by AVG Free Edition.
> Version: 7.1.371 / Virus Database: 267.14.18/230 - Release Date: 14/1/2006
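
Added example, not part of the original thread: a small triage script for racoon logs in the format quoted above. It counts phase 1 attempts and separates phase 1 timeouts whose responder cookie is all zeros (no ISAKMP reply from the peer was ever processed, as in the quoted log) from timeouts where the peer did answer. The function name `triage` and the last sample line are constructed for illustration.

```python
import re

# Sample lines copied from the racoon log quoted in the thread; the final
# line is constructed to show the contrasting case (non-zero responder cookie).
SAMPLE_LOG = """\
Jan 16 10:16:01 gw-remote1 racoon: INFO: initiate new phase 1 negotiation: re.mo.te.ip[500]<=>ce.nt.ral.ip[500]
Jan 16 10:16:01 gw-remote1 racoon: INFO: begin Aggressive mode.
Jan 16 10:16:32 gw-remote1 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP ce.nt.ral.ip[0]->re.mo.te.ip[0]
Jan 16 10:17:01 gw-remote1 racoon: ERROR: phase1 negotiation failed due to time up. ea11cee6415ca5ef:0000000000000000
Jan 16 10:18:00 gw-remote1 racoon: INFO: initiate new phase 1 negotiation: re.mo.te.ip[500]<=>ce.nt.ral.ip[500]
Jan 16 10:19:01 gw-remote1 racoon: ERROR: phase1 negotiation failed due to time up. 1122334455667788:99aabbccddeeff00
"""

P1_START = re.compile(r"initiate new phase 1 negotiation: ([^\s\[]+)\[\d+\]<=>([^\s\[]+)\[\d+\]")
P1_TIMEOUT = re.compile(r"phase1 negotiation failed due to time up\. ([0-9a-f]{16}):([0-9a-f]{16})")
P2_WAIT = re.compile(r"phase2 negotiation failed due to time up waiting for phase1")

def triage(log_text):
    """Summarise phase 1 outcomes found in racoon syslog text."""
    report = {"p1_attempts": 0, "p2_starved": 0, "no_reply": [], "stalled": [], "peers": set()}
    for line in log_text.splitlines():
        if m := P1_START.search(line):
            report["p1_attempts"] += 1
            report["peers"].add(m.group(2))  # remote end of the negotiation
        elif m := P1_TIMEOUT.search(line):
            initiator, responder = m.groups()
            # All-zero responder cookie: the peer's first reply never arrived,
            # so look at reachability and filtering of UDP/500 before the
            # proposal or key settings. Non-zero: the peer answered, then stalled.
            key = "no_reply" if int(responder, 16) == 0 else "stalled"
            report[key].append(f"{initiator}:{responder}")
        elif P2_WAIT.search(line):
            report["p2_starved"] += 1  # phase 2 gave up waiting on phase 1
    return report

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
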