On Thu, 8 May 2008 16:23:28 -0700 "David Rees" <[EMAIL PROTECTED]> wrote:
> What version of pfSense?

1.2 everywhere.

> What do you mean "goes blank"?

100% packet loss.

> Going to need logs.

Of course. Let's debug one by one. This is office1->office2:

On office1 I see:

May 9 10:30:20 racoon: [tunel 11 -> 111 mv]: INFO: initiate new phase 2 negotiation:
May 9 10:30:20 racoon: [tunel 11 -> 111 mv]: INFO: IPsec-SA established: ESP/Tunnel 84.255.245.212[0]->77.234.135.134[0] spi=143114727(0x887c1e7)
May 9 10:30:20 racoon: [tunel 11 -> 111 mv]: INFO: IPsec-SA established: ESP/Tunnel 77.234.135.134[0]->84.255.245.212[0] spi=207960073(0xc653809)
May 9 10:30:20 racoon: INFO: purged IPsec-SA proto_id=ESP spi=265358510.
May 9 10:30:20 racoon: [tunel 11 -> 111 mv]: INFO: initiate new phase 2 negotiation:
May 9 10:30:21 racoon: [tunel 11 -> 111 mv]: INFO: IPsec-SA established: ESP/Tunnel 84.255.245.212[0]->77.234.135.134[0] spi=66013813(0x3ef4a75)
May 9 10:30:21 racoon: [tunel 11 -> 111 mv]: INFO: IPsec-SA established: ESP/Tunnel 77.234.135.134[0]->84.255.245.212[0] spi=30759723(0x1d55b2b)
May 9 10:30:21 racoon: INFO: purged IPsec-SA proto_id=ESP spi=207960073.
May 9 10:31:02 racoon: [tunel 11 -> 111 mv]: INFO: initiate new phase 2 negotiation:
May 9 10:31:02 racoon: [tunel 11 -> 111 mv]: INFO: IPsec-SA established: ESP/Tunnel 84.255.245.212[0]->77.234.135.134[0] spi=31393894(0x1df0866)
May 9 10:31:02 racoon: [tunel 11 -> 111 mv]: INFO: IPsec-SA established: ESP/Tunnel 77.234.135.134[0]->84.255.245.212[0] spi=10754697(0xa41a89)
May 9 10:31:03 racoon: INFO: purged IPsec-SA proto_id=ESP spi=30759723.
May 9 10:31:03 racoon: [tunel 11 -> 111 mv]: INFO: initiate new phase 2 negotiation:
...

and on office2 side I see:

May 9 10:30:20 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: 84.255.245.212[0]<=>77.234.135.134[0]
May 9 10:30:20 racoon: [Unknown Gateway/Dynamic]: INFO: Update the generated policy : 192.168.1.0/24[0] 192.168.111.0/24[0] proto=any dir=in
May 9 10:30:20 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 77.234.135.134[0]->84.255.245.212[0] spi=30759723(0x1d55b2b)
May 9 10:30:20 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 84.255.245.212[0]->77.234.135.134[0] spi=66013813(0x3ef4a75)
May 9 10:30:20 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.1.0/24[0] 192.168.111.0/24[0] proto=any dir=in"
May 9 10:30:20 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.111.0/24[0] 192.168.1.0/24[0] proto=any dir=out"
May 9 10:30:20 racoon: [Unknown Gateway/Dynamic]: ERROR: pfkey DELETE received: ESP 84.255.245.212[0]->77.234.135.134[0] spi=143114727(0x887c1e7)
May 9 10:31:02 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: 84.255.245.212[0]<=>77.234.135.134[0]
May 9 10:31:02 racoon: [Unknown Gateway/Dynamic]: INFO: Update the generated policy : 192.168.11.0/24[0] 192.168.111.0/24[0] proto=any dir=in
May 9 10:31:02 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 77.234.135.134[0]->84.255.245.212[0] spi=10754697(0xa41a89)
May 9 10:31:02 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 84.255.245.212[0]->77.234.135.134[0] spi=31393894(0x1df0866)
May 9 10:31:02 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.11.0/24[0] 192.168.111.0/24[0] proto=any dir=in"
May 9 10:31:02 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.111.0/24[0] 192.168.11.0/24[0] proto=any dir=out"
May 9 10:31:03 racoon: [Unknown Gateway/Dynamic]: ERROR: pfkey DELETE received: ESP 84.255.245.212[0]->77.234.135.134[0] spi=66013813(0x3ef4a75)
May 9 10:31:03 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: 84.255.245.212[0]<=>77.234.135.134[0]
...

and so on. This is repeating at a fairly higher frequency than I'd expect. While this is going on, tunnel mostly works but disappears every now and then.

What could be the reason for this? Lifetimes for phase1 and phase2 are set to 28800s on both sides.

-- 
Jure Pečar
http://jure.pecar.org
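One way to quantify the pattern in the logs above, as an added example that is not part of the original message: it parses racoon lines in the format quoted here, measures the gaps between phase 2 negotiations against the 28800 s lifetime, and lists the distinct generated policies and the error count. The function names, the year 2008 used to complete the syslog timestamps, and the half-lifetime threshold for an "early" rekey are assumptions.

```python
import re
from datetime import datetime

LINE = re.compile(r"^(\w{3}\s+\d+\s+[\d:]{8}) racoon: (?:\[(.*?)\]: )?(\w+): (.*)$")
POLICY = re.compile(r"Update the generated policy : (\S+)\[\d+\] (\S+)\[\d+\]")

# Six entries copied from the office2 log quoted above.
SAMPLE = """\
May 9 10:30:20 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: 84.255.245.212[0]<=>77.234.135.134[0]
May 9 10:30:20 racoon: [Unknown Gateway/Dynamic]: INFO: Update the generated policy : 192.168.1.0/24[0] 192.168.111.0/24[0] proto=any dir=in
May 9 10:30:20 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.1.0/24[0] 192.168.111.0/24[0] proto=any dir=in"
May 9 10:31:02 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: 84.255.245.212[0]<=>77.234.135.134[0]
May 9 10:31:02 racoon: [Unknown Gateway/Dynamic]: INFO: Update the generated policy : 192.168.11.0/24[0] 192.168.111.0/24[0] proto=any dir=in
May 9 10:31:03 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: 84.255.245.212[0]<=>77.234.135.134[0]
"""

def parse(text, year=2008):
    """Yield (timestamp, level, message). Syslog omits the year, so it is assumed."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(3), m.group(4)

def summarize(text, lifetime_s=28800):
    """Summarise phase 2 churn: negotiation gaps, generated policies, errors."""
    starts, policies, errors = [], set(), 0
    for ts, level, msg in parse(text):
        if "new phase 2 negotiation" in msg:
            starts.append(ts)
        elif (p := POLICY.search(msg)):
            policies.add(p.groups())
        errors += level == "ERROR"
    gaps = [int((b - a).total_seconds()) for a, b in zip(starts, starts[1:])]
    return {
        "negotiations": len(starts),
        "gaps_s": gaps,
        # Assumed threshold: a rekey before half the lifetime counts as early.
        "early_rekeys": sum(g < lifetime_s / 2 for g in gaps),
        "generated_policies": sorted(policies),
        "errors": errors,
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(key, value)
```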
