I'm running 1.2.1 on both ends of this particular IPsec connection. One location is my main office and is running the full version; the other is my home office running embedded on a WRAP-based system. The office is connected via a local wireless ISP, and the home is on Comcast.
For the longest time this was perfectly reliable, with occasional downtime when something in between the two sites was down. Lately, however, the VPN has been going down and seemingly having a very hard time coming back up. It was coincidental with upgrading both to 1.2.1. Neither endpoint has any issues connecting with our datacenter (also on a WRAP, but running pfSense 1.0.1). The home office is configured as a mobile client to all remotes, but the other endpoints use fixed endpoint configuration between each other. I sometimes use the IPsec status screen to delete the SAD entries on the home firewall when it is not connecting. In either case, when the connection is down, I see the following in my home firewall's logs:

    racoon: [KCI Main Office]: INFO: initiate new phase 2 negotiation: 69.140.125.240[0]<=>66.250.193.115[0]
    racoon: ERROR: none message must be encrypted
    last message repeated 2 times
    racoon: [KCI Main Office]: ERROR: 66.250.193.115 give up to get IPsec-SA due to time up to wait.

Then it repeats ad nauseam. The time between the first and last lines is 30 seconds. On the office firewall, at the same timestamp corresponding to the "initiate new phase 2" above, I see this:

    racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, 4092e8f7af1c0d41:01da63468e20618c:0000e359
    last message repeated 2 times

where the number at the end changes every time the initiation starts. The curious thing is that this goes on and on, and then eventually I'll see an "initiate new phase 1 negotiation" and it suddenly connects. Right now, I just went into IPsec config on my home firewall and disabled the tunnel to the main office. Then I re-enabled it, and it connected immediately. I'm assuming that is because it forced a re-negotiation of phase 1.

    racoon: [KCI Main Office]: INFO: IPsec-SA request for 66.250.193.115 queued due to no phase1 found.
    racoon: [KCI Main Office]: INFO: initiate new phase 1 negotiation: 69.140.125.240[500]<=>66.250.193.115[500]
    racoon: INFO: begin Aggressive mode.
    racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    racoon: INFO: received Vendor ID: DPD
    racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
    racoon: [KCI Main Office]: INFO: ISAKMP-SA established 69.140.125.240[500]-66.250.193.115[500] spi:f7ba1b8598534661:01bfdab8f0897871
    racoon: [KCI Main Office]: INFO: initiate new phase 2 negotiation: 69.140.125.240[500]<=>66.250.193.115[500]
    racoon: [KCI Main Office]: INFO: IPsec-SA established: ESP 66.250.193.115[0]->69.140.125.240[0] spi=199244852(0xbe03c34)
    racoon: [KCI Main Office]: INFO: IPsec-SA established: ESP 69.140.125.240[0]->66.250.193.115[0] spi=182261056(0xadd1540)

The total time is 1 second. So I guess my question is: how do I force the IPsec subsystem to renegotiate at phase 1 rather than phase 2? Would that be to go in and delete the SPD entries from the status screen? The disable/re-enable hack is painful. Is anyone else observing such failures to connect?
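The failure pattern described in the post (repeated phase 2 "give up to get IPsec-SA" errors with no "ISAKMP-SA established" in between, i.e. quick mode retried against a phase 1 SA the peer no longer has) can be spotted from the racoon log alone. The following is an added example, not code from the original post or from pfSense: it counts consecutive phase 2 give-ups per peer, resets the count when a phase 1 SA is established, and flags peers whose streak exceeds a threshold. The sample log is constructed to mirror the lines quoted above; timestamps are omitted because the quoted lines carry none.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the racoon lines quoted in the post (no timestamps).
SAMPLE_LOG = """\
racoon: [KCI Main Office]: INFO: initiate new phase 2 negotiation: 69.140.125.240[0]<=>66.250.193.115[0]
racoon: ERROR: none message must be encrypted
racoon: [KCI Main Office]: ERROR: 66.250.193.115 give up to get IPsec-SA due to time up to wait.
racoon: [KCI Main Office]: INFO: initiate new phase 2 negotiation: 69.140.125.240[0]<=>66.250.193.115[0]
racoon: ERROR: none message must be encrypted
racoon: [KCI Main Office]: ERROR: 66.250.193.115 give up to get IPsec-SA due to time up to wait.
racoon: [KCI Main Office]: INFO: initiate new phase 2 negotiation: 69.140.125.240[0]<=>66.250.193.115[0]
racoon: ERROR: none message must be encrypted
racoon: [KCI Main Office]: ERROR: 66.250.193.115 give up to get IPsec-SA due to time up to wait.
racoon: [KCI Main Office]: INFO: initiate new phase 1 negotiation: 69.140.125.240[500]<=>66.250.193.115[500]
racoon: [KCI Main Office]: INFO: ISAKMP-SA established 69.140.125.240[500]-66.250.193.115[500] spi:f7ba1b8598534661:01bfdab8f0897871
racoon: [KCI Main Office]: INFO: IPsec-SA established: ESP 66.250.193.115[0]->69.140.125.240[0] spi=199244852(0xbe03c34)
"""

# Phase 2 timed out against peer <ip>.
GIVE_UP = re.compile(r"ERROR: (\d+\.\d+\.\d+\.\d+) give up to get IPsec-SA")
# Phase 1 (ISAKMP) SA came up; the second address is the remote peer.
P1_UP = re.compile(r"ISAKMP-SA established \S+?\[\d+\]-(\d+\.\d+\.\d+\.\d+)\[\d+\]")


def phase2_failure_streaks(lines):
    """Return {peer: longest run of consecutive phase 2 give-ups seen
    without an intervening ISAKMP-SA for that peer}."""
    current = defaultdict(int)
    longest = defaultdict(int)
    for line in lines:
        m = GIVE_UP.search(line)
        if m:
            peer = m.group(1)
            current[peer] += 1
            longest[peer] = max(longest[peer], current[peer])
            continue
        m = P1_UP.search(line)
        if m:
            # A fresh phase 1 SA ends the stuck loop for this peer.
            current[m.group(1)] = 0
    return dict(longest)


def stuck_peers(lines, threshold=3):
    """Peers whose phase 2 retry loop reached `threshold` consecutive give-ups
    (each cycle is about 30 s per the post, so 3 means ~90 s with no phase 1)."""
    return sorted(p for p, n in phase2_failure_streaks(lines).items() if n >= threshold)
```

Feeding the live racoon log through `stuck_peers` gives a concrete trigger for forcing the phase 1 renegotiation the post asks about, instead of waiting for it to happen by itself.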
