Bug #2821 (closed)

mobile IPsec problem since upgrade from pfSense 2.0.1 to 2.0.2

Added by Dennis Neuhaeuser about 11 years ago. Updated about 11 years ago.

Status: Rejected
Priority: High
Category: IPsec
Start date: 02/16/2013
% Done: 0%
Affected Version: 2.0.x
Affected Architecture: i386

Description

Since the upgrade from 2.0.1 to 2.0.2 there is a problem with mobile IPsec connections:

The first client always connects fine and traffic is flowing nicely.
The client can even disconnect and reconnect multiple times without problem.

BUT when a second client connects: the IPsec tunnel comes up, but NO traffic is going through the tunnel.
From this point on, the first client is also affected and cannot communicate through the tunnel anymore.

When I restart the racoon service I can reproduce the behavior from the start again.

Here are my logs:

First client connection:

------------------------------------
Feb 16 17:31:07 racoon: [Self]: INFO: IPsec-SA established: ESP 217.88.191.65[500]->84.61.40.187[500] spi=171222001(0xa34a3f1)
Feb 16 17:31:07 racoon: [Self]: INFO: IPsec-SA established: ESP 217.88.191.65[500]->84.61.40.187[500] spi=64138542(0x3d2ad2e)
Feb 16 17:31:07 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
Feb 16 17:31:07 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
Feb 16 17:31:07 racoon: INFO: no policy found, try to generate the policy : 10.10.10.1/32[0] 192.168.10.0/24[0] proto=any dir=in
Feb 16 17:31:07 racoon: [Self]: INFO: respond new phase 2 negotiation: 217.88.191.65[4500]<=>84.61.40.187[4500]
Feb 16 17:31:06 racoon: WARNING: Ignored attribute 28683
Feb 16 17:31:06 racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
Feb 16 17:31:06 racoon: INFO: login succeeded for user "arbor"
Feb 16 17:31:06 racoon: INFO: Using port 0
Feb 16 17:31:06 racoon: [Self]: INFO: ISAKMP-SA established 217.88.191.65[4500]-84.61.40.187[4500] spi:8f6c764bcc522d9e:b95ad93d3b218a15
Feb 16 17:31:06 racoon: INFO: Sending Xauth request
Feb 16 17:31:06 racoon: INFO: NAT detected: PEER
Feb 16 17:31:06 racoon: [84.61.40.187] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
Feb 16 17:31:06 racoon: INFO: NAT-D payload #1 doesn't match
Feb 16 17:31:06 racoon: [84.61.40.187] INFO: Hashing 84.61.40.187[4500] with algo #2
Feb 16 17:31:06 racoon: INFO: NAT-D payload #0 verified
Feb 16 17:31:06 racoon: [Self]: [217.88.191.65] INFO: Hashing 217.88.191.65[4500] with algo #2
Feb 16 17:31:06 racoon: [Self]: INFO: NAT-T: ports changed to: 84.61.40.187[4500]<->217.88.191.65[4500]
Feb 16 17:31:05 racoon: INFO: Adding xauth VID payload.
Feb 16 17:31:05 racoon: [Self]: [217.88.191.65] INFO: Hashing 217.88.191.65[500] with algo #2
Feb 16 17:31:05 racoon: [84.61.40.187] INFO: Hashing 84.61.40.187[500] with algo #2
Feb 16 17:31:05 racoon: INFO: Adding remote and local NAT-D payloads.
Feb 16 17:31:05 racoon: [84.61.40.187] INFO: Selected NAT-T version: RFC 3947
Feb 16 17:31:05 racoon: INFO: received Vendor ID: DPD
Feb 16 17:31:05 racoon: INFO: received Vendor ID: CISCO-UNITY
Feb 16 17:31:05 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Feb 16 17:31:05 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Feb 16 17:31:05 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Feb 16 17:31:05 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Feb 16 17:31:05 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
Feb 16 17:31:05 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
Feb 16 17:31:05 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
Feb 16 17:31:05 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
Feb 16 17:31:05 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
Feb 16 17:31:05 racoon: INFO: received Vendor ID: RFC 3947
Feb 16 17:31:05 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Feb 16 17:31:05 racoon: INFO: begin Aggressive mode.
Feb 16 17:31:05 racoon: [Self]: INFO: respond new phase 1 negotiation: 217.88.191.65[500]<=>84.61.40.187[500]
Feb 16 17:30:21 racoon: INFO: unsupported PF_KEY message REGISTER
Feb 16 17:30:21 racoon: [Self]: INFO: 217.88.191.65[500] used as isakmp port (fd=15)
Feb 16 17:30:21 racoon: [Self]: INFO: 217.88.191.65[500] used for NAT-T
Feb 16 17:30:21 racoon: [Self]: INFO: 217.88.191.65[4500] used as isakmp port (fd=14)
Feb 16 17:30:21 racoon: [Self]: INFO: 217.88.191.65[4500] used for NAT-T
Feb 16 17:30:21 racoon: INFO: Resize address pool from 0 to 253
Feb 16 17:30:21 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
Feb 16 17:30:21 racoon: INFO: @(#)This product linked OpenSSL 0.9.8n 24 Mar 2010 (http://www.openssl.org/)
Feb 16 17:30:21 racoon: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
------------------------------------

SAD status:

Source    Destination    Protocol    SPI    Enc. alg.    Auth. alg.    Data    
217.88.191.65[4500]    84.61.40.187[4500]    ESP-UDP    0a34a3f1    aes-cbc    hmac-sha1    5248 B     
84.61.40.187[4500]    217.88.191.65[4500]    ESP-UDP    03d2ad2e    aes-cbc    hmac-sha1    952 B

Everything OK!

Now the second client connecting:

------------------------------------
Feb 16 17:35:33 racoon: ERROR: failed to begin ipsec sa negotication.
Feb 16 17:35:33 racoon: ERROR: no configuration found for 84.61.40.187.
Feb 16 17:35:30 racoon: ERROR: failed to begin ipsec sa negotication.
Feb 16 17:35:30 racoon: ERROR: no configuration found for 84.61.40.187.
Feb 16 17:35:26 racoon: ERROR: failed to begin ipsec sa negotication.
Feb 16 17:35:26 racoon: ERROR: no configuration found for 84.61.40.187.
Feb 16 17:35:23 racoon: ERROR: failed to begin ipsec sa negotication.
Feb 16 17:35:23 racoon: ERROR: no configuration found for 84.61.40.187.
Feb 16 17:35:19 racoon: [Self]: INFO: IPsec-SA established: ESP 217.88.191.65[500]->84.61.40.187[500] spi=1862747522(0x6f074582)
Feb 16 17:35:19 racoon: [Self]: INFO: IPsec-SA established: ESP 217.88.191.65[500]->84.61.40.187[500] spi=49923734(0x2f9c696)
Feb 16 17:35:19 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
Feb 16 17:35:19 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
Feb 16 17:35:19 racoon: INFO: Update the generated policy : 10.10.10.1/32[0] 192.168.10.0/24[0] proto=any dir=in
Feb 16 17:35:19 racoon: [Self]: INFO: respond new phase 2 negotiation: 217.88.191.65[4500]<=>84.61.40.187[1024]
Feb 16 17:35:19 racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
Feb 16 17:35:19 racoon: INFO: login succeeded for user "arbor"
Feb 16 17:35:19 racoon: INFO: Using port 0
Feb 16 17:35:19 racoon: [84.61.40.187] INFO: received INITIAL-CONTACT
Feb 16 17:35:19 racoon: [Self]: INFO: ISAKMP-SA established 217.88.191.65[4500]-84.61.40.187[1024] spi:e7d991a17e594cbd:c3149752cda23c0e
Feb 16 17:35:19 racoon: INFO: Sending Xauth request
Feb 16 17:35:19 racoon: INFO: NAT detected: ME PEER
Feb 16 17:35:19 racoon: INFO: NAT-D payload #1 doesn't match
Feb 16 17:35:19 racoon: [84.61.40.187] INFO: Hashing 84.61.40.187[1024] with algo #2
Feb 16 17:35:19 racoon: INFO: NAT-D payload #0 doesn't match
Feb 16 17:35:19 racoon: [Self]: [217.88.191.65] INFO: Hashing 217.88.191.65[4500] with algo #2
Feb 16 17:35:19 racoon: [Self]: INFO: NAT-T: ports changed to: 84.61.40.187[1024]<->217.88.191.65[4500]
Feb 16 17:35:19 racoon: INFO: Adding xauth VID payload.
Feb 16 17:35:19 racoon: [Self]: [217.88.191.65] INFO: Hashing 217.88.191.65[500] with algo #2
Feb 16 17:35:19 racoon: [84.61.40.187] INFO: Hashing 84.61.40.187[500] with algo #2
Feb 16 17:35:19 racoon: INFO: Adding remote and local NAT-D payloads.
Feb 16 17:35:19 racoon: [84.61.40.187] INFO: Selected NAT-T version: RFC 3947
Feb 16 17:35:19 racoon: INFO: received Vendor ID: CISCO-UNITY
Feb 16 17:35:19 racoon: INFO: received Vendor ID: DPD
Feb 16 17:35:19 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Feb 16 17:35:19 racoon: INFO: received Vendor ID: RFC 3947
Feb 16 17:35:19 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Feb 16 17:35:19 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Feb 16 17:35:19 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
Feb 16 17:35:19 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Feb 16 17:35:19 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Feb 16 17:35:19 racoon: INFO: begin Aggressive mode.
Feb 16 17:35:19 racoon: [Self]: INFO: respond new phase 1 negotiation: 217.88.191.65[500]<=>84.61.40.187[500]
------------------------------------

SAD status:

Source    Destination    Protocol    SPI    Enc. alg.    Auth. alg.    Data    
84.61.40.187[1024]    217.88.191.65[4500]    ESP-UDP    02f9c696    aes-cbc    hmac-sha1    10006 B     
217.88.191.65[4500]    84.61.40.187[4500]    ESP-UDP    6f074582    aes-cbc    hmac-sha1    0 B

No traffic flowing back here!!
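As an added troubleshooting check (not part of the report or of pfSense), the following Python script parses the two SAD status tables quoted above and, for each inbound SA, looks at the outbound SA back to the same peer IP, flagging it when it carries no data while the inbound side does, or when it is addressed to a different peer port than the one the client's traffic arrived from. The table text is copied from the report; the function names are my own.

```python
import re

# SAD status tables exactly as pasted in the report (columns separated by runs of spaces).
SAD_FIRST_CLIENT = """\
Source    Destination    Protocol    SPI    Enc. alg.    Auth. alg.    Data
217.88.191.65[4500]    84.61.40.187[4500]    ESP-UDP    0a34a3f1    aes-cbc    hmac-sha1    5248 B
84.61.40.187[4500]    217.88.191.65[4500]    ESP-UDP    03d2ad2e    aes-cbc    hmac-sha1    952 B
"""
SAD_SECOND_CLIENT = """\
Source    Destination    Protocol    SPI    Enc. alg.    Auth. alg.    Data
84.61.40.187[1024]    217.88.191.65[4500]    ESP-UDP    02f9c696    aes-cbc    hmac-sha1    10006 B
217.88.191.65[4500]    84.61.40.187[4500]    ESP-UDP    6f074582    aes-cbc    hmac-sha1    0 B
"""

ENDPOINT = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\[(\d+)\]$")  # ip[port], as racoon and pfSense print it

def parse_sad(text):
    """Parse the SAD status table into dicts; the header row and malformed rows are skipped."""
    entries = []
    for line in text.splitlines()[1:]:
        fields = re.split(r"\s{2,}", line.strip())  # single spaces inside "10006 B" survive
        if len(fields) < 7:
            continue
        src, dst = ENDPOINT.match(fields[0]), ENDPOINT.match(fields[1])
        if not (src and dst):
            continue
        entries.append({"src": src.group(1), "sport": int(src.group(2)), "dst": dst.group(1),
                        "dport": int(dst.group(2)), "spi": fields[3], "bytes": int(fields[6].split()[0])})
    return entries

def find_dead_return_paths(entries, local_ip):
    """For every inbound SA (peer -> local_ip) report outbound SAs to the same peer IP that carry
    no data while the inbound side does, or that target a different peer port than the inbound source."""
    findings = []
    for inb in (e for e in entries if e["dst"] == local_ip):
        for out in (e for e in entries if e["src"] == local_ip and e["dst"] == inb["src"]):
            problems = []
            if inb["bytes"] > 0 and out["bytes"] == 0:
                problems.append("return SA carries 0 B")
            if out["dport"] != inb["sport"]:
                problems.append(f"return SA targets port {out['dport']}, client traffic arrived from port {inb['sport']}")
            if problems:
                findings.append((inb["spi"], out["spi"], problems))
    return findings

if __name__ == "__main__":
    for label, table in (("first client", SAD_FIRST_CLIENT), ("second client", SAD_SECOND_CLIENT)):
        for in_spi, out_spi, problems in find_dead_return_paths(parse_sad(table), "217.88.191.65"):
            print(f"{label}: inbound SPI {in_spi} / outbound SPI {out_spi}: {'; '.join(problems)}")
```

Run against the first table it reports nothing; against the second it reports the 6f074582 return SA with both problems.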

Actions #1

Updated by Jim Pingle about 11 years ago

  • Status changed from New to Rejected

Discuss/troubleshoot on the forum. It comes up often and is always a settings issue.

Actions #2

Updated by Dennis Neuhaeuser about 11 years ago

Jim P wrote:

Discuss/troubleshoot on the forum. It comes up often and is always a settings issue.

Hi Jim.

I have compared the behavior with identical configurations on pfSense 2.0.1 and pfSense 2.0.2, and there is definitely a difference!!

Actions #3

Updated by Oscar Francia about 11 years ago

Same problem: on 2.0.2 no IPsec tunnel route is added!

Oscar
