Bug #3321 (closed)

IPSEC failure on modem reset, automatic reconnection is broken, must manually restart racoon service

Added by Christian Borchert about 11 years ago. Updated over 10 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: IPsec
Target version:
Start date: 11/14/2013
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.1
Affected Architecture:

Description

This problem did not exist in 2.0.3

How to reproduce:
1. Cable Modem: Motorola Surfboard SB6120 (any other is likely to work as well)
2. Phase 1 General Information
a. Internet protocol - IPv4
b. Interface - WAN
c. Remote Gateway - hostname.domain
3. Phase 1 settings
a. Authentication method - Mutual PSK
b. Negotiation mode - main
c. My identifier - My IP address
d. Peer identifier - Peer IP address
e. Policy Generation - Default
f. Proposal Checking - Default
g. Encryption algorithm - AES 256
h. Hash algorithm - SHA1
i. DH key group - 5 (1536 bits)
j. Lifetime - 28800 seconds
4. Advanced Options
a. NAT Traversal - Enabled
b. Dead Peer Detection - Checked
c. 10 seconds
d. 5 retries
5. Phase 2
a. Mode - Tunnel IPv4
b. Local Network - LAN Subnet
c. Remote Network - Network (192.168.3.0/24)
6. Phase 2 Proposal
a. Protocol - ESP
b. Encryption algorithms - AES 256
c. Hash algorithms - SHA1
d. PFS key group - 5 (1536 bit)
e. Lifetime - 3600
f. Automatically ping host - 192.168.3.1

7. Access modem webgui here: http://192.168.100.1/cmConfig.htm
8. Select 'Restart Cable Modem'
9. Modem restarts
10. IPSEC tunnel fails
11. IPSEC tunnel does not come back up
12. pfSense logs these errors (racoon):
ERROR: no proposal chosen [Check Phase 2 settings, algorithm].
ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
13. Manually restart racoon service
14. Tunnel returns

Actions #1

Updated by Christian Borchert almost 11 years ago

Another user reports the same issue:

http://forum.pfsense.org/index.php/topic,69235.0.html

Actions #5

Updated by Chris Buechler almost 11 years ago

  • Target version set to 2.1.1

Actions #6

Updated by Francesco Lotti almost 11 years ago

Same problem here with pfSense 2.1 and a Cisco router with IOS 12.4(15)T15 as the remote endpoint.
The IPsec tunnel doesn't come back up if either the local or the remote connection resets. Therefore a manual restart of the racoon service is usually needed.

Actions #7

Updated by Christian Borchert almost 11 years ago

This problem has been fixed in 2.1.1-PRERELEASE! :)

Actions #8

Updated by Chris Buechler almost 11 years ago

  • Status changed from New to Resolved

thanks for the confirmation

Actions #9

Updated by Christian Borchert over 10 years ago

This is broken again in 2.1.2

Actions #10

Updated by Matthias Heer over 10 years ago

Seems to be broken in 2.1.3 with a DrayTek Vigor 2200E. Need a cron job to restart it periodically.
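The periodic-restart workaround mentioned in the comment above, tied to the two racoon error lines quoted in the original report, written out as an added example. This is not code from the ticket, from pfSense or from racoon; the log path, the state-file path and the restart command are assumptions chosen for illustration and must be checked against the box it runs on. The script only counts the part of the log it has not already examined, so a long-lived log does not trip the threshold on every run, and it restarts racoon only when the peer is unreachable and racoon is logging the phase 2 failures, so an ordinary peer outage (no racoon errors) does not cause restarts.

```shell
#!/bin/sh
# Added example, not pfSense's or racoon's code: a cron-driven watchdog for the
# failure in this bug (peer resets, tunnel never comes back, racoon logs
# "no proposal chosen" / "failed to pre-process ph2 packet", only a racoon
# restart clears it). All paths and commands below are assumptions.

IPSEC_LOG="${IPSEC_LOG:-/var/log/ipsec.log}"              # assumed racoon log location
STATE_FILE="${STATE_FILE:-/var/db/racoon_watchdog.pos}"    # assumed; line count already examined
PING_HOST="${PING_HOST:-192.168.3.1}"                      # the "automatically ping host" in the report
ERROR_THRESHOLD="${ERROR_THRESHOLD:-3}"                     # new ph2 failures per run before acting
RESTART_CMD="${RESTART_CMD:-/usr/local/etc/rc.d/racoon restart}"  # assumed; verify on your version

# count_new_ph2_errors LOG STATE
# Prints how many of the two racoon error lines quoted in the bug appear in the
# part of LOG after the line offset stored in STATE, then records the new
# offset. A log that shrank (rotation/truncation) is scanned from line 1 again.
count_new_ph2_errors() {
    log="$1"; state="$2"
    [ -r "$log" ] || { echo 0; return 0; }
    total=$(wc -l < "$log" | tr -d ' ')
    seen=0
    [ -r "$state" ] && seen=$(cat "$state")
    [ "$seen" -gt "$total" ] && seen=0
    # grep -c prints 0 and exits 1 on no match; "|| true" keeps callers under set -e alive
    n=$(tail -n "+$((seen + 1))" "$log" \
        | grep -c -e 'no proposal chosen' -e 'failed to pre-process ph2 packet' || true)
    echo "$total" > "$state"
    echo "$n"
}

# peer_reachable HOST: succeeds when one ping through the tunnel is answered.
peer_reachable() {
    ping -c 1 "$1" >/dev/null 2>&1
}

# should_restart ERRORS REACHABLE
# Policy: restart only when the peer did not answer (REACHABLE != 0) AND racoon
# produced at least ERROR_THRESHOLD ph2 failures since the last run. A peer that
# is merely down, or a healthy tunnel with a stray error line, triggers nothing.
should_restart() {
    errors="$1"; reachable="$2"
    [ "$reachable" -ne 0 ] && [ "$errors" -ge "$ERROR_THRESHOLD" ]
}

watchdog() {
    errors=$(count_new_ph2_errors "$IPSEC_LOG" "$STATE_FILE")
    if peer_reachable "$PING_HOST"; then reach=0; else reach=1; fi
    if should_restart "$errors" "$reach"; then
        logger -t racoon_watchdog "peer $PING_HOST unreachable, $errors ph2 errors: restarting racoon"
        $RESTART_CMD
    fi
}

# Invoked from cron as ".../racoon_watchdog.sh run"; with no argument it only
# defines the functions, so it can be sourced and tested without touching racoon.
if [ "${1:-}" = "run" ]; then
    watchdog
fi
```

A cron entry such as `*/5 * * * * /usr/local/bin/racoon_watchdog.sh run` (path assumed) applies it. Note that restarting racoon drops every tunnel on the box, not just the broken one, and that this only masks the defect: with DPD set as in the report (10 seconds, 5 retries) racoon is supposed to detect the dead peer and renegotiate on its own.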
