Bug #3321

IPSEC failure on modem reset, automatic reconnection is broken, must manually restart racoon service

Added by Christian Borchert about 5 years ago. Updated over 4 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: IPsec
Target version:
Start date: 11/14/2013
Due date:
% Done: 0%
Estimated time:
Affected Version: 2.1
Affected Architecture:

Description

This problem did not exist in 2.0.3

How to reproduce:
1. Cable Modem: Motorola Surfboard SB6120 (any other is likely to work as well)
2. Phase 1 General Information
a. Internet protocol - IPv4
b. Interface - WAN
c. Remote Gateway - hostname.domain
3. Phase 1 settings
a. Authentication method - Mutual PSK
b. Negotiation mode - main
c. My identifier - My IP address
d. Peer identifier - Peer IP address
e. Policy Generation - Default
f. Proposal Checking - Default
g. Encryption algorithm - AES 256
h. Hash algorithm - SHA1
i. DH key group - 5 (1536 bits)
j. Lifetime - 28800 seconds
4. Advanced Options
a. NAT Traversal - Enabled
b. Dead Peer Detection - Checked
c. 10 seconds
d. 5 retries
5. Phase 2
a. Mode - Tunnel IPv4
b. Local Network - LAN Subnet
c. Remote Network - Network (192.168.3.0/24)
6. Phase 2 Proposal
a. Protocol - ESP
b. Encryption algorithms - AES 256
c. Hash algorithms - SHA1
d. PFS key group - 5 (1536 bit)
e. Lifetime - 3600
f. Automatically ping host - 192.168.3.1
7. Access modem webgui here: http://192.168.100.1/cmConfig.htm
8. Select 'Restart Cable Modem'
9. Modem restarts
10. IPSEC tunnel fails
11. IPSEC tunnel does not come back up
12. pfSense logs these errors (racoon):
    ERROR: no proposal chosen [Check Phase 2 settings, algorithm].
    ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
13. Manually restart racoon service
14. Tunnel returns

History

#5 Updated by Chris Buechler about 5 years ago

  • Target version set to 2.1.1

#6 Updated by Francesco Lotti about 5 years ago

Same problem here with pfSense 2.1 and a Cisco router with IOS 12.4(15)T15 as remote endpoint.
IPSEC tunnel doesn't come back up if either the local or remote connection resets. Therefore a manual restart of the racoon service is usually needed.

#7 Updated by Christian Borchert about 5 years ago

This problem has been fixed in 2.1.1-PRERELEASE! :)

#8 Updated by Chris Buechler about 5 years ago

  • Status changed from New to Resolved

thanks for the confirmation

#9 Updated by Christian Borchert almost 5 years ago

This is broken again in 2.1.2

#10 Updated by Matthias Heer over 4 years ago

Seems to be broken in 2.1.3 with Draytek Vigor 2200E. Need a cron job to restart periodically.
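The workaround described in this ticket (restart racoon by hand, or blindly from cron) can be narrowed to a watchdog that restarts racoon only when the tunnel host is unreachable and racoon has logged the two Phase 2 errors quoted in the description. The script below is an added example, not pfSense code and not anything the reporters posted; the log path, the restart command and the ping invocation are placeholders that must be adjusted to the installation, and the remote host defaults to the 192.168.3.1 address the report already pings.

```shell
#!/bin/sh
# Constructed example: racoon watchdog for the "tunnel does not come back
# after a link reset" failure described in this ticket.
# Placeholders (assumptions, adjust for your install):
#   REMOTE_HOST  host behind the tunnel that answers ping (report uses 192.168.3.1)
#   RACOON_LOG   file that receives the racoon log lines
#   RESTART_CMD  command that restarts racoon on your system
#   MAX_ERRORS   how many logged Phase 2 errors justify a restart
REMOTE_HOST="${REMOTE_HOST:-192.168.3.1}"
RACOON_LOG="${RACOON_LOG:-/var/log/ipsec.log}"
RESTART_CMD="${RESTART_CMD:-echo restart-racoon-placeholder}"
MAX_ERRORS="${MAX_ERRORS:-3}"

# count_ph2_errors FILE
# Prints the number of lines matching the two racoon errors quoted in the
# report. A missing or unreadable log counts as zero errors.
count_ph2_errors() {
    if [ ! -r "$1" ]; then
        echo 0
        return 0
    fi
    grep -c -E 'no proposal chosen|failed to pre-process ph2 packet' "$1" || true
}

# tunnel_up HOST
# Returns 0 when a single ICMP echo reply arrives, 1 otherwise.
# (ping timeout flags differ between BSD and Linux, so none are passed here.)
tunnel_up() {
    ping -c 1 "$1" >/dev/null 2>&1
}

# decide PING_FAILED ERROR_COUNT
# Prints "restart" only when the tunnel host is unreachable AND racoon has
# logged at least MAX_ERRORS Phase 2 failures; a remote host that is merely
# switched off therefore does not trigger a needless racoon restart.
decide() {
    if [ "$1" -ne 0 ] && [ "$2" -ge "$MAX_ERRORS" ]; then
        echo restart
    else
        echo ok
    fi
}

main() {
    if tunnel_up "$REMOTE_HOST"; then ping_failed=0; else ping_failed=1; fi
    errors=$(count_ph2_errors "$RACOON_LOG")
    if [ "$(decide "$ping_failed" "$errors")" = restart ]; then
        echo "ipsec-watchdog: $REMOTE_HOST unreachable, $errors ph2 errors logged, restarting racoon" >&2
        $RESTART_CMD
    fi
}

# Run from cron with IPSEC_WATCHDOG_RUN=1; left off by default so the
# functions can be sourced and checked without sending any ping.
if [ "${IPSEC_WATCHDOG_RUN:-0}" = 1 ]; then
    main
fi
```

Run it from cron every minute or two with `IPSEC_WATCHDOG_RUN=1`; rotating or truncating the racoon log after a successful restart keeps old errors from counting against the next check.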
