Bug #3321 (closed)

IPSEC failure on modem reset, automatic reconnection is broken, must manually restart racoon service

Added by Christian Borchert over 10 years ago. Updated almost 10 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: IPsec
Target version:
Start date: 11/14/2013
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.1
Affected Architecture:

Description

This problem did not exist in 2.0.3

How to reproduce:
1. Cable Modem: Motorola Surfboard SB6120 (any other is likely to work as well)
2. Phase 1 General Information
a. Internet protocol - IPv4
b. Interface - WAN
c. Remote Gateway - hostname.domain
3. Phase 1 settings
a. Authentication method - Mutual PSK
b. Negotiation mode - main
c. My identifier - My IP address
d. Peer identifier - Peer IP address
e. Policy Generation - Default
f. Proposal Checking - Default
g. Encryption algorithm - AES 256
h. Hash algorithm - SHA1
i. DH key group - 5 (1536 bits)
j. Lifetime - 28800 seconds
4. Advanced Options
a. NAT Traversal - Enabled
b. Dead Peer Detection - Checked
c. 10 seconds
d. 5 retries
5. Phase 2
a. Mode - Tunnel IPv4
b. Local Network - LAN Subnet
c. Remote Network - Network (192.168.3.0/24)
6. Phase 2 Proposal
a. Protocol - ESP
b. Encryption algorithms - AES 256
c. Hash algorithms - SHA1
d. PFS key group - 5 (1536 bit)
e. Lifetime - 3600
f. Automatically ping host - 192.168.3.1

7. Access modem webgui here: http://192.168.100.1/cmConfig.htm
8. Select 'Restart Cable Modem'
9. Modem restarts
10. IPSEC tunnel fails
11. IPSEC tunnel does not come back up
12. pfSense logs these errors (racoon):
ERROR: no proposal chosen [Check Phase 2 settings, algorithm].
ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
13. Manually restart racoon service
14. Tunnel returns
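An added example that is not part of the bug report and not pfSense's own code: a small sh watchdog that automates the manual restart in step 13. It inspects the trailing lines of the racoon log for the two phase 2 errors quoted in step 12 and restarts racoon once they keep repeating. The log path /var/log/ipsec.log, the restart command, the threshold and the sample log lines are all assumptions; the sample lines are constructed for the offline demo.

```shell
#!/bin/sh
# Added example (not from the bug report or from pfSense): a racoon watchdog
# for the failure described above. It inspects the trailing lines of the
# racoon log for the two phase 2 errors quoted in the report and restarts
# racoon once they repeat, replacing the manual restart in step 13.
# Log path, restart command and sample log lines are assumptions.

IPSEC_LOG="${IPSEC_LOG:-/var/log/ipsec.log}"          # assumed pfSense 2.1 racoon log
RESTART_CMD="${RESTART_CMD:-/usr/local/sbin/pfSsh.php playback restartipsec}"  # assumed
THRESHOLD="${THRESHOLD:-3}"   # errors within WINDOW lines before we restart
WINDOW="${WINDOW:-200}"       # trailing log lines to inspect

# count_ph2_errors FILE -> prints how many of the last WINDOW lines carry
# either error. grep -c exits 1 on zero matches, so '|| true' keeps set -e quiet.
count_ph2_errors() {
    tail -n "$WINDOW" "$1" 2>/dev/null \
        | grep -c -e 'no proposal chosen' -e 'failed to pre-process ph2 packet' || true
}

# needs_restart FILE -> succeeds (exit 0) when the error count reaches THRESHOLD
needs_restart() {
    n=$(count_ph2_errors "$1")
    [ "$n" -ge "$THRESHOLD" ]
}

# make_sample_log -> writes constructed racoon-style log lines to a temp file
# and prints its path; the addresses and timestamps are made up for the demo.
make_sample_log() {
    f=$(mktemp -t ipsecwatch.XXXXXX)
    cat >"$f" <<'EOF'
Nov 14 10:01:02 racoon: INFO: ISAKMP-SA established 203.0.113.5[500]-198.51.100.7[500]
Nov 14 10:20:40 racoon: ERROR: no proposal chosen [Check Phase 2 settings, algorithm].
Nov 14 10:20:40 racoon: ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
Nov 14 10:20:50 racoon: ERROR: no proposal chosen [Check Phase 2 settings, algorithm].
Nov 14 10:20:50 racoon: ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
EOF
    echo "$f"
}

# live_check -> run from cron on the firewall: restart racoon when the errors repeat.
live_check() {
    if needs_restart "$IPSEC_LOG"; then
        logger -t ipsec-watch "phase 2 errors repeating in $IPSEC_LOG, restarting racoon"
        $RESTART_CMD
    fi
}

# demo -> runs the detection against the constructed log and reports the verdict.
demo() {
    f=$(make_sample_log)
    echo "errors in sample log: $(count_ph2_errors "$f")"
    if needs_restart "$f"; then echo "verdict: restart racoon"; else echo "verdict: leave alone"; fi
    rm -f "$f"
}

case "${1:-}" in
    --live) live_check ;;   # usage: ipsec-watch.sh --live   (e.g. every minute from cron)
    *)      demo ;;         # default: offline demonstration on the constructed log
esac
```

This is a workaround, not a fix for the underlying bug: restarting racoon tears down every IPsec SA on the box, not only the one that failed, so keep THRESHOLD and WINDOW conservative and have the cron interval match the DPD delay and retry count configured in step 4 so that DPD gets its chance first.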
