Bug #7325

closed

IPsec VPN Phase2 assigned the same reqid as another VPN Phase2, routing to the other VPN Phase2

Added by Thierry Laurier about 7 years ago. Updated over 4 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: IPsec
Target version: -
Start date: 02/27/2017
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.3.3
Affected Architecture:

Description

Before creating the new IPsec VPN:

ipsec statusall
Status of IKE charon daemon (weakSwan 5.5.1, FreeBSD 10.3-RELEASE-p16, amd64):
  uptime: 6 minutes, since Feb 27 11:19:02 2017
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: charon unbound aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fk
Listening IP addresses:
  10.128.40.5
  10.128.40.1
  185.99.148.5
  185.99.148.254
  10.128.83.252
  10.128.83.254
Connections:
   bypasslan:  %any...%any  IKEv1/2
   bypasslan:   local:  uses public key authentication
   bypasslan:   remote: uses public key authentication
   bypasslan:   child:  10.128.40.0/23|/0 === 10.128.40.0/23|/0 PASS
     con1000:  185.99.148.254...185.60.92.210  IKEv1 Aggressive, dpddelay=5s
     con1000:   local:  [185.99.148.254] uses pre-shared key authentication
     con1000:   remote: [185.60.92.210] uses pre-shared key authentication
     con1000:   child:  10.128.40.0/23|/0 === 172.16.30.0/24|/0 TUNNEL, dpdaction=restart
     con1001:   child:  10.128.40.0/23|/0 === 172.16.0.0/24|/0 TUNNEL, dpdaction=restart
     con1002:   child:  10.128.40.0/23|/0 === 172.16.50.0/24|/0 TUNNEL, dpdaction=restart
     con1003:   child:  10.128.40.0/23|/0 === 172.16.10.0/24|/0 TUNNEL, dpdaction=restart
Shunted Connections:
   bypasslan:  10.128.40.0/23|/0 === 10.128.40.0/23|/0 PASS
Routed Connections:
     con1003{20}:  ROUTED, TUNNEL, reqid 4
     con1003{20}:   10.128.40.0/23|/0 === 172.16.10.0/24|/0
     con1002{19}:  ROUTED, TUNNEL, reqid 3
     con1002{19}:   10.128.40.0/23|/0 === 172.16.50.0/24|/0
     con1001{18}:  ROUTED, TUNNEL, reqid 2
     con1001{18}:   10.128.40.0/23|/0 === 172.16.0.0/24|/0
     con1000{17}:  ROUTED, TUNNEL, reqid 1
     con1000{17}:   10.128.40.0/23|/0 === 172.16.30.0/24|/0
Security Associations (1 up, 0 connecting):
     con1000[1]: ESTABLISHED 6 minutes ago, 185.99.148.254[185.99.148.254]...185.60.92.210[185.60.92.210]
     con1000[1]: IKEv1 SPIs: 575c35e87396b74c_i* 605b37d0cfe6e215_r, pre-shared key reauthentication in 3 hours
     con1000[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
     con1000{5}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: ca58444b_i 4243f57b_o
     con1000{5}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i (0 pkts, 400s ago), 2584 bytes_o (17 pkts, 6s ago), rekeying in 36 minutes
     con1000{5}:   10.128.40.0/23|/0 === 172.16.30.0/24|/0
     con1001{6}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c1ed5da8_i 6b84dc96_o
     con1001{6}:  AES_CBC_128/HMAC_SHA1_96, 1381467 bytes_i (9768 pkts, 0s ago), 6522568 bytes_o (10161 pkts, 0s ago), rekeying in 36 minutes
     con1001{6}:   10.128.40.0/23|/0 === 172.16.0.0/24|/0
     con1002{7}:  INSTALLED, TUNNEL, reqid 3, ESP SPIs: cfb9b2f2_i b73a9f70_o
     con1002{7}:  AES_CBC_128/HMAC_SHA1_96, 4704 bytes_i (56 pkts, 17s ago), 8512 bytes_o (56 pkts, 17s ago), rekeying in 38 minutes
     con1002{7}:   10.128.40.0/23|/0 === 172.16.50.0/24|/0
     con1003{8}:  INSTALLED, TUNNEL, reqid 4, ESP SPIs: cc175f17_i 126cf511_o
     con1003{8}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i (0 pkts, 347s ago), 2280 bytes_o (15 pkts, 2s ago), rekeying in 37 minutes
     con1003{8}:   10.128.40.0/23|/0 === 172.16.10.0/24|/0

After creating a new IPsec VPN:

ipsec statusall
Status of IKE charon daemon (weakSwan 5.5.1, FreeBSD 10.3-RELEASE-p16, amd64):
  uptime: 7 minutes, since Feb 27 11:19:02 2017
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: charon unbound aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fk
Listening IP addresses:
  10.128.40.5
  10.128.40.1
  185.99.148.5
  185.99.148.254
  10.128.83.252
  10.128.83.254
Connections:
   bypasslan:  %any...%any  IKEv1/2
   bypasslan:   local:  uses public key authentication
   bypasslan:   remote: uses public key authentication
   bypasslan:   child:  10.128.40.0/23|/0 === 10.128.40.0/23|/0 PASS
     con1000:  185.99.148.254...185.60.92.210  IKEv1 Aggressive, dpddelay=5s
     con1000:   local:  [185.99.148.254] uses pre-shared key authentication
     con1000:   remote: [185.60.92.210] uses pre-shared key authentication
     con1000:   child:  10.128.40.0/23|/0 === 172.16.30.0/24|/0 TUNNEL, dpdaction=restart
     con1001:   child:  10.128.83.0/24|/0 === 172.16.30.0/24|/0 TUNNEL, dpdaction=restart
     con1002:   child:  10.128.40.0/23|/0 === 172.16.0.0/24|/0 TUNNEL, dpdaction=restart
     con1003:   child:  10.128.40.0/23|/0 === 172.16.50.0/24|/0 TUNNEL, dpdaction=restart
     con1004:   child:  10.128.40.0/23|/0 === 172.16.10.0/24|/0 TUNNEL, dpdaction=restart
Shunted Connections:
   bypasslan:  10.128.40.0/23|/0 === 10.128.40.0/23|/0 PASS
Routed Connections:
     con1004{25}:  ROUTED, TUNNEL, reqid 4
     con1004{25}:   10.128.40.0/23|/0 === 172.16.10.0/24|/0
     con1003{24}:  ROUTED, TUNNEL, reqid 4
     con1003{24}:   10.128.40.0/23|/0 === 172.16.50.0/24|/0
     con1002{23}:  ROUTED, TUNNEL, reqid 3
     con1002{23}:   10.128.40.0/23|/0 === 172.16.0.0/24|/0
     con1001{22}:  ROUTED, TUNNEL, reqid 2
     con1001{22}:   10.128.83.0/24|/0 === 172.16.30.0/24|/0
     con1000{21}:  ROUTED, TUNNEL, reqid 1
     con1000{21}:   10.128.40.0/23|/0 === 172.16.30.0/24|/0
Security Associations (1 up, 0 connecting):
     con1000[1]: ESTABLISHED 7 minutes ago, 185.99.148.254[185.99.148.254]...185.60.92.210[185.60.92.210]
     con1000[1]: IKEv1 SPIs: 575c35e87396b74c_i* 605b37d0cfe6e215_r, pre-shared key reauthentication in 3 hours
     con1000[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
     con1000{5}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: ca58444b_i 4243f57b_o
     con1000{5}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i (0 pkts, 426s ago), 3192 bytes_o (21 pkts, 3s ago), rekeying in 35 minutes
     con1000{5}:   10.128.40.0/23|/0 === 172.16.30.0/24|/0
     con1001{6}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c1ed5da8_i 6b84dc96_o
     con1001{6}:  AES_CBC_128/HMAC_SHA1_96, 1466152 bytes_i (10241 pkts, 0s ago), 6808120 bytes_o (10641 pkts, 0s ago), rekeying in 36 minutes
     con1001{6}:   10.128.40.0/23|/0 === 172.16.0.0/24|/0
     con1002{7}:  INSTALLED, TUNNEL, reqid 3, ESP SPIs: cfb9b2f2_i b73a9f70_o
     con1002{7}:  AES_CBC_128/HMAC_SHA1_96, 6384 bytes_i (76 pkts, 3s ago), 11552 bytes_o (76 pkts, 3s ago), rekeying in 38 minutes
     con1002{7}:   10.128.40.0/23|/0 === 172.16.50.0/24|/0
     con1003{8}:  INSTALLED, TUNNEL, reqid 4, ESP SPIs: cc175f17_i 126cf511_o
     con1003{8}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i (0 pkts, 373s ago), 2280 bytes_o (15 pkts, 28s ago), rekeying in 37 minutes
     con1003{8}:   10.128.40.0/23|/0 === 172.16.10.0/24|/0

The new VPN is assigned OK, but the old VPNs (con1003 and con1004) are assigned reqid 4. As a result, the VPN on the peer is not functional.

In the shell, ipsec restart resolves the reqid assignment.
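The collision visible in the second status dump (two routed children with different traffic selectors sharing reqid 4) can be checked for mechanically. The following Python script is an added example written for this report, not code from the reporter or from pfSense/strongSwan: it parses the "Routed Connections" section of ipsec statusall output and reports any reqid that is shared by children whose traffic selectors differ. The sample inputs are excerpts of the two status dumps quoted above; the regular expressions assume the line layout shown there.

```python
import re
from collections import defaultdict

# Excerpt of the "Routed Connections" section from the report's first
# `ipsec statusall` run (before the new Phase 2 was added). Embedded as
# sample input so the check runs offline.
STATUSALL_BEFORE = """\
Routed Connections:
     con1003{20}:  ROUTED, TUNNEL, reqid 4
     con1003{20}:   10.128.40.0/23|/0 === 172.16.10.0/24|/0
     con1002{19}:  ROUTED, TUNNEL, reqid 3
     con1002{19}:   10.128.40.0/23|/0 === 172.16.50.0/24|/0
     con1001{18}:  ROUTED, TUNNEL, reqid 2
     con1001{18}:   10.128.40.0/23|/0 === 172.16.0.0/24|/0
     con1000{17}:  ROUTED, TUNNEL, reqid 1
     con1000{17}:   10.128.40.0/23|/0 === 172.16.30.0/24|/0
Security Associations (1 up, 0 connecting):
"""

# Same section from the second run (after the new Phase 2 was added).
STATUSALL_AFTER = """\
Routed Connections:
     con1004{25}:  ROUTED, TUNNEL, reqid 4
     con1004{25}:   10.128.40.0/23|/0 === 172.16.10.0/24|/0
     con1003{24}:  ROUTED, TUNNEL, reqid 4
     con1003{24}:   10.128.40.0/23|/0 === 172.16.50.0/24|/0
     con1002{23}:  ROUTED, TUNNEL, reqid 3
     con1002{23}:   10.128.40.0/23|/0 === 172.16.0.0/24|/0
     con1001{22}:  ROUTED, TUNNEL, reqid 2
     con1001{22}:   10.128.83.0/24|/0 === 172.16.30.0/24|/0
     con1000{21}:  ROUTED, TUNNEL, reqid 1
     con1000{21}:   10.128.40.0/23|/0 === 172.16.30.0/24|/0
Security Associations (1 up, 0 connecting):
"""

# "conN{id}:  ROUTED, TUNNEL, reqid R" (assumed layout, as in the dumps above)
HEADER_RE = re.compile(r'^\s*(\S+)\{(\d+)\}:\s+ROUTED,\s+\S+,\s+reqid\s+(\d+)')
# "conN{id}:   local_ts === remote_ts"
TS_RE = re.compile(r'^\s*(\S+)\{(\d+)\}:\s+(\S+)\s+===\s+(\S+)')


def parse_routed(text):
    """Return {(conn_name, child_id): {'reqid': int, 'local': str, 'remote': str}}
    for every child listed under "Routed Connections:"."""
    entries = {}
    in_section = False
    for line in text.splitlines():
        if line.startswith("Routed Connections:"):
            in_section = True
            continue
        if not in_section:
            continue
        if line and not line[0].isspace():
            break  # reached the next top-level section
        m = HEADER_RE.match(line)
        if m:
            key = (m.group(1), int(m.group(2)))
            entries.setdefault(key, {})['reqid'] = int(m.group(3))
            continue
        m = TS_RE.match(line)
        if m:
            key = (m.group(1), int(m.group(2)))
            entry = entries.setdefault(key, {})
            entry['local'], entry['remote'] = m.group(3), m.group(4)
    return entries


def find_reqid_collisions(entries):
    """Map each reqid shared by children with *different* traffic selectors to
    the sorted connection names involved. Two children with identical selectors
    sharing a reqid is not reported: that is legitimate in strongSwan."""
    by_reqid = defaultdict(list)
    for (conn, _child), info in entries.items():
        if {'reqid', 'local', 'remote'} <= info.keys():
            by_reqid[info['reqid']].append((conn, info['local'], info['remote']))
    collisions = {}
    for reqid, children in by_reqid.items():
        selectors = {(local, remote) for _, local, remote in children}
        if len(selectors) > 1:
            collisions[reqid] = sorted(conn for conn, _, _ in children)
    return collisions


if __name__ == "__main__":
    for label, dump in (("before", STATUSALL_BEFORE), ("after", STATUSALL_AFTER)):
        found = find_reqid_collisions(parse_routed(dump))
        print(f"{label}: {found or 'no reqid collisions'}")
```

Run against the two excerpts, the "before" dump is clean and the "after" dump reports reqid 4 shared by con1003 and con1004, which is exactly the condition that left the peer's tunnel non-functional. Piping live ipsec statusall output into parse_routed gives the same check on a running firewall.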
