I'm starting this thread to sort of consolidate the information available about IPSec tunnels that fail and won't reestablish until after racoon (or the router) is restarted.

This seems to happen regardless of the 'DPD' option for most people, and it happens when connecting to all manner of devices (other pfSense boxes, Cisco VPN concentrators, SonicWALLs, Fireboxes, &c).

What appears to happen is that racoon sees the peer go away, and removes the ISAKMP-SA/Phase 1 information for the tunnel, leaving the Phase 2 info present. Once that happens, it never attempts to reestablish Phase 1.

Here is a debug log from racoon showing the DPD failure, showing that the SAD entries are still present, and showing the orphaned Phase 2 entries as racoon is stopped:

```
16:10:48: DEBUG: get pfkey FLUSH message
16:10:48: DEBUG2: flushing all ph2 handlers.
16:10:48: DEBUG2: got a ph2 handler to flush.
16:10:48: DEBUG2: No ph1 handler found, could not send DELETE_SA
16:10:48: DEBUG: an undead schedule has been deleted.
16:10:49: DEBUG: pk_recv: retry recv()
```

Also noteworthy is that a tcpdump of a session in the "failed" state where pfSense believes it is still active does show that the remote side is sending an "invalid SPI" reply any time traffic attempts to traverse the tunnel. It seems like this invalid SPI message is either ignored by, or not seen by, racoon.

I have heard that there is discussion of a possible fix on the ipsec-tools-devel list, but nothing concrete yet.

If you have more information or similar experiences to share, feel free to post them.

Here are some related forum threads (I'm sure there are

Seems the SAD entries you have (setkey -D) after the tunnel fails are different from those that were used when this tunnel was established (your log), no? I see different SPIs. I suspect the tunnel goes up again as soon as you setkey -F?

The SPIs shown in the SAD entries are different from the SPI shown for the ISAKMP-SA which racoon deletes. They're not the same thing, as you can see from the log when it connects:

```
May 20 12:53:15 pfsense-123test racoon: INFO: IPsec-SA request for x.x.x.49 queued due to no phase1 found
```
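As an added example (not code from the thread or from pfSense/racoon), here is a small detector for the stuck state described above: it scans racoon log output for a peer whose IPsec-SA requests keep getting "queued due to no phase1 found" with no Phase 1 coming back, and counts the Phase 2 handlers that were flushed with no Phase 1 handler. The sample log lines are constructed; the "ISAKMP-SA established" line format is assumed from racoon's normal INFO output.

```python
import re

# Line racoon logs when a Phase 2 request arrives but no Phase 1 (ISAKMP-SA) exists.
QUEUED_NO_PH1 = re.compile(
    r"racoon: INFO: IPsec-SA request for (?P<peer>[\w.:]+) queued due to no phase1 found")
# Assumed format of racoon's Phase 1 success message; used to clear a peer's verdict.
PH1_ESTABLISHED = re.compile(
    r"racoon: INFO: ISAKMP-SA established [\w.:]+\[\d+\]-(?P<peer>[\w.:]+)\[\d+\]")
# Debug line seen when a ph2 handler is flushed with no matching ph1 handler (orphaned SA).
ORPHAN_PH2 = re.compile(r"No ph1 handler found, could not send DELETE_SA")

# Constructed sample: x.x.x.49 never gets a Phase 1 back, x.x.x.77 recovers.
SAMPLE_SYSLOG = """\
May 20 12:53:15 pfsense-123test racoon: INFO: IPsec-SA request for x.x.x.49 queued due to no phase1 found
May 20 12:53:45 pfsense-123test racoon: INFO: IPsec-SA request for x.x.x.49 queued due to no phase1 found
May 20 12:54:15 pfsense-123test racoon: INFO: IPsec-SA request for x.x.x.49 queued due to no phase1 found
May 20 12:54:20 pfsense-123test racoon: INFO: IPsec-SA request for x.x.x.77 queued due to no phase1 found
May 20 12:54:22 pfsense-123test racoon: INFO: ISAKMP-SA established 10.0.0.1[500]-x.x.x.77[500] spi:CONSTRUCTED
"""

# Constructed debug excerpt in the shape of the flush log quoted in the thread.
SAMPLE_DEBUG = """\
16:10:48: DEBUG: get pfkey FLUSH message
16:10:48: DEBUG2: flushing all ph2 handlers.
16:10:48: DEBUG2: got a ph2 handler to flush.
16:10:48: DEBUG2: No ph1 handler found, could not send DELETE_SA
16:10:48: DEBUG: an undead schedule has been deleted.
"""

def stuck_peers(log_text, threshold=3):
    """Return {peer: n} for peers whose Phase 2 requests were queued without a
    Phase 1 at least `threshold` times since their last ISAKMP-SA was established."""
    pending = {}
    for line in log_text.splitlines():
        m = PH1_ESTABLISHED.search(line)
        if m:                      # Phase 1 came back for this peer: not stuck
            pending.pop(m.group("peer"), None)
            continue
        m = QUEUED_NO_PH1.search(line)
        if m:
            pending[m.group("peer")] = pending.get(m.group("peer"), 0) + 1
    return {peer: n for peer, n in pending.items() if n >= threshold}

def orphaned_ph2_count(debug_text):
    """Count ph2 handlers flushed with no ph1 handler, i.e. orphaned Phase 2 SAs."""
    return sum(1 for line in debug_text.splitlines() if ORPHAN_PH2.search(line))

if __name__ == "__main__":
    print("stuck peers:", stuck_peers(SAMPLE_SYSLOG))        # {'x.x.x.49': 3}
    print("orphaned ph2:", orphaned_ph2_count(SAMPLE_DEBUG))  # 1
```

A peer reported by `stuck_peers` is one for which restarting racoon (or flushing with setkey -F) is the workaround the thread describes; the thresholds are tunable.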