Topics - yarick123

1
Hello,

I have configured IPsec IKEv2 road warrior VPN over IPv6 on a pfSense 2.4.2-RELEASE-p1 box. I have tested it on a host which was directly in an Internet segment. Everything was ok.

On a host behind an(other) firewall, the connection process started successfully, but then no IKE_AUTH request seemed to be received by the host. Starting from this point, pfSense got "retransmit of request with ID 1" answers, and after some time triggered a timeout error.

I played with different values of MSS: 1000, 1340. It did not help. The first host could establish the IPsec connection, the second could not.

On another pfSense box (2.3.5-RELEASE-p1) I have IPsec (IKEv2) over IPv4. Both hosts can establish a connection to the VPN.

Could you please suggest what could be done to fix the problem?

Best regards
yarick123

P.S. Here are pfSense logs for the second host:
Code:
Mar 22 16:08:03 charon          13[NET] <10> received packet: from 2a02:810c:c1bf:f788:71:4cb0:eb92:af04[500] to 2003:c8:4011:8000::2[500] (616 bytes)
Mar 22 16:08:03 charon          13[ENC] <10> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Mar 22 16:08:03 charon          13[IKE] <10> received MS NT5 ISAKMPOAKLEY v9 vendor ID
Mar 22 16:08:03 charon          13[IKE] <10> received MS-Negotiation Discovery Capable vendor ID
Mar 22 16:08:03 charon          13[IKE] <10> received Vid-Initial-Contact vendor ID
Mar 22 16:08:03 charon          13[ENC] <10> received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Mar 22 16:08:03 charon          13[IKE] <10> 2a02:810c:c1bf:f788:71:4cb0:eb92:af04 is initiating an IKE_SA
Mar 22 16:08:03 charon          13[IKE] <10> sending cert request for "yyyyy"
Mar 22 16:08:03 charon          13[ENC] <10> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Mar 22 16:08:03 charon          13[NET] <10> sending packet: from 2003:c8:4011:8000::2[500] to 2a02:810c:c1bf:f788:71:4cb0:eb92:af04[500] (337 bytes)
Mar 22 16:08:03 charon          13[NET] <10> received packet: from 2a02:810c:c1bf:f788:71:4cb0:eb92:af04[4500] to 2003:c8:4011:8000::2[4500] (1440 bytes)
Mar 22 16:08:03 charon          13[ENC] <10> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Mar 22 16:08:03 charon          13[IKE] <10> received cert request for "yyyyy"
Mar 22 16:08:03 charon          13[IKE] <10> received 53 cert requests for an unknown ca
Mar 22 16:08:03 charon          13[CFG] <10> looking for peer configs matching 2003:c8:4011:8000::2[%any]...2a02:810c:c1bf:f788:71:4cb0:eb92:af04[2a02:810c:c1bf:f788:71:4cb0:eb92:af04]
Mar 22 16:08:03 charon          13[CFG] <con1|10> selected peer config 'con1'
Mar 22 16:08:03 charon          13[IKE] <con1|10> initiating EAP_IDENTITY method (id 0x00)
Mar 22 16:08:03 charon          13[IKE] <con1|10> peer supports MOBIKE
Mar 22 16:08:03 charon          13[IKE] <con1|10> authentication of '2003:c8:4011:8000::2' (myself) with RSA signature successful
Mar 22 16:08:03 charon          13[IKE] <con1|10> sending end entity cert "xxxx"
Mar 22 16:08:03 charon          13[ENC] <con1|10> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Mar 22 16:08:03 charon          13[NET] <con1|10> sending packet: from 2003:c8:4011:8000::2[4500] to 2a02:810c:c1bf:f788:71:4cb0:eb92:af04[4500] (1712 bytes)
Mar 22 16:08:04 charon          13[NET] <con1|10> received packet: from 2a02:810c:c1bf:f788:71:4cb0:eb92:af04[4500] to 2003:c8:4011:8000::2[4500] (1440 bytes)
Mar 22 16:08:04 charon          13[ENC] <con1|10> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Mar 22 16:08:04 charon          13[IKE] <con1|10> received retransmit of request with ID 1, retransmitting response
Mar 22 16:08:04 charon          13[NET] <con1|10> sending packet: from 2003:c8:4011:8000::2[4500] to 2a02:810c:c1bf:f788:71:4cb0:eb92:af04[4500] (1712 bytes)
Mar 22 16:08:05 charon          13[NET] <con1|10> received packet: from 2a02:810c:c1bf:f788:71:4cb0:eb92:af04[4500] to 2003:c8:4011:8000::2[4500] (1440 bytes)
Mar 22 16:08:05 charon          13[ENC] <con1|10> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Mar 22 16:08:05 charon          13[IKE] <con1|10> received retransmit of request with ID 1, retransmitting response
Mar 22 16:08:05 charon          13[NET] <con1|10> sending packet: from 2003:c8:4011:8000::2[4500] to 2a02:810c:c1bf:f788:71:4cb0:eb92:af04[4500] (1712 bytes)
Mar 22 16:08:33 charon          11[JOB] <con1|10> deleting half open IKE_SA with 2a02:810c:c1bf:f788:71:4cb0:eb92:af04 after timeout

Here are pfSense logs for the first host, which establishes the VPN connection without problems:
Code:
Mar 22 16:58:44 charon          07[NET] <11> received packet: from 2003:c8:4011:8000::56[500] to 2003:c8:4011:8000::2[500] (616 bytes)
Mar 22 16:58:44 charon          07[ENC] <11> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Mar 22 16:58:44 charon          07[IKE] <11> received MS NT5 ISAKMPOAKLEY v9 vendor ID
Mar 22 16:58:44 charon          07[IKE] <11> received MS-Negotiation Discovery Capable vendor ID
Mar 22 16:58:44 charon          07[IKE] <11> received Vid-Initial-Contact vendor ID
Mar 22 16:58:44 charon          07[ENC] <11> received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Mar 22 16:58:44 charon          07[IKE] <11> 2003:c8:4011:8000::56 is initiating an IKE_SA
Mar 22 16:58:44 charon          07[IKE] <11> sending cert request for "yyyyy"
Mar 22 16:58:44 charon          07[ENC] <11> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Mar 22 16:58:44 charon          07[NET] <11> sending packet: from 2003:c8:4011:8000::2[500] to 2003:c8:4011:8000::56[500] (337 bytes)
Mar 22 16:58:44 charon          07[NET] <11> received packet: from 2003:c8:4011:8000::56[4500] to 2003:c8:4011:8000::2[4500] (1056 bytes)
Mar 22 16:58:44 charon          07[ENC] <11> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Mar 22 16:58:44 charon          07[IKE] <11> received cert request for "yyyyy"
Mar 22 16:58:44 charon          07[IKE] <11> received 33 cert requests for an unknown ca
Mar 22 16:58:44 charon          07[CFG] <11> looking for peer configs matching 2003:c8:4011:8000::2[%any]...2003:c8:4011:8000::56[2003:c8:4011:8000::56]
Mar 22 16:58:44 charon          07[CFG] <con1|11> selected peer config 'con1'
Mar 22 16:58:44 charon          07[IKE] <con1|11> initiating EAP_IDENTITY method (id 0x00)
Mar 22 16:58:44 charon          07[IKE] <con1|11> peer supports MOBIKE
Mar 22 16:58:44 charon          07[IKE] <con1|11> authentication of '2003:c8:4011:8000::2' (myself) with RSA signature successful
Mar 22 16:58:44 charon          07[IKE] <con1|11> sending end entity cert "xxxxx"
Mar 22 16:58:44 charon          07[ENC] <con1|11> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Mar 22 16:58:44 charon          07[NET] <con1|11> sending packet: from 2003:c8:4011:8000::2[4500] to 2003:c8:4011:8000::56[4500] (1712 bytes)
Mar 22 16:58:44 charon          07[NET] <con1|11> received packet: from 2003:c8:4011:8000::56[4500] to 2003:c8:4011:8000::2[4500] (96 bytes)
Mar 22 16:58:44 charon          07[ENC] <con1|11> parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Mar 22 16:58:44 charon          07[IKE] <con1|11> received EAP identity 'testuser'
Mar 22 16:58:44 charon          07[IKE] <con1|11> initiating EAP_MSCHAPV2 method (id 0x8A)
Mar 22 16:58:44 charon          07[ENC] <con1|11> generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Mar 22 16:58:44 charon          07[NET] <con1|11> sending packet: from 2003:c8:4011:8000::2[4500] to 2003:c8:4011:8000::56[4500] (112 bytes)
Mar 22 16:58:44 charon          07[NET] <con1|11> received packet: from 2003:c8:4011:8000::56[4500] to 2003:c8:4011:8000::2[4500] (144 bytes)
Mar 22 16:58:44 charon          07[ENC] <con1|11> parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Mar 22 16:58:44 charon          07[ENC] <con1|11> generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Mar 22 16:58:44 charon          07[NET] <con1|11> sending packet: from 2003:c8:4011:8000::2[4500] to 2003:c8:4011:8000::56[4500] (144 bytes)
Mar 22 16:58:44 charon          07[NET] <con1|11> received packet: from 2003:c8:4011:8000::56[4500] to 2003:c8:4011:8000::2[4500] (80 bytes)
Mar 22 16:58:44 charon          07[ENC] <con1|11> parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Mar 22 16:58:44 charon          07[IKE] <con1|11> EAP method EAP_MSCHAPV2 succeeded, MSK established
Mar 22 16:58:44 charon          07[ENC] <con1|11> generating IKE_AUTH response 4 [ EAP/SUCC ]
Mar 22 16:58:44 charon          07[NET] <con1|11> sending packet: from 2003:c8:4011:8000::2[4500] to 2003:c8:4011:8000::56[4500] (80 bytes)
Mar 22 16:58:44 charon          14[NET] <con1|11> received packet: from 2003:c8:4011:8000::56[4500] to 2003:c8:4011:8000::2[4500] (112 bytes)
Mar 22 16:58:44 charon          14[ENC] <con1|11> parsed IKE_AUTH request 5 [ AUTH ]
Mar 22 16:58:44 charon          14[IKE] <con1|11> authentication of '2003:c8:4011:8000::56' with EAP successful
Mar 22 16:58:44 charon          14[IKE] <con1|11> authentication of '2003:c8:4011:8000::2' (myself) with EAP
Mar 22 16:58:44 charon          14[IKE] <con1|11> IKE_SA con1[11] established between 2003:c8:4011:8000::2[2003:c8:4011:8000::2]...2003:c8:4011:8000::56[2003:c8:4011:8000::56]
Mar 22 16:58:44 charon          14[IKE] <con1|11> scheduling reauthentication in 35221s
Mar 22 16:58:44 charon          14[IKE] <con1|11> maximum IKE_SA lifetime 35761s
Mar 22 16:58:44 charon          14[IKE] <con1|11> peer requested virtual IP %any
Mar 22 16:58:44 charon          14[IKE] <con1|11> no virtual IP found for %any requested by 'testuser'
Mar 22 16:58:44 charon          14[IKE] <con1|11> peer requested virtual IP fddf:c8:4011:11::1
Mar 22 16:58:44 charon          14[CFG] <con1|11> reassigning offline lease to 'testuser'
Mar 22 16:58:44 charon          14[IKE] <con1|11> assigning virtual IP fddf:c8:4011:11::1 to peer 'testuser'
Mar 22 16:58:44 charon          14[IKE] <con1|11> CHILD_SA con1{2} established with SPIs ca6b2145_i e8c59f9c_o and TS ::/0|/0 === fddf:c8:4011:11::1/128|/0
Mar 22 16:58:44 charon          14[ENC] <con1|11> generating IKE_AUTH response 5 [ AUTH CPRP(ADDR6 DNS6 U_DEFDOM U_SPLITDNS U_BANNER U_SAVEPWD) N(ESP_TFC_PAD_N) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
Mar 22 16:58:44 charon          14[NET] <con1|11> sending packet: from 2003:c8:4011:8000::2[4500] to 2003:c8:4011:8000::56[4500] (480 bytes)

P.P.S. For IPv4 the IKE_AUTH response 1 is even longer than 1712 bytes, but everything is o.k.:
Code:
Mar 22 16:12:22 charon          05[NET] <con4|3697> sending packet: from xxx.yyy.zzz.uuu[4500] to 77.21.251.9[31236] (1824 bytes)
Mar 22 16:12:22 charon          05[NET] <con4|3697> received packet: from 77.21.251.9[31236] to xxx.yyy.zzz.uuu[4500] (96 bytes)
Mar 22 16:12:22 charon          05[ENC] <con4|3697> parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Mar 22 16:12:22 charon          05[IKE] <con4|3697> received EAP identity 'testuser'
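As a worked illustration added here (it is not part of the original post, nor pfSense or strongSwan code), the following Python script groups charon log lines like those quoted above by IKE_SA id and reports why an SA did not come up. The sample lines are constructed in the same shape as the post's logs with documentation addresses; the 1280-byte threshold is the IPv6 minimum link MTU and is this script's own heuristic, not a strongSwan setting.

```python
import re
from dataclasses import dataclass, field

# RFC 8200 minimum IPv6 link MTU: a UDP datagram larger than this may need
# fragmentation somewhere on the path (heuristic chosen for this example).
IPV6_MIN_MTU = 1280

# One regex per charon line type this triage cares about; the syslog prefix is ignored.
SA_ID_RE = re.compile(r'<(?:[^|>]+\|)?(\d+)>')          # "<10>" or "<con1|10>" -> "10"
RESPONSE_RE = re.compile(r'generating (\w+) response (\d+)')
SENT_RE = re.compile(r'sending packet: from \S+ to (\S+?)\[\d+\] \((\d+) bytes\)')
RETRANSMIT_RE = re.compile(r'received retransmit of request with ID (\d+)')
TIMEOUT_RE = re.compile(r'deleting half open IKE_SA with \S+ after timeout')
ESTABLISHED_RE = re.compile(r'IKE_SA \S+ established')

# Constructed sample: SA <10> mirrors the failing road-warrior host, SA <11> the working one.
SAMPLE_LOG = """\
Mar 22 16:08:03 charon 13[NET] <10> received packet: from 2001:db8:1::a[4500] to 2001:db8::2[4500] (1440 bytes)
Mar 22 16:08:03 charon 13[ENC] <10> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) SA TSi TSr ]
Mar 22 16:08:03 charon 13[ENC] <con1|10> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Mar 22 16:08:03 charon 13[NET] <con1|10> sending packet: from 2001:db8::2[4500] to 2001:db8:1::a[4500] (1712 bytes)
Mar 22 16:08:04 charon 13[IKE] <con1|10> received retransmit of request with ID 1, retransmitting response
Mar 22 16:08:04 charon 13[NET] <con1|10> sending packet: from 2001:db8::2[4500] to 2001:db8:1::a[4500] (1712 bytes)
Mar 22 16:08:05 charon 13[IKE] <con1|10> received retransmit of request with ID 1, retransmitting response
Mar 22 16:08:05 charon 13[NET] <con1|10> sending packet: from 2001:db8::2[4500] to 2001:db8:1::a[4500] (1712 bytes)
Mar 22 16:08:33 charon 11[JOB] <con1|10> deleting half open IKE_SA with 2001:db8:1::a after timeout
Mar 22 16:58:44 charon 07[ENC] <con1|11> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Mar 22 16:58:44 charon 07[NET] <con1|11> sending packet: from 2001:db8::2[4500] to 2001:db8::56[4500] (1712 bytes)
Mar 22 16:58:44 charon 07[ENC] <con1|11> parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Mar 22 16:58:44 charon 14[IKE] <con1|11> IKE_SA con1[11] established between 2001:db8::2[2001:db8::2]...2001:db8::56[2001:db8::56]
"""


@dataclass
class SaState:
    sa_id: str
    peer: str = ''
    last_response: str = ''      # e.g. "IKE_AUTH 1"
    last_sent_bytes: int = 0
    retransmits: dict = field(default_factory=dict)   # request id -> times the peer repeated it
    timed_out: bool = False
    established: bool = False


def parse_charon(lines):
    """Group charon log lines by IKE_SA id and record the exchange state of each SA."""
    sas = {}
    for line in lines:
        m = SA_ID_RE.search(line)
        if not m:
            continue
        sa = sas.setdefault(m.group(1), SaState(m.group(1)))
        resp, sent, rtx = RESPONSE_RE.search(line), SENT_RE.search(line), RETRANSMIT_RE.search(line)
        if resp:
            sa.last_response = f'{resp.group(1)} {resp.group(2)}'
        elif sent:
            sa.peer, sa.last_sent_bytes = sent.group(1), int(sent.group(2))
        elif rtx:
            sa.retransmits[rtx.group(1)] = sa.retransmits.get(rtx.group(1), 0) + 1
        elif TIMEOUT_RE.search(line):
            sa.timed_out = True
        elif ESTABLISHED_RE.search(line):
            sa.established = True
    return sas


def diagnose(sa):
    """Explain, from the responder's log alone, why an SA did or did not come up."""
    if sa.established:
        return 'established'
    if not sa.timed_out:
        return 'in progress'
    if not sa.retransmits:
        return 'half-open: timed out without any retransmit from the peer'
    req_id, count = max(sa.retransmits.items(), key=lambda kv: kv[1])
    if sa.last_sent_bytes > IPV6_MIN_MTU:
        # The peer keeps repeating its request, so it never saw our large response:
        # the path, not the authentication, is the first thing to check.
        return (f'half-open: peer {sa.peer} repeated request {req_id} {count}x, i.e. it never saw our '
                f'{sa.last_response} response of {sa.last_sent_bytes} bytes (> {IPV6_MIN_MTU}); '
                'suspect path MTU or fragment filtering towards the peer, not authentication')
    return (f'half-open: peer {sa.peer} repeated request {req_id} {count}x although our response '
            f'was only {sa.last_sent_bytes} bytes; check reachability of UDP 4500 towards the peer')


def report(lines):
    """Map IKE_SA id -> diagnosis for every SA seen in the log."""
    return {sa_id: diagnose(sa) for sa_id, sa in parse_charon(lines).items()}


if __name__ == '__main__':
    for sa_id, verdict in report(SAMPLE_LOG.splitlines()).items():
        print(f'IKE_SA {sa_id}: {verdict}')
```

A "path MTU" verdict points the responder-side investigation at whether large UDP/4500 datagrams and IPv6 fragments actually reach the client, and whether IKEv2 fragmentation (RFC 7383) is enabled on both ends.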

2
Hi there,

I am configuring a Road Warrior IPsec on the IPv6 stack on an additional pfSense 2.4.2-p1 firewall. The settings are very similar to the IPsec on IPv4 settings on my master pfSense 2.3.5-p1 firewall.

The Local Network is ::/0, Remote Network - fddf:x:x:x:x:x:x:0/112 .

I can log in to the VPN over IPv6. But the network is not accessible. After adding the route ::/0 -> :: on the IPsec host interface, everything works as expected:

Code:
route -6 add ::/0 gateway :: metric 1 if 27
With IPsec on IPv4 such a route is automatically created by pfSense after the login:
Code:
route print
...
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
...
          0.0.0.0          0.0.0.0         On-link       10.33.111.5     26
...

Have you any idea what I am doing wrong?

P.S. The host machines are Windows 10 with the built-in IPsec client.

Best regards
yarick123

3
Hi,

I have the simplest VirtualBox 5.2.4 virtual machine configuration:

Code:
1GiB RAM, 1 CPU, PIIX3, no paravirtualization, no hardware virtualization,
48MB display RAM, no GPU acceleration,
IDE PIIX 3: IDE Primary Master: pfSense-CE-2.3.5-RELEASE-2g-i386-nanobsd-vga.img,
no audio,
adapter 1: Intel PRO/1000 T Server, bridged with the host NIC, cable not connected,
adapter 2: Intel PRO/1000 T Server, host-only adapter, cable not connected,
serial port: COM1, \\.\pipe\com_1,
no USB

The first boot works like a charm. After rebooting (option 5 from the console), BTX is halted, see the pictures.

Am I the only one with such a bad destiny?

4
Hi pfSense Team, thank you for the superior product!

I am updating the remaining firewall node from 2.3.4_1 to 2.3.5_1. Everything was ok; there were no problems during the update. After restarting I noticed that the kernel was not up to date:

Code:
[2.3.5-RELEASE][admin@pf1.xxx.yyy]/root: uname -a
FreeBSD pf1.xxx.yyy 10.3-RELEASE-p17 FreeBSD 10.3-RELEASE-p17 #10 6da131e75c7(RELENG_2_3_3): Wed Mar  8 14:27:02 CST 2017     root@ce23-i386-builder:/builder/pfsense-233/tmp/obj/builder/pfsense-233/tmp/FreeBSD-src/sys/pfSense_wrap  i386

Then I tried to update once more. The disk slice was duplicated and it was said that the pfSense-kernel-pfSense_wrap package would be updated:
Code:
The following 1 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
        pfSense-kernel-pfSense_wrap: 2.3.3_1 -> 2.3.5_1 [pfSense-core]

Number of packages to be upgraded: 1
>>> Locking package pfSense-pkg-FTP_Client_Proxy... done.
>>> Unlocking package pfSense-pkg-FTP_Client_Proxy... done.
>>> Setting secondary partition as active... done.
Upgrade is complete.  Rebooting in 10 seconds.

Unfortunately, after the system restarted, the situation repeated. I tried many times to update the system, but it was an infinite loop: updating the system (updating the kernel); restarting; checking that the kernel was old; updating the system (updating the kernel); ...

NanoBSD Previous Upgrade Log shows:
Code:
2.3.5_1 version of pfSense is available

I have attached the complete log file.

Could you please suggest what can be done to update the kernel too?

Thank you,
Best regards
yarick123

5
Installation and Upgrades / [Solved] 2.3.5 is shown as 2.3.4-RELEASE (i386)
« on: December 12, 2017, 08:20:39 am »
Hi pfSense Team, thank you for the superior product!

I have upgraded one of the firm's firewalls from version 2.3.4-RELEASE-p1 (i386) to 2.3.5 (nanobsd 2g) several hours ago.

The upgrade was not very straightforward. I needed to reset the firewall several times.

In the end, all the packages and the kernel were successfully upgraded. uname -a says:
Code:
[2.3.4-RELEASE][admin@xxx.yyy.zzz]/root: uname -a
FreeBSD xxx.yyy.zzz 10.3-RELEASE-p22 FreeBSD 10.3-RELEASE-p22 #0 352658d6e(RELENG_2_3): Tue Oct 24 05:16:13 CDT 2017     root@ce23-i386-builder:/builder/pfsense-235/tmp/obj/builder/pfsense-235/tmp/FreeBSD-src/sys/pfSense_wrap  i386

but on the dashboard the version is shown as
Code:
2.3.4-RELEASE (i386)
built on Fri Jul 14 14:53:03 CDT 2017
FreeBSD 10.3-RELEASE-p22

In the CLI it is also shown as 2.3.4:
Code:
*** Welcome to pfSense 2.3.4-RELEASE (i386 nanobsd) on xxx ***

In the shell prompt the version is also shown as 2.3.4:
Code:
[2.3.4-RELEASE][admin@xxx.yyy.zzz]/root:

But on the "Update" tab everything is ok, see the attached image.

Trying to upgrade from the console, I get a message that the system uses the most recent version:
Code:
>>> Updating repositories metadata...
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
>>> Unlocking package pfSense-kernel-pfSense_wrap... done.
>>> Locking package pfSense-kernel-pfSense_wrap... done.
Your packages are up to date

Is this the correct behaviour, or is there a problem on my side? (I have rebooted the system several times.)

Thank you,
Best regards
yarick123

6
Hi and thank you very much for the superior firewall!

Unfortunately I did not follow the pfSense development plans. This is why it was very sad for me to read that the NanoBSD functionality was deprecated and removed from pfSense 2.4.

For me it was very handy to only have to care about the pfSense configuration backup before upgrading. All the rest was done by NanoBSD - a full backup to another slice. I came relatively often into the situation that upgrades caused firewall problems. I just needed to reboot the server(s) from the backup slice and restore the configuration - voilà! I spent about 30 minutes on such a procedure. I never had any fear of upgrading the firewalls.

Now, in order to perform an upgrade, I need to simulate the NanoBSD behavior: to have the HD split into two slices; to have the possibility to change slices on boot; before upgrading, to copy the current slice to the backup one. And all of this can only be done manually.

The question is, what is the best way to do it? Or is there a better upgrade workflow? E.g. on my Linux servers the root partition can be snapshotted, so before the upgrade I make a snapshot. If everything is ok after the upgrade, I remove the snapshot. Sometimes, e.g. if the system becomes unbootable, I reboot it from the snapshot and check if something in the upgrade process can be changed/fixed; I write tickets, maybe I contribute a solution...

Now, reading https://doc.pfsense.org/index.php/Upgrade_Guide:

Quote
Pre-Upgrade Tasks
Make a backup!
...
Reinstalling the previous release
The worst case scenario on upgrading is a FreeBSD regression that prevents the firewall from booting successfully, or no longer communicating with the network. In this case, reinstall. For a full install, this means reinstalling from a CD or Memstick for the previous release. Download the appropriate image and have it ready before starting the upgrade procedure.

I understand that in case of boot or other problems, if I follow this guide literally, I will spend much more than 30 minutes to get the firewall working again.

I do not ask for the NanoBSD functionality to be brought back. I suppose there were serious enough reasons to remove it. I just wonder how I can optimize my time upgrading the firewalls.

I also wonder what the new upgrade process for the embedded firewalls is. It is clear how to make the pfSense configuration backup. But what would happen if the system becomes unbootable? (Sorry, I did not try to find the answer to this question - I just wondered.)

To be honest, previously I was thinking about buying two embedded pfSense firewalls. Now I am not sure...

I am sorry for such a post; I really, really like pfSense, the team and the community.

Best regards
yarick123

7
Hello,

one more thank you to the pfSense team for the superior product!

As has been said many times, it is obviously a bad idea to mix tagged and untagged VLANs on the same NIC.

I just wanted to inform you that DHCPD is not working on the tagged interfaces in this case. It works only on the untagged one.

Excluding the untagged vlan fixes the problem!

This message should not be understood as a pfSense issue declaration ;)

P.S. Except for DHCPD everything worked ok.

Best regards
yarick123

8
Hi,

EAP-RADIUS authentication works perfectly for the mobile clients if only one RADIUS server is selected. After selecting two servers in the "Mobile clients" tab, users cannot be authenticated any more.

If, after selecting two RADIUS servers, I edit the "phase1 entry" for the mobile clients and just push the "Save" button, the following error message appears:

Code:
The following input errors were detected:

A valid RADIUS server must be selected for user authentication on the Mobile Clients tab in order to set EAP-RADIUS as the authentication method.

Both RADIUS servers work with EAP-RADIUS separately.

Best regards
yarick123

9
Dear pfSense team, thank you for the great job and the great product!

I would like to inform you that after upgrading to version 2.2.5 the XMLRPC synchronization stopped working.
Here are the logs:
Code:
Nov 9 13:45:17 php-fpm[55133]: /rc.filter_synchronize: Beginning XMLRPC sync to http://192.168.11.2:80.
Nov 9 13:45:17 php-fpm[55133]: /rc.filter_synchronize: New alert found: An error code was received while attempting XMLRPC sync with username admin http://192.168.11.2:80 - Code 2: Invalid return payload: enable debugging to examine incoming payload
Nov 9 13:45:17 php-fpm[55133]: /rc.filter_synchronize: An error code was received while attempting XMLRPC sync with username admin http://192.168.11.2:80 - Code 2: Invalid return payload: enable debugging to examine incoming payload
Nov 9 13:44:14 php-fpm[55133]: /rc.filter_synchronize: Beginning XMLRPC sync to http://192.168.11.2:80.
Nov 9 13:44:13 check_reload_status: Syncing firewall
Nov 9 13:36:39 php-fpm[52801]: /rc.filter_synchronize: Beginning XMLRPC sync to http://192.168.11.2:80.
Nov 9 13:36:39 php-fpm[52801]: /rc.filter_synchronize: New alert found: An error code was received while attempting XMLRPC sync with username admin http://192.168.11.2:80 - Code 2: Invalid return payload: enable debugging to examine incoming payload
Nov 9 13:36:39 php-fpm[52801]: /rc.filter_synchronize: An error code was received while attempting XMLRPC sync with username admin http://192.168.11.2:80 - Code 2: Invalid return payload: enable debugging to examine incoming payload
Nov 9 13:35:37 check_reload_status: Reloading filter
Nov 9 13:35:36 php-fpm[52801]: /rc.filter_synchronize: Beginning XMLRPC sync to http://192.168.11.2:80.
Nov 9 13:35:35 check_reload_status: Syncing firewall
Nov 9 13:24:03 php-fpm[24321]: /rc.filter_synchronize: Beginning XMLRPC sync to http://192.168.11.2:80.
Nov 9 13:24:03 php-fpm[24321]: /rc.filter_synchronize: New alert found: An error code was received while attempting XMLRPC sync with username admin http://192.168.11.2:80 - Code 2: Invalid return payload: enable debugging to examine incoming payload
Nov 9 13:24:03 php-fpm[24321]: /rc.filter_synchronize: An error code was received while attempting XMLRPC sync with username admin http://192.168.11.2:80 - Code 2: Invalid return payload: enable debugging to examine incoming payload
Nov 9 13:23:01 check_reload_status: Reloading filter
Nov 9 13:23:01 check_reload_status: Reloading filter
Nov 9 13:23:00 php-fpm[24321]: /rc.filter_synchronize: Beginning XMLRPC sync to http://192.168.11.2:80.
Nov 9 13:22:59 check_reload_status: Syncing firewall

I use pfSense NanoBSD on two servers.

Best regards
yarick123

10
CARP/VIPs / CARP + L2TP
« on: July 03, 2015, 03:14:18 am »
Hello,

could you please share a solution if one exists? I have no problems with CARP + pure IPsec,
but recently we have decided to switch to L2TP.

The L2TP GUI configuration does not provide any CARP address to select for the field "Interface". If I select "WAN" as the
L2TP interface, L2TP clients configured to use the CARP VIP get no answers. Making a port forward for udp/1701 on
the CARP VIP to 127.0.0.1:1701, as was suggested here https://forum.pfsense.org/index.php?topic=64851.0,
did not help. Additionally trying to make an outbound NAT for WAN udp/1701 also did not help.

We use pfSense 2.2.2.

Best regards
yarick123

11
Hello,

after upgrading pfSense from version 2.2.2 to 2.2.3 our IPsec for mobile clients stopped working. All clients get the message "gateway authentication error".
In the logs the message "invalid HASH_V1 payload length, decryption failed?" appears.

We use Shrew Soft VPNCLIENT v.2.2.2 on Windows 7 and Windows XP.

Unfortunately we had to switch back to version 2.2.2.

Here is an excerpt from the log file (in reverse order):
Code:
Jun 25 13:32:55 charon: 14[IKE] <con4|1> INFORMATIONAL_V1 request with message ID 2583112657 processing failed
Jun 25 13:32:55 charon: 14[IKE] <con4|1> INFORMATIONAL_V1 request with message ID 2583112657 processing failed
Jun 25 13:32:55 charon: 14[IKE] <con4|1> ignore malformed INFORMATIONAL request
Jun 25 13:32:55 charon: 14[IKE] <con4|1> ignore malformed INFORMATIONAL request
Jun 25 13:32:55 charon: 14[IKE] <con4|1> message parsing failed
Jun 25 13:32:55 charon: 14[IKE] <con4|1> message parsing failed
Jun 25 13:32:55 charon: 14[ENC] <con4|1> could not decrypt payloads
Jun 25 13:32:55 charon: 14[ENC] <con4|1> invalid HASH_V1 payload length, decryption failed?
Jun 25 13:32:55 charon: 14[NET] <con4|1> received packet: from XX.XX.XX.XX[4500] to YY.YY.YY.YY[4500] (92 bytes)
Jun 25 13:32:55 charon: 12[IKE] <con4|1> AGGRESSIVE request with message ID 0 processing failed
Jun 25 13:32:55 charon: 12[IKE] <con4|1> AGGRESSIVE request with message ID 0 processing failed
Jun 25 13:32:55 charon: 12[NET] <con4|1> sending packet: from YY.YY.YY.YY[500] to XX.XX.XX.XX[500] (76 bytes)
Jun 25 13:32:55 charon: 12[ENC] <con4|1> generating INFORMATIONAL_V1 request 4038421101 [ HASH N(PLD_MAL) ]
Jun 25 13:32:55 charon: 12[IKE] <con4|1> message parsing failed
Jun 25 13:32:55 charon: 12[IKE] <con4|1> message parsing failed
Jun 25 13:32:55 charon: 12[ENC] <con4|1> could not decrypt payloads
Jun 25 13:32:55 charon: 12[ENC] <con4|1> invalid HASH_V1 payload length, decryption failed?
Jun 25 13:32:55 charon: 12[NET] <con4|1> received packet: from XX.XX.XX.XX[4500] to YY.YY.YY.YY[4500] (108 bytes)
Jun 25 13:32:55 charon: 12[NET] <con4|1> sending packet: from YY.YY.YY.YY[500] to XX.XX.XX.XX[500] (432 bytes)
Jun 25 13:32:55 charon: 12[ENC] <con4|1> generating AGGRESSIVE response 0 [ SA KE No ID NAT-D NAT-D HASH V V V V V ]
Jun 25 13:32:55 charon: 12[CFG] <1> selected peer config "con4"
Jun 25 13:32:55 charon: 12[CFG] <1> looking for XAuthInitPSK peer configs matching YY.YY.YY.YY...XX.XX.XX.XX[vpn@xxxxx.xxxxx.xxx]
Jun 25 13:32:55 charon: 12[IKE] <1> XX.XX.XX.XX is initiating a Aggressive Mode IKE_SA
Jun 25 13:32:55 charon: 12[IKE] <1> XX.XX.XX.XX is initiating a Aggressive Mode IKE_SA
Jun 25 13:32:55 charon: 12[IKE] <1> received Cisco Unity vendor ID
Jun 25 13:32:55 charon: 12[IKE] <1> received Cisco Unity vendor ID
Jun 25 13:32:55 charon: 12[ENC] <1> received unknown vendor ID: 84:04:ad:f9:cd:a0:57:60:b2:ca:29:2e:4b:ff:53:7b
Jun 25 13:32:55 charon: 12[ENC] <1> received unknown vendor ID: 16:6f:93:2d:55:eb:64:d8:e4:df:4f:d3:7e:23:13:f0:d0:fd:84:51
Jun 25 13:32:55 charon: 12[ENC] <1> received unknown vendor ID: f1:4b:94:b7:bf:f1:fe:f0:27:73:b8:c4:9f:ed:ed:26
Jun 25 13:32:55 charon: 12[ENC] <1> received unknown vendor ID: 3b:90:31:dc:e4:fc:f8:8b:48:9a:92:39:63:dd:0c:49
Jun 25 13:32:55 charon: 12[IKE] <1> received DPD vendor ID
Jun 25 13:32:55 charon: 12[IKE] <1> received DPD vendor ID
Jun 25 13:32:55 charon: 12[IKE] <1> received FRAGMENTATION vendor ID
Jun 25 13:32:55 charon: 12[IKE] <1> received FRAGMENTATION vendor ID
Jun 25 13:32:55 charon: 12[IKE] <1> received NAT-T (RFC 3947) vendor ID
Jun 25 13:32:55 charon: 12[IKE] <1> received NAT-T (RFC 3947) vendor ID
Jun 25 13:32:55 charon: 12[IKE] <1> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Jun 25 13:32:55 charon: 12[IKE] <1> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Jun 25 13:32:55 charon: 12[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jun 25 13:32:55 charon: 12[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jun 25 13:32:55 charon: 12[ENC] <1> received unknown vendor ID: 16:f6:ca:16:e4:a4:06:6d:83:82:1a:0f:0a:ea:a8:62
Jun 25 13:32:55 charon: 12[IKE] <1> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Jun 25 13:32:55 charon: 12[IKE] <1> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Jun 25 13:32:55 charon: 12[IKE] <1> received XAuth vendor ID
Jun 25 13:32:55 charon: 12[IKE] <1> received XAuth vendor ID
Jun 25 13:32:55 charon: 12[ENC] <1> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V V V V V ]
Jun 25 13:32:55 charon: 12[NET] <1> received packet: from XX.XX.XX.XX[500] to YY.YY.YY.YY[500] (1190 bytes)

We have the following IPSEC Phase 1 configuration:

Key Exchange version: V1
Internet Protocol: IPv4
Interface: YY.YY.YY.YY (WAN-CARP)

Phase 1 proposal  (Authentication)

Authentication method: Mutual PSK + Xauth
Negotiation mode: Aggressive
My identifier: My IP address
Peer identifier: User distinguished name - vpn@xxxxx.xxxxx.xxx
Pre-Shared Key: .................................................

Phase 1 proposal (Algorithms)

Encryption algorithm: AES 256 bit
Hash algorithm: SHA1
DH key group: 2 (1024 bit)

Lifetime: 36000 seconds

Advanced Options

Disable Rekey: NO
Responder Only: NO
NAT Traversal: Force
Dead Peer Detection: NO


Best regards
yarick123

12
Hello,

after upgrading our pfSense firewalls from version 2.1.5 to version 2.2.2 the NTP server on the
firewall stopped answering ntpdate requests. The reason was that all the NTP servers configured
on the firewall were always unreachable after the upgrade.

The firewalls have CARP addresses for LAN and WAN. Only these two CARP addresses were listened to
by the firewalls' NTP server.

Solution:

The NTP server was configured to also listen on the WAN interface.
Servers behind the firewall could not access the NTP server on the firewalls. The second
change was to also listen on the LAN interface.

It seems that NTP now does not work with CARP interfaces, or something must be additionally
configured compared to version 2.1.5.

After that, not all the local servers' requests were answered:
Code:
testserver1:~ # ntpdate -d 10.20.20.101
22 Apr 12:14:04 ntpdate[22131]: ntpdate 4.2.0a@1.1190-r Wed Jan 26 17:34:57 UTC 2005 (1)
Looking for host 10.20.20.101 and service ntp
host found : pf1.netmedia.de
transmit(10.20.20.101)
transmit(10.20.20.101)
transmit(10.20.20.101)
receive(10.20.20.101)
transmit(10.20.20.101)
transmit(10.20.20.101)
10.20.20.101: Server dropped: strata too high
server 10.20.20.101, port 123
stratum 16, precision -6, leap 11, trust 000
refid [10.20.20.101], delay 0.04271, dispersion 56.00000
transmitted 4, in filter 4
reference time:    00000000.00000000  Thu, Feb  7 2036  7:28:16.000
originate timestamp: d8e1f2ee.c48f7553  Wed, Apr 22 2015 12:14:06.767
transmit timestamp:  d8e1f2ee.c4f3dc05  Wed, Apr 22 2015 12:14:06.769
filter delay:  0.00000  0.00000  0.04271  0.00000
         0.00000  0.00000  0.00000  0.00000
filter offset: 0.000000 0.000000 -0.00073 0.000000
         0.000000 0.000000 0.000000 0.000000
delay 0.04271, dispersion 56.00000
offset -0.000739

22 Apr 12:14:07 ntpdate[22131]: no server suitable for synchronization found

This problem was solved by unchecking the check box "Access restrictions: Enable Kiss-o'-death packets".

Thank you, the pfSense Team for the great job!

Best regards
yarick123

13
Hello,

we upgraded our two pfSense firewalls from version 2.1.5 to version 2.2, rolled back, and then upgraded from
version 2.1.5 to version 2.2.2.

We use i386 NanoBSD (CF size 2GB) with serial console on both firewalls.

After both upgrades, we experienced the same problem. When the traffic went over the Master firewall,
all worked ok except for the Lync login. It was just hanging on the login screen. When the traffic went over
the Standby firewall (CARP on the Master firewall was temporarily disabled manually), everything, including the Lync login,
worked ok.

Solution:

Checking the checkbox "IP Do-Not-Fragment compatibility: Clear invalid DF bits instead of dropping the packets"
in "System -> Advanced -> Firewall / NAT" made Lync log in without problems.

Interestingly, the problem happened only on one of the two firewalls.

The firewalls have different hardware, including the network cards.

The Master firewall has an Intel Core Duo CPU E8400 and uses the em driver for LAN and the ale driver for WAN.
The Standby firewall has an Intel Pentium III CPU and uses the em driver for LAN and WAN.

Thank you, the pfSense Team for the great job!

Best regards
yarick123

14
IPsec / Mobile clients: Phase2 PFS Group influences ALL IPSEC tunnels
« on: September 06, 2012, 05:42:16 am »
Dear pfSense Team,

first I would like to thank you, no, THANK YOU for the perfect software product. We have used it for many years without problems.

I think I have found a bug.

The "mobile clients" configuration option "Phase2 PFS Group" influences all IPSEC tunnels. If the "mobile clients" functionality is disabled
and the option is checked, all the other IPSEC tunnels work incorrectly anyway.

It happens on pfSense-2.0.1.

Best regards
