
Topic: StrongSwan problem with IPSEC


pdrass
StrongSwan problem with IPSEC
« on: January 17, 2018, 09:25:59 am »
I have to reboot one firewall that has 4 IPSEC tunnels to it.  It gets buggy and no matter what I do I can't seem to get it to reconnect.

Here's my log:

Jan 17 09:58:57    charon       07[IKE] <con1|825> IKE_SA con1[825] state change: CONNECTING => DESTROYING
Jan 17 09:58:57    charon       07[CFG] <con1|825> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Jan 17 09:58:57    charon       07[IKE] <con1|825> received NO_PROPOSAL_CHOSEN notify error
Jan 17 09:58:57    charon       07[ENC] <con1|825> parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
Jan 17 09:58:57    charon       07[NET] <con1|825> received packet: from 47.50.x.x[500] to 24.247.x.x[500] (36 bytes)
Jan 17 09:58:57    charon       11[NET] <con1|825> sending packet: from 24.247.x.x[500] to 47.50.x.x[500] (466 bytes)
Jan 17 09:58:57    charon       11[ENC] <con1|825> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan 17 09:58:57    charon       11[CFG] <con1|825> sending supported signature hash algorithms: sha1 sha256 sha384 sha512 identity
Jan 17 09:58:57    charon       11[CFG] <con1|825> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Jan 17 09:58:57    charon       11[IKE] <con1|825> IKE_SA con1[825] state change: CREATED => CONNECTING
Jan 17 09:58:57    charon       11[IKE] <con1|825> initiating IKE_SA con1[825] to 47.50.x.x
Jan 17 09:58:57    charon       11[IKE] <con1|825> activating IKE_AUTH_LIFETIME task
Jan 17 09:58:57    charon       11[IKE] <con1|825> activating CHILD_CREATE task
Jan 17 09:58:57    charon       11[IKE] <con1|825> activating IKE_CONFIG task
Jan 17 09:58:57    charon       11[IKE] <con1|825> activating IKE_CERT_POST task
Jan 17 09:58:57    charon       11[IKE] <con1|825> activating IKE_AUTH task
Jan 17 09:58:57    charon       11[IKE] <con1|825> activating IKE_CERT_PRE task
Jan 17 09:58:57    charon       11[IKE] <con1|825> activating IKE_NATD task
Jan 17 09:58:57    charon       11[IKE] <con1|825> activating IKE_INIT task
Jan 17 09:58:57    charon       11[IKE] <con1|825> activating IKE_VENDOR task
Jan 17 09:58:57    charon       11[IKE] <con1|825> activating new tasks
Jan 17 09:58:57    charon       11[IKE] <con1|825> queueing CHILD_CREATE task
Jan 17 09:58:57    charon       11[IKE] <con1|825> queueing IKE_AUTH_LIFETIME task
Jan 17 09:58:57    charon       11[IKE] <con1|825> queueing IKE_CONFIG task
Jan 17 09:58:57    charon       11[IKE] <con1|825> queueing IKE_CERT_POST task
Jan 17 09:58:57    charon       11[IKE] <con1|825> queueing IKE_AUTH task
Jan 17 09:58:57    charon       11[IKE] <con1|825> queueing IKE_CERT_PRE task
Jan 17 09:58:57    charon       11[IKE] <con1|825> queueing IKE_NATD task
Jan 17 09:58:57    charon       11[IKE] <con1|825> queueing IKE_INIT task
Jan 17 09:58:57    charon       11[IKE] <con1|825> queueing IKE_VENDOR task
Jan 17 09:58:57    charon       07[KNL] creating acquire job for policy 24.247.x.x/32|/0 === 47.50.x.x/32|/0 with reqid {20}
Jan 17 09:57:34    charon       07[IKE] <con1|824> IKE_SA con1[824] state change: CONNECTING => DESTROYING
Jan 17 09:57:34    charon       07[CFG] <con1|824> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048

I've looked around a bit and this also seems to be a StrongSwan issue, which pfSense uses:

https://wiki.strongswan.org/issues/442

I even tried changing ciphers, etc. like this... same result:

Jan 17 10:21:07    charon       13[IKE] <con1|5> IKE_SA con1[5] state change: CONNECTING => DESTROYING
Jan 17 10:21:07    charon       13[CFG] <con1|5> configured proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA1/MODP_1024
Jan 17 10:21:07    charon       13[IKE] <con1|5> received NO_PROPOSAL_CHOSEN notify error
Jan 17 10:21:07    charon       13[ENC] <con1|5> parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
Jan 17 10:21:07    charon       13[NET] <con1|5> received packet: from 47.50.x.x[500] to 24.247.x.x[500] (36 bytes)
Jan 17 10:21:07    charon       13[NET] <con1|5> sending packet: from 24.247.x.x[500] to 47.50.x.x[500] (330 bytes)
Jan 17 10:21:07    charon       13[ENC] <con1|5> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan 17 10:21:07    charon       13[CFG] <con1|5> sending supported signature hash algorithms: sha1 sha256 sha384 sha512 identity
Jan 17 10:21:07    charon       13[CFG] <con1|5> configured proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA1/MODP_1024
Jan 17 10:21:07    charon       13[IKE] <con1|5> IKE_SA con1[5] state change: CREATED => CONNECTING
Jan 17 10:21:07    charon       13[IKE] <con1|5> initiating IKE_SA con1[5] to 47.50.x.x
Jan 17 10:21:07    charon       13[IKE] <con1|5> activating IKE_AUTH_LIFETIME task
Jan 17 10:21:07    charon       13[IKE] <con1|5> activating CHILD_CREATE task
Jan 17 10:21:07    charon       13[IKE] <con1|5> activating IKE_CONFIG task
Jan 17 10:21:07    charon       13[IKE] <con1|5> activating IKE_CERT_POST task
Jan 17 10:21:07    charon       13[IKE] <con1|5> activating IKE_AUTH task
Jan 17 10:21:07    charon       13[IKE] <con1|5> activating IKE_CERT_PRE task
Jan 17 10:21:07    charon       13[IKE] <con1|5> activating IKE_NATD task
Jan 17 10:21:07    charon       13[IKE] <con1|5> activating IKE_INIT task
Jan 17 10:21:07    charon       13[IKE] <con1|5> activating IKE_VENDOR task
Jan 17 10:21:07    charon       13[IKE] <con1|5> activating new tasks
Jan 17 10:21:07    charon       13[IKE] <con1|5> queueing CHILD_CREATE task
Jan 17 10:21:07    charon       13[IKE] <con1|5> queueing IKE_AUTH_LIFETIME task
Jan 17 10:21:07    charon       13[IKE] <con1|5> queueing IKE_CONFIG task
Jan 17 10:21:07    charon       13[IKE] <con1|5> queueing IKE_CERT_POST task
Jan 17 10:21:07    charon       13[IKE] <con1|5> queueing IKE_AUTH task
Jan 17 10:21:07    charon       13[IKE] <con1|5> queueing IKE_CERT_PRE task
Jan 17 10:21:07    charon       13[IKE] <con1|5> queueing IKE_NATD task
Jan 17 10:21:07    charon       13[IKE] <con1|5> queueing IKE_INIT task
Jan 17 10:21:07    charon       13[IKE] <con1|5> queueing IKE_VENDOR task
Jan 17 10:21:07    charon       14[KNL] creating acquire job for policy 24.247.x.x/32|/0 === 47.50.x.x/32|/0 with reqid {4}

So...at the moment the ONLY way to get the IPSEC VPN tunnel back up is to reboot the firewall at 47.50.x.x which totally sucks because it takes down 3 other sites.  I had this problem with a different site last week > reboot the 47.50.x.x firewall > tunnels come back up.  Today, it's a different site AND NOTHING HAS CHANGED!

Any advice besides a back rev to 2.3?  I'm seriously considering wiping the infrastructure and going back to 2.3 which was stable as hell.  It's only after I upgraded to this 2.4.x version that things have gotten ridiculously unstable.

Thanks!

================

** Update **

I needed to actually reboot BOTH the firewalls.  So it doesn't seem to be a symptom of just one firewall!

Thoughts?
« Last Edit: January 17, 2018, 09:48:27 am by pdrass »
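As an added example (not code from the post, pfSense or strongSwan), a short Python script that groups charon lines by IKE_SA and pulls out the NO_PROPOSAL_CHOSEN rejections together with the proposal set the responder refused, so the failure can be checked across all four tunnels without reading the log by hand. The sample lines are constructed in the shape of the log above; the con2 SA is made up to show a tunnel that came up normally.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the post's charon log (newest line first,
# as the pfSense log viewer prints it); con2 is a made-up SA that succeeded.
SAMPLE_LOG = """\
Jan 17 09:58:57    charon       07[IKE] <con1|825> IKE_SA con1[825] state change: CONNECTING => DESTROYING
Jan 17 09:58:57    charon       07[CFG] <con1|825> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Jan 17 09:58:57    charon       07[IKE] <con1|825> received NO_PROPOSAL_CHOSEN notify error
Jan 17 09:58:57    charon       07[ENC] <con1|825> parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
Jan 17 09:58:57    charon       11[IKE] <con1|825> initiating IKE_SA con1[825] to 47.50.x.x
Jan 17 09:58:20    charon       09[IKE] <con2|17> IKE_SA con2[17] state change: CONNECTING => ESTABLISHED
"""

LINE_RE = re.compile(r"^\w{3}\s+\d+\s+[\d:]+\s+charon\s+\d+\[\w+\]\s+<([^|>]+)\|(\d+)>\s+(.*)$")
PROPOSAL_RE = re.compile(r"configured proposals: IKE:(\S+)")
NOTIFY_RE = re.compile(r"received (\w+) notify error")
PEER_RE = re.compile(r"initiating IKE_SA \S+ to (\S+)")
RESPONSE_RE = re.compile(r"parsed (\w+) response")

def parse_charon_log(text):
    """Group lines by IKE_SA (<conn|id>) and keep the fields that explain why the
    SA died. Line order is irrelevant, so a newest-first paste works unchanged."""
    sas = defaultdict(lambda: {"proposals": [], "notify": None, "peer": None,
                               "exchange": None, "destroyed": False})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # no SA context, e.g. the [KNL] acquire-job lines
        conn, sa_id, msg = m.groups()
        sa = sas[(conn, int(sa_id))]
        if (p := PROPOSAL_RE.search(msg)) and p.group(1) not in sa["proposals"]:
            sa["proposals"].append(p.group(1))
        if n := NOTIFY_RE.search(msg):
            sa["notify"] = n.group(1)
        if peer := PEER_RE.search(msg):
            sa["peer"] = peer.group(1)
        if r := RESPONSE_RE.search(msg):
            sa["exchange"] = r.group(1)
        if "=> DESTROYING" in msg:
            sa["destroyed"] = True
    return dict(sas)

def proposal_rejections(text):
    """SAs the responder refused at IKE_SA_INIT with NO_PROPOSAL_CHOSEN: compare the
    listed proposals with the peer's phase 1 settings before suspecting anything else."""
    return [{"sa": f"{conn}[{sa_id}]", "peer": sa["peer"], "proposals": sa["proposals"]}
            for (conn, sa_id), sa in sorted(parse_charon_log(text).items())
            if sa["notify"] == "NO_PROPOSAL_CHOSEN" and sa["exchange"] == "IKE_SA_INIT"]
```

If the same proposal set matched before the reboot, as in the post, a rejection here points at the peer's state rather than at the proposal list itself.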

pdrass
Re: StrongSwan problem with IPSEC
« Reply #1 on: January 18, 2018, 09:49:53 am »

Today it flaked out AGAIN and I had to reboot the 24.247.x.x firewall.  The Internet works, 0% latency, everything looks great BUT the IPSEC tunnel crashes and won't come up UNTIL something is rebooted.  I can restart IPSEC services until I'm blue in the face and I've got nothing UNTIL the dumb thing is rebooted.

Good thing I didn't have to reboot the other router because that's the one with multiple sites connected to it.  The 24.247.x.x is the remote site.

Anyone else experiencing these issues?  We didn't have these issues on the 2.3.x versions of pfSense!  These are pfSense boxes from pfSense too, the rack mounts.