Update to 161, IPSec won't connect anywhere afterwards

And here is #2:

Another FW, another place called home this time:

Update to 160 months ago showed the same issue (rolled back to 159 back then) as now with the update to 161:

Update runs through without throwing any errors, but IPsec connections are just not connecting anymore, no matter whether there is a 159 or 161 FW on the other side.

Luckily I got a snapshot up front so I’ll be back to working conditions under 159.

Any ideas what to look at first?

Other updated machines connect just fine.

Thanks!
Uwe

Hi,

while testing Core Update 161, I noticed some IPsec connections became very unstable (i.e. reauthenticating every 10-20 seconds), but were still usable (see bug #12725 for details).

IPsec connections not working at all is a phenomenon only observed directly after installing the upgrade. Manually clicking the “reconnect” button in the web interface solved the problem permanently for me.

Could you try this as well and report back if it makes a difference?

Either way, if the problem persists (and/or is reproducible), please raise a ticket at https://bugzilla.ipfire.org/ (your login credentials work there as well), so we can keep track of it. Refer to this wiki page for further information, if necessary.

Thanks in advance, and best regards,
Peter Müller

thanks. I’ll give that a shot tonight.

I am pretty sure that I clicked the reconnect button and it didn’t help. I’ll check that tonight and try to dive into the logs as well…

Cheers
Uwe

Hi,

for the record: The same behaviour appeared to me while testing Core Update 162 the other day.

Bug #12740 has been raised for this, since this can cause trouble if an IPFire machine is updated remotely via an IPsec connection and its administrator does not have access to the IPsec gateway on his/her end.

Thanks, and best regards,
Peter Müller

Still no IPsec connections working with 163. Rolled back to 159.

Cheers
Uwe

Hi,

all right, let’s try to get to the bottom of this:

  • What log messages are you observing while trying to establish the IPsec connection?
  • In which aspect do they differ from the log messages emitted in Core Update 159 and below?
  • What software/IPsec stack is the peer running? IPFire as well?
  • Please post screenshots of your IPsec configuration on both sides. Feel free to redact sensitive information (public IP addresses, FQDNs, etc.), if necessary.

Just staying on an outdated Core Update cannot be a solution… :slight_smile:

Thanks, and best regards,
Peter Müller

Hi Peter

…not even a year since I have worked on this. Today I updated all IPFires again. This one firewall still breaks IPsec connections after the final reboot when installing updates newer than 159. Let me get you guys some information:

I run IPFire firewalls in about 4 locations, one is my home office. There are tunnels between all locations and I was able to upgrade all those other firewalls to now 172 without breaking the IPsec connections. Just at home the connections are not coming up again.

Here are some logs, let me know if you need more:

Cheers, Uwe

before:

20:42:15 charon: 06[NET] received packet: from x.x.x.146[4500] to x.x.x.73[4500] (1248 bytes)
20:42:15 charon: 06[ENC] parsed CREATE_CHILD_SA request 2 [ EF(1/3) ]
20:42:15 charon: 06[ENC] received fragment #1 of 3, waiting for complete IKE message
20:42:15 charon: 07[NET] received packet: from x.x.x.146[4500] to x.x.x.73[4500] (1248 bytes)
20:42:15 charon: 07[ENC] parsed CREATE_CHILD_SA request 2 [ EF(2/3) ]
20:42:15 charon: 07[ENC] received fragment #2 of 3, waiting for complete IKE message
20:42:15 charon: 11[NET] received packet: from x.x.x.146[4500] to x.x.x.73[4500] (1247 bytes)
20:42:15 charon: 11[ENC] parsed CREATE_CHILD_SA request 2 [ EF(3/3) ]
20:42:15 charon: 11[ENC] received fragment #3 of 3, reassembled fragmented IKE message (3617 bytes)
20:42:15 charon: 11[ENC] parsed CREATE_CHILD_SA request 2 [ N(REKEY_SA) SA No KE TSi TSr ]
20:42:15 charon: 11[CFG] selected proposal: ESP:CHACHA20_POLY1305/CURVE_25519/NO_EXT_SEQ
20:42:15 charon: 11[IKE] inbound CHILD_SA nm{35} established with SPIs c42c2d17_i cea32660_o and TS 192.168.5.0/24 === 192.168.50.0/24
20:42:15 charon: 11[IKE] inbound CHILD_SA nm{35} established with SPIs c42c2d17_i cea32660_o and TS 192.168.5.0/24 === 192.168.50.0/24
20:42:15 charon: 11[ENC] generating CREATE_CHILD_SA response 2 [ SA No KE TSi TSr ]
20:42:15 charon: 11[NET] sending packet: from x.x.x.73[4500] to x.x.x.146[4500] (221 bytes)
20:42:15 charon: 04[NET] received packet: from x.x.x.146[4500] to x.x.x.73[4500] (69 bytes)
20:42:15 charon: 04[ENC] parsed INFORMATIONAL request 3 [ D ]
20:42:15 charon: 04[IKE] received DELETE for ESP CHILD_SA with SPI c50ca910
20:42:15 charon: 04[IKE] closing CHILD_SA nm{26} with SPIs cf1406da_i (0 bytes) c50ca910_o (0 bytes) and TS 192.168.5.0/24 === 192.168.50.0/24
20:42:15 charon: 04[IKE] closing CHILD_SA nm{26} with SPIs cf1406da_i (0 bytes) c50ca910_o (0 bytes) and TS 192.168.5.0/24 === 192.168.50.0/24
20:42:15 charon: 04[IKE] sending DELETE for ESP CHILD_SA with SPI cf1406da
20:42:15 charon: 04[IKE] CHILD_SA closed
20:42:15 charon: 04[IKE] outbound CHILD_SA nm{35} established with SPIs c42c2d17_i cea32660_o and TS 192.168.5.0/24 === 192.168.50.0/24
20:42:15 charon: 04[IKE] outbound CHILD_SA nm{35} established with SPIs c42c2d17_i cea32660_o and TS 192.168.5.0/24 === 192.168.50.0/24
20:42:15 charon: 04[ENC] generating INFORMATIONAL response 3 [ D ]
20:42:15 charon: 04[NET] sending packet: from x.x.x.73[4500] to x.x.x.146[4500] (69 bytes)
20:42:15 charon: 09[IKE] sending DPD request
20:42:15 charon: 09[ENC] generating INFORMATIONAL request 77 [ ]
20:42:15 charon: 09[NET] sending packet: from x.x.x.73[4500] to x.x.x.70[4500] (57 bytes)
20:42:15 charon: 10[NET] received packet: from x.x.x.70[4500] to x.x.x.73[4500] (57 bytes)
20:42:15 charon: 10[ENC] parsed INFORMATIONAL response 77 [ ]
20:42:44 charon: 16[IKE] sending DPD request
20:42:44 charon: 16[ENC] generating INFORMATIONAL request 92 [ ]
20:42:44 charon: 16[NET] sending packet: from x.x.x.73[4500] to x.x.x.146[4500] (57 bytes)
20:42:45 charon: 12[NET] received packet: from x.x.x.146[4500] to x.x.x.73[4500] (57 bytes)
20:42:45 charon: 12[ENC] parsed INFORMATIONAL response 92 [ ]
20:42:45 charon: 12[IKE] sending DPD request
20:42:45 charon: 12[ENC] generating INFORMATIONAL request 78 [ ]
20:42:45 charon: 12[NET] sending packet: from x.x.x.73[4500] to x.x.x.70[4500] (57 bytes)
20:42:45 charon: 02[NET] received packet: from x.x.x.70[4500] to x.x.x.73[4500] (57 bytes)
20:42:45 charon: 02[ENC] parsed INFORMATIONAL response 78 [ ]
20:42:59 charon: 06[IKE] sending DPD request
20:42:59 charon: 06[ENC] generating INFORMATIONAL request 2 [ ]
20:42:59 charon: 06[NET] sending packet: from x.x.x.73[4500] to x.x.x.111[4500] (57 bytes)
20:42:59 charon: 13[NET] received packet: from x.x.x.111[4500] to x.x.x.73[4500] (57 bytes)
20:42:59 charon: 13[ENC] parsed INFORMATIONAL response 2 [ ]
20:43:14 charon: 02[IKE] sending DPD request
20:43:14 charon: 02[ENC] generating INFORMATIONAL request 93 [ ]
20:43:14 charon: 02[NET] sending packet: from x.x.x.73[4500] to x.x.x.146[4500] (57 bytes)
20:43:15 charon: 06[NET] received packet: from x.x.x.146[4500] to x.x.x.73[4500] (57 bytes)
20:43:15 charon: 06[ENC] parsed INFORMATIONAL response 93 [ ]
20:43:15 charon: 02[IKE] sending DPD request
20:43:15 charon: 02[ENC] generating INFORMATIONAL request 79 [ ]
20:43:15 charon: 02[NET] sending packet: from x.x.x.73[4500] to x.x.x.70[4500] (57 bytes)
20:43:15 charon: 07[NET] received packet: from x.x.x.70[4500] to x.x.x.73[4500] (57 bytes)
20:43:15 charon: 07[ENC] parsed INFORMATIONAL response 79 [ ]
20:43:44 charon: 02[IKE] sending DPD request
20:43:44 charon: 02[ENC] generating INFORMATIONAL request 94 [ ]
20:43:44 charon: 02[NET] sending packet: from x.x.x.73[4500] to x.x.x.146[4500] (57 bytes)
20:43:45 charon: 13[NET] received packet: from x.x.x.146[4500] to x.x.x.73[4500] (57 bytes)
20:43:45 charon: 13[ENC] parsed INFORMATIONAL response 94 [ ]
20:43:45 charon: 04[IKE] sending DPD request
20:43:45 charon: 04[ENC] generating INFORMATIONAL request 80 [ ]
20:43:45 charon: 04[NET] sending packet: from x.x.x.73[4500] to x.x.x.70[4500] (57 bytes)
20:43:45 charon: 16[NET] received packet: from x.x.x.70[4500] to x.x.x.73[4500] (57 bytes)
20:43:45 charon: 16[ENC] parsed INFORMATIONAL response 80 [ ]
20:43:58 charon: 12[IKE] sending DPD request
20:43:58 charon: 12[ENC] generating INFORMATIONAL request 3 [ ]
20:43:58 charon: 12[NET] sending packet: from x.x.x.73[4500] to x.x.x.111[4500] (57 bytes)
20:43:58 charon: 02[NET] received packet: from x.x.x.111[4500] to x.x.x.73[4500] (57 bytes)
20:43:58 charon: 02[ENC] parsed INFORMATIONAL response 3 [ ]
20:44:14 charon: 10[IKE] sending DPD request
20:44:14 charon: 10[ENC] generating INFORMATIONAL request 95 [ ]
20:44:14 charon: 10[NET] sending packet: from x.x.x.73[4500] to x.x.x.146[4500] (57 bytes)
20:44:15 charon: 02[NET] received packet: from x.x.x.146[4500] to x.x.x.73[4500] (57 bytes)
20:44:15 charon: 02[ENC] parsed INFORMATIONAL response 95 [ ]
20:44:15 charon: 01[IKE] sending DPD request
20:44:15 charon: 01[ENC] generating INFORMATIONAL request 81 [ ]
20:44:15 charon: 01[NET] sending packet: from x.x.x.73[4500] to x.x.x.70[4500] (57 bytes)
20:44:15 charon: 06[NET] received packet: from x.x.x.70[4500] to x.x.x.73[4500] (57 bytes)
20:44:15 charon: 06[ENC] parsed INFORMATIONAL response 81 [ ]
20:44:45 charon: 07[NET] received packet: from x.x.x.146[4500] to x.x.x.73[4500] (57 bytes)
20:44:45 charon: 07[ENC] parsed INFORMATIONAL request 4 [ ]
20:44:45 charon: 07[ENC] generating INFORMATIONAL response 4 [ ]
20:44:45 charon: 07[NET] sending packet: from x.x.x.73[4500] to x.x.x.146[4500] (57 bytes)
20:44:45 charon: 09[IKE] sending DPD request

Here is the aftermath: IPsec not working:

21:12:19 charon: 11[CFG] received stroke: terminate ‘homelink’
21:12:19 charon: 11[CFG] no IKE_SA named ‘homelink’ found
21:12:19 charon: 09[CFG] rereading secrets
21:12:19 charon: 09[CFG] loading secrets from ‘/etc/ipsec.secrets’
21:12:19 charon: 09[CFG] loading secrets from ‘/etc/ipsec.user.secrets’
21:12:19 charon: 09[CFG] loaded IKE secret for @hostname.chickenkiller.com @vpn.hostname.de
21:12:19 charon: 09[CFG] loaded IKE secret for @hostname.chickenkiller.com @mail.nm.de
21:12:19 charon: 09[CFG] loaded IKE secret for @hostname.chickenkiller.com @x.x.x.70
21:12:19 charon: 09[CFG] loaded IKE secret for @hostname.chickenkiller.com @x.x.x.111
21:12:19 charon: 09[CFG] rereading ca certificates from ‘/etc/ipsec.d/cacerts’
21:12:19 charon: 09[CFG] rereading aa certificates from ‘/etc/ipsec.d/aacerts’
21:12:19 charon: 09[CFG] rereading ocsp signer certificates from ‘/etc/ipsec.d/ocspcerts’
21:12:19 charon: 09[CFG] rereading attribute certificates from ‘/etc/ipsec.d/acerts’
21:12:19 charon: 09[CFG] rereading crls from ‘/etc/ipsec.d/crls’
21:12:19 charon: 13[CFG] received stroke: delete connection ‘orangelink’
21:12:19 charon: 13[CFG] deleted connection ‘orangelink’
21:12:19 charon: 08[CFG] received stroke: delete connection ‘nm’
21:12:19 charon: 08[CFG] deleted connection ‘nm’
21:12:19 charon: 05[CFG] received stroke: delete connection ‘krtz’
21:12:19 charon: 05[CFG] deleted connection ‘krtz’
21:12:19 charon: 07[CFG] received stroke: delete connection ‘homelink’
21:12:19 charon: 07[CFG] deleted connection ‘homelink’
21:12:19 charon: 14[CFG] received stroke: add connection ‘orangelink’
21:12:19 charon: 14[CFG] added configuration ‘orangelink’
21:12:19 charon: 09[CFG] received stroke: initiate ‘orangelink’
21:12:19 charon: 09[IKE] initiating IKE_SA orangelink[5] to x.x.x.112
21:12:19 charon: 09[IKE] initiating IKE_SA orangelink[5] to x.x.x.112
21:12:19 charon: 09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
21:12:19 charon: 09[NET] sending packet: from x.x.x.73[500] to x.x.x.112[500] (4100 bytes)
21:12:19 charon: 13[CFG] received stroke: add connection ‘nm’
21:12:19 charon: 13[CFG] added configuration ‘nm’
21:12:19 charon: 08[CFG] received stroke: initiate ‘nm’
21:12:19 charon: 08[IKE] initiating IKE_SA nm[6] to x.x.x.146
21:12:19 charon: 08[IKE] initiating IKE_SA nm[6] to x.x.x.146
21:12:19 charon: 08[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
21:12:19 charon: 08[NET] sending packet: from x.x.x.73[500] to x.x.x.146[500] (2148 bytes)
21:12:19 charon: 05[CFG] received stroke: add connection ‘krtz’
21:12:19 charon: 05[CFG] added configuration ‘krtz’
21:12:19 charon: 07[CFG] received stroke: initiate ‘krtz’
21:12:19 charon: 07[IKE] initiating IKE_SA krtz[7] to x.x.x.70
21:12:19 charon: 07[IKE] initiating IKE_SA krtz[7] to x.x.x.70
21:12:19 charon: 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
21:12:19 charon: 07[NET] sending packet: from x.x.x.73[500] to x.x.x.70[500] (4100 bytes)
21:12:19 charon: 02[CFG] received stroke: add connection ‘homelink’
21:12:19 charon: 02[CFG] added configuration ‘homelink’
21:12:19 charon: 11[CFG] received stroke: initiate ‘homelink’
21:12:19 charon: 11[IKE] initiating IKE_SA homelink[8] to x.x.x.111
21:12:19 charon: 11[IKE] initiating IKE_SA homelink[8] to x.x.x.111
21:12:19 charon: 10[CFG] received stroke: initiate ‘homelink’
21:12:19 charon: 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
21:12:19 charon: 11[NET] sending packet: from x.x.x.73[500] to x.x.x.111[500] (2628 bytes)
21:12:19 charon: 11[NET] received packet: from x.x.x.112[500] to x.x.x.73[500] (36 bytes)
21:12:19 charon: 11[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
21:12:19 charon: 11[IKE] received NO_PROPOSAL_CHOSEN notify error
21:12:19 charon: 12[NET] received packet: from x.x.x.70[500] to x.x.x.73[500] (36 bytes)
21:12:19 charon: 12[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
21:12:19 charon: 12[IKE] received NO_PROPOSAL_CHOSEN notify error
21:12:19 charon: 08[NET] received packet: from x.x.x.146[500] to x.x.x.73[500] (36 bytes)
21:12:19 charon: 08[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
21:12:19 charon: 08[IKE] received NO_PROPOSAL_CHOSEN notify error
21:12:20 charon: 12[NET] received packet: from x.x.x.111[500] to x.x.x.73[500] (36 bytes)
21:12:20 charon: 12[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
21:12:20 charon: 12[IKE] received NO_PROPOSAL_CHOSEN notify error

The only thing that is unique to the failing FW is that it’s using a dynamic DNS address. The others are on fixed IP addresses…

Uwe, could you please upload a screenshot of the “Advanced” settings of one of the failing connections here? The “NO_PROPOSAL_CHOSEN” does look suspicious to me…

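The two log excerpts above tell the story once the lines are correlated: in the working log, charon logs a "selected proposal" and an established CHILD_SA for connection nm; after the update, every IKE_SA_INIT request is answered with N(NO_PROP), i.e. the peer rejected all offered IKE proposals before authentication even started. The connection name is not printed on the NO_PROPOSAL_CHOSEN line, so it has to be recovered from the "received packet: from <peer>" line handled by the same worker thread, and the peer mapped back to the "initiating IKE_SA <name>[n] to <peer>" line. The following is an added example (not code from the thread, IPFire or strongSwan) that does exactly that correlation over the log lines posted above; it assumes the "HH:MM:SS charon: NN[SUBSYS] message" layout of the IPFire log view, and the shortened excerpts embedded here are copied from the posted logs.

```python
"""Triage charon (strongSwan) log excerpts: which IPsec connections established
a CHILD_SA, and which were rejected by the peer with NO_PROPOSAL_CHOSEN during
IKE_SA_INIT. Added example; the excerpts below are copied from the thread."""
import re
from collections import defaultdict

# "HH:MM:SS charon: <thread>[<subsystem>] <message>" as shown in the IPFire log view
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d) charon: (\d+)\[(\w+)\] (.*)$")
INIT_RE = re.compile(r"initiating IKE_SA ([^\s\[]+)\[\d+\] to (\S+)")
RECV_RE = re.compile(r"received packet: from (\S+)\[\d+\] to ")
PROPOSAL_RE = re.compile(r"selected proposal: (\S+)")
CHILD_RE = re.compile(r"(?:inbound|outbound) CHILD_SA ([^\s{]+)\{\d+\} established")
NO_PROP = "received NO_PROPOSAL_CHOSEN notify error"

# Excerpt of the "before" log posted above (tunnel nm rekeying successfully).
BEFORE_LOG = """\
20:42:15 charon: 11[NET] received packet: from x.x.x.146[4500] to x.x.x.73[4500] (1247 bytes)
20:42:15 charon: 11[ENC] parsed CREATE_CHILD_SA request 2 [ N(REKEY_SA) SA No KE TSi TSr ]
20:42:15 charon: 11[CFG] selected proposal: ESP:CHACHA20_POLY1305/CURVE_25519/NO_EXT_SEQ
20:42:15 charon: 11[IKE] inbound CHILD_SA nm{35} established with SPIs c42c2d17_i cea32660_o and TS 192.168.5.0/24 === 192.168.50.0/24
20:42:15 charon: 09[IKE] sending DPD request
"""

# Excerpt of the "after update" log posted above (all four tunnels rejected).
AFTER_LOG = """\
21:12:19 charon: 09[IKE] initiating IKE_SA orangelink[5] to x.x.x.112
21:12:19 charon: 09[NET] sending packet: from x.x.x.73[500] to x.x.x.112[500] (4100 bytes)
21:12:19 charon: 08[IKE] initiating IKE_SA nm[6] to x.x.x.146
21:12:19 charon: 07[IKE] initiating IKE_SA krtz[7] to x.x.x.70
21:12:19 charon: 11[IKE] initiating IKE_SA homelink[8] to x.x.x.111
21:12:19 charon: 11[NET] received packet: from x.x.x.112[500] to x.x.x.73[500] (36 bytes)
21:12:19 charon: 11[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
21:12:19 charon: 11[IKE] received NO_PROPOSAL_CHOSEN notify error
21:12:19 charon: 12[NET] received packet: from x.x.x.70[500] to x.x.x.73[500] (36 bytes)
21:12:19 charon: 12[IKE] received NO_PROPOSAL_CHOSEN notify error
21:12:19 charon: 08[NET] received packet: from x.x.x.146[500] to x.x.x.73[500] (36 bytes)
21:12:19 charon: 08[IKE] received NO_PROPOSAL_CHOSEN notify error
21:12:20 charon: 12[NET] received packet: from x.x.x.111[500] to x.x.x.73[500] (36 bytes)
21:12:20 charon: 12[IKE] received NO_PROPOSAL_CHOSEN notify error
"""


def _new_status():
    return {"peer": None, "initiated": False, "no_proposal": 0,
            "child_sa": False, "proposal": None}


def triage(log_text):
    """Return {connection_name: status dict} for one log excerpt."""
    status = defaultdict(_new_status)
    peer_to_conn = {}     # learned from "initiating IKE_SA <name>[n] to <peer>"
    thread_peer = {}      # worker thread -> peer of the packet it is processing
    thread_proposal = {}  # worker thread -> last "selected proposal" it logged
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        _ts, thread, _subsys, msg = m.groups()
        if (mi := INIT_RE.search(msg)):
            conn, peer = mi.groups()
            peer_to_conn[peer] = conn
            status[conn]["initiated"] = True
            status[conn]["peer"] = peer
        elif (mr := RECV_RE.search(msg)):
            thread_peer[thread] = mr.group(1)
        elif (mp := PROPOSAL_RE.search(msg)):
            thread_proposal[thread] = mp.group(1)
        elif NO_PROP in msg:
            # The notify line carries no connection name: attribute it via the
            # peer whose packet this worker thread is currently processing.
            peer = thread_peer.get(thread)
            conn = peer_to_conn.get(peer, f"unknown({peer})")
            status[conn]["no_proposal"] += 1
            status[conn]["peer"] = peer
        elif (mc := CHILD_RE.search(msg)):
            conn = mc.group(1)
            status[conn]["child_sa"] = True
            status[conn]["proposal"] = thread_proposal.get(thread)
            status[conn]["peer"] = status[conn]["peer"] or thread_peer.get(thread)
    return dict(status)


def verdict(st):
    """Classify one connection's status dict."""
    if st["child_sa"]:
        return "established"
    if st["no_proposal"]:
        # Peer answered IKE_SA_INIT with NO_PROPOSAL_CHOSEN: no overlap in the
        # offered IKE proposals (ciphers/integrity/DH groups), before authentication.
        return "ike_proposal_rejected"
    if st["initiated"]:
        return "initiated_no_response"
    return "unknown"


def summarize(log_text):
    return {conn: verdict(st) for conn, st in triage(log_text).items()}


if __name__ == "__main__":
    for label, log in (("before", BEFORE_LOG), ("after", AFTER_LOG)):
        for conn, st in triage(log).items():
            print(f"{label}: {conn} -> {verdict(st)} (peer {st['peer']}, proposal {st['proposal']})")
```

Because the rejection arrives in the IKE_SA_INIT response, the place to compare both sides is the IKE (phase 1) cipher, integrity and Diffie-Hellman group settings in the “Advanced” section, which is what the screenshot request above is aimed at; an established CHILD_SA with a logged “selected proposal”, as in the “before” excerpt, shows that at least one proposal overlapped.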

before update:

after update:

So I did some experimenting… The last time I reinstalled IPFire I used a backup to get all my settings back.
Today I installed a fresh copy of IPFire 172 and manually added the IPSec Tunnels.

…they work from the first second of hitting the “save” button.

So no more need to hunt those ghosts (I still have the old VM in case somebody is curious and I could connect them again…)

Only downside is losing the network traffic data, but that’s not too important…

Cheers and enjoy your weekend!
Uwe
