0004234: IPsec VPNs in Endian 2.5 unstable, stop passing data - MantisBT
MantisBT - Endian Firewall
View Issue Details
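ID: 0004234
Project: Endian Firewall
Category: Network related (VPN, uplinks)
View Status: public
Date Submitted: 2012-01-02 21:59
Last Update: 2012-02-03 13:51
Reporter: Sota
Assigned To: lorenzo-endian
Priority: normal
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed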
2.4.1 
 
0004234: IPsec VPNs in Endian 2.5 unstable, stop passing data
I have upgraded an existing firewall (clean install & reconfigure) from Endian 2.4.1 to 2.5 and the IPsec VPNs keep stopping after a few minutes. Their status shows green and if I restart them data flow will resume for another while.
No tags attached.
ipsec-host-1.png (61,016) 2012-01-10 09:12
https://bugs.endian.com/file_download.php?file_id=903&type=bug

ipsec-host-2.png (48,729) 2012-01-10 09:12
https://bugs.endian.com/file_download.php?file_id=904&type=bug

IPSec VPN.PNG (48,294) 2012-01-23 16:37
https://bugs.endian.com/file_download.php?file_id=907&type=bug

Issue History
2012-01-02 21:59 | Sota | New Issue
2012-01-05 08:46 | christian-endian | Status | new => acknowledged
2012-01-10 09:05 | lorenzo-endian | Note Added: 0007612
2012-01-10 09:05 | lorenzo-endian | Assigned To | => lorenzo-endian
2012-01-10 09:05 | lorenzo-endian | Status | acknowledged => feedback
2012-01-10 09:12 | lorenzo-endian | File Added: ipsec-host-1.png
2012-01-10 09:12 | lorenzo-endian | File Added: ipsec-host-2.png
2012-01-17 09:00 | christian-endian | Note Added: 0007633
2012-01-17 16:07 | Sota | Note Added: 0007634
2012-01-19 14:29 | christian-endian | Note Added: 0007636
2012-01-23 16:37 | Sota | File Added: IPSec VPN.PNG
2012-01-23 16:41 | Sota | Note Added: 0007644
2012-02-01 14:48 | Sota | Note Added: 0007685
2012-02-03 13:51 | Sota | Note Added: 0007693
2012-02-03 13:51 | Sota | Status | feedback => resolved
2012-02-03 13:51 | Sota | Resolution | open => fixed

Notes
(0007612)
lorenzo-endian   
2012-01-10 09:05   
Hi Sota,

I tried to reproduce the problem in my virtual environment but I am not able to do it: the connection between my two hosts works without problem even after some hours.

I suspect the problem is related to the packet loss on the network between your hosts, but I need to verify it.

In the meanwhile, I attach the configuration I used on my systems... can you check if you did the same? If something differs, can you report it, please?

Thanks in advance!

Lo
(0007633)
christian-endian   
2012-01-17 09:00   
Any news on this?
(0007634)
Sota   
2012-01-17 16:07   
Sorry, I am away from the office until Thursday, I will look at it then. However, it cannot be packet loss on the network as this configuration worked with Endian 2.4.1. I will try to upload my config files later.
(0007636)
christian-endian   
2012-01-19 14:29   
Thank you very much!
(0007644)
Sota   
2012-01-23 16:41   
So I have had another attempt at this. The attached image shows one VPN to a remote Endian 2.4.1 box that says the link is Open but does not pass any traffic. This used to work when my firewall was 2.4.1. I am seeing a lot of errors for this connection:
Jan 23 16:19:57 pluto[21718] packet from 137.191.xxx.xxx:500: initial Main Mode message received on 89.101.xxx xxx:500 but no connection has been authorized with policy=PSK. Perhaps an openswan <==> strongswan interoperability issue?
Some of the other links do work intermittently.

Others are reporting similar issues:
http://www.efwsupport.com/index.php?topic=2903.0
(0007685)
Sota   
2012-02-01 14:48   
Since I moved to 2.5.1 this problem has not recurred.
(0007693)
Sota   
2012-02-03 13:51   
Still working OK, so consider it fixed.